Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
Verizon DBIR 2022 findings highlight the human factor in breaches
The 2022 Verizon Data Breach Investigations Report has found – once again – that people were the main driver behind most breaches. In this year’s edition, 82 per cent of incidents were due to a human element, whether that’s being phished, socially engineered, or simple error.
Security figures on social media debated exactly what the human factor percentage means. What accounts for the remaining 18 per cent of incidents, if not people? Some argued that it just proves the industry needs to raise the bar so it’s harder for mistakes or social engineering to lead to serious breaches. BH Consulting CEO and principal consultant Brian Honan said the high percentage of breaches attributable to human issues shows that the industry needs to do more to reduce this number. It should focus on security controls the same way car makers build in safety features, he said.
The Register led with the DBIR’s finding that ransomware accounted for 25 per cent of the observed security incidents between November 1, 2020, and October 31, 2021. Ransomware outbreaks rose 13 per cent year on year – a larger increase than the previous five years put together. Threatpost’s coverage looked closer at the report’s findings on supply chain attacks. The 107-page report is recommended reading for security practitioners and professionals. It’s packed full of findings and analysis from 23,896 security incidents and 5,212 confirmed intrusions. And as always, it’s free to download.
Opportunity ahead for Irish cybersecurity industry – if it can crack the talent challenge
It’s said that ‘challenge’ is another word for ‘opportunity’; that’s one way to describe a new analysis of Ireland’s cybersecurity sector. Cyber Ireland and Cyber Skills’ ‘State of the Cyber Security Sector in Ireland’ report profiles the industry and highlights its growth potential. It found 83 per cent of cybersecurity companies expect to grow by 25 per cent or more over the next year – that’s the opportunity. But – and here comes the challenge – 61 per cent have issues with recruiting staff. RTE’s coverage quoted the report’s finding that talent challenges include a lack of appropriately skilled candidates in the labour market, competition from other cyber security businesses, a lack of non-technical skills and unaffordable salaries.
There are 7,351 cybersecurity professionals employed in Ireland, in 489 firms offering products or services to the market or employing staff in internal cyber security operations. Based on current estimates, the report suggests the ecosystem could employ more than 17,000 people by 2030. Business Plus went for this more upbeat take on the findings.
The report makes recommendations for government, industry and academia to address the skills gap and promote the industry’s sustainable growth. The first of these is developing a talent pipeline. Blogging about the report, Brian Honan called on the industry to be “more inventive and imaginative” in where it looks for talent. “Instead of focusing only on hiring technical skills – which can be learned on the job – we need to attract people from a diverse range of backgrounds who can bring invaluable insights to the roles and strengthen our ability to improve security in the organisations we work for or represent.”
“The biggest data breach ever recorded”. That’s the headline
The real-time bidding system that processes people’s data billions of times a day for ad tracking and targeting represents “the biggest data breach ever recorded”, claims the Irish Council for Civil Liberties (ICCL). Its new report sheds light on the scale of RTB’s activity – an industry that generated €117 billion in 2021. It “tracks and shares what people view online and their real-world location 294 billion times in the U.S. and 197 billion times in Europe every day”, the ICCL said.
“Real-Time Bidding (RTB) operates behind the scenes on websites and apps. It tracks what you are looking at, no matter how private or sensitive, and it records where you go. Every day it broadcasts this data about you to a host of companies continuously, enabling them to profile you,” the report says. TechCrunch’s excellent summary of the report notes that moves by data protection authorities to curb RTB over GDPR concerns have largely stalled. Karlin Lillington’s Irish Times column skewers the industry’s claims that increased privacy scrutiny stifles innovation. In other data protection news, the European Data Protection Board has adopted new guidelines for calculating fines under the GDPR. All data protection authorities throughout the EEA must use the same five-step method for determining financial penalties.
Links we liked
Why cybersecurity can’t just say ‘no’.
Gartner’s ten must-read articles on cybersecurity.
Here’s the sequel to that movie: more on the NIS Directive 2.
Beyond cybersecurity, but still relevant: what is an IT department?
Australia has appointed a dedicated minister for cybersecurity.
One year on, an interesting reflection on the HSE ransomware attack.
At a time of untapped talent, here’s how to support women in cybersecurity.
Is facial recognition technology “a solution to problems that hardly exist”?
Eleven threats and risks in the cloud, from the Cloud Security Alliance.
Compliance does not equal security. Seven experts debate.