Cybersecurity Intelligence | 2Secure Corp

In this episode of The Cybersecurity Insider, host Yigal Behar is joined by guest Karla Reffold, who runs recruitment, e-commerce, and cybersecurity businesses.

According to Yigal, they had previously connected on LinkedIn in 2018. Karla had reached out about a contract position in Manhattan, but Yigal admits he didn’t see the message then.

Yigal reminds listeners that not receiving a response to a message is not a reason to be discouraged, especially when networking. Karla agrees, adding that persistence is key as people may be busy or have missed the message.

About Karla

Yigal transitions to discussing Karla’s background, sharing that she previously ran a recruitment agency for several years before selling it. After the sale, she continued to help grow the business in America, where she has now lived for two years.

Karla reveals that she has transitioned from cyber security recruitment to a role within the industry itself. She is now the CEO of a threat intelligence company that specializes in cyber risk ratings.

Differences In Culture

Yigal steers the conversation towards the differences in business and cybersecurity approaches between the UK and the US.

Karla maintains that while they share a common language, there are notable differences in both general life and cybersecurity practices. She notes that Americans tend to be more positive and proactive, with things happening at a faster pace and larger scale. She observes that cybersecurity teams in the US may be slightly bigger.

While she doesn’t see major differences in the overall level of cybersecurity advancement, she points out specific areas where each country excels. For example, the UK seems to be more advanced in banking security measures like PINs and contactless payments.

Karla believes that the differences are more cultural than fundamental to their approach to cybersecurity. She cites the way card payments are handled in restaurants as an example of a cultural difference, not a sign of differing security strategies.

UK vs US

Yigal reflects on how even 30 years ago, Israel was ahead of the US in online banking services like paying utility bills. He finds it curious that the US, despite being considered technologically advanced, was lagging in this area. He notes that while the US is making progress, the UK might be even slower to adopt new technologies due to bureaucracy.

Karla agrees, saying that the UK tends to be more cautious and slower in implementing changes, especially in smaller businesses. She attests that there’s a cultural difference in the attitude towards cybersecurity risks, with the UK often downplaying the severity of the problem compared to the US.

Karla acknowledges that the US generally has more financial resources, allowing companies to invest more in cybersecurity programs and adopt emerging technologies sooner. However, she says that the UK is not far behind and she thinks the UK has a lot of innovation. “They have a lot of very cool startups doing some great things, and companies there are adopting those, so the difference isn’t as big as I think we sometimes think it is.”

Cyber Insurance

Yigal recalls Karla mentioning insurance in their previous conversation about cybersecurity and asks her to elaborate on her perspective. He’s curious about the connection between threat intelligence and insurance.

Karla explains that her company’s risk-rating product is driven by threat intelligence, focusing on the specific threats facing each company rather than just their attack surface. Insurance companies find this approach valuable as they grapple with the challenge of pricing and underwriting cyber risk.

Karla points out that cyber risk is unlike any other risk that insurers are used to dealing with. This has led to many insurers hesitating to enter the market and a wide range of opinions on how to approach cyber insurance. Some believe that insurers are fueling the ransomware problem by paying out claims, while others, including Karla, believe that paying out is currently the best course of action.

Karla sees potential in the cyber insurance space and believes that integrating threat intelligence into the underwriting process could be a key factor in improving risk assessment and ultimately, making cyber insurance more effective.

Threat Intelligence for All Businesses

Yigal transitions the conversation to insurance and how insurers assess risk for potential clients. He recalls a previous conversation with an insurance broker who explained that insurers typically gather basic information about a company’s size and employees, revenue, and history of breaches to evaluate their risk.

Insurers also run scans of the prospective client; these scans are external and aim to identify low-hanging-fruit vulnerabilities. If the scan results are satisfactory, the client is deemed less risky and more insurable.

Yigal asks Karla how her company’s risk-scoring system, which is based on threat intelligence, can provide more accurate risk assessments.

Karla explains her company’s process for assessing a company’s risk profile. Starting with the URL and associated information, they examine not only the company’s attack surface (vulnerabilities, email security) but also its industry, operating countries, technology, and presence on the dark web.

