Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy.
“If you can’t beat them, join them.”
We hope that wasn’t the catchphrase issued by three prominent privacy advocates as they joined Facebook in recent weeks. The trio will have plenty to do on day one, as news of their employment coincided with another serious data scandal at the social media giant. In other news, both the alleged blackmail attempt against Jeff Bezos and the latest national data breach report affirm the importance of staff and user awareness in mitigating digital risk.
Summary: Facebook has again faced criticism and government questioning after revelations it paid consumers as young as 13 to download a “Facebook Research” application that gave it wide-ranging access to the users’ mobile devices. In response, Apple – which had its own security troubles to contend with last week – revoked Facebook’s access to its Developer Enterprise Program, under which the app was being distributed.
Key risk takeaway: The latest Facebook scandal intensifies calls for stronger action on privacy from consumer protection bodies. Given Facebook’s recent track record and repeated promises to do better, details of this latest practice led critics to characterise Facebook as defiant and engaging in doublespeak in the face of public demands for privacy protection. Consumer watchdogs – the Federal Trade Commission in the US and the Australian Competition and Consumer Commission in Australia – are considering their options in relation to stronger privacy enforcement. Some commentators argue that privacy will continue to suffer, and that the behaviour of tech companies will continue to fall short of consumer expectations, unless there are fundamental changes to the incentives and structure of the data-driven economy.
Tags: #privacy #facebook #regulations #compliance
Summary: Facebook has hired three prominent privacy advocates, all previously outspoken critics of the tech giant.
Key risk takeaway: If we briefly place a hold on the cynicism, these appointments by Facebook reflect the growing importance for any business to demonstrate it has dedicated and skilled personnel in its ranks who advocate for privacy and security. This can include appointments of policy managers (which is the case here), but also includes C-level executives and board directors consistently and publicly demonstrating a commitment to privacy and data protection. This week, Facebook also revealed it had approximately 30,000 employees working on safety and security, though it was unclear in what capacity.
Tags: #privacy #security #executive #workforce
Summary: India’s largest bank has secured an unprotected server that allowed anyone to access financial information on millions of its customers, including bank balances and recent transactions.
Key risk takeaway: The exposed bank data in this story was discovered by a security researcher. Increasingly, disclosure of vulnerabilities and exposed data comes from external sources, and organisations need processes in place to receive these reports, assess their criticality and remediate vulnerabilities as necessary. The bug was discovered in a relatively new service developed by the bank to allow customers to retrieve account balance information by sending an SMS or leaving a missed call. Organisations must also devise effective ways to embed strong security processes into increasingly rapid development cycles for new services, for instance, by introducing secure coding training programs for developers.
Tags: #servermanagement #vulnerabilitydisclosure #securityassurance
Summary: Google reported spending US$4.9 million to lobby on cyber security, privacy and data security, among numerous other issues. A range of other US businesses also spent large amounts lobbying the US government on cyber issues.
Key risk takeaway: While financially-driven lobbying may be more pronounced in the US, in Australia the private sector nevertheless played a key role in shaping national digital policy, such as the review process that led to the Australian cyber security strategy. With federal and state elections taking place in Australia in 2019, businesses should take an active interest in and – if appropriate – seek to comment on policy proposals being put forward. Organisations like AustCyber also provide a vehicle for advocating on policy and regulatory development.
Tags: #policy #governmentoutreach
Summary: Amazon CEO Jeff Bezos accused a US tabloid of blackmailing him by threatening to publish intimate photos it has obtained of him.
Key risk takeaway: As we become increasingly accustomed to reports of large-scale data exposures, this story affirms that even the wealthiest and most powerful are not immune from embarrassing privacy breaches. In fact, private data belonging to high-profile individuals may be particularly lucrative to those with ill intent – precisely because of its value as a tool of extortion. At a minimum, organisations should consider providing senior executives and high-profile staff with targeted training that outlines why their personal information might be targeted and the practical actions they can take to protect their privacy. Some organisations even use internal security teams to conduct red team missions to assess the security or digital footprint of their senior executives, usually with some level of prior approval.
Tags: #personaldata #privacy #securityawareness #executive
Summary: NSW government agencies will be required to identify their most critical systems and data and report them to the state’s chief information security officer under a new cyber security policy.
Key risk takeaway: NSW Government’s approach – outlined in this directive – reflects two imperatives deemed increasingly necessary by those charged with securing large organisations. First, the approach of issuing mandated security requirements is something we are seeing introduced at many large organisations as a way to create a minimum baseline for security. Such an approach obviously requires strong executive endorsement and organisational change management to succeed. Secondly, the requirement that agencies identify their most critical systems, or crown jewels, is a foundational part of any risk-based enterprise cyber security strategy. In the face of a growing number of threats and rapidly expanding IT infrastructure, organisations need to prioritise investments in critical areas.
Tags: #cybersecuritystrategy #riskbasedapproach
Summary: The number of Australian organisations reporting data breaches hit new levels last quarter, with the majority continuing to result from malicious or criminal attack.
Key risk takeaway: Companies should continue to educate staff to detect and report phishing emails, use multi-factor authentication and avoid reusing passwords (with help from password managers). These behaviours mitigate the risk from compromised credentials, which were a key factor behind the malicious attacks leading to breaches this quarter, according to the Office of the Australian Information Commissioner’s (OAIC) latest report. Health was the top sector to report breaches. The growing risk of social-engineering emails used to perpetrate fraud is further affirmed by a report this week showing that business email compromise scams jumped 60 percent over the past year.
Tags: #privacy #securityawareness #passwords #phishing
Summary: Australia’s security agencies are investigating whether Beijing was behind a cyber breach that may have exposed the parliament’s computer system to foreign hackers.
Key risk takeaway: The breach of Australia’s “seat of democracy”, allegedly by a foreign power, is, on the face of it, cause for panic – particularly in the lead-up to a Federal election and with the cyber tampering of the 2016 US Presidential election fresh in mind. However, at this stage authorities have stated there is no evidence that data has been stolen, with their focus being on containing harm and continuing the investigation.
Tags: #security #securityresponse