Cybersecurity leaders should strive to reward high-performing teams that are powered by high levels of inclusion.

As more organizations try to dovetail diversity, equity, and inclusion (DEI) efforts with the broader business goal of bridging the growing cybersecurity talent gap, diversity is gaining considerable attention in cybersecurity leadership discussions in 2023.

But security and workforce development experts say that the push isn't just about the staffing numbers game or the warm fuzzies of fairness. Those passionate about DEI in cybersecurity argue that bringing in a more diverse set of backgrounds and thinking patterns is also crucial to coming up with new ways of thinking about security problems.

"If we don't do it for empathy and our care for everybody else, then we should be doing it because our attackers are diverse. Do it because we won't win otherwise in this fight of protecting our business," says Deidre Diamond, CEO and founder of CyberSN, a cybersecurity staffing firm. "It takes investing, caring for, and developing people, and it takes going out of our way to do so. I do believe it needs to be done for everybody but certainly for minorities more."

**Words Matter**

As organizations develop their initiatives for bringing in a more diverse cyber workforce, they have to be mindful that the path to DEI failure is often paved with good intentions. While building a diverse and high-performing team of cybersecurity pros takes not only intentional recruitment and development of minority populations, organizations have to be wary that the very efforts that they're taking don't end up alienating the diverse people they're trying to attract.

"Understand that the words we're choosing could actually be sending out language that is turning folks away," says Christy Wyatt, president and CEO of Absolute Software. "The exact people you're trying to bring into the organization, you might be pushing away."

This might come into play in recruitment when the pitch to a highly talented recruit leads with diversity goals rather than a discussion of their skills or learning capacity. Or it could be more subtle cues after employment has been established that cause alienation — for example, by recognizing high-performers not for their accomplishments but their demographic identity. Or maybe it's a lack of communication altogether, such as by making all of those new diversity hires but failing to follow through with internal engagement and development so they feel like they're a contributing member to the team rather than a statistic.

"Think of it this way: If you're sitting in a room and you are the only person that looks like you or has your background, how are you made to feel like you have a voice?" says RegScale CISO Larry Whiteside, Jr., who is also co-founder and president of Cybersity, a nonprofit focused on supporting the academic and professional success of minority cybersecurity pros. "Once we get these people that we are looking to fill roles from these diverse communities, if we aren't reaching out internally, they're going to leave. Organizations have to be very purposeful in how they communicate and work with these people to make sure that they are getting their voice heard."

**'Inclusion Is the How'**

As a technology leader of 25 years who went through a computer science program during a time when she was often the only girl in the classroom, Wyatt has lived the good, the bad, and the ugly of diversity programs. She has spent a long time honing her technical acumen and business skills. She excelled in that room full of boys, climbed the rungs of the corporate ladder, and earned her seat at the boardroom table of numerous organizations. Along the way, certain programs and initiatives have helped and supported her — and others have decidedly not.

"My experience comes from being the target of those programs. I think that gives me a unique view," Wyatt says, "because in some cases that was incredibly empowering. Somebody saw me, and they valued me, and they gave me some support," she says. "In other cases, they identified me and isolated me, and it made me stand out. I did not love it."

As a leader at Absolute and a board member of several organizations, Wyatt is now on the other side of the fence, championing for change. One of the mantras that she tries to keep in mind is that "culture is a function of what you reward," she says. And while being transparent about DEI stats may be an important step in fostering trust both within and outside the organization, those may not be the metrics that organizations want to be tuning their biggest rewards against. 

"Inclusion is the how. It's not the what," Wyatt points out. "We want to reward the performance. We want to reward that the business is getting faster. We want people to understand that this is a result of the investment we're making in our business by creating a more diverse organization — that's what's driving the performance."

At Absolute, Wyatt has pushed for a culture that values high-performing teams by rewarding the performance of the teams and not the individuals. People get paid the same for their role across the board, and when teams hit their profitability and growth targets, everybody gets a bonus.

"That's important because we need folks to make the connection that we all win when we have a broader set of perspectives, a broader set of approaches to solving problems, and we are doing it in one inclusive way," she says.

In addition to financial rewards, the way a company promotes and celebrates diversity successes will also set the tone for cultural values and can make all the difference in creating an atmosphere that retains diverse talent. Wyatt tells a story of how during the run-up to the last cybersecurity awareness month, her team was musing on the positive impact from building a cybersecurity team that is more than 50% female — comprised of highly talented individuals and many Ph.Ds. The initial proposal was to bring a selection of those women to talk about diversity at the company's all-hands meeting. Wyatt says she nudged a slight shift in that direction. She urged that they shouldn't focus primarily on the diversity but, rather, celebrate their cybersecurity work, their credentials, and allow them to "talk about the kick-ass job they're doing to protect our company."

"Now, of course, everybody saw who was standing on the stage. It's not that we didn't talk about diversity. It's not that we didn't mention it, that we didn't call it out," she says. "But it was a way of talking about this as a part of something that was fueling an impact on the business. It was a part of what was fueling the impact. It was a part of something that was fueling performance, that is something we want to share, as opposed to just making \[diversity\] the headline."

