Technology Risk Assessment

Explore the top content from experienced professionals on LinkedIn.

  • View Bob Carver's profile

    CEO Cybersecurity Boardroom ™ | CISSP, CISM, M.S. Top Cybersecurity Voice

    52,723 followers

    Inside the Breach: What the 2025 Verizon DBIR Warns About Our Failing Cyber Defenses

    The 2025 Verizon Data Breach Investigations Report delivers one of the most comprehensive looks yet into the evolving threat landscape, and the findings should concern every organization handling sensitive data. With over 22,000 incidents analyzed and more than 12,000 confirmed breaches across 139 countries, this report isn’t just about numbers—it’s a snapshot of where cyber risk is headed and how fast it’s accelerating. From vulnerability exploits to supply chain breakdowns, the scope is global, and the risks are intensifying.

    One of the most alarming trends is the continued rise of ransomware, which now appears in nearly half of all breaches. Simultaneously, exploitation of vulnerabilities—particularly in edge devices and remote access tools—has surged, making up a significant portion of attack vectors. Add to this the doubling of third-party-related breaches, and it's clear that supply chain risk is no longer a future concern; it's a current crisis. Missteps in configuration and social engineering continue to haunt organizations, revealing that despite automation advances, human error still drives a majority of breaches.

    Perhaps most pressing is the emergence of generative AI as a double-edged sword. While it’s revolutionizing business, its unregulated use introduces massive data exposure risks. Cybercriminals are already testing GenAI in phishing and influence operations, while nation-state actors are moving from spying to full-on data theft.

    The message is clear: the threat landscape is growing in scale and sophistication. Organizations must act decisively—tighten access, secure credentials, enforce AI policies, and invest in real cyber resilience before the next breach strikes. #cybersecurity #VerizonDBIR2025 #trends #riskmanagement

  • View Usman Asif's profile

    Access 2000+ software engineers in your time zone | Founder & CEO at Devsinc

    228,598 followers

    Three weeks ago, our Devsinc security architect walked into my office with a chilling demonstration. Using quantum simulation software, she showed how RSA-2048 encryption – the same standard protecting billions of transactions daily – could theoretically be cracked in just 24 hours by a sufficiently powerful quantum computer. What took her classical computer billions of years to attempt, quantum algorithms could solve before tomorrow's sunrise. That moment crystallized a truth I've been grappling with: we're not just approaching a technological evolution; we're racing toward a cryptographic apocalypse. The quantum computing market tells a story of inevitable disruption, surging from $1.44 billion in 2025 to an expected $16.22 billion by 2034 – a staggering 30.88% CAGR that signals more than market enthusiasm. Research shows a 17-34% probability that cryptographically relevant quantum computers will exist by 2034, climbing to 79% by 2044. But here's what keeps me awake at night: adversaries are already employing "harvest now, decrypt later" strategies, collecting our encrypted data today to unlock tomorrow. For my fellow CTOs and CIOs: the U.S. National Security Memorandum 10 mandates full migration to post-quantum cryptography by 2035, with some agencies required to transition by 2030. This isn't optional. Ninety-five percent of cybersecurity experts rate quantum's threat to current systems as "very high," yet only 25% of organizations are actively addressing this in their risk management strategies. To the brilliant minds entering our industry: this represents the greatest cybersecurity challenge and opportunity of our generation. While quantum computing promises revolutionary advances in drug discovery, optimization, and AI, it simultaneously threatens the cryptographic foundation of our digital world. The demand for quantum-safe solutions will create entirely new career paths and industries.
What moves me most is the democratizing potential of this challenge. Whether you're building solutions in Silicon Valley or Lahore, the quantum threat affects us all equally – and so does the opportunity to solve it. Post-quantum cryptography isn't just about surviving disruption; it's about architecting the secure digital infrastructure that will power humanity's next chapter. The countdown has begun. The question isn't whether quantum will break our current security – it's whether we'll be ready when it does.

  • View Martin Zwick's profile

    Lawyer | AIGP | CIPP/E | CIPT | FIP | GDDcert.EU | DHL Express Germany | IAPP Advisory Board Member

    20,331 followers

    AI agents are not yet safe for unsupervised use in enterprise environments

    The German Federal Office for Information Security (BSI) and France’s ANSSI have just released updated guidance on the secure integration of Large Language Models (LLMs). Their key message? Fully autonomous AI systems without human oversight are a security risk and should be avoided. As LLMs evolve into agentic systems capable of autonomous decision-making, the risks grow exponentially. From Prompt Injection attacks to unauthorized data access, the threats are real and increasingly sophisticated.

