Cyber Risk Governance Insights | October 28, 2024

WEEK IN HEADLINES

HEALTHCARE – Confirmed Exposure of 100M Americans’ Medical Records

The well-known ransomware attack on Change Healthcare, a subsidiary of UnitedHealth [NYSE: UNH], has resulted in the exposure of personal health information for 100 million Americans. The breach, which occurred in February 2024, is one of the largest in U.S. history, affecting medical records, Social Security numbers, and other sensitive data. The incident has caused significant disruption across the healthcare sector and has prompted multiple class action lawsuits.

INSIGHT: Implementing Zero Trust Architecture (ZTA) would have been a prudent decision for UnitedHealth (UNH), despite the significant resources required. By UnitedHealth's own account to Congress, the attackers got in through a remote-access portal using stolen credentials, with no multi-factor authentication in their way. MFA on every remote entry point and least-privilege access from that portal into the rest of the network are the first steps of any Zero Trust program, and both cost a small fraction of what the breach response, the lawsuits, and the sector-wide disruption have cost.

FINANCIAL SERVICES - Breach Exposes PII of More Than 800,000 Individuals

Landmark Admin has disclosed a significant data breach affecting 806,519 individuals. The breach, resulting from a ransomware attack, led to the theft of personal information, including names, addresses, and Social Security numbers. The company has since taken measures to contain the breach and is working with third-party security experts to enhance its cybersecurity posture.

INSIGHT: There is value in engaging a third party to conduct a security audit and risk assessment. You need to know the current state of your cyber posture before an attacker demonstrates it for you, and an outside assessor will find what internal teams have learned to live with.

TECHNOLOGY - Ransomware Exploits Microsoft Teams to Breach Enterprises

The Black Basta ransomware group has been impersonating Microsoft Teams IT support to gain access to enterprise systems. The attackers first flood an employee's inbox with spam, then contact the overwhelmed user through Teams posing as helpdesk staff offering to fix the problem, and talk the user into granting them remote access to the workstation. From there the intrusion proceeds to data theft and extortion. This social engineering attack highlights how enterprise communication platforms become an attack surface when anyone outside the organization can message employees directly.

INSIGHT: Treat inbound contact over collaboration platforms with the same suspicion as inbound email. Configure Microsoft Teams so that only an explicit allow list of partner domains can reach your users, and block chats from unmanaged or consumer Teams accounts, which is what an outsider posing as your helpdesk would otherwise use. Enforce MFA on sign-in (phishing-resistant methods where possible). Finally, tell staff that IT will never initiate support through an unsolicited external chat, and that a sudden flood of spam is itself an event to report, not just an annoyance.
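As an added example (not code from the newsletter, and not Microsoft's own guidance), here is the Teams external-access lock-down the insight describes, using the MicrosoftTeams PowerShell module. It assumes the module is installed, the operator holds a Teams Administrator role, and that "partner.example" stands in for a domain your organization actually federates with. It records the current state, restricts federated chat to the allow list, turns off access from consumer (unmanaged) Teams and Skype accounts, and then reads the configuration back. MFA is enforced separately through Conditional Access and is not shown here.

```powershell
# Added example, not from the newsletter. Restrict Microsoft Teams external
# access to an explicit allow list so outsiders cannot message employees
# while posing as internal IT support.
# Assumptions: MicrosoftTeams module installed, Teams Administrator role,
# and "partner.example" is a placeholder for a real partner domain.

Connect-MicrosoftTeams

# 1. Capture the current state before changing anything, so the change is reviewable.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowTeamsConsumer,
                        AllowTeamsConsumerInbound, AllowPublicUsers, AllowedDomains

# 2. Build the allow list. Only these domains will be able to chat or call your users.
$partnerDomains = @("partner.example")   # placeholder; replace with your real partners
$patterns  = $partnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns

# 3. Apply: keep federation on, but only for listed domains, and close the
#    unmanaged/consumer and Skype paths an impersonator could use.
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomains $allowList `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -AllowPublicUsers $false

# 4. Read the configuration back and flag anything still open. Tenant-wide
#    settings can take some time to propagate, so re-run this check later too.
$after = Get-CsTenantFederationConfiguration
if ($after.AllowTeamsConsumer -or $after.AllowTeamsConsumerInbound -or $after.AllowPublicUsers) {
    Write-Warning "External access is still open to consumer or Skype accounts; re-check the tenant."
} else {
    Write-Output "External access now limited to the allow list:"
    $after | Select-Object AllowFederatedUsers, AllowedDomains
}
```

Run step 1 on its own first and keep its output; if federation is currently wide open (AllowFederatedUsers true with no domain list), expect a short list of business partners to surface once the change lands, and add them to the list rather than reopening everything.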

HEALTHCARE – Data Breach Revealed A Year Later

Henry Schein [NASDAQ: HSIC], a global distributor of healthcare products and services, has only now reported a data breach that followed a ransomware attack by the BlackCat group last year. The breach compromised the personal information of over 160,000 individuals. The attackers stole 35TB of sensitive data, including patient medical histories and financial information. The company has since taken steps to enhance its cybersecurity measures and is offering identity theft protection to affected individuals.

INSIGHT: Encrypt sensitive data both in transit and at rest, but understand the limit of that control: encryption at rest protects lost or stolen media, not data read by an attacker who is operating with a legitimate user's credentials. What would have limited a 35TB theft is egress monitoring that alerts on large or unusual outbound transfers. Regular offline (or immutable) backups reduce the loss from the encryption phase of a ransomware attack; they do nothing about data that has already been stolen, and a year-long gap between the incident and the notification only extends the exposure of the affected individuals.

NONPROFIT - $1.3M Demanded by Rhysida Ransomware

Easterseals, a nonprofit organization supporting disabled individuals, has suffered a significant data breach due to a ransomware attack by the Rhysida group. The breach, reported in April 2024, compromised the personal information of 14,855 individuals, including names, addresses, Social Security numbers, and medical details. The attackers demanded a ransom of $1.3 million; as of this report, Easterseals has not paid.

INSIGHT: Network segmentation may have been effective in limiting the impact. By segmenting your network, you restrict the attackers' lateral movement and confine the intrusion to a smaller portion of your environment. An attack may still take a "room in your house", but you do not lose the entire home. The practical test is simple: from a compromised workstation, what can actually be reached? If the answer is the file servers, the backup system, and the database holding client records, segmentation exists on paper only.

PUBLIC SECTOR - Mass Phishing Attack Targets Citizens’ Personal Data

Ukrainian authorities have warned of a mass phishing attack aimed at stealing sensitive personal data from citizens. The attackers, tracked as UAC-0218, send phishing links disguised as bills or payment details that lead to the download of data-stealing malware. The malware searches for documents on the victim's device and exfiltrates them, compromising personal and financial information.

INSIGHT: Email filtering with advanced phishing detection, combined with a continuous security awareness program, significantly reduces the likelihood of employees falling for lures like these. Invoice and payment themes are the most common pretext precisely because they are routine, so awareness training should teach people to verify unexpected bills through a known channel rather than through the link in the message. Relative to the cost of an incident, this is a high-return investment in your cybersecurity posture.


INSIGHTS & EXPERT PERSPECTIVES

PRIVACY - PII Valued in Bankruptcy: What Could Possibly Go Wrong?

Daniel Solove's recent article, Bankruptcy Sale of DNA Data: From Toysmart to 23andMe, discusses the implications of private companies selling personal data during bankruptcy proceedings, focusing on the historical case of Toysmart and the potential sale of 23andMe's genetic data. It highlights the privacy risks and regulatory challenges associated with such transactions, emphasizing the need for stringent data protection measures.

Key takeaways

  1. Regulatory Intervention: The FTC's intervention in Toysmart's bankruptcy sale set a precedent: customer data could only be sold to a buyer that agreed to honor the privacy policy under which the data was collected.
  2. Privacy Risks: The sale of genetic data from 23andMe raises significant privacy concerns, as sensitive information could be accessed by third parties without users’ consent.
  3. Data Protection: There is a critical need for robust data protection regulations to safeguard personal information during corporate transactions, especially in bankruptcy cases.

INSIGHT: Bankruptcy proceedings are complex and selling personal data is a contentious issue. While the goal is to maximize asset value for creditors, including consumer data raises ethical and privacy concerns.

Selling consumer data can provide substantial financial recovery for creditors, which is the central concern in bankruptcy. It helps settle debts and can make continuity or restructuring of the business possible. Consumer data is often a company's most valuable asset, and excluding it from the asset valuation could significantly reduce potential recovery, leading to greater financial losses for creditors.

Allowing the sale of consumer data can facilitate market dynamics where data can be utilized by other companies to enhance services, encourage innovation, and create new or additional value. This can be seen as a way to ensure that the data continues to be used productively rather than being wasted.

However, these “positive” perspectives must be balanced against the need to protect consumer privacy:

  • Privacy Concerns: Selling personal data without explicit consent of individuals can lead to privacy violations, erode consumer trust, and cause harm to individuals.
  • Regulatory Compliance: Legal and regulatory frameworks protect consumer data, even in bankruptcy. The FTC and other bodies ensure data sales comply with privacy policies and consumer protection laws.
  • Ethical Considerations: Consumers’ personal information should not be treated purely as a commodity. Respecting privacy and consent is paramount, and any bankruptcy transaction involving personal data should prioritize these principles.
  • Consumer Awareness: Consumers may not be aware of their right to object to the sale of their personal information if the bankrupt company chooses to sell it. The necessary language is likely buried deep in the Terms and Conditions, and this lack of awareness can amount to consent nobody actually intended to give, complicating the ethical landscape.

The real lesson for all of us: read the Terms and Conditions of anything you download, install, or use, and in particular the clauses on what happens to your data in a sale, merger, or bankruptcy. If you don't pay for a product, you are the product. If you pay a discounted price for a product or service, consider what you might be giving up, as there is usually a reason for the discount.

COMPLIANCE - SEC Fines Companies for Misleading Supply Chain Attack Disclosures

The SEC has fined four companies, Unisys, Avaya, Check Point, and Mimecast, a combined $7 million for misleading disclosures related to the SolarWinds supply chain compromise (disclosed in December 2020). According to the SEC, each company downplayed the impact of the intrusion on its own systems in its public filings, in violation of securities laws. The fines highlight the importance of transparency in cybersecurity disclosures and the need for robust cyber resilience measures.

Takeaways:

  1. Transparency in Disclosures: The SEC’s action underscores the critical need for accurate and transparent disclosures about cybersecurity incidents to maintain investor trust.
  2. Financial Penalties: The fines imposed serve as a financial deterrent, emphasizing the cost of non-compliance with disclosure regulations.
  3. Regulatory Scrutiny: Increased regulatory scrutiny on cybersecurity practices signals a growing emphasis on corporate accountability in managing cyber risks.

INSIGHT: While the fines aim to enforce compliance and transparency, the penalties may not be large enough to drive significant changes in corporate behavior. For large corporations, fines of this size may be seen as a cost of doing business rather than a compelling incentive to improve cybersecurity. A more effective approach will likely require higher penalties to ensure that organizations prioritize cyber resilience and proactive risk management.

Still, the fines are an initial signal that the SEC is serious about enforcing its cybersecurity disclosure rules. The action demonstrates the SEC's commitment to holding companies accountable for transparency in reporting cybersecurity incidents, and it should serve as a warning to other organizations that non-compliance can result in financial penalties and regulatory scrutiny. It is likely to encourage companies to take proactive steps to improve their cyber resilience.

If you're an SMB executive, consider how you might earn new customers by taking these proactive steps while enhancing your company's cyber resilience posture:

  1. Complete a Business Impact Analysis: A BIA helps identify critical business functions and the impact of a disruption on these functions. It assesses the potential consequences of a cyber incident, including financial, operational, and reputational impacts.
  2. Conduct a Cybersecurity Assessment: Perform an unbiased security and risk assessment to understand the current state of your company’s cyber resilience. This assessment should identify vulnerabilities, evaluate existing security measures, and determine areas for improvement.
  3. Develop a Cybersecurity Strategy: Based on the assessment results, develop a robust cybersecurity strategy that includes policies, procedures, and technologies to mitigate identified risks. This strategy should align with industry best practices and regulatory requirements.
  4. Implement Security Measures: Take the necessary security steps, e.g., multi-factor authentication (MFA), endpoint detection and response (EDR), and regular software updates. Ensure that all employees are trained on cyber/information security best practices and are aware of current threats.
  5. Review Incident Response Plans: Develop or update your incident response (IR) plan so that your reaction to any cybersecurity incident is swift and effective. The plan should include clear roles and responsibilities, communication protocols (including who decides what is disclosed, to whom, and when), and recovery procedures.
  6. Regular Monitoring and Audits: Establish continuous monitoring and regular security audits to ensure ongoing compliance and to quickly identify and address any new vulnerabilities.
  7. Join the Cyber Risk Governance Community: join other executives and risk professionals willing to share what works and what doesn't, so you don't waste time or money.

By taking these steps, you will significantly improve your company's cyber resilience and better protect against potential cyber threats. This approach not only helps you meet your customers' expectations but also builds trust with customers and stakeholders.


Sharpen Your Cyber Edge with Netswitch

Master Compliance & Minimize Risks:

  1. Independent Security Audit: Identify network risks with our automated Security And Risk Assessment (SARA). Get a clear picture, prioritize improvements, and optimize resource allocation. Contact Netswitch.
  2. Free "Quick Start" Program: Gain a free cyber risk and governance health check. Enroll now and start building resilience.

Deepen Your Knowledge:

  • Join Our LinkedIn Group: Collaborate with industry leaders in the CyberRisk Governance Community on LinkedIn. Share insights and stay ahead of the curve.
  • Live Events: Participate in interactive LinkedIn Live sessions. Explore cyber risk topics with executives, technologists, and governance professionals.

Don't wait.

Contact Netswitch Technology Management today to know your cyber resilience.


Disclaimer: The information and links provided in this newsletter are for informational purposes only. Netswitch does not warrant the accuracy or completeness of such information and is not liable for any damages arising from its use.