24 October 2018

News round-up 24 October 2018

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy.

The round-up:

The continued rise of privacy as a strategic business concern is reflected this week in a record fine by a US regulator and analyst firm Gartner identifying privacy as a strategic trend for 2019.

Key articles:

Facebook Finds Hack Was Done by Spammers, Not Foreign State

Summary: Reports of an internal investigation indicate that Facebook believes financially-motivated attackers, rather than nation state actors, were responsible for the theft of data from 29 million user accounts.

Key risk takeaway: While headlines involving nation-state actors often get the most attention, this story is a reminder that many organisations and industries are often more likely to be targeted by the thriving – and continually growing – financially-motivated cybercrime industry. These profit-driven actors typically seek the quickest path to success, which means that focusing on basic security protections – such as user awareness of phishing, or regularly applying security updates – can provide enough resistance for cybercriminals to move on in search of softer targets.

Tags: #cybercrime #securityawareness #securityhygiene

Most government domains adopt program to prevent sending of fake emails

Summary: The majority of US federal domains met a deadline to adopt an email authentication program aimed at preventing fake emails from being sent.

Key risk takeaway: Email-based fraud – known variously as Business Email Compromise and CEO fraud – has become one of the most successful tactics for cybercriminals in recent years, netting over US$12bn in the past 5 years, according to the FBI. The scam involves emailing victims with fraudulent requests for payments. These emails often contain sender addresses that are “spoofed” to look as though they come from a legitimate source, such as a supplier or executive. Organisations should seriously consider the implementation of DMARC, or “Domain-based Message Authentication, Reporting & Conformance”, which is considered a strong protection against email spoofing. This story also points to the positive role that strong policies and top-down directives can play in achieving certain security outcomes.

Tags: #emailsecurity #securitypolicies

Anthem Mega-Breach: Record $16 Million HIPAA Settlement

Summary: US regulators hit health insurer Anthem with a record $16 million HIPAA settlement in the wake of a cyberattack revealed in 2015 that impacted nearly 79 million individuals.

Key risk takeaway: This continues a global trend of regulators levying increasingly severe fines for poor security practices. In recent weeks, organisations including Equifax, Uber, and Tesco Bank have been hit with large fines or legal pay-outs for cyber-related incidents or breaches. The regulator made a point of penalising Anthem not just because it failed to have basic security measures in place, but because it should have known healthcare entities are “attractive targets for hackers” – emphasising that ignorance of cyber and privacy threats is no longer a reasonable excuse for organisations.

Tags: #regulation #compliance #situationalawareness

Gartner picks digital ethics and privacy as a strategic trend for 2019

Summary: Digital ethics and privacy has been named as one of Gartner’s top ten strategic technology trends for 2019.

Key risk takeaway: Though Gartner usually calls out technologies such as blockchain and AI, the identification of privacy reflects the growing concern of consumers, organisations and governments about data protection. Gartner notes that the needle has shifted towards an expectation that organisations will be more proactive in addressing privacy and security concerns.

Tags: #privacy #dataprotection