Intercast Staffing – June 2022 Newsletter
Welcome to the Intercast newsletter for June 2022. As always, we’ll bring you the latest industry news and views to help you be a better candidate. In this edition:
- Client Insights
- Six-Hour Deadline For Breach Reports
- Passwords Under Threat?
- Survey Surprises
- Best Of The Rest
Client Insights
We’re always talking to our clients to find out what they are looking for in candidates and what advice they have. This month the big theme is thinking about how you communicate with clients. Some of the points raised include:
- Remember that your security advice will filter out to the entire organization, so think of risk in that bigger context.
- Don’t just relay information: think about what it means to the recipient and those they’ll pass it on to.
- As well as answering the question “What is the security issue and fix?”, think about the wider question of “What does this mean for the business?”
- Work out exactly what points you need to communicate to clients, then concentrate on making the message easily digestible.
India Makes Time Of The Essence
Tough new rules in India mean the clock starts ticking as soon as organizations become aware of a data breach. They’ll have just six hours to tell the government’s Computer Emergency Response Team (CERT-In).
The legislation covers a wide range of cyber threats from unauthorized access to IT systems and DDoS attacks to unauthorized social media access and even targeted scanning or probing of systems.
Organizations will also need to have a single point of contact for CERT-In and keep secure system logs for 180 days.
It’s one of the shortest such deadlines in the world. As a comparison, the SEC recently announced plans to make publicly traded companies report breaches within four days.
Such rules mean that the notification deadline needs to be a key part of breach detection and response plans. With a six-hour deadline, waiting for a clearer picture of the situation before reporting may no longer be an option.
Passwords Under Threat?
Tech giants have taken a small step towards the much-hyped but rarely-seen “death of the password.” Apple, Google and Microsoft are all working to boost passwordless sign-ins through the FIDO Alliance standards.
They’ve announced cross-platform support that would mean a phone app is all that is needed to sign in to a website. It uses Bluetooth not to transfer data, but to confirm the phone is near the computer.
The logic is that even without a password, the set-up still has two-factor authentication: it requires physical possession of the phone, and then either biometric identity or knowledge of a passcode to unlock that phone.
Whether it makes much difference remains to be seen, meaning cybersecurity professionals could continue to get both a source of work and a source of frustration from password breaches and phishing. The problem is that the password doesn’t necessarily survive because of its technical merits – it rarely offers the right balance of convenience and security – but because of its familiarity. There’s also an argument that ditching passwords doesn’t solve the problem: it just changes the target for cybercriminals.
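The possession-plus-unlock logic described above, as an added illustration that is not code from the newsletter or from the FIDO Alliance: a simplified Go model of a passkey sign-in in which the phone signs a site’s challenge only when it is nearby and unlocked, and the site checks that the signature is bound to its own domain. The names Phone, Register, Sign and Verify are this example’s own, and real WebAuthn signs more fields than the two modelled here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Phone models the authenticator: the private key never leaves it, and Unlocked is set only after the on-device biometric or passcode check succeeds.
type Phone struct {
	priv     ed25519.PrivateKey
	Unlocked bool
}
// Assertion is the phone's answer to one sign-in request.
type Assertion struct {
	RPIDHash  [32]byte // hash of the site the phone believes it is answering
	Challenge []byte
	Sig       []byte
}

// Register runs once: the key pair is generated on the phone; the site keeps only the public half.
func Register() (*Phone, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Phone{priv: priv}, pub
}

// Sign needs possession (phone within Bluetooth range) and user verification (unlocked); it binds the origin.
func (p *Phone) Sign(origin string, challenge []byte, nearby bool) (Assertion, error) {
	if !nearby || !p.Unlocked {
		return Assertion{}, fmt.Errorf("phone must be nearby and unlocked before it will sign")
	}
	h := sha256.Sum256([]byte(origin))
	return Assertion{h, challenge, ed25519.Sign(p.priv, append(h[:], challenge...))}, nil
}

// Verify is the website side: the signature must cover its own domain and challenge, so a look-alike domain fails.
func Verify(pub ed25519.PublicKey, rpID string, challenge []byte, a Assertion) bool {
	if a.RPIDHash != sha256.Sum256([]byte(rpID)) || string(a.Challenge) != string(challenge) {
		return false
	}
	return ed25519.Verify(pub, append(a.RPIDHash[:], a.Challenge...), a.Sig)
}

func main() {
	p, pub := Register()
	ch := []byte("constructed-challenge") // constructed sample; real sites send random bytes
	p.Unlocked = true
	a, _ := p.Sign("example.com", ch, true)
	b, _ := p.Sign("examp1e.com", ch, true) // same phone, but the browser was on a look-alike site
	fmt.Println(Verify(pub, "example.com", ch, a), Verify(pub, "example.com", ch, b))
}
```

The second Verify call fails because the look-alike origin was hashed into what the phone signed, which is why a stolen or phished assertion is useless to the genuine site.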
Survey Surprises
A UK government survey suggests cyberattacks are more frequent than some might assume. Of the businesses that reported having been attacked in the previous year, 31 percent said they were attacked at least once a week. Sadly, the figure wasn’t much lower for charities, at 26 percent.
The survey also revealed IT and cybersecurity outsourcing is now the norm, regardless of business size. Small, medium and large businesses outsourced in 58, 55 and 60 percent of cases respectively. It wasn’t just a cost issue either: they cited access to greater expertise and resources as the main benefits.
Perhaps worryingly, this may lead to complacency in-house. Only 13 percent of businesses say they assess whether immediate suppliers and their operations may pose a security risk. Meanwhile just 19 percent of businesses have a formal incident response plan, while only 39 percent even have assigned roles for dealing with an incident.
It also looks like ransomware could be a key subject for cybersecurity service providers. While the proportion of businesses that had actually suffered a ransomware attack was lower, many considered it a “major threat”. With 56 percent of businesses saying they had a policy of not paying ransoms, reliable and practical back-up systems will remain a vital part of any cybersecurity service.
Best Of The Rest
Here’s what else you need to know this month:
Singapore is introducing mandatory licensing for cyber security professionals, starting with those offering penetration testing and managed security operations centre services:
The UK’s National Cyber Security Centre has launched a free tool for businesses to check whether their email domain has the recommended anti-spoofing measures and whether they are correctly configured:
Start-up company Sunday Security is launching specialist protection not for an organization or a network, but rather for a specific high-risk individual such as a senior executive:
George Platsis has a thought-provoking piece at the Security Intelligence site addressing the risks of unintended consequences of enforcing a strict cybersecurity policy:
Heather Gantt-Evans of SailPoint writes at VentureBeat about some of the most frustrating myths that may deter women from entering the cybersecurity field: