Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action.
This week: Some key insights from the annual report of Ireland’s data protection regulator, and an introduction to Cyber Essentials.
This week’s action: Backups – Have them, test them, secure them.
- Cybersecurity is a data protection problem
The DPC (Data Protection Commission, Ireland’s data protection regulator) released its 2020 Annual Report last week. In section 3 of the report, the DPC expresses its concerns about “an increase in the use of social engineering and phishing attacks to gain access to [IT systems]”. It believes businesses are victims of these types of attacks because they are “not taking proactive steps to monitor and review [security] measures, or to train staff to ensure they are aware of evolving threats”. If your business is a victim of a cyber-attack which results in an unauthorised individual gaining access to personal data, you don’t just have a cybersecurity problem. You have a data protection problem. And the data protection problem may be more costly than the damage caused by the cyber-attacker.
Read more: https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-publishes-2020-annual-report (page 36)
- Data protection is not a cybersecurity problem
Sticking to the DPC annual report and the section discussing data breaches: When we think about data breaches, we imagine bad guys hacking into systems and stealing data. But this is not the main cause of reported data breaches – Only 146 of the 6,783 data breaches handled by the DPC in 2020 were classified as ‘hacking’. In contrast, 86% of data breaches are classified as ‘unauthorised disclosure’. Unfortunately, the DPC has not taken the time to describe the types of incidents that get classified as ‘unauthorised disclosure’, and a search of the DPC site does not reveal a definition. But it is fair to assume a high percentage will be caused by staff error – for example, sending emails or attachments to the wrong recipient. It is right to be concerned about the threat of external criminals attacking our businesses. But we shouldn’t forget about the threat of internal staff exposing our businesses through simple errors.
Read more: https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-publishes-2020-annual-report (page 37)
- Cyber Essentials – The next step after the basics
If you have followed my guide to cybersecurity basics for small businesses, you will have basic measures in place to defend against the most likely attacks. You can then consider the next step on the cybersecurity ladder. Cyber Essentials may be that step. It is a set of requirements (split across five themes) that will help any business identify the appropriate technical security measures that should be put in place to protect against common cyber attacks. The requirements are described in plain English within a 10-page document. Cyber Essentials does not cover many important elements of your defences – for example, staff training or the cloud-based SaaS services that most businesses rely on. However, it is a valuable step on the cybersecurity ladder. As a bonus, you can also self-certify your compliance with the Cyber Essentials requirements, which may reassure your clients and business partners that you are doing something to manage cybersecurity risk. I have written a detailed explanation of Cyber Essentials, who it is for, its benefits and shortcomings, etc.
Read more: https://codeinmotion.ie/cyber-essentials
- 86%: The percentage of notified data breaches that were classified as “unauthorised disclosures” by Ireland’s data protection regulator. I know I mentioned this percentage earlier but it is worth repeating it. If your business is obliged to report a personal data breach to the regulator in the next 12 months, it is almost guaranteed to be because personal data was disclosed to someone who should not have seen it. This is not because of a hacker. It is far more likely to be due to a staff member making a mistake and sending personal data to the wrong person. Cybersecurity is important. But cybersecurity is not everything.
https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-publishes-2020-annual-report (page 37)
- A few hundred euro: The likely fee that a recently-arrested 22-year-old Irish man earned for allegedly being a ‘money mule’ in a cyber-crime. In plain English, he allowed his bank account to be used by cyber-criminals as they attempted to commit a €1.1m payment redirection fraud. If you know someone who might be keen to earn some extra income (e.g. a teenager or someone trying to make ends meet), they need to know that they are targets for these criminals. If they receive a large sum of money into their account and are then told to ‘refund’ it (i.e. transfer it) to a specific bank account, it is a red flag.
ONE ACTION: If you do only one ‘cybersecurity’ thing this week, do this:
- Backups: Identify your valuable data and ensure you have multiple backups of the data, with at least one stored offline (i.e. disconnected from your laptop and other IT systems). The offline copy matters because ransomware will happily encrypt any backup drive or network share it can reach. If you are the victim of a ransomware attack, you will have two choices: Pay the ransom (with no guarantee that you will get working data back) or restore your backups. Also, make sure you frequently test your backups to make sure they work – A backup is as useful as a chocolate teapot if you don’t confirm that it has all of the data you need and that you can actually restore it. Finally, secure them: a backup holds the same personal data as the original, so it needs at least the same protection (encryption, restricted access), and the encryption keys or passwords must be kept somewhere you can still reach them after an incident.
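To make the “test them” step concrete, here is an added example (my own illustration, not code from the newsletter or from any product it mentions) of a minimal backup-and-verify cycle in shell. It assumes a Linux box with a POSIX shell, tar, GNU coreutils (sha256sum, find, mktemp, dd); the directory names and sample files are constructed for the demo. The point it shows that the paragraph cannot: a verification that only checks “the file exists” would pass a truncated or corrupted archive, whereas restoring into a scratch directory and comparing checksums catches it.

```shell
#!/bin/sh
# Added example, not part of the newsletter: back up a directory, then prove
# the backup can be restored. Assumes tar, sha256sum, find, mktemp, dd (Linux).
set -u

# backup_dir SRC ARCHIVE
# Archive SRC into ARCHIVE (tar.gz) and record two checksum files beside it:
#   ARCHIVE.manifest  sha256 of every file inside SRC (what the backup must contain)
#   ARCHIVE.sha256    sha256 of the archive itself (detects a corrupted/tampered copy)
backup_dir() {
  src="$1"; archive="$2"
  dir=$(dirname "$archive"); name=$(basename "$archive")
  (cd "$src" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2) > "$archive.manifest" || return 1
  tar -czf "$archive" -C "$src" . || return 1
  (cd "$dir" && sha256sum "$name" > "$name.sha256") || return 1
}

# verify_backup ARCHIVE
# The "test them" step. Returns 0 only if all three checks hold:
#   1. the archive still matches the checksum taken when it was written;
#   2. it actually extracts into a throwaway scratch directory;
#   3. every file in the manifest is present in the restore with the right contents.
# The live data is never touched.
verify_backup() {
  archive="$1"
  dir=$(cd "$(dirname "$archive")" && pwd) || return 1
  name=$(basename "$archive")
  scratch=$(mktemp -d) || return 1
  status=1
  if (cd "$dir" && sha256sum -c "$name.sha256" >/dev/null 2>&1) \
     && tar -xzf "$archive" -C "$scratch" 2>/dev/null \
     && (cd "$scratch" && sha256sum -c "$dir/$name.manifest" >/dev/null 2>&1); then
    status=0
  fi
  rm -rf "$scratch"
  return $status
}

# demo_backup_cycle
# Build a small constructed data set, back it up, verify it, then simulate an
# interrupted copy to the offline drive (archive truncated to 64 bytes) and
# confirm verification now fails instead of silently passing. Returns 0 when
# the cycle behaves as expected.
demo_backup_cycle() {
  work=$(mktemp -d) || return 1
  mkdir -p "$work/data/invoices" "$work/backups" || return 1
  printf 'customer,amount\nacme,1200\n' > "$work/data/invoices/2021-03.csv"
  printf 'Constructed sample file for the backup demo.\n' > "$work/data/readme.txt"
  archive="$work/backups/data.tar.gz"

  backup_dir "$work/data" "$archive" || { rm -rf "$work"; return 1; }
  if ! verify_backup "$archive"; then
    echo "intact backup failed verification"; rm -rf "$work"; return 1
  fi
  echo "intact backup: verified OK"

  # Simulate a partial copy: keep only the first 64 bytes of the archive.
  dd if="$archive" of="$archive.tmp" bs=64 count=1 2>/dev/null && mv "$archive.tmp" "$archive"
  if verify_backup "$archive"; then
    echo "truncated backup passed verification (should not happen)"; rm -rf "$work"; return 1
  fi
  echo "truncated backup: verification failed as expected"
  rm -rf "$work"
  return 0
}

# Run the cycle when executed directly; the exit status reports the outcome.
if demo_backup_cycle; then echo "backup cycle OK"; else echo "backup cycle FAILED"; exit 1; fi
```

In practice you would point backup_dir at your real data folder and an archive path on the removable drive, and run verify_backup on the copy that lives on that drive (not on the working copy), on a schedule you will actually keep. If your backups hold personal data, encrypt the archive before it leaves the machine; the checksum files do not provide confidentiality.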