Make Diversity the 'How,' Not the 'What,' of Cybersecurity Success

One Peak investment will advance the ubiquity of network assurance, helping organizations to reduce network complexity, assure network automation, and improve network security.

**NEW YORK****,** **June 29, 2023** **/PRNewswire/ --** IP Fabric, the market leader in automated network assurance, today announced that it has closed a $25m Series B funding round led by One Peak with the participation of Senovo and Presto Ventures. This will fuel IP Fabric's mission of making network assurance ubiquitous so that people, businesses, and governments can operate without the exponential risk of network failures or outages.

IP Fabric is a pioneer in network assurance, helping organizations to overcome network complexity, assure network automation, and improve network security. Network assurance is becoming critical for managing private network infrastructure which combined globally is vastly larger than the Internet and forms the backbone of the modern economy. This infrastructure is now the foundation for every part of modern life, from our airports and factories to public utilities and financial systems.

However, rising complexity is making it much harder for humans to understand and manage networks. This makes network automation risky – automation without assurance will lead to unpredictability if organizations cannot see whether automation has had the intended effect, and that it hasn't negatively impacted the rest of the network. Rising complexity also makes it impossible for organizations to identify and eliminate network vulnerabilities, creating multiple blind spots for attackers to potentially exploit. These challenges have created a perfect storm that is putting network resilience at risk.

_"Without network assurance we are leaving network resilience to chance,"_ comments Pavel Bykov, CEO, IP Fabric._"We've seen how network outages can cause businesses and critical infrastructure to grind to a halt, but amidst rising complexity and the need to ensure control in the face of rising cyber threats while adhering to regulatory compliance, enterprises lack the means to assure operations for their entire network end-to-end. IP Fabric delivers the network assurance needed to operate without the exponential risk of network failure or outages while enabling innovation through standardized access to network control data. Organizations must act now because building operational control without a validated baseline provided by network assurance will lead to gaps and unknown unknowns which ultimately cause outages and security incidents that impact people, businesses, critical infrastructure, and governments."_

IP Fabric is an API-first platform that rapidly discovers, models and visualizes complex networks down to the wire, giving end-to-end visibility and control over an organizations' entire network infrastructure. IP Fabric was recognized as a Gartner Cool Vendor in Network Automation and came 8th in the Deloitte Technology Fast 50 with a CAGR of 160% over the past 4 years. Today, IP Fabric works with over a hundred enterprise customers globally, including Airbus, Air France, Major League Baseball, Red Hat, HCL Technologies, Avast and Blackberry.

_"Enterprise networks are becoming increasingly complex, which makes the requirement to discover, model and visualize large networks a priority,"_ comments Humbert de Liedekerke, Co-founder and Managing Partner of One Peak. _This is especially important, when, as Gartner has reported, only 26% of network leaders maintain accurate network data, massively hindering the effectiveness of automation initiatives for 74% of enterprises. Automation must be assured, secure and able to operate effectively in complex network environments. Enterprises can't risk automating in the dark – networks are too important for guesswork that could expose vulnerabilities or cause outages. This is why IP Fabric's unique ability to help enterprises understand, automate, and secure complex networks is so critical_ _to enable the future of network automation."_

Prior seed and Series A investment rounds were conducted with Senovo, Presto Ventures, and Credo Ventures. 

**ABOUT IP FABRIC**

IP Fabric is a powerful Intent-Based Networking technology enabling modern enterprise network operations. A vendor-neutral, API-first automated network assurance platform, IP Fabric discovers, verifies, visualizes, and documents large-scale networks holistically, reducing costs and resources while improving security and efficiency. Ensure smooth migration and transformation projects while simplifying network planning, testing, and troubleshooting. Eliminate business-impacting inefficiencies and continuously verify policy compliance with a standardized, consumable view of your multi-domain network, end to end. Accelerate and refine programmability, automation, and network analytics with accessible, accurate, and contextualized network data at your fingertips. IP Fabric helps organizations including Airbus, Air France, Major League Baseball, Red Hat, HCL Technologies, Avast, and Blackberry overcome complexity, implement effective network automation, and improve network security. For more information, visit www.ipfabric.io

**ABOUT** **ONE PEAK**

One Peak is a leading growth equity firm investing in technology companies in the scale-up phase. One Peak provides growth capital, operating expertise, and access to its extensive network to exceptional entrepreneurs, with a view to help transform innovative and rapidly growing businesses into lasting, category-defining leaders. In addition to IP Fabric, One Peak's investments include Ardoq, Cymulate, Deepki, DocPlanner, Keepit, Lucca, Neo4j, Orgvue, Pandadoc, Spryker, and many more. To learn more, visit www.onepeak.tech.

