Tag Archives: cybercrime

Data Privacy Day: the 2020s can be the decade of privacy-by-design everywhere

By Ian Heritage

Internet trends come and go. But one concept that has steadily gathered momentum over the past decade is that of dataprotection and privacy. It’s now enshrined in EU law thanks to the GDPR, and today consumers and businesses are far more aware than they’ve ever been about their rights and responsibilities online. That’s why the coming decade offers a fantastic opportunity to embed privacy-by-design principles into every single organisation. But there’s still much to do, to raise awareness and change behaviours, especially among corporates.

That’s why Trend Micro is a proud sponsor and champion of the annual Data Privacy Day initiative, which is celebratedaround the world on 28 January.

Back to the beginning
It was on this day way back in 1981 that the Council of Europe opened for signature Convention 108, the first legally binding international treaty dealing with privacy and data protection. The first European Data Protection Day was held in January 2007 to drive greater engagement with online privacy issues, and the rest is history. 

Over the past 13 years, countless organisations have come unstuck in a very public manner. From a now-infamous HMRC blunder in 2007 to 2018’s Cambridge Analytica scandal, each incident has highlighted the potentially catastrophic impact of negligent data protection programmes. Yet these incidents have also raised public awareness and galvanised lawmakers. Thanks to the GDPR, European citizens are more in control of their personal data than they have ever been, while businesses must clear a high bar to prove they are responsible custodians of that data.  

Still work to do
But there’s still much to do. Highly sensitive personal browsing data is still shared across the adtech digital supply chain billions of times a day without any consent from consumers. Social media companies continue to harvest vast troves of customer data, IoT devices and smart assistants listen to our most intimate conversations, and the growing pervasiveness of digital technology continues to raise concerns among worried parents. 

There are also concerns for businesses. GDPR compliance is no easy thing: its vague references to “state of the art” technology and focus on broad principles rather than prescriptive controls, mean there’s no simple tick-box solution here. For many, there’ll be no 100% way of knowing whether they’re compliant until an incident occurs and the company waits for an official verdict.

There have already been over 160,000 breach notificationsacross Europe since the regulation landed nearly two years ago, leading to fines of €114m (£94m). These will certainly ramp up, as regulators across the region sharpen their knives. The ICO has already stated its intent to fine Marriott International and BA a combined £282m for serious breaches at the companies.

What happens next?
For now, this means that organisations must ensure their data protection policies are aligned with the GDPR, even in post-Brexit Britain. They must focus on best practice approaches and frameworks like those produced by NIST, Cyber Essentials and ISO. And they must look to partner with the right security experts: vendors that can offer multi-layered protection across all parts of the IT infrastructure, from endpoint to servers, networks to web and email gateways. The end goal is privacy-by-design: a commitment to embedding data protection into everything an organisation does.

At Trend Micro, we sit on both sides of the data privacy debate. Our Internet Safety for Kids and Families (ISKF) programme has offered vital resources for concerned parents for over a decade. But we also provide expert advice and support for organisations struggling to navigate a complex regulatory landscape while ensuring they do right by their customers. 

As a Data Privacy Day Champion, we’re working hard on both fronts — to ensure consumers know their rights, and have the tools and knowledge to stay safe online, and that businesses have the right controls and processes in place to meet their data protection responsibilities. As we travel through a new decade, there’s still plenty of work to do.

Protecting your enterprise after another major Windows end-of-support deadline

By Bharat Mistry

Cyber-criminals are always on the lookout for weaknesses in corporate IT systems. Whether these are manifest in human credulity or technical deficiencies, hackers have become past masters at exploiting any chinks in the armour. In this context, the retirement of major software and operating system versions represents a huge opportunity for the ever-agile black hat community. IT security teams should therefore be well prepared for this week’s end-of-support deadline for Windows 7 and Server 2008/Server 2008 R2.

For those companies unable or unwilling to upgrade, however, help is at hand.

Continue reading

Supply chain risk to dominate 2020: from the cloud all the way to the remote worker

by Bharat Mistry

We all know that the success or otherwise of most modern organisations depends to a large degree on their supply chains. From professional services partners to software providers and transportation contractors, an average enterprise could maintain hundreds of these partnerships. But these all threaten to introduce extra risk to the business, especially in the cyber domain.

Trend Micro’s newly released 2020 predictions report highlights some of the key areas where organisations may be exposed next year: from cloud and managed service providers (MSPs), new DevOps dependencies and even supply chain risks associated with their remote workers.

A new spin on an old risk
Supply chain risk is not a new phenomenon per se. The infamous NotPetya ransomware attacks of 2017 were introduced via the software supply chain, for example, while Operation Cloud Hopper was a major attack campaign targeting global organisations via their MSPs.

However, the scale of the threat coming down the line requires urgent attention. It stems to a large degree from the way organisations are changing the way they work. Digital transformation is viewed by many as an essential driver of business growth, enabling firms to respond with agility to changing market demands. In practice, this means cloud and DevOps increasingly taking centre stage in the IT departments of the coming decade.

More agility, more risk?
Unfortunately, this will introduce new cyber risk. First, organisations’ increasing reliance on third-party cloud providers will encourage attackers to go after data stored in these accounts, via code injection attacks exploiting deserialisation bugs, cross-site scripting and SQL injection. They’ll also capitalise on mistakes made when misconfiguration of these accounts leaks data to the public-facing internet.

Next, they’ll look to exploit the reliance of DevOps teams on third-party code in container components and libraries to compromise microservices and serverless environments. As these architectures become increasingly commonplace, so will attacks.

The risk posed by MSPs will also escalate, enabling a much higher ROI for attackers because they can access multiple customers via a single provider. Such threats will imperil corporate and customer data, and even pose a risk to smart factory and other environments.

Finally, supply chain risk may come from an unlikely source in 2020 and beyond. As remote and home working becomes the norm for many employees, hackers may come to view these as a handy stepping-stone into corporate networks. Whether they’re logging-on via unsecured public Wi-Fi hotspots or at home, where smart home flaws could provide an unlocked door to sneak through, these employees need to be considered as part of holistic enterprise risk management strategies.

What to do
I
t will be tough for CISOs to keep up with the rapid pace of technological change as we head through the next decade. But it’s vital that teams are equipped with the right tools and strategies to manage these third-party risks and other threats to the bottom line and corporate reputation. Here’s a snapshot of advice offered in the report:

  • Improve due diligence of cloud providers and MSPs
  • Conduct regular vulnerability and risk assessments on third parties
  • Invest in security tools to scan for vulnerabilities and malware in third-party components
  • Consider Cloud Security Posture Management (CSPM) tools to help minimise the risk of misconfigurations
  • Revisit security policies regarding home and remote workers

To find out more on our predictions for 2020 and advice on how best to manage risk in your business, check out the report here.

Industry 4.0: protecting the smart factory from escalating cyber-threats

by Ian Heritage

As in many other sectors, manufacturing organisations are rapidly embracing digital transformation to drive efficiencies, agility and growth. In so doing, they’re investing in new industrial Internet of Things (IIoT) systems to accelerate convergence between previously siloed IT and OT spheres. But this digital revolution also opens the door to new threats, as previously air-gapped systems and proprietary technologies are brought online and exposed to remote hackers.

That’s why Trend Micro has just announced major new security products designed to enhance visibility and protection for imperilled industrial control system (ICS) environments.

Continue reading