
Embracing the Virtual: The Rise and Role of vCISOs in Modern Businesses

 

In recent years, the task of safeguarding businesses against cyber threats and ensuring compliance with security standards has become increasingly challenging. Unlike larger corporations that typically employ Chief Information Security Officers (CISOs) for handling such issues, smaller businesses often lack this dedicated role due to either a perceived lack of necessity or budget constraints.

The growing difficulty in justifying the absence of a CISO has led many businesses without one to adopt a virtual CISO (vCISO) model. Also known as fractional CISO or CISO-as-a-service, a vCISO is typically an outsourced security expert working part-time to assist businesses in securing their infrastructure, data, personnel, and customers. Depending on the company's requirements, vCISOs can operate on-site or remotely, providing both short-term and long-term solutions.

Various factors contribute to the increasing adoption of vCISOs. It may be prompted by internal crises such as the unexpected resignation of a CISO, the need to comply with new regulations, or adherence to cybersecurity frameworks like NIST's Cybersecurity Framework 2.0 expected in 2024. Additionally, board members accustomed to CISO briefings may request the engagement of a vCISO.

Russell Eubanks, a vCISO and faculty member at IANS Research, emphasizes the importance of flexibility in vCISO engagements, tailoring the delivery model to match the specific needs of a company, whether for a few days or 40 hours a week.

The vCISO model is not limited to smaller businesses; it also finds applicability in industries such as software-as-a-service (SaaS), manufacturing, industrial, and healthcare. However, opinions differ regarding its suitability in the heavily regulated financial sector, where some argue in favor of full-time CISOs.

Key responsibilities of vCISOs include governance, risk, and compliance (GRC), strategic planning, and enhancing security maturity. These experts possess a comprehensive understanding of cyber risk, technology, and business operations, enabling them to orchestrate effective security strategies.

Experienced vCISOs often play advisory roles, assisting CEOs, CFOs, CIOs, CTOs, and CISOs in understanding priorities, assessing technology configurations, and addressing potential cybersecurity vulnerabilities. Some vCISOs even assist in defining the CISO role within a company, preparing the groundwork for a permanent CISO to take over.

When seeking a vCISO, companies have various options, including industry experts, large consulting firms, boutique firms specializing in vCISO services, and managed services providers. The critical factor in selecting a vCISO is ensuring that the candidate has prior experience as a CISO, preferably within the same industry as the hiring company.

The process of finding the right vCISO involves understanding the company's needs, defining the scope and outcome expectations clearly, and vetting candidates based on their industry familiarity and experience. While compatibility with the company's size and vertical is essential, the right vCISO can outweigh some of these considerations. Rushing the selection process is discouraged, with experts emphasizing the importance of taking the time to find the right fit to avoid potential mismatches.

Reserve Bank Stress Tests Simulate Stagflation


As part of their latest Reserve Bank solvency stress test, New Zealand banks were asked to take a cyberattack into account for the first time. Despite the severe stagflation-like scenario, the Reserve Bank says most banks would be able to keep functioning, although they would have to raise fresh capital, limit dividends, and cut expenses to do so.

The stagflation scenario used in the model features high inflation, rising interest rates, and a severe recession with a surging unemployment rate. It is the first time since 2014 that the Reserve Bank has run a stress test featuring high interest rates.

Banks included in the annual stress test were ANZ NZ, ASB, BNZ, Westpac NZ, Kiwibank, Heartland Bank, TSB, ICBC, and Bank of China. They received instructions from the Reserve Bank in April. 

The scenario assumed Consumer Price Index inflation of 6% for the NZ economy. That is below the 7.2% Statistics NZ reported for the current year and the 6.9% it reported in May for March.

As part of the scenario, the Reserve Bank also had to increase the Official Cash Rate (OCR) from just 1% – the rate at the time – to 3% by the end of 2022. Currently, the OCR stands at 3.5%, and it is expected to rise to at least 4% at the final review of the year on November 23, 2022. The scenario also includes a sell-off of the NZ dollar, a source of imported inflation that has also been occurring this year.

For the first time, the Reserve Bank included a specific cyber risk event in the 2022 stress test administered to participating banks. Across those banks, the event resulted in $1.3 billion in aggregate costs.

In addition to considering how a cyberattack would affect their business, this year's solvency stress test also asked banks to consider the likelihood of such an attack, framed as a one-in-25-year cyber risk event that could threaten the banking system as a whole.

To tackle this challenge, banks adopted several strategies, such as modelling the impacts of different scenarios. These include distributed denial of service attacks, attacks that lock banks out of critical infrastructure, kill chain malware, ransomware, and other threats. A significant attack is modelled as lasting at least one to two months.

The estimated losses from each event therefore vary, depending on the benchmark used and the bank's operational risk at the time. Losses arise for an assortment of reasons, including customer reimbursements, consultancy and legal fees, lost business, technology upgrades, and communications and media expenses, according to the Reserve Bank of Australia.

Banks should be aware that multiple risks can crystallize and need to be managed during economic downturns, the Reserve Bank emphasizes. It also noted, "this is even though the aggregate cost of the cyber risk event was small compared with impairment expenses in this stress test. Our understanding of banks' handling and quantification of cyber-risk stress events was enhanced by the exercise."

Last week, in an interview with interest.co.NZ, ANZ NZ CEO Antonia Watson told the website that attackers strive "all the time" to penetrate the bank's security system. 

According to Watson, "This is one of the things you cannot do anything about since there will always be someone who will find some way of finding a backdoor."

Cyberattacks can happen to organizations of all sizes, which is why it plays a crucial role in our risk management strategy as a business. Because of that, it is one of the key risks that we see as a business. This is why we invest so much money to help educate our customers regarding these types of attacks.

Ross McEwan, CEO of National Australia Bank, BNZ's parent company, revealed last week that NAB's digital channels receive approximately 50 million attacks every month. He added that this, along with the recent cyberattack on Optus in Australia, is what keeps CEOs awake at night.

The scenario

The stress test scenario for the NZ economy includes the following:

• House prices fall by 42% (47% from their peak in November 2021).

• Equity prices fall by 38% from December 2021 levels (42% over the past year).

• The unemployment rate rises from 3.3% to 9.3%.

• Gross domestic product falls by 5% over the course of the recession.

• The OCR peaks at 5.5% and the 2-year mortgage rate at 8.4% (the average bank 2-year rate is currently 5.8%, but the big five banks all have rates above 6%).

• Banks must also model one more element of the economic scenario: a cyber-risk event that occurs once every 25 years.

According to the Reserve Bank, a scenario like this could generate aggregate impairment expenses for banks of $20.8 billion over four years, well above the $1.7 billion incurred during the COVID-19 pandemic in the last four years. Banks fall into the red in the second year of the four-year stress test.

During the stress test, the aggregate common equity Tier 1 ratio fell by 3.3 percentage points to a minimum of 8.9% before mitigation. This is well above the regulatory minimum of 4.5%, as shown in Figure 1 [below].

According to the Reserve Bank of Australia's report on its 2022 stress testing program, the annual solvency stress test was one component of the 2022 program, alongside a liquidity stress test and a test of whether the residential mortgage portfolio is sensitive to flooding risk. The Reserve Bank will present a summary of the "high-level results" of these two exercises in its Financial Stability Report released on Wednesday.

The Reserve Bank describes the solvency stress test as predominantly a bottom-up exercise, in which banks use their own models, sometimes on a loan-by-loan basis, to estimate the impact of the Reserve Bank's specified scenario on their future capital ratios.

Releasing the instructions and templates for the solvency stress test, the Reserve Bank noted that this is the first time they have been published publicly.

Financial Services Firms Operating Under False Sense of Security

 

Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, disclosed today that financial services firms are more confident in their ransomware protection than any other industry. At the same time, they are vulnerable due to supply chain risk and inadequate detection capabilities. 

As part of a larger cross-industry report on ransomware, Trend Micro commissioned Sapio Research to poll over 355 financial services IT and business leaders worldwide. It discovered that 75% of respondents believe they are adequately protected from ransomware, which is significantly higher than the overall average of 63%. This confidence is justified in part: 99% say they patch servers on a regular basis, 92% secure remote desktop protocol (RDP) endpoints, and 94% have rules in place to mitigate risks from email attachments.

However, 72% of respondents admitted that their organization had previously been compromised by ransomware, and 79% believe that their industry is a more appealing target for threat actors than others. The current level of threat awareness in the financial services sector does not always translate into action.

Two-fifths do not use network detection and response (40%) or endpoint detection and response (39%), and half (49%) do not use extended detection and response (XDR). This could explain the low detection rates for ransomware activity. Only one-third (33%) can accurately detect lateral movement, while 44% can detect initial access.

Trend Micro also uncovered significant third-party cyber risk for financial services organizations:
  • 56% have had suppliers compromised by ransomware, mostly partners (56%) and subsidiaries (29%)
  • 54% believe their suppliers make them a more attractive target
  • 52% say a significant number of their suppliers are SMBs, who may have fewer resources to spend on security

"Greater collaboration and information sharing with third parties could help to improve the security posture of the overall supply chain," said Bharat Mistry, Technical Director at Trend Micro. "However, without adequate detection and response capabilities, they may not have the intelligence to hand in the first place. Financial services leaders recognize they're a top target for ransomware actors. It's time to turn that awareness into action."

According to the research, a quarter (24%) of financial services firms do not share threat information with their partners, 38% do not share with suppliers, and even more (42%) do not engage with the broader ecosystem.

A Large Number of Ventures Suffering From Cloud Security Attacks

Advances in technology have let malicious actors compromise users' systems in just a few steps. Cloud security is one technology that has increasingly been used to protect users' data from threat actors.

However, the statistics show that even the latest cyber security is at risk: a report published by Snyk shows that 80% of enterprises suffered such an intrusion in just the past 12 months. The wide adoption of cloud security has been considered a major reason for the rapidly increasing number of cases.

There have been several high-profile cases of cloud security breaches. Accenture is one of them, having been hit by cloud security attacks twice. The first was in 2017, when the company's AWS S3 storage was left unsecured and publicly accessible; the attackers found confidential API data, digital certificates, metadata and more, and used it to blackmail and extort money from the company. The second was in 202, when the firm was struck by LockBit ransomware.
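As an added illustration of the kind of misconfiguration behind the S3 exposure described above (example code written for this page, not taken from the post or from any company it names), here is a small checker that flags bucket policy statements granting access to everyone and tells whether S3's Block Public Access setting would neutralise them; the policy documents, bucket name and account id are constructed samples.

```python
"""Detect S3 bucket policies that grant access to everyone.

Added example, not code from the original post or from any company it
mentions. The policy documents below are constructed samples; the bucket
name and the account id 123456789012 are placeholders.
"""
import json


def _as_list(value):
    """IAM policy JSON allows a scalar wherever a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True when the Principal element matches anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_statements(policy_json):
    """Return (unconditional, conditional) lists of (Sid, actions) for Allow
    statements whose principal is anyone. A Condition block (e.g. aws:SourceIp)
    may still narrow access, so those statements are reported separately."""
    policy = json.loads(policy_json)
    unconditional, conditional = [], []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_public_principal(stmt.get("Principal")):
            continue
        entry = (stmt.get("Sid", "statement-%d" % idx), _as_list(stmt.get("Action")))
        (conditional if stmt.get("Condition") else unconditional).append(entry)
    return unconditional, conditional


def bucket_exposed(policy_json, public_access_block):
    """Is the bucket anonymously reachable through its policy?

    public_access_block mirrors S3's Block Public Access settings. Only
    RestrictPublicBuckets makes S3 ignore public grants in an already attached
    policy; BlockPublicPolicy merely rejects new public policies being attached,
    so it does not neutralise an existing one and is not consulted here.
    """
    unconditional, _ = public_statements(policy_json)
    if not unconditional:
        return False
    return not public_access_block.get("RestrictPublicBuckets", False)


# Constructed sample: the kind of policy that leaves a bucket world-readable.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
})

# Constructed sample: access limited to one IAM role in a placeholder account.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Sid": "AppRoleOnly", "Effect": "Allow",
                  "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
                  "Action": ["s3:GetObject", "s3:PutObject"],
                  "Resource": "arn:aws:s3:::example-bucket/*"},
})

if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_READ_POLICY), ("private", PRIVATE_POLICY)):
        unconditional, conditional = public_statements(doc)
        print(name, "public:", unconditional, "conditional:", conditional,
              "exposed:", bucket_exposed(doc, {"RestrictPublicBuckets": False}))
```

The same walk over the statement list applies to bucket policies fetched from a real account, where the RestrictPublicBuckets flag would come from the bucket's public access block configuration.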
 
According to Snyk's report, 58% of respondents expect to face another cloud security attack in the future, and 25% fear they may already have suffered a breach of their cloud storage without being aware of it. These findings paint a negative picture of cloud security. There are many other cases like Accenture's, in which organisations left their cloud storage open to public access without even basic security.

The CEO and Co-founder of Orca, Avi Shua, stated that beyond the cloud platforms providing safe spaces for data storage in cloud infrastructure, the state of the business's workloads, identities and other assets stored in the cloud is equally responsible for the security of public cloud data.

To make the best of cloud storage and avoid falling prey to cloud security problems, it is pertinent to involve experts in cloud-native security. To prevent incidents like Accenture's at other companies, the relevant institutes and organisations should provide additional training and education on handling cloud security. Such situations cannot be dealt with without planning; companies should work to proper strategies and focus on avoiding the risk of data theft.

Singapore Ups Investment in Quantum Technology, to Stay Ahead of Security Risks

 

Singapore focuses on enhancing its quantum computing capabilities through new initiatives to build necessary skill sets and quantum equipment. It emphasises the importance of doing so in order to keep encryption technology resilient and capable of withstanding "brute force" attacks. 

The Singapore government announced on Tuesday that it will set aside SG$23.5 million (17.09 million) to support three national platforms under its Quantum Engineering Programme (QEP) for up to 3.5 years. The initiative is a component of the country's Research, Innovation, and Enterprise 2020 (RIE2020) strategy. 

Two of these platforms were announced on 31st May, including the National Quantum Computing Hub, which will pool knowledge and resources from the Centre for Quantum Technologies (CQT), local universities, and research institutes to strengthen key skill sets. Its partners, including the University, A*STAR's Institute of High Performance Computing (IHPC), and the National Supercomputing Centre (NSCC), would seek to establish international collaborations and train new talent to address the skills scarcity in the emerging industry. CQT and IHPC researchers would also create quantum computing hardware and middleware, with potential applications in finance, supply chain, and chemistry.

The National Supercomputing Centre (NSCC) would offer the supercomputing capacity required to design and train algorithms for use on quantum computers. A second programme, the National Quantum Fabless Foundry, was launched to facilitate the micro- and nano-fabrication of quantum devices in cleanrooms run by industrial partners.

Both efforts would boost local talent and allow academics to investigate how quantum computing may help diverse businesses, as well as build quantum devices. The Quantum Engineering Programme also included a quantum-safe network, billed as demonstrating "crypto-agile connectivity" and supporting experiments with both public and commercial entities.

The initiative, which was announced earlier in February, intended to improve network security for vital infrastructures and had 15 partners at the time of introduction, including ST Telemedia Global Data Centres, Cyber Security Agency, and Amazon Web Services. 

Singapore's Deputy Prime Minister and Coordinating Minister for Economic Policies, Heng Swee Keat, stated in his address announcing the new efforts that the country needs to stay alert in the face of growing dangers. Heng likened cyber threats to a "cat and mouse game," adding that efforts were made to keep ahead of hostile actors who were always looking for new loopholes to attack. With the cyber world rapidly developing, he believes quantum technology has the potential to be a "game changer." "Strong encryption is key to the security of digital networks. The current encryption standard, AES 256, has held up, as few have the computing power to use brute force to break the encryption. But this could change with quantum computing," he cautioned. 

"For some cryptographic functions, the fastest quantum computer is more than 150 million times faster than the fastest supercomputer. Quantum computers can solve in minutes a problem which takes a supercomputer 10,000 years." According to the minister, this highlights the significance of quantum technology research. 

He added, "Our investment in quantum computing and quantum engineering is part of our approach of trying to anticipate the future and proactively shaping the future that we want." 

He noted that as digitalisation grew, so did cyber concerns and that Singapore must continue to invest to keep ahead of possible threats. He went on to say that the fabless foundry will use the country's manufacturing skills to create quantum devices that would tackle "real-world challenges" in collaboration with industry partners.

How Banks Evade Regulators For Cyber Risks

 


Of late, the equilibrium between banks, regulators, and vendors has taken a hit, as critics claim that banks are not doing enough to safeguard the personally identifiable information of the clients and customers entrusted to them. Rapid modernization of internet banking and instant payment channels has widened the range of attack vectors and introduced new flaws and loopholes into the system, requiring financial institutions to combat the threat more actively than ever.

In the wake of the technological innovations that have broadened the scope of cybercrime, the RBI has repeatedly felt the need to remind banks to strengthen their cyber security mechanisms, which they reportedly fell short of. As financial frauds involving electronic money laundering, identity theft, and ATM card fraud surge, banks have increasingly avoided taking responsibility.

It is well known that banks hire top-class vendors to counter cyber threats. Less well known is that banks have grown complacent in their reliance on vendors, to the point of holding them accountable for security loopholes and cybersecurity mismanagement. Consequently, regulators fine the third-party entity, essentially the vendors providing diligent cyber security risk management to the banks.

The question that arises is whether banks, on their own, are doing enough to protect their customers from cyber threats. Banks need to understand the monitoring and management tools available for managing cyber security and mitigating risk. Financial institutions have an inherent responsibility to combat fraud aggressively and to work on behalf of their customers and clients to stay one step ahead of threats.

Banks can detect threats to their customers' privacy and security and effectively prevent them from being jeopardized. For instance, banks can secure user transactions by proactively monitoring SMS through the corresponding mobile banking app. They can screen phishing links and unauthorized transactions and warn customers if an OTP arrives during a call.

Further, banks are expected to adhere strictly to the timeframe fixed for reporting frauds and to ensure that customer complaints about unscrupulous activities are registered promptly with the police and investigation agencies. Banks must take accountability for reporting their customers' fraud cases by actively tracking accounts and interrupting vishing/phishing campaigns on their customers' behalf, as doing so allows more stringent monitoring of the source, type, and modus operandi of the attacks.

“We are getting bank fraud cases from the customers of SBI and Axis Bank also. It is yet to be verified whether the data has been leaked or not. There might be data loss or it could be some social engineering fraud,” Telangana’s Cyberabad Cybercrime police said.

“Police said that the fraudsters had updated data of the thousands of customers who received new credit cards and it was a bank’s insider who is the architect of this whole fraud,” reads a report pertaining to an aforementioned security incident by The Hindu.  

“This is a classic case to explain the poor procedure practised by the network providers while issuing SIM cards, and of course the data security system at the banks,” a senior police officer said. 

In light of the above, banks should assume accountability for their customers’ security and should review and strengthen the monitoring process, while meticulously following preventive measures based on risk categorization, such as checks at multiple levels, close monitoring of credits and debits, SMS alerts, and (where required) alerting the customer by phone. The objective, essentially, is for banks to focus on prevention, prompt detection, and timely reporting, so that regulators can aggregate cases and take the corrective measures that inhibit the continuity of crime, in turn reducing the ‘quantum’ of loss.

Besides vigorously following up with the police and law enforcement authorities, financial institutions have many chances to detect ‘early warning signals’ that they cannot afford to ignore; banks should instead use those signals as a trigger for detailed pre-investigations. Cyber security is a many-levelled undertaking, and blaming misappropriations on vendors not only demonstrates the banks’ tendency to avoid being held in default but also greatly impairs ‘recoverability aspects’ such as effective monitoring on behalf of customers.

Facebook Outage Caused Agitation in Nations And Highlighted Risks Of Social Networking

 

The global outage of Facebook Inc. highlighted the dangers of depending on its social networking platforms, supporting European regulators' efforts to limit the company's influence just as a whistle-blower's testimony in the United States threatened to draw even more unwelcome attention at home.

While Europe awakened to find Facebook, Instagram, WhatsApp, and Messenger back online and running, the extent of Monday's shutdown drew immediate and extensive outrage. Margrethe Vestager, the European Union's antitrust director and digital czar, said the Facebook failure will bring attention to the company's dominance. 

The networking issue that took services down for almost 2.75 billion people couldn't have come at a worse moment. Following a Sunday television interview in the United States, whistle-blower Frances Haugen will testify before a Senate panel on Tuesday, telling legislators the "frightening truth" about Facebook. While Facebook's services were offline, Haugen's charges that the company prioritized profit over user safety were still making headlines.

“It’s always important that people have alternatives and choices. This is why we work on keeping digital markets fair and contestable,” Vestager said. “An outage as we have seen shows that it’s never good to rely only on a few big players, whoever they are.” 

The disclosures caused United States Representative Alexandria Ocasio-Cortez to call attention to the dangers that nations that depend on these services face. In New York, Facebook rose as high as 1.3 percent to $330.33, reversing a 4.9 percent drop on Monday. 

Facebook has increasingly been the subject of multiple antitrust and privacy probes in Europe, as well as intensive scrutiny of even minor transactions, such as its planned acquisition of a customer-service software company. Last month, the firm was fined 225 million euros ($261 million) for data privacy violations, and it is currently under investigation by the European Commission and the German competition agency Bundeskartellamt. 

In the next few months, EU lawmakers will decide on new legislation limiting the capacity of strong Internet platforms like Facebook to expand into new services. According to Rasmus Andresen, a German Green member of the European Parliament, the service outage demonstrated the "serious consequences" of relying on one firm for crucial channels of communication, and that Facebook should have never been permitted to buy Instagram and WhatsApp. 

There was political fallout as well: Turkish President Recep Tayyip Erdogan, who has a low tolerance for political criticism on social networking sites, called for a new digital "order" as a result of the incident. Fahrettin Altun, his presidential communications director, said the outage demonstrated how "fragile" social networks are and urged the speedy development of "domestic and national" alternatives.

“The problem we have seen showed us how our data are in danger, how quickly and easily our social liberties can be limited,” Altun said in a series of Twitter posts. 

President Muhammadu Buhari's communications staff, government officials, and governors in 36 Nigerian states were all silenced for six hours as a result of the outage. After Twitter's services were banned in Africa's most populous country on June 5th, the administration has become increasingly dependent on Facebook to keep the people informed. 

Facebook is “for us opposition politicians one of the last media outlets where we can talk to you and which isn’t dominated by” Fidesz, Orban’s political party, Budapest Mayor Gergely Karacsony said in a video posted on Tuesday. 

“This outage does show the over-dependence we have on a single company, and the need for diversity and greater competition,” Jim Killock, executive director of the Open Rights Group in London, said in an interview. “Their reliance on data-driven, attention-optimizing products is dangerous and needs to be challenged through interventions enabling greater competition.” 

Some telecommunications companies were forced to intervene as a result of the outage. In a blog post on its website, the Polish Play unit of Paris-based telecommunications operator Iliad SA reported an eightfold surge in calls to its customer service. To avoid overloading, it had to modify its network.

Russian Researchers Develop a Methodology to Predict Cyber Risks

Scientists from St. Petersburg Polytechnic University have developed a methodology for assessing cyber risks in smart city systems. The methodology has been tested on the "smart intersection" test bed (a component of the smart transport system of a smart city).

It should be recalled that St. Petersburg participates in the Smart City programme, which will provide new services for the residents of megacities and increase citizens' safety. Digital services are an integral part of such a system.

Experts explained that cybercriminals have new goals: to disrupt the functioning of large enterprises and urban infrastructure, as well as to intercept control over them. Attackers using wireless channels can remotely penetrate a target subnet or device, intercept traffic, launch DoS attacks and take control of IoT devices to create botnets.

"At present, traditional cyber risk analysis strategies cannot be directly applied to the construction and assessment of smart city digital infrastructures, as the new network infrastructure is heterogeneous and dynamic," said Vasily Krundyshev, a researcher at the Institute of Cybersecurity and Information Protection.

At the same time, he stressed that the purpose of the project is to protect the smart city's information assets at a level that takes into account the specific features of modern cyber threats.

The smart city cybersecurity risk analysis methodology includes the stages of asset type identification, threat identification, risk calculation, and analysis of the obtained values. The proposed methodology is based on a quantitative approach. At the same time, according to the scientists, it is quick and easy to compute, which is especially important in modern dynamic infrastructures.

Experimental studies using a set of simulation models of typical smart city digital infrastructures (Internet of Things, smart building, smart intersection) demonstrated the methodology's superiority over existing Russian and foreign counterparts.

It is worth noting that St. Petersburg scientists earlier created an innovative installation for cleaning water reservoirs.