Xing Xin of Upfort On 5 Things You Need To Know To Optimize Your Company’s Approach to Cybersecurity

Authority Magazine · Published Mar 11, 2024 · 15 min read


As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Cybersecurity”, I had the pleasure of interviewing Xing Xin.

Xing Xin is the CEO and Co-Founder of Upfort, a leading platform for cyber security and insurance that provides holistic protection from evolving cyber threats. Xin is passionate about closing the cyber protection gap through technology, data, and partnerships. Upfort delivers turnkey security proven to proactively mitigate risk and comprehensive cyber insurance from leading insurers. Xin began his career as a management consultant focused on the intersection of organizational restructuring, predictive modeling, and product development. Prior to founding Upfort, Xin was the Head of US Business and Product Development for Tractable. As the first US hire, he was responsible for building and leading the US and Japanese markets. He holds a Bachelor’s Degree in Information Systems from Carnegie Mellon University and a Master’s Degree in Information Management Systems from Harvard University.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

Growing up, my parents were both electrical and computer engineers. From observing their work over the years, I was always fascinated with the transformative power of technology. In school, I chose to study systems engineering and decision science for both my undergraduate and graduate degrees. My goal was always to help solve the biggest problems I could get my hands on using software and data. After graduating I started my career as a management consultant focusing on the intersection of organizational restructuring, predictive modeling, and product development. I always found myself looking for bigger problems to tackle; eventually I decided to build early stage startups where data and software are utilized to transform how industries work and set a new standard for the customer experience. This is something I continue to prioritize each day as the CEO and Co-Founder of Upfort.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

In my family and with my friends, I have always been the geek and the go-to for tech questions and help with fixing computers. I even started my own company, building and selling computers, at the age of 12 when I got to high school.

Fast forward to early 2017, my friend who owned a small accounting firm reached out because his computer seemed locked and his files were encrypted. He was incredibly stressed because he was handling multiple urgent client tax deadlines and was worried about the implications to these clients and his business. After doing some digging, I realized that he had fallen victim to Locky ransomware, which infected his computer because he opened an invoice that appeared legitimate but was actually malicious.

Later that same year, two of the largest ransomware attacks in history occurred: NotPetya, with estimated financial damage of ~$10 billion, and WannaCry, with estimated financial damage of ~$4 billion.

It was then that I realized cybercrime and ransomware were fast accelerating with no brakes in sight. Companies both large and small were at risk and I wanted to be part of a solution that could help level the playing field against cybercriminals, especially for the 99% of businesses out there.

Can you share the most interesting story that happened to you since you began this fascinating career?

I’ve been lucky enough to experience a number of highlights in my career so far. In cybersecurity specifically, we’ve long heard that the perception around SMBs is that their employees don’t care about cybersecurity. We’ve always felt that it hasn’t been productized in the right way to properly serve the vast majority of companies out there.

When Upfort released an update within Upfort Shield that gamified cyber security by rewarding users for taking positive actions and removing points for risky behavior, I was excited to see the reaction from employee users.

There were many folks who reached out after seeing their cyber readiness score and ranking within their company. They were engaged in becoming cyber smart, asking how to earn a new badge or more points to get to the next cyber readiness tier.

It has been amazing feedback to receive and I am delighted with the increase in interest we are seeing from employees to learn more about cybersecurity in order to protect themselves and their organizations.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

Founding Upfort has been an incredible journey so far. The company would not be where it is today without the work from my fellow co-founders, Josh Riley and Han Wang. After returning from deployment leading a cyber security field team for the US Army, Han saw a gap in the market for a comprehensive cyber protection solution that would address evolving threats facing underserved businesses. The three of us co-founded Upfort with the mission to expand global access to cyber resilience, making cyber risk easy to manage and simple to insure. I am grateful for our team and the work we’ve been able to accomplish so far.

Are you working on any exciting new projects now? How do you think that will help people?

In short, yes we are working on a number of new projects that we are excited to push over the finish line to expand protection for businesses. The world of cybersecurity is incredibly sophisticated and constantly evolving which requires us to regularly update and improve our platform. In order to provide holistic protection for businesses to improve cyber resilience our platform needs to remain relevant and address current cyber attacks.

