
Latest news with #dataBreaches

Leslie Buckley and Denis O'Brien try to rewrite history over INM data breach saga

Irish Times

09-07-2025

  • Business
  • Irish Times


The decision of the Corporate Enforcement Authority (CEA) not to bring any enforcement action on foot of its six-year-long investigation into data breaches and other issues at Independent News and Media (INM) has drawn a predictable response from Denis O'Brien and Leslie Buckley.

O'Brien was the largest shareholder in INM – now Mediahuis Ireland – and Buckley was the chairman at the time of the data breaches, which were revealed after the company's chief executive Robert Pitt and chief financial officer Ryan Preston made protected disclosures to the CEA's predecessor – the Office of the Director of Corporate Enforcement (ODCE). They raised several issues that concerned them about Buckley's stewardship of the media organisation.

O'Brien and Buckley have seized on the decision not to prosecute – disclosed in the authority's annual report last week and a year after High Court inspectors appointed to investigate the issues raised by Pitt and Preston found no breach of company law – to wholeheartedly rubbish the CEA and its chief executive Ian Drennan.

Buckley said there were 'serious questions' over the way the investigation was conducted by the ODCE including seeking the appointment of High Court inspectors in 2018. He said that the ODCE adopted 'a highly questionable approach, to say the least', in not meeting him before seeking the appointment.

'The taxpayer could have been saved in excess of €5.6 million and €40 million overall in legal costs,' according to Buckley.

O'Brien took a similar line saying: 'Mr Drennan's conduct showed little respect for due process, proper procedures or basic objectivity. As a result, he inflicted and facilitated very significant reputational damage for several individuals over six years.'

History tends to be written by the victors and Buckley and O'Brien are both entitled to put their spin on the decision not to prosecute.
They would be foolish not to take the opportunity when it presented itself.

But some facts are worth remembering, not least that Buckley welcomed the appointment of the High Court inspectors in 2018. 'I welcome the opportunity to vindicate my good name through the inspection process,' said Buckley in a statement at the time. 'I intend to robustly defend myself against each and every allegation. I continue to reserve my position.'

It was open to Buckley – who had stepped down as chairman of INM at that stage – to challenge the appointment on the basis of what he now describes as the 'highly questionable' decision not to talk to him first. But he didn't.

INM did challenge the appointment robustly, saying that it was unnecessary and damaging. They lost. The judge in the case – Peter Kelly – concluded that Drennan and the ODCE had met six of the 10 criteria necessary for the appointment of an inspector. It was a slam dunk and INM decided not to appeal the decision.

O'Brien was not a party to the proceedings, but he, too, could presumably have objected to what he now describes as Drennan's lack of 'due process, proper procedures or basic objectivity'.

Perhaps with the benefit of hindsight, Buckley may regret his decision not to oppose the appointment, but last week's more-in-sorrow-than-anger tone and why-didn't-you-just-come-and-talk-to-me-first spiel doesn't really fly six years later.

What does hold up is the report of the two inspectors appointed to the company by the High Court, Seán Gillane SC and Richard Fleck CBE, which upheld Pitt and Preston's version of events and was highly critical of Buckley. They found that he was in breach of his responsibilities as a director, but crucially they concluded his actions were not done to prefer the interests of O'Brien over the other shareholders in the company including businessman Dermot Desmond.
They found that Buckley failed to tell the board that Island Capital – O'Brien's personal investment company – had been engaged to advise on the sale of INM's Australian interest and was in line for a €4 million payout. Not disclosing this 'was inconsistent with his responsibility as a director to disclose material facts', according to the inspectors. The payment was not made in the end.

They also found that Buckley should not have involved himself to the extent that he did in the proposed purchase of the radio station Newstalk from O'Brien by INM. That transaction did not go through either.

With regard to the extensive external trawls of INM's emails organised by Buckley in 2016 that were central to the inspectors' investigation, their report concluded: 'It is clear that Mr Buckley's disclosure of confidential information to Mr O'Brien after August 2016 was not in compliance with the company's policies and, in particular, the terms of the memorandum [not to disclose confidential INM information] that he signed.'

