Daily Tech Digest - December 15, 2022

How acceptable is your acceptable use policy?

Your AUP needs to be auditable and enforceable—but there’s a tricky balance between protecting employees and making them feel like they’re working for an authoritarian regime. “It should be written to the end user rather than the technical person who works in security,” says Michaels. “One of the pitfalls that we see in the development of policies is the security leader will either own the creation of the policy or delegate it to somebody on their team, and they won’t go out and source feedback and check that they’re on the right track.” More mature security programs source feedback and have closer partnerships with HR and the other functions in the business. But many companies are “still trying to do the basic blocking and tackling,” Michaels says. “They’re still more focused on the technology and the process rather than the people that they’re impacting.” The AUP should be clear, concise, and easy to understand—not technobabble or legalese. But getting employee buy-in could also come down to something as simple as word choice.


The power of incremental momentum

Companies can get the type of disruptive innovation they need to survive and create lasting change, without moving fast and breaking things. This can be achieved by building momentum for change incrementally. It’s not a new approach, but it can get overlooked when a sense of urgency arises and appears to dictate swift action. ... Incremental momentum has been successfully used in other endeavors. Almost 120 years after Roosevelt’s work, a team of environmental scientists in Finland surveyed the success of incremental change in achieving the country’s sustainability goals. They concluded: “The strengths of small wins include the ability to react to the constantly changing, dynamic conditions…and to deepen trust, commitment and understanding among people.” The report continued, small wins “can facilitate progress and interfere with old routines by bringing about small steps that may result in continuous transformational change and generate radical changes in the long run.” ... The risks were great. The SAP executive team had to balance putting effort into building cloud solutions with maintaining engineering support for the ERP system innovations that its customers relied on.


IT leaders face reality check on hybrid productivity

Organizations are realizing that hybrid work is more about how teams come together — not just what’s right for the organization or individual, says Jonathan Pearce, workforce strategies lead at Deloitte Consulting. So more companies are ratcheting up expectations for their team leaders to decide how work gets done, and then hold them accountable as a team when it comes to performance and rewards. “We’re expecting more team leaders to have open discussions with their teams on what’s working and not working around communication, the norms around [how quickly] they’re expected to respond and how we come together when we need to collaborate,” Pearce says. “The question now becomes how do we up their game as managers — not just managers of work but really orchestrators of a more complex team environment,” Pearce says. Good managers make work more enjoyable for their teams, are better able to identify and use each employee’s strengths and help those workers gain more skills and experience they need to develop their careers and be more productive, he adds.


Improving Cyberresilience in an Age of Continuous Attacks

Effective cybersecurity is about risk management. For example, when banks lend money or issue credit cards, the chief risk officer (CRO) has created a model based on profiles that assume there will be a default rate, meaning certain borrowers may not ever repay their obligations. This is communicated to the chief executive officer (CEO) so that the entire management team understands that it will incur losses from certain customers. Banks are then able to plan and reserve for these losses before they happen. Enterprises must think of cybersecurity in the same manner in which banks lend money. It is only a matter of time before a breach occurs. If the right controls are in place, these breaches are nothing more than a simple incident of one machine being compromised rather than an entire network’s worth of data being compromised. Each new attack has the potential to change the threat model. This may not be the first thing on cybersecurity team members’ minds after an attack, but changes could be required immediately.


The 3G shutdown: Here are the impacted devices. Do you own any?

So, what does this all mean for older hardware like cell phones, alarms, and GPS systems that thrive on the 3G spectrum? To put it bluntly, many of the network-driven features will become obsolete, presenting some unforeseen dangers. Fortunately, there are steps that you and your loved ones can take to safely transition from aging to future-proof tech. In some cases, manufacturers may even be able to give your older gadgets new life through software upgrades. ... Besides ushering in the revolution of smartphones, 3G has played a foundational role in the navigation and alarm-based systems that we rely on during our everyday commutes. With the institution of faster and more reliable 5G, roadside assistance and emergency crash alerts are among the many network-based features that will be affected by the shutting down of 3G. Many cars also have an emergency SOS button that, when pressed, dials first responders via 3G. That, too, will lose functionality. Vehicles from popular automakers like Toyota, Lexus, Nissan, Hyundai, Dodge, and more released before 2019 are susceptible to the issues mentioned above. 


Quantum Computing Will Change Our Lives. But Be Patient, Please

Over and over at Q2B, quantum computing advocates showed themselves to be measured in their predictions and guarded about promising imminent breakthroughs. Comments that quantum computing will be "bigger than fire" are the exception, not the rule. Instead, advocates prefer to point to a reasonable track record of steady progress. Quantum computer makers have gradually increased the scale of quantum computers, improved their software and decreased the qubit-perturbing noise that derails calculations. The race to build a quantum computer is balanced against patience and technology road maps that stretch years into the future. ... And new quantum computing efforts keep cropping up. Cloud computing powerhouse Amazon, which started its Braket service with access to others' quantum computers, is now at work on its own machines too. At Q2B, the Novo Nordisk Foundation -- with funding from its Novo Nordisk pharmaceutical company -- announced a plan to fund a quantum computer for biosciences at the University of Copenhagen's Niels Bohr Institute in Denmark.


The Future: Data Access Must Be Intelligently Automated

Of course, an AI engine must contain certain features, including the ability to provide transparent explanations to data managers regarding processes and the capability to receive data manager feedback for learning and improving the DPP. It must also boost efficiency and accuracy when automating and improving how policies are built, maintained and enforced. Then, over time, these policy applications become more accurate, flexible and intelligently automated. An AI engine also requires vast data sets for training. However, it’s possible to reduce the time required by applying the “human in the loop concept,” where data managers educate the AI. Through this process, the AI engine learns faster and makes better decisions and suggestions. Policies can then be maintained and updated, improving the DPP and supporting organizations to quickly and automatically decide on sharing processes that are safe, secure and compliant. This is the ideal convergence of human expertise and AI technology. And it’s the future of data access governance and lifecycle management. Is your business ready to take advantage?


How much digital trust can you place on zero-trust?

One very important principle of zero-trust that is often understated is assumed breach. All too often, some identity and access management (IAM) product suppliers are quick to share how they can help enterprises achieve zero-trust. This is all well and good, except for the fact that they often cover the first two principles of i) verify explicitly and ii) use least privilege access, but not enough of iii) assume breach. While the first two principles help to limit any attack blast radius and hinder a breach as it steps through the attack kill chain, the third and last principle is critical to effective and efficient detection and containment of a breach: the ability to detect fast, contain fast and recover fast. If we believe that breaches are inevitable, assume breach requires a bigger stage. ... With the increase of triple-extortion ransomware and ransom cartels, it is important to zoom in on decoys. The deployment of time-based database honeytokens shortens incident response time by allowing an enterprise to quickly determine whether the source of a data leak arose from a system breach within the enterprise or was the result of re-hashing of past leaked data from breach databases.
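The time-based honeytoken idea in the excerpt above, worked through as an added example (this is not code from the article or from any vendor): each decoy value carries its deployment date and batch name under an HMAC, so a value found in a leaked dump can be authenticated and used to bound when the data left the enterprise, while a dump containing none of them points to recycled older breach data. The key, batch names and the leaked dump are all constructed for the example.

```python
import hmac
import hashlib

# Constructed key for this example; a real deployment keeps it in a secrets store.
HONEY_KEY = b"example-honeytoken-key-not-for-production"


def _tag(key: bytes, stamp: str, batch: str) -> str:
    """HMAC over (deployment date, batch) so a token cannot be forged or guessed."""
    return hmac.new(key, f"{stamp}|{batch}".encode(), hashlib.sha256).hexdigest()[:16]


def make_token(key: bytes, stamp: str, batch: str) -> str:
    """Build a decoy column value (e.g. a fake customer reference) for a planted row.
    stamp is the deployment date as YYYYMMDD; batch names the table or system the
    decoy row lives in (letters/digits only, since '-' separates the fields)."""
    if len(stamp) != 8 or not stamp.isdigit() or not batch.isalnum():
        raise ValueError("stamp must be YYYYMMDD and batch alphanumeric")
    return f"{stamp}-{batch}-{_tag(key, stamp, batch)}"


def parse_token(key: bytes, candidate: str):
    """Return (stamp, batch) if candidate is one of our honeytokens, else None.
    A value with the right shape but a wrong tag is rejected, so knowing the
    format is not enough to plant false evidence of a breach."""
    parts = candidate.split("-")
    if len(parts) != 3 or len(parts[0]) != 8 or not parts[0].isdigit():
        return None
    stamp, batch, tag = parts
    if not hmac.compare_digest(tag, _tag(key, stamp, batch)):
        return None
    return stamp, batch


def classify_leak(key: bytes, leaked_values) -> dict:
    """Scan a leaked dump for honeytokens. The newest token present dates the
    exfiltration to no earlier than that deployment; a dump with no tokens at all,
    taken from tables that have carried them, points to recycled older breach data."""
    hits = [h for h in (parse_token(key, v) for v in leaked_values) if h]
    if not hits:
        return {"verdict": "no honeytokens: predates deployment or external source",
                "exfil_not_before": None, "batches": []}
    return {"verdict": "live honeytokens present: breach of an internal system",
            "exfil_not_before": max(stamp for stamp, _ in hits),
            "batches": sorted({batch for _, batch in hits})}


if __name__ == "__main__":
    # Constructed dump: a real-looking value, one forged token, two genuine ones.
    dump = ["alice@example.test", "20221201-crm-0000000000000000",
            make_token(HONEY_KEY, "20221201", "crm"), make_token(HONEY_KEY, "20221210", "billing")]
    print(classify_leak(HONEY_KEY, dump))
```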


The Great Resignation isn’t over yet

One in four employees don’t feel secure in their current positions and almost half of them plan to explore new job options in 2023, according to a new report that indicates the Great Resignation remains in full swing. Over the past year, more than 4 million workers have quit their jobs every month, according to the US Bureau of Labor Statistics. The report, by human resource management software provider isolved, says the top way employers can improve company culture and retain their workers is by paying their employees market value. “This comes as no surprise, considering pay transparency laws have jumped to the forefront, and the pressure is on employers to eliminate pay inequality within their organizations,” isolved said in its report. “Data shows employees are more anxious, burnt-out and financial security-driven than ever,” James Norwood, isolved’s chief strategy officer, said in a statement. “To combat these concerns, HR departments of all sizes must evaluate what they can automate and gain efficiencies in, enhance what they can to improve employee experience, and extend the impact of their team.”


The Professionalization of Ransomware: What You Need to Know

Carson says it is critical that IT professionals are current with the ransomware trends and techniques, as it will help IT professionals identify the best ways to reduce those risks and enhance the security controls for the business they are hired to protect. From his perspective, the breakup of some of the large ransomware criminal gangs makes it more likely that smaller splinter groups will become the top threat in 2023. “They have the knowledge of a larger ransomware gang and can now operate more efficiently, sometimes even more targeted,” he says. Kirk explains ransomware is still largely successful due to security mistakes or weaknesses that usually can be mitigated or eliminated. “The risk from stolen login credentials can be mitigated by employing multifactor authentication,” he says. “Cybersecurity awareness training can reduce the likelihood an employee may be tricked into downloading a malicious attachment.” He adds that promptly patching software -- particularly for internet-facing systems such as email servers or VPNs -- is extremely important, as is ensuring that remote connectivity software is securely managed.



Quote for the day:

"Brilliant strategy is the best route to desirable ends with available means." -- Max McKeown
