Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
Microsoft moves to lock down admin accounts against exploits
Microsoft is introducing a new security feature for Windows 11 called Admin Protection, designed to make admin accounts more secure during privileged or sensitive actions. Currently in testing, Admin Protection isolates high-level privileges within a locked ‘super admin’ account embedded in the operating system. When admins choose ‘Run as Administrator’ mode, they’ll now be prompted to authenticate with a password, PIN, or other methods, rather than just clicking ‘Yes’ or ‘No’. This feature revamps the classic User Account Control (UAC) by fully separating elevated privileges from regular use, making it harder for attackers to exploit admin accounts. Spotted by Microsoft MVP Rudy Ooms, Admin Protection enhances security by creating a more controlled, system-managed account for privileged actions. Microsoft reportedly plans to unveil more details about this feature at its Ignite conference in late November.
National Cyber Security Centre launches annual update
Ireland’s National Cyber Security Centre (NCSC) opened 309 investigations during 2023. There were 721 confirmed security incidents following 5,276 reports received. The agency said most of the incidents were not severe, and none qualified in the top two rankings. “This shows the successful preventative work being done by the NCSC to ensure threats are being stopped before they can severely impact the State’s infrastructure,” the report said.
The data comes from the agency’s inaugural annual update, published to mark the midway point in the national cybersecurity strategy. As well as using NCSC data, the report contains inputs from multiple Government departments, the defence forces and An Garda Síochána. RTÉ’s coverage quoted the Minister of State, Ossian Smyth, saying that the update was “a direct response to the public’s calls for more frequent reporting, for greater insight, and transparency into the Government’s efforts in the cybersecurity arena.” Meanwhile, last month the NCSC also published a guide for organisations to check if they’re in scope for the NIS2 Directive.
Data protection and privacy newsround: controller clarity and regulators regulate
LinkedIn has landed a €310 million fine from the Data Protection Commission over EU GDPR violations with its targeted ads. The inquiry follows a complaint that was originally submitted to France’s Data Protection Authority. The DPC has a news release and infographic on its website which outline the main points of the ruling. It plans to publish its full decision and more supporting information in due course. LinkedIn claimed innocence but added “we are working to ensure our ad practices meet this decision by the IDPC’s deadline”. Another social network, Pinterest, is also under scrutiny over targeted ads, following a complaint by the privacy rights group noyb.
The European Data Protection Board has adopted its first report under the EU-US Data Privacy Framework. In it, the EDPB welcomed attempts by both sides to implement the rules, which came into effect in 2023. This includes the US Department of Commerce developing a new website, updating procedures, engaging with companies, and conducting awareness-raising activities. The board also noted there is now a redress mechanism for EU individuals, along with complaint-handling guidance published on both sides of the Atlantic.
Separately, in GDPR guidance, the EDPB has emphasised the importance of controllers maintaining detailed oversight of processors. IAPP’s coverage said this “works through a number of tricky areas affecting controller-processor-subprocessor relationships”.
