Zurich VP Risk Engineering: Companies Must Become Cyber Resilient
It may be impossible to stop cyber attacks altogether, but companies can take steps to become cyber resilient, said David Shluger, vice president, Cyber Risk Engineering, Zurich North America. Shluger spoke with Insider Engage at RIMS 2022 in San Francisco.
What is cyber risk engineering?
Cyber risk engineering very simply is our efforts to help our customers manage their cyber risk, understand their cyber risk, and really do something about one of the biggest risk areas for most of our customers today.
We're providing support, whether it's training, assessments and actually helping them put into place the risk mitigations that'll help reduce cyber risk and help them respond in a better way.
What can companies do to help reduce the risk of cyber attacks?
It's a great question because everyone's asking how can I become more cyber safe. We believe the concept is cyber resilient. It may not be something we can ever truly prevent. But if we're ready to respond, if we know the risks we're facing, and we're managing them in the most appropriate way, using every possible tool we have at our disposal, that's how we're going to achieve the best outcomes.
When customers ask me what they can do to achieve cyber resilience I talk about a number of steps that they can take practically. We're probably all familiar with multi-factor authentication, which requires either our phone or some other method to authenticate that I am who I say I am. That technology is truly table stakes at this point. Now there are other things that are becoming increasingly important. If you think about privileged access management, that's using technology and systems to actually prevent threat actors from elevating their privilege within a network, which is one of the biggest risks that we see through breaches.
Other things that you can do are to ensure that you have a security operations center, whether that's in-house or outsourced. But someone who's watching and monitoring the network 24/7 and has the ability to intervene if something arises. And then training the frontline employees. That's generally how we see breaches start. So whether that's training videos, phishing campaigns, all of those things are critically important to making sure you have a truly cyber resilient organization.
How would you describe the risk landscape today?
The risk landscape is challenging; there's no way around that. What we've seen over the past couple years is ransomware becoming incredibly prevalent. And there are a variety of methods we see, whether it's simply encrypting and locking a system, demanding some sort of ransom, all the way to exfiltrating data. And that being incredibly problematic, depending on what level of data you have on your systems. The threat landscape is not slowing down. It really just stresses more and more that companies need to take this risk seriously, need to approach it, like any other risks that they would seek to manage with cross-divisional support. And don't give up; it is possible to really become cyber resilient and achieve outcomes that are better than potential.