Technology Risk Assessment

Microsoft's AI Red Team has released a groundbreaking paper titled "Lessons From Red Teaming 100 Generative AI Products" (https://lnkd.in/dGxsydwF) 🌎 Drawing from their extensive experience, they've distilled eight pivotal lessons for enhancing the safety and security of Gen AI systems:- 1. Understand what the system can do and where it is applied. 2. You don’t have to compute gradients to break an AI system. 3. AI red teaming is not safety benchmarking. 4. Automation can help cover more of the risk landscape. 5. The human element of AI red teaming is crucial. 6. Responsible AI harms are pervasive but difficult to measure. 7. LLMs amplify existing security risks and introduce new ones. 8. The work of securing AI systems will never be complete. 📌 Distinguish between Red teaming and safety Benchmarking - Red teaming involves simulating real-world attacks to uncover vulnerabilities, whereas safety benchmarking assesses performance against predefined standards. 🤖 Leverage automation - Utilizing tools like PyRIT can help cover a broader risk landscape more efficiently. 👭 Human judgment is irreplaceable - While automation aids the process, human expertise is essential for nuanced assessments and decision-making. 💭 Responsible AI harms are complex - Identifying and measuring harms require careful consideration, as they can be pervasive yet subtle. 👉 LLMs introduce new security challenges - Large Language Models can amplify existing risks and present novel ones, necessitating continuous vigilance. 👉 Security is an Ongoing Process - Ensuring the safety of AI systems is a continuous effort, demanding regular updates and assessments. 📜 This paper is a must-read for AI practitioners aiming to fortify their systems against emerging threats. #AI #GenerativeAI #AIResearch #RedTeaming #AIEthics #AITrust #MachineLearning #AIInnovation #AIRegulation #TechSafety #ResponsibleAI #CyberSecurity #AIProductDevelopment #AITrends #SafetyInAI

Inside the Breach: What the 2025 Verizon DBIR Warns About Our Failing Cyber Defenses The 2025 Verizon Data Breach Investigations Report delivers one of the most comprehensive looks yet into the evolving threat landscape, and the findings should concern every organization handling sensitive data. With over 22,000 incidents analyzed and more than 12,000 confirmed breaches across 139 countries, this report isn’t just about numbers—it’s a snapshot of where cyber risk is headed and how fast it’s accelerating. From vulnerability exploits to supply chain breakdowns, the scope is global, and the risks are intensifying. One of the most alarming trends is the continued rise of ransomware, which now appears in nearly half of all breaches. Simultaneously, exploitation of vulnerabilities—particularly in edge devices and remote access tools—has surged, making up a significant portion of attack vectors. Add to this the doubling of third-party-related breaches, and it's clear that supply chain risk is no longer a future concern; it's a current crisis. Missteps in configuration and social engineering continue to haunt organizations, revealing that despite automation advances, human error still drives a majority of breaches. Perhaps most pressing is the emergence of generative AI as a double-edged sword. While it’s revolutionizing business, its unregulated use introduces massive data exposure risks. Cybercriminals are already testing GenAI in phishing and influence operations, while nation-state actors are moving from spying to full-on data theft. The message is clear: the threat landscape is growing in scale and sophistication. Organizations must act decisively—tighten access, secure credentials, enforce AI policies, and invest in real cyber resilience before the next breach strikes. #cybersecurity #VerizonDBIR2025 #trends #riskmanagement

