Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
Creeping cyber risk grabbing global headlines
Ransomware keeps reminding us of the strong connection between a cybersecurity incident and financial loss. CNN reports that ransomware victims in the US healthcare sector say they’re “haemorrhaging money”, as disruption affects their daily operations. Some are struggling to the point where they are considering loans just to keep operating. The UK outsourcing provider Capita said £25.3 million out of £106 million in financial losses in its 2023 fiscal year were due to a ransomware attack. The news triggered a 20 per cent fall in Capita’s share price. Ouch.
Writing an op-ed column in The Times, Prof Ciaran Martin, former head of the UK’s National Cyber Security Centre, argued it’s time to ban ransomware payments. “Ransomware is by far the most damaging cyber-threat to most businesses right now,” he wrote. It’s reached a point where it’s too profitable for criminals, “and paying only encourages more ransomware”. Even as the authorities get better at disrupting ransomware operators like LockBit, many other gangs remain active.
The report identified a “widening” inequality between organisations that can withstand security incidents and those that are struggling. Scale is a factor: larger organisations seem better equipped than SMEs to react to risks. And to complicate things, emerging technology is challenging organisations’ ability to stay resilient. The overall numbers aren’t good: there was a 30 per cent fall in the number of organisations with minimum viable cyber resilience, compared to last year. A recurring theme throughout this year’s edition is collaboration. The survey included with the report calls for urgent action to address the gap in readiness.
Meanwhile, it was a similar story from a separate source, with AON’s Global Risk Management Survey also tracking global volatility and risk. Its findings included data from Irish businesses, which ranked cyber attacks and data breaches as the top risk they face.
Fortunately, there’s a growing body of knowledge about how to deal with the threat. Symantec has identified many of the tools gangs use to remove data from compromised networks. The British Library published a full report about the crippling attack it suffered last year, which incident responders can learn from. Returning to the healthcare space, the Irish Pharmacy Union has a guide to avoiding ransomware, produced by BH Consulting’s information security consultant Brendan Mooney.
ENISA shares best practice on cyber crisis preparedness
ENISA has published a study on best practices for crisis management during a cybersecurity incident. The agency says the publicly available study can help with implementing the NIS2 Directive’s provisions, the EU-wide legislation on cybersecurity. It proposes a series of best practices, grouped into four phases: prevention, preparedness, response, and recovery, along with a series of recommendations.
ENISA acknowledges that it’s publishing the guide against the backdrop of a geopolitical situation that is impacting the cyber threat landscape. Its goal is to build expertise and establish knowledge-sharing among Member States in order to increase cybersecurity prevention and detection capacities, strengthen cybersecurity situational awareness, support capabilities to respond to cyber threats and incidents, build up cyber preparedness and help with cyber exercises and the assessment of capabilities.
Data protection and privacy developments
The European Data Protection Board has launched a free tool to audit websites for The European Court of Justice has ruled that IAB Europe’s transparency and consent framework (TCF) breaches the GDPR. Some of the world’s biggest online advertisers had used the TCF to gather user preferences. Privacy campaigner Johnny Ryan wrote: “People across Europe have been plagued by fake ‘consent’ popups every day on almost every website and app since the GDPR was introduced almost six years ago. IAB Europe has sought to evade its responsibility for this charade. But the European Court of Justice has set it straight.”
Meanwhile, plans for an EU-wide digital wallet gained momentum with regulation adopted in late February, to introduce a system to allow citizens to identify and authenticate themselves online. The EU said the voluntary wallet would remove the need to resort to commercial providers, “a practice that raises trust, security and privacy concerns”.
As AI regulation looms, this Stanford paper by Jennifer King and Caroline Meinhardt presents arguments and predictions about how existing and future privacy and data protection regulation will impact the development and deployment of AI systems.
Lastly, two new data protection commissioners will take up their posts following Helen Dixon stepping down in February after almost a decade as head of the Irish regulator.