The EU is planning to unveil the Digital Services Act at the end of the year, a major piece of legislation to overhaul rules surrounding data and digital services. The EU has invited interested parties to submit comments by September 8, and the European Commission is targeting a December deadline for the draft law.
Read full articleThe Norwegian Investment Fund, the world’s largest sovereign with over $1 trillion in assets, was the victim of a months-long cyber breach that resulted in a reported $10mn in losses. According to Norges, the breach was the result of a business email compromise.
Read full articleChairman Clayton warned that combining environmental, social and governance metrics into a single ESG rating is an imprecise way of rating companies, and that asset managers should think carefully about how they use these metrics. There are 307 ‘Sustainable funds’ in the US with $119.3 billion assets under management as of the end of March 2020.
Read full articleMacy’s announced a $1.1 billion bond sale to help shore-up the struggling retailers balance sheet as it navigates the COVID‑19 shutdown. The fresh injection of capital is needed to pay down short term debt maturing in January 2021 and fund operations in the immediate term.
Read full articleData from 30m McAfee MVISION Cloud users worldwide between January and April 2020 show external attacks by hackers on companies’ cloud-based systems have increased 630 percent following the mass migration to work from home. Overall enterprise use of cloud services has increased by 50 percent over the same time period. Use of Cisco Webex has increased 600 percent, Zoom by 350 percent, Microsoft Teams by 300 percent and Slack by 200 percent. Attacks by ‘insider threat’ categories (i. e. employees working from home) have remained the same, indicating that employees do not ‘attempt to steal more data because they are working from home’.
Read full articleA WSJ article chronicled how HTZ was struggling long before COVID‑19, including reference to its belated digital shift relative to peers and repeated missteps with regard to its digital strategy. This reportedly included adverse impacts on fleet management while it cycled through four CEOs in less than 10 years.
Read full articleA survey of 2,000 consumers in North America, UK, France and Germany reported that 37 percent will switch to a competitor company if systems are not back online within 24 hours of a ransomware attack operational disruption, and 66 percent will turn to a competitor if systems are not restored within 3 days. 59 percent would ‘likely avoid doing business with an organization that had experienced a cyberattack in the past year’, and more than 80 percent reported sharing their negative ransomware-related experience with family, friends and colleagues.
Read full articleBritish low-cost carrier EasyJet (EZJ) disclosed a customer data breach that the company says impacted 9 million customers. A majority of the data stolen was reportedly email and physical addresses, but a smaller percentage of customers reportedly had credit card details stolen. EZJ first became aware of the breach in January.
Read full articleCompanies are struggling with increasing compliance burdens that are taking up significant portions of corporate IT budgets and time. 51 percent of respondents report that compliance requirements take up 20,000 hours of resources annually. In addition, 58 percent of companies report that compliance requirements are a barrier to entering new markets. 70 percent say they must manage at least five different compliance projects at any given time, while 7 percent work on 50 or more projects at any given time.
Read full articleA NYT Times story explains how the fall of two retail giants—J. Crew and Neiman Marcus stemmed not only from the pandemic but also from the involvement of private equity firms and the financial over-engineering they deployed. The longstanding weaknesses of some traditional bricks and mortar retailers which include belated or poorly executed digital strategies are also directly related to an inability to make big investments due to being overleveraged. These weaknesses were further exposed by the pandemic, resulting in the recent bankruptcy filings.
Read full articleVulnerabilities in SaltStack software were used as a vector to infect cloud servers with malware or other exploits, with over 6,000 master servers reportedly infected and directly exposed to the internet according to the company, allowing them to be breached. The vulnerabilities were discovered about two weeks ago, and several networks have already reported that they have been breached and had cryptocurrency mining malware deployed onto their servers. More damaging attacks such as data theft and ransomware are possible. A patch is now available for the vulnerability.
