Sunday, January 28, 2024

4 Golden Ways To Fight The Misinformation Generated By AI
In the past years of my blogging, I have thrown a lot of techno jargon out there, but there is one term that I have not mentioned: it is called “Misinformation”.  You don’t hear too much about this in the world of Cybersecurity, but you do in other worlds, especially the political one.  This term actually started gaining heavy usage back in the 2016 Presidential Election, when Deepfakes were starting to be used.

And ever since the arrival of ChatGPT, this term has become even more widely used.  If you think about it, it is really hard to tell what is real news/information and what is not.  A lot of this has also been fueled by the growth of AI in other areas, such as Generative AI and the Digital Person.  In fact, according to a recent survey by Forbes, 76% of the respondents do not trust any information that comes from AI.  More information about this can be found at the link below:

https://www.forbes.com/advisor/business/artificial-intelligence-consumer-sentiment/

Because of this, it has become hard to trust information in the other areas of our daily lives as well.  So what can be done to help curtail this?  Here are some tips:

1) Education:

This year is going to get even uglier with regards to misinformation as the voting season starts.  You can form a group with a bunch of trusted friends to cross-check all information that you may end up talking about.  This is particularly important for our senior citizens.  They need to be taught what misinformation is all about, and how to confirm the sources of the information that they receive.  Obviously the elderly are not as well tuned in to the advancements in technology that are taking place today, so they need to have an extra level of reassurance.  Again, having a group here would also be greatly beneficial.

2) Create a forum:

If you are tech savvy enough or have enough money to hire a website developer, you can create a sort of private forum with your friends and family in which to share news that is genuine and authentic.  Heck, you can even get a great discussion going on the hot topics of the day.  But make sure to keep this kind of forum private, and if possible, try to password protect it.  Also, you will probably need to designate a group moderator in order to vet and admit any new members.

3) Listen to your local news:

Probably one of the best sources for some of the most reliable news and information is your local news channel.  After all, their sources have to go through a vetting process of sorts, and best of all, you have real people delivering it to you (and not a Deepfake).  If you don’t have cable, you can always find your favorite news show on YouTube.

 

4) Support other agencies:

Given just how bad misinformation is these days, there are a number of organizations that have popped up to help prevent this from even happening in the first place.  Instead of creating your own group, you can always volunteer your time at one of these places, or even donate financially to them in order to support their cause.

My Thoughts On This:

As I mentioned earlier in this blog, with the Presidential Election coming up in November, Misinformation will be at its highest level ever.  But the worst part is from the Cyber standpoint.  Many people will be directed to phony websites convincing them to make a donation, which will in the end just end up in an offshore account.  When the time comes closer, I will post some blogs on how you can avoid this from happening to you.

But for right now, my best advice is to stay off of social media as much as you can.  Keep in mind that with all of the tech layoffs that have happened in the last year, Facebook, X, LinkedIn, etc. have drastically cut back on their staff whose primary job was to fight off Misinformation on their respective platforms.

Saturday, January 27, 2024

How To Combat Cyberbullying From 4 Key Areas

There is an area of Cybersecurity that often evades the headlines.  This is Cyberbullying.  Sure, while growing up as kids we had our fights on the playground, and even bullied each other in the physical sense.  But once again, given how interconnected everything has become, bullying has now taken on an electronic form, especially where the social media platforms are concerned.

It’s becoming a huge problem today, and is expected to only get further exacerbated by the growth in AI, especially that of the Generative kind.  We are all at risk of becoming a victim of Cyberbullying, no matter what age we are or where we live.  Just like fending off a security breach, the key is learning how to mitigate the risk of becoming an actual victim of Cyberbullying.

The worst is when our nation’s most precious asset, our children, become the victims, and they feel helpless to do anything about it.  In fact, Cyberbullying is a huge topic that I have undertaken on my own, and have published numerous blogs and newsletters on it, especially when it comes to the standpoint of our kids.

There is a lot on this topic, but for the purpose of this blog, there are four areas of focus which need to be addressed in order to protect our kids.  Here they are:

1) The School:

This is where kids spend most of their time during the school year.  The first line of defense here is of course the teachers.  They must encourage the kids in their classrooms to come to them directly if they think they are being Cyberbullied.  There must be an open line of communication here, and the parents must be involved in every step of the way as well.  Even the school staff must be supportive of these efforts, going all the way from the administrative assistant to the principal, and heck, even the school superintendent.

2) The Federal Government:

I have to be honest here: the Biden Administration probably has done the most in recent history to initiate new directives when it comes to Cybersecurity and making sure that AI is being used properly, more so than any other Administration that I remember.  One such effort can be seen at the link below:

https://www.whitehouse.gov/briefing-room/statements-releases/2023/08/07/biden-harris-administration-launches-new-efforts-to-strengthen-americas-k-12-schools-cybersecurity/

But unfortunately, much more needs to be done to combat Cyberbullying at the national level.  If you leave it to the states, then everybody will be marching to their own beat.  What is needed is a set of best practices and standards for all of the 50 states, which will eventually trickle down to the school level.  But keep in mind one thing:  there is also an explosion in the number of threats that are taking place against our elected leaders, given the political climate that we are in today.  I was reading more about this today, and it is called “Swatting”.

3) Corporate America:

Just about every company out there today is trying to produce some new AI based gimmick.  This is all fine and dandy, but why can’t we divert these efforts into more meaningful and useful efforts like discovering new ways in which AI can be used to help prevent Cyberbullying?  There is a lot of potential in this area, and in fact, it will be the focal point of my next newsletter.

4) The Parents:

Ultimately, the buck stops with you, the parent.  You have to take ultimate responsibility for the safety of your kid, but bear in mind that you are not alone in this.  The school your kid attends will be one of your strongest allies.  But you need to keep close tabs on what your kid is doing on their wireless device, and lay down strict rules.  Be loving, but be firm at the same time.  My best advice here:  Don’t even let your kid have a wireless device until they are in college.

My Thoughts On This:

As a parent, you also need to be concerned about another grave issue:  Making sure that your child’s PII datasets are safe, and that the appropriate controls are put into place to make sure that data exfiltration does not happen.  But this will be a topic for a future blog.

Sunday, January 21, 2024

6 AI Privacy Actions You Can Implement Today

As the world delves deeper into AI, we are seeing the good sides of it.  But unfortunately, we are also starting to see the bad sides of it as well.  For example, it can be used by a Cyberattacker to create malicious code, create Deepfakes, or even launch a Ransomware attack.  But apart from this, there is also a growing area of concern amongst the American public:  Protecting our privacy, and the use of our data that is fed into an AI model for its training purposes.

While the Federal Government is starting to take some action in this regard, AI is moving far too fast for any of the legislation to catch up with it.  Therefore, it is up to the private sector to help instill some sense of confidence in Americans that our private information and data is being protected, and that the right controls are being implemented to help mitigate any chances of it being leaked.

So you may be asking what can be done?  Here are some areas that can be tackled by Corporate America:

1) Use it on a case-by-case basis:

Rather than creating an ad hoc AI model of sorts, companies should take the extra step to ensure that if a customer or a prospect wants to use their model, it is customizable to how he or she wants to use it.  That way, they will feel they have more control over what they input.

2) Take it to the Edge:

Edge Computing happens when all of the data processing happens closer to the physical location of the end user’s device.  AI models should be deployed in the same way.  In other words, rather than processing all of the information and data in a central Cloud location, do it on a virtual server that is closer to the origin points of where more of your customers and prospects are.

3) Allow for tracking to happen:

Even to this day, AI models are viewed as a “black box” phenomenon.  This simply means that it is thought of as “garbage in and garbage out”, with no visibility as to what is happening on the inside of it.  Of course the AI vendors don’t want to give this out, because this would give away their bread and butter, namely the algorithms.  But you don’t necessarily have to give this away; you need to be transparent enough with your end users to show them what in the AI model has used their information and data.  In other words, provide a tracking history, or an activity page, showing what has been done with those datasets.  Honestly, most of the American public will not want to know all of the technical details of the model, just how their data is being used and why.

4) Keep everybody informed:

Just like websites today make it a point to have you formally accept their cookies, and before you submit any information/data on a contact form, you agree to have your data stored in accordance with the data privacy laws.  This should also be the same for AI models.  If you are a company that makes use of AI models in the delivery of products and services, you need to notify your prospects and customers that they will be at least partially acquiring your goods through the AI, and that information/data about that may be collected in order to ensure prompt delivery.

5) Don’t give in too easily:

This is for the prospect or customer:  Never, ever give your financial information to a chatbot, an email, or even a text message.  If you have to submit something, make sure that you are talking with a real human being, and that the company has a strong reputation.

6) Always use situational awareness:

As a company, you will always want to blend AI into your website, in order to make it look sharper and draw prospects in.  But if you really want to be fair about this as a business owner, you should let it be known that AI is being used to drive your website.  At first, you may see a drop in the total number of prospects downloading or visiting stuff, but think of the long term.  You will be viewed as a business that is forthcoming and honest, and in the end, this is what your customers and future ones will value the most.

My Thoughts On This:

The above are just some of the steps that you, as a business owner, can take.  But keep in mind that if you are planning to use AI in a big way of various sorts, then it is your responsibility to keep up with how you can best protect that data.  Don’t just simply wait for a set of guidelines or a framework to come out from the Federal Government.  At best, they will be initially tentative and broad.

Remember that in the end, you are the steward of the data that you store, process, and archive.  And just as the data privacy laws give customers the option to have their data removed from any system, you need to offer the same when it comes to your AI models.

Saturday, January 20, 2024

The Four Critical Flaws Of The Australian "Essential Eight Maturity Model" & How They Can Be Fixed

When we think of Cybersecurity, we often think of the United States and nation-state threat actors, such as those of China, Russia, North Korea, etc.  We often don’t think about the other players, such as those in the European Union (EU), the African continent, or even the Pacific Rim nations.  It is the latter that this blog is about.

Starting in 2020, Australia made some serious headway into improving its overall lines of defenses, by investing well over $1 Billion into its Cybersecurity posture.  This was officially called the “Cybersecurity Strategy 2020”.   But despite this huge effort, more security breaches have occurred in the Land Down Under than had been anticipated.

For example, in its Cyber Threat Report 2022-2023, there were 58 incidents that were classified as an “Extensive Compromise”, and also there were well over 190 other incidents that were also classified as “Isolated Compromises”.  This report can be seen at the link below:

https://www.darkreading.com/cybersecurity-operations/missing-cybersecurity-mark-with-essential-eight

In response to these alarming stats, the Australian Government updated one of its newer frameworks, which is called the “Essential Eight Maturity Model”.  More information about this can also be seen at the link below:

https://www.infosecassure.com.au/post/essential-eight-changes-july-2021

While it has been claimed that this framework provides excellent guidance in such areas as patching, backups, and application control, it is severely lacking in other areas, especially those of SaaS based applications and Identity and Access Management.  Another sharp criticism of it has been in the area of the Cloud.  It does not specifically address how to best handle security issues in this regard, but rather, it only focuses on those risks that are posed to an On Prem Infrastructure.

In fact, there is only one area of this entire framework that really addresses how to better protect online accounts.  So what can be done to improve this very important framework?  Here are some key areas that need to be addressed:

1) Configuration Management:

When one thinks of this, the image of changes in builds to software applications often comes to mind.  But Configuration Management goes far beyond this.  It should address everything that happens within the infrastructure of a business, all the way from the servers to physical access entry scenarios.  Anything and everything related to the IT and Network Infrastructure, and any changes to it that are going to happen, has to be addressed here, at this level.

2) Identity and Access Management:

This was just examined earlier in this blog.  With a lot of businesses now going to the Cloud, establishing the appropriate levels of permissions for the appropriate job titles is now a must.  But it has to go beyond this.  The framework also has to take into account what is known as “Role Based Access Control”, or “RBAC” for short.  This is where the rights, permissions, and privileges are assigned based upon the roles that users perform in their particular job.

3) Third Party Applications:

Given the explosion of the IoT and everything digital, third-party mobile apps, and apps in general, are becoming extremely popular.  While it is important to give your employees access to what they need to make them productive, you also have to make sure that your business does not succumb to the risks of what is called “Shadow IT”.  This is where your employees download unauthorized apps onto their work devices for the sake of ease of use, familiarity, and comfort.

4) The Right Controls:

Pretty much all employees, whether hybrid, On Prem, or remote, now access shared resources in the Cloud.  Therefore, the right controls need to be put into place to make sure that these critical assets are protected the best that they can be.  Also, regular audits need to be conducted on these controls in order to make sure that they are still optimal.  If not, they will have to be replaced and/or upgraded.

My Thoughts On This:

Even here in the United States, we have many government and even private sector-based entities that have come out with these kinds of frameworks.  The most notable ones are from NIST and CISA.  But in order to keep these frameworks updated to the best degree possible, it will literally “Take A Village” to make it all happen.  In other words, feedback and input have to be provided at all levels, and the upgraded frameworks have to be tested on a regular basis.

Sunday, January 14, 2024

The Top 2 Grave Weaknesses Of AI & How To Fix Them

AI and ML are now fast becoming the big buzzwords in just about every industry, and not just Cybersecurity.  Where they are really making a splash is in those industries where automation is needed the most.  A typical example of this is the automotive industry.  Here you can see robotic arms now being used for things like tightening bolts in car parts and even painting them.  This is an area of AI that is known as “Robotic Process Automation”, or “RPA” for short.

But with all of the advantages that they both bring to the table, there is also a downside.  Probably the biggest one is that AI and ML could be used for the opposite purpose, namely for nefarious intents.  Obviously a Cyberattacker is not going to brute force into an AI system, but just like with any other digital asset, they are going to enter through the vulnerabilities, and exploit things further that way.

You may be asking at this point, what are they?  Well, here is a sampling for you:

1) The use of open-source tools:

As I have mentioned before, software developers love to use APIs for their source code development.  While this does significantly cut down on the cost and time it takes to deliver a project to a client, there is one huge drawback.  That is, open-source tools are rarely checked for any weaknesses, and they are hardly ever upgraded by the hosting repositories.  But, software developers often think that the APIs are safe to use, and thus, never double check them on their own.

2) The fuel:

Just as a car needs fuel to go, the AI and ML models need data in the same way.  They need data not only to initially learn, but also to keep them optimized and updated as they move forward in terms of usage.  But herein lies yet another problem:  These datasets are also stored by the AI and ML models to some degree or another, and because of that, they have also become a prime target of attacks by the Cyberattacker.  Datasets are always a prized token to have, no matter where they initially reside.

While the above is not an all-inclusive list, these are definitely some of the most important ones that you need to pay attention to.  What are some proactive steps that you can take?  Here are a few:

1) It’s not just the AI/ML models:

Remember, these models are also interdependent upon other functionalities as well; it is not just the datasets that are fed into them.  So in this regard, you probably should scan for vulnerabilities in these as well.  A good way to get started with this is a comprehensive Vulnerability Scan or Penetration Test.

2) Have strong IAM policies:

This is an acronym that stands for “Identity and Access Management”.  That being said, you need to make sure that you assign only the appropriate amounts of rights, privileges, and permissions to the people that are authorized to fully access the AI and ML models.  There is yet another area that you need to also be concerned about, and it is called “Role Based Access Control”, also called “RBAC” for short.  A part of assigning the right permissions is to give them based upon the roles that the authorized users have.  Obviously, an IT Security team member will have more rights than, say, an administrative assistant.

3) Stronger protection:

This is especially true of the datasets that you are feeding into the AI and ML models.  Make sure that you have the right controls in place, and that you audit them on a regular basis.  This is a must, because you will now come under greater scrutiny under the data privacy laws, such as the GDPR and the CCPA.

4) Fortify your team:

In the past, I have written about DevOps and DevSecOps.  They were created to help the software development team scan for the gaps and weaknesses that are found in the source code that they compile.  Likewise, there is a new concept now called “MLSecOps”.  This is where the IT Security team works in close tandem with the team that is developing the AI and ML models, and works under the same principle as the former two teams.

My Thoughts On This:

The time to be proactive about AI and ML security is now!!!  These are areas that are advancing quite rapidly, and you and your teams have to work to be even faster just to keep up.

Friday, January 12, 2024

A Fundamental Change In Mindset Is Needed To Protect Our Critical Infrastructure

As we now enter mid-January, one could say we are now deep rooted in the New Year.  This of course is going to be one interesting and crazy year, especially with the Presidential Elections that will be coming up in November.  But one thing that won’t rest is the Cyber threat landscape.  One particular area of trouble is that of the Critical Infrastructure of the United States.

This includes our water supply, food distribution system, the national power grid, nuclear facilities, etc.  One of the main reasons why they have become such a huge target is that the technology they use is totally outdated.  For example, they use hardware and software that was developed back in the 1970s.  But back then, nobody gave Cybersecurity a thought; the main fear was about Physical Access Entry.

One might ask why we don’t simply rip out the old systems and put new ones in.  Well, while this is theoretically possible, technically it is infeasible.  This is for two reasons:  1) There is too much interconnectivity now taking place between the hardware and software (brought on pretty much by the IoT); and 2) Many of the suppliers that built the stuff way back then are no longer in business.  It would take literally forever to get new parts made again.

But another area that can be changed is our mindset.  Just like with the digital threat variants, we have an image of what is perceived to be dangerous.  While they are, there are other ways to rethink this approach, especially when it comes to safeguarding our Critical Infrastructure.

Here is what can change:

1) The Nation State Actors are not the only ones:

When we hear this term, we think about Russia, China, and North Korea.  And don’t forget Iran.  While these countries pose a grave threat in terms of Cybersecurity to the United States, don’t discount home grown terrorism either.  We never thought that this could happen, until Oklahoma City happened.  But as mentioned before, given the current climate in this country, this is now a huge threat, which should not be overlooked.

2) Don’t just look at the devices:

When we think about the lines of defenses, we also often conjure up the image of devices of all kinds, both physical and virtual.  But don’t get blindsided into this way of thinking only.  Think also about the access to these devices.  For example, what if your employee loses their smartphone, and it falls into the wrong hands?  Are the right access controls in place to make sure that no data can be exfiltrated from it?  This is where the area of Identity and Access Management (IAM) will play a crucial role.

3) Break it down to the basics:

Protecting Critical Infrastructure can be a complex proposition, and that’s why people are too slow to implement any kind of safeguards.  So in this regard, bring it down to the basics.  Simply start off with good Cyber Hygiene.  Make sure you have Security Awareness Training programs, and make sure that your employees practice what you preach to them.  Also launch mock drills, such as mock Phishing attacks, to see if they are really applying what you have trained them on.  Also, make sure that you have good Incident Response (IR), Disaster Recovery (DR), and Business Continuity (BC) plans in place.  Make sure you practice them as well, and update your relevant documents with the lessons that have been learned.

My Thoughts On This:

Our Critical Infrastructure will always be at risk, just like anything else in life.  But the key here is in learning how to mitigate that risk from actually being exploited.  Perhaps changing our mindset in a different direction will add more power to it.

Sunday, January 7, 2024

The New Defense In Adversarial ML: The Homomorphic Encryption Algorithm

About one year ago, I first started hearing about ChatGPT.  I thought to myself, “OK, this is something new, it probably won’t last for too long”.  But today, the fever around this platform, and anything around Large Language Models (LLMs) and the GPT-4 algorithms, will be the craze of this year.  While things like ChatGPT can bring many advantages to the table, the biggest fear now is that the bad guys will also equally use it.

This can happen on many fronts; just consider the following:

• The Cyberattacker of today does not really invent new threat variants.  Rather, they take the framework of what has worked before and tweak it ever so slightly so that it can evade detection, yet still cause maximum damage.  This is the case with Phishing.  Ransomware did not exist before this; it only came about after the crux of Phishing was tweaked so that it could lock up the files on a device.  Taken to the extreme, Ransomware has now become so severe that it is even being used to launch extortion-like attacks.  So, all the Cyberattacker has to do now is merely enter the anatomy of a previous malicious payload and have something like ChatGPT come up with some new source code for it.

• Creating more nefarious code.  Speaking of this, SQL Injection Attacks have always been a tried and true method of breaking into any kind of SQL-like database, even the ones that are most widely used today, such as MySQL.  Normally, it would take some time to modify the baseline code for it, but not anymore.  Simply input it into an AI platform that is driven by the GPT-4 algorithms, and ask it to create something somewhat “different”.  Apparently, you simply can’t ask the AI model to create something malicious directly, but you can get pretty creative about it by using some clever “Prompt Engineering”.

• Generative AI is now the new wave of the so-called traditional AI.  What is different this time is that it can produce outputs in a wide range of formats, all the way from images to videos to even voice generated calls.  There are fears about this on three fronts:  1) Deepfakes:  This is when a fictitious video of a real-life person is created.  It is popular during election times, and this year could be the worst for it, given the current political climate and how advanced Gen AI has become.  2) Robocalls:  These have always been a pain, but will only get worse, as now it only takes a matter of mere minutes to create an audio file and disperse it to hundreds of victims on their smartphones.  3) Social Engineering:  A Cyberattacker can now scope out the Social Media profiles of their victims, and feed that into ChatGPT.  From there, it can analyze it, and point out weak spots that the Cyberattacker can prey on in a very slow, but quite dangerous manner.

Because of all of these fears, the Cyber industry (and even others) are now starting to wake up and think about what proactive steps can be taken so that the Cyber threat landscape does not become the proverbial “New Wild West”.  In this aspect, some of the vendor neutral groups such as OWASP and MITRE have upgraded their vulnerability databases to include risks posed by the Generative AI models.

Heck, even the NIST has come out with its own framework for Generative AI best practices.  The entire document can be downloaded at this link:

http://cyberresources.solutions/blogs/NIST_AI.pdf

Also, a new force has emerged, which has been appropriately dubbed “MLSecOps”.  This is actually a new kind of organization, sort of like OWASP.  They have started to formulate a set of guiding principles that your business should consider implementing.  But before that, you need to have your own MLSecOps team first.  This will of course be a combination of your IT Security team, Operations team, and your AI team (if you have one).

This is very similar to the concepts that drive the DevSecOps and the DevOps models that are also starting to be used widely as well.  But rather than being an open-ended thing, MLSecOps focuses upon the following:

• Supply Chain Vulnerability.
• Model creation with respect to the Data Privacy Laws.
• Governance, Risk, and Compliance (GRC).
• Trusted AI:  Making AI fair, objective, and trustworthy.
• Adversarial AI:  Exploring new ways in which AI/ML can be used for nefarious purposes.

My Thoughts On This:

There has also been movement in the Cyber industry to encrypt what goes into and what comes out of an AI or ML model.  In this regard, new developments have been made in what is known as “Fully Homomorphic Encryption”, also known as “FHE” for short.  While this does hold some great promise, the encrypted output causes some great concern right now:  it can be 20x larger than the plaintext it is supposed to scramble.
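As an added illustration (not code from the original post), the Python example below uses the Paillier scheme, which is additively homomorphic rather than fully homomorphic, to show the idea behind the paragraph above: a model host scores a linear model over encrypted inputs without ever decrypting them, and the ciphertext-to-plaintext size ratio is measured directly. The primes, feature values and weights are constructed toy values, and the key size is far too small for real use.

```python
# Added example: Paillier (additively homomorphic) encryption as a stand-in for
# FHE, showing inference over encrypted inputs and ciphertext expansion.
# Toy-sized primes, constructed for illustration only; not secure.
import secrets
from math import gcd


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


class PaillierKey:
    """Paillier keypair built from two primes p and q (demo sizes here)."""

    def __init__(self, p: int, q: int):
        self.n = p * q
        self.n2 = self.n * self.n
        self.g = self.n + 1                  # standard simple generator
        self.lam = lcm(p - 1, q - 1)         # private: lambda(n)
        self.mu = pow(self._L(pow(self.g, self.lam, self.n2)), -1, self.n)

    def _L(self, u: int) -> int:
        return (u - 1) // self.n

    def encrypt(self, m: int) -> int:
        """Enc(m) = g^m * r^n mod n^2 with random r coprime to n."""
        if not 0 <= m < self.n:
            raise ValueError("plaintext out of range")
        while True:
            r = secrets.randbelow(self.n)
            if r > 0 and gcd(r, self.n) == 1:
                break
        return (pow(self.g, m, self.n2) * pow(r, self.n, self.n2)) % self.n2

    def decrypt(self, c: int) -> int:
        return (self._L(pow(c, self.lam, self.n2)) * self.mu) % self.n

    def add(self, c1: int, c2: int) -> int:
        """Enc(a) * Enc(b) = Enc(a + b): addition without decrypting."""
        return (c1 * c2) % self.n2

    def mul_const(self, c: int, k: int) -> int:
        """Enc(a)^k = Enc(k * a); a negative k uses the modular inverse."""
        return pow(c, k, self.n2)

    def decode_signed(self, m: int) -> int:
        """Map a decrypted residue back to a signed integer."""
        return m - self.n if m > self.n // 2 else m


def encrypted_linear_score(key: PaillierKey, enc_features, weights, bias: int) -> int:
    """Compute Enc(sum(w_i * x_i) + bias) from encrypted x_i and plaintext weights.

    This is what a model host could do without ever seeing the raw features.
    """
    acc = key.encrypt(bias % key.n)
    for c, w in zip(enc_features, weights):
        acc = key.add(acc, key.mul_const(c, w))
    return acc


def expansion_ratio(key: PaillierKey, m: int) -> float:
    """Ciphertext bits divided by plaintext bits for one value.

    A Paillier ciphertext is about 2*|n| bits regardless of how small m is,
    so the ratio grows with the key size (a real key would use ~1024-bit primes).
    """
    return key.encrypt(m).bit_length() / max(1, m.bit_length())


# Constructed demo key: two ~20-bit primes (hypothetical, insecure size).
DEMO_KEY = PaillierKey(1000003, 1000033)


def demo() -> tuple:
    features = [12, 7, 3]      # constructed client-side inputs (kept private)
    weights = [5, -2, 9]       # model weights known to the host
    bias = 4
    enc = [DEMO_KEY.encrypt(x) for x in features]
    c = encrypted_linear_score(DEMO_KEY, enc, weights, bias)
    # 5*12 - 2*7 + 9*3 + 4 = 77, recovered only by the key holder
    score = DEMO_KEY.decode_signed(DEMO_KEY.decrypt(c))
    return score, expansion_ratio(DEMO_KEY, features[0])


if __name__ == "__main__":
    s, ratio = demo()
    print(f"encrypted score decrypts to {s}; ciphertext is ~{ratio:.0f}x the plaintext size")
```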

I foresee another rat race on the horizon, but unfortunately, I think the Cyberattacker will be well ahead of the AI and ML curve.  But at least we have started with some positive steps in the right direction.

Saturday, January 6, 2024

5 Golden Tips To Protect Against Corporate Espionage

As we now start off into 2024, Cybersecurity is still at the front and center of just about everything today.  But now there is a new fear that is coming out:  The threat of Corporate Espionage.  You may be wondering, what is it?  Well, here is a technical definition of it:

“Corporate espionage is the act of stealing proprietary information, trade secrets, or intellectual property from a business and giving or selling it to another.”

(SOURCE:  https://www.investopedia.com/financial-edge/0310/corporate-espionage-fact-and-fiction.aspx)

Simply put:  It is not just your digital and physical assets that are at grave risk, now your Intellectual Property (IP) is also.  What can you do to help prevent this from happening?  Here are some tips:

1) Always make use of Non-Disclosure Agreements:

These are also commonly referred to as “NDAs”.  The idea with this is that you make any relevant party that you are having discussions with sign this document.  It simply means that any trade secrets, or other proprietary information that is discussed, cannot be spoken of outside of the venue of the conversation.  If the party that has issued the NDA finds out that you have revealed some trade secrets, then by the letter of the NDA, they can technically sue you.  But in reality, these are really tough to enforce.  Why?  Because it will be your word against the other party you have accused of releasing this information.  I have signed a ton of these for my own business, and in the end, they don’t mean a whole lot.  But hey, some protection is better than nothing at all.

2)     Know what your IP is:

You would think that a business owner would know what their IP is, where it lives, and how it is used.  But unbelievably, many of them do not.  It’s like asking a CISO whether they know what is contained in their databases:  more than likely, the answer will be “No, I do not know”.  That answer carries two distinct pitfalls with it:

- If you don’t know where your IP is (which source repositories, file shares, cloud buckets, and laptops it sits on, and who has access to it), how can you protect it?

- If you go to court to file a lawsuit against a third party for an IP breach, and the judge asks you, “What exactly is it, and where is it?”, and you can’t answer, you will, for lack of a better term, be laughed out of court.  Courts generally expect you to identify a trade secret with reasonable particularity and to show that you took reasonable measures to keep it secret.

3)     Do your Due Diligence:

Before you engage in a conversation with a third party, make sure you carefully vet them first.  In fact, if you already have a procedure for vetting a potential supplier, follow the same procedure here as well.  If any red flags appear during this process, then you need to decide very carefully how you are going to move forward, if at all.  If you do proceed, explain the gravity of what will be discussed, and the repercussions if anything is leaked, whether intentionally or not.  But also keep in mind that Corporate Espionage can originate from your own employees as well (the insider threat).  For more information on this, click on the link below:

https://www.darkreading.com/cyber-risk/former-nsa-employee-faces-life-in-prison-after-espionage-attempt

4)     Have Security Awareness Training:

This is a theme that has been beaten to death who knows how many times during and even after the COVID-19 Pandemic.  But at the risk of sounding like a broken record, it is imperative that you train both your regular employees and your independent contractors in how to practice strong Cyber Hygiene.  Also train them in what Corporate Espionage is all about, and what its telltale signs are, such as unsolicited requests for design documents or customer lists, or a partner pushing for far more access than the deal requires.  Perhaps even launch mock exercises against them to see how they react, in a manner very similar to how you would launch a simulated Phishing attack.  More information about this can be found at the link below:

https://www.darkreading.com/cybersecurity-operations/from-snooze-to-enthuse-security-awareness-training-that-sticks

5)     Encourage Communications:

As much time and money as you invest in training your employees and contractors, you also need to invest the same in establishing ways in which people can reach out to you if anything suspicious is happening.  Of course, this should all be possible on an anonymous basis, so that nobody is deterred from reporting a colleague or a partner.  Your reporting channels should be open and available on a 24 X 7 X 365 basis.

My Thoughts On This:

Protecting your IP is now more important than ever.  Given the digital age that we live in today, anything can happen, especially with AI and ML now taking a firm foothold in our society.  In fact, it might even be wise to consider hiring a virtual or fractional C-Suite executive, such as a vCISO, to help you do all of this.  Or, you can also consult with your business attorney.

But the bottom line is to make sure that you employ multiple layers of defense, and not just rely upon one means.

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.  I have written many blog...