Data breaches are no occasional crisis – they are a persistent, costly epidemic wreaking global havoc on businesses.

While organizations leverage the latest technological advancements in perimeter defense, access management, and cloud and application security, one area that is overlooked is data encryption. 

Where Do Gaps in Encryption Exist?

Enterprise data follows a lifecycle encompassing creation, collection, transfer, storage, processing, analysis, and archival. Traditional encryption methods typically include encryption at rest (when data is stored) and encryption in motion (when data is transferred between systems). However, these approaches need more protection because data must be decrypted for processing and analysis. Additionally, vulnerabilities arise during transitions between encryption in motion and processing or when shifting to encryption at rest.

These security gaps expose organizations to malicious parties – insiders and external hackers – who increasingly target such weak points to gain access to sensitive information. Attackers’ ability to identify and exploit these lifecycle vulnerabilities puts organizations at significant risk of data exfiltration resulting from a breach, underscoring the urgent need for comprehensive encryption solutions that protect data across every stage of its lifecycle.

The risks multiply in cloud-based and data-sharing environments where data is frequently in motion and accessed by multiple parties.

The Promise of Fully Homomorphic Encryption: Continuous Data Protection

Fully homomorphic encryption (FHE) solutions shield data from unauthorized access and render it useless to threat actors when other defenses fail and a breach is successful. FHE allows computations on encrypted data,, eliminating critical vulnerabilities created by conventional encryption and the need to decrypt data for processing and analysis.  

FHE’s promise is transformative. It allows sensitive data to be processed without exposure in plaintext, enabling multiple parties to perform computations while ensuring data confidentiality and providing robust protection against software—and hardware-based attacks.

FHE enables operations on encrypted data without decryption, maintaining continuous protection throughout data workflows.

FHE is an indispensable tool for mitigating many cyber threats. Its application can reduce insider threats and man-in-the-middle attacks by ensuring that data remains encrypted during transmission and processing, reducing the risk of interception and tampering.

It safeguards third-party data sharing by eliminating plaintext exposure and defends against data exfiltration by ensuring that encrypted data is unreadable without proper decryption keys. The technology also strengthens cloud security by allowing secure data processing in untrusted environments.

Why FHE Hasn’t Achieved Mainstream Success

Despite its vast potential, FHE hasn’t achieved widespread adoption due to several inherent limitations hindering its practicality in real-world applications. The combination of high costs, resource demands, and incompatibility with existing software has further limited its adoption, especially in environments requiring real-time processing.

Traditional FHE solutions often cause data to balloon 100 to 1,000 times in size when encrypted, driving up storage costs and slowing data transfer.  These scalability issues have made handling large datasets or complex computations difficult, particularly for big data analytics and machine learning. Performance bottlenecks can make operations on encrypted data thousands to millions of times slower than plaintext processing, requiring immense computational power.

Only when FHE is optimized can it empower organizations to maintain trust and integrity in an ever-evolving threat landscape. 

Advances in cryptographic algorithms and computing power bridge the gap between security and usability in FHE, making it viable for real-world applications. Optimized Fully Homomorphic Encryption (FHE) solutions are emerging as practical, efficient tools for protecting sensitive data without compromising speed or scalability.

One of the most transformative developments in optimized FHE is the ability to inspect encrypted data at near-plaintext speeds.

Unlike traditional FHE, which could take hours, days, or weeks to process encrypted computations, cutting-edge solutions now operate within nanoseconds. This performance boost is critical in real-time processing scenarios like fraud detection, transaction monitoring, or high-frequency trading. Fast encryption and decryption enable organizations to maintain security without sacrificing efficiency, ensuring seamless operations across time-sensitive use cases.

An optimized FHE solution must align with stringent security standards, such as the Federal Information Processing Standard (FIPS) 140-2 certification, to ensure it meets the compliance and encryption benchmarks mandated by governments and regulatory bodies. This certification demonstrates the solution’s robustness and readiness for deployment in industries like finance, healthcare, and government, where data protection is paramount. FIPS compliance ensures secure encryption and fosters trust and confidence in the solution’s reliability.