Read full articlePitney Bowes Inc. (PBI) experienced a second ransomware attack in seven months on May 4th. The ransomware gang Maze claimed to have breached and encrypted the company’s network. The incident was confirmed by PBI in a statement: “Recently, we detected a security incident related to a ransomware attack. We are investigating the scope of the attack, specifically the type of data that had been accessed, which appears to be limited.” PBI is working with its security partner IBM Iris to complete forensic analysis on the attack.
Read full articleCiting a recent report by market research firm Canalys, the WSJ depicts a mixed picture on market-wide digital transformation prospects. Though Microsoft’s year-on-year enterprise cloud growth grabbed headlines, also included in results was the company’s admission that multi-year licensing deals were slow to complete in the final weeks of the quarter —just as the COVID‑19-induced slowdown was taking hold. Some analysts see a positive long-term trend towards digital being brought forward by the pandemic. Others see a slowdown in IT spend and longer-term licensing commitments and investment in cloud initiatives like further AI adoption in the short term as companies scramble to cut costs.
Read full articleA survey by Barracuda of over 1,000 business decision makers in the UK, US, France and Germany reveals significant cyber security deterioration from the recent sudden shift to remote working. 51 percent have seen an increase in email fishing attacks, 51 percent say their workforce is not proficient or properly trained in the cyber risks associated with remote working, 46 percent are not confident that their web applications are secure, 50 percent allow employees to use personal email addresses and personal devices to conduct company work, 49 percent fully expect to see a data breach or cybersecurity incident in the next month due to remote working. Despite this clear increase in the threat surface, 40 percent of the companies have cut their cybersecurity budgets as part of COVID‑19 cost saving measures.
Read full articleTarkett reports that a cyber attack ‘has affected part of its operations since April 29 despite the IT security measures implemented by the group’, and that it has shut down its IT systems and implemented ‘necessary preventive measures to protect its operations as well as the data of its employees, customers and partners.’
Read full articleFitch expects COVID‑19 related economic impacts to test the growing cyber insurance market due to risks around cloud-related breaches and other operational disruptions that could result in capital constraints and impact ratings.
Read full article“We’ve seen two years’ worth of digital transformation in two months. From remote teamwork and learning, to sales and customer service, to critical cloud infrastructure and security—we are working alongside customers every day to help them adapt and stay open for business in a world of remote everything,” said Satya Nadella, chief executive officer of Microsoft on the announcement of strong Q3 results today.
Read full articleTravelex announced that it is seeking offers and that interested parties should contact PricewaterhouseCoopers. Travelex’s business was severely impacted by its December 2019 cyber breach, which put the company in a very difficult financial position even before COVID‑19 disruptions hit.
Read full articleA WSJ report outlined how increased cyber risks amid COVID‑19 are posing increased challenges for M&A transactions globally.
Read full articleA survey of 2,000 remote workers in the UK reveals that two-thirds have not received cybersecurity training over the past year, and 61 percent said they were using personal devices to work remotely instead of corporate-issued devices. Despite these shortcomings, 77 percent reported that they are not worried about security while working from home.
Read full articleA recently published Trustwave report looking at cybercrime globally found that far and away the most common environment breached is corporate and internal IT networks (54%), followed by ecommerce (22%) and the cloud (20%). In the thousands of incidents studied, the report found that 50% of breaches across all environments stemmed from phishing and social engineering.
Read full articleData stolen from Italy’s Unicredit allegedly came via a cyber breach into a company contracted by Unicredit to provide HR services. The data went on sale April 19, and reportedly includes employee names, email addresses, phone numbers and encrypted passwords. Telecom Italia unit Telsy reported that “the database appears to be genuine and the potential result of a SQL injection attack”.
Read full articleLeading managed IT service provider Cognizant announced a Maze ransomware attack on Friday. Per Cognizant: “Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack. Our internal security teams, supplemented by leading cyber defense firms, are actively taking steps to contain this incident. Cognizant has also engaged with the appropriate law enforcement authorities.”
