Latest News

emergent risk

Privasec had the privilege of being invited on the board panel discussion last week organised by Cyber Data-Risk Managers.

Romain Rallu together with Teresa Dyson, Michelle Beveridge, Meena Wahi, moderated by Shamane Tan discussed the perspective of boards on Super funds, experience of complying with APRA CPS234 to business continuity and lessons learnt from living in pandemic times, all the way through to emerging risks and risk transfer options.

Watch it here now to tap into this jammed packed and insightful exchange if you've missed out!

Cyberrisk 4

With the entire world mostly moving online, our Executive Advisor Shamane Tan has wasted no time in bringing her acclaimed Cyber Risk Meetups (of more than 3,000 cyber security professionals across Australia, Singapore and Japan) to the digital platforms as well. We are proud to be a community supporter as she launched the Mega C-Suite Series, seeking to bring real insights from various C-executives.

Episode 1 featured guest speaker Dan Lohrmann, a renowned government CISO from the US where he shared some stories of his personal failure and successes over the past few decades. The episode covered his Cyber Storm days to how he built the pandemic playbook for H1N1 all the way to how he nearly got fired as a CISO.

Episode 2 had CEO Paula Kensington (former CFO) shared her insights the board’s expectations of the CFOs, to the modern day language of a CFO, including her view on how our cyber security and risk leaders should be articulating their message to the other C-execs.

Episode 3 with CRO Jeff McArthur explored Shamane’s questions:

  • What are the common challenges a CRO faces?
  • What are some quick tips for aspiring CROs?
  • How should one influence strategic risk objectives but also balance between the financial and operational constraints? How should our CISOs/ other cyber security leaders be talking to the Board/ their other C-execs?

Want more? The Mega C-Suite Series is still running for the month of April and May. RSVP now for the 4th Episode and a special APAC edition:

You can also get up to speed on the previous episodes by subscribing to the Cyber Risk Meetup YouTube channel here:

If you have any GRC-related, pentesting or other cyber security business needs, you can always reach out directly to our trusted advisor Shamane Tan here – This email address is being protected from spambots. You need JavaScript enabled to view it., or drop her a LinkedIn message –

Cyber insurance vs security policies privasec

Data breaches are rampant in the world of business today. Hardly a week goes by without a reported breach or fines that range into the millions of dollars. This new age of security has brought about a change in the way that organisations structure their risk, and their insurance. Unfortunately for many, their over-reliance on cyber insurance to bail them out when they suffer a breach leaves them with a “customer last” security policy.

Insurance has always been an important part of peace of mind and ensuring that we can go about our lives or operating businesses in relative security, but the buck should not stop with insurance.

To put it into context, just because you have vehicle insurance, it does not (or should not) mean that you become reckless whilst driving. So why are we hearing more and more business leaders opt for the bare minimum in terms of cybersecurity measures because of cyber insurance?

While claiming on insurance does help recoup financial losses, undergoing a breach usually has the following effects:

  • It raises your insurance premium and you may only be able to recoup some of the financial losses (depending on insurance cover)
  • Breaches increase the stress levels of your employees (especially on the security and IT teams)
  • Cyber insurance does not cover an organisation from a reputation point of view

What is often overlooked is the reputational damage that inevitably follows a data breach that is revealed to have happened due to security policy negligence. By choosing to rely on cyber insurance as opposed to mitigation and response methods, the organisation is essentially saying that it doesn’t care about the data that it is supposed to be protecting and therefore it does not care about the customers, employees and partners to which the data relates to.

Who would want to do business with an entity like that? When an organisation is breached and the main mitigation strategy was insurance, how likely would you be to do business with them again? At the end of the day, insurance protects the one who was breached and not the hundreds, thousands or millions of others affected.

It’s important to realise that beyond the financial fallout from a breach, the reputational fallout could result in a reduction in future revenue and partnership opportunities.

It goes without saying that cyber insurance is still an important part of protecting the organisation financially, especially as breaches are accepted as an inevitability, ‘it’s not a matter of if but when’. However, organisations must not rely solely on cyber insurance as the answer to potential breaches.

It’s also important to understand the frameworks and standards around risk and how they relate to your cyber insurance. If you’d like more information on this, Privasec recently ran a webinar (click here to view the recording) which covered the complexity of insurance and how organisations can apply a structured approach to accurately quantify the potential loss, based on international standards such as the Open Group FAIR framework and the new standard ISO27102:2019 for cyber insurance. This enables your organisation to better understand its financial exposure to cyber risk and be able to negotiate a more tailored cyber insurance coverage.

Click here if you would like to schedule some time with our consultants to better understand how to quantifying your own risk, as it is a useful exercise in understanding the value of the cyber security program. Getting the cyber security budget you need is a lot easier once you have the numbers to back it up.

Threat actors around the world have been trying to take advantage of the coronavirus pandemic situation by registering coronavirus related domains and selling them at a discounted price on the dark web. The average number of registrations for such domains have increased almost 10 times over the past few weeks.


Image Source: The Hacker News

Mr Builder: ‘I only had 14 days to build this web app, I don’t have time to keep up with the demands of continuous testing and security.’

Mr Breaker: ‘Your application has insufficient transport layer protection and insecure direct object references and don’t even get me started on the security misconfigurations’.

Mr Builder (Yellow) loves to build, and Mr Breaker (Red) loves to break. It is no wonder why these two do not get along. In many cases, the builders would wait for a penetration test excel sheet from the breakers, google their way to change a few configurations of the code and get back to their job of building more apps/ softwares.

Orange Team

In 2019, attackers are phishing targets to retrieve sensitive information that ultimately leads to data compromise. Phishing is the technique where a malicious actor lures a victim into revealing sensitive information. This can be through large “spray-and-pray” type campaigns involving multiple recipients or, a more targeted approach crafting attacks for specific individuals, known as Spear Phishing. Phishing has been around since the early days of the Internet as one of the oldest vectors of attack.


An ADC (Account Data Compromise) event occurs when a third-party attacker or a group of attackers gain unauthorised access to cardholder data that is held within an organisation in either electronic or physical form. Even though the number of ADC events may vary year by year, it takes only one ADC event to negatively impact an organisation.

Account Data Compromise steps

It is a wrap!

Privasec's DroneSec team had a great time at the Singapore Airshow (Asia' largest Aerospace and Defence event) and Global Drone Security Network (GDSN) last week.

DroneSec CTO

Many organisations don’t fully understand the difference between vulnerability scanning, a penetration test, and Red Teaming.

In our latest article, we discussed the difference between a vulnerability scan and a penetration test. Read the full article here.

This article explains the difference between a red team assessment and a penetration test and which assessment is best suited for your organisation.

Vulnerability scan vs penetration testing

As more business processes increase their reliance on data, information security is not just a technical issue anymore. The bigger question, however, is around adoption of an effective risk management framework that not only quantifies risk but also improves executive decision making.

One such structured and defensible framework is FAIR (Factor Analysis of Information Risk).

FAIR Framework