As a cyber insurance platform, our work is two-fold. We are currently working on expanding our scanning capabilities to improve overall detection software as well as insurance capabilities that will offer better access to cyber insurance coverage and lower loss ratios overall.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

In order to prevent burnout, I believe that communication is key. It is important for teams and individual employees to align on what is important, discuss how to divide and conquer workloads, and keep each other updated on the status of work.

One specific tool that I have personally found helpful is the Eisenhower Matrix, which is a time management approach popularized by Dwight D. Eisenhower as the 34th President of the United States and a five-star general during World War II. In a 1954 speech, Eisenhower quoted an unnamed university president when he said, “I have two kinds of problems, the urgent and the important. The urgent are not important, and the important are never urgent.”

It’s an extremely effective time management tool to help clearly divide your tasks into four categories: the tasks you’ll do first, the tasks you’ll schedule for later, the tasks you’ll delegate, and the tasks you’ll delete. It is a tool that I still practice today.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

Over the last year, the cybersecurity industry has grown exponentially for both attacks and awareness. There are a few areas I am most excited for as we continue to see necessary growth within the industry.

  • Leveraging AI — there is significant opportunity to better leverage AI to better assess and mitigate risk overall. We’re in the early innings.
  • Adoption and Collaboration of Cyber Insurance — increasing adoption of cyber insurance is helping organizations to improve outcomes of attacks and leads them towards cyber resilience. Increased collaboration between the cybersecurity and cyber insurance industries is key to sustainable growth.
  • Awareness of Risk — as attacks continue to grow, more businesses are doing the work to understand the risk and increase their awareness overall to improve protections.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

Threats are becoming more sophisticated as cybercriminals continue to adopt new technology. Companies should be prepared for growth of ransomware attacks, funds transfer fraud (FTF) within phishing attacks, and new developments in supply chain attacks.

Ransomware can be defined as a form of weaponized encryption and is considered to be one of the most profitable forms of malware. We’ve been seeing an alarming uptick.

Funds transfer fraud and financial fraud continue to be an issue given how cheap and easy phishing attacks are. This is leading to increased financial losses for both individuals and organizations who are not properly trained to identify these attacks. Supply chain attacks are fairly new and require more widespread awareness in order to improve protection. Cyber criminals are finding ways to gain access to a very large number of end users through a single piece of vulnerable software.

Building security awareness is a key factor in improving an organization’s cyber-resilience. It takes every employee being trained and vigilant to help an organization stay secure as human error is such a key factor in the absolute majority of attacks. As more companies embark on this journey, becoming aware of more threats will help to enforce protection.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

There have been a few instances where Upfort was able to monitor a cybersecurity breach in real time and work with our customers to minimize the attack; each of these events reinforces Upfort’s commitment to building cyber resilience for all businesses.

A specific story that comes to mind was the widespread security vulnerability, Log4J, that affected a very meaningful percentage of companies and the wholesale internet. This became a critical security threat for businesses, as all it took was a bad actor sending a single message to a system to allow a cyber criminal to gain access and send malicious code that could infiltrate an entire system.

Upfort helped to create custom scanning tools that would detect which of our customers might be vulnerable to this threat, and our team messaged them immediately to fix this threat within 24 hours to eliminate their risk. To expand customer protection, we made additional updates to Upfort’s browser firewall to block some of the attack methods, offering multiple ways to prevent an infiltration.

The widespread vulnerability Log4J created highlighted the need for real-time, fresh data regarding a company’s risk profile and an overview of their system. Upfort has scaled its architecture to access this data quickly in order to provide accurate insights to our customers. The freshness of this data helps to minimize the amount of time that a company spends sitting exposed during an active attack, ultimately reducing the data stolen and overall financial costs.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

Upfort focuses on cybersecurity tools that provide meaningful, holistic cyber protection that are easy for businesses to deploy and manage.

