Critical infrastructure – Osterman Research
https://ostermanresearch.com

Email Security Threats Against Organizations in Critical Infrastructure sectors
https://ostermanresearch.com/2024/09/20/email-security-opswat/
Thu, 19 Sep 2024 19:45:49 +0000

Late in 2023 we started a conversation with OPSWAT, a cybersecurity vendor focused on the critical infrastructure sector, on undertaking a research project to assess the email security posture of critical infrastructure organizations. We have had the opportunity to do many research projects on email security in recent years, but while the others have included organizations in the critical infrastructure sector, this was the first project that focused exclusively on this cohort. Exciting times!

The research programme:

  • Collected data from a global audience of critical infrastructure organizations, with representation across North America, EMEA, and APAC. The survey was balanced to get around 40% of responses from North America, 20% from EMEA, and 40% from APAC.
  • Engaged with leaders within these organizations that have IT or security responsibility and knowledge of their email security posture.
  • Drew on CISA’s list of critical infrastructure sectors, such as chemicals, commercial facilities, communications, critical manufacturing, dams, and more. CISA says there are 16 sectors classified as critical infrastructure. CISA defines these sectors on this basis: sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. While this definition is US-centric, the same principle applies in other places, too.

Once the research design was agreed, we worked on the survey questions, took this to field, and analyzed the data. You can get your copy of the results from the OPSWAT website. But here’s a preview:

  • Critical Infrastructure Remains a Target
    80% of critical infrastructure entities fell prey to email-related security breaches within the past 12 months, highlighting their attractiveness to cyber threat actors.
  • Lingering Vulnerability
    Despite advancements in cybersecurity, 48% of organizations lack confidence in their existing email security defenses, leaving them vulnerable to potentially devastating cyberattacks.
  • Noncompliance presents significant operational and business risks
    Shockingly, 65% of organizations are not compliant with regulatory standards, exposing themselves to significant operational and business risks.

A major recommendation in the report is finding email security capabilities that “preclude and prevent threats” from finding their way into an organization’s email system. While this is critical for critical infrastructure organizations, it is no less so for those in other sectors.

Check out OPSWAT’s site for your copy.

Recent news – May 17
https://ostermanresearch.com/2024/05/17/news20240517/
Fri, 17 May 2024 05:57:12 +0000

What we’ve been reading …

U.S. critical infrastructure organizations need to improve cyber hygiene

In almost all attacks seen against U.S. critical infrastructure organizations, cyber actors have taken advantage of poor cyber hygiene practices. These include the use of default or weak passwords, unpatched known vulnerabilities, and poorly secured network connections. Avril Haines, Director of National Intelligence, said they are seeing record levels of attacks against U.S. industrial control systems typically used to automate industrial processes and widely used by critical infrastructure organizations. Defense.gov

Aiden for addressing vulnerabilities and keeping Windows endpoints at the desired specification

Aiden Technologies announced new security capabilities to mitigate vulnerabilities faster across Windows endpoints. Its AidenVision system identifies and alerts on high and critical CVEs across all Windows endpoints, maps what new software patches are needed to address these CVEs, and then automates remediation. Pre-AidenVision, the company says that organizations typically took 55 days to remediate 50% of the most critical KEVs from CISA. Post-AidenVision, organizations can deal with 97% of the most critical CVEs within 3 days. The reporting system gives audit-ready evidence to meet enquiries from regulatory bodies and insurance carriers. Aiden Technologies

Another reason to stop relying on SMS for MFA

Receiving one-time codes by SMS is a very convenient way of enacting multi-factor authentication requirements. It is, however, one of the least secure methods of MFA and one we continually recommend against. With phishing kits routinely including MFA bypass capabilities for one-time codes, SMS and other MFA mechanisms that take this approach should be deprecated in your security posture. And here’s another reason: fraudsters are targeting employees at mobile carriers with offers of money to perform a SIM swap, thus giving them access to a user’s phone number to receive MFA codes, among other malicious benefits. Security Boulevard