Read full articleZurich Insurance outlined how companies can defend against ransomware at a time when cyber vulnerabilities have increased amidst the COVID‑19-induced shift to remote work. The approach leverages the NIST framework, widely seen as the global standard for improving cyber defense.
Read full articleZurich Insurance outlined how companies can defend against ransomware at a time when cyber vulnerabilities have increased amidst the COVID‑19-induced shift to remote work. The approach leverages the NIST framework, widely seen as the global standard for improving cyber defense.
Read full articleMSC reported Friday that a network outage is affecting systems at its Geneva headquarters, and that a cyber attack might be responsible. As of Tuesday 16:00 GMT, the MSC website is still down and the company has released very little new information. General operations appear not to be widely impacted yet, but precedent shows that an operational disruption can be extremely value destructive to a company like MSC.
Read full articleAccording to a Wall Street Journal piece, 5G will transform supply chains, in part by cutting waste, better predicting consumer demand, and being able to adjust to market and operational shifts in real time. The gamechanger between 4G and 5G lies in the number of devices that can live on a single connection. By some estimates, 5G is 10 times faster than 4G. This enables more data to be analyzed more quickly and in much greater detail than was possible before.
Read full articleAt a hearing on March 4 before the U. S. Senate Judiciary Committee, Department of Justice (DoJ) Deputy Assistant Attorney General for National Asset Protection in the National Security Division Adam Hickey called upon Congress to enact legislation that would create a uniform nationwide data breach disclosure law and include a requirement that companies report breaches not just to customers but also to law enforcement.
Read full articleRansomware attacks on the healthcare industry continue at the same frequency as before COVID‑19, despite recent promises by some hacker groups to avoid targeting the industry during the current crisis.
Read full articleA Wall Street Journal article outlined the accelerated pace of corporate bond downgrades amidst the COVID‑19 pandemic and economic crisis. It has been the swiftest pace of downgrades on record over the last two weeks. Ford was the latest big name to be downgraded to junk, while approximately $90bn of debt was downgraded in March, and some estimate the number to reach $200bn this year.
Read full articleVPN Mentor’s research team discovered a breached database at Cloud backup provider SOS Online Backup that contained more than 135m records. While this information apparently did not fall into malevolent hands, the incident highlights cybersecurity risks posed by the use of third-party service providers.
Read full articleAs Zoom’s popularity has exponentially increased in recent weeks due to the mass migration to remote work, reports on security flaws continue to trickle out. Former NSA hacker Patrick Wardle shared with TechCruch two new security flaws that can be exploited to grant hackers physical control of a victim’s computer. Malicious code can be injected into a computer via a Zoom installer to gain root access—the highest level of user privileges.
Read full articleEnterprise use of VPNs has increased by 33 percent, and use of Remote Desktop Protocols (RDP) has increased by about 40 percent over the past month as companies respond to COVID‑19 by having employees work from home. These systems increase the risk of a breach of company IT systems as they are inherently less protected than onsite systems and as employees use external access systems that they are less familiar with.
Read full articleMacy’s announced it is furloughing a majority of its 130,000 staff globally in the midst of the COVID‑19 crisis that has ground brick-and-mortar retail to a halt. Staff that remain will maintain e-commerce, distribution, and call centers operations.
Read full articleSpecialty insurer Beazley reports that ransomware attacks are rapidly increasing and that the dollar value of individual ransom demands is also increasing. Beazley’s analysis and key findings are in line with Cyberhedge findings that most breaches are relatively unsophisticated and the result of poor cyber governance and hygiene by employees. Strengthening employee training is both relatively low-cost and the most effective step that most companies can take to improve their cybersecurity. Beazley also highlights two additional key Cyberhedge findings: 1. that vendors are increasingly becoming a breach vector into companies and 2. that the dramatic increase in COVID‑19‑related remote access into company IT networks has increased companies’ cyber threat surfaces.
