Cyber attack?

CERTAINITY Incident Response Hotline

Everyone’s talking about ransomware. Sure: encrypted data, ransom demands, PR disasters – that screams for attention. But while we stare at the skull on the front page, a once-familiar threat is quietly reclaiming center stage in the cyber threat landscape: identity theft.

With surgical precision and a toolkit full of camouflage, we are witnessing a renaissance of account compromise, business email compromise (BEC), and credential phishing. Particularly insidious: attackers are increasingly targeting High Net Worth Individuals (HNWIs) and prominent IT figures – such as Troy Hunt, the founder of “Have I Been Pwned.”

NIS (NISG) already stipulates this today:

" The operator shall ensure that employees are trustworthy and aware of their responsibilities. The operator shall also ensure that employees are qualified for the roles assigned to them. "

The upcoming NIS2 directive will make this requirement even more specific: Annex 3, point 5b talks about mandatory background checks for security-relevant roles. The internationally recognized ISO 27001 also requires in section A.6.1 an appropriate check of all persons who are to be included - in relation to business risk, information classification and within the framework of applicable laws and ethical standards.

Mistakes are human - this also applies to software development. A simple transposed number or an overlooked special case in the code can have far-reaching consequences, such as security gaps that attackers could exploit. Closing such gaps requires a structured and efficient approach. This is exactly where the concept of a responsible disclosure process comes in. At CERTAINITY, we see responsible disclosure as an important contribution to the IT community in order to create a secure and resilient society against cyber attacks.