    The updated framework introduces Zero Trust principles tailored for LLMs:
    1) No implicit trust: every interaction must be verified.
    2) Strict authentication & least privilege access – even internal components must earn their permissions.
    3) Continuous monitoring – not just outputs, but inputs must be validated and sanitized.
    4) Sandboxing & session isolation – to prevent cross-session data leaks and persistent attacks.
    5) Human-in-the-loop, i.e., critical decisions must remain under human control.

    Whether you're deploying chatbots, AI agents, or multimodal LLMs, this guidance is a must-read. It’s not just about compliance but about building trustworthy AI that respects privacy, integrity, and security. Bottom line: AI agents are not yet safe for unsupervised use in enterprise environments. If you're working with LLMs, it's time to rethink your architecture.

  • View Ahmed Aldouky's profile

    Cybersecurity consultant

    9,387 followers

    How to Approach Mobile Penetration Testing: A Real-World Guide

    In today’s digital age, mobile applications are a cornerstone of many businesses, but they are also a prime target for attackers. Mobile penetration testing ensures these apps are secure, reliable, and resilient to cyber threats. Here’s how to approach it step-by-step:

    1️⃣ Pre-engagement Phase
    • Define the scope: Android, iOS, or both? Native, web, or hybrid apps?
    • Set up testing tools: Static analysis (e.g., MobSF), dynamic analysis (e.g., Frida, Burp Suite), and reverse engineering (e.g., JADX).
    2️⃣ Reconnaissance
    • Analyze the app store listing for permissions, version history, and potential clues.
    • Decompile the app to uncover hardcoded secrets, APIs, and other vulnerabilities.
    3️⃣ Static Analysis
    • Review the codebase for:
      • Hardcoded credentials.
      • Insecure storage.
      • Weak cryptographic practices.
    • Audit permissions and configuration files for security misconfigurations.
    4️⃣ Dynamic Analysis
    • Test the app on an emulator or physical device.
    • Intercept and analyze network traffic for sensitive data leaks or weak encryption.
    • Evaluate authentication and session management mechanisms.
    5️⃣ Backend Testing
    • Assess APIs for vulnerabilities like insecure authorization, IDOR, and data exposure.
    • Check server configurations (e.g., SSL/TLS setup).
    6️⃣ Device Testing
    • Check local storage for sensitive data.
    • Review secure storage mechanisms like Keychain/Keystore.
    • Test for clipboard exposure and file tampering vulnerabilities.
    7️⃣ Exploitation
    • Bypass root/jailbreak detection.
    • Exploit vulnerabilities for privilege escalation or tampering.
    8️⃣ Reporting
    • Document all findings with clear descriptions, proof-of-concept (PoC), and remediation steps.
    • Provide actionable recommendations to secure the app.

    🛠 Key Tools:
    • Static Analysis: MobSF, Apktool, JADX.
    • Dynamic Testing: Frida, Burp Suite, mitmproxy.
    • Network Analysis: Wireshark, Netcat.

    What I learned this weekend: This weekend, I deep-dived into the fascinating world of mobile penetration testing. Understanding the real-world processes and tools involved has been eye-opening and invaluable for my skillset. What’s next? I’ll be posting a complete demo of me performing a full mobile penetration test on a demo app as a personal project! I’d love for you to watch, provide feedback, and share your thoughts on what I did right and what could be improved. Let’s learn and grow together! 💡 What’s your go-to tool or tip for mobile app security? Let’s discuss in the comments! #CyberSecurity #MobileSecurity #PenetrationTesting #AppSec #InfoSec #LinkedInNetworking

  • View Frederick Magana, FCIPS Chartered's profile

    Top 1% Procurement Creator | Fellow of CIPS | Judge & Speaker CIPS MENA Excellence in Procurement Awards | Mentor | Helping Organisations Drive Value Through Procurement & Supply | Strategic Sourcing |Contract Management

    22,504 followers

    Your Procurement Cycle is a Minefield of Risks. Are You Walking Blind?