  • Shield is a turnkey solution that provides layers of cyber protection intended to significantly lower the likelihood of ransomware, breaches, and other cybersecurity incidents.
  • Cyber University is training for a business’ employees intended to lower the risk of human error. This automated training and testing reduces phishing susceptibility by tailoring training to each employee’s weaknesses.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

I’d encourage any business with a smaller team to look for solutions that are actually designed with their business profile in mind. Most solutions are designed for an enterprise user with some security expertise, which became a key driver for the development of Upfort Shield. This solution allows non-technical users the ability to implement an effective security program that is fully automated and designed so businesses don’t have to actively check on it.

In addition to this solution, there are also free actions a business can take to improve protections. This includes communicating with employees about cyber risk to build awareness, proactively setting the right policies to minimize vulnerable data, and turning on multi-factor authentication for email accounts. These are simple and practical tactics businesses of all sizes can implement to reduce cyber risk.

Security is a critical consideration for all businesses, but determining the need for hiring a Chief Information Security Officer (CISO) depends on various factors.

Firstly, businesses with high-cost associations for downtime, engaged in significant financial transactions, or handling private non-public data must prioritize cybersecurity. Such businesses are often subject to stringent regulatory compliance requirements, making an investment in a CISO imperative to drive robust security initiatives.

However, the decision to invest in a CISO or engage with a cybersecurity agency is not solely based on the scale of operations or risk exposure. It also hinges on the complexity of the company’s IT infrastructure and its tolerance for cyber risks. For instance, a small business that handles sensitive customer data may find it prudent to hire a CISO even if its operations are not as extensive as those of a larger corporation.

Regarding “over the counter” software solutions, they indeed offer valuable benefits to businesses of all sizes. These solutions are typically standardized, extensively tested, and designed to cater to a wide range of company profiles. They provide a level of protection against common cyber threats and offer scalability to accommodate a company’s growth. However, it’s essential for businesses to recognize that such software solutions may not adequately address the unique security challenges and compliance requirements they face.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

In addition to looking for the classic phishing techniques cybercriminals use like impersonating familiar people and brands, there are a few key techniques even individuals without technical expertise can use to stay vigilant against recent cybercriminal techniques. Three key areas include: Accounts, Systems, and Financial Transactions.

Accounts: Keep a close eye on account activities for any signs of unauthorized access. Look out for unusual login attempts or logins from unfamiliar locations that deviate from your typical access patterns. Additionally, thoroughly review your email inbox for any messages you didn’t send or interactions that seem out of the ordinary. Monitoring account activity is essential for detecting and responding to suspicious behavior promptly.

Systems: Regularly monitor the performance of your systems for any anomalies that could indicate a cyber threat. Be wary of sudden slowdowns or system crashes, as these could be early indicators of a potential cyber attack. Pay attention to unexpected changes in your system’s behavior, such as an increase in intrusive advertisements appearing where they shouldn’t be, which could signal malicious software.

Financial Transactions: Exercise caution when conducting financial transactions and be vigilant for any red flags. Verify the legitimacy of payment requests and scrutinize any requests to switch bank accounts or payment details, especially if they come from unfamiliar sources. Any payments directed to unfamiliar accounts should raise suspicion and prompt further investigation to prevent potential financial fraud.

By remaining vigilant and monitoring these three areas diligently, individuals can better protect themselves and their businesses from various forms of cyber threats. In today’s technology-driven environment, proactive cybersecurity measures are essential for safeguarding sensitive information and maintaining the integrity of business operations.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

After a data or security breach, immediate comprehensive action is crucial to protect both the company and its customers while minimizing damage. Here are the most important actions to take:

Containment: Isolate affected systems to prevent further damage.

Assessment & Forensic Investigation: Conduct a thorough assessment to determine the extent of the damage, including identifying the type of data compromised, how the breach occurred, and the potential impact on customers and the organization.

Notification: Promptly inform all stakeholders, including customers and regulatory bodies.

Restoration & Remediation: Implement measures to restore affected systems and strengthen security.

Customer Support: Offer assistance and identity protection services to affected customers.

Review and Improve: Conduct a post-incident review to enhance future preparedness.

As evident from the essential steps outlined above, effectively recovering from a breach often demands close coordination among a team of experts spanning various disciplines. This underscores the vital role of cyber insurance in every company’s cybersecurity strategy. Cyber insurance not only offers financial protection but also grants insured parties access to a seasoned team of experts poised to swiftly mitigate damage and facilitate a rapid recovery process.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Running an effective security program isn’t easy, and companies often face tough choices when managing their risk with limited resources.

