Articles

News about Security

<hr /> <a target="_blank" rel="noopener noreferrer" href="https://en.wikipedia.org/wiki/Tilly_Norwood">Tilly Norwood</a> is having a “meteoric” start to her career. In a matter of days, she’s gone from obscure to sensational, pursued by Hollywood talent agencies as the next big star. She’s appeared in a wide array of social media sketches and promotional content, and even a short film. Once, while appearing on The Graham Norton Show, she broke down in tears during an emotional moment.“Three seasons and a podcast,” she said during a stint on a red carpet, somewhere. Three seasons of what, we don’t know. What we do know is that her Instagram and TikTok are blowing up. Of course, there’s one little snag: Tilly isn’t real. Or… is she? <figure class="media"><div data-oembed-url="https://www.youtube.com/watch?v=ZRzZL2f4Llw"><div style="position:relative;padding-bottom:100%;height:0;padding-bottom:56.2493%"><iframe src="https://www.youtube.com/embed/ZRzZL2f4Llw" style="position:absolute;width:100%;height:100%;top:0;left:0" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe></div></div></figure> The story of Tilly Norwood – a completely fabricated AI creation from Xicoia, the AI division of the production company <a target="_blank" rel="noopener noreferrer" href="https://www.particle6.com/">Particle6 Group</a> – has drawn widespread backlash across the entertainment landscape. With actresses like Emily Blunt calling the faux-actress “really, really scary,” Tilly’s emergence has had a chilling effect on actors and content creators who see it as a threat to authentic human connection and job security.   Ironically, Hollywood has been prognosticating this. Movies like <a target="_blank" rel="noopener noreferrer" href="https://en.wikipedia.org/wiki/Her_(2013_film)">Her</a>, the trippy dystopian flick <a target="_blank" rel="noopener noreferrer" href="https://en.wikipedia.org/wiki/The_Congress_(2013_film)">The Congress</a>, and a sci-fi sleeper with Al Pacino called <a target="_blank" rel="noopener noreferrer" href="https://en.wikipedia.org/wiki/Simone_(2002_film)">SIMONE</a> – from way back in 2002 – offered satirical narratives and cautionary tales of what might happen if AI clones and avatars became convincing enough to replace us in media.Well, that day has arrived. And it’s not just Hollywood wrestling with these challenges. Businesses are investing in tools that enable realistic human avatars to create training videos, webinars, and other materials that are completely AI-generated. How good are they? Check out products like <a target="_blank" rel="noopener noreferrer" href="https://www.synthesia.io/">Synthesia</a>, and you'll see they're getting eerily close to the real thing.  But there’s another sinister plot twist in all of this. As voice and image cloning technologies have bridged the uncanny valley between reality and fantasy, a phenomenon called “romance scams” has become more commonplace. In an effort to bolster awareness and fight back against this blight, today, October 3rd, has been adopted as <a target="_blank" rel="noopener noreferrer" href="https://protectingheartsday.com/">“World Romance Scam Prevention Day.”</a>Yes, it's a real thing. But why am I writing about this? Arguably, it falls into the domain of digital experiences and AI. But more importantly, it’s personal. No, I haven’t been “Tinder Swindled” (I’ve been married for 28 years, so the whole mysticism of “swiping right” is completely alien to me). But my aging parents and in-laws have been the target of numerous scams and phishing attacks, and this is perhaps one of the most nefarious types of criminal enterprises – because it preys on our emotions.Whether any kind of digital malfeasance or social engineering has directly befallen you or your family, we have a duty to assist our most vulnerable populations in combating this phenomenon. But one of the biggest problems with romance scams is a lack of effective detection tools. And when it does happen, victims often feel too ashamed to speak out.As AI becomes more robust – and characters with the convincing realism of Tilly Norwood become the norm – this problem is expected to become even worse. Cybersecurity experts stress that publicity, education, and caution are really the only ways to protect internet users.<h3 id="the-heartbreaking-costs-of-romance-scams">The heartbreaking costs of romance scams</h3>At the center of this is a growing epidemic of loneliness in our society. <a target="_blank" rel="noopener noreferrer" href="https://ihpi.umich.edu/national-poll-healthy-aging/reports-and-resources/trends-loneliness-among-older-adults-2018-2023">According to data</a> from the University of Michigan, well over one-third of people between the ages of 50 and 80 report feeling isolated or lacking in companionship. The problem is a bit of an enigma, and one that channels like social media tend to both heal and exacerbate. This phenomenon is creating an opportunity for romance scam predators. According to<a target="_blank" rel="noopener