Brian Pennington's IT Security and Compliance Blog

Soonwon Park and John D. Hastings of The Beacom College of Computer and Cyber Sciences, Dakota State University, have produced a paper on how Compliance is enforced across a range of GRC standards. The paper specifically focuses on PCI DSS, HIPAA, NIS2, and GDPR and how the individual standards are enforced and how the enforcement impacts the level of compliance across those organisations that…

Here are Computer Weekly’s top 10 cyber security stories of 2025. 1. US indicts five in fake North Korean IT contractor scandal 2. NCSC proposes three-step plan to move to quantum-safe encryption 3. NHS asks suppliers to sign up to cyber covenant 4. US cyber agency CISA faces stiff budget cuts 5. Brits clinging to Windows 10 face heightened risk, says NCSC 6. UK government to bring in…

It is relatively easy for cybercriminals to obtains tool and support to instigate a Phishing or Quishing email attack campaign. Their challenge is to find enough targets to make the attacks work and like the other criminals in their space, the spammers, scammers and BECers it is a numbers game and luckily for them there is enough compromised data out there to help them create a lucrative…

Over the years I have consolidated a few “next year” predictions as it is interesting, well at least for me, to see how accurate the predictions are but also how geopolitical and technological developments can impact the security industry and therefore the outcomes of the predictions. If you want to look back in time, my consolidated list for 2011 click here The 2025 predictions are below,…

A picture paints a thousand words and this useful image from KnowBe4 quickly and simply summarises the current Phishing activities. The main Phishing topic for business based attacks was HR with 42% of the attacks followed by IT related emails at 30%. Outside of HR the usual suspects come into play with Amazon Prime, PDFs and QR codes causing a lot of headaches.

A blog by Luke Rupnow of Online Business Systems Inc. The demand for Chief Information Security Officers (CISOs) continues to increase due to the rising complexity of cyber threats and the critical role of cybersecurity pertaining to business strategy and operations. According to PwC’s 2024 Global Digital Trust Insights, a significant portion of executives acknowledge the need for enhanced cyber…

The ISO 27000 family of protocols represent a series of standards developed by the International Organization for Standardization (ISO) to address various aspects of information security management. These standards provide a framework for organizations to establish, implement, maintain, and continually improve their information security management systems (ISMS). Each standard within the ISO…

Despite the very detailed analysis by Statista the “not identified” cyber incidents account for more that the the four usual nations. This could mean the usual suspects are doing a good job of hiding their attacks and they are getting away with a considerable amount of cybercrime or a lot of other more “friendly” nations are doing a lot more hacking that they are being credited with. Either way…

Cyber Crime Surge: During COVID-19, cyber crimes shot up by 600%, showing how threats adapt to global changes. Phishing Attacks: Phishing is the top cyber attack, causing 90% of data breaches. Shockingly, 96% of these attacks come through email. Ransomware Attacks: In 2023, a whopping 72.7% of organizations faced ransomware. The cost of these attacks could hit $265 billion annually by…

Tokio Marine HCC International Cyber team has published their fourth annual Top 10 Cyber Incidents Report 2023. Here is their Top 10 with the link to the report at the bottom of the post. Israel – Hamas war (Nation State attack)Impact – Kinetic cyber attack causing direct or indirect physical damage, injury or death to people ION Derivatives (Financial institution)Impact – Systemic risk due to…

Over the course of this year I have explained to colleagues and clients who’s roles are not in Cybersecurity what certain phrases or abbreviations mean. After I while I started to drop them into a word document so I could reuse them. Then I decided to make this post so I can easily share the explanations. There are bound to be things missing, please drop a comment if I have missed something and…

2018 changes to PCI DSS v3.2

Several PCI DSS requirements from version 3.2 come into effect at the end of January, 2018 (that’s just five months from now!).

Here is a list of some of the changes that will come into effect:-

3.5.1: Full documentation of all cryptographic architecture (service providers only)

6.4.6:  Change management processes that include verification of any PCI DSS impact for changes to systems or networks