Three weeks ago, our Devsinc security architect, walked into my office with a chilling demonstration. Using quantum simulation software, she showed how RSA-2048 encryption – the same standard protecting billions of transactions daily – could theoretically be cracked in just 24 hours by a sufficiently powerful quantum computer. What took her classical computer billions of years to attempt, quantum algorithms could solve before tomorrow's sunrise. That moment crystallized a truth I've been grappling with: we're not just approaching a technological evolution; we're racing toward a cryptographic apocalypse. The quantum computing market tells a story of inevitable disruption, surging from $1.44 billion in 2025 to an expected $16.22 billion by 2034 – a staggering 30.88% CAGR that signals more than market enthusiasm. Research shows a 17-34% probability that cryptographically relevant quantum computers will exist by 2034, climbing to 79% by 2044. But here's what keeps me awake at night: adversaries are already employing "harvest now, decrypt later" strategies, collecting our encrypted data today to unlock tomorrow. For my fellow CTOs and CIOs: the U.S. National Security Memorandum 10 mandates full migration to post-quantum cryptography by 2035, with some agencies required to transition by 2030. This isn't optional. Ninety-five percent of cybersecurity experts rate quantum's threat to current systems as "very high," yet only 25% of organizations are actively addressing this in their risk management strategies. To the brilliant minds entering our industry: this represents the greatest cybersecurity challenge and opportunity of our generation. While quantum computing promises revolutionary advances in drug discovery, optimization, and AI, it simultaneously threatens the cryptographic foundation of our digital world. The demand for quantum-safe solutions will create entirely new career paths and industries. What moves me most is the democratizing potential of this challenge. Whether you're building solutions in Silicon Valley or Lahore, the quantum threat affects us all equally – and so does the opportunity to solve it. Post-quantum cryptography isn't just about surviving disruption; it's about architecting the secure digital infrastructure that will power humanity's next chapter. The countdown has begun. The question isn't whether quantum will break our current security – it's whether we'll be ready when it does.

"The rapid evolution and swift adoption of generative AI have prompted governments to keep pace and prepare for future developments and impacts. Policy-makers are considering how generative artificial intelligence (AI) can be used in the public interest, balancing economic and social opportunities while mitigating risks. To achieve this purpose, this paper provides a comprehensive 360° governance framework: 1 Harness past: Use existing regulations and address gaps introduced by generative AI. The effectiveness of national strategies for promoting AI innovation and responsible practices depends on the timely assessment of the regulatory levers at hand to tackle the unique challenges and opportunities presented by the technology. Prior to developing new AI regulations or authorities, governments should: – Assess existing regulations for tensions and gaps caused by generative AI, coordinating across the policy objectives of multiple regulatory instruments – Clarify responsibility allocation through legal and regulatory precedents and supplement efforts where gaps are found – Evaluate existing regulatory authorities for capacity to tackle generative AI challenges and consider the trade-offs for centralizing authority within a dedicated agency 2 Build present: Cultivate whole-of-society generative AI governance and cross-sector knowledge sharing. Government policy-makers and regulators cannot independently ensure the resilient governance of generative AI – additional stakeholder groups from across industry, civil society and academia are also needed. Governments must use a broader set of governance tools, beyond regulations, to: – Address challenges unique to each stakeholder group in contributing to whole-of-society generative AI governance – Cultivate multistakeholder knowledge-sharing and encourage interdisciplinary thinking – Lead by example by adopting responsible AI practices 3 Plan future: Incorporate preparedness and agility into generative AI governance and cultivate international cooperation. Generative AI’s capabilities are evolving alongside other technologies. Governments need to develop national strategies that consider limited resources and global uncertainties, and that feature foresight mechanisms to adapt policies and regulations to technological advancements and emerging risks. This necessitates the following key actions: – Targeted investments for AI upskilling and recruitment in government – Horizon scanning of generative AI innovation and foreseeable risks associated with emerging capabilities, convergence with other technologies and interactions with humans – Foresight exercises to prepare for multiple possible futures – Impact assessment and agile regulations to prepare for the downstream effects of existing regulation and for future AI developments – International cooperation to align standards and risk taxonomies and facilitate the sharing of knowledge and infrastructure"

The diagram illustrates the relationship between the Open Systems Interconnection (OSI) model layers and corresponding cyberattacks, along with the security measures to mitigate them. The OSI model, a conceptual framework for network communication, is divided into seven layers: • Physical Layer: Deals with the physical medium of data transfer. • Possible Attacks: Physical tampering, eavesdropping, man-in-the-middle attacks, tapping network cables, and disrupting power supply. • Attack Controls: Access controls, CCTV surveillance, secure cabling, regular inspection and monitoring, and preventing unauthorized access to networking infrastructure. • Data Link Layer: Handles the transfer of data between two directly connected nodes. • Possible Attacks: MAC address spoofing, ARP spoofing, VLAN hopping, and Ethernet frame manipulation. • Attack Controls: Port security to limit MAC IDs per port, utilizing ARP spoofing detection, and enabling VLAN trunking protocols. • Network Layer: Manages the addressing and routing of data packets. • Possible Attacks: IP spoofing, ICMP attacks (e.g., ping flood, ping of death), and Denial-of-Service (DoS) attacks. • Attack Controls: Firewall filtering, using Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), and configuring routers to prevent IP address spoofing. • Transport Layer: Provides reliable data transfer between applications. • Possible Attacks: SYN flood attacks, TCP session hijacking, and UDP flooding. • Attack Controls: Monitoring and controlling firewall traffic, mitigating SYN flood attacks, and implementing secure data exchange. • Session Layer: Manages the connections and sessions between applications. • Possible Attacks: Session hijacking, token-based attacks, and session side jacking. • Attack Controls: Randomizing session IDs, enforcing secure logout mechanisms, and using secure tokens for user authentication. • Presentation Layer: Deals with data formatting and encryption. • Possible Attacks: DAT format manipulation, code injection, and serialization attacks. • Attack Controls: Validating and sanitizing user inputs, using secure data serialization libraries, and preventing code injection. • Application Layer: Provides the interface for applications to access network services. • Possible Attacks: SQL Injection, Cross-site Scripting (XSS), and Remote Code Execution (RCE). • Attack Controls: Regular patching, remediating known vulnerabilities, input validation, and using a Web Application Firewall (WAF). The diagram effectively presents a comprehensive overview of potential cyber threats at each layer of the OSI model and outlines corresponding security measures. It serves as a valuable resource for understanding network security and implementing appropriate defenses.

🧠 Quantum computing: What business leaders need to do right now Right now, criminal and state-sponsored hackers are intercepting and storing encrypted data they cannot yet decode. Likely targets include everything from corporate secrets and medical records to legal agreements and military communications. Why would these actors bother to steal data they can’t read? Because they are betting on developments in quantum computing that will eventually let them crack this encrypted data wide open. This isn’t a fringe theory. The NSA (National Security Agency), NIST (National Institute of Standards and Technology), and ENISA (European Agency for Cybersecurity) are all treating this “harvest now, decrypt later” scenario as a live threat that is serious enough to demand immediate action. The NSA has mandated that all U.S. national security systems must transition to quantum-resistant cryptography by 2035—with new acquisitions required to be compliant by 2027. In Europe, ENISA issued updated guidance in April 2025 warning that the threat is “sufficient to warrant caution, and to warrant mitigating actions to be taken,” and recommending that organizations begin deploying post-quantum cryptography immediately. NIST has launched a parallel global effort to develop the new cryptographic standards on which these transitions will depend. The message from all three bodies is the same: Organizations run a grave risk if they wait to begin upgrades until quantum computers can break current encryption standards. That is the reason business leaders need to pay attention to quantum computing now — not because the technology is ready, but because the risk is grave, and the cost of preparation is trivial compared with the cost of being caught flat-footed. 🔗 Find out how in our new Fast Company article here: https://lnkd.in/g54y88UE.

Japan’s Ministry of Economy, Trade and Industry (METI) has released an in-depth OT Security Guide for semiconductor device factories. This 132-page document outlines practical, globally-aligned strategies covering: ✅ Safeguarding production goals, confidential information, and semiconductor quality. ✅ Using NIST CSF 2.0 and the Cyber/Physical Security Framework (CPSF) for risk management. ✅ Factory security best practices based on IEC 62443 zones and microsegmentation. ✅ Special focus on asset inventory, vulnerability assessment, and tailored mitigation , not just patching. ✅ Preparing for nation-state threats, APTs, and modern supply chain risks. A must-read for OT, cybersecurity, and semiconductor industry pros looking to align with the latest global standards and strengthen factory resilience.

Most quantum boardroom conversations end without an agenda. They end with a posture — "we're monitoring quantum developments," "we're taking it seriously". Neither statement produces a plan. The distinction matters because quantum creates three problem classes, each with a different urgency and a different cost of inaction. A generic posture misaddresses all three at once. The right response, for most leadership teams, has three parts. The first is to defend now. Post-quantum cryptography belongs on the enterprise risk agenda as a current priority. That means building visibility into cryptographic dependencies across the enterprise, identifying migration priorities, and mapping third-party exposure. This is the part of the quantum agenda that cannot wait. The second is to explore selectively. Most leadership teams do not need a wide portfolio of quantum pilots. They need a small number of focused efforts on high-value problems where the workload aligns with quantum's actual strengths — evaluated against the strongest available classical alternative. Each effort should be a targeted test: one specific problem, one clear classical benchmark, one honest evaluation. The third is to build options. For companies in simulation-relevant sectors — pharmaceuticals, advanced materials, energy — the right posture is modest investment in partnerships and early hardware collaborations. The goal is R&D workflows that are ready to integrate quantum subroutines when the technology matures. The companies that benefit most will not necessarily be those spending the most today. They will be the ones best positioned to move when the moment arrives. The most common failure on quantum is conflating the urgency of the three classes — treating all three as equally distant or equally immediate, when each has a different clock running. The organizations that get this right understand early which problem classes matter to their business, which ones to set aside, and what the distinction demands of them starting Monday morning. https://lnkd.in/gkymW7Xm

If your team is asking “Can we use this AI tool?” You need governance.   Especially when AI systems can develop discriminatory bias, give incorrect advice, leak customer data, introduce security flaws, and perpetuate outdated assumptions about users.   AI governance programs and assessments are no longer an optional best practice.   They're on the fast track to becoming mandatory as several AI regulations roll out. Most notably for high-risk AI use. I recommend AI assessments beyond high risk use cases to also capture the privacy, security and ethical risks. Here’s how companies can conduct an AI risk assessment: ✔ Start by building an AI data inventory List every AI tool in use, including hidden ones embedded inside vendor software. Capture data inputs, decisions it makes, who has access, and outputs. ✔ Assess the decision impact Identify where wrong AI decisions could cause harm or discriminate, and review AI systems thoroughly to understand if it involves high-risk.   ✔ Examine company data sources Check whether your training data is current, representative, and free from historical bias. Confirm you have disclosures and permissions for use. ✔ Test for bias and fairness Run scenarios through AI systems with different demographic inputs and look for discrepancies in outcomes. ✔ Document everything Maintain detailed records of the assessment process, findings, and changes you make. Regulations like the EU AI Act and the Colorado AI Act have specific requirements for documenting high-risk AI usage.   ✔ Build monitoring checkpoints Set regular reviews and repeat risk assessments when new products or services are introduced or as models, vendors, business needs, or regulations change. AI oversight isn’t coming someday. It’s here.   Companies that start preparing now will be ready when the new regulations come into force. Read our full blog for more tips and to see how to put this into action 👇

🛡️ The Quantum Clock is Ticking quietly: Is Your Financial Infrastructure Ready? The financial industry is built on a foundation of digital trust, currently secured by #cryptographic standards like RSA and ECC. However, the rise of Cryptographically Relevant Quantum Computers (CRQC) poses an existential threat to this foundation. As we navigate this transition, here are 3 key pillars from the latest Mastercard R&D white paper that every financial leader must prioritize: 1. Addressing the 'Harvest Now, Decrypt Later' (HNDL) Threat 📥 Malicious actors are already intercepting and storing sensitive #encrypted data today, intending to decrypt it once powerful quantum computers are available. Financial Use Case: Protecting long-term assets such as credit histories, investment records, and loan documents. Unlike transient transaction data (which uses dynamic cryptograms), this "shelf-life" data requires immediate risk analysis and the adoption of quantum-safe encryption for back-end systems. 2. Quantum Resource Estimation & The 10-Year Horizon ⏳ While a CRQC capable of breaking RSA-2048 in hours might be 10 to 20 years away, the migration process itself will take years. Financial Use Case: Developing Agile Cryptography Plans. Financial institutions should set "action alarms" for instance, once a quantum computer reaches 10,000 qubits, a pre-prepared 10-year migration plan must be triggered to ensure infrastructure is updated before the "meteor strike" occurs. 3. Hybrid Implementations: The Bridge to Security 🌉 The transition won't happen overnight. The paper highlights the importance of Hybrid Key Encapsulation Mechanisms (KEM), which combine classical security with PQC. Financial Use Case: Enhancing TLS 1.3 and OpenSSL 3.5 protocols. By implementing hybrid models now, banks can protect against current quantum threats (like HNDL) while maintaining compatibility with existing classical systems, ensuring a smooth and safe transition. The Bottom Line: A reactive approach is no longer an option. Early adopters who evaluate their data's "time value" and begin the migration today will be the ones to maintain resilience and protect global financial assets tomorrow. #QuantumComputing #PostQuantumCryptography #FinTech #CyberSecurity #DigitalTrust #MastercardResearch