Tech Republic

NordVPN Review (2024): Is NordVPN Worth the Cost?

NordVPN Fast facts

Our rating: 4.7 stars out of 5.
Pricing: Starts at $3.69 per month.
Key features: 6,350+ servers in 111 countries. Meshnet encrypted file-sharing. Malware, ad, and tracker blocker.

NordVPN is one of the more popular, if not the most popular, VPNs today — and for good reason. It brings an impressive server network, an extensive range of security features, and a polished user experience. This is on top of providing both fast and reliable VPN speeds across its server locations. While its pricing isn’t the most budget-friendly, NordVPN provides an all-around package that makes it a compelling VPN for most everyday users.

Is NordVPN free?

No, NordVPN is not free and doesn’t have a free version. If you’re specifically looking for a free VPN to use, I recommend trying out Proton VPN or hide.me VPN. They’re good options, especially since both have zero bandwidth or data limits.

SEE: NordVPN vs Proton VPN (2024): Which VPN Should You Choose? (TechRepublic)

Instead of a free plan, NordVPN offers a seven-day free trial available for Android. While I appreciate Nord offering a free trial via Android, I hope it extends access to iOS or iPhone users in the future as well.

NordVPN pricing

NordVPN divides its paid subscriptions into three tiers: Basic, Plus, and Complete. Each tier has a monthly, a yearly, and a two-year contract option. As a side note, subscription names can vary depending on the region per my research (NordVPN Complete being synonymous with NordVPN Ultimate or Ultra; NordVPN Basic being the same as NordVPN Standard).

| | Basic | Plus | Complete |
|---|---|---|---|
| Monthly | $12.99 per month | $13.99 per month | $14.99 per month |
| 1 year | $4.99 per month | $5.99 per month | $6.99 per month |
| 2 years | $3.09 per month | $3.99 per month | $4.99 per month |
| Feature differences | Main VPN service, Threat Protection ad blocker | All Basic features plus tracker blocker, anti-malware and browsing protection, password manager, and data breach scanner | All Plus features plus 1TB of encrypted cloud storage |

Of its plans, I recommend going for the NordVPN Plus one-year subscription at $5.99 per month. It gives you a healthy set of NordVPN’s extra security features at a reasonable one-year contract length.

In comparison to other VPNs, NordVPN falls in the upper range in terms of price. For example, Surfshark’s equivalent Surfshark One subscription is priced at $4.09 per month, while Proton VPN’s Plus plan is at $5.99. If you’re on a tighter budget, these picks are probably a better choice.

SEE: Private Internet Access vs NordVPN: Which VPN Is Better? (TechRepublic)

However, if you have the money, I feel NordVPN offers enough meaningful add-ons to make it worth the spend. In particular, the fact that you get access to Nord Security’s NordPass password manager with NordVPN Plus is a significant value-add, especially if you’re also looking for a dedicated password manager. You also get anti-malware and browsing protection on top of the main VPN service.

One thing to note: NordVPN’s one-year and two-year plans have different pricing upon renewal. While it isn’t the only VPN provider to do this, I do wish it had consistent pricing all throughout. This would save users the confusion of having to recalculate pricing past the initial contract.

All of NordVPN’s plans offer a 30-day money-back guarantee, allowing you to test out the service and refund it within the allotted period.

Is NordVPN safe?

NordVPN is a safe and secure VPN to use in 2024. It utilizes AES-256 encryption, widely recognized as one of the most secure encryption algorithms today. This is evidenced by how U.S. government agencies and banking institutions also use AES encryption to protect user data.

For VPN protocols, it carries the OpenVPN protocol and its own NordLynx protocol based on the WireGuard communication protocol. I like how Nord gives its users the flexibility to choose a VPN protocol with either fast performance via NordLynx or more security with OpenVPN.

SEE: The Top 7 NordVPN Alternatives for 2024 (TechRepublic)

Most importantly, NordVPN has a no-logs policy, which states that it doesn’t log any data about users’ browsing activity or online traffic. While any company can make security promises like this, I’m happy to report that NordVPN has undergone independent testing to confirm this policy.

NordVPN’s fourth no-logs audit. Image: NordVPN

In late 2023, NordVPN’s no-logs claims were verified by a third-party audit conducted by Deloitte. This is NordVPN’s fourth security audit confirming its no-logs policy — showing the company’s commitment to upholding user privacy and security.

While I definitely commend NordVPN for having its service independently audited, I have a small nitpick. With its fourth no-logs audit, only those with an active NordVPN subscription are able to access the full report and results. According to NordVPN, this “ensures the audit results are not taken out of context or misunderstood.”

While I understand where NordVPN is coming from, I feel that sharing the full report with the public is a better move in terms of overall transparency. With that being said, NordVPN is one of the most secure VPN services to use today.

Key features of NordVPN

Meshnet encrypted file-sharing

Meshnet lets you connect multiple devices to an end-to-end encrypted virtual network and serves as a way to securely share important files across devices. Specifically, you can have 10 devices connected to the network and seamlessly transfer, send, or receive files through Meshnet.

Accepting a file in Meshnet network. Image: Luis Millares

To its credit, I used it to send a few files from my Android phone to my laptop and it worked pretty flawlessly.


Get Advanced Ad Blocking and Superior Data Privacy Tools for $11

TL;DR: Get rid of annoying ads while protecting your privacy and confidential data with a lifetime subscription to AdGuard — new users can get it for just $11 at TechRepublic Academy.

With so much business being transacted online and so much of our data being stored in the cloud, maintaining privacy and security is more important than ever. Plus, those irritating banner and popup ads can be more than just an annoyance. Some of them are actually just a front for seriously dangerous malware. Fortunately, you can now block ads and protect yourself online with a lifetime subscription to AdGuard.

About AdGuard

Not only will AdGuard banish annoying popups, video ads and banners with advanced ad blocking, but you will also get superior data privacy tools. The program is powered by advanced digital and computing technology to keep you shielded in cyberspace. AdGuard provides the ultimate privacy protection so you no longer need to fear the multitude of activity trackers and analyzers that are all over the web.

Superior protection from malware is also included. So all of your most confidential data will be safe from phishing attempts, fraudulent websites and other attacks. You also get robust parental control that allows you to create a safe digital environment by restricting your children’s access to any adult or inappropriate content.

AdGuard can be installed on up to three devices and is compatible across multiple operating systems, including Windows, Android and iOS. So you can access it on desktops and mobile devices. It’s easy to see why AdGuard has an exceptional user rating of 4.7 out of 5 stars on Trustpilot. Best of all, since this is a lifetime subscription, you get all these incredible features forever for just one low payment.

Choose your plan and get a lifetime subscription to AdGuard while the price has been dropped for new users through October 27:

Also looking for a VPN? Check out AdGuard plans available at TechRepublic Academy:

You can also find more great deals in our selection of Privacy and Security products.

Prices and availability are subject to change.


5 Call Queue Management Tips to Survive Peak Hour Traffic

Periods of heavier-than-usual call traffic are inevitable for any type of call center. If you can handle call queue management effectively, it presents an opportunity for your team to strengthen customer relationships and relish the achievement of a job well done. If not, peak calling hours can become stressful communication choke points that lead to high customer churn and rampant employee burnout. The tiniest tweaks in your approach can make all the difference — we’ve gathered the best examples below.

1. Implement a callback option

Offering callers the option to receive a call back rather than waiting on hold is a win-win. It’s one less caller in the queue, immediately, and that caller is usually excited to get back to their life instead of waiting on hold. When the call volume subsides, you can call them back, and it’s fine.

I love the option of getting a call back, and it’s becoming so common that I am starting to get frustrated when companies don’t offer it. It’s such a better experience than having to half pay attention to lo-fi hold music on speaker phone while I try to accomplish something else.

For inbound scenarios, especially customer service, I’d look for call center software that makes setting up a callback option very easy. It’s most likely nested under call center Interactive Voice Response (IVR) features, and you might see it designated as queue callback, virtual hold, customer callback, automatic callback — it’s all the same thing.

This is one of the easiest ways to improve the customer experience by reducing frustration during peak hours. It also takes the strain off your agents and means they are dealing with fewer callers coming off long holds.

I would not implement this function for urgent calls. If a customer has an emergency, for example, the callback option is not going to be well received.

2. Broaden IVR self-service options

A call center IVR system costs a good deal of money, so it stands to reason that a business should try and get the most out of it. Start by looking at your IVR containment rate — every percentage point higher you can drive that number is another fraction of callers who don’t need to speak to an agent.

Look for adding self-service options to help with basic troubleshooting, check account balances, or make a payment using the IVR. Automating each of these tasks reduces the number of calls transferred to live agents, which allows them to focus on more complex issues. A knock-on effect is that wait times are reduced, which in turn boosts customer satisfaction.

The operational cost savings are also significant. You probably have some idea of how much each call costs — usually somewhere between $3-$10 per call, potentially more — well, each call successfully resolved by the IVR is money saved. On top of that, the decreased volume will minimize the need to schedule extra staff to handle peak times. That means less hiring and less training.

