This is January's news and product roundup from Cyberday. To sign up for our next admin webinar (where we go through these things live), chek out our Webinars-page.
The European Union has developed the world's first comprehensive AI regulation, a landmark development for AI security. This AI Act aims to safeguard human rights while encouraging innovation, and is due to be enforced two years after its final text is released, which is anticipated soon.
The AI Act targets AI of different risk levels:
AI that presents an 'unacceptable risk', such as real-time facial recognition and manipulative behavior, will be prohibited, protecting individuals from misuse. Notably, remote biometric identification in public will be banned, but with specific exemptions for law enforcement roles.
High-risk AI systems will be subject to scrutiny before being brought to the market and throughout their lifecycle. Providers of high-risk AI systems will be required to conduct human rights impact reviews before launching their product. Transparency is also a crucial factor, with requirements for certain AI systems to inform users if they are interacting with a machine.
Penalties for non-compliance vary: violations of unacceptable risk could lead to huge fines, up to 7% of global annual turnover or 35 million euros, whichever is greater. High-risk systems can attract a fine of up to 3% or 15 million euros, and 1.5% for disclosing inaccurate information.
The AI Act aims to tackle risks posed by AI applications, define obligations for AI users, enforce compliance, and propose a governance structure at a European and national level.
VF Corp, the parent company to familiar brands such as Timberland and The North Face, fell prey to a severe ransomware attack. There has been ambiguity surrounding the nature of the breached data, due largely to the company's reticence. However, industry experts predict that the stolen data could potentially contain sensitive elements such as customers' order details, contact information and addresses.
Following the breach on December 13, 2023, the company's IT systems were encrypted by the attackers. The cyber assault disrupted the company's operations, including the processing and fulfillment of online orders during the vital holiday season. Despite the turbulence, it was stated by the company that there has been no evidence that customer passwords were stolen, but it is always wise to be cautious with such statements.
In the aftermath of the incident, VF Corp aims to recover their losses through a cyber insurance policy. This instance emphasizes the importance for businesses of all sizes and sectors to prioritize cybersecurity measures, and how an extensive insurance policy can provide a viable safety net in the event of such breaches.
Allianz Risk Barometer is a survey targeted at around 3000 risk management professionals. In 2024 edition's results, cyber incidents, business disruptions, and natural disasters surfaced as the leading global business risks. For the first time, cyber incidents topped the list with a clear margin (5%) before the next risks.
The increasing cyber concerns center around data breaches, attacks on infrastructure, and ransomware attacks. Organizations, regardless of their size, are feeling the sting of these threats. However, the resilience gap, the capacity to recover quickly from difficulties, has notably widened because smaller businesses lack the time and resources for risk management. Bigger enterprises meanwhile have increased resilience investments e.g. due to COVID-19 pandemic. The shortage of skilled cyber security workforce aggravates these concerns as it affects cyber defense measures directly.
Other looming threats include political uncertainties and economic instabilities. The pervasive concerns are reflective of the primary issues that enterprises are combating, such as digitalization, climate changes, and uncertain geopolitical environment. These can potentially shake the foundation of supply chains and business models, calling for a robust resilience system.
In the recent security news, a significant trend is the use of harmful advertisements by cybercriminals to redirect users to malevolent versions of popular apps; FreeCAD here being a typical example. The issue persists despite Google's efforts to combat it. This calls for caution from users when downloading apps. To ensure safety, strict guidelines for employees concerning software downloads are recommended. Additionally, it is essential to scrutinize search engine results and always confirm website authenticity before initiating any software download. Personnel measures shouldn't be limited to guidelines but also extends to user awareness about the potential harm and techniques these fraudulent adverts can inflict or use.
Cybercriminals have managed to trick people into downloading compromised versions of widely-used free software. These harmful ads, usually appearing above organic search results, often come before links leading to the authentic software. Despite Google's substantial anti-abuse workforce, malevolent individuals constantly devise clever ways to evade detection, hence, instances of fraudulent ads leading to malware are quite common.
Both Veolia North America - the world's largest private player in the water sector - and Southern Water have recently become victims of ransomware attacks, with the Black Basta group claiming responsibility. The attacks have e.g. disrupted backend systems, affected online bill payment services of Veolia's Municipal Water division, and have put personal customer data at risk.
These incidents continue the recent trend of cyber attacks on water sector companies, following e.g. recent attacks in Ireland that stopped water services for two days. Veolia and Southern Water are currently managing the impact of these incidents.
In a recent report from the UK's National Cyber Security Centre (NCSC), the potential impact of AI technology on the cybersecurity realm has been discussed. The report highlights that AI presents both opportunities and threats to our digital landscape.
AI has a dual-use nature. It can bolster our security measures, while also paving a way for cybercriminals to exploit existing vulnerabilities. One concerning factor is that AI can amplify the scope and implications of cyber attacks. Alarmingly, all tiers of cyber threat actors have started integrating AI into their operations. AI also plays a crucial role in accentuating reconnaissance, the cyber intelligence gathering process, and escalating the efficacy of social engineering attacks.
The flurry of AI advancements implies faster and more efficient data analysis by threat actors, which can be used to train AI models. As a consequence, the impact of cyber attacks is poised to surge. An increasing accessibility to AI tools diminishes barriers for emerging cyber criminal activities, contributing to the growing threat of global ransomware within the next couple of years.
The democratization of AI-driven capabilities in both criminal and commercial markets will likely equip cyber crime and state actors with advanced tools. We're seeing an era where better tools for cybercrimes are easily available, pointing towards a future marked by exacerbated cyber threats.
We renewed the Reporting main page in Cyberday.
Goal was to more clearly group different kinds of reports, as we've been adding and will keep adding many different kinds of reports to Cyberday. We also display covers which already give an idea about the report contents.
We're going to be doing more reporting related development in the near future. 👍
We made improvements on Cyberday Academy and will keep on producing more content there regularly. More videos, blogs and helps to assist you in getting most out of Cyberday!
You can now create report collection from the renewed Reporting-page.
When you create a report collection, these reports will be displayed on a separate tab (in the web client). In Teams the way to do the same thing is to add Cyberday app to a team.
Report collections can be used to e.g. gather together important reports to share for your auditor or top management, without granting them more extensive rights to the ISMS.
We introduced a couple of improvements on compliance reports
Embed reports now support accessible keyboard navigation to the appropriate part of the report. In the future, we will try to prioritize and study other accessibility improvements as well.
You can now also print out these reports for e.g. archiving, with a print view that shows all the details on one page - without navigation.
.png)
Elevate Your Knowledge with Exclusive Access to Weekly Webinars, Video Courses, Help Articles, and Blogs.