**ABOUT SENOVO**

Senovo is an early-stage venture capital firm based in Munich and Berlin that partners with exceptional founders building global B2B SaaS category-leaders from Europe. As European first-mover, the fund invests since 2013 into a new generation of B2B software startups which enable the digitalization of medium and large enterprises. Their focus is primarily on supporting teams working in the areas of process optimization, industry 4.0 and data-enabled solutions. Senovo joins the journey after a company has first revenues in a late Seed or Series A round. Their team of SaaS specialists seek meaningful eye-level relationships and regularly publish their learnings and thought leadership at www.medium.com/senovovc. For more information, visit: www.senovo.vc.

**ABOUT PRESTO VENTURES**

Presto Ventures is a Prague\-based investment firm focused on early-stage B2B software startups and online marketplaces led by founders from the CEE region. With over 50 portfolio companies and counting, Presto Ventures stands out as one of the region's most dynamic venture capital firms. In 2022 alone, they successfully closed 24 new deals. Backed by entrepreneurs, family offices, and exited startup founders, Presto serves as a vital link that connects the flourishing CEE tech ecosystem with major Western markets. Besides IP Fabric, Presto's notable investments include Cloudtalk, Ready Player Me, Woltair, Oddin, Sharry, Yieldigo, Omofox, Inventoro, Finmap, Okredo, and Zypl.ai. For more information, visit: www.prestoventures.com

SOURCE IP Fabric

IP Fabric Announces $25M Series B Funding to Accelerate Adoption of Network Assurance

The detection model identifies LLM patterns to counter the rising abuse of generative AI in social engineering attacks.

**(Tel Aviv, Israel – June 29, 2023) —** Perception Point, a leading provider of advanced threat prevention across digital communication channels, today reveals its latest detection innovation, developed to counter the emergent wave of AI-generated email threats. The AI-powered technology leverages Large Language Models (LLMs) and Deep Learning architecture to effectively detect and prevent Business Email Compromise (BEC) attacks, a cyber threat which is currently undergoing a seismic shift due to the rise of Generative AI (GenAI) technologies. 

Threat actors are increasingly abusing evolving GenAI technology to perpetrate more sophisticated, highly targeted attacks against organizations of all sizes. Newly democratized capabilities, including the creation of high-quality, human-like outputs such as personalized emails, have transformed GenAI into a potent tool for cybercrime, particularly in the realm of social engineering and BEC attacks, which have scaled to new heights over the past year. BEC accounted for over 50% of incidents involving social engineering according to the DBIR 2023 Report, while Perception Point's 2023 Annual Report revealed an 83% growth in BEC attempts.

In response to this escalating threat, Perception Point has developed an LLM-based detection model, innovatively harnessing the power of Transformers, AI models capable of understanding the semantic context of text - mirroring the technology behind popular LLMs like OpenAI’s ChatGPT and Google’s Bard. This approach enables Perception Point's solution to identify the unique patterns in LLM-generated text, a critical factor in detecting and thwarting GenAI-based threats - a task traditional security vendors fail to achieve using contextual and behavioral analysis.

The model processes incoming emails at an average of 0.06 seconds, aligning with Perception Point’s ability to dynamically scan 100% of content in near real-time. It has initially been trained on hundreds of thousands of malicious samples caught by Perception Point, and is continuously updated with new data to maximize its effectiveness. 

"Amid an increasingly complex threat landscape, there is an urgent need for cutting-edge defenses against GenAI-powered threats," said Tal Zamir, CTO of Perception Point. "We’re being challenged as an industry with yet another avenue that bad actors have come to exploit in their ever-expanding range of attacks. By reversing this dynamic and proactively leveraging AI for detection, we are able to prevent these threats before they even reach the user’s inbox – a paradigm shift in the fight against BEC attacks.”

To minimize false positives, resulting from the widespread use of generative AI for crafting legitimate emails, Perception Point utilizes a unique 3-phase architecture. After initial scoring, the model categorizes the email content using Transformers and clustering algorithms, integrating insights from these steps with additional data such as sender reputation and authentication protocol information. This process allows the model to accurately predict whether the email is AI-generated and if it potentially poses a threat.

As GenAI continues to rise, Perception Point is leading the charge with its AI-powered cybersecurity solution. By leveraging the patterns in LLM-generated content, advanced image recognition, anti-evasion algorithms and patented dynamic engines, Perception Point provides a robust and proactive defense, neutralizing threats before they ever reach the user.

Discover more about Perception Point's cutting-edge approach to combating GenAI-generated content attacks **here**. 

**About Perception Point**

Perception Point is a Prevention-as-a-Service company for the fastest and most accurate next-generation detection and response to all attacks across email, cloud collaboration channels, and web browsers. The solution's natively integrated incident response service acts as a force multiplier to the SOC team, reducing management overhead, improving user experience and delivering continuous insights; providing proven best protection for all organizations.

Deployed in minutes, with no change to the enterprise’s infrastructure, the patented, cloud-native and easy-to-use service replaces cumbersome legacy systems to prevent phishing, BEC, spam, malware, Zero-days, ATO, and other advanced attacks well before they reach end-users. Fortune 500 enterprises and organizations across the globe are preventing content-borne attacks across their email and cloud collaboration channels with Perception Point.