Reviewing your IVR self-service options should be part of any call queue management strategy. What can you streamline, what can you improve, what additional responsibility can your IVR take over from busy agents?

3. Offer online help resources

Help your customers help you by publishing accurate and useful information about topics callers care about. Your website can serve as a tremendous resource to customers and it will decrease call volume during peak hours.

The first benefit is that fewer people will have to call in when they can figure out the answer to their question, problem, or concern just by visiting your website. You can also prompt callers who are in the queue to use website resources, which can help the caller serve themselves without talking to an agent (win-win). And even if the caller cannot 100% resolve their problem on their own, they have learned more about the issue from your site, which likely makes the call with the agent a lot smoother.

A lot of people prefer not having to get on the phone in order to accomplish something. Publishing FAQs and guides about your product is truly helpful for your customers and is one of the lowest-cost call queue management tactics out there.

If you have any trouble justifying the budget to make sure that your online help resources are top-notch, remember that creating helpful content is exactly what Google wants to see and will drive high-intent, extremely relevant, organic search traffic to your site. This is an ancient SEO content strategy that still works today. It’s either you or your competitor getting that traffic, so, about that budget? Win more traffic for your brand’s site while solving high call queuing times — not bad at all.

4. Capture customer info before calls

Customers don’t enjoy wasting time and effort repeating themselves. Asking them to do so is enough to earn a poor Customer Satisfaction (CSAT) score, even if your agents do everything else to perfection.

You can help callers save time, ensure they never have to repeat themselves, and reduce call queue management requirements by using the IVR to request caller information instead of waiting for the agent to pick up. While the caller is still on hold, the IVR can authenticate their identity and collect vital information like their preferred language, social security number, account number, birth date, and the nature of their call.

This information can be used to route the call appropriately without an agent having to pick up and transfer the call to another agent. Additionally, the information improves the quality of customer interaction because the agent doesn’t have to request and receive information verbally. There’s less opportunity for error and the agent can begin assisting the customer as soon as they answer.

Maybe you have set this up already, but have you captured as much helpful information as possible? For example, say you have the caller’s number tied to a record in your call center CRM software, great — but the customer might


Microsoft: Ransomware Attacks Growing More Dangerous

The number of attempted ransomware attacks on Microsoft customers globally has grown dramatically in the last year, according to Microsoft’s Digital Defense report, released on Oct. 15. However, advancements in automatic attack disruption technologies have led to fewer of these attacks reaching the encryption stage.

Microsoft reported 600 million cybercriminal and nation-state attacks occurring daily. While ransomware attempts increased by 2.75 times, successful attacks involving data encryption and ransom demands dropped by three-fold.

The number of ransomware-linked incidents has steadily grown in recent years. Source: Microsoft Defender for Endpoint

Significant attack types include deepfakes, e-commerce theft

Microsoft says it “tracks more than 1,500 unique threat groups — including more than 600 nation-state threat actor groups, 300 cybercrime groups, 200 influence operations groups, and hundreds of others.” The top five ransomware families — Akira, Lockbit, Play, Blackcat, and Basta — accounted for 51% of documented attacks.

According to the report, attackers most often exploit social engineering, identity compromises, and vulnerabilities in public-facing applications or unpatched operating systems. Once inside, they often install remote monitoring tools or tamper with security products. Notably, 70% of successful attacks involved remote encryption, and 92% targeted unmanaged devices.

Other major types of attacks included:

- Infrastructure attacks.
- Cyber-enabled financial fraud.
- Attacks on e-commerce spaces, where credit card transactions don’t require the card to be physically present.
- Impersonation.
- Deepfakes.
- Account takeover.
- Identity and social engineering attacks — most (99%) of which were password theft attacks.
- SIM swapping.
- Help desk social engineering, where attackers impersonate customers to reset passwords or connect new devices.
- Credential phishing, particularly through phishing-as-a-service projects. Often these are triggered by HTML or PDF attachments containing malicious URLs.
- DDoS attacks, which caused a global outage earlier this year.

Antivirus tampering was also a major player in the previous year: Over 176,000 incidents Microsoft Defender XDR detected in 2024 involved tampering with security settings.

SEE: Ransomware actors can target backup data to try to force a payment.

Nation-state, financially motivated actors share tactics

Both financially-motivated threat actors and nation-state actors increasingly use the same information stealers and command-and-control frameworks, Microsoft found. Interestingly, financially-motivated actors now launch cloud identity compromise attacks — a tactic previously associated with nation-state attackers.

