Cybersecurity Without Insanity in 3 articles, 2 numbers and 1 thing to think about.
This week: There’s one for everyone in the audience, including the board of directors and anyone who relies on an IT MSP to manage their cloud systems. The two numbers this week remind us why invoice fraud is so rampant – Because that’s where the money is!
The thing to think about this week? Take two minutes to try my new toy AND find out your cybersecurity score at the same time. It’s a win-win!
To listen to Cyber 3-2-1: All episodes are accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.
1. Here’s one for any directors out there
A recent opinion piece in The Hill (and included in a recent ISACA newsletter) argues that the board of directors should be seeking more frequent and in-depth reports on the organisation’s cybersecurity defences, to ensure the directors do not find themselves being held personally liable for failures in these defences in the future. The author’s argument centres on a legal precedent in the US legal jurisdiction of Delaware, referred to as the ‘Enhanced Caremark Standard’. Given cybersecurity is mission critical for most companies, the author argues that this standard requires the board to “establish procedures to get regular reports from management on cybersecurity’. The author also suggests that “a board sub-committee should be designated whose main responsibility is cybersecurity [and that this] cannot be the audit committee, given the different skill sets needed for audit and cybersecurity governance.” I have presented to many boards on the topic of cybersecurity, but this is frequently an annual exercise and usually reveals significant gaps in the breadth and accuracy of reporting to the board. I wonder how this will change now that we see directors being held to account by things like the Irish Central Bank’s Senior Executive Accountability Regime (SEAR), the UK FCA’s Senior Management and Certification Regime (SM&CR), and Australia’s Banking Executive Accountability Regime (BEAR).
2. Here’s one for anyone who has outsourced to an IT MSP
The UK’s National Cyber Security Centre (NCSC) has recently published guidance on the things you need to think about when relying on a 3rd party Managed Service Provider (MSP) to manage a cloud service (e.g. Microsoft 365) on your behalf. There are many benefits from such an arrangement – After all, you’d assume the MSP knows more than you do about how to manage the security of the service (although in my experience, this assumption turns out to be wrong). However, the NCSC flags that there are also risks from this type of outsourcing because the MSP has significant access into your system but you do not have visibility into their organisation (and their security measures). Using a 3rd party MSP is also an additional attack pathway, and one that cyber attackers know can be quite valuable to target. After all, why target one business when they can target an IT MSP that has access into the systems of dozens of businesses. [My thanks to https://www.cyberrescue.co.uk/
for mentioning this NSCS guidance].
3. And finally, one for everyone!
On a similar theme, Bleeping Computer reported a few weeks ago on how some cyber attackers are gaining access into organisations by sending emails that fool recipients into downloading and installing a remote access tool that is frequently used for genuine purposes by IT MSPs. The attacker’s email is usually sent from a compromised email account, so the recipient is more likely to trust it and therefore more likely to open an attachment or download a file. The attachment on the malicious email is frequently a HTML file. The likelihood of such an attack succeeding can be significantly reduced by training / reminding staff about how they are targeted by cyber attackers, removing local administrator privileges so they can’t install applications on their devices without approval, and automatically blocking emails that have unusual file attachments. After all, how frequently do you receive genuine emails with HTML file attachments?
0 (zero) – The number of bank robberies in Denmark last year, down from 221 robberies in 2000. This is according to a report in Computer Weekly (and first mentioned in the excellent AML Intelligence newsletter).
€14,000 – In completely unrelated news, Irish businesses lost an average of €14,000 due to invoice fraud in the first half of 2022, according to research published by FraudSMART a few months ago.
“Invoice fraud”. “Payment Redirection Fraud”. “CEO Fraud” – Call it what you will. The fraud succeeds because of an organisation’s poorly-defined or poorly-enforced payments processes.
Sutton’s Law states that when diagnosing a problem, we should first consider the obvious.
- Why did criminals rob banks – Because that’s where the money was.
- Why do criminals now target your payments processes – Because that’s where the money is.
Make sure your payments processes (i.e. how you pay invoices, and how you setup the are not leaving the vault doors wide open for the cyber criminals.
ONE THING TO THINK ABOUT
In case you didn’t know, I help organisations to improve their cybersecurity defences.
Every organisation is unique and every organisation’s end goal is specific to its risk appetite, strategic goals, and capabilities.
But my recommended starting point is nearly always the same: Ensuring you are not missing a simple defence that could significantly reduce the risk of you being the next victim of a common, unsophisticated cyber-attack.
What do I mean?
I’m glad you asked – I’ve been working on something that shows you what I mean.
It’s called the ‘Security Foundation Scorecard’.
It’s free, it takes two minutes and you receive tailored advice immediately.
Give it a whirl and let me know what you think – All feedback is appreciated.
Go to https://score.codeinmotion.ie and Get Your Score!