Read full articleCybersecurity company FireEye outlined successful attacks by a Chinese group called APT 41 against Citrix and Cisco equipment in the first two months of 2020, targeting more than 75 FireEye customers, including manufacturers, media companies, and healthcare organizations. It appears that APT 41 accelerated efforts by exploiting software vulnerabilities in both companies, issues both Citrix and Cisco indicated they fixed.
Read full articleGE disclosed that personal information for a number of current and former employees was exposed in a security breach that took place between February 3-14 at Canon Business Process Services, one of its service providers. While the breach did not occur in GE’s systems, according to the legal filing, the case highlights a common supply chain risk: cyber governance extends beyond company networks and includes regimes of counterparties.
Read full articleA recent article in the Financial Times highlighted the continued emergence of ransomware and the targeting of large financial institutions, an issue illustrated by the devastating attack on Travelex and the growth of cyber insurance as a mitigation measure for companies. Large insurers point to the significant increase in the sums attackers are demanding and disputing the claim that having cyber insurance to cover such incidents makes companies more of a target.
Read full articleThe unprecedented challenges posed by the COVID‑19 outbreak extend to securing companies’ IT networks, and this event may be the biggest cybersecurity threat ever. Threat surfaces are also increasing dramatically as large numbers of workers are forced to work from home, often with systems and procedures that are different from those they are trained on and familiar with in their workplace.
Read full articleA new EY Board Survey has identified “technology disruption” as the number one strategic opportunity for organizations. The survey reveals that 48 percent of boards believe data breaches and cyber attacks will “more than moderately” impact the business in the next 12 months. However, only 36 percent of respondents in the survey indicated cybersecurity is a priority in the planning phase of any new business initiative.
Read full articleA recent study claims that ransomware attacks have increased 350 percent in the past year. This mirrors other reports, including one by Blackberry Cylance, outlining a similar upsurge in such attacks against the healthcare sector across the U. S. and Europe. In December 2019, Cylance disclosed findings related to Zeppelin Ransomware-as-a-Service (RaaS), which targeted IT vendors and healthcare providers.
Read full articleUK-based Informa (INF), the world’s largest events and exhibitions business, reported generally positive FY19 results in terms of revenue, earnings, and growth, including what Informa leadership describes as a “secure balance sheet”. But, more important is the storm brought about by coronavirus that is facing the events-focused business and the impact this may have on the company’s already-poor cyber governance. In its earnings call, the company described strong headwinds from coronavirus and possible uncertainties around the larger disruption over the course of 2020. Indeed, INF has already taken a £450mn revenue hit as a result of postponing and cancelling 100 events.
Read full articleWalgreens notified customers last month of a personal data breach that occurred in January stemming from its mobile app. The company indicated that it took steps to remedy the problem once discovered, but that health information for a “small percentage of the total users who were affected” was leaked.
Read full articleIn a mandatory filing with the California attorney general this week, J. Crew Group, Inc. disclosed a breach of customer accounts dating back to April 2019.
Read full articleKey findings from a study on smart factories by Deloitte and the Manufacturers Alliance for Productivity and Innovation (MAPI) include: 25 percent of manufacturers surveyed have not performed a cyber risk assessment in the past year, meaning these manufacturers likely do not have visibility into the impact of a cyber-related operational disruption; 48 percent of manufacturers surveyed identified operational risks, which include cybersecurity, as the greatest danger to smart factory initiatives; 40 percent of manufacturers surveyed indicated that their operations were affected by a cyber incident in the past 12 months; Management of information technology (IT) is often out of sync with operational technology (OT) management, creating additional vulnerabilities many companies are unaware of; OT is typically managed by engineering, automation, and operations rather than IT; There is generally no single team responsible for all OT systems and underlying security; Traditional application of security controls, such as patching or vulnerability scanning, needs to be adapted to new environment.
