Cyber Risk Governance Insights | April 28, 2025

WEEK IN BRIEF

Cybersecurity - AI's Limited Impact on Data Breach Outcomes

SUMMARY: Verizon's latest Data Breach Investigations Report, analyzing over 22,000 security incidents, indicates that while AI-generated text in malicious emails has doubled, the success rate of phishing breaches remains stable. Experts suggest the impact of AI on breach outcomes is currently limited, and traditional attack methods, such as exploiting software vulnerabilities, are still more prevalent. The cybersecurity market is expected to grow significantly, reaching $338 billion by 2033, and experts urge IT leaders to monitor AI usage within their organizations and adapt security protocols accordingly.

PROBABLE CAUSE: While AI is being used in malicious emails, it hasn't significantly increased the success rate of phishing. Traditional vulnerabilities remain a primary concern.

PROACTIVE PREVENTION: Cultivate a security-aware culture specific to your organization. Encourage and emphasize critical thinking and skepticism towards new technologies and communication methods, including those leveraging AI. Implement continuous training programs to educate employees about evolving AI-related threats, such as advanced phishing and deepfakes. Regularly update security policies and incident response plans to account for the potential impact of AI on attack vectors and organizational risks. Review your risk register to know where AI lands for your organization.

INSIGHT: Maybe AI isn’t as smart as we were told, or maybe people are finally getting a little bit better at spotting scams. Either way, organizations should continue to prioritize the traditional attack vectors (known vulnerabilities and human error) while preparing for the continued rise of AI-enhanced threats. In the meantime, continuous monitoring, future risk assessment, and adaptive security controls should be your focus.

Supply Chain – Government Vendor Suffers Significant Data Breach

SUMMARY: Conduent, a technology vendor for government payments, experienced a cyberattack in January that resulted in the theft of personal data from a significant number of individuals. The breach, which disrupted some operations, came to light when Wisconsin officials reported delays in child support payments. Conduent is working with cybersecurity experts to investigate the incident and notify affected clients. The full scope of the affected data is still being determined.

PROBABLE CAUSE: The article doesn't specify how the attackers gained access.

PROACTIVE PREVENTION: Establish and enforce a comprehensive third-party risk management framework appropriate for your organization. This includes conducting security due diligence before engaging with vendors, implementing contractual security requirements, and ensuring that your procurement staff secure adequate service level agreements (SLAs) with clear consequences for failures. Your reputation downstream is at risk.

INSIGHT: Another day, another vendor breach. You know, trusting a vendor with sensitive data without thoroughly vetting their infosec program is high-risk poker. Consider moving beyond basic questionnaires and implement continuous monitoring and a more comprehensive audit of their IT and ecosystem. I hope those SLAs included breach notification timelines... and maybe a hefty penalty clause?

Ransomware - RansomHub's Sneaky Strategy

SUMMARY: RansomHub affiliates are employing SocGholish malware to target high-profile organizations. They gain initial access through compromised WordPress sites, tricking victims into downloading a malicious file. This file deploys a Python-based backdoor that allows attackers to strategically select targets and maintain persistence within the networks. The backdoor processes commands from the attacker's server, enabling reconnaissance and lateral movement.

PROBABLE CAUSE: Compromised WordPress sites and social engineering tactics (tricking users into downloading malicious files).

PROACTIVE PREVENTION: We believe in a defense-in-depth approach that focuses on preventing initial access, detecting intruders early if they do break in, and denying them lateral movement. This includes Endpoint Detection and Response (EDR) solutions with behavioral analysis (user and device) and script execution monitoring capabilities. Combine these with continuous security awareness education that emphasizes the risks of downloading files from untrusted sources. This approach significantly reduces the attack surface.

INSIGHT: Ransomware groups are getting craftier, using compromised WordPress sites as entry points. It's like burglars using the unlocked "smart" door. Organizations need to realize that their web presence isn't just about marketing; it's a critical perimeter and needs to be secured. Implementing web application firewalls and intrusion detection systems isn't optional; it's basic hygiene.

Phishing - Spoofing Google with DKIM Replay Attack

SUMMARY: A sophisticated phishing attack abuses Google OAuth to spoof Google in a DKIM replay attack. Hackers exploit a weakness in Google's DKIM implementation, sending fake emails that appear legitimate and direct recipients to fraudulent pages to steal login credentials. The vulnerability lies in Google's system, which checks the message and headers but not the envelope, allowing attackers to manipulate sender and recipient addresses.

PROBABLE CAUSE: A weakness in Google's DKIM implementation.

PROACTIVE PREVENTION: DMARC has become a standard for email security, and if you have not yet done so, you should assess the effectiveness of your DMARC policies to protect your organization's domain and brand from email spoofing. Conduct periodic DMARC evaluations to identify and remediate any configuration weaknesses, ensuring proper alignment of SPF and DKIM records.
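As an added illustration of the DMARC review recommended above (example code written for this page, not from Netswitch or the article it summarizes; every record, domain and header value is constructed), the following parses a DMARC record, flags weak settings, and evaluates whether a message's DKIM and SPF identifiers align with its From: domain the way a receiving mail server does:

```python
# Added example (not from the newsletter): parse a DMARC record and check DKIM/SPF
# identifier alignment against a message's From: domain, as a DMARC receiver would.
# All records, domains and header values below are constructed sample values.

def parse_dmarc(txt):
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    """Approximate the organizational domain as the last two labels.
    A real receiver consults the Public Suffix List; this is enough for the sample."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) accepts any subdomain of the same org domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)

def evaluate(record, header_from, dkim_d, dkim_pass, mail_from, spf_pass):
    """Return the DMARC verdict plus the weak settings a policy review should flag.
    A valid DKIM signature from an unrelated domain passes DKIM but fails
    alignment, so it cannot satisfy DMARC on its own."""
    tags = parse_dmarc(record)
    adkim = tags.get("adkim", "r")
    aspf = tags.get("aspf", "r")
    dkim_aligned = dkim_pass and aligned(header_from, dkim_d, adkim)
    spf_aligned = spf_pass and aligned(header_from, mail_from, aspf)
    policy = tags.get("p", "none")
    return {
        "dmarc_pass": dkim_aligned or spf_aligned,
        "policy": policy,
        "findings": [text for text, bad in (
            ("p=none does not block spoofed mail", policy == "none"),
            ("pct below 100 leaves some mail unenforced", tags.get("pct", "100") != "100"),
            ("no rua address, so no aggregate reports", "rua" not in tags),
            ("relaxed alignment accepts any subdomain", "r" in (adkim, aspf)),
        ) if bad],
    }

if __name__ == "__main__":
    weak = "v=DMARC1; p=none"
    strong = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"
    print(evaluate(weak, "example.com", "example.com", True, "example.com", True))
    print(evaluate(strong, "example.com", "attacker.example", True, "example.com", False))
```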

INSIGHT: Even Google isn't immune to clever phishing attacks. This just screams that relying solely on technical email authentication isn't enough. Educating users to be the ultimate "human firewall" by critically examining email provenance and being suspicious of everything is paramount. Maybe we should start issuing tinfoil hats with the onboarding package?

Zero-Days - Urgent Patch Required for Major Application Platform

SUMMARY: A zero-day vulnerability (CVE-2025-31324) is being actively exploited in SAP NetWeaver systems. This critical vulnerability allows attackers to upload files directly to the system without authorization, potentially leading to full remote code execution and complete system compromise. The vulnerability affects the SAP Visual Composer component.

PROBABLE CAUSE: A software defect in the SAP Visual Composer.

PROACTIVE PREVENTION: Establish and enforce a comprehensive patch management program that includes timely identification, assessment, and deployment of security updates for all critical software and systems. Prioritize emergency patches for actively exploited vulnerabilities to minimize the window of opportunity for attackers.

INSIGHT: Zero-day exploits are the stuff of cybersecurity nightmares. It’s less "oops" and more "code red." Organizations running such systems need to treat patching with the urgency of a five-alarm fire. Delaying updates for "stability" is like refusing a life jacket on a sinking ship.


INSIGHTS & EXPERT PERSPECTIVES

Cybersecurity Spending Soars, But Do CEOs Know Where to Invest?

There is an apparent dichotomy between a recent survey finding that CEOs consider cybersecurity critical for business growth (together with a projected increase in cybersecurity spending) and the uncertainty those same CEOs express about allocating those resources effectively.

While Gartner finds that 85% of CEOs say cybersecurity is critical for business growth, it also forecasts 12.4% growth in global cybersecurity expenditure for 2025, driven by escalating threats and regulatory pressures.

However, Oxford University's "The CEO Report on Cyber Resilience" reveals significant unease among CEOs regarding cybersecurity decision-making, with 72% reporting discomfort in this area.

This disparity highlights a critical need for solutions that not only justify increased spending but also provide CEOs with the clarity and confidence to direct investments toward optimal risk mitigation and resilience.

HIGHLIGHTS:

  • Projected global cyber spending to reach $215 billion in 2025
  • Organizations prioritize cyber investments to build operational resilience and trust
  • 72% of CEOs are uncomfortable making cybersecurity-related decisions.
  • The complexity of cyber leads CEOs to place "blind trust" in their technical teams
  • Growing shift from "cybersecurity" to "cyber resilience"

PERSPECTIVES: The juxtaposition of Gartner's optimistic cyber spending forecast and the Oxford report's revelation of CEOs' lack of cyber confidence presents a critical challenge for cyber leaders.

While increased investment is undoubtedly necessary to combat the constant rise of cyber threats, it's equally crucial to address the confidence gap at the executive level.

CEOs, ultimately responsible for these expenditures, require more than just budget; they need decision-making frameworks that instill confidence and provide clear pathways for effective resource allocation.

Regulatory bodies are increasingly focusing on the accountability of CEOs, C-suites, and boards for their organizations' cybersecurity posture. This heightened regulatory scrutiny requires these leaders to be not only informed but also actively involved in significant cyber decisions to ensure compliance with evolving regulations.

The emphasis on clarity for C-suite attestation underscores the need for accurate and comprehensive reporting on cybersecurity measures, risk assessments, and incident response plans, as executives are now being held personally liable in some jurisdictions.

Many solutions promise quantifiable risk assessments, clear visualization of threats, and alignment of cybersecurity investments with business objectives. These are precisely the tools needed to transition CEOs from a state of "blind trust" to one of "informed trust," enabling them to actively engage in cybersecurity governance rather than passively delegating it.

Netswitch has never believed in selling FUD - fear, uncertainty & doubt. Instead, we focus on providing CEOs with the knowledge, tools, and frameworks necessary to make strategic and confident cybersecurity investments, ensuring that increased and appropriate spending translates into genuine and resilient cyber risk governance.

The Unity Risk Indicator helps CEOs cut through the acronyms and technical complexity of compliance and cybersecurity by helping them find the “Sweet Spot” among Operational Effectiveness, Cost Efficiency, Top Down GRC Objectives, and Bottom-Up Technical Objectives.

CyberRisk Governance System™

To learn more about Unity Risk Indicator, contact us, or you can book a time with us.


Strengthen Your Cybersecurity with Netswitch

Achieve Compliance & Reduce Risk:

  • Comprehensive Security Audit: Uncover network vulnerabilities with our automated Security Automation & Risk Assessment (SARA). Gain a clear understanding of your risk landscape, prioritize enhancements, and make the most of your security investments. Contact Netswitch.
  • Free "Quick Start" Program: Kickstart your cyber risk and governance journey with a complimentary health check. Enroll today to build lasting resilience.

Expand Your Cyber Knowledge:

  • Join: Our Cyber Risk Governance Community and connect with a dynamic network of professionals on LinkedIn. Exchange insights, transform risks into readiness, and stay ahead of evolving threats.
  • Engage in Live Events: Attend interactive LinkedIn Live sessions. Dive into critical cyber risk topics with industry leaders from executive, technology, and governance backgrounds.

Take Action Now!

Reach out to Netswitch Technology Management today and seize control of your cyber risk.


Disclaimer: The information and links provided in this newsletter are for informational purposes only. Netswitch does not warrant the accuracy or completeness of such information and is not liable for any damages arising from its use.


Susan Lange Smith

Senior Manager, Insurance & Risk Management

3d

Always insightful - thank you for sharing Sean!