Cyber Risk Governance Insights from Netswitch 2025-03-10

Cyber Risk Governance Insights

March 10, 2025

WEEK IN BRIEF

GOVERNMENT – System Vulnerabilities Actively Exploited

SUMMARY: The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning to U.S. federal agencies, requiring them to secure their systems against actively exploited vulnerabilities in Cisco and Windows devices. These flaws are being actively targeted in the wild, making unpatched systems prime attack vectors. Agencies have been instructed to update their systems immediately to mitigate the risk of compromise.

PROBABLE CAUSE: Failure to apply critical security patches, leaving government systems vulnerable to known exploits.

PROACTIVE PREVENTION: Automate patch management and enforce strict vulnerability scanning to ensure no system remains unpatched beyond the remediation window.

INSIGHT: Really?! — if CISA has to remind agencies to patch actively exploited vulnerabilities, we have bigger problems than just outdated software. If “Patch Tuesday” wasn’t already circled on your calendar, why not?

TECHNOLOGY – View The New Attack Vector

SUMMARY: A ransomware gang just proved that endpoint detection and response (EDR) solutions aren’t as bulletproof as we’d like. Attackers leveraged a vulnerable internet-connected webcam to breach a corporate network, bypassing traditional security tools. Once inside, they encrypted critical systems, leaving the victim organization scrambling.

PROBABLE CAUSE: Poor IoT security—an internet-facing webcam with weak security allowed attackers a backdoor into the network.

PROACTIVE PREVENTION: Segment IoT devices on a separate, restricted network and enforce strict access controls to prevent lateral movement.

INSIGHT: Your fancy EDR might stop a phishing attack, but what about that $40 webcam your IT team forgot about? If your security strategy doesn’t account for everything on your network, it’s only a matter of time before someone finds the weakest link.

SOFTWARE – 2FA Fail: A Cautionary Tale

SUMMARY: Automation giant Zapier suffered a breach due to a misconfigured two-factor authentication (2FA) system. Attackers exploited an overlooked security gap, granting unauthorized access to sensitive user data. While 2FA is supposed to enhance security, improper implementation turned it into an Achilles’ heel.

PROBABLE CAUSE: Misconfigured authentication controls left an unintended security gap.

PROACTIVE PREVENTION: Conduct regular authentication audits to validate the effectiveness of 2FA implementations and detect configuration flaws.

INSIGHT: 2FA is great—until it isn’t. If you’re rolling out security measures without validating their effectiveness, you’re just adding to the illusion of security. Pro tip: test what you trust before attackers do it for you.

TECHNOLOGY – Billions of Bluetooth Devices Exposed

SUMMARY: A newly discovered set of undocumented commands in a widely used Bluetooth chip is putting over a billion devices at risk. Attackers could potentially exploit these commands to compromise phones, smart devices, and even cars. Security researchers are calling for immediate firmware updates, but many affected devices may never receive patches.

PROBABLE CAUSE: Manufacturers shipping devices with unvetted, undocumented functions that increase the attack surface.

PROACTIVE PREVENTION: Mandate rigorous security testing for hardware vendors and restrict Bluetooth-enabled functions to only those explicitly required.

INSIGHT: Turns out, your “smart” device might be a little too smart—doing things even the manufacturer didn’t think through. If you can’t update your Bluetooth devices, you may want to update your expectations about their security.

TELECOM – Giant Data Breach Hits 18,000 Companies

SUMMARY: Japanese telecom giant NTT confirmed a data breach affecting 18,000 corporate clients. While the full impact is still being assessed, compromised information could lead to supply chain attacks, phishing scams, and business email compromise (BEC) incidents.

PROBABLE CAUSE: Weak third-party security controls allowed unauthorized access to customer data.

PROACTIVE PREVENTION: Enforce stricter third-party security assessments and implement zero-trust principles for vendor access.

INSIGHT: Your vendors can be your biggest asset—or your biggest liability. If you don’t trust them with your passwords, why trust them with your security?

INTERNET – ISP Networks Targeted in Global Attack

SUMMARY: Over 4,000 internet service provider (ISP) networks have been targeted in a coordinated cyberattack aimed at disrupting global connectivity. Attackers leveraged sophisticated techniques to exploit vulnerabilities in networking infrastructure, raising concerns about the resilience of the internet itself.

