Google Warns Users About Phishing Scam Targeting 2 Billion Active Accounts

Google has recently issued a security alert regarding a sophisticated phishing scam that is targeting its massive user base of 2 billion active accounts. The company has made it clear that emails coming from the address “no-reply@accounts dot google dot com” are fraudulent and have nothing to do with Google or its services. These deceptive emails are claiming that user data has been compromised or leaked and that immediate action is required, but in reality, they are part of a scam designed to steal personal information.

The Phishing Scam Explained

Over the past two weeks, users, particularly those residing in major metropolitan areas in the United States, have reported receiving emails that seem to come from a legitimate source—Google itself. The emails appear to be official communications, which makes them particularly dangerous. They encourage recipients to click on embedded links, which purportedly lead to government actions requiring access to their data. The message warns that the user’s data may contain blasphemous content or material that threatens national security, and that it needs to be reviewed by government authorities.

The email even goes as far as to claim that it is acting under a subpoena from the U.S. government, further convincing the recipient of its authenticity. However, Google has categorically stated that it does not, nor will it ever, send emails requesting users to share sensitive information such as passwords, one-time passcodes (OTPs), or biometric data. These types of requests are clear signs of phishing attempts, and users are urged to stay vigilant.

The Dangers of Clicking Links in Phishing Emails

The primary danger of these phishing emails lies in the links they contain. Clicking on these links can direct users to fake, malicious web pages that are designed to harvest sensitive information like login credentials, financial details, and other personal data. These fraudulent pages may appear convincingly real, and some even claim to be official Google or government portals. However, once the victim enters their personal information, the attackers gain full access to their accounts, putting them at risk of identity theft, financial loss, and even legal trouble.

To make matters worse, these fake web pages often carry threats of legal action against the victim, warning them of potential criminal charges related to illegal data use or internet misuse. This tactic creates unnecessary fear, pressuring victims into complying with the fraudsters’ demands.

A New Level of Deception: Using Gmail as a Gateway

In the past, cybercriminals have mostly relied on fake emails related to delivery services like FedEx, UPS, and DHL Express to lure users into clicking on malicious links. These scams typically involve fake tracking updates, pushing users to disclose their personal identifiable information (PII). However, this latest phishing scam marks a worrying escalation. Cybercriminals are now leveraging one of the most widely used and trusted services in the world—Gmail—to distribute their malicious content.

Since Gmail is an essential tool for billions of people worldwide, hackers see it as a prime target. The fact that these fraudulent emails are being sent from an email address hosted on Google’s own servers adds an alarming layer of authenticity to the scam, making it even harder for users to spot the fraud. It raises questions about whether Google needs to implement stricter security measures to prevent its own platform from being used as a vehicle for such attacks.

Google’s Response and User Advice

Google has advised all Gmail users to remain cautious and not to click on any links or follow instructions in emails that request personal information or seem suspicious in nature. The company strongly recommends that users report any phishing attempts and delete such emails immediately.

Furthermore, users are encouraged to keep their devices up-to-date with the latest security patches and use strong, reputable anti-malware solutions to protect themselves from threats. This includes ensuring that their operating systems, browsers, and other software are fully updated to patch vulnerabilities that could be exploited by attackers.

Conclusion: Staying Safe in a Digital Age

With cybercrime continuing to evolve, it’s more important than ever to be aware of phishing scams and the tactics used by cybercriminals. While Google has taken steps to warn its users, the responsibility ultimately lies with individuals to stay informed and cautious. By remaining vigilant and adopting good cybersecurity practices, users can better protect themselves from falling victim to these ever-growing threats.

Despite Google’s efforts to safeguard its platform, the fact that phishing emails are being sent from its own servers underscores the need for further action and security enhancements. As we continue to rely on digital services, maintaining a high level of awareness and security is essential to avoiding scams and protecting our personal data.

The post Google Warns Users About Phishing Scam Targeting 2 Billion Active Accounts first appeared on Cybersecurity Insiders.

The post Google Warns Users About Phishing Scam Targeting 2 Billion Active Accounts appeared first on Cybersecurity Insiders.

May 21, 2025 at 11:11AM

Read More

It’s Time to Move Away from the “Phonebook” Approach to Cybersecurity

Database expert Dominik Tomicevic highlights the limitations of traditional cybersecurity defense methods and why knowledge graphs could be a better avenue for the CISO to pursue 

Data shows that the global cost of cybercrime will soar by four trillion dollars over the next four years, rising from $9.2 trillion in 2024 to an estimated $13.9 trillion by 2028. Does this mean organizations must simply accept cyberattacks, malware, phishing, and other threats as endemic and ever-growing challenges?

Not necessarily. Greater vigilance and innovation in cybersecurity strategies can change the trajectory. While embracing digital technologies and the cloud has undeniably boosted convenience and productivity, it has also introduced significant vulnerabilities. Increasing reliance on open-source libraries to speed development—rather than building all code in-house—has, in turn, exposed organizations to new and serious risks.

Traditional cyber methods don’t work anymore

But the benefits are simply too great to ignore. The drive toward digital, online, and cloud-based operations is unstoppable, as is the growing reliance on externally sourced or AI-generated code. The problem is that most current cybersecurity methods fall short because they rely on models that are too rigid—both in how they represent the world and how they adapt to change. This is where developers we work with have identified a better way to help curb these dangers, at least to some extent.

The reason current systems of record for cyber vulnerabilities often falter is that they are built on the relational data model, which functions much like a “phonebook.” A phonebook offers a static, alphabetical list of individuals—but real life is far more complex, shaped by friendships, families, workgroups, rivalries, and constantly evolving relationships. Static models simply can’t capture the dynamic nature of modern digital environments.

Attackers understand this. They don’t exploit static lists—they target the living, breathing web of human connections. In other words, they aren’t studying organizational charts or formal hierarchies; they focus on the real-world links between people, creeping through systems to exploit user permissions not in isolation, but as gateways into broader networks.

This is why social engineering is so effective. If one person is compromised, who else might be vulnerable? What systems do they access? Who do they interact with daily? Attackers are disturbingly good at tracing these pathways—and exploiting them to devastating effect.

There’s another key limitation with the phonebook model—or more technically, with traditional relational approaches to cybersecurity: speed. Moving fast is essential, but modeling real-world complexity with relational databases requires many JOIN operations, which quickly become computationally expensive. In a multi-step attack, it might take 10 to 20 JOINs just to assemble a clear picture, and by then, the process could either time out or consume so many resources that it becomes impractical.

Trying to defend against adversaries who map and exploit dynamic relationship networks is incredibly challenging. A bad actor can quietly slip in a change request to open port 40 in a cloud security configuration, and in a highly connected system, that single move could silently unlock 1,000 other doors—with no clear way of knowing where they are.

The key element in the security war is relationships

That’s not just a vulnerability. That’s a nightmare. What’s becoming clear is this: a better way to understand the complex relationships and interdependencies within cyberspace could not only strengthen defensive postures, but also enable faster, more decisive action.

In response, more and more organizations—whether protecting their own systems or building cybersecurity solutions—are turning to graph-based approaches to model relationships and information. After all, every employee’s access to business services and systems creates a connection—a relationship—between individuals and the resources they use.

Player No 2 has entered the game

Which is why graph technology matters: it models systems clearly and powerfully by representing users, systems, and data as nodes, and the permissions and connections between them as edges. This “graph thinking” isn’t new—it’s exactly how attackers view your environment during penetration testing. They don’t see a flat network; they see a connected web of relationships and look for paths they can exploit to move laterally.

Graph technology allows defenders to adopt the same perspective before threats emerge. At its core, graph technology is about relationships—and whether it’s employees and devices, users and applications, or systems and services, a graph database can accurately capture the complex way your organization truly operates.

Crucially, graph technology doesn’t just deliver better visibility—it also dramatically improves speed of response. Because graphs eliminate the need for complex queries and costly JOIN operations, problems can be solved on a linear, not logarithmic, timescale. Connections can be mapped in seconds, not hours, giving security teams the clarity and agility they need to stay ahead of threats.

So where does AI fit into this picture? The next natural evolution is leveraging machine learning, AI, and advanced data techniques. A graph-based approach not only strengthens cybersecurity today, it also lays a powerful foundation for future AI initiatives, enabling faster, smarter, and more adaptive defenses.

The potential of a graph-based approach to navigating the intricate network of relationships that underpin cybersecurity challenges is immense. However, without adopting smarter, more adaptive cybersecurity strategies, both businesses and society will continue to fall behind in the relentless battle against cyber threats—threats that often understand our systems and vulnerabilities better than we do ourselves.

