
The October 2024 Option One Cybersecurity Briefing

By OptionOne Technologies

We searched through the most popular cybersecurity websites to bring you the latest industry news, updates, and tips.

Cybersecurity Threat News

Study: 49% of Enterprises Underestimate SaaS Cybersecurity Risks

The recent AppOmni 2024 State of SaaS Security Report reveals a concerning trend in organizational security practices, The Hacker News reported. According to the study, 34% of security practitioners are unaware of the number of SaaS applications deployed in their organizations and only 15% of companies have centralized SaaS security within their cybersecurity teams.

This lack of visibility and decentralized approach to SaaS security has led to an increase in data breaches, with 31% of organizations reporting such incidents in the past year.

The disconnect between business units focused on innovation and security teams trying to keep up with a rapidly changing SaaS landscape has created an environment where vulnerabilities can thrive. This cultural gap has resulted in overconfidence in security measures and misalignment between perceived and actual security levels. For instance, while many companies believe they have high cybersecurity maturity, the reality often differs, with underestimated risks and complexities in SaaS environments.

The shared responsibility model between SaaS providers and customers is frequently misunderstood, leading to gaps in security coverage. The provider secures the platform itself, but tenant configuration, identity and access control, third-party integrations, and data-sharing settings remain the customer's responsibility, and these are where most SaaS exposures originate.

To address these challenges, organizations must focus on building a strong SaaS security culture. This involves the following steps:

  • Enhancing communication between business units and security teams
  • Providing ongoing cyber awareness training
  • Implementing clear security policies
  • Fostering a proactive security mindset
  • Leveraging SaaS Security Posture Management (SSPM) solutions for continuous monitoring and threat detection

You can download the full report here.
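The visibility gap described above is usually closed first by building an inventory. As an added example that is not part of the AppOmni report or this briefing, the following Python script builds a first-cut SaaS inventory from web-proxy logs and flags application domains that are not on a sanctioned list. The log format, the sample lines, the sanctioned list and the ignore list are all constructed for illustration; a real deployment would export the sanctioned list from the identity provider or SSPM tool.

```python
"""Shadow-SaaS discovery from web-proxy logs.

Added example, not from the AppOmni report or the original briefing.
Assumes a simple space-separated proxy log format (constructed below)
and a hand-maintained allow-list of sanctioned SaaS domains.
"""
import re
from collections import defaultdict

# Constructed sample log lines for illustration (not real traffic).
SAMPLE_LOG = """\
2024-10-03T09:14:02Z user=alice dst=app.slack.com method=POST status=200
2024-10-03T09:15:11Z user=alice dst=acme.sharepoint.com method=GET status=200
2024-10-03T09:20:45Z user=bob dst=api.notion.so method=POST status=200
2024-10-03T09:22:03Z user=carol dst=www.dropbox.com method=POST status=200
2024-10-03T09:25:30Z user=bob dst=www.dropbox.com method=GET status=200
2024-10-03T09:31:17Z user=dave dst=us-east-1.console.aws.amazon.com method=GET status=200
2024-10-03T09:40:08Z user=carol dst=cdn.example-ads.net method=GET status=200
"""

# Hypothetical sanctioned list; in practice export it from the IdP or SSPM tool.
SANCTIONED = {"slack.com", "sharepoint.com", "amazon.com"}

# Hypothetical non-application domains (CDNs, ad networks) to skip; tune per environment.
IGNORE = {"example-ads.net"}

# Pulls the user and destination host out of one log line.
LINE_RE = re.compile(r"user=(?P<user>\S+)\s+dst=(?P<dst>\S+)")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels, or three for a few common
    two-level ccTLDs. A production tool should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    two_level = {"co.uk", "com.au", "co.jp", "com.br"}
    if len(labels) >= 3 and ".".join(labels[-2:]) in two_level:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def discover_saas(log_text: str, sanctioned=SANCTIONED, ignore=IGNORE):
    """Return (known, shadow): two dicts of {domain: set(users)},
    split by whether the domain is on the sanctioned list."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed lines rather than abort the run
        dom = registrable_domain(m["dst"])
        if dom in ignore:
            continue
        seen[dom].add(m["user"])
    known = {d: u for d, u in seen.items() if d in sanctioned}
    shadow = {d: u for d, u in seen.items() if d not in sanctioned}
    return known, shadow


if __name__ == "__main__":
    known, shadow = discover_saas(SAMPLE_LOG)
    print(f"{len(known)} sanctioned app(s), {len(shadow)} unsanctioned app(s)")
    # Rank shadow apps by how many distinct users touch them.
    for dom, users in sorted(shadow.items(), key=lambda kv: -len(kv[1])):
        print(f"  {dom}: {len(users)} user(s): {', '.join(sorted(users))}")
```

On the constructed sample this reports three sanctioned applications and two unsanctioned ones (Notion and Dropbox), with Dropbox used by two people. The output is a starting point for the business-unit conversation the report calls for, not a verdict: reconcile it against the identity provider's application assignments, expect false positives from CDNs and embedded widgets, and replace the domain heuristic with the Public Suffix List before trusting the counts.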

SEC Fines Companies Millions for Downplaying SolarWinds Breach

The Securities and Exchange Commission (SEC) has taken action against four companies for their handling of disclosures related to the 2020 SolarWinds breach, DarkReading reported.

Unisys received the largest penalty of $4 million for describing cybersecurity risks as hypothetical despite experiencing two SolarWinds-related intrusions. Avaya Holdings Corp agreed to pay $1 million for failing to disclose the full extent of compromised data. Meanwhile, Check Point was fined $995,000 for intentional vagueness in its disclosures, while Mimecast will pay $990,000 for not fully disclosing the nature and quantity of exfiltrated data.

The SEC’s actions emphasize the need for companies to provide accurate and comprehensive disclosures following cybersecurity incidents.

“Downplaying the extent of a material cybersecurity breach is a bad strategy,” said Jorge G. Tenreiro, acting chief of the Crypto Assets and Cyber Unit at the SEC. “In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned-of risks had already materialized.”

This enforcement action highlights the changing landscape of enterprise cybersecurity, requiring closer collaboration between Chief Information Security Officers (CISOs) and legal teams.

“Companies can no longer rely on generalizations or hypotheticals,” said cybersecurity attorney Beth Burgin Waller. “The challenge for many companies will be thinking of post-litigation risk from all angles including later data breach class actions or customer lawsuits.”

The SEC’s enforcement aims to discourage vague or misleading communications following cybersecurity incidents.

Change Healthcare Breach Impacts 100 Million Americans—Could Have Been Prevented with Multi-Factor Authentication

The ransomware attack on Change Healthcare, a healthcare payment provider, has impacted the personal information of 100 million people in the United States, Infosecurity Magazine reported. That number is based on updated figures from the U.S. Department of Health and Human Services (HHS).

The attack began in February 2024 and is the largest known data breach of U.S. healthcare records ever recorded. Change Healthcare informed the HHS Office for Civil Rights (OCR) of the updated number on October 22nd, and the company began sending notifications to impacted patients in July.

The HHS Office for Civil Rights is still investigating the extent of the breach, as well as whether Change Healthcare complied with HIPAA's security and breach notification rules. The personal, financial, and health data that may have been exposed in the attack include the following:

  • Contact information (first and last name, address, date of birth, phone number and email)
  • Health insurance information (health plans and policies, insurance companies, member and group ID numbers, and government payor ID numbers)
  • Billing, claims, and payment information (claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due)
  • Other personal information (Social Security numbers, driver’s licenses, state ID numbers, or passport numbers)

The attack caused significant disruption to healthcare services across the U.S. UnitedHealth Group, Change Healthcare's parent company, acknowledged that it paid a $22 million ransom to the BlackCat ransomware gang to restore its systems. In May, UnitedHealth CEO Andrew Witty told Congress that the attackers used compromised credentials to remotely access a Change Healthcare Citrix portal, and that the portal did not have multifactor authentication (MFA) enabled. That is the practical lesson of the incident: any internet-facing remote-access portal (Citrix, VPN, RDP gateways) must require MFA, so that a stolen or reused password alone cannot open the door.

Cybersecurity Tips

Microsoft Warns CISOs to Stay Ahead of AI Technologies

Microsoft’s annual Digital Defense Report highlights the growing use of artificial intelligence (AI) by threat actors and the need for chief information security officers (CISOs) to stay on top of AI-powered threats, CSO Magazine reported. The most significant threat is likely generative AI, which threat actors can use to create malware, phishing lures, and deepfake videos.

The report warns that organizations slow to adopt AI defensive strategies may be at a disadvantage, as early AI adopters will have an edge in detecting and blocking malicious activities.

AI-enabled human targeting by threat actors is expected to become more challenging to defend against, even with AI-assisted defensive strategies. The report also notes that nation-state actors, particularly those linked to Russia, China, and Iran, are among the most prolific users of AI in social media influence operations.

To address these challenges, Microsoft recommends that CISOs leverage AI technologies in their defensive strategies. This includes using AI to do the following:

  • Prioritize security incidents
  • Reduce resolution time
  • Scan for risk assessment
  • Augment threat intelligence datasets
  • Generate answers to security-related questions

The report also emphasizes the importance of thorough testing and evaluation of AI systems, as well as the need for organizations to invest in training, tools, and robust strategies to overcome barriers to AI implementation.

As the threat landscape evolves, CISOs must stay ahead by embracing AI capabilities, addressing potential limitations, and ensuring proper integration with existing systems.

Thanks for Reading

That’s it for this month’s Cybersecurity Briefing. Contact us today to learn more about our services.