October 27, 2023
Kannan Subbiah
FCA | CISA | CGEIT | CCISO | GRC Consulting | Independent Director | Enterprise & Solution Architecture | Former Sr. VP & CTO of MF Utilities | BU Soft Tech | itTrident
Consider the QR code aired during the Super Bowl. Now, imagine the company behind that commercial had malicious intent (just to be clear, the company behind that commercial did not have malicious intent). Say, for example, the QR code displayed during the ad opened your phone's browser on a page that pushed ransomware or a malicious app onto the device. Given the number of people who watch the Super Bowl, the outcome of that attack could have been disastrous. That's quishing. ... We've all just accepted the QR code. And, to that end, we trust them. After all, how harmful can a simple QR code be? The answer to that question is: very. And cybercriminals are counting on the idea that most consumers always assume QR codes are harmless. Those same criminals also understand that their easiest targets are those on mobile phones. Why? Because on a desktop the browser and email client typically warn about known phishing links, and the full URL is visible before you click. A phone scanning a QR code shows little or none of the destination, and a mail gateway that scans links in text never sees the URL at all, because it arrived as an image. At the moment, most quishing attacks involve criminals sending a QR code via email.
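The practical defence for the email case above is to decode the QR image at the gateway and apply the same link checks that text URLs already get. The following is an added example, not code from the original article: it assumes the image has already been decoded to a string by a separate decoder and triages only the payload. The shortener list, keyword list and verdict thresholds are illustrative assumptions.

```python
"""Triage of a payload decoded from a QR code (quishing check).

Added example. Assumes a separate decoder has already turned the QR image
into a string; this function inspects only that string. The SHORTENERS,
NON_WEB_SCHEMES and LURE_WORDS sets are illustrative assumptions.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed list of URL shorteners: they hide the real destination from the
# person holding the phone, which is exactly what a quishing lure wants.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Schemes a QR code can carry that do more than open a web page.
NON_WEB_SCHEMES = {"javascript", "intent", "file", "data", "market", "ms-appinstaller"}

# Assumed keywords typical of credential and payment lures.
LURE_WORDS = re.compile(r"(login|verify|account|password|invoice|payment)", re.I)


def triage_qr_payload(payload: str) -> dict:
    """Return {'verdict': 'allow'|'review'|'block', 'reasons': [...]}."""
    reasons = []
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()

    if not scheme:
        # Plain text (a table number, a serial, a coupon code): nothing opens.
        return {"verdict": "allow", "reasons": ["not a URL"]}

    if scheme in NON_WEB_SCHEMES:
        # A browser-side script or an app-install intent is never a menu link.
        return {"verdict": "block", "reasons": [f"non-web scheme '{scheme}'"]}
    if scheme not in ("http", "https"):
        # wifi:, tel:, sms:, mailto: etc. hand off to another handler; a human
        # should look at these rather than the gateway guessing.
        reasons.append(f"unexpected scheme '{scheme}'")

    host = (parts.hostname or "").lower()

    if parts.username is not None:
        # https://bank.example@evil.example/ shows "bank.example" first on a
        # small screen; the real host is the part after '@'.
        reasons.append("userinfo before host (credential-style host spoofing)")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address as host")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode/IDN host (possible homoglyph domain)")
    if host in SHORTENERS:
        reasons.append("URL shortener hides destination")
    if scheme == "http":
        reasons.append("plaintext http")
    if len(text) > 300:
        reasons.append("unusually long payload")
    if LURE_WORDS.search(text):
        reasons.append("credential/payment lure keyword")

    if not reasons:
        return {"verdict": "allow", "reasons": []}

    # Findings that on their own justify blocking rather than a second look.
    severe = ("userinfo", "raw IP", "punycode", "shortener")
    if any(s in r for r in reasons for s in severe):
        return {"verdict": "block", "reasons": reasons}
    return {"verdict": "review", "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample payloads, not real decoded codes.
    for sample in (
        "https://www.example.com/menu",
        "https://bank.example@evil.example/login",
        "javascript:alert(1)",
        "http://example.com/verify",
        "https://bit.ly/abc123",
        "Table 12",
    ):
        print(sample, "->", triage_qr_payload(sample))
```

The userinfo trick and the raw-IP and punycode hosts are the ones worth blocking outright; plaintext http or a lure keyword alone only earn a review, because plenty of legitimate marketing codes trip those.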
The theme of people adopting GenAI within their workplaces without oversight from IT and security teams or leadership, a trend we might reasonably term shadow AI, is not a new one as such. Earlier this year, an Imperva report drew similar concerns, stating that an insider breach at a large organisation arising from someone using generative AI in an off-the-books capacity was only a matter of time. However, given the steadily widening scope and ever-growing capability of generative AI tools, organisations can no longer afford not to exert, at the very least, minimal oversight. “Much like bring-your-own-device [BYOD], gen AI offers massive productivity benefits to businesses, but while our findings reveal that boardroom executives are clearly acknowledging its presence in their organisations, the extent of its use and purpose are shrouded in mystery,” said Kaspersky principal security researcher, David Emm. “Given that GenAI’s rapid evolution is currently showing no signs of abating, the longer these applications operate unchecked, the harder they will become to control and secure across major business functions such as HR, finance, marketing or even IT,” said Emm.
There is a mutual responsibility between employees and employers, so trust and openness are essential. On the one hand, employees must be discerning about the digital tools they employ, understanding the permissions they grant and the third parties that might gain access to their data. They also need to accept that their personal choices can impact the security of the organization too. This requires awareness and a commitment to regular audits of personal digital spaces, ensuring that no unwanted entities are lurking in the shadows. Conversely, organizations bear the responsibility of being forthright about their data practices. Companies that are transparent about the data they access - and, more importantly, why they access it—stand out as beacons of integrity. This transparency extends beyond mere access; it encompasses the entire data lifecycle, from collection to storage, usage, and eventual disposal. By openly communicating these practices, enterprises can foster a culture of trust with their employees – and comply with regulatory standards too.
A fast and reliable way to identify cyber threats is with proactive threat hunting, which utilizes human defenders armed with advanced detection and proactive response technologies and approaches, says Mike Morris, a Deloitte risk and financial advisory managing director via an email interview. “In particular, threat hunting, during which human defenders actively maneuver through their networks and systems to identify indicators of a network attack and preemptively counter these threats, can speed the discovery of cyberattacks.” Yet he warns that for threat hunting to function optimally, it’s necessary that specific, relevant, and accurate intelligence is coupled with automation to identify and mitigate the adversary’s activities. When deploying human-based threat-hunting capabilities, it’s helpful to think about the parallels to physical security leading practices, Morris says. “For example, human security guards, tasked with protecting critical assets, constantly inspect physical infrastructures and maintain the integrity of their responsible spaces by actively patrolling and investigating,” he explains.
Low-quality data can severely impact decision-making and operational efficiency. Inaccurate or incomplete data can lead to flawed strategies, missed opportunities and, ultimately, financial losses. A sales team relying on outdated customer information could waste time on leads that have already been converted or are no longer relevant, losing sales opportunities and revenue. Similarly, a marketing team using incorrect customer segmentation data could end up targeting the wrong audience, wasting advertising budget and missing revenue targets. Scenarios like these show the tangible impact of data quality issues on an organization's bottom line. ... Data breaches can have devastating financial consequences for organizations. The direct costs include legal fees, fines and customer compensation, which can run into millions of dollars. Indirect costs, such as reputational damage and loss of business, can be even more damaging in the long run.
Change management isn’t any different for Zero Trust than it is for any other big initiative. But most of us aren’t very good at change management. And security and cybersecurity are not sexy. And most people want their security to be minimally invasive and as unnoticeable as possible. And most leaders get no top-line/bottom-line joy from spending money on Zero Trust initiatives. And Zero Trust doesn’t drop new features and functionality for a product at the end of a sprint. ... Three key areas you can focus on as you get started:
Get leadership engaged – If the culture of your organization is driven by urgency, craft a message and plan that leverages urgency. If the culture is driven through aspiration, use aspirational vision and goals. Either way, get leadership on board to deliver the message.
Create a communications strategy – The strategy must include the rhythm and mode of communications, as well as the context and content of the communications for leadership and sponsors, leads and key centralized players, local mavens, and users. Persuasive communication is what the marketing team does well. Get them involved.