“This year, state-affiliated threat actors increasingly used criminal tools and tactics — and even criminals themselves — to advance their interests, blurring the lines between nation-state backed malign activity and cybercriminal activity,” the report stated.

Microsoft tracks major threat actor groups from Russia, China, Iran, and North Korea. These nation-states may either leverage financial threat actors for profit or turn a blind eye to their activities within their borders.

According to Tom Burt, Microsoft’s corporate vice president of customer security and trust, the ransomware issue highlights the connection between nation-state activities and financially motivated cybercrime. This problem is exacerbated by countries that either exploit these operations for profit or fail to take action against cybercrime within their borders.

Expert Evan Dornbush, former NSA cybersecurity expert, offers perspectives on the matter:

“This report signals one trend currently getting little attention and likely to define the future of cyber: the amount of money criminals can earn,” he said in an email to TechRepublic. “Per the Microsoft report, government, as a sector, only makes up 12% of the aggressors’ targeting sets. The vast majority of victims are in the private sector.”

The sectors most targeted by nation-state threat actors this year were:

- IT.
- Education.
- Government.
- Think tanks and NGOs.
- Transportation.

Both attackers and defenders use generative AI

Generative AI introduces a new set of questions. Microsoft recommends limiting generative AI’s access to sensitive data and ensuring that data governance policies are applied to its use. The report outlines AI’s significant impacts on cybersecurity:

- Both attackers and defenders increasingly use AI tools.
- Nation-state actors can generate deceptive audio and video with AI.
- AI spear phishing, résumé swarming, and deepfakes are now common.
- Conventional methods of limiting foreign influence operations may no longer work.
- AI policies and principles can mitigate some risk associated with the use of AI tools.
- Although many governments agree on a need for security as an important factor in the development of AI, different governments pursue it in different ways.

“The sheer volume of attacks must be reduced through effective deterrence,” Burt explained, “and while the industry must do more to deny the efforts of attackers via better cybersecurity, this needs to be paired with government action to impose consequences that further discourage the most harmful cyberattacks.”

How organizations can prevent common cyberattacks

The Microsoft report contains actions organizations can take to prevent specific types of attacks. TechRepublic distilled some actionable insights that apply across the board:

- Disrupt attacks at the technique layer, which means implementing policies such as multi-factor authentication and attack surface reduction.
- Similarly, use “secure-by-default” settings, which make multi-factor authentication mandatory.
- Use strong password protection.
- Test pre-configured security settings, such as security defaults or managed Conditional Access policies, in report-only mode to understand their potential impact before going live.
- Classify and label sensitive data, and have DLP, data lifecycle, and Conditional Access policies around high-risk data and high-risk users.

Microsoft put its Secure Future Initiative in place this year, after the Chinese intrusion into Microsoft government email accounts in July 2023.


POS Terminals Explained By Experts: A Complete Guide For 2024

Retail tech has come a long way since the invention of cash registers. One point-of-sale system can now manage inventory, track sales, and accept payments — all on the go with one POS terminal. Affordable mobile terminals also allow businesses to adapt to the constantly evolving in-person payment methods such as buy now, pay later (BNPL) and QR codes.

To bring you insights into this popular payment technology, I leveraged my seven years of experience reviewing POS systems and payment systems, my degree in financial management, and certificate in payments technology.

What is a POS Terminal?

Square Terminal, one of the most popular POS terminals on the market. Image: Square

A point-of-sale, or POS terminal, is a compact piece of business hardware that comes with built-in POS software and a card reader to accept cash, card, and other forms of non-cash transactions like gift cards. Terminals also typically have, or are connected to, cloud-based POS software to update business information such as inventory levels and sales in real-time.

History of Cash Registers and POS Systems

The first cash register by James Ritty in 1879 can record transactions without error. Image: Mathematical Association of America

Before the POS terminal, there was the cash register. Invented by James Ritty, a saloon owner from Ohio, in 1879, the cash register was designed to accurately record transactions to help users with their bookkeeping. The National Cash Register (NCR) eventually purchased the invention in 1884. During this time, electric motors, cash drawers, and paper rolls for receipts were added to the cash register.

Did you know? Tech monopolies are not just a 21st-century problem. In 1921, the U.S. Government filed suits against NCR under the Sherman Antitrust Act. At the time, NCR controlled 95% of the cash register market.

