December 10, 2018

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. 

The round-up: 

The hand of government was particularly apparent in cyberspace this week. From new legislation to new cyber security guidance, high-profile arrests and technology procurement decisions, it’s a reminder that actions of international governments heavily shape the cyber environment, which in turn influences how individual organisations experience cyber security and privacy risks.

Key articles: 

CISOs given cyber leadership role in Australia’s new Information Security Manual

Summary: The Australian Government released its latest Information Security Manual, which draws on government experiences and frameworks to help organisations protect their information and systems from cyber threats.

Key risk takeaway: In line with current thinking in the private sector, the manual favours effective risk management over “tick box compliance”. Practically, organisations are encouraged to select and apply security controls in the context of their business requirements and their specific threat environment, and with reference to their own risk management frameworks, rather than treating every control as mandatory. The manual is a useful reference for any organisation – public and private alike – and promotes guidance such as the Australian Signals Directorate’s ‘Essential Eight’ mitigation strategies, which are widely accepted to be a highly effective baseline against the most common cyber-attacks.

Tags: #cyberriskmeasurement #securityadvice

Clues in Marriott hack implicate China – sources

Summary: The scale of the Marriott International data breach – around 500 million customers’ records – has propelled it into a further week of intense media coverage. Investigators have reportedly found hacking tools, techniques and procedures suggesting the perpetrators were working for the Chinese government.

Key risk takeaway: While not officially confirmed, the reported targeting of Marriott International by nation-state aligned actors is a reminder that understanding the data your organisation holds is a useful starting point for anticipating the likely cyber threats you will face. In this instance, the types of data compromised – including names, passport numbers, birth dates and card data – could be used in support of activities ranging from espionage to financial fraud. Reporting on the breach this week also reminded us of the growing financial cost of breaches, with a class action lawsuit against Marriott International already seeking $12.5 billion in damages.

Tags: #breach #privacycapability #response

Australia passes world’s first law authorizing encryption backdoors

Summary: The Australian Parliament has passed the Assistance and Access Bill – the world’s first law allowing law enforcement and intelligence agencies to compel technology companies to assist them in accessing encrypted messages and communications. The bill passed in the face of intense criticism from technology companies and privacy and security advocates.

Key risk takeaway: A key argument made by opponents of the legislation is that any means of accessing encrypted communications introduced for law enforcement will, in time, be discovered and exploited by criminals as well. As such, organisations whose services rely heavily on encrypted communications would be wise to re-assess their risks in light of the new legislation, including where their providers might be compelled to assist. Though the legislation focuses on technology and communications companies, the debate surrounding the bill highlights the strong public sentiment and expectation around data protection and privacy, even where national security is at stake. Protecting customer data with appropriate security measures should therefore remain a priority for organisations.

Tags: #legislation #privacy #security

Canada arrests Huawei’s global chief financial officer in Vancouver

Summary: Canada arrested the chief financial officer of China’s Huawei Technologies on suspicion that she violated US trade sanctions against Iran.

Key risk takeaway: The arrest of Meng Wanzhou adds tension to what is fast emerging as a cyber cold war, with potential implications for any business with operations in China. Meng’s arrest coincided with Britain’s BT Group announcing it would remove Huawei equipment from its existing mobile operations, and with the New Zealand government announcing its decision to bar a local mobile operator from using the Chinese manufacturer’s equipment. These developments follow the Australian Government’s decision earlier this year to exclude Huawei from the rollout of 5G mobile infrastructure on security grounds. Some analysts fear these actions by “Five Eyes” nations could lead to retaliatory bans by China and the introduction of other digital trade barriers. China’s cyber security law, which took effect last year, already places stringent security provisions on firms operating in China. The Huawei bans are also a reminder of a key cyber risk challenge: the management of supply chain risk, including the hardware and vendors on which critical infrastructure depends.

Tags: #cyberspace #cyberregulation #securitysupplychain