BetaNews Staff

The human element -- cybersecurity's greatest challenge

The stark reality of cybersecurity today isn't merely a question of advanced software or strategic counterattacks. It's about people.

The financial impact is undeniable, with cybercrime costs projected to reach an astonishing $10.5 trillion annually by 2025. Yet beneath these figures lies a more pressing issue: the exploitation of human psychology.

People, process, technology: How to shift security testing left successfully

The benefits of shift-left security are clear. It puts security testing in the hands of the engineers who write the code, enabling vulnerability fixes to occur before software hits production. This gives the engineers fixing the code faster feedback loops on the vulnerabilities found, shortens time to feature delivery, and fosters cohesive teamwork between security and development teams. With all the benefits that come with shifting API and web application security left, it’s no wonder that 57 percent of security team members have either already shifted their security strategy left or are planning to do so this year, according to a GitLab survey.

So, how do organizations implement a shift-left security strategy successfully? The answer lies in the popular three-legged stool analogy: assessing the process, people, and technology behind this major organizational change, and how they all can work together interdependently.

4 best practices in cloud security to strengthen national defense in the automation age

In the era of digital transformation, national security faces complex and multifaceted challenges. To address these challenges, the Department of Defense (DOD) is taking a vigilant approach to fortify the security of cloud infrastructure.

This approach seamlessly aligns with overarching national cybersecurity initiatives, which are focused on countering a multitude of emerging threats in the age of automation. Collaboratively, the DOD and other government agencies are dedicated to strengthening the ever-evolving cloud ecosystem, while navigating an increasingly intricate threat landscape.

The role experience plays in risk mitigation

Without intending to be trite, there is a very important role that experience plays in the mitigation of risk. Experience comes into play when you are tasked with prioritizing risks. If you have zero experience in cybersecurity risk management, two critical vulnerabilities have equal weight and importance. But not all critical vulnerabilities can or will be weaponized and exploited. And not all critical vulnerabilities will result in a breach or security incident. This is the difference between a priori (independent from any experience) vs a posteriori (dependent on empirical evidence) vulnerability management.

To be effective at mitigating risk, we need to find ways to make intelligent use of experience in running infosec programs. We need to use not just our own experience, but also the experience of others. This is a form of collective resilience that is crucial to defending against nation states, organized crime and, like it or not, bored teenagers attacking and breaching companies just for the lulz like LAPSUS$. This piece aims to help identify some ways in which we can better prioritize our efforts.

OpenAI's big announcement: Why enterprises should pay attention

OpenAI held its first dev day conference last week, and announcements there made huge waves in technology and startup circles. But it’s enterprises that should be paying attention, and here’s why:

OpenAI made significant improvements to ChatGPT -- ones that address critical flaws that made it unsuitable for enterprise use cases because the results were inaccurate, non-credible and untrustworthy. What’s changed is that OpenAI has integrated retrieval augmented generation (RAG) into ChatGPT.

APIs -- The hidden cause of data breaches

APIs are unseen. They are not typically a technology that end users interact with directly and are somewhat hidden from their day-to-day activities. Therefore, user understanding of API vulnerabilities and the impact an API security incident could have, when it comes to data breaches, is often lacking.

While data breaches are big news, what regularly isn’t reported is the way in which some of these incidents happen. But the reality is that for many data breaches, the weak links, more often than not, are APIs and improper security around those APIs.

ChatGPT one year on: Why IT departments are scrambling to keep up

We’re nearly one year on since ChatGPT burst onto the scene. In a technology world full of hype, this has been truly disruptive and permanently changed the way we work. It has also left IT departments scrambling to keep up – what are the risks of using AI? Can I trust the apps with my data?

Should we ban it altogether, or wait and see? But if we ban it, is there a risk of being left behind as other companies innovate?

Understanding LLMs, privacy and security -- why a secure gateway approach is needed

Over the past year, we have seen generative AI and large language models (LLMs) go from a niche area of AI research into being one of the fastest growing areas of technology. Across the globe, around $200 billion is due to be invested in this market according to Goldman Sachs, boosting global labor productivity by one percentage point. That might not sound like much, but it would add up to $7 trillion more in the global economy.

However, while these LLM applications might have potential, there are still problems to solve around privacy and data residency. Currently, employees at organisations can unknowingly share sensitive company data or Personally Identifiable Information (PII) on customers with services like OpenAI. This opens up new security and data privacy risks.

Embracing the future: How AI is transforming security and networking

Network management and security should go hand in hand. However, making these services work has become more complicated and riskier due to the growth of the public cloud, the use of software applications, and the need to integrate different solutions together.

