Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action.
This week: A Cyber Security Baseline Standard has just been published in Ireland, Bank of Ireland has been fined €24m for risks that never materialised, and Ireland’s DPC tells us that If we have a complaint about a neighbour’s use of CCTV, we need to take it up with the courts.
This week’s action: Review your Incident Response Plan.
>>>>> THREE ARTICLES <<<<<
1: Cybersecurity Baseline for Irish Public Sector Bodies
A “Cyber Security Baseline Standard for Government ICT Services” has been developed to “put Public Service Bodies [in Ireland] in a much better position to identify, protect, detect, respond to, and recover from an attack, minimising damage and impact.”
While this is written for the public sector In Ireland, most of it is applicable to the private sector in any jurisdiction.
From my initial read, there are a lot of positives:
- The baseline is aligned to the NIST CSF cybersecurity framework, so the wheel hasn’t been reinvented here.
- Staff training is a mandatory requirement (section 1.4).
- The requirement that multi-factor authentication (MFA) “must be used for day-to-day activities. Where this is not possible, a risk analysis and risk assessment shall be undertaken and, where appropriate, mitigations shall be approved at an appropriate level, applied and documented.”
- The recommended separation of privileged user accounts from standard user accounts, although this is a ‘should’ rather than a ‘must’ (section 2.11.3)
- The mandatory requirement for “a clear and documented shared responsibility model between the organisation and suppliers/service providers” to be documented (section 1.6), and for “third-party suppliers for the provision of services [to] be managed [using] a formal process [that is] continually reviewed” (section 1.7). No assumptions allowed.
- The need for both a documented and tested Cyber Incident Response Plan (CIRP) and Disaster Recovery (DR) plan.
- The inclusion of a detailed template that will ensure all of the valuable information that should be included in a cyber incident response plan is captured.
For anyone seeking an appropriate security baseline for their organisation, it is worth a look.
2: Bank of Ireland fined €24.5m by regulator for deficiencies in its IT Service Continuity
“Bank of Ireland has been fined a record €24.5m and publicly reprimanded by the Central Bank of Ireland for IT failures dating back to 2008. [..] The fine is dramatically bigger than Ulster Bank’s €3.5m for IT failures back in 2012 that left its customers locked out of their accounts, in some cases for weeks [..] and despite the fact the failures at Bank of Ireland did not impact customers, and instead related to lax internal systems including weak internal controls that meant management did not act even though issues were raised. [..] the lack of a robust back-up meant the bank’s IT service continuity framework would potentially not have been able to cope if the bank had suffered a major IT incident between 2008 and 2015. That could have had a devastating effect on consumers.[..] The report identified failings relating to management and oversight of its third party IT vendors and failings relating to its management body having access to information regarding the deficiencies in BOI’s IT service continuity framework.”
The key takeaway: A regulated entity can suffer financial and reputational damage for failings relating to its management and oversight of its third party IT vendors (aka “Third Party Risk Management”) and failings to inform the “management body” regarding its IT deficiencies, even if the risks never materialise and customers are not impacted.
“The scale of the fine will be seen as a shot across the bows of the boards of all financial institutions.”
3: CCTV: DPC does not offer a mediation service for disputes between neighbours
Moving from security to data protection, Ireland’s Data Protection Commission (DPC) has published guidance on domestic us of CCTV, and how it will now deal with complaints from individuals who believe their data protection rights are being infringed by a neighbour’s CCTV camera (e.g. a smart doorbell). The paper also includes three interesting examples of recent complaints.
“Many of these cases are neighbour disputes [relating to broader issues] and would be better addressed through mediation as a more appropriate channel to address these wider issues. The DPC does not provide a mediation service [..]The DPC will usually attempt to identify the relevant data protection issue(s) for the parties and provide appropriate advice. – It will be open to an individual to rely on this advice in the context of how they deal with the wider issues in dispute.”
In other words, “within the context of the thousands of complaints it receives annually”, the DPC will tell you what the data protection issues are, but you will need to use the courts or a mediation service to try to get it resolved.
>>>>> TWO STATISTICS <<<<<
1.2 million websites were exposed after GoDaddy suffered a data breach which enabled a cyber attacker to obtain the email addresses and initial WordPress passwords of many of their customers. The sFTP (i.e. file access) login details for many sites were also exposed. The attacker gained access in early September but the breach was only discovered in mid-November.
“[T]he unauthorised third party gained access to the system using a compromised password.”
All the security in the world means sweet FA if 2FA is not set up on externally-accessible systems.
$120m in cryptocurrency was apparently stolen from Badgerdao, a Decentralised Autonomous Organisation (DAO). While I still try to figure out what a DAO is, others are trusting them – Apparently, in some cases, with their life savings and college funds.
I know I am from the old world, but why would you trust a DAO with your life savings, rather than a boring bank with its many years of experience doing all of the boring things necessary to keep the bad guys’ hands away from your money?
>>>>> ONE ACTION <<<<<
1: Review your incident response plan
I mentioned the Cyber Security Baseline Standards that were recently published in Ireland. Annex 3 of the document contains a ‘Cyber Incident Response Plan Checklist’ template. Structured around the NIST framework pillars of Identify, Protect, Detect, Respond, Recover, it is a list of things you should consider across your organisation to minimise the likelihood and impact of an attack.
This week, see how your preparation compares to this baseline.