Articles about Security

Six steps to protecting data in financial services companies


There is no shortage of news headlines about companies falling victim to cyber breaches and the astounding costs associated with them. According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was $4.45 million, a 15 percent increase since 2020. For the financial services industry, the cost is even higher at $5.9 million per breach; that is 28 percent above the global average. 

In addition to the higher price tag associated with a cyber breach, companies within the financial industry must also adhere to evolving compliance regulations that dictate how they respond to an attack and where they must invest to reduce the total risk.


A technical overview of Cisco IoT part 3: Security essentials & industrial applications

Following the second installment of this Cisco IoT series regarding IoT networking and security supported by Cisco's innovative hardware offerings, this next discussion explores related key topics that are essential for understanding and implementing IoT solutions effectively.

This comprehensive overview will cover critical aspects such as IoT security, operational technology visibility, and industry-specific use cases. By examining these elements, readers will gain a clearer picture of how Cisco's advanced IoT solutions can enhance security, improve operational efficiency, and drive business innovation across various sectors.


Source code: The source of truth for securing the API attack surface 

Most organizations find themselves in the midst of their API security journey, racing to keep pace with expanding API ecosystems in a colossal threat landscape. As a core enabler of modern applications, facilitating seamless connectivity and powering mobile and web applications, APIs are everywhere. The DevOps revolution has completely transformed the pace of development: developers can now design and build APIs faster than a security team can match.

Large enterprises are operating with tens of thousands of APIs, and even small organizations have a surprising number, both internal and external. With applications and API portfolios becoming increasingly complex, maintaining a comprehensive understanding of all existing APIs has emerged as a significant hurdle. As APIs can quickly become obscured or forgotten, many organizations lack accurate context into the sheer scale and volume of APIs that persist across their infrastructure -- and so lack a full picture of their attack surface. As one cannot secure what one cannot see, the absence of discovery mechanisms opens organizations to a host of security risks. That is why API discovery is now a crucial process for security teams, designed to identify, catalog, and assess APIs.


Resurrecting Internet Explorer -- the nasty threat impacting potentially millions of Windows 10 and 11 users

Check Point Research (CPR) has identified a critical zero-day spoofing attack exploiting Microsoft Internet Explorer on modern Windows 10/11 systems, despite the browser's retirement.

Identified as CVE-2024-38112, this vulnerability allows attackers to execute remote code by tricking users into opening malicious Internet Shortcut (.url) files. This attack method has been active for over a year and could potentially impact millions.


Six ways to future-proof your CMS, while elevating your tech teams

In today’s competitive business environment, delivering dynamic experiences across multiple digital channels is becoming increasingly important. In the past, a traditional monolithic CMS was the go-to solution for managing website content in bulk, offering a comprehensive approach with integrated front-end and back-end functionalities.

However, as the importance of web channels for media distribution grew, developers within larger enterprises recognized the limitations of monolithic solutions in managing complex, structured content or delivering unique frontend capabilities. This led to the rise of custom, internal CMS solutions. Performance and extensive customization were possible, but at huge engineering cost and under time pressure to plan, develop, and maintain these systems.


Get 'Cyber Intelligence-Driven Risk' (worth $27) for FREE

Cyber Intelligence-Driven Risk provides a solution to one of the most pressing issues that executives and risk managers face: How can we weave information security into our business decisions to minimize overall business risk?

In today's complex digital landscape, business decisions and cyber event responses have implications for information security that high-level actors may be unable to foresee. What we need is a cybersecurity command center capable of delivering, not just data, but concise, meaningful interpretations that allow us to make informed decisions.


How the rush to regulate AI could bring new cyber security challenges


Since the arrival of generative AI, its potential to increase challenges associated with privacy and cyber security has become a major concern. As a result, government bodies and industry experts are hotly debating how to regulate the AI industry.

So, where are we heading and how is the crossover between AI and cyber security likely to play out? Looking at the lessons learnt from previous efforts to regulate the cyber security market over the past few decades, achieving anything similar for AI is a daunting prospect. However, change is essential if we are to create a regulatory framework that guards against AI's negative potential without also blocking the positive uses that AI is already delivering.


Why AI is essential to securing software and data supply chains

Supply-chain vulnerabilities loom large on the cybersecurity landscape, with threats and attacks such as SolarWinds, 3CX, Log4Shell and now XZ Utils underscoring the potentially devastating impact of these security breaches. The latter examples are attacks on Open Source Software (OSS), a growing attack vector. In fact, nearly three-quarters (74 percent) of UK software supply chains have faced cyber attacks within the last twelve months.

Expect attacks on the open source software supply chain to accelerate, with attackers automating attacks in common open source software projects and package managers. Many CISOs and DevSecOps teams are unprepared to implement controls in their existing build systems to mitigate these threats. In 2024, DevSecOps teams will migrate away from shift-left security models in favor of “shifting down” by using AI to automate security out of the developers’ workflows.


