- PH on High Alert: Critical Cisco Zero-Day Exploited by State-Sponsored Group
On Thursday, September 25, cybersecurity defenders worldwide went on high alert after the public disclosure of a high-profile, actively exploited zero-day attack on critical network devices, Cisco Adaptive Security Appliances (ASA) and Firepower Threat Defense (FTD). The attack enables deep and persistent compromise and prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an Emergency Directive as an urgent warning to organizations across the globe, including the Philippines. Security researchers and Cisco itself confirmed that a sophisticated state-sponsored advanced persistent threat (APT) group known as UAT4356, associated with the notorious ArcaneDoor campaign, was actively exploiting two critical vulnerabilities: CVE-2025-20333 and CVE-2025-20362. Chained together, these zero-days yield unauthenticated remote code execution, giving attackers complete control of the firewall. Most significantly, the threat actors demonstrated that they could modify the device's read-only memory (ROM), so that the malicious implant survives both reboots and software upgrades. The scale of the threat, and especially this persistence, has pushed network defenders into crisis response mode. Palo Alto Networks Unit 42 analyzed the attacks and underscored the severity of the situation: an adversary able to alter ROM in order to evade the vendor's software updates is several steps ahead of defenders. With exposed devices spread around the world, every organization should make a forensic sweep a priority to determine whether it is affected.

Because the threat demands urgent and mandatory action from international agencies, the Philippine Department of Information and Communications Technology (DICT) and the Cybercrime Investigation and Coordinating Center (CICC) are enjoining all domestic enterprises, particularly in the banking, government, and telecommunications sectors, to audit their Cisco infrastructure immediately. The CISA directive, which should be treated as a pressing international standard, requires all affected parties to: (1) carry out a forensic investigation, collecting memory data (core files) and checking it for indicators of compromise; (2) install security patches on devices as soon as they are available; and (3) permanently disconnect all end-of-support (EoS) devices, which lack the secure boot protections required to mitigate the ROM-level attack. Local CISOs should work with partners such as the Philippine National Police Anti-Cybercrime Group (PNP-ACG) to meet these stringent requirements, because the targeted devices are the network gateways to the country's most sensitive digital assets.
- Surviving the New Cyber Security and Resilience Bill in the UK: A Business Guide
In a digital-first world, a cyberattack on a single company can bring down an entire supply chain or a vital national service. The UK government recognizes how closely these risks are linked, which is why it has introduced the new Cyber Security and Resilience Bill. The bill aims to transform the nation's cyber defence and close loopholes in the current laws. It is not merely a new law but a new paradigm for how companies must handle their digital safety. This guide sets out the main actions your organization can take to prepare for the coming changes and to become compliant.

A Framework for Compliance: The Resilience Bill

Evaluate Your Present Position. Before you can meet new regulations, you must understand where your organization stands. This requires a comprehensive audit of your current cybersecurity state: compare your existing security measures, incident response strategies, and data protection policies against the new, more stringent bill. The evaluation will show where you are weak and let you build a proper roadmap toward the new legal requirements, making your preparation more focused and efficient.

Grasping the Enlarged Scope. The biggest change in the new bill is its applicability. Before you start, establish whether your organization, or any part of your service, falls under the new regulatory umbrella. The bill is broadened to cover Managed Service Providers (MSPs) and data centers, as they are important pillars of the digital economy. If you are an MSP or a data center, or if you depend heavily on such providers, you should recognize that you are now directly regulated and liable to meet the bill's requirements.

Enhance Your Supply Chain Defences. The bill creates a new classification of Designated Critical Suppliers. This means that even a small business may be regulated if its services are needed by a larger, critical service provider. Collaborate with your supply chain partners to ensure their security practices are satisfactory. The bill stresses that no organization can be stronger than the weakest link in its chain, so supply chain vigilance remains the first priority for all involved.

