Stealth Data Collection Threatens Employee Privacy
It’s no secret that collecting sensitive information comes with risks, says Alan
Brill, senior managing director of the cyber risk practice at business advisory
firm Kroll. “You may be collecting information that's covered by laws or
regulations, whether you know it or not,” he warns. “Collecting data that you
don’t actually need in order to perform a business process represents 100% risk
and 0% value.” Enterprise leadership has to recognize that collecting unneeded
information, or information that's not used for intended purposes, can be an
actual danger to the organization. “This decision should not be delegated solely
to IT leaders,” Brill says. ... The fastest way to identify confidential and
unnecessary data is by using advanced data loss prevention (DLP) capabilities to
search for specific patterns, such as email addresses, phone numbers, protected
health information, and personally identifiable information (PHI/PII) data
types, says Doug Saylors, a cybersecurity partner with global technology
research and advisory firm ISG. Another protection measure, aimed at limiting
traffic visibility, is to require remote workers to use VPN connections whenever
linking to the enterprise network, he adds.
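The DLP pattern search Saylors describes can be sketched in a few lines. The following is an added example, not code from Kroll, ISG or the article: a minimal scanner that walks constructed text line by line, reports where email addresses, phone numbers and US-style SSNs appear, and redacts them so the remaining text can still be used. The regular expressions are illustrative assumptions (US phone and SSN formats); a production DLP engine relies on validated detectors and checksums rather than regex alone.

```python
import re
from collections import Counter

# Pattern catalogue for a minimal DLP scan. These patterns are assumptions
# made for the example (US-style phone and SSN formats), not a vendor's rules.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"),
}

# Constructed sample: four log/ticket lines, three of which carry data the
# business process did not need to collect.
SAMPLE = """\
Ticket 4411: customer reached out at jane.doe@example.com about invoice
Callback number (555) 123-4567 left on voicemail
Patient note: MRN not provided, SSN 123-45-6789 given by mistake
Server rebooted at 02:14, no user data in this line
"""


def scan_text(text):
    """Return one finding per match: line number, data kind, and the value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({"line": lineno, "kind": kind, "value": match.group(0)})
    return findings


def redact_text(text):
    """Replace each detected value with a placeholder so the rest stays usable."""
    for kind, pattern in PATTERNS.items():
        text = pattern.sub(f"<{kind.upper()}>", text)
    return text


def summarize(findings):
    """Count findings by kind; a quick view of what is being held without need."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']}: {f['kind']} -> {f['value']}")
    print(summarize(scan_text(SAMPLE)))
    print(redact_text(SAMPLE))
```

Running the scanner over a share or mailbox export answers Brill's question directly: every finding is data the organisation is holding, and each one either maps to a business process or is pure risk.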
AWS names 6 key trends driving machine learning innovation and adoption
Increasing volumes of data, and different types of data, are being used to train
ML models. This is the second key trend Saha identified. Organizations are now
building models that have been trained on structured data sources such as text,
as well as unstructured data types including audio and video. Having the ability
to get different data types into ML models has led to the development of
multiple services at AWS to help in training models. One such tool that Saha
highlighted is SageMaker Data Wrangler, which helps users process unstructured
data using an approach that makes it practical for ML training. AWS also added
new support for geospatial data in SageMaker this week at the re:Invent
conference. ... The final key trend that will drive ML forward is democratizing
the technology, making tools and skills accessible to more people. “Customers
tell us that they … often have a hard time in hiring all the data science talent
that they need,” Saha said. The answers
to the challenge of democratization, in Saha’s view, lie in continuing to
develop low-code and use case-driven tools, and in education.
Balancing cybersecurity costs and business protection
For many SMEs, cuts to cybersecurity budgets may feel justified due to a lack of
breaches encountered in the past. However, the reality is those defences are why
they’ve never had an attack. You wouldn’t get rid of a house alarm because
you’ve never been burgled. Cybersecurity should be no different. Organisations
may also think they can do away with security measures because they’re too small
– that they’re not a juicy enough target. But the opposite can be true. Hackers
can see smaller businesses as easy prey that won’t have the same calibre of
defence as a large corporation – and more likely to give in to demands too. ...
When thinking about cybersecurity, another area that is often overlooked is the
possibility of human error. While the risk of an employee retaining data
accidentally can be just as serious as an external hacker, preventing accidental
breaches shouldn’t cost the earth and there are simple ways to minimise the
chance of one happening. Regular training is the most effective way to prevent
a slip-up and will empower staff to stay on top of new threats. It’s important,
however, that this training is targeted and being applied in the right areas.
Great Leaders Manage Complexity with Self-Awareness and Context Awareness
Undoubtedly, people across organizations have expectations of “leaders.” In a
general sense, they expect them to lead. In my experience, this entails a
diverse set of expectations from various people within a collective or shared
context. The most common expectations I’ve come across are providing answers and
clarity, guidance, context, direction and vision, structure, and accountability.
Think of how expectations are entangled with the framing of leadership. People
seem to have different specific needs to take steps toward something and make
progress. My experience is that a person’s historical experiences significantly
influence their needs, which vary with context. People’s awareness about
themselves, a specific situation, and others vary. So what people think is
needed is sometimes not relevant or appropriate. These are some reasons I’ve
found the specifics of leadership challenging, to say the least. Some of the
sources that I’ve found particularly helpful when managing these
challenges—understanding individual and contextual needs—are SCARF by David Rock
and Wardley Mapping.
Machine Learning Models: A Dangerous New Attack Vector
Researchers demonstrated how such an attack would work in a POC focused on the
PyTorch open source framework, showing also how it could be broadened to target
other popular ML libraries, such as TensorFlow, scikit-learn, and Keras.
Specifically, researchers embedded a ransomware executable into the model's
weights and biases using a technique akin to steganography; that is, they
replaced the least significant bits of each float in one of the model's neural
layers, Janus says. Next, to decode the binary and execute it, the team used a
flaw in the PyTorch/pickle serialization format that allows arbitrary Python
modules to be loaded and methods to be executed. They did this by injecting a
small Python script at the beginning of one of the model's files, preceded by an
instruction for executing the script, Janus says. "The script itself rebuilds the
payload from the tensor and injects it into memory, without dropping it to the
disk," she says. ... The resulting weaponized model evades current detection
from antivirus and endpoint detection and response (EDR) solutions while
suffering only an insignificant loss in efficacy, the researchers
said.
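The loader flaw the researchers used is a property of Python's pickle format itself: unpickling can import any module and call any callable. A defender does not need the payload to detect the precondition. The following is an added example, not code from the researchers or the PyTorch project: a scanner that lists the opcodes in a pickle stream that can import or execute code, and a restricted unpickler that only resolves an explicit allow list of classes. The sample blobs are constructed with the standard library (a plain dict, an OrderedDict as a stand-in for a state_dict, and a datetime object standing in for an unexpected module reference); the allow list and the verdict format are assumptions of the example. For a real model archive, the check would be applied to the pickled member inside the file before anything is loaded.

```python
import datetime
import io
import pickle
import pickletools
from collections import OrderedDict

# Opcodes that can import a module, call a callable, or set attributes
# during unpickling (names as defined by the pickle protocol reference).
# A model file containing any of these needs review before it is loaded.
SUSPICIOUS_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
    "NEWOBJ", "NEWOBJ_EX", "BUILD",
}

# Constructed samples, all pickled with the standard library:
BENIGN = pickle.dumps({"layer1.weight": [0.1, 0.2], "layer1.bias": [0.0]})
STATE_DICT = pickle.dumps(OrderedDict(w=[1.0]))      # needs one class reference, like a real state_dict
FOREIGN = pickle.dumps(datetime.date(2020, 1, 1))    # references a module the allow list does not cover


def scan_pickle(data: bytes):
    """Return (offset, opcode name, argument) for every risky opcode in the stream."""
    hits = []
    for opcode, arg, pos in pickletools.genops(data):
        if opcode.name in SUSPICIOUS_OPCODES:
            hits.append((pos, opcode.name, arg))
    return hits


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global except an explicit allow list.

    The allow list is an assumption of the example: a real loader would list
    exactly the classes its checkpoint format legitimately contains.
    """

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def safe_loads(data: bytes):
    """Load a pickle stream through the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def check_model_blob(data: bytes):
    """Verdict a loader can log: which risky opcodes appear and whether the
    restricted load succeeded. Loading still happens only through the allow list."""
    verdict = {"risky_opcodes": sorted({name for _, name, _ in scan_pickle(data)}),
               "loaded": False, "error": None}
    try:
        verdict["object"] = safe_loads(data)
        verdict["loaded"] = True
    except pickle.UnpicklingError as exc:
        verdict["error"] = str(exc)
    return verdict


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("state_dict", STATE_DICT), ("foreign", FOREIGN)):
        v = check_model_blob(blob)
        print(label, v["risky_opcodes"], "loaded" if v["loaded"] else v["error"])
```

The scanner flags the `OrderedDict` sample too, which is the point: a legitimate checkpoint also carries class references, so opcode presence alone is a triage signal, and the allow list in `find_class` is what actually decides whether a reference is acceptable. Unpickling through an allow list does not address the steganographic weights themselves, only the stage at which the hidden bytes would be reassembled and run.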
How to get cloud migration right
A successful migration — like a house renovation — begins with an analysis of
your current environment. Knowing how DNS/DHCP functions in your environment, as
well as identifying adjacent technologies and integrations, security posture,
and business processes is a necessary step. It won’t prevent all surprises
during migration, but it can help. Next, outline and explore the challenges
related to your current network architecture. Stakeholders should arrive with a
vision of their ideal infrastructure. What things do they not want to see in
their new network? What do they want to prevent, improve, and optimize — and how
do they expect the cloud to help? Resilience drives many enterprises to cloud
migration. This might occur after crippling outages that disrupt user
experiences and business operations. But the hunt for efficiency and new IT
initiatives that can reduce service level agreements are also factors. There’s
another often-ignored factor that can derail cloud migrations: not including the
right stakeholders. In an on-premises environment, the main stakeholders were
the data center or network team. Successful cloud migrations demand
inclusion.
When blaming the user for a security breach is unfair – or just wrong
The best place to start is understanding employee roles, resources, and access
habits, Laxdal says. For example, financial workers should understand the
specific risks to business accounts and social engineering attempts such as BEC
scams that may target them. Development departments will have different risk
areas to focus on; for example, their IP on hosted servers or malware hidden in
public open-source libraries. HR, on the other hand, is dealing with PII
(financial, banking, and healthcare information) that shouldn’t be shared over
any channel, particularly given that anyone can impersonate a CEO and request
files or transfers. “All of these vectors are being used globally against
information assets and are overwhelmingly credential-based attacks that are
perpetrated through phishing. Users need to understand why and be part of that
discussion with real-world examples,” Laxdal explains. “Sit down with your
employees, ask about their typical day and access requirements. And understand
each functional area of the business so you can design controls and training for
their business.”
7 ways to cope with a C-level rival
Embrace and uplift your foe, regardless of whether they embrace and uplift you,
advises Paola Saibene, principal consultant at IT and business advisory and
consulting firm Resultant. “Your focus should be on revamping, refreshing,
reinventing, and progressing, so that you’ll be known as a leader, no matter
what,” she says. “If you put your focus on getting better and better, and being
inclusive along the way, the rival will have fewer and fewer opportunities to
bring you down.” Also try to view the situation from the antagonist’s
perspective, no matter how unjustified it may be. “Take the opportunity to bring
them into a conversation to deconstruct the issue,” Saibene recommends. “If it’s
not a personal issue, it’s solvable.” Finally, if all efforts at compromise
fail, feel free to proceed with no regrets, Saibene suggests, fully realizing
that you tried your best. As you struggle with your nemesis, it’s important to
maintain your composure and not let emotions get in the way of your
decision-making process, says Kimberley Tyler-Smith, a former McKinsey & Co.
analyst. Currently the strategist at career tech service company Resume Worded,
Tyler-Smith advises seeking impartial help.
Data Clean Rooms: Enabling Analytics, Protecting Privacy
According to Forrester, to qualify as a data clean room, security and privacy
controls must be embedded in the tool so that enterprise and customer data is
protected before it’s shared and analyzed. This means they must include strong
identity and access management capabilities, and encryption of data entering the
“clean room,” among other protections. But it’s not just the tools that need to
incorporate these protections. Forrester says that clean rooms must have
processes in place to protect privacy, too. For instance, a critical process
would include normalizing data before entering the room and verifying the degree
of de-identification when data leaves the room. Another essential piece is a
process to assess risks in the data clean room, according to Forrester.
Forrester lists two other keys to data clean rooms: transparent data governance
controls, and a self-governing analysis experience. One data clean room provider
is Snowflake. Originally known for its cloud data warehouse services, the
company was already known for working with end-customer data, and it was talking
about data clean rooms back in January 2020 as a way to continue data analysis
while abiding by new regulations such as GDPR and the California Consumer
Privacy Act.
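"Verifying the degree of de-identification when data leaves the room" needs a measurable check. The following is an added example, not Forrester's criteria or Snowflake's implementation: it applies k-anonymity, one standard measure, to a constructed export of generalized records, reports the smallest group that shares the same quasi-identifier values, and suppresses groups that fall below the release threshold. The column names, the choice of quasi-identifiers and the threshold are assumptions of the example.

```python
from collections import Counter

# Constructed export: rows leaving the clean room after generalization
# (exact age replaced by a band, ZIP truncated to three digits).
EXPORT = [
    {"age_band": "30-39", "zip3": "941", "spend": 120},
    {"age_band": "30-39", "zip3": "941", "spend": 95},
    {"age_band": "30-39", "zip3": "941", "spend": 210},
    {"age_band": "30-39", "zip3": "941", "spend": 40},
    {"age_band": "40-49", "zip3": "100", "spend": 300},
    {"age_band": "40-49", "zip3": "100", "spend": 180},
    {"age_band": "40-49", "zip3": "100", "spend": 75},
    {"age_band": "20-29", "zip3": "303", "spend": 60},   # a group of one re-identifies someone
]

# Columns that, combined, could be linked to an outside dataset (assumed for the example).
QUASI_IDENTIFIERS = ("age_band", "zip3")


def equivalence_classes(rows, quasi_ids):
    """Count rows per combination of quasi-identifier values."""
    return Counter(tuple(row[q] for q in quasi_ids) for row in rows)


def k_anonymity(rows, quasi_ids):
    """The k of the dataset: size of its smallest equivalence class."""
    classes = equivalence_classes(rows, quasi_ids)
    return min(classes.values()) if classes else 0


def small_classes(rows, quasi_ids, k_min):
    """Quasi-identifier combinations shared by fewer than k_min rows."""
    return {key: n for key, n in equivalence_classes(rows, quasi_ids).items() if n < k_min}


def suppress(rows, quasi_ids, k_min):
    """Drop rows whose equivalence class is below the threshold (simplest remedy)."""
    weak = small_classes(rows, quasi_ids, k_min)
    return [row for row in rows if tuple(row[q] for q in quasi_ids) not in weak]


def release_check(rows, quasi_ids, k_min):
    """Gate decision for data leaving the room: current k, offending classes, pass/fail."""
    return {
        "k": k_anonymity(rows, quasi_ids),
        "below_threshold": small_classes(rows, quasi_ids, k_min),
        "release_ok": k_anonymity(rows, quasi_ids) >= k_min,
    }


if __name__ == "__main__":
    print(release_check(EXPORT, QUASI_IDENTIFIERS, k_min=3))
    cleaned = suppress(EXPORT, QUASI_IDENTIFIERS, k_min=3)
    print(release_check(cleaned, QUASI_IDENTIFIERS, k_min=3), len(cleaned), "rows released")
```

The gate fails on the raw export because one person sits alone in the 20-29/303 class; after suppression the export is 3-anonymous and passes. Suppression is the bluntest fix; further generalization (a wider age band, a two-digit ZIP) keeps more rows at the cost of precision, which is exactly the trade-off the risk-assessment process Forrester calls for has to weigh.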
Adopting Low Code/No Code: Six Fitnesses to Look For
LCNC platforms usually offer more than one hosting option. Typical hosting
options include the LCNC provider's cloud and self-hosting within your own
infrastructure. Choosing the provider's cloud has the benefit of making use of
their end-to-end DevOps toolchain which should be operationally easy to manage
and in turn, cost-effective. Note that this benefit is best when a significant
number of applications are hosted within their environment, and those
applications are isolated in nature (meaning, limited integrations with existing
applications residing in your hosting infrastructure). You also need to check if
the provider's cloud offers transparency to your deployed resources and offers
support tiered to your application’s criticality. For example, if you have a
significant number of applications developed on the Mendix platform and you plan
to build more applications on it, then choosing Mendix Cloud may be
cost-effective and operationally simple.
Quote for the day:
"Being honest and open is the only way
to convince cynical employees that you truly want to establish a partnership
with them." - Florence M. Stone