The report found that O'Brien did not misuse the information provided to him by Buckley. They also concluded Buckley did not break company law.

This finding ensured that no criminal proceedings against Buckley were likely to ensue, and last week's low-key announcement to that effect by the CEA was inevitable, as was the twist put on it by Buckley. It might have been a better idea to keep the head down and take the win.

Rethinking Security Training With A Human Risk Management Approach

Forbes

30-06-2025

  • Business
  • Forbes


Masha Sedova, VP of Human Risk Strategy, Mimecast.

What's the one area in cybersecurity that is overdue for change? It's security awareness training. After three decades of underwhelming results, it's clear that security awareness programs haven't kept up with today's threat landscape.

Human error remains the leading cause of data breaches, with Mimecast reporting that 95% of data breaches involve user mistakes. While those numbers remain stubbornly high, conventional training methods fail to instill lasting behavioral change.

If we want security awareness to truly protect organizations, we need to rethink everything—from how we structure training, to the metrics we track, to what 'success' actually looks like. It's time to stop measuring attendance and start measuring action. By focusing on adaptive learning, personal accountability and measurable outcomes, we can evolve security awareness from a compliance checkbox into a core defense mechanism.

Why Legacy Training Fails To Deliver

For years, security awareness relied on outdated tactics like annual training modules and phishing simulations. These tools often create a false sense of progress while leaving companies exposed when behavior doesn't shift.

The problem isn't just outdated content—it's one-size-fits-all structure. Most organizations deliver the same training to every employee, regardless of job role, risk exposure or history of security missteps. Expecting uniform outcomes from workers with vastly different responsibilities is both unrealistic and ineffective.

Worse, the metrics used to assess these programs are often meaningless. Completion rates and engagement scores track participation, not progress. It's time to prioritize behavior and results, not just check-the-box compliance.

What Human-Centric Training Should Look Like

To truly reinvent security awareness, organizations need to move from static, one-dimensional programs to those that empower employees and respond to evolving risks.
Grounded in a human risk management framework, this new approach should center on three pillars:

The calendar-based model no longer works. Cyberthreats evolve rapidly, and training must evolve with them—meeting employees at the point of risk.

Just-in-time learning is essential. If an employee clicks on a risky link, a prompt that explains the mistake and offers safer alternatives helps cement the lesson when it matters most.

Threat-responsive updates are just as vital. Security programs should shift with threat levels—deploying phishing alerts during surges or ransomware simulations when relevant. Even simple interventions, like monthly nudges, help keep good habits top of mind.

Not all employees face the same risks. Senior leaders are often targeted by spear-phishing. Developers may encounter credential-harvesting threats. Yet most training programs treat all employees the same.

A more tailored approach improves both relevance and retention. This can be achieved by taking the following steps:

  • Categorize employees by their risk level (low, medium, high) based on job role, access level and past behavior.
  • Use real user data to shape future training and deliver targeted feedback or additional simulations for those who have fallen for phishing attempts.
  • Create transparent risk profiles that show employees how their behavior compares to peers (e.g., "You are two times more likely than your peers to click a phishing link.") to promote self-awareness.

Customization doesn't just drive better results. It shows employees that the training applies directly to their day-to-day challenges—and empowers them to reduce risk on their own.

One of the biggest shifts needed is how we define success. Vanity metrics like completion rates won't cut it.
Focus instead on data points that reflect behavioral change and reduced risk outcomes, including:

  • Reduced successful phishing attacks over time
  • Improved password hygiene (e.g., reduction in reused or weak credentials)
  • Decreased risky activities, like installing unapproved apps or mishandling sensitive data
  • Tangible economic benefits, such as lower remediation costs or fewer downtime events

Behavior-based metrics are not only more meaningful—they drive continuous improvement by showing what's working and where to focus next.

Creating A Culture Of Accountability

Modern security awareness must build trust, not fear. Employees shouldn't be punished into compliance—they should be brought into the process as active defenders.

Give them visibility into their own progress. Simple dashboards or comparative banners (e.g., 'You're in the top 10% for secure behavior!') drive motivation and clarity.

