Intercast Staffing – October 2022 Newsletter

Welcome to the October edition of Intercast’s monthly newsletter for cybersecurity professionals. As always, we’ll bring you the latest news and views to make you a better-informed consultant.

In this edition:

  • Client Insights
  • Cyber Insurance In Crisis?
  • US Goes Big On Cybersecurity
  • Lessons From LastPass
  • Cybersecurity On The Curriculum
  • Unsecure Devices Could Be Costly For Manufacturers

Client Insights

Each month we ask our clients what’s on their minds and what it means for candidates. This month the most common theme is uncertainty in the cybersecurity marketplace. That’s partly general uncertainty in business and the economy as a whole, with mixed messages making economic confidence hard to pin down. But it’s also uncertainty about how to approach cybersecurity recruitment.

In many cases it comes down to the age-old dilemma of false economies: cutting cybersecurity can bring quick financial “wins” but risks greater costs in the long term. And as we cover in this month’s news, relying on insurance as the main line of defense is an increasingly questionable strategy.

What’s the lesson for cybersecurity professionals looking for work? Simply put, don’t worry about macro trends you can’t control and instead concentrate on the factors you can influence such as keeping your skills and knowledge sharp.

Cyber Insurance In Crisis?

With cyber-attacks arguably as much a risk to businesses as fraud or natural disasters, specialist cyber-insurance seems like a business that should be booming. However, it seems problems on both the supply and demand side of the market are threatening the industry. The good news is it could mean a greater role for cybersecurity professionals. The Information reports that total cyber-insurance premiums in the US leapt 74 percent last year to $4.83 billion. That’s not just a case of more customers, however: instead, it’s largely because individual premiums are rising. So far in 2022 it appears the average policy cost has more than doubled.

The reason is simple: more cyberattacks (and more expensive cyberattacks) have led to more claims than insurers expected. S&P Global reports that things aren’t helped by smaller and newer insurers getting into what looked like a profitable market without really understanding the risks. The rising costs appear to be deterring some businesses, who’ve decided to take the gamble of not being covered. They are also being deterred by insurers imposing strict security rules on would-be clients. In some cases, insurers even hire cybersecurity professionals to check clients have adequate defences before they’ll offer them cover.

US Goes Big On Cybersecurity

The Department of Homeland Security says it will award a billion dollars in grants for state and local cybersecurity programs over the next four years. The money comes from the Bipartisan Infrastructure Law, passed late last year. It’s not just the amount that shows how serious the program is, but the administration as well: the grants will be distributed and overseen by the Federal Emergency Management Agency, reflecting the importance of cybersecurity to the national infrastructure.

State and local governments can apply for funding to “address cyber threats and vulnerabilities, identify key vulnerabilities and evaluate needed capabilities, implement measures to mitigate the threats, and develop a 21st-century cyber workforce across local communities.” Chris Inglis, the current National Cyber Director, described the program as being a “whole-of-society approach” to securing US cyberspace.

Lessons From LastPass

We often think of cybersecurity as being about preventing attacks, but the recent experience of LastPass shows it’s also about providing reassurance and boosting confidence. The company lets users generate and store passwords in a secure vault, protected by a master password that’s unknown even to LastPass itself. In principle at least, that should mean customers aren’t compromised by an attack on the company. When such an attack took place in August, however, it’s understandable that many users were concerned.

LastPass has now written to customers with an update after an “investigation and forensics process.” It added more detail to the original findings that the attackers were only able to get hold of in-development source code for LastPass’s software and applications. It confirmed that “our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults.”

As part of the update, it detailed the physical and technical measures that protect customer data from any attacks elsewhere in the LastPass ecosystem. It’s a perfect example that cybersecurity isn’t just about protection, but understanding that protection well enough to explain it clearly and earn trust.

Cybersecurity On The Curriculum

K-12 students will be getting more education and training in cybersecurity thanks to a new partnership. The US government’s Cybersecurity and Infrastructure Security Agency and the independent NAF network will share resources with educators and students. The partnership will include semester-long or annual cybersecurity courses designed to give students across the country a more consistent and comprehensive insight into the topic.

There’ll also be “short-term learning modules” that teachers can build into student projects. The idea is to make sure students are taught relevant and up-to-date skills in an ever-evolving subject.

Unsecure Devices Could Be Costly For Manufacturers

Smart device manufacturers who sell products in Europe may need to up their security game or pay a steep price. A proposed European Union law would mean businesses have to assess the cybersecurity risks of new products and then keep them secure for up to five years. Under the Cyber Resilience Act, manufacturers would also need to tell the European cybersecurity agency ENISA about any breach within 24 hours of discovering it. The maximum fine for breaking the rules would be €15 million or 2.5% of global annual turnover.

Device manufacturers have already complained the costs of compliance could make it uneconomical to operate in the market. However, EU officials say they’ve crunched the numbers: the extra costs across the industry would be around €29 billion a year, but the extra measures would save manufacturers 10 times that amount by reducing the number of successful attacks.

Best Of The Rest

Here’s our round-up of some of the other stories you need to know about: