Identity security is one of the most significant issues facing individuals and businesses.…… Free Membership Required You must be amore...
You must be a Free member to access this content.
The cybersecurity industry seems addicted to research but isn’t all that good at it. Mining the massive amount of data produced is daunting but crucial to everyone.
Surveys and studies are an important part of marketing form the cybersecurity industry. Cyber Protection magazine receives a lot of them. We read them all. In the two months before the RSA Conference, more than one a day came into our inbox. However, they are not a great source of independent data and insight.
Ignoring the cherry-picked data highlighting a particular company’s product or service, there are a few nuggets that, taken together, produce some interesting insights. Out of 60+ reports, we took a pass on any that were repetitive, were suspect methodologically, or effectively plagiarized from another source. We chose to look at seven with a solid methodology, representation of industry-wide concerns, and originality. The reports came from Dynatrace, Black Kite, SlashNext, Metomic, Originality AI, Logicgate, and Sophos. We found three common themes: The impact of AI on security, government regulation compliance, and understanding of security concerns on the C-suites and board levels.
Understanding security issues.
Almost every study has a common complaint. CISOs say application security is a blind spot at the CEO and board levels. They say increasing the visibility of their CEO and board into application security risk is urgently needed to enable more informed decisions to strengthen defenses.
However, Dynatrace’s study said CISOs fail to provide the C-suite and board members with clear insight into their organization’s application security risk posture. “This leaves executives blind to the potential effect of vulnerabilities and makes it difficult to make informed decisions to protect the organization from operational, financial, and reputational damage.”
Recent news shows the study may have a point. Marriott Hotels admitted that a 2018 breach was the result of inadequate encryption of customer data. In 2018 the company claimed their data was protected by 128-bit AES encryption when customer identity was only protected by an outdated hashing protocol. One can imagine the discussion between the CEO and the IT department:
CEO: is our data encrypted?
IT manager: Yeah, sort of.
CEO: OK, good enough
If the CEO doesn’t understand the difference between a hash and AES encryption, that’s a problem.
And there many be evidence that ignorance is widespread. Apricorn reported that the number of encrypted devices in surveyed companies had dropped from 80 percent to 20 percent between 2022 and 2023. Some of that could be attributed to work-from-home (WFH) growth in companies. It is also likely that companies over-reported what was encrypted simply because they did not understand what “encryption” meant. Once they learned the meaning, adjustments were made.
That lack of a foundational security technology could be a reason for the devastating growth in ransomware in the past two years.
Cyber Protection Magazine posted a long article about Google’s decision to start de-listing California-based newspapers. We strove to be as objective as possible and present both sides of the argument, but we did say that the opponents were missing the point, hoping that the point would be obvious in the discussion. Here, however, we want to shed objectivity and make the point clear.
Google’s move, generously described, is a preemptive response to California’s Journalism Preservation Act (AB 886) that has yet to pass the Senate. The act will require Google to sit down and negotiate with California publishers over the fair price of publishing content from those media sites.
Note that the bill is not mandating a price. It is mandating a negotiation. That changes the nature of the discussion.
The debate over the appropriateness of the Congressional action against TikTok can be debated for a long time and probably will until the Senate takes action—which could be weeks. What is less debatable is TikTok’s, and pretty much all of the social media industry’s contribution to the situation. In essence, social media has hung itself with its own lifeline.
The industry has long embraced Section 230, a section of Title 47 of the United States Code that classifies them as part of the telecommunications industry. That particular law immunizes social media platforms and users from legal liability for online information provided by third parties. The section also protects web hosts from liability for voluntarily and in good faith editing or restricting access to objectionable material, even if the material is constitutionally protected. These protections do not apply to what is traditionally known as “the media.” That is an important distinction.
The FCC also regulates related to the foreign ownership of telecommunications companies, broadcast, and cable companies, in that it is not allowed. If TikTok expects protection under Section 230, it has to abide by all the FCC regulations, including ownership. In that case, the legislation is consistent with US law.
News media or Telecom?
However, the CEO of TikTok has made the case that the legislation infringes on the First Amendment rights of the company, creators, and users because… wait for it … TikTok is a major source of news for users. In other words, it is a news medium. According to TikTok, 43 percent of users rely on the app for daily news. But that sets up an entirely different problem.
Print, broadcast, and cable media are bound by ethics and laws to print truth. If they knowingly publish defamatory and untrue information, they can be sued by the injured party. That was most recently and famously demonstrated in the lawsuits against Fox News and Rudy Guiliani for intentionally spreading lies about election technology related to the 2020 US election.
Those same lies were and still are spread on social media platforms, including TikTok, with impunity under the protection of Section 230. But if they are a news medium, the protections of Section 230 go away and TikTok and creators who spread disinformation can now be held accountable for libel and slander.
Social media companies can adjust algorithms limiting what kind of information can be distributed on their networks and they reluctantly apply those restrictions when they are pushed to. But they can’t be sued for disseminating that information under Section 230. If they
This content requires that you purchase additional access. The price is $1.00 or free for our Premium members.
President Joe Biden took a step forward in protecting American's data this week and issued an executive order (EO) to protect Americans’ personal information from hostile governments.
You must be a Free member to access this content.
French regulators recently warned that a January 2024 cyber-attack on two major healthcare sector companies caused over 33 million people’s………more...
You must be a Free member to access this content.
Generative AI platforms have dominated news cycles for much of 2023 and that probably won’t abate in 2024. That isn’t surprising. The technology is spreading through every facet of life. Our lead article from the 2024 predictions issue!
You must be a Premium member to access this content.
Canadians are arguably the nicest people in the world. So we called up our favorite Canadian “cybersleuth”, Ian Thornton-Trump, Cyjax’s CISO. to get the skinny.
Read more...
But SMEs are on their own The use of the law to shut down malicious use of Cobalt Strike ismore
Read more...