The March 2024 OptionOne Cybersecurity Briefing

By OptionOne Technologies

We searched through the most popular cybersecurity websites to bring you the latest industry news, updates, and tips.

Cybersecurity Threat News

17 Billion Personal Records Exposed in Data Breaches in 2023

Data breaches in 2023 increased by 34.5% compared to the previous year, affecting over 17 billion personal records, Infosecurity Magazine reported. The cybersecurity firm Flashpoint reported a total of 6,077 data breaches that exposed sensitive information such as names, Social Security numbers, and financial details to unauthorized parties.

More than 70% of these incidents resulted from unauthorized access from outside the affected organization.

The United States experienced the highest number of breaches, with 3,804 incidents making up 60% of the global total. Ransomware attacks were identified as a major factor behind the upsurge, showing an 84% rise in occurrences.

Furthermore, Flashpoint’s 2024 Global Threat Intelligence Report notes a dramatic upturn of 429% in leaked personal data in early 2024 compared to the same timeframe in the previous year, with 1,897 billion records compromised. The report points to specific ransomware groups such as LockBit, which alone was responsible for a large portion of attacks in 2023.

The sectors most affected included construction, engineering, professional services, internet software, and healthcare. The year 2023 also saw a record number of known vulnerabilities, highlighting a critical gap in organizational defenses against cyber threats.

CISA: Hackers Are Actively Attacking a Microsoft SharePoint Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning users of Microsoft’s popular SharePoint software that hackers are actively trying to exploit a vulnerability, The Hacker News reported.

CISA has urgently flagged the Microsoft SharePoint Server security flaw, known as CVE-2023-24955, with a Common Vulnerability Scoring System (CVSS) score of 7.2. The vulnerability was flagged for immediate remediation after confirmed reports of its exploitation from users.

This vulnerability enables an attacker, once authenticated as a Site Owner, to remotely execute arbitrary code on the affected server. Microsoft addressed the issue in its Patch Tuesday updates for May 2023. This follows the addition of another SharePoint issue, CVE-2023-29357, to CISA’s Known Exploited Vulnerabilities catalog.

Despite the serious implications of these vulnerabilities, Microsoft assures that users with automatic updates and the ‘Receive updates for other Microsoft products’ option enabled are safeguarded. Federal Civilian Executive Branch agencies have set a compliance deadline of April 16, 2024, for Microsoft to fortify their systems against these threats.

Spyware Vendors Outpace State-Sponsored Actors in Zero-Day Exploits

The landscape of cyber threats has notably shifted, with commercial spyware companies now responsible for 75% of zero-day exploits targeting Google and Android products, Cybernews reported. These companies, which also cater to government clients, accounted for 41.4% of all zero-day exploits, matching the contribution from government-backed hackers.

The U.S. has begun to take action against this trend, with President Biden issuing an Executive Order in August 2023 to curb the use of commercial spyware that threatens national security or facilitates human rights abuses. Google has recommended further sanctions against these vendors, highlighting the disproportionate harm they cause compared to their utility.

Windows OS was the most targeted platform last year, followed by the Safari browser. There were no new exploits found for macOS, Firefox, or Internet Explorer.

Of the 19 total in-the-wild zero-days targeting browsers, nine were in JavaScript engines. Google observed an increase in exploits targeting third-party components and libraries that affect more than just a single product.

Cybersecurity Tips

Companies That Meet SEC Cybersecurity Guidelines Generate Almost Four Times More Value Than Others

A recent study by BitSight and Diligent Institute brings to light the profound impact that cybersecurity governance has on shareholder value within public corporations, DarkReading reported.

Despite longstanding guidelines from the US Securities and Exchange Commission urging enhanced cybersecurity measures, many companies have lagged in their cyber governance. However, the research, covering over 4,000 midsize to large global corporations, revealed that businesses that have diligently cultivated their cybersecurity governance not only significantly bolster their security posture but also see their shareholder value increase nearly fourfold compared to those that haven’t.

The study explored the cyber expertise of company directors and the composition of audit and specialized risk committees. It assessed companies against 23 key risk factors including botnet infections and outdated encryption certificates.

Ladi Adefala, a cybersecurity consultant and CEO of Omega315, validated the report’s findings, saying, “Boards that exercise cyber oversight through specialized committees with a cyber expert member as opposed to relying on the full board are more likely to improve their overall security postures and financial performance.”

The study further revealed the critical role of having dedicated board committees for specialized risk and audit compliance. Such committees are better equipped to tackle intricate cybersecurity issues and forge stronger ties with executives managing daily cybersecurity operations.

Thanks for Reading

That’s it for this month’s Cybersecurity Briefing. Contact us today to learn more about our services.