Recognition matters too. Celebrate employees who report phishing attempts or avoid traps. Positive reinforcement builds morale—and reinforces the right habits. When employees feel invested and informed, participation turns into ownership.

Reframing Awareness As Human Risk Management

Security awareness is just one part of a broader human risk strategy—but it's a high-impact opportunity hiding in plain sight. The poll results are clear: Industry frustration is high and legacy methods no longer serve.

By shifting toward adaptive, personalized and outcome-based training, organizations can finally address the human vulnerabilities that attackers exploit most. When done right, security awareness doesn't just educate—it protects.

OPINION: Why 'least privilege' is Canada's best defence

Yahoo

20-06-2025

  • Business
  • Yahoo


Microsoft just hit a record high of 1,360 reported vulnerabilities in its software last year. While that number might sound scary, it's part of a trend we've seen for years. The real problem lies in what's behind the numbers and what they mean for Canadian businesses trying to stay secure in a fast-moving world.

As BeyondTrust's latest Microsoft Vulnerabilities Report reveals, one type of security risk is especially alarming: elevation of privilege (EoP). This category made up 40 per cent of Microsoft's total reported vulnerabilities in 2024. That's not just a statistic; it's a wake-up call.

What's elevation of privilege and why should Canadians care?

Imagine someone finds a way to break into your office using a stolen key card. That's what an elevation of privilege attack is like in the digital world. Once inside, hackers can quietly move through your systems, taking control of sensitive data or expanding their access without being noticed.

These attacks often begin with compromised credentials, sometimes even from non-human identities like service accounts. The problem snowballs from there. We've seen it over and over in major data breaches: attackers find one weak point, then jump from system to system.

And Microsoft isn't the only target. If 40 per cent of their vulnerabilities are EoP-related, imagine how many other software platforms that Canadian companies rely on could also be vulnerable.

The rise of security feature bypass attacks

Another disturbing trend is the spike in security feature bypass vulnerabilities, up 60 per cent since 2020. These are loopholes hackers use to get around built-in protections in tools like Microsoft Office and Windows.

Think of these bypasses as digital 'unlocked doors.' If an attacker finds one, it doesn't matter how strong your locks are, they're walking right in. Tools like EDR (endpoint detection and response) are meant to stop threats, but attackers are finding ways around them too.
We've seen the rise of tools like EDR Killer that are designed specifically to sneak past these defences.

Why Canadian companies can't rely on just one layer of security

Some businesses still make the mistake of thinking one product or platform will keep them safe. But cybersecurity isn't about one silver bullet. It's about layered defences, also known as 'defence in depth.'

For example, if a patch causes problems or breaks other tools, companies might delay applying it. But that delay gives attackers a window of opportunity. The better approach? Have multiple layers of protection in place, especially for front-line systems and high-risk assets.

Microsoft Edge: The new problem child?

One surprise in this year's report was the jump in Microsoft Edge vulnerabilities. Critical issues rose from 1 to 9 and total vulnerabilities increased from 249 to 292.

Has Microsoft shifted its focus too much toward Azure and Dynamics 365? It's a question worth asking, especially when everyday tools like browsers are often the first entry point for cyberattacks.

AI brings new benefits and new risks

Artificial Intelligence (AI) is transforming how businesses operate, but it's also opening the door to new threats. Microsoft Copilot Studio and Azure Health Bot, for instance, were flagged for AI-related vulnerabilities in this year's report.

AI is already being used by threat actors to automate attacks, identify weaknesses faster and even write malicious code. We haven't yet seen a large-scale attack where an AI or large language model (LLM) becomes the main infection point, but that day is coming.

The biggest question on the horizon: can we trust the output from AI tools? What if the answers, code or insights we get from AI are secretly manipulated by a hacker?

Canadian companies need to think about how to secure not just their AI tools, but also the data and systems that feed them. AI security can't be an afterthought; it must be built into every layer of your defence strategy.
The power of 'least privilege' in a 'zero-trust' world

One of the most effective ways to reduce risk is by applying the principle of 'least privilege.' It's not a new idea, but it's more important than ever.

'Least privilege' means giving every user—human or machine—only the access they absolutely need to do their job. Nothing more. If someone doesn't need admin rights, don't give them. If a service account only needs access to one system, don't let it roam freely.

