Leaked chat logs have exposed connections between the BlackBasta ransomware group and Russian authorities, according to new analysis by Trellix
Daily Archives: March 18, 2025
Google Buys Wiz in $32bn Cloud Security Push
Google is set to acquire Wiz, a cloud security platform founded in 2020, for $32bn in an all-cash deal
Over 16.8 Billion Records Exposed as Data Breaches Increase 6%
Flashpoint data points to a surge in data breaches fueled by compromised credentials, ransomware and exploits
Large-Scale Malicious App Campaign Bypassing Android Security
Bitdefender said the malicious app campaign has resulted in more than 60 million downloads of malicious apps from the Google Play Store
Is Security Human Factors Research Skewed Towards Western Ideas and Habits?
Really interesting research: “How WEIRD is Usable Privacy and Security Research?” by Ayako A. Hasegawa, Daisuke Inoue, and Mitsuaki Akiyama:
Abstract: In human factor fields such as human-computer interaction (HCI) and psychology, researchers have been concerned that participants mostly come from WEIRD (Western, Educated, Industrialized, Rich, and Democratic) countries. This WEIRD skew may hinder understanding of diverse populations and their cultural differences. The usable privacy and security (UPS) field has inherited many research methodologies from research on human factor fields. We conducted a literature review to understand the extent to which participant samples in UPS papers were from WEIRD countries and the characteristics of the methodologies and research topics in each user study recruiting Western or non-Western participants. We found that the skew toward WEIRD countries in UPS is greater than that in HCI. Geographic and linguistic barriers in the study methods and recruitment methods may cause researchers to conduct user studies locally. In addition, many papers did not report participant demographics, which could hinder the replication of the reported studies, leading to low reproducibility. To improve geographic diversity, we provide suggestions, including facilitating replication studies, addressing geographic and linguistic issues of study/recruitment methods, and facilitating research on topics for non-WEIRD populations.
The moral may be that human factors and usability need to be localized.
Third of UK Supply Chain Relies on “Chinese Military” Companies
Bitsight reveals that UK companies are more exposed to cyber risk than global peers via their digital supply chains
Mandatory Coinbase wallet migration? It’s a phishing scam!
An ingenious phishing scam is targeting cryptocurrency investors by posing as a mandatory wallet migration.
Read more in my article on the Hot for Security blog.
Compliance without Complexity
Evolving Regulatory Requirements
Governments across the globe have introduced new legislation to address the escalating risks of cybersecurity threats.
In 2021, the United States issued Executive Order 14028, requiring government agencies to develop a plan for implementing a zero-trust security strategy. This included rolling out multi-factor authentication (MFA) and data encryption, and ensuring employees have secure access to the data and applications they need on their devices according to the principle of least privilege.
A year later, the Cybersecurity and Infrastructure Security Agency (CISA) passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). CIRCIA mandated that organizations report to CISA within 72 hours when a cybersecurity incident occurs. In the case of a ransomware attack, organizations must report ransom payments made within 24 hours of making the payment.
In 2023, the Securities and Exchange Commission (SEC) passed new regulations for incident reporting and risk disclosure:
Item 1.05 from Form 8-K: Organizations must disclose any cybersecurity incident that could have a material impact on a business, and include the scope, timing, and impact of the incident in their report. This report must be submitted within four business days of recognizing the incident.
Regulation S-K Item 106: Companies must disclose their cybersecurity risk management strategy and governance on an annual basis.
In the EU, new legislation has been introduced to address evolving cybersecurity threats. The NIS2 Directive, which came into force in 2023, builds upon the initial NIS1 framework that established the first EU-wide legal standards for cybersecurity readiness. NIS2 broadens the scope of NIS1 to encompass not just sectors like energy, healthcare, and finance, but also digital services, communications, and manufacturing. The directive outlines essential requirements for companies, including incident response, supply chain security, encryption, and vulnerability disclosure. Additionally, NIS2 introduced a two-step incident reporting process, requiring companies to submit an initial report within 24 hours of an incident and a final report within one month.
The Costs of Non-Compliance
Due to increased legislation, many organizations are now tasked with rethinking their security strategy to stay in compliance with federal, state, and industry-specific requirements. The costs associated with non-compliance extend beyond legal consequences: organizations that are unprepared risk reputational damage and business disruption. In Forrester’s Security Survey 2023, 78% of security decision makers estimated their organization’s sensitive data was potentially compromised or breached at least once in the past 12 months.
Recovering from data breaches can incur high costs and considerable time and effort. In the Top Cybersecurity Threats In 2024 report by Forrester, half of the survey respondents who experienced a cyber incident estimated the cumulative cost to deal with the aftermath exceeded $1 million.
Addressing Common Challenges
Organizations of all sizes face difficulties with reforming their risk management strategy to be compliant with the latest federal and industry-specific requirements:
Resource Constraints: Organizations have limited budgets and personnel, making it difficult to allocate sufficient resources with the specialized knowledge required for risk management and reporting.
