Profiles in Leadership: Marcel Lehner, CISO, MM Group

Mathew J. Schwartz • January 20, 2022

When Marcel Lehner was hired to be the CISO of MM Group in Vienna, his mandate was clear: to better embed information security management and governance throughout the manufacturer's organization. To do that, he ran a "hearts and minds" campaign to communicate his vision and strategy and boost uptake.

Business Email Compromise (BEC)

The Need to Think Differently About Cybersecurity in 2022

Latest

Critical Infrastructure Security

CISA, EPA Issue 100-Day Cyber Plan for Water Utilities

Dan Gunderman • January 27, 2022

CISA and the EPA today announced the Industrial Control Systems Cybersecurity Initiative, a 100-day cybersecurity plan to safeguard water and wastewater systems. Officials say their action plan "focuses on high-impact activities that can be surged to safeguard water resources."

Fraud Management & Cybercrime

Lawsuit: 'Negligence' Led to Memorial Health System Attack

Marianne Kolbasuk McGee • January 27, 2022

A proposed class action lawsuit has been filed against Ohio-based Memorial Health System in the wake of a ransomware attack last August that reportedly involved the Hive cybercriminal gang, resulting in a health data breach affecting nearly 216,500 individuals.

Application Security

Battling Bugs: UK Government Pitches 'Scanning Made Easy'

Mathew J. Schwartz • January 27, 2022

Britain's National Cyber Security Center has launched a trial vulnerability management project called Scanning Made Easy, designed to empower small and midsize organizations to identify if critical software flaws are present in their IT infrastructure, so they can be targeted for remediation.

Governance & Risk Management

Spotting Cybersecurity Gaps, Becoming More Systems-Focused

Brian Barnier • January 27, 2022

Lisa Young prepares security teams to protect and defend their organizations from cybercriminals by seeing the things that others miss and asking the questions that others are too afraid to ask. She discusses how critical thinking improves cybersecurity.

Access Management

US OMB Releases Zero Trust Strategy for Federal Agencies

Dan Gunderman • January 26, 2022

OMB on Wednesday released a federal strategy to move the U.S. government toward mature zero trust architectures. White House officials say the new strategy - with a focus on MFA, asset inventories, traffic encryption, and more - is a key step in delivering on Biden's May 2021 executive order.

Business Continuity Management / Disaster Recovery

Ransomware Trends: Volume of Known Victims Remains Steady

Mathew J. Schwartz • January 26, 2022

Despite Western governments' increased focus on disrupting ransomware, the quantity of new victims doesn't appear to have declined, at least so far. But multiple experts say that nation-state efforts to combat cybercrime syndicates are still picking up speed and may well yet have an impact.

Business Continuity Management / Disaster Recovery

US, NATO Discuss Ukrainian Cyber Aid Amid Tensions

Dan Gunderman • January 25, 2022

As tensions continue to flare between Ukraine and Russia, which has amassed at least 100,000 troops along Ukraine's eastern border, the U.S. continues to mull intervention, a part of which includes bolstering Ukraine's cyber defenses. This comes as experts warn that cyberwarfare could play an increasingly significant...

3rd Party Risk Management

Log4j Updates: Flaw Challenges Global Security Leaders

Devon Warren-Kachelein • January 25, 2022

The security world continues its fight against potential widespread exploitation of the critical remote code execution vulnerability - tracked as CVE-2021-44229 - in Apache's Log4j software library, versions 2.0-beta9 to 2.14.1, known as "Log4Shell" and "Logjam." This is a digest of ISMG's updates.

Anti-Phishing, DMARC

'Email Security Doesn't Get the Attention It Deserves'

Anna Delaney • January 25, 2022

"Email security doesn't get the attention it deserves" because "phishing is not going away and is not getting any less," says Jess Burn, a senior analyst at Forrester. She shares best practices for phishing prevention.

Business Continuity Management / Disaster Recovery

Brand Narratives and Awareness in Cybersecurity

Steve King • January 25, 2022

Kyle Flaherty has worked with a range of companies, changing the worlds of big data, IoT, BYOD, SaaS, open-source software, network security, fraud detection, data analytics, marketing automation and network management. He weighs in on brands and how metrics feed different audiences.

3rd Party Risk Management

The Ransomware Files, Episode 4: Maersk and NotPetya

Jeremy Kirk • January 25, 2022

Maersk was one of dozens of organizations crippled by the NotPetya malware in June 2017. Gavin Ashton and Bharat Halai worked in identity and access management at Maersk and share how the company's technology team tirelessly brought the company back from the brink of an IT systems meltdown.

Cybercrime

Suspected REvil Ransomware Spinoff 'Ransom Cartel' Debuts

Mathew J. Schwartz • January 24, 2022

Has the notorious REvil, aka Sodinokibi, ransomware operation rebooted as "Ransom Cartel"? Security experts say the new group has technical and other crossovers with REvil. But whether the new group is a spinoff of REvil, bought the tools, or is simply copying how they work, remains unclear.