Perception Point Unveils AI Model to Thwart Generative AI-Based BEC Attacks

The new network visibility mandate provides a good foundation for identifying risks and building better security programs at federal agencies.

By April, all federal agencies were required to begin complying with a new mandate from the US Cybersecurity and Infrastructure Security Agency (CISA) to "make measurable progress toward enhancing visibility into agency IT assets and associated vulnerabilities." In plain language, this means they must get better at monitoring their assets and evaluating their security vulnerabilities.

While complying with Binding Operational Directive 23-01 (BOD 23-01) won't on its own make agencies secure, it does provide a good foundation for identifying risks and building better security programs. Ultimately, federal IT directors will need to go beyond the letter of these BOD requirements and think about how they can use these new capabilities to improve their network operations and security processes.

**Understanding CISA BOD 23-01**

The new mandate focuses on two activities that are essential to improving operational compliance at scale for a successful cybersecurity program: asset discovery and vulnerability enumeration.

**Asset discovery** means finding all network-addressable assets that reside on an agency's network infrastructure by identifying all the associated IP addresses (hosts). This typically does not require special logical access privileges and is vital information for more advanced analytics and security investigations. But discovering networked assets gets harder as networks get bigger, more complex, and virtualized, and as users connect from more locations using a wider range of devices. Most concerning for CISA are bring-your-own (BYO) and other unauthorized devices that have acquired addresses and are present on the network but should not be. Discovery solves both problems: confirmation of approved devices that are present, and detection of devices that are present but are unauthorized.

**Vulnerability enumeration** identifies and reports suspected vulnerabilities on network assets. It detects host attributes (for example operating systems, applications, and open ports) and attempts to identify security flaws and issues such as outdated software versions, missing updates, and misconfigurations. It also involves tracking compliance with or deviations from security policies by identifying host attributes and matching them with information on known vulnerabilities.

The mandate specifies several general requirements that federal agencies must meet, including:

*   Performing automated asset discovery every seven days to maintain an inventory of devices
*   Identifying software vulnerabilities using privileged or client-based means where technically feasible (to provide the deepest inspection of access issues)
*   Tracking how often the agency enumerates its assets, what coverage of its assets it achieves, and how current its vulnerability signatures are
*   Providing this asset and vulnerability information to CISA's Continuous Diagnostics and Mitigation (CDM) federal dashboard

The mandate also includes more specifics such as how often to perform asset discovery and vulnerability enumeration, how to conduct those scans, and requirements for reporting this data to CISA. Importantly, CISA doesn't specify how to meet any of these objectives but leaves it up to the discretion of each agency's IT leadership.

**What This Means for Federal Agencies**

It's clear from this mandate that the old approach of doing compliance assessments every few years won't be sufficient. Agencies will need to build or buy a network automation and visibility solution that allows them to discover assets and find vulnerabilities at scale and across domains while also providing regular, ongoing status reporting.

Meeting these requirements doesn't mean an agency will be safe from cyberattacks, but it does help improve the security of IT resources. For instance, asset visibility is necessary for updates, configuration management, and other security and lifecycle management activities that significantly reduce cybersecurity risk, along with exigent activities like vulnerability remediation. But for a network topology with the scale and complexity of the federal government — with its broad deployment of devices and virtualized services — automation is the only realistic way to conduct security best practices (like updating device firmware with security patches, changing passwords regularly, and preventing firewall configuration drift).

**Complying With BOD 23-01**

The new CISA mandate stems from the realization that the historical approach of allowing individual agencies to determine how best to secure their networks isn't working. In practice, resource-constrained agencies deprioritized aggressive secure-access verification. They also did not fully account for how frequently their networks would change due to new technologies, new applications, and new projects all making the problem worse. This ultimately led to the declining security of federal IT infrastructure.

However, given that this new mandate does not come with any additional funding to meet it, agencies must rethink how they use existing operational and engineering resources to perform all the required visibility and vulnerability assessments in the weekly timeframes specified. In fact, they will need a solution that democratizes network automation to better leverage their available subject matter experts to define the required topology, secure access, and compliance needs. While a single engineer can test a device or create a vulnerability scan once, automation can continuously replicate and execute that work any number of times across the entire infrastructure automatically.

**Putting it All Together**

The reality is this automated approach is the only way to effectively meet the requirements of the BOD 23-01 mandate. Automation can apply accepted best practices — or any repetitive network task like those embodied in BOD 23-01 — at scale.

All in all, the BOD 23-01 mandate is a welcome first step toward securing the US federal government's digital footprint. Understanding what is connected and its vulnerability in near real-time will go a long way to identifying potential problems and possible attack vectors before they can be exploited. Federal IT directors must go beyond traditional labor-intensive approaches and consider network automation if they hope to successfully meet the mandate's requirements.

CISA BOD 23-01: What Agencies Need to Know About Compliance

With the right collaboration among employers, educators, and policymakers, we can come together to create a more secure environment for all.