noreferrer" href="https://u7061146.ct.sendgrid.net/ls/click?upn=u001.gqh-2BaxUzlo7XKIuSly0rC6QkY-2B-2B89U8pvhm5Jz-2Fz69xcpZc08ec-2FPuWOzL5i5kZirlGKhJp1i5zR5d0cHY2DBiN-2BdYl5Wy-2FICrz6-2BaeInbA-3DlhvL_LYRc62DeCgOg3NLqF-2FA1Nkc-2BB6iSCezTSr7cATVeIt7vbFxqkjj807TkbpGOsHdtP-2FHWYQ8hHG-2Bh0tJIgFVOZKYjgZ1NmctFnL6YEY4pGF8o-2F6ojRynMcklKajsMhnZp87tbcv-2BQ5M2UgGAGvgT9seoHj3BAVvSJUt6Rk-2FfquSbPJiy9DvJBaQNJXHswjXDQYg1V6iXFgkVHTrf03u0YjGkgg1OYtsbQMYJbRoj9xXUgUb4rYi9kfZQCp1tU4myWGOOEx9M4DbGH1pvWXS5gDHXL18WD7XX9Uev2q6rYPuvXg92AxWnNGeCsMmFzg0TURNlFgE2zNo3A1Zdu6HxASw-3D-3D"> </a><a target="_blank" rel="noopener noreferrer" href="https://u7061146.ct.sendgrid.net/ls/click?upn=u001.gqh-2BaxUzlo7XKIuSly0rC6QkY-2B-2B89U8pvhm5Jz-2Fz69xcpZc08ec-2FPuWOzL5i5kZirlGKhJp1i5zR5d0cHY2DBiN-2BdYl5Wy-2FICrz6-2BaeInbA-3DH5p8_LYRc62DeCgOg3NLqF-2FA1Nkc-2BB6iSCezTSr7cATVeIt7vbFxqkjj807TkbpGOsHdtP-2FHWYQ8hHG-2Bh0tJIgFVOZKYjgZ1NmctFnL6YEY4pGF8o-2F6ojRynMcklKajsMhnZp87tbcv-2BQ5M2UgGAGvgT9seoHj3BAVvSJUt6Rk-2FfquSbPJiy9DvJBaQNJXHswjXDQ4oom7O2EH3G4gzU029Mh3aY85uVpd0N6B3w9amiJ-2Fs4wRWDGf8vaEZKmD1f7DRP2HDe3v1Fn3tCpskHuJTb-2Fn-2B5-2F0AvVBUopQEJhc-2FGyZuwgcU8lvBbXHMjR5tizPfNkvRSbpvCAyvN3pmKBPM-2F7wQ-3D-3D">Low Cost Detectives</a>, in the United States alone, romance scams have increased from $547 million in 2021 to over $1.3 billion in 2024, with victims losing an average of $15,000. It's not just an emotional tragedy – it's a financial one.“While old-fashioned malware does not choose its victims, a variety of studies show that this new generation of scams targets the most vulnerable internet users: lonely people and those less aware of the dangers of modern online life,” said <a target="_blank" rel="noopener noreferrer" href="https://www.linkedin.com/in/tomas-sinicki-312b8a10/">Tomas Sinicki,</a> managing director at <a target="_blank" rel="noopener noreferrer" href="https://nordprotect.com/">NordProtect,</a> a leading identity theft protection service. “This puts romance scams among the fastest-growing scam categories.” What makes romance scams particularly effective is that they exploit deep human needs and vulnerabilities while relying on very specific strategies. According to NordProtect, criminals often pose as people in respectable positions (think soldiers or doctors), and rarely ask for money right away. Instead, they take time to build trust and emotional dependency, playing on loneliness, hope, and the desire for companionship. They might even send small gifts or tokens of affection before asking for larger favors.AI has made this deception much easier to produce and maintain. Scammers can now create trusted, hyper-realistic characters with voice-cloning and video deepfakes, allowing them to scale their operations and maintain multiple long-term conversations at once without burning out. In other words, they can keep at it, nurturing trust and ultimately penetrating the emotional bubble. As Sinicki explained, romance scam victims feel ashamed, but scams exploit emotions – not intelligence. That means anyone can fall for them.“Since we lack reliable tools to detect AI-generated content, education and caution are essential. But above all, having reliable online fraud insurance that includes romance scam coverage as well as other forms of fraud is an essential precaution.”<h3 id="how-to-increase-safety-from-ai-driven-romance-scams">How to increase safety from AI-driven romance scams</h3>As part of “World Romance Scam Prevention Day,” NordProtect has a few tips on how to avoid romance scams and protect your family – and even yourself – online:<ul><li>Be skeptical but respectful: Stay cautious without ruining the relationship by maintaining your own doubt. If your chat friend takes offense, explain why you’re being careful. A genuine person will understand, while a scammer will likely react with anger.</li><li>Ask someone you trust for a second opinion: Before investing emotionally, consult a friend or family member. They may spot red flags you’ve missed. This is a tough one, but more urgent given the sophistication of scams.</li><li>Stay alert, even if you made first contact: Initiating the conversation doesn’t make you immune. Scammers can still manipulate you. In fact, that might be part of their play. </li><li>Examine videos closely. AI-generated videos still have their flaws, although the “uncanny valley” effect is beginning to dissipate. But if you look closely, you can still spot the signs: unnatural facial movements or blinking, strange expressions, blurry edges around the face, mismatched skin tones, and inconsistencies with teeth or fingers. Watch everything carefully, consider the source, and always assume it might not be real.</li><li>Use security tools and consider identity theft protection services: While technology alone cannot stop social engineering, trusted solutions (like NordProtect) offer comprehensive support for victims of romance scams and other types of online fraud.