Information Week

The Importance of Empowering CFOs Against Cyber Threats

COMMENTARY

Cybersecurity has spurred many changes in the past five years, from the technology and tools needed to protect an organization from cyberattackers to the skill sets required by IT professionals. The consistent and ongoing ripple effect has also influenced organizational roles and responsibilities. Arguably, one of the most dramatic shifts has been in the role of the chief financial officer (CFO).

Today’s CFOs must be collaborative leaders, willing to embrace an expanding role that includes protecting critical assets and securing the bottom line. To do this, CFOs must work closely with chief information security officers (CISOs), given the sophistication and financial impact of cyberattacks. Financial professionals understand data flows and financial processes, while security professionals know the latest cyber threats and the best practices to combat them. Combining this expertise results in more informed technical investments, faster detection of anomalies, and stronger overall cybersecurity measures.

This enhanced approach is critical as payments and unsuspecting financial professionals increasingly become the targets of cyberattacks. Both are prime targets because of the volume of money and transactions they process, often manually, leaving organizations even more vulnerable to phishing schemes that can go undetected for months. Collaboration between finance and security departments is crucial to threat detection, maintaining compliance, addressing third-party risks, and providing companywide cybersecurity education and training.

The Impact of a Security Breach

The increasing financial impact of a cyberattack alone mandates CFO involvement in cybersecurity matters. According to IBM’s “Cost of a Data Breach Report 2024,” the global average cost of a data breach reached $4.88 million in 2024, a 10% increase over the previous year. This substantial financial risk underscores why CFOs must now consider cybersecurity a primary concern for an organization’s economic health.

CFOs are uniquely positioned to understand the potential financial devastation from cyber incidents. The costs associated with a breach extend beyond immediate financial losses to longer-term repercussions such as reputational damage, legal liabilities, and regulatory fines. CFOs must measure and consider these potential financial impacts when participating in incident response planning.

Compliance Requires Protection

The regulatory landscape for CFOs has evolved significantly beyond Sarbanes-Oxley. The Securities and Exchange Commission’s (SEC’s) rules on cybersecurity risk management, strategy, governance, and incident disclosure have become a primary concern for CFOs and reflect the growing recognition of cybersecurity as a critical financial and operational risk.

The SEC’s cybersecurity rules require public companies to disclose material cybersecurity incidents within four business days and to provide periodic updates on their cybersecurity risk management, strategy, and governance. This places significant responsibilities on CFOs, who must ensure timely disclosure of cyber incidents and help develop and implement risk management strategies. As a result, CFOs must work closely with CISOs, board members, and executives to establish effective cybersecurity governance and provide detailed reporting on the company’s cybersecurity posture and incident response capabilities.

CFOs must also navigate other cybersecurity regulations, such as the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA), and similar state-level regulations, and adhere to industry-specific regulations like the Health Insurance Portability and Accountability Act (HIPAA). These regulations carry significant financial penalties for noncompliance, further emphasizing the critical role CFOs play in managing cyber-risks. As a result, CFOs must now be well-versed in cybersecurity best practices, incident response protocols, and the evolving regulatory landscape to protect their organizations’ financial interests and maintain compliance effectively.

Collaboration and Allocation

Adding to the complexity, the CFO is now a cross-functional collaborator who must work closely with IT, legal, and other departments to prioritize cyber initiatives and investments. They must also work with the CISO and chief information officer (CIO) to educate the CEO and the board on cybersecurity matters and, at times, communicate broadly with employees, customers, partners, and investors.

CFOs need to consider the corporate strategy and broader business decisions as they help determine the company’s approach to, and investment in, cybersecurity tools and technologies. This level of decision-making requires CFOs to understand the cyber landscape, threats and trends, and viable investment strategies. This expanded role requires CFOs to help their organizations build resilience against cyber threats while ensuring that security measures are cost-effective and aligned with overall business strategy.

How CFOs Can Succeed

Working closely with CISOs, CFOs can become key players in protecting their organizations’ critical assets and ensuring long-term financial stability. To succeed in this new landscape, CFOs must foster strong partnerships with CIOs and CISOs, develop a deep understanding of cybersecurity risks and technologies, and integrate cybersecurity considerations into all aspects of financial planning and risk management. Doing so can help organizations build resilience against cyber threats while supporting broader business objectives and growth strategies.

What Developers Should Know About Embedded AI

Where would the world be without APIs? It would likely be a lot less connected, and software releases would flow like molasses. Developers use APIs to add capabilities to their apps quickly, though the grab-and-go approach is unwise when it comes to AI.

“While many developers are proficient in embedding AI into applications, the challenge lies in fully understanding the nuances of AI development, which is vastly different from traditional software development,” says Chris Brown, president of professional services company Intelygenz. “AI is not just another technical component. It’s a transformative tool for solving complex business challenges.”

Jason Wingate, CEO of Emerald Ocean, a technology and business solutions company focused on product innovation, brand development and strategic distribution, also believes that while APIs make embedding AI seem as simple as calling a function, many developers do not understand how models work and their risks.

“Several major companies in 2023 and early 2024 had their chatbots compromised through prompt injection. Users sent prompts like ‘Ignore previous instructions’ or ‘Forget you are a customer service bot,’ causing the AI to reveal sensitive information,” says Wingate. “This happened because developers didn’t implement proper guardrails against prompt injection attacks. While much of this has been addressed, it showcases how unprepared developers were in using AI via APIs.”

Timothy E. Bates, professor of practice at the University of Michigan and former Lenovo CTO, also warns that most developers don’t fully grasp the complexities of AI when they embed it using APIs.

“They treat it as a ‘plug-and-play’ tool without understanding the intricacies of the underlying models, such as data bias, ethical implications and dynamic updates by AI providers. I’ve seen this firsthand, especially when advising organizations where developers inadvertently introduced vulnerabilities or misaligned features by misusing AI,” says Bates.

An organization can also miss opportunities due to a lack of knowledge, which results in poor ROI.

“AI should be tested in sandbox environments before production. [You also need] governance. Establish oversight mechanisms to monitor AI behavior and outcomes,” says Bates. “AI usage should be [transparent] to end users, maintaining trust and avoiding backlash. Combining developers, data scientists and business leaders into cross-functional teams ensures AI aligns with strategic goals.”

Ben Clayton, CEO of forensic audio and video analysis company Media Medic, has also seen evidence of developer struggles firsthand.

“Developers need a solid grasp of the basics of AI — things like data, algorithms, machine learning models, and how they all tie together. If you don’t understand the underlying principles, you could end up using AI tools in ways that might not be optimal for the problem you’re solving,” says Clayton. “For example, if you’re relying on a model without understanding how it was trained, you might be surprised when it doesn’t perform as expected in real-world scenarios.”

Technology Is Only Part of the Picture

A common challenge is viewing AI as a technological solution rather than a strategic enabler.

“Organizations often falter by embedding AI into their operations without clearly defining the business problem it is solving. This can result in misaligned goals, poor adoption rates and systems that fail to deliver ROI,” says Intelygenz’s Brown. “AI implementation must start with a clear business case or IT improvement objective, whether it’s streamlining operations, optimizing network performance, or enhancing customer experience. Without this foundation, AI becomes a costly experiment instead of a transformative solution.”

Gabriel Zessin, software architect at API solution provider Sensedia, agrees.

“In my opinion, although most developers are proficient in API integrations, not all of them understand AI well enough to use it effectively, especially when it comes to embedding AI into their existing applications. It’s important for developers to set the expectations of what can be achieved with AI for each company’s use case alongside the business teams, like product owners and other stakeholders,” says Zessin.

Data

AI feeds on data. If the data quality is bad, AI becomes unreliable.

“[S]ourcing the correct data is often challenging,” says Josep Prat, engineering director of streaming services at AI and data platform company Aiven. “External influences such as data sovereignty and privacy controls affect data harvesting, and many databases are not optimized properly. Understanding how to harvest and optimize data is key to creating effective AI. Additionally, developers need to understand how AI models produce their outputs to use them effectively.”

Probabilistic Versus Deterministic

Traditionally, software developers have been taught that a given input should result in a certain output. However, AI tends to be probabilistic: its outputs are based on the likelihood that something will happen. Deterministic software, on the other hand, assures a given outcome: the same input always yields the same result.

“Instead of a guaranteed answer, [probabilistic] offers confidence levels at about 95%. And keep in mind, what works in one scenario may not work in another. These fundamentals are key to setting realistic expectations and developing AI effectively,” says Sri (Srikanth) Hosakote, chief development officer and co-founder at campus network-as-a-service (NaaS) company Nile. “I find that many organizations successfully adopt AI by working directly with customers to identify pain points and then developing solutions that address those issues.”

Have a Feedback Loop and Test

APIs simplify AI integration, but without understanding the role of feedback loops, developers risk deploying models without mechanisms to catch errors or learn from them. A feedback loop ensures that when the AI output is wrong or inconsistent, it’s flagged, documented, and shared across teams.

“[A feedback loop] prevents repeated use of flawed models, aligns AI performance with user needs and creates a virtuous cycle of improvement,” says Robin Patra, head of data at design-build construction company ARCO Design/Build. “Without such systems, errors may persist unchecked, undermining trust and user experience.”

It’s also wise to involve stakeholders who can provide feedback about the AI outputs, such as whether a prediction is accurate, a recommendation relevant, or a decision fair.

“Feedback isn’t just about a single mistake. It’s about identifying

5 Questions Your Data Protection Vendor Hopes You Don’t Ask

When the Irish health care system (HSE) was hit by a ransomware attack, 80% of its data became corrupted and unusable. In July, the city of Columbus experienced a ransomware attack that disrupted various municipal services, and months later, it is still working toward recovery. Ransomware attacks are becoming more frequent and are causing unprecedented chaos and financial distress. Few organizations have been this transparent following a ransomware attack, but HSE and Columbus are far from alone.

Following ransomware attacks, organizations rely on their data protection solution to recover and restore business operations as quickly as possible. However, instead of providing a timely and confident recovery, the limitations of traditional data protection and storage solutions become exposed, and organizations are left paying the ransom; even then, only 4% get all of their data back (Sophos, State of Ransomware, 2022).

This demonstrates how traditional data protection solutions fail to fully support cyber resiliency, despite having added “cyber” features to their products. Features like immutability, isolation, virus scanning, and multi-factor authentication are often easily integrated. Some vendors even rely on marketing hype, attempting to position themselves as security vendors rather than delivering real value.

Key Questions to Ask About Data Protection

Here are key questions that traditional data protection solutions struggle to answer regarding cyber resiliency:

1. What Was the Impact of the Attack?

Data protection vendors often rely on high-level analysis to detect unusual activity in backups or snapshots. This includes threshold analysis, identifying unusual file changes, or detecting changes in compression rates that may suggest ransomware encryption. These methods are essentially guesses prone to false positives. During a ransomware attack, details matter. Leveraging advanced AI engines to detect patterns indicative of cyberattacks offers more accuracy, reduces false alerts, and provides the critical details of exactly which files and databases were impacted to support smarter recovery.

2. How Can Data Loss Be Minimized?

Organizations snapshot or back up data regularly, at intervals ranging from hourly to daily. When an attack occurs, restoring a snapshot or backup overwrites production data—some of which may have been corrupted by ransomware—with clean data. If only 20% of the data in the backup has been manipulated by bad actors, recovering the full backup or snapshot will overwrite 80% of data that did not need restoration. This will include valuable business information that could be lost forever. Detailed forensic insight into which specific files were impacted is essential to minimizing data loss.

3. Do I Need to Validate Databases Against Ransomware Corruption?

Cybercriminals understand that databases are the backbone of many businesses, making them prime targets for extortion. By corrupting these databases, they can pressure organizations into paying ransoms. Using common variants, such as ransomware that intermittently encrypts data, attackers can disrupt both user files and critical databases. Although some vendors suggest that there’s no need to validate database integrity—arguing that corrupted databases will simply cease to function—this is misleading and will result in significant impact following an attack. Regular validation of production databases, including their content and structure, is essential to ensure cybersecurity resilience and mitigate potential damage.

4. Is the AI Engine Smart Enough?

AI is now a mainstream topic, but understanding how an AI engine is trained is critical to evaluating its effectiveness. When dealing with ransomware, it’s important that the AI is trained on real ransomware variants and how they impact data. If the AI is only trained to look for threshold changes or compression rate fluctuations, cybercriminals can adjust their tactics to bypass detection. Many modern encryption algorithms do not affect compression rates, and certain ransomware variants avoid triggering metadata-based threshold alerts. AI engines must be trained on actual ransomware behaviors and constantly updated with new variants to ensure the accuracy and relevance needed to support smart recovery.

5. Can You Keep Up with Modern Ransomware Variants?

Ransomware evolves quickly, with bad actors introducing new encryption algorithms and altering how files are corrupted. Signature scanning and other methods based on specific indicators of compromise struggle to keep up with these rapid changes. What’s needed is an automated approach that continually tests against the latest ransomware variants and provides a service-level agreement (SLA), ensuring reliability and accuracy in detecting data corruption caused by attacks.

Demand Trustworthy Resilience

Organizations need to demand AI data integrity engines that can accurately detect corruption due to cyberattacks, detailed forensic insights to minimize data loss, regular validation of data at rest to ensure reliability, and continuously updated AI to keep up with evolving ransomware variants. Traditional methods often fail to provide effective cyber resiliency. Challenge “good enough” methods and implement an integrated storage and data protection solution you can trust.

Facing the Specter of Cyber Threats During the Holidays

The flurry of commerce, travel, and other business that escalates with the winter holidays might make for tempting targets for hackers — or perhaps not, in a world already wracked with cyberattacks. Enterprises defend against ransomware and other digital threats throughout the year. Bad actors might choose to focus their attention more on targets of opportunity that are unrelated to the holiday season, though the temptation might be too great for cyber Gremlins and Grinches.

This episode of DOS Won’t Hunt saw a panel composed of David Richardson, vice president of endpoint and threat intelligence for Lookout; Kris Lovejoy, senior vice president for security with Kyndryl; Jake King, head of threat and security intelligence with Elastic; Mikhail Ishkhanov, senior director, product strategy and sales enablement with SOTI; Stephanie “Snow” Carruthers, IBM’s global head of cyber range and chief people hacker with IBM X-Force; and John Paul Cunningham, CISO for Silverfort.

They discussed what is at stake during the holidays, security risks that can arise with undertrained seasonal staff, and why it is not a good idea to have someone caught up in holiday festivities tasked with cyber forensic audits. Mind the champagne.

Listen to the full podcast here.

Cybercriminals and the SEC: What Companies Need to Know

The Securities and Exchange Commission (SEC) is putting a spotlight on security incident reporting. This summer, the SEC announced a rule change that requires certain financial institutions to notify individuals within 30 days of determining that their personal information was compromised in a breach. Larger entities will have 18 months to comply, and enforcement will begin for smaller companies in two years.

This new rule change follows cybersecurity disclosure requirements for public companies that were adopted only a year prior — and implemented on December 18, 2023 for larger companies and June 15, 2024 for smaller reporting companies. These changes are already having an impact on disclosures, even if not in the way the SEC intended.

Under these disclosure requirements, public companies must report cybersecurity incidents within four business days of determining that an incident was “material.” But in mid-November, even before the rules were officially adopted, the AlphV/BlackCat ransomware gang added an early twist to its typical game by notifying the SEC that one of its victims had failed to report the group’s attack within the four-day limit.

This incident raised the sobering possibility that if companies don’t report cyberattacks to the SEC, attackers will do it for them. The action has sparked concerns about the abuse of regulatory processes and worries that the new rules could unintentionally lead to early disclosures, lawsuits, and an increase in attacks.

I’m not convinced threat groups have the upper hand. We must assume the SEC or contractors are monitoring the dark web for info on attacks that impact publicly traded companies. Still, organizations would be wise to strengthen their defenses and prepare for the worst-case scenario.

As Cyberattacks Increase, Identity Is in Spotlight

The SEC’s disclosure rules come as cyberattacks continue to rise in scale and severity, with identity-based attacks at the forefront. Verizon’s 2023 DBIR found that 74% of all breaches involved the human element, while almost a quarter (24%) involved ransomware.

Active Directory (AD) and Entra ID identity systems, used in more than 90% of enterprises worldwide, provide access to mission-critical user accounts, databases, and applications. As the keepers of the “keys to the kingdom,” AD and Entra ID have become primary targets for identity-based attacks.

It’s too early to know whether cybercriminals reporting their attacks to the SEC will become a trend. Regardless, it is critical for organizations to take a proactive approach to identity security. In today’s digital world, identities are necessary to conduct business. But the unfettered access that identity systems can provide attackers presents a critical risk to valuable data and business operations. By taking steps to strengthen their cybersecurity posture, incident response and recovery capabilities, and operational resilience, organizations can help prevent bad actors from infiltrating identity systems.

Protect Active Directory, Build Business Resilience

Securing AD, Entra ID, and Okta is key to identifying and stopping attackers before they can cause damage. AD security should be the core of your cyber-resilience strategy.

Attacks are inevitable, and organizations should adopt an “assume breach” mindset. If AD is taken down by a cyberattack, business operations stop. Excessive downtime can cause irreparable harm to an organization. Henry Schein was forced to take its e-commerce platform offline for weeks after being hit by BlackCat ransomware three times; the company lowered sales expectations for its 2023 fiscal year due to the cybersecurity breach. Having an incident response plan and a tested AD disaster recovery plan in place is vital.

Here are three steps for organizations to strengthen their AD security — before, during, and after a cyberattack.

1. Implement a layered defense. Cyber resilience requires a certain level of redundancy to avoid a single point of failure. The best defense is a layered defense. Look for an identity threat detection and response (ITDR) solution that focuses specifically on protecting the AD identity system.

2. Monitor your hybrid AD. Regular monitoring of the identity attack surface is critical and can help you identify potential vulnerabilities before attackers do. An effective monitoring strategy needs to be specific to AD. Use free community tools like Purple Knight to find risky configurations and vulnerabilities in your organization’s hybrid AD environment.

3. Practice IR and recovery. An incident response (IR) plan is not a list to check off. It should include tabletop exercises that simulate attacks and involve business leaders as well as the security team. Even with a tested AD disaster recovery plan, your organization is still vulnerable to business-crippling cyber incidents. However, IR testing greatly improves your organization’s ability to recover critical systems and data in the event of a breach, decreasing the risk of downtime and data loss.

From my own experience, I know that the key difference between an organization that recovers quickly from an identity-related attack and one that loses valuable time is the ability to orchestrate, automate, and test the recovery process. Here are my tips for a swift incident response:

Having backups is an essential starting point for business recovery. Make sure you have offline/offsite backups that cannot be accessed using the same credentials as the rest of your production network.

The best approach for recovery is “practice makes progress.” A convoluted recovery procedure will delay the return to normal business operations. Verify that you have a well-documented IR procedure that details all aspects of the recovery process — and that the information can be accessed even if the network is down.

Orchestrate and automate as much of the recovery process as possible. Time is the critical factor in recovery success. Automation can make the difference between a recovery that takes days or weeks and one that takes minutes or hours.

The prospect of attackers outing their victims to the SEC underscores the importance of protecting systems in the first place. Organizations need to take the necessary steps, starting with securing their identity system. Whether your organization uses AD, Entra ID, or Okta,

Quantum-Proofing Your IT Systems

Albert Einstein published his groundbreaking “light quantum” paper in 1905, birthing his theory that light consists of tiny energy packets known as photons. This idea — along with findings from Niels Bohr and Max Planck — laid the foundation for quantum physics, a field that is shaping the future of computing today.  What Is Quantum Computing?  Quantum computing aims to tackle problems that traditional computers struggle with — either due to complexity or speed. By leveraging the principles of quantum physics, quantum computers can unlock new possibilities.  Instead of the binary bits (zero or one) used in traditional computing, quantum computers utilize qubits. A qubit can represent both zero and one simultaneously due to a phenomenon called superposition, allowing quantum computers to process multiple possibilities at once. This offers unprecedented efficiency for specific mathematical challenges. While this makes the potential vast, it’s important to note that quantum computers won’t replace everyday computing purposes — like office work, media consumption, or gaming. Instead, they excel in niche areas such as solving specific mathematical problems and simulating quantum states, which is important for research on quantum physics.   Related:Facing the Specter of Cyber Threats During the Holidays And we’ve come a long way — quantum computing has started to revolutionize various industrial sectors and leading organizations, from Google to IBM, along with research institutions and startups, are making significant strides in the field.   And while exciting, these developments might also enable them to decode encryption methods that are hard to break using currently available computing clusters.   Is Quantum Computing a Threat to Cybersecurity?  As quantum technology progresses, one major area of concern is looming: cybersecurity. Could quantum computers crack the encryption systems we rely on today?   Luckily, the short answer is not yet. 
Still, the potential threat is real, with McKinsey citing that capable quantum systems could be ready by 2030.  Though functional quantum computers already exist — and some companies even provide access to them, today’s quantum computers are still limited, with the most powerful systems containing only around 1,200 qubits.   This limited number of qubits is not yet enough to solve problems that are too complex for existing computers or super computers. In fact, experts predict that breaking the most secure encryption methods would require a quantum computer with 20 million qubits — a benchmark that still gives us time to prepare.  Related:Forrester Panel: Government Cybersecurity Leaders Discuss Next Steps for Zero Trust However, with each advancement, the power of quantum computing inches closer to the point where it could potentially unravel protections that currently safeguard everything from personal data to state secrets.   Can We Quantum-Proof Our Future?  Preparing for a quantum future means rethinking our encryption methods.   There are mathematical problems that are just as difficult for quantum computers to solve, and cryptography experts are currently building schemes based on these problems. This type of encryption is called post-quantum cryptography (PQC).  However, we can also make the encryption methods we use today quantum resistant. For instance, a method called RSA encrypts a large portion of internet traffic. It uses prime factors which are hard for traditional computers to compute.   Today’s encryption algorithms — like RSA — rely on the difficulty of factoring large prime numbers. While that is a challenge for classical computers, it’s much easier for quantum systems. Before quantum computers become powerful enough, organizations must pivot to quantum-resistant algorithms.  One solution lies in increasing the number of bits. 
For instance, RSA encryption using 2048-bits is currently safe, but doubling it could make decryption — even for quantum computers much more complex. Other encryption schemes may require similar adjustments to stay ahead of the quantum threat.  Related:Ransomware Attack on Rhode Island Highlights Risk to Government Some actors are already storing encrypted data with the intent to decrypt it in the future when quantum computers are more powerful — a tactic known as “harvest now, decrypt later.”  The data they’re storing might be old by then, but it can still be critical. Think of intelligence services, for example. This makes it essential to transition to post-quantum encryption sooner rather than later.  How do IT Professionals Prepare?   To prepare, IT professionals can start by identifying sensitive data and encryption use across your organization — VPNs, external server access or remote access are key areas to focus on. Determine which cryptographic methods you’re using and explore the implementation of post-quantum standards for the future.  In the coming years, many operating systems and browsers will incorporate quantum-safe cryptographic libraries, making it easier for organizations to adopt post-quantum encryption. It’s crucial to stay updated and ensure your systems are patched and compatible with these new standards.  Be Prepared, But Don’t Forget the Basics   We’ve come a long way since Einstein first published his paper, and quantum-safe encryption is becoming a critical focus for the cybersecurity world. Yet, while the quantum threat is on the horizon, do not neglect the basics. The probability of your network being attacked, due to an outdated system, is still much higher than the threat of quantum computers breaking your encryption. So, for now, the focus should remain on protecting your network from threats present today, while beginning conversations and thinking through a five-year plan that includes PQC.  
And remember, as quantum computing advances, having a robust security foundation today will make it easier to quantum-proof your IT systems tomorrow.
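As an added example (not part of the article and not code from any project it mentions), the following Python script works through the inventory step the article recommends. It takes a constructed list of places where cryptography is in use, separates public-key algorithms that Shor’s algorithm would break from symmetric primitives that Grover’s algorithm only weakens and from components already on NIST’s post-quantum standards, and ranks the findings by the exposure areas the article names (VPN, external server access, remote access) and by whether recorded traffic would still be sensitive after the 2030 horizon it cites. The horizon year, the exposure weights, the algorithm lists and every inventory entry are assumptions chosen for illustration.

```python
"""Triage a cryptographic inventory for post-quantum migration planning.

Added example with constructed data; a real inventory would come from
certificate scans, VPN/TLS configuration reviews and application code review.
"""
from dataclasses import dataclass
from typing import List

# Planning horizon: assumption based on the McKinsey estimate of capable
# quantum systems by 2030 that the article cites.
QUANTUM_HORIZON_YEAR = 2030

# Public-key families whose factoring / discrete-log assumption falls to Shor's algorithm.
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EdDSA"}
# Symmetric ciphers and hashes: Grover's search only halves their effective strength,
# so a larger key (e.g., AES-256 instead of AES-128) is the usual remedy.
GROVER_WEAKENED = {"AES", "ChaCha20", "SHA-256", "SHA-3", "HMAC-SHA256"}
# NIST-standardized PQC algorithms (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA).
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}

# Exposure weights (assumption): the article singles out VPNs, external server
# access and remote access as the areas to focus on first.
EXPOSURE_WEIGHT = {"vpn": 3, "external-tls": 3, "remote-access": 3, "internal": 1}


@dataclass
class CryptoUse:
    asset: str
    algorithm: str
    key_bits: int
    purpose: str               # "key-exchange", "encryption", "signature" or "hash"
    exposure: str              # a key of EXPOSURE_WEIGHT
    data_lifetime_years: int   # how long the protected data stays sensitive
    in_transit: bool           # True if an eavesdropper could record it today


@dataclass
class Finding:
    asset: str
    category: str
    harvest_risk: bool
    priority: int
    action: str


def classify(use: CryptoUse, current_year: int) -> Finding:
    weight = EXPOSURE_WEIGHT.get(use.exposure, 1)
    # "Harvest now, decrypt later" applies to recorded key exchanges and ciphertext
    # whose contents will still matter once a capable quantum computer exists.
    # Signatures are excluded: a future forgery cannot retroactively decrypt old traffic.
    still_secret_past_horizon = current_year + use.data_lifetime_years > QUANTUM_HORIZON_YEAR
    harvestable = use.in_transit and use.purpose != "signature" and still_secret_past_horizon

    if use.algorithm in PQC:
        return Finding(use.asset, "pqc", False, 0, "none: already post-quantum")
    if use.algorithm in SHOR_VULNERABLE:
        priority = weight * (2 if harvestable else 1)
        if use.purpose == "signature":
            action = "plan move to ML-DSA/SLH-DSA once the PKI can issue PQC certificates"
        else:
            action = "migrate key exchange to ML-KEM (hybrid with the classical scheme first)"
        return Finding(use.asset, "quantum-vulnerable", harvestable, priority, action)
    if use.algorithm in GROVER_WEAKENED:
        effective_bits = use.key_bits // 2  # rough Grover estimate
        if effective_bits >= 128:
            return Finding(use.asset, "adequate", False, 0, "none: 256-bit or larger key")
        return Finding(use.asset, "symmetric-upgrade", False, weight,
                       f"raise key size to 256 bits (about {effective_bits} bits under Grover)")
    return Finding(use.asset, "unknown", harvestable, weight, "identify the algorithm before planning")


def triage(inventory: List[CryptoUse], current_year: int) -> List[Finding]:
    """Return findings ordered by priority, highest first; ties broken by asset name."""
    findings = [classify(u, current_year) for u in inventory]
    return sorted(findings, key=lambda f: (-f.priority, f.asset))


# Constructed sample inventory (hypothetical assets, not real systems).
SAMPLE_INVENTORY = [
    CryptoUse("vpn-gateway", "RSA", 2048, "key-exchange", "vpn", 10, True),
    CryptoUse("public-web", "ECDSA", 256, "signature", "external-tls", 1, True),
    CryptoUse("hr-backups", "AES", 128, "encryption", "internal", 7, False),
    CryptoUse("db-at-rest", "AES", 256, "encryption", "internal", 10, False),
    CryptoUse("pilot-tunnel", "ML-KEM", 768, "key-exchange", "vpn", 10, True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, current_year=2025):
        print(f"[{f.priority}] {f.asset:<13} {f.category:<19} harvest_risk={f.harvest_risk}  -> {f.action}")
```

The ordering is the point: an RSA key exchange on a VPN carrying data that stays sensitive for a decade outranks a public web certificate, even though both use Shor-vulnerable algorithms, because only the former can be recorded today and decrypted later. The AES-128 backup entry shows the other half of the article’s advice, where a larger key rather than a new algorithm is the fix.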

Quantum-Proofing Your IT Systems

Ransomware Attack on Rhode Island Highlights Risk to Government

On Dec. 5, a warning from vendor Deloitte alerted the state government of Rhode Island that RIBridges, its online social services portal, was the potential target of a cyberattack. By Dec. 10, Deloitte confirmed the breach. On Dec. 13, Rhode Island instructed Deloitte to shut down the portal due to the presence of malicious code, according to an alert published by the state government.

Brain Cipher, the group claiming responsibility, is threatening to release the sensitive data stolen in the attack, potentially impacting hundreds of thousands of people, according to The New York Times.

State and local government entities, such as RIBridges, are popular targets for ransomware gangs. They are repositories of valuable data, provide essential services, and are often under-resourced. What do we know about this attack so far and the ongoing cyber risks state and local governments face?

The Brain Cipher Attack

RIBridges manages many of Rhode Island’s public benefits programs, such as the Supplemental Nutrition Assistance Program (SNAP), Medicaid, and health insurance purchased on the state’s marketplace. Deloitte manages the system, and Brain Cipher claims to have attacked Deloitte, BleepingComputer reports.

“We are aware of the claims by the threat actor. Our investigation indicates that the allegations relate to a single client’s system, which sits outside of the Deloitte network. No Deloitte systems have been impacted,” according to an emailed statement from Deloitte.

The information involved in the breach could “include names, addresses, dates of birth and Social Security numbers, as well as certain banking information,” according to the RIBridges alert.

Rhode Island Governor Daniel McKee (D) issued a public service announcement urging the state’s residents to protect their personal information in the wake of the breach.
“Based on the information that’s being put out there by the governor about … the steps you can take to minimize the fallout of this, that tells me that they’re unlikely to be paying the ransom,” says Truman Kain, senior product researcher at managed cybersecurity platform Huntress.

Brain Cipher appears to be a relatively new ransomware gang. “We’ve tracked five confirmed attacks so far, including this one. Two others have been on government entities as well: one in Indonesia and one in France,” Rebecca Moody, head of data research at Comparitech, a tech research website, tells InformationWeek.

In June, the ransomware group hit Indonesia’s national data center. It demanded an $8 million ransom, which it ultimately did not receive. In August, it posted Réunion des Musées Nationaux (RMN), a public cultural organization in France, to its data leak site, alleging the theft of 300GB of data, according to Comparitech.

In addition to these confirmed attacks, there are 19 unconfirmed attacks potentially linked to Brain Cipher, according to Moody. It is unclear how much the group may have collected in ransoms thus far.

“It’s always really difficult to know when people have paid because, obviously, if they pay they [threat groups] shouldn’t really add them to the data leak site, and obviously, companies are very reluctant to tell you if they’ve paid a ransom because they think it leaves them open to future attack,” says Moody.

Ransomware Attacks on Government

Government remains a popular target for threat actors. “They are vulnerable because they are a key service for people, and they can’t afford downtime,” says Moody. “It is one of the sectors that we’ve seen a consistently high number of attacks.”

Between 2018 and December 2023, a total of 423 ransomware attacks on US government entities resulted in an estimated $860.3 million in downtime, according to Comparitech.
For 2024, Comparitech tracked 82 ransomware attacks on US government agencies, up from 79 last year.

Of the 270 respondents in the state and local government sector included in The State of Ransomware in State and Local Government 2024 report from Sophos, just 20% paid the initial ransom demand. States such as Florida, North Carolina, and Tennessee have legislation limiting or even prohibiting public entities from paying ransom demands.

That doesn’t necessarily mean threat actors will avoid targeting government entities. Even if a threat group cannot successfully extort a victim, it can still sell stolen data to the highest bidder. “Ransoms are probably higher than what they would get for leaking the data. It depends on how much data is stolen though and the value of that data,” says Moody.

Regardless of whether a government agency pays when hit with ransomware, it still must deal with the disruption and fallout.

While cybersecurity threats to local and state governments are highly publicized, funding continues to be a stumbling block. Just 36% of local IT executives report that they have adequate budget to support cybersecurity initiatives, according to the 2023 Local Government Cybersecurity National Survey from Public Technology Institute.

While budgets may be limited, cybersecurity cannot be ignored, Kain argues.

“I think it’s kind of an excuse for state and local governments to say, ‘Oh, well we just don’t have the budget. So, cybersecurity is an afterthought,’” he says. “Things should really start from a cybersecurity perspective, especially when you’re dealing with sensitive data like this.”

State and local government agencies can focus on cybersecurity basics, like enabling multi-factor authentication, regular security awareness training for staff, and vulnerability patching. “It’s … those key things that don’t necessarily cost a lot,” says Moody.
“Also [be] prepared for the inevitable because no one’s immune to them [attacks].”


Cyber Alignment: Key to Driving Business Growth and Resilience

As the cyber landscape evolves, a holistic approach to cybersecurity will be essential for organizations to effectively navigate risks and align their cyber strategies with overarching business objectives. By integrating cybersecurity into the core of corporate governance, organizations can transform security from a reactive measure into a strategic asset, enhancing resilience, fostering innovation, and maintaining competitive advantage.

In today’s business landscape, incorporating cybersecurity into enterprise risk management is a critical imperative for organizations. As cyber threats evolve, organizations must move beyond viewing cybersecurity as a technical concern and recognize its profound impacts on financial stability, reputation, compliance, and resilience.

This new model requires a fundamental shift in how the C-suite and board of directors approach cybersecurity. Change comes from understanding the criticality of moving away from a focus on technical issues towards more comprehensive, business-aligned strategies that encompass risk for the entire organization.

To effect this shift, leadership should cultivate broader digital competencies and foster a deeper understanding of cybersecurity as part of their overall risk management strategy. Chief information security officers (CISOs) will play a pivotal role in this transformation, aligning efforts more closely with overarching business objectives.

Cybersecurity as a Core Business Function

Cybersecurity conversations should extend far beyond the security team, engaging a broader set of stakeholders, including board members and risk management executives. Nearly 40% of leaders surveyed by the World Economic Forum believe that cyber-attacks represent a paramount global risk. However, most organizations remain mired in Gen 1.0 cyber thinking: that cybersecurity is an IT problem or, worse, that cyber won’t strike.
Change will only come from understanding how threats specifically impact an organization’s business, operations, sustainability, and financial condition. Whether a hospital, bank, insurer, or manufacturing giant, the implications of an incident vary dramatically.

Board Engagement and Competency

Boards are becoming involved in cybersecurity, but many may fear that they lack the necessary digital competencies or may expose themselves to risk. There’s a growing need for boards to include cyber experts who can translate technical risks into business terms and create risk committees to ensure informed decision-making and oversight.

The challenge lies in shifting perspectives from viewing cybersecurity as a costly problem best solved by technical solutions alone, to understanding the cyber domain as an enterprise risk with shared roles and responsibilities. To facilitate this transition, it’s crucial to provide plain business language assessments along with analytics that align investment decisions and help mitigate known risks.

Organizations also need to understand what an optimal insurance or risk transfer structure looks like for their specific entity. This involves stress-testing existing policies across a range of potential cyber incidents.

Finally, directors want cybersecurity exposures presented in terms that resonate with their expertise in business, operations, governance, legal matters, and finance. They also want to know what to do when things go wrong, and how to involve law enforcement.

Addressing Cybersecurity Fatigue

Digital transformation, with all its efficiencies, is juxtaposed against the seemingly unending battle against cybercrime, leaving many boards questioning how to effectively address the dynamic. To overcome fatigue and pessimism, transparent and effective communication is essential.
Premortems and tabletop exercises (TTXs) are both valuable, low-cost security exercises for boards and leaders. The key is to present concrete scenarios that illustrate the potential impact of cyber events on the business. For instance, demonstrating how a two-week ransomware outage could result in a $200 million write-down can help the board and CFO understand the stakes involved.

With budgets always top of mind, it is crucial to allocate cybersecurity capital wisely. Shifting away from conceiving cybersecurity as a cost center to viewing it as part of the long-term capital budget is a worthwhile conversation for organizations to consider.

Ultimately, the business must decide on its risk tolerance, ideally elevating this decision to the board level. Presenting the facts, including potential losses, mitigation strategies, and costs, allows boards to make informed decisions about acceptable risks and ROI.

CISO Evolution and Future of Cyber Risk Governance

As the role of a CISO expands beyond technical expertise, there’s a growing need for a new breed of digital risk leaders who can bridge the gap between cybersecurity and wider business objectives. Organizations are exploring innovative governance structures, such as creating a chief digital risk officer role to oversee a broader portfolio of digital exposures.

Looking ahead, integrating cybersecurity into enterprise risk management will entail a multi-faceted approach. This includes developing risk committees to address complementary domains like supply chain and technology risks, while leveraging changing frameworks like NIST CSF 2.0, the SEC’s cyber rules, and regulations like the EU’s AI Act, NIS2, and DORA.

A Framework for Board Engagement

Effective cybersecurity governance at the board level rests on three pillars: substance, frequency, and structure.
The information presented must align cyber risks with tangible business exposures, moving beyond technical jargon. The frequency of discussions should be calibrated to ensure timely oversight without overwhelming the board’s agenda. Finally, determining the appropriate committee structure is crucial for fostering in-depth and relevant discussions.


Forrester Panel: Government Cybersecurity Leaders Discuss Next Steps for Zero Trust

The recent Forrester Security & Risk Summit in Baltimore featured government cybersecurity officials discussing a newly published guide on zero trust and evaluating the next steps for the security model.

In fact, Forrester is known for introducing the zero-trust security model back in 2009. The motto “never trust, always verify” suggests a least-privilege approach. Former Forrester analyst John Kindervag, now chief evangelist at Illumio, was an initial champion of zero trust.

In a Dec. 10 panel, cybersecurity leaders discussed “Navigating the Federal Zero Trust Data Security Guide,” which the federal CISO and CDO Councils published on Oct. 31. The guide, developed by 70 people from more than 30 federal agencies and departments, offers a breakdown of how government agencies and organizations should think about data risks. The goal is to provide a practical guide on how to implement zero trust.

A Holistic View of Data and Security

During the session, Steven Hernandez, CISO at the US Department of Education and co-chair of the US federal CISO Council, discussed how the guide could teach federal and private cybersecurity professionals to think from both a zero-trust and a data perspective.

“It’s interesting because we talk about how to harness data, so we use a lot of behavioral analytics and logs from our systems, etc.,” Hernandez told the audience. “That’s one side of the coin, but the other side of the coin is how we protect data using zero trust principles, technologies, and operations, and in the data management section, we’re going to have to basically straddle both of those platforms to be successful.”

Anne Klieve, management analyst in the Office of Enterprise Integration at the US Department of Veterans Affairs, agreed that a goal of the guide was to create a document that both the data and security communities could understand.
“It was about creating a guide that would be readable to both the cybersecurity and data communities, and specifically looking at how separate even the jargon was for both communities,” Klieve said during the session.

Massachusetts CIO Jason Snyder said he appreciates how the guide can move federal agencies and organizations past understanding the architecture of zero trust to doing something with it. He also said Massachusetts was at “ground zero” as far as zero trust.

“One of the things I really liked about the guide was its primary focus is data, and when you talk about zero trust, I think that is the right area of focus,” Snyder said during the panel. “So, what we’re doing within Massachusetts is really driving forward from a data perspective and better understanding our data, better understanding different types of data we have, and then working on ways to protect that data.”

Heidi Shey, principal analyst at Forrester and co-moderator of the panel, sees the guide as applicable to organizations beyond state and federal government. For example, the panelists plan to add a section on supply chain risk.

In an interview following the session, Shey told InformationWeek that the guide can help organizations stop operating in silos when it comes to data and security.

“We’re talking about really embedding data security controls throughout that entire life cycle and thinking about how we manage data and how we protect it in a much more holistic way, so that these two functions within organizations are not operating as siloed functions anymore the way they historically have been,” Shey said. “I think that’s one of the big takeaways from this guide that people can use to help bring these two groups together on zero-trust data security.”

Klieve recommended that organizations use the guide to create a zero-trust data implementation road map based on general program management principles.
This would include a maturity analysis and gap assessments. After that, organizations could implement their programs as they planned, including examining finances, examining risks, and managing performance. However, she noted that C-suite leaders such as the CISO and chief data officer would need to be consulted on how the budgets would be allocated.

Chapter 4 of the guide has a placeholder for the topic “Manage the Data.” Klieve would like to see this chapter filled with a discussion of the alignment of data management to data security as well as how to use data management to minimize data breaches. In addition, the chapter should cover the interaction between data engines and machine learning as it relates to data security, according to Klieve. That includes preparing data for machine learning models.

“This will become a key document I just keep on my desk all the time,” Klieve said. “I really want to see it kept up to date.”

Hernandez said work on the Zero Trust Data Security Guide is in a holding pattern until late January, but then his team will brief the incoming administration on “the overall status of all things cybersecurity.” He also said the CISO council could add a zero-trust section to the National Institute of Standards and Technology’s Special Publication 800-60, which provides guidelines on how to map data to security systems.

The Next Level for Zero Trust

Meanwhile, in another Dec. 10 panel, “Next-Level Your Zero Trust Initiative,” panelists from the federal government as well as GE Aerospace addressed how government agencies and the private sector can move forward with zero trust.

Eric Poulin, senior director for cybersecurity technology strategy and management at GE Aerospace, told the audience that applying the same zero-trust initiatives to all teams would not work.
“You can design a master zero-trust plan, but at the end of the day, you just try to put one blanket zero-trust plan, you’re going to end up alienating certain individual business lines,” Poulin said.

At the Department of the Interior, its zero-trust program manager, Lou Eichenbaum, has built a “zero-trust community of practice” over three years, he told the audience. The department respects the separate missions of areas such


How to Find and Train Internal AI Talent

As the need for AI talent grows, enterprises in virtually all fields are struggling to find individuals who can help them take full advantage of this powerful new technology. With competition for qualified AI experts tight, and likely to grow even tighter over the next few years, many organizations are now looking internally to find and train qualified candidates.

Every organization needs to make a serious commitment to AI, one of the biggest technology shifts in our lifetime, says David Menninger, executive director, software research, with technology research and advisory firm ISG, in an email interview. “AI is not just an IT initiative; everyone needs to jump on board.”

Here’s a look at how four major enterprises are getting ahead of competitors by encouraging and cultivating internal AI talent.

Cummins

Renowned for producing powerful engines, Cummins Inc. also designs, manufactures, and distributes filtration, fuel system, power generation, and numerous other heavy-duty products and services. Like a growing number of forward-looking enterprises, Cummins management understands that AI is destined to play a critical role in virtually every aspect of its operations.

“At Cummins, we conduct a 360-degree evaluation of our talent,” says Prateek Shrivastava, the firm’s principal data scientist, via email. Individuals with strong analytical skills and a preference for coding are identified as potential candidates for in-house AI roles. “However, it’s crucial to also gauge their interest in working with cutting-edge technology.”

Shrivastava states that targeted training programs, mentorship under experienced AI professionals, and providing opportunities to work on real-world AI projects within the organization have all proven essential. “A great example is one of our interns from last year,” he notes. The individual demonstrated innate AI talent, so he was paired with one of the firm’s AI experts.
“By the end of his internship, he had successfully delivered a highly customized AI chatbot for HR.”

Since AI is a relatively new technology, formal training options are limited, Shrivastava observes. “For us, pairing talent with experts, supplemented by YouTube tutorials, has been highly effective.”

Saatchi & Saatchi

One of the world’s largest advertising agencies, Saatchi & Saatchi understands that AI adoption is critical to its future success. The firm also realizes that AI is destined to play an essential role in virtually every aspect of its business.

Jeremiah Knight, Saatchi & Saatchi’s chief operating officer, says that the major barriers to integrating AI into daily operations are apprehension and trepidation. “People can be hesitant with AI in the same way technophobe family members are hesitant around a complicated new appliance,” he observes in an online interview. “Perhaps there’s some fearfulness about how to use AI, some fearfulness about breaking something, or even fearfulness about long-term implications.”

The antidote, Knight believes, is finding zealous first adopters scattered throughout the agency who are willing to lead workshops that help colleagues acquire AI skills in a safe, hands-on environment. “And to have fun with it, because enjoying the silliness of some of the generative AI platforms goes a long way to reducing fear about them,” he adds.

Knight also likes to find “champions” within each department, individuals who are eager to learn and unafraid to be curious about specific tools that advance departmental efforts. “Such individuals often have a positive infectious effect on their peers by demystifying AI and showcasing what’s possible on a departmental/personal basis.”

Dell Technologies

Two years ago, just about the only people working with generative AI were researchers, observes John Roese, global CTO and chief AI officer at Dell Technologies.
“At Dell, we asked our team member population ‘who’s interested in AI as part of their future job?’ — 5,000 individuals raised their hands.” Off-the-shelf AI training is sufficient to a certain point, Roese notes, but he believes that the best way to transfer knowledge is by pairing an AI newbie with a seasoned expert. “A lot of what people need to know isn’t documented well,” Roese explains in an online interview. “To get to advanced levels, you need to have people doing advanced AI work and sharing their knowledge.” He warns that one of the biggest mistakes organizations make is getting one central team to do all the AI work instead of helping AI experts propagate their ability to other teams.

Mine for the pockets of individuals who exhibit enthusiasm and promise, Roese advises. “Get started today and begin training immediately.”

Microsoft

Naga Santhosh Reddy Vootukuri, senior software engineering manager at Microsoft, recommends training employees and keeping them AI-competitive so that when the need arises to utilize their skills, they won’t find themselves lagging behind competitors. “It’s important … to view AI talent as an ongoing process rather than a one-time initiative,” he observes in an online interview.

Team hackathons and knowledge-sharing presentations make it easy to identify individuals who possess the foundational skills necessary to build upon their AI talent, Vootukuri says. “AI experts in the team should do active mentoring to guide junior engineers who have the passion to make strides, but don’t know how to proceed and are limited due to their nine-to-five job.”
