Latest news with #CybersecurityAct


The Sun
a day ago
- Business
- The Sun
AI use sparks new security fears: Tenable
PETALING JAYA: Tenable, the exposure management company, revealed in its 2025 Cloud Security Risk Report released yesterday that cloud workloads supporting artificial intelligence (AI) initiatives are more vulnerable than traditional workloads. The report found that 70% of AI workloads across AWS, Azure and GCP contain at least one unremediated critical vulnerability, posing increased security risks for organisations in Singapore and Southeast Asia as AI adoption accelerates.

AI workloads, with their vast training datasets and model development processes, are an increasingly attractive target for threat actors. The study found that 77% of organisations using Google's Vertex AI Workbench had at least one notebook instance configured with an overprivileged default service account, which could allow privilege escalation and lateral movement across cloud environments.

These risks are increasingly top-of-mind for regulators across Southeast Asia. In Singapore, the Cybersecurity Act and the Monetary Authority of Singapore's (MAS) Technology Risk Management Guidelines mandate stringent cloud and AI security controls. Indonesia's PP 71 and Otoritas Jasa Keuangan (OJK) regulations require secure cloud usage and local data storage for financial institutions, while Malaysia's Risk Management in Technology (RMiT) framework sets out strict cloud risk practices for banks. Thailand's Personal Data Protection Act (PDPA) and Bank of Thailand (BOT) guidelines emphasise access controls and transparency, and the Philippines' Data Privacy Act and Bangko Sentral ng Pilipinas (BSP) regulations call for data classification, strong authentication and robust third-party governance. As these regulatory frameworks evolve, organisations must embed security early into AI development to ensure compliance and mitigate emerging cloud risks.

Tenable's research also shows broader progress in cloud risk management. Toxic cloud trilogies (workloads that are publicly exposed, critically vulnerable and highly privileged) fell to 29% of organisations surveyed, a nine-point improvement from 2024. Tenable's researchers attribute the decline to sharper risk-prioritisation practices and wider use of cloud-native security tooling, yet warn that even a single trilogy provides attackers with a fast lane to sensitive data.

Identity remains the foundation of a secure cloud environment. The report finds that 83% of AWS users have configured at least one identity provider (IdP), a best practice for securing human and service identities. Yet identity-based risks persist. Credential abuse remains the most common initial access vector, implicated in 22% of breaches, underscoring that strong multi-factor authentication (MFA) enforcement and least privilege principles are critical to meet regulatory expectations and protect sensitive data.

'Organisations have made real strides in tackling toxic cloud risks, but the growing adoption of AI workloads is introducing a fresh layer of complexity,' said Ari Eitan, director of Cloud Security Research at Tenable.


Euronews
24-06-2025
- Business
- Euronews
Industry calls to safeguard independence of EU cybersecurity agency
Telecom operators, trade unions and industry groups have called for the EU's cyber agency ENISA to steer away from political interference and remain independent, in response to a consultation on the European Commission's review of existing cybersecurity rules. In May, the Commission began gathering feedback on a revision to the bloc's 2019 Cybersecurity Act (CSA), which is being revamped in line with efforts to simplify existing rules.

The proposal aimed to give the Athens-based ENISA a bigger mandate, including over the drafting of cybersecurity certification schemes, through which companies can demonstrate that their ICT solutions include the right level of cybersecurity protection for the EU market. Since 2019, the Commission has requested three of these voluntary certification schemes, on baseline ICT products, 5G and cloud services, of which only the first has been adopted so far. The certification for cloud services (EUCS) turned into a political battle over sovereignty requirements. France has led resistance and wants to be sure that it can continue to use its own scheme – SecNum Cloud – after the adoption of EUCS.

Tech industry association CCIA said ENISA's role in the certification scheme development 'should be explicitly grounded in technical independence, allowing it to make non-political decisions that reflect industry realities and cybersecurity best practices.' This was echoed by US tech company Amazon, which said that the voluntary certification frameworks should be 'based purely on technical criteria'. 'We strongly believe that introducing non-technical factors could undermine the framework's effectiveness and create unnecessary barriers to innovation,' it added. Global consumer electronics company Lenovo also warned against introducing non-technical criteria 'such as vendor nationality, ownership, or headquarters location—in cybersecurity risk assessments or certification schemes.' 'These measures risk undermining EU principles of non-discrimination, market access, fair competition, and proportionality, while offering little benefit to actual cybersecurity outcomes,' it said.

There have been calls and plans from the Commission to increase the bloc's independence from suppliers outside the EU. In the upcoming Cloud and AI Development Act, for example, the Commission plans to strengthen the EU's position in the industry. In the European Parliament, lawmakers are also calling for measures to boost technological sovereignty and guarantee the bloc's independence and security by protecting its strategic infrastructure and reducing dependence on non-European technology providers.

ENISA mandate

The Commission began seeking feedback from industry and national governments on the functioning and scope of work of ENISA last year, as previously reported, in a bid to modify the agency's mandate and financial support. Participants in the consultation appear to support increasing its funding. For example, Eco, a German association for the internet industry, said that the agency hadn't grown in terms of staff despite its expanded remit. 'Given the current geopolitical security challenges and the scale of global cyber threats, its financial resources remain limited compared to other EU bodies. [...] It is important to boost ENISA's role as the independent expert on European Cybersecurity. In order to operate independently and attract necessary resources, staff, and experts to the benefit of its mandate, ENISA has to leverage its public standing among the global community,' the contribution said.

Henna Virkkunen, the EU Commissioner for technology, said earlier this year that she will carry out a so-called Digital Fitness Check (expected before the end of 2025) which will assess whether all existing tech rules are burdensome to companies, and identify areas for simplification. The CSA is expected to be part of that.


Euronews
11-04-2025
- Business
- Euronews
EU Commission starts consultation on revision of cybersecurity rules
The European Commission on Friday started gathering input to help revise the bloc's cyber rules, which date back to 2019, in line with efforts to simplify existing rules. The review of the Cybersecurity Act (CSA) will focus on the mandate of the EU's cyber agency ENISA, as well as the European Cybersecurity Certification Framework, and on addressing ICT supply chain security challenges, the Commission's statement said. Euronews reported last year that the Commission had already begun seeking feedback from industry and national governments on the functioning and scope of work of ENISA, in a bid to potentially modify the agency's mandate and financial support.

The CSA gave ENISA – which has some 100 staff members – a mandate to oversee the implementation of EU-wide cybersecurity rules. But one of its tasks, drafting a voluntary cybersecurity certification for cloud services (EUCS), has not advanced significantly since 2019. The EUCS is intended to be used by companies to demonstrate that certified ICT solutions have the right level of cybersecurity protection for the EU market, but it turned into a political battle over sovereignty requirements. There have been calls to make the system mandatory under the new CSA.

Henna Virkkunen, the EU Commissioner for technology, said that she will carry out a so-called Digital Fitness Check this year which will assess whether all existing tech rules are burdensome to companies, and identify areas for simplification. The consultation comes weeks after Virkkunen said that she wants member states to adopt 5G security rules to protect networks from cyber threats and risks. In 2020, member states agreed to apply restrictions to suppliers considered to be high risk – such as China's Huawei and ZTE – including necessary exclusions, following security concerns, but only a limited number of countries have taken concrete steps to ban the companies.

Interested parties, including member state competent authorities, cybersecurity authorities, industry and trade associations, can give feedback to the consultation until 20 June.