25 September 2019

News round-up 26 September 2019

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

The round-up: 

As practitioners and followers of the developments in this field, we’re particularly conscious of the changing sentiments taking shape around privacy and security. The introduction of regulations like GDPR have been size-able shifts, while we also see smaller, more incremental, but nevertheless significant changes happening all the time. In this roundup, we observe more of the latter, including standards bodies and major platforms picking up the torch for privacy, and a growing mood for collaboration.

Key articles: 

Web feature developers told to dial up attention on privacy and security

Summary: A global standards body is warning web developers to pay more attention to privacy and security.

Key risk takeaway: Rather than securing digital services after they’ve been built and installed by adding “compensating” security or privacy controls, there’s a growing orthodoxy around the importance of pushing privacy and security considerations into earlier stages of the product development process. This edict by the W3C standards body (that “features should be secure and private by default and issues mitigated in their design”) strongly reflects growing expectations on businesses to more proactively defend customers’ privacy and data rights. In another example of this focus, Facebook has suspended tens of thousands of apps on its platform that it suspects of collecting large amounts of user data. In forward-thinking organisations, we’re now seeing imperatives such as secure coding, “privacy by design” and “privacy engineering” gaining greater momentum.

Tags: #applicationsecurity #privacybydesign

Australian government’s data sharing principles far from agreed upon

Summary: The Federal Government’s recently released Data Sharing and Release discussion paper is garnering criticism from cyber security and privacy experts for glossing over issues of consent.

Key risk takeaway: Consent, transparency and control have long been regarded as the foundations of effective privacy practice, and these principles ought to continue to underpin newer, data-driven initiatives across government and the private sector. The Government’s discussion paper has attracted criticism for proposing to remove the requirement for Australian Government agencies to obtain consent before sharing personal information across the Government. Critics argue that the Government’s approach risks undermining trust in the entire data ecosystem, including the private sector. Businesses can voice their thoughts on the discussion paper via the submission process, which is open until 15 October 2019

Tags: #privacy #consent

281 Alleged Email Scammers Arrested in Massive Global Sweep

Summary: The US Government has arrested 281 suspects involved in email scams and wire transfer fraud, in what is reportedly the biggest take-down against so-called “business email compromise” (BEC) scam.

Key risk takeaway: These arrests are a positive development, but the scale of this form of fraud – which has generated $26bn in losses in just three years – indicates BEC will continue to be a pervasive threat for businesses. Staff awareness of the psychological triggers that attackers prey on (such as fear and anxiety) is critical to defending against this form of fraud – which is characteristically relies less on technical capabilities such as malware, as the article highlights.

Tags: #businessemailcompromise #staffawareness

Why Companies Are Forming Cybersecurity Alliances

Summary: Reports reflect a number of companies now entering into various cyber security alliances and pacts to both drive improved operational security outcomes and to shape digital values.

Key risk takeaway: Increasingly, businesses recognise they can’t go it alone on cyber matters. The inter-connectedness of the digital economy, growing reliance on third parties, and the influence of global policy settings and regulations all mean that mitigating cyber security risk must be a collaborative effort. Having established foundational cyber security capabilities, businesses should look towards partnerships and collaborations that can extend the maturity of their programs and address these elements of risk that derive from the ecosystem. These could be (as the article usefully distinguishes) either practical, operational alliances (like threat intel sharing groups, or educational partnerships) or normative alliances aimed at promoting a set of values and ways in which companies and states should behave online.

Tags: #cyberoutreach

Millions of Australians’ sensitive medical images, data left openly accessible

Summary: Security researchers have again discovered a series of online servers exposing large quantities of sensitive data online. This includes personal details of almost every person in Ecuador, internal source code belonging to Canadian financial services company Scotiabank and millions of sensitive medical images belonging to Australians.

Key risk takeaway: “Leaky” servers – in which organisations fail to sufficiently protect data held on online servers – continue to be a concerning source of data breaches. Typically, these exposures are the result of poor or negligent configuration settings of online cloud instances. While some make the case that cloud service providers must improve their security, the prevalent “shared security model” means organisations must be vigilant about the data they are storing online, and about enforcing the right settings to ensure that data is sufficiently protected.

Tags: #privacy #cloudsecurity #dataprotection