Cyber Risk Report: A View from the U.S. Government’s Lead Cyber Agency
March 15, 2023 | Webinar
The Travelers Institute took an inside look at the fight to protect U.S. critical infrastructure and other organizations from the threat of cyberattacks during this webinar program featuring experts from the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. federal government’s cyber defense agency, and Travelers. Travelers Institute Assistant Vice President Jessica Kearney sat down with CISA’s Regional Director for Region 9, David Rosado, and Mario Garcia, Supervisory Cybersecurity Advisor for Region 9, along with Travelers’ Enterprise Cyber Lead, Tim Francis, to assess the current and future cyber threat landscape. The program also explored the steps organizations can take to build cyber resilience, reduce risk and recover from cyberattacks, as well as the range of free resources CISA provides to organizations large and small.
Presented by the Travelers Institute, the Insurance Association of Connecticut, the MetroHartford Alliance, the American Property Casualty Insurance Association, the Risk and Uncertainty Management Center at the University of South Carolina’s Darla Moore School of Business, the Georgia Tech College of Computing and the Master's in Financial Technology (FinTech) Program at the University of Connecticut School of Business.
Summary
What did we learn? Here are the top takeaways from Cyber Risk Report: A View from the U.S. Government’s Lead Cyber Agency.
Any organization can get customized cyber help from CISA. Rosado emphasized that there is no size requirement an organization must meet to work with CISA. His first recommendation is to check out the agency’s website: cisa.gov/resources-tools.
Contact your CISA region: “I would also ask for folks to take a second step and look at the regions,” said Rosado. “Find out what region you belong to, and you can actually email that particular region.” From there, organizations can contact officials from their CISA region to help them customize the tools that best support their needs. Find your region here: cisa.gov/about/regions
The present-day threat landscape is sophisticated. Threat actors include activists and cybercriminals (operating either individually or in a gang), as well as nation states and their proxies. Forms of cyberattacks include ransomware, distributed denial of service (DDoS), destructive malware, data breach and espionage, Garcia shared. “Company employees are getting better at identifying phishing emails, and technology is doing a better job at catching and removing malicious links and attachments. Because of this, some actors are bribing company employees to deploy ransomware onto their corporate network,” he said.
Cybercrime is a business. There are many reasons cyber threat actors want money from a cyberattack, and they now have affiliates joining them. “[Cybercriminals] can share some of that risk by either being a developer of that ransomware or being a user of that ransomware. If you’re the affiliate, you don’t need to know how to code malicious software. You just need to be willing to take the risk to deploy it and threaten a victim entity to try to get those funds,” Garcia said. In response, law enforcement has had to expand its focus to the affiliates as well as the cyber threat actors themselves.
There are still classic scams to look out for. Not every cybersecurity threat is complicated. “It’s a common tactic for cybercriminals to drop a thumb drive into a parking lot, expecting that an employee will pick it up and plug it into a corporate computer and it will deploy ransomware onto their corporate network,” Garcia told us. He suggested implementing training so that employees know to bring suspicious devices to security.
CISA has concerns. There are risks that can compromise more than cyber systems themselves. “The convergence of cyber and physical – things we used to do manually in the past, such as dams and power grids, now we are using info systems to operate,” Rosado said. This can create new vulnerabilities within infrastructure.
Artificial Intelligence (AI) is playing a key role in cyberattacks. “Cyber threat actors are now using AI platforms to identify vulnerabilities and develop sophisticated malware to exploit them,” Garcia said. He stressed that it’s important to remain informed about how hackers are operating, since AI is no longer an up-and-coming threat but now a current one.
Most cyberattacks are preventable. Threat actors are opportunists who are looking to find an easy way in. Francis noted that while some have advanced capabilities, they will tend to choose the simplest approach to reach their desired outcome. “The overwhelming majority of cybersecurity insurance claims are things that could have been prevented and organizations had the means to prevent. Having multifactor authentication (MFA) in place is number one. Updating and patching systems. Having backups. When these are not done, it shows up in the claims,” he said.
The insurance industry is consistently responding to changes on the cyber front. With an ever-evolving field like cybersecurity, it’s important for the insurance industry to adapt alongside it. “The industry was seeing more claims which were becoming more expensive, particularly around ransomware, but also around business email compromise and social engineering fraud,” Francis said. “The industry responded with making sure customers have best-in-class controls and making sure they have access to professionals.”
Speakers
David Rosado
Regional Director, Region 9, Cybersecurity & Infrastructure Security Agency (CISA)
Tim Francis
Vice President, Enterprise Cyber Lead, Travelers
Mario Garcia
Supervisory Cybersecurity Advisor, Region 9, Cybersecurity & Infrastructure Security Agency (CISA)
Host
Jessica Kearney
Assistant Vice President, Travelers Institute, Travelers