Cybersecurity Without Insanity? It’s as simple as 3 – 2 – 1…
This week: Bank failure, cyber fraud, security scorecards, and DORA: Just another day in cyber paradise!
3 – WHEREVER THERE IS (BANK) FAILURE, THERE IS (CYBER) FRAUD.
Silicon Valley Bank (SVB) in the USA recently collapsed, generating plenty of news headlines around the world. As reported by Frank on Fraud, it also caused a spike in registrations of SVB-related domain names.
It’s just the latest evidence that shows how scammers use big news stories to try to fool people into clicking links and visiting malicious websites.
Your staff need to be reminded about the potential danger of any emails or phone messages that suggest they need to take urgent action, or that try to lure them with the latest breaking news.
2 – A QUICK WAY TO ASSESS YOUR SECURITY DEFENCES.
The UK’s National Cyber Security Centre (NCSC) has launched an online cyber assessment and planner for small businesses and individuals / families.
It’s easy to follow, and involves a few simple questions. You can access it here.
FURTHER HELP: If you want to dig deeper into the areas that the questionnaire covers (plus others that are just as important to consider), try my Secure Foundation Scorecard. You get an immediate Cyber Score and tailored advice on how to improve your defences.
1 – DORA IS SIMPLE TO READ, BUT NOT SO SIMPLE TO IMPLEMENT.
The DORA (Digital Operational Resilience Act) regulation that will apply from January 2025 sets a clear minimum baseline for how regulated financial firms manage operational resilience and cyber risk. The Securities and Markets Stakeholder Group (SMSG) of the European Securities and Markets Authority (ESMA) recently issued an advisory note on the key challenges that it believes regulated entities will face as they try to comply with DORA’s requirements.
The SMSG notes that the timetable is challenging, especially without clear guidance from regulators such as ESMA about how firms should address the overlap between DORA and existing guidance (e.g. ESMA’s Guidelines on outsourcing to cloud service providers). It also questions whether DORA compliance really requires a firm to have a dedicated ICT risk management function.
The DORA regulation is simple to read (if you’re into that kind of thing), but the SMSG advice to ESMA shows how the requirements may be challenging for many firms to implement.
FURTHER HELP: DORA will drive the ‘compliance agenda’ for many of the firms that I seek to help, so I’ll be spending an increasing amount of my time over the next few months trying to interpret DORA into actionable advice. As part of this, I am putting the final touches to a “DORA Bootcamp” video course (with live Q&A), as well as setting up a private online community where we can discuss how to meet the obligations of the regulation. To keep it manageable, I will limit the number of people who can join. Access to the course and community will be free for the first group of participants. Get in touch if you’re interested in learning more.
PS To listen to Cyber 3-2-1 and a roundup of my other articles this week, all episodes are accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.