Daily Tech Digest - February 17, 2023

Bard, Bing, and the 90% problem

With search in particular, accuracy and thoroughness matter. One simple answer is fine — when it’s right. And when you can trust that it’s right. But it certainly seems like right now, that’s anything but the case with any of this technology. Hell, Microsoft's Bing-bot includes prominent disclaimers that it’s likely to provide inaccurate or incomplete information! And all novelty and cool factor aside, I just don’t see how that’ll make for an especially useful utility from a search context, for as long as that remains the case. ... It's really quite simple: If even one out of every 10 attempts at using something produces a flawed or for any reason unsatisfactory result, folks tend to lose faith in said thing pretty fast. And they then end up turning to another tool for the same purpose more often than not. That's why lots of us rely on Assistant for functional commands, which work fairly consistently — but when it comes to more complex searches, whether we've got Assistant at our beck and call on a phone or built into the core system interface on a Chromebook, we're still more likely to go to Google to get an answer.

EaaS as a Technique to Raise Productivity in Teams

EaaS can help you provide your application in a staging environment. Essentially, this environment is a copy of your production environment. EaaS tools simply assist you with duplicating the production environment and all of its elements (e.g., the code, settings, and deployment configurations). These technologies enable you to quickly create these environments for your clients, providing them with a trial version of your software. Consequently, even before the application is finished, you may present your products to clients more quickly. EaaS also allows developers to be more creative by constructing settings similar to sandboxes in which they can experiment with new ideas without having to set up new environments or recreate current ones. The EaaS approach is scalable and cost-effective. Only the resources you use and the time your server is online are subject to payment. So, if you need to submit a proof of concept to a stakeholder, you just need to pay for the time the environment will be operational.

Fraudsters are using machine learning to help write scam emails in different languages

Scammers don't even need to speak the language of the people or organizations they're targeting: analysis of some prolific BEC campaigns by researchers at Abnormal Security suggests that email fraudsters are turning to machine learning-powered translation tools like Google Translate to help compose emails used in the attacks. This technique is enabling widespread BEC campaigns for an expanded array of cyber-criminal groups, who can cast a larger net at minimal cost. "Attacking targets across various regions and using multiple languages is nothing new. However, in the past, these attacks were perpetrated mainly by sophisticated organizations with bigger budgets and more advanced resources," said Crane Hassold, director of threat intelligence at Abnormal Security. ... The payment fraud campaigns have been distributed in at least 13 different languages, including Danish, Dutch, Estonian, French, German, Hungarian, Italian, Norwegian, Polish, Portuguese, Spanish, and Swedish.

Don’t Let a Cyberattack Destroy Your Pharmacy

One mistake that many independent pharmacies make is to use free Gmail addresses to transmit sensitive data, Mr. Gallagher added. The email service is not encrypted or secure, he stressed, which is why a better option is to use a private domain for company email. Similarly, he added, it’s important to choose HIPAA-compliant videoconferencing software, such as Microsoft Teams, for discussions with patients and internal meetings. Sloppy data disposal practices are another concern. “What we’ve learned from previous breaches that have happened at pharmacies is that whether it’s paper or whether it’s electronic, it’s really a good idea to ensure that the information is responsibly and securely disposed of,” said Lee Kim, JD, the senior principal of cybersecurity and privacy at the Healthcare Information and Management Systems Society, who wasn’t a presenter at NASP. “How many of us actually think, ‘Well, maybe I should ensure that everything is wiped from the photocopier before it gets serviced’? Probably not many, but if you don’t think about the small transactional things like that … people’s information is at risk.”

States sketch out roadmaps for zero trust ‘journey’

“Money doesn't solve every problem, and endless amounts of money would not instantly create a perfect world where every state has zero trust fully implemented in a very mature way,” Pugh said. “But it would help those states that are very budget strapped and have many competing priorities.” One way of assessing how far along states are in implementing zero trust is whether it is “top of mind in security conversations,” said Jim Richberg, public sector field CISO and vice president of information security at Fortinet. And by that measure, state leaders are paying attention. Those that have led the way on state-level zero trust said guidance already exists from the likes of the National Institute of Standards and Technology’s Authenticator Assurance Levels and Identity Assurance Levels. With those guidelines in place, said Adam Ford, Illinois’ chief information security officer, during a National Governors’ Association webinar, states can establish a baseline for themselves, even though the system nationwide is set up so we are "50 experiments going on at the same time," he said.