The author is the CEO of knowledge graph leader Memgraph

The post It’s Time to Move Away from the “Phonebook” Approach to Cybersecurity first appeared on Cybersecurity Insiders.

The post It’s Time to Move Away from the “Phonebook” Approach to Cybersecurity appeared first on Cybersecurity Insiders.

May 21, 2025 at 10:18AM

Read More

UK Cyber Crime takes a new turn towards TV show the Blacklist

Cybercriminals in the UK have recently shifted their attention to a new, high-profile target: UK retailers. This marks a significant escalation in the threat landscape, where digital criminals are now turning their focus on disrupting major businesses. In a bizarre twist, these groups seem to have taken inspiration from The Blacklist, a hit TV show that gained popularity after its 2013 debut. The show, which became especially popular with younger audiences, might have unwittingly inspired the name choices of these cybercriminals, who now associate themselves with the notorious characters of Raymond “Red” Reddington and Dembe Zuma, despite having no actual connection to the producers or actors behind the series.

One of the latest victims, the Co-Op, has failed to meet the ransom demands set forth by the DragonForce ransomware group. This refusal has prompted the hackers to announce their intentions to leak the stolen data on the dark web. Worse still, they are reportedly prepared to sell this information to verified parties who are willing to pay for it. This move underscores a disturbing trend of increasing sophistication in cyberattacks, with ransomware gangs now using stolen data as a commodity on the black market.

Financial Fallout for Retailers and CEOs

The ripple effects of these cyberattacks are not limited to the technical side of operations but extend to the financial health of companies. Stuart Machin, CEO of Marks and Spencer, revealed the significant economic impact his company faced when it became embroiled in the latest wave of cybercrime. The retailer’s share prices plummeted by 15%, and as a consequence, Machin’s personal compensation is expected to take a substantial hit, with a projected £1.1 million reduction in his pay.

This serves as a stark reminder of how cyberattacks can create widespread financial repercussions, not just for the companies themselves but also for top executives who are often held accountable for the company’s performance.

NHS England Takes Preventive Measures Amid Rising Threats

As these threats loom larger, NHS England has been actively urging companies—particularly those in critical infrastructure sectors—to strengthen their cybersecurity defenses. Experts within the healthcare sector have warned that ransomware groups like DragonForce could strike not just once but multiple times, wreaking havoc on both public and private entities. To address this, NHS England has developed a new cybersecurity charter aimed at countering the growing ransomware threat. While the framework itself is not groundbreaking—many similar initiatives already exist globally—the NHS’s focus on collaboration and unified action across organizations is a step in the right direction.

Cybersecurity experts agree that it is no longer a matter of if an organization will be attacked, but when. The emphasis is shifting towards preparedness and resilience, ensuring that businesses can weather these attacks without losing critical data or facing prolonged operational disruptions.

The Co-Op’s Digital Disruption: A Misleading Report?

In a surprising twist, the Co-Op, which initially denied any impact from a cyberattack, has faced significant operational disruptions. Early reports suggested that a configuration error, rather than a cyberattack, had caused a shutdown of the retailer’s digital systems. However, this technical mishap had far-reaching consequences. It severely impacted the company’s supply chain and logistics functions, leading to widespread shortages in deliveries—a scenario that often mirrors the aftermath of a full-scale cyberattack. This confusion has only added to the complexity of the situation, with many questioning whether the incident was indeed a case of poor configuration or whether there was more to the story than meets the eye.

DragonForce: A Ransomware Group with a Unique Twist

To wrap things up, while the criminal activities of the DragonForce group are undeniably alarming, it’s worth noting that they have chosen to link their identity to the characters from The Blacklist. This strange connection has no bearing on the actual content of the show, nor any direct involvement with its creators. However, the group’s decision to associate itself with figures like Raymond Reddington and Dembe Zuma speaks to the growing trend of cybercriminals branding themselves in ways that make their attacks seem almost theatrical. It’s as if the cyber underworld is using popular culture references to cultivate an aura of mystique or even intimidation.

As ransomware attacks continue to evolve in both scale and sophistication, the cybersecurity community, businesses, and consumers alike must remain vigilant and proactive in safeguarding their digital infrastructures. The risk is real, and the stakes are higher than ever.

The post UK Cyber Crime takes a new turn towards TV show the Blacklist first appeared on Cybersecurity Insiders.

The post UK Cyber Crime takes a new turn towards TV show the Blacklist appeared first on Cybersecurity Insiders.

May 20, 2025 at 10:54AM

Read More

Ransomware’s Next Target: Strengthening Critical Infrastructure Against Emerging Cyber Threats

Ransomware increasingly targets critical infrastructure, threatening essential services and national security. Over 66% of critical infrastructure organizations in the US have faced attacks in the past 12 months, some experiencing over 100. As these attacks grow more frequent and sophisticated, organizations struggle to secure their networks. Legal and financial risks are rising, with 36% of victims paying ransoms, sometimes violating laws. There is an urgent need to adopt defense strategies to protect sectors like energy, transportation, and healthcare from major disruptions.

Unseen Vulnerabilities in Critical Infrastructure

Ransomware not only exploits known vulnerabilities but also broader gaps, such as poor configuration, outdated systems, and weak security monitoring. A common issue is neglecting basic security practices like the CIS (Center for Internet Security) benchmarks.

Many organizations implement these benchmarks but fail in ongoing management and real-time risk assessments. For instance, IT may approve changes without assessing the impact on security, lowering protection and leaving assets exposed. Many systems lack real-time monitoring, allowing ransomware to exploit unnoticed gaps.

Sector-Specific Weaknesses in Energy, Transportation, and Healthcare

The energy, transportation, and healthcare sectors are particularly vulnerable due to legacy systems and large networks of interconnected devices. Energy companies often rely on outdated industrial control systems (ICS), which are hard to patch without operational disruptions. Similarly, healthcare uses older software incompatible with modern security protocols, exposing them to attacks that can cause service outages or compromise patient data.

The financial toll is steep. The 2024 Cost of a Data Breach Report shows the average breach now costs USD 4.88 million, and disruptions in essential services amplify the impact.

The transportation sector also faces vulnerabilities, with its vast networks of vehicles, sensors, and communication systems offering numerous entry points. Without strong segmentation, breaches can spread across the entire network.

The Evolution of Ransomware Tactics

Ransomware has evolved from simple file-locking schemes to sophisticated, multi-faceted operations. Modern groups use techniques like phishing, privilege escalation, and lateral movement across networks to maximize damage. They’ve also shifted from targeting files to exploiting weaknesses in identity and access management (IAM) systems, using stolen credentials to disrupt operations.

AI and machine learning (ML) now enable attackers to automate attacks, identify vulnerabilities, and move laterally within networks much faster, making detection and containment harder and increasing the potential damage.

Proactive Defense Strategies

To combat sophisticated ransomware, organizations need proactive defense strategies that go beyond traditional cybersecurity. One approach is Zero Trust Architecture (ZTA), which assumes no one inside or outside the network can be trusted by default, requiring strict identity verification and continuous monitoring. This limits lateral movement, preventing full access even if part of the system is breached.

AI and ML-powered threat detection can spot suspicious activity in real-time, analyzing patterns and identifying anomalies to flag potential attacks. Deception techniques, where attackers are lured into fake environments, also help study strategies while minimizing risk.

Preparing for the Quantum Security Threat

While most organizations are focused on current ransomware tactics, an emerging threat looms on the horizon: quantum computing. The arrival of “Quantum Day” (Q-Day)—anticipated to arrive by 2030—will mark a seismic shift in cybersecurity. By Q-Day, quantum computers will be capable of decrypting today’s widely used encryption algorithms in a fraction of the time it currently takes. This could render much of the world’s existing cryptography obsolete overnight.

While this future may seem distant, attackers are already preparing for it. Sensitive data that is stolen today could be stored for future decryption, once quantum computers become more powerful. Critical infrastructure organizations cannot afford to ignore quantum security risks, even if they don’t yet face an immediate threat.

To safeguard against this, organizations need to transition to post-quantum cryptography, a set of algorithms designed to resist quantum-based attacks. The first step is for businesses to identify which of their assets are most vulnerable to quantum risks. This process, referred to as a crypto CMDB (Configuration Management Database), involves mapping out critical data and determining what kind of encryption is currently being used. Only then can organizations begin upgrading their encryption protocols to quantum-resistant standards.

Enhancing Cyber Resilience

Beyond defense, organizations must focus on cyber resilience—preparing for attacks while ensuring business continuity. This requires not only defense but also planning for operations during an attack. Regular risk assessments, penetration testing, and vulnerability management are key to a resilient cybersecurity framework.

Frequent testing of backup and recovery systems ensures they work during ransomware attacks. Network segmentation is crucial to stop ransomware from spreading. Isolating critical assets and monitoring network traffic can limit damage if an attack occurs.

The Importance of Collaboration and Innovation

The growing ransomware threat, along with quantum security challenges, highlights the need for stronger public-private collaboration. Governments, industries, and cybersecurity firms must unite to establish cybersecurity standards and create advanced defense solutions. Public-private partnerships can drive innovation, keeping organizations ahead as ransomware tactics evolve.

Strengthening critical infrastructure requires a multi-layered approach, combining proactive defense, cyber resilience, and quantum security preparation. Focusing on these areas will help organizations protect essential services and national security while staying ahead of attackers.

In conclusion, it is important to think security in every stage of design and implementation and be aware that this a cat and mouse game and hence, we need to be constantly vigilant and continuously modifying as new methods of attack get invented! 

The post Ransomware’s Next Target: Strengthening Critical Infrastructure Against Emerging Cyber Threats first appeared on Cybersecurity Insiders.

The post Ransomware’s Next Target: Strengthening Critical Infrastructure Against Emerging Cyber Threats appeared first on Cybersecurity Insiders.

May 20, 2025 at 07:16AM

Read More

Scam Messages and emails increase exponentially after M & S Cyber Attack

A recent cyberattack on Marks and Spencer (M&S) has raised significant concerns, revealing that hackers infiltrated the UK-based retailer’s systems almost a week before the breach was discovered. The attack, which was first detected a couple of weeks ago, exploited a vulnerability created by human error, compromising the personal data of nearly 9.4 million active customers.

Initial investigations suggest that while the hackers gained access to sensitive information, such as order histories, dates of birth, and some payment card details (excluding CVV numbers), they did not manage to steal complete payment card data. In fact, the retailer’s IT department clarified that only certain usable card information may have been exposed, but crucial security elements like CVVs remained protected.

CEO Stuart Machin reassured customers, explaining that although the breach might have disrupted online ordering, the hackers did not access full payment card details. He further emphasized that such data is not stored long-term on M&S servers, with archives holding payment information for a maximum of 24 hours. Machin expressed confidence that the company’s technical team would restore services by the end of the month.

The attack, attributed to the DragonForce ransomware gang, is having ripple effects beyond M&S’s digital operations. Many of the retailer’s physical stores across the UK are experiencing severe product shortages, as panic buying escalates among consumers. The gang behind the attack, believed to be affiliated with the Scattered Spider cybercriminal group, is demanding a ransom of $4 million. However, M&S has made it clear that it will not be entertaining these demands.

The impact of the breach has extended to customers, with some reporting an increase in spam calls and emails. These types of cyberattacks often result in data leaks that can fuel spam campaigns, as hackers may use the stolen information for targeted scams. Despite efforts by email providers and telecom companies to mitigate these issues, customers are urged to remain vigilant. They should avoid downloading any suspicious applications or software that could potentially carry malware.

As the situation unfolds, both M&S and its customers are left to contend with the aftermath of a costly and disruptive cyberattack.

The post Scam Messages and emails increase exponentially after M & S Cyber Attack first appeared on Cybersecurity Insiders.

The post Scam Messages and emails increase exponentially after M & S Cyber Attack appeared first on Cybersecurity Insiders.

May 19, 2025 at 10:37AM

Read More

Experts React: Coinbase Discloses Breach, Faces Up to $400 Million in Losses

Coinbase, one of the largest cryptocurrency exchanges, has disclosed a significant data breach that exposed sensitive customer information, including government-issued IDs. The attackers contacted Coinbase on May 11, demanding a $20 million ransom to prevent the public release of the stolen data.

The breach could result in losses of up to $400 million, depending on regulatory fines, legal actions, and customer compensation. Coinbase has launched an internal investigation and is cooperating with law enforcement. It has also notified affected customers and offered support.

The implications of the Coinbase breach are significant for crypto users and investors, spanning financial, regulatory, and trust-related concerns.

For crypto users, the risks are substantial. If government-issued IDs and personal data were stolen, users could face identity theft, phishing attacks, or SIM swapping. This could lead to unauthorized access to other financial accounts or crypto wallets. Users may lose confidence in Coinbase’s ability to protect their data, prompting them to move assets to other platforms or cold storage. Coinbase might implement stricter security protocols or temporarily limit certain services, affecting user experience. Affected users might be eligible for compensation or become part of class-action lawsuits.

For investors, the breach could lead to stock price volatility. Publicly traded companies like Coinbase (COIN) often see sharp stock price drops after breaches due to shaken investor confidence. The breach could trigger investigations by the SEC or other regulators, potentially leading to fines or new compliance requirements. Coinbase will likely need to invest heavily in cybersecurity upgrades, legal defense, and customer support. Long-term brand damage could reduce user acquisition and retention, impacting revenue growth.

David Stuart, Cybersecurity Evangelist at Sentra, commented on the breach, saying, “The Coinbase breach highlights the growing challenge of protecting sensitive customer data in highly interconnected digital ecosystems. Financial platforms, in particular, carry an outsized responsibility to safeguard personal and financial information against increasingly sophisticated threats. Full visibility into where sensitive data resides, how it moves, and who can access it is essential, especially as data spans cloud, SaaS, and third-party environments. Without continuous monitoring, access governance, and proactive risk management, even well-defended systems can become vulnerable. Organizations must prioritize a data-first security model that ensures sensitive information remains protected at every layer, beyond just perimeter defenses.”

Clyde Williamson, Senior Product Security Architect at Protegrity, added, “Coinbase says the affected customer base impacted in this attack is less than 1% of its 9.7 million customers to minimize the impact. That’s still around 1 million people whose sensitive information has been compromised, and the financial damage to Coinbase itself isn’t small. Malicious actors can do significant damage with your name and contact information; imagine what they’ll do with masked bank information and Social Security numbers. This attack was only possible because contractors and support personnel were allowed access to this information. This was an entirely avoidable situation on Coinbase’s part, and now they’re expecting the customers who trusted the organization with their highly sensitive information to perform damage control. It’s great that Coinbase was legally required to disclose this attack quickly, but those customers will be haunted by this breach. Disclosure without real action is data security’s ‘thoughts and prayers.’ Consumers deserve better than to live in constant fear of their data.”

The breach underscores the critical need for robust cybersecurity measures to protect sensitive customer information..

 

The post Experts React: Coinbase Discloses Breach, Faces Up to $400 Million in Losses first appeared on Cybersecurity Insiders.

The post Experts React: Coinbase Discloses Breach, Faces Up to $400 Million in Losses appeared first on Cybersecurity Insiders.

May 19, 2025 at 09:46AM

Read More

Mitigating Insider Threats and Zombie Accounts Amid Workforce and Contract Changes

The recent Twitter data leak, which exposed the personal information of 2.8 billion users, serves as a stark reminder of the vulnerabilities organizations face when disgruntled employees or contractors retain access to sensitive systems. This incident, suspected to be an insider job, underscores the critical importance of managing security and business risks potentially arising amidst workforce volatility. It is an especially important issue nowadays, as companies navigate massive layoffs and contract terminations.

When employees, contractors, or vendors leave an organization, their access to team services and applications must be promptly revoked. Failure to do so can leave “zombie” accounts — dormant accounts that remain active and act as security vulnerabilities. CISOs must always operate with a risk-aware mindset, assuming worst-case scenarios could happen and building policies, technologies, and processes to mitigate those risks.

Insider Threats from Disgruntled Employees

Disgruntled former employees can pose serious insider threats, including cybervandalism or selling their credentials to hackers. These risks extend beyond cybersecurity breaches to compliance liabilities under regulations such as SOX, GDPR, or HIPAA.

A notable example occurred in 2023 when two former Tesla employees leaked the personal data of tens of thousands of current and former employees to a German newspaper. Additionally, there is growing concern about disgruntled workforce potentially deploying AI agents or RPA bots within financially significant ERP systems to exfiltrate data or revenue to offshore bank accounts after their access is removed.

The Prevalence and Risks of Zombie Accounts

Moreover, dormant “zombie” accounts left enabled after termination are a common one attack vector for cyber criminals. Attackers may use brute-force attacks to guess passwords, hoping to find accounts lacking Multi-Factor Authentication (MFA), so that they can gain unauthorized access and start moving laterally within an organization’s systems. If successful, it is harder to detect attackers compromising accounts of former employees than existing ones.

