Your car is listening to you, CISA releases AI guidance, security assessments during M&A
By John Bruggeman , virtual Chief Information Security Officer
Your car is listening to you when you connect your phone.
Your new car is listening to your phone calls and recording your text messages, and the U.S. federal courts have ruled that this is legal. I recently experienced the effect of this legal ruling when my Ford mobile app updated this past week, and it had a new disclaimer that said very clearly that Ford is recording me when I use the app.
In a recent U.S. federal court decision, a judge in the Ninth Circuit refused to bring back class-action status for a case in Washington state. The judge ruled that the recording of text messages and calls does not meet the threshold of an illegal privacy violation in the state of Washington.
Car manufacturers are, of course, selling your texts and call logs to advertisers as a way to generate revenue.
While I can't say I am surprised that federal courts sided with the big three car companies, I am disappointed. Personal privacy is not protected here in North America. That is not true in the European Union, where data privacy is much more tightly regulated.
What can be done to prevent this?
Not much, though it never hurts to contact your provincial and federal legislators and ask them where they stand on data privacy laws.
What to do?
Remember to read those disclaimers when you connect your phone to your car so that you know what rights you are giving up.
To learn more about this case you can read this story .
CISA and NCSC release AI guidance
For those looking into developing AI tools for your company or organization, the Cybersecurity Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) released joint guidelines for Secure AI System Development on November 26.
The guidelines are easy to read and understand, and describe the right way to develop or implement AI in your environment securely. The focus is on developers of AI platforms (think OpenAI, Microsoft, Google, etc.), but it is a short enough read that most every CIO and CISO should read them as well.
There are only four guidelines:
1. Secure Design
2. Secure Development
3. Secure Deployment
4. Secure Operation and Maintenance
But there is a lot behind each one of these bullet points.
In the Secure Design section, they accurately point out that you should model threats to your system. That is key to knowing how your AI tool can be manipulated.
In the Secure Development section, they call out managing your technical debt, which is a doozy. Virtually every company I have helped has technical debt, ranging from barely manageable to massive, crushing debt. It is a key call-out, but not an easy one to fix.
领英推荐
In the Secure Deployment section, they point out that you need incident management procedures, which should be a no-brainer these days. However, sadly, many companies still do not have an incident response plan for cybersecurity incidents, including ransomware.
The Secure Operation and Maintenance section states that you need to monitor your system's input. This also seems fairly obvious, but in the rush to deploy a new, hot, sexy tool, the obvious can often be assumed or overlooked.
I highly recommend technology leaders take the time to read the guidelines and incorporate them into their AI strategy.
What to do?
Check with your department leaders and ask them if they are adding AI to their environment. They probably are, but not in a strategic way.
Let them know OnX can help them safely and securely deploy AI in their environment by consulting with them on their AI strategy.
Here is a link to the CISA website with the information and guide.
Security assessments during mergers and acquisitions
Good cybersecurity starts with finding out where you are now in terms of your cybersecurity program (the tools, policies, procedures, and people).
Just like when you ask your daughter or son, “How was school today?” the CIO or CEO should be asking questions like, “How is our cybersecurity today?”
And just like you are not satisfied with little Aaron or Jacqueline saying, “It was ok,” the CIO or CEO isn’t going to be happy with hearing, “It’s fine,” from the cybersecurity team.
The CIO or CEO wants a grade or a scorecard for how things are going in relation to protecting the computers, the network, and the data from criminals and other threat actors.
But how can you get graded on your cybersecurity program?
With a security program assessment!
The importance of security assessments and penetration testing is well established, just not as cool as a new piece of hardware or software tool.
This importance is even greater when a company is going through a merger or acquisition. If a company like General Motors is going to acquire a smaller company, GM needs to assess the security posture of the smaller company. It’s just good business practice.
Thankfully, we at OnX Canada do that. We have a team dedicated to security program assessments and can help companies safely and securely merge or acquire other businesses.
What to do?
Have you had a security program assessment done recently? If you haven’t had an assessment done within the last 2–3 years, you are due for a check-up.
Security assessments are cost-effective, relatively short-term engagements (think 3-4 weeks), and provide a documented roadmap for you on ways to improve your cybersecurity program over the next three years.
The roadmap includes hardware and software solutions that can be implemented with our help and provides a way to check in on a quarterly or semi-annual basis to see how you are doing.
You can read an article about the value of a security assessment during M&A activity here .
About the author
John Bruggeman is a veteran technologist, CTO, and CISO with nearly 30 years of experience building and running enterprise IT and shepherding information security programs toward maturity. He helps companies, boards, and C-level committees improve and develop their cybersecurity programs, create risk registers, and implement compliance controls using industry-standard frameworks like CIS, NIST, and ISO