Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.

MFA momentum gathers after AWS adoption and Snowflake breach

Multi-factor authentication (MFA) got a boost on two fronts recently. Amazon Web Services, one of the largest technology companies, has made it mandatory for its most privileged accounts. And commentators claimed that the absence of MFA is what enabled criminals to carry out the Snowflake breach.

The cloud data company suffered one of the world’s biggest breaches, which compromised at least 165 high-profile customers including Ticketmaster and Santander Bank. SecurityWeek reported that Mandiant’s investigation traced the incident back to stolen credentials and found that the targeted accounts weren’t using MFA. Criminals subsequently demanded payments of between $300,000 and $5 million from victims.

MFA is seen as a critical control for reducing the risk of account takeover. The Register noted that AWS’ move follows Microsoft’s and Google’s adoption of the technology. Writing in the SANS newsletter, BH Consulting CEO Brian Honan welcomed AWS’ move, adding that relying on strong passwords or on users’ ability to spot phishing isn’t enough. “Sadly, making things mandatory is often the most effective way to manage this risk. However, we as an industry have a long way to go to make identity and access management something that is painless and user friendly both for those administering and running systems and platforms, and those that use them.”
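Before a mandate bites, the practical question is how many of your own accounts would fail it. The following is an added example, not code from the original post or from AWS: it parses the CSV that `aws iam get-credential-report` returns (the report arrives base64-encoded in the `Content` field, so pipe it through `--query Content --output text | base64 -d`) and flags every principal that can sign in with a password but has no MFA device. The sample report embedded below is constructed for illustration; the column names match the real report, the rows do not describe any real account.

```python
"""Audit an AWS IAM credential report for console users without MFA.

Added example. It reads the credential report CSV and returns the
principals that can log in to the console but have no MFA enabled,
treating the root user as the most severe finding.
"""
import csv
import io

# Constructed sample report (invented rows, real column names).
# Note that for the root user AWS reports password_enabled as
# "not_supported" rather than "true", so it must be handled explicitly.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,2019-01-04T10:00:00+00:00,not_supported,2024-06-01T08:12:00+00:00,not_supported,not_supported,false,false,false
alice,arn:aws:iam::123456789012:user/alice,2020-03-02T09:00:00+00:00,true,2024-06-10T07:30:00+00:00,2024-01-15T09:00:00+00:00,N/A,true,true,false
bob,arn:aws:iam::123456789012:user/bob,2021-07-19T14:00:00+00:00,true,2024-06-11T16:45:00+00:00,2023-11-02T14:00:00+00:00,N/A,false,false,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-02-28T11:00:00+00:00,false,N/A,N/A,N/A,false,true,false
"""

ROOT_USER = "<root_account>"


def find_missing_mfa(report_csv: str) -> list[dict]:
    """Return principals with console access and no MFA device.

    Only password (console) logins are considered: an access-key-only
    user such as the ci-deploy row cannot use MFA for API calls and is
    a separate problem (key rotation, scoping) outside this check.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == ROOT_USER
        # Root always has console access; IAM users only if a password is set.
        console_login = is_root or row["password_enabled"] == "true"
        if console_login and row["mfa_active"] != "true":
            findings.append(
                {
                    "user": row["user"],
                    "arn": row["arn"],
                    "severity": "critical" if is_root else "high",
                }
            )
    return findings


def mfa_coverage(report_csv: str) -> float:
    """Fraction of console-capable principals that have MFA enabled."""
    console_users = 0
    with_mfa = 0
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == ROOT_USER
        if is_root or row["password_enabled"] == "true":
            console_users += 1
            if row["mfa_active"] == "true":
                with_mfa += 1
    return with_mfa / console_users if console_users else 1.0


if __name__ == "__main__":
    for finding in find_missing_mfa(SAMPLE_REPORT):
        print(f"[{finding['severity'].upper()}] {finding['user']} {finding['arn']}")
    print(f"MFA coverage: {mfa_coverage(SAMPLE_REPORT):.0%}")
```

Run it against a freshly generated report (`aws iam generate-credential-report` first, as the cached copy can be up to four hours old) and treat any root finding as the first thing to fix; the same approach works for any identity provider that can export an MFA-status column per user.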

Data protection and privacy newsround: AI Act’s reach and very personal data

Good news – maybe? – for anyone who’s been working in data privacy roles since 2018: you ain’t seen nothing yet. The architect of the EU’s AI Act says the legislation’s impact will dwarf that of GDPR. Which is probably just as well, since one of that regulation’s creators says national supervisory authorities missed the point. Former European Commission vice president Viviane Reding said she intended the GDPR to protect people from large tech companies and Government overreach. Instead, she told the European Data Protection Symposium that: “national regulators looked more for the nitty gritty than for the real problems with the big platforms”.

In the Irish Independent, Adrian Weckler weighed the pros and cons of greater regulatory oversight around AI. And lastly, Javvad Malik’s excellent blog paints a heartfelt picture with a human story behind a security breach. It’s a timely reminder of the ‘person’ in ‘personal data’.

Cyber insurance: whisper it, but it seems to be working

Cyber insurance premiums have dropped by 15 per cent from their 2022 peak, even though Howden’s annual report found that reported ransomware incidents were up by 18 per cent in the first five months of this year compared to 2023. Demand is also rising, yet Howden found prices are falling through a combination of more providers entering the market and companies improving their security. The specialist broker forecasts that the total cyber insurance market will reach $43 billion by 2030.

The findings echo Coalition’s 2024 Cyber Claims report. “Despite critical vulnerabilities reaching an all-time high and global ransom payments surpassing $1 billion in 2023, businesses that reinforced their security controls and embraced partnership with cyber insurance providers were generally more secure,” it stated. Other nuggets from the report include the stat that 56 per cent of all claims last year were a result of funds transfer fraud (FTF) or business email compromise (BEC). Coalition said this highlights the importance of email security as a critical part of cyber risk management.

A separate report on cyber insurance from Sophos also drew a connection between effective security controls and lower priced risk. It said cyber insurance acts as a carrot and a stick for security investments by setting minimum security control requirements to attain coverage. “The insurance industry is effectively forcing many organisations to elevate their cyber defenses. A common example is multi-factor authentication (MFA), which is often a prerequisite for policy purchase.”

Links we liked

Google Maps for security? How to chart your organisation’s landscape. MORE

Eight lessons from the Change Healthcare ransomware incident. MORE

MITRE has a three-part deep dive into its recent security breach. MORE

A risk management framework for AI, courtesy of NIST. MORE

The US CISA agency has a guide to implementing DNS protocols. MORE

Can LLMs work for vulnerability research? Not yet, Google researchers say. MORE

Why is more than 70 per cent of Irish internet traffic malicious? MORE

The UK NCSC has guidance on defending against business email scams. MORE

Presentations from IRISSCON 2023 are now up online in living colour. MORE

Have you signed up to our monthly newsletter? Every month we send out the latest cybersecurity and data protection news, trends and advice from around the globe.