Optimized FHE solutions eliminate one of the most significant pain points of earlier iterations—data expansion. In traditional FHE systems, encrypted data often ballooned up to 1,000 times its original size, which slowed down processing and created logistical challenges in storage and transmission.

Modern FHE, by contrast, ensures the size of encrypted data remains consistent with its plaintext equivalent, allowing for faster performance and reduced bandwidth and storage costs. This breakthrough is particularly beneficial for large-scale data-sharing applications requiring high computational efficiency.

When evaluating an FHE solution, it’s critical to ensure the offering incorporates key features and capabilities that enable organizations to fully unlock its potential.

The post Gaps In Encryption Create Exploitable Vulnerabilities first appeared on Cybersecurity Insiders.

The post Gaps In Encryption Create Exploitable Vulnerabilities appeared first on Cybersecurity Insiders.

from Cybersecurity Insiders https://ift.tt/O1eokQZ
via IFTTT

The number of dark web marketplaces, also known as darknet markets, continues to grow year-on-year, despite law enforcement’s efforts to close the networks down. Cybercriminals use these illicit platforms to trade hacking tools, services, stolen data and other sensitive information obtained from cyber attacks. Tools such as malicious software, phishing kits and email extractors are being sold by sophisticated hackers through these darknet markets to inexperienced cybercriminals, democratising their use.  

With advancements in these tools and technologies (such as AI) driving wider use of ransomware and malware-as-a-service (MaaS), the need for organisations to protect digital identities through robust cybersecurity has never been greater. To address and mitigate the vulnerabilities leaving them exposed to cyber attacks, organisations must familiarise themselves with the tools and tactics cybercriminals are using.    

Last year, half of UK businesses experienced a cyber attack or some kind of breach, with the primary attack type being phishing (84%), and viruses or other malware accounting for only 17% of attacks. With phishing’s main purpose being to steal credentials or sensitive information, this knowledge gives organisations a better understanding of what cybercriminals are after and, by extension, where cybersecurity efforts should be prioritised. As organisations struggle to combat cyber attacks, now must be the time to refer to the hacker’s playbook and beat them at their own game.  

Battling hacker sophistication  

More sophisticated attacks and entrepreneurial approaches to the tools hackers make available to other cybercriminals are threatening to outpace organisations in the cyber race. As well as this, evolving technologies, like AI, are accelerating the democratisation of cyber attacks, giving less experienced threat actors the resources they need to carry out a serious breach.  

Recent cases have shown us the extent of damage MaaS attacks can cause. The cybercriminals who carried out the Snowflake data theft and extortion used infostealer malware and purchased credentials to carry out the attack which left up to 165 businesses compromised. The data stolen from such attacks is a valuable commodity on darknet marketplaces, with darknet market ‘vendors’ making the sensitive information available to even the most novice cybercriminals. Last year’s attack on Synnovis, an NHS provider, is another example of this kind of work in the wild, resulting in the ransomware gang which carried out the attack (Qilin) publishing 400GB of private healthcare data online. These attacks reveal how hacking tools and sensitive information is being made available for all types of cybercriminals to utilise. 

Readily available MaaS, including adware, keyloggers, spyware, worms, Trojan horses and more is concerning. Organisations are racing against time to combat the ever-growing volume and complexity of attacks fuelled by open trade on darknet markets.

How organisations can take advantage of the playbook  

The World Economic Forum’s Global Cybersecurity Outlook report for 2025 found a 223% increase in deepfake-related tools being traded on the dark web, outpacing organisations’ abilities to keep up with AI-driven cyber attacks.  

As attacks and the technology behind them evolve, so too must cyber defences. For organisations to defend digital identities from malicious intentions, they must stay informed of the technologies and strategies hackers are exploiting, as well as the most valuable targets for cybercriminals.  

