September 7, 2023
In this Episode:
Edwin Kwan: The Office of the Australian Information Commissioner, OAIC, has just released a report of data breach notifications made between January to June, 2023. The top sectors to notify of data breaches were health service providers, financial services and recruitment agencies.
Katy Craig: The US Securities and Exchange Commission’s new cyber incident disclosure rules have recently come into effect. Although the specific requirement will not be enforced until December, experts recommend that companies begin preparations immediately.
Ian Garrett: Armis, a security company, conducted a study focused on cyber assets with the highest number of attack attempts and weaponized common vulnerabilities and exposures, or CVEs. The most vulnerable assets are among the Internet of Medical Things, or IoMT, and the most targeted among Operational Technology, or OT assets.
Hillary Coover: Curious about how TikTok is handling your data and whether it’s safe from prying eyes? TikTok’s recent move to open its first European data center, along with third-party security audits, aims to ease concerns. But the real question is, will these steps truly safeguard your privacy?
The Stories Behind the Cybersecurity Headlines
Australian Data Breach Notifications in the First Half of 2023
This is Edwin Kwan from Sydney, Australia.
According to the report, the number of data breach notifications decreased by 16% to 409 notifications.
The top sectors to notify of data breaches were health service providers, financial services and recruitment agencies. 63% of the data breaches affected fewer than 100 people. The main source of data breaches were malicious or criminal attacks, followed by human errors.
For data breaches due to malicious or criminal attacks, 27% were from social engineering, 7% were insider threats, and 7% were due to theft of paperwork or a data storage device. As for human error, 46% was due to personal information being sent via email to the wrong recipient. As for the time taken for breaches to be identified, 78% were identified within 30 days, and 6% were identified after 12 months.
The OAIC publishes twice-yearly reports on notifications received to track the leading sources of data breaches, and highlight emerging issues and areas for ongoing attention.
Office of the Australian Information Commissioner – https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-january-to-june-2023
How to Comply with SEC’s New Cyber Disclosure Rules
The U.S. Securities and Exchange Commission’s new cyber incident disclosure rules have recently come into effect. These regulations mandate that public companies report a cyber incident to the SEC within four days, provided the incident is deemed “material” in nature. Although this specific requirement will not be enforced until December, experts recommend that companies begin preparations immediately.
This is Katy Craig in San Diego, California.
The term “material” is defined by the SEC as an incident that would likely influence the judgment of a reasonable person relying upon the report. However, cybersecurity experts have expressed concerns about the ambiguity of this definition, particularly given the time-sensitive nature of cyber incident reporting.
Additionally, the new rules have raised questions about how companies should handle third-party and supply chain attacks, which are increasingly prevalent. The regulations currently offer limited guidance on this matter, adding complexity to the reporting process.
Harley Geiger, a cybersecurity policy lawyer, advises that public companies should align their security, legal, and corporate communication teams to adapt their cyber incident response plans and financial reporting processes in accordance with these new obligations.
Companies are advised to review and adjust their cyber incident response strategies in light of the SEC’s new disclosure rules.
This is Katy Craig. Stay safe out there.
SEC.gov – https://www.sec.gov/news/press-release/2023-139
Most Attacked and Most Vulnerable Cyber Assets
What are the riskiest cyber assets threatening global businesses? Armis, a security company, conducted a study focused on cyber assets with the highest number of attack attempts and weaponized Common Vulnerabilities and Exposures (or CVEs). The study highlights the most vulnerable assets are among the Internet of Medical Things (or IoMT) and the most targeted among Operational Technology (or OT) assets.
Hey folks, this is Ian Garrett in Arlington, VA.
Which are the most vulnerable to unpatched CVEs? Armis identified a substantial number of network-connected assets vulnerable to unpatched, weaponized CVEs. The research revealed the assets most susceptible to these vulnerabilities, presenting significant risks to businesses. The top three and their categories are: media writers (which are IoMT), infusion pumps (also IoMT), and IP cameras (which are IoT). IT targets like routers and OT targets like SCADA servers also made the list.
While the previously listed items were the most vulnerable, the study also looked at the most targeted assets. Armis discovered that the top 10 asset types with the highest number of attack attempts span IT, OT, IoT, IoMT, Internet of Personal Things (or IoPT), and Building Management System (or BMS) assets. This emphasizes attackers’ focus on potential access rather than asset type, underscoring the importance of a comprehensive security strategy encompassing all assets.
The top 3 device types with the highest number of attack attempts include engineering workstations (which are OT), imaging workstations (which are IoMT), and media players (which are IoT). A number of IT assets such as personal computers also made the top 10 list. These assets are attractive targets due to their external accessibility, extensive attack surface, and known weaponized CVEs.
Armis also explored asset types with common high-risk factors. Devices that are challenging to replace, such as servers and programmable logic controllers, often run on end-of-life or end-of-support operating systems. These assets are at high risk, as end-of-support assets no longer receive manufacturer support or patches for vulnerabilities.
This research highlights the critical need for organizations to address vulnerabilities across various asset types to mitigate cyber risks effectively.
Can TikTok Truly Safeguard
Curious about how TikTok is handling your data and whether it’s safe from prying eyes? TikTok’s recent move to open its first European data center, along with third-party security audits, aims to ease concerns. But the real question is, will these steps truly safeguard your privacy?
Hi, this is Hillary Coover in Washington, DC.
TikTok has opened its first European data center to address concerns over Chinese state surveillance. The company insists it’s never shared user data with Beijing, but skepticism remains. European user data is now being migrated to servers in Dublin, a move aimed at reassuring users about data privacy. However, whether this will effectively allay fears is uncertain.
To enhance transparency, TikTok is allowing a European security company, NCC Group, to audit its data controls in the Dublin Center. This step acknowledges the skepticism surrounding the platform’s data handling practices. While it’s a positive move, the impact on skeptics remains to be seen.
Earlier this year, TikTok faced government restrictions and bans in various regions due to cybersecurity and privacy concerns, underlining the mistrust surrounding the platform. The success of these measures in addressing skepticism will hinge on their implementation and ability to maintain independence in the auditing process.
BBC – https://www.bbc.com/news/technology-66717589
That’s our update for today, September 7th, 2023. I’m Hillary Coover. We’ll be back tomorrow… at 5:05.