Prepare for More Reporting and Enforcement. The new act will also bring greater regulatory authority. It introduces a two-step incident reporting process that requires prompt notification when a cyber breach occurs, followed by a comprehensive report shortly afterwards. To prepare, update your incident response plan to cover these new reporting timelines. Regulators will also be able to impose heavy fines for non-compliance, so this should be treated as a serious legal business matter. Proactive preparation is the only thing that protects you from both cyber threats and financial penalties.
- Philippine Government Websites Attacked Amid Protests
On Sunday, September 21, a wave of coordinated cyberattacks hit various government websites in the Philippines as protesters held nationwide rallies against corruption in government-funded flood control projects. Although the attacks caused some disruption and defaced certain sites, officials assured the public that no sensitive data was stolen and that the affected sites were restored quickly. The Department of Information and Communications Technology (DICT) and the Cybercrime Investigation and Coordinating Center (CICC) said that several attempts had been made to intrude into and compromise national and local government websites. Seven national government websites, including those of the Department of Budget and Management, the Department of Public Works and Highways, and the Department of Foreign Affairs, were breached successfully and restored within a minute. DICT Secretary Henry Aguda attributed the fast recovery to the cybersecurity preparedness the nation had built up to host the ASEAN Summit. He said that although numerous attempts were made to hack the sites, only a tiny percentage succeeded: "Given the number of our digital materials, we did not really feel any significant concerns." CICC Undersecretary Renato Paraiso said at a press conference that they are working with the Philippine National Police through the Anti-Cybercrime Group (PNP-ACG), applying facial recognition technology to identify the culprits from footage of the related protest at Mendiola, Manila. The attacks were also suspected to be linked to the demonstrations over allegations that 20 percent of the PHP545-billion budget allocated to flood control projects went to only 15 contractors.
- A Guide on How to Navigate Data Privacy Lawsuits: The Shopify Case Study
Have you ever had the weird experience of logging in somewhere and then, for the next few days, seeing ads for the same product everywhere you go on the internet? It's a bit unsettling, right? That is how things are now that our lives are becoming ever more digital. But the question we ought to ask is: what happens when this sensation is no longer a nuisance but a legal question? That is what we have in a major case against one of the biggest players in the e-commerce sector, Shopify. This is not a dry legal case; it is a story that illustrates the new rules of the road where privacy on the internet is concerned. This case and its implications for each and every one of us deserve a closer look.

The Heart of the Matter: The Story Behind the Shopify Case

What Was the Big Deal? It all began with a simple claim. A customer who had visited an online store built on the Shopify platform alleged that Shopify had installed small pieces of software on his computer without his knowledge, in effect digital spies. These tools, it was alleged, were being used to track his online activity in order to build a full profile of him and sell the information to other businesses. The core issue? No one had ever obtained his permission for any of this. It raises a big question: who is really watching us as we browse the internet?

The Court's Surprise Twist. When the lawsuit was first filed, Shopify's legal team essentially responded, "We are a Canadian company; this is not the business of a court in California." The court initially agreed. But the plaintiff did not give up. He challenged the decision, and that is where it got really interesting. A higher U.S. court reversed the ruling entirely, holding that because information on the Shopify platform is gathered on individuals residing in California, the company has enough connection to the state to be held liable there. This was a complete game changer, and it is what has the whole tech industry talking.

Why This Matters to Everyone. This ruling is significant because it extends a long-standing legal concept into the digital realm. A company does not need a physical office or a single employee in a state to be sued there. It may be enough that its software collects information about one of the state's residents. It is now much easier to challenge global companies over their data practices regardless of where the business is located, closing a digital loophole that businesses have used for years.

What We Can All Learn Here. The Shopify case is not an isolated lawsuit but a powerful wake-up call. For businesses, the lesson is simple: you cannot cross your fingers and hope your data practices hold up. The case underlines the need for clear, transparent and fair data policies that anyone can readily understand. It is also an eye-opener for all internet users: they should no longer assume their privacy is a given. It is an ongoing conversation that requires users to be aware and businesses to be accountable.
- Your Salesforce is a New Target: The FBI Just Issued a Major Warning
Have you ever wondered how many applications are connected to your work? The bad guys certainly have. The FBI has just issued a major warning advising firms to watch a new and lucrative target: their Salesforce systems. This is not about some elaborate hack of Salesforce itself. The intruders are getting cunning, and they have found two main ways in.

First, there is a group tracked as UNC6040. Their trick is old-school: they simply call you. Posing as IT support, they explain that you need to install a special version of Salesforce Data Loader to fix an issue. Sounds official, right? But it's a scam. Once it is installed, they have a golden ticket straight into your account and all your company's data. It is the old phishing scam, this time over the phone.

The second group, UNC6395, is slightly more tech-savvy. They target the applications you have connected to your Salesforce: think of all those sales, marketing and support integrations. They have found ways to steal the special keys (OAuth tokens) of these third-party applications, such as the Salesloft Drift chatbot. With those keys they can walk freely into your firm's Salesforce, take customer lists, sales figures or any other data, and hold it for ransom.

This is a big development because it shows how the bad guys are changing their game. They no longer simply try to break down the front door; they look for unlocked side doors and back windows. The FBI says this is a wake-up call for all businesses to take a hard look at their cloud security.

