We round up interesting research and reporting about security developments from around the web. This month: blaming the user (or not), passwords, protecting data and privacy, and security leadership (or the lack of it).

The blame game

Who’s to blame when poor passwords lead to breaches? That was a matter for debate among the respected security professionals Troy Hunt and Javvad Malik recently. Hunt began by blogging that when security incidents come to light, bad password choices are often the root cause. “The account holder is the victim but they must also share the blame,” he said. Javvad Malik responded with a rebuttal, taking security professionals to task for an ‘us vs them’ mentality. There’s also a wider issue of technologists building systems with poor security that pushes responsibility back on people who are least qualified to know what’s best, he said. Both blogs are worth reading in full; in Javvad’s words they are “a natural part of a much-needed dialogue in the security industry”.

GDPR guidance on protecting data with passwords

The UK’s Data Protection Authority, ICO, has published new guidance on passwords as a means of protecting data in light of GDPR. Although the GDPR doesn’t specifically mention passwords, it requires organisations to process personal data securely using appropriate technical and organisational measures, and passwords are a common way of doing this. The guidance includes details of what to consider when designing and implementing password systems. The page includes links to the relevant sections of GDPR, along with password guidance from the UK National Cyber Security Centre. It also suggests that organisations should think about whether there are any better alternatives to using passwords.

GDPR slows the M&A train

Call it the (corporate) law of unintended consequences: could GDPR compliance concerns be causing M&A activity to slow down? That seems to be the key finding in a survey of more than 500 EMEA M&A professionals from Merrill Corporation. More than half said compliance and data protection at a target company was the main reason why deals collapsed. The Times described the regulation as “a significant fetter” on mergers and acquisitions. Two-thirds of those surveyed believe that GDPR will increase potential buyers’ scrutiny of a target company’s data protection policies and process. This will further complicate the deal-making process, Merrill concluded.

Separately, Irish business leaders say GDPR has been beneficial for society and individuals. In a survey from Mazars and McCann Fitzgerald, 73 companies said complying with the regulation had been a challenge but many were confident in their efforts. A massive 88 per cent of the firms believe they have interpreted their obligations correctly.

“Who’s in charge here?” “Ain’t you?”

No one senior executive function is taking responsibility for managing security, a new survey has found. The NTT Security 2018 Risk:Value report found a “narrowing gap” between the roles of CEO, CISO and CIO for security. Its report is based on responses from 1,800 decision makers from non-IT functions. The report suggests that this lack of cohesion at the top means that many organisations are struggling to secure their most important digital assets. Just 48 per cent of respondents globally say they have fully secured all of their critical data.

NTT Security’s Azeem Aleem said: “Responsibility for day-to-day security doesn’t seem to fall on any one particular person’s shoulders among our response base. This narrow gap between the roles of CIO, CEO and CISO shows that no one executive function is stepping up to the plate. It could be a sign of unclear separation between the CIO and CISO though, as often they are the same or collaborate closely.”

Worryingly, one-third of respondents also said they would pay a ransom to malicious attackers rather than investing in information security. For those troubling stats and more, the full report is here.

Simple SME security from the US FTC

The US Federal Trade Commission has launched a website with free security resources aimed specifically at small businesses. In a similar vein to the UK NCSC’s excellent site, the American equivalent covers areas like phishing, ransomware, email authentication, physical security, fraud and securing remote access. The site has a clean design that’s easy to navigate. It also has a guide for employers along with links to useful security materials and a series of videos.