Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action.
This week: Reliance on passwords has made it onto the cybersecurity naughty list; cyber insurance is getting more expensive; use of the cloud is not a guarantee of security; how to convert 21GB of data into 10 years of jail time.
This week’s action: A checklist for working from home.
>>>>> THREE ARTICLES <<<<<
1: A password is sufficient to get remote or administrative access = Bad, bad, bad
The US Cybersecurity and Infrastructure Security Agency (CISA) has launched a new ‘Bad Practices’ list of “non-recommended cybersecurity practices, techniques, and configurations”.
The latest item to be added to the very short list is “the use of single-factor authentication for remote or administrative access”.
The current list, and the candidates being considered for inclusion, are fine. But how long will it take them to add “the non-use of the intelligence of your staff to protect the organisation” to the naughty list?
2: Cyber insurers are trying to keep up with cyber threats
“The effect of ransomware and then your standard garden-variety data breaches, business email compromises, because the payouts have been pretty significant on the insurance side, we’ve seen a really different approach [..] underwriters are putting greater emphasis on insureds’ security controls [..] multifactor authentication being the biggest one. Underwriters are also considering backup systems, the quality of the insured’s information technology team, and remote work protocols.”
Cyber-insurance coverage is going to get more expensive. If you don’t have some basic security measures in place, coverage may become impossible to obtain. And rightly so. Insurance is a risk transfer mechanism: it may reduce the financial impact of an attack, but it does not reduce the likelihood of one. You need to take responsibility to protect yourself.
3: A Microsoft Azure vulnerability exposed data belonging to thousands of clients for roughly two years
“Microsoft is warning customers of its Azure cloud platform about a software vulnerability that exposed data belonging to thousands of clients for roughly two years. The flaw would have allowed any Azure Cosmos DB user to read, write and delete another customer’s information without authorization.”
God, grant us the serenity to accept the things we cannot control, and the courage to implement other measures (e.g. data minimisation; pseudonymisation) to minimise the impact.
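As an added illustration of the two measures named above (not code from the original newsletter), here is a small Python routine that prepares customer records for a shared cloud database: it drops every field the application does not need (minimisation) and replaces the direct identifiers with keyed HMAC-SHA256 pseudonyms, so a party who can read the database without the key (as in the Cosmos DB case) gets neither names nor reversible identifiers. The record layout, field names and sample records are constructed for this example; the key would in practice live in a secrets manager or HSM, never in the same store as the data.

```python
import hashlib
import hmac
import secrets

# Assumed record shape for this example: the fields the application actually
# needs (data minimisation) and which of those are direct identifiers.
REQUIRED_FIELDS = {"customer_id", "email", "plan", "signup_year"}
DIRECT_IDENTIFIERS = {"customer_id", "email"}


def pseudonymise(value, key):
    """Deterministic keyed pseudonym: HMAC-SHA256 over the normalised value.

    A plain SHA-256 of an email address can be reversed by hashing a list of
    likely addresses; the HMAC key makes that impossible for anyone who only
    holds the database. The same input always maps to the same pseudonym, so
    records can still be joined on it.
    """
    normalised = str(value).strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def minimise_and_pseudonymise(record, key):
    """Return what should be written to the shared cloud store.

    Fields the application does not need are dropped; direct identifiers are
    replaced with keyed pseudonyms.
    """
    kept = {k: v for k, v in record.items() if k in REQUIRED_FIELDS}
    for field in DIRECT_IDENTIFIERS:
        if field in kept:
            kept[field] = pseudonymise(kept[field], key)
    return kept


def prepare_batch(records, key):
    return [minimise_and_pseudonymise(r, key) for r in records]


def find_by_email(stored, email, key):
    """Re-identification needs the key: recompute the pseudonym and look it up.

    Without the key an attacker cannot do this, nor test a guessed address
    against the stored values.
    """
    wanted = pseudonymise(email, key)
    for row in stored:
        if row.get("email") == wanted:
            return row
    return None


# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"customer_id": 1001, "name": "Alice Example", "email": "Alice@Example.com",
     "phone": "+44 20 7946 0000", "date_of_birth": "1980-02-03",
     "plan": "pro", "signup_year": 2019, "notes": "called about invoice"},
    {"customer_id": 1002, "name": "Bob Sample", "email": "bob@example.org",
     "phone": "+44 20 7946 0001", "date_of_birth": "1975-11-30",
     "plan": "free", "signup_year": 2021, "notes": ""},
]

if __name__ == "__main__":
    # The key belongs in a secrets manager or HSM outside the cloud database;
    # generating it here is only for the demonstration.
    key = secrets.token_bytes(32)
    stored = prepare_batch(SAMPLE_RECORDS, key)
    for row in stored:
        print(row)
    print(find_by_email(stored, "alice@example.com", key) is stored[0])
```

Two caveats. The pseudonyms are deterministic so that records can still be joined and looked up; that also means two records about the same person remain linkable inside the store, and if linkage is not needed, random tokens with a separate lookup table held outside the cloud are the stronger choice. And the key is the whole protection: if it is stored alongside the data, or reachable from the same compromised credential, the pseudonymisation is worth nothing.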
>>>>> TWO STATISTICS <<<<<
Cyber insurance premium costs rose 25.5% in Q2 2021, according to this report by Business Insurance, following an 18% increase in Q1 2021.
“A rise in ransomware attacks, lacklustre risk management protocols and lack of employee training were among the primary drivers behind the notable increase in cyber prices. [..] As well as price increases, insurers are cutting limits and demanding buyers complete additional risk management protocols”
PS: Examples of risk management protocols would include alignment to a recognised cybersecurity framework (e.g. CIS Controls; NIST CSF); use of multi-factor authentication; ongoing staff awareness training.
A disgruntled part-time employee of a US credit union deleted 21GB of data (more than 20,000 files and 3,500 directories), two days after she was fired.
The organisation was able to restore the data from a backup, at a cost of about $10k. The employee now faces up to 10 years in jail.
>>>>> ONE ACTION <<<<<
1: Working From Home – Check the Checklist
I know we’ve all been working from home for almost 18 months now, but it’s never too late to assess our home working environment and our behaviours. This plain English checklist from Data Protection Network is worth a look.