Cyber security news roundup: September 2022

Published on: 3 Oct 2022

We're rounding up some of the biggest cyber security stories of the past few weeks. In September, new surveys warned of the threats posed by cloud weaknesses and non-tech savvy users, the government's cyber security agency issued a new advisory about state-backed ransomware attacks, and around 40 per cent of Australia's population had personal details compromised in a data breach.

4 in 5 firms suffer from cloud security issues, survey finds

New research has revealed that more than four out of five businesses (81 per cent) have experienced a cloud-rated security incident in the past year, with nearly half (45 per cent) suffering from at least four issues in the last 12 months.

Venafi, which conducted the study, warned that this problem is likely to become even more serious in the coming year as more critical processes shift to the cloud. It noted that currently, firms host an average of 41 per cent of their applications in the cloud. However, this is expected to grow to 57 per cent over the next 18 months, meaning the complexity of business' IT environments will continue to increase. Therefore, professionals with expertise in cloud security are likely to be in high demand.

"Developers are making cloud native tooling and architecture decisions that decide approaches to security without involving security teams," said Kevin Bocek, vice-president of security strategy and threat intelligence at Venafi. He added: "We can already see the results of that approach: Security incidents in the cloud are rapidly growing. We need to reset the approach to cloud security and create consistent, observable, controllable security services across clouds and applications."

UK firms warned of Iranian-backed ransomware attacks

The National Cyber Security Centre (NCSC) has warned businesses in the UK to be aware of new advanced persistent threats (APTs) targeting known vulnerabilities on unprotected networks in order to spread ransomware, which are said to be conducted by hackers backed by Iran's Islamic Revolutionary Guard Corps (IRGC).

A new advisory publisher in conjunction with GCHQ and cyber security agencies in the US, Australia and Canada, detailed a range of tactics and techniques used by the hackers, who are said to be using APTs to target organisations across multiple sectors, including those related to critical national infrastructure.

Paul Chichester, NCSC director of operations, said: "This malicious activity by actors affiliated with Iran's IRGC poses an ongoing threat and we are united with our international partners in calling it out. We urge UK organisations to take this threat seriously and follow the advisory’s recommendations to mitigate the risk of compromise."

Many tech users 'still lack basic cyber security skills', according to new research 

Cyber security professionals may have their work cut out ensuring their end-users are following best practices, as new research has found the majority of people are still failing to follow basic advice to protect against attacks.

Researchers at the National Cybersecurity Alliance (NCA) and CybSafe polled 3,000 workers across the UK, US and Canada to mark Cybersecurity Awareness Month, which takes place in October. It found that two-thirds of tech users lack basic cybersecurity knowledge, with weak passwords, failure to automatically update software and a tendency to fall for phishing scams among the biggest issues.

For example, only 16 per cent of people reported creating passwords more than 12 characters long, while just seven per cent use a password manager. Instead, 37 per cent of respondents preferred to write passwords in a notebook, while 28 per cent store them electronically. Meanwhile, 37 per cent do not have automatic software updates enabled and 35 per cent presume that their devices are automatically secure.

Optus hack highlights questions over handling of personal data

A hacking attack on Australian communications provider Optus that exposed the personal details of more than ten million people has highlighted the risks faced by companies that do not put advanced cyber security methods in place.

The data breach, which has been described as the country's worst cyber security incident, affecting about 40 per cent of the population, exposed names, birth dates, home addresses, phone and email contacts, and passport and driving licence numbers, including data from the Prime Minister's office and the Department of Defence. While Optus chief executive Kelly Bayer Rosmarin described it a "sophisticated attack", commentators and government ministers have questioned the company's procedures.

Cyber security minister Clare O'Neil dismissed Ms Bayer Rosmarin's statement and said Optus had "effectively left the window open" for data to be stolen. She added that the country's overall cyber security standards are "about a decade behind" where they need to be. Meanwhile, prime minister Antony Albanese suggested Optus should pick up the bill for new passports for affected citizens, highlighting the potential costs firms around the world could face from large-scale data breaches.