Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
Numbers up for ransomware (again) as UK considers bold move
Some interesting numbers around ransomware’s ongoing scourge from various sources. Google Cloud’s Mandiant division had some insights into trends, with two-thirds of ransomware in 2023 coming from new variants, and the remainder being variants of previously identified ransomware families. More than three out of four incidents happened outside work hours; no great surprise there. In one third of cases, attackers deployed ransomware within 48 hours of gaining access to the victim’s systems.
Separately, Arctic Wolf Networks found that 94 per cent of victims experienced “significant downtime” and delays in productivity. In 40 per cent of cases, the incident led to a complete work stoppage. As we were publishing this edition, news emerged that city governments in New York and Michigan were facing a shutdown due to ransomware attacks. Last month, UK NHS healthcare services in London were badly disrupted by ransomware. Such is the extent of its continuing threat that an exclusive in The Record revealed the UK government’s proposals for mandatory reporting of all ransomware attacks. It also plans to put forward a total ban on ransom payments for any organisation involved in critical national infrastructure. And to zoom out for a moment, the always-excellent Mikko Hypponen has a video presentation rounding up the first decade of corporate ransomware.
Risks rise in embedded and connected devices
Vulnerabilities in connected devices increased by 136 per cent year on year, analysis by Forescout Research found. Its findings use anonymised data from 19 million connected enterprise units running 2,500 special-purpose operating systems, across multiple industries worldwide. Smart or connected devices are a growing part of the IT landscape. For context, Statista estimates there were 15.9 billion embedded devices worldwide in 2023, up from 13.8 billion in 2022 and forecast to reach 18 billion by the end of this year.
Forescout groups risky devices into four main categories. IT includes routers, wireless access points, servers, computers and printers. The Internet of Things includes network attached storage, IP cameras, VoIP, and network video recorders. Operational technology covers uninterruptible power supplies (UPS), distributed control systems and programmable logic controllers. Lastly, medical devices comprise systems like electrocardiographs, DICOM workstations for viewing images and scans, and medication dispensing systems. Network devices overtook endpoints as the riskiest category in 2024; wireless access points accounted for 34 per cent of all risks, followed by routers with 20 per cent. The findings also break down open ports by industry. There’s a summary page, together with a more detailed report and a webinar explaining the key details. On X, Professor Alan Woodward commented: “IoT and embedded devices [are] so often overlooked in security but they make a great toehold for penetrating networks.” In an interview, Forescout CTO Justin Foster said that most organisations today use connected devices, but the hidden challenge is visibility.
Data protection and privacy developments
The Data Protection Commission’s annual report 2023 arrived late last month, revealing a 20 per cent rise in GDPR data breaches over 2022. There were 6,991 valid incidents in total: 3,766 from the private sector, 2,968 from the public sector, and 257 from voluntary and charity groups. BH Consulting’s senior data protection consultant Tracy Elliott shared her observations in a blog, and the 148-page report is free to download. In other DPC news, the Irish Independent reports that Facebook’s parent company Meta is temporarily pausing data collection for AI, after the DPC requested it to do so.
Meanwhile, Wojciech Wiewiorowski, the European Data Protection Supervisor, has called for data protection and privacy to remain distinct, and not to be conflated with AI. To work effectively, AI tools often need vast amounts of data, which can include personal information. This makes data protection and privacy critical considerations in developing and deploying AI.
Speaking at the Computers, Privacy, and Data Protection Conference 2024, he said: “Data protection and privacy will not merge, nor will they disperse into artificial intelligence. I am here today to defend data protection and privacy against the risk of confusing them with the AI hype, as this could mean the end of this fundamental right.” And speaking of AI and privacy, Wired has a useful article with advice on how to block companies from using your personal data to train their AI models. In a similar vein, The Verge has published tips on deleting the data that Google holds about you.