The week in security: Poor security hygiene just not good enough, APRA warns

Valeriy Kachaev |

APRA plans to crack down on the rather poor security hygiene practices still being commonly found across the financial-services industry, the regulator announced in the wake of statistics showing that the industry suffered 36 data breaches in just four months this year.

Better security isn’t just a matter of hygiene, however: as the creators of phishing kits Become ever more skilful at morphing their creations with regularity, high-profile targets in financial services and elsewhere need to be aware of the ever changing risks they face.

Indeed, new risks threaten any company that has been investing heavily in the cloud – and that, these days, means any company at all. The key is to not take security for granted, and to remember that cloud security is different because the cloud is different.

Also high on hackers’ list are healthcare targets, but the technical minds behind My Health Record (MyHR) seem to be doing something right for now: the first report on the e-Health initiative since its shift to opt-out architecture showed that the system had not suffered any malicious cyber attacks, with 38 recorded data breaches resulting in accidental, not malicious, compromises. Monash IVF, however, was not so lucky.

Internet of Things (IoT) vulnerabilities are another common area of risk, and the Five Eyes intelligence community committed to working together, and with industry, to try to stamp out IoT bugs that have not only persisted, but gotten even worse in recent times.

Things could get much worse before they get better, if Microsoft’s level of concern about the high-profile BlueKeep vulnerability in any way reflects the actual threat level. The company was actively warning systems administrators to find and patch any RDP services they can, because new BlueKeep threats are coming.

Forewarned is forearmed, after all – and Cisco was on that bus too, advising developers to stop using the once-popular Exhibitor open-source tool that was abandoned by its Netflix engineer author in 2016.

Meanwhile, the Australian government was releasing advice about countering ‘foreign interference’ after a spate of university cyber attacks laid bare the extent of the education industry’s security vulnerabilities.

Copyright © 2019 IDG Communications, Inc.

The 10 most powerful cybersecurity companies