Across the nation, CISA offers a range of cyber and physical services throughout our 10 regions
CISA’s program of work is carried out across the nation by personnel assigned to its 10 regional offices. To contact your region’s office, click on the appropriate Region below based on your state.
Across the nation, the Cybersecurity and Infrastructure Security Agency (CISA) offers a range of cyber and physical services to support the security and resilience of critical infrastructure owners and operators and state, local, tribal, and territorial partners. Our experts collaborate with critical infrastructure partners and communities at the regional, state, county, tribal, and local levels to:
Within each CISA Region are your local and regional Protective Security Advisors (PSAs), Cyber Security Advisors (CSAs), Emergency Communications Coordinators (ECCs), and Chemical Security Inspectors (CSIs). In order to build stakeholder resiliency and form partnerships, these field personnel assess, advise, and assist and provide a variety of risk management and response services.
CISA maximizes its resources by engaging stakeholders in a unified, integrated and cohesive way, including through speaking events and conferences.
Author: rescue@crimefire.in
-
CISA Regions – CISA
-
Why we need global rules to crack down on cybercrime – World Economic Forum
© 2023 World Economic Forum -
Personal Data Breach Notification (Thailand) – Data Protection … – Mondaq
On 15 December 2022, the Notification of the Personal Data Protection Committee re: Rules and Methods for Notification of the Personal Data Breach B.E. 2565 (2022) dated 6 December 2022 (“Notification”) was published in the Government Gazette and became immediately effective thereafter.
One of the obligations of the data controller under the Personal Data Protection Act (“PDPA”) is to notify any personal data breach (“Personal Data Breach”)1 to the Office of the Personal Data Protection Committee (“PDPC Office”) and/or the data subject2. The Notification therefore elaborates on the definition of a Personal Data Breach and the details of the Personal Data Breach notification, which we summarize in this article.
The data controller has the duty to notify the PDPC Office when a Personal Data Breach incident as defined in the Notification occurs due to an action of the data controller, data processor, or a staff, employee, contractor, representative, or related person of the said data controller or the data processor, or any other persons, or any other factors (“Data Breach Incident”). Such Data Breach Incident may occur in various forms, as follows:
In the case of a Data Breach Incident, the data controller must:
(1) assess the credibility of such information and preliminarily investigate the Personal Data Breach without undue delay, which includes assessing the risk level of such Personal Data Breach;
(2) prevent, cease, or rectify the Personal Data Breach if the data controller finds that such Personal Data Breach poses a high risk of impacting the rights and freedom of a person;
(3) notify the PDPC Office of the cause of the Data Breach Incident without undue delay and within 72 hours from the time that it becomes aware of the cause, unless such breach does not pose a risk of impacting the rights and freedom of a person;
(4) notify the data subject of the cause of the Data Breach Incident together with the remedy approach without undue delay in the case of such breach posing a high risk of impacting the rights and freedom of a person; and
(5) proceed with the necessary and appropriate measures to cease, respond to, rectify, or remedy the condition resulting from the Personal Data Breach, and to prevent and reduce the impact of any similar Personal Data Breach in the future, which includes reviewing security measures to ensure their effectiveness.
To supplement the obligations in item 2.2 (3) and (4) above, the details of the notification of the Data Breach Incident shall be as follows:
(1) A notification of the Data Breach Incident to the PDPC Office shall be performed in accordance with the following details:
The data controller may rely on an exemption not to make a notification to the PDPC Office if the data controller can prove, for example, that such Data Breach Incident does not pose a risk of affecting the rights and freedom of a person, etc. In this regard, to rely on such an exemption, the data controller has the duty to provide information or evidence for the PDPC Office to consider.7 However, the method and timeline of the provision of information and evidence in relation to such exemption is not stipulated in the Notification.
(2) Notification of the Data Breach Incident to the data subject shall be performed in accordance with the following details:
In the case where the data controller enters into an agreement with the data processor with respect to an entrustment of data processing, the data controller shall stipulate in such agreement the obligation of the data processor to notify the data controller of the Data Breach Incident without delay within 72 hours from the time which the data processor becomes aware of the cause.9
For the assessment of risk of the Personal Data Breach regarding its impact on the rights and freedom of a person, the data controller may take into account factors as itemized in the Notification, such as the category of the breach, personal data that has been compromised, number and status of affected data subjects, security measures that have been taken or will be taken by the data controller, and the impact of the breach on the public, etc.10
The notification of the Data Breach Incident to the PDPC Office and the data subject is one of the key obligations of the data controller and/or data processor from the perspective of personal data protection.
To enhance the understanding of the said obligation, the PDPC also published the Manual on Guideline for Assessment of Risk and the Notification of the Personal Data Breach Version 1.0, dated 15 December 2022.
If the data controller fails to make a notification of the Data Breach Incident as required under the PDPA and the Notification, it shall be liable for an administrative fine not exceeding THB 3,000,000 (Three Million Baht).11 Therefore, any person who is considered as a data controller and/or data processor should ensure that they duly comply with the obligation related to the Data Breach Incident under the PDPA and the Notification.
Footnotes
1. Clause 3 of the Notification. In this Notification,
“Personal Data Breach” means a breach of security measures that causes loss, unauthorized or unlawful access, use, alteration, editing, or disclosure of personal data, whether it is intentional, willful, negligent, an unauthorized or unlawful act, computer crime, cyber threat, error or accident, or other causes.
2. Section 37(4) of the PDPA.
3. Clause 4, Paragraph One of the Notification. A Personal Data Breach of which the data controller has the duty to notify the Office or the data subject…may involve a breach of one or more categories as follows:
4. Clause 6 of the Notification.
5. Clause 6 of the Notification.
6. Clause 7 of the Notification.
7. Clause 9 of the Notification.
8. Clause 11 of the Notification.
9. Clause 8 of the Notification.
10. Clause 12 of the Notification. For an assessment of the risk that the Personal Data Breach poses in relation to the degree of impact on the rights and freedom of a person, the data controller may take into account the following factors:
11. Section 83 of the PDPA.
© Mondaq® Ltd 1994 – 2023. All Rights Reserved.
-
Data breach impacts over 20M TruthFinder, Instant Checkmate … – SC Media
Tom Spring
Credential-stuffing attack compromises fast food chain Chick-fil-A customers loyalty accounts.
SC Staff
Government Technology reports that Southeastern Louisiana University had its network shut down following a possible cyberattack on Feb. 23, resulting in difficulties in coursework completion and the need for remote classes.
Copyright © 2023 CyberRisk Alliance, LLC All Rights Reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorization.
-
Bridging the Gap Between Vacant Cybersecurity Jobs and … – CSO Online
By Sandra Wheatley |
CISOs today face an expanding attack surface, increasing threats, and a cybersecurity skills gap. An integrated and automated approach to security is needed to protect the whole infrastructure.
According to the global Fortinet 2022 Cybersecurity Skills Gap Report, surveyed organizations say that the cybersecurity skills gap contributed to 80% of their documented breaches. Clearly, the cyber talent shortage is severely hampering business productivity and progress. The same survey also reveals that globally 64% of organizations have experienced breaches that resulted in loss of revenue, recovery costs, and/or fines.
It’s no wonder that the lack of qualified cybersecurity professionals has become a major concern for leaders everywhere. The lack of cyber skills across the workforce is having many negative effects on organizations, including damage to their reputations and financial losses.
More Stats to Contend With
The cybersecurity workforce needs to expand by 65% to adequately defend organizations, according to the (ISC)2 2021 Cyber Workforce Report. While the number of unfilled cybersecurity jobs fell by around 400,000 in 2021, there are still 2.72 million unfilled positions that need individuals with the appropriate cybersecurity skills. This remains a significant skills void that leaves organizations around the world ill-prepared against cybercrime. Something must be done to address this shortage of qualified cybersecurity personnel, or the working world will face the future shorthanded and very vulnerable to attacks from aggressive and evolving cybercriminals.
The global 2022 Cybersecurity Skills Gap Report also found that 60% of executives surveyed confessed that their organizations are struggling to recruit qualified individuals as well as hang on to current cybersecurity staff. The competition for the cybersecurity talent to fill critical roles ranging from cloud security specialists to SOC analysts is so fierce that more than half (52%) of the same surveyed executives say they are having significant trouble retaining their valuable employees.
What the Numbers Tell Us
The Fortinet skills gap research also indicates that globally 70% of leaders see the recruitment of women as a hurdle, 71% find recruiting new graduates as challenging and 61% say hiring minorities is difficult. All organizations should be focused on developing better ways to recruit women, new graduates, and minorities.
Growing the candidate pool for filling cybersecurity openings by proactively pursuing those in under-represented communities is an excellent method for bridging the gap. The report provides evidence that organizations are doing more than just providing lip service to building more diverse teams:
In addition to proactively recruiting individuals from under-represented communities, providing training and certifications is another method for expanding the cybersecurity candidate pool. The report also reveals that offering employees continuing education and rewarding them for their efforts are effective ways for organizations to counteract the skills gap. The report says that:
Something Must Be Done
Fortinet is committed to addressing the problems outlined in the skills gap report. The Fortinet Training Advancement Agenda (TAA) and Training Institute programs are initiatives focused on educating anyone who is exploring a career change and helping current cybersecurity professionals, who want to expand their knowledge base, achieve certifications. As part of this commitment, we have pledged to train one million professionals by 2026 in cyber skills and awareness. Key to achieving this goal is recruiting more women into the cybersecurity industry.
Fortinet is preparing the cybersecurity workforce of tomorrow through our various Fortinet Training Institute programs, including the award-winning NSE Certification program. The Fortinet Training Institute relies on public and private partnerships to help address the skills gap by increasing the access and reach of its cybersecurity certifications and training. For example, we work with organizations like the World Economic Forum on the most pressing cybersecurity issues. Other partnerships include leaders in industry, academia, government, and nonprofits, to reach as many interested parties as possible and help remove the obstacles that create the cybersecurity skills gap.
Learn more about the Fortinet free cybersecurity training initiative and Fortinet’s Training Institute, including the NSE Certification program, Academic Partner program, and Education Outreach program which includes a focus on Veterans.
Copyright © 2022 IDG Communications, Inc.
-
Cybercrime Top 10 Rankings: China is No. 1 While U.S. Records … – MSSP Alert
by D. Howard Kass • Dec 23, 2022
The U.S. is ranked 10th in a listing of countries with the highest rates of cybercrimes, according to Bscholarly, an academic and legal blog.
Crime categories range from stealing and fraud to identity theft, money laundering, intellectual property heists, kidnapping, sex trafficking, espionage and more.
Here’s Bscholarly’s full list of countries their unique security issues:
-
Cybercrime (and Security) Predictions for 2023 – The Hacker News
Threat actors continue to adapt to the latest technologies, practices, and even data privacy laws—and it’s up to organizations to stay one step ahead by implementing strong cybersecurity measures and programs.
Here’s a look at how cybercrime will evolve in 2023 and what you can do to secure and protect your organization in the year ahead.
With the rapid modernization and digitization of supply chains come new security risks. Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains—this is a three-fold increase from 2021. Previously, these types of attacks weren’t even likely to happen because supply chains weren’t connected to the internet. But now that they are, supply chains need to be secured properly.
The introduction of new technology around software supply chains means there are likely security holes that have yet to be identified, but are essential to uncover in order to protect your organization in 2023.
If you’ve introduced new software supply chains to your technology stack, or plan to do so sometime in the next year, then you must integrate updated cybersecurity configurations. Employ people and processes that have experience with digital supply chains to ensure that security measures are implemented correctly.
It should come as no surprise that, with the increased use of smartphones in the workplace, mobile devices are becoming a greater target for cyber-attack. In fact, cyber-crimes involving mobile devices increased by 22% in the last year, according to the Verizon Mobile Security Index (MSI) 2022, with no signs of slowing down in advance of the new year.
As hackers home in on mobile devices, SMS-based authentication has inevitably become less secure. Even seemingly well-secured companies can be vulnerable to mobile device hacks. Case in point: several major companies, including Uber and Okta, were impacted by security breaches involving one-time passcodes in the past year alone.
This calls for the need to move away from relying on SMS-based authentication, and instead to multifactor authentication (MFA) that is more secure. This could include an authenticator app that uses time-sensitive tokens, or more direct authenticators that are hardware or device-based.
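As an added example, not code from the original article, the "authenticator app that uses time-sensitive tokens" recommended above is RFC 6238 TOTP. The Python below implements HOTP/TOTP generation, a verifier that tolerates one time step of clock drift and compares codes in constant time, and replay rejection by remembering the last consumed time step, which is the property an SMS code cannot offer. The shared secret is the RFC 4226/6238 reference-vector secret so the output can be checked against the RFC's published table; the account name, issuer and drift window are assumptions for illustration, and a real deployment would generate a random per-user secret (for example `os.urandom(20)`).

```python
"""RFC 6238 TOTP generation and verification (added example, not from the article)."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# RFC 4226/6238 reference-vector secret (a known test value, NOT a real key).
TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per counter value (RFC 6238 default)
DIGITS = 6       # code length most authenticator apps use


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(secret, counter) -> dynamic truncation -> decimal digits."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the time counter floor(T / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_counter: int,
                window: int = 1, step: int = TIME_STEP, digits: int = DIGITS):
    """Check a submitted code against the current step and +/-window neighbours.

    Returns (ok, new_last_counter). Two details matter for security:
    * the comparison uses hmac.compare_digest, so timing does not leak digits;
    * any counter at or below last_counter is refused, so a code captured in
      flight cannot be replayed within its 30-second validity window.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False, last_counter
    now = unix_time // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue                                      # already consumed or too old
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True, counter
    return False, last_counter


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps read from the enrolment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={TIME_STEP}")


if __name__ == "__main__":
    # RFC 6238 Appendix B, SHA-1, 8 digits: T=59 -> 94287082
    print("T=59:", totp(TEST_SECRET, 59, digits=8))
    print(provisioning_uri(TEST_SECRET, "alice@example.com", "ExampleCorp"))  # assumed names
    now = int(time.time())
    code = totp(TEST_SECRET, now)
    ok, last = verify_totp(TEST_SECRET, code, now, last_counter=-1)
    print("first use accepted:", ok)
    ok_again, _ = verify_totp(TEST_SECRET, code, now, last_counter=last)
    print("replay accepted:", ok_again)
```

The server stores only the per-user secret and the last accepted counter; the secret never travels over the phone network, so SIM-swap and SMS-interception attacks on the second factor do not apply, and the counter check makes each code single-use even within its validity window.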
Organizations need to take extra precautions to prevent attacks that begin with the frontline by implementing software that helps verify user identity. According to the World Economic Forum’s 2022 Global Risks Report, 95% of cybersecurity incidents are due to human error. This fact alone emphasizes the need for a software procedure that decreases the chance of human error when it comes to verification. Implementing a tool like Specops’ Secure Service Desk helps reduce vulnerabilities from socially engineered attacks that are targeting the help desk, enabling a secure user verification at the service desk without the risk of human error.
As more companies opt for cloud-based activities, cloud security—any technology, policy, or service that protects information stored in the cloud—should be a top priority in 2023 and beyond. Cyber criminals become more sophisticated and evolve their tactics as technologies evolve, which means cloud security is essential as you rely on it more frequently in your organization.
The most reliable safeguard against cloud-based cybercrime is a zero trust philosophy. The main principle behind zero trust is to automatically verify everything—and essentially not trust anyone without some type of authorization or inspection. This security measure is critical when it comes to protecting data and infrastructure stored in the cloud from threats.
Ransomware attacks continue to increase at an alarming rate. Data from Verizon shows a 13% increase in ransomware breaches year-over-year. Ransomware attacks have also become increasingly targeted: sectors such as healthcare and food and agriculture are just the latest industries to be victims, according to the FBI.
With the rise in ransomware threats comes the increased use of Ransomware-as-a-Service (RaaS). This growing phenomenon is when ransomware criminals lease out their infrastructure to other cybercriminals or groups. RaaS kits make it even easier for threat actors to deploy their attacks quickly and affordably, which is a dangerous combination to combat for anyone leading the cybersecurity protocols and procedures. To increase protection against threat actors who use RaaS, enlist the help of your end-users.
End-users are your organization’s frontline against ransomware attacks, but they need the proper training to ensure they’re protected. Make sure your cybersecurity procedures are clearly documented and regularly practiced so users can stay aware and vigilant against security breaches. Employing backup measures like password policy software, MFA whenever possible, and email-security tools in your organization can also mitigate the onus on end-user cybersecurity.
We can’t talk about cybersecurity in 2023 without mentioning data privacy laws. With new data privacy laws set to go into effect in several states over the next year, now is the time to assess your current procedures and systems to make sure they comply. These new state-specific laws are just the beginning; companies would be wise to review their compliance as more states are likely to develop new privacy laws in the years to come.
Data privacy laws often require changes to how companies store and process data, and implementing these changes might open you up to additional risk if they are not done carefully. Ensure your organization adheres to proper cyber security protocols, including zero trust, as mentioned above.
-
How Covid-19 impacted cyber security challenges, focus and spends | Cyber Security Hub – Cyber Security Hub
The results in this report are from the Cyber Security Hub survey which we fielded to subscribers in May and June 2020 to benchmark actual results from H1 2020 against expectations for H2 2020. Reflecting a balanced representation of the enterprise cyber security mindset, the largest segment of survey respondents (41 percent) describes their job function as cyber security. The next largest segment is IT (27 percent), followed by corporate management (9 percent).

Qualified respondents were truly cross industry coming from automotive, education, financial services, government, healthcare/life science, manufacturing, media/telecommunications, retail/consumer packaged goods (CPG), technology, travel/hospitality and utilities/oil and gas/energy.
Also read: CISO Strategies for proactive threat prevention
There were potentially alarming responses to our global pandemic related questions in this mid-year survey. When asked “Has your approach to security changed as a result of the global pandemic and an increasingly remote workforce?” 40 percent said no.
Roughly two in five cyber security organizations have not changed their approach to security as a result of the global pandemic. Such a large percentage of the CISO community not having changed their approach to cyber security, in the face of a global pandemic that has hurled us all into a new workforce infrastructure, is truly concerning.
How the cyber security landscape has changed due to the pandemic:
Why did 40 percent of the cyber security community not change their approach?
In addition to the absence of any change in mindset from a significant portion of the community, the reduction in staff due to financial pressures on companies during the pandemic was similarly concerning. A past potential insider threat now had the potential to become a nefarious external threat.
As reported on Cyber Security Hub in Why Is Top Cyber Security Talent Suddenly In Flight, when asked about the 19 percent unemployed DevOps/DevSecOps community Parag Deodhar, director of information security, Asia Pacific for VF Corporation noted: “when people do not have access to enough money, food or resources, there will be more actors coming up”. Deodhar explained also that the pandemic has expanded the threat landscape, meaning that “not only were folks pushed [towards cyber crime], but also, the landscape open[ed] up for folks as well.”
Jamal Hartenstein, who has worked with the department of defense on military bases as a part of joint task forces and has experience with every branch of service, notes that there was industry realization that organizations needed to be more proactive and better focus on detection and that the global pandemic has accelerated that focus.
When asked about his perception, he explains that, “if you do not increase your security measures, you have exponentially just multiplied in magnitudes the risk based on all the threat and vulnerability and risk.”
In this mid-year 2020 survey, 40 percent of the cyber security community said they had not changed their mindset in the face of the global pandemic, while 20 percent of top cyber security talent had been made redundant. With this in mind, it was unsurprising that 67 percent of the cyber security community reported their budgets were decreasing or staying the same.
While over two thirds of cyber security professionals noted their budget was staying the same or decreasing in July 2020, just one year earlier 59 percent reported an increase in budget in the Mid-Year Market Report 2019. This means the pandemic had a significant impact on cyber security spend.
In the wake of the global pandemic with attacks on the rise, it would be expected that cyber security budgets would increase to combat this. Those in the cyber security community, however, disagree with 62 percent expecting budgets will decrease or stay the same.

Taking a step back shows that the industry feels that things are positive and getting better. When asked “Do you feel as though the overall state of cyber security, meaning resiliency, compliance, awareness, etc., is improving?” 84 percent said ‘yes’.


The top three areas of focus for respondents during the pandemic were security awareness, detection and incident response, and access controls, in keeping with the results of the last three Cyber Security Hub surveys. Just outside of that group is elevating cyber security with top-level management, a topic that was similarly highlighted over the previous two surveys.
As the majority of cyber security budgets had not yet shifted in the face of a momentous societal occurrence, how money is spent became all the more important. Endpoint security went from the fifth highest to the second highest spend from November 2019 to June 2020, most likely in response to employees working from home, which increases the chance of an endpoint being used as an attack vector.
While compliance priority decreased 17 percent from 2019 to 2020, this may be because those in cyber security had finished making the initial major changes needed to comply with GDPR. The 9 percent increase in SIEM focus showed that the community was looking to further adopt automation tools, potentially due to the decrease in workforce and the need to streamline cyber security.
Whether it is the cloud or the device perimeter, there is a level to which a human element can make them fail, but it is rare. Generally, people who play with firewalls tend to be security savvy. So, if they make a mistake, for example opening up a hole for a vendor or for an audit and then not shutting it down, that is generally when they are overworked.
Corporate email and personal email relies on common security awareness and intelligence, and the lowest common denominator usually wins. Malicious actors can go and find the CFO administrative assistant’s Facebook page, find out who their kids are and what school they go to, then easily craft an email that will make the CFO think, “Hey, my secretary just asked me to contribute to her son’s scholarship fund on GoFundMe.”
People naturally want to trust and playing on that trust is so easy to do and to make it look good. Especially in this Covid-19 world while most of us are working from home, you drop your guard a little bit because you are in unfamiliar surroundings. You are in that home setting rather than that work setting. That is what scares the tar out of me about email.
If you have got a great team, each member usually does one thing well. Even if you have already got the technology in place, can one person take care of firewall, compliance, intrusion detection, threat intelligence? Can they execute on multiple things? Each of these takes time, and if each member has to take care of three of them, how are they actually going to get each done well?
Our biggest customer was bringing in three new technologies simultaneously. Each technology takes six months to get right. They tried to go it alone with vendor products and failed. When they came to us they said, “We missed a breach,” because either their SIEM or SOAR were not tuned properly, or they never got our end point fully deployed.
I am not sure how much of a shameless plug this should be, but a different way to deal with the staffing issue depending upon where you are is to rely on third parties who may have more people. One of our key selling advantages is that because we deal with thousands of customers, I can take that really good smart security person, and maybe she can look at a bank in the morning and hotel chain in the afternoon and a web front the next day. So, we provide variety. We provide something always challenging to our talent. Complacency hopefully never sets in and I have got the staffing capabilities to have a person work on a project three months to avoid burnout. That is really difficult to do unless you are a Fortune 100 company.
“You drop your guard a little bit because you’re in unfamiliar surroundings.”
Sam McLane
Head of Security Engineering, Arctic Wolf

There are two main issues that faced the cyber security community in building teams during the pandemic – a perceived shortage of talent and insufficient budget.

As nearly half of the community perceived a shortage of talent, it is important to consider what companies were doing to acquire talent during the pandemic. More than one in five respondents reported implementing mentor programs. Another 20 percent saw interns as the answer, with nearly 10 percent reporting that they engaged with universities to procure employees.
It was not all change, however, as just under two in five noted that they were simply going to maintain current behaviors and activities to move forward.
Also read: Automating enterprise cyber security report
There was a marked shift in industry thinking from November 2019 to June 2020 around the concept of defense in depth, with a 10 percent composite swing from the concept of industry consolidation to defense in depth.

The industry craves standardization, as indicated by the continued increase in the use of industry frameworks.

In 2020, the state actor hacker space was becoming ever more crowded. Unemployed cyber security talent was a new and looming threat. Dovetailing with cyber-criminal sophistication and collaboration was a brand-new wide-open threat landscape. This all put increased pressure on cyber security professionals.