Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

When the first cryptographically relevant quantum computer (CRQC) arrives, it won’t come with a press release. One day in the not too distant future, a nation-state, organized crime group or unhinged megalomaniac billionaire will quietly spin up the capability, and in eight hours or less, your TLS (Transport Layer Security) RSA-2048 encryption is gone. Like a hot knife through butter.

Researchers at Stripe warn of a wave of spear phishing attacks targeting C-suite employees and senior leadership across a wide range of industries. The emails pose as OneDrive document-sharing notifications with subject lines like “Salary amendment” or “FIN_SALARY.” If a user clicks the link, they’ll be taken to a spoofed Microsoft Office/OneDrive login page designed to steal their credentials.

I occasionally get human risk management (HRM) administrators asking me to help them with ideas of “contests” to better educate their end-users. They have usually done the traditional recommendations, which means at least monthly-to-weekly security awareness training (SAT) and simulated phishing. They are working to educate their end-users about social engineering and phishing attacks as best as they can without being overly annoying.

The State of California’s Franchise Tax Board (FTB) has warned of an ongoing SMS phishing (smishing) campaign targeting residents, Malwarebytes reports. The FTB stated, “These text messages contain a link to a fraudulent version of certain FTB web pages, which are designed to steal personal and banking information.

Over the past few years, artificial intelligence (AI) has transformed millions of organizations worldwide. AI can automate rote tasks, facilitate natural-language interfaces, and pick up subtle patterns in huge data sets. It can also hallucinate wrong answers, reinforce societal biases, and even introduce cybersecurity risks. Before incorporating the technology into their workflows, responsible organizations must weigh the benefits and risks of AI.

Remote access scams are social engineering attacks where fraudsters convince users to install or open remote desktop tools like TeamViewer or AnyDesk. Once inside, they hijack login flows, harvest credentials, and often bypass MFA, opening a hidden path to account takeover (ATO). These scams are rising fast, exploiting customer trust and evading traditional fraud controls.

On September 5, 2025, GitGuardian discovered GhostAction, a massive supply chain attack affecting 327 GitHub users across 817 repositories. Attackers injected malicious workflows that exfiltrated 3,325 secrets, including PyPI, npm, and DockerHub tokens via HTTP POST requests to a remote endpoint.

Just because ransomware attacks have decreased doesn’t mean that the risk has disappeared. Indeed, it remains one of the most disruptive threats to any organisation. Headlines can convey a false sense of relief: Ransomware attacks are down 15%, according to Verizon's latest DBIR report. But for those of us who work in cybersecurity, we know that this doesn't tell the whole story, especially when the real issue isn't how often an attack occurs, but what happens when it does.

If your website or digital app collects, tracks, or sells data from Colorado residents, chances are the Colorado Privacy Act (CPA) applies to you. Like California’s CCPA and Virginia’s VCDPA, the CPA is part of the growing patchwork of state-level privacy laws reshaping how U.S. businesses handle personal data. Yet many companies underestimate the scope of the Colorado Privacy Act—or assume compliance is covered by PCI DSS or HIPAA if they process payments or healthcare data.

Endpoint data loss prevention (DLP) is a critical compliance service designed to ensure that an organization's sensitive or confidential information remains secure by implementing robust security controls and continuously monitoring devices to protect data from unauthorized access or transmission and prevent potential data breaches.