Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
Do we really have to look back at 2020?
It turns out COVID-19 was far from the only bad news during the past year. From a cybersecurity perspective, the year had more than its share of incidents. Unsurprisingly, the SolarWinds supply chain attack stars in the year’s worst hacks and breaches from both Wired and Ars Technica. (Computer Weekly had a different but still useful take for its own top 10 list.)
Investigators are still assessing the full extent of the SolarWinds breach, but Brian Honan said an early lesson is: “Do not think of your defensive controls as ways to stop attackers but as ways to detect an attacker fast enough and delay the attacker long enough for you to respond to them.” Other prominent security incidents in 2020 included the Twitter compromise, and ransomware attacks on hospitals. The latter would be bad at any time, but feels especially wrong during a pandemic. The Ars piece also called out the “impressive” hacking of iPhones through Wi-Fi. We include them because they are useful examples to study and learn from: some may find their way into board presentations or budget requests. Others should prompt checks to see if similar weaknesses exist in your infrastructure.
Looking ahead: how to get better security outcomes
In a neat segue from our previous story, the newly published Cisco Security Outcomes Study aims to guide security leaders in their investments and help them to manage risk. The 39-page report draws on a survey of more than 4,800 respondents across 25 countries, along with experts worldwide. Among the findings: building a strong security culture that everyone embraces stems from a focus on good equipment, clear direction, accurate alerts, and timely fixes of security issues.
The report also found that a key to achieving a successful security program is to refresh technology proactively rather than waiting for it to break. This also helps IT and security to keep pace with business growth. Having an integrated technology stack also helps with recruiting and retaining security teams. In the words of Duo Security’s Head of Advisory CISOs Wendy Nather, “This is not a marketing report to toss in your swag bag and ignore … this report will change how we think about running infosec programs.” The report is available to download free from the Cisco website.
Data Privacy Day with a difference
Data Privacy Day is the annual international effort to raise awareness about how people’s personal information can be used. This year’s celebration on Thursday January 28 will be different because of COVID-19, for multiple reasons. Any events will be strictly virtual, for one thing. Then there’s an argument that the pandemic has put paid to our digital privacy, as this thought-provoking Recode article suggests. When much of the world shut itself indoors during the Coronavirus restrictions, many people effectively waived their privacy so they could access online services.
Privacy campaigners are always watching for potential mission creep in projects involving personal data. A recent ZDNet story showed how Singapore police can now use contact tracing data to help criminal investigations. The year ahead may also tell us more about how regulators will oversee privacy practices at the social media giants. And speaking of regulators, the Data Protection Commission is seeking consultations on how to enhance protection for processing children’s data.