Intercast December 2023 – Security Storytelling

Welcome to the December edition of Intercast’s monthly newsletter for cybersecurity professionals. As always, we bring you the latest news and views to get you up to speed.

In This Issue:

  • Client Insight: Steve Katz, RIP
  • Bank Pays The Price For Administrative Blunder
  • Major Library Hit Hard By Ransomware
  • Cybersecurity Boss Hacked Hospitals In Misguided Promotion Drive
  • Security Staff Should Be Storytellers

Client Insight

Each month we ask our clients what’s on their mind to find out more about what’s important in the industry. This month many have shared their sadness at the death of Steve Katz, the world’s first Chief Information Security Officer. Katz, who was given the title at Citicorp in 1995, was truly a pioneer in the industry. His work in the role established the idea that cybersecurity is not simply a self-contained department but plays a key role in the operation and strategy of any large business.

As BankInfoSecurity recalled, the role was created after reports of Citicorp being hacked. The problem wasn’t the rumor itself, but rather that the company had no clear way to know for certain whether it was true.

Ironically, Katz only accepted an invitation to interview in the hope of finding out more about the apparent attack and what lessons to learn. Thankfully for Citicorp he took the role and established security as being as much an organizational and management issue as a technical one.

Bank Pays The Price For Administrative Blunder

Royal Bank of Canada must pay a fine of nearly C$7.5 million for failing to adequately combat money laundering and terrorist financing. It’s the largest such fine ever imposed in Canada and highlights the importance of administration and risk management.

The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) found RBC responsible for three violations of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.

There’s absolutely no suggestion RBC had any involvement in money laundering or terrorist financing, or that it acted intentionally. Instead, the penalty is for administrative failings: not submitting reports in 16 cases where there were reasonable grounds to suspect the transactions related to money laundering or terrorist financing. There’s no word on whether those suspicions would have proven correct, though that’s not relevant to these breaches.

It’s a reminder that risk management and regulatory compliance are key to avoiding not only financial penalties but also negative publicity and reputational damage. The failure to report the transactions is likely a sign of inadequate procedures and checks within the bank. That’s a failing that can affect any aspect of an organization, including security.

Major Library Hit Hard By Ransomware

As the home of one of the biggest collections of printed documents in the world, you wouldn’t think of the British Library as an obvious cyber risk. However, it suffered a major ransomware attack that’s a perfect example of the two-pronged approach used by criminals.

The attackers locked up access to all manner of computer systems, including the database used to manage access requests for the vast majority of the book and document collection that is not on public display. The outages have also delayed payments to some authors who earn royalties every time their book is borrowed from any public library in the United Kingdom.

The Rhysida ransomware group, which has claimed responsibility for the attack, has also threatened to sell employee data including scans of passports. The Library has not publicly commented on whether it has received a ransom demand to stop this or whether any negotiation ensued.

The big takeaway is that it’s not enough to simply try to stop ransomware attacks. Organizations need to think about how to isolate sensitive data and indeed whether it’s necessary to permanently store it electronically.

Cybersecurity Boss Hacked Hospitals In Misguided Promotion Drive

A former cybersecurity chief has pleaded guilty to hacking two hospitals to promote his business. Viklas Singh admitted breaching a VPN and stealing personal data about more than 200 patients by accessing a mammogram digitizing device. Singh then remotely printed the data on 200 printers around the hospital, along with an anonymous message reading “WE OWN YOU”.

Singh later sent promotional emails to hospitals, referencing the attacks (without noting his involvement) and offering his services to prevent similar breaches.

As part of a plea deal, he will pay $817,000 in damages to the hospitals. Prosecutors will recommend a sentence of 57 months’ probation, based on Singh’s medical condition. Sentencing is scheduled for February, and a judge could impose a maximum sentence of 10 years.

Security Staff Should Be Storytellers

Ask somebody to list key cybersecurity skills and they’ll often mention technical knowledge. However, communication and storytelling could be just as important.

That’s the view of Andy Ellis of Orca Security, writing in Dark Reading. He explains that approaches to business are changing, with many companies breaking down “organizational silos and barriers.” Managers and executives now want to know what is happening in cybersecurity departments and how it fits into the big picture. That means CISOs must be able to show how their work solves specific problems for the business.

Ellis argues that cybersecurity communication is particularly important in startups. That’s because money is tight, and they need to be able to prove that money invested in security brings a clear and measurable return.

Best of the Rest

Here’s our round-up of some of the other stories you need to know about: