Cyber security news roundup: November 2021
We're rounding up some of the biggest cyber security stories of the past few weeks. In November, the government introduced new laws to tackle IoT security threats, a major web hosting firm reported a breach affecting over a million users, and research warned many firms are not confident in their ability to tackle ransomware attacks.
More than half of IT leaders 'unable to mitigate' a data breach
New research this month has revealed that more than half of IT leaders do not believe they would be able to effectively mitigate the impact of a ransomware data breach in their organisation.
This is according to a survey by Syntax, which found that overall, 51 per cent of professionals said they would be able to neutralise a data breach, given their current levels of IT talent. However, only 47 per cent said they would be able to handle a ransomware attack on their systems.
The study also found fewer than half of professionals (43 per cent) are confident in their ability to defend a hybrid workforce from threats. This may be especially worrying as many firms have greatly increased their use of these working arrangements in the last year.
Global cyber security talent shortage improves, but still a major challenge
The shortage of specialist cyber security personnel around the world continues to be a major challenge, although the situation has improved slightly over the last 12 months, a new study has revealed.
Research by training provider (ISC)² found there was a shortage of 2.72 million cyber security professionals in 2021 - down from 3.12 million a year previously. However, even though 700,000 new people have entered the workforce in the last 12 months, demand continues to greatly outstrip supply, with the sector still needing to grow by 65 per cent to meet the needs of businesses.
CEO at (ISC)² Clar Rosso said: "The study tells us where talent is needed most and that traditional hiring practices are insufficient. We must put people before technology, invest in their development and embrace remote work as an opportunity."
New laws aim to tighten IoT security
The government has unveiled new proposals that will aim to tighten the security of a wide range of Internet of Things (IoT) devices by requiring manufacturers to improve the protections offered as standard.
It comes as new research revealed there were 1.5 billion attempts to compromise IoT devices in the first half of 2021, double the figure for 2020. The new bill will ban weaknesses such as easily guessed default passwords and ensure buyers know exactly how long devices will be supported with security updates and patches.
Though the proposals are aimed at consumer devices, they are also likely to impact businesses, as many of these items have found their way into enterprises. Therefore, ensuring that IoT technologies have a minimum set of security standards built in should make life a little easier for cyber security professionals.
Over 1 million WordPress users affected by GoDaddy breach
A data breach targeting web hosting provider GoDaddy has compromised the details of more than one million of its WordPress customers, the provider has revealed.
In a filing to the US Securities and Exchange Commission, GoDaddy explained that on November 17th, it identified that an unauthorised third party had gained access to its Managed WordPress hosting environment, exposing data including email addresses and customer numbers for 1.2 million active and inactive customers. The source of the breach was traced to a compromised password, which had been in use since September 6th.
Commenting on the incident, Ian McShane, field CTO at security firm Arctic Wolf, said: "GoDaddy is a $3.3 billion company who you can assume has a large investment in cyber security, yet they still had an adversary in their environment for 72 days ... The number of affected accounts is so big that it feels like this would have been a lucrative ransomware opportunity, so there might be more to come from this story."
Cultural divide 'a major barrier' to strong cyber security
Cultural divides between IT teams and operational technology (OT) units are a major contributor to failures in industrial cyber security strategies, it has been claimed.
Research by specialist cyber security firm Dragos found that fewer than half of organisations have a cohesive policy that covers both these departments, while security teams rarely work together. As nearly two-thirds of firms (63 per cent) had experienced an industrial control system (ICS) or OT cyber security incident in the last two years, this represents a significant threat.
Only 43 per cent of respondents said company cyber security policies and procedures were aligned with ICS and OT security objectives, while just 21 per cent report their programmes are fully mature. Meanwhile, 56 per cent of professionals say that OT cyber security is managed by an engineering department that does not have experience in this area, with only 12 per cent of teams reporting directly to a Chief Information Security Officer.