Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.

EU Court dismantles Privacy Shield: what’s next for EU-US data sharing?

There is no doubting the summer’s biggest data protection news: the European Court of Justice (ECJ, also written CJEU) has invalidated Privacy Shield, the EU-US data sharing mechanism. In the case dubbed ‘Schrems II’ after the Austrian privacy campaigner Max Schrems, the court struck out the agreement. In its ruling, it said the arrangement did not adequately protect European citizens’ data because US law allows US intelligence services access to it. But with an estimated 5,300 companies potentially affected, many of them SMEs, what will a new data sharing regime look like? The European Data Protection Board followed up with a six-page FAQ. Although alternative transfer mechanisms to Privacy Shield remain available, such as standard contractual clauses and binding corporate rules, the EDPB said organisations relying on them must take account of the court’s assessment of US law. 

The ECJ’s decision looks likely to have far-reaching consequences. Brian Honan wrote that it would have implications for many cloud-based companies and for US companies operating in the EU that need to transfer personal data back to the US. The BBC and Washington Post noted how Privacy Shield had underpinned transatlantic digital trade. TechCrunch’s report noted that the decision concerns bulk transfers and not ‘necessary’ data transfers, such as sending an email to book a hotel room. BH Consulting COO Valerie Lyons wrote an analysis of the ruling along with the key questions it raises. 

The people problem: security’s evergreen challenge

Good security is a mix of people, process and technology, and the ‘people’ element can cause significant challenges. Some of this undoubtedly stems from the longstanding industry cliché that ‘humans are the weakest link’. In his paper ‘In Defence of the Human Factor’, psychologist Dr Ciaran McMahon unpicks this line of thinking. He argues that it is a negative stereotype which stops professionals from engaging with the problem in a meaningful way. The paper is free to download from Frontiers in Psychology, and the author hopes it will be useful to the security community. 

Speaking of free security resources, SANS Institute has a planning kit to help build, or improve upon, security awareness programs. These initiatives can help to empower an organisation’s people by giving them the information to spot potential scams and security threats. 

Twitter takeover offers lessons for security professionals

Last month, hackers took over dozens of high-profile Twitter accounts to promote a bitcoin scam that netted them $120,000. After the scam was discovered and stopped, Twitter said the attackers had targeted some of its employees in a “coordinated social engineering attack” to take control of the accounts. Initial commentary from security experts said this showed the importance of multi-factor authentication in guarding against such a takeover. However, Twitter subsequently said the attackers were able to get around two-factor controls. The reason is worth dwelling on: the protections on the victims’ own accounts were not the weak point, because the attackers had reached internal tools that could change those accounts’ settings directly. Authorities later arrested three suspects over the attacks; the alleged ringleader is a 17-year-old male. 

Reuters broke the story that more than a thousand Twitter employees and contractors had access to internal tools that could change user account settings and hand control to others. To put this into perspective, Twitter has around 4,600 employees, so more than one in five people had these privileges, and an attacker only needed to deceive one of them. Brian Honan commented that “making things easier, or not taking the time to set up properly, comes at the cost of being less secure”. The story has plenty for security professionals to analyse. ZDNet carried a good timeline of the attack using unsealed FBI documents. Twitter itself published a lengthy blog with detailed explanations of the incident and what the attackers were able to accomplish. And, in a link to our previous story, there was also the obligatory nod to the ‘humans are the weakest link’ trope. 

Links we liked

Here’s how covert code enables a phone’s apps to spy on its owner. MORE

A new report from Interpol shows an “alarming” rise in cyberattacks during COVID-19. MORE
 
Microsoft has retired SHA-1 Windows content, saying it’s no longer secure. MORE

The European Union has imposed the first ever sanctions against cyber-attacks. MORE
 
A cross-industry collaboration aims to improve the security of Open Source software. MORE
 
The third edition of Prof Ross Anderson’s ‘Security Engineering’ guide is now free. MORE
 
Security researcher The Grugq analyses a cybercrime gang’s operations. MORE
 
Brian Krebs has some advice for anyone thinking about a career in cybersecurity. MORE
 
A politician has warned devastating cyber attacks against Ireland are “a matter of time”. MORE
 
How security leaders can deal with stress and burnout. MORE

Have you signed up to our monthly newsletter? Every month we send out the latest cybersecurity and data protection news, trends and advice from around the globe. Sign up here