{"id":30832,"date":"2022-11-04T15:18:07","date_gmt":"2022-11-04T19:18:07","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=511620"},"modified":"2022-11-07T12:12:09","modified_gmt":"2022-11-07T17:12:09","slug":"cyber-security-today-week-in-review-for-friday-nov-4-2022-2","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/cyber-security-today-week-in-review-for-friday-nov-4-2022-2\/","title":{"rendered":"Cyber Security Today, Week in Review for Friday, Nov. 4, 2022"},"content":{"rendered":"<p data-ar-index=\"0\">Welcome to Cyber Security Today. This is the Week In Review for the week ending Friday, November 4th, 2022. I\u2019m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.<\/p>\n
<p data-ar-index=\"3\">In a few minutes David Shipley of <a href=\"https:\/\/www.beauceronsecurity.com\/\" rel=\"noopener\">Beauceron Security<\/a> will join me to discuss words of wisdom I recently spotted on Twitter. But first a look back at some of the headlines from the past seven days:<\/p>\n<p data-ar-index=\"4\"><strong>Thirty-six nations<\/strong> <a href=\"https:\/\/www.itworldcanada.com\/article\/countries-band-together-to-better-fight-ransomware-set-priority-targets\/511223\" rel=\"noopener\">agreed to form a joint task force to fight ransomware<\/a>. The countries, including Canada, first met a year ago in Washington. After a year of work they agreed this week to create a formal framework for sharing information, setting priority targets and working closely with cybersecurity companies.<\/p>\n<p data-ar-index=\"5\"><strong>An unnamed media company<\/strong> that serves content to major American news outlets has been compromised to serve malware, according to researchers at Proofpoint. 
<a href=\"https:\/\/twitter.com\/threatinsight\/status\/1587865920130752515\" rel=\"noopener\">They said<\/a> the JavaScript used by the victim firm to serve content has been manipulated to deploy the <a href=\"https:\/\/blog.sucuri.net\/2022\/08\/socgholish-5-years-of-massive-website-infections.html\" rel=\"noopener\">SocGholish malware<\/a>, which directs viewers to install fake browser updates.<\/p>\n<p data-ar-index=\"6\"><strong>Dropbox suffered a data breach<\/strong> this month, <a href=\"https:\/\/dropbox.tech\/security\/a-recent-phishing-campaign-targeting-dropbox\" rel=\"noopener\">the company admitted<\/a>. An employee of Dropbox fell for a phishing scam from a hacker pretending to be from the CircleCI integration platform. Dropbox developers can log into CircleCI and GitHub with their credentials, including a one-time passcode. With the employee\u2019s credentials, the hacker accessed some of the Dropbox code it stores on GitHub. The hacker was able to get some credentials\u2014primarily API keys\u2014used by Dropbox developers, as well as a few thousand names and email addresses of Dropbox employees, current and past customers, sales leads and vendors.<\/p>\n<p data-ar-index=\"7\"><strong>Apple has created<\/strong> <a href=\"https:\/\/security.apple.com\/research-device\" rel=\"noopener\">a special iPhone for security researchers<\/a> to work on. Called the Security Research Device, it is a fused iPhone that allows researchers to plumb the depths of the iOS operating system looking for vulnerabilities. Any vulnerabilities found have to be reported to Apple. Developers have until November 30th to apply for a unit. 
<a href=\"https:\/\/security.apple.com\/\" rel=\"noopener\">Apple also announced<\/a> the creation of a Security Research website to make it easier for others to get bounties for finding bugs in Apple products.<\/p>\n<p data-ar-index=\"8\"><strong>Security researchers<\/strong> were apparently wrong in concluding the Yanluowang ransomware gang\u2019s core members are Chinese. Leaks of the gang\u2019s internal chat logs are in Russian. Whoever <a href=\"https:\/\/riskybiznews.substack.com\/p\/risky-biz-news-internal-chats-for\" rel=\"noopener\">cracked the gang\u2019s chat server<\/a> also compromised their dark web victim leak site, and posted a screenshot allegedly of the ransomware\u2019s decryption source code. If true, the gang\u2019s reputation could be seriously damaged among crooks looking for partners.<\/p>\n<p data-ar-index=\"9\"><strong>Aurubis<\/strong>, the second-largest copper producer in the world, <a href=\"https:\/\/www.aurubis.com\/en\/media\/press-releases\/press-releases-2022\/update-on-cyber-attack-at-aurubis\" rel=\"noopener\">said it was forced to shut down<\/a> several IT systems last week after a cyber attack. The company said it took that action as a preventative measure.<\/p>\n<p data-ar-index=\"10\"><strong>Covid lockdowns<\/strong> and law enforcement crackdowns have made it harder for crooks to get hold of pharmaceutical drugs they sell online. <a href=\"https:\/\/news.cybersixgill.com\/illicit-underground-pharma-sales-are-on-the-decline\/\" rel=\"noopener\">According to researchers at Cybersixgill<\/a>, the number of posts on underground markets for popular prescription drugs, including painkillers, plunged 79 per cent last year and has remained at the same level this year. Still, these drugs continue to be peddled online by crooks at inflated prices.<\/p>\n<p data-ar-index=\"11\"><strong>Finally<\/strong>, administrators of the Splunk security event management platform should install the latest patches. 
<a href=\"https:\/\/www.splunk.com\/en_us\/product-security.html\" rel=\"noopener\">The company issued fixes<\/a> for eight high-severity vulnerabilities for Splunk Enterprise and one for Splunk Secure Gateway.<\/p>\n<p data-ar-index=\"12\"><em>(The following transcript has been edited for clarity)<\/em><\/p>\n<p data-ar-index=\"13\"><strong>Howard:<\/strong> Joining now from Fredericton, New Brunswick is David Shipley. Twitter is on our minds today, and only partly because it has a new owner. I recently spotted some nuggets of wisdom from Twitter users I follow that are thought-provoking. Here\u2019s one: \u201cThere is no talent shortage in cybersecurity. There\u2019s a talent development shortage.\u201d<\/p>\n<p data-ar-index=\"14\"><strong>David Shipley:<\/strong>\u00a0I completely agree. I think there is a ton of amazing, talented people out there that have a place in cyber. Our biggest challenge is we get in the way of ourselves. I\u2019ve seen ridiculous job requirements for entry-level positions, some requiring expertise with a decade in the industry \u2014 and the reality is a really good internship program could get the job done and get you that talent. I\u2019m a great example of what happens when you create a talent development pipeline. I\u2019m a journalist, I\u2019ve been a soldier, I was a marketer. My university saw in me the latent potential, the curiosity, the baseline of technical skills they could invest in to make me a cybersecurity professional. The CIO who I worked with recruited me from marketing into his team, helped get me into professional development programs through <a href=\"https:\/\/www.isaca.org\/\" rel=\"noopener\">ISACA<\/a>, and got me out to conferences. Meta Network provided specific technical tool training on things like QRadar \u2014 and I became a cybersecurity professional. 
Now, it took years to develop that talent, but it paid dividends for the university, and it certainly paid dividends for me.<\/p>\n<p data-ar-index=\"15\">The reality is we have so many different roles in cybersecurity. We have deep technical roles all the way to ones that require more communications and marketing skills, like awareness or auditing skills. There\u2019s a ton of talent out there, and really smart organizations are doing things like finding out who in their organization is curious about this stuff. That curiosity is the first, critical step to identifying talent. Then you can invest in them. There\u2019s an old cartoon that asks, \u2018What if we invest in our people and they leave?\u2019 [and someone asks] \u2018What if we don\u2019t invest in them and they stay?\u2019 There\u2019s this weird paradox where we\u2019re afraid to create value in people.<\/p>\n<p data-ar-index=\"16\"><strong>Howard:<\/strong> This is cyber security. Why shouldn\u2019t an employer say, \u2018I\u2019m looking for experience?\u2019<\/p>\n<p data-ar-index=\"17\"><strong>David:<\/strong> The challenge is if we\u2019re chasing the same limited pool of people who have experience, we create a talent shortage. The threat environment has accelerated, expanding the threat surface, whether it\u2019s from digital transformation etc. It has outpaced the available talent pools, so all you\u2019re doing is chasing the same people and escalating salaries. Thank you, but you have a job vacancy requirement. You\u2019re going to have to fill that. It\u2019s time for a trades approach to cyber. Get this out of people\u2019s heads that you need to have a four-year computer science degree to be in cybersecurity. There are some great folks that come out of community college. There are great, professional schools. 
Toronto Metropolitan University has phenomenal women in cyber and newcomer to Canada in cyber programs [<a href=\"https:\/\/www.itworldcanada.com\/article\/mastercard-funds-training-programs-for-women-and-poc-at-the-rogers-cybersecure-catalyst\/474918\" rel=\"noopener\">through the Rogers Cybersecure Catalyst<\/a>]. They partner with the federal government, they provide SANS Institute courses, really solid, edgy professional education. And they are graduating people right into Canada\u2019s biggest frontline jobs. They\u2019ve figured out the talent pipeline, but we need to scale that across the country because we need to benefit more than just Canada\u2019s five or 10 largest enterprises.<\/p>\n<p data-ar-index=\"18\"><strong>Howard:<\/strong> So what do those who are looking for security talent want? What do they need? Experience, certifications, a university degree?<\/p>\n<p data-ar-index=\"19\"><strong>David:<\/strong> They basically want an entire security team in a single person, which is crazy. No one cyber security professional can cover all the different things you might need in a team. If you\u2019re a small or mid-sized business you need a cybersecurity lead. Okay, get somebody that actually understands the fundamentals, understands governance and management. A certified information security manager is a great role. And you might be like me, an MBA graduate that has a CISM. They can make your plan, your strategy, help build your budget, find out what other skills make sense to hire internally, or develop the talent pipeline, or outsource. But so many times they want to hire a junior analyst at a junior analyst\u2019s salary, but they expect them to be the CISO, which is crazy.<\/p>\n<p data-ar-index=\"20\"><strong>Howard:<\/strong> This week Technation Canada, which represents big IT companies, told me that they\u2019ve asked Ottawa to create a public-private task force to work on the cyber security talent shortage. 
It would be governments \u2014 provincial, territorial, federal \u2014 private-sector tech companies and academics. Is that needed? Do the federal and provincial governments really need to get involved? Why can\u2019t the industry talk directly to universities and colleges?<\/p>\n<p data-ar-index=\"21\"><strong>David:<\/strong> I think we need federal government money to make it affordable for students to take a period of time, whether they\u2019re in school now or they want to change careers. That\u2019s what we need Ottawa\u2019s money for. We don\u2019t need another task force to reinvent a model. Toronto Metropolitan University\u2019s Rogers Cybersecure Catalyst has figured it out. It\u2019s there. Pop one of these in every major city in this country, backed by a top-tier university, and start ramping it up. Free tuition \u2014 with some kind of acceptance criteria, but not necessarily a computer science degree. I love the Toronto Metropolitan University program and how it\u2019s taught people cyber fundamentals, right up to the skills to be a junior SOC analyst or a risk auditor, and put them right into jobs. There\u2019s your talent strategy. I just saved millions of dollars. Go and get it done.<\/p>\n<p data-ar-index=\"22\"><strong>Howard:<\/strong> You didn\u2019t save millions of dollars: You said the f-word in there \u2014 free tuition. That costs money.<\/p>\n<p data-ar-index=\"23\"><strong>David:<\/strong> Sure, but look at the payback to the Canadian economy. We talked two weeks ago about how Canadian businesses lost $600 million to cybercrime. That comes directly out of the economy. If you have a program to start filling the talent pipeline across this country with a 10 times ROI, isn\u2019t that a good spend?<\/p>\n<p data-ar-index=\"24\"><strong>Howard:<\/strong> Here\u2019s another clip from a Twitter user that\u2019s job-related: He wrote, \u2018I\u2019ve been promoted to staff security engineer. 
That\u2019s two promotions in the year and a half that I\u2019ve been at my company versus the zero promotions that I have in the two and a half years at\u2019 and here he named a huge tech company that begins with the letter \u2018O\u2019, \u2018and the zero promotions that I had in the four years at,\u2019 and here he named another huge tech company that begins with the letter \u2018I\u2019. I can\u2019t verify how this person was treated at those companies, but the interpretation of this tweet is some companies treat their staff better than others, which may be common sense \u2014 but isn\u2019t that also a key to keeping your existing talent?<\/p>\n<p data-ar-index=\"25\"><strong>David:<\/strong> Exactly, and it goes back to the point I was making at the start: Sometimes companies are terrified of investing in their own people because they\u2019re going to lose them. But the reality is if you don\u2019t invest in them they are going to jump to other employers, just like this. This anecdote from Twitter shows you got to believe in your people, you got to believe in building up a talent pipeline. The job of every leader and every manager is to make sure there\u2019s someone below them that\u2019s ready to take over when they move up the chain or move to another organization. Within our company, as part of the ISO 27001 standard that we have for security, we train every employee to make sure that they know how to be successful in their role. This isn\u2019t what you would traditionally think is attached to a security certification, but it robustly makes our business more secure and resilient. If you\u2019re not investing in your people, you\u2019re missing out because it\u2019s the people in any given organization that make it competitive, that make it amazing. The technology that you use, the things that you produce, those are the outputs. The things that accelerate that, whether it\u2019s cyber or anything else, are people. You have to invest in that. 
I think the Great Resignation, the great transition that we\u2019ve gone through over the last 12 months as part of the pandemic, really highlighted exactly that point: People are finding it easier to get recognition in other organizations, and that\u2019s pretty damning.<\/p>\n<p data-ar-index=\"26\"><strong>Howard:<\/strong> Can you show appreciation in ways other than with money or a title?<\/p>\n<p data-ar-index=\"27\"><strong>David:<\/strong> Absolutely. Within our organization we regularly canvass our employees and ask, \u2018What new courses, what new skills do you want to develop?\u2019 When I was at the university they paid 50 per cent of my MBA, and I was given time during work hours to go to classes. They didn\u2019t increase my salary. And frankly, the 50 per cent coverage of the tuition didn\u2019t really cost them that much. But it was immensely valuable to me. The other thing you can do inside of your organization is to challenge people: Give them new problems, new opportunities. And that\u2019s why cyber is such an exciting talent development theme for today\u2019s podcast. We survey a lot of people, and we\u2019ve got some cool data coming soon. The number of people that want to do the right thing is well above 90 per cent in every organization, and within that pool of your employees are people who would thrive in cyber.<\/p>\n<p data-ar-index=\"28\">Here\u2019s a challenge to those listening: In your annual security awareness and training and compliance, are you using that as an opportunity to identify people that really get excited about cyber? They are the first ones to complete the training, or always report phishes, or are always showing up to [cybersecurity] town halls. Are you reaching back to them through your HR teams and saying, \u2018We notice you\u2019re pretty keen on this stuff. Did you know we have vacancies in cyber security and privacy and information handling? Would you be interested in that? Let\u2019s have a conversation.\u2019 But that\u2019s hard, long work. 
That\u2019s the kind of talent farming that we need to do \u2014 but we\u2019re much more comfortable headhunting. Talent farming yields greater results over time, but you got to put the work in.<\/p>\n<p data-ar-index=\"29\"><strong>Howard:<\/strong> Here\u2019s a third pearl of wisdom that I saw on Twitter. This person wrote, \u2018If you have a burdensome process, if your machines are overloaded with agents, if you have alert fatigue, you\u2019ve got a culture problem. Not a tech problem.\u2019<\/p>\n<p data-ar-index=\"30\"><strong>David:<\/strong> I really, really enjoyed that point. When we set out to do cybersecurity, when we\u2019re trying to do objectives and governance for organizations, the first thing to look at is: What are we trying to protect? Why are we trying to protect it? And what systems and processes to do that make the most sense for our organization? That starts with leadership. For example, for our ISO process we specifically said the protection of customer data is the most important. From there, what are all the system processes etc. to achieve that particular standard? What kind of culture do we want to create around that so we don\u2019t have a billion and one tools? How do we have a culture where everyone understands what we\u2019re doing? If everyone in your organization is doing things that are setting off fire alarms \u2014 whether they\u2019re going to websites with malware, they\u2019re clicking on every phishing link, they\u2019re insecurely sending data out to other individuals \u2014 you have a culture problem. You\u2019re not going to out-tech your way out of that problem.<\/p>\n<p data-ar-index=\"31\"><strong>Howard:<\/strong> And while we\u2019re on Twitter, we can\u2019t get away from Elon Musk. You\u2019ve seen an uptick in Twitter phishes and scams, including attacks on verified accounts, since the Musk takeover. 
What do you think is going on here?<\/p>\n<p data-ar-index=\"32\"><strong>David:<\/strong> Social engineering thrives in elements of controversy and confusion, and that\u2019s Elon\u2019s brand. Right now we\u2019ve got mass confusion over people with verified status, which are highly valuable accounts. They don\u2019t know if they\u2019re going to be getting a $20-a-month bill for this [as of the time this podcast was recorded] or if they\u2019re going to keep their status or how things are changing. This is the perfect time for scammers to kick in. We\u2019re also hearing that Twitter\u2019s trust and security teams are taking an awful potential beatdown in terms of job cuts, layoffs etc. So it\u2019s never been a better time to be a scammer targeting Twitter. They\u2019ve dived on this like ravenous animals on a wildebeest. And this can have consequences. There was a trial run of an attack in the Southern United States about a decade and a half ago where a social media disinformation account said there was a natural gas leak. They wanted to see if they could create panic. Imagine a bunch of verified news organizations falling victim to social engineering by a nation-state to push something. \u2026 And we\u2019re watching it just be thrown into utter chaos. Criminals are having a field day.<\/p>\n<p data-ar-index=\"33\"><strong>Howard:<\/strong> Do you think he knows what he wants to do?<\/p>\n<p data-ar-index=\"34\"><strong>David:<\/strong> I think Elon Musk is like Heath Ledger\u2019s Joker [in Batman: The Dark Knight]. I think he is just an absolute agent of chaos. Sometimes I think his intelligence outpaces his actions. I think at his core he is still a red-meat-eating capitalist who wants to make money \u2014 he sure paid a lot of money for Twitter \u2014 so he\u2019s got to figure out how to do that, which directly conflicts with a vision of what exactly free speech moderation means in a platform that depends on advertisers for 90 per cent of its revenue. 
I think he\u2019s a lot like the dog that caught the car and now he doesn\u2019t know what to do with it \u2026<\/p>\n<p data-ar-index=\"35\"><strong>Howard:<\/strong> I think that Elon is only partly a free-speech libertarian. The other part, I\u2019m just guessing, is he\u2019s a bottom-line capitalist. I wonder if he\u2019s looking at the 1,500 people around the world at Twitter who are content moderators \u2014 that is, they delete objectionable images and words \u2014 and he probably thinks they really don\u2019t contribute to the bottom line. There\u2019s no end to the demand that all platforms, be they LinkedIn or all sorts of other social media platforms, do more to delete or block hateful speech, disinformation and misinformation.<\/p>\n<p data-ar-index=\"36\">And if the owners of these platforms give in to these demands, well, they\u2019re going to have to hire thousands of people as moderators. Not many businessmen think that is a really good business model.<\/p>\n<p data-ar-index=\"37\"><strong>David:<\/strong> It\u2019s an interesting problem. I deeply remember the messages of Ray Bradbury\u2019s book <em>Fahrenheit 451<\/em> and the cautious warnings about the rise of censorship at the time it was published. Letting people say absolutely hateful, harmful things about identifiable groups \u2026 We\u2019ve seen this show before, when we give platforms to hate-mongers. It results in real tragedies and real crimes. So what do we do? It\u2019s interesting that companies want to yield tremendous profits from online advertising. They have displaced traditional media like newspapers, radio and television, which were held to a higher standard. Newspapers could be sued for printing libelous or defamatory things. Radio stations and broadcast stations had publicly granted spectrum licenses and were held to account by a regulator or their own industry, so there were checks and balances. 
I\u2019m old enough to remember when we called social media \u2018new media.\u2019 \u2026 Well, guess what? You created the world\u2019s largest letter-to-the-editor platform ever, and the awfulness that comes with this is your accountability now. Maybe the counterpoint to this is some of the ideas that Musk has about people having to prove their identity and thus making it easier for them to be held to account by each country\u2019s laws with respect to libel, hate speech, defamation, etc. Maybe that\u2019s the answer. A lot of smarter people say that\u2019s a giant pitfall for free speech.<\/p>\n<p data-ar-index=\"38\"><strong>Howard:<\/strong> The last item I want to talk about is whether CEOs should be held accountable for data breaches, and if so, how far. I raise this because <a href=\"https:\/\/www.ftc.gov\/news-events\/news\/press-releases\/2022\/10\/ftc-takes-action-against-drizly-its-ceo-james-cory-rellas-security-failures-exposed-data-25-million\" rel=\"noopener\">the U.S. Federal Trade Commission recently sanctioned an online alcohol marketplace called Drizly and its CEO over allegations that poor customer data protection resulted in the theft of 2.5 million customer records<\/a>. Drizly and the CEO were allegedly alerted to security problems two years ago, before the breach, but they failed to improve the security.<\/p>\n<p data-ar-index=\"39\">The FTC\u2019s proposed order not only restricts what the company can retain and collect going forward, but it also orders the CEO personally to implement security programs not only at Drizly but at any company he runs in the future if it collects data from 25,000 people or more. An appeal court may not find that part of the order lawful. But what do you think about this? If the CEO is paid big bucks, why shouldn\u2019t they pay the price?<\/p>\n<p data-ar-index=\"40\"><strong>David:<\/strong> I think there is a really compelling case to be made here. The parallels are in securities trading. 
We\u2019ve also seen examples where consequences can follow executives when they do bad things. We\u2019ve seen this in the Elizabeth Holmes case and the fraud around her medical technology biotech company [<a href=\"https:\/\/www.nbcnews.com\/business\/business-news\/theranos-lab-director-confirms-testimony-elizabeth-holmes-rcna52316\" rel=\"noopener\">Holmes was convicted in January and is awaiting sentencing<\/a>, although this is not a cybersecurity case]. Applying that to cyber makes some sense. In the FTC case I think the important fact here is the lack of a due-diligence defense. This was a risk, and they allegedly chose to prioritize other business areas or other risks over this. They allegedly made the choice, and with that choice came consequences. I think the punishment for CEOs and breaches should be commensurate with the actual risk of significant harm to individuals.<\/p>\n<p data-ar-index=\"41\">I remember the <a href=\"https:\/\/www.itworldcanada.com\/article\/lifelabs-faulted-for-huge-data-breach-by-ontario-b-c-privacy-commissioners\/432525\" rel=\"noopener\">LifeLabs breach here in Canada<\/a>, where people\u2019s private medical records, disease screening tests and other things were captured by a criminal gang. If [in a similar case] the CEO had known for years and chosen to disregard security, the penalty should be more severe than, say, the loss of information that\u2019s not nearly as sensitive \u2014 like usernames and passwords for an online ordering site. It makes sense, I think, to send the right signal to CEOs that there are professional consequences. This is not the first time we\u2019ve seen C-suite executives held to account for their decisions. One example is the post-Enron series of legislation around accountability and signing off on financial statements. They make a lot of sense.<\/p>\n<p data-ar-index=\"42\">I don\u2019t think it should just stop at the CEO. There are other key roles inside an organization. 
This is a nice bookend to the Uber case, where the chief security officer <a href=\"https:\/\/www.itworldcanada.com\/article\/ex-uber-cso-convicted-of-cover-up-in-2016-data-breach\/506957\" rel=\"noopener\">was just convicted last month<\/a> for the cover-up of a breach. It\u2019s nice to see CEOs being held to account \u2014 although the disparity between the chief security officer getting criminal consequences and possible jail time, versus a fine for a CEO and some covenants if they go on to create future businesses, is worth noting as well.<\/p>\n<p data-ar-index=\"43\">The post <a href=\"https:\/\/www.itworldcanada.com\/article\/cyber-security-today-week-in-review-for-friday-nov-4-2022\/511620\">Cyber Security Today, Week in Review for Friday, Nov. 4, 2022<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This episode looks at cyber-related advice on Twitter, Twitter&#8217;s new owner and how far CEOs should be held accountable for 
dat<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[360,16],"tags":[389,44],"class_list":["post-30832","post","type-post","status-publish","format-standard","hentry","category-podcasts","category-security","tag-cyber-security-today","tag-twitter"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/30832","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=30832"}],"version-history":[{"count":2,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/30832\/revisions"}],"predecessor-version":[{"id":30919,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/30832\/revisions\/30919"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=30832"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=30832"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=30832"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}