Don't put off data minimization

From a risk-based perspective, the biggest exposure is in relation to cyberattack. This is a particular threat for law firms because cybercriminals now include you on a shortlist of prime targets. The ABA’s cybersecurity report in 2021 observed that ransomware, in particular, is: “an increasing threat to lawyers and law firms of all sizes”. Microsoft revealed that state-sponsored Chinese hackers have been targeting “US-based universities, defense contractors, law firms and infectious disease researchers”. A lack of systematic data minimisation increases your attractiveness to such criminals because you present a larger, juicier target. Moreover, cyberattack can be your biggest nightmare. It incurs lost productivity and may entail ransom demands. You’ll likely need to pay cybercrime expert fees, and potentially regulatory and professional fines. But that’s not all. A New York based entertainment law firm suffered an attack in 2020 when hackers demanded a ransom payment of USD$42 million to prevent the release of confidential information about the firm’s world-famous clients. News outlets subsequently reported that the firm eventually paid out USD$365k. And there’s the rub. 

CIO role: 4 ways to do more with less

Even the best CIOs can fall victim to a common efficiency-robbing habit: getting lost in the weeds on a particular project. As CIO, you have a lot on your plate, and it’s easy to miss deadlines or deliver sub-par performance if you get too focused on details your team can – and should – handle. Assuming you have a competent, trustworthy team, let go of more minor details and remain laser-focused on your organization’s desired strategic outcomes. When CIOs feel compelled to control every detail, it can indicate a struggling organization. If a business’ IT arm is bogged down by legacy systems or an outpouring of manual and rote tasks that do nothing for business performance, the CIO will often be mired in dealing with organizational performance issues. That means more time managing internal fire drills and less time thinking strategically and making business-critical decisions. ... When you have the confidence and infrastructure to delegate details to your team, you’ll have much more bandwidth to focus on the big picture and drive your business forward.

Navigating the ever-changing landscape of digital security solutions

We see an increasingly fragmented geopolitical landscape with unique data residency requirements for each country which is resulting in localized hosting of solutions as well as nimbleness and increased granularity of data control. Regulations like GDPR and CCPA necessitate the need for not only safeguarding information (via encryption and tokenization) but also driving automated protection of PII. Recent regulations from the White House and guidance from CISA are aimed at driving better compliance with incident disclosure as well as offering a blueprint for zero trust. ... Most progressive organizations view cybersecurity as business critical and partner with organizations like ours to create a comprehensive cybersecurity strategy. In short, while there is increased oversight, both the consumers and providers of security solutions are more focused on: implementing a zero-trust approach, instituting automated protection of information and taking a partnership posture as opposed to a traditional vendor-buyer approach.

Cybersecurity Jobs Remain Secure Despite Recession Fears

"With reports of job cuts at organizations including Twitter, Meta, Microsoft, Amazon and Google, cybersecurity staff could benefit from proactive hiring targeted towards those recent layoffs," the report stated. "With so many tech jobs impacted by recent layoffs, it is possible that many of those individuals may find opportunity in pursuing a career in cybersecurity, where they can apply related skills and expertise." The resilience in demand for cybersecurity professionals comes as many workers burned out and resigned, part of the Great Resignation in 2022. Organizations that lost valuable specialists did so for three main reasons, Rosso says. Cybersecurity teams have traditionally not had great career advancement opportunities, so their ability to gain promotions and increased salaries at their current company are often limited. In addition, the culture surrounding many security teams has often led to burnout and mental stress, she says. "We know, for example, that at the end of 2021 and beginning of 2022, the Log4j issue was causing people to clock a lot of hours, and that led to some burnout," she says. 

Why Your Organization Needs to Embrace Data Resiliency

Enterprises should take a holistic approach to understanding their data: how it's gathered, how it's used throughout the organization, and how it's impacted by a lack of availability or corruption, Krishnamoorthy says. “This starts with creating a detailed map of business processes, applications, systems, and data,” he suggests. Schick notes that there's no industry-standard checklist for ensuring data resiliency, but advises separating critical and non-critical data, storing data in separate locations, logging transactions that change critical data, and using tools and processes to quickly recover corrupted or lost data. Enterprises should retain data only for as long as it's needed, O'Hern suggests. “We eliminate risk when we purge … which means it no longer exists to be held hostage.” Krishnamoorthy notes that it's also important to understand how applications, automated tools and systems, and IT staff interact with enterprise data from manageability, serviceability, and security perspectives. 

Quote for the day:

"Nothing is so potent as the silent influence of a good example." -- James Kent