The Organisation for Economic Co-operation and Development (OECD), in partnership with Microsoft, recently released an extensive report analyzing over 400 million online job postings from January 2012 to June 2022 to better understand cybersecurity workforce supply and demand. Centered around insights from Australia, Canada, New Zealand, the UK, and the US, the report comes amid a backdrop of growing worker shortages and increased cyberattacks.

Cybersecurity failures are among the top 10 risks that have worsened the most since the pandemic. These failures have put more pressure on security teams and have caused the overall demand for skilled cybersecurity workers to outpace the current supply. (ISC)2 estimates that we have a worldwide shortage of 3.4 million cybersecurity workers, with nearly 70% of organizations dealing with a worker shortage. 

If organizations want to overcome this hurdle, they’ll need to come together with policymakers and educators to create a series of sweeping changes that empower current and future cybersecurity workers. 

The OECD's report reveals a number of insights into the most in-demand skills over the past decade. These include skill sets throughout cloud security, cybersecurity frameworks, and threat assessment. By examining these dynamics, companies can better measure their current needs against existing education and training programs to determine where gaps exist. However, this also means that companies will need to partner closely with educators and policymakers to create a sustainable talent pipeline that's equipped to meet the cybersecurity needs of tomorrow.

Based on the findings laid out in the report, here are three ways that the private and public sectors can work together to expand educational opportunities and create a more skilled cybersecurity workforce:

*   **Offer multiple career pathways within cybersecurity training**: Formal and informal cybersecurity training should be offered at various levels for a broad range of job roles in both long- and short-course formats. Additionally, organizations must work to establish clear progression pathways between training programs.

*   **Close the workforce gap with skills-based recruitment and formal education**: Cybersecurity skills are evolving quickly. Many types of education are relevant, including community and technical college programs, as well as skills-based certifications. Formal education is not the only path. Recruiting workers based on acquired skills can close the cybersecurity workforce gap by reducing entry barriers for young people and people with less experience. Investing in mentorship and curriculum co-design programs to meet the demand for cybersecurity skills beyond the technology sector also is worthwhile.

*   **Build basic digital skills first**: Digital skills are the foundation for cybersecurity skills. People of all ages, especially the most disadvantaged, need opportunities to develop essential online knowledge. For example, before engaging in cybersecurity-specific training, workers should first have a basic understanding of cloud computing. By embedding cybersecurity best practices throughout the organization and making cybersecurity the responsibility of all, organizations can raise the bar for defense across the board.

**How Diversity Can Help Fuel Cybersecurity**

In addition to insights around highly sought-after skill sets and job titles, OECD's report also reveals that demand for cybersecurity professionals has spread beyond the confines of major urban centers. It calls for a more decentralized workforce to meet demand in underserved areas. 

This landscape creates an opportunity for employees from more diverse professional backgrounds to break into the cybersecurity field. If companies are to close the skills gap and meet the current demand for cybersecurity workers, they will need to broaden their horizons to account for more nontraditional cybersecurity career paths. In doing so, they will enhance the industry with a broader range of unique experiences and life skills.

Recruiting more diverse candidates also allows companies to approach security challenges from different angles and identify solutions that may not have been considered otherwise. When a workforce is as diverse as the cybersecurity threats an organization faces, it can pull from a broader range of professional and personal experiences to more effectively and inclusively protect themselves and their end users. Additionally, weaving diversity throughout the recruiting and retention process helps ensure that security measures are effective for all users — regardless of their backgrounds or abilities. 

The challenges facing the cybersecurity sector are steep, but with the right collaboration among employers, educators, and policymakers, we can come together to create a more secure environment for all.

3 Ways to Build a More Skilled Cybersecurity Workforce

Thales will build new machine learning-powered data discovery and classification features based on Google Cloud's Vertex AI.

Thales is partnering with Google Cloud to add generative AI features to its CipherTrust Data Security Platform, the company said this week. The first project will be to build a data discovery and classification tool based on Google Cloud's Vertex AI machine learning platform.

Gartner estimates that companies will deploy more than 95% of new digital workloads on cloud-native platforms by 2025, up dramatically from 30% in 2021. But all of that cloud reliance comes with new or enhanced security threats, such as not knowing where sensitive data is being stored.

Thales will build a data discovery and classification machine learning feature using Vertex AI to help organizations find and categorize data, and then apply the correct controls to protect the data. The new capabilities, which will be part of CipherTrust Platform's Intelligence Protection service, will use machine learning to classify data into categories and subcategories, Thales said. Semantic context will help discover and classify information from a range of document repositories while ensuring sensitive data remains within defined boundaries. By using named entity recognition techniques, the service will be able to discover a range of sensitive information types.

Google Cloud's Vertex AI will allow Thales to automate processes and perform tasks in line with corporate policies.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Cloud GenAI Is Coming to Thales' Data Security Platform

If you have an IoT network powered by Pepper, you can now insure it through Embedded Insurance — even if your business is too small to support a SOC.

Consumers and small-to-midsize businesses (SMBs) that use Internet of Things (IoT) devices to manage smart homes and businesses have a new option for obtain cyber insurance — providing their service providers are using the Pepper IoT Platform-as-a-Service (PaaS) back end. The service, announced on June 28, allows users to opt for a minimum of $10,000 per device in coverage from their providers for each device without requiring them to submit cyber insurance applications. The insurance is available either as an add-on at the time of the sale from the service provider, or it can be purchased later.

