Two ways to improve GDPR enforcement
Centralised enforcement would certainly add efficiency and consistency to the enforcement process. However, implementation could take years, and even once it’s in place, there’s a risk that member states may disagree about enforcement decisions because one member state could take issue with rulings made by the central enforcement agency. The other foreseeable approach is for the EU to stick with its current decentralised approach to GDPR enforcement, but to invest in measures that would make enforcement more consistent and efficient. ... Developing clearer guidelines about GDPR interpretation would help, too. As a principles-based framework, the GDPR can be overwhelming to interpret, making it challenging for businesses to comply and for enforcement authorities in various countries to determine when a violation has taken place. Centralised interpretation guidance in the form of clarifications about complex GDPR requirements or examples of successful compliance would help ensure more consistent and efficient enforcement of the GDPR, even without a centralised enforcement agency.
How to get your CFO to buy into a better model for IT funding
To ensure persistent teams stay within budget, and thereby reduce risk, it’s crucial that executives understand the fundamental agile principles related to flexible scope and fixed budget. Sometimes, management needs to make a change in direction, and persistent teams allow for this. By using data insights from the quarterly business performance report, the CFO is made aware of situations where the organisation is not tracking towards goals. The executive is then empowered to reprioritise, while still focusing on the ‘why’ or outcome to be delivered. They can change persistent teams’ focus by working with them to swap one initiative for another — rather than asking for additional funding. Making trade-offs means they need to prioritise wisely, as there is a fixed budget to work within. “When there is a change in direction, executives are empowered to make trade-offs to deliver on their needs. It is no longer an ‘ask’ of technology,” says Hubbard, regarding Rest’s use of an agile approach in conjunction with persistent funding. We set up a persistent pilot team at Rest in 2023 to test out the concept. About three months into the six-month pilot, the team uncovered that one of the initiatives wasn’t technically feasible at this time.
7 Tips for Managing Cross-Border Data Transfers
Partners are great for business, but they can misunderstand and make mistakes,
too. Their errors can cost your organization as much as its own mistakes can.
Take steps to ensure all third parties you work with comply as well.
“Increasingly, companies that want to mature and manage their cross-border data
transfers are putting in place three-part vendor risk programs that include
pre-contract assessments, contractual safeguards model privacy and data
protection provisions and data processing addendums (DPAs), and post-contract
audits,” says Jim Koenig, a partner at Troutman Pepper and co-chair of its
privacy and cyber practice group. The first ensures third parties meet your
security requirements and provides an inventory of data transfers. The second --
contractual safeguards model privacy and data protection provisions and DPAs --
“define the specific uses and restrictions on secondary uses, including AI
algorithm training, and compliance requirements,” Koenig says. And the last,
post-contract audits, “assesses the recipient company’s compliance with the
applicable data transfer laws, such as EU GDPR, Saudi Arabia, China’s PIPL and
others, and specific contract requirements,” he says.
Getting Ahead of Shadow Generative AI+
Generative AI should help you differentiate what your company does. However,
using public LLMs alone will not deliver this, and you will sound the same as
everyone else. Companies can make their generative AI strategies more effective
and tailored for them and for employees by bringing their own data to the table
using retrieval augmented generation, or RAG. RAG takes your own data, gets it
ready for use with generative AI, and then passes this data as context into the
LLM when your employee asks for a response. RAG is part of solving problems like
hallucinations, and it also makes results more relevant for your organization
and your customers, rather than getting similar results to other companies that
are asking for the same kinds of questions. ... To implement this, you will have
to combine various tools from vector data stores and AI integrations to build a
RAG stack that makes it easier and faster to get started. Delivering this
quickly will help you prevent some of those “off the books” deployments that
teams might try to do for themselves while they wait for central IT.
The state of ransomware: Faster, smarter, and meaner
The pace of innovation on the part of ransomware criminal groups has hit a new
high. “In the past two years, we have witnessed a hockey stick curve in the
rate of evolution in the complexity, speed, sophistication, and aggressiveness
of these crimes,” says John Anthony Smith, CSO and founder of cybersecurity
firm Conversant Group. ... “They have combined innovative tactics with complex
methods to compromise the enterprise, take it to its knees, and leave it
little room to negotiate,” Smith says. One sign of this is that dwell time —
the time from initial entry to data exfiltration, encryption, backup
destruction, or ransom demand — has dramatically shortened. “While it
used to take weeks, threat actors are now often completing attacks in as
little as four to 48 hours,” says Smith. Another new tactic is that attackers
are evading multifactor authentication by using SIM swapping attacks and token
capture or taking advantage of MFA fatigue on the part of employees. Once a
user has authenticated, a session token is used to authenticate subsequent
requests so that the user does not have to repeat the authentication, which is
why a captured token lets an attacker skip the MFA step entirely.
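As an added example (not from the article or from Conversant Group), the following Python sketch shows how a defender might surface the MFA-fatigue pattern described above in push-authentication logs: a burst of denied or timed-out prompts followed by an approval. The log format, field names and sample lines are all constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "timestamp user result source_ip".
# alice receives four rejected pushes in a few minutes and then approves one;
# bob shows ordinary behaviour with a single stray denial.
SAMPLE_LOG = """\
2024-05-01T02:11:03Z alice denied 203.0.113.7
2024-05-01T02:11:41Z alice denied 203.0.113.7
2024-05-01T02:12:20Z alice timeout 203.0.113.7
2024-05-01T02:13:05Z alice denied 203.0.113.7
2024-05-01T02:14:30Z alice approved 203.0.113.7
2024-05-01T09:00:10Z bob approved 198.51.100.4
2024-05-01T09:30:45Z bob denied 198.51.100.4
2024-05-01T09:31:20Z bob approved 198.51.100.4
"""

REJECTED = ("denied", "timeout")


def parse_log(text):
    """Parse the assumed whitespace-separated format into (ts, user, result, ip)."""
    events = []
    for line in text.splitlines():
        ts, user, result, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_rejections=3):
    """Return {user: (rejections_before_approval, approval_time)} for every user
    whose approved push was preceded by at least `min_rejections` rejected
    pushes inside `window`. Only the first qualifying approval is reported."""
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)
    findings = {}
    for user, evs in by_user.items():
        for i, (ts, _, result, _) in enumerate(evs):
            if result != "approved":
                continue
            # Count earlier rejected prompts that fall inside the look-back window.
            rejected = sum(1 for t, _, r, _ in evs[:i]
                           if r in REJECTED and ts - t <= window)
            if rejected >= min_rejections and user not in findings:
                findings[user] = (rejected, ts)
    return findings
```

Tune `window` and `min_rejections` to the tenant's normal prompt volume; a single denial followed by an approval (bob) is routine, whereas several rejections before an approval (alice) deserves a session review.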
Companies are about to waste billions on AI — here’s how not to become one of them
As you think about saying yes to that next AI project, look at the cost of the
needed resources, today and over time, to sustain that project. Ten hours of
work from your data science team often has 5X the engineering, DevOps, QA,
product and SysOps time buried underneath. Companies are littered with
fragments of projects that were once a good idea but lacked ongoing investment
to sustain them. Saying no to an AI initiative is hard today, but too-frequent
yeses often come at the cost of fully funding the few things worth supporting
tomorrow. Another dimension to cost is the increasing marginal cost that AI
drives. These large models are costly to train, run and maintain. ... The
simplest bets are the ones that better the business you are already in. The
old BASF commercial comes to mind: “We don’t make the things you buy, we make
the things you buy better.” If the application of AI provides you momentum in
the products you already make, that bet is the easiest to make and scale. The
second easiest bets are the ones that let you move up and down the value chain
or laterally expand to other sectors.
Securing Modern Banking Applications – Do’s and Don’ts
The consumer also plays a pivotal role in the security of their mobile
banking. As the device user, consumers and/or employees need to beware of
banking applications that ask for tons of accessibility permissions. Granting
accessibility permissions without closely looking at what they are requesting
can be risky because these permissions can give apps broad control over a
device’s functionalities. Banking trojans will often ask for and then exploit
accessibility features to automate transactions, capture sensitive data (such
as passwords) or overlay fake login screens on legitimate banking apps. Even
when the app itself is legitimate, consumers should still proceed with caution,
knowing that trojans often use this “preconceived trust” as a launching pad for
their destructive attacks. Consumers should also avoid downloading banking
apps from unvetted sources, such as third-party app stores that lack the
rigorous security controls of the official Apple and Google stores. Lastly,
beware of phishing emails, URLs or texts that look legitimate. Threat actors
will often reverse-engineer banking apps to steal logos and other icons to
imitate the actual app.
8 cybersecurity predictions shaping the future of cyber defense
By 2028, the adoption of GenAI will collapse the skills gap, removing the need
for specialized education from 50% of entry-level cybersecurity positions.
GenAI augments will change how organizations hire and train cybersecurity
workers, with employers looking for the right aptitude as much as the right
education. Mainstream platforms already offer conversational augments, and
these will keep evolving.
Gartner recommends cybersecurity teams focus on internal use cases that
support users as they work; coordinate with HR partners; and identify adjacent
talent for more critical cybersecurity roles. ... By 2026, enterprises
combining GenAI with an integrated platforms-based architecture in security
behavior and culture programs (SBCP) will experience 40% fewer employee-driven
cybersecurity incidents. Organizations are increasingly focused on
personalized engagement as an essential component of an effective SBCP. GenAI
has the potential to generate hyperpersonalized content and training materials
that take into context an employee’s unique attributes. According to Gartner,
this will increase the likelihood of employees adopting more secure behaviors
in their day-to-day work, resulting in fewer cybersecurity incidents.
Data Security Posture Management in the Education Sector: What You Need to Know
The first and perhaps most crucial step is identifying where all instances of
student data reside within your institution. With a best-of-breed DSPM
solution, machine learning (ML) and AI can autonomously scan and categorize
student data, including its semantic context, regardless of where it is stored
(structured and unstructured data repositories, email/messaging applications,
and cloud or on-premises storage). It can identify the data, learn its usage
patterns, and determine whether it is at risk.
This thorough discovery and identification process is also especially
important for educational institutions aiming for FERPA compliance. ... The
ability to identify and classify sensitive student data puts institutions in a
great place, but once identified, any vulnerabilities and risks found must be
remediated. Leveraging deep learning, DSPM solutions can compare each data
element with baseline security practices used by similar data to detect risk
-- even without relying on rules and policies. Even better is to address these
access risks in real time -- whether that means remediating access control
issues, disabling sensitive file sharing, or blocking an attachment in a
messaging platform.
API Security Best Practices That CTOs Can Action Today
The basic function of APIs is to facilitate the exchange of data from one
system to another, a process that inherently multiplies potential security
risks. The current pace of innovation, with new services, features, and
operations being rolled out almost daily, means that several foundational
security practices are often overlooked. This oversight can dramatically
weaken an organization’s security posture because APIs, by their very
design, open up access to data and systems – often beyond the direct control
of the organization. This aspect of APIs – the “link” to external entities –
is a double-edged sword. While it enables unprecedented levels of
interconnectivity and functionality between applications, it also demands that
security controls be as robust and comprehensive as those applied to internal
access management. However, therein lies the problem: while developers and IT
professionals are adept at quickly setting up APIs in the interests of
enhancing their services and operations, they often don’t apply the same
security standards as they would to strictly internal operations.
Quote for the day:
"The more I help others to succeed,
the more I succeed." -- Ray Kroc