Cybersecurity trends and advice from around the web.

Email compromise is their business, and business is good

Business email compromise was responsible for almost half of all cybercrime-related financial losses the FBI recorded in 2019. Also called CEO fraud or fake invoice scams, BEC was responsible for $1.7 billion (€1.52 billion) out of a total cost of reported incidents of $3.5 billion (€3.1 billion). By contrast, corporate data breaches cost $53.3 million and ransomware only clocked up adjusted losses of over $8.9 million (€7.9 million).

The FBI 2019 Internet Crime report (PDF) calculates the totals from 467,361 incidents that victims reported to it. Actual losses may well be higher. As Professor Alan Woodward commented: “That’s just what was reported. In the UK it’s costing us something close to £200k per day, that we know of. If you’re a victim please report it.” Europol’s EC3 has a helpful page which shows how to report cybercrime in each EU country. Meanwhile Emsisoft published a country-by-country guide to the cost of ransomware.

DPC report 2019. A lot done, more to do…

Data security breaches reported to the Data Protection Commission rose 71% in the first calendar year since GDPR came into effect. The agency’s 2019 report (PDF) shows there were 6,069 valid breaches, up from 3,542 logged in 2018. There were 712 new Data Protection Officers announced during 2019, bringing the total number to 1,596 at year end.

We still await fines against the multinationals under investigation in Ireland. The Daily Swig noted that France imposed fines of €51.1 million and Germany €24.6 million since GDPR was introduced. “By contrast, Ireland has so far collected nothing from GDPR transgressors.”

The Irish Independent quoted Commissioner Helen Dixon saying that financial penalties were “an inevitability”. It also reported that the DPC has engaged specialist legal expertise to guide on the scale of fines. Separately, FireEye’s M-Trends report found the global mean time to detect incidents has fallen from 78 days to 56 days.

Scanning stacks for security shortfalls

Edgescan’s 2020 Vulnerability Statistics Report found that high or critical risk vulnerabilities in external-facing web applications significantly increased in 2019. That’s up to 34.78 per cent from 19.2 per cent in 2018. It found that high or critical risk vulnerabilities discovered in externally facing network layer systems more than doubled in 2019, going up to 4.79 per cent from just 2 per cent the previous year. Last year, it took organisations an average of 50.55 days to remediate critical risk vulnerabilities for public internet-facing web applications and 49.26 days for internet-facing network layer critical risk vulnerabilities.

Now in its fifth year, the report gives a picture of security globally. Edgescan also discovered a 20-year-old vulnerability still ‘in the wild’ in over 3,500 systems across Europe and North America. The CVE-1999-0517 vulnerability has the potential to cause a serious data breach. “Effective patching on a consistent basis still appears to be a challenge, but also detection on a constant basis needs improvement,” said Edgescan founder Eoin Keary.

Links we liked

Commonly used open source components and their security issues – a report. MORE

Cybersecurity is a board-level issue: three CISOs explain why. MORE

Europe’s most and least secure countries, as logged by Statista. MORE

Cybersecurity in Europe: who’s who in the EU. MORE

One for privacy advocates: Ring and Nest ask surveillance to come in and stay a while. MORE

Google users in the UK look set to lose EU data protection, sources claim. MORE

8.4 million: the number of DDoS attacks in 2019 alone, NetScout found. MORE

Emotet ransomware, now available on Wi-Fi. MORE

ISACA survey into cybersecurity hiring and retention practices, as shown at RSA. MORE

Test your CISSP knowledge with flash cards. MORE