This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

There are many takeaways this month from articles that further our understanding of cybersecurity concerns and issues, starting with:

Are you in the crosshairs?

China’s Next Five-Year Plan Offers Preview of Cybersecurity Targets
Is your industry next in line to be targeted by China’s government-sponsored hackers? To find out, look at China’s latest five-year plan, suggests a global threat report released this morning. The report covers attacks by nation states, cybercriminals and hacktivists. “China is the biggest offender that we can see,” said Adam Meyers, vice president of intelligence at security vendor CrowdStrike, which produced the report. The country is mostly focused on collecting intelligence that supports its economic system, according to the report. “The last five-year plan was effectively a road-map of everything China was going to target,” he said.

Cyber Criminals Focus on the Super-Wealthy
Financial Times
Cyber criminals are trawling through wealth managers’ websites as well as social media networks to target the super-rich and trick them into parting with hundreds of millions of pounds a year, security experts say. Kroll, the security group, said it had seen an increase in the number of cyber attacks against the very wealthy and those who manage their private investments. Organizations that list details of senior staff online and networking sites such as LinkedIn are being filleted by criminals to find people with board-level job titles.

Huge Rise in Hack Attacks as Cyber-Criminals Target Small Businesses
The Guardian
It seemed like just another ordinary day for staff at vehicle hire company MNH Platinum. Little did they know that the simple click of an email link was about to threaten their entire business. It was early last year when the Blackburn-based firm was the victim of a virus which encrypted over 12,000 files on its company network. A ransom demand followed – the criminals would decrypt the company’s files in exchange for more than £3,000. With the virus proving impossible to remove without the loss of crucial company data, the firm had no choice but to pay up. “We were completely unprepared for a cyber breach simply due to a lack of awareness of the magnitude an attack of this type could have through mistakenly clicking a link in an email,” says managing director Mark Hindle. “I am thankful that we had a lucky escape, in that I was able to retrieve the documents that are crucial to the running of the business, albeit at a price.”

Give us a little privacy, would you please?

Eleventh-Hour Deal Reached to Keep Data Flowing Across the Atlantic
The Hill
The United States and the European Union have reached an eleventh-hour agreement that will permit Facebook, Google and thousands of other companies to continue handling Europeans’ personal data. Both Commerce Department and European Commission leaders insisted the new legal framework — which replaces a recently-invalidated agreement known as Safe Harbor — will stand up to court scrutiny. “There will be complainants and new court rulings, but I am pretty confident this will stand,” Justice Commissioner Vera Jourova said in a press conference unveiling the pact. The European high court struck down the original arrangement in October, claiming that the U.S. could not be seen to adequately protect privacy thanks to its mass surveillance practices.

Opinion: The Undoing of Germany’s Privacy Dogma
Germans vociferously objected to US surveillance after Edward Snowden revealed the vast scope of National Security Agency spying. So, when the European Court of Justice ruled in October to dismantle Safe Harbor, the legal arrangement that let American companies transfer Europeans’ data to the US, Berlin policymakers celebrated Europeans taking a stand for their right to privacy and digital sovereignty. But how things change. In a matter of months, after Islamic State terrorists killed 130 people in Paris and with refugee flows remaining unabated, many Germans now recognize that intelligence cooperation with the US may be a price worth paying to combat threats dangerously close to home.

How Do Americans Weigh Privacy Versus National Security?
The Atlantic
Three years ago, Edward Snowden leaked troves of previously classified information that laid bare the American government’s widespread surveillance of its citizens. The takeaway was clear: We live in an age when private, personal information—from Google searches, to GPS locations, to swipes of your credit card—is being collected constantly and invisibly, and there’s little any individual can do about it. The U.S. government defended its actions by claiming that the information gathered would aid in fighting terrorism, both foreign and homegrown.

Reactions to the EU-US Privacy Shield
The new framework for the transfer of personal data between the European Union and the United States is really the evolution of over 15 years of established privacy regimes between the U.S. and the E.U. The result of the negotiations is really meant to reestablish trust in the U.S. and E.U. transatlantic relationship. The newly announced framework will be wholly replacing the now ‘dead’ E.U./U.S. Safe Harbor program. In fact the new framework established by the U.S. and E.U. will even go by a completely new moniker: E.U./U.S. Privacy Shield. E.U./U.S. Privacy Shield is said to both protect the fundamental right of privacy of European citizens while at the same time providing legal certainty for the thousands of U.S. based businesses that serve them.

Former CIA Director Endorses Unbreakable Encryption
The Hill
The former director of the Central Intelligence Agency and the National Security Agency said this week that the government should not have a backdoor into encrypted communications. “America is more secure with end-to-end unbreakable encryption,” said General Michael Hayden, now a principal of the security and risk management firm Chertoff Group, speaking at a Wall Street Journal conference. Hayden’s comments are part of a tense debate over the degree of access that law enforcement agencies should have into secure communications. In the wake of the terror attacks in Paris and San Bernardino, Calif., law enforcement and some lawmakers have been pressing tech companies to give investigators guaranteed access to encrypted data.

Privacy Board Gives High Marks to Spying Reforms
The Hill
The government’s privacy watchdog on Friday gave a positive assessment to the Obama administration’s efforts to reform federal spying powers. The small Privacy and Civil Liberties Oversight Board (PCLOB) said the government has started to enact reforms addressing each of the nearly two dozen recommendations it made two years ago, on the heels of Edward Snowden’s leaks about American surveillance. “[I]mportant measures have been taken to enhance the protection of Americans’ privacy and civil liberties and to strengthen the transparency of the government’s surveillance efforts, without jeopardizing our counterterrorism efforts,” the bipartisan five-member board said.
In 2014, months after Snowden’s leaks revealed details of U.S. spying, the PCLOB declared that the National Security Agency’s (NSA) bulk collection of Americans’ phone records was illegal.

Developing a Global Privacy Regime in the Age of Mass Surveillance: Four Key Principles
Open Democracy
The proliferation of mass surveillance practices in recent years has posed a number of tough challenges for the protection of human rights in democratic societies, most notably for the right to privacy. These challenges have been exacerbated by the considerable diversity in the legal and constitutional protection of privacy across the globe, with states engaging in far-reaching surveillance activity (such as the United States as demonstrated by the Snowden revelations) providing a fragmented and limited constitutional framework for the protection of privacy, especially regarding non-citizens. At the same time, privacy protection framed strictly from a national/territorial perspective is increasingly inadequate to address the globalisation of surveillance, as evidenced by the proliferation of extraterritorial surveillance practices by states.

Privacy Debate Explodes Over Apple’s Defiance
A long-simmering showdown between Silicon Valley and Washington over national security flared into a major political spat Wednesday, after Apple CEO Tim Cook vowed to resist the federal government’s demand for help breaking into an iPhone used by one of the attackers in last year’s deadly mass shooting in San Bernardino, California. The dispute between the tech giant and the FBI has put the entire industry on the defensive and prompted new calls, from the 2016 campaign trail to Capitol Hill, for tech companies to cooperate in terrorism investigations. Apple’s harshest critics included Donald Trump, who asked on Fox News, “Who do they think they are?” — while Senate Intelligence Committee member Tom Cotton (R-Ark.) charged that the company had chosen to “protect a dead ISIS terrorist’s privacy over the security of the American people.”

What business needs to know.

Fast Data Will Revolutionize Cybersecurity in 2016
How could ordering a pizza take down a bank? It’s frighteningly easy—and illustrates the need for faster, more-sophisticated technology to block the even more-pernicious cyber-security threats targeting big companies today. In the pizza example, a bank employee orders a pizza online, using his company email address to complete the transaction. And, like many people, he uses the same password for the pizza site as he does to log in to his bank’s workstation or intranet. Bad move: Clever hackers now automate cyber-attacks on some businesses with weaker security, like pizza parlors. They can easily snare the employee’s information, then try those login credentials on the bank’s website or employee VPN, and, if they work, tap into the bank’s internal networks.
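The pizza-to-bank chain above is a credential-stuffing attack enabled by password reuse, and it is visible from two sides. The example below is added here for illustration; it is not code from the article or from any vendor it mentions. It constructs a hypothetical leaked credential dump and a hypothetical internal directory (salted SHA-256 verifiers stand in for a real slow hash such as bcrypt or Argon2) to find employees whose corporate password matches a third-party leak, and it scans constructed VPN authentication log lines for one source address working through many usernames with mostly failures. The log format, field names and thresholds are assumptions, not anything the article describes.

```python
"""Added example: two defensive checks against password reuse and credential stuffing."""
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed sample: plaintext credentials leaked from a hypothetical third-party site.
LEAKED_PIZZA_DUMP = [
    ("alice@bank.example", "Winter2016!"),
    ("bob@bank.example", "pepperoni"),
    ("carol@bank.example", "correct horse battery staple"),
    ("nobody@bank.example", "not-an-employee"),
]


def make_verifier(password: str, salt: str) -> str:
    """Salted SHA-256 stand-in for a password verifier (use bcrypt/scrypt/Argon2 in production)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample: hypothetical internal directory, username -> (salt, verifier).
INTERNAL_VERIFIERS = {
    "alice": ("s1", make_verifier("Winter2016!", "s1")),                  # reused the pizza password
    "bob": ("s2", make_verifier("Bob-Unique-Pw-9", "s2")),                # unique password
    "carol": ("s3", make_verifier("correct horse battery staple", "s3")),  # reused the pizza password
}


def find_reused_credentials(dump, verifiers):
    """Return usernames whose internal verifier matches a password leaked elsewhere."""
    reused = []
    for email, leaked_pw in dump:
        user = email.split("@")[0]
        if user not in verifiers:
            continue
        salt, verifier = verifiers[user]
        # Constant-time comparison so the check itself leaks nothing via timing.
        if hmac.compare_digest(make_verifier(leaked_pw, salt), verifier):
            reused.append(user)
    return sorted(reused)


# Constructed VPN auth log lines; the format is an assumption for this example.
VPN_LOG = """\
2016-02-20T10:01:03Z vpn auth user=alice src=203.0.113.5 result=FAIL
2016-02-20T10:01:04Z vpn auth user=bob src=203.0.113.5 result=FAIL
2016-02-20T10:01:05Z vpn auth user=carol src=203.0.113.5 result=FAIL
2016-02-20T10:01:06Z vpn auth user=dave src=203.0.113.5 result=FAIL
2016-02-20T10:01:07Z vpn auth user=alice src=203.0.113.5 result=OK
2016-02-20T10:05:00Z vpn auth user=bob src=198.51.100.7 result=OK
2016-02-20T10:06:00Z vpn auth user=bob src=198.51.100.7 result=OK
2016-02-20T10:07:00Z vpn auth user=erin src=192.0.2.9 result=FAIL
2016-02-20T10:07:10Z vpn auth user=erin src=192.0.2.9 result=FAIL
2016-02-20T10:07:20Z vpn auth user=erin src=192.0.2.9 result=OK
"""

LOG_RE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)")


def detect_credential_stuffing(log_text, min_users=3, min_fail_ratio=0.5):
    """Flag source IPs that try many distinct usernames with a high failure ratio.

    A single user mistyping their own password (192.0.2.9 above) is not flagged;
    one address cycling through a credential list (203.0.113.5) is, and any
    success from that address names an account that is probably compromised.
    """
    per_src = defaultdict(lambda: {"users": set(), "failures": 0, "attempts": 0, "successes": []})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = per_src[m["src"]]
        rec["users"].add(m["user"])
        rec["attempts"] += 1
        if m["result"] == "FAIL":
            rec["failures"] += 1
        else:
            rec["successes"].append(m["user"])

    flagged = {}
    for src, rec in per_src.items():
        if len(rec["users"]) >= min_users and rec["failures"] / rec["attempts"] >= min_fail_ratio:
            flagged[src] = {
                "distinct_users": len(rec["users"]),
                "failures": rec["failures"],
                "successes": sorted(set(rec["successes"])),
            }
    return flagged


if __name__ == "__main__":
    print("employees reusing a leaked password:", find_reused_credentials(LEAKED_PIZZA_DUMP, INTERNAL_VERIFIERS))
    print("suspected credential stuffing:", detect_credential_stuffing(VPN_LOG))
```

The two checks are complementary: the first lets the bank force a password reset for the employees in the pizza-site dump before anyone tries the credentials, and the second catches the attempt on the VPN if the dump was never obtained. Both thresholds are deliberately simple; in practice they would be tuned per source population and combined with rate limiting and multi-factor authentication, which breaks the chain even when the password is reused.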

Cybersecurity Statistics Predict a Hot Market For 2016 To 2020
Cybersecurity is a hot market, period. Read on if you want to know why. The worldwide cybersecurity industry is defined by market sizing estimates that range from $75 billion in 2015 to $170 billion by 2020. Or to put it another way, corporations and governments will spend roughly $100 billion on cybersecurity over the next four to five years. Internet of Things (IoT) security could add another $29 billion to those market figures by 2020. 9-figure deals lifted cybersecurity investments to an all-time high in 2015. An InformationWeek DarkReading article reports that cybersecurity stocks are way down in 2016, but a lot of venture capital money is still flowing into cyber companies.

Many Companies Still Procrastinating When It Comes To Cybersecurity
It’s going to take more than a massive hack against Sony Pictures, Anthem, and the Internal Revenue Service to persuade business executives to protect their companies from data breaches. A recent survey of 1,000 business executives by consulting company NTT Com Security said that only half of the polled respondents had a formal plan in place to protect their data and networks in case of an attack. Additionally, a quarter of these executives “are certain that their company will suffer a security breach in the future,” the report stated.

Deloitte: For CyberSecurity – Offense Can Be the Best Defense
Integration Developer News
As 2016 begins, organizations are going on the offense to combat cyber threats, according to a report this month by Deloitte LLP. Companies and government agencies are no longer satisfied with simply “locking the doors” where cybersecurity is concerned, said the 2016 Deloitte Analytics Trends report. “Organizations with a sophisticated approach to cybersecurity are no longer satisfied with locking the doors after the robbery has been committed. [They] are beginning to employ more predictive approaches to threat intelligence and monitoring—in short, going on the offensive,” the Deloitte report found.

Liability can Change Attitudes to Corporate Cybersecurity
Throughout the past century we’ve witnessed how liability, regulation and legislation have been instrumental in improving security and safety. As Britain marks 50 years since the first seatbelt law was introduced this month, we celebrate how driver liability changed norms and saved thousands of lives. This massive potential is not limited to personal safety. In any market, the key drivers for change have largely been regulation and incentive, whether through legal liability or insurance cover. However, these agents of change are still immature in the cybersecurity market, and we’re seeing serious and unnecessary breaches as a result. This was highlighted last year by GCHQ director Robert Hannigan’s astute reflection that the free market is failing cybersecurity.

By Tom Davis, SDI Cyber Risk Practice

SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.

February 23, 2016