</li></ul><h3 id="there's-still-a-lot-to-love-with-ai">There's still a lot to love with AI</h3>Tilly Norwood isn't heading back into the genie's bottle. Unless it's a reboot of I Dream of Genie.There's a lot to address when it comes to the safety and security of the internet. It's a slippery slope, and the ledge is always getting tighter. AI is complicating our footing in unfathomable ways, and we're going to fall. The goal is to avoid the worst impacts, but when it happens, learn from the pain – and work to prevent it in the future. A lot of that comes down to practical, non-digital strategies that rely on our vigilance. When it comes to protecting your family, model skeptical behavior. Have open conversations with both your kids and, if you’re like me, your aging parents. Be honest about the risks; it’s in their nature to trust people of authority, so encourage them to ask for proof or credentials when engaging in a digital chat or conversation. With broader attacks that leverage AI-generated personas – which could be mimicking you or your family members – adopt a code word that you can use to confirm your identity. These avatars are becoming incredibly sophisticated, and it's only a matter of time before they get a call that is convincingly like you. Add on a layer of dementia or other intellectual disability, and it can multiply the potential for problems. AI has a great propensity to improve our world. But like any technology, the bad actors will pervert it into something that can be financially and even emotionally devastating. The best we can do is remain strong – and give those Tinder Swindlers the cold shoulder.  <hr /><h3 id="upcoming-events">Upcoming Events</h3> <img style="width:31.61%" src="https://cmscritic.com/ms-content/uploads/2025/08/storyblok-joyconf-2025-logo.jpg" /><h4 id="storyblok-joyconf-2025"><a target="_blank" rel="noopener noreferrer" href="https://joyconf.storyblok.com/">Storyblok JoyConf 2025</a></h4>October 14-15, 2025 – Amsterdam, Netherlands November 4, 2025 – New York, NY November 6, 2025 – Los Angeles, CAJoin us at JoyConf 2025, where the future of content meets the people shaping it. Built for developers, marketers, and digital innovators, this free conference goes way beyond product updates or yet another strategy playbook. It’s where you’ll get inspired, get real, and get connected – to ideas, to the community, and to what’s possible when you build joyfully. Whether you're building lightning-fast frontends or launching cross-channel campaigns, this is where content becomes connection and collaboration becomes second nature. Come for the talks. Stay for the community. Leave with joy. <a target="_blank" rel="noopener noreferrer" href="https://joyconf.storyblok.com/">Save your spot.</a> <img style="width:28.9%" src="https://cmscritic.com/ms-content/uploads/2025/08/sitecore-symposium-2025.jpg" /><h4 id="sitecore-symposium-2025"><a target="_blank" rel="noopener noreferrer" href="https://symposium.sitecore.com/">Sitecore Symposium 2025</a></h4>November 3-5, 2025 – Orlando, FLAt Sitecore Symposium, you’ll learn how to meet your customers where they are – across channels, moments, and touchpoints that didn’t exist a year ago. You’ll hear how the boldest brands in the world are transforming content into outcomes and creating experiences that are fast, relevant, and human. Join 1,500 marketers, digital leaders, and technologists in Orlando to see what’s possible when personalization scales, AI accelerates creativity, and trust becomes your competitive edge. This is the Third Wave of the Internet. And this is your moment to lead in it. <a target="_blank" rel="noopener noreferrer" href="https://symposium.sitecore.com/">Get your tickets today.</a> <img style="width:31.44%" src="https://cmscritic.com/ms-content/uploads/2025/08/cms-kickoff-2026-logo.png" alt="" /><h4 id="cms-kickoff-2026"><a target="_blank" rel="noopener noreferrer" href="https://www.boye-co.com/conferences/cmskickoff26">CMS Kickoff 2026</a></h4>January 13-14, 2026 – St. Petersburg, FLMeet industry leaders at our fourth annual CMS Kickoff – the industry's premier global CMS event. Similar to a traditional kickoff, we reflect on recent trends and share stories from the frontlines. Additionally, we will delve into the current happenings and shed light on the future. Prepare for an unparalleled in-person CMS conference experience that will equip you to move things forward. This is an exclusive event – space is limited, <a target="_blank" rel="noopener noreferrer" href="https://www.boye-co.com/conferences/cmskickoff26">so secure your tickets today.</a>

Tainted Bot Love? AI Lotharios Get the Cold Shoulder on ‘World Romance Scam Prevention Day’

matt-garrepy

<a target="_blank" rel="noopener noreferrer" href="https://cmscritic.com/critics/jurgita-lap">Jurgita Lapienytė</a><a target="_blank" rel="noopener noreferrer" href="https://cmscritic.com/critics/dan-drapeau"> </a>is Editor-in-Chief at <a target="_blank" rel="noopener noreferrer" href="https://cybernews.com/">Cybernews</a> and a CMS Critic contributor. <hr /> The <a target="_blank" rel="noopener noreferrer" href="https://cybernews.com/news/grok-posts-praise-hitler/">latest Grok debacle</a> reads like a case study in how not to launch an AI chatbot. Elon Musk’s xAI, fresh off the hype cycle for Grok 4.0, found itself in damage-control mode after the bot spewed antisemitic tropes, praised Hitler, and doubled down with the kind of “truth-seeking” rhetoric that’s become a dog whistle for “anything goes.” The company’s response was to <a target="_blank" rel="noopener noreferrer" href="https://www.theguardian.com/technology/2025/jul/09/grok-ai-praised-hitler-antisemitism-x-ntwnfb">delete</a> the posts, apologize, and promise that next time, the filters will work, while Musk <a target="_blank" rel="noopener noreferrer" href="https://www.cbsnews.com/news/grok-elon-musks-ai-chatbot-antisemitic-comments/">blamed</a> manipulative prompt injections by users.