Author: rescue@crimefire.in

  • Combatting Talent Shortages in the Booming Cybersecurity Market – Hunt Scanlon Media

    November 22, 2022 – Globally, there is a severe talent shortage in the cybersecurity job market. The World Economic Forum (WEF) recently reported a shortage of 3 million cybersecurity professionals around the globe. Furthermore, Cybersecurity Magazine recently revealed that there will be 3.5 million open positions in cybersecurity by 2025 due to the global workforce shortage. The lack of cybersecurity experts has left many businesses in a tight spot, according to a new report from TriSearch’s Travis Thomas. The National Center for Education Statistics (NCES) says that companies now see cybersecurity as a mission-critical task, so the demand for cybersecurity professionals is growing faster.
    In the wake of the digital transformation, cyber attacks have become more prevalent. “Consequently, there is a high demand for cybersecurity professionals in the job market due to a lack of qualified individuals to manage and secure the online world,” said Mr. Thomas. “An acute shortage of cybersecurity workers in the United States is hurting organizations irrespective of their size.” According to a recent IBM report, cybersecurity job postings currently account for 13 percent of all IT jobs.

    What are the causes of the cybersecurity workforce shortage? Mr. Thomas says that it is difficult to attract and retain qualified cybersecurity professionals without the help of an external search firm specializing in the network security and cybersecurity market. He also offers up some of the main causes for the shortage:
    “The lack of cybersecurity professionals has led to various issues, such as an increase in malicious breaches and the theft of personal and financial information,” said Mr. Thomas. “The nation’s digital and cyberinfrastructure, including its economic, utility, and transportation networks, is under threat, and the situation appears to worsen by the day. Cloud security, application security, and security assessment/investigations are the top three technological domains most impacted by a cybersecurity skills shortage. When there aren’t enough people with these skills, employers must pay more for them.”

    Source: Tech Target
    Everyone Is at Risk from Cybercrime
    From high-profile multinational corporations, SMEs, to start-ups, and government agencies, no one is immune to cybercrime threats. According to IBM, SMEs are hit by 62 percent of all cyber attacks, about 4,000 per day. Cybercrime in a Pandemic World: The Impact of COVID-19 Findings, a report released in 2021 by McAfee Enterprise and FireEye, emphasized the urgent need for enterprises to prioritize and upgrade their cybersecurity infrastructure. On average, cybersecurity jobs are currently more lucrative than others in IT. According to the statistics, 81 percent of enterprises saw elevated cyber attacks during the pandemic. In May 2020, the chief of UN Disarmament said that even though the COVID-19 pandemic has led to more technological innovation and online collaboration, it has also led to more cybercrime. During the current crisis, the number of malware emails has gone up by 600 percent.

    Source: Palo Alto Exam
    “Furthermore, small businesses are an easy target for cybercriminals,” Mr. Thomas said. “They steal data in order to hijack bank accounts, submit false tax returns, and even obtain customers’ personal identification information to perpetrate health insurance fraud.”
    The Demand for Seasoned Cybersecurity Professionals is Surging Substantially
    As technology becomes more digitally connected, the need for cybersecurity specialists will increase in the coming years, according to Mr. Thomas. “Security threats will grow in parallel with the Internet of Things and cloud computing,” he said. “As a result, the demand for expertise to tackle these issues will also surge. Managing cybersecurity is important, and employers need to look for people with experience and a good track record.”
    The Best Solution to Tackle the Issue of the Cybersecurity Skills Gap
    Mr. Thomas notes that the best way to tackle the skills shortage problem is to hire cybersecurity professionals you cannot afford. “Regardless of how crazy it sounds, hiring even one seasoned cybersecurity professional instead of five average cybersecurity professionals can make a big difference,” he said. “A beginner will not provide the same level of quality work as a seasoned cybersecurity professional.
    Hiring seasoned cybersecurity professionals is not as expensive as you might assume. You need to find the right candidate.”
    Travis Thomas, VP, U.S. technology practice at TriSearch, has spent two decades unlocking hidden value for his clients at the intersection of talent, leadership, culture, strategy, and innovation. He is an experienced strategic leader and active listener with experience working in executive search, professional services, account management, and knowledge management.
    “To encourage seasoned cybersecurity professionals, you can provide them with enticing benefits such as competitive compensation packages, free lunches, healthcare coverage, flexibility, bonuses, and even stock options,” Mr. Thomas said. “It would be best if you made them aware of what you could offer now and in the future. Only lucrative opportunities can help retain good employees and make them loyal and committed to their employer. Simultaneously, you must take steps to limit burnout by reducing the burden of cybersecurity teams so that the staff does not feel intimidated by dealing with various challenges.”
    Related: Retaining Your Employees During the Great Resignation
    The longer an employee continues working with the company, the less it costs in terms of recruitment, replacements, and training. Consequently, this helps employers save a lot of money in the long run. Mr. Thomas offers a few reasons why hiring an expert you think you probably couldn’t afford in the competitive cybersecurity market makes sense:
    These solutions can help organizations attract competent security personnel and confidently address their cybersecurity demands, according to Mr. Thomas. “As more people enter the cybersecurity industry with suitable degrees and reduce the existing gap, the talent shortage will not last forever,” he said. “Until then, businesses must implement strategies to mitigate the impact of the ongoing skills shortage by building a happy and content cybersecurity staff of seasoned individuals. If you choose the wrong candidate, you will end up exposing your company to more cyber threats and having to start back at the drawing board to search for the right talent. If you hire the right talent, you will be well-positioned to fend off attacks, safeguard your organization, and outperform your competitors in all business aspects.”
    Mr. Thomas also notes that choosing the right candidate implies that you have made a substantial investment that is likely to pay off in the long run. “Again, once you are used to employing the best, you will soon learn to identify top-notch talents,” Mr. Thomas said. “Last but not least, well versed and brighter professionals will not only benefit your organization; they will also challenge you to be a better version of yourself with their enthusiasm, ideas, and commitment. Hire the professionals you think you can’t afford, and you will soon realize how valuable and affordable they prove to your company in the long run.”
    Related: Hiring Top Talent in Unprecedented Times
    Contributed by Scott A. Scanlon, Editor-in-Chief; Dale M. Zupsansky, Managing Editor; and Stephen Sawicki, Managing Editor – Hunt Scanlon Media

  • UK cybersecurity and incident response – the outlook for 2023 … – Mayer Brown

    Following on from our alert in relation to technology, data privacy, cybersecurity and IP legal developments to look out for in 2023, this update outlines some of the potential developments and trends in the UK cyber incident response landscape for 2023.
    Increased litigation risk for cyber breach victims – the Information Commissioner’s Office begins naming and shaming data breach victims
    At some point in summer 2022[1], the UK Information Commissioner’s Office (the “ICO”) quietly began publishing the names of organisations that have notified it of a data breach or cyber incident. Historically, the ICO would keep such notifications confidential in an effort to promote prompt and transparent notifications from such companies.
    However, since as early as 2019, the ICO has publicly committed to an open and transparent approach to its work, in particular in relation to the organisations it regulates and the data breaches suffered by those organisations. This shift was further emphasised in a November 2022 speech by the Information Commissioner himself, John Edwards, and the move towards the publication of breach data appears to be related to this commitment to an open and transparent approach. It is unclear, however, why the ICO has only moved to implement such an approach now.
    In his speech, Mr Edwards sought to redirect the emphasis of the ICO’s enforcement activity away from the use of fines and private reprimands (for those breaches deemed to be the most serious in nature) as the ICO’s primary method of enforcement, towards one in which all reprimands in relation to cyber breaches would be made public, unless there is a good reason not to publish a particular reprimand.
    This approach, Mr Edwards argued, is necessary not just because it is in line with the ICO’s commitment to open and transparent regulation but also because it acts, in and of itself, as a form of enforcement and/or deterrent by way of public ‘naming and shaming’. In relation to public authorities in particular, Mr Edwards argued that fines alone were not enough, as such fines simply passed between government authorities and ultimately into the consolidated account at the Treasury and thereby did not act as an effective deterrent.
    In relation to private organisations, the levels of fines seen to date (although at times significant) may not, in the view of the ICO, act as a sufficient deterrent. In introducing the publication of data breach reprimands, the ICO therefore hopes to create a deterrent by making such organisations publicly accountable for their failures in relation to the data breach in question.
    What data does the ICO publish?
    The details in relation to breach and cyber incidents are now published in three datasets relating to the following, and are available in relation to incidents from Q4 2021 onwards:
    The datasets published by the ICO are high-level and do not contain detailed information beyond the name of the victim, the categorisation of the incident and the outcome recorded by the ICO. Detailed information in relation to the nature, extent or method of attack, or the nature of the affected data, is not included in any public ICO dataset.
    What does this mean for litigation risk?
    The success of such measures in meeting the ICO’s stated aims (i.e. deterring poor behaviour or encouraging good practices in relation to cybersecurity) remains to be seen. However, the effect on organisations named in the data published by the ICO may have a profound effect on the litigation risk landscape for such companies.
    In particular, it is likely that claimant law firms may begin monitoring ICO publications for the details of such data breaches and, depending on the nature of the breach, the organisation in question and the potential pool of claimants, may look to bring collective actions. It is likely that ‘repeat offender’ organisations will be the particular target of such claimant law firms, given the fact that repeated incidents are likely to increase the viability and/or quantum of potential claims. Similarly, individuals who are customers, employees or other potential data subjects of victim organisations may make data subject access requests or bring their own individual actions against such companies.
    In addition to the development of a robust incident response plan in case of a cyber incident, companies should be aware that any report made to the ICO may now become public information. Victim organisations should therefore consider engaging outside legal counsel at the earliest possible stage of any incident in order that the increased litigation risk arising from the potential ICO publication of the fact of the incident can be considered alongside the other legal and business factors arising in the course of any incident.
    Cyber-risk and insurability – companies facing increased premiums and cyber-related requirements from insurance providers
    In the wake of an increase in the frequency and severity of cyber-related incidents, several insurers have warned of the risk that cyber incidents could become uninsurable, particularly in the case of ransomware attacks and for organisations whose cyber architecture relates to or is connected to critical national infrastructure.
    This increased risk is being reflected in significantly increased premiums and, in many cases, increasing cyber insurance exclusions related to certain types of software or known vulnerabilities. Lloyd’s of London forecast in December 2022 that the global cyber insurance market is likely to grow from US$12 billion in annual premiums today to over US$60 billion in the next five to 10 years. Similarly, Lloyd’s announced in September 2022 that all standalone cyber policies would have an exemption for state-backed cyber-attacks.
    Companies are likely to face increased pressure from insurance providers to develop and demonstrate a documented strategy to mitigate their cyber threat in order to ensure that they are able to renew or enter into cyber-related insurance policies, without facing unacceptably high premiums. Such measures are likely to include a detailed consideration of IT-related measures in addition to a cyber response plan developed and tested in conjunction with external counsel, where appropriate.
    Ransomware attacks continue to proliferate – the preservation of evidence in anticipation of litigation during cyber incident response
    The first high-profile UK ransomware-related cyber incident of the year occurred just 12 days into 2023. The attack on Royal Mail on 12 January 2023 was, according to reports, carried out by an affiliate of the LockBit ransomware group[2]. The incident led to Royal Mail suspending international shipping services for five days and is thought to have had a significant indirect impact on UK-based businesses that rely on international orders.
    The cyber incident at Royal Mail comes just weeks after The Guardian suffered a similar ransomware incident, impacting all areas of its IT infrastructure and forcing staff to work from home until at least the end of February 2023. There have also been several other high profile cyberattacks in the opening weeks of 2023.
    These are just the attacks that are made public. As explored in our November 2022 update, such attacks are likely to continue to increase in frequency and scale, and companies should therefore be prepared, both in relation to increasing cybersecurity measures by way of defence against such attacks, and in relation to their cyber incident response should the worst happen. A study by Gartner in 2022 predicted that by the end of 2023, modern data privacy law will cover 75% of the world’s population. Given the increased applicability and scope of such legislation, the possibility of cyber incident related litigation has only increased.
    The litigation risk arising out of such cyber incidents is potentially significant, and organisations that are impacted by such attacks should be mindful in particular of the importance of preserving evidence in relation to such attacks. The preservation of evidence has a two-fold benefit: i) to obtain a full incident overview and to establish a basis for threat containment and/or eradication, and ii) to fulfil the evidentiary requirements for possible litigation at a later date. The latter consideration is often neglected during the development of a cyber incident response plan and should be carefully considered at the outset of any response. Similarly, whilst a resumption of normal operations is always a priority, care should be taken to avoid the inadvertent destruction of evidence during the rebuild or remediation phases of an incident.
    The applicability and scope of whether a litigation-related duty to preserve evidence arises is highly dependent on the facts of the individual incident in question, and includes complicated considerations of the applicable legal framework arising out of the jurisdictions involved in the incident. Organisations should, in conjunction with external counsel, adopt a risk-based approach to the preservation of evidence which in any event should involve steps to preserve key information in relation to any incident including (but not limited to) metadata, a forensic image of the affected systems, security logs and other relevant incident-related data.
    The UK Ransomware Enquiry – potential for significant regulatory changes in relation to cyber incident response for UK companies
    In the UK, there are a number of cyber-related regulatory changes recently implemented or in the works. In particular, the UK Ransomware Enquiry was launched by the Joint Committee on the National Security Strategy in October 2022 (the “Enquiry”), in conjunction with the UK National Cyber Security Centre (“NCSC”). The Enquiry closed for written evidence on 16 December 2022. The purpose of the Enquiry is to explore the increasing trend of ransomware attacks and the impact on organisations in the UK. It is primarily aimed at understanding the threat posed by ransomware attacks, the impact on victims, and the measures organisations can take to prevent or respond to these attacks.
    It is difficult to predict the exact outcome of the Enquiry, as it is still ongoing and the findings have not yet been released. However, the NCSC is likely to make recommendations for improving the security of organisations in the UK in the face of increasing ransomware attacks. Some potential outcomes of the Enquiry may include:
    Ultimately, the outcome of the Enquiry is expected to help organisations in the UK better understand the threat posed by ransomware attacks and take steps to improve their security posture. Mayer Brown will issue a further update in relation to the findings of the Enquiry after the committee has published its findings, but companies should be aware that the changes arising out of the Enquiry, and the actions required of in-scope companies, could be significant.
    A number of other significant technology, data privacy, cybersecurity and IP legal developments are also expected in 2023 and are explored in detail in our January 2023 update, Looking Ahead – Technology, Data Privacy, Cybersecurity and IP developments in 2023.
    Next steps for organisations
    Organisations should take steps now to ensure they have a robust cyber incident response plan in place, developed in conjunction with external legal counsel. Such a plan should be thoroughly tested and periodically updated to ensure it captures and responds to changes in best practice (including any new applicable government guidance) as well as developments in the organisational or technological infrastructure of the organisation. The plan should be developed by reference to the relevant cyber insurance policy, ensuring that any specific policy requirements or exclusions are considered and the incident response plan developed accordingly.
    [1] The ICO made no public announcement about the introduction of cyber breach victim lists, but data from archived webpages suggests they were introduced at some point in July or August 2022.
    [2] See: ‘LockBit ransomware gang claims Royal Mail cyberattack’ https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-royal-mail-cyberattack/

  • EPA Takes Action to Improve Cybersecurity Resilience for Public … – U.S. EPA.gov

    WASHINGTON – Today, the U.S. Environmental Protection Agency (EPA) is releasing a memorandum stressing the need for states to assess cybersecurity risk at drinking water systems to protect our public drinking water. While some public water systems (PWSs) have taken important steps to improve their cybersecurity, a recent survey and reports of cyber-attacks show that many have not adopted basic cybersecurity best practices and are at risk of cyber-attacks — whether from an individual, criminal collective, or a sophisticated state or state-sponsored actor. This memorandum requires states to survey cybersecurity best practices at PWSs.
    “Cyber-attacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable. Cyber-attacks have the potential to contaminate drinking water, which threatens public health,” said EPA Assistant Administrator for Water Radhika Fox. “EPA is taking action to protect our public water systems by issuing this memorandum requiring states to audit the cybersecurity practices of local water systems.”
    “Americans deserve to have confidence in their water systems’ resilience to cyber attackers. The EPA’s new action requires water systems to implement adequate cybersecurity to provide that confidence. EPA used a flexible approach to enable water systems to craft the most effective ways to protect water services. The EPA’s action is another step in the Administration’s relentless focus on improving the cybersecurity of critical infrastructure by setting minimum cybersecurity measures for owners and operators of the water, pipelines, rail and other critical services Americans rely on,” said Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies.
    The memorandum conveys EPA’s interpretation that states must include cybersecurity when they conduct periodic audits of water systems (called “sanitary surveys”) and highlights different approaches for states to fulfill this responsibility.
    EPA is providing technical assistance and resources to assist states and water systems as they work towards implementation of a robust cybersecurity program. EPA’s guidance entitled “Evaluating Cybersecurity During Public Water Sanitary Surveys” is intended to assist states with building cybersecurity into sanitary surveys. It includes key information on options for evaluating and improving the cybersecurity of operational technology used for safe drinking water. While this guidance is designed to be used right away, EPA is also requesting public comment on Sections 4-8 of the guidance and all Appendices until May 31, 2023. To submit comments, please email wicrd-outreach@epa.gov. EPA plans to revise and update this document as appropriate based on public comment and new information.
    EPA’s robust technical assistance program has already proven effective in aiding systems with their cybersecurity and EPA looks forward to working with other entities in the future.
    “The Minnesota Department of Health Drinking Water Protection program is looking forward to EPA’s release of guidance related to cybersecurity at public water supplies,” said Kim Larsen, Minnesota Department of Health Regional Supervisor. “This guidance will help to support our program’s overall mission to protect public health.”
    “EPA’s cybersecurity technical assistance program provided a wonderful jumping-off point to work on improving the cybersecurity of the water and sewer systems,” said Amy Rusiecki, Assistant Superintendent of Operations, Town of Amherst Public Works, Massachusetts. “The program armed us with the tools to have the appropriate conversations with the Town’s IT staff and our water/sewer staff to take small steps towards improvement. The roadmap for how to correct the Town’s vulnerabilities is still driving decisions today.”
    “With the help of the EPA’s cybersecurity technical assistance program’s free cybersecurity assessments and technical assistance, [we] were able to submit our cybersecurity program to the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) with a Security Scorecard of 83 out of 100,” said Martin O. Hawlet, Superintendent, Atlantic Highlands Water Department, New Jersey.
    “While cybersecurity can be a bit overwhelming for Operators in the water sector, it is comforting to know that we can engage with EPA’s cybersecurity technical assistance program to assist with a comprehensive assessment of risk and vulnerability for our community’s water system,” said Jason C. Randall, Superintendent, Plymouth Village Water & Sewer, New Hampshire. “The Cyber Action Plan deliverable is now our roadmap to implement recommended best practices, improving our cyber incident preparation, response, and recovery. These cyber actions ultimately protect our assets, employees, and the citizens we serve.”
    “Cybersecurity is very important to our water utility. We understand its importance; however, we don’t have any employees that are professionally trained to ensure the safety of our network. Thankfully, USEPA offered assistance to our utility at no cost via the Cybersecurity Technical Assistance Program,” said Eric Kiefer, Manager, North Shore Water Commission, Wisconsin. “As a participant of this program, our water utility was able to identify and rank the severity of our vulnerabilities. With targeted improvements, we have significantly reduced our exposure to cybersecurity threats and improved our ability to successfully recover from a disaster.”
    To further assist public water systems and states, EPA will be offering additional training on how to implement best practices for cybersecurity and use the available resources. EPA is also offering consultations with subject matter experts and direct technical assistance to water systems to conduct assessments of their cybersecurity practices and plans for closing security gaps.
    Background
    Cybersecurity represents a substantial and increasing threat to the water sector, given the relative ease of access to critical water treatment systems from the internet. Currently, many water systems do not implement cybersecurity practices. Efforts to improve cybersecurity through voluntary measures have yielded minimal progress in protecting the nation’s vitally important drinking water systems.
    Water security planning has been a critical component of EPA and of state efforts to ensure the provision of clean and safe water since the increased threat of terrorism and malevolent attacks after 9/11. Through their sanitary survey programs, states have worked with PWSs to identify and protect against physical security vulnerabilities. PWSs have increasingly relied on the use of electronic systems to operate drinking water systems efficiently. As a result, incidents of malicious cyber activity on PWSs have shut down critical treatment processes, locked up control system networks behind ransomware, and disabled communications used to monitor and control distribution system infrastructure like pumping stations. Including cybersecurity in PWS sanitary surveys, or equivalent alternate programs, is an essential tool to address vulnerabilities and mitigate consequences, which can reduce the risk of a successful cyberattack on a PWS and improve recovery if a cyber incident occurs.
    EPA engaged extensively with states, the Water Sector Coordinating Council, the Water Government Coordinating Council, and individual water associations to build their awareness, understand issues, and address concerns while developing the Memo and guidance.

  • 10 Cybersecurity Companies Making Moves: February 2023 – CRN

    We’re taking a look at the cybersecurity companies that launched products and partner program updates, raised major funding, announced acquisitions or made key executive changes in February.
    It was a short but busy month for the cybersecurity industry, which continued to show signs of being quite resistant to the effects of the economic slowdown that’s been impacting the overall tech sector. While a handful of cybersecurity companies did announce layoffs in February, far more had other types of announcements to share during the month — including major funding rounds, new partner programs, notable product launches, acquisitions and key executive hires.
    [Related: Palo Alto Networks CEO Nikesh Arora On SASE, AI And Why Partners Are ‘More Important’ Than Ever]
    In February, major moves by cybersecurity companies included a massive funding round and valuation boost for fast-growing cloud security startup Wiz, while Proofpoint was among the cybersecurity companies that unveiled new partner programs last month. Check Point announced several big executive moves, including a major hire, and Zscaler announced a new product line as well as an acquisition of a security startup. And in an interview with CRN, Palo Alto Networks CEO Nikesh Arora signaled that he’ll be a lot more involved in the cybersecurity giant’s channel-related efforts going forward.
    What follows are details on 10 of the cybersecurity companies we’re following that made big moves in February.
    Kyle Alspach is a Senior Editor at CRN focused on cybersecurity. His coverage spans news, analysis and deep dives on the cybersecurity industry, with a focus on fast-growing segments such as cloud security, application security and identity security. He can be reached at kalspach@thechannelcompany.com.

  • Your Biggest Cybersecurity Risks Could Be Inside Your Organization – HBR.org Daily

    Today more than 300 million people are working remotely — creating, accessing, sharing, and storing data wherever they go — and data breaches arising from insider threats and simple mishaps can cost businesses an average of $7.5 million annually. Ultimately it doesn’t matter if a breach is intentional or accidental. Insider risk programs should be part of every company’s security strategy. To be successful, organizations should lead with their employees as partners in the effort and supplement their program with advanced tools that detect and mitigate insider risks wherever they arise. The author offers four lessons he’s learned as Microsoft’s chief information security officer.
    As the digital world continues to grow, so do the volume, variety, and velocity of cyber threats and attacks. The world is awash in data, and there is always someone trying to turn it into their own virtual currency.
    Today malware and ransomware are hitting everything from our personal cell phones to mission-critical infrastructure and supply chains. Whether it’s phishing, smishing, or vishing, attackers are getting more sophisticated too, using details about our personal and work lives to tempt us to share our data.
    But in a world where everyone is a target, companies also need to understand their exposure to risks that come from inside their organizations. Today more than 300 million people are working remotely — creating, accessing, sharing, and storing data wherever they go — and data breaches arising from insider threats and simple mishaps can cost businesses an average of $7.5 million annually. Consider the 2022 data breach of Cash App, where a former employee accessed customer financial reports after being terminated. The breach likely affected 8.2 million current and former customers.
    Ultimately it doesn’t matter if the breach was intentional or accidental. Insider risk programs should be part of every company’s security strategy. To be successful, organizations should lead with their employees as partners in the effort and supplement their program with advanced tools that detect and mitigate insider risks wherever they arise.
    Here are four lessons I’ve learned as CISO at Microsoft, managing our insider risk program as it grew from a small internal initiative into a business unit that reports to the CEO.
    This point comes first for a reason. In business and in life, trust is the key to any functioning relationship. The best insider risk programs emphasize the balance between employee privacy and company security. It’s critical to come up with privacy controls and policies that maintain, and even boost, trust.
    Setting up tools to indiscriminately sift through employee activities for wrongdoing is not only ineffective and counterproductive — it’s just plain wrong. It’s an invasion of privacy that creates anxiety and erodes the relationship. Organizations need to be able to detect insider risks, but they need to do it the right way, acting transparently and within a narrowly defined scope to demonstrate respect and extend trust to employees.
    Setting up privacy controls that protect identities at work — even during investigations — lets people know you’re protecting them too. Using role-based access for insider risk management tools also helps ensure that the right person is reviewing compliance alerts, keeping unwarranted suspicion from creeping into the organization.
    While IT and security groups will lead the way, insider risk is a business problem that involves the entire company. At Microsoft, we learned this over time. What started as an initiative in our security organization evolved into a unified effort across the business groups, including legal, HR, and senior leadership.
    This broad involvement helps ensure wider buy-in and provides additional perspectives and resources, such as the legal department prioritizing emerging regulations and HR facilitating training programs and surveys. An insider risk committee or ombudsperson can help get the conversation going. One of their first tasks should be creating a response plan that outlines how information is shared, when and what each group contributes, who makes which decisions, and who is accountable.
    It’s also important to have shared goals with clear measures of success. You can fine-tune the process by quantifying key metrics such as the number of cases raised, the true-positive and false-positive flags, and actions taken as the result of findings. If you have a high number of false positives, you risk burdening your HR and legal teams with unnecessary and expensive investigations.
    Getting employees to engage with data protection and compliance training can be challenging, but it’s important that they know how to mitigate security risks and why it’s a priority. Trainings that emphasize stewardship of data show that the organization is extending its trust to employees as they serve the business.
    Train people on how to handle the organization’s data properly, and repeat that message regularly so it’s always fresh. It also helps to make it personal. Most people immediately understand and engage on how to protect their own financial and health care data. Infusing a personal aspect into the training connects the dots on the importance of data protection for the business as well.
    Training people on the principle of “see something, say something” in a risk-free way is a critical capability for an insider program. By improving data security education and training, companies can empower employees as a first and last line of defense that is complemented by detection tools.
    Gartner defines insider risk management as “the tools and capabilities to measure, detect, and contain undesirable behavior of trusted accounts within the organization.” And insider risk management tools have gotten much more precise and effective in recent years.
    Older tools tend to overlook subtle indicators that can identify a bad actor trying to hide their tracks. They also often feature overly strict controls that lower productivity and encourage workarounds. Today a new breed of insider risk management tools is emerging with adaptive security capabilities that can detect risky activities and mitigate any potential impact while staying out of the way and keeping user information private.
    Where an activity like printing a confidential file might not show intent, a sequence of connected activities like renaming the file and then deleting it after printing could indicate something more serious. Using machine learning, these tools can separate the signal from the noise and identify subtle actions, reducing the false positives that can bog down the organization.
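    The print, rename, delete chain described above, worked through as an added example (not code from the article or from any Microsoft product): a small correlation rule over a constructed file-activity audit log that alerts only when the whole sequence is performed by the same user on the same file within a short window, so that a lone print of a confidential file does not fire. The event format, the confidential-path policy and the 30-minute window are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (one entry deliberately out of time order):
# (timestamp, user, action, path, new_path_for_rename_or_None)
SAMPLE_EVENTS = [
    ("2023-02-01T09:00:00", "alice", "print",  "/share/finance/q4_forecast.xlsx", None),
    ("2023-02-01T09:03:10", "alice", "rename", "/share/finance/q4_forecast.xlsx", "/share/finance/notes.tmp"),
    ("2023-02-01T09:04:45", "alice", "delete", "/share/finance/notes.tmp", None),
    # bob prints a confidential file and stops there: weak evidence, no alert
    ("2023-02-01T10:15:00", "bob", "print", "/share/hr/salary_bands.pdf", None),
    # carol's rename/delete happen two days after her print: outside the window
    ("2023-01-30T08:00:00", "carol", "print", "/share/legal/contract.docx", None),
    ("2023-02-01T11:00:00", "carol", "rename", "/share/legal/contract.docx", "/share/legal/x.docx"),
    ("2023-02-01T11:01:00", "carol", "delete", "/share/legal/x.docx", None),
]

# Constructed policy: which locations count as confidential, and how close
# together the chained actions must be to count as one connected sequence.
CONFIDENTIAL_PREFIXES = ("/share/finance/", "/share/hr/", "/share/legal/")
WINDOW = timedelta(minutes=30)


def is_confidential(path):
    return path.startswith(CONFIDENTIAL_PREFIXES)


def detect_print_rename_delete(events, window=WINDOW):
    """Return one alert per (user, file) where a confidential file was printed,
    then renamed, then deleted, all within `window` of the print.

    Renames are followed so the delete of the new name is matched back to the
    file that was actually printed; a print with no follow-on activity, or with
    follow-on activity outside the window, produces nothing."""
    alerts = []
    # per user: original printed path -> state of that chain
    chains = defaultdict(dict)
    for ts, user, action, path, new_path in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        state = chains[user]
        if action == "print":
            if is_confidential(path):
                state[path] = {"printed_at": ts, "current": path, "renamed": False}
            continue
        # which tracked chain, if any, is this event about (matched by current name)?
        orig = next((o for o, s in state.items() if s["current"] == path), None)
        if orig is None:
            continue
        s = state[orig]
        if t - datetime.fromisoformat(s["printed_at"]) > window:
            del state[orig]  # too long after the print to correlate; drop the chain
            continue
        if action == "rename" and new_path:
            s["current"] = new_path
            s["renamed"] = True
        elif action == "delete" and s["renamed"]:
            alerts.append({"user": user, "file": orig,
                           "printed_at": s["printed_at"], "deleted_at": ts})
            del state[orig]
    return alerts


if __name__ == "__main__":
    for a in detect_print_rename_delete(SAMPLE_EVENTS):
        print(f"ALERT {a['user']}: printed {a['file']} at {a['printed_at']}, "
              f"renamed and deleted by {a['deleted_at']}")
```

    Only the alice chain fires; bob's single print and carol's stale print are the kind of noise the article says single-event rules would have flagged.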
    Managing both internal and external risks is vital to the security of any organization. Each comes with their own challenges, but what makes insider risk management especially tricky is the need to balance people, processes, and technologies.
    Powerful tools can help impede, detect, and respond to insider risks — but they won’t address the root causes. That’s where detailed onboarding, security trainings, team-building exercises, and work-life balance programs are useful. Building a healthy work environment helps reduce the risk of an employee intentionally engaging in dangerous behavior. But at the end of the day, striking the balance between people and technology matters most of all. Risk management has to be proactive and continuous, and it takes trust, transparency, and collaboration to keep that engine running. This philosophy — people first, backed by powerful technology — is the only way to prevent incidents before they happen, detect them if they do, and respond to them quickly and effectively.

  • Top seven hacks and cyber security threats in APAC – Cyber Security Hub

    In 2022, 59 percent of businesses in the Asia-Pacific region reported being the victim of a cyber attack, 32 percent reported being the victim of multiple cyber attacks, and the region suffered a shortage of 2.1 million cyber security professionals.
    This has culminated in the Asia-Pacific region being victim to a number of high-profile cyber attacks within the last 12 months. In this article, Cyber Security Hub explores seven of these attacks.
    In December 2022, an IT managed service provider that supports a range of organizations across New Zealand including several within its government suffered a cyber attack, compromising access to its data and systems.
    Those affected by the cyber security incident include some providers contracted to Te Whatu Ora (Health New Zealand), although health service delivery was not affected.
    The Ministry of Justice was also affected by the third-party data breach and confirmed the cyber attack impacted access to some coronial data. This allegedly included thousands of autopsy reports.
    New Zealand’s National Cyber Security Centre (NCSC) said that it was coordinating the governmental response to the cyber attack, both within the Government Communications Security Bureau and alongside the New Zealand Police, CERT NZ and the Privacy Commissioner.
    Lisa Fong, deputy director-general of the NCSC, said that the organization is working with the compromised third party to “understand more fully the nature of the data that has been impacted” and how the cyber attack occurred. 
    On October 13, 2022, Australian health insurance provider Medibank suffered a data breach which affected 9.7 million people.
    The malicious actor responsible for the breach attempted to extort the company by contacting them directly to negotiate the release of the data. Medibank refused, which led to the hacker releasing private medical information obtained in the breach on the dark web.
    The hacker posted a file labelled “abortions” to a site backed by Russian ransomware group REvil on November 10, 2022, which apparently contained information on procedures that policyholders have claimed on, including miscarriages, terminations and ectopic pregnancies.
    They also released files containing customer data called “good-list” and “naughty-list” on November 9, 2022. The so-called “naughty-list” reportedly includes details on those who had sought medical treatment for HIV, drug addiction or alcohol abuse or for mental health issues like eating disorders.
    The hacker added to the November 10 data leak post, saying: “Society ask us about ransom, it’s a 10 millions (sic) usd. We can make discount 9.7m 1$=1 customer.”
    During question time in Australian Parliament on November 10, minister of home affairs Clare O’Neil hit back at the hackers, saying: “I want the scumbags behind this attack to know that the smartest and toughest people in this country are coming [at] you.
    “I want to say, particularly to the women whose private health information has been compromised overnight, as the minister for cyber-security but more importantly, as a woman, this should not have happened, and I know this is a really difficult time.”
    David Koczkar, CEO of Medibank, called the release of the data “disgraceful” and a “weaponization of people’s private information”. He also called those involved in the cyber-attack and data leak “deplorable”.
    In an attempt to protect those affected by the cyber security incident and the subsequent data leaks, Medibank urged members of the public and the media to not “unnecessarily download sensitive personal data from the dark web” and to “refrain from contacting customers directly”.
    On October 7, 2022, Japanese car manufacturer Toyota issued a statement and an apology after it was discovered that third parties may have gained unauthorized access to customer details between December 2017 and September 2022. 
    The breach occurred because a section of the source code for T-Connect, an app which allows customers to connect their phone to their car, had been posted on source code repository GitHub in December 2017. As the source code contained an access key for the server, this may have allowed unauthorized access to customer data for five years.
    Any customers who registered for the app from December 2017 to September 2022 were at risk of their data being accessed, meaning the data of a potential 296,019 customers may have been leaked. The information available for access included email addresses and customer management numbers. Personal or sensitive information including payment card information, name and address was not accessed.
    Following a security investigation, Toyota said that while it “cannot confirm access by a third party based on the access history of the data server where the customer’s email address and customer management number are stored, at the same time [it] cannot completely deny it”.
    Toyota also said that it would individually notify all those who were affected by the breach.  
    Australian online retail marketplace MyDeal confirmed in October 2022 that it was the victim of a data breach that exposed the data of around 2.2 million customers.
    The retailer, which is a subsidiary of supermarket chain Woolworths, said that it would be contacting all those affected by the breach via email, as well as alerting the “relevant regulatory authorities and government agencies”.
    Woolworths said that the breach was caused by a malicious actor using “a compromised user credential” to gain unauthorized access to MyDeal’s Customer Relationship Management (CRM) system.
    Customer information exposed during the cyber-attack included names, dates of birth, phone numbers and email addresses. For 1.2 million customers, the data exposed was limited to their email address. Confidential information like passport, payment card and drivers license details is not stored by MyDeal, and therefore was not exposed in the hack.  
    In August 2022, a GPS tracker manufactured by Chinese company MiCODUS was revealed to have numerous critical cyber security vulnerabilities that could allow bad actors to remotely hack a vehicle’s system.
    At the time of the discovery, the MiCODUS MV720 GPS tracking device had been sold to customers across 169 countries and installed in more than 1.5 million devices. 
    The critical cyber security issues were first discovered by cyber security startup BitSight. Following the discovery of the vulnerabilities, BitSight informed the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
    The CISA confirmed that “successful exploitation of these vulnerabilities could allow an attacker control over any MV720 GPS tracker, granting access to location, routes, fuel cutoff commands and the disarming of various features (e.g. alarms)”. 
    In a report on the vulnerabilities, BitSight said it had found MiCODUS devices were being used by a range of organizations including “a Fortune 50 energy company, a national military in South America, a national government and a national law enforcement organization in Western Europe, and a nuclear power plant operator”.
    It was also revealed that MiCODUS has a global customer base of 420,000, with 1.5 million devices sold. However, BitSight did note that it was unable to determine the number of MiCODUS MV720 units currently in use globally, or the number of MiCODUS devices used for personal versus business purposes.
    Australian telecommunications company Telstra revealed on Tuesday that it had been hit by a data breach that had revealed the details of 30,000 current and former employees.
    The details included employees’ first and last names and email addresses, and were posted on the hacking forum BreachedForums.
    In a tweet, Telstra confirmed that the data leak “wasn’t a breach of any Telstra system” and that it has notified its employees and authorities first, before notifying former employees, despite “minimal risk” to them.
    You may have heard about a data breach involving Telstra employee details. Here are the key facts:

    👉 This wasn’t a breach of any Telstra system
    👉 No customer account info was included
    👉 The data includes first/last names and employee email addresses
    👉 The data is from 2017


    A Telstra spokesperson said the company had been “made aware of a data breach affecting a third party that included limited Telstra employee information from 2017.”
    Of the information shared, 12,800 of the employees named were current employees.
    Australian telecommunications company Optus suffered a devastating data breach on September 22, 2022 that led to the details of 11 million customers being accessed.
    The information accessed includes customers’ names, dates of birth, phone numbers, email addresses, home addresses, driver’s license and/or passport numbers and Medicare ID numbers. Payment detail and account passwords were not compromised in the breach.
    Optus confirmed that it has now contacted all customers to notify them of the cyber-attack’s impact, beginning with those who had been affected by the breach and finishing with those who had not had their data accessed.
    Someone claiming to be the hacker told Australian journalist Jeremy Kirk that they had “accessed an unauthenticated API endpoint” meaning that they did not have to log in to access the data and that it was “all open to internet for any one[sic] to use”.
    A person claiming to be the hacker responsible for the data breach posted a small sample of the customer data stolen to the hacking forum BreachedForums on September 23. 
    Using the alias optusdata, the hacker demanded that Optus pay them a $1mn ransom, or they would leak the data of all 11 million customers affected by the breach. When Optus did not respond to the ransom demand, optusdata posted a text file of 10,000 customer data records on September 26, allowing other malicious actors to use the data in their own phishing campaigns.
    Victims of the breach reported on September 27 that they had been contacted with demands that they pay AU$2,000 (US$1,300) or their data would be sold to other hackers.
    However, on the same day, the supposed hacker posted a new message on BreachedForums, rescinding their demand and apologizing to Optus.
    The hacker said there were “too many eyes” so they will not be selling the data to anyone and claimed that they had deleted all the data from their personal drive, and that they had not made any copies. They offered an apology also to the 10,200 people who had their data exposed via their posts on BreachedForums, and to Optus itself, saying “hope all goes well with this”.
    They finished by saying they “would have reported [the] exploit if [Optus] had [a] method to contact” and that while the ransom was not paid, they “dont[sic] care anymore” as it was a “mistake to scrape publish data in the first place”.


  • Australia plans to reform cyber security rules, set up agency – Reuters.com

    SYDNEY, Feb 27 (Reuters) – The Australian government on Monday said it planned to overhaul its cyber security rules and set up an agency to oversee government investment in the field and help coordinate responses to hacker attacks.
    The move follows a rise in cyber attacks since late last year with breaches reported by at least eight companies, including health insurer Medibank Private Ltd (MPL.AX) and telco Optus, owned by Singapore Telecommunications Ltd (STEL.SI).
    Current cyber security rules, government policies and regulations "are simply not at the level that we need them to be," Prime Minister Anthony Albanese said during a meeting with industry leaders and experts.
    "This is really fast moving. It's a rapidly evolving threat, and for too many years Australia has been off the pace," Albanese said.
    The government will set up a coordinator for cyber security, supported by a national office within the department of home affairs, tasked with ensuring government agencies work together during cyber incidents.
    The coordinator will also oversee the government's investment strategies on cyber security and help lead the response when hackers attack.
    The government has published a discussion paper on a new cyber security strategy, which it aims to implement next year, and is seeking feedback on how businesses can improve their cyber security in partnership with the government.
    Though the government and the private sector are undertaking critical security measures, the current rules do not ensure smooth coordination during cyber incidents, Minister for Home Affairs Clare O'Neil said, blaming the previous government for implementing them.
    "That law was bloody useless, like not worth being printed on the paper when it came to actually using it in a cyber incident," O'Neil told ABC Radio in an interview. "They're not fit for purpose at the moment, and I do think they need reform."
    © 2023 Reuters. All rights reserved

  • Healthcare breach costs hit record high – Healthcare IT News


    The average breach cost in healthcare surpassed $10 million, with the industry maintaining the top rank for costliest industry breaches for the 12th consecutive year, according to IBM X-Force’s latest Cost of a Data Breach Report.
    The average total cost of a breach in healthcare increased 9.4% from $9.2 million in the 2021 report to $10.1 million in 2022.
    The study also found that healthcare organizations have a longer breach cycle than any other industry, requiring nearly 11 months to identify and contain a breach.
    “In recent years, we’ve increasingly seen cybercriminals rely on the concept of leverage,” says John Hendley, head of strategy at IBM Security X-Force. “Healthcare is simply a very attractive and lucrative target as operations and downtime are considered both costly and urgent.”
    Malicious actors use this sense of urgency as leverage to pressure their victims – often through ransomware attacks.
    Another key factor driving up costs in healthcare is the very nature of healthcare records as static data, Hendley explains.
    “When your credit card information is compromised, your bank will issue you a new card and you can proceed as usual; however, healthcare data fundamentally doesn’t change,” he says. “This means these records are far more valuable and, therefore, easily monetized on the dark web.”
    As such, those bundles of compromised data have a much higher per record cost (about $250 per record) than the average breached record. To put it into perspective, the average data breach cost in healthcare is 80% higher than the global average (of $4.35 million).
    “Finally, because of the complexity of healthcare environments, this industry sees longer breach cycles than any other industry, which contributes to higher costs,” he says. “The longer it takes to identify and contain a breach, the higher the costs businesses will incur.”
    The report shows that healthcare organizations required 232 days to detect and an additional 85 days to contain a data breach.
    Hendley says the most troubling finding from the report is actually the same across all industries: breaches are contributing to the rising cost of everything.
    “According to the study, 60% of businesses increased prices on their products or services because of their data breach,” he points out. “Imagine the route a scalpel takes to get from raw materials to the hand of a surgeon, and how many organizations are involved in that supply chain.”
    First, there’s the company that mines and refines the metal, the company that shapes it into the tool and packages it, the logistics companies that get it where it needs to go, the hospital itself, and the insurance and billing companies that must keep track of its use.
    “Now, how many of those companies have had breaches? Well, on average, our study shows it’s 83% – or four of those five,” he explains. “Many have had more than one.”
    He says the costs from downtime associated with the compromise, time spent responding, and any associated regulatory fines all go somewhere, and they are increasingly being passed on to the consumer, almost like a kind of “cyber tax.”
    Hendley says cyber events need to stop being considered an abstract issue and start being framed for what they are: a significant factor capable of stressing the global economy, just as pressing a matter as COVID, Russia’s war on Ukraine, or other supply chain issues.
    “Now in its 12th consecutive year as the costliest industry, it’s clear that healthcare institutions need to invest in their security to avoid paying these costs in breach fines and damages in the future,” he adds.
    From his perspective, it’s essential they prepare for the next breach – because there will be a next breach.
    “I’m a hacker, and I’ve been inside the networks and systems of hospitals, medical supply companies, pharmaceutical organizations, and more,” he says. “There is always a way in. Always.”
    But all is not lost, and he says healthcare organizations can “absolutely” fight back against modern threat actors.
    “The best way to do that is creating an incident response plan and playbooks,” he says. “What do we do in the event of a breach? Who do we mobilize? What’s the protocol? How can we quickly contain the incident? The answers to these questions should be thoroughly documented and regularly tested so they know what to do in the event of a real-life cyber crisis.”
    Further, while this is a longer-term process, a zero-trust security strategy can help healthcare institutions better manage the risks of their often disconnected and complex environments, while still allowing users access to the appropriate resources.
    “Finally, if you’re looking for a very basic step, organizations should review their identity and access management implementations to force use of multifactor authentication,” Hendley says. “Just this one step greatly helps curb cybercriminals’ ability to use stolen credentials, which is one of their favorite methods of initial compromise.”
    Nathan Eddy is a healthcare and technology freelancer based in Berlin.
    Email the writer: nathaneddy@gmail.com
    Twitter: @dropdeaded209


    © 2023 Healthcare IT News is a publication of HIMSS Media

  • Cyber security training: Insights for future professionals – ComputerWeekly.com

    In this era of digitalisation, the world is witnessing exponential growth in incidents that compromise the security of information owned by businesses or governments. Recently the Royal Mail’s overseas deliveries suffered severe disruption due to a ransomware attack linked to Russian criminals. In 2022, around 50 Indian government websites were hacked and eight data breaches were reported. These included a ransomware attack on some servers at the All India Institute of Medical Science (AIIMS) that paralysed operations of the premier medical institute in India for many weeks.
    The tremendous increase in such incidents has fuelled the demand for qualified IT professionals who could prevent cyber attacks on critical government and business IT assets. But there exists a considerable mismatch in the supply-demand situation of qualified cyber security professionals. To complicate this further, professionals entering this field face difficulty in deciding what skills they should acquire. This article explores what paths are available in cyber security training by analysing reports released by two eminent associations in the field of information security.
    The first report discussed is the latest edition of the annual report on the cyber security workforce released by (ISC)2 titled 2022 Cyber Security Workforce Study. This report presents insights into the challenges and opportunities faced by cyber security professionals around the world. The report was prepared after conducting a survey among 11,779 cyber security professionals. The study estimates that the size of the global cyber security workforce in 2022 was 4.7 million people and the gap in the global cyber security workforce stood at 3.4 million people, which is an increase of 26.6% at the year-over-year (YoY) level.
    Clearly, there exists a wide gap between the supply and demand of cyber security professionals, and the shortage is more evident in the EMEA and APAC regions where the YoY increase is greater than 50%. Half of the cyber security professionals under age 30 who participated in the survey started their careers in IT and then moved to cyber security. Both vendor-neutral certifications (e.g., (ISC)2, ISACA or CompTIA) and vendor-specific certifications (e.g., Microsoft, Amazon or Cisco) were popular among the respondents. Most of the organisations (55%) preferred their employees to acquire a vendor-neutral certification. 
    The second report examined was released by ISACA, entitled State of Cyber Security 2022. In this study, ISACA conducted a survey among 2,031 cyber security professionals from around the globe on seven major aspects of cyber security, covering areas such as staffing and skills. The main findings of this study are discussed below:
    Cyber security staffing: Only 34% of the respondents felt that their organization’s cyber security team was appropriately staffed, and 60% replied affirmatively when asked whether they had difficulty retaining qualified cyber security professionals. Regarding their expectations of future demand for individual contributors in a technical cyber security role, 82% of respondents expected an increase in demand.
    Skills gaps: A notable finding of this survey is the topmost skills gap among cyber security professionals. 54% of the respondents were of the view that cyber security professionals lacked soft skills like communication, flexibility and leadership. The (ISC)2 study also came out with a similar finding. To the question of the most important qualifications required for cyber security professionals seeking employment, 44% responded with strong problem-solving abilities and 27% responded with strong strategic thinking skills.
    The mismatch of competency and social skills gap among cyber security professionals is highlighted by the World Economic Forum (WEF). The authors of an article on workforce gaps note that cyber security goes beyond the realms of the traditional physical and logical layers of cyberspace—since it involves human and societal dimensions, a social layer has to be included in the management of cyber security.
    To address the needs of the social layers, cyber security professionals should be trained in acquiring soft skills. Apart from acquiring soft skills, the ISACA study found the following skill gaps in the technical front of cyber security: cloud computing (52%), security controls (34%) and coding skills (30%). According to the ISACA study respondents, the top five most important security skills needed in their organizations currently are cloud computing (52%), data protection (47%), identity and access management (IAM) (46%), incident response (46%) and DevSecOps (36%).
    The survey reports published by ISACA and (ISC)2 provide very useful insights into the current state of the cyber security workforce and its future possibilities. It may be noted that the supply-demand gap in cyber security workforce requirements is not expected to decline in the coming few years. There is huge potential for adequately skilled professionals to enter this very exciting domain of cyber security, but the main challenge is in acquiring the right skill sets. Both studies highlight the need to acquire the appropriate soft skills along with learning the needed technical capabilities.
    Sudeep Subramanian is an associate professor in the area of international business at the FORE School of Management in New Delhi, India. He has over two decades of experience in information technology and management education. His teaching experience in management courses extends over 12 years and he spent eight years in the IT industry before joining academia. His IT industry experience includes software development, project management, information systems audit, and information security consulting. He is a Certified Information Systems Auditor (CISA) and ISO 27001 Lead Auditor.
    All Rights Reserved, Copyright 2000 – 2023, TechTarget


    source

  • Former Chief Security Officer Of Uber Convicted Of Federal Charges … – Department of Justice

    SAN FRANCISCO – A federal jury convicted Joseph Sullivan, the former Chief Security Officer of Uber Technologies, Inc. (“Uber”), of obstruction of proceedings of the Federal Trade Commission (“FTC”) and misprision of felony in connection with his attempted cover-up of a 2016 hack of Uber. The announcement was made by United States Attorney Stephanie M. Hinds and FBI San Francisco Special Agent in Charge Robert K. Tripp following a four-week trial before the Hon. William H. Orrick, United States District Judge.
    “Technology companies in the Northern District of California collect and store vast amounts of data from users,” said U.S. Attorney Hinds. “We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers. Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught. We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.”
    “The message in today’s guilty verdict is clear: companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur,” said FBI Special Agent In Charge Tripp. “The FBI and our government partners will not allow rogue technology company executives to put American consumers’ personal information at risk for their own gain.”
    The circumstances regarding Sullivan’s violations of the law involve two separate hacks of Uber’s databases—one in 2014 and another in 2016. The evidence at trial established that Sullivan was hired as Uber’s Chief Security Officer (“CSO”) in April 2015. At that time, Uber had recently disclosed to the FTC that it had been the victim of a data breach in 2014 (“2014 Data Breach”) and that the breach related to the unauthorized access of approximately 50,000 consumers’ personal information, including their names and driver’s license numbers. In the wake of that disclosure, the FTC’s Division of Privacy and Identity Protection embarked on an investigation of Uber’s data security program and practices. In May 2015, the month after Sullivan was hired, the FTC served a detailed Civil Investigative Demand on Uber, which demanded both extensive information about any other instances of unauthorized access to user personal information, and information regarding Uber’s broader data security program and practices. 
    The evidence at trial demonstrated that Sullivan, in his new role as CSO, played a central role in Uber’s response to the FTC. Specifically, Sullivan supervised Uber’s responses to the FTC’s questions, participated in a presentation to the FTC in March 2016, and testified under oath, at length, to the FTC on November 4, 2016, regarding Uber’s data security practices. Sullivan’s testimony included specific representations about steps he claimed Uber had taken to keep customer data secure. 
    Exactly ten days after his FTC testimony, Sullivan learned that Uber had been hacked again. The hackers reached out to Sullivan directly, via email, on November 14, 2016. The hackers informed Sullivan and others at Uber that they had stolen a significant amount of Uber user data, and they demanded a large ransom payment from Uber in exchange for their deletion of that data. Employees working for Sullivan quickly verified the accuracy of these claims and the massive theft of user data, which included records on approximately 57 million Uber users and 600,000 driver license numbers. 
    The evidence demonstrated that, shortly after learning the extent of the 2016 breach and rather than reporting it to the FTC, any other authorities, or Uber’s users, Sullivan executed a scheme to prevent any knowledge of the breach from reaching the FTC. For example, Sullivan told a subordinate that they “can’t let this get out,” instructed them that the information needed to be “tightly controlled,” and that the story outside of the security group was to be that “this investigation does not exist.” Sullivan then arranged to pay off the hackers in exchange for them signing non-disclosure agreements in which the hackers promised not to reveal the hack to anyone and which also contained the false representation that the hackers had not taken or stored any data in their hack. Uber paid the hackers $100,000 in bitcoin in December 2016, despite the fact that the hackers had refused to provide their true names. Uber was ultimately able to identify the two hackers in January of 2017 and required them to execute new copies of the non-disclosure agreements in their true names, emphasizing that they were not allowed to talk about the hack to anyone else. Sullivan orchestrated these acts despite knowing that the hackers were hacking and extorting other companies as well as Uber, and that the hackers had obtained data from at least some of those other companies.
    The evidence showed that, despite knowing in great detail that Uber had suffered another data breach directly responsive to the FTC’s inquiry, Sullivan continued to work with the Uber lawyers handling or overseeing that inquiry, including the General Counsel of Uber, and never mentioned the incident to them. Instead, he touted the work that he and his team had done on data security. Uber ultimately entered into a preliminary settlement with the FTC in summer 2016, supported fully by Sullivan, without disclosing the 2016 data breach to the FTC.
    In Fall 2017, Uber’s new management began investigating facts surrounding the 2016 data breach. When asked by Uber’s new CEO what had happened, Sullivan lied, falsely telling the CEO that the hackers had only been paid after they were identified and deleting from a draft summary prepared by one of his reports that the hack had involved personally identifying information and a very large quantity of user data. Sullivan lied again to Uber’s outside lawyers conducting an investigation into the incident. Nonetheless, the truth about the breach was ultimately discovered by Uber’s new management, which disclosed the breach publicly, and to the FTC, in November 2017.
    In addition, the two hackers identified by Uber were ultimately prosecuted in the Northern District of California. Both pleaded guilty on October 30, 2019, to computer fraud conspiracy charges and now await sentencing. The separate guilty pleas entered by the hackers demonstrate that after Sullivan assisted in covering up the hack of Uber, the hackers were able to commit an additional intrusion at another corporate entity—Lynda.com—and attempt to ransom that data as well.
    In finding Sullivan guilty, the jury concluded he obstructed justice, in violation of 18 U.S.C. § 1505, and that he committed misprision of felony (i.e., knew that a federal felony had been committed and took affirmative steps to conceal that felony), in violation of 18 U.S.C. § 4. Sullivan faces a maximum of five years in prison for the obstruction charge, and a maximum three years in prison for the misprision charge. However, any sentence following conviction would be imposed by the court after consideration of the U.S. Sentencing Guidelines and the federal statute governing the imposition of a sentence, 18 U.S.C. § 3553. 
    Sullivan remains free on bond pending sentencing. His sentencing will be set at a later date. 
    The case is being prosecuted by the Corporate and Securities Fraud Section of the U.S. Attorney’s Office. The prosecution is the result of an investigation by the FBI. 

    source