This week:

  • Why Dry January was never going to work,
  • What 45 billion attacks tells us about JPMorgan’s cyber security, and
  • Why we need to stop worrying about zero days.

 

3 – Why Dry January was never going to work.

I have some bad news for anyone trying to get through Dry January. It’s time for champagne because the regulators have (finally got the finger out and) released the first batch of DORA Technical Standards.

The standards cover:

  • IT risk management frameworks,
  • Criteria for the classification of IT-related incidents,
  • Third party risk management policies, and
  • Contract registers.

So what? Maybe we shouldn’t pop the champagne just yet, because these standards are only in draft form. They have been sent to the European Commission, “who will now start working on their review with the objective to adopt these first standards in the coming months”.

Ah sure, that’s grand. It’s not like we have to comply within the next 12 months or anything...

 

2 – What 45 billion attacks tells us about JPMorgan’s cyber security.

JPMorgan Chase is attacked by hackers 45 billion times per day, according to an executive of the bank at a recent discussion at the (Western Elitist Funzone) World Economic Forum. (And thanks to everyone who sent me this story.)

In response to these attacks, according to its Investor Day Pack:

  • It invested $15 billion in technology (not just cyber security) in 2023. This has increased at a Compound Annual Growth Rate (CAGR) of 7% since 2019 (slide 2).
  • Its investment in cyber related defences has increased at a CAGR of 4% since 2020 (slide 8).

In other words, it looks like investment in cyber-related technology defences is not keeping pace with its spend on technology in general.

This is not necessarily a bad thing – as I’ve mentioned before, cyber security risk management is not just about technology.

So what? All of these numbers tell us very little about how the bank is really responding to 45 billion attacks per day (which is also a pretty meaningless number without an explanation of what they regard as an ‘attack’).

 

1 – Why we need to stop worrying about zero days.

“More than 178,000 SonicWall firewalls across the world are still unpatched and vulnerable to vulnerabilities disclosed ten months ago”.

This is according to a recent article by Risky Business News, and is based on research published by security firm Bishop Fox. You may know that a Zero Day Attack is an attack that takes advantage of a security hole that no-one previously knew about. Using the same terminology, a 300-Day Attack is an attack that takes advantage of a security hole that was known about, and probably fixed, 300 days ago.

So what? If someone is the victim of a Zero Day attack, they deserve sympathy. But, if they are the victim of a 300-Day Attack, they deserve… something less appealing than sympathy.