This approach limits the damage if (or when) something goes wrong. It's also a key part of a 'zero-trust strategy,' which assumes no one and nothing should be trusted automatically, even if they're already 'inside' your network.

In fact, many organizations confuse 'zero trust' with 'least privilege.' The difference is that 'zero trust' is the overall strategy, and 'least privilege' is a tactical way to enforce it.

A practical step Canadian companies can take right now? Audit your users and systems. Who has access to what and why? You might be shocked by how many people or services have more access than they actually need.

Identities are the new perimeter

Cybersecurity used to be about building firewalls around a company's data centre. But in today's world of cloud apps, hybrid work and global supply chains, identity is the new perimeter.

Attackers are no longer just looking for software flaws. They're targeting people, especially those with access and privileges. That includes your employees, partners, contractors and even automated systems.

That's why privileged access management (PAM) and identity-first security strategies are so critical for Canadian businesses. These approaches don't just monitor threats; they help stop them at the source by locking down who can do what, where and when.

The bottom line going forward

Cybersecurity isn't about being perfect; it's about being proactive.
You can have 99.9 per cent of your environment locked down, but if there's a .01 per cent vulnerability, that's all an attacker needs.

Canadian organizations need to shift their mindset from reactive to proactive. That means applying patches smartly, layering defences, adopting AI cautiously and putting 'least privilege' at the heart of your security program.

Because when it comes to protecting your business, every identity and every privilege matters.

Dan Deganutti is the senior vice president and country manager for Canada at BeyondTrust, where he leads the company's Canadian go to market (GTM) operations and fosters relationships with clients and business partners.

Meta Confirms Facebook Upgrade—How To Keep Your Account

Forbes

19-06-2025

  • Forbes


All change for Facebook.

So, this is ironic. Coming the same day as the latest warning that Facebook passwords have been breached (along with others) on an unimaginable scale, you can now stop this happening to you, ensuring you keep your account and it's not lost to hackers. Your Facebook account will be upgraded — and you need to act as soon as it is.

We're talking passkeys, and the news that Meta is 'introducing passkeys on Facebook for an easier sign-in.' There are so many reports on Facebook account hacks and password breaches, and users struggling to recover those accounts, that this is long overdue.

'Passkeys make it simpler and safer than ever to sign in to Facebook,' the company says, 'with the same fingerprint, face or PIN you already use on your mobile device.'

Facebook passkeys are expected on both iPhone and Android 'soon,' and Meta 'will begin rolling out passkeys to Messenger in the coming months. The same passkey you set up for Facebook will also work on Messenger once this capability launches.'

Passkeys are finally here.

You should enable passkeys on all accounts where they're available, and where they're not, you should stop using SMS for two-factor authentication (2FA) and use authenticator apps instead. Microsoft is even pushing its users to delete passwords altogether, given the inherent risks in having these enabling access to accounts.

With that Cybersecurity News report that 'since the beginning of the year' it has 'discovered 30 exposed datasets containing from tens of millions to over 3.5 billion records each. In total, the researchers uncovered an unimaginable 16 billion records,' accounts have never been more at risk, so make this change as soon as you can.

Google has warned passkeys are still very under-used — even 2FA is enabled by less than half of users. Passkeys are easier and more secure, linking your login credentials to your physical device, unlocked with the same biometrics or PIN used to unlock your device.
This means they can't be intercepted, stolen or even shared. Meta says 'creating your passkey is easy and only takes a few simple steps. You can set up and manage your passkey in Accounts Center, found within the Settings menu on Facebook. You also may be prompted to set up a passkey when you log in to Facebook.'

5 Easy Steps to Fortify Your Cybersecurity

Entrepreneur

16-06-2025

  • Business
  • Entrepreneur


Cybercrime could drain over $639 billion from the U.S. in 2025 — and hit $1.82 trillion by 2028. Is your enterprise ready, or is a single careless click all it takes to bring it down?

Cybercrime is projected to cause over $639 billion in losses in the United States in 2025 — and some projections expect those costs to grow as high as $1.82 trillion by 2028. Needless to say, it has never been more important for enterprises to improve their cybersecurity, particularly as hacking attempts become increasingly sophisticated.