<h3 id="grok’s-security-failures-–-not-so-uncommon-">Grok’s Security Failures – Not So Uncommon </h3>First, the core vulnerability here is Grok’s very design. Marketed as a “truth-seeking” alternative to more tightly controlled chatbots, Grok was engineered with fewer guardrails and a willingness to echo the rawest edges of online discourse. It seems to function very much like X after Musk’s takeover of the company.That design philosophy, paired with the model’s notorious “compliance” to user prompts, created a perfect storm for prompt injection attacks. Prompt injection is an extremely dangerous attack vector, as threat actors, if asking the right questions, can <a target="_blank" rel="noopener noreferrer" href="https://cybernews.com/security/universal-ai-jailbreak-discovered/">trick chatbots</a> into giving instructions on how to enrich uranium or make methamphetamine at home.When the training data is laced with extremist rhetoric, and the guardrails are weak or hastily implemented, it’s only a matter of time before the worst of humanity bubbles up through the code. This isn’t unique to Grok as TikTok, X, Instagram, and YouTube also have been infested with racist content, often slipping past moderators who are overwhelmed, under-resourced, or simply indifferent.A few months back, <a target="_blank" rel="noopener noreferrer" href="https://cybernews.com/tech/hitler-glorifying-surges-on-tiktok-x/">we called out</a> AI platforms for translating Hitler’s speeches and giving them new digital life. The backlash was immediate: accusations of censorship, attacks on free speech, and the usual internet pile-on. The Grok case shows how chatbots could be weaponized to amplify hate speech, spread conspiracy theories, and even praise genocidal figures, all under the banner of “free expression.”<h3 id="xai’s-response-could-have-been-better">xAI’s Response Could Have Been Better</h3>What’s most worrying from a cybersecurity perspective is the lack of proactive defense. xAI’s action was a textbook incident response (not that it ever works well for the culprits): scrub the posts, patch the prompts, abruptly apologize, and hope for the best. But in the world of modern infosec, that’s not enough. Proper security requires adversarial red-teaming before launch, not after the damage is done. It demands layered controls – robust input validation, output monitoring, anomaly detection, and the ability to quarantine or roll back models when they go off the rails. Grok’s rollout, timed with the launch of version 4.0, suggests that the model was pushed live without sufficient penetration testing or ethical red-teaming, exposing millions to risk in real time.<h3 id="guidance-for-web-and-digital-experience-builders">Guidance for Web and Digital Experience Builders</h3>The Grok 4.0 chatbot controversy is a front-row lesson for anyone shaping modern digital experiences. When AI-powered chatbots go off script – spitting out offensive, dangerous, or extremist content – the fallout can hit hard and fast: legal headaches, brand damage, user backlash, and regulatory scrutiny. For web and digital experience builders, the new norm is recognizing that generative AI is an unpredictable extension of your content platform. The right lessons, drawn now, can mean the difference between successful innovation and the next tech lesson.To prevent failures, make sure to take at least these essential steps: <ol><li>Treat AI chatbots like core content: Run every AI or chatbot-generated output through editorial moderation, just as you would user-generated content. Also, use your CMS workflows to enforce pre-publication reviews for sensitive or high-risk content segments.</li><li>Demand transparency from vendors: You should insist on clear documentation from AI vendors. How is training data sourced? How quickly are filters updated? What triggers moderation? And definitely avoid integrations where the provider gives vague or buzzword-heavy answers.</li><li>Monitor for red flags in real time: Set up dashboards and alerts for spikes in controversial or sensitive queries. Make sure to flag sudden shifts in chatbot tone or recurring attempts to bypass guardrails. Audit bot sessions for toxic or extremist phrases, and require review for flagged cases.</li><li>Build in robust safeguards: Don’t rely solely on post-incident apologies or deletions. </li><li>Assign ownership and enable fast escalation: Designate a point person or team for bot oversight, empowered with a “kill switch” to disable misbehaving chatbots immediately.</li><li>Understand the regulatory landscape: Track where your digital experiences intersect with regions governed by strict AI or content laws (e.g., EU’s Digital Services Act). Ensure you have compliance evidence for content moderation, output logging, and quick takedown response.</li><li>Reinforce your AI guardrails: Treat AI guardrails as a living part of your digital stack, not a one-time fix. Iterate and improve with each update, launch, or training data change.</li></ol>The truth is, every new chatbot or AI feature is a potential attack surface that demands active, informed governance. For digital architects, these steps are the new non-negotiables.