What are the biggest, most interesting stories in the ever-changing worlds of cybersecurity, risk mitigation, and information governance?
It’s harder than ever to narrow the field – because the world is moving just that quickly. But we’ll give it our best shot with 9 stories that caught our eye this quarter, an interesting mix of GRC and cybersecurity items that show how many different forces and trends are at work the world over.
> Employees and social media cybercrime? It’s costing companies billions
One in five organizations has been infected with malware distributed via social media, and social media-enabled cybercrime is generating at least $3.25BN in annual global revenue for the bad guys, according to an extensive study by a leading academic at the University of Surrey.
One notable threat comes from cryptojacking, where employee or personal computers are hijacked to perform cryptomining operations, and it’s actually surpassed ransomware as the top threat to individual and corporate computer systems.
Four of the top five global websites hosting cryptomining code are social media sites, and those sites contain up to 20% more methods of malware delivery than ecommerce, digital media, or corporate sites. So having a solid social media policy management solution in place as one arm of your cybersecurity strategy is more indispensable than it’s ever been.
> Is Russia cracking down on cybercriminals, or shielding their own?
The Russian government handed down stiff sentences to a former head of its cyber-intelligence operations and an executive at Kaspersky Labs. The “treason” they’ve been convicted of is the real source of furor. News organizations and observers claim the two are being punished for tipping off U.S. intelligence officials about those responsible for Russian hacking activities surrounding the 2016 U.S. presidential election.
Kaspersky is one of the world’s leading cybersecurity firms, of course, and provider of tools like its hypnotic (and frightening) real-time cyberthreat map. If Russia’s definition of “treason” extends to security professionals cooperating with foreign law enforcement officials, it may have a chilling effect on future cross-border cooperation to battle cybercrime. At least, that’s likely the case when one of the countries in question seems to be following its own nationalist agenda when it comes to cybersecurity.
> U.K. financial services data breaches rose 480% in 2018
You read that right. According to a new (paywalled) report from the Financial Times, hackers have put their crosshairs on U.K. FinServ firms. Data from the country’s Financial Conduct Authority indicated there was a 5X increase in data breaches among financial services companies last year.
“Companies reported 145 breaches to the FCA last year, up from 25 in 2017, with investment banks reporting the highest number of incidents at 34, up from just three the previous year.”
The research implies cybercriminals are aiming at investment banks because of a sense their security safeguards are inferior to those of retail banks. The types of data investment banks store are potentially more lucrative; M&A data, for instance, could be leveraged for insider trading.
Other areas that saw sizable upticks in FinServ data breach reports?
- Insurers reported 33 breaches in 2018, up from seven in 2017.
- Consumer retail lending firms reported 21 breaches in 2018, up from four the year before.
- Retail investment firms saw 11 breaches in 2018, versus none in 2017.
Are there positives? Some think this jump is more a sign that the arrival of the GDPR and greater awareness of cyberthreats has improved the level of reporting by financial services companies. It may be no coincidence that June 2018, the first month under the GDPR, saw the highest total of breach reports.
> Data privacy protection is getting tougher in California
The Golden State is already a golden opportunity for class action lawsuits in the eyes of some critics, thanks to its penchant for consumer protection regulation. If new data privacy amendments proposed for the existing California Consumer Privacy Act (CCPA) go into effect, consumers will be able to sue tech giants like Google and Facebook if they feel their data privacy rights have been violated.
Lobbyists and spokespeople for Silicon Valley are already on the warpath against the bill, saying they’ll benefit no one but those class action lawyers. But proponents point to incidents like Facebook’s Cambridge Analytica debacle as evidence of a need for further regulation.
“The tech industry, by its very nature, has been very much opposed to any form of regulation,” says the bill’s sponsor, Senator Hannah-Beth Jackson, a Democrat from Santa Barbara. “It’s an industry that’s reincarnated the Wild West; no rules, no limits, no regulation. We’ve reached the tipping point.”