IBM introduced the first restaurant computer-based POS system in 1973, which came with an electronic cash register (ECR) and a client-server on the back end. But it wasn’t until 1979 that Visa and Mastercard released the magstripe technology for accepting credit card payments at the point of sale. When the internet became available, Europay, Visa, and Mastercard also developed EMV chips on credit cards in 1993, significantly improving credit card processing.

Soon after, pioneers like PayPal, Verifone, and Ingenico developed mobile card readers, allowing businesses to accept payments anywhere. Eventually, PayPal transitioned away from its basic mobile card readers and, along with other competitors like Square, introduced POS terminals that offer better security and more advanced payment capabilities. As POS technology advanced, leading payment processors launched what are now called “Smart Terminals” that combined advanced POS features.

How can POS terminals improve business operations?

The advent of the internet enabled POS systems and terminals to evolve into a more efficient business solution. Nowadays, terminals offer quicker and more secure payment processing, customer engagement tools, better inventory control, and additional payment channels.

Read more: Best POS systems for small business

How do POS terminals work?

The role of the POS terminal in the POS ecosystem is to compute the total cost of the transaction, accept payment, and keep a record of the transaction.

During checkout

At checkout, customers bring products to the POS terminal for purchase. The seller scans the product barcode with a barcode scanner, which generates a corresponding SKU number within the POS system’s inventory catalog. The product information, including the list price, is then displayed, and the user enters the quantity to get the total cost.

When collecting payment

Once the total price is displayed, the customer presents their preferred payment method.

- If cash or other non-card payments: The seller enters the tender amount to prompt the cash drawer.
- If card: the seller will either swipe, insert, or tap the card in the area where the card reader is located in the POS terminal.
- If mobile and other digital payment: the customer will present proof of payment on their mobile device for the user to record the confirmation code.

In the back end, a payment authorization request is initiated at this point. The transaction and payment data is encrypted and transmitted by the merchant’s payment processor, then sent to the relevant financial institutions for verification. If the customer’s bank confirms that funds are available, the transaction will be authorized, and payment approval will be displayed on the POS terminal. Otherwise, a declined payment notice will be displayed, and the customer will be asked to provide a different payment source.

Logging the transaction

Finally, a receipt for the completed transaction will be generated and provided to the customer. A copy of the receipt is kept by the user. For card transactions, a transaction receipt is generated in triplicate, and one is given to the customer. At the back end, the POS system also records the sale and adjusts the available inventory in real-time.

Read more: POS deployment checklist

What are the key features to look for in a POS terminal?

The POS terminal is a combination of software and hardware components.

Hardware setup

Hardware is an essential feature of a POS terminal. For it to complete its task, the POS terminal should have, at minimum:

- A computer-operated device that runs the POS software.
- A card reader for accepting card payments (swipe, tap, or dip).
- A thermal printer to generate receipts, or other means of delivering receipts.

You may also want to consider:

- A barcode scanner to scan barcodes that pulls up product information.
- A cash drawer (for countertop terminals) for storing cash and other non-card payments if you plan to accept cash.

Payment gateway

The payment gateway is a software component embedded in the POS system. This is the checkout window on the system display where the user enters the customer’s payment information. The payment gateway will display the available payment methods depending on your payment processing settings. It is also the payment gateway’s role to encrypt the transaction data before sending it to the payment processor for authentication.

Payment processor

The payment processor connects to the card network and other financial institutions that authorize the transfer


Can Security Experts Leverage Generative AI Without Prompt Engineering Skills?

Professionals across industries are exploring generative AI for various tasks — including creating information security training materials — but will it truly be effective?

Brian Callahan, senior lecturer and graduate program director in information technology and web sciences at Rensselaer Polytechnic Institute, and Shoshana Sugerman, an undergraduate student in this same program, presented the results of their experiment on this topic at ISC2 Security Congress in Las Vegas in October.

Experiment involved creating cyber training using ChatGPT

The main question of the experiment was “How can we train security professionals to administer better prompts for an AI to create realistic security training?” Relatedly, must security professionals also be prompt engineers to design effective training with generative AI?

To address these questions, researchers gave the same assignment to three groups: security experts with ISC2 certifications, self-identified prompt engineering experts, and individuals with both qualifications. Their task was to create cybersecurity awareness training using ChatGPT. Afterward, the training was distributed to the campus community, where users provided feedback on the material’s effectiveness.

The researchers hypothesized that there would be no significant difference in the quality of training. But if a difference emerged, it would reveal which skills were most important. Would prompts created by security experts or prompt engineering professionals prove more effective?

SEE: AI agents may be the next step in increasing the complexity of tasks AI can handle.

