Cybersecurity VARs – Over the last year, executives and board members from various businesses have begun to ask more pointed questions about the threat posed by cyberattacks. They’re no longer satisfied with technical audits of their security controls, and they’re inquiring about the business effect of cyberattacks. For example, how much of a cyber-threat do we face? Are we overspending or underspending? With the planned information security budget, how much risk can we reduce? Is it necessary to purchase cyber insurance?
Cybersecurity VaR (value-at-risk) model objectives
As a result of these concerns, value-at-risk (VaR) models for information security have been developed. These models, also known as cyber VaR, provide a basis for quantifying information risk and bringing discipline to the process. VaR models have two objectives:
- Assist risk and information security professionals in articulating cyber risk in a language that everyone understands
- Allow corporate executives to make cost-effective judgments and strike a balance between safeguarding the company and running it
Organizations that use VaR models for cybersecurity can steer the risk conversation in more consistent, business-friendly terms. The models have also enabled them to shift away from making judgments based on Fear, Uncertainty, and Doubt (FUD) and toward making decisions based on financial data.
Cybersecurity VaR’s beginnings and definition
Value-at-risk modelling is a statistical tool used in the financial services sector to assess the level of financial risk inside a corporation or investment portfolio over a certain period. Three variables are used to calculate risk value:
- the size of the possible loss
- the likelihood of losing that much money
- the time frame
Cyber VaR models likewise employ probabilities to assess the likely losses from cyberattacks over a particular timeframe.
Cybersecurity VaR’s perceived limits
Certain alleged constraints have impeded the implementation of cyber VaR models:
First, there is insufficient information provided
The most serious argument is that there isn’t a large enough set of historical data on the frequency and magnitude of risk events to perform quantifiable risk analyses.
On the event frequency front, many companies are discovering that combining advanced estimation approaches with mathematical simulations like Monte Carlo allows them to estimate event frequency as a probability distribution. The final shape of the distribution represents the level of confidence in the data: flatter if the level of confidence is low, spikier if the level of confidence is high. In every case, these groups claim that the analysis’ outcome is far superior to relying on guesses or “sticking a wet finger in the air.”
On the loss magnitude front, the problem stems from firms’ (understandable) aversion to freely sharing data that could be used to develop industry-specific loss tables. Organizations that use cyber VaR models rely on industry data and the experience of vendors who sell cyber VaR solutions, such as RiskLens (disclaimer: the author is a RiskLens executive), to create loss tables that they may use in their risk evaluations.
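An added example (not from the original article or any vendor's product) of the Monte Carlo approach described above: event frequency is sampled from an analyst's minimum, most-likely and maximum estimate, loss magnitude from a 90% range, and the 95th and 99th percentiles of the simulated losses over the time frame are reported as VaR. The triangular, Poisson and lognormal distributions and all dollar figures are assumptions chosen for illustration.

```python
import math
import random

def poisson(rng, lam):
    """Draw an event count for the horizon (Knuth's method; fine for small rates)."""
    limit, count, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        count += 1
        p *= rng.random()
    return count

def simulate_losses(freq_min, freq_mode, freq_max, loss_low, loss_high,
                    trials=20000, seed=7):
    """Return sorted simulated total losses over one horizon (e.g. one year).

    freq_*             : estimated events per horizon (min, most likely, max).
    loss_low/loss_high : 90% interval for the loss of a single event.
    """
    rng = random.Random(seed)          # seeded so runs are reproducible
    # Lognormal whose 5th and 95th percentiles match the stated interval.
    mu = (math.log(loss_low) + math.log(loss_high)) / 2
    sigma = (math.log(loss_high) - math.log(loss_low)) / (2 * 1.645)
    totals = []
    for _ in range(trials):
        # Uncertainty about the rate itself: a wide range means low confidence.
        rate = rng.triangular(freq_min, freq_max, freq_mode)
        events = poisson(rng, rate)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    totals.sort()
    return totals

def value_at_risk(totals, confidence=0.95):
    """Loss that is not exceeded in `confidence` of the simulated horizons."""
    index = min(len(totals) - 1, int(confidence * len(totals)))
    return totals[index]

# Constructed scenario: same most-likely frequency and loss range, but the
# second estimate has a much wider (less confident) frequency range.
CONFIDENT = simulate_losses(0.4, 0.5, 0.6, 50_000, 2_000_000)
UNCERTAIN = simulate_losses(0.05, 0.5, 2.0, 50_000, 2_000_000)

if __name__ == "__main__":
    for label, totals in (("confident", CONFIDENT), ("uncertain", UNCERTAIN)):
        any_loss = sum(t > 0 for t in totals) / len(totals)
        print(f"{label:9s} P(any loss)={any_loss:.2f} "
              f"VaR95=${value_at_risk(totals, 0.95):,.0f} "
              f"VaR99=${value_at_risk(totals, 0.99):,.0f}")
```

The output ties together the three VaR variables from the definition: a loss size, the probability of exceeding it, and the time frame the simulation covers.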
There is a scarcity of standard risk definitions
Another issue is that there are no common risk definitions inside corporations. Within the same organization, how risk is defined can differ from person to person. Risk registers are fairly prevalent, and they should ideally indicate an organization’s major hazards. The main issue is that many of the items on the list aren’t top risks, and some aren’t even hazards. Instead, they should be labeled as control flaws, vulnerabilities, or threat communities.
Adopting risk models, such as FAIR, provides a thorough and uniform definition of risk in the form of a shared taxonomy or ontology, which adds a lot of value. This allows everyone in the organization to use the same yardstick when comparing risk scenarios, allowing for more effective comparisons.
A small number of scenarios are supported
Single assessments were conducted using sophisticated spreadsheets in the early uses of cyber VaR models. However, comparing risk scenarios was time-consuming and resource-intensive, and pooling risk scenarios for enterprise-wide evaluations was impossible.
Next-generation cyber VaR platforms, such as RiskLens, have overcome these challenges by developing enterprise-grade apps that can assess a large number of risk scenarios simultaneously and in aggregate.
Information security experts are putting out a plan
In response to recent pressure from corporate boards and executive management for improved reporting and management of cyber risk, many businesses and risk experts are creating forums where they can learn about conventional cyber VaR practices and discuss use cases and real-life experiences.
How VARs Can Help Keep Their Customers Protected
Because of the sheer volume of cyberattacks and their improved sophistication, 2020 might well be dubbed the “Year of the Cyberattack.” Hackers are no longer content to steal information and sell it to others — while this is still a common practice — but are instead employing the sensitive data in novel and dangerous ways.
Unfortunately, the increased frequency and sophistication of breaches is a portent of things to come. To protect themselves from cyberattacks in 2016, businesses must learn from past mistakes and their terrible consequences. The good news is that the VAR community is in a great position to help defend its customers and serve as important cybersecurity leadership resources for years to come.
What Is On The Horizon For Cybersecurity In 2021?
While it’s impossible to forecast the types of assaults that will gain traction in 2016, we feel the following are the newest and most serious cyber threats:
Increased use of ransomware: Ransomware is software that infiltrates a company’s network and locks down access to it or its data unless a ransom is paid to unlock or release it. Ransomware, which is frequently spread through phishing attacks, interrupts business operations and adds to the financial strain. In 2020, many hackers were successful with this attack — and the short-term financial gain that comes with it — so expect more ransomware attacks in 2021.
Wiper attacks are being used more frequently: Wiper attacks are designed to wipe data from hard drives of PCs and file servers and prevent the machine from starting. This approach was utilized in the Sony Pictures assault in 2014 and other high-profile Asian attacks. Wiper assaults can cause major harm to vital systems as our world becomes more connected than ever before.
More sophisticated social engineering attacks: Hackers are already using social engineering to deceive people into revealing personal information to obtain access to their victims’ personal and professional lives for financial benefit. However, in 2021, hackers are likely to go one step further and utilize stolen credentials from past breaches to gain access to even more sensitive data.
Major IoT vulnerabilities: Through an eco-system of connected devices and services, the Internet of Things has the potential to transform how we interact with the world around us. It also means that criminals will have an exponentially greater number of entry points to attack and infiltrate if a network is left unprotected.
What are the options on Cybersecurity VARs?
Most firms have some security measures in place, but many organizations discover that these safeguards are insufficient to protect their assets fully when it is too late. Many people only respond to security vulnerabilities after an assault, by which time the damage has already been done.
Businesses must explore stronger detection techniques and continuous, improved end-user security education to prevent these types of security breaches. This education must be more than just a once-a-year seminar; it must be a continuous endeavor. Furthermore, preventing future attacks will necessitate increased endpoint visibility to detect and promptly neutralize attacks before they have a foothold on the target device.
VARs can profit from both delivering solutions that properly protect data and counseling clients. Partners can and should look for solutions that complement existing security measures by adding additional layers of protection. Many traditional solutions, for example, focus solely on preventing unauthorized network access, but persistent hackers will nearly always find a way in. As a result, the primary focus should be on preventing data from leaving the company’s data center infrastructure.
Taking on an advisory position with consumers also has great potential since many customers are unaware of how sophisticated and deadly cyber attacks can be. VARs should, at the absolute least, provide educational content such as frequent training and instruction, best practices for deploying security technology and detecting potential risks, and tools for keeping personal and professional information safe from hackers. VARs that provide this kind of leadership to their customers will ensure that those end-user businesses continue to turn to them for security solutions for many years to come.
Nobody has a crystal ball to tell when or how the next hack will occur. All we know is that they’ll keep happening, and they’ll get more intricate, evil, and destructive as time goes on. Partners may play a crucial role in assisting their clients in resolving current issues and preparing for new attack tactics that emerge every day.
What VARs Need To Know About Cybersecurity
A conversation with Hervé Tardy, Eaton (from VarInsights)
Hervé Tardy, president and general manager of Eaton’s Distributed Power Infrastructure, spoke with VAR Insights recently on all things cybersecurity, from what resellers should know to how to help clients deal with cyber threats.
Q: How should VARs educate their clients about the importance of cybersecurity in their overall power management strategies?
VARs should encourage their customers to think about how power management is changing as the Internet of Things (IoT) — that is, the rise of linked devices inside and outside the data centre – takes hold. IT and operational processes, including backup power systems, are becoming increasingly integrated, which can help businesses across the board. On the other hand, IoT devices often have a unique IP address that allows them to communicate and exchange data with other systems, posing a significant cybersecurity risk.
VARs must understand the importance of taking an end-to-end strategy to cybersecurity for their customers as IoT technologies continue to find their way into IT systems. Consider this example: hackers could gain access to POS terminals and steal 70 million client accounts by exploiting an unnoticed weakness in a big retailer’s HVAC unit.
The threat of assaults will only grow as networks migrate off-site and away from a traditional, centralized IT framework. Daily, the number of server-gateway connections grows, and the number of devices linked to networks grows, generating more possible targets.
Q: What role does the Internet of Things play in advancing power management, and how can a VAR take advantage of it?
Tardy: Organizations may now strategically utilize the power of connectivity and data sciences to favourably impact their operations thanks to IoT innovation. Companies can now use network management cards to connect uninterruptible power system (UPS) equipment and reach interesting new capabilities in the power management space. These technologies help improve business continuity by delivering warnings of potential issues to IT administrators and performing an orderly shutdown of servers and storage with better speed and security.
Predictive analytics is another area in power management where significant progress has been made. As more data from thousands of backup systems is collected, predictive analytics services are becoming much better at making judgments independently. VARs can collaborate with their partners to transform the model from reactive to proactive as preventive maintenance plays an important role in power management functions.
As a monitoring and management tool, predictive analytics services can help IT managers identify major component failure before it happens. Predictive analytics, Big Data, sensors, and algorithms are used to proactively spot issues and notify IT staff and field workers when a part needs to be replaced. These solutions enable firms to act fast and avoid costly emergency repairs and difficulties that could occur if anything breaks down by providing insights into existing power management components.
Q: How can VARs assist their customers in mitigating cyber threats?
VARs should commit to being proactive in tackling IoT and security threats and employ technology with the strongest track record for cybersecurity, as the spread of smart, connected devices connects more parts of everyday operations. This entails looking for electrical products and solutions for consumers that emphasize cybersecurity as a significant difference, even going so far as to include particular cybersecurity certifications (more on this below).
VARs can also offer a variety of tips with partners to assist them in protecting their network infrastructure. For example, experts advise using a firewall and encrypting data and conducting routine security assessments, regularly updating antivirus software and antispyware, employing advanced email filtering, establishing strong password policies and endpoint protection, and providing employees with cybersecurity awareness training.
Q: How can IoT-enabled devices be made more secure against cyberthreats?
UL 2900-1 is a software cybersecurity standard for network-connected devices developed and published by the global safety science organization UL in response to escalating cyber threats. The UL cybersecurity certification ensures that a product has been thoroughly evaluated and tested against a recognized standard.
State legislatures are also taking steps to require a higher degree of cybersecurity. For example, California recently approved legislation requiring IoT device manufacturers to be more accountable for the privacy and security of the state’s people. Furthermore, the International Electrotechnical Commission (IEC) has issued cybersecurity certifications to provide businesses with additional tools for a successful cybersecurity strategy.
As industry standards and government laws grow, this type of reputable independent testing will continue to be one of the most effective ways for VARs and their clients to confirm that their equipment makers have done their due diligence to avoid risks.
Q: How critical is it for a VAR to improve its cybersecurity skills?
Tardy: It’s critical because as connectivity grows, new chances for attacks will develop. UPSs aren’t normally thought of when it comes to cybersecurity. Still, the desire of more IT workers to use linked capabilities like remote monitoring has prompted manufacturers to add more of this functionality.
Eaton responded by introducing the Gigabit Network Card, the first UL 2900-1 and IEC 62443-4-2 approved UPS communication card. Additionally, Eaton’s continued focus on cybersecurity has helped ensure that all of our products, from UPSs to power distribution units (PDUs) and power management software, already meet California’s criteria.
Customers will be reassured that VARs are aware of the threats that exist on the internet and are serious about resolving them as their knowledge grows. They exhibit a continued commitment to ensuring their goods meet the highest of standards.
Q: How critical is it for a VAR to urge its customers to improve their cybersecurity skills?
VARs are in a unique position to support and coach their customers, who must frequently adapt rapidly to stay on top of an ever-changing IT market. Customers can’t afford the high expenses and time delays that come with crippling cyberattacks. However, they may prevent being left behind by being more knowledgeable about cybersecurity and implementing secure-by-design goods.
Companies will seek to deal with VARs that can demonstrate a long-term commitment to cybersecurity as cyber threats continue to grow. As a result, VARs will be in the greatest position to meet their clients’ current and future demands by embracing a security-first strategy and maximizing cyber safety standards from the ground up – ensuring solutions across their portfolio are optimized for protection.
Five Reasons to Hire a VAR
Working with a value-added reseller (VAR) can help organizations overcome the hurdles of maintaining complex cybersecurity infrastructures. However, a VAR is more than just a reseller of security goods. It offers a fully integrated, turnkey solution that includes:
A holistic approach: The value-added reseller considers all of your business demands and offers a comprehensive solution that addresses them all. The VAR installs the equipment and customizes it for your environment, and offers maintenance and troubleshooting.
There are several options: Many VARs may supply you with options from various vendors, allowing you to choose the ideal one for your needs. The vendor will also make certain that your security infrastructure isn’t overly complex and that it’s made up of technologies that operate well together and can be managed centrally.
Technical knowledge: A VAR is like having a dedicated on-call cybersecurity specialist for many smaller firms that don’t have committed security professionals. Even if you have a security team in-house, an outside expert may give an unbiased examination of your systems as well as up-to-date knowledge of all security trends and threat intelligence.
Everything is included in the package: A VAR is a one-stop-shop for all of your IT and data security requirements. The VAR can handle upgrades, patches, and other sorts of maintenance in addition to selling you the items and giving expertise. Often, you’ll obtain a better deal than if you went to a different dealer.
Insider pricing: Another benefit is the cost. VARs save money by purchasing huge quantities of hardware and software. Many of these savings are passed on to consumers, which means you’ll profit from the VAR’s purchasing power. This can result in the most competitive pricing for your IT solution.