Cybersecurity Without Insanity in 3 articles, 2 numbers and 1 thing to think about.
This week: Love is in the air, an Irish university responds to a ransomware attack, and CROs believe cyber risk is a higher priority than credit risk.
To listen to Cyber 3-2-1: All episodes are accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.
THREE ARTICLES
1. Love is in the air.
As we approach the annual ‘Support Hallmark’ fundraiser on February 14th, Tripwire reports on analysis by the UK’s TSB bank of the financial cost to victims of romance scams*.
Victims of a romance scam believe they have met their perfect match online, but the other person is in fact a scammer using a fake profile to slowly gain the victim’s trust so they can eventually ask them for money.
According to TSB’s analysis, all age groups are vulnerable to falling for a romance scam. The average age of a victim is 47. Females are victims in two-thirds of cases. In 35% of cases, the victim met their scammer on Facebook. On average, a victim is fooled into making payments over a period of two months before realising their relationship is a scam.
Credit to Graham Cluley for mentioning this in his excellent GCHQ newsletter.
2. Munster Technological University (MTU) impacted by a ransomware attack.
Ireland’s MTU is recovering from a ransomware attack, resulting in its facilities remaining closed to its staff and 13,000 students.
There’s plenty of reporting about the ongoing incident, so I won’t speculate about what is going on. In time, the full facts will emerge.
However, I will say that this 5-minute interview with Paul Gallagher (MTU’s Vice President of Finance and Administration) on RTE’s Morning Ireland yesterday suggests MTU’s incident response has been excellent.
I don’t know Paul but given his role, I assume he is not a cyber expert. And yet in the interview, he comes across as well-informed about both the incident and the response activities that are still underway within the organisation.
If you work in a role similar to Mr Gallagher’s, you should consider whether you would be in a similar position if such an incident occurred in your organisation. If you doubt you would, is there anything you (or we) could do now to improve the situation?
3. I find a way to mention Multi-Factor Authentication
Mint recently reported on an initiative by The Quad*, a shared effort between India, Australia, Japan and the US, that aims to improve people’s awareness of cyber threats and steps they can take to reduce the risks.
According to The Quad, “many cyberattacks can be guarded against by simple preventive measures [and] together, Internet users and providers can take small steps to significantly improve cybersecurity and cyber safety. These steps include routinely installing security updates [and] knowing how to identify common online scams such as phishing.”
The initiative also mentions the importance of using Multi-Factor Authentication (MFA), so your password is not the only thing a criminal needs to gain access to your account. I was concerned that I’d complete this week’s Cyber 3-2-1 without mentioning MFA.
* No, I never heard of it either, so it may just have been made up by a marketing guru.
TWO NUMBERS
This week’s numbers come from EY’s Global Risk Management Survey, which was recently mentioned by Cyber Risk Alliance. The results come from a survey of chief risk officers (CROs) in the banking industry.
72% of banking CROs believe managing cyber risk is a top priority for the next 12 months (ahead of credit risk in second place, and significantly ahead of climate risk in third place).
34% of CROs believe aligning to regulatory expectations and/or improving operational resilience are top priorities (meaning these priorities share fourth place in the Top Priorities list). I bet the arrival of DORA in 2025 will push these items up the priority list next year. (PS I talked about DORA earlier this week.)
ONE THING TO THINK ABOUT
Your staff can be your weakest security link, or your strongest security link.
If you do not regularly show them why and how they are targeted by criminals, you only have yourself to blame when they are fooled into welcoming a criminal into your organisation.
Where can you find relevant content to share with staff?
- If you use an awareness training platform, I hope it provides regular content updates.
- There are also plenty of experts sharing valuable insights online.
Based on feedback from a recent survey of my email subscribers, I’ll share more examples of their excellent work in the future.
For example, earlier this week, I mentioned two techniques used by criminals that you should bring to the attention of your staff.
1. QR codes – https://codeinmotion.ie/qr-codes-are-handy-and-hazardous/ (Credit goes to Stephen Burke for this one).
2. Online ads – https://codeinmotion.ie/do-not-click-on-online-ads/ (Credit goes to Secure The Village for this one).
Sharing is caring.
Sharing is securing.