Shadow IT, SaaS Pose Security Liability for Enterprises
All issues surrounding shadow IT can be traced back to an organization's lack of
visibility. An unmanaged software stack gives IT teams zero insight into how
sensitive company information is being used and distributed. Since these tools
are not vetted properly and are left unmonitored, the data they store is not
adequately protected by most organizations. This creates the perfect framework
for hackers to easily seize important data, such as confidential financial
records or personal details. Critical corporate data is at risk because most, if
not all, SaaS tools require corporate credentials and access to an
organization's internal network. A recent survey by Adaptive Shield and CSA
actually shows that in the past year alone, 63% of CISOs have reported security
incidents from this type of SaaS misuse. As stated prior, the recurring theme
that many businesses are experiencing with shadow IT is the risk associated with
a data breach. However, it is equally important to realize the potential
industry scrutiny that businesses face and the penalties they receive from
regulators because of sprawling shadow IT.
The Cyber Resilience Act Threatens Open Source
At the heart of the issue is the need for organizations to self-certify their
compliance with the act. Since open source is often maintained by a small
loose-knit group of contributors, it is difficult to see how this will work.
Here’s the concern in a nutshell. Suppose you write up a cool little C++ program
for your own use. You aren’t a company, and you didn’t do it for profit. Wanting
to share your work, you post your program on GitHub with an open source license.
... In fact, it is even encouraged. That’s how open source works. The problem is
when the GRID database has a problem that causes a data breach. The problem
turns out to be a vulnerability in your code. Under the proposed law, it is
possible you’d be left holding the bag for a large sum of money thanks to your
generous hobby project that didn’t earn you a cent. The situation is even more
complex if your code has multiple contributors. Was it your code that caused the
breach or the other developer’s code? Who “owns” the project? Are all
contributors liable?
Why Your Personal Brand Needs A Niche: The Benefits Of Specialization
Finding your niche also allows you to focus your energy and resources on a
specific area, reducing the chances of you feeling overwhelmed trying to be
everything to everyone. A niche provides a compass for your efforts, ensuring
that the work you do aligns with your skills and interests. While being more
specific can feel uncomfortable, it ultimately enables employers and clients to
understand the specific value you offer. In the early days of my consultancy, I
found myself saying yes to everything, including some speaking engagements that
fell outside of my immediate area of expertise or taking on clients who demanded
a lot of additional effort on my part to cover the entire scope of the services
they sought that went beyond my offerings. Over time, I defined clearer
boundaries around my scope of services. I also tried to more explicitly
communicate which services I did not offer or consider within my area of
expertise. When you niche down and clearly define your area of focus, it enables
you to make clearer career choices, only pursuing opportunities that allow you
to reinforce your positioning.
Former Microsoft CIO Jim DuBois Dishes On AI and Future of IT
One of the things we have to figure out in the future of work is that a huge
part of the population isn’t able to take advantage of this hybrid and remote
opportunity. And what do we do for them? Do we end up getting to a place where
people are picking jobs based on whether they can work remote or not? And are we
going to have to compensate people differently for being on- or off site? That’s
something that hasn’t been solved … There are a lot of companies that haven’t
figured out how to keep the collaboration and the culture going in a remote
workforce. So they just said, “Oh, we’ve got to get people back into the office
do that.” I would say, “Or, you could figure out how to collaborate and keep
your culture going with remote.” ... I’m a believer in carrot rather than stick
incentives. Rather than compliance requirements, we need to focus on the fact
that there’s so much value in ESG and in having a more diverse team. We need to
focus more on the incentives and less on the “because we told you to”
part.
Using generative AI to understand customers
In terms of better understanding customers, generative AI is really effective in
summarising information. Companies are already using the technology to create
auto-summaries of market research reports, eliminating the need for having to
precis reports manually. Going forward, there is potential to expand this use
case to summarise large volumes of information quickly and efficiently in order
to provide concise answers to key business questions. ... Generative AI can also
make it easier for all stakeholders to access market research without having to
involve an insights manager each time, thereby removing access barriers and
facilitating the seamless integration of consumer insights into daily
operations. Moreover, generative AI can help to address common concerns
associated with all stakeholders accessing market research, such as non-research
workers asking the wrong questions. By prompting relevant questions related to
their search query, the technology can help those without research backgrounds
to ask better questions, ultimately leading to more accurate and useful customer
information.
