CISA's Cyber guidance for small businesses and trains stop for 5 hours 🚂 - Newsletter #8
India's GDPR is also taking shape and Discord fined $830k for GDPR "lapses"
First of all, sorry for the delay on the November newsletter. Some people asked (the majority didn’t), but rest assured we have good content coming down the pipe.
Last month was eventful, with relevant news all over the field: critical vulnerabilities, GDPR fines, breaches, etc. - in the end, nothing we’re not used to. On the incident front, the Danish train operator (DSB) had to stop its trains for several hours after a supply chain attack took the enterprise asset management solution provider Supeo out of business. It’s still not clear who was behind the attack.
If supply chain attacks were not yet on your risk register, you might consider adding them now.

Also in November, CISA released a “Cyber Guidance for Small Businesses” that includes a number of interesting recommendations. One of the most interesting is how CISA tells company owners to basically move to the cloud for security reasons:
While it’s not possible to categorically state that “the cloud is more secure,” we have seen repeatedly that organizations of all sizes cannot continuously handle the security and time commitments of running on-prem mail and file storage services. The solution is to migrate those services to secure cloud versions, such as Google Workspace or Microsoft 365 for enterprise email. These services are built and maintained using world-class engineering and security talent at an attractive price point. We urge all businesses with on-prem systems to migrate to secure cloud-based alternatives as soon as possible.
You can read the guide here.
On privacy, two pieces took my attention: first is how India is setting up their own GDPR program, with the following objectives:
The Bill provides for the processing of digital personal data in a manner that recognizes the right of individuals to protect their personal data, societal rights and the need to process personal data for lawful purposes.
As a reminder, India has 760 million active internet users.
The last one is how Discord was fined €800,000 by the French data protection authority (CNIL). This is their reasoning:
lack of a written data retention policy, violating Article 5(1)(e) of the GDPR;
lack of information regarding retention periods provided to data subjects, violating Article 13 of the GDPR;
failure to inform users of voice channel connections and transmissions to third parties, or utilise the appropriate technical measures to ensure this was not possible without said information, violating the obligation to guarantee Data Protection by Default under Article 25(2) of the GDPR;
accepting a password consisting of six characters, including letters and numbers, violating Article 32 of the GDPR; and
determining it was not necessary to carry out a Data Protection Impact Assessment ('DPIA'), violating Article 35 of the GDPR.
More information here.
Other articles I read last month
How we handled a recent phishing incident that targeted Dropbox (Dropbox Tech Blog)
UK Government scans all web servers hosted in the UK for vulnerabilities (NCSC)
PayPal Allows Bypassing Two-Factor Authentication With a Button Click (blog.devgenius.io)
Microsoft is phoning home the content of your PowerPoint slides (rogermexico.bearblog.dev)
Indian ISPs: We already give govt full access to web traffic (Entrackr)
French Court rules that refusing to disclose a mobile passcode to law enforcement is a criminal offence (Fairtrials.org)
Open-source software vs. the proposed Cyber Resilience Act (blog.nlnetlabs.nl)
A third of organisations don’t know if they were hacked in the last year (Busycontinent)
The FBI alleges TikTok poses national security concerns (NPR)
Germany Forces a Microsoft 365 Ban Due to Privacy Concerns (Techgenix)
Vulnerability Management at Lyft: Enforcing the Cascade (Lyft Blog)
India’s GDPR is taking shape (The Cybersecurity Times)
Tax filing websites have been sending users’ financial information to Facebook (The Verge)
On Twitter

My bet? It’s a matter of time until we see a significant Cybersecurity incident coming from Twitter. Firing security teams + leaving engineers to compliance + rushing features = 🚩🚩🚩🚩
This is one of those simple risk assessments: probability that someone impersonates our brand with an official badge? = close to zero. Impact? extreme.
Be careful with what you commit.
Cybersecurity Tips Telegram Channel
Join our Telegram Channel to follow the latest news in Privacy and Cybersecurity.