Fortunately, cybersecurity solutions are also growing more sophisticated, and implementing them can be surprisingly straightforward.

1. Emphasize employee education

Employee education should always be the first priority for enterprise businesses. Human error is believed to have contributed to 95% of data breaches in 2024. Even more alarming, 80% of incidents were linked to just 8% of staff members. More often than not, these breaches are the result of successful phishing attacks that target careless or inattentive employees.

Enterprises cannot afford to take a "once and done" mindset toward educating employees about cybersecurity risks. Employee education must be persistent and repeated. Many organizations have found success by conducting monthly phishing test emails, which help employees better recognize common phishing attempts while also helping leaders identify those who need additional training.

2. Update cybersecurity requirements for all workers

While providing educational resources is a good first step, enterprises can also reduce their risk for employee-related cyber attacks by making some basic upgrades to their cybersecurity requirements.
Common examples include setting mandatory password rules (such as the inclusion of special numbers and characters) and requiring multi-factor authentication. Multi-factor authentication or systems that don't rely on a password (such as biometrics or push notifications) are generally considered more secure and easier for employees than requiring them to frequently update their passwords.

While requiring a VPN when accessing company resources, particularly for remote or hybrid employees, has long been a standard practice for many, a recent increase in VPN-related attacks indicates that VPNs are no longer the most secure option for enhancing cybersecurity.

3. Incorporate zero trust principles

Adopting a "zero trust" security framework is rapidly becoming the go-to solution for enterprises. Rather than focusing on perimeter security, the zero trust approach requires that all users, devices and applications be verified and authenticated. Users and devices are only ever given the minimum level of access that is required for them to perform their tasks.

Implementing a zero trust framework generally relies on using solutions like SASE (secure access service edge), which merge network and security functions in a cloud-based application to determine access rights and identify threats among dispersed workforces. At the same time, policy management is centralized to ensure all security and access policies are applied consistently and properly.

With a zero trust framework, organizations essentially operate as if a breach has already occurred, using security tools that minimize the scope of a potential attack. This ultimately reduces the risk of successful cyber attacks while limiting damage if a breach occurs.

4. Keep all software and applications up to date

Outdated software is another area where enterprises often allow for unplanned vulnerabilities. In fact, software and application updates are often made specifically to account for newly discovered security vulnerabilities.
With the average enterprise using over 1,000 apps, it can become surprisingly easy for out-of-date software or applications that haven't been updated properly (or are no longer supported by the developer) to go unnoticed and create cybersecurity risks. Such vulnerable systems can go unnoticed for years, allowing for data theft or increasing the risk of a ransomware attack.

To address this common issue, enterprises should ensure that apps and software are set to implement automatic updates. Updates could also be scheduled for times when they won't cause significant downtime.

Enterprises should regularly audit the applications they use to identify out-of-support software, as well as areas where apps could be consolidated. Similarly, out-of-date hardware should be replaced as needed to ensure it can continue to receive necessary security updates.

5. Back up your data

Finally, no enterprise cybersecurity plan is complete without a robust system for data backups. The rise of ransomware attacks, which seek to lock enterprises out of devices or files, has made this a necessity. A successful ransomware attack now costs banks an average of $6.08 million.

Data backups can help reduce periods of extended downtime, allowing the enterprise to resume operations quickly, even if access or data are lost. Cloud storage solutions and automated backup tools from SaaS platforms can help create backups consistently, while also using AI tools to monitor for and detect threats.

In addition to cloud-based backups, enterprises may also benefit from using options like external hard drives as an offline backup solution. This adds an extra layer of protection in case of data loss from a cyber attack or other incident.

Develop a stronger cybersecurity profile

Even the easiest-to-implement cybersecurity strategies require time and some level of financial investment.
However, taking steps such as improving employee knowledge and training and partnering with the right cybersecurity partners can make a dramatic difference in reducing your organization's risk of a successful cyber attack. You don't have to become a cybersecurity expert yourself to improve your enterprise cybersecurity. But with a proactive, targeted approach, you can make a difference — and much quicker than you might expect.
