FireSale HackBoy

Knowledge Shared By FireSale HackBoy...


Monday, March 3, 2025

Bubba AI, Inc. is launching Comp AI to help 100,000 startups get SOC 2 compliant by 2032.

San Francisco, California, March 3rd, 2025, CyberNewsWire

With the growing importance of security compliance for startups, more companies are seeking to achieve and maintain compliance with frameworks like SOC 2, ISO 27001 & GDPR. Bubba AI, Inc. is building a comprehensive solution for these organizations to easily integrate compliance workflows and build their own customized processes through an open-source alternative to existing GRC (Governance, Risk, and Compliance) automation platforms.

The company is positioning itself to address the compliance needs of organizations ranging from early-stage startups to established enterprises. Bubba AI’s flagship product, Comp AI, offers a built-in risk register and the policies required by compliance frameworks, while also allowing companies to build their own compliance workflows from building blocks provided by the platform.

Introducing Comp AI

Comp AI is an open-source alternative to GRC automation platforms like Vanta and Drata. The platform includes several key features designed to automate compliance with frameworks such as SOC 2:

  • A built-in risk register to help companies identify, document, and assess potential security risks
  • Out-of-the-box security policies for modern companies, complete with an AI-powered editor for customization
  • A comprehensive vendor management suite for tracking, assessing, and identifying third-party vendors
  • Automated evidence-collection tools that reduce the manual burden of compliance documentation

The open source nature of Comp AI differentiates it from existing solutions in the market, allowing for greater community involvement, customization, and cost savings for companies on their compliance journey.

The Value of Open Source Compliance Solutions

Bubba AI was founded in late 2024 by Lewis Carhart. Carhart recognized a significant gap in the market for affordable, flexible compliance automation tools that could serve the needs of a wide range of companies.

“While building at previous companies, I experienced firsthand how painful and resource-intensive the compliance process can be, especially for smaller organizations. The existing solutions were either prohibitively expensive or lacked the flexibility we needed. I wanted to create an open source platform that democratizes access to compliance automation,” Lewis Carhart commented.

This experience led Carhart to develop Comp AI as an open source alternative that could help organizations of all sizes achieve SOC 2 compliance without breaking the bank or getting locked into proprietary systems.

The Ambitious Goal

Bubba AI has set an ambitious target: helping 100,000 companies achieve compliance with cyber security frameworks like SOC 2, ISO 27001 & GDPR by 2032. This goal reflects the growing importance of security certifications as businesses increasingly handle sensitive customer data and face stricter regulatory requirements.

“We believe that strong security practices shouldn’t be a luxury that only well-funded companies can afford. By providing an open source solution, we’re removing barriers to entry and empowering organizations to build robust security programs regardless of their size or resources,” said Lewis Carhart.

The company plans to build a community around its open-source platform, encouraging contributions and extensions that can benefit the broader business ecosystem.

About Bubba AI

Bubba AI, Inc. was founded at the end of 2024. Its mission is clear: help 100,000 companies get compliant with common cyber security frameworks by 2032. To do this, Bubba AI, Inc. is launching its first product – Comp AI, an open-source alternative to Vanta & Drata.

Contact

Founder
Lewis Carhart
Bubba AI, Inc.
hello@trycomp.ai

The post Bubba AI, Inc. is launching Comp AI to help 100,000 startups get SOC 2 compliant by 2032. appeared first on Cybersecurity Insiders.


March 04, 2025 at 01:16AM

Enhancing Mobile Banking Security: Protecting Your Data from Cyber Threats

Mobile banking applications put financial services at your fingertips. However, they have also become prime targets for cybercriminals, who use keyloggers and other malicious tactics to steal sensitive information such as passwords and banking credentials.

To safeguard your financial data from such threats, follow these essential security measures:

1. Avoid Malicious Applications and Software Downloads

Downloading applications from untrusted sources can expose your device to keyloggers and other malware. Always install apps from official stores like Google Play or the Apple App Store, and be cautious of links sent by unknown senders, as they may contain harmful payloads.

2. Beware of Phishing Scams

Cybercriminals often use phishing attacks through emails and SMS messages to trick users into clicking malicious links. These links may redirect you to fake banking websites designed to steal your credentials or inject malware into your device. To mitigate this risk, never click on suspicious links—delete them immediately or mark them as spam.

3. Keep Your Software Updated

Ensure your mobile device runs the latest operating system, as updates often include critical security patches that protect against vulnerabilities. Additionally, keep your banking and security applications updated to the latest versions to benefit from enhanced security features and bug fixes.

4. Use a Reliable Anti-Malware Solution

Invest in a trusted anti-malware solution to safeguard your smartphone from spyware, adware, and other forms of cyber threats. While free security apps are available, premium solutions offer comprehensive protection against evolving threats in the cybersecurity landscape.

Signs Your Device May Be Compromised

If you notice unusual battery drain, unexpected spikes in data usage, frequent device freezing, or slow performance, your phone may be infected with a keylogger or other malicious software. Running a thorough anti-malware scan can help detect and remove such threats before they compromise your data.

Stay Proactive and Secure

Preventing cyber threats is always better than dealing with their consequences. By adopting proactive security measures, you can keep your mobile banking applications safe and ensure your financial transactions remain secure from prying eyes.

The post Enhancing Mobile Banking Security: Protecting Your Data from Cyber Threats appeared first on Cybersecurity Insiders.


March 03, 2025 at 08:38PM

Sunday, March 2, 2025

Pros and Cons of Using AI in Cybersecurity

In today’s digital age, cybersecurity is more critical than ever before. With the increasing sophistication of cyberattacks and the expanding volume of data that organizations must protect, the integration of Artificial Intelligence (AI) in cybersecurity has emerged as a powerful tool to combat these threats. However, like any technology, AI in cybersecurity comes with both advantages and challenges. This article will explore the pros and cons of using AI in the field of cybersecurity.

Pros of Using AI in Cybersecurity

1. Enhanced Threat Detection and Prevention – One of the most significant advantages of AI in cybersecurity is its ability to detect and prevent threats in real time. Traditional cybersecurity tools often rely on predefined signatures or rules to identify threats, which can be bypassed by new, sophisticated attack methods. AI, on the other hand, can use machine learning (ML) algorithms to analyze vast amounts of data and identify anomalous patterns indicative of cyber threats, such as malware, phishing attempts, or zero-day attacks. This allows organizations to detect threats that may otherwise go unnoticed and respond swiftly before they cause significant harm.

2. Automated Incident Response – AI can automate many aspects of incident response, reducing the time it takes to detect, analyze, and mitigate cyberattacks. AI-powered security systems can automatically isolate affected systems, block malicious traffic, and implement countermeasures without human intervention. This can dramatically reduce response times and minimize the damage caused by cyberattacks. In high-pressure situations, AI can act as a force multiplier, allowing security teams to focus on more complex tasks while automated systems handle the basics.

3. Improved Accuracy and Efficiency – Unlike human analysts, AI systems do not suffer from fatigue or bias. They can process enormous amounts of data quickly and accurately, identifying threats that might be overlooked by human eyes. By utilizing AI, organizations can significantly reduce the number of false positives, which are common in traditional cybersecurity systems, and ensure that resources are focused on legitimate threats. This efficiency leads to cost savings and a more robust cybersecurity posture.

4. Predictive Capabilities – AI’s ability to analyze historical data and recognize emerging trends allows it to predict potential threats before they materialize. By examining past cyberattacks and understanding how threats evolve over time, AI can provide valuable insights into where and how future attacks may occur. This predictive capability enables organizations to strengthen their defenses proactively, rather than reactively, and helps them stay ahead of cybercriminals.

5. Scalability – As the amount of data generated by organizations continues to grow exponentially, AI’s scalability becomes increasingly valuable. AI systems can adapt to handle larger volumes of data, more complex networks, and a growing number of endpoints. Unlike traditional systems that require constant manual updates and human intervention, AI can autonomously adjust its models and adapt to changing network environments, making it a highly scalable solution for cybersecurity.

Cons of Using AI in Cybersecurity

1. High Implementation Costs – While AI offers numerous benefits, implementing AI-based cybersecurity solutions can be expensive. The development, integration, and ongoing maintenance of AI-powered systems require significant financial investment. Organizations must not only purchase the necessary hardware and software but also invest in the expertise required to configure and manage these systems effectively. Smaller organizations with limited budgets may find it difficult to justify the high costs of adopting AI for cybersecurity.

2. Risk of Adversarial AI – As AI systems become more integrated into cybersecurity, cybercriminals are also using AI to launch more sophisticated attacks. Hackers can develop adversarial AI, which is designed to bypass or deceive security systems powered by machine learning algorithms. For example, AI can be used to create fake data that tricks a security system into classifying malicious activity as benign, allowing cybercriminals to evade detection. This cat-and-mouse dynamic between security AI and cybercriminals introduces a new layer of complexity to the cybersecurity landscape.

3. Dependence on Data Quality – AI systems are only as good as the data they are trained on. If the data used to train AI algorithms is biased, incomplete, or of poor quality, the effectiveness of the system can be severely compromised. In cybersecurity, where the stakes are high, relying on faulty or incomplete data can lead to missed threats, false alarms, or improper responses to attacks. Organizations must ensure that the data feeding their AI systems is accurate, comprehensive, and representative of the latest threat landscape.

4. Complexity and Lack of Transparency – AI systems, particularly those based on deep learning and other advanced techniques, can often operate as “black boxes,” meaning their decision-making processes are not easily understood by human operators. This lack of transparency can be a significant drawback in cybersecurity, where understanding why a particular threat was detected or why a response was triggered is essential for improving and fine-tuning the system. Additionally, if an AI system makes an incorrect decision, it can be difficult to troubleshoot and correct the issue without a clear understanding of how the AI reached its conclusion.

5. Ethical and Privacy Concerns – The deployment of AI in cybersecurity can raise ethical and privacy concerns, particularly when it comes to data collection and surveillance. AI-driven systems often require access to vast amounts of sensitive information to function effectively, which could include personal data, employee activities, or customer information. The use of AI in this context could potentially violate privacy rights or lead to unwanted surveillance. Moreover, the increasing reliance on AI could give organizations unprecedented power over personal data, raising concerns about potential misuse or abuse.

Conclusion

AI has the potential to revolutionize cybersecurity by providing faster, more accurate threat detection, automated responses, and predictive capabilities. However, its adoption comes with challenges, including high implementation costs, the risk of adversarial AI, data quality concerns, and ethical issues related to privacy. As AI technology continues to evolve, organizations must carefully weigh the benefits and drawbacks before integrating AI into their cybersecurity strategies. With proper implementation and oversight, AI can significantly enhance an organization’s ability to defend against the ever-evolving landscape of cyber threats.

The post Pros and Cons of Using AI in Cybersecurity appeared first on Cybersecurity Insiders.


March 03, 2025 at 11:04AM

Russia not a cyber threat to the United States

In recent years, media outlets across the United States have heavily reported on the rising concerns surrounding Russia, portraying it as one of the nation’s primary cyber adversaries. Over the past three to four years, Russia has been widely accused of engaging in espionage, cyberattacks, and targeting critical infrastructure in the U.S., leading to its designation as a significant national security threat.

However, last Friday, the White House issued new directives to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), officially removing Russia from the list of America’s primary cyber adversaries. This decision marks a significant shift, as the focus has now turned exclusively to China, which is now considered the sole nation posing a direct cyber threat to the United States. The decision to remove Russia from the threat radar came after discussions between CISA, the Department of Homeland Security, and the Pentagon.

While this move may come as a surprise to many, it was somewhat anticipated, especially considering the ongoing political ties between former U.S. President Donald Trump and Russian President Vladimir Putin. Trump’s cordial relationship with the Kremlin has long been a subject of scrutiny and debate, with some speculating that it might have influenced this recent decision.

With this change, CISA has now been instructed to cease monitoring or reporting any cyber threats originating from Russia, or those funded by the Russian government. However, there is still uncertainty about whether Russian-affiliated cybercriminal groups, such as the notorious ransomware gangs LockBit and Black Basta, will continue to fall under surveillance. These groups have posed a significant threat to businesses across the United States, and their removal from the radar could have serious consequences for cybersecurity in the country.

Meanwhile, in Europe, Poland has taken a different stance. The Polish government recently identified Russia as its most significant cyber adversary after a Kremlin-backed cybercriminal group infiltrated the Polish Space Agency (POLSA), planting malware and stealing sensitive data. Polish officials have confirmed the attack and launched a forensic investigation to uncover the full extent of the breach.

Krzysztof Gawkowski, Poland’s Minister of Digital Communications, verified the attack and emphasized that the investigation is ongoing. The Polish government has publicly accused the Russian government of orchestrating the cyberattack, arguing that it was part of a broader effort to destabilize the country’s political and economic interests. Poland’s strong support for Ukraine, particularly in providing military and humanitarian aid, has made it a key target for the Kremlin. The cyberattack is seen as an attempt to retaliate and undermine Poland’s role in the ongoing conflict between Russia and Ukraine.

This situation underscores the growing importance of cybersecurity on the global stage and highlights the diverse approaches different nations are taking in response to cyber threats. As the United States shifts its focus toward China, Europe, particularly Poland, remains resolute in its stance against Russian cyber aggression, revealing the complex and evolving nature of international cyber conflict.

The post Russia not a cyber threat to the United States appeared first on Cybersecurity Insiders.


March 03, 2025 at 10:53AM

Saturday, March 1, 2025

Business Continuity Planning: Scenarios vs. impact

The core aim of Business Continuity Planning is to ensure that an organisation can continue to deliver its products and services, minimise downtime and recover swiftly when faced with disruption.

There is a fundamental question, often posed when organisations begin: “should I plan for scenarios or impacts?” For example, should we have a plan for fire, flood, terrorist event and gas leak? Or should we instead plan for shared impacts such as the loss of premises?

The simple answer is that the only practical solution is to plan for impacts, not scenarios. The longer answer is that scenarios also have a part to play.

Scenarios play a vital role in bringing planning to life and making exercises ‘real’. In some cases, when a specific risk is highly likely, specific plans may be required to address that scenario. For instance, you may want a specific plan if your premises are located in an area likely to be targeted by terrorists or at high flood risk.

The increasing likelihood of cyber-attacks, along with their specific impacts, means all organisations should have a plan specific to this threat. As we will explore, it is this practical element that makes impact-based analysis so important, and why organisations should continue to prioritise it over scenarios.

What is Business Impact Analysis?

A Business Impact Analysis (BIA) is the cornerstone of business continuity. By assessing the potential impacts of disruptions, a BIA establishes priorities for recovery, the timeframes for bringing systems back online and the resources necessary to achieve these goals.

It is a process that focuses on the impacts rather than the causes of a disruption. In other words, a BIA helps businesses to understand the consequences of losing critical functions and services, regardless of the event that triggered the disruption.

For example, you might conduct a BIA to determine the Recovery Time Objective (RTO) for key business processes. This establishes the speed at which operations must be restored to avoid severe financial or reputational damage.

The trend towards scenarios

The appeal of scenarios as a core part of a BCP stems from their ability to simulate and test responses to specific crises. In turn, this offers a practical method for decision-makers to understand the complexities of potential disruptions and their consequences.

Scenarios are also an effective means of fostering engagement. Realistic, time-bound situations enable employees and leadership teams to immerse themselves in the experience, helping them to practise decision-making under pressure.

Finally, they can highlight weaknesses in existing plans and reveal areas for improvement, ultimately strengthening readiness for future events. By confronting the ‘what-ifs,’ organisations can implement proactive strategies to manage potential risks.

Assessing impact

Despite the trend towards scenario-based exercises, focusing on impact remains the most crucial aspect of Business Continuity Planning. While scenarios can simulate specific threats, it’s impossible to predict every possible disruption.

Real-life crises rarely follow a neatly scripted structure, and focusing too much on specific threats can lead to an overcomplicated, fragmented plan that is difficult to implement. On the other hand, impact-based planning remains an adaptable and versatile solution.

While there is an infinite number of potential scenarios, each will have shared impacts on your organisation’s key assets. These can be broken down into P-P-R-S:

  • People (skills and knowledge)
  • Premises (buildings and facilities)
  • Resources (IT, information, equipment, materials)
  • Suppliers (third-party products and services)

Evaluating the outcomes of disruption (such as lost revenue or reputational harm) rather than the cause enables organisations to ensure that their continuity plans are flexible enough to handle any event. To achieve this, a BIA is invaluable for highlighting critical business functions, as well as the resources needed to restore them, regardless of the type of disruption.

Striking a balance

The key to effective Business Continuity Planning is to find a balance between impact and scenario-based approaches. While scenario exercises can be invaluable to test your organisation’s response capabilities and prepare for specific crises, the foundation of any continuity strategy must be built around impact.

In an ideal world, scenario-based exercises should be used to test the effectiveness of impact-focused plans. By combining these approaches, businesses can ensure they are both proactive (anticipating potential crises) and resilient (prepared to deal with that disruption).

Recognising the value of both is crucial to develop a robust and comprehensive strategy, ensuring that recovery efforts are focused on the outcomes that matter most to your business.

The post Business Continuity Planning: Scenarios vs. impact appeared first on Cybersecurity Insiders.


March 01, 2025 at 07:34PM

The New Face of Executive Protection: Why Digital and Physical Security Can No Longer Stand Alone

The security landscape for corporate leaders has reached a critical inflection point. Physical threats against executives have surged by 88%, but what’s even more alarming is how these threats have evolved. Today’s attackers aren’t just gathering intelligence online – they’re weaponizing it for sophisticated, hybrid attacks that exploit the traditional divide between cyber and physical security operations.

In this new reality, digital and physical environments have become inextricably intertwined. Threat actors target everything from Personally Identifiable Information (PII) to social media presence, using this intelligence to orchestrate more sophisticated attacks. The goal isn’t just compromising digital assets – it’s inflicting tangible reputational and financial damage on companies, through their leaders.

The Dangerous Divide

For too long, organizations have treated digital and physical security as separate domains, each with its own teams, tools, and protocols. While traditional executive security measures like bodyguards, corporate security teams, and cyber threat intelligence all play crucial roles, taking a fragmented approach creates dangerous blind spots. Threat actors have recognized this division as a critical weakness, and they’re increasingly exploiting it.

Consider a common scenario: An attacker purchases an executive’s PII through a data broker site and discovers details about their family, including their home address and children’s names and ages. Armed with this intimate knowledge, they craft impersonation scams that leverage these personal details to deceive employees into revealing sensitive company information. This is just one way attackers bridge digital and physical realms to target corporate leaders.

The stakes go far beyond digital deception. What begins as digital reconnaissance can quickly evolve into physical surveillance or attack, made more effective by detailed intelligence gathered online. The diversity of teams and strategies involved in executive security often leads to fragmentation, when what’s really needed is a cohesive solution.

Breaking Down Silos Between Physical and Digital Security

To counter these hybrid threats, security teams need to fundamentally reimagine their approach to executive protection. This means breaking down the artificial barriers between digital and physical security, and creating integrated protection programs that address the full spectrum of modern risks.

First up is establishing systematic monitoring of digital indicators that could signal impending physical threats. This includes analyzing social media sentiment; tracking mentions of executives across the surface, deep, and dark web; and monitoring for leaked personal information that could be exploited by attackers. The power of this approach was recently put to the test, when our analysts identified a threat actor who had posted plans on social media to attack a corporate building with an AR-15 rifle. By cross-referencing various platforms and arrest records, our team discovered the individual had a violent history. And through detailed analysis of background objects in the person’s social media photos, our analysts pinpointed their location, enabling law enforcement to intervene before any harm could occur.

Second, security teams need to develop shared protocols and communication channels that enable rapid response to emerging threats, regardless of whether they manifest in the digital or physical realm. Establishing real-time physical security monitoring that maintains situational awareness is crucial, especially during executive travel. Proactive monitoring of social media accounts, digital platforms, and suspicious activity is critical for identifying and neutralizing potential threats before they escalate to full-scale attacks.

Third, organizations must take a more proactive approach to protecting executive privacy and PII. Data broker sites routinely collect and sell detailed executive profiles containing everything from home addresses to income details and medical records. This information becomes ammunition for sophisticated attacks, including imposter scams where attackers use personal details about an executive’s family to make their deceptions more convincing. Monitoring for, and quickly removing, this sensitive information helps keep it off the digital marketplace.

Looking Ahead: A Modern Approach to Executive Protection

As the digital landscape expands, so do the opportunities for cyber exploitation targeting executives, and the line between digital and physical security becomes increasingly blurred. Companies that put up barriers between these domains risk creating dangerous blind spots that sophisticated attackers will exploit. The solution isn’t simply to add more layers – it’s to fundamentally reshape how we think about and implement executive protection.

This means creating comprehensive digital monitoring across social media and dark web channels, establishing real-time threat alert systems, and implementing robust personal information protection programs. Organizations should build unified security operations centers where digital and physical teams work together seamlessly, develop integrated response protocols, and ensure all security personnel are trained to recognize how online threats can signal physical danger.

The stakes are too high to continue with outdated executive security models. In today’s world, every digital breadcrumb can be weaponized for physical attacks. The question isn’t whether to integrate digital and physical security – it’s how quickly organizations can adapt before sophisticated attackers exploit their divided defenses.


The post The New Face of Executive Protection: Why Digital and Physical Security Can No Longer Stand Alone appeared first on Cybersecurity Insiders.


March 01, 2025 at 06:39PM

Why Cyber Resilience Legislation is Vital to Safeguarding Our Networks

Mary Ward was a pioneer. She was considered to have a talent for drawing, researching insects and writing several books on microscopy, which made her one of the most prominent scientists in the British Isles – a novelty for a woman at the time. Another novelty was her steam-powered carriage, in which she rolled through Ireland. In 1869, her vehicle earned her a sad notoriety: Ward is considered the first road traffic fatality. On a bend, the 42-year-old slipped off the bench and fell in front of the cart, which then ran over her. Seat belts, which might have saved the life of the mother of eight, were not mandatory at the time. It was only around 1900 that rules for traffic as we know them today emerged: rules to avert damage and to make everyone’s interactions safer for all. The same need exists today in the IT world. Countries are pushing ahead with legislation with the aim of protecting companies, administrations, and individuals from dangers from cyberspace.

Traffic regulations for more cyber security

From North America to India and Asia – all over the world, digital traffic regulations are in demand. Politicians are looking for ways to make the digital economy more resilient. The goal: To establish a culture of security in all private and public spheres. A look at Europe shows how this might be achieved. The European Union is currently pushing ahead with the new version of the directive for Network and Information Systems (NIS2). The union of states is pursuing the idea of modernizing the existing legal framework and adapting it to the intensifying threat situation. Although more digitalization also creates more opportunities for value creation, every additional digital opportunity also opens up potential gateways for third parties with nefarious intentions.

Whether it’s the energy, water, banking, finance, or health sectors, NIS2 extends the group of companies and public institutions that must make their IT landscape more resilient. And this applies to all sectors that are of crucial economic and social importance and are particularly dependent on information and communication technologies. The rules apply directly to a wider range of institutions and indirectly to companies that are part of a supply chain. The example of CrowdStrike shows why this is crucial: On July 19, 2024, the cybersecurity provider delivered a faulty update that caused computer systems around the world to fail. Around 8.5 million Windows devices at airlines, hospitals and retailers were affected. It was a simple glitch, but in a fully digitally networked economy, it turned into an unprecedented problem.

Authorities, standards and guidelines to mitigate cyber risks

From hackers and botnets to accidents and mishaps, more and more digitalized and industrialized economies are arming themselves against threats like these. In 2022, for example, the Strengthening American Cybersecurity Act was passed in the US. The law updates existing federal information security regulations, requires operators of critical infrastructure to report cyber and ransomware attacks, and improves the security of cloud services for federal agencies. Malaysia has taken a similar path: Malaysia’s first standalone Cyber Security Act 2024 came into force in 2024. The law sets regulatory standards for cybersecurity and aims to protect the national critical information infrastructure. A dedicated agency – the National Cyber Security Committee – is to implement and monitor the requirements. The same applies to India and Singapore: The subcontinent has set up its own government agency, the Indian Computer Emergency Response Team, which publishes guidelines and recommendations for companies and is responsible for preventing cyber attacks. And the city state aims to protect critical information infrastructures with its Cybersecurity Act, introduced in 2018.

Internet Exchanges and cyber resilience: More resilience for providers and customers

Critical infrastructure with a particularly high economic importance and need for protection: This is precisely the situation of telecommunications companies in many countries around the world. The basic principle is that to make networks resilient, all levels – from undersea cables to Internet Exchanges to data centers – must be individually secured. In practical terms, this means that each infrastructure is only as resilient as the individual elements of which it is composed. So, if all the components of a shared infrastructure – be it the roads or the global telecommunications infrastructure – are designed to be redundant and diversified, the overall system will be more resilient for everyone. On the one hand, for the providers who provide their services in this way and, on the other hand, for the customers who build their own IT on such mutually secured services and solutions.

Telecommunications providers in particular are setting a good example in this respect. In contrast to other industries, they often have a fully integrated resilience approach, as figures from PwC’s Global Crisis and Resilience Survey 2023 show: Technology, Media and Telecommunications has the most integrated resilience programs (28%), ahead of Health (24%), Energy (24%), and Financial Services (22%). This includes interconnection providers in Europe and Germany – in view of NIS2, some operators will have to tighten up their identity and access management, but in principle, interconnection services already belong to the “critical infrastructure” category (according to NIS1). In addition, many Internet Exchanges are now certified according to national regulatory requirements such as the so-called IT-Grundschutz from the German Federal Office for Information Security and ISO 27001. Both are recognized frameworks and standards for IT and information security, which NIS2 demands.

Not just a compliance exercise: Weighing up IT risks in our own economic interest

Whether in Berlin, Kuala Lumpur, New Delhi or Washington – companies that want to ensure professional and secure IT operations for themselves and their customers have always been well advised to follow guidelines and standards for greater IT security. And that is true even out of pure economic self-interest. The experts at PwC, for example, recommend that laws for more cyber resilience should not be dismissed as mere compliance and checklist exercises, but should be recognized as a competitive advantage. Those who do not base their actions solely on how the law will affect them elevate their own corporate interests to the level of the common good of society.

Self-interest as the basis for the common good? Whether on the information superhighway or on the road, it makes sense. Since they came into force in 1934, Germany alone has amended its road traffic regulations more than 30 times – from speed limits to lane markings to the general requirement to wear seat belts. Very much in the spirit of Mary Ward.


The post Why Cyber Resilience Legislation is Vital to Safeguarding Our Networks appeared first on Cybersecurity Insiders.


March 01, 2025 at 05:22PM