Operational Inefficiencies: Disconnected tools, processes, and siloed departments can lead to inefficiencies and errors, making it hard to maintain a cohesive risk management approach.
Rapidly Evolving Regulatory Environment: The rapid introduction of new laws and amendments makes staying current difficult, and failure to comply can result in hefty fines, legal penalties, and reputational damage. Organizations need the right tools and strategies not only to maintain compliance but also to report to regulators.
Maintaining an internal team of security analysts can be costly, and developing an effective risk management strategy requires both specialized skillsets and the right set of tools. Managed security service providers (MSSPs) offer a cost-effective alternative to maintaining in-house teams, providing expert guidance to simplify management and mitigate risks.
The 5 Cs of Risk and Compliance Management
Many organizations fall victim to overemphasizing the technology component of their risk management program, while neglecting the people and processes necessary to ensure oversight and efficient incident response.
The 5 Cs framework of risk and compliance management can help provide direction in building a successful strategy, bringing together the people, processes, and technology:
Clarity: Develop clear, documented risk and compliance policies that consider both government and industry-specific regulations. Use frameworks like NIST and the CISA Zero Trust Maturity Model or similar standards to connect compliance to the organization’s overall risk management objectives.
Collaboration: Emphasize communication and collaboration across the organization to avoid security gaps created from teams working in silos.
Controls: Assess existing security controls and data feeds to identify any gaps and seek out new technology to enhance overall risk posture. Implement risk and security management systems that are adaptable, modular, and centralized, and develop protocols that can scale and support business innovation.
Continuity: Move from reactive risk and compliance protocols to automated, continuous management, using technology and support from third-party vendors to take the burden of manual work off internal teams.
Culture: Foster a culture of security awareness and accountability across the organization.
Simplify Risk Management
LevelBlue helps organizations evaluate, design, implement, and operate their cyber risk management programs. Our comprehensive approach provides a thorough view of risks and delivers actionable recommendations for improvement. This enables you to make informed decisions, quickly anticipate and respond to potential threats, and operate with accountability and transparency. By recognizing and adhering to risk management standards, organizations ensure ongoing compliance, build stronger risk management cultures, and enhance the reliability of their daily operations. We offer a variety of risk management services:
Cyber Risk Program Maturity Assessments: Our maturity assessment provides a clear picture of your current security posture and outlines a roadmap for improvement. We help you understand your strengths and identify areas where you can enhance your security measures.
Cybersecurity and Privacy Risk Assessments: Privacy isn’t just about compliance – it’s about trust. Our comprehensive assessment looks at both security and privacy risks, helping you to protect sensitive data while maintaining regulatory compliance and stakeholder confidence.
Cyber Risk Posture Assessment: Based on the 23 categories of the NIST Cybersecurity Framework, we provide a high-level view of your security program’s maturity. We evaluate everything from policies and procedures to the practical implementation of security controls, giving you a clear picture of where you stand and where you need to go.
Third-Party Risk Management (TPRM): Our comprehensive solution leverages our expertise and a specialized scoring tool to automate compliance, manage third-party risks, and enhance transparency. The service includes workflow automation, dynamic monitoring, risk reporting, and the development of risk profiles and categorizations.
AI Governance and Risk Management: We provide a comprehensive evaluation for organizations of all sizes and industries considering integrating AI into their operations. This assessment serves as the foundation for identifying and addressing security risks within AI systems and their deployment, ensuring that cybersecurity measures are robust and up to date.
Meet Compliance Requirements
LevelBlue helps organizations understand, navigate, and adapt to today’s growing rules, regulations, and standards. We evaluate your status against specific requirements (e.g., HIPAA, PCI-DSS, SAQ) or industry frameworks (e.g., ISO 27001, NIST) and provide a prioritized plan to help you achieve and report on those regulations and frameworks to any auditors. LevelBlue’s compliance services include:
Compliance Assessments: Specific compliance or framework assessments to ensure adherence to your chosen industry frameworks (e.g., ISO 27001, NIST, HITRUST) or compliance requirements (e.g., HIPAA, PCI-DSS). These can be one-time assessments, or ongoing assessments tailored to your needs.
Compliance Management with Compliance-as-a-Service: Ongoing support and management of compliance efforts, including gap analysis, remediation planning, and continuous monitoring tailored to your chosen framework or regulation.
Our services are designed to help you build a stronger risk management culture that enhances your daily operations while ensuring ongoing compliance with industry standards. Ready to transform your cyber risk management program? Contact us today.
ZDI-25-153: Autodesk AutoCAD SLDPRT File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk AutoCAD. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-1431.
ZDI-25-154: Autodesk AutoCAD 3DM File Parsing Use-After-Free Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk AutoCAD. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-1432.