Much as the GDPR was seen as a model for other regulation, the CCPA is being viewed by other U.S. states as a template for their own data privacy statutes; Washington, for one. As drafted, the CCPA is actually broader than even the GDPR. So companies who feel secure in their GDPR compliance might be in for a rude awakening if they run afoul of CCPA.
> U.S. regulators get tough about cybersecurity compliance
It’s not enough to have a cybersecurity compliance program in place. In the eyes of many U.S. regulators, it’s got to measure up to a higher standard – or the penalties they’ll lay down can mount up.
Case in point: On January 25, the North American Electric Reliability Corporation (NERC) asked the Federal Energy Regulatory Commission (FERC) to approve a heavily redacted settlement involving a record $10 million fine against “an unidentified utility” stemming from violations of critical infrastructure protection (CIP) standards over several years.
Even though the utility had an internal compliance program in place at the time, NERC found it deficient due to a lack of support and accountability on the part of management, poor oversight, documentation and training, and organizational silos that caused a lack of communication and confusion.
In other words? They were called out for the same factors present in too many other companies. These lapses seriously increase the risk of a similar regulatory whammy if the offender is operating in a heavily regulated sector like financial services or healthcare. So establishing an active culture of compliance is absolutely necessary.
> “Formjacking” is in vogue with cybercrooks
Hacks that struck at big companies like British Airways and Ticketmaster are big news, but Symantec says small and mid-sized retailers of anything from clothing to gardening equipment are often victimized, too. “This is a global problem with the potential to affect any business that accepts payments from customers online,” the report stated.
> Women-only workplaces on the rise as a #MeToo response
One way of curtailing sexual harassment and gender bias claims, in the minds of some companies and entrepreneurs? That’s simple: Remove the men.
An increasing number of women-only and women-focused workspaces have established themselves across the U.S. Some were set up before #MeToo caught fire, but they’ve certainly benefitted from the movement. They’ve also taken advantage of the desire among female workers to build supportive workplace environments that are marked departures from traditional corporate cultures.
How successful this will be is a good question. Particularly since mitigating one type of risk has created another source of exposure that’s taken the place of sexual harassment claims: Gender discrimination lawsuits have been filed by men against some of these operations, forcing changes in membership policies in at least one case.
> In a #MeToo age, companies are turning to reputation management firms
As the #MeToo movement continues to roll on, with some very notable recent demonstrations of its reach, corporations are increasingly concerned with their potential for reputational damage and exposure to #MeToo claims. According to CNBC research, about 30% of the 2018 annual company reports mandated by the U.S. Securities and Exchange Commission (SEC) included “reputational risk” among their risk factors.
So they’re turning to reputation management consultants who conduct in-depth analysis of a company’s leadership and corporate culture, identifying where issues of sexual harassment occur and recommending how to address them before they go public. Sometimes, that involves showing senior executives the door.
Companies face damning legal liabilities for bad practices, and aren’t prepared for them. Workplace sexual harassment claims jumped more than 12% in fiscal 2018, according to the U.S. Equal Employment Opportunity Commission (EEOC). The EEOC recovered $70 million from companies for sexual harassment victims in 2018, up from $47.5 million in 2017.
> “Fatigue risk” a danger that’s touched 9 of 10 U.S. employers
Employee risk takes forms outside of cybersecurity or sexual harassment. Another source? Fatigue. At least that’s what the National Safety Council (NSC) says, claiming 90% of U.S. employers have been negatively impacted by tired workers.
In fact, 43% of employees in the study admitted they might be too tired to function safely on the job, making fatigue a growing workplace hazard. The NSC issued a call for all employers nationwide to implement comprehensive fatigue risk management systems that can help prevent the 13% of workplace injuries blamed on sleep issues.
The cumulative cost? Fatigue costs the U.S. economy more than $400 BN annually. A company with 1,000 employees can count on losing over $1 million per year in missed work days, lower productivity, and increased healthcare costs.
Some of the ways fatigue risk management programs address this challenge? By combining employee education and training with culture change, workplace modifications, and data-driven analytics to recognize and fix problems.