One prevalent mistake is inadequate training and testing of team employees. Without proper education and regular testing, employees may overlook recent attack trends and fail to recognize potential threats. To address this, it’s crucial for companies to conduct simulated phishing attacks that mimic real-world scenarios. These exercises assess employees’ awareness and response to threats while providing valuable training in a safe environment.

Another common mistake is implementing controls and plans without proper testing. For example, while a company may have frequent backups in place, they may later discover critical data is not properly backed up in case of an incident. Similarly, having an effective incident response policy is essential, but it’s equally important to test it regularly to ensure timely and effective execution during an incident.

Lastly, opting out of or insufficiently investing in cyber insurance is a significant oversight. Many companies mistakenly believe they’re adequately covered with minimal policies (for example — $50,000 of coverage), only to face substantial financial burdens when a breach occurs. Cyber insurance is vital for covering various issues, including data loss and recovery, extortion demands, revenue loss from system downtime, forensic investigation costs, and liability arising from a breach.

Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

Yes, the COVID-19 pandemic has indeed ushered in a historic surge in cybercrime, particularly in the realm of cybersecurity and privacy errors. As companies swiftly adapted to remote work setups, cybercriminals capitalized on vulnerabilities stemming from hastily configured and inadequately patched systems. This led to an unprecedented rise in ransomware attacks, which have evolved to include data exfiltration, thereby exacerbating privacy concerns. The widespread dispersion of workforce has significantly expanded the attack surface, making it imperative for organizations to bolster their cybersecurity defenses and prioritize privacy protection measures.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

In 2023 alone, 26,447 cyber vulnerabilities were disclosed, surpassing the previous year’s 25,000. This number continues to grow and without proper cyber protection in place, more companies will fall victim to data breaches and cybersecurity attacks. Throughout my career, I’ve found that there are a few key tools that all businesses can establish that will help reduce their risk and can help improve cyber resilience.

  • Understand your risk profile — Arming yourself with knowledge is the first step to overcoming most obstacles. Being aware of your company’s level of risk will help you to determine how to address it. To do this, leadership should stay up-to-date on the latest cyber attack trends and known vulnerabilities, keep all software updated, understand the private customer data you have saved, and know who has access to your data. It’s important to implement the right security policies that fit your company’s risk profile.
  • Educate your employees — Building awareness in your organization is a critical component of every cyber protection strategy. I recommend not only requiring all employees to take security awareness training but also testing your team regularly with simulated phishing attacks.
  • Develop a plan of action — Now that a company understands its risk profile, it’s important to devise a plan of action in the case of a cyber breach. Time is an important factor in a cyber breach. The longer it takes for a business to react, the bigger the exposure becomes. Every plan should include a cybersecurity consultant to call, ways to contain the damage, a cyber remediation team, and legal counsel.
  • Invest in tools to protect your team’s inboxes and browsers — Protecting employee inboxes and browsers has never been more important. Phishing attacks are the most common cyber attacks against individuals and organizations, with an average of 3.4 billion phishing emails sent every day. As the attacks become more sophisticated, companies will need to invest in more sophisticated tools to improve their protection. A few non-negotiables I’d recommend include advanced email security that better identifies phishing, enhanced web browsing protection that filters malicious sites, and solutions that protect data transfer on unsecured connections.
  • Invest in cyber insurance — The financial repercussions of a cyber breach can be staggering. Resilient organizations incorporate quality cyber coverage for financial protection and proven incident response assistance in case of emergencies.

Cyber attacks remain a growing concern for companies around the world. Making smart decisions about cyber protection will go a long way in mitigating a company’s cyber risk.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)

At Upfort, we are actively working to inspire a movement of cyber resilience. Our mission is to expand global access to cyber resilience, by making cyber risk easy to manage and simple to insure for businesses across the board.

How can our readers further follow your work online?

Readers can learn more about Upfort by visiting www.upfort.com as well as our LinkedIn page, www.linkedin.com/company/upfort.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
