That’s a nice cyber you’ve got there. Shame if something were to happen to it.

It should deeply concern us that cyber insurance is becoming less available.

The CEO of Zurich Insurance (the company that denied Mondelez’s USD 100m claim after NotPetya on the grounds that it was an act of war) says “What will become uninsurable is going to be cyber,” and he asks “What if someone takes control of vital parts of our infrastructure, the consequences of that?”

He’s right – and also right that insured ransomware payments create perverse incentives for insurers. It is something like submitting a $10,000 claim to your home insurance because you paid that $10k to a criminal who threatened to burn your house down, and then telling the insurer it should be glad it isn’t paying out the full value of the house instead.

Now, the issue here is that there is no law enforcement agency that can stop a ransomware attack the way the police can arrest a criminal who threatens arson. That leaves small and mid-sized businesses in particular in the lurch: ransomware is existential for them in a way it simply is not for larger organizations.

The burden will be put on organizations to save themselves from ransomware, with what I think is an ever more likely push by USG to ban ransomware payments. Because such a ban will not hit SMBs (for whom an attack is an existential threat) the same way it will hit enterprises (for whom it is closer to a cost of doing business), USG must provide more services at the state and local level to help SMBs prevent and recover from ransomware attacks. @ciaranmartin and I wrote an article on this last year which is still 100% true: a ransomware attack at any point in a critical-infrastructure supply chain is a national security risk, not simply a financial one.

Contempt is the most dangerous emotion

There is an entire world of small and mid-sized businesses that are absolutely helpless in the face of the kinds of attacks we call “basic” in infosec. Invoice spearphishing, business email compromise (BEC), credential harvesting – these are the things we think of as entry-level hacks.

Ok, I’m a little angry here. I’ve heard a dozen stories this year from professional services providers like accountants, lawyers and MSPs about the jargon, contempt, and expense they have met from enterprise product companies and infosec consultancies.

I’d like to challenge every infosec pro: talk to your friends, your barista, your gardening service, the local cafe owner, your bookkeeper, day care provider, personal trainer, housekeeper (really, anyone whose job is actively being replaced by the gig economy) and find out whether their business has turned on 2FA. If they don’t understand what you’re talking about, can you explain it clearly and helpfully enough that they are happy to become the internal advocate for more security at their SMB?

If you can, thanks. If you can’t, ask yourself, your company and your community: what are we doing to protect the half of American workers who don’t work at enterprises large enough to mandate security measures and profitable enough to pay for them?