Understanding how hacking tools are being used and what data is most valuable for cybercriminals will become more critical as organisations develop strategies to tackle threats. With bad actors continuously adopting new technologies and changing their attack styles, proactive defence measures, such as behavioural analytics and AI-driven threat detection, should be widely implemented to outsmart cybercriminals before an attack is successfully completed.  

Importantly, personally identifiable information (PII), financial information and passwords or login credentials top the list of the most valuable data cybercriminals sell on the dark web. Alongside proactive defence measures, focusing cybersecurity efforts on these vulnerabilities is critical, and as this information is often stolen through phishing attacks, email and password security should be a primary focus. 

The importance of password-related security is often overlooked. Alternative authentication methods, such as multi-factor authentication (MFA), token authentication and biometric identification can easily be implemented to defend against attacks carried out by sophisticated hackers and less skillful cybercriminals alike. Decentralising identity is also often under-utilised as a defence strategy, despite its proven benefit of making it more difficult for cybercriminals to carry out an attack.  

Darknet markets will remain 

Protecting significant vulnerabilities, such as passwords, which are knowingly exploited to steal PII, financial details and credential information, is of ever-growing importance as hackers continue to go to great lengths to steal one of the dark web’s most valuable commodities – data.  

As technologies and cybercriminals rapidly evolve, organisations must rethink their approach to cyber defence. By keeping well informed of hacking tools and techniques and focusing resources into defences protecting the most valuable aspects of data, businesses can better position themselves to secure digital identities.

 

The post What can organisations learn about cybersecurity from the hacker’s playbook? first appeared on Cybersecurity Insiders.

The post What can organisations learn about cybersecurity from the hacker’s playbook? appeared first on Cybersecurity Insiders.

from Cybersecurity Insiders https://ift.tt/4fZ7CLz
via IFTTT

Palo Alto, California, April 16th, 2025, CyberNewsWire

SquareX researchers Jeswin Mathai and Audrey Adeline will be disclosing a new class of data exfiltration techniques at BSides San Francisco 2025. Titled “Data Splicing Attacks: Breaking Enterprise DLP from the Inside Out”, the talk will demonstrate multiple data splicing techniques that will allow attackers to exfiltrate any sensitive file or clipboard data, completely bypassing major Data Loss Protection (DLP) vendors listed by Gartner by exploiting architectural vulnerabilities in the browser. 

DLP is a core pillar of every enterprise security stack. Data breaches can result in severe consequences including IP loss, regulatory violations, fines, and severe reputational damage. With over 60% of corporate data being stored in the cloud, browsers have become the primary way for employees to create, access, and share data. Consequently, the browser has become a particularly attractive target for external attackers and insider threats alike. Yet, existing endpoint and cloud DLP solutions have limited telemetry and control over how employees interact with data on the browser. 

Additionally, there are several unique challenges when it comes to maintaining data lineage in the browser. This includes managing multiple personal and professional identities, the wide landscape of sanctioned and shadow SaaS apps, and the numerous pathways in which sensitive data can flow between these apps. Unlike managed devices where enterprises have full control over what can be installed on the device, employees can easily sign up for various SaaS services without the IT team’s knowledge or oversight. 

SquareX researcher Audrey Adeline says, “Data splicing attacks are a complete game changer for insider threats and attackers that are seeking to steal information from enterprises. They exploit newer browser features that were invented long after existing DLP solutions and thus the data exfiltrated using these techniques are completely uninspected, resulting in full bypasses. With today’s workforce heavily relying on SaaS apps and cloud storage services, any organization that uses the browser is vulnerable to data splicing attacks.”

As part of the talk, they will also be releasing an open-source toolkit, “Angry Magpie”, which will allow pentesters and red teams to test their existing DLP stack and better understand their organization’s vulnerability to Data Splicing Attacks. SquareX hopes that the research will highlight the severe threats that browsers pose on data loss and serve as a call to action for enterprises and vendors alike to re-think their data loss protection strategies. 

