Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy.

The round-up:

Nation state activities dominated the news this week, from reports of a major supply chain compromise by China to the Australian and UK governments publicly attributing Russia as the source of a number of cyber-attacks. Though these issues are often framed in terms of geopolitics and international relations, each of these stories has important practical takeaways for private sector organisations.

Key articles:

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies

Summary: According to an investigation by Bloomberg, the Chinese military hid malicious microchips in motherboards bound for US companies including Amazon and Apple. The tech companies have have issued strong denials, which have been backed by US and UK government agencies.

Key risk takeaway: Notwithstanding the denials, the explosive story – similar to the debate earlier this year about banning Chinese communications company Huawei from Australia’s 5G network –  underscores the potential security risks that exist in hardware and software supply chains. Supply chain attacks have increased significantly in recent years. Businesses must manage vendor and supplier security risks – via a comprehensive supplier security assessment framework –  with the same vigour as they do risks in their own infrastructure.

Tags: #supplychain #security #suppliersecurityassessment

Apple’s Tim Cook is sending a privacy bat-signal to US lawmakers

Summary: Apple’s CEO Tim Cook doubled down on the centrality of privacy to Apple’s business model this week, declaring privacy a “human right” and “essential to liberty”. Cook also indicated some form of government regulation was necessary to protect privacy, and that Apple’s commitment to privacy remained steadfast even as it operated in China.

Key risk takeaway: As one of the world’s largest and most influential companies, Apple’s pro-privacy pronouncements may have an impact on public expectations. In particular, Cook’s dismissal of the idea that companies need large amounts of data in order to deliver high quality digital services has strong relevance to ongoing discussions about what constitutes appropriate data collection and use.

Tags: #privacy

Tesco Bank Hit With £16 Million Fine Over Debit Card Fraud

Summary: The UK’s Financial Conduct Authority handed down a record cyber-related fine to the banking arm of the UK’s largest supermarket chain Tesco, for failing to protect account holders from “foreseeable” cyber risks.

Key risk takeaway: Regulators have noticeably increased scrutiny over the management of cyber security risks in recent years. The Australian Prudential Regulatory Authority has issued draft information security regulation, CPS 243, which sets out clear rules on how regulated Australian institutions should be managing cyber risk. In this climate, it is possible and likely that similar fines could be applied by local regulators to instances of non-compliance. Organisations should understand their regulatory obligations and the relevance of standards such as ISO 27001 in presenting a proactive approach to mitigating cyber risk. Read more in our recent blog post.

Tags: #regulations #compliance #security #standards

Facebook says hackers did not use stolen logins on third-party sites

Summary: Investigations continue into the major breach that allowed hackers to gain access to nearly 50 million Facebook accounts. The social network confirmed hackers had not been able to access third-party sites that use the Facebook’s single sign-on as a result of this breach. However still no news on the actors behind the breach.

Key risk takeaway: After a series of recent scandals, the large scale data breach further undermines Facebook’s public standing on privacy and security issues. The response to this breach also reinforces the climate of increased scrutiny and expectation around data breaches that all organisations now operate in, particularly those servicing EU residents. Commentators highlighted that Facebook – under pressure to comply with GDPR’s 72-hour breach disclosure deadlines – may have been forced to paint a more dire, and perhaps premature, picture of the extent of this breach than had it been able to wait until investigations were complete. Observers also noted that while the number of affected users from European countries had been made known, details for US users were being revealed more slowly.

Tags: #breach #privacy #regulations #GDPR

Canadian restaurant chain suffers country-wide outage after malware outbreak

Summary: A Canadian restaurant chain suffered a country-wide outage of its IT systems in what was described as a “malware outbreak”, later confirmed as ransomware.

Key risk takeaway: Ransomware has risen from having no presence as a threat category a few years ago to now being a multi-billion dollar revenue stream for cybercriminals. Just as critical, ransomware can have critical real-world impacts for business operations. The Canadian restaurant in this story was reportedly forced to close locations as a result of the ransomware. A few weeks earlier, two major international ports – Barcelona and San Diego – were disrupted as a result of what has been reported as ransomware attacks. User education – particularly awareness of detecting emails that contain malicious links or attachments – remains one of the strongest defences against ransomware infection.

Tags: #ransomware #securityawareness #malware

Australia, UK accuse Russia of cyber-attacks aimed at undermining Western democracies

Summary: The Australian and British governments publicly condemned a pattern of malicious cyber activity conducted by Russia and targeting political, business, media and sporting institutions. The attribution is part of a growing push by western parties to establish norms of behaviour in cyberspace and signal consequences for activity that breaches those norms.

Key risk takeaway: Though the Australian government indicated Australia was not significantly impacted by this activity, previous malware attributed to the Russian government is known to have been indiscriminate. For instance, NotPetya malware initially targeted businesses in Ukraine but ultimately affected a large number of organisations internationally. While preventing compromise from advanced and targeted nation state attacks is difficult, user awareness training and regular patching can play a key role in mitigating the risk from less targeted attacks.

Tags: #nationstate #securityhygiene #securityawareness