
All news with #security awareness tag

200 articles

Five Practical Steps to Manage Shadow AI Tools Securely

🔍 Across organizations, employees run three to five AI tools daily—many unapproved and often connected to corporate data via OAuth, browser extensions, or newly added vendor features—creating a widening "shadow AI" gap that evades traditional network controls. The article outlines five practical steps security teams can apply: build an inventory, write usable policies, create a fast approval lane, implement browser-native monitoring, and deliver just-in-time coaching. Together these measures aim to preserve productivity while restoring visibility, reducing data exposure, and aligning employee workflows with security requirements.

How to Manage Subscriptions Securely and Avoid Scams

🔒 Subscription services are widespread and often contain personal data, making them attractive targets for attackers. The article outlines common attack vectors — phishing, credential reuse, infostealers, and bulk-resale of hacked family slots — and explains practical defenses: use password managers, enable two-factor authentication or passkeys, and monitor active sessions. It also advises how to spot phishing and track hidden recurring charges through bank statements and app-store settings.

How geopolitical turmoil fuels online gift and aid scams

⚠ Geopolitical tensions have created a fertile environment for opportunistic scammers who exploit fear and sympathy to harvest credentials, personal data, or direct payments. Common ploys include fake charities, romance and travel scams, fraudulent charges, investment schemes, sensational fake news and classic advance-fee cons. Scammers increasingly use convincing content produced with generative AI and impersonation tactics to bypass trust; verify independently, avoid unsolicited links or calls, and protect devices with reputable anti-malware.

How CISOs Can Prepare to Secure Board and Advisory Roles

🔒 Many CISOs are pursuing board and advisory roles to bridge gaps between security teams and directors, improve communication, and shape product roadmaps. Leaders such as ISACA vice chair Jamie Norton, Accenture’s Mitra Minai, and Nathan Morelli describe governance learning, vendor advisory seats, and targeted certifications as common pathways. The article emphasizes governance capability, strategic language, and the significant time commitment these roles demand.

2026 CSO Award Winners: Business-Enabling Cyber Innovation

🔒 The 2026 CSO Awards recognize 64 security organizations whose projects deliver measurable business value and stronger enterprise resilience. CSO profiles six standout initiatives that illustrate trends such as zero trust, AI-driven automation, gamified awareness, and shift-left cloud security. Examples include Copart’s adaptive phishing and gamification that lifted reporting rates from ~20% to over 55%, HMSA’s Zero Trust Data Governance that removed confidential member information from nonproduction environments, and Hensel Phelps’ automation program saving more than 1,250 work hours annually.

Signal Adds Warnings to Combat Social Engineering Attacks

🔒 Signal has rolled out new in-app confirmations and warning messages to help users detect phishing and social engineering attempts that abuse the Linked Device feature. The updates add visible cues such as “Name not verified” and “No groups in common”, stronger safety tips, and prompts reminding users the app will never ask for registration codes, PINs, or recovery keys. These measures aim to introduce friction so recipients can better evaluate external requests.

Nearly Half of World’s Passwords Cracked in Minutes

🔒 Kaspersky analyzed 231 million unique passwords leaked on dark-web forums (2023–2026) and found that 60% can be cracked in under an hour, with 48% broken in less than a minute. The testing used a single RTX 5090 GPU against MD5 hashes, illustrating how rapidly cracking speeds are improving. The report identifies common human patterns—digits, years, predictable words and popular special characters—and warns that many users reuse unchanged passwords for years. It recommends practical defenses such as a password manager, passkeys, and strong two-factor authentication.

Rise in Vercel Abuse for Phishing Campaigns, Cofense Warns

⚠️ Cofense warns that low-skilled threat actors are increasingly abusing Vercel's v0.dev GenAI tools to generate convincing phishing pages with minimal effort. Attackers can prototype for free, purchase tokens to build pages, and use Vercel hosting—its pro tier is roughly $20/month—to deploy and tear down sites quickly. Integrations with services like Telegram, AWS, Stripe and xAI further simplify operations. Cofense advises security teams to verify sender domains, watch for urgency cues and report malicious Vercel sites for takedown.

Fixing the password problem: why '123456' still works

🔐 The most-used password globally remains '123456', according to NordPass, and the author found that some mainstream services still accept trivial credentials in direct tests. Examples include Evite (breached in 2019) and parts of major social platforms that permit easily guessable strings like '1234567!'. The article highlights inconsistent password policies across sites and argues for stronger authentication requirements—preferably mandated MFA—with regulatory backing where necessary.

NCSC Warns of AI-Driven Patch Wave and Vulnerabilities

🛡️ The NCSC has warned UK organisations to prepare for a coming "patch wave" as vendors adopt powerful AI tools to discover and fix software vulnerabilities. CTO Ollie Whitehouse urged teams to prioritise external attack surfaces, enable automatic updates and hot patching where safe, and follow the NCSC's Vulnerability Management guidance. He cautioned that patching alone isn't enough for unsupported legacy systems and recommended replacing or restoring out-of-support technologies. The alert also notes potential US moves by CISA to shorten patch deadlines and industry concerns about operational readiness.

Webinar: Why MSPs Must Rethink Security and Backup

🔒 BleepingComputer and Kaseya will host a live webinar on May 14, 2026 at 2:00 PM EDT examining how modern attacks — led by AI-driven phishing and brand impersonation — are outpacing traditional defenses. The session explains why many MSPs segregate security and backup functions, creating gaps that threat actors exploit after initial compromise. Attendees will learn how to combine prevention, detection, and rapid recovery with SaaS backups and a robust BCDR strategy to minimize downtime and data loss.

Top Sales Challenges Costing MSPs Cybersecurity Revenue

🔍 The article identifies five go-to-market barriers that prevent managed service providers (MSPs) from converting growing cybersecurity demand into predictable revenue. It argues many MSPs emphasize technical findings and frameworks rather than translating risks into business outcomes, leaving security positioned as a cost rather than a strategic investment. Cynomi's GTM Academy Complete Sales Kit is presented as a practical, operator-led playbook to align sales and technical teams, quantify ROI, and expand existing accounts through targeted discovery, scoring, and playbooks.

Only 34% of Cyber Pros Plan to Stay With Employers

🔍 Only 34% of cybersecurity professionals plan to remain with their current employer, according to a survey of 500 respondents by IANS and Artico Search. The report finds that flexible work models, visible leadership support, and structured career development influence retention more than absolute pay. Hybrid schedules, mentorship, and modern tooling help reduce burnout and turnover.

Cyber Threat Literacy Tops Global People Risks 2026

🛡️ Marsh's 2026 People Risks report, compiled from interviews with over 4,500 HR and risk professionals across 26 markets, finds cyber-threat literacy is the top global people risk, with technological change, tech skills shortages and AI-related mindset barriers also ranking highly. The report highlights mishandling of data and low employee security awareness as persistent threats that can increase exposure to breaches and reputational damage. Marsh recommends reframing cyber risk to cover OT, HR and third-party systems, recruiting cyber talent, building a cyber-centric culture, reducing fatigue, and ensuring human oversight with robust governance and insurance cover.

Eight Best Practices for CISOs Conducting Risk Reviews

📋 This blog by Rico Mariani outlines eight practical best practices for CISOs conducting risk reviews, focusing on identifying assets, applications, and access controls to shape review scope and priorities. It emphasizes good quality authentication (tokens and issuers like Microsoft Entra), robust authorization, network isolation, detection, and auditing to enable proactive security. The post also highlights commonly overlooked areas such as backups, support, and development systems to ensure comprehensive risk coverage.

Most Cybersecurity Staff Feel Undervalued and Underpaid

🔍 Over three quarters of cybersecurity professionals did not receive a pay rise last year, and roughly half report feeling undervalued, according to the Harvey Nash Global Tech Talent & Salary Report. Only 45% expect a pay increase in the next 12 months, placing information security professionals among the most pessimistic about pay prospects. Just 22% said their organisations increased cybersecurity resources after high-profile incidents, driving dissatisfaction and turnover risk.

Be My Eyes AI: Safety for Visually Impaired Users Online

🧑‍🦯 Be My Eyes and its Be My AI feature can help visually impaired users identify on-screen content and even flag phishing attempts, but they are not infallible. In tests, the AI identified fake login pages and suspicious emails, yet risks such as hallucinations and prompt-injection remain. Treat AI output as a first-pass check, avoid sharing confidential details with unknown volunteers, install trusted security software and use a password manager, and prefer apps that process sensitive documents locally when possible.

Fortinet Training Institute Earns Multiple Industry Awards

🏆 Fortinet’s Training Institute has been honored with multiple industry awards that validate its sustained investment in cybersecurity education and certification. The institute continues to expand the NSE Certification program with role-based pathways and a global ecosystem spanning over 150 countries and 800 academic partners. Fortinet also delivers a SaaS-based Security Awareness and Training service—now offered in an education edition free to primary and secondary schools—and has pledged to train 1 million people by the end of 2026.

UK Cyber Security Council Adds Associate Professional Title

🔐 The UK Cyber Security Council has launched a new Associate Cyber Security Professional title, with applications open from 13 April to 17 May. The entry-level certification places holders on the UK Cyber Security Professional Register, requiring demonstration of competence across five key areas and a commitment to 75 hours of CPD over three years. Applicants can fast-track if they hold aligned qualifications, and the scheme aims to help early-career candidates prove their readiness to employers.

Custom Private Training to Reduce Cyber Operational Risk

🔐 Check Point Services offers PS Private Training (Custom ILT), a tailored instructor-led program that turns complex security environments into operational control. The service replaces generic courses with environment-specific labs, hands-on exercises, and field-proven best practices delivered by active Professional Services consultants. It focuses on closing hands-on skill gaps, speeding issue resolution, and lowering operational risk even in well-equipped organizations.