Cyber corner: ‘Groundbreaking’ FCC settlement, CISO comp, NIST’s new password rules

Including news of T-Mobile’s $31.5m settlement to resolve an FCC probe into data breaches that affected tens of millions of US consumers.

The Federal Communications Commission (FCC) reached a settlement with T-Mobile in connection with multiple data breaches between 2021 and 2023 at the mobile carrier and broadband provider, the agency said in a consent order.

The FCC called its settlement “groundbreaking” because it orders the company to invest $15.75m in its data-security and privacy compliance programs and in its internal technology capabilities. That investment directive is on top of the $15.75m civil penalty T-Mobile will pay to the US Treasury.

The governance reforms the carrier has agreed to take are:

  • Corporate Governance: Designating a Chief Information Security Officer who will report regularly to the board of directors on cybersecurity matters;
  • Modern Zero-Trust Architecture: Moving towards a “zero trust” security framework and segmenting its network to limit the blast radius when a breach occurs;
  • Identity and Access Management: Implementing phishing-resistant multifactor authentication to secure its networks and systems;
  • Data Minimization and Deletion: Adopting data minimization, data inventory, and data disposal processes designed to limit its collection and retention of customer information;
  • Critical Asset Inventory: Identifying and promptly tracking critical assets on its network to prevent misuse or compromise; and
  • Independent Third Party Assessments: Conducting independent third-party assessments of its information security practices.

CISO compensation

Chief information security officer (CISO) turnover rates in the US remained soft during the first half of 2024, as economic uncertainty continued to slow demand for new executive hires, according to a compensation study by IANS Research and Artico Search. Annual turnover among CISOs was 11% for the first half of the year, compared with 12% for 2023 and 21% for 2022.

Average compensation for CISOs — including base salary, bonuses and equity — came in at $565,000 per year, with median compensation at $403,000. The top 10% of CISOs are earning more than $1m per year, with about 1% earning more than $3m per year.

About 70% of CISOs in the study received merit-based raises, averaging 5.6% base salary increases and 6.3% growth to total compensation. However, CISOs who changed jobs saw compensation increases of 31% on average, according to the report.

The findings were based on a survey of 755 security executives conducted between April and August of this year.

NIST scraps password complexity, mandatory reset rules

The National Institute of Standards and Technology (NIST) is no longer recommending using a mixture of character types in passwords or regularly changing passwords.

The second public draft version of its password guidelines (SP 800-63-4) outlines technical requirements and recommended best practices for password management and authentication. The latest guidelines instruct credential service providers (CSPs) to stop requiring users to set passwords that use specific types of characters, and to stop mandating periodic password changes, usually every 60 or 90 days.

Also, CSPs were instructed to stop using knowledge-based authentication or security questions when selecting passwords.

Thank you, NIST. But why the change?

When NIST first introduced its password recommendations in 2017, it recommended complexity: passwords comprising a mix of uppercase and lowercase letters, numbers, and special characters. But complex passwords are not always strong (e.g., “Password123!”), and complexity often meant users were making their passwords predictable and easy to guess, writing them down, or reusing them across accounts.

In recent years, NIST has shifted its focus to password length, since longer passwords are harder to crack with brute-force attacks and can be easier for users to remember without being predictable.

NIST now also recommends forcing a password reset only when there is evidence that the credential has been compromised.
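To make the contrast concrete, here is an added example (my own code, not NIST's and not from the article) that puts a legacy composition policy beside a length-and-blocklist policy of the kind the draft describes, and shows how the two rules for forced resets differ. The blocklist is a constructed stand-in for a real compromised-credential screen; the 15-character minimum, 64-character maximum and NFKC normalization are my reading of the draft's recommended values and should be treated as configuration, not as a quotation of the standard.

```python
import re
import unicodedata

# Constructed blocklist standing in for a screen against known-breached and
# commonly used passwords. A real verifier would check a large corpus.
BLOCKLIST = {"password", "password123", "password123!", "qwerty", "letmein", "welcome1"}


def legacy_check(password: str, min_len: int = 8) -> list:
    """Old-style composition rules: return the reasons a password fails them.

    This is the policy the article says NIST recommended in 2017. Note that
    'Password123!' satisfies every rule here even though it is trivially guessable.
    """
    problems = []
    if len(password) < min_len:
        problems.append(f"too short (min {min_len})")
    if not re.search(r"[A-Z]", password):
        problems.append("needs uppercase")
    if not re.search(r"[a-z]", password):
        problems.append("needs lowercase")
    if not re.search(r"[0-9]", password):
        problems.append("needs digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs special character")
    return problems


def nist_style_check(password: str, min_len: int = 15, max_len: int = 64) -> list:
    """Length plus blocklist, no composition rules (assumed draft-style policy).

    Returns the reasons a password fails; an empty list means it is acceptable.
    Length is counted in code points after Unicode normalization so that a
    passphrase typed with non-ASCII characters is not rejected or truncated.
    """
    pw = unicodedata.normalize("NFKC", password)
    problems = []
    if len(pw) < min_len:
        problems.append(f"too short (min {min_len} characters)")
    if len(pw) > max_len:
        problems.append(f"too long (max {max_len} characters)")
    # Case-insensitive compare so 'Password123!' matches the 'password123!' entry.
    if pw.lower() in BLOCKLIST:
        problems.append("appears on the blocklist of known-compromised or common passwords")
    return problems


def legacy_needs_reset(age_days: int, compromised: bool, max_age_days: int = 90) -> bool:
    """Old rule: rotate on a calendar (e.g. every 90 days) or on compromise."""
    return compromised or age_days > max_age_days


def nist_style_needs_reset(age_days: int, compromised: bool) -> bool:
    """Draft-style rule: age alone never triggers a reset; evidence of compromise does."""
    return compromised


if __name__ == "__main__":
    # Constructed sample inputs: a 'complex' but weak password and a long passphrase.
    for pw in ("Password123!", "correct horse battery staple ok"):
        print(repr(pw))
        print("  legacy :", legacy_check(pw) or "OK")
        print("  nist   :", nist_style_check(pw) or "OK")
    # A 200-day-old password with no breach evidence: only the legacy rule forces a reset.
    print("legacy reset:", legacy_needs_reset(200, False))
    print("nist reset  :", nist_style_needs_reset(200, False))
```

Running the block shows the inversion the article describes: the composition policy waves “Password123!” through and rejects the 31-character passphrase for lacking an uppercase letter and a digit, while the length-and-blocklist policy does the opposite. Likewise, the draft-style reset rule ignores password age and fires only when the credential is flagged as compromised.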

Author’s note

For an overview of the NIST, ISO and SOC2 cybersecurity audits and certifications your firm might benefit from, please check out this GRIP podcast.

Pig butchering goes global

Investigations over the past few years have revealed that hundreds of thousands of people in Southeast Asia have been forced to participate in online scams, often being enslaved and brutalized, as part of criminal enterprises that have netted billions in money gleaned from such crime.

These “pig butchering” operations have largely been concentrated in Myanmar, Cambodia, and Laos. They are typically rooted in Chinese organized crime groups preying on vulnerable people – building seemingly intimate relationships with their targets over text and email and then luring these victims into making an investment of some kind by sending funds to them.

The scams are lucrative for the criminals behind them and, sadly, are being uncovered on multiple continents and in numerous countries around the world.

In 2023, the FBI reported nearly $4bn in losses from the scams, and some researchers put all-time total global losses at $75bn or more.

Statistics from the FBI show that pig butchering operations have recently emerged in the Middle East, Eastern Europe, Latin America, and West Africa.

Recovering from global disruption needs a plan

Companies that plan ahead often stay ahead. That, at least, is the premise behind disaster preparedness, crisis planning, CEO succession planning, and tried-and-true business continuity planning as an ongoing pursuit.

In the cybersecurity realm, United Airlines is getting some good press for prioritizing its real-time data capabilities in its technology strategy and thereby weathering the CrowdStrike disruption in July.

A flawed update from cybersecurity provider CrowdStrike brought down millions of computers on July 9, crippling healthcare facilities, trains, airlines, financial services firms, and many other industries.

“We get disrupted all the time, whether it’s a hurricane or a snowstorm or whatever. We have to be ready to make decisions and recover quickly,” United’s CIO Jason Birnbaum told CIO Dive. “We had invested in our recovery capabilities, reinforced by communication across different network groups. We all have the same data and we’re all looking at the same screen, so there were a lot of elements we were able to leverage in a very tough situation.”

Compared to one of its main rivals grounding more than 1,000 flights on July 22 and hundreds more the next day, United’s daily cancelations were below 100.

Birnbaum credited good, old-fashioned planning on who does what to get operations back. He said people followed a playbook, getting into their cars and driving to multiple locations to provide added support in the field. And the company provided updates to its customers quickly – and not in “airline jargon,” he said.