Cybersecurity Without Insanity? It could be as simple as 3 – 2 – 1…

This week: The Central Bank of Ireland reminds us that data protection is not just about IT security. Your IT MSP + their RMM tool could be the perfect combination for cyber attackers. And startups are under attack from cyber attackers. And questionnaires!


3 – The Central Bank of Ireland reminds us that data protection is not just about IT security

The Central Bank of Ireland (CBoI) has reported a data breach due to the failure of a data archiving process which is supposed to delete personal data from Ireland’s Central Credit Register (CCR) after 5 years. The issue was not spotted until a member of the public raised a query over 2 months later.

As described in the CBoI’s press release, this was not a cyber security incident. The data breach was not the result of lax security controls – it was caused by the failure of an archiving process. In the words of the CBoI, it was “due to a technical error”.

(A few people that I spoke to have found it ironic that the CBoI have used the term “technical breach”, when the CBoI seldom allows a regulated firm to use such terminology when it gets into difficulty. In defence of the poor CBoI, perhaps this is because it was ‘technical’ in the sense of a failure of a technology process, rather than in the sense of a legal technicality. It does weaken its credibility, but you can stop sniggering at the back of the class there!)

Key takeaway: You can’t comply with GDPR if you do not have appropriate security measures. But this incident is a reminder that your data protection obligations go beyond the need to secure the personal data that you process. There are many other obligations, including the need to delete the data when you no longer have a legal basis for retaining it.
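The failure mode described above is a retention job that silently stops deleting, with nobody noticing for months. The following added example (mine, not the CBoI’s process; record ids, dates and the five-year constant are constructed to match the article) shows a purge routine alongside an independent check that counts records already past their retention date, so a failed run is flagged by the data controller rather than by a member of the public:

```python
from datetime import date, timedelta

# Retention period from the article: personal data must leave the register
# after 5 years. (Constant is mine, chosen to match the page.)
RETENTION_YEARS = 5

def retention_cutoff(today, years=RETENTION_YEARS):
    """Records created on or before this date must already be gone."""
    try:
        return today.replace(year=today.year - years)
    except ValueError:  # 29 Feb in a non-leap year
        return today.replace(year=today.year - years, day=28)

def purge_expired(records, today):
    """The archiving job: drop records older than the retention period.
    `records` is {record_id: created_date}; returns the surviving records."""
    cutoff = retention_cutoff(today)
    return {rid: created for rid, created in records.items() if created > cutoff}

def overdue_records(records, today, grace_days=0):
    """Independent control: ids of records that should already be deleted.
    Run it separately from the purge job (different scheduler, ideally a
    different owner) so a silent failure of the job surfaces within days,
    not after a query from the public. `grace_days` tolerates the job
    running a little late before alerting."""
    cutoff = retention_cutoff(today) - timedelta(days=grace_days)
    return sorted(rid for rid, created in records.items() if created <= cutoff)

# Constructed sample register (hypothetical ids and dates).
SAMPLE = {
    "rec-001": date(2018, 3, 1),   # well past 5 years on 2023-09-01
    "rec-002": date(2018, 9, 1),   # exactly 5 years old: must be gone
    "rec-003": date(2018, 9, 2),   # inside retention by one day
    "rec-004": date(2022, 1, 15),
}

def run_check(today=date(2023, 9, 1)):
    """Simulate the job not running, then running; return both check results."""
    before = overdue_records(SAMPLE, today)            # job silently failed
    after = overdue_records(purge_expired(SAMPLE, today), today)
    return before, after

if __name__ == "__main__":
    before, after = run_check()
    print("overdue before purge:", before)   # ['rec-001', 'rec-002']
    print("overdue after purge:", after)     # []
```

A non-empty result from the check is the alert condition; wiring it to monitoring turns a two-month blind spot into a same-day finding.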


2 – MSP + RMM is the perfect combination for cyber attackers.

Remote Monitoring and Management (RMM) is software that is installed on a PC or laptop that allows your IT team or IT Managed Service Provider (MSP) to remotely manage the device. “Exploitation of RMM platforms presents a growing risk to small and medium-sized organizations.”

This is according to a recently published “RMM Cyber Defense Plan” from CISA (the US Cybersecurity & Infrastructure Security Agency), shared with me by Jason Scanlon of Numata. The RMM plan aims to mitigate the risks introduced by these RMM tools. For us normal people, the most valuable part of the plan is this separate Guide to Securing Remote Access Software. The guide includes very specific recommendations for both IT MSPs and their customers to reduce the risks. It includes the use of Multi-Factor Authentication (MFA) – surprise, surprise – as well as regular software updates, and using security tools to block unauthorised RMM tools.

Key takeaway: As I mentioned last week, your IT MSP could be a cyber attacker’s Most Successful Pathway into your organisation. You need to ensure there are appropriate security measures in place to protect this pathway, and this RMM guide could be a valuable element in this. You may assume that your IT MSP is managing your security and their security appropriately. I am sorry to tell you that this is a dangerous assumption. From experience, I know that many MSPs work on a reactive basis because they operate on very tight margins. In terms of security, these tight margins mean a high margin of error. And you will still be accountable for their error.


1 – Startups are under attack from cyber attackers. And questionnaires.

“It’s not only the Microsofts and Googles of this world that get hacked. Startups are equally at risk of data breaches, ransomware and other forms of cyber crime — sometimes with business-ending consequences. Yet early-stage startup founders rarely give much thought to cybersecurity. Many of them only realise the importance of having robust cyber infrastructure after they fall victim to an attack.”

This is according to a recent article on Sifted.eu (shared with me by Shannon Eastman of NB3, who I am slowly converting into a cyber security guru!). The article goes on to describe the common cybersecurity mistakes that startups make, including failing to use Multi-Factor Authentication (MFA) – surprise, surprise – lack of data backups, lack of an incident response plan, and a failure to regularly assess where their security weaknesses are.

Key takeaway: I regularly help service providers (e.g. SaaS / fintech; consultancy, accountancy & legal firms) to avoid these mistakes (and many more). But I think the article is wrong when it suggests firms only realise the importance of cyber security after they have been attacked. In my experience, many realise the importance after they receive a 300-question security questionnaire from a prospect, and realise a very profitable deal is at risk because their answers will reveal their lax security. These firms are not under attack from cyber criminals – they are under attack from questionnaires!

(PS: If this is you, I can help you to have better answers so you can get this deal over the line.)