Helping your business stay abreast of, and make sense of, the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.
A number of articles in this roundup speak to a growing challenge for businesses – managing privacy and security risks in relation to third parties they work with, including cloud services and outsourced software developers. Meanwhile data protection regulators around the globe continue to increase their focus and expectations on privacy issues, while the tornado that is the Israel Folau controversy veers into the cyber realm.
Summary: Rugby star Israel Folau, who has been at the centre of a long-running controversy over his sacking by Rugby Australia because of posts on social media, revealed his website was brought down in a cyber attack.
Key risk takeaway: We’ll choose to sidestep the vortex of social, political, religious and philosophical disagreements that comprise this issue. But from a digital risk perspective, the successful cyber attack on Folau’s website – brought down for 12 hours – reminds us that cyber actors take many forms (in this case ideologically motivated groups or individuals, as opposed to financially motivated criminals) and have ready access to a variety of disruptive capabilities. So-called “booter services” (DDoS-for-hire) let such attackers cheaply launch distributed denial-of-service attacks to knock websites offline, so a public-facing site can be taken down without any flaw in the site itself. Threat modelling can help organisations better understand the spectrum of attackers – and attacks – they are likely to face, and implement defensive controls accordingly; for a website, that typically means DDoS mitigation in front of the site (a content delivery network or scrubbing service) rather than relying on the web server alone.
Summary: Two reports paint an unfavourable picture of the security and privacy of mobile apps we use every day. One study found three quarters of mobile applications had vulnerabilities relating to insecure data storage, while another revealed major US banking apps leaking data.
Key risk takeaway: Businesses today move quickly to turn their services into mobile apps, and these apps need the same attention to privacy and security as any other digital service. These studies suggest this is not always the case – one study found poor coding practices and the use of outdated open-source libraries were a key reason for security flaws, a reminder that an app is only as secure as the third-party libraries bundled into it. Training for developers in secure coding practices is becoming a growing focus in many enterprises, as is the practice of building privacy considerations into the early stages of app development. This approach – called privacy by design or privacy engineering – may not have been in place at Instagram, which was recently revealed to have allowed tens of thousands of minors to publish their email addresses and phone numbers to the public via its platform.
Tags: #securecoding #privacybydesign
Summary: Multiple city governments in the US have fallen victim to ransomware, with more than one opting to pay the ransom in order to unlock valuable information and resume continuity of their services.
Key risk takeaway: Ransomware remains a key risk for businesses – threat reports released earlier this year show that while overall ransomware infections fell 20 per cent, enterprise infections went up 12 per cent. Limiting the impact of ransomware – in which a victim’s files are encrypted until a ransom is paid – is best achieved through system backups that are kept offline or otherwise out of reach of the infected systems and are regularly tested for restoration, reputable antivirus, and educating users to recognise malicious emails. But when an infection hits, businesses increasingly find themselves vexed by the question of whether to pay the ransom. Government advice urges against doing so, but as these stories from the US show, some victims choose to roll the dice to get back online. Ultimately, it’s a decision based on risk and circumstance – organisations considering paying a ransom should factor in the possibility that the attacker may still not unlock the files (or may supply a decryption tool that does not fully work), and the possibility that paying may increase the likelihood of being targeted again in the future.
Tags: #ransomware #risk
Summary: The UK’s data protection regulator has set out a range of concerns relating to the online behavioural advertising industry and its profiling of internet users.
Key risk takeaway: While this is not a formal ruling, it’s a sign of the continued momentum towards regulators taking a closer interest in business practices and business models that impinge on privacy. Critics, however, have questioned the lack of firm action in light of these findings about the advertising industry – this may ratchet up pressure on regulators to take more strident steps to force industry to change. Locally, we are seeing chief data officers use regulatory developments around privacy in Europe to set the tone for their data architecture decisions.
Summary: Some US government agencies have pushed towards adopting cloud services on the basis of their cyber security features.
Key risk takeaway: Cloud computing offers businesses a range of benefits, notably cost and agility. Security and privacy considerations often prevent or slow organisations from proceeding down the path of cloud, most notably due to concerns about moving sensitive data from servers or data centres they manage to third-party infrastructure. As this story shows, many enterprises recognise that major cloud providers can offer more rigorous security protections than in-house legacy environments. Even so, the provider secures the underlying platform, while configuration of identity, access and data protection within the service remains the customer’s responsibility, so any digital transformation that involves the uptake of cloud services still requires an assessment of data protection risks.
Summary: Longtime Boeing engineers claim the software issues that led to the 737 Max being grounded are partly the result of a push to outsource work to lower-paid contractors.
Key risk takeaway: While not a security story, this article highlights the risks that can be introduced through outsourced or third-party software development, where the commissioning organisation has less visibility of how the code is written and tested. In many enterprises, regular software assurance activities (e.g. code review and penetration testing of delivered software) and secure coding training for developers, including contracted ones, help security teams mitigate the risk of security flaws in critical software.
Tags: #securityassurance #supplychainassurance
Summary: Australia’s largest bank has committed to a court-enforceable undertaking to substantially improve privacy practices in the wake of data loss incidents.
Key risk takeaway: Commentary from the Australian privacy regulator in relation to CBA’s enforceable undertaking reinforces the expectation that businesses be proactive in taking steps to protect personal information. CBA’s response as part of the undertaking also provides some insight into what the regulator sees as constructive steps in protecting personal information, including developing work plans to address privacy obligations, reviewing policies, procedures and data retention standards, and providing training for staff to ensure compliance.