<h3 id="regulators-aren’t-impressed">Regulators Aren’t Impressed</h3>The regulatory consequences of irresponsible chatbot development are already unfolding. Turkey has <a target="_blank" rel="noopener noreferrer" href="https://www.politico.eu/article/turkey-ban-elon-musk-grok-recep-tayyip-erdogan-insult/">banned</a> Grok over Erdoğan insults, and Poland intends to <a target="_blank" rel="noopener noreferrer" href="https://www.reuters.com/business/media-telecom/poland-report-musks-chatbot-grok-eu-offensive-comments-2025-07-09/">report</a> the chatbot to the EU for offending Polish politicians. These are signals that the era of “move fast and break things” might be over for AI. Under the <a target="_blank" rel="noopener noreferrer" href="https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/digital-services-act_en">EU’s Digital Services Act</a> and similar laws, platforms are now on the hook for algorithmic harms, with the threat of massive fines and operational restrictions. The cost of insecure AI is measured in court orders, compliance audits, and the erosion of public trust.Perhaps the most insidious risk is how generative AI like Grok can supercharge existing threats and amplify biases. In the wrong hands, a chatbot is a megaphone. Coordinated adversaries could use such systems for influence operations, harassment campaigns, or even sophisticated phishing and social engineering attacks, all at unprecedented scale and speed. Every flaw, every missed filter, becomes instantly weaponizable.To protect our societies, we have to realize that generative AI is a living, evolving attack surface that demands new strategies, new transparency, and relentless vigilance. If companies keep treating these failures as isolated glitches, they’ll find themselves not just outpaced by attackers, but outflanked by regulators and abandoned by users.  <hr /><h3 id="upcoming-events">Upcoming Events</h3> <img style="width:31.83%" src="https://cmscritic.com/ms-content/uploads/2025/01/cms-connect-2025-logo.png" alt="" /><h4 id="cms-connect-25"><a target="_blank" rel="noopener noreferrer" href="https://www.boye-co.com/conferences/cmsconnect25">CMS Connect 25</a></h4>August 5-6, 2025 – Montreal, CanadaWe are delighted to present the second annual summer edition of our signature global conference dedicated to the content management community! CMS Connect will be held again in beautiful Montreal, Canada, and feature a unique blend of masterclasses, insightful talks, interactive discussions, impactful learning sessions, and authentic networking opportunities. Join vendors, agencies, and customers from across our industry as we engage and collaborate around the future of content management – and hear from the top thought leaders at the only vendor-neutral, in-person conference exclusively focused on CMS. Space is limited for this event, <a target="_blank" rel="noopener noreferrer" href="https://www.boye-co.com/conferences/cmsconnect25">so book your seats today.</a>

Grok's Meltdown: What Web and Digital Experience Builders Must Learn

jurgita-lap

<a target="_blank" rel="noopener noreferrer" href="https://cmscritic.com/critics/jurgita-lap">Jurgita Lapienytė</a><a target="_blank" rel="noopener noreferrer" href="https://cmscritic.com/critics/dan-drapeau"> </a>is Editor-in-Chief at <a target="_blank" rel="noopener noreferrer" href="https://cybernews.com/">Cybernews</a> and a CMS Critic contributor. <hr /> Imagine that you’re out shopping for a new jacket, blissfully unaware that somewhere, in the digital shadows, your personal details are being shuffled like cards in a high-stakes game you never agreed to play. That’s the reality for The North Face customers after a <a target="_blank" rel="noopener noreferrer" href="https://cybernews.com/news/north-face-cyberattack-compromised-customer-accounts-vf-corp/">“small-scale” credential stuffing attack</a> – though, let’s be honest, there’s nothing small about having your name, birthday, and address stolen.<h3 id="credential-stuffing:-the-lazy-hacker’s-jackpot">Credential Stuffing: The Lazy Hacker’s Jackpot</h3>Credential stuffing is the digital equivalent of trying every key on a ring until one fits. Hackers scoop up usernames and passwords leaked from previous breaches, then let automated bots loose on other websites, hoping you’ve reused your old faithful password yet again. Spoiler: <a target="_blank" rel="noopener noreferrer" href="https://cybernews.com/security/password-leak-study-unveils-2025-trends-reused-and-lazy/#:~:text=The%20Cybernews%20research%20team%20conducted,the%202025%20password%20creation%20trends.&amp;text=%E2%80%9CWe're%20facing%20a%20widespread,highly%20vulnerable%20to%20dictionary%20attacks.">Most people do</a>. It’s like giving every houseguest you’ve ever had a copy of your key and never changing the locks.Why does this keep happening? Because password reuse is the internet’s dirty little secret. We all know we shouldn’t, but convenience wins. The North Face’s attackers didn’t need to break down the door – they just waltzed in, armed with credentials bought in bulk from the dark web’s version of a discount warehouse.<h3 id="what-was-stolen-–-and-why-it’s-important">What Was Stolen – and Why It’s Important</h3>No, your credit card wasn’t filched this time. But don’t breathe easy just yet. Names, addresses, phone numbers, birthdays – these are the building blocks for identity theft and phishing scams that can cost you far more than a new parka. Cybercriminals love this data because it’s the clay they mold into convincing cons.