Cybersecurity Chronicles | December 4, 2023
Netswitch Technology Management
Gartner "Pioneer" in Managed Detection and Resolution Cybersecurity with our Prevention to Recovery Proven Process
Week In Headlines
FIN SERVICES - 3rd Party Ransomware Causes Credit Union Outages
Approximately 60 credit unions are grappling with outages following a ransomware attack on Ongoing Operations, a cloud services provider owned by Trellance, a credit union technology firm. The incident highlights how exposed the credit union system is to attacks on shared third-party providers, prompting calls for increased regulatory oversight and security measures.
HEALTHCARE - Group Faces Lawsuits in Massive Data Breach
Proliance Surgeons , a prominent Seattle-based surgical group serving over 800,000 patients annually, recently reported a ransomware and data theft incident affecting nearly 437,400 individuals. The breach involved unauthorized access, encryption, and removal of sensitive information - names, birthdates, SSNs, treatment details, and more.
EDUCATION - Another University Among Attack Surge on Colleges
DePauw University, a liberal arts school in Indiana, faced a cyberattack on October 31, with the Black Suit ransomware gang claiming responsibility. Approximately 1,700 students were alerted this week about a data breach, prompting the university to offer one year of free identity protection services.
INFRASTRUCTURE - Facilities Using Israeli Tech at Risk
The hacking group CyberAv3ngers, tied to Iran, is actively targeting U.S. facilities that use an Israeli-made computer system, warns the Cybersecurity and Infrastructure Security Agency (CISA). The group defaces the systems it breaks into with anti-Israel messages and has already hit water facilities, exposing weaknesses in critical infrastructure nationwide.
TECHNOLOGY - Bluetooth Flaws Pose Global Threat
Cybersecurity researchers have disclosed vulnerabilities, dubbed "BLUFFS" (CVE-2023-24023), in Bluetooth communication, affecting Bluetooth from version 4.2 onwards and enabling device impersonation and man-in-the-middle attacks. An attacker within Bluetooth range can force a weak session key and then eavesdrop on or tamper with communications. The researchers outline six attack scenarios and have released a toolkit, emphasizing the global risk to billions of devices. The Bluetooth SIG's mitigation guidance is to reject connections whose negotiated encryption key is shorter than 7 octets and to use Secure Connections Only mode where the devices support it.
HOSPITALITY - Customers Targeted in Sophisticated Social Engineering Scam
A year-long social engineering campaign is abusing Booking.com (NASDAQ: BKNG), with cybercriminals using the Vidar infostealer to compromise partner hotels. Phishing messages posing as Booking.com then trick hotel customers into divulging payment details, which sell for up to $2,000 per set of credentials on the dark web. The attack chain is intricate, from pretexts about lost documents sent to hotels to luring hotel staff into running the infostealer.
INSIGHTS AND EXPERT PERSPECTIVES
COMPLIANCE - SEC Rules for Cybersecurity Disclosure: What You Need to Know
The Securities and Exchange Commission (SEC) has issued new rules that require public companies to disclose material cybersecurity incidents and their risk management, strategy, and governance practices. The rules aim to enhance transparency and accountability for investors and regulators, as well as to encourage companies to improve their cybersecurity posture. The rules apply to both domestic and foreign companies that are subject to the SEC’s reporting requirements, and they require the use of Inline XBRL for tagging the disclosures.
INSIGHTS: The SEC's cyber disclosure rules will be enforced sooner rather than later, placing significant disclosure requirements on all publicly traded companies and on investment and securities firms. This means lawyers will need to do their best work, as the financial world, risk management professionals, regulatory agencies, and the wider public are watching.
Materiality determination may not be straightforward, and external legal counsel may need to coordinate with other parties (law enforcement, regulators, clients, vendors, and insurers) to ensure consistent and appropriate disclosure, while also protecting the confidentiality and privilege of client company information. There may be a lot of line-walking to preserve attorney-client privilege and avoid waiving it by disclosing information to third parties or the public.
