Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action.

This week: How some firms handle crisis PR when they are victims of an attack, and how the bad guys love the things we share online

This week’s action: Identify your buddies – The experts you will need if you are the victim of an attack.

THREE ARTICLES

  1. “The sky is falling. The sky is falling”, shouts the World Economic Forum.
    In a recent survey of corporate directors by the Internet Security Alliance (ISA) and the World Economic Forum (WEF), “cyber risk is among the top risks facing businesses today”. “Business leaders need to immediately begin viewing cyber risk as a potentially existential concern”. Cybersecurity failure is regarded by survey respondents “as the fourth most pressing business risk in the near term (0 to 2 years), behind only infectious diseases, livelihood crises and extreme weather events”. There are lots of truisms in the report but it is summed up well by CPO Magazine: “Boards need to pay more attention to cybersecurity risk ... which manifests in very similar ways [across] all sorts of different businesses”.
    Read more: https://www.weforum.org/reports/principles-for-board-governance-of-cyber-risk via https://www.cpomagazine.com/cyber-security/new-wef-principles-for-cybersecurity-board-governance-address-expansion-organizational-scope-of-cyber-risk/
  2. How some firms choose to respond to a cyber-attack.
    The Scottish Environment Protection Agency (SEPA) and Maersk are two recent examples of how firms have chosen to respond when they have been hit by a cyber attack. Both chose to communicate clearly and transparently. SEPA also publicly stated early on that it would not pay a ransom, even while it was unclear if it could recover without doing so. Despite your best efforts, you could still be a victim. But even then, you have choices. The more you think about these choices as part of your incident response planning, the more prepared you will be. Make no mistake though – a cyber attack is still a very stressful situation, so hats off to firms that can deal effectively with crisis communication alongside all of their other response activity.
    Read more: https://www.bankinfosecurity.com/blogs/post-ransomware-response-victim-says-do-right-thing-p-3013 via https://securethevillage.org/cybersecurity-news-of-the-week-april-11-2021
  3. If you are interested in the world of banking, insurance, RegTech, InsureTech, or Fintech, you may be interested in MoneyFest 2020
    There are plenty of online events seeking our attention. But this one next week may be worth a look. MoneyFest 2020 runs all week from Monday the 19th of April. For those of us in Europe, the sessions start in the late afternoon each day. Among the list of sessions, you can hear how financial services can profit from NASA’s example, [one person’s opinion on] where the next decade of opportunities are likely to arise, and how the role of banks will change as open banking gets established in the market. Registration is free. It also looks like sessions are recorded so you can watch them on demand at a later date. [Thanks to Shannon at TBF Labs for sending this my way].
    Read more: https://www.money2020.com/moneyfest

TWO STATISTICS

  1. $1 million and more than 3 months: The current estimated cost and service impact on the Scottish Environment Protection Agency as a result of a cyber attack launched against it on Christmas Eve. “We’ve lost access to most of our systems, what we haven’t lost is the knowledge, skills and experience of our 1200 expert staff”. According to Scottish Police, SEPA had good security defences in place but the attack was sophisticated. Despite your best efforts, you could still be a victim. (But this does not excuse you from putting some basic security measures in place. Most businesses most of the time are victims of unsophisticated attacks.)
    (https://www.bankinfosecurity.com/ransomware-cleanup-costs-scottish-agency-11-million-a-16344)

  2. 500 million: The number of people whose name, email address and other personal data is included in the latest dump of data for sale on the web. It appears to be data copied from LinkedIn and combined with other publicly-accessible data. This does not appear to be the result of a ‘hack’. It is the result of someone copying the data that you and I have chosen to publish online about ourselves and our businesses. While we might think we are ‘just’ writing this on our LinkedIn profiles, it doesn’t take a rocket scientist to gather all of these pieces of data together to build up a more complete profile of each of us. With this information, they can send more targeted phishing emails to us and increase the likelihood of us being fooled by one of these emails. This is how phishing emails play a role in most cyber attacks that impact most businesses most of the time – the information we publish about ourselves and our organisations is being used against us.
    (https://threatpost.com/data-500m-linkedin-users-online/165329/)

ONE ACTION – If you do only one ‘cybersecurity’ thing this week, do this.

  1. Think about your buddies: If you suffer a cyber attack, you will need help from your ‘buddies’ – e.g. cybersecurity forensics experts to work out how the bad guys got in so that doorway can be locked; legal experts to guide you on your legal obligations; communications experts to help you with your crisis PR. It is difficult and expensive to call in these experts at the moment you need them. It is far easier and cheaper to have them lined up ahead of time. Check your current insurance policies to see if the coverage includes access to such a panel of experts. If not, take a look at cyber insurance. The better policies include access to such expertise. You can read more about how these buddies will be a key part of your Plan B in my Guide to the Basics.