Weekly Security Roundup with Clinton Pownall

By Clinton Pownall
 President & CEO
 Computer Business

Cyber Threats Endanger the Democracies. That’s the word from Microsoft President Brad Smith, addressing a Center for Strategic and International Studies webinar. Microsoft has a vested interest in protecting democracies, with Smith noting: “If you look at that, 47% of the world’s people that live in democracies, they account for 97% of Microsoft’s global business. So, I like to say to our own employees, we, as a company, have a mission.” As reported in CyberNews, Smith cited ancient Greece and ancient Rome, saying democracy is fragile and must constantly be protected. He focused on three key threats: hacking of computer systems, threats to the integrity of voting systems, and threats to information operations. Smith said: “All three of these threats are coming principally from authoritarian nations Russia, China, Iran, and North Korea, using different approaches, with different priorities.”

Russian Government Worries of Possible U.S. Counter Attack after SolarWinds. “The Russian government has issued a security warning to organizations in Russia about possible retaliatory cyberattacks by the USA for the SolarWinds breach,” according to a report in Bleeping Computer, which provides a link to a Russian security bulletin. ABC News reports that the concern on Russia’s part may be linked to the change in the U.S. Presidency, writing: “Biden has called the hack an ‘attack’—an important designation in the cybersecurity world, where a certain level of digital espionage is considered fair game. He also said he would be ‘taking meaningful steps to hold them to account,’ though just what those steps will be are unclear. In the Biden administration’s first two news conferences, White House press secretary Jen Psaki stressed that dealing with the SolarWinds hack was a priority, but that it’s still early in the administration.”

37 Billion Records Exposed in 2020. “Human Error to Blame as Exposed Records Top 37 Billion in 2020” according to a headline in Infosecurity Magazine. The article quotes from the 2020 Year End Report from Risk Based Security, which uses automated tools to crawl the internet, as well as data obtained from Freedom of Information requests, in creating its tally of breaches. While we are used to pointing to hackers when it comes to exposed records, the study found that misconfigured databases and mistakes in configuring cloud resources are often to blame. Infosecurity Magazine writes: “82% of the breached records listed in the report came from just five incidents, all of which were down to misconfigured databases or services.” Fortunately, it quotes Risk Based Security as adding: “There is scant evidence the data has been used for malicious purposes.” I suppose the good news there is that not all exposed records end up in the hands of cybercriminals, but all precautions must be taken to make sure they don’t get that chance.

Don’t Shoot the Piano Player … Or Punish Employees Who Report Data Loss. TechRepublic carries the headline: “A punitive approach toward employees reporting data breaches intensifies problems.” The article quotes Tony Pepper, CEO of Egress Software Technologies, as saying: “In cases where employees report incidents of data loss they accidentally caused, it’s quite common for them to face serious negative consequences. This, obviously, creates a culture of fear, leading to a lack of self-reporting, which in turn, exacerbates the problem. Many organizations are therefore unaware of the scale of their security issues.” Pepper points to a report from Arlington Research which interviewed more than 500 upper-level managers from organizations within the financial services, healthcare, banking, and legal sectors, and found “45% of those surveyed would reprimand the employee(s), 25% would likely fire the employee(s).” Yet the same study found “A high percentage of organizations rely on their employees to be the primary data breach detection mechanism—particularly when it comes to email.” Pepper says this makes the consequences of punishing employees even worse, adding: “By reprimanding employees who were only trying to do their job, organizations are undermining the reporting mechanism and ensuring incidents will go unreported. … Especially in these uncertain times, employees are going to be even less willing to self-report, or report others, if they believe they might lose their jobs as the result.”

Healthcare Organizations Need to Invest More in Security. A few months ago, I mentioned the U.S. Cybersecurity and Infrastructure Security Agency (CISA) alert about bad actors focusing on healthcare. The problem is still with us, as noted in an article in Help Net Security pointing to a survey from Nutanix, a provider of cloud services, that found many healthcare organizations remain unprepared. Summarizing the survey findings, Help Net Security writes: “IT leaders were asked about their organizations’ in-house security expertise, and half of the respondents said they did not have enough budget to recruit quality staff. Further, one in three did not feel they had enough training for staff, and close to ten percent indicated they didn’t have enough staff allocated in general.” Security talent is hard to find and can be expensive to hold onto. This underscores the value of working with a deeply experienced Managed Security Provider.

Clinton A. Pownall is the President & CEO of Computer Business Consultants and has been in the IT field since 1990. Pownall served in the U.S. Navy for six years as a Weapons Systems Technician and has a Bachelor of Science in Computer Engineering. Through Computer Business, he was one of the first to pioneer VoIP technology using satellite communications. Pownall serves on several boards and committees, has a strong affiliation with various education groups and local school districts, and has served in regional efforts of the Bill & Melinda Gates NextGen Foundation. He serves as a Vice President of the Board of Directors for the Orlando Shakes Theater and is heavily involved in the South Lake Chamber of Commerce, West Orange Chamber of Commerce, and the Orlando Economic Partnership.