Cybersecurity Without Insanity in 3 articles, 2 numbers and 1 thought.

This week: An outsourced HR provider reports a breach 60 days after it was identified, the European Commission agrees a new directive to oblige service providers to do better, and what the data protection regulators think about security.

If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.

THREE ARTICLES

1. Wired reports that Sequoia One, a leading outsourced HR provider, has disclosed to customers that an array of sensitive employee data was breached due to unauthorised access to its cloud computing storage account between September 22 and October 6, including “dates of birth, Social Security numbers, as well Covid-19 test results, and vaccine cards that individuals uploaded to the employment system”. The provider informed clients about the breach in early December, almost 60 days after the breach was discovered. 60 days to notify customers of a breach involving sensitive personal data: I’m assuming Sequoia has never heard of GDPR.

2. Cyber Ireland recently mentioned that the European Council has adopted legislation for a new Network and Information Systems Directive called NIS2. “NIS2 will set the baseline for cybersecurity risk management measures and reporting obligations across all sectors that are covered by the directive”. As reported by IT Governance, this could include IT managed services providers. We have until September 2024 to get ready.

3. Secure The Village recently mentioned a story published on INFORUM, the website of ‘The Forum’ newspaper in Fargo, North Dakota – Yep, Fargo is a real place. The story describes how a US couple were conned into sending their life savings to a cyber criminal. Despite many warnings from their bank and others, they continued to believe that they were not being scammed. We can read this and wonder ‘how were they fooled?’. Or we can read this and wonder ‘How could we or our loved ones be fooled?’. We’re all experts at reading the label on the jar – until we’re the ones in the jar.

TWO NUMBERS

The two numbers this week come from the report / decision issued by the DPC in relation to a cyber attack on one Irish organisation, which I mentioned earlier in the week.

€60,000 – The administrative fine issued by the Data Protection Commission (DPC) following an investigation into how one victim of a cyber attack was protecting personal data. The investigation followed a cyber attack on the organisation in early 2020, which had resulted in about 300 emails being automatically forwarded to a Gmail account set up by the cyber attacker. (Subsection 8.81 of the report)

2 – The number of email accounts that were breached in the cyber attack, apparently because two staff members were phished (i.e. conned) by a phishing email. (Subsection 3.5 of the report)

ONE THING TO THINK ABOUT

One common complaint about GDPR (and data protection regulations in general) is that they say we must have appropriate security in place (e.g. GDPR calls it ‘appropriate organisational and technical measures’), but they don’t say a lot about what ‘appropriate security’ looks like.

However, included in the DPC’s report / decision document are numerous statements about what the DPC regards as appropriate security.

While these statements do not define a baseline, they certainly give a clear indication of what the minimum needs to include.

If we don’t have evidence that we at least considered the measures mentioned by the DPC, we can’t assert that we have appropriate security in place.

This is why I recommend that we all read the report and ensure our organisations have considered the measures flagged by the DPC. For example:

  1. Tight control of auto-forwarding (section 6.26)
  2. Enforced use of Multi-Factor Authentication (section 6.33)
  3. Disabling legacy authentication methods (section 6.33)
  4. Configuration of the more advanced protection capabilities of Microsoft 365 (section 6.25 and 6.34)
  5. A clear staff policy to ensure files containing personal data are not sent as unencrypted email attachments, even internally (section 6.24 and 6.28 and 6.32)
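To make the first three of those measures concrete for a Microsoft 365 tenant, here is an added audit script that is not part of the DPC report or of this newsletter. It runs against Exchange Online using the standard ExchangeOnlineManagement cmdlets, and assumes that module is installed and the account holds an Exchange administrator role. The `-Remediate` switch and the policy name “Block Basic Auth” are my own choices, not anything the DPC specifies; by default the script only reports, so its output can be kept as evidence that the measures were considered.

```powershell
# Added example (not from the DPC decision or this newsletter): audit-first check of
# three measures the DPC flagged, run against Exchange Online.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in account
# holds an Exchange administrator role. Nothing is changed unless -Remediate is given.
param(
    [switch]$Remediate,
    [string]$PolicyName = "Block Basic Auth"   # name is an assumption, pick your own
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# --- 1. Auto-forwarding (section 6.26) --------------------------------------
# Tenant-wide: the outbound spam policy and the default remote domain both govern
# whether mail can be automatically forwarded to external addresses.
$spam   = Get-HostedOutboundSpamFilterPolicy -Identity Default
$remote = Get-RemoteDomain -Identity Default
[pscustomobject]@{ Control = "Outbound spam policy AutoForwardingMode"
                   Value = $spam.AutoForwardingMode;   Expected = "Off" }
[pscustomobject]@{ Control = "Default remote domain AutoForwardEnabled"
                   Value = $remote.AutoForwardEnabled; Expected = $false }

# Per-mailbox: forwarding set on the mailbox itself, and inbox rules that forward
# or redirect (the incident behind the fine involved automatic forwarding to an
# external Gmail account).
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxForwards = $mailboxes |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

$ruleForwards = foreach ($mb in $mailboxes) {
    Get-InboxRule -Mailbox $mb.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mb.UserPrincipalName } }, Name, Enabled, ForwardTo, RedirectTo
}
"Mailboxes with forwarding configured: $(@($mailboxForwards).Count)"
$mailboxForwards | Format-Table -AutoSize
"Inbox rules that forward or redirect: $(@($ruleForwards).Count)"
$ruleForwards | Format-Table -AutoSize

# --- 3. Legacy (basic) authentication (section 6.33) ------------------------
$org = Get-OrganizationConfig
"Tenant default authentication policy: '$($org.DefaultAuthenticationPolicy)'"
Get-AuthenticationPolicy |
    Select-Object Name, AllowBasicAuthImap, AllowBasicAuthPop, AllowBasicAuthSmtp, AllowBasicAuthOutlookService |
    Format-Table -AutoSize

# --- 2. Multi-Factor Authentication (section 6.33) --------------------------
# MFA enforcement is configured in Azure AD / Entra Conditional Access (or Security
# Defaults), not in Exchange Online, so it is outside this script. Review those
# policies and file that review alongside this output.

if ($Remediate) {
    Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
    Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

    # A newly created authentication policy blocks every basic-auth protocol by default.
    if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
        New-AuthenticationPolicy -Name $PolicyName | Out-Null
    }
    Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName

    # Forwarding rules on individual mailboxes are deliberately left for human review:
    # each one should be confirmed with the mailbox owner before it is removed.
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without `-Remediate` and keep the output with the date and the name of whoever reviewed it; that record is what answers the “did you consider these measures?” question. Note that Microsoft has since retired basic authentication in Exchange Online tenant-wide, so the authentication policy step is belt and braces on a current tenant, but the audit still shows that the legacy-authentication question was asked.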

If you don’t have the time or the knowledge to assess your organisation’s alignment to the DPC’s expectations, I can help:

  • If you want to drive – I can guide you through a very focused and time-boxed process so you can quickly assess your organisation’s alignment to the expectations defined by the DPC in this report and identify what you need to do to get fully-aligned.
  • If you want me to drive – I can lead the assessment for you, and work with your staff and third party IT provider to define a clear and achievable action plan that will ensure you get aligned.

Why not invest the equivalent of 5% of this DPC fine in return for some clarity?