The technology and best practices for treating cybersecurity as a business enabler, instead of an onerous cost-center, have long been readily available.


However, this remains a novel concept at most companies. Now comes a Forrester Research report that vividly highlights why attaining and sustaining a robust cybersecurity posture translates into a competitive edge.

The report, titled “Embed Cybersecurity And Privacy Everywhere To Secure Your Brand And Business,” argues for a paradigm shift. It’s logical that robust cybersecurity and privacy practices need to become intrinsic in order to tap the full potential of massively interconnected, highly interoperable digital systems.

Forrester’s report lays out a roadmap for CIOs, CISOs and privacy directors to drive this transformation – by weaving informed privacy and security practices into every facet of their business; this runs the gamut from physical and information assets to customer experiences and investment strategies.

Last Watchdog engaged Forrester analyst Heidi Shey, the report’s lead author, in a discussion about how this could play out well, and contribute to an overall greater good. Here’s that exchange, edited for clarity and length.

LW: This isn’t an easy shift. Can you frame the barriers and obstacles companies can expect to encounter?

Shey: A common barrier is framing and articulating the value and purpose of the cybersecurity and privacy program. Traditionally it’s been about focusing inward on securing systems and data at the lowest possible cost, driven by compliance requirements.

Compliance matters and is important, but with this shift, we have to recognize that it is a floor not a ceiling when it comes to your approach. Building your program and embedding these capabilities with a customer focus in mind is the difference. You are trying to align business and IT strategies – and brand value – to drive customer value here. This is a key factor for building trust in your organization.

LW: How can companies effectively measure the success of cybersecurity and privacy integration into their operations?


Shey: This is something that calls for a maturity assessment. By understanding the key competencies required for this type of shift, organizations can better gauge their current maturity and identify capabilities they need to shore up to further improve. These key capabilities fall under the four competencies of oversight, process risk management, technology risk management, and human risk management.

For example, process risk management capabilities include how well the organization implements security and privacy in its customer-facing products and services as well as its own internal processes. It also covers the extension of security and privacy requirements to third-party partners and the ability to respond quickly and effectively to external questions from stakeholders such as customers, auditors, and regulators.

Within a maturity assessment like this, you can start to hone in on areas of improvement. If you’re doing a particular activity in an ad-hoc way today, establishing a repeatable process for it helps you push to the next level of maturity.

LW: Cultural change is acutely difficult. What should CIOs and CISOs expect going in; what basic rethinking do they need to do?

Shey: Re-examine their own relationship first, specifically the trust and empathy between CIO and CISO. You need to be partners in driving this. If the CIO and CISO are operating in silos, and do not have shared vision, goals, and values here, it will make broader organizational cultural change difficult.

LW: Some progressive companies are moving down this path, correct? What have we learned from them; what does the payoff look like?

Shey: Yes, and this goes back to a point I made earlier about a key outcome of building customer trust in your organization. Trusted organizations reap rewards. Our research and data on consumer trust have proven this. Customers that trust your firm are more likely to purchase again, share personal data, and engage in other revenue-generating behaviors.

There is also a benefit of stronger business partnerships. We operate in a world today where your business is the risk and how you adapt is the opportunity. Companies view it as a risk to do business with your firm, whether they’re purchasing products and services or sharing data with you. Your ability to comply with partner’s or B2B customer’s security requirements will be critical.

LW: What approach should mid-sized and smaller organizations take? What are some basic first steps?

Shey: Resist the urge to go buy technology as the first step. Emphasize strategy and oversight of your cybersecurity and privacy program, because you can’t embed the foundation for what you have not built yet. Align with a control framework as a starting point.

This will be your common frame of reference for connecting policies, controls, regulations, customer expectations, and business requirements. Recognize that as you mature your program, a Zero Trust approach will help you take your efforts beyond compliance.

Conduct a holistic assessment of technology and information risks to determine what matters most to the business, and identify the appropriate practices and controls to address those risks.

Set clear goals, such as a roadmap of core competencies to build and milestones. Identify clear lines of accountability to help make it transparent as to who is responsible for what, making it clear how each person on the team contributes to the program’s success.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


 

The National Institute of Standards and Technology (NIST) has updated its widely used Cybersecurity Framework (CSF) — a free, respected landmark guidance document for reducing cybersecurity risk.


However, it’s important to note that most of the framework core has remained the same. Here are the core components the security community knows:

•Govern (GV): Sets forth the strategic path and guidelines for managing cybersecurity risks, ensuring harmony with business goals and adherence to legal requirements and standards. This is the newest addition; it was implied before, but is now specifically illustrated as touching every aspect of the framework. It seeks to establish and monitor your company’s cybersecurity risk management strategy, expectations, and policy.

•Identify (ID): Entails developing an organization-wide understanding of how to manage cybersecurity risks to systems, assets, data, and capabilities.

•Protect (PR): Concentrates on deploying suitable measures to guarantee the provision of vital services.

•Detect (DE): Specifies the actions for recognizing the onset of a cybersecurity incident.

•Respond (RS): Outlines the actions to take in the event of a cybersecurity incident.

•Recover (RC): Focuses on restoring capabilities or services that were impaired due to a cybersecurity incident.

Noteworthy updates

The new 2.0 edition is structured for all audiences, industry sectors, and organization types, from the smallest startups and nonprofits to the largest corporations and government departments — regardless of their level of cybersecurity preparedness and complexity.

Emphasis is placed on the framework’s expanded scope, extending beyond critical infrastructure to encompass all organizations. Importantly, it better incorporates and expands upon supply chain risk management processes. It also introduces a new focus on governance, highlighting cybersecurity as a critical enterprise risk with many dependencies. This is critically important with the emergence of artificial intelligence.

To make it easier for a wide variety of organizations to implement the CSF 2.0, NIST has developed quick-start guides customized for various audiences, along with case studies showcasing successful implementations, and a searchable catalog of references, all aimed at facilitating the adoption of CSF 2.0 by diverse organizations.

The CSF 2.0 is aligned with the National Cybersecurity Strategy and includes a suite of resources to adapt to evolving cybersecurity needs, emphasizing a comprehensive approach to managing cybersecurity risk. New adopters can benefit from implementation examples and quick-start guides tailored to specific user types, facilitating easier integration into their cybersecurity practices.


The CSF 2.0 Reference Tool simplifies implementation, enabling users to access, search, and export core guidance data in user-friendly and machine-readable formats. A searchable catalog of references allows organizations to cross-reference their actions with the CSF, linking to over 50 other cybersecurity documents – facilitating comprehensive risk management. The Cybersecurity and Privacy Reference Tool (CPRT) contextualizes NIST resources with other popular references, facilitating communication across all levels of an organization.

NIST aims to continually enhance CSF resources based on community feedback, encouraging users to share their experiences to improve collective understanding and management of cybersecurity risk. The CSF’s international adoption is significant, with translations of previous versions into 13 languages. NIST expects CSF 2.0 to follow suit, further expanding its global reach. NIST’s collaboration with ISO/IEC aligns cybersecurity frameworks internationally, enabling organizations to utilize CSF functions in conjunction with ISO/IEC resources for comprehensive cybersecurity management.

About the essayist: Jeremy Swenson is a disruptive-thinking security entrepreneur, futurist/researcher, and senior management tech risk consultant.

Organizations in different industries rely on cloud backups to secure critical business data. In recent years, backup to the cloud has evolved into an easy, flexible and effective technology. The two most common cloud backup strategies are multi-cloud backup and hybrid cloud backup. 

However, backups on their own are not enough for data safety. In this post, we describe the two strategies and then provide recommendations that help you build a secure cloud backup system. 

What is Multi-Cloud Backup? 

The multi-cloud backup strategy refers to sending backup data to multiple public clouds of various cloud vendors. This allows organizations to ensure data redundancy and availability while also avoiding a single point of failure in case the original data is lost. Additionally, you can benefit from the cost flexibility of multi-cloud backups, as most vendors offer a pay-as-you-go model.

Proprietary features that enable you to conveniently copy and store data in the cloud are usually available. However, organizations need swift recovery in addition to the backup functionality, which may not be the case for all cloud vendors. Organizing an effective and convenient multi-cloud backup system requires expertise, time and effort from your IT team. 

Lastly, storing all your backups in the cloud can result in slower recovery compared to local backups. Also, cloud backups remain available only when your network connection is up and running.

What is Hybrid Cloud Backup?

A hybrid cloud backup approach utilizes both on-premise and cloud storage as backup repositories. Compared to the multi-cloud strategy, hybrid cloud storage provides additional flexibility and recoverability in exchange for increased complexity and cost. 

To implement hybrid cloud backup, you first need to organize on-premise storage with appropriate high-performance hardware, cooling and maintenance. Secondly, you have to pay for the cloud storage volume required to fit your data backups. And finally, you need to pick a reliable and functional hybrid cloud backup solution to enable and maintain data protection workflows. 

Choosing a suitable data protection solution can be challenging as there are multiple nuances and specifics to consider. You might want to learn more about setting up hybrid cloud backup before you start implementing your system.

Best Practices for Secure Cloud Backup

Creating and maintaining backups does not make your organization’s data secure by default. This additional data copy can be a target for ransomware or malware. Moreover, cybercriminals prioritize data backups when planning their attacks.

Backups require thorough protection to ensure data recoverability. Below you can find several recommendations to enhance backup security. The security best practices mentioned below can help you protect backups with both multi-cloud and hybrid cloud strategies.  

Know your data

First, know and prioritize the data you want to back up. When you are aware of the volume and type of data you need to protect, you can build up your workflows according to recovery point and recovery time objectives. Additionally, consider prioritizing your data so you back up critical assets first. 

Define your cloud backup strategy

Should you implement a multi-cloud or a hybrid cloud backup strategy? Your choice defines the system’s capabilities, costs and management specifics. In addition, the chosen strategy sets the qualification requirements for the IT team. 

A multi-cloud strategy can be more cost-efficient to start with. On the other hand, hybrid cloud data protection adds more reliability for a higher price and increased infrastructure complexity. Consider your data volumes and security priorities along with hardware and network performance to make the choice that suits your organization the most.

Pick suitable cloud provider(s)

The data backup and recovery capabilities of the available cloud providers can vary. Some can have the latest integration features that simplify building multi-cloud systems. Others can provide advanced data protection and recovery functions that add resilience and improve RTOs. The solution is to check the offers available on the market and pick the cloud provider (or providers) suitable for your strategy, infrastructure, expectations and budget.  

Encrypt backup data

In 2024, storing unencrypted data means exposing your digital assets to malicious actors. You can organize an encrypted cloud backup storage in Amazon, Google Cloud, or Microsoft Azure, among other providers. 

However, you might also want to encrypt backup data “in flight” (during transfer). Additionally, your local backups should also be encrypted in case a hybrid cloud backup is your choice. Consider using a specialized data protection solution to enable backup encryption in all your data transfers and repositories.  

Implement anti-ransomware capabilities

Ransomware is an ongoing and evolving threat worldwide, and backups are priority targets for hackers. The most advanced cloud providers, such as Amazon or Microsoft, enable you to set immutability periods for repositories. Immutability protects the data in a repository from alteration or deletion, thus preventing ransomware encryption. 

Modern data backup and recovery solutions such as NAKIVO Backup & Replication can enable you to set immutability in on-premise and cloud repositories. Even in the worst-case scenario, when ransomware successfully infiltrates backup repositories, immutable backups remain usable for recovery. Integrating immutability along with threat monitoring and regular antivirus solutions into backup protection workflows can help you ensure regulatory compliance and avoid paying ransoms.

Optimize resource consumption

Modern data protection solutions can provide shorter backup windows and cut cloud storage costs with deduplication and compression features. Additionally, compressed and deduplicated backups can offload your networks when running backup workflows. This is especially beneficial when transferring large volumes of data to public cloud repositories.   

Implement thorough backup testing

The worst time to discover that your backups are unrecoverable is when the original data is already lost or unavailable. Consider implementing regular backup testing as a part of your data protection strategy. You can conduct a test upon completion of every backup workflow and perform a global recovery review at specific times.

Modern hybrid and multi-cloud backup solutions enable recovery testing on demand and by schedule. Additionally, you can run test workflows without impacting production environments. 
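An added example (not from the original post or from any vendor's product): one way to automate the per-backup test described above is to record a SHA-256 manifest when the backup is taken and check a test restore against it. The function names, file names and sample data below are assumptions constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large backup files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a test restore against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    report = {
        "missing": sorted(set(manifest) - set(restored)),
        "unexpected": sorted(set(restored) - set(manifest)),
        "altered": sorted(
            p for p in manifest if p in restored and manifest[p] != restored[p]
        ),
    }
    # Extra files are reported but do not by themselves block recovery;
    # missing or altered files do.
    report["recoverable"] = not (report["missing"] or report["altered"])
    return report


def demo():
    """Constructed scenario: one clean test restore and one damaged restore."""
    work = tempfile.mkdtemp(prefix="backup-test-")
    try:
        source = os.path.join(work, "source")
        os.makedirs(os.path.join(source, "db"))
        samples = {  # constructed sample data standing in for production files
            "db/customers.sql": b"INSERT INTO customers VALUES (1, 'a');\n",
            "db/orders.sql": b"INSERT INTO orders VALUES (1, 1, 9.99);\n",
            "config.yaml": b"retention_days: 30\n",
        }
        for rel, data in samples.items():
            with open(os.path.join(source, *rel.split("/")), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(source)  # recorded when the backup is taken

        good = os.path.join(work, "restore_ok")
        shutil.copytree(source, good)

        bad = os.path.join(work, "restore_bad")
        shutil.copytree(source, bad)
        os.remove(os.path.join(bad, "config.yaml"))           # file lost
        with open(os.path.join(bad, "db", "orders.sql"), "wb") as fh:
            fh.write(b"\x00" * 64)                             # content changed
        with open(os.path.join(bad, "stray.tmp"), "wb") as fh:
            fh.write(b"not part of the backup\n")              # extra file

        return verify_restore(manifest, good), verify_restore(manifest, bad)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for label, report in zip(("clean restore", "damaged restore"), demo()):
        print(label, report)
```

Keep the manifest somewhere the backup job itself cannot overwrite, such as an immutable repository, so that a tampered backup cannot also rewrite its own checksums.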

Restrict access to backups

Role-based access control (RBAC) and multi-factor authentication are efficient security practices that significantly improve the resilience of accounts and infrastructures. Consider using these common approaches to enhance the protection of your backup repositories and restrict access to data protection workflows.

Prepare a DR plan

A DR (disaster recovery) plan includes IT-related steps that your staff undertakes when a global incident happens. You might want to organize a disaster recovery team and share responsibilities with qualified workers to increase IT recovery efficiency. 

Last but not least, modern infrastructures with hybrid or multi-cloud backups require custom data recovery sequences, which may be complicated to compose. However, you can meet shorter recovery time objectives after planning and automating such workflows beforehand for different disaster cases. 

Conclusion

Multi-cloud and hybrid-cloud backup strategies enable higher data protection reliability and flexibility compared to other backup methods. Although the strategies are different from each other, you can use similar security practices to enhance data security and recoverability. Consider using a third-party backup solution with data encryption, ransomware protection, resource optimization, backup testing, access restriction and disaster recovery planning capabilities to implement multi-level backup and recovery workflows.

The post Multi-Cloud and Hybrid Cloud Backup: Best Practices to Reliably Secure Your Data appeared first on Cybersecurity Insiders.

Americans lost a record $10 billion to scams last year — and scams are getting more sophisticated.


Recently used to impersonate Joe Biden and Taylor Swift, AI voice cloning scams are gaining momentum — and one in three adults confess they aren’t confident they’d identify the cloned voice from the real thing.

Google searches for ‘AI voice scams’ soared by more than 200 percent in the course of a few months. Here are a few tips on how not to fall prey to voice cloning scams.

•Laugh. AI has a hard time recognizing laughter, so crack a joke and gauge the person’s reaction. If their laugh sounds authentic, chances are there’s a human on the other end of the line, at least.

•Test their reactions. Say something that a real person wouldn’t expect to hear. For instance, if scammers are using artificial intelligence to imitate an emergency call from your relative, say something inappropriate, such as “Honey, I love you.” Whereas a real person would react panicked or confused, AI would simply reply “I love you too.”


•Listen for anomalies. While voice cloning technology can be convincing, it isn’t yet perfect. Listen out for unusual background noises and unexpected changes in tone, which may be a result of the variety of data used to train the AI model. Unusual pauses and speech that sounds like it was generated by ChatGPT are also clear giveaways that you’re chatting to a machine.

•Verify their identity. Don’t take a familiar voice as proof that a caller is who they say they are, especially when discussing sensitive subjects or financial transactions. Ask them to provide as many details as possible: the name of their organization, the city they’re calling from, and any information that only you and the real caller would know.

•Don’t overshare. Avoid sharing unnecessary personal information online or over the phone. According to Alexander, scammers often phish for private information they can use to impersonate you by pretending to be from a bank or government agency. If the person on the other end seems to be prying, hang up, find a number on the organization’s official website, and call back to confirm their legitimacy.

•Treat urgency with skepticism. Scammers often use urgency to their advantage, pressuring victims into acting before they have time to spot the red flags. If you’re urged to download a file, send money, or hand over information without carrying out due diligence, proceed with caution. Take your time to verify any claims (even if they insist there’s no time).

About the essayist: Alexander Konovalov is the Co-Founder & Co-CEO of vidby AG, a Swiss SaaS company focused on Technologies of Understanding and AI-powered voice translation solutions. A Ukrainian-born serial tech entrepreneur, and inventor, he holds patents in voice technologies, e-commerce, and security. He is also a co-founder of YouGiver.me, a service that offers easy and secure communication through real gifts, catering to individual users and e-commerce businesses.

San Francisco, Calif., Mar. 7, 2024 — Badge Inc., the award-winning privacy company enabling Identity without Secrets™, today launched a new Partner Program and welcomed Identity Data Management and Analytics provider Radiant Logic as its newest partner.

Radiant Logic joins Badge’s partner network alongside marquee identity partners, Okta and Ping Identity. The new Badge Partner Program further accelerates the adoption and integration of Badge’s privacy-preserving authentication, enabling even more users to benefit from seamless MFA experiences across any device or application without storing user secrets or private keys.

“We are thrilled to be working with Badge, enabling a best-in-class authentication solution that builds on top of our market-leading identity data management and identity analytics capabilities to provide greater privacy and security to our customers,” said Wade Ellery, Field CTO, Radiant Logic.

The integration of Badge brings downstream value to Radiant Logic customers, allowing employees to enroll once and log into any application via RadiantOne using their preferred biometrics and factors of choice for a safe and holistic user experience across any device. By eliminating passwords and stored secrets, Badge bolsters Radiant Logic’s extensible identity data platform to accelerate strategic initiatives such as digital transformation, Zero Trust, automated compliance, and data-driven governance.

Zero Code Integration, SCIM Support, Resource Portal

The Badge Partner Program extends best-in-class security platforms such as Radiant Logic, Okta and Ping Identity with unprecedented MFA experiences.

Benefits of joining the Badge Partner Program include:

•Prioritized access to new features and capabilities leveraging Badge’s unique differentiator, enabling every user to be their own cryptographic root of trust.

•Zero-code integration using standard protocols, including OAuth 2.0, OIDC, SAML, FIDO, TLS, Kerberos, and others, offering effortless compatibility and enhanced functionality across a variety of systems and platforms.

•SCIM (System for Cross-Domain Identity Management) support quickly syncs users from an organization’s primary directory, eliminating the need to manually create users and automatically ensuring the right users always have access to Badge.

•Dedicated partner portal with relevant marketing materials to help streamline collaboration and empower partners in promoting Badge’s solutions effectively.

•Library of technical documentation support to configure Badge in various customer environments, including Windows desktop login, web application single-sign-on, passkeys, legacy applications, etc.

•Video demos and solution briefs illustrate end-user onboarding and authentication experiences for common use cases, such as uninterrupted device transitions for frontline workers, phishing-resistant account recovery, integration for removing private keys from workflows, etc.


“As organizations continue to realize the importance of privacy-preserving, secure, and user-friendly authentication solutions, our Partner Program is a response to new alliances and integrations with key players across the security ecosystem, moving Badge closer to our vision of becoming the identity backplane of the Internet,” said Charles Herder, Badge Co-founder and MIT Cryptography Ph.D. “By fostering collaborations with industry leaders like Radiant Logic, Okta and Ping Identity, who have some of the largest footprints in the industry, we’re building a world where trust and privacy improve user experience and drive business value instead of being in tension with each other. This sets the stage for a more connected and secure online future for everyone.”

Badge renders PII and biometric credential storage obsolete, eliminating passwords, device redirects, and knowledge-based authentication (KBA). With Badge, the user simply enrolls once, then seamlessly authenticates across ecosystems on any device using authentication factors that are unique and inherent to them. Biometric factors such as fingerprint or face can be combined with other factors to create a strong and convenient MFA method that does not rely on a specific device or token to authenticate users. Badge empowers users to move freely across devices and platforms without losing access to their accounts or compromising security.

For more information on Badge’s Partner Program, including how to join, or to schedule a demo, please contact sales@badgeinc.com.

About Badge: Badge enables privacy-preserving authentication to every application, on any device, without storing user secrets or PII. Badge’s patented technology allows users to derive private keys on the fly using their biometrics and factors of choice without the need for hardware tokens or secrets. Badge was founded by field-tested cryptography PhDs from MIT and is venture-backed by tier 1 investors. Customers and partners include top Fortune companies across healthcare, banking, retail, and services. Learn more at www.badgeinc.com.

Media contact: Frances Bigley, badge@finnpartners.com

Achieving “digital trust” is not going terribly well globally.


Yet, more so than ever, infusing trustworthiness into modern-day digital services has become mission critical for most businesses. Now come survey findings that could perhaps help to move things in the right direction.

According to DigiCert’s 2024 State of Digital Trust Survey results, released today, companies proactively pursuing digital trust are seeing boosts in revenue, innovation and productivity. Conversely, organizations lagging may be flirting with disaster.

“The gap between the leaders and the laggards is growing,” says Brian Trzupek, DigiCert’s senior vice president of product. “If you factor in where we are in the world today with things like IoT, quantum computing and generative AI, we could be heading for a huge trust crisis.”

DigiCert polled some 300 IT, cybersecurity and DevOps professionals across North America, Europe and APAC. I sat down with Trzupek and Mike Nelson, DigiCert’s Global Vice President of Digital Trust, to discuss the wider implications of the survey findings. My takeaways:

Bungled innovation

Digital trust refers to companies meeting the reasonable expectation that the digital services they offer not only protect users, but also uphold societal expectations and values. The tech sector has been preaching this for several years, acknowledging the fact that preserving trust, as digital services advance, is proving to be extremely difficult — yet crucial nonetheless.

“Trust has become absolutely paramount in the world,” Nelson observes. “Trust can be lost when you introduce digital connectivity — and digital connectivity is everywhere.”

DigiCert’s survey presents hard evidence that trust can be the basis of a winning business model. The top 33 percent of digital ‘trust leaders’ identified in DigiCert’s poll said they can respond more effectively to outages and incidents and found themselves to be in a much better position to effectively leverage innovation. Meanwhile, the bottom 33 percent found it increasingly difficult to tap into innovation.

This tug-and-pull is happening in an operating environment where digital innovation, from a global perspective, is being bungled. That’s the assessment of the 2024 Edelman Trust Barometer, a study highlighting the rapid erosion of digital trust, to the point of exacerbating polarized political views.


In such an environment, companies have a terrific opportunity to set themselves apart as being trustworthy, Trzupek argues. “The companies we view as the most trustworthy on the planet are able to provide very reliable digital services in consistent ways,” he says. “They’re able to connect people through trusted experiences.”

Emerging standards

Indeed, advanced technologies, new protocols and emerging best practices are at hand to help companies build and sustain trust.

And supply chain participants and individual consumers are eager recipients, naturally gravitating to trusted services, Nelson observes. Digital trust has, in fact, become a crucial factor in consumer purchasing decisions and corporate procurement strategies, he says.

This dynamic is highlighted by support of the Matter smart home devices standard. Matter is part of a fresh slate of technical standards that must take hold to enable massively interconnected, highly interoperable digital systems.

Since it was introduced two years ago, Matter has been embraced by some 400 manufacturers of IoT devices and close to one million Matter certificates have been issued, Nelson told me. “It’s not just in smart homes,” he says. “We’re building trust into devices in automotive and we’re seeing it in healthcare, as well.”

For its part, DigiCert has continued to advance its DigiCert ONE platform of tools and services to help companies manage their digital certificates and Public Key Infrastructure (PKI). DigiCert’s clients and prospects are steadily modernizing the way digital connections get authenticated and sensitive assets get encrypted, Trzupek told me.

“In visiting our customers over the past 18 months, I’ve seen a newfound energy for closely examining and more effectively managing PKI infrastructure, both internally and externally,” he says. “Companies are moving to update decades-old PKI systems because they realize how pivotal this is to digital trust and everything they do.”

DigiCert has also been a leader in championing the concept of “crypto agility” — the capacity to update and adapt cryptographic routines swiftly — something Trzupek and Nelson argued is rapidly becoming a business imperative.

A starting point


Leveraging advanced tools and embracing emerging best practices is all well and good for the trust leaders. But what about the laggards? For the organizations just starting down the path towards achieving and sustaining digital trust, Nelson outlined this framework:

•Knowledge and inventory: Begin with taking inventory of cryptographic assets and understanding how they’re utilized within the organization.

•Policies and enforcement: Next, establish organizational policies that outline appropriate and inappropriate behaviors regarding digital assets. Assure that these policies are enforceable.

•Centralized security: Streamline control over various business units that may have disparate practices, thereby improving visibility and the ability to mitigate risks.

•Factor in business impact: Finally, prioritize security efforts based on the potential business impact. Evaluate the consequences should certain assets go offline; focus on protecting the most critical areas first.

Lagging really is no longer an option. Geo-political conflict, remote work exposures, unpredictable usage of generative AI; these all stand to further undermine digital trust for months and years to come.

Will the laggards follow the trust leaders? I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

AI chatbots are computer programs that talk like humans, gaining popularity for quick responses. They boost customer service, efficiency and user experience by offering constant help, handling routine tasks, and providing prompt and personalized interactions.

Related: The security case for AR, VR

AI chatbots use natural language processing, which enables them to understand and respond to human language, and machine learning algorithms, which help them improve their performance over time by gaining data from interactions.

In 2022, 88% of users relied on chatbots when interacting with businesses. These tools saved 2.5 billion work hours in 2023 and helped raise customer satisfaction to 69% for $0.50 to $0.70 per interaction. Forty-eight percent of consumers favor their efficiency prioritization.

Popular AI platforms

Communication channels like websites, messaging apps and voice assistants are increasingly adopting AI chatbots. By 2026, the integration of conversational AI in contact centers will lead to a substantial $80 billion reduction in labor costs for agents.

This widespread integration enhances accessibility and user engagement, allowing businesses to provide seamless interactions across various platforms. Examples of AI chatbot platforms include:

•Dialogflow: Developed by Google, Dialogflow is renowned for its comprehension capabilities. It excels in crafting human-like interactions in customer support. In e-commerce, it facilitates smooth product inquiries and order tracking. Health care benefits from its ability to interpret medical queries with precision.

•Microsoft Bot Framework: Microsoft’s offering is a robust platform providing bot development, deployment and management tools. In customer support, it seamlessly integrates with Microsoft’s ecosystem for enhanced productivity. E-commerce platforms leverage its versatility for order processing and personalized shopping assistance tasks. Health care adopts it for appointment scheduling and health-related inquiries.

•IBM Watson Assistant: IBM Watson Assistant stands out for its AI-powered capabilities, enabling sophisticated interactions. Customer support experiences a boost with its ability to understand complex queries. In e-commerce, it aids in crafting personalized shopping experiences. Health care relies on it for intelligent symptom analysis and health information dissemination.

Checklist of vulnerabilities

Potential attack vectors can be exploited in AI chatbots, such as:

•Input validation and sanitization: User inputs are gateways, and ensuring their validation and sanitization is paramount. Neglecting this can lead to injection attacks, jeopardizing user data integrity.

•Authentication and authorization vulnerabilities: Weak authentication methods and compromised access tokens can provide unauthorized access. Inadequate authorization controls may result in unapproved interactions and data exposure, posing significant security threats.

•Privacy and data leakage vulnerability: Handling sensitive user information requires robust measures to prevent breaches. Data leakage compromises user privacy and has legal implications, emphasizing the need for stringent protection protocols.

•Malicious intent or manipulation: AI chatbots can be exploited to spread misinformation, execute social engineering attacks or launch phishing. Such manipulation can harm user trust, tarnish brand reputation and have broader social consequences.

Machine learning helps AI chatbots adapt to and prevent new cyber threats. Its anomaly detection identifies suspicious behavior, proactively defending against potential breaches. Implement systems that continuously monitor and respond to security incidents for swift and effective defense.

Best security practices

Implementing these best practices establishes a robust security foundation for AI chatbots, ensuring a secure and trustworthy interaction environment for organizations and users:


•Guidelines for organizations and developers: Conduct periodic security assessments and penetration testing to identify and address vulnerabilities in AI chatbot systems.

•Multi-factor authentication: Implement multi-factor authentication for administration and privileged users to enhance access control and prevent unauthorized entry. Using MFA can prevent 99.9% of cyber security attacks.

•Secure communication channels: Ensure all communication channels between the chatbot and users are secure and encrypted, safeguarding sensitive data from potential breaches.

•Educating users for safe interaction: Provide clear instructions on how users can identify and report suspicious activities, fostering a collaborative approach to security.

•Avoiding sensitive information sharing: Encourage users to refrain from sharing sensitive information with chatbots, promoting responsible and secure interaction.

While AI chatbots have cybersecurity vulnerabilities, adopting proactive measures like secure development practices and regular assessments can effectively mitigate risks. These practices allow AI chatbots to provide valuable services while maintaining user trust and organizational security.

About the essayist: Zac Amos writes about cybersecurity and the tech industry, and he is the Features Editor at ReHack. Follow him on Twitter or LinkedIn for more articles on emerging cybersecurity trends.

Notable progress was made in 2023 in the quest to elevate Digital Trust.

Related: Why IoT standards matter

Digital Trust refers to the level of confidence both businesses and consumers hold in digital products and services – not just that they are suitably reliable, but also that they are as private and secure as they need to be.

We’re not yet at a level of Digital Trust needed to bring the next generation of connected IT into full fruition – and the target keeps moving. This is because the hyper interconnected, highly interoperable buildings, transportation systems and utilities of the near future must necessarily spew forth trillions of new digital connections.

And each new digital connection must be trustworthy. Therein lies the monumental challenge of achieving the level of  Digital Trust needed to carry us forward. And at this moment, wild cards – especially generative AI and quantum computing — are adding to the complexity of that challenge.

I had the opportunity to sit down with DigiCert’s Jason Sabin, Chief Technology Officer and Avesta Hojjati, Vice President of Engineering to chew this over. We met at DigiCert Trust Summit 2023.

We drilled down on a few significant developments expected to play out in 2024 and beyond. Here are my takeaways:

PKI renaissance

Trusted digital connections. This is something we’ve come to take for  granted. And while most of our digital connections are, indeed, robustly protected, a material percentage are not; these range from loosely configured cloud IT infrastructure down to multiplying API connectors that many companies are leaving wide open, all too many APIs simply going unaccounted for.

Each time we use a mobile app or website-hosted service, digital certificates and the Public Key Infrastructure (PKI) come into play — to assure authentication and encrypt sensitive data transfers. This is a fundamental component of Digital Trust – and the foundation for securing next-gen digital connections.

The goal is lofty: companies and consumers need to feel very confident that each device, each document, and each line of code can be trusted implicitly. And PKI is the best technology we’ve got to get us there.


“PKI has been around for 30 years in lots of different reincarnations,” Sabin noted. “We’re hitting a massive resurgence, almost a renaissance of PKI right now, because there are so many use cases where the simple ingredients of PKI can be used very effectively to solve the business needs of today.”

Enter the concept of “cryptographic agility” —  a reference to the rise of a new, much more flexible approach to encrypting digital assets. Crypto agility has arisen because digital connections are firing off more dynamically than ever before. Thus companies increasingly require the ability to update encrypted assets in a timely manner and even switch them out as needed, Sabin says.

Post-quantum crypto

A high level of Digital Trust, one that leverages crypto agility, is needed for companies to thrive in an environment where cyber attacks are becoming more targeted and severe – and with generative AI providing a great boon to the attackers.

What’s more, a fresh layer of risks posed by the rise of quantum computing looms large. And this is where something called “post-quantum cryptography” (PQC) comes into play.

The National Institute of Standards and Technology (NIST) is in the late stages of formally adopting established standards for PQC; this will result in NIST-recommended encryption algorithms that can withstand potential threats posed by quantum computers.

Sabin pointed me to a recent Ponemon Institute polling of 1,426 IT security pros that reveals a worrying lack of PQC-readiness among companies across the US, Europe, the Middle East and Asia-Pacific. The survey found a skills shortage, budget constraints and uncertainty about PQC causing some 61 percent of respondents to acknowledge that their organizations are not prepared.

Yet quantum computing exposures are happening today. Threat actors are pursuing a “harvest now, decrypt later” strategy, Sabin told me. They’re hoarding stolen cyber assets encrypted with current day algorithms, he says, and patiently waiting for quantum hacking routines to emerge that will enable them to crack in.

PKI playground

To aid and abet the PQC transition, DigiCert has been collaborating with industry partners to develop encryption methods that can withstand the threats posed by quantum computing. DigiCert recently released the DigiCert PQC Playground—a part of DigiCert Labs designed to let security code writers and tech enthusiasts experiment with the NIST-endorsed PQC algorithms which are slated to go into effect in 2024.


Playground visitors can get in the practice of issuing certificates and PKI keys under NIST’s three most advanced encryption algorithms: CRYSTALS-Dilithium, FALCON, and SPHINCS+. Hojjati told me this free tool is intended to be an incubator for development and innovation, demystifying PQC by providing a user-friendly environment for experimentation.

The aim is to alleviate apprehension surrounding the deployment of PQC algorithms and certificates, Hojjati says. This will give software developers, CISOs and other stakeholders a sandbox to test and understand the practical implications of integrating the new NIST algorithms into their systems, he says.

As standards and best practices solidify, a new senior leadership role, the Chief Digital Trust Officer, has cropped up. The office of CDTO is gaining traction in large enterprises that are proactively pursuing Digital Trust. These new security leaders are not just technologists, Sabin says, they are strategists and visionaries.

“In the last 18 months we’re already seeing a number of companies create this new C-level role, recognizing that Digital Trust is critical to their capabilities, their business objectives and the vision of the company,” Sabin says.

As we turn the corner into 2024, Digital Trust is in sight. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

 

Threat intelligence sharing has come a long way since Valentine’s Day 2015.

Related: How ‘Internet Access Brokers’ fuel ransomware

I happened to be in the audience at Stanford University when President Obama took to the stage to issue an executive order challenging the corporate sector and federal government to start collaborating as true allies.

Obama’s clarion call led to the passage of the Cybersecurity Information Sharing Act, the creation of Information Sharing and Analysis Organizations (ISAOs) and the jump-starting of several private-sector sharing consortiums.

Material progress in threat intel sharing, indeed, has been made. Yet, there remains much leeway for improvements. I had the chance to discuss this with Christopher Budd, director of Sophos X-Ops, the company’s cross-operational task force of security defenders.

Budd explained how Sophos X-Ops is designed to dismantle security silos internally, while also facilitating external sharing, for the greater good.

For a full drill down, please view the accompanying videocast. Here are my takeaways.

Overcoming inertia

Threat actors haven’t been exactly sitting on their laurels. Case in point: fresh intel just released in Sophos’  Active Adversary Report for Security Practitioners discloses how telemetry measuring network activity has begun turning up missing on a grand scale – in nearly 42 percent of the incident response cases examined by Sophos’ analysts between January 2022 and June 2023.

These gaps in telemetry illustrate just how deep and dynamic the cat vs. mouse chase has become; in some 82 percent of these cases the attackers purposefully disabled or wiped out the telemetry to hide their tracks.

“Because of improved network defenses, the attackers are innovating ways to get in and out as fast as they can,” Budd says.  “We’ve been dealing with this arms race for decades; at this point, not only is it an arms race, but it is also a highly caffeinated arms race.”


Overcoming inertia remains a big challenge, Budd adds. Historically, network security has been marked by siloed security operations; unilateral teams got stood up to carry out email security, vulnerability patching, incident response, etc. — interoperability really wasn’t on anyone’s radar.

Meanwhile, the network attack surface has inexorably expanded, even more so post Covid 19, as companies intensified their reliance on cloud-centric IT resources. And today, with the mainstreaming of next-gen AI tools, attackers enjoy an abundance of viable attack vectors, putting security teams that operate unilaterally at a huge disadvantage.

Joint task force approach

Sophos X-Ops launched in July 2022 to apply a joint task force approach to protecting enterprises in this environment. Budd directs a cross-operational unit linking SophosLabs, Sophos SecOps and SophosAI, bringing together three established teams of seasoned experts.

From this command center perspective, real-world strategic analysis happens continuously and in real time. The task force can deploy leading-edge detection and response tools and leverage the timeliest intelligence. It’s much the same approach that has proven effective time and again in military and emergency response scenarios.

“The benefit of a joint task force model is you maintain excellence and expertise in each domain area,” Budd says. “You don’t dilute the expertise in that domain area; you break down the silos by bringing each piece that you need for that unique threat to build a unique solution.”

The incident response team, for instance, might zero in on suspicious activity to gather hard evidence that gets turned over to malware experts for deeper analysis. AI specialists might then jump on board to develop an automated mitigation routine, suitable for scaling. And the entire mitigation effort gets added to the overall knowledge base.

This is how the Sophos X-Ops team helped neutralize a recent spike in ransomware attacks against Microsoft SQL servers. The joint task force unraveled how the attackers were able to leverage a fake downloading site and grey-market remote access tools to distribute multiple ransomware families. The campaign was thwarted by pooling resources and jointly analyzing the attackers’ tactics.

External sharing

It struck me in discussing this with Budd that the joint task force approach directly aligns with Obama’s call for stronger alliances on the part of the good guys. Notably, Sophos X-Ops from day one has actively participated in external sharing, via the Cyber Threat Alliance (CTA) and the Microsoft Active Protections Program (MAPP).

The CTA is a coalition of some two dozen companies and organizations, led by Cisco, Palo Alto Networks, Fortinet and Check Point, committed to sharing actionable threat intel in real time. Members proactively share information on emerging threats, malware samples and attack patterns.

With MAPP, Microsoft aims to share fresh vulnerability patching alerts with security vendors before public disclosure. This gives the security vendors a head start in developing patches and affords them a head start in distributing patches. This strengthens the overall Windows ecosystem, Budd noted.

As cyber threats continue to evolve and scale up, the urgency for companies and government agencies to do much more of this is intensifying. The good news is that the advanced technologies and vetted best practices required to completely dismantle security silos, as well as to extend external sharing far and wide, are readily available.

This all aligns with the notion that deeper levels of sharing must coalesce if we are to have any hope of tempering continually rising cyber threats. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

 

QR code phishing attacks started landing in inboxes around the world about six months ago.

Related: ‘BEC’ bilking on the rise

These attacks prompt the target to scan a QR code and trick them into downloading malware or sharing sensitive information.

In June, we started seeing these types of attacks amongst our customer base. Since June, there has been a fourfold increase in the search volume around keywords associated with these types of attacks.

Within the last week we have identified 655,0000 QR codes for our customers, of which 1,000 contained suspicious text and 8,000 came from a domain with a low rank (a freemail or a new email address, which are both flags for malicious senders). This is a true reflection of the attack landscape.

Scans slip through

These attacks are so successful because many traditional email security tools focus only on text-scanning, allowing image-based attacks to slip through. When attacks reach the inbox, users have a natural reaction to “scan the code,” assuming it’s legitimate.

When they do, many users don’t have any apprehensions around scanning QR codes because the assumption is that QR codes are legitimate. Also, users generally receive the email on their device but scan the QR code with their phone.

Mobile phones often don’t have the same level of corporate protections that desktops do. A lot of companies find themselves looking in the rear-view mirror post-compromise to see the anomalies detected like a new IP address/device that sent the attack email.


At this stage, companies should (at a minimum) educate their employees about the prevalence of these attacks, and the key things to look out for as the most basic form of protection against them. For example, users should know that Microsoft, Zoom, ZenDesk and other platforms will NEVER ask you to log in via QR code, which is something that users may often fall prey to.

Attacker friendly

Looking at hacker economics here, it is easy to understand why these attacks are so popular: they come with a low investment of cost and time, and they can be scaled up without much effort. In some cases, these attacks are also hard to detect. As a few examples:

•Secure email gateways pick up the first URL a QR code sends them to, but not the malicious redirect.

•Text can be embedded in the image of the QR code itself, which text-based systems won’t pick up – Optical Character Recognition (OCR) is required.

Best practices

So how do you defend your enterprise against QR code phishing attacks?

The first step business leaders should take is determining if there is a legitimate use case for QR codes being used via email in their business. QR codes only make life easier if they don’t come with a side of malware, or a scam to steal information. Beyond that, here are a few best practices:

•Determine if the email contains a QR code and if it is from an untrusted sender or a sender with a low domain rank. Each company has to determine what they deem to be an “untrusted sender”; it can be a sender with a recently registered domain, a first-time sender to the user or a user that has not been seen across the company or the platform.

•Read QR codes to determine if text is hidden in an image that isn’t in text form, or extract and follow the URL to determine if it is malicious. In image-based attacks, images can be added to a deny list and emails containing anything similar can be blocked.

•With the QR code landscape evolving and new QR codes coming out constantly, attackers can keep iterating these attacks. A recent method involves a malicious QR code in PDF attachments. As such, it is important to not only scan text and images in the email body, but in attachments as well.

•Use tooling to determine if you hover over the QR code and get a redirect. If not, you’ll know that the code is not legitimate.
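The first three practices above, combined into one triage pass, as an added example that is not part of the original essay or any vendor's code. The QR decoder is passed in as a function because real decoding needs an image library; `fake_decoder`, the sender lists, the verdict names and every message value below are constructed assumptions.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed policy data: each company defines "untrusted sender" for itself.
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
KNOWN_SENDERS = {"helpdesk@corp.example"}
# Scan attachments as well as inline images, since QR codes also arrive in PDFs.
SCAN_TYPES = {"image/png", "image/jpeg", "image/gif", "application/pdf"}


def triage(raw_bytes, decode_qr):
    """Return a verdict for one raw message.

    decode_qr(bytes) -> list[str] is supplied by the caller and returns the
    decoded payload of every QR code found in an image or PDF part.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    addr = parseaddr(str(msg.get("From", "")))[1].lower()
    domain = addr.rpartition("@")[2]

    findings = []
    for part in msg.walk():  # walks body parts and attachments alike
        ctype = part.get_content_type()
        if ctype not in SCAN_TYPES:
            continue
        data = part.get_payload(decode=True) or b""
        for text in decode_qr(data):
            findings.append({"part": part.get_filename() or ctype, "payload": text})

    reasons = []
    if findings:
        if domain in FREEMAIL:
            reasons.append("freemail sender")
        if addr not in KNOWN_SENDERS:
            reasons.append("first-time sender")

    # URLs are only queued here; following redirects is a separate, sandboxed step.
    urls = [f["payload"] for f in findings
            if urlsplit(f["payload"]).scheme in ("http", "https")]
    if not findings:
        verdict = "deliver"
    elif reasons:
        verdict = "quarantine"
    else:
        verdict = "review"
    return {"verdict": verdict, "sender": addr, "reasons": reasons,
            "findings": findings, "urls_to_analyze": urls}


def build_sample(sender):
    """Constructed message: a logo image plus a PDF that carries the QR code."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Action required: re-enroll MFA"
    msg.set_content("Scan the code in the attached notice with your phone.")
    msg.add_attachment(b"\x89PNG-constructed-logo", maintype="image",
                       subtype="png", filename="logo.png")
    msg.add_attachment(b"%PDF-constructed-qr", maintype="application",
                       subtype="pdf", filename="notice.pdf")
    return msg.as_bytes()


def fake_decoder(data):
    """Stand-in decoder for the demo: pretends only the PDF contains a QR code."""
    return ["https://login.example.net/r?u=abc"] if data.startswith(b"%PDF") else []


if __name__ == "__main__":
    print(triage(build_sample("Microsoft 365 <mfa-reset@gmail.com>"), fake_decoder))
```
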

Staying on top of how these attacks evolve and ensuring that your defense mechanisms follow suit can feel like a full-time job. However, cloud email security providers can offer a series of defense mechanisms—from QR code scanning, to perceptual hashing, OCR-based detection and URL and behavioral analysis.

Tools and services are readily available to ensure these attacks don’t hit users’ inboxes in the first place, or have a fighting chance at being successful in their phishing attempts.

Make sure to always check the waters before you swim (or in this case, scan).

About the essayist: Allen Lieberman is the Chief Product Officer at Tessian. Prior to Tessian, Allen was at VMware Carbon Black for nearly a decade, where he held roles including Senior Director of Product Marketing and VP of Product Management.