Pepper CEO Scott Ford says that consumers currently have very few options to obtain comprehensive cyber insurance for their IoT devices. While individuals have some options to reduce their risk and become better candidates for cyber insurance, many do not know how to do so. Offering an actual cyber insurance policy — not just a rider to an existing home policy that might offer nominal coverage — provides real and measurable coverage for common cyber threats, he says.

While the consumer market is the primary target for this partnership, Ford says that SMBs that use surveillance cameras and similar IoT devices also can benefit from this low-cost cyber insurance alternative.

**Consumers Need Simple**

Toby Coleridge, chief product officer at Embedded Insurance (EI), which is Pepper's cyber insurance broker, says the process of obtaining a policy through his company — without the need to fill out long applications that must be processed through underwriting — is easy for the clients to understand. EI's policies are underwritten by Chubb, the top-ranking cyber insurance carrier in 2023.

Coleridge notes that these are real cyber insurance policies that are specifically designed to be simple to purchase. Unlike corporate cyber insurance policies — where rates and terms are based on an organization's existing cybersecurity controls, audits, penetration tests of networks, and negotiations with corporate boards, corporate counsels, and CISOs — these policies are off-the-shelf packages that are preconfigured and priced accordingly, much like purchasing an automobile policy.

"We haven't needed to look at putting in restrictions," he adds. "That's the complexity of SMB insurance versus the residential policy that we're using here. Ultimately, the whole point of this is to keep it as simple as possible."

Among the coverages offered are cyber financial fraud, cyber extortion (including ransomware coverage up to the policy's limits), identity theft, data restoration, device replacement, and cyber bullying. Policies are available starting at $5.28 per month per device. For higher limits, such as coverage up to $100,000 per device, the price could rise to $20 per device per month or more.

Coleridge sees personal cyber insurance as a growing market going forward. As social engineering attacks increase against individuals, the need for personal cyber insurance will increase as well, he says. "It's about protecting you against some of those threats that most consumers are probably naive to today," he adds.

**Security and Insurance Are Natural Partners**

Ford notes that in 2022 State Farm Insurance invested some $1.2 billion into the electronic alarm-monitoring security firm ADT, adding that the insurer could offer better rates to customers who proactively add security controls and thus become lower insurance risks. Similarly, Pepper late last year acquired Comcast business unit Notion, a smart property monitoring sensor system and app that enables home and small-business owners to monitor and reduce loss from costly property damage. In both cases, the acquired firms provide the new parent with on-the-ground intelligence that lowers the user's vulnerability to losses.

The partnership between Pepper and Embedded Insurance is similar to others. For example, earlier this month in the enterprise space, security operations center (SOC) and XDR vendor Arctic Wolf announced a similar program with cyber insurance carrier Cysurance. The Arctic Wolf model is designed for much larger enterprises that can support a SOC, as well as other enterprise-class security controls. As part of the program, Arctic Wolf customers can purchase up to $1 million worth of cyber insurance at an 80% discount from standard market rates.

Pepper and Embedded Insurance Partner on Cyber Insurance for Consumers, SMBs

Though government agencies have hundreds of devices exposed to the open Internet, experts wonder if CISA is moving at the right pace.

Researchers have discovered hundreds of devices running on government networks that expose remote management interfaces on the open Web. Thanks to the Cybersecurity and Infrastructure Security Agency (CISA), that will change quickly — possibly too quickly, according to some experts.

On June 13, CISA released Binding Operational Directive (BOD) 23-02, with the goal of eliminating Internet-exposed management interfaces running on edge devices in Federal Civilian Executive Branch (FCEB) agency networks. The announcement came soon after CISA's advisory about Volt Typhoon, the Chinese state-backed advanced persistent threat (APT) that leveraged Fortinet FortiGuard devices in espionage campaigns against US government entities.

To gauge how significant BOD 23-02 would be, researchers at Censys scanned the Internet for devices exposing management interfaces in federal civilian executive branch (FCEB) agencies. The scans revealed nearly 250 qualifying devices, as well as a number of other network vulnerabilities outside of the scope of BOD 23-02. 

"While this level of exposure probably doesn't warrant an immediate panic, it's still worrisome, because it could be just the tip of the iceberg," says Himaja Motheram, security researcher for Censys. "It suggests that there may be deeper and more critical security issues, if this kind of basic hygiene isn't being met."

**How Exposed FCEB Organizations Are**

Devices qualifying under BOD 23-02 include Internet-exposed routers, switches, firewalls, VPN concentrators, proxies, load balancers, out-of-band server management interfaces, and any others "for which the management interfaces are using network protocols for remote management over public Internet," CISA explained — protocols like HTTP, FTP SMB, and others.

