The year in privacy and security

Well, we did it: we made it through another year. Thank you for joining us for the first full calendar year of FILED. We’ve had a lot of fun sharing our perspective on the world of data privacy and data security.

This month, we had the very original idea to look back at the year in privacy and security.

As well as the editorials themselves, we included 144 links to privacy and security news (seriously, we counted!). That’s a lot of hyperlinks. But what did they add up to? Let’s examine the major themes of the year.

Supply chain security remains a significant issue

We first wrote about supply chain security in July, after the MOVEit and Barracuda Networks attacks. These attacks, targeting a managed file transfer service and email security gateway devices, respectively, impacted thousands of organizations across many industries – the latest estimate for MOVEit alone was 2620 organizations and more than 77 million individuals. The victims included government agencies such as the United States Department of Energy and various healthcare organizations.

Since these attacks, Australia has seen another supply chain attack on Australian law firm HWL Ebsworth, impacting more than 65 government agencies and departments, including Home Affairs and Defence, major banks, insurers, and numerous Australian Securities Exchange-listed companies.

These attacks underscored that an organization’s security depends not only on its own internal tools, team, and operational processes, but also on those used by its entire supply chain.

After all this upheaval, you would hope businesses would take supply chain security seriously. However, a report by the Australian Securities and Investments Commission (ASIC) suggests firms are still struggling with this challenge, at least in Australia. According to the regulator, 69% of those surveyed had no or minimal ability to manage third-party or supply-chain risk.

This result is a symptom of a reactive approach to cybersecurity, a pattern that becomes visible when you consider the year’s other themes.

Governments and organizations are searching for a response to ransomware

Ransomware continues to be a popular hacking approach, leaving targeted organizations with the choice of paying up or seeing the sensitive information of their staff and customers made public. Organizations are unsure whether they should pay an attacker, with one survey saying that half of boards were uncertain of their policy. Some must develop it when (and it is when) an attack occurs. As we argued earlier in the year, robust data management practices – where you understand your data’s location and sensitivity and remove it when legally permitted – mean you can make informed decisions, not panicked ones.

Meanwhile, governments seem convinced that a payment ban will solve the issue. United States officials are working hard to secure agreement from almost 50 countries not to pay ransom demands to criminals. However, banning payments from government organizations may just shift the focus to other victims who are more likely to pay up.

Indeed, ransomware gangs are finding creative ways to apply pressure to their victims. Last month AlphV/Black Cat announced it had hacked financial software company MeridianLink and had already reported the company to the SEC for not informing the regulator of the incident within the required four days. While the rules they cited weren’t in effect at the time of the incident, they are now. Will the next victim be able to resist the pressure to pay?


Enjoying this edition of FILED so far? Read the full version, and sign up to get next month’s email in your inbox.