So, what can you do? Distrust anyone who calls you out of the blue claiming to be IT. If they ask you to install something, hang up and call them back on the company number. Review your Salesforce app integrations and remove the ones you are not actively using; fewer connected apps mean fewer entry points for attackers. Talk with your IT team about strengthening how you log in, because the old username, password and text code is no longer sufficient. Lastly, your IT team should be closely monitoring your Salesforce activity: unusual data downloads or logins from an unexpected location can be a strong alarm. The point is that your company's data is a prime target. It is no longer all about firewalls; it is about being clever and attentive with all the applications you use every day.
- Navigating the Evolving Landscape of U.S. State Privacy Laws
Consumer data privacy legislation is booming at the state level in the United States. In the absence of a broad federal standard, this expanding patchwork of laws is transforming how businesses collect, use and manage personal information. A number of new laws take effect in 2025 and beyond, building on the principles laid down by earlier laws in states such as California, Virginia, and Colorado. One feature common to all of these regulations is the strengthening of consumer rights: the right to access information about what a company collects, the right to correct inaccurate information, and the right to request deletion of personal information. Consumers are also gaining new rights to opt out of data sales, targeted advertising and automated decision-making.

A Privacy-First Framework in State Laws

Expanded Scope. The Delaware Personal Data Privacy Act (DPDPA) extends its reach by imposing its requirements on non-profit organizations, a feature uncommon in several other state laws.

Small Business Inclusion. The Nebraska Data Privacy Act (NDPA) stands out because small businesses are not exempted on the basis of revenue or consumer numbers. This means that even tiny firms and start-ups have to meet the same strict requirements as larger companies.

Global Privacy Control (GPC). Under the New Hampshire Privacy Act (NHPA), businesses must honor the Global Privacy Control browser signal. This gives consumers the power to automatically opt out of some types of data processing, such as targeted advertising, without filing requests manually.

Protecting Children's Data. The emphasis on protecting minors is growing. Delaware's DPDPA and similar laws impose additional obligations on the processing of children's data, including the need for opt-in consent for targeted advertising to children under 18.

The Compliance Imperative. This changing regulatory landscape makes a proactive compliance strategy a necessity. Businesses must now maintain clear and comprehensive privacy statements, carry out routine data protection assessments, and introduce mechanisms to handle a growing number of consumer rights requests. As more states implement their own laws, businesses face a strategic choice: adopt a comprehensive, high-standard privacy framework that satisfies every jurisdiction, or take a localized state-by-state approach to compliance. Either strategy requires a commitment to transparency and consumer trust by giving people meaningful control over their personal information.
- Roblox Faces New Lawsuit and Regulatory Scrutiny Over Child Safety
The increasingly popular online gaming platform Roblox is under mounting legal and regulatory scrutiny as more lawsuits emerge accusing it of failing to take appropriate action to protect child users from predators. The most recent move comes from Louisiana Attorney General Liz Murrill, who filed a suit against the company alleging that the platform enables predators to flourish, meet and prey on children. This suit is part of a surge of legal actions against Roblox, with civil sexual abuse cases brought in states such as California, Florida, and Texas. The complaints allege that Roblox does not verify users' ages, that adults can easily pose as kids, and that predators can use the virtual currency, Robux, to exploit underage users. In one case, a predator allegedly used Robux to groom a 10-year-old girl into sending explicit photos. Adding to the legal pressure, YouTuber and lawyer Law By Mike announced in a video titled We're Suing Roblox that he is collaborating with the legal team of a content creator named Schlep to sue the company. The video cites the arrests of dozens of people since 2018 on allegations that they used Roblox to target children. It also alleges that Roblox's moderation policies are dangerously weak and that the company has turned a blind eye to predatory use of its platform, despite the company itself officially reporting over 13,000 such cases. In response to the growing controversy, Roblox has moved to improve its safety protocols. Early in September, the company launched a new age estimation feature that uses machine learning to group users by age. This feature, together with new direct messaging controls, is part of Roblox's effort to address the safety issue and make the platform a safer place for its younger audience. Despite these efforts, critics argue that Roblox's actions are not enough and that the company put growth and profit ahead of the safety of its most vulnerable users for far too long. The court cases and public outcry illustrate the ongoing debate over what role a tech corporation has in protecting children online. The outcomes of these suits are expected to set historic precedents for how online platforms will be held responsible for keeping children safe in the future.
- Striking the Right Balance Between AI Development and User Privacy: The Apple Way
As artificial intelligence becomes part of everyday life, one of the biggest questions has come into focus: how can society live with the growing capability of AI without infringing on the privacy of those who use it? Most technology companies build their business models around amassing colossal volumes of user information, whereas Apple has chosen its own way, developing a distinctive model that tries to balance strong AI with an obsessive focus on user privacy. This report outlines the privacy-first strategy behind Apple's AI work and the key principles and technologies that protect user data.

