It’s that time of year again, where we look back at, and reflect on, the previous 12 months. In that spirit, here’s the BH Consulting review of 2019. The roundup we present is our take on cybersecurity, data protection and privacy issues.
As regular readers will know, we don’t aim to be a website of record when it comes to chronicling the latest malware outbreaks or data breaches. (For that, we respectfully suggest Infosecurity Magazine or Information is Beautiful.) Some of our coverage below features breaking news and major developments that happened during the year. Many times, though, we looked at security through the lens of issues we were seeing in the market. Other times, we wrote about areas of security that our team wanted to draw attention to. We hope you enjoy it.
The new year got off on the wrong tracks for the Luas tram operator. In a case that got lots of headlines due to the victim’s high profile, its website was defaced, exposing 3,226 user records. It’s worth noting the tram service wasn’t derailed in any way (sorry, but it’s almost Christmas and we reserve the right to crack bad jokes). Fortunately the affected website didn’t process any payment information, but it showed once again that non-eCommerce sites are targets too.
On our blog, senior data protection consultant Tracy Elliott looked at data sharing and consent in health research. In a theme he would return to, David Prendergast pondered the question of security culture rather than point-in-time awareness training.
It’s been an interesting year for cyber insurance. The food giant Mondelez and Allianz ended up in court over an unpaid $100 million damages claim due to ransomware. The insurer refused to pay, saying the infection was “a warlike action” and therefore not covered under the policy.
Closer to home, Ireland’s National Cybersecurity Centre published an accessible 12-step guide to help businesses improve their security. Our team analysed the main points. The PDF guide is written for a wide audience, not just technical staff, and is free to download here.
For those interested in cloud forensics, in February we published the fifth in our series of practical guides to working with AWS. In this blog, Neha Thethi looked at the issue of incident response.
In March, we tackled the dilemma of whether to pay or not to pay in order to stop a ransomware infection. The company in question was Apex Financial Management, but it’s an issue that every victim must face. We also shared a useful free guide to reporting a cybersecurity crime incident.
Good preparation helps to mitigate risks like ransomware, so we blogged about the value of cybersecurity planning. The Data Protection Commission’s first annual report of the GDPR era made for interesting reading. Tracy Elliott spotted five tips and takeaways for privacy professionals.
April showered us with more ransomware news, but this story had an unexpected twist: the good guys won (sort of). Norsk Hydro became a “case study in effective incident response” after swift action minimised fallout from a ransomware infection. It didn’t pay the ransom, contained the infection, and was back at almost full operations within a week. All this while keeping customers and the public informed.
This month, we also wrote about Google’s FIDO2 initiative to provide passwordless logins to browsers for users of Android 7.0 or higher. The days of needing passwords to log in to the many services we use are hopefully drawing to a close.
Staying with passwords, in May, we reported on the UK National Cyber Security Centre and Troy Hunt’s work in listing the most hacked logins. As you’d expect, there were some unsurprising and unwelcome entries, including gems like ‘123456’ (groan), ‘123456789’ (double groan), ‘qwerty’, ‘password’ and ‘1111111’.
A new strain of MegaCortex ransomware started making its way across the globe, with sightings in Ireland, the US, Canada, Argentina, France, Indonesia and elsewhere. That was our cue to look back through the BH Consulting blog to trace ransomware’s rise and outline steps to avoid falling victim.
At BH Consulting, we have always promoted the idea that good security starts with knowing what are the most important things you want to protect. With this in mind, David Prendergast wrote about data classification (and why you shouldn’t call it that).
Nothing beats a good number when security professionals have to make the case for more budget or resources. In June, we reported on a new academic paper counting the cost of cybercrime. An update to previous research from 2012, it found that close to half of all property crime is online. The research paper is free to download here. If you prefer your numbers on the larger side, how about this: €3.5 billion a year. That’s what Dermot O’Shea, of the NYPD no less, puts the cost of fraud and cybercrime to the Irish State at.
Elsewhere on our blog, we looked back through our archive to look at the importance of cybersecurity awareness initiatives. Our main lesson was that while employee training and awareness efforts are valuable and necessary, it’s important to communicate those lessons clearly for every person in an organisation.
We also covered the ongoing Huawei controversy, as Brian tackled a subject that’s been brewing at the intersection between security and geopolitics. In a video interview with Infosecurity Magazine, Brian pointed out that many accusations against the Chinese company have little evidence to back them up. The internet is designed for sharing information, he added. With that in mind, security professionals should focus on essentials like protecting information in transit and at rest.
Stay tuned for the second part of our year in review next week on our blog.