She says that this approach provides a more accurate risk assessment than just looking at vulnerabilities. Factors like industry and location can considerably affect risk levels. Insurance companies use this information to better understand the company’s risk profile and tailor insurance policies accordingly.

Karla mentions that some companies proactively use her company’s risk rating to improve their security posture before renewing their insurance.

Yigal questions the necessity of cyber threat intelligence, particularly for small businesses. According to Karla, threat intelligence is essential for any business to effectively mitigate risks and make informed cybersecurity decisions.

Do You Need Intelligence?

Yigal challenges Karla’s statement by pointing out that one doesn’t need threat intelligence to know that phishing (or smishing) emails are a major attack vector. He argues that personal experience with spam filters and phishing attempts is enough to realize the importance of improving email security.

Karla acknowledges his point and says that the level of threat intelligence needed depends on the size and nature of the business.

For small businesses, staying updated with industry news might be sufficient. However, larger organizations would benefit from more detailed intelligence to understand evolving threats and tactics.

Karla cites a recent report about a group that breaches law firms to access their clients. She insists that threat intelligence can help companies identify sophisticated attacks that might otherwise appear legitimate. “It’s having the intelligence around scenarios, what attackers are doing, what’s new—that will enable you to keep up with that, right? And how the intelligence helps.”

How Intelligence Helps

Yigal expands on the phishing scenario, highlighting smishing (SMS phishing) and attacks through social media messengers like Facebook and LinkedIn. He expresses concern about being a “sitting duck” due to a lack of protection and asks Karla what actions to take.

Karla explains that simply knowing about these threats is the first step towards protection. This awareness, obtained through threat intelligence, helps individuals and organizations understand the potential attacks, their likelihood, and who they might target. This knowledge enables them to prioritize their security efforts effectively.

Karla contends that threat intelligence is about assessing the relevance and urgency of threats, not just identifying them. Armed with this information, businesses can make informed decisions about where to allocate their resources, whether it’s investing in security measures, training employees, or simply staying vigilant.

Cybersecurity Risk Score

Yigal agrees that prioritizing risks is critical and shares his experience in the military, where intelligence was essential before any mission. He sees a parallel with cybersecurity, where protecting data requires understanding the threat landscape.

Yigal then shifts the focus to the concept of a cybersecurity risk score, questioning its practicality and how it can be applied to real-world situations.

Karla explains that their risk scores range from 0 to 1000, with higher scores indicating higher risk. These scores are not absolute but rather indicators that companies can use to prioritize their security efforts. Different companies have specific risk appetites and can set their own thresholds for acceptable risk within their supply chain.

Karla suggests that risk scores can be used to identify critical suppliers with high-risk profiles, prompting companies to engage with them more actively. Conversely, companies with lower risk scores might be addressed later. She notes how important it is to apply the risk score to make informed decisions rather than treating it as an absolute value.

How to Apply the Risk Score

Yigal clarifies how Karla’s company provides services to its clients. He asks if the company provides reports to clients, like insurance companies and brokers, and whether clients then seek further assistance on how to interpret and apply the information.

Karla confirms that they provide reports and that some clients, especially larger companies with dedicated teams, can interpret the findings themselves. However, smaller companies or those without in-house expertise often seek further guidance on how to address the identified risks.

Yigal inquires whether Karla’s company offers mitigation services or refers clients to partners. Karla says that they primarily provide the assessment and analysis, leaving the actual mitigation to partner organizations specializing in those services.

Yigal recognizes this approach and notes that smaller companies often lack the internal expertise to address risks, thus making partnerships crucial for effective mitigation.

If you found this discussion on cybersecurity intelligence insightful, don’t miss out on future episodes! Yigal will continue to bring you engaging conversations with experts and leaders in the field. Subscribe to The Cybersecurity Insider on YouTube, Apple Podcasts, or Spotify to stay up-to-date with the latest trends, threats, and strategies in cybersecurity.

This time we had Karla Reffold talking about Cybersecurity Intelligence and why it’s important to have it. Thanks Karla!

The Cybersecurity Insider Host: Yigal Behar
