Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.

Cloudy outlook for security?

Cloud technology use is growing, but are organisations taking precautions to secure these services? Datadog’s latest annual report uncovered common weak security practices from analysing thousands of organisations using platforms like AWS, Microsoft Azure and Google Cloud. They include credentials that stay in use for a long time, inconsistent use of multi-factor authentication, and cloud workloads with non-administrator permissions. It also found instances where virtual machines are exposed to the internet. These practices can lead to account compromise, or enable unauthorised users to access sensitive data and escalate privileges.

The report recommends steps to prevent breaches, such as making MFA mandatory, turning on features that make storage buckets private, and discovering any publicly exposed workloads. Cloud security was also a theme in Microsoft’s ‘Cybersecurity Trends in Ireland 2023’ report. It noted that attackers are adept at finding gaps in security defences, especially in multi-cloud environments. The report uses a survey of 200 C-suite leaders in Ireland, where over 70 per cent of leaders said they’re either not aware of, or prepared for, compliance with the upcoming NIS2 Directive or DORA legislation. On the bright side, 74 per cent haven’t reduced their spend on cybersecurity in the last three years.

Security skills in strong demand

There are more people working in cybersecurity roles than ever – but is it enough? ISC2 figures estimate the global workforce in the field is 5.5 million people, an all-time high. It’s up 440,000 (8.7 per cent) from 2022 and a huge leap since 2019, when there were an estimated 2.8 million security professionals. The security training and certification group found that two-thirds of organisations (67 per cent) say they’re short of staff who can prevent and troubleshoot security issues. What’s more, 92 per cent of cybersecurity professionals report skills gaps at their organisations. The top three missing skills are cloud security (35 per cent), AI/machine learning (32 per cent), and zero trust implementation (29 per cent).

The organisation isn’t on such solid ground when it claims there’s a shortfall of four million security jobs. Ben Rothke has a well-argued rebuttal of this questionable statistic that’s worth reading. No-one’s arguing the world doesn’t need more security professionals, but why hype the problem, Rothke says. And when it comes to hiring security roles, it’s always worth asking the question: are you looking for a qualification above all, or is your search broad enough to find smart, motivated people who can gain the skills over time?

Data protection and privacy developments 

Here’s an interesting privacy case study from the United States, where a California community college has been keeping a *very* close eye on its students. An excellent writeup in The Markup shows how the college was monitoring activity to find out what web pages students were visiting, how long they were spending on classroom reading, and even where they were parking their cars. Sounds like excessive surveillance?

There was an interesting data protection angle to the Microsoft survey covered in the story above. RTÉ noted that although 33 per cent of companies had experienced a data breach, only 14 per cent had to report the incident to the Data Protection Commission. 

Meta is rolling out end-to-end encryption across its Facebook and Messenger platforms, used by more than a billion people. The move had been in the works for a while. Privacy group the Electronic Frontier Foundation welcomed Meta’s decision, which would protect users from dragnet surveillance of the contents of their Facebook messages, “and not a moment too soon”.

Links we liked

A fun new Yuletide game? It’s the SANS Holiday Hack Challenge.

Wired’s 22,000-word magnum opus traces the origins of the Mirai botnet.

DDoS hasn’t gone away: ENISA outlines the landscape for this threat.

Ten reasons why your grandparents’ approach to cybersecurity is wrong.

What’s worth more to scammers: stolen credit cards or browser creds?

A short video on how to make the most of your cybersecurity budget.

Enough with the omerta: it’s time to start talking about cyber attacks.

Six questions that boards should ask their security leaders.

What will the NIS2 Directive mean for global cybersecurity?

People’s password habits are getting better … slowly.

About the Author: admin
