Daily Tech Digest - April 23, 2023

Shadow IT, SaaS Pose Security Liability for Enterprises

All issues surrounding shadow IT can be traced back to an organization's lack of visibility. An unmanaged software stack gives IT teams zero insight into how sensitive company information is being used and distributed. Since these tools are not vetted properly and are left unmonitored, the data they store is not adequately protected by most organizations. This creates the perfect framework for hackers to easily seize important data, such as confidential financial records or personal details. Critical corporate data is at risk because most, if not all, SaaS tools require corporate credentials and access to an organization's internal network. A recent survey by Adaptive Shield and CSA actually shows that in the past year alone, 63% of CISOs have reported security incidents from this type of SaaS misuse. As stated prior, the recurring theme that many businesses are experiencing with shadow IT is the risk associated with a data breach. However, it is equally important to realize the potential industry scrutiny that businesses face and the penalties they receive from regulators because of sprawling shadow IT.


The Cyber Resilience Act Threatens Open Source

At the heart of the issue is the need for organizations to self-certify their compliance with the act. Since open source is often maintained by a small loose-knit group of contributors, it is difficult to see how this will work. Here’s the concern in a nutshell. Suppose you write up a cool little C++ program for your own use. You aren’t a company, and you didn’t do it for profit. Wanting to share your work, you post your program on GitHub with an open source license. ... In fact, it is even encouraged. That’s how open source works. The problem is when the GRID database has a problem that causes a data breach. The problem turns out to be a vulnerability in your code. Under the proposed law, it is possible you’d be left holding the bag for a large sum of money thanks to your generous hobby project that didn’t earn you a cent. The situation is even more complex if your code has multiple contributors. Was it your code that caused the breach or the other developer’s code? Who “owns” the project? Are all contributors liable? 


Why Your Personal Brand Needs A Niche: The Benefits Of Specialization

Finding your niche also allows you to focus your energy and resources on a specific area, reducing the chances of you feeling overwhelmed trying to be everything to everyone. A niche provides a compass for your efforts, ensuring that the work you do aligns with your skills and interests. While being more specific can feel uncomfortable, it ultimately enables employers and clients to understand the specific value you offer. In the early days of my consultancy, I found myself saying yes to everything, including some speaking engagements that fell outside of my immediate area of expertise or taking on clients who demanded a lot of additional effort on my part to cover the entire scope of the services they sought that went beyond my offerings. Over time, I defined clearer boundaries around my scope of services. I also tried to more explicitly communicate which services I did not offer or consider within my area of expertise. When you niche down and clearly define your area of focus, it enables you to make clearer career choices, only pursuing opportunities that allow you to reinforce your positioning.


Former Microsoft CIO Jim DuBois Dishes On AI and Future of IT

One of the things we have to figure out in the future of work is that a huge part of the population isn’t able to take advantage of this hybrid and remote opportunity. And what do we do for them? Do we end up getting to a place where people are picking jobs based on whether they can work remote or not? And are we going to have to compensate people differently for being on- or off site? That’s something that hasn’t been solved … There are a lot of companies that haven’t figured out how to keep the collaboration and the culture going in a remote workforce. So they just said, “Oh, we’ve got to get people back into the office do that.” I would say, “Or, you could figure out how to collaborate and keep your culture going with remote.” ... I’m a believer in carrot rather than stick incentives. Rather than compliance requirements, we need to focus on the fact that there’s so much value in ESG and in having a more diverse team. We need to focus more on the incentives and less on the “because we told you to” part. 


Using generative AI to understand customers

In terms of better understanding customers, generative AI is really effective in summarising information. Companies are already using the technology to create auto-summaries of market research reports, eliminating the need for having to precis reports manually. Going forward, there is potential to expand this use case to summarise large volumes of information quickly and efficiently in order to provide concise answers to key business questions. ... Generative AI can also make it easier for all stakeholders to access market research without having to involve an insights manager each time, thereby removing access barriers and facilitating the seamless integration of consumer insights into daily operations. Moreover, generative AI can help to address common concerns associated with all stakeholders accessing market research, such as non-research workers asking the wrong questions. By prompting relevant questions related to their search query, the technology can help those without research backgrounds to ask better questions, ultimately leading to more accurate and useful customer information.


Optimizing SaaS With Automation and Zero-Touch IT

While it may seem daunting, the journey to achieving zero-touch IT is not out of reach. It does require investment in time, technology and people, however. And once you get there the efficiencies will be apparent. Let’s break these benefits down by category. Zero-touch IT helps companies manage their software applications much more effectively. IT groups have historically gotten bogged down in the manual execution of tasks that are complicated and tedious, despite being basic and common. Two processes cited as top concerns for IT professionals, onboarding new employees and offboarding departing employees, are concrete examples. But managing the user life cycle of an employee doesn’t just start at onboarding and stop at offboarding. Many changes take place during an employee’s time at the organization—promotions, changes in departments, password resets, new project assignments, etc. And every single time an event like this occurs, some type of action, like giving or revoking access to new files, elevating access rights or taking security steps to prevent unauthorized access is required. 


Cyber insurer launches InsurSec solution to help SMBs improve security, risk management

InsurSec solutions are new, emerging offerings, but the concept behind them and its potential to add value to involved parties is something being recognized more widely, particularly for SMBs and organizations struggling with an adverse blend of low maturity and cost constraints. “I think the insurance market is recognizing that their future offering in this space has to grow beyond simple loss protection,” Paul Watts, distinguished analyst at the Information Security Forum, tells CSO. “Providing complementary services to help organizations with proactive and reactive management of cyber risk could also help foster stronger relationships between insurer and client.” Both parties stand to benefit here – by engaging in this way, risk is better (and jointly) managed, Watts says. Insurers are mitigating losses, and clients are drawing down on capabilities that were previously too expensive for consideration and could see lower premiums as a result. 


Novel Technique Exploits Kubernetes RBAC to Create Backdoors

Researchers at cybersecurity firm Aqua Security said they recorded and analyzed an attack on their Kubernetes honeypots that used the RBAC system to gain persistence. Kubernetes role-based access control (RBAC) is a method of restricting access based on the roles of individual users within an organization. In their honeypots, the researchers exposed AWS access keys in various locations on the cluster and received a beacon indicating that the attacker had used the keys to try to gain further access to the cloud service provider account and extend the attack to steal more resources and data. "The findings are significant as they shed light on the risks of misconfigurations and how even large organizations can overlook the importance of securing their clusters, leaving them vulnerable to potential disasters with just one mistake," according to the researchers. The large-scale campaign, dubbed RBAC Buster, gained initial access by exploiting a misconfigured API server that allowed unauthenticated requests from anonymous users with privileges.
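One defender-side check for the misconfiguration this item describes, written as an added example that is not from the Aqua write-up: audit a cluster's role bindings for roles granted to unauthenticated subjects. It assumes the input is the JSON produced by `kubectl get clusterrolebindings,rolebindings -A -o json`; the sample bindings below are constructed.

```python
import json

# Subjects that represent requests carrying no valid credentials. Any binding
# that grants them a role is the kind of "anonymous users with privileges"
# misconfiguration described above.
UNAUTHENTICATED_SUBJECTS = {"system:anonymous", "system:unauthenticated"}

# Roles that are always critical when bound to an unauthenticated subject.
HIGH_PRIVILEGE_ROLES = {"cluster-admin", "admin", "edit"}

# Kubernetes ships this default binding so unauthenticated clients can reach
# /healthz, /version and similar non-sensitive endpoints; do not flag it.
DEFAULT_ALLOWLIST = {"system:public-info-viewer"}


def find_anonymous_bindings(bindings_json: str) -> list[dict]:
    """Return bindings that grant a role to unauthenticated subjects."""
    findings = []
    for item in json.loads(bindings_json).get("items", []):
        name = item["metadata"]["name"]
        if name in DEFAULT_ALLOWLIST:
            continue
        exposed = sorted(
            s["name"] for s in (item.get("subjects") or [])
            if s.get("kind") in ("User", "Group")
            and s.get("name") in UNAUTHENTICATED_SUBJECTS
        )
        if not exposed:
            continue
        role = item["roleRef"]["name"]
        findings.append({
            "binding": name,
            "kind": item["kind"],
            "namespace": item["metadata"].get("namespace"),
            "role": role,
            "subjects": exposed,
            "severity": "critical" if role in HIGH_PRIVILEGE_ROLES else "high",
        })
    return findings


# Constructed sample: the benign default binding plus one dangerous binding.
SAMPLE = json.dumps({"items": [
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "system:public-info-viewer"},
     "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "anon-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "system:anonymous"}]},
]})

if __name__ == "__main__":
    for finding in find_anonymous_bindings(SAMPLE):
        print(finding)
```

On a live cluster, pipe the kubectl output into `find_anonymous_bindings` and treat any "critical" finding as an incident-response trigger, not just a hygiene item.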


How does blockchain fit into today’s enterprise?

According to Bennett, outside of the financial services sector, “we are still not at the point where we can confidently say that blockchain really is delivering the business value that people are looking for, simply because it is incredibly difficult to actually set up a blockchain network that at the end of the day really needs all those blockchain features,” she said. Stack Overflow recently conducted a survey to find out what new technologies made it past what Gartner refers to as the hype cycle. Many new technologies can stir up excitement in the industry, but not all will actually see widespread adoption. They ranked technologies on a scale of experimental to proven and positive to negative impact. On a scale from zero (experimental) to 10 (proven), blockchain technology came in towards the middle at 4.8. And on a scale from zero (negative impact) to 10 (positive impact), it received a score of 5.3. Another survey by Foundry echoes these sentiments. It found that 51% of respondents were not interested in adopting blockchain technology within their organization.


Navigating The Future Of Cyber

Cyber is about more than protecting information—risk management, incident response planning and threat intelligence can often be directly correlated to increasing trust within businesses. Many organizations recognize the importance of prioritizing cybersecurity and have reported significant improvements in trust and efficiency through their efforts. In Deloitte Global’s latest Future of Cyber Survey, almost 70% of businesses that were identified as highly mature organizations when it comes to cyber believe cybersecurity has positively impacted their organization's reputation and productivity. From robust cyber planning across the business and effective board-level engagement—the high cyber performers recognize the importance of cyber responsibility and involvement across the whole organization. Beyond looking across the organization, cyber planning strategies should be regularly reviewed and updated to protect trust in the organization.



Quote for the day:

"Without courage, it doesn't matter how good the leader's intentions are." -- Orrin Woodward