Cyber security news roundup: May

Published on: 28 May 2021

We're rounding up some of the biggest security cleared stories of the past few weeks. In May, the US saw one of the most consequential ransomware attacks on record, new research warned of the risk of third-party data breaches, and a survey highlighted some of the skills gaps that remain in many cyber security teams.

Ransomware attack sparks panic buying in US

Early this month, a ransomware attack targeting an energy company in the US served as a reminder of how vulnerable critical infrastructure is to cyber threats, after hackers were able to shut down a key fuel pipeline.

The attack on Colonial Pipeline led to panic buying of petrol across much of the eastern US as supplies ran short. Eventually, Colonial Pipeline deemed the disruption too great and paid a ransom of $4.4 million worth of cryptocurrency to the hackers.

Chief executive of the firm Joseph Blount said this was not a decision that was made lightly, but it was ultimately decided that making the payment was "the right thing to do" for the country, as the pipeline supplies almost half of the fuel used on the east coast, with almost ten million people relying on it.

Third parties a leading cause of data breaches

New research by the Ponemon Institute and SecureLink has revealed that more than half of companies (51 per cent) have experienced a data breach caused by a third party, with many firms admitting they failed to fully assess the security of these partners before giving them access to sensitive information.

Dr Larry Ponemon, chairman and founder of the Ponemon Institute, said: "Providing remote access to third parties without implementing the appropriate security safeguards is almost guaranteeing a security incident and a data breach involving sensitive and confidential information."

The importance of improving third-party security has also been highlighted this month by the UK government, which has launched a consultation seeking views on how supply chains and other partner relationships can be better protected. Matt Warman, minister for digital infrastructure, noted that at present, only 12 per cent of businesses review risks coming from immediate suppliers while just one in twenty address risks coming from wider supply chains.

Irish health service suffers "catastrophic" cyber attack

Public sector organisations around the world are another top target for hackers, and this was illustrated in May after a ransomware attack on Ireland's health system had a "catastrophic" impact on operations.

The attack was reported to have affected every aspect of patient care, with appointments dropping by up to 80 per cent in some areas as staff had to resort to paper records.

However, unlike in the Colonial Pipeline hack, the organisation did not have to pay to restore services, as the hackers reportedly had a change of heart. The Conti group, which claimed responsibility for the attack, dropped its demand for $20 million for the decryption tools and handed over the software for free. It is still, however, threatening to publish or sell data stolen in the hack unless a payment is made.

Security leaders highly worried about data breach litigation

A new report by security software provider Egress has found the threat of litigation from customers affected by a data breach is now one of the biggest financial concerns for security leaders.

Some 90 per cent of professionals said the prospect of class-action lawsuits is a major concern, whereas 85 per cent expressed fears about regulatory fines. As the survey also found almost half of UK consumers (47 per cent) would join a group action against an organisation that compromised their personal data, these worries may be well-founded.

Egress chief executive Tony Pepper said: "Over the last year, the ICO has shown leniency towards pandemic-hit businesses, letting them off with greatly reduced fines ... With data subjects highly aware of their rights and lawsuits potentially becoming 'opt-out' for those affected in future, security leaders are right to be nervous about the financial impacts of litigation."

Cyber security teams remain understaffed

The majority of cyber security teams remain understaffed, which means firms may struggle to find the qualified and skilled cyber security professionals they need, according to new research from ISACA and HCL Technologies. 

More than six out of ten cyber security teams (61 per cent) reported being below full strength, with 55 per cent having unfilled positions and 50 per cent saying their applicants are not well-qualified.

Fewer than one in three firms (30 per cent) said their HR departments do not understand their hiring needs, while the biggest skills gaps seen in candidates are in soft skills (56 per cent), security controls (36 per cent) and software development (33 per cent).