Foster City, Calif., Nov. 21, 2023 — Qualys, a cloud-based IT, security and compliance solutions leader, unveiled its forward-looking vision of the Qualys Enterprise TruRisk Platform on Nov. 8.

The announcement was made by president and CEO Sumedh Thakar at the company’s annual Qualys Security Conference in Orlando, Florida. The Qualys Enterprise TruRisk Platform centers around helping customers holistically measure, effectively communicate, and proactively eliminate cyber risk, with a hyper focus on the impact of cyber risk on business risk.

The ground-breaking platform is the maturation of a concept that Qualys began working on 18 months ago through a commitment to deliver powerful security solutions for attack surface management, vulnerability management, and remediation, in addition to providing a higher level of orchestration between these solutions that allows security leaders to better identify, prioritize, and action cyber risk remediation to maximize positive impact on their businesses.

In a company blog post, Thakar described the Qualys Enterprise TruRisk Platform as “marking a seismic shift for the future of Qualys as a leader in managing and reducing cyber risk for CISOs as well as security practitioners.” He went on to comment on how disjointed cyber risk scoring methodologies and disparate cybersecurity point solutions have had a negative impact on CISOs and the organizations they secure.

“Despite a market push to release more cyber risk ‘measurement’ solutions, security leaders and stakeholders have no reliable means of aggregating, correlating, and translating cyber signals from a growing cybersecurity stack into meaningful cyber risk mitigation and remediation strategies,” said Thakar. The Qualys Enterprise TruRisk Platform addresses this issue head-on by delivering a unified view of risk under one agent and a single scalable solution.

With ever-expanding attack surfaces and a growing threat landscape, cyber risk has become an elevated topic of importance and prominence for virtually every organization, especially for the C-suite. Today, nearly 50% of CISOs report directly to the CEO, with over 90% regularly briefing their Board of Directors about their organization’s exposure to cyber risk.

With dozens of security tools on average, security leaders are forced to parse through a complex maze of risk data from a collection of disparate solutions managed by different teams and split between IT and security to calculate, articulate, and remediate cyber risk across their extended infrastructure. Ultimately, they’re measuring risk with limited data, and because of this, they’re communicating the cyber risk inaccurately to their stakeholders and not reducing cyber risk effectively for their businesses.

The Enterprise TruRisk Platform provides a centralized way for organizations to measure and eliminate their cyber risk and arms users with the actionable insights they need to communicate their actual cyber risk posture to internal security and business risk stakeholders. It also provides external executive stakeholders, from the board to cyber risk insurers, with the necessary data they need to make the right decisions.

Eliminate cyber risk

The Qualys Enterprise TruRisk Platform is the only cybersecurity and risk management solution that enables users to:

•Measure Cyber Risk – Aggregates cyber risk across Qualys and non-Qualys external security and IT tools within an organization’s ecosystem. For the first time, users will be able to aggregate third-party solution risk factors. On top of data from the Qualys Threat Library and over 25 threat intelligence feeds, Qualys Enterprise TruRisk Platform will ingest data from other IT and security vendor solutions, to allow organizations to get an accurate assessment of their risk with their current security stack.

•Communicate Cyber Risk – Translates disparate cyber risk data into common actionable insights and business impact metrics for key security and business risk stakeholders. Risk will be measured in terms of potential financial impact to the business, and the level of detail in reports will be customizable to the respective leadership audience.

•Eliminate Cyber Risk – Eliminates cyber risk across the extended enterprise with precise remediation and mitigation actions. The platform goes beyond patching to introduce dynamic methods for risk reduction where patching is neither possible nor preferred. These options include, but are not limited to, virtual patching, permission adjustments, temporary asset disablement, and port-blocking to allow for risk reduction without compromising operational efficiencies.

To learn more about the Qualys Enterprise TruRisk Platform, please read the company blog post here.

A hacking gang known as Scattered Spiders soundly defeated the cybersecurity defenses of MGM and Caesars casinos.

Related: Russia puts the squeeze on US supply chain

This cost the Las Vegas gambling meccas more than $100 million while damaging their reputations. As the companies face nine federal lawsuits for failing to protect customer data, it’s abundantly clear hackers have checkmated multi-factor authentication (MFA).

Using a technique known as MFA fatigue, Scattered Spiders put MGM in manual mode and forced Caesars to pay a reported $13 million ransom. For the moment, hackers appear to have the upper hand in the global chess match between cybersecurity professionals and digital criminals.

That’s largely because the splashy headlines and online buzz created by bringing down the pair of casinos will only motivate more mid-level cybercriminals to follow Scattered Spiders’ model, putting wide-reaching businesses at risk of ransomware attacks due to the rise of ransomware-as-a-service models.

Scattered spiders

In early September, Scattered Spiders infiltrated MGM and Caesars using a variety of relatively common hacking techniques. But the coup de grâce was how easily they brushed aside the multi-factor authentication protections.

The criminals’ ages are said to range between 17 and 25 years old, and their kung fu was nothing to boast about until they pulled off these crimes.

Using routine social engineering strategies, the cyber-thieves gathered information about key employees. Professional networking and social media platforms continue to prove a rich landscape for phone numbers, locations, hobbies, dates of birth, family members, and friendships.

Crafting a comprehensive file on select casino workers, Scattered Spiders showed some bravado by calling their help desks. Fluent in American English, a gang member convinced a help desk worker to provide a one-time password to log into the systems.

Defeating MFA

Their social engineering chops seem to indicate the relatively youthful thieves possessed significant skills. But persuading a poorly trained help desk operator to provide a temporary password isn’t, unfortunately, out of the ordinary. How they steamrolled multi-factor authentication is a reason for pause.

According to reports, Scattered Spiders spent a little crypto on ransomware reportedly engineered by either ALPHV or BlackCat. The rise in ransomware-as-a-service allowed these seemingly garden-variety hackers to elevate their game. But their ability to overcome multi-factor authentication defenses has cybersecurity experts rethinking the once tried-and-true protection.

Scattered Spiders employed a technique known as “MFA Fatigue.” As the name suggests, hackers flood a legitimate user with approval requests after inputting their username and password. Because MFA typically sends a verification code to a secondary device via text message or email, the hackers cannot usually get their digital hands on the information.

But Scattered Spiders deployed malware that sent the casino employees an avalanche of approval requests. These requests typically pressure people to click on an approval tab.

Much like getting into a disagreement with a relative, MFA fatigue works by wearing someone down psychologically. At some point in a lengthy dispute, one party just says “fine” and agrees to end the argument. Employees who receive a barrage of notifications are likely to approve the request to make the electronic message stop. That’s how millions of dollars were lost, lawsuits were filed, and the casinos’ reputations were tarnished.

Dealing with MFA fatigue

To say receiving a one-time password after a 10-minute conversation with a help desk operator demonstrates a lack of cybersecurity awareness training would be something of an understatement. Human error remains a primary failing in upwards of 88 percent of all data breaches.

That statistic also applies to the employees who succumbed to MFA fatigue tactics and eventually clicked on the login approval. However, there are ways cybersecurity firms can help organizations harden their MFA protocols to reduce human error and avoid MFA fatigue, such as the following.

•Reduce the amount of time a temporary password can be used.

•Limit the number of unsuccessful login attempts.

•Onboard biometric and geolocation elements.

Increasing the number of factors and secondary sources used for approvals is also feasible. If legitimate network users needed to access both email and text messages, hackers would be forced to flood both devices. That should trigger the realization something is amiss.
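The push-flood pattern and the attempt cap described above can be expressed as a short log check. This is an added example, not part of the original essay; the log format, event names, user IDs and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines, not real data.
# Assumed format: "<ISO time> user=<id> event=<name>"
SAMPLE_LOG = """\
2023-09-10T02:14:05 user=alice event=push_sent
2023-09-10T02:14:20 user=alice event=push_denied
2023-09-10T02:14:31 user=alice event=push_sent
2023-09-10T02:15:02 user=alice event=push_timeout
2023-09-10T02:15:10 user=alice event=push_sent
2023-09-10T02:15:40 user=alice event=push_denied
2023-09-10T02:15:45 user=alice event=push_sent
2023-09-10T02:16:30 user=alice event=push_timeout
2023-09-10T02:16:33 user=alice event=push_sent
2023-09-10T02:16:41 user=alice event=push_approved
2023-09-10T09:00:02 user=bob event=push_sent
2023-09-10T09:00:09 user=bob event=push_approved
2023-09-10T09:30:00 user=carol event=push_sent
2023-09-10T09:30:15 user=carol event=push_denied
2023-09-10T13:05:00 user=carol event=push_sent
2023-09-10T13:05:06 user=carol event=push_approved
"""

LINE_RE = re.compile(
    r"^(\S+) user=(\S+) event=(push_sent|push_denied|push_timeout|push_approved)$"
)


def parse_line(line):
    """Return (timestamp, user, event) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def prompt_allowed(rejected_times, now, window, max_rejected):
    """Mitigation side: stop sending pushes once the rejection cap is reached."""
    recent = sum(1 for t in rejected_times if now - t <= window)
    return recent < max_rejected


def detect_push_fatigue(log_text, window=timedelta(minutes=10), max_rejected=3):
    """Detection side: flag floods of rejected prompts and approvals that follow.

    A rejection is a denied or timed-out prompt. Findings are tuples of
    (user, kind, timestamp), where kind is one of:
      prompt_flood          - max_rejected rejections inside the window
      approval_after_flood  - an approval arrives while the user is in a flood
    """
    rejected = defaultdict(deque)  # user -> timestamps of recent rejections
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, event = parsed
        recent = rejected[user]
        # Drop rejections that have aged out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if event in ("push_denied", "push_timeout"):
            recent.append(ts)
            if len(recent) == max_rejected:
                findings.append((user, "prompt_flood", ts))
        elif event == "push_approved":
            # An approval right after repeated rejections is the fatigue signal.
            if len(recent) >= max_rejected:
                findings.append((user, "approval_after_flood", ts))
            recent.clear()
    return findings


if __name__ == "__main__":
    for user, kind, ts in detect_push_fatigue(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user} {kind}")
```

An `approval_after_flood` finding is the one to route to incident response, since it means a session was granted after the user had repeatedly refused.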

Given that hackers have a relatively new trick to play on businesses, it’s crucial to harden your cybersecurity defenses and educate staff members about MFA fatigue.

About the essayist: John Funk is Inbound Marketing Specialist at SevenAtoms Marketing Inc., a digital marketing agency; he has expertise in the cybersecurity and IT managed services fields.

Houston, Texas, USA – 16 Nov. 2023 – Given the sharpening complexity of cyber threats, our digital and physical infrastructure faces mounting challenges.

In the past year alone, we’ve seen cybercriminals refine their arsenal with sophisticated tools aimed squarely at evading defences and causing disruption. This isn’t an underground effort but a professional marketplace, teeming with state-backed operatives, criminal collectives, and rogue activists.

As the US’s critical infrastructure stands on high alert, cybersecurity firm Bridewell spotlights the critical trends and emerging dangers cyber teams must watch out for in 2024. Our report, ‘Cyber Security: What to Expect in 2024’, is informed by insights collected through continuous monitoring from our 24/7 Security Operations Centre (SOC) and input from our dedicated consultants and cyber experts. A snapshot of the challenges on the horizon for next year, detailed in the full report:

•RaaS will bring hope to more cybercriminals – The growth of Ransomware-as-a-Service (RaaS) will catapult large-scale criminal gangs to enterprise status and level up the lower-skilled crime groups. Ransomware operators with the skills to write software for use by affiliate groups have identified a gap in the criminal market. This is accelerating the professionalization of cybercrime. Large-scale ransomware groups will achieve the size and habits of major enterprises, adopting departmental specialisms such as R&D and offering defined career structures. The only thing they won’t do in 2024 is pay taxes.

•The rise of malware that thinks for itself – Forget Terminator and Skynet or HAL 9000 on the Discovery One spacecraft, AI threats are real and all around us. AI will lower the barrier to entry for criminals but also help with detection in a way no human can, democratizing security. AI will enable more sophisticated attack methods such as polymorphic malware, which mutates with every infection, making detection a difficult task. The arms race around AI will become a distinct feature of the next 12 months, as organizations and criminals compete to take advantage of the technology.

•Land of the free, home of the cyberattack – When it comes to regulation, it often feels like it’s jogging a few paces behind the sprint of technological advancements. The US remains a long way behind Europe and other regions in terms of nationwide cyber security regulation, and this will continue to have the knock-on effect of more cyber attacks on US businesses. This is despite moves by the Biden administration to improve standards in federal organizations and among its software providers. Despite the growth of threats from rogue nation-states and hacking groups, US organizations will continue to have a bare-minimum approach to cybersecurity until they are subject to more stringent requirements and penalties. This leaves the direction of US cyber regulation next year in question.

•An explosion of threats against energy companies – The energy sector faces heightened risk because it is a bargaining chip for cyber criminals focused on politically-motivated attacks. It is effectively a weapon of war and an area of major governmental concern, given its critical role in all economies and the sensitivity to price rises among consumers. The International Energy Agency has warned that energy systems are at “unprecedented threat” from cyberattacks, particularly in the renewables segment of the market. Green energy technologies will become hotspots for cyber threats, so the sector must brace for a turbulent year.

•Big year for cyber in politics? – Cyberattacks often correspond with major political events, and 2024 will see a US presidential election. Preparation will be key as Russia, North Korea, Iran and activist hacking groups all carry their own motivations. Following the US National Intelligence Council (NIC) reporting “profit-motivated cybercriminals disrupted 2020 US presidential election preparations in some states with ransomware attacks”, the government will certainly step up security to prevent threat actors from entering networks or disrupting proceedings during 2024.

Chase Richardson, Head of US Operations at Bridewell, added: “Looking ahead to 2024, we can see how emerging technology tools, sophisticated attack methods and the eruption of AI are transforming how criminals organise and operate, but also how legitimate organisations can defend themselves. To strengthen their security posture at a time of great change, organizations must avoid dependence on technology as the sole answer. They must acquire greater visibility and threat intelligence and develop their processes and technologies to ensure they are leveraging sophisticated threat-led managed detection and response (MDR) and extended detection and response (XDR) capabilities.” Download the full Cyber Security: What to Expect in 2024 guide.

About Bridewell: Bridewell is a cybersecurity services company providing global, 24×7 managed detection and response services and cybersecurity consultancy.

With extensive experience in delivering large-scale transformational projects in highly regulated environments, Bridewell enables organizations to drive strategic change securely, providing a full breadth of end-to-end cybersecurity services. Its expert team comprises a diverse range of highly skilled consultants, supported by industry leading technology, deep technical expertise, accredited methodologies and a client-centric business driven approach.

Bridewell delivers a vast number of services across critical national infrastructure, aviation, financial services, government and oil and gas. The company holds a number of industry accreditations including NCSC, CREST, ASSURE, IASME Consortium, SOC2, Cyber Essentials Plus, ISO27001 and ISO9001, and is a PCI DSS QSA Company.

Media contact Harry Lethaby, Senior Account Executive, +44 (0) 1252 727313, harryl@whiteoaks.co.uk

Threat intelligence sharing has come a long way since Valentine’s Day 2015.

Related: How ‘Internet Access Brokers’ fuel ransomware

I happened to be in the audience at Stanford University when President Obama took to the stage to issue an executive order challenging the corporate sector and federal government to start collaborating as true allies.

Obama’s clarion call led to the passage of the Cybersecurity Information Sharing Act, the creation of Information Sharing and Analysis Organizations (ISAOs) and the jump-starting of several private-sector sharing consortiums.

Material progress in threat intel sharing, indeed, has been made. Yet, there remains much leeway for improvements. I had the chance to discuss this with Christopher Budd, director of Sophos X-Ops, the company’s cross-operational task force of security defenders.

Budd explained how Sophos X-Ops is designed to dismantle security silos internally, while also facilitating external sharing, for the greater good.

For a full drill down, please view the accompanying videocast. Here are my takeaways.

Overcoming inertia

Threat actors haven’t exactly been resting on their laurels. Case in point: fresh intel just released in Sophos’ Active Adversary Report for Security Practitioners discloses how telemetry measuring network activity has begun turning up missing on a grand scale – in nearly 42 percent of the incident response cases examined by Sophos’ analysts between January 2022 and June 2023.

These gaps in telemetry illustrate just how deep and dynamic the cat vs. mouse chase has become; in some 82 percent of these cases the attackers purposefully disabled or wiped out the telemetry to hide their tracks.

“Because of improved network defenses, the attackers are innovating ways to get in and out as fast as they can,” Budd says. “We’ve been dealing with this arms race for decades; at this point, not only is it an arms race, but it is also a highly caffeinated arms race.”

Overcoming inertia remains a big challenge, Budd adds. Historically, network security has been marked by siloed security operations; unilateral teams got stood up to carry out email security, vulnerability patching, incident response, etc. — interoperability really wasn’t on anyone’s radar.

Meanwhile, the network attack surface has inexorably expanded, even more so post Covid 19, as companies intensified their reliance on cloud-centric IT resources. And today, with the mainstreaming of next-gen AI tools, attackers enjoy an abundance of viable attack vectors, putting security teams that operate unilaterally at a huge disadvantage.

Joint task force approach

Sophos X-Ops launched in July 2022 to apply a joint task force approach to protecting enterprises in this environment. Budd directs a cross-operational unit linking SophosLabs, Sophos SecOps and SophosAI, bringing together three established teams of seasoned experts.

From this command center perspective, real-world strategic analysis happens continuously and in real time. The task force can deploy leading-edge detection and response tools and leverage the timeliest intelligence. It’s much the same approach that has proven effective time and again in military and emergency response scenarios.

“The benefit of a joint task force model is you maintain excellence and expertise in each domain area,” Budd says. “You don’t dilute the expertise in that domain area; you break down the silos by bringing each piece that you need for that unique threat to build a unique solution.”

The incident response team, for instance, might zero in on suspicious activity to gather hard evidence that gets turned over to malware experts for deeper analysis. AI specialists might then jump on board to develop an automated mitigation routine, suitable for scaling. And the entire mitigation effort gets added to the overall knowledge base.

This is how the Sophos X-Ops team helped neutralize a recent spike in ransomware attacks against Microsoft SQL servers. The joint task force unraveled how the attackers were able to leverage a fake downloading site and grey-market remote access tools to distribute multiple ransomware families. The campaign was thwarted by pooling resources and jointly analyzing the attackers’ tactics.

External sharing

It struck me in discussing this with Budd that the joint task force approach directly aligns with Obama’s call for stronger alliances on the part of the good guys. Notably, Sophos X-Ops from day one has actively participated in external sharing, via the Cyber Threat Alliance (CTA) and the Microsoft Active Protections Program (MAPP).

The CTA is a coalition of some two dozen companies and organizations, led by Cisco, Palo Alto Networks, Fortinet and Check Point, committed to sharing actionable threat intel in real time. Members proactively share information on emerging threats, malware samples and attack patterns.

With MAPP, Microsoft aims to share fresh vulnerability patching alerts with security vendors before public disclosure. This gives the security vendors a head start in developing patches and affords them a head start in distributing patches. This strengthens the overall Windows ecosystem, Budd noted.

As cyber threats continue to evolve and scale up, the urgency for companies and government agencies to do much more of this is intensifying. The good news is that the advanced technologies and vetted best practices required to completely dismantle security silos, as well as to extend external sharing far and wide, are readily available.

This all aligns with the notion that deeper levels of sharing must coalesce if we are to have any hope of tempering continually rising cyber threats. I’ll keep watch and keep reporting.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

 

Combining DevSecOps with Generative Artificial Intelligence (Gen-AI) holds the potential to transform both software development and cybersecurity protocols.

Related: The primacy of DevSecOps

Through harnessing the power of Generative AI, enterprises can usher in a new era of DevSecOps, elevating development velocity, security, and robustness to unprecedented levels.

DevSecOps teams can test and debug code 70 percent faster with generative AI, which in turn saves businesses money and employee hours.

Generative AI can also help DevSecOps professionals to identify areas that are ripe for automation, enhance real-time monitoring and analytics, and even predict and address security problems before they happen.

Accelerating automation

DevSecOps and cybersecurity teams often encounter repetitive, time-consuming tasks that can lead to inefficiencies and errors when they handle these tasks manually. AI can play a pivotal role in automating these processes.

Tasks like code review, test case generation, systematically generating, storing, and managing configuration files, and infrastructure provisioning are prime candidates for automation. Leveraging generative AI in these areas can significantly speed up the delivery process and reduce human errors that could become cybersecurity threats.

AI engineers can train the AI model on a dataset of historical code changes. The model will learn to identify potential problems in code, such as security vulnerabilities, performance issues, and compliance violations. The AI model can then review new code changes automatically. This frees up the DevSecOps teams to focus on higher-order tasks, such as testing and developing new authentication features.

Generative AI can also be used to suggest and/or generate test cases. This baseline test coverage helps immensely in DevSecOps processes and automation and delivers immense value at negligible costs. And in terms of generating configurations, generative AI software allows teams to completely automate the configuration process.

Responding in real-time

But AI-powered issue-spotting goes beyond simple code review. Generative AI algorithms can also continuously analyze vast amounts of data generated during the software development and deployment process. They can monitor key performance metrics, server health, response times, and application stability in real time.

By detecting deviations from normal patterns, such as sudden spikes in server load or unexpected errors in the code, the AI system can promptly alert the appropriate teams to any potential security issues, enabling them to respond swiftly and minimize fallout.

AI can also be programmed to initiate automated remediation actions, also called “self healing,” when issues arise. For instance, if AI identifies a particular type of error that could cause a vulnerability, it can then trigger an automated rollback to a stable version of the software, or it can suggest changes to the code and once accepted, the software is upgraded to perform satisfactorily. This reduces the need for manual intervention and accelerates the incident response process, maintaining a smooth software delivery experience.

Predictive maintenance

Generative AI algorithms can continuously analyze data from various sources, such as server logs, application performance metrics, and user interactions. By learning normal patterns and behaviors, the AI system can flag deviations that indicate potential issues or security threats.

Anomalies might include unusual traffic patterns: a sudden influx of traffic to a particular website, for example, can herald a Denial of Service attack.

By leveraging historical data and past incident patterns around anomalies, generative AI can build predictive models to anticipate potential failures or breaches. If the AI identifies specific warning signs that have previously led to system crashes or service disruptions, it can warn the tech teams about the likelihood of similar failures occurring in the future.

Armed with this foresight, teams can take preventive measures, implement necessary fixes, and ensure uninterrupted software delivery.

DevSecOps applications

Generative AI is revolutionizing the realm of DevSecOps, providing enhanced security measures throughout the software development lifecycle. Products like Google Cloud’s Security Command Center and DeepCode detect vulnerabilities in cloud environments and code respectively.

Other tools such as Checkmarx’s Codebashing deliver interactive security training, while Palo Alto Networks’ Cortex XSOAR and Red Canary automate vital security tasks. Snyk offers protection against security flaws, and DeepArmor combats malware threats. The real-time threat response is made possible by a software called Insights. Collectively, these advancements underscore the importance and capabilities of generative AI in fortifying software security.

As the cybersecurity industry continues to evolve, demands will only increase and become more complex. Expectations for efficiency will rise right along with them.

In addition, the need for generative AI in DevOps and IT is only going to grow. So embracing AI is not just a luxury for teams grappling with internal demands on their time. It’s a necessity to stay ahead of the competition and keep tech companies moving forward.

About the essayist: Priyank Kapadia is a seasoned technology leader at Accolite, delivering solutions through design-led product engineering and advising clients to adopt Generative AI responsibly.

London, 14 Nov. 2023 – Vaultinum, a leading provider of technology due diligence and audit solutions, announced today the launch of a certified Timestamping offer, enabling the creation of traceable digital proofs.

Among other uses, Vaultinum’s Timestamping solution will enable companies to demonstrate their compliance with the EU Omnibus Directive (28/05/2022), promoting price transparency and fair consumer practices.

The Christmas shopping season kicks off at the end of November with the Black Friday promotions, where discount scams are becoming commonplace. It is well known that most Black Friday promotions are misleading, and that in most cases product discounts tend to be inflated. In other words, most of the offers still don’t comply with European trade regulations, which state that the reference price must be clearly displayed and that the discount must be calculated on the cheapest price of a product in the last 30 days.

To address this critical issue, Vaultinum is launching its powerful Timestamping tool, to help companies prove that their promotional pricing information is accurate, reliable and complies with regulations such as the EU Omnibus Directive. This directive significantly increases the penalties associated with misleading promotions, fake reviews and aggressive door-to-door selling, in order to strengthen consumer protection, especially for those who shop online. The text provides for heavy fines and even imprisonment for companies that do not ensure strict compliance. The fine reaches 75,000 euros for companies and in the case of large-scale, repeat breaches, the fine can even be as high as 4% of the company’s average annual turnover. In July 2023 the company Showroomprive was fined 600,000 euros for fake promotions by the French controlling authority (DGCCRF).

Easy implementation

Vaultinum Timestamping is designed to handle large volumes of data, using a machine-to-machine API that automates the timestamping process. Vaultinum’s solution offers a single interface, a Rest API and an online sandbox to enable any client platform to connect seamlessly to its timestamping platform. The Vaultinum solution complies with the RFC3161 timestamping protocol, thus offering high levels of performance and security.

In an era marked by digital advances and rapid technological innovation, ensuring transparency and accountability in markets is critical. Governments and regulators around the world strive to maintain fair and efficient market conditions.

“In this context, Timestamping emerges as an effective tool to demonstrate traceability and compliance. The tool records the date and time of an event in a secure way, providing an unalterable record that companies can use as undisputable proof in case of controls or litigations,” explains Josh Nunn, Vaultinum’s Managing Director for the United Kingdom. “During sales periods such as Black Friday, companies that timestamp their reference prices and discounts can easily prove that they comply with local regulation on price transparency.”

Compliance and traceability

Another quality of Vaultinum’s Timestamping is its versatility of use. As well as being used by promotional websites that need to demonstrate that discounts are real and comply with consumer transparency regulations, Timestamping can be used by lawyers, legal officers, finance managers and supply chain managers for traceability needs such as:

•Supply chain traceability: Timestamping records and timestamps product information at every stage of the supply chain allowing businesses to trace products all the way from their origin to their final destination, capturing critical information along the way. This enables companies to address a range of challenges, such as product recall, quality control, ethical sourcing and regulatory compliance.

•Providing evidence of an event: Timestamping helps prove that an event occurred on a specific date and time in order to win a case, whether it is damage to a person or property, accident, infringement, etc.

•Ensure compliance and audit readiness with time stamping: Timestamping is the best way to ensure compliance of digital documents such as invoices, payroll, financial transactions, legal documents, etc.

About Vaultinum: Vaultinum is a European trusted third party that offers solutions to protect innovations and investments. The company works with digital innovators and investors, providing them with solutions to protect their intellectual property, ensure business continuity, provide irrefutable proof of events, and reduce cybersecurity and software quality risks. Vaultinum is trusted and used by thousands of organisations, including CAPZA, BPI France, EURAZEO, SIEMENS, AIRBUS, THALES and BNP Paribas. For more information, please visit: https://vaultinum.com/es

Press contact: Liminal, T: +44 203 778 1103, E-Mail: vasiliki@liminalcomms.com


New York, New York, Nov. 14, 2023 — 1touch.io, a pioneer in sensitive data intelligence, today announced Ashish Gupta as its new Chief Executive Officer and President.

Gupta will also join the 1touch.io Board of Directors. Previously, he served as the CEO and President of Bugcrowd, where he successfully led the company’s rapid scaling by transforming it into a multi-product, industry-leading platform. Zak Rubinstein, Cofounder of 1touch.io and its CEO since inception, will focus on expanding the company’s growth through strategic partnerships as the Chief Business and Strategy Officer.

“We are thrilled to welcome Ashish as 1touch.io’s new CEO,” said Rubinstein. “His track record of scaling businesses profitably, along with his strategic leadership, business acumen, and product vision, make him ideal to lead our next stage of growth. Ashish is an exceptional leader of people who appreciates the value of culture and teamwork. I am confident he will continue building on our strengths in these areas as he guides 1touch.io into the future.”

Gupta, an accomplished technology executive, brings over 20 years of experience in driving growth and innovation for startups and public companies in the fields of cybersecurity, data analytics, and enterprise infrastructure software. Before joining Bugcrowd, he held executive positions at high-growth technology companies including Infoblox, Actian, Vidyo, Microsoft, and Genesys where he led product strategy, built world-class marketing teams, and accelerated revenue growth.


“1touch.io is at the confluence of three of the highest priority business initiatives today – digital transformation, cybersecurity, and AI/GenAI – with our proven data lifecycle management platform. This platform offers contextual intelligence for protecting sensitive data and strengthening security postures,” Gupta stated. “Conversations with customers have confirmed 1touch.io as a technology leader in its category, which is trusted by the biggest Fortune 500 brands for ensuring data privacy, compliance, and governance. I am honored to join the talented 1touch.io team, which is committed to driving innovation and prioritizing our customers.”

1touch.io investor Nitin Chopra, Managing Director of Neotribe Ventures, commented, “With extensive experience building high-tech companies and scaling them to more than $100 million in revenue, Ashish brings domain expertise in data, security, and cybersecurity. His vision and ability to execute are invaluable as we continue expanding our product line and customer base. We’re thrilled to have Ashish at the helm to drive our next level of growth and to further establish 1touch.io’s market leadership.”

About 1touch.io: 1touch.io, a pioneer in sensitive data intelligence, is transforming data discovery and classification for Fortune 500 companies, ensuring data privacy, compliance and governance. Our AI-driven platform, Inventa™, safeguards the data of over 500 million individuals worldwide, offering contextual intelligence for robust data protection and enhanced security posture. Through our strategic OEM partnership with IBM, Inventa is licensed and globally rebranded as IBM Security Discover and Classify, demonstrating its robustness in handling complex data challenges at a global scale.

Media contact: Vicky Harris, Email: Vicky.harris@1touch.io, Phone: (954) 557-8163


The IQ of our smart homes is about to level-up.

Hundreds of different types of smart devices designed to automate tasks and route control to our smart phones and wearable devices have arrived on store shelves, just in time for the holiday shopping season.


Some of these latest, greatest digital wonders will function well together, thanks to the new Matter smart home devices standard, which was introduced one year ago.

However, there’s still a long way to go to achieve deep interoperability of interconnected services in a way that preserves privacy and is very secure. Matter is a bellwether, part of a fresh slate of technical standards and protocols taking shape that will help to ingrain digital trust and pave the way for massively-interconnected, highly-interoperable digital services.

I recently discussed the current state of tech standards with DigiCert’s Mike Nelson, Global Vice President of Digital Trust, and Dean Coclin, Senior Director of Trust Services, at DigiCert Trust Summit 2023. We drilled down on Matter as well as another new standard, BIMI, which stands for “brand indicators for message identification.” BIMI essentially is a carrot-on-a-stick mechanism designed to incentivize e-mail marketers to proactively engage in suppressing email spoofing. Here are my takeaways:

Matter picks up steam

Frustration with smart home devices should be much reduced in 2024. That’s because gadgets that bear the Matter logo are more readily available than ever. Matter-compliant thermostats, pet cams, vacuum cleaners, kitchen appliances, TVs and security systems can now be purchased — and they can be seamlessly controlled by either Amazon’s Alexa or Apple’s Siri.

This is precisely what the consortium of software companies and device manufacturers, led by Google, Amazon and Apple, set out to achieve when Matter was conceived four years ago. Following a successful debut in November 2022, Matter is picking up steam, Nelson told me.

“Millions of Matter devices have been provisioned and are out in the market,” he noted. “Consumer awareness is growing and evolving. It’s important that as consumers are shopping for these smart home devices that they learn to recognize the Matter trademark so that they can make educated decisions.”

Matter works much the way website authentication and website traffic encryption gets executed. It builds off and extends

A product attestation authority, such as DigiCert, issues device attestation certificates for each Matter-compliant device. This step assures that the device meets an interoperability threshold and integrates robust security mechanisms at the device level. “Matter drives toward an improved smart home experience and it also raises the bar of security,” Nelson says.

Extending Matter

Notably, Google, Amazon and Apple have been cooperatively leading the campaign to persuade more device manufacturers to join the Connectivity Standards Alliance (CSA) and integrate Matter into their product lines.

The hope is that Matter gives rise to an emerging technology ecosystem in which interoperability deepens not just in smart homes, but across multiple interconnected systems. Nelson outlined for me how CSA is acting on this vision by working on specifications to extend Matter beyond smart home devices to smart devices in healthcare facilities and commercial buildings.


“The Matter spec starts with an objective of getting all manufacturers of smart home devices to get on board with CSA and become compliant with Matter,” Nelson says. “This same approach really could be applied to other industries.

“For instance, since a hospital has similarities to a smart home, in that lots of different devices from different manufacturers need to connect securely and be fully interoperable, a CSA working group is looking at how to apply Matter to this use case to create interoperability and security for medical devices.

“We’re also moving on smart commercial buildings. You need secure interoperability between the smart devices used in these buildings such as security cameras, access controls, HVAC and emergency systems. This enables you to aggregate data and make informed decisions based on that. And it’s exciting that CSA is already working on those specs, as well.”

Carrot-on-a-stick

As Matter gains wider traction, it should give impetus to other standards and practices that similarly drive business value while simultaneously helping saturate security more pervasively in our increasingly complex digital systems.

BIMI is a case in point. This new standard provides a means for e-marketers to efficiently distribute their trademarked logo atop email messages sent to clients, suppliers and prospective customers via Gmail, Yahoo Mail and Apple Mail – in a way that also incrementally adds to security of the wider ecosystem.

The tech giants are championing BIMI as a brand awareness booster that also happens to serve as a trusted seal of authentication. “Companies spend a lot of money on trademarks,” Coclin says, “and now they have a trusted way to widely display their trademark logo directly in the inbox of the customers and suppliers they’re communicating with.”

BIMI is a carrot-on-a-stick aimed at rallying efforts to repel an enduring threat: email spoofing. Astoundingly, some 68 percent of phishing attempts have never been seen before and phishing is 45 times more dangerous than having data exposed, according to research presented by Google and University of Florida professor Daniela Oliveira at Black Hat USA 2023.

“Spoofed email is getting through our firewalls and filtering systems because the attackers are constantly migrating and finding new ways to penetrate these systems,” Coclin says.

Support for DMARC

To implement BIMI, companies must embrace DMARC, which stands for “domain-based message authentication, reporting and conformance.” DMARC is a robust email authentication protocol that has been around for more than a decade. It can be cumbersome to set up and so adoption has been sluggish.


“It’s a little bit of work to implement DMARC,” Coclin says. “But there are companies that can help you do it, and now once you do all that good work the reward is you can use BIMI to display the company’s trademarked logo far and wide.”

As BIMI helps heat up DMARC adoption, a couple of other email security mechanisms could gain wider adoption, as well, Coclin noted. One is “verified mark certificates,” or VMCs. These take the form of a blue check mark and a logo that appears on company-issued email; by hovering a cursor over the blue check mark, the user can visually verify that the email is coming from a specific domain and not an imposter.

Another is S/MIME, which stands for “secure/multipurpose internet mail extensions.” S/MIME provides a means to encrypt sensitive emails while also verifying the authenticity of the sender.
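The DMARC prerequisite for BIMI described above can be checked mechanically from a domain's published TXT records. The following is an added example, not code from this article or from DigiCert; the `.example` domains and record strings are constructed, and the thresholds it enforces (p=quarantine or p=reject, pct=100, no sp=none, a verified mark certificate URL in the BIMI `a=` tag) are assumptions based on commonly published mailbox-provider requirements rather than on anything stated here.

```python
"""BIMI readiness check over DNS TXT record strings (constructed samples, no network)."""


def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_blockers(record):
    """Return the reasons a DMARC record is too weak for BIMI (empty list = ready)."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    problems = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):  # assumed BIMI threshold
        problems.append(f"p={policy or 'missing'} is monitor-only; spoofed mail is still delivered")
    if tags.get("sp", "").lower() == "none":
        problems.append("sp=none leaves subdomains unprotected")
    pct = tags.get("pct", "100")  # DMARC applies the policy to all mail by default
    if not pct.isdigit() or int(pct) < 100:
        problems.append(f"pct={pct} applies the policy to only part of the mail")
    return problems


def bimi_blockers(record):
    """Return the problems with a BIMI assertion record (empty list = well formed)."""
    tags = parse_tags(record)
    if tags.get("v") != "BIMI1":
        return ["not a BIMI record"]
    problems = []
    logo = tags.get("l", "")
    if not (logo.startswith("https://") and logo.lower().endswith(".svg")):
        problems.append("l= must be an HTTPS URL to an SVG logo")
    if not tags.get("a", "").startswith("https://"):
        problems.append("a= has no HTTPS URL for a verified mark certificate")
    return problems


def assess(dmarc_txt, bimi_txt):
    """Combine both checks; bimi_txt is None when no BIMI record is published."""
    blockers = dmarc_blockers(dmarc_txt)
    if bimi_txt is None:
        blockers.append("no BIMI record published")
    else:
        blockers += bimi_blockers(bimi_txt)
    return blockers


# Constructed sample records: (DMARC TXT, BIMI TXT or None).
SAMPLES = {
    "monitor-only.example": ("v=DMARC1; p=none; rua=mailto:d@monitor-only.example", None),
    "partial.example": ("v=DMARC1; p=quarantine; pct=25",
                        "v=BIMI1; l=https://partial.example/logo.svg"),
    "enforced.example": ("v=DMARC1; p=reject; sp=reject",
                         "v=BIMI1; l=https://enforced.example/logo.svg; "
                         "a=https://enforced.example/vmc.pem"),
}

if __name__ == "__main__":
    for domain, (dmarc_txt, bimi_txt) in SAMPLES.items():
        blockers = assess(dmarc_txt, bimi_txt)
        print(domain, "->", "ready for BIMI" if not blockers else blockers)
```
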

Email remains far and away the most widely used business communication tool, and thus a primary target. Ongoing attention to improving email security will be necessary going forward, because threat actors are well along in leveraging machine learning to constantly iterate and scale up email attacks, Coclin argues.

“We’ve got a big problem right now because the attackers are using machine learning and AI to help them break through,” he says. “So the more we can do to help users identify spam emails, the better we become at helping them secure themselves.”

More so than ever, tech standards that embed security deeply – and provide business value – need to be fine-tuned and widely adopted. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

 


Throughout 2023, we’ve witnessed numerous significant cyber incidents. One of the largest this year was the MOVEit breach, which impacted various state motor vehicle organizations and exposed driver’s license information for nearly 9.5 million individuals.


We have also seen ransomware outbreaks at MGM and Caesar’s Casino, causing losses in the millions of dollars, and targeted assaults on the healthcare sector, affecting over 11 million patients.

These attacks are leading to a record amount of personally identifiable information being posted on the Dark Web, a portion of the internet that is hidden and provides anonymity to its users. Many individuals are curious about the strategies employed by law enforcement agencies to monitor and respond to these threats.

Threat intel sharing

Law enforcement agencies depend on multiple channels to aid their efforts against cyber threats. The primary source is the affected organization or individual. Cybersecurity experts determine the required support level when a cyberattack is reported to a local law enforcement agency. Larger-scale attacks may involve collaboration with various federal agencies for assistance and resolution.

One notable agency is the Cybersecurity & Infrastructure Security Agency (CISA), often recognized as “America’s Cyber Defense Agency,” which offers extensive resources to support local law enforcement in handling cyberattacks. Reporting these incidents, regardless of size, is crucial in proactively preventing similar cyberattacks for individuals and organizations.


Reported attacks help build a threat intelligence feed that organizations and law enforcement agencies monitor worldwide. Threat intelligence information equips agencies with valuable resources, offering immediate or nearly immediate insights into emerging threats, vulnerabilities and cyberattacks. This early warning tool aids in the preparedness of organizations or individuals for an impending cyberattack.

Dark Web presence

Another source that law enforcement agencies monitor is the Dark Web, which has become a haven for illegal activities, allowing cybercrime enterprises to operate on underground forums and websites. Embedded cybercrime units within law enforcement closely track criminal and cyber gangs by tracing their actions on the dark web.

It’s worth noting that numerous attacks are initially reported on this platform, often before an organization becomes aware of the breach. By monitoring the dark web, law enforcement agencies can notify an organization that it may be a victim, allowing for possible incident response to stop the attack from spreading.

Law enforcement agencies also partner with private sector entities like Internet Service Providers (ISPs) and financial institutions to detect and monitor ongoing cyberthreats. ISPs have a critical function as they can observe the network traffic flowing through their systems and promptly report any identified malicious items.

Financial institutions report suspected cybercrime incidents to law enforcement agencies to assist with investigations and the possibility of recovering monetary funds lost during the incident.

Global cooperation

Lastly, one of the most significant partnerships agencies have is the collaboration with international partners. Global law enforcement agencies share information on recent attacks, trends and vulnerabilities. Because cyberattacks have no borders, partnering with other nations has proven to be a dependable source of valuable insights to combat cyber threats.

With the increasing number of cyberattacks worldwide, law enforcement agencies have come to a clear realization regarding the need for cybersecurity experts. These agencies are making considerable strides to strengthen their current cybercrime units by actively recruiting more professionals in the field. This recruitment drive aims to enhance their monitoring capabilities and response to cyberthreats.

One of the most fundamental actions an individual or organization can take to help law enforcement agencies is to report the incident. Fostering a collaborative and proactive relationship between individuals, organizations and law enforcement agencies in the battle against cybercrime is critical to ensure a safer online landscape for everyone.

About the essayist: Demetrice Rogers is a cybersecurity professional and adjunct professor at Tulane University’s School of Professional Advancement.

London, United Kingdom, Nov. 7, 2023 — Organisations have been laser focussed on protecting their own networks, applications, physical premises and people against cyber security attacks but have neglected their exposure to suppliers.

Indeed, over the past 3 years, a staggering 73% of organisations have been affected by a third-party security breach. Helping these businesses toughen their resilience against such attacks, cyber security business Risk Ledger is today announcing it has raised a £6.25 million series A funding round to strengthen supply chains.

The funding round was led by UK investor Mercia Ventures, which joins Seedcamp, Firstminute Capital, Episode 1, Village Global as well as Finnish VC Lifeline Ventures as investors. To date, Risk Ledger has raised a total of £9.8 million in venture funding.

Recent cyber attacks on The Metropolitan Police and NHS Trusts through their supply chains have the potential to compromise the UK’s national security and private citizen data. A threat alert by the National Cyber Security Centre is also warning of increased state-sponsored attacks against UK critical national infrastructure. Supply chain attacks are on the rise, and can have severe impacts, as the SolarWinds, Log4j, and MOVEit Transfer attacks have shown. According to recent research by KPMG, 73% of the surveyed organisations had experienced at least one significant disruption, caused by a third party, within the last three years, while 85% said that their business considers third party risk management (TPRM) a strategic priority. The cost of global supply chain attacks is expected to reach $46 billion this year (Juniper Research).

Organisations are increasingly trusting others with critical business functions and sensitive data, meaning vulnerabilities can appear anywhere in the supply chain, from suppliers to partners. Traditional, point in time cyber security risk assessments make for poor quality data that goes out of date fast, offering little protection.

Risk Ledger offers an innovative social network approach to supply chain risk management, allowing organisations to use the platform as both clients and suppliers, able to share with connected organisations a single profile of their controls across 12 security domains, including ESG and financial risk. This reveals relationships in many directions and allows for a unique visualisation of the entire supply chain ecosystem, and the uncovering of critical interdependencies, concentration risks and single points of failure well beyond immediate third party connections. It also results in more accurate and real time data, giving organisations the ability to make better decisions to protect their business from supply chain threats.


Haydn Brooks, co-founder and CEO, at Risk Ledger commented: “The unique ability of Risk Ledger to map relationships and interdependencies in the supply chain allows organisations to understand where they sit within their own supplier ecosystem and how different incidents may impact their organisation given those interdependencies.”

Risk Ledger has seen rapid adoption over the past two years and today counts over 5,000 organisations with 17,000 users across large public sector and financial services organisations as customers. Client bookings have consistently doubled year on year, or more, since the company launched its platform in 2020.

Risk Ledger’s growing international client base includes many organisations in sensitive sectors such as critical national infrastructure, financial services and the public sector, which face particular regulatory scrutiny and need to demonstrate how
