Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
Data privacy takes stage as an ESG goal
The need to embed privacy into the environmental, social and governance (ESG) agenda was highlighted at RSA 2022 by a panel of chief privacy officers from Apple, Google and LinkedIn. Their panel discussion concluded that consumers are increasingly engaging with companies based on how they approach the protection of personal information beyond the minimum compliance requirements. It’s no longer a legal issue but a business issue, said Infosecurity’s report of the event.
We are privileged to have one of the world’s leading experts in ‘Privacy as an ESG’ on our team. BH Consulting’s Chief Operations Officer, Dr. Valerie Lyons, has developed and published a taxonomy and framework for Privacy as an ESG, as part of her PhD research. She has also researched the influence that different ESG-based privacy activities have on consumer attitudes, such as consumer trust. These activities are important as studies have found that increased consumer trust leads to higher sales, greater profitability and increased consumer loyalty. Research from Columbia Business School revealed that 75 per cent of consumers are willing to share data if they trust the brand.
Expect to see more of ‘Privacy as an ESG’ in the future, as more and more poor privacy practices come under increasing scrutiny. Adrian Weckler’s Irish Independent column noted how easy it is to discover how little of our data is really protected. The Register recently shone a light on the correlation between online advertising prices and smart speakers that listen to conversations. It previously covered research into Google’s opaque data gathering practices.
Dr. Lyons is available to provide advisory services for companies considering embedding privacy into their ESG programs.
Two new security-focused guides help cloud adoption plans
For anyone grappling with adopting cloud computing, two new resources are available to help manage the security risks. The Cloud Security Alliance’s latest report identifies 11 security threats and vulnerabilities, based on a survey of 703 industry experts. The 47-page guide details the business impact of each risk, giving examples and suggesting key actions and guidance. The top risk was insufficient identity, credentials, access, and key management. In second place were insecure interfaces and APIs, followed by misconfiguration and inadequate change control. One trend the CSA noted was the shift in responsibility from the cloud service provider to the cloud adopter. The report is free to download.
Another recent guide for cloud adopters is the US Cybersecurity and Infrastructure Security Agency (CISA) cloud security technical reference architecture. Though aimed at federal agencies, it’s a useful resource that any organisation engaging with the cloud can use to review and check for security. At 70 pages, it’s a comprehensive document with an overview of cloud service models and guidance on designing software for the cloud and developing a migration strategy, along with scenarios and more.
Power move: don’t ditch Windows tool, configure it securely instead
Instead of removing the PowerShell command-line tool, users just need to secure it better. That’s the key message in joint guidance (PDF) from the UK, the US, and New Zealand’s cybersecurity authorities. Although criminals often exploit PowerShell vulnerabilities to gain access to systems, the agencies recommend against disabling or removing it. That’s because it can be useful in defensive situations and forensic investigations.
The eight-page guidance offers specific advice for using PowerShell to detect and reduce abuse. There are also useful summaries and writeups about it at ZDNet, Bleeping Computer, and The Register. BH Consulting’s Brian Honan described the document as “an excellent resource and one I encourage all cybersecurity professionals to read and implement”.
Links we liked
Rounding up at RSA: talent question remains critical for the cybersecurity industry.
At a time of skills shortages, here’s a thought-provoking post about remote work.
The Central Bank of Ireland has tips on how to avoid falling victim to a scam.
Lost in music: how a saxophone player hid secrets in their songbook.
Making the case for applying empathy in security investigations.
Here are three ways internet users unknowingly help cybercriminals.
A good plain English explainer about cookies from Rowenna Fielding.
The World Economic Forum aims to map, and disrupt, cybercrime networks.
Don’t be the guy who loses an entire city’s personal data after going on the lash.
The password’s end draws ever closer as Microsoft, Apple and Google join forces.