Read full articleVisser Precision, a parts supplier to automotive, defense, and aeronautics companies, reported a data theft incident, according to a Tech Crunch article.
Read full articleISS World, a Danish workplace experience and facility management company, was hit by a malware attack on February 17, 2020. As a precautionary measure, they immediately disabled access to shared IT services across company sites and countries.
Read full articleMacy’s Inc.’s (M’s) Q4 and FY19 results marked a continued slide for the brick-and-mortar retailer amidst an attempted turnaround.
Read full articleHertz (HTZ) announced Q419 and FY19 results on February 24, reporting quarterly sales of $2.326 billion, which missed the analyst consensus estimate of $2.34 billion. The company ended the fourth quarter with cash and cash equivalents of $865 million, compared to $1.13 billion at the end of 2018. Total debt as of year-end amounted to $17.09 billion, compared to $16.32 billion as of Dec 31, 2018. As of February 25, the stock was down approximately 15 percent post-earnings.
Read full articleCitrix—one of the world’s largest networking and remote access technology companies—announced malicious hackers inside its networks for five months between 2018 and 2019. This comes almost a year after the breach of its network was announced following an FBI alert.
Read full articleThe personal details of more than 10.6 million MGM Resorts International (MGM) guests were published on a hacking forum last week.
Read full articleThis month, the Department of the Navy (DON) released a report, Information Superiority Vision, that outlines an acceleration of the military branch’s digital transformation. The report highlights the need for a comprehensive overhaul of the department’s systems and cyber posture to better defend against attacks.
Read full articleMore than 41.4 million patient records were compromised by 572 healthcare data breaches in 2019, according to a study of data provided by the U. S. Department of Health and Human Services, the media, or other sources. This excludes two breaches of IT vendors servicing dental offices across the country in August and December 2019.
Read full articleTwo stories point to the upside and downside of digital transformation in the energy sector. On the negative side, this week, the U. S. Government Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about its response to a cyberattack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility. According to the alert, “Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial Loss of View for human operators.” The victim’s emergency response plan did not specifically consider cyberattacks, and the decision was made to implement a deliberate and controlled shutdown to operations that lasted two days, resulting in a loss of revenue and productivity, after which normal operations resumed.
Read full articleOn Tuesday, S&P lowered its rating for Macy’s from BBB- to BB+—one notch below investment grade—saying it viewed the company’s turnaround plan as necessary, but also a sign that the department-store chain’s “competitive advantage has diminished more than we expected.”
Read full articleIn October 2019, Bayer’s digital agriculture division, The Climate Corporation (Climate Corp), announced a partnership between its FieldView™ digital farming platform and Tillable, a self-described first-of-its-kind digital marketplace connecting farmers and landowners. According to Tillable, it was “created to help landowners receive fair rent and get the insights they need about their farm’s performance, while also helping great farmers build their reputations and expand operations.”
Read full articleUK-based cyber company Nominet released its CISO Stress Report, attempting to shed light on the burden carried by the person responsible for protecting corporate networks in 2020. The U. S./UK study serves as a follow-on to Nominet’s first couple of reports looking at the role of the CISO, including one on the perspectives of boards. Some well-known facts are confirmed, as well as important current data points on CISO-C-suite dynamics: 88% of CISOs remain moderately or tremendously stressed, 90% of CISOs said they’d take a pay cut if it improved their work-life balance. Most CISOs still lack strong support from rest of C-suite.
Read full articleU. S. Senator Kirsten Gillibrand (D-NY) introduced legislation to create a Data Protection Agency to, in her words, “bring the protection of your privacy and freedom into the digital age.
Read full article$76-billion-dollar retail giant Estée Lauder (EL) suffered a breach of a reported 440 million records, including customer data. The breach resulted from a non-password-protected cloud server. Importantly, it does not appear that any payment information was part of the breach.
