All news with #security awareness tag

Internet Bug Bounty Pauses Payouts Amid AI Advances

🛑 The Internet Bug Bounty program, administered by HackerOne and backed by multiple major software companies, has paused submissions and payouts while it reassesses how best to support open source security. HackerOne said the rise of AI-assisted vulnerability discovery has increased both coverage and speed, shifting the balance between new findings and remediation capacity. Projects such as Node.js will continue to accept and triage reports via HackerOne but may not issue rewards from the paused fund. Similar changes have hit other programs, including curl and recent restrictions at Google's open source rewards effort.

Fortinet Training Institute Announces 2026 ATC Award Winners

📣 Fortinet announced the winners of the 2026 Training Institute Authorized Training Center (ATC) Awards, recognizing partners that excel in delivering NSE certification and hands-on cybersecurity education across more than 150 countries. The awards highlight regional and categorical leaders — from Partner of the Year to Certified Trainer of the Year — for measurable impact in skills development. Fortinet emphasized that structured, role-based training is a core security control as organizations expand teams, mandate certifications, and adapt to AI-influenced threats.

A Taxonomy of Cognitive Security and Reality Pentesting

🧠 Bruce Schneier highlights K. Melton’s recent framework on cognitive security, cognitive hacking, and “reality pentesting.” Melton organizes cognition into five architectural layers—sensory interface, neurocompiler, mind kernel, the mesh, and cultural substrate—and shows how fast, unconscious processes (Kahneman’s System 1) create exploitable backdoors. The taxonomy frames human perception as an IT-like attack surface and suggests practical implications for testing, defense, and threat modeling.

Rethinking Human Risk: Awareness Isn't a Control, Period

🔒 Organizations frequently treat security awareness training as a control, but this article contends it is primarily a cultural measure that cannot guarantee consistent outcomes. While training and phishing simulations reduce risk at the margins, they do not eliminate human variability or stop sophisticated business email compromise, credential harvesting, and modern MFA bypass techniques. The author recommends engineering systems to assume human fallibility—through phishing-resistant authentication, enforced financial controls, continuous identity telemetry, and real-time anomaly detection—so a single mistake cannot cause material harm.

Cybersecurity as a Societal Challenge: Leadership & Education

🔒 In the fourth episode of Season 2 of Brass Tacks - Talking Cybersecurity, Joe Robertson and Professor Richard Benham examine how cybersecurity has shifted from an IT concern to a wider societal challenge that touches public services, national security, education, and everyday life. Benham draws on a career spanning finance, cross‑border policing and public service to show how digital risk became a national priority. He argues that leadership, rethought education and cross‑sector collaboration—illustrated by a pioneering MBA program and the National Cyber Awards—are key to building resilience.

Hidden Cost of Cybersecurity Specialization and Skills Loss

🔒 Bryan Simon, a SANS Senior Instructor, argues that accelerating specialization in cybersecurity is eroding foundational skills and shared context. When teams focus narrowly on domains or tools, organizations lose end-to-end visibility, risk prioritization weakens, and decisions drift toward product selection instead of mission-driven protection. Simon emphasizes that knowing what is "normal," mapping assets to business impact, and reinforcing core competencies are essential; he will teach these principles in SEC401 at SANS Security West 2026.

Google adds Advanced Flow for safer APK sideloading

🔒 Google is introducing Advanced Flow, a new Android mechanism that lets power users sideload APKs from unverified developers while adding multi-step protections. The one-time process requires enabling Developer Mode, confirming you are not being coached by a threat actor, restarting and reauthenticating, then waiting one day to validate the changes. After completion users may enable installations for a week or indefinitely, and Android will display a warning that the app is from an unverified developer. The flow is intended to add friction and disrupt urgency-driven scam tactics.

NCA Chief Warns Teens Are Being Radicalized into Cybercrime

🚨 The head of the UK's National Crime Agency, Graeme Biggar, warned at the launch of the NCA's National Strategic Assessment that online platforms and algorithms are 'radicalizing' teenagers into cybercrime, alongside other harms. He said technology is reshaping crime and that tech companies must take responsibility. Biggar highlighted rising UK-based attackers, surges in online fraud and sextortion, and the creation of the Online Crime Centre to speed data sharing across government and industry.

Five Ways Google Helps You Avoid Tax Season Scammers

🔒 Google outlines five practical defenses to help users spot and avoid tax-season scams. It describes on-device AI protections on Pixel phones including Call Screen and optional real-time Scam Detection alerts, plus text-vetting with Circle to Search and Lens. The post highlights real-time Safe Browsing, high-visibility Gmail warning banners and security steps like Passkeys and 2-Step Verification to reduce fraud risk.

Cybersecurity Certifications: A Business Imperative

🔒 The Fortinet 2025 Global Cybersecurity Skills Gap Report shows persistent talent shortages are driving higher breach rates and financial losses, making validated skills essential. Certifications provide standardized, role-aligned evidence of operational readiness, support staged career progression, and signal employer investment to improve retention. Structured programs map learning to real roles and help close the readiness gap between knowing concepts and applying them under pressure.

Meta's New AI Glasses Raise Urgent Privacy Concerns

👓 Meta's new AI glasses are a privacy disaster, capturing audio, images, and contextual data in public and private spaces without meaningful consent. Security expert Bruce Schneier warns the technology is inevitable and difficult to regulate effectively. He notes an Android app now claims to detect nearby smart glasses, but detection is limited and insufficient to address broader surveillance and policy challenges.

Reflections on Diversity, Threats, and Cyber Guidance

🔒 The author opens this week’s Threat Source newsletter with personal reflections on being raised by a single mother, connecting those experiences to the gender imbalance in STEM and cybersecurity. He cites sobering statistics — for example, women comprise 28.2% of the global STEM workforce and occupy only 16% of CISO roles — and highlights mentorship programs like WiCyS and CTFs. Talos also summarizes a March 10 update on cyber activity tied to the Middle East conflict and provides practical defensive advice for destructive malware, DDoS, and website defacement.

GSEC Summit 2026: Building Safer, Balanced Teen Experiences

🛡️ At the Growing Up in the Digital Age Summit in Dublin, Google presented product safeguards and policy principles designed to support teen digital wellbeing, emphasizing defaults like SafeSearch and private YouTube uploads as baseline protections. The company announced improvements to Family Link, a unique option to set Shorts time to zero for supervised teens, and additional Gemini Apps guardrails for users under 18. It also unveiled a $20 million global initiative to create multilingual, open-source wellbeing resources and urged a risk-based approach to age assurance rather than blanket bans.

Microsoft Teams Will Tag Third-Party Bots in Lobbies

🛡️ Microsoft will update Teams to clearly label external third-party bots that appear in meeting lobbies, and organizers will be required to explicitly admit them. The change is slated for May 2026 and will reach Windows, macOS, Android, and iOS for worldwide standard multi-tenant and GCC clouds. By distinguishing bots from human attendees, the feature aims to prevent malicious or unwanted automated participants from being inadvertently accepted into meetings and complements recent Teams security enhancements such as call-reporting, fraud-protection warnings, and Defender-based admin controls.

Encouraging Women in Cybersecurity at Every Career Stage

🔐 Women early in their careers are shaping the future of cybersecurity and AI security, bringing fresh perspectives, curiosity, and collaborative leadership that strengthen detection, design, and resilience. The post argues that diversity is a security imperative, citing research such as the ISACA paper and workforce data showing women comprise roughly 24% of the field. It highlights leaders and programs like Girl Security and recommends practical steps—mentorship, inclusive hiring, sustained training, and community partnerships—to support women from introduction through leadership.

2025 Security Awareness Report: Training Works, Gaps Remain

🔒 AI-driven threats have increased employee awareness, but readiness remains uneven: only about 40% of leaders say staff are prepared to identify, avoid, and report AI-based threats. The 2025 report, based on responses from 1,850 senior IT and security leaders, shows training reduces incidents—67% of organizations report moderate or significant reductions—and measurement is shifting toward behavior-focused programs. However, low completion rates, rising insider risk, and outdated content limit impact; practical fixes include microlearning, role-based content, and clearer accountability backed by leadership.

Half of US CISOs Now Working Equivalent to Six-Day Weeks

📊 A Seemplicity survey of 300 CISOs and equivalents finds nearly half of US security leaders are effectively working an extra day each week, with 45% logging 11+ additional hours and 20% putting in 16+ hours. Forty-four percent say the role feels emotionally exhausting and 43% cannot take time off without undue stress, yet 94% would still choose cybersecurity. The report warns AI is shifting work from execution to interpretation, increasing the need for communication and business skills.

Scorecard for Cyber and Risk Culture Transformation

🔒 This article argues that security culture must be measured and designed, not celebrated as events. It contrasts awareness (what people can repeat) with ownership (what they do under pressure), shows where culture appears in daily decisions, and warns that campaigns and checklists alone won’t create durable change. The author prescribes a practical scorecard and an operating-system redesign so secure choices become the obvious path.

From Classroom to Cyber Career — Fortinet and UniSA

🔐 Fortinet's Academic Partner Program partners with the University of South Australia to expand access to cybersecurity careers by delivering NSE training, hands-on labs, and free exam vouchers that remove financial barriers. With more than 800 partner institutions worldwide and a goal to train 1 million individuals by 2026, the initiative readies students for internships and full-time roles. Industry networking events with distributors such as Wavelink translate certification into interviews and hires, while practical lab work builds technical confidence and employability.

Mobile App Permissions Still Matter: Protect Your Privacy

🔒 App permissions determine which data and device features an app can access, and many users accept prompts without considering the consequences. The article, by Phil Muncaster, explains how modern Android and iOS versions surface sensitive permissions at runtime and distinguishes between benign “normal” permissions and higher-risk “dangerous” ones. It highlights particularly sensitive requests — accessibility, background location, SMS/call logs and overlay — and recommends choosing “Allow once” or “While using”, regularly auditing permissions via App Privacy Report or Privacy Dashboard, and installing apps only from reputable stores.