Here is our bi-monthly information security news and resources blog, rounding up news items and useful resources you may have missed, together with links to third-party sites that provide more detail.
Information Security News
UK Data Breach Reports quadruple since GDPR
Under the General Data Protection Regulation (GDPR), a personal data breach must be reported to the Supervisory Authority (the Information Commissioner's Office (ICO) in the UK) within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the affected data subjects.
Perhaps unsurprisingly, since GDPR came into force on 25 May 2018, the number of incidents reported to the ICO has risen fourfold to 14,072, compared with 3,311 reports received from April 2017 through April 2018. Security experts believe that the actual number of data breaches has not risen, and that the jump in reports is due to companies not understanding what constitutes a reportable breach.
We'd agree. Most of the breaches we have advised on have not, in our opinion, been reportable. Some organisations take the view that it can't hurt to report everything 'just in case'. Remember that not every breach will result in a risk to data subjects, and it is that risk, not the mere fact of an incident, that triggers the duty to report.
The full article can be found here.
Microsoft drops password expiration policies
With the final release of the security configuration baseline settings for Windows 10 version 1903 (a.k.a., “19H1”), and for Windows Server version 1903, Microsoft have dropped their password expiration policy which was previously set at 42 days.
In the blog post announcing the change (you need to scroll down a bit) Microsoft give a very good explanation for dropping the policy. It's quite an amusing read. The essential argument is that expiring a password only helps if that password has already been stolen, and a stolen password is usually used long before its expiry date; meanwhile, forcing people to change passwords that are not compromised pushes them towards weak, predictable variations of the old one. The Microsoft blog can be found here.
When writing your security policy, you should provide advice on how to choose strong and memorable passwords. The NCSC has excellent guidance on this.
In truth, it has long been known that forcing people to change passwords encourages reuse of existing passwords and weaker, predictable choices. Our advice is long, unique passwords that are not changed on a schedule, stored in a password manager and combined with two-factor authentication.
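To show why scheduled rotation buys so little, here is an added Python example (it is not from the Microsoft post or this blog) that plays the attacker who already holds a user's previous password and simply enumerates the variants people typically produce when forced to change: bump the trailing number, update the year, swap the symbol, change case, leet-speak the stem. The transformation lists, the sample password pairs and the function names are constructed for illustration; a real cracking rig would use far larger rule sets.

```python
import re
from itertools import chain
from typing import Iterator, Optional

# Suffixes and substitutions that rotation-weary users reach for. Illustrative
# assumptions for this example, not a real cracking rule set.
SYMBOLS = "!@#$%?*"
YEARS = [str(y) for y in range(2015, 2026)]
LEET = str.maketrans("aeios", "4310$")


def _split(password: str):
    """Split a password into (stem, trailing digits, trailing symbols).
    'Summer2018!' -> ('Summer', '2018', '!'); 'Welcome' -> ('Welcome', '', '')."""
    m = re.fullmatch(r"(.*?)(\d*)([^\w\s]*)", password, re.DOTALL)
    return m.group(1), m.group(2), m.group(3)


def rotation_candidates(old: str) -> Iterator[str]:
    """Yield, most likely first, the new passwords a user is apt to derive from
    OLD when an expiry policy forces a change. Candidates are unique and != OLD."""
    stem, digits, syms = _split(old)
    width = max(len(digits), 1)          # keep zero-padding: Pass01 -> Pass02
    base = int(digits) if digits else 0

    counter = (f"{stem}{n:0{width}d}{syms}" for n in range(base + 1, base + 10))
    years = (f"{stem}{y}{s}" for y in YEARS for s in (syms, "", "!"))
    symbols = (f"{stem}{digits}{s}" for s in SYMBOLS)
    cased = (f"{c}{digits}{syms}"
             for c in (stem.lower(), stem.upper(), stem.capitalize(), stem.swapcase()))
    leet = (old.translate(LEET),)
    appended = (f"{old}{n}" for n in range(100))

    seen = set()
    for cand in chain(counter, years, symbols, cased, leet, appended):
        if cand and cand != old and cand not in seen:
            seen.add(cand)
            yield cand


def guesses_to_crack(old: str, new: str) -> Optional[int]:
    """Number of guesses an attacker holding OLD needs to hit NEW, or None if
    NEW is not a predictable rotation of OLD (e.g. a password-manager string)."""
    for i, cand in enumerate(rotation_candidates(old), start=1):
        if cand == new:
            return i
    return None


if __name__ == "__main__":
    # Constructed examples: (previous password, what the user changed it to).
    pairs = [
        ("Summer2018!", "Summer2019!"),
        ("Password1", "Password2"),
        ("Welcome", "Welcome1"),
        ("Summer2018!", "k7R#vq2LmZ9pX"),   # manager-generated replacement
    ]
    for old, new in pairs:
        print(f"{old!r:16} -> {new!r:18} guesses needed: {guesses_to_crack(old, new)}")
```

The first three pairs fall on the very first guess; only the manager-generated replacement survives the whole candidate list. That is the point of the Microsoft change: the expiry clock does nothing against an attacker who already has the old password, while the rotation itself hands them a predictable next one.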
FTSE 250 firms exposed to possible cyber-attacks
A report issued by cybersecurity company Rapid7 has found that FTSE 250 companies are currently exposed to 35 different avenues of attack.
Rapid7 scanned the internet-facing systems and devices used by FTSE 250 companies to find these weaknesses, which is the same reconnaissance an attacker would perform before picking a target.
The full article can be found here.
The more systems and devices you have exposed to the internet, the larger your attack surface. Knowing what you expose, removing what does not need to be public, and keeping the rest up to date with a robust patch management regime are basic cyber hygiene principles.
Radiohead outwits hackers OR Radiohead flips hackers the bird!
In a heart-warming story, following the theft of a vast collection of unreleased Radiohead material through a hack of frontman Thom Yorke's archive, the band, rather than pay the $150,000 ransom, released the material themselves for a limited time for £18, with proceeds going to Extinction Rebellion.
I bet that felt good!
The full story can be found here.
Information Security Resources
Recent third-party resources we liked include:
Boards are pivotal in improving cyber security
Board awareness and understanding of cyber security risks are paramount if a company is going to successfully handle security. Board members don’t need to be technical experts, but they do need to have a basic understanding in order to have a conversation and comprehend the importance of what is required. We cover this topic in our blog on The Cyber Governance Healthcheck.
The National Cyber Security Centre has released a really useful toolkit designed to help essential discussions about cyber security to take place between the Board and their technical experts.
You can download the toolkit here.
Cyber Exercise is good for you
Carrying out mock scenarios, just like a fire drill, is one of the best ways to train your teams for emergency situations such as a cyber incident. Scenario training ('exercising') should be included in your Incident Response Plan; we have a helpful blog on this here.
The NCSC have developed an excellent toolkit called Exercise in a Box, which includes various scenarios based on common cyber threats that your organisation can practise to get cyber fit.
The toolkit is free and can be downloaded here.