NTSC Technology Security Roundup

Weekly News Roundup: March 23, 2020

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • Hackers find new target as Americans work from home during outbreak: According to The Hill, “Experts are warning of a new wave of cyberattacks targeting Americans who are forced to work from home during the coronavirus outbreak. There is increasing evidence that hackers are using the concerns over the virus to prey on individuals and that working outside secure office environments opens the door to more cyber vulnerabilities. […] The Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security’s cyber agency, underlined Kellermann’s concerns by issuing an alert [last] Friday pointing to specific cyber vulnerabilities around working from home versus the office. CISA zeroed in on potential cyberattacks on virtual private networks (VPNs), which enable employees to access an organization’s files remotely.”
  • NIST asks for public comments on new cybersecurity risk management document: According to Fifth Domain, “The National Institute of Standards and Technology is asking for public comments on a new report that provides insight into how organizations can integrate cybersecurity into enterprise risk management. The document, titled ‘NIST-Interagency Report 8286 Integrating Cybersecurity and Enterprise Risk Management,’ advises organizations on how to improve the cybersecurity risk information they use to shape their enterprise risk management program.”
  • NIST Updates and Expands Its Flagship Catalog of Information System Safeguards: According to NIST, “NIST Draft Special Publication (SP) 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, is a collection of hundreds of specific measures for strengthening the systems, component products and services that underlie the nation’s businesses, government and critical infrastructure. One of NIST’s flagship risk management publications, the document is undergoing its first update in seven years, and the agency is accepting public comments on the draft until May 15, 2020.”
  • HHS notice on telehealth penalties raises privacy concerns: According to IAPP, “The U.S. government just eased the path for doctors and nurses to do video chats with patients by lifting privacy and security compliance penalties and enforcement action against health care providers. The Office for Civil Rights at the U.S. Department of Health and Human Services [last] Tuesday said it will allow health care providers to use technology, such as Apple FaceTime, Facebook Messenger video chat or other video platforms, to communicate with patients. But, while federal response to the COVID-19 pandemic could usher in greater adoption of virtual communication for testing and monitoring patients, several health data privacy questions remain.”
  • Industry on pins and needles as DoD, accreditation body to finalize CMMC agreement: According to Federal News Network, “The Defense Department is one small step away from officially getting the Cybersecurity Maturity Model Certification off the starting blocks. Ellen Lord, the undersecretary of Defense for Acquisition and Sustainment, is ready to sign off on the memorandum of understanding with the CMMC accreditation body that would jumpstart the training of third-party assessment organizations. Katie Arrington, the chief information security officer for acquisition at DoD, said the MOU is through the clearance process and is just awaiting Lord’s signature. […] Until the MOU is signed, contractors are in limbo in how much they can prepare for the CMMC assessments.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • New FTI Consulting Survey Reveals Leading Corporate Data Privacy Risks, Priorities and Change Initiatives: According to a press release, “Nearly 60 percent of respondents agreed with the statement: ‘We don't have the resources in our organization to ensure that we are fully compliant with data privacy regulation.’ The survey also confirmed that board members and corporate leaders are knowledgeable of and committed to data privacy compliance. While 81 percent said their executives understand the issues, awareness isn’t translating to a prioritization of data privacy at more than one-third of organizations surveyed. At the same time, many organizations have a positive self-assessment of their privacy compliance, suggesting inconsistencies between awareness, prioritization, perception and readiness.”
  • One-Third of Financial Firms Lack Clear Plan to Address Privacy Risks, Accenture Report Finds: According to a press release, “[Seven] in 10 respondents (70%) see privacy as a key risk for their firms, increasing the need for a clear privacy strategy. Noting that nearly three-quarters (72%) of respondents’ companies use consent to tailor customer-facing products and services, the report suggests that financial services firms incorporate privacy into the overall customer journey by giving customers more control over their data and deleting personal information upon request.”
  • 65% of Security Professionals Access Documents Unrelated to Their Jobs: Reported in CISO Mag, “A survey on insider threats conducted by unified security and risk analytics firm Gurucul, revealed that nearly 65% of cybersecurity professionals have accessed documents that are not related to their job profiles. It also found that 40% of respondents who had negative performance reviews, also admitted to abusing their privileged access.”
  • Over a Quarter of Security Alerts Are False Positives: Reported in Infosecurity Magazine, “More than a quarter of security alerts fielded within organizations are false positives, according to new research from the Neustar International Security Council (NISC). The NISC surveyed senior security professionals across five European markets and the US, highlighting the risks of alert fatigue currently being faced by businesses around the world. As detailed in the research, more than two-fifths (43%) of organizations experience false positive alerts in more than 20% of cases, while 15% reported more than half of their security alerts are false positives.”
  • Retirement Industry Cybersecurity A Mounting Issue As Companies Collect More Data: Reported in FA Advisor, “Cybersecurity was cited as a top issue by 80% [of] retirement specialist advisors in a recent Cerulli survey, with respondents adding that it is the single most important factor when evaluating recordkeepers.”

Cybersecurity Acquisitions

News about four major cybersecurity company acquisitions was reported last week:

  • Israeli cybersecurity firm Checkmarx acquired for $1.15 billion: Reported in The Jerusalem Post, “Ramat Gan-based cybersecurity company Checkmarx is set to be acquired by preeminent global equity firm Hellman & Friedman (H&F) in a high-profile deal valued at $1.15b., the largest ever acquisition of an application security company. The company's previous owner, the global venture capital and private equity firm Insight Partners, will retain a minority stake in the company.”
  • Nemko Acquisition of System Sikkerhet Deepens Cybersecurity Platform: According to a press release, Nemko Group last Friday announced the acquisition of System Sikkerhet AS, a leading provider of assessment and consultancy services within the fields of information technology and cybersecurity.
  • Deloitte Acquires Zimbani to Boost its Cybersecurity Practice: Reported in CISO Mag, “Deloitte announced that it entered into a strategic agreement to acquire Australian security architecture specialist Zimbani. With the latest acquisition, Deloitte aims to build its professional security services in Australia and the Asia Pacific regions by combining Zimbani’s existing cybersecurity practice.”
  • MAG Aerospace acquires defense communications company: Reported in Washington Business Journal, “After robust mergers-and-acquisition activity in 2019, MAG Aerospace Corp. [last] Monday made its first purchase of 2020, acquiring New Jersey communications infrastructure company AASKI Technology Inc. Terms of the acquisition were not disclosed. AASKI specializes in communications engineering, cybersecurity engineering, enterprise information technology and other services focusing on Command, Control, Computers, Communications, Cyber, Intelligence, Surveillance and Reconnaissance (C5ISR) capabilities for the Department of Defense.”