The status quo approach to cybersecurity is ineffective, leaving companies vulnerable to attack. The SEC cybersecurity regulation that goes live in December is a step away from status quo practice toward a more effective, holistic, inclusive approach, referred to as Cyber Risk Management, that aims to ensure resilience within cyber ecosystems and to avoid business disruptions caused by a cyber incident. We have reached an inflection point: cybersecurity risk is being acknowledged as business risk, and a paradigm shift in cybersecurity governance and policy is underway. Officers and directors are being held responsible for failing cybersecurity processes and practices.
As Denmark demonstrated, such attacks are only stopped when effective monitoring and defense are paired with partnership between companies and law enforcement. "At the end of the day, this is a problem that needs to be tackled holistically and coordinated between multiple teams and tools," Schmitt concludes.
The incident described in the article below (Read More) was enabled by a vulnerability in a firewall product that is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. I'll quote the report for impact:
We were therefore in a situation where the attack groups had a publicly known vulnerability they could use to penetrate the industrial control systems. And the primary defense against that happening was precisely the equipment that was vulnerable.
It was a so-called worst case scenario – the worst imaginable scenario.
My FERC filing on Docket AD23-9-000 discusses the risk when a common software product used in the energy industry is exposed to an exploitable software vulnerability (a CISA KEV), enabling a coordinated cyber attack. The "blast radius" of a CISA KEV is significantly broader and more impactful than that of the typical BEC or phishing attack, which usually affects one company when its credentials are compromised. A coordinated cyber attack exploiting a CISA KEV can affect hundreds of companies at once and inflict far more damage across all of them.
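The following is an added example, not code from the original post or from the FERC filing it cites. It shows the check a practitioner would run to estimate the "blast radius" discussed above: match a KEV-style catalog against a multi-company asset inventory and count how many companies are running an unpatched, exposed instance of each listed product. The catalog subset, the vendor and product names, the placeholder CVE identifiers and the inventory rows are all constructed for illustration; only the field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) follow the public CISA KEV JSON feed. The KEV feed carries no version ranges, so product matching only identifies candidates; the inventory's `patched` flag stands in for the version or patch-level check a real inventory would perform.

```python
import json
from collections import defaultdict
from datetime import date

# Constructed KEV-style catalog subset. Field names mirror the public CISA KEV
# JSON feed; the CVE IDs, vendors and products are placeholders, not real entries.
KEV_JSON = json.dumps({
    "title": "constructed KEV subset (illustration only)",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleNet", "product": "EdgeGuard Firewall",
         "dateAdded": "2023-10-02", "dueDate": "2023-10-23",
         "knownRansomwareCampaignUse": "Known",
         "shortDescription": "placeholder: authentication bypass on the management interface"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCorp", "product": "Historian Server",
         "dateAdded": "2023-09-14", "dueDate": "2023-10-05",
         "knownRansomwareCampaignUse": "Unknown",
         "shortDescription": "placeholder: remote code execution"},
    ],
})

# Constructed asset inventory: one row per deployed instance across several companies.
# 'patched' stands in for the version check the KEV feed itself cannot give you.
INVENTORY = [
    {"company": "Utility A", "vendor": "ExampleNet",  "product": "EdgeGuard Firewall", "internet_exposed": True,  "patched": False},
    {"company": "Utility A", "vendor": "ExampleCorp", "product": "Historian Server",   "internet_exposed": False, "patched": True},
    {"company": "Utility B", "vendor": "ExampleNet",  "product": "EdgeGuard Firewall", "internet_exposed": True,  "patched": False},
    {"company": "Utility C", "vendor": "ExampleNet",  "product": "EdgeGuard Firewall", "internet_exposed": True,  "patched": True},
    {"company": "Utility D", "vendor": "ExampleNet",  "product": "EdgeGuard Firewall", "internet_exposed": False, "patched": False},
    {"company": "Utility E", "vendor": "ExampleCorp", "product": "Historian Server",   "internet_exposed": False, "patched": False},
]


def load_kev(raw_json):
    """Parse a KEV-format document and return its list of vulnerability entries."""
    return json.loads(raw_json)["vulnerabilities"]


def _norm(name):
    # Vendor/product strings in inventories rarely match the catalog byte-for-byte.
    return " ".join(name.lower().split())


def blast_radius(kev_entries, inventory, as_of):
    """Map each KEV cveID to the companies and instances it touches.

    as_of is an ISO date string; entries whose CISA dueDate is earlier are past due.
    """
    as_of_date = date.fromisoformat(as_of)
    by_product = defaultdict(list)
    for entry in kev_entries:
        by_product[(_norm(entry["vendorProject"]), _norm(entry["product"]))].append(entry)

    report = {}
    for asset in inventory:
        for entry in by_product.get((_norm(asset["vendor"]), _norm(asset["product"])), []):
            summary = report.setdefault(entry["cveID"], {
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due_date": entry["dueDate"],
                "past_due": date.fromisoformat(entry["dueDate"]) < as_of_date,
                "ransomware_use": entry["knownRansomwareCampaignUse"] == "Known",
                "instances": 0,
                "companies_unpatched": set(),
                "companies_exposed_unpatched": set(),
            })
            summary["instances"] += 1
            if not asset["patched"]:
                summary["companies_unpatched"].add(asset["company"])
                if asset["internet_exposed"]:
                    summary["companies_exposed_unpatched"].add(asset["company"])
    return report


def rank(report):
    """Order cveIDs by the number of distinct companies with an exposed, unpatched instance."""
    return sorted(report, key=lambda cve: (-len(report[cve]["companies_exposed_unpatched"]),
                                           -len(report[cve]["companies_unpatched"]), cve))


if __name__ == "__main__":
    findings = blast_radius(load_kev(KEV_JSON), INVENTORY, "2023-11-01")
    for cve in rank(findings):
        f = findings[cve]
        print(f'{cve} {f["product"]}: {f["instances"]} instances, '
              f'{len(f["companies_unpatched"])} companies unpatched, '
              f'{len(f["companies_exposed_unpatched"])} of them internet-exposed, '
              f'past due={f["past_due"]}, ransomware use={f["ransomware_use"]}')
```

The distinction between "instances" and "distinct companies" is the point: a BEC or phishing compromise is scoped to one company, whereas one KEV entry against a widely deployed firewall lands on every company in the inventory that runs it, and the internet-exposed, unpatched, past-due subset is the slice an attacker can reach today.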