Daily Tech Digest - August 18, 2023

Though simpler, India’s data privacy law is stricter than GDPR in some ways

If you think this is all a tough ask, you should know that the law is simpler and less prescriptive than data privacy laws in many countries. This kind of simpler law is appropriate for a country like India for two reasons – one, because India is just starting down the road of data privacy compliance and two – because India has a huge SME sector that would struggle to comply with a more complex law. At the same time, the law is stricter than GDPR in some ways; for example, in the EU, a business that can develop a case for it having a “legitimate interest” to process personal data can do so without consent. This is largely not possible in India. Further, in the EU, a data breach needs to be reported only to the regulator and individuals only where the data fiduciary concludes that the breach could result in a risk to the rights and freedoms of the individual. The government has given itself the power to exempt classes of data fiduciaries from provisions of the law. This includes start-ups, which have been specifically mentioned. 

Exploring Differences Between Diversity and Inclusion

At an organizational level, both diversity and equity can be addressed through recruitment processes, but inclusivity is the most challenging and up to the company as a whole, including all employees. One of the ways to encourage employees to adopt inclusive behavior is through the power of education. When people understand why change is important, they are often more inclined to respond. The word “inclusive” is not a new concept—however, sometimes it is referred to with little substance. Workplaces say they are inclusive because they have a diverse representation of employees, but when you ask the minority groups in that organization if they feel heard, the answer is often conflicting. Rather than playing the game, they feel as though they are mascots or warming the bench. When employees realize inclusion means making sure minority groups feel like they belong, it allows them to assess and challenge their own personal bias, which may be preventing them from fully embracing all perspectives.

Breached for years: How long-term cyber attacks are able to linger

The first step for any cyber criminal looking to pull off a years’ long hack is find a way into a target’s network. Even when organizations make it difficult, there’s usually one entry point. Whether by using initial access brokers (IABs), exploiting vulnerabilities, or using employee credentials – the most effective of the three – they need to get in without tripping any alarms. During the early days of a breach, hackers will do very little other than observe a business and how its people work. They’ll learn all the different processes that staff execute during a typical workday and use that knowledge to mask their movements around the network. There will be no intrusive actions (data exfiltration, vulnerability exploits, lateral movements) until they know how to blend in with everyday traffic being triaged by the organization’s security operations center (SOC) analyst. Attackers usually indulge in one of two methods to remain undetected for extended periods of time. The first is when they use genuine compromised credentials and mimic that employee’s usual behavior 

Tech leaders weigh in on the upside and flipside of generative AI

So if projects are already getting off the ground, what are feelings about where generative AI works best, and how? “The best practises are undoubtedly cross-functional collaboration, ‘try before you buy,’ and learn from what you do,” says Marc O’Brien, CIO at radiology healthcare service provider Medica Group. “In my experience, the algorithms from reputable firms do what they say on the tin but what really matters is where you position in the workflow.” Team Teach’s Ivell believes companies can gain a fast start by using tools being built into applications and suites. “One of the key and immediate opportunities of generative AI is it’s already being built into some tools we already use, be that Power BI, Adobe or more industry-specific apps,” he says. “To take advantage of these needs some internal discovery or analysis of these new functions, understanding how we’d use them, and, in the first instance, training our staff how to exploit the new features. People tend to use tools in the way they always have, and adoption of new features can be slow, so we need to accelerate that.”

6 best practices to defend against corporate account takeover attacks

It’s important to have strong multifactor authentication around all corporate accounts, says Bryan Willett, CISO at Lexmark. "What we’re finding with some of the latest phishing services that are out there, such as EvilProxy, is that they’re getting very good at imitating a login screen that looks just like your corporate login screen and your corporate MFA challenge," Willett says. "And the user has the potential of falling victim to that and sharing their MFA." ... Organizations should also implement contextual access management that considers a user’s current location, the device being used, time of access, network environment, behavior patterns, and other contextual information, according to Halstead. "By doing so, the risk of unauthorized access, often exploited in corporate account takeovers, can be significantly minimized," he says. ... Employee education and awareness are critical, says Halstead. This "human firewall" remains a very important defense in preventing corporate account takeovers.

