NTSC Technology Security Roundup

Weekly News Roundup: October 22, 2018

SEC Investigative Report: Public Companies Should Consider Cyber Threats When Implementing Internal Accounting Controls

According to a press release from the SEC, “The Securities and Exchange Commission [last Tuesday] issued an investigative report cautioning that public companies should consider cyber threats when implementing internal accounting controls. The report is based on the SEC Enforcement Division's investigations of nine public companies that fell victim to cyber fraud, losing millions of dollars in the process. […] The companies, which each had securities listed on a national stock exchange, covered a range of sectors including technology, machinery, real estate, energy, financial, and consumer goods. Public issuers subject to the internal accounting controls requirements of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.” While the SEC did not bring charges against the nine companies, Reuters noted in an article that this press release points out how the companies could violate federal law if their cybersecurity is weak.

FICO and U.S. Chamber of Commerce Release First U.S. Cybersecurity Assessment

A report from FICO and the U.S. Chamber of Commerce made the rounds last week after its release on October 11. According to a press release, the assessment noted the following key points:

  • Large companies are at greater risk than their smaller counterparts. Cybersecurity risk is correlated to both the size of the organization and the complexity of the organization’s networks. Larger networks are more difficult to manage and tend to increase the forward-looking odds of a breach incident.
  • The relative risk of industry sectors varies widely. The highest-scoring sector was construction at 764, while the media, telecommunications and technology sector scored lowest at 619 — this difference represents nearly 200% variance in odds of [a] significant cyber incident.
  • The risk performance differentiation between large and small entities is less pronounced in industries with the most sensitive data, such as healthcare and finance and banking, where companies are subject to specific compliance regimes.

Princeton University Study Shows Connection Between Hacking IoT Devices and Disrupting Power Grid

A concerning study from Princeton University shows a connection between the hacking of IoT devices (such as appliances) and the use of those hacked devices to cause power outages. The abstract of the research report describes “a new class of potential attacks on power grids called the Manipulation of demand via IoT (MadIoT) attacks that can leverage such a botnet in order to manipulate the power demand in the grid. […] [The] MadIoT attacks can result in local power outages and in the worst cases, large-scale blackouts.” In an article discussing this study, Fortune notes: “Attacks on internet-connected devices are on the rise, as the technology becomes more available, with a 600% increase in attacks in 2017 from 2016, WSJ reported.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • How corporate boards are navigating cybersecurity risks and data privacy: Reported in Help Net Security, “While about eight-in-ten (79 percent) companies surveyed claim they have avoided a data breach or incident in the past two years, public company boards are becoming more involved in cyber oversight. In fact, 72 percent of board members say the board is more involved with cybersecurity now than they were 12 months ago. Furthermore, eight-in-ten (79 percent) companies have an incident response plan in place to respond to potential cyberattacks.”
  • Cybersecurity Salaries Rise 6% in One Year: Reported in Infosecurity Magazine, “Salaries for cybersecurity professionals have risen by 6% in one year, double the national average of 2.9%, according to Acumin Consulting’s latest annual Salary Survey.”
  • 9 in 10 Enterprises Report Gaps Between the Cybersecurity Culture They Have and the One They Want: According to a press release, “With cybersecurity threats continuing to escalate worldwide, the ISACA/CMMI Institute Cybersecurity Culture Report found that just 5 percent of employees think their organization’s cybersecurity culture is as advanced as it needs to be to protect their business from internal and external threats.”

Israeli Cyber Consulting and Incident Response Company Sygnia to Be Acquired by Temasek

According to a press release, Sygnia, a cyber technology and services company providing high-end consulting and incident response support for organizations worldwide, announced last Tuesday that it will be acquired by Temasek, a global investment company headquartered in Singapore. Sygnia will maintain its operational independence while pursuing collaborations with Temasek and its portfolio companies. The press release notes that, with the acquisition, Sygnia will grow its resources and expand its global reach as it continues building its capabilities as a world-class provider of cyber consulting and incident response services.