Cybersecurity Without Insanity? It could be as simple as 3 – 2 – 1…
This week: Irish doctors are terrified about ransomware, Australian firms are under attack, and the Swedish regulator issues a €75 million sanction.
3 – Doctors ask: “Is anyone else terrified?”
GPs in Ireland have expressed their fears of “being targeted by hackers in ransomware attacks, after learning that at least one practice falls victim on a monthly basis.”
According to a report in The Journal, GPs asked if they should be paying for a security penetration test. They were told “it is very expensive, and that it wouldn’t prevent them from being hacked down the line if software is not updated, and the basics of cyber security are not implemented.”
If you don’t have a secure foundation, you don’t need a penetration test to tell you that you’re exposed.
Don’t know what a secure foundation looks like? Look here.
Think you have a secure foundation? Find out here by answering 10 questions.
2 – Australia’s ABC News reports on cyber attacks. Australians ask for reports about lax security controls.
Australia’s ABC News recently reported on how cyber-crime has become organised warfare, likening cyber attackers to a mob in control of the equivalent of the third-largest economy in the world.
You can watch the In-depth episode on YouTube*.
While the report is very interesting, the 200+ comments on YouTube are even more interesting. The majority reveal a perception that the victims did not try hard enough to secure their systems, and that the absence in Australia of a regulation like GDPR didn’t help. Here are just two of the comments: “We need to look at the incompetence of the victims.” and “You should be reporting on the disgustingly lax security control measures used by Australian organisations.”
Most days, I may question the reasoning (and sanity) of many social media commentators. However, if their perception here is shared by the general public, it looks like organisations are facing an increasingly hostile audience when they are hit by a cyber attack.
* Thanks to Rachael Greaves of Castlepoint Systems for sharing this in LinkedIn.
1 – Swedish bank fined €75 million for poor change management
Swedbank (the largest banking group in Sweden) has been fined for an incident in April 2022 which caused customers to see incorrect balances on their accounts, and prevented 160,000 customers from making payments. The issue was resolved 2 days later.
According to the regulator’s report*, Finansinspektionen (the Swedish regulator) decided that a large sanction of SEK 850 million (approximately €75 million) was appropriate because the incident was caused by a system change** which was made without first going through the Bank’s change management process.
We don’t need to wait for regulations such as DORA (the Digital Operational Resilience Act): the European Banking Authority (EBA) and national regulators have already published clear guidance on how they expect firms to manage risk and ensure operational resilience.
Writing policies and procedures that align to these expectations is important. But following the policies and procedures is also important.
* Thanks to Stefan Petterson of Springflod for mentioning this to me.
** Ironically, the system change was made to ensure the system complied with a new regulatory requirement.
PS I talk about these news stories, and delve into how to manage cyber risks and regs without losing your sanity, on the “Cybersecurity Without Insanity” podcast.
All episodes are accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.