A User-Privacy-First Framework

The Foundational Principle. One of the key principles Apple relies on is that privacy is a human right. Instead of training its AI models on users' personal data, the company has chosen another path, in which the AI is brought to the user's information rather than the other way round. This principle shapes all of its AI so that user information is not disclosed to third parties and can be considered safe.

On-Device Processing. The foundation of Apple's AI strategy is on-device processing. Many AI features, such as facial recognition in Face ID and smart photo organization, run entirely on the user's device. This is the most privacy-protective option because personal data never passes into another party's control and is not collected by Apple. It allows the AI to learn a user's personal context without gathering and storing his or her information.

Private Cloud Compute. For more demanding tasks that a device lacks the computational power to execute, Apple uses a more sophisticated technology called Private Cloud Compute (PCC). On each request, the device assesses whether it can perform the work itself; if not, it sends only the data necessary for the task to an Apple silicon-based server. These servers process requests statelessly: user information is passed through to handle a specific request and then permanently discarded, never recorded and never made available to Apple employees.

Openness and Verification. To win users' trust, Apple has committed to making its systems transparent and verifiable. The company publishes each PCC build as a full software image, which lets security researchers outside the company examine the code and check Apple's privacy claims. A user's device will only communicate with a server whose software has been publicly logged and verified.

The User-Centric Approach. Even Apple's partnerships with third parties, such as the use of ChatGPT, rely on this privacy-first model. Users are explicitly asked to authorize any transmission of information to a third-party service before it is sent. By placing the user at the heart of the AI experience, Apple is defining a new paradigm for how AI can be built around individual control and transparency.
- New Cybersecurity Framework in India to Ease Burden on Smaller Firms
To ease compliance pressure on smaller market intermediaries, the Securities and Exchange Board of India (SEBI) has unveiled a redesigned and simplified Cybersecurity and Cyber Resilience Framework (CSCRF). It is a major step toward securing the Indian financial markets and aligning them with international standards. The new framework introduces graded compliance norms that provide exemptions and lighter compliance conditions for smaller participants. Portfolio managers, for example, are exempted at an Assets Under Management (AUM) threshold of 3,000 crore, sparing them the cost of meeting the new rules, which can be very expensive and technically demanding. Although the new framework has been widely welcomed by stakeholders as a way of enhancing security in the marketplace, smaller companies have been noted to still face many problems. Large organizations can readily absorb compliance costs, and commentators such as Deloitte and KPMG point out that this does not mean smaller stakeholders can always manage them, which is why compliance is not always easy for them. The framework also holds top-level management directly accountable for cyber governance and places the liability for third-party risks on the regulated entities. This signals the adverse consequences of non-compliance, which can also result in expensive litigation and negative publicity. As specialists note, its real success will be defined by effective implementation and enforcement, and above all by whether small firms can adopt it cost-effectively so as to build genuine resilience across the entire market.
- Cybersecurity Employee Training: A Framework for the Workplace
As digital transformation accelerates, cybersecurity has emerged as one of the most pressing problems for businesses, governments, and individuals. Human error is among the worst weaknesses, so appropriate employee training is a key component of any strong security posture. This blog sets out an agenda for designing and implementing a successful cybersecurity training program.

Key Components of a Strong Cybersecurity Training Program

Carry Out a Needs Assessment. Before creating a program, you need to understand the risks specific to your organization. Analyze common threats, past incidents, and roles within the company. Tailoring the training to the real needs and weaknesses of your employees makes it more relevant and productive.

Develop an Inclusive Curriculum. The curriculum should cover the essential topics: how to detect phishing attacks, the risks posed by Ransomware-as-a-Service (RaaS), and how to behave safely online. It should also address the importance of strong passwords and the security of cloud and hybrid environments, since misconfigurations there can be a priority vulnerability.

Use Engaging and Accessible Formats. Do not rely on long, text-heavy documents as the only way to keep employees engaged; diversify the formats. These can include interactive modules, short videos and simulated phishing tests. Making the training easy to access and easy to understand encourages participation and improves retention.

Take a Gradual and Progressive Approach. Cybersecurity threats never rest, and they keep evolving with advances in artificial intelligence, so training cannot be a one-day event. Roll out the program gradually and give employees regular, periodic refresher courses so that they stay current on the latest threats, such as AI-based attacks and the rise of RaaS.

Measure, Monitor, and Reinforce. To evaluate your training, track metrics such as phishing click rates or security breaches. Use these lessons to refine your curriculum and provide concrete, immediate feedback. Gamifying the lessons or offering some form of rewards can also reinforce positive security behaviors.