This complex network security domain requires more skilled cybersecurity professionals. But as this need becomes obvious, so does the glaring skills gap. In the UK, half of all businesses face a fundamental shortfall in cybersecurity skills, and 30 percent grapple with more complex, advanced cybersecurity expertise deficiencies.

The eight common weaknesses of IT security

Every organization in the 21st century understands that keeping proprietary data safe is crucial to its success. However, while business leaders tend to believe their current security products and policies are truly secure, breaches continue to climb. It is clear that despite an ever-increasing number of companies maintaining formalized security programs and annually increasing security budgets, there are gaps that continue to go unnoticed and unaddressed.

Through hundreds of assessments and breach analyses, we have concluded there are eight common weaknesses that most commonly enable threat actors to penetrate organizations’ security armor, move through networks to elevate privileges, and ultimately allow them to compromise defenses. These weaknesses are continuously probed by threat actors, and while they may seem secure at deployment, they often are not; and even if initially secure, they frequently become obsolete due to missed updates, upgrades, changes to the enterprise environment, and evolving threat tactics. A frequent misconception is that security products and processes can be set and then forgotten; but since threat actors’ tactics evolve at an alarming pace, security controls must also be continually adjusted to ensure that organizations’ security armor continues to envelop and protect. In the absence of continuous evolution, the armor and its contents become vulnerable and, often, more at risk due to a false sense of security.

Navigating the complex role of the CISO under SEC disclosure rules

I’ve led security functions and established cybersecurity board reporting processes for over 25 years. The relationship between CEOs and CISOs has always held contradictions, and the decisions around when to disclose a breach have always been hard. But the recent developments involving the SEC and SolarWinds are a regulatory game-changer for the CISO community. Still, I think we’ll all ultimately come out OK from this if we behave ethically.

New ethical lines are being drawn very quickly and publicly as teams figure out the lines between good judgment and fraud. I have no intention of moralizing here about the SEC’s allegations against SolarWinds and their CISO. Rather, I’d like to shine a light on the underlying principles of disclosure that have served as my own ethical compass, and which I think remain unchanged.

Evolving change management to software value realization

Most digital transformations fail. As a global entrepreneur and former software implementation consultant for Fortune 500 companies, I know that a digital initiative doesn’t end after a platform goes live. Digital change has a huge impact on our employees, who interact with about 13 applications 30 times per day to be successful in their jobs.

When trying to get employees to embrace new technology and tools, leaders say their biggest challenge is hard-to-use applications with a high learning curve (68 percent). It is, therefore, not surprising that many employees’ responses to digital transformation follow a process similar to the Kübler-Ross Stages of Grief. In the context of software adoption, we can think of this in terms of the associated Kübler-Ross Change Curve.

GenAI and its hallucinations: A guide for developers and security teams

With the rapid proliferation of Generative AI (GenAI), developers are increasingly integrating tools like ChatGPT, Copilot, Bard, and Claude into their workflows. According to OpenAI, over 80 percent of Fortune 500 companies are already using GenAI tools to some extent, whilst a separate report shows that 83 percent of developers are using AI tools to speed up coding.

However, this enthusiasm for GenAI needs to be balanced with a note of caution, as it also brings a wave of security challenges that are easily overlooked. For many organizations, the rapid adoption of these tools has outpaced the enterprise's understanding of their inherent security vulnerabilities. The usual reaction is a set of blanket blocking policies; Italy, for example, at one point this year completely blocked usage of GPT, which is never the answer.

This misalignment could not only compromise an organization’s data integrity but also impact its overall cyber resilience. So, how should AppSec teams, developers, and business leaders respond to the security challenges that accompany the widespread use of GenAI?

To fix BI, build it into your applications

Business intelligence (BI) was once heralded as a technology that would democratize data, enabling everyone to become more productive and make better decisions. Today, though, analysts in the BI space like to share the same (and possibly apocryphal) statistic: The global business intelligence adoption rate is only 26 percent.

If only 26 percent of potential users ever access BI, something is broken. Why is access so poor? What can developers and engineers do to make BI achieve its full potential?

The evolving challenge of insider threats

Modern security teams need a 360-degree perspective if they are to successfully deal with all the risks they face. As well as protecting networks and data from external threat actors, organizations must also look at the risks posed by insiders -- a major security problem that brings a unique set of challenges.

Indeed, the issues associated with insider threats are growing to near ubiquitous levels. According to recent industry research, three-quarters of organizations say insider attacks have become more frequent, with more than half experiencing an insider threat in the last year. A major part of the challenge is identifying where the threats are coming from, given that employees and contractors already have varying levels of permitted access to systems. While the motivation for insiders can be malicious, employee errors can also result in hugely damaging security breaches.

© 1998-2024 BetaNews, Inc. All Rights Reserved.