Cybersecurity Without Insanity? It could be as simple as 3 – 2 – 1…
This week: SEC requires public disclosures of cyber attacks, Russians target staff through Microsoft Teams, and 5,000 businesses in Ireland suffer because staff members were fooled by SMS messages.
3 – No more hiding for US publicly-traded companies.
The SEC (the US Securities and Exchange Commission) is now requiring “publicly traded companies to publicize details of a cyber attack within 4 days of identifying that it has a ‘material’ impact on their finances.”
As recently reported in The Hacker News, the public disclosure may be delayed by up to 2 months if there is a risk that it “would pose a substantial risk to national security or public safety.” The SEC will also require companies “to describe on an annual basis the methods and strategies used for assessing, identifying, and managing material risks from cybersecurity threats”.
Key takeaway: Some executives will state that their sole purpose is to protect and improve their company’s share price. Now that the impact of their cyber security investment decisions could become a matter of public record and have a more direct impact on the share price, perhaps they will be motivated to make better decisions.
2 – The Russians are now phishing in Teams
“A Russian government-linked hacking group took aim at dozens of global organizations with a campaign to steal login credentials by engaging users in Microsoft Teams chats pretending to be from technical support.”
According to Microsoft researchers, as recently reported by Reuters and ASPI, the attackers “set up domains and accounts that looked like technical support and tried to engage Teams users in chats and get them to approve multifactor authentication (MFA) prompts”.
Key takeaway: Make sure your staff training doesn’t just focus on email scams.
1 – SMS is still profitable for scammers.
“[Ireland’s] telecoms regulator ComReg has revealed scam phone calls and texts are costing Irish businesses and individuals €300 million a year.”
According to a recent report in The Irish Times, “there have been multiple reports of different scams, including those posing as motorway toll operators, banks, An Post, or even a child in distress.” This news comes as a shock to absolutely no one in Ireland, as I’m pretty sure we’ve all received these messages in recent months. Apparently, 5,000 businesses have been victims of fraud because their staff members were fooled by these SMS messages.
Key takeaway (again): Make sure your staff training doesn’t just focus on email scams.