From the cybersecurity policy front
Harvard Business Review explains what U.S. business needs to know about the new U.S. cybersecurity policy.
- “While the 39-page document features bureaucratic buzzwords like “harmonize”, “stakeholders,” and “multilateral,” we’ve identified three concrete things business leaders should know about the new strategy.
- “First, every company needs to identify their distinct vulnerabilities and risks.
- “Second, companies then need to adopt measures that address those supply chain vulnerabilities, and
- “Third, companies need to recognize that one size will not fit all when it comes to cybersecurity. An important subtext of the strategy is its focus on establishing more aggressive regulatory standards on larger business, critical infrastructure, and software providers.”
Dark Reading adds
- “In order for cybersecurity initiatives to be effective in reducing security failures, Gartner, a research and consulting firm, finds that it will be essential for security and risk management leaders to turn to a human-centered approach.
- “A human-centric approach in cybersecurity practices prioritizes the individual employee and their experience, which ultimately encourages better practices while also reducing friction and risk.
- In the past, there has been a focus in improving the technology or the many different processes that uphold security practices. Going forward, having a “human-centric talent management approach” means focusing on the employees that require these kinds of updates to technology and program processes to be made in the first place, and shifting from external hiring to internal or “quiet hiring,” according to Gartner.”
FedScoop reports
- “The Cybersecurity and Infrastructure Security Agency, the FBI, the National Security Agency and cybersecurity authorities of other international allies on Thursday published joint guidance urging software manufacturers to bake secure-by-design and-default principles into their products.
- “The cybersecurity guidance is the first of its kind, and is intended to speed up cultural shifts within the technology industry that are needed to achieve a safe and secure future online.
- “Key principles of the new guidance include: taking ownership of security outcomes of products, embracing “radical transparency” and ensuring that companies have c-suite support to prioritize product security.
- “Publication of the secure-by-design principles follows the publication in March of a new national cybersecurity strategy by the Biden administration, which sought to shift the responsibility for maintaining the security of computer systems further towards larger software makers.”
From the cyber vulnerabilities front
Healthcare Dive tells us
- “The healthcare industry is “cyber poor” and the most targeted sector for data breaches over the past four years, according to a Moody’s Investors Service report from this week.
- “Moody’s said healthcare’s vulnerable state makes it “target rich,” which could bring service disruptions and personal data disclosures.
- “Nonprofit healthcare organizations received a “very high risk” rating, while corporate healthcare was deemed “high risk.” Providers must ramp up investment in cybersecurity to protect patient data and avoid interruption of critical operations, the report said.”
The Cybersecurity and Infrastructure Security Agency added to its catalog two known exploited vulnerabilities on April 10, one more on April 11, and two more on April 13.
From the ransomware front
- Cybersecurity Dive relates, “Rorschach ransomware, with a rare encryption speed, makes it even harder for companies to respond. The potential impact and victims claimed by Rorschach remain unknown, but one expert said some yet-undetected attacks are likely underway.”
- Cyberscoop informs us “Ransomware gangs increasingly deploy zero-days to maximize attacks; Microsoft issued a patch for a zero-day that researchers at Kaspersky said was used to deliver Nokoyawa ransomware.
- The Bleeping Computer’s Week in Ransomware is back.
From the cyber defenses front
- CISA released
- “an update to the Zero Trust Maturity Model (ZTMM), superseding the initial version released in September 2021. ZTMM provides a roadmap for agencies to reference as they transition towards a zero-trust architecture. ZTMM also provides a gradient of implementation across five distinct pillars to facilitate federal implementation, allowing agencies to make minor advancements toward optimization over time.
- “The objective of this update is to facilitate the distribution of the ZTMM Version 2 and educate federal civilian agencies on the updated ZTMM and its application to their zero-trust implementations. CISA encourages state, local, tribal, and territorial governments, and the private sector to use ZTMM as a baseline for implementing zero trust architecture.”
- An ISACA expert points out “Five Key Considerations When Developing a Collaboration Strategy for Information Risk and Security.”