<h3 id="how-to-break-the-cycle">How to Break the Cycle</h3>Here’s what CMS and DXP vendors can do to help brands secure the end user experience: <ul><li>Enable <a target="_blank" rel="noopener noreferrer" href="https://support.microsoft.com/en-us/topic/what-is-multifactor-authentication-e5e39437-121c-be60-d123-eda06bddf661">Multi-Factor Authentication (MFA)</a> by default, especially for risky logins and sensitive actions.</li><li>Use AI-powered bot detection and rate limiting to block automated credential stuffing attempts.</li><li>Integrate <a target="_blank" rel="noopener noreferrer" href="https://support.google.com/a/answer/1217728">CAPTCHA</a> challenges smartly to stop bots without frustrating real users.</li><li>Adopt secure, decoupled architectures and protect APIs with strong authentication protocols.</li><li>Check passwords against breach databases and enforce strong, unique password policies.</li><li>Monitor login patterns in real-time to spot and respond to suspicious activity quickly.</li><li>Provide built-in user education on security best practices and phishing awareness.</li><li>Keep platforms updated automatically with the latest security patches and protections.</li><li>Leverage cloud-native, vendor-managed security to reduce risks and maintenance burdens.</li></ul><h3 id="last-take">Last Take</h3>The North Face did the right thing by alerting customers, even if the law didn’t twist their arm. But let’s not kid ourselves: until unique passwords and two-factor authentication are as routine as zipping your coat before a snowstorm, credential stuffing attacks will keep finding their mark. Don’t be the low-hanging fruit. In the wilds of the internet, survival favors the cautious. <hr /><h3 id="upcoming-events">Upcoming Events</h3> <img style="width:31.83%" src="https://cmscritic.com/ms-content/uploads/2025/01/cms-connect-2025-logo.png" alt="" /><h4 id="cms-connect-25"><a target="_blank" rel="noopener noreferrer" href="https://www.boye-co.com/conferences/cmsconnect25">CMS Connect 25</a></h4>August 5-6, 2025 – Montreal, CanadaWe are delighted to present the second annual summer edition of our signature global conference dedicated to the content management community! CMS Connect will be held again in beautiful Montreal, Canada, and feature a unique blend of masterclasses, insightful talks, interactive discussions, impactful learning sessions, and authentic networking opportunities. Join vendors, agencies, and customers from across our industry as we engage and collaborate around the future of content management – and hear from the top thought leaders at the only vendor-neutral, in-person conference exclusively focused on CMS. Space is limited for this event, <a target="_blank" rel="noopener noreferrer" href="https://www.boye-co.com/conferences/cmsconnect25">so book your seats today.</a>

When Passwords Become Skeleton Keys: The North Face Breach and the Perils of Credential Stuffing

<hr /> <a target="_blank" href="https://cmscritic.com/critics/nazy">Nazy Fouladirad</a> is President and COO of Tevora, a leading global cybersecurity consultancy, and a CMS Critic contributor. Most organizations today are increasingly dependent on more than just their internal teams and on-premise solutions to drive their businesses forward. The growing popularity of cloud platforms and "as-a-service" models across various industries has also led to a significant increase in organizations partnering with third-party providers.However, while collaborating with multiple external vendors and service providers can help organizations expand, it can also introduce new risks. Given the rise in cybercrime and strict regulatory standards today, the need to have a mature third-party risk management program is essential to ensure <a target="_blank" href="https://cmscritic.com/how-to-secure-your-cms-in-5-steps">their data is secure</a>, especially when handled by those outside the company.<h2 id="recognizing-the-risks-of-third-party-vendors">Recognizing the Risks of Third-Party Vendors</h2>Establishing strong business partnerships is an important component of business growth. Whether hiring an outside marketing firm to drive brand awareness or working with a managed services provider to outsource IT and cybersecurity, the right partnerships help businesses operate more efficiently. However, it's important to be aware of certain risks associated with extending your operations outside your organization.When vendors require access to confidential business information to offer their services, the duty to protect that data starts moving beyond the company's immediate reach. Without due diligence, this can pose <a target="_blank" href="https://www.checkpoint.com/cyber-hub/cyber-security/what-is-cybersecurity/biggest-cyber-security-challenges-in-2023/">significant security challenges</a>, particularly if your partners aren't upholding the safety standards your business adheres to. While most service providers are obligated by data protection laws and regulations to protect sensitive client information, the reality is that not all companies are equally secure. Besides the financial risk associated with a major business disruption across connected services, businesses may also face significant fines and penalties if they fail to maintain regulated compliance standards that govern their specific industry.