Cybersecurity Without Insanity in 3 articles, 2 numbers and 1 thing to think about.

This week: PayPal and Norton breaches, predictions of imminent cyber catastrophe, and taser-equipped drones. What more could you ask for?

To listen to Cyber 3-2-1: All episodes are accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.

 

THREE ARTICLES

 

1. PayPal and Norton: “It’s not me. It’s you.”

Bleeping Computer (via Secure The Village) recently reported that both PayPal and Gen Digital (the-company-formerly-known-as-Norton) have reported data breaches in recent weeks.

But as a regular reader of my emails and someone who always follows my advice, I am confident you are not one of the 35,000 users impacted by the PayPal breach or the undisclosed number impacted in the Norton attack.

That is because these breaches were not PayPal’s or Norton’s fault. The breaches were caused by “credential stuffing” attacks.

Bleeping Computer explains that credential stuffing attacks are “attacks where hackers attempt to access an account by trying out username and password pairs sourced from data leaks on various websites” and they succeed because people continue to use the same password on multiple sites.

And as a regular reader, I am sure you do not reuse passwords on multiple sites.

But for anyone who does reuse passwords and is impacted by a such a breach, they need to recognise that this is their own fault.

(As an aside: I can’t go any further without mentioning Multi-Factor Authentication (MFA). If you have MFA enabled on your account, then your password is less important. But it’s still important. You know what I mean…)

 

2. Predictions of a catastrophic cyber event

The World Economic Forum (in association with Accenture) recently launched the “Global Cybersecurity Outlook 2023” report. It’s an interesting read, and by comparing the opinions of cyber leaders and business leaders, we can identify any divergence in their thinking.

Something that both groups seem to agree on is the likelihood of a catastrophic cyber event within the next two years. This prediction (supported by 93% of cyber leaders and 86% of business leaders) arises from current global geopolitical instability.

So, my concern that such an event will arise by the likely escape from human control of an autonomous and buggy Artificial Intelligence may need to wait until next year’s report!

 

3. Taser-armed drones in classrooms

Finally, here is an interesting story from Recorded Futures about one proposed solution to the problem of mass shootings in US schools.

The idea is to place a taser-armed drone in each school, which can be remotely flown and operated by a police officer in the event of a shooting incident. Putting aside the issues of shooters usually wearing body armour and closing classroom doors, thus preventing such a drone from getting to them, the story shows a fundamental flaw in how many technology companies try to ensure their innovations have a positive impact on the world.

Many tech firms establish an independent ethics board, which is responsible for considering the benefits and risks before anything is developed. In theory, an ethics board is a trustworthy way to reduce the risks that may arise from a new innovation. That is until the CEO decides to ignore the ethics board’s decision and fires ahead anyway.

This is a lesson we need to be mindful of, as we watch many firms racing to develop AI (Artificial Intelligence) into SI (Superior Intelligence) without any thought about the ethical implications of these developments.

 

TWO NUMBERS

 

40% – According to analysis by Chainalysis, and reported by Infosecurity Magazine, ransomware payments fell by over 40% in 2022 compared to 2021. Apparently, “one reason [..] is growing government pressure and implications around paying ransomware demands”. Many organisations are fearful that paying a ransom may be too risky, as the payment may be linked to a sanctioned entity. Cyber insurance policies are also less likely to include coverage for ransom payments, limited a victim’s ability to pay. Before anyone thinks ransomware is no longer a threat, the value of ransomware payments made in 2022 still exceeded USD $400 million, according to Chainalysis’ report. Payments may be down 40%, but it’s still a thriving industry.

 

USD $10.5 trillion – The estimated total revenue generated by cybercrime in 2020, according to a 2020 report by Cybersecurity Ventures, and quoted by the Albanian Prime Minister during his appearance at the World Economic Forum (and reported by Infosecurity Magazine this week). Apparently, if cybercrime was a state, it would be the third largest economy in the world.

 

ONE THING TO THINK ABOUT

By the time you read this, my Cybersecurity for Regulated Firms webinar will be over. You can go to https://codeinmotion.ie/irishfunds over the next few days to access the slides and audio / video recordings of the session.

In preparation for the session, and to assist firms that have concerns about their alignment to regulators’ cybersecurity expectations, I have developed a self-service scorecard that enables you to do a quick check on your compliance with some of the guidance from the Central Bank.

You can give it a whirl at https://codeinmotion.ie/RegulationScore.

I’d really appreciate your feedback – If enough of you find it useful, I will enhance it over the coming weeks to cover more of the regulatory expectations.