Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.

BH Consulting Celebrates 20 Years in Business

We are thrilled to announce and celebrate a significant milestone in our journey – 20 years of dedicated service in the field of cyber security and data protection.

Since our inception in 2004, we have been committed to delivering cutting-edge services, staying ahead of the ever-evolving landscape of cyber security and data protection whilst always safeguarding the digital assets of our clients.

Over the past two decades, we have witnessed unprecedented changes in technology. Our journey has been marked by innovation, resilience, and a relentless pursuit of excellence.

To our clients, thank you for entrusting us with the responsibility of helping you to protect your most valuable assets. Your faith in our expertise has been the driving force behind our longevity.

As we look towards the future, we remain committed to staying at the forefront of cyber security and data protection, anticipating challenges, and providing services that exceed expectations.

Please join us in celebrating this milestone as we raise a toast to 20 years of shared success with our customers. Here’s to the next chapter and the exciting challenges and opportunities it will bring.

2024: the year of the ra…nsomware?

The year may have changed but ransomware shows no signs of slowing. The Economist closed 2023 by quoting experts who believe it could be the worst year on record for these attacks. It warned that the problem “could cripple countries, not just companies”. Symantec discovered a new ransomware strain in the wild, called TISAK. Meanwhile Wired named two ransomware gangs, Alphv and Cl0p, in its ‘most dangerous people 2023’ list. (The Alphv gang went so far as to report one of its victims to the US Securities and Exchange Commission for failing to disclose its security breach.) Although the US Department of Justice seized Alphv’s leak site and released a decryption tool at the end of the year, the group claimed it had set up a new website.

Emsisoft, which provides ransomware decryption tools, published an extensive report into the state of ransomware. It opened with some arresting stats, including an estimate by the University of Minnesota that ransomware attacks led to the deaths of between 42 and 67 Medicare patients. Although the report focuses on the U.S., its central thesis calls for a ban on ransomware payments. Some security experts disagree with this approach, as Infosecurity Magazine reported and The Register also covered.

Fortunately, we know enough about the problem to take some preventative action. A recent joint advisory from US and Australian cybersecurity authorities outlines the tactics and techniques of the Play ransomware group. The notice shares signs of how this ransomware compromises its victims. Covering the story, Bleeping Computer noted how the gang steals sensitive documents from its victims before deploying ransomware. This way, the Play group can threaten to leak this information, heaping pressure on its targets to pay up.

BH Consulting is in the process of updating our guide to protecting against ransomware infections. We’ll share a link to it on our social channels and in this newsletter when it’s ready.

A patch in time

In need of a New Year’s Resolution? Updating patch management might be a useful place to start. Qualys’ Threat Research Unit has a comprehensive review of the past year, covering the vulnerability threat landscape, top vulnerability types, top MITRE ATT&CK tactics and techniques, and other topics. It found close to 100 high-risk, likely-to-be-exploited vulnerabilities that were not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalogue, and that 25 percent of high-risk CVEs were exploited on the same day the vulnerability was disclosed.

Qualys’ data indicates an adversary can develop code to exploit a newly discovered high-risk vulnerability in as little as 24 hours. That’s substantially down on previous estimates of 36-48 hours. That timescale forces organisations to run highly efficient patch management processes to defend themselves. Writing for SANS, Brian Honan said it means vulnerability management programmes shouldn’t rely on patching alone. “You should look at other mitigations you can put in place to prevent known vulnerabilities being exploited while you wait for a patch to be released, or to get it scheduled into your patch management programme.”

Data protection and privacy developments 

More than 50 per cent of Irish compliance officers say their organisation has breached data protection rules. Even more of them said they knew of breaches at organisations where they previously worked. The findings come from Compliance Ireland’s survey of 230 professionals, mainly working in Ireland’s financial sector. Asked for reasons why they don’t report, half of the respondents said they believed their businesses didn’t intentionally neglect to inform authorities. Some were concerned about reputational damage, but fines and regulatory scrutiny didn’t seem to figure highly as a concern for others.

Staying in Ireland, Karlin Lillington’s Irish Times column argues that fines don’t seem to have swayed Big Tech companies to tackle the spread of misinformation, so now authorities should go after their algorithms.

From this month, Google will start phasing out third-party cookies in its Chrome browser. This technical step will help to protect individuals’ privacy rights, as it will limit the ability to track people across different websites as they browse. The Register warned to expect some web services to break, since third-party cookies can also help people to log in or show them ads they want to see. For this reason, Google plans to roll out the change to a randomly selected group of 1% of Chrome users first, to give developers time to start working on websites that don’t rely on third-party cookies. It hopes to move all its users over by the second half of this year. Chrome is the most widely used browser by market share, and reports such as PC Magazine’s highlighted that rival browsers have been blocking third-party cookies for years.

Book launch: The Privacy Leader Compass

On Wednesday January 17th, join us for the launch of “The Privacy Leader Compass”, a groundbreaking book by BH Consulting COO Dr. Valerie Lyons, and Todd Fitzgerald, CISO, cybersecurity and privacy leadership author.

Already a bestseller on the Taylor & Francis infosec and privacy list, the book offers a comprehensive business-oriented roadmap for building and leading practical privacy programmes. The Dublin launch consists of a fireside chat with the authors and the opportunity to network with fellow attendees.

The launch takes place at Dogpatch Labs in Dublin, from 6.30 to 8.30pm, and there are a limited number of tickets still available. Book your place at the link below.

Register now


Links we liked

“Think 2023 on steroids.” The WSJ previews the year ahead in cybersecurity.

Is putting your information in the cloud risky? Here’s what the data tells us.

Five lessons about security operations from Dungeons & Dragons.

SecButler from GroundSec is a free set of tools for penetration tests.

Let incident response lead to more sustainable security communications.

The UK Government has teamed up with tech giants to fight online fraud.

This podcast wonders if AI will affect the many elections happening in 2024.

Giving new meaning to ‘open ports’: how a hacker helped drug traffickers.

How an email greeting policy can thwart phishing scams.

Europol’s IOCTA special report looks into online fraud.