Training takers rated the material highly — but ChatGPT made mistakes

The researchers distributed the resulting training materials — which had been edited slightly, but included mostly AI-generated content — to the Rensselaer students, faculty, and staff. The results indicated that:

- Individuals who took the training designed by prompt engineers rated themselves as more adept at avoiding social engineering attacks and password security.
- Those who took the training designed by security experts rated themselves more adept at recognizing and avoiding social engineering attacks, detecting phishing, and prompt engineering.
- People who took the training designed by dual experts rated themselves more adept on cyberthreats and detecting phishing.

Callahan noted that it seemed odd for people trained by security experts to feel they were better at prompt engineering. However, those who created the training didn’t generally rate the AI-written content very highly.

“No one felt like their first pass was good enough to give to people,” Callahan said. “It required further and further revision.”

In one case, ChatGPT produced what looked like a coherent and thorough guide to reporting phishing emails. However, nothing written on the slide was accurate. The AI had invented processes and an IT support email address.

Asking ChatGPT to link to RPI’s security portal radically changed the content and generated accurate instructions. In this case, the researchers issued a correction to learners who had gotten the inaccurate information in their training materials. None of the training takers identified that the training information was incorrect, Sugerman noted.

Disclosing whether trainings are AI-written is key

“ChatGPT may very well know your policies if you know how to prompt it correctly,” Callahan said. In particular, he noted, all of RPI’s policies are publicly available online.

The researchers only revealed the content was AI-generated after the training had been conducted. Reactions were mixed, Callahan and Sugerman said:

- Many students were “indifferent,” expecting that some written materials in their future would be made by AI.
- Others were “suspicious” or “scared.”
- Some found it “ironic” that the training, focused on information security, had been created by AI.

Callahan said any IT team using AI to create real training materials, as opposed to running an experiment, should disclose the use of AI in the creation of any content shared with other people.

“I think we have tentative evidence that generative AI can be a worthwhile tool,” Callahan said. “But, like any tool, it does come with risks. Certain parts of our training were just wrong, broad, or generic.”

A few limitations of the experiment

Callahan pointed out a few limitations of the experiment.

“There is literature out there that ChatGPT and other generative AIs make people feel like they have learned things even though they may not have learned those things,” he explained.

Testing people on actual skills, instead of asking them to report whether they felt they had learned, would have taken more time than had been allotted for the study, Callahan noted.

After the presentation, I asked whether Callahan and Sugerman had considered using a control group of training written entirely by humans. They had, Callahan said. However, dividing training makers into cybersecurity experts and prompt engineers was a key part of the study. There weren’t enough people available in the university community who self-identified as prompt engineering experts to populate a control category to further split the groups.

The panel presentation included data from a small initial group of participants — 51 test takers and three test makers. In a follow-up email, Callahan told TechRepublic that the final version for publication will include additional participants, as the initial experiment was in-progress pilot research.

Disclaimer: ISC2 paid for my airfare, accommodations, and some meals for the ISC2 Security Congress event held Oct. 13–16 in Las Vegas.


AI and Platform Engineering Are Transforming DevOps, Finds Google’s DORA Report

More than 75% of working professionals worldwide use AI at least once daily for work, but far fewer trust AI-generated code, according to a survey of 3,000 employees in Google’s 2024 Accelerate State of DevOps Report (DORA).

The study, published on Oct. 22, revealed that 76% of professionals use AI to write code, summarize information, explain unfamiliar code, optimize code, and document code. It outlined the many benefits of generative AI adoption, including increased focus, productivity, job satisfaction, and code quality.

However, generative AI can also negatively impact software delivery performance, product quality, and the time employees spend on valuable work, the report indicated. It also found that using AI does not necessarily reduce time spent on “toilsome work,” or tasks that lack “meaningfulness.”

“AI has positive impacts on many important individual and organizational factors which foster the conditions for high software delivery performance,” the report states. “But, AI does not appear to be a panacea.”

Google survey outlines pros and cons of generative AI

This year’s study, the 10th iteration, focused on how AI impacts burnout, focus, job satisfaction, productivity, and the performance of products, organizations, and teams. DORA measures stability success through four key metrics: change lead time, deployment frequency, change fail rate, and failed deployment recovery time.

Interactions with AI in daily work tended to come in the form of:

- Chatbots (78.2%).
- External web interfaces (73.9%).
- AI tools embedded within their integrated development environments (72.9%).

Some respondents reported adopting AI in response to competitive pressures, with one interviewee noting that companies not embracing AI risk being “left behind.” Another mentioned their organization viewed AI as “a big marketing point.”