Make Data Security Training Fun and Engaging with These Tips

What are your employees most interested in? What’s most likely to capture their attention? If you don’t know, ask. Gather insights from employees to identify their current concerns and interests and integrate those into the content. Consider how you could leverage their personal interests in your storytelling approach. For instance, if you have a large base of avid football fans, how might a Super Bowl-themed story or challenge related to data security help capture their interest? Ensure accuracy while entertaining: learning outcomes need to take center stage in your communication efforts, of course. Strive to provide accurate information about cybersecurity and employees’ roles in helping to protect systems and data, while integrating some fun into the delivery of the content. ... Good stories have a protagonist (in this case, the employees), an antagonist (cybercriminals), and some tension that leads to a climax in the plotline. Use these elements to create content that entertains while also illustrating the tangible outcomes and repercussions of poor data security practices, like the potential damage to personal and professional relationships.

Robotic Process Automation: Is Your Job at Risk?

One thing is certain: Change is inevitable. Hairston points to The World Economic Forum’s The Future of Jobs Report 2023, which estimates that 44% of workers’ skills will be disrupted over the next five years. The current pace of technology evolution is transforming jobs faster than ever. IT can either be a key facilitator of the change or a recipient of the change. “In the former case, IT can push the business toward RPA and other automation technologies that are designed to be used by business,” he says. “This will help companies achieve their most strategic objectives and view IT as more of a partner.” As RPA and AI gain stronger footholds, the only way forward is to help displaced team members reskill and upskill, Zhao says. “Fortunately, many online training platforms are available at affordable costs.” To expedite learning, he advises organizations to develop curated content that employees can freely access. Zhao notes that such content should be relevant to both the work being phased out as well as to the tasks that team members will need moving forward. Executive-level sponsorship of any intelligent automation strategy is essential for long-term success.

We think that as general-purpose robots are becoming more common—and they are—people could misuse them. You can find videos online showing how easy it is to attach a weapon to a mobile robot. So, there’s a reasonable concern about who will have access to robots and what they can do with that access. We want to make sure that there will be some regulation around this—and lead the charge in getting it put into place. Policymakers need to get engaged and be informed about the capabilities of the robots, as well as the potential dangers. We are being vocal about our anti-weaponization stance: robots should not cause harm, nor should they impinge upon anybody’s privacy. The industry that we’re hoping to build only exists if people trust robots. If they’re afraid of them, then that’s going to be a problem. ... By managing the final assembly ourselves, we have better control over the quality and cost, and it helps us to rapidly iterate. One of the things we have learned is that when you iterate your design and work with a partner to do the assembly, the communication challenges are pretty thick. 

The Architect’s Guide to Thinking about Hybrid/Multicloud

While most people will tell you complexity is the hardest thing to manage in a multicloud environment, the truth is that consistency is the primary challenge. Having software that can run across clouds (public, private, edge) provides the consistency to manage complexity. Take object storage. If you have a single object store that can run on AWS, GCP, Azure, IBM, Equinix or your private cloud, your architecture becomes materially simpler. Consistent storage and its features (replication, encryption, etc.) enable the enterprise to focus on the application layer. Consistency creates optionality, and optionality creates leverage. Reducing complexity can’t come at some unsustainable cost. By selecting software that runs across clouds (public, private, edge) you reduce complexity and you increase optionality. If it’s cheaper to run that workload on GCP, move it there. If it’s cheaper to run that database on AWS, run it there. If it’s cheaper to store your data on premises and use external tables, do that.

Observability – everything you need to know

The first thing you need to do on any of these platforms is to get your data into it. Historically, for log analytics solutions, like Splunk, that was relatively easy. I don’t mean to trivialise this, but you would grab logs from all of your infrastructure and send those back to Splunk and we process those. You would usually deploy an agent to do it. For observability solutions – not just ours, but any of them – you need more data. In addition to those logs that you capture from each host, you also need system metrics and application metrics and profiles and distributed traces and everything else. There are additional layers of complexity here. Now you’re not just capturing human readable logs from operating systems, you’re capturing all these other types of data from the individual applications that people have written. That requires hooks into all of the hundreds of thousands of libraries that software developers use. I think that historically has held back this industry to a fairly large degree. We rely on a project that I co-founded with a number of other people, and a number of other companies.

Quote for the day:

"I believe it is important for people to create a healthy mental environment in which to accomplish daily tasks." -- Darren L. Johnson

No comments:

Post a Comment