Upon the completion of BSides San Francisco, the SquareX team will also be presenting at RSAC 2025 and will be available at Booth S-2361, South Expo for further discussions on the research.

Talk Details:

Title: Data Splicing Attacks: Breaking Enterprise DLP from the Inside Out

Speakers: Jeswin Mathai and Audrey Adeline

Event: BSides San Francisco 2025

Location: San Francisco, CA

Toolkit Release: Angry Magpie (Open Source)

About the Speakers

Jeswin Mathai, Chief Architect, SquareX

Jeswin Mathai serves as the Chief Architect at SquareX, where he leads the design and implementation of the company’s infrastructure. A seasoned speaker and researcher, Jeswin has showcased his work at prestigious international stages such as DEF CON US, DEF CON China, RootCon, Blackhat Arsenal, Recon Village, and Demo Labs at DEFCON. He has also imparted his knowledge globally, training in-classroom sessions at Black Hat US, Asia, HITB, RootCon, and OWASP NZ Day. He is also the creator of popular open-source projects such as AWSGoat, AzureGoat, and PAToolkit.

Audrey Adeline, Researcher

Audrey currently leads the Year of Browser Bugs (YOBB) project at SquareX which has disclosed multiple major architectural browser vulnerabilities to date. She is also a published author of The Browser Security Field Manual. Key discoveries from YOBB include Polymorphic Extensions, Browser Ransomware and Browser Syncjacking, all of which have been covered by major publications such as Forbes, Bleeping Computer and Mashable. She is passionate about furthering cybersecurity education and has run multiple workshops with Stanford University and Women in Security and Privacy (WISP). Prior to SquareX, Audrey was a cybersecurity investor at Sequoia Capital and graduated from the University of Cambridge with a degree in Natural Sciences.

About SquareX

SquareX’s industry-first Browser Detection and Response (BDR) helps organizations detect, mitigate, and threat-hunt client-side web attacks targeting employees happening against their users in real-time. This includes defending against identity attacks, malicious extensions, spearphishing, browser data loss, and insider threats. 

SquareX takes a research and attack-focused approach to browser security. SquareX’s dedicated research team was the first to discover and disclose multiple pivotal attacks, including Last Mile Reassembly Attacks, Browser Syncjacking, Polymorphic Extensions, and Browser-Native Ransomware. As part of the Year of Browser Bugs (YOBB) project, SquareX commits to continue disclosing at least one major architectural browser vulnerability every month.  

Contact

Head of PR
Junice Liew
SquareX
junice@sqrx.com

The post SquareX to Uncover Data Splicing Attacks at BSides San Francisco, A Major DLP Flaw that Compromises Data Security of Millions first appeared on Cybersecurity Insiders.

The post SquareX to Uncover Data Splicing Attacks at BSides San Francisco, A Major DLP Flaw that Compromises Data Security of Millions appeared first on Cybersecurity Insiders.

from Cybersecurity Insiders https://ift.tt/BsjUD6E
via IFTTT

With the rise of worldwide data threats and attacks, data privacy acts are springing up across the globe. It may be relatively unknown, but India for one has established a data privacy regulation called the Digital Personal Data Protection (DPDP) Act, passed back in 2023. Established to protect digital personal data and regulate its processing, the DPDP Act aligns with global privacy laws like the EU’s General Data Protection Regulation (GDPR), which we are all familiar with, yet it has its own unique set of rules and requirements.

 It’s important to understand the key aspects of the DPDP Act and what you should do to stay compliant. In short, if your organization handles the personal data of residents in India, you need to be prepared.

What is the DPDP Act?

The DPDP Act is India’s own regulation to address concerns over data privacy and security. It applies to organizations that store, collect, or process digitized personal data of individuals in India, regardless of where the company is based. The law emphasizes clear guidelines on data processing, user consent, and penalties for non-compliance.