Fewer than 10% of respondents said their productivity had been negatively impacted by AI. Additional findings show:

- 81% of respondents said “their organizations have shifted their priorities to increase their incorporation of AI into their applications.”
- Developers feel more productive when using AI, with 67% of respondents reporting that AI helps them improve their code.
- Nearly 40% of respondents said they had “little to no” trust in AI. On the other hand, a majority of respondents said they only “somewhat” trust the quality of AI-generated code.

Interviews, as well as the study’s authors, indicate this may mean developers expect to use AI as a baseline from which to tweak and correct the results.

“However, respondents also reported expectations that AI will have net-negative impacts on their careers, the environment, and society, as a whole,” the report reads. Over 30% of respondents think AI will be detrimental to the environment.

AI may also impact software delivery performance, stability, and throughput. This may be because AI-written code can be generated in such large amounts. These larger changes are “slower and more prone to instability,” according to the report. Small batch sizes are still an important principle in software development that directly relates to quality.

Nearly 9 in 10 professionals use internal developer platforms

Platform engineering is a discipline for creating workflows to promote self-service and collaboration. DORA describes it as the intersection of social interactions between teams and technical performance — such as automation, self-service, and repeatability of processes.

DORA found that 89% of respondents used internal developer platforms, although the definition of the term was left quite broad. The report also found:

- Organizations tend to see performance gains at the beginning of a platform engineering initiative, followed by a dip and a leveling out. This pattern matches that of other transformation initiatives DORA studies.
- Individuals were 8% more productive when using an internal developer platform.
- Organizations performed 6% better when using an internal developer platform.
- Throughput and change stability fell by 8% and 14%, respectively, when using an internal developer platform.

Why such a large drop in change stability? DORA suggests the platforms could increase rework time. Or, this number could be indicative of a different pattern: teams with high pre-existing instances of burnout and change instability may adopt platforms to solve those problems.

Additional findings include the importance of stable priorities

The complete report goes into more detail on these topics. Additional takeaways include:

- Product quality is proportional to how well the organization understands its users’ needs. User-centered software development is beneficial because deriving a sense of purpose — directly meeting users’ needs — benefits both employees and organizations. Organizations should give developers confidence that their projects are meaningful — a process that requires user feedback.
- Focus on creating quality documentation. This is documentation that is not necessarily comprehensive but instead is relevant, findable, and reliable.
- Unstable priorities can cause burnout in employees. Namely, “move-fast-and-constantly-pivot” mentalities from leadership can hurt employees. This mindset creates unclear expectations, decreases employees’ sense of control, and increases their workloads.
- Leaders should be positive. While they can still challenge their workers to think innovatively, leaders should also recognize employees’ successes.

“The key to success is rolling up your sleeves and just getting to work,” the report stated. “The goal of the organization and your teams should be to simply be a little better than you were yesterday.”


Price Drop: Upgrade to Windows 11 Pro for Only $19.97

Microsoft is basically the biggest name in the business world, whether we’re talking about Microsoft Office apps or Windows running on our computers. One thing they have nailed down is recognizing that their products are well-loved for their simple and familiar interface, but still offering regular updates.

Windows 11 Pro was specifically designed for business professionals. You’ll find new tools for productivity and balancing hybrid or remote work with life. With this deal, you can upgrade three devices to Windows 11 Pro — rated 4.5/5 stars by verified purchasers — for just $19.97 at TechRepublic Academy.

New look, new features

The first thing you’ll notice is a redesigned user interface. Rounded app corners, a centered bottom taskbar, snap layouts and widgets all give your computer a refreshed, yet familiar, appearance while offering the latest tools.

Then, there are layers of security features like Microsoft Information Protection that protects your personal data from leaks and BitLocker device encryption that encrypts your hard drive with a key. Both of these are excellent for shielding your personal and work information from harm.

Designed for the workforce

If you’re a remote or hybrid worker, or a business owner or manager with employees around the globe, you’ll appreciate things like:

- Windows Information Protection allows you to separate work and personal data on the same device.
- Remote desktop access is included from anywhere. Connect to your Windows 11 Pro computer from another computer, a tablet or a smartphone.
- Group Policy Management tools allow enforcement of policies and compliance. Administrators can create settings or access for different devices, users and groups.

Upgrade your operating system to Windows 11 Pro on three devices for only $19.97 (reg. $199), now at TechRepublic Academy, so be sure to take advantage of it before it’s gone.

Prices and availability are subject to change.