Optimizing SaaS With Automation and Zero-Touch IT
While it may seem daunting, the journey to achieving zero-touch IT is not out of
reach. It does require investment in time, technology and people, however. And
once you get there the efficiencies will be apparent. Let’s break these benefits
down by category. Zero-touch IT helps companies manage their software
applications much more effectively. IT groups have historically gotten bogged
down in the manual execution of tasks that are complicated and tedious, despite
being basic and common. Two processes cited as top concerns for IT
professionals, onboarding new employees and offboarding departing employees, are
concrete examples. But managing the user life cycle of an employee doesn’t just
start at onboarding and stop at offboarding. Many changes take place during an
employee’s time at the organization—promotions, changes in departments, password
resets, new project assignments, etc. And every single time an event like this
occurs, some type of action, like giving or revoking access to new files,
elevating access rights or taking security steps to prevent unauthorized access
is required.
Cyber insurer launches InsurSec solution to help SMBs improve security, risk management
InsurSec solutions are new, emerging offerings, but the concept behind them and
its potential to add value to involved parties is something being recognized
more widely, particularly for SMBs and organizations struggling with an adverse
blend of low maturity and cost constraints. “I think the insurance market is
recognizing that their future offering in this space has to grow beyond simple
loss protection,” Paul Watts, distinguished analyst at the Information Security
Forum, tells CSO. “Providing complementary services to help organizations with
proactive and reactive management of cyber risk could also help foster stronger
relationships between insurer and client.” Both parties stand to benefit here –
by engaging in this way, risk is better (and jointly) managed, Watts says.
Insurers are mitigating losses, and clients are drawing down on capabilities
that were previously too expensive for consideration and could see lower
premiums as a result.
Novel Technique Exploits Kubernetes RBAC to Create Backdoors
Researchers at Cybersecurity firm Aqua Security said they recorded and analyzed
an attack on its Kubernetes honeypots that used the RBAC system to gain
persistence. Kubernetes Role-based access control or RBAC is a method of
restricting network access based on the roles of individual users within an
organization. In their honeypots, the researchers exposed AWS access keys in
various locations on the cluster and received a beacon indicating that the
access keys were used by the attacker to try and gain further access to the
cloud service provider account and leverage the attack to steal more resources
and data. "The findings are significant as they shed light on the risks of
misconfigurations and how even large organizations can overlook the importance
of securing their clusters, leaving them vulnerable to potential disasters with
just one mistake," according to researchers. The large-scale campaign dubbed
RBAC Buster allowed attackers to gain initial access by exploiting a
misconfigured API server that allowed unauthenticated requests from anonymous
users with privileges.
How does blockchain fit into today’s enterprise?
According to Bennett, outside of the financial services sector, “we are still
not at the point where we can confidently say that blockchain really is
delivering the business value that people are looking for, simply because it is
incredibly difficult to actually set up a blockchain network that at the end of
the day really needs all those blockchain features,” she said. Stack Overflow
recently conducted a survey to find out what new technologies made it past what
Gartner refers to as the hype cycle. Many new technologies can stir up
excitement in the industry, but not all will actually see widespread adoption.
They ranked technologies on a scale of experimental to proven and positive to
negative impact. On a scale from zero (experimental) to 10 (proven), blockchain
technology came in towards the middle at 4.8. And on a scale from zero (negative
impact) to 10 (positive impact), it received a score of 5.3. Another survey by
Foundry echoes these sentiments. It found that 51% of respondents were not
interested in adopting blockchain technology within their organization.
Navigating The Future Of Cyber
Cyber is about more than protecting information—risk management, incident
response planning and threat intelligence can often be directly correlated to
increasing trust within businesses. Many organizations recognize the
importance of prioritizing cybersecurity and have reported significant
improvements in trust and efficiency through their efforts. In Deloitte
Global’s latest Future of Cyber Survey, almost 70% of businesses that were
identified as highly mature organizations when it comes to cyber believe
cybersecurity has positively impacted their organization's reputation and
productivity. From robust cyber planning across the business and effective
board-level engagement—the high cyber performers recognize the importance of
cyber responsibility and involvement across the whole organization. Beyond
looking across the organization, cyber planning strategies should be regularly
reviewed and updated to protect trust in the organization.
Quote for the day:
"Without courage, it doesn't matter
how good the leader's intentions are." -- Orrin Woodward
