Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
Strengthening security awareness stops scapegoating staff for shortcomings
A time of upheaval in the way we work has meant employees have had to follow the right security behaviours in vastly different circumstances. The 2021 SANS Security Awareness Report offers an interesting look back over the past year. The subtitle ‘managing human risk’ is deliberate, acknowledging the critical role of people in strengthening security, if trained properly. The report is based on the experiences of 1,500 security professionals, whose biggest challenges in building a mature awareness programme include a lack of time and a lack of personnel.
The SANS report contains analysis and data that show how to make awareness programmes successful. It also has benchmarking models to help gauge the maturity of those programmes. The report is free to download at the SANS site. Report author Lance Spitzner of SANS blogged: “The more that managing human risk becomes a dedicated, prioritised effort, the more effective organizations will become at managing their human risk.” In a related story, Help Net Security carried an op-ed noting that a culture that’s strong in security awareness is a must for all organisations, given that 90 per cent of security incidents are due to human error.
FBI finds cybercrime losses reached
Polish up those PowerPoint presentations, here come some heavy-duty cybercrime figures. Reported financial losses due to cybercrime exceeded $4.2 billion last year, the FBI’s 2020 Internet Crime Report shows. Business email compromise alone accounted for more than 40 per cent of those losses ($1.8 billion). Phishing, meanwhile, was the most frequently reported crime. ZDNet reported that the losses increased from $3.5 billion in 2019. That’s a 20 per cent jump in one year.
While the headline number is an arresting figure (sorry), it is worth stating that it only covers reported complaints to the FBI. Commentator John Pescatore noted that many industries lose large multiples of this amount to traditional crime. What’s more, Bleeping Computer said the report “grossly misrepresented” the threat of ransomware because many victims don’t report the incidents to law enforcement to avoid legal complications. Nevertheless, the report is still useful because it shows which types of crime concern law enforcement the most. Its data can also help to guide risk management decisions.
Facepalm? Hackbook? Whatever, it’s not good.
A dataset containing details of 533 million Facebook users leaked online to a public hacking forum. The data includes identifiable information like full names, phone numbers, birthdates, and email addresses. Even though the data set reportedly predates GDPR, this is still a significant breach of around one-fifth of the social network’s users. The Data Protection Commission warned: “Risks arise for users who may be spammed for marketing purposes but equally users need to be vigilant in relation to any services they use that require authentication using a person’s phone number or email address in case third parties are attempting to gain access.”
Adrian Weckler’s story in the Irish Independent called the trove a “stalker’s paradise”. Brian Honan tweeted that the breach “highlights why people calling for social media networks to get more personal data for age verification purposes don’t understand the risks”. Todd Fitzgerald of the Cybersecurity Collaborative said the lesson from the breach was “clear demonstration of the need for all organisations to know where their data is flowing, who has it, and how it is being protected. You don’t want the answer to be ‘we dunno’.”