Read full articleAccording to IBM, cybercrime continues to grow at a significant pace year-over-year (4x increase in 2019 vs. 2018) despite increasing resources and attention placed on security by companies and governments.
Read full articleEuropean Central Bank (ECB) President Christine Lagarde, citing a report by the European Systemic Risk Board (ESRB), outlined how a successful attack on a major financial institution could quickly create financial instability.
Read full articleSecurity researchers at Dragos and Sentinel One believe they have identified a new strain of ransomware designed specifically for industrial control systems (ICS)—systems most commonly associated with being at the core of utility infrastructure. ICS environments are also among the highest-value targets for cybercriminals and nation-state hackers.
Read full articleA key finding from Cisco’s recently released CISO survey indicated that reducing network complexity is a top priority. CISOs are electing to embark on vendor consolidation, with 86 percent now using 20 vendors or less.
Read full articleMore than 160,000 data breach notifications have been reported across the EU since the GDPR came into force on 25 May 2018, according to a DLA Piper survey. The fines, however, have not proven to have a material impact on large companies as some predicted when the law was enacted.
Read full articleAs of Q319, leading experts like McAfee observed over 100% growth in ransomware attacks globally. FireEye recently identified how threat actors are collaborating in efforts to launch ransomware attacks, a trend that will grow in 2020.
Read full articleSalesforce. com, Inc. and children’s clothing company Hanna Andersson are facing a federal court lawsuit that is among the first to cite the new California Consumer Data Privacy Act that went into effect in January.
Read full articleIn its preliminary 4Q and full-year 2019 sales results this week, Macy’s (M) announced the closure of 125 stores—about 20% of its physical footprint—over the next three years, as well as 2,000 job cuts. These moves come as the retailer continues to grapple with the rising dominance of e-commerce and shifting preferences of shoppers.
Read full articleThe Pentagon has finalized the long-anticipated cybersecurity standards contractors will have to follow before winning contracts from the Department of Defense (DoD), a new process called the Cybersecurity Maturity Model Certification (CMMC) 1.0, according to Fifth Domain.
Read full articleAn FAA inspector general report outlined how Southwest Airlines failed to prioritize safety, and the Federal Aviation Administration (FAA) did not properly conduct oversight of the airline. The criticizes the agency’s oversight of the carrier as lax, ineffective, and inconsistent, according to a WSJ article.
Read full articleBoeing (BA) reported its first annual loss since 1997 as 737 MAX costs approach $19 billion. However, shareholder value losses have been far greater, losing about 25% of value since the March 2019 Ethiopian Airlines crash. The company is now in the midst of complicated and potentially costly compensation talks with airline customers like American Airlines. These customers have felt the direct effects of the MAX grounding and believe that BA, not their shareholders, should be on the hook for the crisis.
Read full articleOn January 27, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued examination observations. The document outlines a series of approaches taken by market participants in areas including governance and risk management, access rights and controls, data loss prevention, resiliency, vendor management, and training and awareness.
Read full articleA WSJ profile of Target CIO Michael McNamara outlined the retail giant’s shift in IT strategy following the damaging 2014 data breach—from outsourcing functions like software development to hiring more in-house technologists, or what the industry refers to as “in-sourcing.”
Read full articleCitrix—one of the world’s largest networking and remote access technology companies—announced patches for a known vulnerability more than one month after it was announced. It is a $15BN company that more than 400,000 companies, including many of the Fortune 500, rely upon to keep their data safe and networks secure.
Read full articleIn the lead-up to its Annual Meeting a World Economic Forum (WEF) note outlines in some detail the steps that boards and C-suites should take to better tackle cybersecurity risk—a top-five risk in its 2020 Global Risks Report. The report poses the question, beyond the rising damage caused by cyber breaches, what incentives for investment and improved approaches exist? Though an increasing number of market players such as insurers and ratings firms are getting in the fray, “coherence, however, is still missing,” according to WEF.
Read full article