Attorneys will also need to comply with not only the SEC’s rules, but also other federal, state, and international laws and regulations that govern cybersecurity and data protection, such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the New York Department of Financial Services Cybersecurity Regulation, which may have conflicting requirements and standards of compliance.
As a business leader, you need to be aware of the legal risks associated with cyber incidents and the expectations of shareholders and regulators. These new rules provide an opportunity for your organization to review and enhance your cyber risk policies, procedures, and controls (governance and technical), and to communicate your proactive efforts to investors and customers. You may also want legal counsel to review and update your vendor and customer contracts and the policy clauses relating to information security and data protection, to ensure adequate insurance coverage and indemnification provisions.
LINKEDIN LIVE EVENT - The Ultimate Insider Guide To Navigating The New SEC Cyber Rules Now
This event is specifically for Boards, Directors & C-Suite.
In the December 7th LinkedIn Live Event, 2–3 p.m. ET, Stanley Li and cyber risk consultant Alex Sharpe will discuss the new SEC Cyber Rules, which come into force in December 2023. They will provide insights into how these rules could impact business operations and strategies, and share approaches for automating processes to reduce costs and maintain productivity. They will also discuss how to use existing tools and vendors to save time, effort, and money, and how to thrive in 2024 and beyond.
Alex Sharpe, with over 20 years of experience in the field, has worked with clients across various industries, helping them implement effective cybersecurity strategies. He is a regular contributor to several publications and often a panelist for conferences on information security and cyber risk topics.
If you’d like to learn more, register your place here on LinkedIn.
STRATEGY - A Roadmap to Global Leadership
The Australian Government recently released its Cyber Security Strategy for 2023-2030. It outlines a vision for Australia to become a world leader in cyber security by 2030. The strategy is anchored by six ‘cyber shields’ that aim to protect citizens, businesses, critical infrastructure, and the region while promoting a safe technology ecosystem and global leadership. The strategy also includes an action plan detailing key initiatives to be implemented over the next two years.
INSIGHTS: Yes, we know you're likely not in Australia, but the Australian strategy can still be meaningful and relevant wherever you are located. First, align your organization's cyber measures with what the strategy terms "the six cyber shields": strengthening your business and stakeholders, validating safe technologies, and sharing information about threats and ways to block them. Audit, measure, and monitor your business cyber risk controls, especially considering the gaps in existing laws and regulations. Invest in appropriate cyber solutions and staff (internal or outsourced) with the expertise to address evolving threats.
Cyber threats know no industry limitations or national borders. Stay informed about mitigations for current threats; local, regional, industry, national, and global regulations can often be applied in general as best practices, which helps elevate your organization's cyber risk strategy.
Ways We Can Help You
Elevate Your Cyber Risk Cognizance
Get a Fast and Comprehensive Risk Assessment
Our fully automated Security And Risk Assessment (SARA) acts as an auditor, providing an unbiased audit of your technical and risk controls.
Contact Netswitch for more info.
Attend a LinkedIn Live Event
We host regular LinkedIn Live Events to provide insights to elevate your cognizance.
Our intent is to facilitate communication and collaboration among stakeholders – Business Executives, Technologists, and Governors – to align technical controls with GRC objectives and improve the processes that support both.
Keep up to date about future events by following Netswitch.
Signup for Our "Quick Start" Pilot Program
Know your risk level in cybersecurity and governance at NO COST.
To find out more, just contact Netswitch on LinkedIn and we'll get a demo scheduled.
Join Our CyberRisk Governance Group
Consider joining risk professional peers in the fast-growing LinkedIn group specifically about CyberRisk Governance.
The aim of the group is to help technologists, risk & compliance managers, and business leaders better manage their CyberRisk.
Would you like to join us?
Here's the link: https://www.dhirubhai.net/groups/13991569
DISCLAIMER: Any articles, information, or links are provided by Netswitch for reference only. While we strive to keep the information and links correct and safe, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the website or the information, articles, or related graphics contained on the destination website. Any reliance you place on such information is therefore strictly at your own risk.