CISA's Cyber guidance for small businesses and trains stop for 5 hours 🚂 - Newsletter #8

India's GDPR is also taking shape and Discord fined $830k for GDPR "lapses"

Dec 15, 2022

First of all, sorry for the delay on the November newsletter. Some people asked (the majority didn’t), but rest assured we have good content coming down the pipe.

Last month was eventful, with relevant news all over the field: critical vulnerabilities, GDPR fines, breaches, etc. - at the end, nothing we’re not used to. On the incident front, the Danish train operator (DSB) had to stop its trains for several hours after a supply chain attack took the enterprise asset management solution provider Supeo out of business. It’s still not clear who was behind the attack.

If supply chain attack was not yet on your risk register, you might consider adding it now.

How Dall-E sees “Hackers at the train station”

Also in November, CISA released a “Cyber Guidance for Small Businesses” that include a number of interesting recommendations. One of the most interesting is how CISA tells company owners to basically go to cloud for security reasons:

While it’s not possible to categorically state that “the cloud is more secure,” we have seen repeatedly that organizations of all sizes cannot continuously handle the security and time commitments of running on-prem mail and file storage services. The solution is to migrate those services to secure cloud versions, such as Google Workspace or Microsoft 365 for enterprise email. These services are built and maintained using world-class engineering and security talent at an attractive price point. We urge all businesses with on-prem systems to migrate to secure cloud-based alternatives as soon as possible.

You can read the guide here.

On privacy, two pieces took my attention: first is how India is setting up their own GDPR program, with the following objectives:

The Bill provides for the processing of digital personal data in a manner that recognizes the right of individuals to protect their personal data, societal rights and the need to process personal data for lawful purposes.

As a reminder, India has 760 million active internet users.

The last one is how Discord was fined €800,000 by the French data protection authority (CNIL). This is their reasoning:

lack of a written data retention policy, violating Article 5(1)(e) of the GDPR;
lack of information regarding retention periods provided to data subjects, violating Article 13 of the GDPR;
failure to inform users of voice channel connections and transmissions to third parties, or utilise the appropriate technical measures to ensure this was not possible without said information, violating the obligation to guarantee Data Protection by Default under Article 25(2) of the GDPR;
accepting a password consisting of six characters, including letters and numbers, violating Article 32 of the GDPR; and
determining it was not necessary to carry out a Data Protection Impact Assessment ('DPIA'), violating Article 35 of the GDPR.

More information here.

On Twitter

Casey Newton @CaseyNewton

According to messages shared in Twitter Slack, Twitter’s CISO, chief privacy office, and chief compliance officer all resigned last night. An employee says it will be up to engineers to “self-certify compliance with FTC requirements and other laws.”

My bet? it’s a matter of time until we see a significant Cybersecurity incident coming from Twitter. Firing security teams + leaving engineers to compliance + rushing features = 🚩🚩🚩🚩

Rafael Shimunov is on Mastodon @rafaelshimunov

Did Twitter Blue tweet just cost Eli Lilly $LLY billions? Yes.

This is one of those simple risk assessments: probability that someone impersonates our brand with an official badge? = close to zero. Impact? extreme.