Gary Phipps, CyberGRX: cybersecurity is a cat and mouse game
As ransomware picks up its pace, more companies turn to the cybersecurity field to look for effective solutions to combat cybercrime.
In 2021 alone, cybercrime-related losses are predicted to reach $6 trillion, double the values seen just five years ago. Today, it is as clear as ever that the evolving ransomware environment needs to be met with novel, privacy-friendly security developments.
We reached out to Gary Phipps, the Vice President of Solution Architecture at CyberGRX, to learn his insights into the new emerging ransomware landscape, as well as find out more about the security solutions provided by CyberGRX.
How did it all start for CyberGRX?
Our CEO, Fred Kneip, previously served in a security leadership position where he witnessed firsthand how cyber risks were increasing as organizations shared more and more data with their business partners. After speaking with other security leaders about their concerns around the inability to scale existing third-party security programs to effectively meet the demand of the business, Fred knew there had to be a better way. He decided to take the leap and build a startup that would bring much-needed innovation to the third-party cyber risk management (TPCRM) space. Thus, CyberGRX was born.
Do you think the pandemic played a role in the recent rise of cyberattacks? Did you notice any new tactics?
The pandemic has significantly changed how businesses operate. In order to maintain operations and increase efficiency, businesses had to rely more heavily on new technologies and digital processes, including increased reliance on cloud providers and supply chain software. As organizations increase outsourcing and onboard new vendors and partners, they also increase their third-party ecosystems and attack surfaces. Diversifying your supply chain reduces risk in some contexts, such as manufacturing, but having a vast digital vendor portfolio is dangerous and expensive to secure properly. Surprisingly, while 82% recognize that third-party threats expose their organizations to risk, many fail to take adequate mitigation measures, leaving them open to attacks, such as those experienced by Kaseya and SolarWinds. Hackers are no longer as interested in going after the most high-profile targets but those with the most connections. Software providers, especially cloud applications, provide pre-packaged connectors or apps that allow your users to easily connect networks, file structures, and other applications to differentiate themselves from the competition. These connections make the user experience immensely valuable but also allow threat actors easy points of egress. Where a vulnerability used to entail an intentional backdoor in a line of code, it could now be just a clever understanding of how to traverse the right mix of business applications to get to where you want to go.
Did you implement any new features as a result of the pandemic?
Research finds that 67% of companies have experienced a third-party incident in the past year. CyberGRX has released important new features to support our customers in managing third-party cyber risk.
Our Ransomware Threat Profile tool allows customers to pull reports for specific third parties and view their coverage against 124 controls that have been deemed critical to ransomware protection by MITRE®. We’ve also created threat profiles aligned with specific ransomware campaigns and other attacks, including REvil, Kaseya, SolarGate, CodeCov, and Accellion. Organizations will be able to get a better sense of the ransomware risk within their entire third-party ecosystem so they can request remediation and mitigate risk.
We’ll be releasing some exciting product news in the coming months, too -- stay tuned!
We often hear that human errors might be even more to blame for successful ransomware attacks than security flaws. How is ransomware deployed into one’s device, and are people themselves usually the cause of it?
It’s hard to vilify anyone for being the victim of ransomware. Having said that, the distribution method for ransomware primarily revolves around tricking someone into clicking something they shouldn’t have clicked.
What are the best practices when it comes to protecting one’s company against ransomware?
The best way to defend yourself against a ransomware attack is to try to never receive the malware to begin with. Filter your web traffic and email content before the end-user has to decide how suspicious-looking each piece of digital correspondence is. Provide your employees with great Security Awareness Training because, after the clicking starts, your options become limited.
Is paying a ransom a bad strategy?
Making policy decisions for others without context can be dangerous and, in some cases, outright irresponsible, but overall, paying ransoms clearly rewards the tortfeasor. I can suggest that whatever policy your company lands on regarding negotiations with digital criminals shouldn't be written during an active attack.
Let’s say a ransom is paid. What’s the aftermath of a ransomware attack? Can everything be restored back to normal?
Likely, no, and for several reasons. Depending on how publicized the event becomes, your reputation will sustain at least some impact that will last longer than the physical event itself. After the press (no offense) gives your brand a shiny new hashtag, normal will have a new meaning for a while. The percentage of your data that is returned and the duration of the exploitation are determined by the criminal. You don’t have much control over the degree of normalcy that is recovered. Furthermore, the monetary costs associated with a ransom event—especially a disruption—take a true cost accountant to codify: network downtime, people productivity, loss of business opportunity, supplier productivity, machine downtime, restoration costs, etc. Get a quote for Security Awareness Training. Then come read that second-to-last sentence again.
How do you think cybercrime is going to evolve as organizations start to take cybersecurity more seriously?
Cybersecurity is a cat and mouse game. Organizations implement new security technologies to thwart attacks and then threat actors develop new tactics to undermine these systems. Unfortunately, attackers tend to move faster than organizations can and are always developing new tactics and techniques. We’re currently witnessing this with ransomware as hackers incorporate new levels of extortion into their attacks. Hackers are no longer relying on traditional encryption methods but are also using the threat of embarrassment or public disclosure of illicit activity to make victims pay the ransom.
And finally, what’s next for CyberGRX?
CyberGRX has grown to more than 125,000 companies in our risk exchange with 8,000 completed assessments. That means 80% of the top 500 companies requested by customers are already on our exchange. While we aim to continue growing our assessment library, we’re not stopping there, and we have some truly exciting new features and capabilities in the pipeline.
Through our assessment process and other rich data sources, we’ve been able to gather the most extensive and comprehensive datasets and analytics available in the market. We’re excited to deliver new tools that harness the power of this data and offer visibility and insights unattainable by other vendors. While I cannot divulge all of the exciting projects we’re currently building, I encourage readers to stay up-to-date on all of CyberGRX’s news by checking out our website and social channels.