The Verizon Data Breach Investigations Report 2024 highlights that the use of stolen credentials has appeared in almost one-third (31%) of all breaches over the past decade. For instance, last year, a hacker gained access to internal company tools using stolen credentials from a former employee at Tile, a leading Bluetooth location-tracking device vendor, breaching multiple systems and stealing sensitive data – a stark example of the severe consequences of delayed incident response in the case of a stale account compromise.

Identity Hygiene Measures

Proper identification of all human identities with access to an organization’s services and applications is crucial for assessing risk posture. This involves maintaining an inventory of applications, ideally sorted by risk to the organization, to facilitate the termination of access to these assets. These practices align with the NIST Cybersecurity Framework (CSF) 2.0’s “Identify” core function, which emphasizes the importance of understanding and managing cybersecurity risks.

Even with the above controls in place, organizations might still face increased security risks when offboarding a high volume of employees. As employees’ roles change throughout their careers, their access permissions might not be updated properly — especially for those who were granted elevated or emergency access that may not have been documented — increasing the risk of oversight during de-provisioning.

Best practice dictates that application account logins for terminated workforce members should be disabled in coordination with HR notifying the individual, and no later than 24 hours after notice. However, in modern enterprises where dozens—if not hundreds—of applications are in use, each potentially requiring separate credentials or permissions, oversights are not uncommon, exposing the organization to security risks. This risk is particularly high in companies lacking modern identity security and access governance automation.

Without automation, IT teams must manually revoke every access permission tied to each application, increasing the chance of human error, which might take weeks. With an automated identity governance solution, deprovisioning can be triggered by changes in an employee’s HR status. This ensures immediate and complete revocation of access, minimizing human error and reducing the deprovisioning time from weeks to just a couple of days—or even instantly.

Overall, identity hygiene best practices involve several stages on the path to mature identity governance. This starts with clear policies on how users are granted and maintain access to systems, progresses to basic automation for provisioning and access reviews, and culminates in application governance automation. The latter advanced approach enables automated provisioning by continuously monitoring the risk associated with access—both when it’s initially granted and during periodic reviews—and restricting it further through the use of emergency access management controls. With such an approach in place, massively offboarding people would become just another routine task for an organization.

 

The post Mitigating Insider Threats and Zombie Accounts Amid Workforce and Contract Changes first appeared on Cybersecurity Insiders.

The post Mitigating Insider Threats and Zombie Accounts Amid Workforce and Contract Changes appeared first on Cybersecurity Insiders.

May 19, 2025 at 08:21AM

Read More

Beyond the hype: The hidden security risks of AI agents and MCP

As AI rapidly evolves from a novelty to a necessity, businesses across every industry are feeling the pressure to integrate it into their operations, products, and services. What was once a forward-looking initiative has now become a critical component of staying competitive in a fast-changing market. 

AI experimentation is no longer driven by enthusiastic technologists or curious stakeholders—it’s now a strategic imperative. A significant component of this transformation is the use of AI agents: intelligent systems designed to autonomously perform tasks, make decisions, and adapt to changes in information.

Here, we’ll define what AI agents are, introduce MCP (Model Context Protocol), and dive into the security risks that come with these emerging technologies.

AI agents, defined: The brains behind autonomous applications

AI agents are applications where a Large Language Model (LLM) drives decisions, coordinates tasks, and adapts to changing inputs in real time.

A true shift occurs when AI agents are equipped with the tools and services they need to interact with the digital world. Whether it’s querying a database, sending a message, updating records, or triggering entire workflows, this tool access transforms AI into an autonomous process.

One of the most promising enablers of this evolution is the MCP. Introduced by Anthropic in November 2024, MCP is an open, emerging standard that simplifies how AI agents connect to tools and data sources. It’s earning widespread attention for doing what the USB standard did for hardware peripherals: replacing complex, one-off integrations with a universal interface.

By standardizing tool access, MCP empowers AI agents to execute dynamic, context-aware tasks across platforms. 

How does MCP work?

MCP uses a familiar client-server architecture to standardize how AI agents interact with external tools and data sources. This protocol ensures consistent and reliable communication between the agent and the resources it needs to function effectively.

This setup places MCP clients within the host application, whether that’s an AI assistant, a coding environment, or any other AI-enabled application. It performs the function of managing communication with an MCP server. As part of this process, the application and connected tools must negotiate protocol versions, discover available capabilities, and transmit requests and responses between them.

What makes MCP unique is that these capabilities are described in natural language, thereby allowing them to be directly accessed by the LLM driving the AI agent. This enables the model to understand which tools are available and how to use them effectively.

The server uses URI-based patterns to manage access to its resources and supports concurrent connections, enabling multiple clients to interact with it simultaneously. This makes the MCP highly scalable, flexible, and well-suited for complex agentic environments.

Autonomous vs. delegated identity: A crucial distinction

As AI systems become more embedded in business and everyday life, defining and managing AI identities is becoming increasingly important. Two key models are emerging: autonomous AI identity and delegated (on-behalf-of, or OBO) identity.

Autonomous AI identity refers to an agent that operates independently, making decisions and taking action without the intervention of a human in real time.

In contrast, a delegated identity represents an AI that performs tasks under the direction of a human. Understanding this distinction is crucial for maintaining proper accountability and security in AI-powered systems.

It is important to note that both models influence how authorization is managed by systems. A failure to differentiate these roles can result in over-permissioned systems, security risks, or misattribution of actions.

Visibility & control: The missing pieces

Real-time monitoring is essential for detecting and responding to anomalous behaviors in AI agents, especially as they operate autonomously and make decisions without human oversight. Just as important is robust identity management that clearly distinguishes between non-human identities (NHIs), which represent fully autonomous agents, and delegated identities, in which an agent acts on behalf of a human user.

Tagging each action with the correct identity context allows security teams to enforce least-privilege access, audit agent behavior against user delegations, and maintain clear accountability. Furthermore, tool-specific audit trails provide detailed records of every API call, data access, and action performed by an AI agent. As a result, these logs are essential for forensic investigations and compliance audits and should be integrated with existing SIEM systems to correlate agent activity across environments and detect suspicious activity.

As protocols like MCP expand tool integration capabilities, security frameworks must evolve in parallel, introducing dynamic authorization, continuous monitoring, and adaptive policy enforcement to manage increasingly capable agents. The combination of detailed audit trails and identity-aware monitoring will be critical to maintaining control, visibility, and trust as AI agents become more embedded in core operations.

Prepare now for secure AI adoption

As MCP rapidly gains traction as a standardized framework for integrating AI models with external tools and data sources, it’s reshaping how AI systems interact with applications. This unlocks more dynamic and context-aware capabilities. The rapid adoption of this technology, however, has outpaced the development of mature security controls, exposing potential risks such as unauthorized access, data leakage, and compromised tool integrity.

To address these concerns, organizations are encouraged to take proactive steps:

• Audit current MCP usage or plans: Assess how MCP is currently implemented within your systems or how it’s planned to be integrated.
• Enhance visibility and standardize authentication: Implement standardized authentication protocols and ensure comprehensive identity tracking to monitor interactions between AI models and external tools.
• Foster collaboration between engineering and security teams: Encourage cross-functional teams to work together in developing and enforcing security policies tailored to MCP implementations.

Securing the future of AI agents

The use of AI agents is unlocking unprecedented efficiency and intelligence across applications – automating tasks, streamlining workflows, and enabling real-time decision making. But with any rapid advancement comes risk. 

To stay ahead of emerging threats, prioritize auditing MCP deployments and implement standardized authentication protocols to establish a secure baseline. Then build a comprehensive AI identity security strategy by leveraging third-party security tools to protect your systems as agents grow more autonomous and deeply integrated into core business operations.

Remember that security isn’t static—it must evolve with your AI stack.

 

The post Beyond the hype: The hidden security risks of AI agents and MCP first appeared on Cybersecurity Insiders.

The post Beyond the hype: The hidden security risks of AI agents and MCP appeared first on Cybersecurity Insiders.

May 17, 2025 at 10:27AM

Read More

Ransomware attacks on education sector go unreported for months

Countries like the United Kingdom, the United States, Australia, and Canada have established cyber laws that require organizations affected by ransomware attacks to report these incidents within a specific time frame. These mandatory reporting windows typically range between 48 to 72 hours, depending on the country’s regulatory framework. The aim is to ensure transparency, facilitate timely responses, and protect stakeholders from further harm.

However, a recent study by Comparitech reveals a troubling trend in the U.S. education sector. On average, educational institutions across America take approximately 4.8 months to publicly disclose data breaches resulting from ransomware attacks. In some extreme cases, schools have waited as long as six months before reporting the breach or notifying affected individuals about the compromise of their personal data.

What’s more alarming is that many of these incidents only come to light when stolen data appears for sale on the dark web. In other words, rather than being proactive, many institutions remain silent until external parties expose the breach.

A notable example of this occurred at the end of last year, when a significant ransomware attack targeted PowerSchool software—widely used by school districts for managing student information. The attack affected over 100 school districts, as hackers managed to infiltrate and encrypt critical servers. Yet, details of the breach only surfaced publicly once the compromised data began circulating in underground cybercrime markets.

This pattern of delayed disclosure not only raises serious ethical and legal questions but also puts students, parents, and educators at heightened risk of identity theft, fraud, and other cyber-related harms.

The post Ransomware attacks on education sector go unreported for months first appeared on Cybersecurity Insiders.

The post Ransomware attacks on education sector go unreported for months appeared first on Cybersecurity Insiders.

May 16, 2025 at 08:47PM

Read More

Dior likely hit by ransomware attack

In a concerning development, Dior, the iconic French luxury fashion brand, has reportedly been targeted by a cyber attack that appears to be a form of ransomware. According to the latest updates, hackers seem to have gained unauthorized access to the company’s internal servers, potentially compromising a range of sensitive customer information. While the full extent of the breach is still under investigation, initial reports suggest that the attack is linked to a file-encrypting malware, a type of ransomware where malicious actors lock away critical data until a ransom is paid.

The Data Breach: What Was Compromised?

The breach is believed to have exposed various personal details of customers, although fortunately, no financial information related to either customers or employees has been leaked, which is a somewhat reassuring piece of news from a cybersecurity perspective. However, the compromised data includes names, gender details, mobile phone numbers, email addresses, postal addresses, and purchase history. In addition, fashion preferences—categorized by gender and age—were also part of the exposed data.

This kind of information can be highly valuable to cybercriminals, who may use it for a variety of malicious purposes. One of the primary concerns is that this data could potentially be exploited in targeted phishing attacks. Customers might receive fraudulent emails or messages designed to trick them into revealing even more personal or financial details.

Dior’s Response and Investigation

In response to the breach, Dior has swiftly implemented various security measures to prevent the malware from spreading further within its network. The company’s IT teams are currently conducting an in-depth investigation to identify the exact nature of the intrusion and to ensure that no further data loss occurs. While the situation is still developing, Dior has promised to keep the public informed with regular updates as the investigation progresses.

For now, Dior is urging its customers to remain vigilant and monitor their financial transactions closely. The company has issued a warning that individuals may be at a higher risk of falling victim to phishing scams in the coming months. This advisory is expected to remain in effect for the next 6 to 12 months, as the stolen data could be used in a variety of nefarious ways, including crafting personalized phishing schemes.

A Broader Cybersecurity Concern

This breach is not an isolated incident. Last month, several major retail brands in the UK, including Marks & Spencer, Co-Op, and Harrods, were also targeted by a cybercriminal group known as the “Scattered Spider” gang, which is believed to be behind the DragonForce ransomware attacks. The growing frequency of these types of incidents highlights a disturbing trend in the retail sector, where hackers are increasingly focusing on stealing personal data from consumers.

While Dior has not yet confirmed whether a ransomware attack specifically was involved, the company has promised to provide further updates as the investigation unfolds. The absence of financial data in the breach is a slight silver lining, but the loss of personal details, especially sensitive information such as shopping preferences, can still be damaging. It’s worth noting that marketing and advertising firms could also leverage this data to build detailed customer profiles, which could lead to more targeted (and potentially intrusive) marketing campaigns in the future.

Moving Forward: Precautionary Measures

As Dior continues to assess the damage and work toward securing its systems, customers are urged to take a proactive approach to their online security. It’s a good practice to review your bank and credit card statements regularly, and be cautious when receiving unsolicited emails or messages, especially those that ask for personal information or contain links to unknown websites.

In an increasingly digital world, incidents like this remind us all of the importance of maintaining robust cybersecurity measures and staying alert to potential online threats.

The post Dior likely hit by ransomware attack first appeared on Cybersecurity Insiders.

The post Dior likely hit by ransomware attack appeared first on Cybersecurity Insiders.

May 16, 2025 at 11:37AM

Read More

AI Governance Is Your Competitive Edge If You Treat It That Way

For years, we’ve watched technology initiatives stumble not because they failed to innovate, but because they failed to govern. Now, with artificial intelligence reshaping industries at breakneck speed, many organizations are falling into the same trap: rushing ahead with AI initiatives without building the governance foundations needed to sustain them.

The mistake? Treating AI governance like a compliance checkbox. Too often, organizations bolt it on after models are built, when it should have been embedded from day one. This approach turns governance into a bottleneck instead of a business enabler. By the time issues like bias, security gaps, or explainability failures surface, it’s too late and expensive to unwind.

I’ve seen what happens when governance is an afterthought. In a previous engagement, a financial services company rolled out an algorithmic lending platform with minimal oversight. Early indicators were promising: faster decisions, operational efficiency, and positive buzz across the business. But without strong governance, especially in how training data was sourced and decisions were justified, things quickly unraveled. Auditors uncovered biased outcomes disproportionately affecting specific demographic groups. The company was forced to pull the product from production, launch a costly investigation and remediation effort, and face significant regulatory scrutiny. Trust, once lost, proved hard to regain.

In contrast, I worked with a healthcare organization that treated governance as a strategic imperative from day one. Their approach was comprehensive. Cross-functional teams, diverse review boards, transparent documentation, and adversarial testing protocols were all in place before the first AI model went live. When they launched a diagnostic tool, it wasn’t just technically sound—it was trusted. Regulators engaged early. Physicians felt confident using it. Patients understood its purpose. Governance didn’t slow them down. It cleared the path for faster deployment and broader adoption.

Red Teams Belong at the Governance Table

Too many governance frameworks exist only on paper. They outline principles but never validate how those principles hold up under real-world pressure. That’s where offensive security plays a vital role. Red-teaming and adversarial testing are not optional. They are essential to making AI governance operational.

Offensive security helps stress-test assumptions, uncover hidden attack surfaces, and expose misuse scenarios that may not be evident in controlled development environments. By simulating adversarial behavior, red teams can validate that AI guardrails function as intended—not just under ideal conditions, but when systems are manipulated, misused, or operating at their limits. This transforms governance from a theoretical exercise into a practical, pressure-tested foundation.

We’ve seen red teaming shift how organizations think about AI resilience. It introduces failure modes early, creates more realistic threat models, and drives cross-functional conversations that strengthen policy, technical, and ethical safeguards. In mature organizations, offensive testing is not reserved for the final stage of deployment. It is woven into the lifecycle of every model.

Data First, AI Second

Another common misstep is starting AI governance at the model level instead of the data layer. Data is the raw material of every AI system, and yet many organizations pursue model governance without first ensuring the privacy, integrity, and security of the data feeding those models. This backward approach leads to weak foundations and hard-to-detect failures.

A strong AI governance strategy is, first and foremost, a data governance strategy. It requires full visibility into data sources, clear policies around consent and anonymization, and robust access controls to prevent leakage or misuse. Without this, even the most sophisticated AI frameworks are vulnerable to bias, drift, and exploitation.

Embed It Early or Pay for It Later

For security and product leaders who want to get ahead of these risks, the time to act is now. And the steps are clear:

• Establish decision rights and accountability structures for AI systems before development begins.
• Form cross-functional governance teams that include technical, legal, ethical, and business perspectives.
• Define governance metrics that tie directly to business outcomes, not just compliance requirements.
• Build governance into existing product workflows instead of bolting on additional processes.
• Invest in documentation and explainability tools from the start.
• Create monitoring systems that continuously evaluate model behavior in real-world conditions.

These actions don’t just reduce risk. They accelerate execution. When governance is built in, not bolted on, it becomes a driver of speed, clarity, and confidence.

Governance as a Growth Lever

The most successful AI programs don’t treat governance as friction. They treat it as fuel. When done right, governance provides the blueprint for faster innovation, the clarity regulators demand, and the transparency that customers expect. It creates trust, and trust is what ultimately differentiates companies in an increasingly AI-driven economy.

Governance enables scale. It helps organizations avoid the cycle of rework, remediation, and reputational repair. It allows them to launch with confidence and adapt responsibly when models change. In industries where the cost of failure is high—finance, healthcare, critical infrastructure—that kind of resilience is not just valuable. It is essential.

In an environment where AI is the new battleground for competitive advantage, governance is your edge if you choose to use it that way.

 

The post AI Governance Is Your Competitive Edge If You Treat It That Way first appeared on Cybersecurity Insiders.

The post AI Governance Is Your Competitive Edge If You Treat It That Way appeared first on Cybersecurity Insiders.

May 16, 2025 at 07:53AM

Read More

Insider Threat fetches $400m loss to Coinbase

Coinbase, one of the leading cryptocurrency exchanges in the United States, has been the target of a significant cyber attack, potentially leading to losses ranging from $180 million to $400 million in the current financial year. This forecast comes from the exchange itself, after conducting an analysis of the incident’s immediate and long-term impacts, including the drop in the company’s share value by approximately 3%.

According to information obtained by Cybersecurity Insiders, the breach appears to have stemmed from an insider threat. A trusted individual within the company gathered sensitive information and passed it along to external actors. On May 11, 2025, the hackers launched their attack, claiming to have gained access to a small portion of Coinbase’s data. This data reportedly included personal details of customers and employees, such as names, email addresses, and home addresses.

The scope of the attack is particularly concerning as the cybercriminals employed advanced phishing tactics to trick Coinbase users into transferring part of their cryptocurrency holdings to fraudulent accounts. Victims of the attack believed they were responding to legitimate requests, only to realize too late that they had been deceived by the attackers’ sophisticated methods.

Upon discovering the breach, Coinbase’s incident response team acted swiftly. They immediately reset all server account passwords and initiated a process to reimburse customers who had unknowingly transferred their funds to the fraudulent accounts. The company also launched an investigation into the insider threat, which was traced back to freelance employees working for Coinbase outside of the United States. These individuals were promptly terminated.

Currently, Coinbase is focused on restoring the affected accounts and reinforcing its security protocols to prevent further incidents. The company has made it clear that it will not comply with the $20 million ransom demand made by the attackers, maintaining its stance of not paying out to cybercriminals. In a move to encourage public cooperation, Coinbase has also announced a reward of up to $20 million for anyone who provides information that leads to the identification and capture of the attackers.

This attack appears to be a variant of ransomware, in which data was siphoned off without the encryption typically seen in traditional ransomware attacks. Notably, Coinbase has emphasized that its servers were not encrypted during the breach, which may offer insight into the nature of the attack.

The broader impact of such cyber incidents is evident, as crypto exchanges have become frequent targets for cybercriminals. According to Chainalysis, cryptocurrency exchanges suffered a staggering $2.2 billion in losses from cyberattacks in 2024. The trend is expected to continue, with predictions suggesting that losses could increase by 25% in 2025, further highlighting the increasing risks in the crypto industry.

The post Insider Threat fetches $400m loss to Coinbase first appeared on Cybersecurity Insiders.

The post Insider Threat fetches $400m loss to Coinbase appeared first on Cybersecurity Insiders.

May 15, 2025 at 08:31PM

Read More

Google warns of US retail cyber attacks and M & S insurance payout to cost £100m

Google Issues Warning to U.S. Retailers About the Growing Threat of Scattered Spider Cyberattacks

Google’s Threat Intelligence team has issued an urgent warning for U.S. retail businesses, cautioning that they could soon become targets of a highly sophisticated cybercriminal group known as Scattered Spider. This group is suspected of being behind a series of major cyberattacks in the United Kingdom, including attacks on well-known retailers such as Harrods, Co-Op, and Marks & Spencer, which saw the deployment of DragonForce ransomware.

In partnership with Mandiant, a cybersecurity company owned by Google, the tech giant has forecast that these attacks could begin as early as September of this year. With this timeline in mind, Google is urging all businesses, regardless of their size, to take proactive measures to safeguard themselves against potential cyber risks, which could result in significant disruptions and financial losses.

Scattered Spider’s Operations

Scattered Spider, also known by its alias UNC3944, is a well-organized and highly skilled group of cybercriminals that has gained notoriety for its ability to carry out large-scale ransomware campaigns. Their most recent wave of attacks, which primarily targeted major UK-based retailers, has raised concerns that they might now set their sights on U.S. retail companies, given the similarities in the modus operandi and the group’s growing capabilities.

John Hultquist, Chief Analyst at Google Threat Intelligence, confirmed that the group is likely planning to expand its operations into the U.S., targeting retail businesses. As a result, organizations in the retail sector should remain on high alert for any suspicious activity or indications of a potential cyberattack.

How Mandiant Can Help

To assist organizations in strengthening their defenses, Mandiant has made available a free guide—a playbook designed to help businesses assess and bolster their cybersecurity strategies. This playbook provides detailed, actionable recommendations for mitigating the risks associated with advanced persistent threats, such as those posed by Scattered Spider. Businesses are strongly encouraged to leverage this resource, as it could significantly improve their ability to detect and respond to cyberattacks before they can cause widespread damage.

Marks & Spencer to File £100 Million Claim Following Cyberattack

In related news, British retailer Marks & Spencer, which was recently hit by a devastating DragonForce ransomware attack linked to Scattered Spider, is now preparing to file an insurance claim estimated at £100 million to cover its recovery costs. The company has confirmed that the attack resulted in a combination of direct financial losses, order cancellations, and potential long-term damage to its brand reputation, especially in relation to the safety of customer data.

The Impact of the Attack

The cyberattack on Marks & Spencer forced the company to temporarily shut down several of its operations, resulting in significant operational disruptions. Not only did this lead to immediate financial losses, but the cancellation of orders and the ongoing uncertainty surrounding the safety of customer data has likely harmed the retailer’s trust with consumers. As a result, the company is now seeking reimbursement through its insurance policy to cover the damages incurred.

However, the payout on such an insurance claim is not guaranteed, as it depends on several factors. For instance, insurance companies often assess the preparedness of a company’s IT infrastructure before offering coverage. If Marks & Spencer, for example, had not implemented sufficient cybersecurity measures to prevent such an attack, its claim might be partially or entirely denied, or only reimbursed for certain types of damages.

Understanding Cyber Insurance and Premium Risks

For companies considering cybersecurity insurance, there are several important considerations to keep in mind. First, most insurance providers assess an organization’s preparedness for cyberattacks when determining the premiums and coverage limits. These assessments often involve examining the company’s existing cybersecurity measures, its in-house talent, and its overall resilience to cyber threats.

Moreover, even if Marks & Spencer successfully receives an insurance payout, it may face higher premiums in the future, as cyber insurance providers adjust their pricing models in response to the increasing frequency and severity of cyberattacks. In fact, some insurers are starting to exclude specific types of cyber risks, like ransomware attacks and distributed denial-of-service (DDoS) attacks, from their coverage policies altogether.

This trend is prompting many CIOs (Chief Information Officers) and CTOs (Chief Technology Officers) to reconsider their approach to cyber insurance. As premiums rise and coverage options shrink, organizations will need to carefully evaluate their risks and decide whether to invest in higher-level protection or adjust their coverage to account for evolving cyber threats.

A Call for Vigilance in the Retail Sector

The growing threat from groups like Scattered Spider highlights the importance of cybersecurity across all industries, but particularly in retail, where customer data and financial transactions are prime targets for cybercriminals. As cyberattacks become more sophisticated and more frequent, it is essential for organizations to invest in both proactive and reactive measures to protect their systems and data.

For now, retailers must take action to bolster their defenses and ensure they have adequate insurance coverage to mitigate the financial impact of potential breaches. As Google and Mandiant have emphasized, staying ahead of the curve is crucial—especially with the knowledge that the next wave of attacks could be just around the corner.

The post Google warns of US retail cyber attacks and M & S insurance payout to cost £100m first appeared on Cybersecurity Insiders.

The post Google warns of US retail cyber attacks and M & S insurance payout to cost £100m appeared first on Cybersecurity Insiders.

May 15, 2025 at 10:44AM

Read More

Data Protection Market: Endless Possibilities to Ensure a Secure Future

Do you know that the average cost of a data breach is expected to reach over USD 4 million by the end of 2025, having already reached around USD 4.86 million globally in 2024. Data leaks and cyberattacks have increased in frequency, affecting more than 342 million people in 2023. Here are a few recent data breach cases in prominent fields.

Thus, in the modern world, data protection becomes crucial to protect individual rights, foster trust in digital interactions, and preserve personal integrity. According to Research Nester’s analysis, the market for data protection is expected to reach USD 1.12 trillion by 2037, up from USD 158.77 billion in 2024. The need for data protection and recovery, the increased organizational awareness of data integrity, and increasing cybersecurity threats are some important factors that will support the growth of the global data protection market. Further, in this blog post, let’s explore evolving trends and identify future opportunities in the data protection market.

1.Growth of Remote Work Culture and Bring Your Own Device (BYOD) Policies

As of March 2025, more than 35 million Americans, or around 21% of all employees, worked remotely to some extent. Due to the growing accessibility of technology and the recognition that working remotely can be more effective and efficient, the workforce is increasingly moving toward remote arrangements. As a result, strong data protection measures are required as remote workers have long been viewed by hackers as weak points in their attempts to access systems and steal data. For instance, in 2023, the average cost of a data breach was around USD 5 million, and breaches related to remote work cost an extra USD 173,073 on average per occurrence. Moreover, fostering a culture of security and compliance in remote work situations is crucial since remote work presents a wide range of cybersecurity challenges.

2.Adoption of Zero Trust Architecture (ZTA)

Zero Trust is an integrated, proactive strategy that offers quick improvements in security controls and risk mitigation. To improve cybersecurity and preserve the integrity of federal agency networks, organizations are increasingly using ZTA in response to the growing prevalence of remote work, cloud computing, and sophisticated cyber threats. Small and medium-sized businesses (SMBs) are exposed to a growing range of security vulnerabilities, making ZTA an essential strategy to protect SMBs. For instance, SMBs were the target of over 60% of cyberattacks in 2023. In fact, in 2023, about 94% of cybersecurity events that affect SMBs cost between USD 825 and USD 653,586. 

3.Shift to Cloud Computing

According to the European Commission, in 2023, 45.2% of EU businesses purchased cloud computing services, primarily for office software, electronic file storage, and email system hosting. Moreover, by the end of 2025, more than 90% of all businesses globally will rely on cloud computing services to support their operations, around 13% in 2020. This shift has necessitated robust data protection strategies as it also introduces the risk of data breaches. For instance, data stored on the cloud was the cause of over 75% of data breaches in 2023, making the cloud a susceptible area. This is further boosting spending on cloud security to protect cloud-based systems from changing cyber threats, illegal access, and data breaches. 

4.Presence of Stringent Data Privacy Laws

Almost all nations have passed some kind of data privacy legislation to safely shield data from breaches, illegal access, and online dangers. Businesses that prioritize data privacy should adhere to legal requirements, protect assets, build trust, and promote sustainability. With rising concerns over data breaches, countries around the world are doubling down on data privacy regulations. Let’s look at how several nations are emphasizing data privacy laws.

1. The Indian Parliament passed the Digital Personal Data Protection (DPDP) Act, 20236, at the beginning of August 2023, which is the country’s first data protection law. The fines for breaking the DPDP Act can range from around ₹49 crore to over ₹240 crore for each infraction.
2. Under the California Privacy Rights Act (CPRA), the state government of California established the California Privacy Protection Agency (CPPA) to strengthen consumer data rights while informing customers by encouraging openness, enforcement, and education. For a single CCPA violation, civil penalties can vary from over USD 2400 to USD 7400.
3. The General Data Protection Regulation (GDPR) went into force throughout the European Union on May 25, 2018, impacting any organization that handles the data of people who reside in EU member states. Those that break the GDPR’s privacy and security rules might face severe fines of around 9 million euros, or over 1% of a company’s global yearly turnover from the prior year, whichever is higher.

In a Nutshell,

Every business should place a high premium on data protection to maintain the confidentiality and integrity of the data. As a result of increased rules, technical improvements, and an increasing emphasis on individual rights and control, data privacy is set to undergo major change in the future. Towards the end, the global data protection market is poised for significant growth in the evolving cybersecurity landscape.

Source: https://ift.tt/m0HPJL3 

 

The post Data Protection Market: Endless Possibilities to Ensure a Secure Future first appeared on Cybersecurity Insiders.

The post Data Protection Market: Endless Possibilities to Ensure a Secure Future appeared first on Cybersecurity Insiders.

May 15, 2025 at 08:06AM

Read More

The End of VPNs — Part 1: Why Reachability is the New Risk

[Part 1 of 2 – Based on an interview with Zscaler CSO Deepen Desai]

By Holger Schulze, Cybersecurity Insiders

The 2025 RSA Conference floor was buzzing earlier this month—every booth promising maximum security, every vendor claiming AI. But when I sat down with Deepen Desai in a quieter room to talk about secure access, he cut straight to the point: 

“VPNs are exposed by design,” he said. “And anything exposed is exploitable.”

Desai is the Chief Security Officer at Zscaler. He leads ThreatLabz, one of the most recognized research teams in cloud security. His team had just released the 2025 VPN Risk Report, an unflinching assessment of how legacy remote access infrastructure is failing the modern enterprise.

The numbers alone signal a turning point:

• 65% of organizations plan to eliminate VPNs within 12 months
• 81% are moving toward a Zero Trust architecture
• 92% are concerned that unpatched VPNs will lead to ransomware attacks

But those numbers weren’t the headline. The real story was what Desai said next.

“The problem with VPNs isn’t misconfiguration. It’s that they work exactly as designed—by placing users on the network. That’s the flaw.”

From Access to Attack Surface – The Blast Radius Is the Network

For years, VPNs served as the default answer to remote access. They were familiar, deployable, and “secure enough.” But the world they were built for no longer exists. And in today’s hybrid work and cloud-first environment, that familiarity is dangerous as they create tunnels from users into internal environments: because once authenticated, VPNs grant network-level access.

“VPNs don’t connect you to an application,” Desai explained. “They put you on the network—and once you’re there, the entire routing table is fair game.”

Between 2020 and 2025, Zscaler ThreatLabz tracked over 400 CVEs tied to VPN appliances as reported by the MITRE CVE Program. In 2024 alone, 60% of new VPN vulnerabilities were rated high or critical. These flaws allowed attackers to bypass authentication, execute code remotely, or hijack sessions outright. And the adversaries aren’t waiting around. 

And as Desai pointed out, attackers are often exploiting them faster than vendors can patch.

“We’ve seen ransomware groups reverse-engineer VPN vendor patches within hours of release,” he said. “They don’t need to wait for the next zero-day exploit. They just need to watch the update notes.”

Once inside, VPNs offer no built-in segmentation. No identity-aware access. No containment. 

We’ve seen this play out repeatedly. In the past 24 months, attacks targeting Citrix, Pulse Secure, and Ivanti VPNs forced urgent patch cycles, major outages, and—in at least one case— U.S. federal agencies were ordered to physically disconnect appliances to prevent a breach.

“When a government agency tells you to unplug your VPN device,” Desai said, “that’s not a security advisory. That’s an obituary.”

The Breach Blueprint: Four Stages of Exploitation

What makes VPNs so dangerous today is not just that they’re reachable—it’s what they enable after compromise. Desai broke it down like a blueprint, because that’s exactly how attackers see it:

1. Find an exposed VPN endpoint—scan the internet or query an LLM trained on CVE metadata.
2. Compromise the device—via credentials, phishing, or a known exploit.
3. Move laterally—because VPNs place you on the internal network with broad access.
4. Exfiltrate or encrypt—steal data or detonate ransomware.

“If your device is compromised,” Desai warned, “the blast radius is everything your VPN can reach on the network. And with most VPNs, that’s a lot.”

AI Is Changing the Rules—and Breaking the Old Model

Desai also emphasized that attackers aren’t just adapting to old defenses. They’re automating past them.

“We’re already seeing threat actors use AI to scale reconnaissance,” he said. “They use GPT models to query CVE databases, plan attacks, and generate working exploits faster than most teams can patch.”

In this new era, attackers no longer need weeks of manual research. They can run 1,000 automated scans, find the exposed systems, and strike—at scale.

“They don’t care about an 80% failure rate,” Desai added. “If 20 out of 100 attacks succeed, they win. But we can’t operate that way. We have to defend everything.”

And while defenders have AI too—risk scoring, anomaly detection, automated policy generation—Desai made it clear that defensive AI only works when the architecture is simplified.

“Use AI to fight AI,” he said. “But don’t rely on AI to clean up after a broken access model. You need Zero Trust first—because if your infrastructure is reachable, you’ve already lost.”

This is where Zero Trust does more than reduce risk. It removes visibility. It denies entry. It breaks the attacker’s playbook before they press ‘Enter.’

The Quiet Cost: Normalized Fragility, Institutional Risk

Desai’s view isn’t just about external threats. He pointed to what he called the “quiet failure” of VPNs: the day-to-day cost they impose on IT, security, and end users.

