Intercast November 2023 – Threat * Vulnerability = Risk

Welcome to the November edition of Intercast’s monthly newsletter for cybersecurity professionals. As always, we’ll share the latest news and views to bring you up to speed.

In This Issue:

  • Client Insight
  • Cyber Crimes Could Be Prosecuted In International Criminal Court
  • Shareholders Speak Out On Cyber Security
  • Surveys Raise Cyber Fraud Concerns
  • Who Watches The Watchmen?
  • Cyber Threats On The High Seas

Client Insight

Each month we ask our clients and partners what’s on their minds as they look to manage their organization’s cyber risk:

Our basic equation of the month is: (threat * vulnerability = risk)

This is a core tenet of the CISSP (Certified Information Systems Security Professional) program, which is a significant differentiator when it comes to applying to cyber roles.

While we’re on the subject of CISSP, check out this compelling piece from the Dave on Cyber blog on the challenging but achievable task of passing its certification: https://daveoncyber.medium.com/how-i-passed-cissp-strategy-tactics-materials-and-creativity-1c8784e4c9da


Cyber Crimes Could Be Prosecuted In International Criminal Court

Until now, war crimes and crimes against humanity have usually involved physical actions. However, a recent discussion concluded that cyber crimes could qualify for prosecution at the International Criminal Court.

The International Humanitarian Law Roundtable explored cyberattacks in the context of the Rome Statute, which sets out international rules on war crimes. Participants backed ICC prosecutor Karim Khan’s argument that a cyber operation which led to “serious loss of life or physical damage” could meet the threshold for prosecution.

It’s an important recognition of the significance of cyber crimes and security, though it has some major practical limitations. Participants noted the difficulty in conclusively identifying the perpetrators of cyber crimes. In particular, some offenses that come under the ICC’s jurisdiction would require proof of involvement or backing from a national government.


Shareholders Speak Out On Cyber Security

Shareholders are becoming increasingly demanding on topics other than a business’s raw profit figure: witness the drive for ethical or environmental responsibility. Now it appears improved cybersecurity is on their list of demands.

Writing in Forbes, Bob Zukis of Digital Directors Network predicted shareholders will begin demanding changes to cyber governance policies. They are becoming increasingly aware that cyber failings can hit the bottom line and eventually affect the value of their investments.

One possible demand is to no longer cover cyber issues within wider audit committees. Instead, shareholders may call for dedicated board-level committees to cover digital and cyber topics.


Surveys Raise Cyber Fraud Concerns

Two recent surveys bring worrying news about consumer-targeted fraud. Pew Research found that 34 percent of Americans have suffered an email or social account hijacking or a fraudulent card charge or credit application in the past year.

The survey suggests users could do more to protect themselves, but also highlights a general sense of resignation about tech companies securing personal data.

Meanwhile, a poll conducted for the RBC bank found students were underestimating their risk of fraud. Only 44 percent said they were worried about financial scams, with 30 percent saying the risk “never crosses their mind.”

That perception doesn’t match the reality, with 46 percent saying they’ve suffered more fraud attempts since starting at university. Perhaps most concerningly, 80 percent say they need to learn more about fraud.


Who Watches The Watchmen?

You’d think financial regulators would be more on top of security and risk than most organizations, but banks are now worrying about security when they provide data for audits.

The concerns are with the Federal Deposit Insurance Corporation. That’s the organization that guarantees at least some saver deposits are safe if a bank goes under.

Risk.net reports that a recent audit found “Security control weaknesses that reduced the effectiveness of the FDIC’s information security program.” These included problems with some basic controls such as restricting employee access to systems and removing access when they leave.

Risk managers in regulated banks and former FDIC executives both shared concerns, understandably speaking anonymously. These included worries about how well the FDIC was securing any sensitive data handed over by banks. There’s also a concern that it undermines the FDIC’s own work in assessing the risk that security breaches could cause critical problems for banks.


Cyber Threats On The High Seas

Commercial shipping remains one of the least appreciated fields under increasing cybersecurity threat. Not only is the sector key to infrastructure, but it’s inherently reliant on a limited range of wireless technologies. At the same time, ship staff increasingly expect reliable internet access while at sea for extended periods, for example for video calls home.

Specialist security firm Marlink reported a 20 percent rise in ransomware attacks against shipping, leveraging the significant disruption caused by blocked access to data and navigation tools.

It’s not just a financial issue either, but a political and military one. A new database, the Maritime Incident Tracker, identified 73 cases in the past four years where a nation-backed cyber attack led to commercial ships being “harassed, harmed or seized.”


Best of the Rest

Here’s our round-up of some of the other stories you need to know about: