May 2023 Newsletter – Cybersecurity Breach and Company values
Welcome to the May edition of Intercast’s monthly newsletter for cybersecurity professionals. As always, we’ll bring you the latest news and views to bring you up to speed. In this issue:
- Client Insight
- Current Openings + Recent Hiring Projects Supported
- Suffering A Cyber Breach Could Boost A Company’s Value
- New FDA Policy To Secure Medical Devices Gets Thumbs Up
- Nations Unite To Urge Secure Software Design
- Government Shocks IT Sector With Lowball Offer
- Best of The Rest
Each month we ask our clients what’s on their minds and what it means for security professionals. This month we liked a short and simple point from Kevin Mandia, CEO of Mandiant: “Security is an altruistic domain. We need to share.” It’s all about perspective. Yes, naturally every security company in the commercial sphere sees itself in competition with rivals. But there’s also the wider battle between the security industry and cybercriminals. Kevin certainly isn’t suggesting that security firms reveal their “secret sauce” or give up commercial advantages. But sharing data about attacks, particularly evolving tactics by cybercriminals, can be a win for the concept of security itself.
Suffering A Cyber Breach Could Boost A Company’s Value
In a statement that sounds baffling until you examine it, CYPFER says its CEO Daniel Tobok believes “it’s a good thing when a mergers & acquisitions deal involves a potential entity that has experienced a breach.”
While you might think potential suitors would run a mile at the merest hint of a security breach, Tobok explains that surviving a breach can be a positive if it leads to a rigorous – and demonstrable – overhaul of security practices. The key is not only fixing the initial problem, but tightening the security culture and practices to reduce the risk of future attacks.
Tobok cites one company as boosting its sale price by 4.5 percent after showing evidence of proactive defenses against a barrage of attacks. Contrastingly, companies that proudly state they’ve never had an incident may be revealing they’ve simply been lucky rather than smart. The suggestion a company may have unplugged security gaps could reduce its sale price by as much as 22 percent.
New FDA Policy To Secure Medical Devices Gets Thumbs Up
All too often, government cybersecurity programs are written off as too weak, unworkable or laughably outdated. That’s not the case with the Food & Drug Administration’s new guidelines on protecting medical devices.
DarkReading’s Nate Nelson reports several industry sources praising the new rules as potentially effective and game changing. In simple terms, the FDA is telling manufacturers to make security a key part of developing new products. This includes using “security by design”, having clear plans for an update cycle and being ready to distribute emergency patches when needed.
The rules are now in effect, though compliance enforcement won’t start until 1 October. Falling short could mean devices are simply blocked from sale, a threat the FDA appears prepared to carry out. However, some skeptics question whether it will have the capacity for the ongoing oversight needed to enforce the update and patch rules.
Nations Unite To Urge Secure Software Design
10 security agencies have teamed up to produce international guidelines for software developers to follow both “security by design” and “secure by default” principles. The agencies represent Australia, Canada, Germany, the Netherlands, New Zealand, the United Kingdom and the United States. Among the key points stressed in the guidance are:
- Security must be a core business goal regardless of the industry.
- Users should be able to run software securely right away without paying extra or
- carrying out significant configuration.
- Security patches, particularly those that require user deployment, should be a last
- resort safety net. Developers should not rely on them as a way to mitigate sloppy
- security practices in development.
The guidance also noted businesses have their role to play. It urges executive management to give IT departments the authority to hold developers accountable for security. IT staff should also regularly present a risk assessment of the technology they use to their board of directors.
Government Shocks IT Sector With Lowball Offer
The United Kingdom’s Treasury department has sparked outrage after advertising for a head of cyber security with a listed salary starting as low as low as £50,550 (approx US$63,000). The successful applicant would be responsible for protecting the department that manages spending across all government departments in the country.
Industry analysts are united in saying this is significantly below what somebody performing the same role in a similarly-sized business would be paid. Estimates vary between the private sector paying two to seven times the salary. One suggestion is that the people setting the pay offer aren’t pegging it to the market rate or the actual value the person could provide (and the costs that could arise if the job is done badly.) Instead it may be based on a public official salary model that’s influenced more by the number of levels of management above and below the cyber security chief.
Either way, it’s certainly led many to question how seriously the government is taking cyber security.
Best Of The Rest
Here’s our round-up of some of the other stories you need to know about:
- Legal, privacy and security issues may be harming efforts to tackle cross-border anti-money laundering efforts: https://www.risk.net/risk-
management/7956422/hurdles-to- cross-border-data-sharing- impede-aml-fight (free registration required to view)
- Open source developers are concerned European cybersecurity laws could leave them on the hook for commercial product failings: https://www.theregister.com/
- Average cyber intrusion detection time falls to all-time low: https://www.infosecurity-
- Satellite networking CEO describes his unique security challenges: https://satellitenewsnetwork.
com/redefining-cybersecurity- in-space-an-interview-with- rivadas-declan-ganley/
- Take of the month: Enrique Dans on how cybersecurity and its skills need to be a fundamental part of school education, not just a standalone course: https://medium.com/enrique-
dans/well-never-improve- cybersecurity-until-we-start- educatingour-children- properly-90c40bc800f0