 Some of the key highlights of DPDP you need to know about include:

•  Data fiduciary responsibilities – Organizations handling personal data must implement robust security measures, restrict access based on need, and maintain data protection accountability. In some cases, they must also appoint a Data Protection Officer (DPO).
• Consent that is explicit – Before processing personal data, organizations must get clear, affirmative consent from individuals. Users must actively agree to data collection – pre-checked boxes or implied permissions won’t cut it.
• Access and erasure rights – Individuals have the right to know what data an organization holds about them. They can request updates, corrections, or deletion of their data – essentially giving them the power to have control over their personal information.
• Data transfer across borders – The Indian government has the authority to regulate the transfer of personal data outside of India to make sure that its residents’ data is not mishandled or exploited in countries with weaker privacy laws.
• Strict penalties – Non-compliance can result in hefty fines, reaching up to INR 250 crore ($30 million USD). For businesses failing to obtain proper consent, mishandling data, or violating data security protocols, it likely will also mean big financial and reputational damages.

Comparing India’s DPDP Act to the EU’s GDPR

It’s clear there are major similarities between the DPDP Act and GDPR, since they both emphasize data rights, consent, and security. But there are also differences which reflect regional approaches to data protection and the specific needs of each jurisdiction. Understanding these distinctions is important for organizations operating within multiple regulatory frameworks.

Some of these differences include:

• Scope of application – GDPR applies broadly to any organization handling EU citizens’ data, while DPDP is specific to Indian residents.
• Data localization – While GDPR allows free movement of data across the EU, DPDP instills restrictions on transferring sensitive personal data outside of India.
• Reporting of a breach – While DPDP’s reporting requirements are still evolving, GDPR establishes strict and specific breach notification timelines.

Why DPDP compliance matters

Pretending you don’t know the DPDP Act exists or ignoring it all together isn’t an option. With India’s skyrocketing digital economy, regulatory compliance is extremely important. Organizations that fail to comply will risk reputational damage, legal penalties, and the loss of consumer trust.

However, a well-structured data protection strategy can provide businesses with not only compliance, but a competitive advantage. By demonstrating a commitment to data privacy, they can build stronger relationships with customers and stakeholders. Proactive steps for compliance also minimize the risk of security breaches, ensuring long-term operational stability.

How technology can help

Navigating data privacy regulations can feel overwhelming. However, approaches such as AI-driven data security governance can help businesses maintain compliance by:

• Discovering and classifying structured and unstructured personal and sensitive data across cloud and on-premises repositories.
• Monitoring and autonomously remediating data access and sharing to detect risky permissions, overexposed data, and unauthorized sharing.
• Automating compliance monitoring to ensure your data practices align with the DPDP Act’s requirements.
• Obtaining real-time insights to mitigate risks and prevent data breaches and unauthorized access.

India’s DPDP Act is a major step toward stronger data privacy and protection. With the proper intelligent data security solutions and practices in place, you can stay ahead of compliance challenges and keep data protected.  

The post What to Know about Compliance with India’s Emerging Digital Personal Data Protection Act first appeared on Cybersecurity Insiders.

The post What to Know about Compliance with India’s Emerging Digital Personal Data Protection Act appeared first on Cybersecurity Insiders.

from Cybersecurity Insiders https://ift.tt/iB7P3Ww
via IFTTT

In an era where data drives strategy and personalized outreach is key to consumer engagement, marketing teams face mounting pressure to deliver results, especially in healthcare. However, when marketing initiatives intersect with protected health information (PHI), the stakes are significantly higher. HIPAA (Health Insurance Portability and Accountability Act) places strict limitations on how healthcare organizations collect, store, and share patient data. For cybersecurity professionals, ensuring compliance in this digital landscape means taking a proactive role in educating and guiding marketing departments. 

Understanding the HIPAA-Marketing Relationship 

HIPAA was enacted to protect sensitive patient information and to ensure privacy in healthcare transactions. While its relevance to clinicians and healthcare administrators is well-known, marketing teams often overlook their exposure to compliance risks, especially when campaigns target individuals based on health data or behavior. Whether through email campaigns, social media ads, or consumer lead lists, mishandling PHI can result in severe penalties, lawsuits, and long-term reputational damage. 