ISC2 Security Congress 2024: The Rise in Nation-State Cyber Threats

Today’s threat landscape includes nation-state actors as well as attackers looking to test their skills or turn a profit. At the ISC2 Security Conference in Las Vegas, CISA advisor and former New York Times cybersecurity journalist Nicole Perlroth took the stage to discuss what has changed over the last 10 years of cyber warfare. Her presentation was the capstone of the conference, held Oct. 13-16.

Nation-state attackers look for ‘target-rich, cyber-poor’ victims

Perlroth presented a timeline of nation-state attacks she covered throughout her journalism career, from 2011 to 2021. Barriers to entry for attackers have worsened since she began her career, with ransomware-as-a-service evolving into “a well-oiled economy.” The CrowdStrike outage showed how much a widespread attack could disrupt operations.

While it used to be conventional wisdom that the United States’ geographical location kept it isolated from many threats, “those oceans don’t exist anymore” when it comes to the cyber landscape, Perlroth said. Likewise, the digital “edge” has transformed into the world of the cloud, software as a service, and hybrid workforces.

“The new edge is the people, it’s the endpoints,” Perlroth said.

Attacks on this new frontier could take the form of deepfakes targeting CEOs or nation-state attacks on critical infrastructure. Perlroth focused her discussion on Chinese state-sponsored attacks on U.S. infrastructure and businesses, such as the 2018 cyber attack on the Marriott hotel chain.

Marriott or Change Healthcare were “target-rich, cyber-poor” environments, Perlroth said. These environments may not have large, dedicated cybersecurity teams, but have valuable data, such as the personal information of government workers who may have used the health system or visited a hotel.

Another target-rich, cyber-poor environment Perlroth said defenders should focus on is water treatment. Local water treatment facilities may not have a dedicated cybersecurity professional, but an adversary tampering with water utilities could prove catastrophic.

“The code had become the critical infrastructure and we really hadn’t bothered to notice,” Perlroth said.

Russia, China explore cyberattacks in connection with military action

In terms of wider geopolitical implications, Perlroth notes cybersecurity professionals should be especially aware of Russia’s military offensive and of China eyeing a possible incursion into Taiwan in 2027. Threat actors could aim to delay U.S. military mobility or use social engineering to sway public opinion. The U.S. has a mutual defense pact with Taiwan, but China has seen the U.S. “waffling” in the defense of Ukraine, Perlroth said.

Perlroth said geopolitical commentators have been surprised there haven’t been more cyber attacks from Russia in concert with the attack on Ukraine. On the other hand, there have been significant cyber attacks around Ukraine, including DDoS attacks and the interruption of commercial ViaSat service just before the war began. PIPEDREAM, a Russian-linked malware, may have been intended to strike U.S. infrastructure, Perlroth said.

Generative AI changes the game

“The biggest change in cybersecurity has been AI,” Perlroth asserted.

AI enables companies and threat actors to craft zero-day attacks and sell them to governments, she said. Attackers can generate new code with AI. At the same time, defenders equipped with AI can reduce the cost and time it takes to respond to major attacks. She anticipates the next large-scale enterprise attack, like the SolarWinds hack, will start from generative AI-related systems.

Cybersecurity professionals should study how to ensure employees interact safely with generative AI systems, she said.

How can cybersecurity professionals prepare for large-scale attacks?

“We need to start doing a sort of sector-by-sector census to see what is the Change Healthcare of every industry,” said Perlroth. “Because we know our adversaries are looking for them and it would be great if we could get there first.”

The good news, she said, is that cybersecurity professionals are more aware of threats than ever before. Cyber professionals know how to persuade the C-suite on security matters for the well-being of the entire organization. CISOs have become a type of business continuity officer, Perlroth said, who have plans for how business can resume as quickly as possible if an attack does happen.

Cybersecurity professionals should factor in the culture, management, budget, HR, education, and awareness in their organizations as well as technical skill, Perlroth said. The primary question cybersecurity professionals should ask is still “What are my crown jewels and how do I secure them?”

Although her presentation emphasized the scope and prevalence of threats, Perlroth said her goal wasn’t to scare people — a tactic that has been used to sell security products. However, cybersecurity professionals must strike a balance between maintaining confidence in existing systems and explaining that threats, including nation-state threats, are real.

Stories like the disruption of the PIPEDREAM attack should “give us immense hope,” she said.

As she concluded: “We have picked up some serious learnings about what we can do together in the government and private sector when we come together in the name of cyber defense.”

Disclaimer: ISC2 paid for my airfare, accommodations, and some meals for the ISC2 Security Congress event held Oct. 13–16 in Las Vegas.
