Meet Jason Rebholz. As Corvus’s CISO, he’s responsible for a lot of the behind-the-scenes work that keeps our organization and our policyholders safe. You might recognize him from his daily cyber security updates and insights on LinkedIn (he’s a star!) but to us, he's a go-to cybersecurity expert best known for simplifying the most tricky and technical concepts.
Join us as we discuss his career background, his journey to cyber insurance, and his hopes for the future of cybersecurity (hint: it’s about empathy). Find out the rest in our latest Corvus Q&A.
What do you do when you are a self-proclaimed nerd in high school with a love for puzzles? First, you get really into speed-solving Rubik’s Cubes, emphasis on the speed, with a record of 41 seconds. Then you expand your strategic horizons. For Jason, that meant discovering programming (and then quickly realizing it wasn’t for him).
“[Programming] was something I could do, but I didn’t have that passion for it. My teacher at the time, who is still a great mentor to this day, introduced me to the concept of computer networking. I started doing research on that, stumbled into the security aspect of it, and fell in love.”
But solving puzzles and computer networking weren’t his only career inspirations. Next, he became “the nerd in high school who loves debate club” — his words, not ours. With a combined passion for solving complicated things and effective communication, his career trajectory started to become clearer. Cybersecurity expert, with a side of executive team whisperer?
“I found I had a unique ability to translate complex technical topics so that normal people can understand, specifically business people. When I was doing consulting early on in my career, I could go deep on the technical side — but I was also the person that could explain our findings to a CEO. Having the ability to translate those things has been the most important skill set in my career.”
A major obstacle cybersecurity professionals face is the communication barrier of explaining risk to business people when it’s directly tied to tech-heavy jargon. If it feels like you’re not being listened to or understood, there may be room to meet halfway (such as empathizing with knowledge gaps on both sides).
As the metaphorical bridge between business and tech, Jason joked, “People walk all over me every day.” Fortunately, that sacrifice helps us all understand each other a little better.
After a decade of working in the incident response space, the excitement initially tied to solving the mystery — what happened and how did it happen? — started to dwindle. A lot of the attacks looked very similar, creating a Groundhog Day experience.
“I felt like I was playing Mad Libs, but it was the same exact story every time. You switch out a couple verbs, nouns and adverbs here and there, and you’re just dealing with another client.”
The patterns continued. Repeatedly witnessing what worked for threat actors and hurt organizations became disheartening. Throughout his time in incident response, he also had a lot of hands-on experience with cyber insurance companies. That opened his eyes to a systemic opportunity the insurance industry had that he couldn’t access alone at the incident response level.
“Seat belts came to be because insurance companies pushed for it. They saw the value that it had for saving lives. Maybe that’s putting too much of a hero’s cape on cyber insurance, but there are very few companies that are positioned in such a way that they can mandate certain controls to negate the impact of cyber incidents. For me, it was the shift of helping one company at a time, to now helping thousands of companies at the same time drive towards a better security program.”
Jason embarked on a new path — and found a much bigger puzzle to solve as Chief Information Security Officer (CISO) at Corvus Insurance. As opposed to the classic role of CISO, where the focus is primarily on internal security, Jason gets to tackle several different areas, such as supporting policyholders on their security journey and working with the product team to create a frictionless cyber insurance experience. Seems easy.
Entering a relatively young MGA meant that Jason was working from the ground up to build out a full security team. His advice for hiring from scratch?
“You have to hire people that are smarter than you,” he said. “But it’s also about who is really passionate about what they do. Part of this is being self-aware at what you’re good at and what you’re not good at. You are hiring people to cover the areas where you lack.”
None of us have a crystal ball to see into the future of cyber threats. But we have something a little more scientific: data. As someone who saw first-hand how ransoms rose from $5,000 to $500,000, Jason knows to watch where the money is going.
“We are seeing a shift in the approach to ransomware due to threat actors facing better security and resilience controls. I don’t think we’ll see it ever go completely away, but it’ll continue to shift to the targets that will pay. After sanctions have proven successful, we are seeing an uptick in data theft and the tried-and-true business email compromise,” he said. “There will probably be more attempts at trying to bypass existing controls, like MFA. Nothing groundbreaking, but more of the same. Attackers will continue to evolve and poke holes in defenses and we’ll see potential shifts in where they’re going to monetize.”
But one thing he’s certain that the future needs? A little more empathy for organizations that experience these attacks. For every incident, there are lessons that can be learned. It’s not coincidental that you’re regularly hearing about implementing MFA (now phishing-resistant MFA is recommended!) or investing in endpoint detection and response. We find out what works! But so do threat actors. The sooner we can accept it’s not a fair fight, the better.
“One aspect of the media coverage I don’t enjoy is that there’s a lot of victim shaming. Hindsight is always 20/20. Cybersecurity is very difficult to do correctly and very expensive, and it’s you against the world of attackers. The media and the peanut gallery will attack before they seek to understand and empathize. We have all this media attention without the right takeaways; we need to shift our focus and the outcome to benefit everyone.”
Jason highlighted two key goals he’s working on for the upcoming year at Corvus: engaging policyholders and addressing common cyber insurance misconceptions.
Since cyber insurance is all about the partnership between the insurer and the policyholder — a mutual interest! — how do we get policyholders engaged? “We need to make it easier to get and keep cyber insurance, which means removing the surprises. Policyholders just wanna know what it takes to stay insurable.”
On that note, there’s a need to dispel the myth that cyber insurance is the bad guy here to take your money. “There is no other company that has as vested an interest in your security as cyber insurance. When you lose, we lose. We are a partner to help you. Our data and insights help us make better recommendations for your security posture, as well as establishing baselines across the industry.”
As for Jason’s future plans off the clock? He’s going to keep reading, primarily biographies and books on personal development. “I love learning about how people have approached different problems and how they’ve overcome them. I also love anything about personal development because there’s always something else you could be learning to improve.”
Cheers to many more puzzles in the next year.