The challenge lies in the broad definition of PHI. Data points such as names, email addresses, medical conditions, appointment histories, and insurance information are all protected under HIPAA. Even indirect indicators — such as targeting people who downloaded a fertility app or visited a diabetes treatment page — can raise red flags if that data is not properly anonymized. 

Where Marketing Can Go Wrong 

One of the most common pitfalls involves using consumer lead lists that contain health-related information. Purchased or shared lists often lack clear data lineage or proper consent mechanisms. If a marketing team sends emails or digital ads to these contacts without verified HIPAA authorization, the organization could be found in violation even if the marketers were unaware of the regulations. 

Similarly, integrating PHI into customer relationship management (CRM) systems without proper encryption or access controls can create vulnerabilities. Misconfigured cloud storage, unsecured API integrations, and poor endpoint protection are other common weak spots. These missteps aren’t just technical flaws — they represent legal liabilities. 

Cybersecurity professionals must also watch for oversights during the handoff between departments. For example, a healthcare provider may collect patient feedback through a post-visit survey. If those responses are later used for testimonial marketing without HIPAA-compliant consent forms, the organization may unknowingly breach privacy regulations. 

Strategies for HIPAA-Compliant Marketing 

1. Implement Access Controls: Ensure that only authorized personnel — such as HIPAA-trained marketers or legal advisors — can access data tied to individuals’ health information. 
2. Audit Data Sources: Verify that all data used in campaigns is collected with proper consent and is HIPAA-compliant. This includes vetting third-party vendors and lead list providers for compliance documentation. 
3. Use Deidentified Data When Possible: HIPAA permits the use of deidentified data for marketing, provided that all 18 identifiers outlined by the law are removed. Work with data privacy experts to confirm deidentification standards are met. 
4. Secure Communication Channels: Any emails or digital communication involving PHI must be encrypted. Secure email platforms and SSL certificates are essential for any form of electronic outreach. 
5. Train Marketing Teams: Regular training sessions on HIPAA and digital marketing ethics can help nontechnical team members understand how to handle data responsibly. Awareness is often the first line of defense. 
6. Review Business Associate Agreements (BAAs): Ensure BAAs are in place with all marketing vendors who handle PHI. These agreements legally bind third parties to follow HIPAA rules. 

Cybersecurity’s Expanding Role 

For cybersecurity professionals, HIPAA compliance now extends beyond IT infrastructure. With the marketing department increasingly relying on data analytics and personalized targeting, cybersecurity must collaborate across departments. This includes helping select compliant martech tools, conducting risk assessments for marketing workflows, and establishing clear protocols for data segmentation and use. 

Additionally, incident response plans must now include potential marketing-related breaches. If an unauthorized ad campaign mistakenly reveals PHI, the fallout is both a privacy and PR crisis. Being prepared for such incidents is crucial. 

Prevention Over Penalties 

The digital transformation of healthcare marketing offers exciting opportunities but also introduces complex risks. For organizations navigating this evolving landscape, a unified approach between cybersecurity and marketing is essential. By identifying risks early and adopting HIPAA-compliant practices, cybersecurity professionals can play a pivotal role in preventing costly violations. 

Whether you’re working with consumer lead lists or developing targeted campaigns, remember: The goal is not just to market effectively — it’s to market ethically and legally. In the digital age, success is measured not only by clicks and conversions but by trust and compliance. 

__

Author bio: Richard Bufkin is President of TargetLeads a division of Senior Direct Inc., a direct mail marketing company. With over 20 years of experience, he focuses on lead generation and growing the business. 

The post Navigating HIPAA In The Digital Age: How Marketing Teams Can Avoid Costly Violations first appeared on Cybersecurity Insiders.

The post Navigating HIPAA In The Digital Age: How Marketing Teams Can Avoid Costly Violations appeared first on Cybersecurity Insiders.

from Cybersecurity Insiders https://ift.tt/lILXbW2
via IFTTT