August 9, 2022
Good morning, everyone!
This week’s critical vulnerabilities:
Patch all the things!
Think before you plug it in!
Amazing story I read on LinkedIn the other day. The lengths that cyber criminals will go to!
Someone just shared that their father received a package in snail mail to their house (pictures below), plugged in the very legit looking USB (fail) then ransomware did its thing.
Isn’t that incredible? Educate your parents as well as your children!
Say what you do, do what you say
A recent lawsuit provides yet another example of cyber insurance being worthless if you aren’t truthful and accurate on your application:
Travelers alleges that ICS represented on its policy application materials that the company requires MFA for employees and third parties to access email, remotely access the company’s network, and gain access to endpoints, servers, network infrastructures, directory services, and the like. Travelers claims that ICS was in fact only using the MFA protocol on its firewall and that access to its other systems – including its servers, the target of the ransomware attack at issue – were not subject to MFA’s heightened protections. Had Travelers known this, it argues, it wouldn’t have issued the policy to ICS in the first place. Accordingly, Travelers argues the court must “rescind the policy and declare that there is no coverage for any losses, costs or claims submitted by ICS to Travelers for coverage under the policy.”
Ouch. Now, please note that I made a point of saying both “truthful” and “accurate” because there is a distinction. I have seen numerous cyber insurance applications with incorrect answers, because the person completing the application was not knowledgeble about either the technology in question, or the way the technology is used in practice within the organization. Remember that both acts of commission (intentionally false statements) and ommission (inaccurate information, whether due to misunderstanding or trying to look good) can result in the same bad outcome. So make certain you get help on technical questions, to be sure that you don’t overstate your actual security posture without realizing it.
Stay cyber aware this week!
Talk to you again soon!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