<h2 id="what-are-third-party-security-&amp;-compliance-audits?">What are Third-Party Security &amp; Compliance Audits?</h2>For organizations that need to have more transparency regarding potential security risks that may be present with a third party, security risk and compliance audits are essential. A third-party security and compliance audit or assessment is a methodical review process handled by outside risk management experts to thoroughly vet the security standards of any business partnership.Depending on the industry your organization operates in, there are a variety of different assessments or audits that can be used to identify any areas of concern.For example, a SOC 2 attestation, sometimes referred to as a <a target="_blank" href="https://www.tevora.com/what-is-a-soc-audit/">SOC audit</a> or SOC certification (which is technically incorrect), is often used to benchmark internal control frameworks in the following Trust Criteria:<ul><li>Security</li><li>Privacy</li><li>Confidentiality</li><li>Availability</li><li>Process Integrity</li></ul>These attestation reports are the opinion of a CPA firm and identify an opinion of conformity against the selected Trust Criteria. It is important to note that not all SOC 2 reports test all five Trust Services Criteria, as it depends on scope. This is similar but holds a bit less rigor than an <a target="_blank" href="https://www.tevora.com/blog/what-is-an-iso-audit/">ISO 27001 audit</a>, which checks that systems and processes align with the framework established by the International Organization for Standardization.<a target="_blank" href="https://www.fedramp.gov/">FedRAMP High Authorization</a>, used for assessing Cloud Service Providers performing critical and essential services for Government Agencies, has over 400 controls and is even more rigorous than the ISO 27001 certification.To streamline third-party vendor assessments, some may use SOC 2, ISO 27001, HITRUST, or FedRAMPas alternative evidence for vetting vendors rather than conducting one-off assessments.<h2 id="steps-to-executing-third-party-security-&amp;-compliance-audits">Steps to Executing Third-Party Security &amp; Compliance Audits</h2>Conducting a third-party compliance audit is often left to risk management specialists due to the complexity of the process. While every audit can be different depending on the depth and scale of the partnership, most external audits will follow a similar formula.Below are the typical steps used when executing third-party security and compliance audits:<h3 id="1.-identify-all-of-your-partnerships">1. Identify All of Your Partnerships</h3>Thoroughly evaluating the business's active partnerships is the first step before performing any type of third-party audit. Oftentimes, businesses may be primarily concerned with only one or two active partnerships they rely on regularly. However, having a completely transparent understanding of your complete risk profile requires identifying each and every vendor you engage with. This could be a supplier of physical goods, logistics companies that you currently contract, SaaS (Software-as-a-Service) providers, or a company where this is a direct change of company information.<h3 id="2.-tier-your-vendors">2. Tier Your Vendors</h3>Not all vendors are created equal. The most important vendors are those that you share the most sensitive data with, have access to your networks, host or build applications, have physical access to your facilities, or can interrupt your key business processes. These vendors are often referred to as Tier 1 vendors. Other vendors you may rely on but are not as critical can be considered Tier 2. Vendors that do not provide essential services – such as a coffee supply vendor or shipping provider – may be considered a Tier 3 vendor.  For Tier 3 vendors, just knowing that they are accounted for and have been identified as a Tier 3 vendor is all that is required. <h3 id="3.-build-a-plan-for-vendor-assessments-by-tier">3. Build a Plan for Vendor Assessments by Tier</h3>Working with a trained risk assessment professional, you should define the assessment, process, depth, and acceptable alternative evidence allowed for each tier of vendor.  By organizing your assessment process by Vendor Tier, you'll be able to narrow down the focus of your audits to the areas that are most critical for the services provided.Part of building a successful vendor assessment plan should start with the alignment of your company’s existing security framework to your Vendor assessment model (ISO 27000 series, NIST 800 series, HITRUST Certification, or FedRAMP/StateRAMP). Typically, more mature vendors will have their own security programs developed and backed by one of these frameworks. Having the ability to crosswalk between the frameworks can help show how your company’s security controls are implemented through outsourcing to these vendors. A tool commonly used within the Third Party Vendor Management space is the <a target="_blank" href="https://sharedassessments.org/sig/">Standardized Information Gathering (SIG) Questionnaire</a>, which helps map controls to various frameworks. The SIG Questionnaire has over 1000 controls, whereas the SIG Lite contains about 200 controls. Many Vendors will have a SIG or SIG Lite available for review during the third-party assessment process and this can be an effective way of getting standardized information from your vendors. <h3 id="4.