Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.

Scamalot: police point to ongoing online fraud…

It may be the low-hanging fruit of the security profession, but every now and again it’s worth re-familiarising ourselves with how scams work. Tom Whipple, a journalist with The Times, has an excellent thread showing just how close he came to being scammed.

Meanwhile, the Irish Independent reports that a fresh round of fraud and email scams involves fraudsters mimicking traditional banks. One individual alone lost close to €2 million, while the Gardaí estimate that victims lost nearly €20 million between January and October this year.

Scams also figured highly in An Garda Síochána’s Annual Report for 2022. The report details Operation SKEIN, an ongoing investigation into an organised crime gang carrying out business email compromise from Ireland. Gardaí established that over €40 million was stolen and laundered through Irish bank accounts, and that a trade-based money laundering and underground banking system is operating from Ireland. There have been more than 200 arrests in the case so far. The investigation identified an extensive network the gang operated across Ireland, together with almost 800 suspects who were mostly money mules. The report also notes an increase in the closure rate for cyber crime cases last year. There were 488 new cases in 2022 and the Garda’s National Cyber Crime Bureau closed 692 cases, up from 431 closed cases the previous year.

…while cybercrime incidents increase

More than seven out of 10 Irish companies experienced at least one cybersecurity incident in the past 12 months. That’s a 50 per cent jump from the previous year and the third consecutive year of increases. The figures come from insurance company Hiscox, which tracks multiple countries for its Cyber Readiness report. Ireland seems particularly badly affected compared to the global average of companies suffering attacks (53 per cent). In 57 per cent of cases, intruders got access through a corporate-owned server. And echoing our story above, financial loss due to payment diversion fraud was the most common outcome in 43 per cent of cases.

The research also found that 77 per cent of Irish businesses are more likely to pay if they’ve been infected with ransomware. Despite this, only 33 per cent said they got all their data back after doing so. There was one positive development: the cost of attacks is falling. For 51 per cent of all incidents, the cost to victims was less than €10,000. In a separate study (but a related theme), 54 per cent of CEOs believe the cost of implementing better security is higher than the cost of an incident. The study from Accenture also found that 44 per cent of leaders believe episodic intervention is a better approach to cybersecurity than ongoing investment.

Data protection and privacy developments

A server software error exposed personal details about thousands of Irish drivers in a significant data breach. The Irish Independent broke the story, detailing how 512,000 documents were available to access. They contained citizen data, including payment card details, insurance investigation notes, and vehicle registration certs, dating back to 2017. In what could prove to be an EU GDPR case study in years to come, the Data Protection Commission (DPC) is working to establish who is responsible as the data controller. The breach resulted from an unprotected database at the IT provider that works with tow truck companies working on behalf of the Gardaí.

Speaking of case studies, the DPC has compiled a handbook of 126 case studies to outline how it identifies non-compliance and applies data protection law. It lists the case studies under a range of headings including access request complaints, data breach notification, disclosure, electronic direct marketing and transparency. It’s a useful guide for companies and specific departments that handle personal data. Take human resources, for example: 75 per cent of HR departments breach the GDPR. The survey by the software company HRLocker found that many of the breaches involve employee consent.

And finally, the European Data Protection Board has banned Meta from processing personal information to target people with behavioural advertising. Silicon Republic has a good roundup of the background to the decision (it’s been in the works for a while). From next year, Meta will offer ad-free subscriptions to both Facebook and Instagram.

Links we liked

Using certain tools could boost security for 20 per cent of your IT budget.

Version 4.0 of the Common Vulnerability Scoring System is out now.

Rik Ferguson proposes a new way to measure security effectiveness.

Ransomware: just say no to paying criminals (like these 48 countries).

Want an easier way to manage logs? CISA’s free tool to help.

More free tools: 15 Microsoft 365 security training modules, gratis.

How large language models can help with perimeter detection.

Are soft skills still a struggle in the security sector?

Do you use WhatsApp? It’s enhanced security by hiding location during calls.

Cybersecurity incidents and disinformation campaigns could be connected.

About the Author: admin
