Cybersecurity Without Insanity in 3 articles, 2 numbers and 1 thing to think about.
This week: ENISA predicts the future, a future when even teddy bears need to be cyber aware. And we get a clear answer to the question ‘What did the NCSC ever do for us?’
To listen to Cyber 3-2-1: All episodes are accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.
1. Predicting the future
ENISA (the EU Agency for Cybersecurity) undertook an exercise in 2022 to try to predict what the cybersecurity threats of 2030 could be.
Putting aside minor “distractions” like ‘advanced disinformation campaigns’ and ‘risk of digital surveillance / loss of privacy’, its Top 10 also includes:
- Supply chain compromise of software, and
- Targeted attacks against cross-border IT service providers.
These predictions show us once again why Third Party Risk Management, and Risk Management of IT Service Providers in particular, are such key themes in the EU’s DORA and NIS2 regulations.
2. Even teddy bears need to be cyber aware.
As if the EU’s DORA regulation wasn’t enough to keep us busy, there is also a Cyber Resilience Act (CRA) in the works.
CRA will target any products sold in the EU ‘with a digital element’. This will include:
- Smart speakers
- Password managers
- Operating systems
- Teddies and dolls (if they have any online capability).
It will require producers to ensure their products are appropriately secure -i.e. Unlike the Cayla doll that a German watchdog told parents in 2017 to destroy because of the risk that a stranger could use it to talk to their child.
PS Chris Horn summarised the likely implications of the Cyber Resilience Act (CRA) a few months ago in the Irish Times.
3. What did the NCSC ever do for us?
Ireland’s National Cyber Security Centre (NCSC) recently released a “Secure Configuration Framework for Office 365”. Developed in coordination with Microsoft and Ekco, the framework builds on the previously-released Public Sector Cyber Security Baseline Standards.
I know that when I see the phrase ‘Public Sector’, my eyes tend to glaze over. However, these are not green papers or white papers to be filed in a filing cabinet. They contain actionable guidance, organised in a very logical way.
I guide my clients so they baseline their security measures against a recognised security framework or benchmark. This ensures they benefit from the knowledge and experience of the whole cyber security industry. In future, when a client relies heavily on Microsoft 365 (i.e. 95% of them!), the NCSC’s framework is likely to be one of my reference points.
FYI Transparency: I have no professional relationship with Ekco, but I have previously engaged the services of Ward Solutions (now part of Ekco) for a number of clients.
This week’s numbers come from a survey first published by First Trust in January, and which I stumbled upon on the website of Seaspray Private.
22.4% – Financial and Insurance businesses were the target of 22.4% of cyber attacks in 2021, according to the survey. This puts them in second place, just behind manufacturing companies.
12.7% – Professional & Business Services firms were the target of 12.7% of attacks in the same period, meaning they are the third most popular targets for attackers. For the accountants and lawyers at the back of the room, this includes you!
ONE THING TO THINK ABOUT
Staff don’t care about your cybersecurity.
Earlier this week, I wrote about the first time I ran a cyber security training session. I will never forget the experience.
It taught me that people will not engage with the topic unless it has a meaningful connection with their personal lives*.
Learn from my experience and ensure the content presented to staff in your ongoing awareness campaigns is meaningful to their personal lives.
* It’s probably why the individual accountability that is now so prevalent in regulations – e.g. Senior Executive Accountability Regime (SEAR) in Ireland – is also so necessary.