With new laws, new threats and data breach cover-ups, 2017 was another big year for cyber security. Here are the stories everyone was talking about.
In March, a new bill introduced to the US senate highlighted the fact that boards must take responsibility for cyber security. There’s no doubt the topic of cyber security came up in more boardroom meetings this year than ever before. But there’s also no doubt some continue to swerve the topic completely.
In Microsoft’s statement following WannaCry, President and Chief Legal Officer Brad Smith accepted his employer’s role in the attack before highlighting ‘the degree to which cybersecurity has become a shared responsibility’ – and understandably so. The attack may have exploited a Microsoft vulnerability. But software patches existed. Long before the attack, people had the power to safeguard vulnerable devices.
Also on the subject of WannaCry, malware researcher Amanda Rousseau spoke of her shock on seeing how cyber attacks can determine whether someone lives or dies. She ultimately reached the same conclusion as Microsoft’s Brad Smith: cyber security must now be a responsibility shared by technology companies, employers and the people running organisations.
In a well-researched post, HBR’s Alex Blau revealed why executives underinvest in cyber security and what we can all do to help rectify the situation.
Far too often, we think of cyber security as an important issue for large organisations only – but the £60,000 fine the ICO handed out to Boomerang Video Ltd in June suggested otherwise. ‘Regardless of your size,’ said ICO enforcement manager Sally Anne Poole, ‘if you are a business that handles personal information then data protection laws apply to you.’
Erlend Andreas Gjære applies academic research on human fallibility to cyber security before concluding people aren’t always a hazard. When well prepared, Andreas Gjære writes, people can be as much a defence as our technology and processes.
Following an increase in scaremongering around GDPR, Elizabeth Denham published a series of posts (also see here and here) on 8 myths relating to the imminent new law. Amongst her points: fines should not be the concern, consent is not the only way to comply with GDPR, and organisations had better get a move on to prepare for the regulation.
WannaCry – probably the year’s biggest attack – was a category 2 level breach. Technical director of the National Cyber Security Centre, Ian Levy, predicts a category 1 level incident is just years away. His advice to organisations wishing to prevent such an attack was clear: stop relying on off-the-shelf security solutions and instead work with people to keep data secure.
Towards the end of the year, Uber gave us a lesson in how not to deal with a data breach.
The human aspect of cyber security garnered more attention than ever in 2017, as more and more people began to see people as a potential defence. In an enlightening article for the Huffington Post, CybSafe founder Oz Alashe discusses the human biases that can cause cyber attacks – and a simple way we can overcome them.