Plain English Cyber in 3 articles, 2 numbers and 1 action.
This week: The Central Bank reminds us that cybersecurity has not gone away. The US Justice Department proves that bitcoin does not necessarily mean anonymous. And a Microsoft study makes me bang my head against a wall.
This week’s action: Baseline like it’s 2016.
If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.buzzsprout.com/1914497/10048463 or wherever you get your podcasts.
1: When our actions could become public knowledge, our attitudes change
According to a survey by TechRadar, 57% of IT security pros would think twice about paying a ransom demand following a cyber-attack if they had to publicly announce that they made a payment.
We could discuss the effectiveness of paying a ransom. After all, by the time you get the demand for a ransom payment, the horse has bolted and the barn door that let the bad guys in is still wide open.
But the more interesting point here is how attitudes change when actions could become public. It might be one way to reduce the payoffs being achieved by cyber criminals.
2: Irish regulator reminds firms that cybersecurity is not going away
The Central Bank of Ireland released their ‘Securities Market Risk Outlook Report 2021’ earlier this week. For a change, I will make no comment and leave it to the authors:
“Recent high-profile cyberattacks on institutions have highlighted, once again, the damage that can occur if adequate risk mitigation is not in place in an organisation.”
“Cyber security has long been an area of focus for the Central Bank, and recent domestic cyberattacks have strengthened our resolve to ensure regulated financial service providers are adequately addressing this issue.”
“The Central Bank expects the Boards and senior management of regulated firms to fully recognise their responsibilities in relation to IT, cybersecurity governance and risk management and place these among their top priorities. A cyberattack on a regulated firm, which could have been avoided if deficiencies had been addressed, will be subject to enhanced regulatory scrutiny.”
3: Irish regulator tells investment firms that crypto is too dangerous for normal people
This week, the Central Bank of Ireland restated their position that it is currently unlikely to authorise an investment fund targeted at retail investors if it proposes to invest in crypto-assets.
It states that “such assets may be suitable for wholesale or professional investors”, but the risks to retail investors, including “the risk of losing all of their investment” and the lack of “the guarantees and safeguards associated with regulated financial services”, mean such investments are too risky for the man on the street.
1: $3.6 billion
The value of the more than 94,000 bitcoin recovered by the US Justice Department, stolen in 2016 from the virtual currency exchange Bitfinex, as reported in The Journal earlier this week.
The Justice Department executed an old-school search warrant which allowed them to “scour the couple’s online accounts and recover the security key that gave them access to their digital wallet.”
It demonstrates that authorities can follow money through the blockchain and catch up with the criminals if given sufficient resources and time.
A big IF.
2: 78%
According to an article in Dark Reading, Microsoft has identified that 78% of organisations using their Azure Active Directory cloud service do not employ multi-factor authentication (MFA) on their user accounts.
I can only assume this means this 78% forgot to apply MFA to one of their many user accounts.
After all, as Microsoft’s CISO states in the article, they see 18 BILLION attempted password attacks every year and believe 99.9% of breaches would be prevented if you just implemented MFA.
Surely, 78% of organisations have not chosen to disregard a single security measure that would pretty much guarantee they will not be a victim of one of these 18 BILLION attacks.
1: Baseline like it’s 2016
As mentioned in the Central Bank’s Outlook Report, cybersecurity continues to be an area of concern and focus for the regulator. In 2016, they published their cross-industry guidance on cybersecurity risk. They have followed this with many Dear CEO letters, most recently to asset management firms in 2020.
We are now in 2022, over 5 years since the original guidance from the regulator.
If you have never baselined your firm against the CBI’s expectations, now is a good time to do so. If you did the baseline a few years ago, now’s a good time to check again so you can ensure all of the improvements you made back then are still in place.
If you’re unsure where to start, or you just need some moral support for your sanity before you engage with IT, I can help. Even a one-off advisory call could be just the thing you need to gain, or regain, momentum.
To learn more about the services I offer, go to https://www.codeinmotion.ie/services.