From application to zero trust: Identity security fundamentals to stay ahead of the threat landscape

Cybercriminals are not new, and often neither are their tactics. Despite this, phishing attacks, which incorporate social engineering in emails and messages to persuade people to perform an action that puts organizations at risk, continue to be highly successful. New technologies, such as GenAI, are improving these tactics further and companies must implement a strategic approach built on a solid foundation of identity security to minimize risks.

The most glaring vulnerability within an organization stems from human error. Mistakes such as using weak passwords, reusing credentials across multiple platforms, or falling victim to phishing attacks can provide malicious actors with an easy gateway into secure systems. Social engineering exploits the natural human inclination to trust, deceiving employees into divulging sensitive information or unwittingly granting access. Despite widespread awareness campaigns, these tactics continue to succeed, highlighting the gap between knowledge and practice, which presents a major risk to organizations.


DORA: A blueprint for cyber resilience in the U.S.

In today’s post-pandemic world, businesses are looking to shift back into the office while leveraging the learnings from the pandemic. Digital operations are going to be the new normal. With business innovations increasingly helping enterprises provide faster and easier-to-consume services to customers, the digital way of business is continuously creating a much larger digital footprint than ever before.

However, a continuously increasing digital footprint also means that the possible targets of cyberattacks are increasing equally rapidly. What is interesting to note is that while investments in cybersecurity are increasing, so are cyberattacks. According to CrowdStrike, attackers are moving faster within enterprises after an initial breach, with the average time it takes to hit patient 1 after patient 0 (the typical indicator of lateral movement) falling from 84 minutes to 62 minutes in the last year. Unfortunately, while many enterprises are continuing to invest in cyber security, far fewer invest in cyber defense, yet everyone wants the assurance of cyber resilience.


Balancing Large Language Model adoption with robust API security

The popularity of Large Language Models (LLMs) has prompted an unprecedented wave of interest and experimentation in AI and machine learning solutions. Far from simply using popular LLMs for sporadic background research and writing assistance, LLMs have now matured to the degree where particular solutions are being used within specific workflows to solve genuine business problems.

Industries such as retail, education, technology, and manufacturing are using LLMs to create innovative business solutions, delivering the required tools to automate complex processes, enhance customer experiences, and obtain actionable insights from large datasets.


Your company needs a BEC policy and five other email security trends

Hardly a week goes by without news of another email-based attack via phishing or Business Email Compromise (BEC) scam. These types of attacks can cause a great deal of damage to infrastructure and an organization’s image, whether it is a large enterprise, a small-medium business (SMB) or even much smaller retailers. The FBI (Federal Bureau of Investigation) reports that the average financial loss per BEC attack is $125,000 and last year estimated the Business Email fraud industry to be valued at a whopping $50 billion.

These attacks are increasingly creative, and typically involve impersonation of someone such as the head of an organization or finance. If someone responds on behalf of the executive, they could unknowingly give away the keys to the kingdom, causing significant losses. With that in mind, let’s review some of the larger email security trends.


Is over-focusing on privacy hampering the push to take full advantage of AI? 

In 2006, British mathematician Clive Humby declared that data is the new oil -- and so could be the fuel source for a new, data-driven Industrial Revolution. 

Given that he and his wife helped Tesco make £90m from its first attempt at a Clubcard, he should know. And it looks like the “derricks” out there are actually pumping that informational black gold up to the surface: the global big data analytics market is predicted to be more than $745bn by 2030 -- and while it may not be the most dependable metric, Big Tech is throwing billions at AI at a rate described as “some of the largest infusions of cash in a specific technology in Silicon Valley history”. 


The double-edged sword of AI in cybersecurity


As artificial intelligence (AI) continues to advance, its impact on cybersecurity grows more significant. AI is an incredibly powerful tool in the hands of both cyber attackers and defenders, playing a pivotal role in the evolving landscape of digital threats and security defense mechanisms. The technology has seen use both by attackers to conduct cyber attacks, and defenders to deter and counter threats.

The incorporation of AI into malicious social engineering campaigns creates a new era where cyber threat actors are more convincingly deceptive. With access to a vast amount of data, cyber threat actors can increase the success and effectiveness of large-scale phishing campaigns, or use that data to spread disinformation online.


Apple commits to at least five years of security updates for iPhones


In order to comply with the Product Security and Telecommunications Infrastructure (PSTI) Act in the UK, Apple says it will provide security updates for iPhones for a minimum of five years.

While Apple has not previously abandoned iPhone users and left them with insecure devices -- in fact, the company has been known to release updates for very old handsets in extraordinary circumstances -- it has never previously committed to any particular period of support.

