July 2023 Newsletter – Diversification in cybersecurity
Welcome to the July edition of Intercast’s monthly newsletter for cybersecurity professionals. As always, we’ll bring you the latest news and views to bring you up to speed.
In this issue:
- Client Insight
- Quebec’s Rule 25 Steps Up Soon
- Humans Still Key To Security
- Major Ruling Shakes Up Cyberinsurance
- Africa Gets GDPR-Like Data Protection
- Best of the Rest
Client Insight
Each month we ask our clients what’s on their minds and what it means for security professionals. Diversification in cybersecurity has been a hot button topic for some time and we’ve been hearing a lot of agreement with a recent study for the Harvard Business Review.
It found women were more likely to decide against applying for a job if they didn’t precisely meet every listed criterion. In contrast, men were more likely to view the list as a “wishlist” and apply if they thought they could do the job well even without ticking off the entire checklist.
Changing that mindset may be a long-term task, but the short-term answer is for businesses to consider shortening job descriptions, only including the truly non-negotiable criteria, and making clear which experience or characteristics are merely advantageous rather than a requirement.
Quebec’s Rule 25 Steps Up Soon
Quebec’s privacy law known as “Rule 25” will expand from 22 September, meaning companies operating in the province need to check they are ready to comply.
The law came into force last September but only a few measures took effect immediately, namely designating a privacy officer; notifying the Commission d’accès à l’information about data breaches or setting up a biometric database; and keeping a record of security incidents for five years.
The changes coming into force this year include:
- Mandatory privacy policy publication
- Mandatory privacy governance programs
- Collecting personal data requires clear written consent from the data subject covering each stated purpose for using the data. Data must be destroyed when no longer needed for the stated purpose.
- Any technology a business uses must follow the “privacy by design” principle.
- Data subjects have a “right to be forgotten”.
- Organizations must tell data subjects if they use their data to make automated decisions.
Although it’s a Quebec law, businesses outside the province may need to pass a Privacy Impact Assessment before a Quebec organization can disclose personal data to them.
Major Ruling Shakes Up Cyberinsurance
An insurance customer has won a $1.4 billion payout after a cyberattack. It sounds like good news for customers but may mean tighter exclusions on policies.
A US appeals court ruled that Ace Insurance was wrong to reject a claim by Merck after it was hit by the notorious NotPetya attack. Ace had argued that because Russia’s government was blamed for the attack (originally targeted at Ukrainian organizations), the claim fell under an ‘act of war’ exclusion.
The key to the court ruling was a “plain language” interpretation of the terms used in the policy. The exclusion didn’t apply here because the US government had not formally acknowledged the cyberattack as an act of war against the US.
Lawyers now expect insurers to be more specific and explicit when writing exclusions. That could mean more standard policies excluding cyberattacks, though it could also boost the market for specialist policies that do cover such losses. Meanwhile both general and cyber-specific policies may impose more requirements on businesses to protect themselves against cybersecurity risks.
Humans Still Key To Security
The Fortinet Training Institute has put out its latest “global research brief” on security awareness and the big story is that the human element is still central to cybersecurity strengths and weaknesses. A survey of businesses found that 81 percent of cyberattacks in the past 12 months involved phishing, password or malware attacks. While that’s certainly a broad category, the report points out that exploiting human weakness is the common factor.
Some findings in the report backed up recent trends, with 93 percent of respondents saying their board of directors was actively asking about cybersecurity issues. It also threw up a few surprises in the form of regional variations in attack patterns. For example, while malware is the leading attack form in most places, password attacks are (just about) the most common method in Latin America. And while most regions have a fairly even split between attack types, malware is significantly ahead of web and password attacks in Europe, the Middle East and Africa.
The big picture is clear though: cybersecurity technology can only go so far without educating staff to reduce risky behavior.
Africa Gets GDPR-Like Data Protection
A mere nine years after it was adopted, Africa’s equivalent to Europe’s GDPR has finally come into force. The Convention on Cyber Security and Personal Data Protection (aka the Malabo Convention) applies across the 55 member states of the African Union. It adopts many of the same principles including personal data rights, a consent requirement for data processing, transparency and accuracy.
There are a couple of significant administrative differences, however. Unlike the GDPR, which had immediate legal effect across the EU, the Malabo Convention will be implemented through national laws. Each country is responsible for passing legislation that follows the principles, but the precise detail and the way each balances individual rights against the interests of the country and its communities will vary.
While the GDPR can apply to international businesses processing data about Europeans (or using local servers), the Malabo Convention only has a territorial scope. That appears to mean it will only apply to data processing that physically happens in an African Union country.
Best of the Rest
Here’s our round-up of some of the other stories you need to know about:
- Germany rules out retaliatory cybersecurity attacks, aka “hackbacks”: https://www.euractiv.com/section/cybersecurity/news/german-national-security-strategy-leaves-out-cyber-counter-attacks/
- Quantum random number generator could combat quantum-based decryption: https://embeddedcomputing.com/technology/storage/blueshift-memory-and-crypta-labs-to-develop-quantum-resilient-cybersecurity-memory-module
- IT analyst tasked with investigating ransomware attack admits he changed the Bitcoin address on the attacker’s demand to point to his own wallet: https://www.tripwire.com/state-of-security/rogue-it-security-worker-failed-cover-his-tracks
- Cybersecurity chiefs join forces to share healthcare sector insight: https://www.digitalhealth.net/2023/05/world-cyber-security-leaders-form-council-to-tackle-healthcare-challenges/
- 22 million UK university credentials found on dark web: https://www.infosecurity-magazine.com/news/millions-uk-university-credentials/