December 17, 2018

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy.

The round-up: 

It’s been a big year for the tech giants when it comes to privacy and security, and they keep finding their way into the headlines even as 2018 nears its close. A couple of key security investigations reported back this week as well – including the US Congress probe into the 2017 Equifax breach, which gave a fairly unvarnished assessment of the credit reporting agency’s competency in protecting data.

Key articles: 

Google, Facebook face crackdown under ACCC recommendations

Summary: The Australian Competition and Consumer Commission (ACCC) released a draft report with recommendations to reduce the market power of Facebook and Google and proposing an overhaul of privacy legislation to empower consumers to make informed decisions about data being collected by these platforms.

Key risk takeaway: This report, emerging from the ACCC’s Digital Platforms Inquiry, is highly focused on the market dominance of technology platforms, particular in the realms of advertising and news publishing. However, the privacy recommendations reflect enhanced concerns generally among regulators about the state of consumer data protection, and could foreshadow further regulatory changes ahead. Echoing Europe’s General Data Protection Regulation, the report’s recommendations include requirements for data collection notifications to be more transparent and clearly written, that consent requirements be strengthened, and proposed increases to privacy breach penalties. In light of more privacy-aware consumers and regulators, organisations should take a proactive approach to privacy that includes assessing compliance against existing regulations and conducting privacy impact assessments against key processes and services. Read the ACCC’s full report here.

Tags: #privacycapability #privacyimpactassessments #regulations

Supermicro concludes ‘Big Hack’ investigation, says no tampering

Summary: Supermicro is a motherboard manufacturer for companies including Apple and Amazon, and in October sensationally found itself at the centre of reports that China had implanted malicious hardware into its devices and compromised them. An investigation by the company has concluded no such malicious activity had occurred.

Key risk takeaway: This a tale about the significant damage that can result from unfavourable stories about a brand’s security or privacy protections, and the value in considering a proactive approach to shaping your reputation on these topics. While Supermicro, Apple, much of the security press and a range of government agencies denied the claims in the original Bloomberg story, the hardware manufacturer company nevertheless suffered a substantial fall in market value and has yet to fully recover. The Supermicro story broke in a climate where clients are increasingly seeking greater assurances about security and privacy from their suppliers. Suppliers can thus benefit from proactively building a compelling, credible and consumable public narrative about their security practices. In releasing the results of its investigation, Supermicro published a video on its supply chain security processes that is a good example of this.

Tags: #supplychain #securitycommunications #reputationmanagement

Kanye West Tops Dashlane’s List of 2018’s “Worst Password Offenders”

Summary: Two password management companies this week published their list of the worst passwords for 2018 – Kanye’s ‘000000’ iPhone password topping one of the lists while “donald” (after the US President) trumped the other.  A set of MAGA hats for our winners please.

Key risk takeaway: Businesses should regularly remind staff and customers of the critical role that they and their passwords play in protecting valuable data. Be thoughtful about how you educate on this topic – a great deal of published advice for end users is either too high-level to be useful (“use a strong password”) or so cumbersome that the advice is ignored (“have a different, complex, hard-to-guess password for all your services”). Also ensure those crafting security awareness messages have their finger on the pulse – password advice has evolved in recent years. Use of long passphrases, two-factor authentication and password managers are increasingly considered best practice.

Tags: #securityawareness

Equifax data breach was “entirely preventable,” congressional report finds

Summary: The 2017 breach of credit reporting company Equifax, which exposed data on 148 million people was “entirely preventable” had the company applied proactive security measures, according to a congressional investigation.

Key risk takeaway: In the committee’s own words, “a lack of accountability and no clear lines of authority” in IT management was a primary reason for the failures that resulted in the breach. The distancing of the security function from the operational IT function led to accountability and coordination gaps, resulting in critical failures such as not patching a known security vulnerability, and which ultimately led to the breach. The CEO also did not prioritise security and did not receive timely information about Equifax’s security posture, according to the committee. In security-conscious organisations, heads of security will have the opportunity to present to their CEO and boards multiple times a year.

Tags: # securitygovernance #executivereporting

New flaw prompts Google to shut down Google+ for consumers within 90 days

Summary: Google will shut down the consumer version of its social media platform Google+ months sooner than planned, after discovering a security flaw impacting the privacy of 52.5 million users.

Key risk takeaway: Having started this edition of the news roundup on the dominance of tech platforms, we end on how a bad security outcome can bring companies even as large as Google undone (if ever-so-slightly), with the search giant fast-tracking its decision to shut down its Google+ platform. The discovery of this bug illuminates the value of prioritising security software testing and, increasingly, educating developers in secure coding practices. Google’s decision to disclose the bug despite there being no evidence of any breach or exploitation also points to the question of what is expected and accepted practice for security and privacy disclosures (Australia’s Notifiable Data Breaches scheme, for instance, requires disclosure of those breaches of personal information that are likely to result in serious harm).

Tags: #securitytesting #breachdisclosure