Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
Board of the subject: business leaders lack resilience to reduce cyber risks
Many Irish boards lack the ability to understand and respond to cybersecurity risks effectively. The Irish Computer Society has highlighted these gaps from its cross-sector survey of 169 board members. It found 80 per cent haven’t taken part in testing incident response plans in the past year. One in five aren’t discussing cyber resilience or are not being briefed about ongoing developments. One-third of respondents said they haven’t received any form of security training in the last 12 months.
Only half of those polled said they received assurances either from management or independent external partners about testing the strength of their cyber defences. One in six said their organisation does not have a statement of risk appetite. Of those that do have such a statement, only half are satisfied or very satisfied that it reflects the board’s position on cyber resilience. The ICS has published the findings in a report you can read here. The concept of resilience, and its link to security, has been gaining ground for some time. Here’s the blog we wrote about it last year.
Another fine mess? Eventual GDPR penalties fall short of expectations
Remember the Marriott and BA data breach cases that came to public attention within weeks of each other in 2019? It looked like they would usher in an era of heavy fines promised under the EU GDPR. The airline had a £184 million fine in its flightpath while the hotel chain’s £99 million levy was an unwelcome guest. Except that’s not how it turned out.
The UK Information Commissioner’s Office ultimately issued greatly reduced penalties against both. It fined BA £20 million and Marriott £18.4 million. In BA’s case, the reduction was partly due to the regulator considering the “economic impact” of COVID-19. As The Register noted, Marriott’s fine amounts to 5p for each of the 338 million guests whose details were stolen. What was that about data having a value?
Ransomware evolves with extortion and blackmail
As ransomware has evolved, attackers no longer just block people from accessing their data; now they also threaten to leak it. A recent troubling case in Finland sums up this development. An attacker calling themselves ‘ransom_man’ published 300 treatment records originally belonging to Vastaamo, a healthcare provider, on Tor. They then tried to contact victims individually to blackmail them. Shockingly, some of the records concerned psychotherapy sessions for minors. We can’t expect too much virtue from criminals, but even by that low standard, that’s pretty despicable.
Two lessons emerge from this incident: the first is accountability. The breach happened in 2018 but Vastaamo’s CEO kept knowledge of the incident from the board and the public. (Which helps to explain why we’re only hearing about this story now.) Vastaamo fired that CEO. The second lesson highlights the intersection of security and data protection. Under the EU GDPR, a ransomware attack that leads to personal data being encrypted is deemed a data breach. This new trend was another reason why we chose to update our guide to tackling ransomware. It’s free to download from our white papers page. And just to end this depressing story on a positive note, the ransomware group Maze – which helped popularise the tactic of threatening to leak stolen data – has announced that it’s closed. Good riddance.