“We’ve normalized the fragility,” he told me. “Dropped sessions, sluggish performance, endless helpdesk tickets—it’s all seen as just the price of remote work. But it doesn’t have to be that way.”

According to the VPN risk report:

• 54% of teams say VPNs are a recurring source of outages or support escalations
• 41% call VPN maintenance a major drain on internal resources
• 51% of users report degraded application performance
• 23% say slowdowns directly impact their productivity

The problem isn’t just the VPN tunnel. It’s the architecture around it—one that demands constant patching, exposes public IPs, and assumes any authenticated user is trustworthy enough to be on the network.

“Security teams are stuck patching appliances,” Desai said. “Helpdesk teams are buried in tickets. Meanwhile, attackers are using AI to scale recon. It’s not a fair fight.”

Inheriting Risk: Third-Party and M&A Exposure

There’s another failure mode that Desai considers just as dangerous—and far less visible: VPNs as backdoors for third-party risk.

“If your contractors connect over VPN, you’re not just exposing your apps,” he said. “You’re inheriting whatever vulnerabilities exist in their environments.”

In one 2024 incident cited in the report, a financial services firm suffered a breach after attackers exploited a third-party VPN connection, exposing data from nearly 20,000 clients.

And the risk is amplified during mergers and acquisitions.

“Attackers monitor the news,” Desai said. “When an acquisition is announced, they target the smaller company. It’s lean, underprotected, and usually connected by VPN to the parent. That’s the bridge—and no one’s watching it.”

What Happens When the VPN Is Gone

So what does life after VPN actually look like?

Desai offered a clear example: ManpowerGroup, a global enterprise with over 30,000 users, fully transitioned from traditional VPN to Zscaler Private Access (ZPA)—in just 18 days.

The impact wasn’t just faster logins or simplified administration. It was architectural.

• No exposed IP addresses
• No lateral network access
• 97% reduction in helpdesk tickets related to remote access
• Application access based on identity and policy—not network level routing

“When you eliminate the idea of being ‘on the network,’” Desai said, “you eliminate the attacker’s playground.”

Coming Next: The End of VPNs —Beyond the Buzz of Zero Trust

In Part 2 of this series, we’ll go deeper into how Zero Trust replaces VPNs—not just in branding, but in architecture. We’ll walk through how Zscaler applies Zero Trust in practice, why identity—not subnet—is the new perimeter, and how organizations are using app-segmentation and deception to stop lateral movement before it starts.

Because the future of secure access isn’t about building safer tunnels. It’s about removing the need for VPN tunnels altogether.

The post The End of VPNs — Part 1: Why Reachability is the New Risk first appeared on Cybersecurity Insiders.

The post The End of VPNs — Part 1: Why Reachability is the New Risk appeared first on Cybersecurity Insiders.

May 15, 2025 at 03:34AM

Read More

INE Security Alert: Continuous CVE Practice Closes Critical Gap Between Vulnerability Alerts and Effective Defense

Cary, North Carolina, May 14th, 2025, CyberNewsWire

INE Security, a global leader in hands-on cybersecurity training and certifications, today highlighted how ongoing real-world practice with the latest CVEs (Common Vulnerabilities and Exposures) is essential for transforming security teams from reactive to proactive defenders.

With over 26,000 new CVEs documented in the past year, security teams are drowning in vulnerability alerts while facing exploit windows that have compressed to hours in many cases.

“Reading CVE bulletins is not the same as knowing how to stop the attack,” said Dara Warn, CEO at INE Security. “Our Skill Dive platform gives practitioners hands-on experience with real vulnerabilities in contained environments, cutting incident response times when these same issues hit production. This practical approach delivers far more value than traditional security certifications alone.”

Skill Dive is INE Security’s risk-free technical environment featuring exclusive labs not found in learning paths and courses. Skill Dive’s Vulnerabilities Lab Collection offers a continuously updated library of labs specifically designed to provide hands-on practice with actual CVEs, allowing security practitioners, including those preparing for pentester certifications, to experience both the exploitation and mitigation of current real-world threats in a safe environment.

CVEs: From Bulletin to Defense

CVEs are the standard identifiers for known vulnerabilities, but many security teams struggle to implement effective mitigations at scale, even those with Sec+ and other entry-level certifications.

Common challenges include:

• Risk prioritization across hundreds of monthly CVEs
• Testing mitigations without impacting production
• Adapting defenses to diverse system configurations
• Building response muscle memory that works under pressure
• Getting ahead of the threat curve instead of constantly reacting

Practice Today’s Threats. Prevent Tomorrow’s Breaches.

INE Security’s Skill Dive Vulnerabilities Lab Collection delivers:

• Exclusive vulnerability labs not available in standard security training
• Monthly CVE updates focusing on high-impact vulnerabilities
• Isolated practice environment for both offensive and defensive techniques
• Complete severity coverage from critical zero-days to common misconfigurations
• Practical exploitation and defense experience that transfers directly to production incidents

“When a critical CVE drops, you don’t have time to theorize,” said Tracy Wallace, Director of Content at INE Security. “Teams with hands-on practice respond significantly faster because they’ve seen similar attack patterns before. Log4Shell (CVE-2021-44228) was a perfect example – practitioners who had experience with JNDI injection attacks were able to implement effective mitigations within hours, while others took days or even weeks to fully remediate.”

Real Benefits for Security Teams

Skill Dive delivers immediate advantages for practitioners:

• Develop attack pattern recognition that speeds incident response
• Understand attack chains beyond what bulletins describe
• Practice team coordination for high-pressure security events
• Identify defensive gaps before attackers find them
• Build skills that directly translate to career advancement

SecOps teams, security analysts, and IT admins get exactly what certification courses miss: hands-on practice with real-world vulnerabilities.

“Security professionals who regularly drill on current vulnerabilities become exponentially more valuable to their organizations,” said Wallace. “The best defenders understand both the attack and defense sides of the equation.”

High-Impact CVEs in the Skill Dive Collection

The platform features hands-on labs for the most actively exploited vulnerabilities in enterprise environments, including:

• OpenMetadata Authentication Bypass (CVE-2024-28255): Exploit the target machine running OpenMetadata by bypassing the authentication and gaining remote code execution (RCE)
• Calibre RCE (CVE-2024-6782): Exploit the remote code execution vulnerability in Calibre, leading to unauthorized system access
• Log4Shell (CVE-2021-44228): Practice identifying and remediating this critical remote code execution vulnerability that continues to plague Java applications across multiple sectors
• Spring4Shell (CVE-2022-22965): Gain hands-on experience with this widely exploited RCE vulnerability affecting Spring Framework applications

“We continuously track which vulnerabilities are most actively exploited,” said Wallace. “Our collection prioritizes CVEs with the highest real-world impact, not just theoretical severity ratings.”

Proactive Security Through Deliberate Practice

The Skill Dive approach includes:

• Monthly updates aligned with emerging threat patterns
• Realistic environments mirroring production systems
• Practical documentation focused on effective mitigations
• Continuous evolution based on real-world attack trends

Recent lab additions include other top-exploited vulnerabilities such as Cacti Import Packages RCE (CVE-2024-25641), Gradio Path Traversal (CVE-2024-1561), Calibre Arbitrary File Read (CVE-2024-6781), Graylog Information Exposure (CVE-2024-24824), and Navidrome SQL Injection (CVE-2024-47062). 

“Security teams that regularly practice with new vulnerabilities stop more breaches, period,” said Wallace. “Practice transforms defense from constant firefighting into strategic advantage.”

Availability

Individual subscriptions to Skill Dive are available now. Enterprise packages for team training are also available.

For more information, users can visit ine.com/cyber-ranges

About INE Security

INE Security is the premier provider of online networking and cybersecurity training and cybersecurity certifications. Harnessing a powerful hands-on lab platform, cutting-edge technology, a global video distribution network, and world-class instructors, INE Security is the top training choice for Fortune 500 companies worldwide for cybersecurity training in business and for IT professionals looking to advance their careers. INE Security’s suite of learning paths offers an incomparable depth of expertise across cybersecurity. The company is committed to delivering advanced technical training while also lowering the barriers worldwide for those looking to enter and excel in an IT career.

Contact

Kathryn Brown
INE Security
kbrown@ine.com

The post INE Security Alert: Continuous CVE Practice Closes Critical Gap Between Vulnerability Alerts and Effective Defense first appeared on Cybersecurity Insiders.

The post INE Security Alert: Continuous CVE Practice Closes Critical Gap Between Vulnerability Alerts and Effective Defense appeared first on Cybersecurity Insiders.

May 14, 2025 at 03:00PM

Read More