At a glance.
- New York's Department of Financial Services issues a cyber alert.
- California's cybersecurity strategy.
- US DoD inspector general says research institutions lack adequate data protection policies.
New York's financial sector could be in Russia’s cyber crosshairs.
The New York State Department of Financial Services last week issued an alert warning that the financial sector faces elevated cyber risk as a result of Russia’s invasion of Ukraine. As Business Insurance explains, history shows that Russian cyberattacks on Ukraine can spill over into networks in other countries, and Russia could also choose to attack US infrastructure directly in retaliation for Western sanctions. The alert includes recommended steps for regulated entities, including ensuring that all programs comply with core cybersecurity hygiene measures, updating and testing incident response plans, reviewing the ransomware guidance the department issued last June, and conducting additional cybersecurity awareness training for staff.
California’s CISO discusses “people-first” cybersecurity strategy.
Government Technology spoke with Vitaliy Panych, chief information security officer for the state of California, about the state’s current and future cybersecurity strategy. Panych, appointed in 2019, discusses Vision 2023, a people-first approach to cybersecurity, and how the state responded to the security threats posed by the pandemic. He also describes the state’s Cybersecurity Task Force, which aims to “[unify] the state, local, tribal, territorial, academic and private sectors through leadership to strategize and task workgroups with the missions we need to focus on.” Discussing Cal-Secure, the state’s five-year information security strategy launched last fall, Panych explains, “The plan outlines an overarching road map to prioritize initiatives to guide organizations at any level of maturity. The plan focuses on building up technical capabilities, but also how our workforce and governance practices can and do help us sustain our collective protection measures.” Panych also recognizes that smaller entities need the cybersecurity attention usually reserved for larger organizations. “A lot of efforts have been focused on larger enterprises with relative successes and failures, but the smaller organizations haven’t had much help from our industry,” he states. “I mean those small businesses, rural governments, nonprofits, and service providers. We need to aim our focus on scaling security basics at that level.”
US DoD inspector general says research institutions lack adequate data protection policies.
FCW reports that a recent audit by the US Defense Department’s (DoD) Office of Inspector General (OIG) found that research institutions working with the DoD on military technology development sometimes lack the cybersecurity policies needed to properly safeguard the sensitive data they handle. After examining the policies of ten defense research organizations, the OIG found that nearly half had cybersecurity deficiencies that could leave them exposed to data theft or insider risk. The most common finding was failure to use automated whitelisting to control the removable media, such as external hard drives, on which controlled unclassified information is stored. Other deficiencies included failure to disable inactive user accounts, weak password hygiene, and the lack of an incident response plan. The report, released last week, redacts the names of the audited institutions. In response, the principal director for Defense Pricing and Contracting said an interim rule would be needed to apply the requirements retroactively, one of the first steps in implementing the DoD’s Cybersecurity Maturity Model Certification (CMMC) program, which builds on the National Institute of Standards and Technology’s SP 800-171 guidance.