No doubting the summer’s big data protection news: the European Court of Justice (ECJ) has invalidated Privacy Shield, the EU-US data sharing mechanism. Following the legal case dubbed ‘Schrems II’ after the Austrian privacy campaigner Max Schrems, the ECJ struck out the agreement. In its ruling, the court said it didn’t sufficiently protect European citizens’ data as it allowed US intelligence services access to it. But with an estimated 5,300 companies potentially affected, many of them SMEs, what will a new data sharing regime look like? The European Data Protection Board followed up with a six-page FAQ. Although there are alternative transfer mechanisms to Privacy Shield, such as standard contractual clauses and binding corporate rules, the EDPB said organisations must account for the CJEU’s assessment of US law.
The ECJ’s decision looks likely to have far-reaching consequences. Brian Honan wrote that it would have implications for many cloud-based companies and for US companies operating in the EU who need to transfer personal data back to the US. The BBC and Washington Post noted how Privacy Shield had underpinned transatlantic digital trade. TechCrunch’s report noted that the decision refers to bulk transfers and doesn’t concern ‘necessary’ data transfers such as sending an email to book a hotel room, for example. BH Consulting COO Valerie Lyons wrote an analysis of the ruling along with key questions.
The people problem: security’s evergreen challenge
Good security is a mix of people, process and technology, and the ‘people’ element can cause significant challenges. Some of this undoubtedly stems from the longstanding industry cliché that ‘humans are the weakest link’. For his publication ‘In Defence of the Human Factor’, psychologist Dr Ciaran McMahon unpicks this line of thinking. He argues that it’s a negative stereotype that stops professionals from engaging with the problem in a meaningful way. The publication is free to download from Frontiers in Psychology and the author hopes it will be useful to the security community.
Speaking of free security resources, SANS Institute has a planning kit to help build, or improve upon, security awareness programs. These initiatives can help to empower an organisation’s people by giving them the information to spot potential scams and security threats.
Twitter takeover offers lessons for security professionals
Last month, hackers took over dozens of high-profile Twitter accounts to promote a bitcoin scam that netted them $120,000. After the scam was discovered and stopped, Twitter said the attackers had targeted some of its employees in a “coordinated social engineering attack” to take control of the accounts. Initial commentary from security experts said this showed the importance of having multi-factor authentication to guard against such a takeover. However, Twitter subsequently said the attackers were able to get around two-factor controls. Authorities later arrested three suspects for the attacks, with the alleged ringleader a 17-year-old male.
Reuters broke the story that more than a thousand Twitter employees and contractors had access to internal tools that could change user account settings and hand control to others. To put this into perspective, Twitter has 4,600 employees, so almost 1 in 4 people had these privileges. Brian Honan commented that “making things easier, or not taking the time to set up properly, comes at the cost of being less secure”. The story has plenty for security professionals to analyse. ZDNet carried a good timeline of the attack using unsealed FBI documents. Twitter itself published a lengthy blog with detailed explanations of the incident and what the attackers were able to accomplish. And, in a link to our previous story, there was also the obligatory nod to the ‘humans are the weakest link’ trope.