Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.

New guidance helps small businesses tackle common security risks

ENISA has published new guidance for SMEs, identifying common security threats and giving recommendations on protecting their business. The agency acted to help companies that adopted new technologies during Covid-19 but failed to update their security accordingly. A combination of research, an extensive survey and targeted interviews highlighted the specific challenges facing small and medium businesses. Over half of those surveyed (57 per cent) said they would most likely go out of business as a result of a cybersecurity incident, while 85 per cent said it would have a “serious detrimental impact” on their business.

Phishing was the number one risk, followed by web-based attacks, general malware, malicious insiders and denial of service incidents. ENISA’s guidance comes in two versions. The first is a high-level overview with 12 practical steps. The second is a detailed 63-page report that identifies pre-existing cybersecurity challenges worsened by the impact of the pandemic. Its recommendations break down into three key areas: people, processes and technology, with a further section dedicated to challenges resulting from Covid-19, such as increased cloud use and remote access. BH Consulting founder Brian Honan contributed to the report. Separately, but also concerning security for SMEs, Microsoft has released a free mitigation tool for on-premises versions of Exchange. It’s especially intended to help smaller companies without dedicated security or IT teams.

Just doing my jab: businesses ask DPC for clarity on staff vaccination status

By now, we’re all familiar with how Covid-19 changed the way many people work, and the security challenges that followed. Now the data protection implications are starting to emerge ahead of an expected return to workplaces. Nine out of 10 Irish businesses want guidance from the Data Protection Commission about collecting employee vaccination data. The finding came from a survey of 300 organisations by the Association of Compliance Officers in Ireland.

That survey follows an earlier poll from the HR group CIPD Ireland which found that 60 per cent of employers believe they should have the right to ask their employees whether they’re vaccinated or not. Our data protection consultant Tom Knierim pondered this very problem, and blogged about it in May. “Due to its sensitivity, special category data has a higher level of protection under the EU General Data Protection Regulation (GDPR). An employer’s use of this data must be fair, necessary and relevant,” he wrote. 

EU says UK data protection regime is essentially equivalent to GDPR

The European Commission has adopted an adequacy decision for EU-UK private sector data flows under GDPR. In a statement, the Commission said personal data can now flow freely from the EU to the UK, “where it benefits from an essentially equivalent level of protection to that guaranteed under EU law”. Such a decision had been in doubt since Brexit, because the UK became a “third country” for GDPR purposes once it left the European Union. (A related adequacy decision covers transfers under the EU Law Enforcement Directive.)

The headline for TechCrunch’s report on the news included the crucial words “for now”. Its story noted how the EU said it “will intervene” if the UK tries to weaken the protection that GDPR affords to people’s data. As RTE News noted, the decision is limited to four years and will be reviewed under what’s known as a “sunset clause”. Separately, the European Data Protection Board has published the final version of its recommendations on supplementary measures for international data transfer safeguards. Between Brexit-related developments and the ongoing uncertainty over EU-US data transfers, our data protection consultant Tom Knierim recently blogged his advice for EU-based businesses to manage their international data transfers correctly. 

Links we liked

A doctor reveals the human cost of the HSE ransomware attack.

Kevin Beaumont’s excellent analysis on why we’re not ready for the ransomware crisis.

Why hero culture in security and incident response values the wrong things.

You know security has gone mainstream when it’s the cover story on The Economist.

Working on the chain gang: how a programmer gets a job with a cybercrime outfit.

ICS-focused, but still plenty of good incident response insights from this SANS blog.

Five tips for crisis communications in the midst of a security incident.

The hard truth about security awareness programmes.

Security-themed mind maps, from pen tests and red teaming to app security.

This public spreadsheet details how different countries respond to cyber attacks.

Have you signed up to our monthly newsletter? Every month we send out the latest cybersecurity and data protection news, trends and advice from around the globe.