CYBERSECURITY DEBT—unaddressed security vulnerabilities like unpatched software, unmanaged devices, shadow IT, insecure network protocols, etc.—is a type of technical debt. As the cybersecurity “debt” accrues, not only does it become more costly to address, but it also makes an organization increasingly vulnerable to attack.
Indeed, recent research from the 2023 Global Cyber Confidence Index concluded that "cybersecurity debt associated with weak cyber hygiene practices is a leading cause of cyber incidents, including ransomware.”
And according to a December 2022 cybersecurity advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), “Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system.”
Kevin Kiser, senior director of strategy within the insurance solutions division at Arctic Wolf, and a former solutions provider and current licensed insurance provider, sees the same cybersecurity gaps across the client landscape. “First are external vulnerabilities such as poorly configured web servers and clouds.” Second is a lack of multifactor authentication. “Finally, they need better backup systems,” he says, adding that “snapshots are helpful.”
If your customers are ignoring security holes or have poor practices that put them at risk, there are some ways to help them help themselves.
“You want to close the doors attackers use,” says Kiser. “Focus on the known vulnerabilities hackers target,” like unpatched systems and configuration errors.
For motivation, let customers know that cyberescurity debt can hurt both finances and reputation. Just ask Michael Goldstein, president of LAN Infotech, an MSP in Fort Lauderdale, Fla. Goldstein’s small medical office client, with only a handful of locations, earned visits by the FBI when their information showed up in hacker chat rooms.
He also had a large client that suffered an undiscovered breach, but it wasn’t ransomware. The criminals used their stolen information to send their customers fake bills redirecting payments to bank accounts they controlled. LAN Infotech also assisted another firm, not a client, that needed extra techs to remediate ransomware damage. He billed them for weeks of services.
Undiscovered cybersecurity debt will cause businesses to make mistakes on their insurance coverage too, and as a result choose coverage that’s too low, says Kiser. “You may set a low limit on certain coverage, like a ransomware payment of business interruption loss. When you go above that limit, you pay out of pocket.”
If clients need more convincing to address cybersecurity debt, the insurance industry is your friend. Cyber insurers address the same cybersecurity debts from their end. Kiser adds, “There’s good collaboration between insurance carriers and security techs.”
Adds Goldstein, “It’s a great reality check for our clients when they bring us cyber insurance forms and there’s 24 security guidelines to follow and they’re doing only six.” LAN Infotech is a Kaseya partner, and when clients use their full security stack, the protection provided meets all the recommendations for most cyberinsurance carriers, he says.
Why is cybersecurity debt sometimes left unadddressed? “Humans have a special ability to believe bad things won’t happen to them,” Kiser notes. He focuses on stories and responses to past incidents as well as financial ramifications to persuade clients to reduce cybersecurity debt. “Privacy attorney groups are often pulled in as first responders after a breach so that responses are covered by client privilege,” he says. Attorney billing rates make MSP service fees look like babysitting money, and that difference will make an impact on clients.
Goldstein leans on education to address debt. “We offer informative sessions and speak often to civic and business groups. You can’t have enough discussions.”
He also encourages better cyber hygiene.
“We’re contacting clients to run more phishing tests,” Goldstein says. “They’re more receptive to those now. [And] with SaaS tools you can do network vulnerability testing without expensive equipment.” He also uses proactive tools to check network shares, examines files going in and out, and blocks traffic from countries in which his clients have no contacts. Many Errors & Omissions insurance policies for professionals now include cyber insurance questions in the same areas he’s recommending.
Image: iStock / Ildo Frazao