Censys researchers discovered hundreds of such devices, including various Cisco devices exposing Adaptive Security Device Manager interfaces, Cradlepoint router interfaces, and popular firewall products from Fortinet and SonicWall. They also found more than 15 instances of exposed remote access protocols running on FCEB-related hosts.

The search was so bountiful that they even uncovered many federal network vulnerabilities beyond the scope of BOD 23-02, including exposed file transfer tools like GoAnywhere MFT and MoveIt, exposed Barracuda email security gateways, and various instances of defunct software.

Organizations often don't know their level of exposure or don't understand the implications of exposure. Motheram emphasizes that unprotected gear was all quite simple to find. "And what was trivial for us to find is, honestly, probably even more trivial for amateur threat actors out there."

**How Edge Devices Get Exposed**

How is it that so many devices are exposed on otherwise highly scrutinized government networks?

Joe Head, CTO of Intrusion, points to any number of reasons, including "convenience of the administrator, lack of operational security awareness, lack of respect for adversaries, use of default or known passwords, and lack of visibility."

James Cochran, director of endpoint security at Tanium, adds that "staffing shortages can cause overworked IT teams to take shortcuts so they can make the management of the network easier."

Consider, too, the traps unique to the government that can make the problem even worse. "With little oversight and concern about potential threats, devices can get added to the network under the guise of being 'mission critical,' which absolves them from all scrutiny," Cochran laments. Agencies can also merge or expand, with gaps in their network and security integration. “Over time, the overall networks begin to resemble something out of a Mad Max movie, where random things are bolted together and you are not sure why."

**Will BOD 23-02 Turn Things Around?**

In its directive, CISA indicated that it will begin scanning for qualifying devices and informing the culpable agencies. Upon notification, offending agencies will have just 14 days to either disconnect these devices from the Web, or "deploy capabilities, as part of a zero-trust architecture, that enforce access control to the interface through a policy enforcement point separate from the interface itself."

That two-week period will force relevant agencies to act fast to secure their systems. But that could be difficult, Motheram acknowledges. "In theory, removing devices that are exposed from the Internet should be simple, but that's not always the reality. There can be some bureaucracy to deal with when changing access policies that add friction," she explains.

Others believe the burden is undue. "This is not a responsible timeline," Cochran says. "Since the problem is so widespread, I would expect there to be significant impacts to the identified agencies. This is the same as trying to untangle a bunch of wires by sawing through them."

Others applaud CISA's no-nonsense approach. "It is hard to come up with a timeline to stop doing what should have never been done," Head says, arguing that 14 days may be too long to wait. "Five minutes would be more advisable as managers task the corrective network changes. It has been standard practice not to expose management interfaces to the public Internet for years, so making it mandatory is prudent and reasonable."

CISA Wants Exposed Government Devices Remediated in 14 Days

**LONDON****,** **June 29, 2023** **/PRNewswire/ --** IEC standards have long been considered _de facto_ for the European power grid sector. But the cost and complexity inherent in implementing them has inhibited full adoption, until now.

Smart Grid Forums, an independent conference organizer specialized in the European power grid sector has been facilitating meetings on various IEC standards for more than 10 years. Key standards include IEC 61850 for substations, IEC CIM for control centers, and IEC 62443 for OT cybersecurity. The objective of these meetings have been to support grid operators in assessing the business case for the standards, conducting pilot projects to test their technical feasibility, and educating the wider utility workforce, to mobile large-scale deployment in support of the Energy transition.

"This year it has become clear that these standards are inter-dependent" says Mandana White, CEO of Smart Grid Forums. "Whilst utilities have been working with them in focused silos, the reality is that without their effective interworking, grid operations will not be able to run seamlessly and reliably."

As a result, Smart Grid Forums are hosting a joint meeting brining all three utility IEC standardization communities together at one time in one venue. Each group will benefit from a dedicated case-study programme that deep dives into the latest lessons learnt from the implementation of each standard whilst also being able to access information and networking related to the other standards.

The week-long event begins with a choice of 3 Fundamentals Workshops, providing participants with the foundational knowledge they need in IEC 61850, IEC CIM, and IEC 62443. The main 3-day conference opens with a series of high-level plenary sessions on the macro issues facing the standardization community, and then breaks out into three technical tracks focused on utility case-studies. The week wraps up with a Communication briefing designed to help technical teams translate their engineering know-how into organizational priorities using language that will influence the Board and secure long term investment.

70+ SPEAKERS INCLUDING:

·  Christoph Brunner, Convenor, TC57 WG10

·  Gabriel Faifman, Co-Convenor, TC65 WG10

·  Svein Olsen, Lead Member, TC57 WG13,14 & 16

·  Alex Apostolov, Editor-in-Chief, PacWorld

·  Jennifer MacKenzie, Lead Design Engineer, Scottish Power Energy

·  Anders Johnson, Power Systems Specialist, Vattenfall Networks

·  Barry Coatesworth, Cybersecurity Advisor, Scottish Power

·  Philip Westbroek, OT Security Officer, Enexis

·  Damien Ploix Chief of Cybersecurity, Enedis

·  Mohammed Radi, Network Data Modelling Engineer, UK Power Networks

·  Rui Pena, Senior Consultant, E-REDES

·  Anna Elgersma, Data Architect, Alliander

DISCUSSION TOPICS INCLUDE:

·  GLOBAL STANDARDISATION REVIEW - Evaluating the rate of IEC standardization take-up globally and identifying market trends and lessons to be learnt for Europe

·  WORKING GROUP IMPROVEMENTS - Evaluating the benefits of working group participation and identifying how the IEC can better engage utility contribution in the interest of wider market development

·  WORKFORCE ENGAGEMENT - Establishing a training culture that rapidly advances IEC 61850 competence of engineering, operations, and maintenance teams to drive organizational change at pace

·  PROCESS BUS - Leveraging IEC 61850 standardization to drive the cost-efficiency and accessibility of process bus architectures for grid networks

·  VIRTUALISATION - Determining the roadmap from digital to virtual substations and prioritizing the implementation steps to commit to in the next 2-3 years

·  IEC 62443 FOR THE GRID - Determining how IEC 62443 can be leveraged in combination with ISO 27001 to drive end-to-end cybersecurity of the IT-OT integrated digital grid

·  IMPLEMENTATION PLANNING - Creating a IEC 62443 implementation roadmap with clear priorities for utilities, suppliers and system integrators on both a governance and technical level

·  PATCH MANAGEMENT - Ensuring the effective application of IEC 62443 guided patch management regimes to maximize the lifecycle of OT infrastructure

·  CIM FOR A CENTRALISED REPOSITORY - Applying CIM to all grid systems to promote centralization and to build a coordinated set of data models

·  INTERNAL-EXTERNAL DATA EXCHANGE - Reviewing the latest developments with CGMES to support TSO-DSO data exchange and interoperability

TESTIMONIALS FROM PAST EVENTS

"As usual high-quality presentations and relevant topics." 

Anders Johnsson, Power system specialist, Vattenfall Eldistribution AB

"In my opinion this is the best industrial conference about smart grid and IEC 61850." 

Andrea Bonetti, Senior Specialist, Megger Sweden AB

"This was a great opportunity to learn about the IEC 62443 concepts, controls and framework."

Anja Ivanovska, Info Sec Specialist, EVN

"A refreshing insight and different angle on cyberthreats and possible measures for the OT domain."

Bas Mulder, Technologist OT, TenneT

"Great opportunity to meet, exchange, discuss and develop ideas concerning CIM."

Ruben Haasjes, Data Consultant, Alliander

"Bringing utilities from across the world together to digitally transform our energy systems." 

Jakub Sliva, Asset Data Specialist, Stedin

To find more about how you can get involved contact the SGF team directly at:

We are an independent B2B event provider serving the smart grid technical community. We monitor the market, conduct depth interviews, and translate the insights into techno-commercial meetings that empower participants to accelerate their grid modernisation plans, drive renewables integration, and help meet climate goals.

SOURCE Smart Grid Forums

IEC Standardization Leaders Convene in Amsterdam to Review Utility Interworking of Key Standards

New online safety bill could force encrypted messaging apps like iMessage and WhatsApp to scan for child abuse material, but platforms warn about privacy implications.

Apple has joined more than 80 technology experts and organizations in an appeal to UK lawmakers to consider the broader privacy ramifications of pending legislation called the Online Safety Bill.

The legislation, moving its way through Parliament, is intended to force accountability for technology platforms used to distribute child abuse materials.

Platforms like iMessage and WhatsApp use end-to-end encryption (E2EE), which prevents anyone but the sender and recipient from viewing the contents of a message. E2EE also keeps law enforcement from identifying illicit materials.

In its current form, the Online Safety Bill allows, under some circumstances, the UK's communications regulator Ofcom to force platforms to scan messages for prohibited content.

In a statement, Apple said it was willing to work with the British government to purge abusive content on its platform, but adds that breaking end-to-end encryption comes with other privacy risks, according to reports.

"End-to-end encryption is a critical capability that protects the privacy of journalists, human rights activists, and diplomats," Apple said, according to the BBC. "It also helps everyday citizens defend themselves from surveillance, identity theft, fraud, and data breaches."

"Apple urges the government to amend the bill to protect strong end-to-end encryption for the benefit of all," Apple added.

In addition to Apple's objections, an open letter to Technology Minister Chloe Smith from the Open Rights Group (ORG) warned about the security risks associated with this kind of open spying on citizens without their consent. The letter was signed by more than 80 national and international civil society organizations, academics, and cyber experts, the ORG said.

"The inconvenient truth is that it is not possible to scan messages for bad things without infringing on the privacy of lawful messages," the ORG open letter read. "It is not possible to create a backdoor that only works for 'good people' and that cannot be exploited by 'bad people'."

Other encrypted messaging apps like WhatsApp and Signal told the BBC they adamantly refuse to weaken the privacy on their platforms, with Signal putting out a statement in February that if the legislation became law it ... "would absolutely walk," meaning it would halt services to the UK altogether rather than comply with proposed Online Safety Bill requirements.

Source

DARKReading