Intercast October Newsletter – Software Regulation
Welcome to the October edition of Intercast’s monthly newsletter for cybersecurity professionals. As always, we’ll share the latest news and views to bring you up to speed.
In This Issue:
- Client Insight: Software Regulation
- Cyberskills Shortage Still A Major Problem
- It’s CyberSecurity Awareness Month
- Stress And Burnout Compromising Security
- Japan’s National Cyber Security Agency Hit By Hackers
- ZD Net Shares Six Of The Best
Each month we ask our clients what’s on their mind to find out more about what’s important in the industry. This month there’s something of a debate raging about software regulation. While some find the idea unimaginable, others suggest compromised software is a threat to society in the same way as substandard food or unsafe medicines.
One suggestion is encouraging or even requiring businesses to put together a Software Bill of Materials. That means not just auditing what applications you use, but also breaking down the full list of components. That not only gives you a greater understanding of your risk exposure but makes it much easier to isolate any components that turn out to have vulnerabilities or even malicious code.
Cyberskills Shortage Still A Major Problem
New figures show that while 4.7 million people work in cybersecurity worldwide, another 3.4 million roles remain unfilled. The stats come from cybersecurity members association ISC2, which says more than half of the businesses it surveyed say a shortage of security staff has put them at risk of attack.
The biggest shortages appear to be in the relatively new field of cloud security, while many of the vacancies are in roles focused on “soft skills” such as communicating risks to non-technical staff.
Salaries remain high as businesses look to attract from the existing talent pool, but training new cybersecurity pros looks to be the only long-term answer. It’s prompted ISC2 to offer up to a million free training places on an “Online Self-Paced Training Course” with certification for those who pass an examination.
It’s CyberSecurity Awareness Month
October is Cyber Security Awareness Month in the US, Canada and Europe. While our industry needs to always be spreading the word, a campaign from the Communications Security Establishment certainly helps focus the mind.
This year organizers have put together a week-by-week push to get the message across, starting with broad principles, expanding to cover specific techniques such as multi-factor authentication and VPNs, then finishing with advice on how to educate children, work colleagues and elderly relatives.
Stress And Burnout Compromising Security
We’ve seen several reports this year of burnout and stress in the cyber industry, fuelled by staff shortages and increasing attacks on businesses. Now a survey says that organizations which don’t tackle the problem could be compromising security.
Devo Technology found a whopping 83% of security pros said either they or a colleague had suffered so badly from burnout that they made errors which allowed a security breach. Meanwhile 77% said stress was limiting their ability to protect customer data.
It’s as much a management issue as a technical one, with 82% saying superiors had dismissively told them to consider burnout and stress a “normal part of their job.”
Japan’s National Cyber Security Agency Hit By Hackers
Some cyberattacks are particularly unfortunate, and few more so than a recent one in Japan. Reports suggest the country’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) may have been compromised for nine months.
It’s not just a matter of embarrassment, however. The attack reportedly led to an investigation into fears that attackers may have moved beyond the NISC to reach other sensitive servers in a central government building. Fortunately that appears not to be the case.
The ramifications go beyond domestic operations. The Financial Times notes government officials in countries such as the US and UK are now concerned about whether Japan has the capacity to deal with sensitive data. That could be a major problem for plans to work on joint military projects to counter Chinese dominance of the region.
ZD Net Shares Six Of The Best
ZDNET’s Ed Bott has published an interesting list of six key recommendations for consumers to deal with cybersecurity threats:
- Don’t panic – take time to think before responding to supposed threats such as an unexpected bank charge or real threats such as ransomware.
- Don’t open unknown attachments.
- Don’t click on a link unless you specifically asked someone to provide it.
- Don’t believe you have to pay for security software.
- Don’t install apps from unknown and untrusted sources.
- Use a password manager (and turn on two-factor authentication).
We’d love to hear your takes: Is this good advice? Would you say the same to staff in your organization? And would you have chosen different “rules”?
Best of the Rest
Here’s our round-up of some of the other stories you need to know about:
- Cisco buys cybersecurity firm Splunk for $28 billion: https://www.forbes.com/sites/rscottraynovich/2023/09/21/ciscos-got-splunk-but-siem-challenges-abound/
- “Live” deepfake videos pose as students to cheat in online English exams: https://thepienews.com/news/preventing-deepfake-threat-to-english-test-security/
- UK government agencies explain the specific security threats to AI systems: https://www.ncsc.gov.uk/blog-post/thinking-about-security-ai-systems
- Casino showdown: MGM and Caesars were both hacked, but who responded better?: https://www.casino.org/news/mgm-v-caesars-cybersecurity-expert-rates-hacking-responses/
- Super Bowl cybersecurity exercises are already underway: https://www.securitymagazine.com/articles/99929-cisa-holds-cybersecurity-exercise-in-preparation-for-super-bowl-lviii