    Procurement Excellence | 17 JAN 2026 - Procurement always navigates hidden risks that can derail projects, inflate costs, and tarnish reputations. Ignoring them? That’s the real risk. Here are 7 CRITICAL risks lurking in your procurement cycle + how to defuse them:

    #1. Performance Risk
    ↳ Suppliers underdelivering on quality/timelines.
    ↳ Fix: Clear KPIs. Penalty clauses. Regular performance reviews.
    #2. Specification Risk
    ↳ Vague requirements lead to wrong deliverables.
    ↳ Fix: Collaborate with stakeholders upfront & freeze specs before sourcing.
    #3. Supplier Financial Risk
    ↳ Bankrupt suppliers = halted operations.
    ↳ Fix: Run credit checks, diversify suppliers, demand financial disclosures.
    #4. Reputation Risk (ESG)
    ↳ Child labor or pollution in supply chain = brand crisis.
    ↳ Fix: Supplier ESG screenings. Audits. Sustainability clauses.
    #5. Price Volatility Risk
    ↳ Market swings crush budgets.
    ↳ Fix: Fixed-price contracts. Hedging strategies. Cost-indexed clauses.
    #6. Fraud & Corruption Risk
    ↳ Kickbacks, fake invoicing, collusion.
    ↳ Fix: Segregate duties. Whistleblower policies. AI-powered anomaly detection.
    #7. Contract Leakage Risk
    ↳ Unused discounts, auto-renewals, scope creep.
    ↳ Fix: Centralized contract repository. Milestone alerts. Spend analytics.
    #Bonus I: Over-Reliance Risk
    ↳ One supplier holds 80% of your spend.
    ↳ Fix: Strategic supplier diversification.
    #Bonus II: Cybersecurity Risk
    ↳ Suppliers accessing your systems >> data breaches.
    ↳ Fix: Vendor security assessments. Zero-trust architecture.
    #Bonus III: Supply Disruption Risk
    ↳ Natural disasters, geopolitics or supplier failures.
    ↳ Fix: Dual sourcing, Safety stock & Real-time supply chain monitoring.

    Risk Mitigation Playbook:
    ✅ Proactive: Map risks at EVERY stage
    ✅ Use AI for predictive analytics, blockchain for traceability.
    ✅ Train & empower teams to spot red flags early.
    ✅ Collaborate & partner with Legal, Finance, Operations.

    Risk-aware procurement is NOT about avoiding suppliers. Procurement can’t own risk alone! Build resilient, ethical & agile supply chains that drive sustainable value. What risks keep YOU up at night? ♻️ Share to help someone in your network. ➕️ Follow Frederick for more content like this. #ProcurementExcellence #RiskManagement #Leadership

  • View Peter Slattery, PhD's profile

    MIT AI Risk Initiative | MIT FutureTech

    68,379 followers

    📢 What are the risks from Artificial Intelligence? We present the AI Risk Repository: a comprehensive living database of 700+ risks extracted, with quotes and page numbers, from 43(!) taxonomies.

    To categorize the identified risks, we adapt two existing frameworks into taxonomies. Our Causal Taxonomy categorizes risks based on three factors: the Entity involved, the Intent behind the risk, and the Timing of its occurrence. Our Domain Taxonomy categorizes AI risks into 7 broad domains and 23 more specific subdomains. For example, 'Misinformation' is one of the domains, while 'False or misleading information' is one of its subdomains.

    💡 Four insights from our analysis:
    1️⃣ 51% of the risks extracted were attributed to AI systems, while 34% were attributed to humans. Slightly more risks were presented as being unintentional (37%) than intentional (35%). Six times more risks were presented as occurring after (65%) than before deployment (10%).
    2️⃣ Existing risk frameworks vary widely in scope. On average, each framework addresses only 34% of the risk subdomains we identified. The most comprehensive framework covers 70% of these subdomains. However, nearly a quarter of the frameworks cover less than 20% of the subdomains.
    3️⃣ Several subdomains, such as *Unfair discrimination and misrepresentation* (mentioned in 63% of documents); *Compromise of privacy* (61%); and *Cyberattacks, weapon development or use, and mass harm* (54%) are frequently discussed.
    4️⃣ Others such as *AI welfare and rights* (2%), *Competitive dynamics* (12%), and *Pollution of information ecosystem and loss of consensus reality* (12%) were rarely discussed.

    🔗 How can you engage? Visit our website, explore the repository, read our preprint, offer feedback, or suggest missing resources or risks (see links in comments). 🙏 Please help us spread the word by sharing this with anyone relevant.

    Thanks to everyone involved: Alexander Saeri, Jess Graham 🔸, Emily Grundy, Michael Noetel 🔸, Risto Uuk, Soroush J. Pour, James Dao, Stephen Casper, and Neil Thompson. #AI #technology

  • View Rob T. Lee's profile

    Chief AI Officer (CAIO), Chief of Research, SANS Institute | “Godfather of Digital Forensics” | Executive Leader | AI Strategist | Advising C-Suite Leaders on Secure AI Transformation | Technical Advisor to US Govt

    23,407 followers

    PRC-backed hackers gained undetected, years-long access to U.S. telecom networks, data centers, and other critical infrastructure. This prolonged breach, which remains unremediated, enabled theft of sensitive data and exposed the ability for Chinese intelligence agencies to track and monitor individuals globally. With access to telecom providers, adversaries can see call records, geolocation, and SMS content of all Americans, including government officials and high-value individuals who are likely tracked: who they call, when, and where they move, through the same carrier systems law enforcement uses in investigations.

    The hard part is that telecommunication providers have to do the response and remediation by themselves, while the government shares threat intelligence such as indicators, targeting patterns, and adversary capabilities to give providers a better chance to hunt effectively and prepare interdictions before the next wave. The Cybersecurity Information Sharing Act of 2015, which enables that collaboration, expires on September 30, 2025. If it lapses, collaborative defense against attacks like Salt Typhoon will be severely weakened.

    National Security Agency, Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation (FBI), DoD Cyber Crime Center (DC3), SANS Institute

  • View Akhilesh Tuteja's profile
    Akhilesh Tuteja is an influencer

    Head of Clients & Industries - KPMG India

    54,660 followers

    The growing complexity of supply chain interdependencies is creating significant cybersecurity risks. In my latest article for the World Economic Forum’s Centre for Cybersecurity, I outline five key risk factors and what organisations must do to mitigate them:

    1️⃣ Cyber Inequity – Large organisations are improving cyber resilience, but SMEs remain vulnerable. They must view cybersecurity as a business priority, while industry collaboration and policy support can help bridge the gap.
    2️⃣ Limited Supply Chain Visibility – Expanding supply chains make it harder to assess supplier security. Without clear incentives, compliance gaps persist, increasing exposure to cyber threats.
    3️⃣ Third-Party Software Vulnerabilities – AI and open-source adoption introduce new risks, yet only 37% of organisations assess AI tool security before deployment. A structured security framework is essential.
    4️⃣ Dependence on Critical Providers – Over-reliance on a few key suppliers creates systemic points of failure. Resilient IT architectures and strong business continuity planning are critical.
    5️⃣ Geopolitical Risks – Cyber threats are increasingly shaped by global tensions, disrupting supply chains and increasing attack sophistication. Organisations must integrate geopolitical risk assessments into their cybersecurity strategies.

    What’s Next? Organisations must prioritize visibility, support smaller partners, and invest in resilience. Strong business continuity planning, robust IT management, and proactive threat detection are non-negotiable. Cybersecurity is not just an IT issue—it’s a strategic imperative. Read the full article here: https://lnkd.in/g-yQ2QRa #CyberSecurity #SupplyChain #AI #RiskManagement

  • View FAISAL HOQUE's profile

    Founder, SHADOKA & NextChapter | Executive Fellow, IMD Business School | 3x Deloitte Fast 50/500™ | #1 WSJ/USA Today Bestselling Author (11x) | Humanizing AI, Innovation & Transformation

    19,978 followers

    🧠 Quantum computing: What business leaders need to do right now

    Right now, criminal and state-sponsored hackers are intercepting and storing encrypted data they cannot yet decode. Likely targets include everything from corporate secrets and medical records to legal agreements and military communications. Why would these actors bother to steal data they can’t read? Because they are betting on developments in quantum computing that will eventually let them crack this encrypted data wide open.

    This isn’t a fringe theory. The NSA (National Security Agency), NIST (National Institute of Standards and Technology), and ENISA (European Agency for Cybersecurity) are all treating this “harvest now, decrypt later” scenario as a live threat that is serious enough to demand immediate action. The NSA has mandated that all U.S. national security systems must transition to quantum-resistant cryptography by 2035—with new acquisitions required to be compliant by 2027. In Europe, ENISA issued updated guidance in April 2025 warning that the threat is “sufficient to warrant caution, and to warrant mitigating actions to be taken,” and recommending that organizations begin deploying post-quantum cryptography immediately. NIST has launched a parallel global effort to develop the new cryptographic standards on which these transitions will depend.

    The message from all three bodies is the same: Organizations run a grave risk if they wait to begin upgrades until quantum computers can break current encryption standards. That is the reason business leaders need to pay attention to quantum computing now — not because the technology is ready, but because the risk is grave, and the cost of preparation is trivial compared with the cost of being caught flat-footed. 🔗 Find out how in our new Fast Company article here: https://lnkd.in/g54y88UE.

  • View Marie-Doha Besancenot's profile

    Senior advisor for Strategic Communications, Cabinet of 🇫🇷 Foreign Minister; #IHEDN, 78e PolDef

    40,978 followers

    🗞️ Platform regulation: great effort at establishing the 1st large-scale, cross-platform, scientifically sound measurement via 4️⃣ Structural Indicators of Disinformation:
    🔹 Prevalence of mis/disinformation
    🔹 Sources (relative influence of repeat misinformers vs. credible actors)
    🔹 Cross-platform presence
    🔹 Monetisation

    They assess:
    🔹 how permeable Very Large Online Platforms (VLOPs) are to mis- & disinformation in Europe
    📈 how influential repeat misinformers are relative to credible sources
    💰 the extent to which such content is monetised.

    As most VLOPs continue to disengage from their commitments, this report offers evidence-based measurement to inform policy & enforcement.
    🔹 6️⃣ VLOPs analysed: Facebook, Instagram, LinkedIn, TikTok, X/Twitter, YouTube
    🔹 in 4️⃣ EU States: France 🇫🇷, Poland 🇵🇱, Slovakia 🇸🇰, Spain 🇪🇸
    🔹 corpus of ~2.6 million posts totalling ~24 billion views.

    Key findings
    1) Prevalence of mis/disinformation
    🔹 TikTok highest: 20% of exposure-weighted posts, Facebook 13%, X/Twitter 11%; YouTube and Instagram 8%; LinkedIn 2%.
    🔹 When including abusive (hate speech) + borderline content, prevalence = 34% on TikTok, 32% on X/Twitter, 27% on Facebook, 22% on YouTube, 19% on Instagram, 8% on LinkedIn.
    2) Sources – “misinformation premium”
    🔹 Accounts repeatedly sharing misinformation attract more engagement per post per 1 000 followers than high-credibility accounts on all platforms except LinkedIn.
    🔹 Ratio most pronounced on YouTube: 8× & Facebook 7×; 5× on Instagram and X/Twitter, and 2× on TikTok. = systematic amplification advantages for recurrent misinformers. On LinkedIn: sharers of misinformation are not rewarded with extra visibility.
    3) Cross-platform footprint
    🔹 Low-credibility actors are more likely than high-credibility actors to maintain accounts on X/Twitter (+34%), Facebook (+23%), TikTok (17%); inverse for LinkedIn (-80%), Instagram (-33%).
    4) Monetisation
    🔹 None of the assessed services fully prevents monetisation by recurrent misinformers. On YouTube, ~76% of eligible low-credibility channels are monetised. On Facebook, ~20% of eligible low-credibility Pages appear monetised (vs. 60% for high-credibility). Google Display Ads appear on 27% of low credibility websites.
    🔹 Transparency limits prevented equivalent auditing on X/Twitter, TikTok, LinkedIn, and Instagram.
    => inconsistent with an online environment that privileges trustworthy information.

    The way to go:
    🔹 under the DSA’s systemic-risks framework, platforms must reduce the spread and impact of misleading content and avoid incentivising it financially.

    Congrats to the consortium behind this work: Science Feedback, Newtral, Demagog.SK, @Pravda, CheckFirst, Universitat Oberta de Catalunya, European Media & Information Fund (EMIF)

Explore categories