At the start of a new year, it’s natural to look ahead – though it can help to look back first. In that spirit, we’ve rounded up five of our most popular blogs from the past year. From ransomware and scams to security frameworks and employee privacy, our 2021 ‘greatest hits’ show how broad the areas of cybersecurity and data protection can be. There’s plenty of food for thought and perspective for anyone in security leadership or privacy roles in their organisations.
We begin with a look at a contentious topic: cyber risk insurance. The blog was inspired by the growing number of organisations coming under pressure to take out insurance cover. BH Consulting’s Head of Sales and Marketing John Mangan weighed the pros and cons in a thoughtful blog.
Risk vs reward
John pointed out that tenderers asking for proof of cover might be asking the wrong question. “Surely it’s more important to know that a potential supplier has applied effective security controls to try to prevent a breach, rather than verify that it will receive a payout if it has one,” he wrote.
There is an argument that cybersecurity insurance is useful because it makes people think of business risk, not just IT. However, John warned against thinking a cyber risk policy by itself is sufficient protection. “Insurance cover should never be a substitute for making an investment in the appropriate security controls for your business, based around technology, people and processes.”
Thumbs down for fingerprint scanners?
Next, we turn to data privacy and, more specifically, the EU General Data Protection Regulation. Last Autumn, workplaces began to reopen after the Delta wave of COVID-19. This might have been the cue for some companies to think about how to improve the systems for giving employees secure access to office buildings. Fingerprint scanners might seem more attractive than swipe cards and lanyards, but as our data protection analyst Cliona Perrick wrote, these kinds of systems come with privacy concerns.
Under the GDPR, fingerprints fall under the category of biometric data. So, employers wanting to process such data need to meet nine types of legal basis. Otherwise, in order to be exempt, employers must be able to make a legitimate and reasonable argument that processing biometric data is for the vital interests of its employee or is being processed for the matter of public interest. “The onus to prove this legitimacy lies with the employer,” Cliona wrote. Before taking the plunge, she outlined nine points that employers should consider first. You can read the full blog and recommendations here.
Taking security seriously, certifiably
Halfway through our top five, and we come to the ISO 27001 information security standard. We live in a time when the statement “we take your security seriously” follows data breaches as night follows day. By contrast, as BH Consulting senior consultant David Prendergast wrote, ISO 27001 is a framework that can help organisations to prove their security “by applying repeatable policies and documented procedures”.
In his blog, David described the standard, how it works, who it’s aimed at, how the certification process works, and how to go about becoming certified. He also outlined four key business benefits from following the framework. “With a structured, independently validated way to manage information security, certified organisations benefit from being able to manage their IT security risk better, keep confidential data secure, and protect their reputation,” he wrote.
Sense of security: careful thinking to avoid trickster tactics
For our next look back, we covered a fixture in the security calendar: October’s EU Cybersecurity Month. Taking our cue from the 2021 awareness campaign slogan, ‘Think Before U Click’, the team at BH Consulting shared tips on how to avoid widespread online scams.
Criminals try to force victims into rushed decisions that give access to key systems or information. The language in phishing emails can be a clue that the message isn’t genuine. Other warning signs to watch for include a sense of urgency, bad grammar or spelling, bills for items you didn’t buy, or coercive tactics. The criminals’ goal might be to launch ransomware infections, steal data or scam victims out of money. The blog also linked to our companion video highlighting how to spot possible security risks.
Lessons hard learned from a ransomware infection
For our fifth blog of 2021, we present BH Consulting CEO Brian Honan’s in-depth analysis of the ‘Conti cyber attack on the HSE’ report. Seven months after suffering a widespread ransomware infection, the Health Service Executive published a full post-incident report. The publicity surrounding the incident raised the profile of cybersecurity nationally. As Brian wrote, one of the many advantages of the 157-page document was how other organisations can learn from the HSE’s experience.
The report identified the original source of infection, but as Brian pointed out, the email carrying the malicious payload in an infected spreadsheet still had to pass through several layers before arriving in the victim’s inbox. The report showed how an organisation’s security efforts needs to be system-wide, with an accountable leader at the helm.
The team at BH Consulting is already working on more content for our blogs, videos and white papers during 2022. Be sure to check back regularly for more analysis and commentary on cybersecurity and data protection.