Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
Palms are sweaty, knees weak, arms are heavy … there’s hackers in your IT already
Ever wanted to put yourself in the CEO’s hot seat during a ransomware outbreak that threatens to engulf your business? Feel the dread rising in the pit of your stomach as extortionists threaten to leak your data? The Financial Times has created an online simulation where you get to experience those emotions, roleplaying as CEO of a fictional medicine company. It’s all eyes on you to negotiate your way out of a financial timebomb and protect your company from disruption. The game presents a series of multiple-choice questions where your answer leads to different outcomes. All the while, a ticking clock reminds you of the impending deadline. It’s free to play.

Attackers often exploit target systems long before victims become aware. It takes eight days on average for a vulnerability to be exploited, and it can be as little as a few hours at times too. That was a finding from a presentation by the NCSC at the recent Cyber Ireland conference.
Staying with the Financial Times, it’s safe to say cybersecurity is mainstream when you’re reading about it in its pages (as much as we love the many excellent security industry news sites). The FT recently led with news that the world’s largest sovereign wealth fund now ranks cybersecurity as its biggest concern. Despite tumultuous market conditions, an increase in serious and sophisticated hacking attempts has caused the change in outlook. Norway’s Norges Bank Investment Management, which manages a fund worth $1.2 trillion, said it experiences close to 100,000 cyber attacks a year. It classifies one in every hundred of those incidents as serious. The level of attacks has doubled in the past two to three years, the fund told the FT.
G7 privacy regulators met last month to discuss a new transatlantic data sharing agreement. Though highly anticipated, there’s no date yet for final approval.

The Data Protection Commission has published three short guides about children’s data protection rights. They’re primarily aimed at children aged 13 and over, as that’s the age at which they can start signing up for social media accounts. Staying with school-age children, an Australian school’s bid to install biometric fingerprint scanners at bathroom entrances came under fire from a privacy expert for being “unreasonable and disproportionate”. The Guardian has the full story.

Back to Ireland, and new data retention laws are on the way. The Communications (Retention of Data) (Amendment) Act 2022 updates existing Irish law, on foot of recent EU case law.
Will the European Commission’s proposed Cyber Resilience Act do for security what the EU GDPR did for privacy? The legislation, which is going before the European Parliament and Council, aims to improve the security of network-connected devices. It will oblige manufacturers to report vulnerabilities to ENISA within 24 hours of detection and handle them “effectively” for five years or the product’s lifetime. As the Act’s website explains, hardware and software “are increasingly subject to successful cyberattacks”. ZDNet’s coverage leads with the possibility of heavy fines for companies found to have breached the rules. The EU’s announcement contains a useful overview of the Act and related links to find out more.
As Brian Honan noted recently, many organisations that suffer a breach will often claim to take the security of their customers’ data seriously. “However, many won’t take security seriously until they are required to do so by regulations. We witnessed that with the introduction of the EU General Data Protection Regulation (GDPR) and to some extent with PCI DSS,” he said. The EU’s raft of regulations around cybersecurity, such as the Cyber Resilience Act, “hopefully will make organisations take ownership of their responsibilities with regard to cybersecurity and not leave it a pure technical issue for the IT team to worry about.”
Links we liked
A useful cheat sheet for anyone developing an incident response plan.
An in-depth look at the work of Ireland’s National Cyber Security Centre.
Newly relaunched, Shadowserver Alliance has expanded its free security services.
Vague descriptions of security incidents hinder the fight against ransomware.
Shane Curran of Evervault, an encryption company, explains ‘day zero’ security.
A major survey of security incident responders uncovers stresses of the job.
An excerpt from Mikko Hypponen’s new book, “If It’s Smart, It’s Vulnerable”.
The self-taught “misfits” fighting cybercrime and ransomware.
Making the case for more dedicated security awareness roles.
CISOs, CSOs and their fate: a Twitter thread.