Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
Finland finds state support sharpens SME security
A report has found “significant improvements” to the security of 50 small businesses in Finland after a national fund was set up to help them. Between 2023 and 2024, Traficom’s Finnish Cyber Security Centre’s National Coordination Centre (NCC-FI) allocated approximately €2 million to 50 micro, small, and medium-sized enterprises to enhance their cybersecurity infrastructures. The chosen companies were in sectors including ICT, health, digital services and digital infrastructure. Each project received between €6,622 and €60,000, covering up to 75 per cent of total project costs.
Now, an impact assessment by 4Front Oy has revealed significant improvements in the recipients’ cybersecurity capabilities. Survey responses from 44 recipients indicated that the funded projects addressed various cybersecurity challenges, primarily focusing on data protection of customer information, trade secrets, and financial transactions, as well as network security and administrative security. It also found positive effects on national cybersecurity resilience. “Beneficiaries report that they have an indirect effect on sectors considered critical for society, for instance through their customer relationships and supply chains. As a result, financial support can also be assessed to have a wider positive impact on society,” the report said.
Phishing season persists; but are passkeys the answer?
Phishing is still the most successful way for attackers to access systems, new analysis has found. Kroll’s latest threat research found that email compromise “soared” in Q4 last year. Phishing accounted for 35 per cent of compromises. Using valid accounts (27%) and social engineering (13%) both went up from 2023, showing the importance of managing access to accounts.
Separately, Cloudflare found that 41 per cent of successful logins on websites it protected involved compromised passwords. It tracked this activity over a three-month period in 2024, and concluded that password reuse is “rampant”. Last year, NordVPN analysed the top 200 passwords in personal and work settings and, wait for it, found widespread use of easily guessed or cracked credentials.
Research from the FIDO Alliance shows that growing numbers of organisations are replacing passwords with passkeys, but there’s a cloud on the horizon. (It’s cybersecurity: isn’t there always?) Security researcher Tobia Righi recently demonstrated the first successful passkey phishing attack. However, the vulnerability only existed in mobile browsers and has been patched. The attack was more difficult to execute than current phishing methods, and showed that while not perfect, passkeys are superior to traditional credential pairs and multi-factor authentication solutions.
Data protection and privacy roundup: data subjects strike back and DNA for sale?
Two recent stories involve Article 15 of the EU GDPR, concerning an individual’s right to obtain information that an organisation holds about them. Europe’s highest court has ruled that a data subject’s rights override a data controller’s trade secrets. In a “significant” decision, the EU Court of Justice decided that a data controller claiming trade secrets must provide the allegedly protected information to the supervisory authority so it can determine what information the data subject has the right to access.
The Data Protection Commission has published new guidance on handling subject access requests (SARs). The updated notice clarifies certain points around mixed records involving data of multiple parties. It’s intended to supplement the DPC’s existing controller’s guide and FAQs.
The European Commission has been busy, having published key updates to AI model contractual clauses. These are intended to support responsible procurement around AI, based on last year’s AI Act. Separately, the EC has also written to Apple and Google, informing them about preliminary findings of non-compliance with the Digital Markets Act.
This one could be a privacy story to follow: 23andMe, the DNA testing company, has filed for bankruptcy protection. Which raises an obvious question: what happens to all that sensitive data now? It’s been a dismal year for the company; last year a security breach exposed information about 7 million customers.