PROBABLE CAUSE: Weak security in critical internet infrastructure allowed attackers to launch large-scale disruptions.

PROACTIVE PREVENTION: Require ISPs to adopt stricter security baselines, including route filtering, DNS security extensions (DNSSEC), and anomaly detection.

INSIGHT: When cybercriminals take aim at the internet itself and hit it, we’ve got a serious problem. If ISPs don’t step up their game, we might start longing for the days of dial-up—at least that was harder to hack.

INSIGHTS & EXPERT PERSPECTIVES

GOVERNANCE: Leading Beyond Compliance

Cybersecurity governance is often viewed through the lens of regulatory compliance, but true security leadership requires a proactive, risk-based approach. Organizations operating without regulatory oversight must establish governance frameworks that align cybersecurity with business objectives, integrate risk-based decision-making, and ensure executive accountability. By adopting industry best practices, leveraging frameworks like NIST CSF or ISO 27001, and prioritizing continuous assessment, organizations can maintain a strong security posture without relying on external mandates. This approach transforms cybersecurity from a reactive function into a strategic enabler that drives business resilience and operational integrity.

Key Insights:

  1. Governance Extends Beyond Compliance: Organizations should not equate compliance with security. Effective governance integrates cybersecurity into broader business strategy, ensuring alignment with operational goals and risk management priorities.

  2. Risk-Based Frameworks Provide Structure: Even without regulatory oversight, organizations can benchmark their governance maturity using established frameworks such as NIST CSF, ISO 27001, or CIS Controls, ensuring structured and measurable security practices.

  3. Leadership Accountability is Critical: Strong cybersecurity governance requires active engagement from executive leadership and the board. Cyber risk must be a business-level conversation, with clear accountability, performance metrics, and continuous oversight.

INSIGHT: Cybersecurity governance is not determined by regulatory requirements but by an organization’s ability to anticipate, withstand, and recover from threats. In industries without compliance mandates, security leaders must take a proactive approach—leveraging risk intelligence, third-party validation, and continuous improvement cycles to ensure governance remains strong and adaptable. The absence of regulations is not an excuse for weak security—it is an opportunity to build a governance model that is tailored, strategic, and resilient.

Drawing from our approach and methodologies, organizations should assess governance through the following key areas:

1. Alignment with Business Objectives - Emphasize cybersecurity as a business enabler rather than a compliance requirement. Organizations should adopt a governance model that balances security with operational efficiency.

2. Risk-Based Decision-Making - Our Security And Risk Assessment methodology focuses on continuous risk assessment and threat intelligence to shape governance practices tailored to the unique risk profile of each organization.

3. Framework-Based Self-Regulation - Find an appropriate framework - or develop your own - to meet business objectives. Many apply NIST CSF 2.0 as a foundational framework for businesses seeking structured cybersecurity governance, emphasizing adaptability to evolving threats. But if you perceive NIST CSF 2.0 as daunting to undertake, consider CIS Critical Security Controls (CIS CSC) for prioritized actions like "inventory and control of assets" and "implement secure configurations" that are actionable with minimal interpretation.

4. Board and Executive Accountability - A governance structure should include clear roles, responsibilities, and executive buy-in, aligning cybersecurity investment with business priorities.

5. Incident Preparedness and Response Maturity - Proactive threat hunting and incident response automation are critical components of a strategy.

6. Third-Party Validation and Continuous Assessment - Organizations should embrace third-party risk assessments and managed security services to ensure ongoing governance refinement and maximize resources. 

About Netswitch

Elevating Cognizance Since Y2K

Secure Your Business Today!

Netswitch, an industry leader and recognized by Gartner, ensures 100% compliance and data breach protection.

Our proven process saves you resource commitments, more quickly elevates your security, and reduces your anxiety and stress about cyber risks.

Say goodbye to cyber threats and hello to long-term peace of mind.

Our Integrated PaaS technology reduces MTTD and MTTR by over 90%, staying ahead of threats and minimizing damage.

Take control of your company's future now.

Trust Netswitch for a secure future. Contact Sean Mahoney to learn more.

