Many companies "were caught off guard by the spread of shadow AI use across the enterprise," Renieris and her co-authors observe. What's more, the rapid pace of AI advancements "is making it harder to use AI responsibly and is putting pressure on responsible AI programs to keep up." They warn the risks that come from ever-rising shadow AI are increasing, too. For example, companies' growing dependence on a burgeoning supply of third-party AI tools, along with the rapid adoption of generative AI -- algorithms (such as ChatGPT, Dall-E 2, and Midjourney) that use training data to generate realistic or seemingly factual text, images, or audio -- exposes them to new commercial, legal, and reputational risks that are difficult to track. The researchers refer to the importance of responsible AI, which they define as "a framework with principles, policies, tools, and processes to ensure that AI systems are developed and operated in the service of good for individuals and society while still achieving transformative business impact."

Benjamin Franklin once wrote: “For the want of a nail, the shoe was lost; for the want of a shoe the horse was lost; and for the want of a horse the rider was lost, being overtaken and slain by the enemy, all for the want of care about a horseshoe nail.” It’s a saying with a history that goes back centuries, and it points out how small details can lead to big consequences. In IT Security, we face a similar problem. There are so many interlocking parts in today’s IT infrastructure that it’s hard to keep track of all the assets, applications and systems that are in place. At the same time, the tide of new software vulnerabilities released each month can threaten to overwhelm even the best organised security team. However, there is an approach that can solve this problem. Rather than looking at every single issue or new vulnerability that comes in, how can we look for the ones that really matter? ... When you look at the total number of new vulnerabilities that we faced in 2022 – 25,228 according to the CVE list – you might feel nervous, but only 93 vulnerabilities were actually exploited by malware. 

While we’re busy putting finops systems in place to monitor and govern Cloud costs, we could see a spike in the money spent supporting generative AI systems. What should you do about it? This is a business issue more than a technical one. Companies need to understand how and why cloud spending is occurring and what business benefits are being returned. Then the costs can be included in predefined budgets. This is a hot button for enterprises that have limits on cloud spending. The line-of-business developers would like to leverage generative AI systems, usually for valid business reasons. However, as explained earlier, they cost a ton, and companies need to find either the money, the business justification, or both. In many instances, generative AI is what the cool kids use these days, but it’s often not cost-justifiable. Generative AI is sometimes being used for simple tactical tasks that would be fine with more traditional development approaches. This overapplication of AI has been an ongoing problem since AI was first around; the reality is that this technology is only justifiable for some business problems.

If a company decides to deploy SASE by going directly through SASE vendors, they’ll have to configure and implement the service themselves, says Gartner’s Forest. “The benefits of a managed service provider are a single source for all setup and management, the ability to redeploy internal resources for other tasks, and the ability to access skills and capabilities that don’t exist internally,” he says. Getting in-house IT staff with the right expertise to handle SASE can be a real challenge, particularly in today’s hiring climate: 76% of IT employers say they’re having difficulty finding the hard and soft skills they need, and one in five organizations globally is having trouble finding skilled tech talent, according to a 2023 survey by ManpowerGroup. The access to outside experts is particularly appealing to companies that don’t have the resources to manage SASE themselves. Managed SASE providers have specialized expertise in deploying and managing SASE infrastructure, says Ilyoskhuja Ikromkhujaev, software engineer at software developer Nipendo. “Which can help ensure that your system is set up correctly and stays up to date with the latest security features and protocols,” he says.

AI has moved beyond automation. Looking at large language models, which some industry experts see as representing the tipping point that ultimately leads to wide-scale AI adoption, Heinemeyer believes that an AI capable of writing code offers attackers the opportunity to develop much more bespoke and tailored, sophisticated attacks. Imagine, he says, highly personalised phishing messages that have error-free grammar and no spelling mistakes. For its customers, he says Darktrace uses machine learning to learn what normal looks like in business email data: “We learn exactly how you communicate, what syntax you use in your emails, what attachments you receive, who you talk to, and when this is internal or external.We can detect if somebody sends an email that is unusual for you.” A large language model like ChatGPT reads everything that is on the public internet. The implication is that it will be reading people’s social media profiles, seeing who they interact with, their friends, what they like and do not like. Such AI systems have the ability to truly understand someone, based on the publicly available information that can be gleaned across the web. 

The “blame the user” mentality is a cognitive bias that ignores the complexities of human-computer interaction. Research in cognitive psychology and human factors engineering has shown that humans are not designed to be perfect digital operators. Mistakes are a natural part of our interaction with systems, especially those that are complex and non-intuitive. Moreover, our susceptibility to scams and manipulation is not just a personal failing, but a product of millennia of evolution. For instance, social engineering attacks exploit our natural tendency to trust and cooperate, which have been crucial to human survival and societal development. To put the onus on the individual is to ignore the broader context. Shifting the blame is an easy way out. It absolves organizations of the responsibility to address systemic issues and allows them to maintain the status quo. This is underpinned by the “just-world hypothesis,” a cognitive bias which propounds that people get what they deserve. When an employee falls for a scam, it's easy to assume that they were careless or ill-prepared.

Security experts have called for improvements in how private sector organizations share threat intelligence data with the wider industry. It’s believed that better cross-organizational collaboration would improve cyber resiliency in the face of cyber attacks that continue to rise in frequency and develop ever more sophisticated. “I think this is one of the ways in which the private sector can work with governments around the world, and each other across sectors, industries, and regions,” said Jen Ellis, co-chair at the Institute for Science and Technology’s Ransomware Task Force. Government agencies such as the UK’s Information Commissioner’s Office (ICO) or the US’ Cybersecurity and Infrastructure Security Agency (CISA) enforce strict reporting deadlines around data breaches, but companies often report the minimum required information. The designated cyber security authorities in the UK and US enforce strict reporting deadlines around data breaches and this is seen as a positive step. However, victims often report the minimum required information which in turn reduces other organizations’ ability to learn from, and potentially prevent, follow-on attacks.

Often in large organizations, there are users in your network who have the equivalent of Domain administrative rights and are not even aware of this. Your firm may have even inherited the setup of the domain with original accounts and permissions set for a Novell network that was migrated from years before. Often the difference between a firm with better security and one with poor security is having a staff that takes the additional time to test and confirm that there will be no side effects in the network if changes are made. Take the example of unconstrained delegation; this is a setting that many web applications need to function, including those that are internal only to the organization. But this setting can expose the domain to excessive risk. Delegation allows a computer or server to save the Kerberos authentication tickets. Then these saved tickets are used to act on the user’s behalf. Attackers love to grab these tickets, as they can then interact with the server and impersonate the identity and in particular the privileges of those users.

You might think 128-bit isn't viable because it's difficult or even impossible to do, but that's actually not the case. Lots of parts in processors, CPUs and otherwise, are 128-bit or larger, like memory buses on GPUs and SIMDs on CPUs that enable AVX instructions. We're specifically talking about being able to handle 128-bit integers, and even though 128-Bit Cpu prototypes have been created in research labs, no company has actually launched a 128-bit CPU. The answer might be anticlimactic: a 128-bit CPU just isn't very useful. A 64-bit CPU can handle over 18 quintillion unique numbers, from 0 to 18,446,744,073,709,551,615. By contrast, a 128-bit CPU would be able to handle over 340 undecillion numbers, and I guarantee you that you have never even seen "undecillion" in your entire life. Finding a use for calculating numbers with that many zeroes is pretty challenging ... Ultimately, the key reason why we don't have 128-bit CPUs is that there's no demand for a 128-bit hardware-software ecosystem. The industry could certainly make it if it wanted to, but it simply doesn't.

According to Nutanix’s fifth global Enterprise cloud index survey, data sovereignty was the top driver of infrastructure decisions in Australia, with 15% of local respondents citing that as the most important criteria when considering infrastructure investments. Data sovereignty was also one of the top three considerations for over a third (37%) of enterprises in Australia. “Control and security are the biggest factors Australian organisations are weighing up when transforming their IT infrastructure,” said Jim Steed, managing director of Nutanix Australia and New Zealand. “While public cloud was seen as a panacea for many years, it’s becoming increasingly clear that cloud is a tool – not a destination. Some workloads and applications are perfectly suited to a public cloud, but Australian organisations are moving their most sensitive and business-critical workloads back home to their on-premises infrastructure.” According to the study, over half of Australian organisations are planning to repatriate some applications from the public cloud to on-premise datacentres in the next 12 months due to data sovereignty concerns.