Cybersecurity and Information Resilience Blog

The past 18 months have seen the transformation of nearly every aspect of our world. All organizations will have managed different challenges during the pandemic and as governments ease lockdowns, many businesses are planning for employees to return to the workplace. Collecting employee data is now a new concern that brings with it new regulations and important factors that need to be considered.

Most organizations that think they won't be targeted by a cyber-attack have already faced a breach – they just don't know it yet. Getting a penetration tester to attempt to breach a network is the ultimate test of defenses and provides a clear picture of where and how a hacker could potentially gain access to the system.

With more information on the PCI DSS v4.0 update gradually coming to light, it appears that the long-awaited update is getting further away not closer. This means that organizations will have a generous timeframe during which transition can occur.

So down to the question:

What do we know, and what can we say for certain about PCI DSS Version 4?

While the hybrid office model is seen as a flexible solution to allow employees to efficiently perform their daily duties while keeping them safe, it also generates potential cybersecurity risks if left unmanaged. Risks in this scenario are primarily based around loss of visibility of employee activity and data, employee susceptibility to phishing attacks, and employees using shadow IT.

Research by the cybersecurity and information resilience team at BSI shows that over a third of organizations are unprepared for a cyber incident, with one in six highlighting that they have experienced a COVID-19 related data breach and cyber-attack in the past six months.

In planning a road trip across country by car, I would not want to use a map that was not updated since 1955. Roads have changed and new freeways would have been added that would not be on the 1955 map. In the same fashion, in planning changes to my environment or in planning and validating security solutions and controls, I need to have the most up to date and accurate depiction of my network. The best way to stay current is to add a step to your change control process

The European Court of Justice ruled that the EU/US  Privacy Shield data transfer mechanism is invalid.  Conor Hogan, Global Practice Director - Privacy at BSI, reviews the impact and implications of the European Court of Justice's decision on the 5000+  organizations that rely on the Privacy Shield for the transfer personal data between the EU and US and vice-versa.