Plain English cybersecurity advice in 3 articles, 2 numbers and 1 action.
This week: In Cyber: What the cost of complying with the current NIS directive is, what the new NIS 2 directive looks like, why a Romanian city is nicknamed Hackerville, and why BOI has made its customers a little less appealing to the bad guys. In Crypto: The Love / Hate saga continues.
This week’s action: When it comes to payment processing, it takes two.
>>>>> THREE ARTICLES <<<<<
1: NIS Directive: How much did it cost firms to comply?
“The NIS Directive [aka Directive on Security of Network and Information Systems] represents the first EU-wide legislation on cybersecurity, with the objective to achieve a high common level of cybersecurity across all EU Member States.”
ENISA (European Union Agency for Cybersecurity) has published a report which “analyses the economic impact of cybersecurity incidents and assesses how these organisations monitor their budget and invest in order to meet their [NIS] cybersecurity requirements.”
The most interesting findings include:
- 50% of firms acknowledged that complying with the directive had a significant impact on their management of information security, and almost as many believe it also strengthened their detection capabilities.
- 67% believe they still need to invest more money to fully comply with the requirements of the directive.
- The median firm has 60 IT staff, 7 of whom worked on information security and 2 were allocated to incident response.
- Banking and healthcare suffered the highest direct costs of major security incidents, ranging from €213-300k (compared to an average of €100k across all industries).
Read more: https://www.enisa.europa.eu/news/enisa-news/cybersecurity-spending-an-analysis-of-investment-dynamics-within-the-eu
2: NIS 2: Europe gets a bigger stick
Draft text has been published of a new ‘NIS 2’ directive that will force more industries to improve their cybersecurity defences.
“All medium-sized and large companies in selected sectors would be covered by the legislation. [..] [T]he requirements include incident response, supply chain security, encryption and vulnerability disclosure. [..] while cybersecurity would become the responsibility of the highest managerial level.”
Supply chain security: Not only do you need to get a handle on your own security. You also need to get a handle on the security of your suppliers.
If you are within the scope of NIS 2 (which includes banking, health, financial markets, and digital service providers), a beefed-up law is coming your way. If you sell to such industries, expect to see more 300-question questionnaires in your inbox.
And if you want to learn what ‘ghosting’ means in a professional context, just ask a small firm that has tried to engage their large global service provider in such a process.
Read more: https://www.europarl.europa.eu/news/en/press-room/20211022IPR15610/cybersecurity-meps-strengthen-eu-wide-requirements-against-threats via PDP newsletter
3: Love / Hate in the Crypto world
I continue on my journey down the blockchain / crypto rabbit hole. What has this got to do with cybersecurity? Nothing. But he who clicks the keyboard controls the content.
This week, I’ve been reading plenty of articles about cities and countries trying to woo the latest kool kids on the block. But I’m also reading plenty of articles about the challenges faced by many of these kool kids when their new world order hits old world regulation.
The Sunday Times has a good article on how this all looks within Ireland at the moment. (If you have a subscription, you can read it at https://www.thetimes.co.uk/article/the-bitcoin-identity-zpnxmf2nt)
But I think Bloomberg nails the challenges in this insightful piece on the aspirations of New York City’s mayor and the realities of New York State’s regulations.
“Since his [mayoral election] victory, [NYC Mayor] Adams has been selling New York as a crypto-friendly hub. [..] suggested schools teach cryptocurrency and its technology; pledged to explore a mechanism to allow New Yorkers to be paid in virtual currencies; and even vowed to take his own first three paychecks as mayor in Bitcoin.” However, “There are many, many practical obstacles [as] New York state is perceived as one of the tougher states to establish a virtual currency business.”
Read more: https://www.bloomberg.com/news/articles/2021-11-13/can-eric-adams-new-york-crypto-dreams-become-reality
>>>>> TWO NUMBERS <<<<<
€5,000: A new lower limit will be applied by Bank of Ireland when one of their customers transfers funds to a new payee. The €5,000 daily limit will apply for 48 hours after the payee has been set up. After 48 hours, the normal limit of €20,000 per working day will apply.
Bank of Ireland says it has put this temporary lower limit in place to “protect customers from fraud when new payees are being set up.”
There is always a tug of war between security and convenience. But I think most people would feel this change is a good one.
Read more: https://www.bankofireland.com/help-centre/faq/much-can-transfer-365-online/
16: The number of bank accounts that a former chef based in Ireland set up as part of an online fraud. The fraud involved the creation of websites that looked like legitimate sites such as booking.com, and which fooled people into revealing their credit card details. €130,000 is believed to have been laundered through the suspect’s accounts. He was arrested as part of an EU crackdown on a fraud mob that apparently included over 100 inhabitants from one Romanian town, now nicknamed ‘Hackerville’.
Read more: https://www.independent.ie/irish-news/crime/former-chef-and-key-member-of-hackerville-crime-group-held-on-suspicion-of-setting-up-16-bank-accounts-with-fake-ids-to-launder-130000-41063166.html
>>>>> ONE ACTION <<<<<
1: Payment Processing
Bank of Ireland’s policy change should be a reminder to us all to check our own payments processes, especially the process we follow when setting up new payee details.
It is possible to fool one person, but far more difficult to fool two. Ensure your process involves two people.
And ensure your verification process includes a phone call to the person or organisation that has provided you with their payee details (using a phone number that you already have on file for them).
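The two controls above (a second person approving every new payee, and a callback to a number already on file rather than one supplied with the new details) together with the Bank of Ireland style cooling-off limit from the Two Numbers section can be turned into a small, testable rule set. The following is an added illustration written for this newsletter, not code from Bank of Ireland or any of the organisations mentioned: the payee names, IBAN, phone number, user names and timestamps are constructed, and the “working day” limit is simplified to a calendar day.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Limits taken from the Bank of Ireland change described above.
NEW_PAYEE_WINDOW = timedelta(hours=48)   # cooling-off period after a payee is activated
NEW_PAYEE_DAILY_LIMIT = 5_000            # EUR per day while inside the window
NORMAL_DAILY_LIMIT = 20_000              # EUR per day afterwards (calendar day used here; assumption)

# Constructed contact directory: the phone numbers your firm already holds on file.
# A callback must go to one of these, never to a number sent along with new bank details.
CONTACTS_ON_FILE: Dict[str, str] = {"Acme Supplies Ltd": "+353-1-555-0100"}


@dataclass
class Payee:
    name: str
    iban: str
    proposed_by: str
    proposed_at: datetime
    approved_by: Optional[str] = None
    callback_number_used: Optional[str] = None
    activated_at: Optional[datetime] = None


class PayeeRegistry:
    """Enforces two-person payee setup, on-file callback and the cooling-off limit."""

    def __init__(self, contacts: Dict[str, str]) -> None:
        self.contacts = contacts
        self.payees: Dict[str, Payee] = {}
        # Running total of payments per (payee, calendar day).
        self.daily_totals: Dict[Tuple[str, object], int] = {}

    def propose(self, name: str, iban: str, user: str, now: datetime) -> Payee:
        """First person records the new payee details; nothing can be paid yet."""
        payee = Payee(name=name, iban=iban, proposed_by=user, proposed_at=now)
        self.payees[name] = payee
        return payee

    def approve(self, name: str, approver: str, callback_number: str, now: datetime) -> Payee:
        """Second, different person confirms the details after a callback to the number on file."""
        payee = self.payees[name]
        if approver == payee.proposed_by:
            raise PermissionError("the approver must be a different person from the proposer")
        on_file = self.contacts.get(name)
        if on_file is None or callback_number != on_file:
            raise ValueError("callback must use a phone number already on file for this payee")
        payee.approved_by = approver
        payee.callback_number_used = callback_number
        payee.activated_at = now
        return payee

    def transfer(self, name: str, amount: int, now: datetime) -> bool:
        """Return True if the payment is allowed under the current daily limit, else False."""
        payee = self.payees[name]
        if payee.activated_at is None:
            raise PermissionError("payee has not been approved by a second person")
        in_window = now - payee.activated_at < NEW_PAYEE_WINDOW
        limit = NEW_PAYEE_DAILY_LIMIT if in_window else NORMAL_DAILY_LIMIT
        key = (name, now.date())
        spent_today = self.daily_totals.get(key, 0)
        if spent_today + amount > limit:
            return False
        self.daily_totals[key] = spent_today + amount
        return True


def run_demo() -> Dict[str, bool]:
    """Walk a constructed payee through setup and four payments; returns each outcome."""
    reg = PayeeRegistry(CONTACTS_ON_FILE)
    t0 = datetime(2021, 11, 15, 9, 0)  # constructed timestamp
    reg.propose("Acme Supplies Ltd", "IE00BANK00000000000001", "alice", t0)
    results: Dict[str, bool] = {}
    try:
        reg.approve("Acme Supplies Ltd", "alice", "+353-1-555-0100", t0)
        results["self_approval_blocked"] = False
    except PermissionError:
        results["self_approval_blocked"] = True
    try:
        reg.approve("Acme Supplies Ltd", "bob", "+353-1-555-9999", t0)  # number from the "new details"
        results["unknown_number_blocked"] = False
    except ValueError:
        results["unknown_number_blocked"] = True
    reg.approve("Acme Supplies Ltd", "bob", "+353-1-555-0100", t0)
    results["first_4000_in_window"] = reg.transfer("Acme Supplies Ltd", 4_000, t0 + timedelta(hours=1))
    results["next_2000_in_window"] = reg.transfer("Acme Supplies Ltd", 2_000, t0 + timedelta(hours=2))
    results["15000_after_window"] = reg.transfer("Acme Supplies Ltd", 15_000, t0 + timedelta(hours=49))
    results["next_6000_after_window"] = reg.transfer("Acme Supplies Ltd", 6_000, t0 + timedelta(hours=50))
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

The point of the structure is that the second approver cannot be the same login as the proposer, and the only phone number the code will accept for the callback is the one your own records already hold, so a convincing email with “our new bank details and new contact number” fails both checks. The cooling-off limit then caps the damage if something does slip through during the first 48 hours.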