-notify-your-vendors">4. Notify Your Vendors</h3>While certain portions of a third-party risk assessment can be managed without the direct involvement of your vendors and with the use of various monitoring tools, their participation is essential to complete an assessment. Many companies will make assessment requirements part of their new vendor onboarding process to ensure that all parties are aware of the potential for assessment before or during the length of the partnership. In any event, it's important to clearly lay out any requirements your business may have when it comes to completing assessments to ensure vendors are aware and willing to comply.<h3 id="5.-define-scope-of-engagement">5. Define Scope of Engagement</h3>Some assessments are much more comprehensive than others. In all situations, though, it's important to define the scope of engagement that will be required for each vendor. This is another area where understanding your risk categories will help, as it will assist in prioritizing engagement in the right areas and with the right teams. Doing so helps to avoid your vendors becoming overwhelmed with requests for information that could potentially cause strain on the relationship.<h3 id="6.-complete-the-review-and-identify-areas-of-improvement">6. Complete the Review and Identify Areas of Improvement</h3>After gathering the required information, your risk management team can produce a detailed review of potential areas of concern. Given the thoroughness of the data collected, some areas might need additional exploration to guarantee the review's accuracy and to ensure the insights provided are easy to understand and actionable.<h2 id="don't-let-your-third-party-risk-catch-you-off-guard">Don't Let Your Third-Party Risk Catch You Off Guard</h2>While your organization might prioritize and invest in proper security measures, not all vendors necessarily share that commitment. However, collaborating with skilled risk management experts can help confirm that all your partnerships value security and risk mitigation as much as you and your clients do. <hr /><h3 id="upcoming-conferences">Upcoming conferences</h3> <img style="width:29.67%" src="https://cmscritic.com/ms-content/uploads/2024/01/cms-connect-2024-logo.png" alt="CMS Connect 24 logo" /><h4 id="cms-connect-24"><a target="_blank" href="https://www.boye-co.com/conferences/cmsconnect24">CMS Connect 24</a></h4>August 6-7, 2024 – Montreal, CanadaWe are delighted to present our first annual summer edition of our prestigious international conference dedicated to the global content management community. Join us this August in Montreal, Canada, for a vendor-neutral conference focused on CMS. Tired of impersonal and overwhelming gatherings? Picture this event as a unique blend of masterclasses, insightful talks, interactive discussions, impactful learning sessions, and authentic networking opportunities. <img style="width:29.58%" src="https://cmscritic.com/ms-content/uploads/2024/01/cms-kickoff-2025-logo.png" /><h4 id="cms-kickoff-25"><a target="_blank" href="https://www.boye-co.com/conferences/cmskickoff25/tickets">CMS Kickoff 25</a></h4>January 14-15, 2025 – Tampa Bay Area, FloridaJoin us next January in the Tampa Bay area of Florida for the third annual CMS Kickoff – the industry's premier global event. Similar to a traditional kickoff, we reflect on recent trends and share stories from the frontlines. Additionally, we will delve into the current happenings and shed light on the future. Prepare for an unparalleled in-person CMS conference experience that will equip you to move things forward. This is an exclusive event – space is limited, so secure your tickets today.

Make Sure Your Vendors and Partners aren’t a Security Risk with Third-Party Security & Compliance Audits

nazy

<hr /> The digital transformation of <a target="_blank" href="https://cmscritic.com/what-is-a-content-management-system-cms">content management systems (CMS)</a> is accelerating, with AI capabilities becoming a significant differentiator among providers. Some CMS vendors are enhancing their platforms with ChatGPT add-ons, while <a target="_blank" href="https://cmscritic.com/kontent-ai-pioneers-native-ai-in-headless-cms-interview-with-vojtech-boril">others are weaving AI more intricately</a> into their technology stacks. A select few are even making AI the heart of their offerings. This diversity in AI integration presents a spectrum of challenges, particularly in terms of securing and maintaining the privacy of customer data.<h3 id="what-is-at-stake">What is at stake</h3>CMS platforms are the custodians of a wide array of data, from the mundane to the mission-critical. This data can include everything from public-facing content to sensitive internal documents detailing future product launches and marketing campaigns. The impact of a data breach originating from a CMS vendor can be severe, with the potential for significant financial and reputational damage.Data breaches are not only disruptive but also expensive. The average <a target="_blank" href="https://www.ibm.com/reports/data-breach">cost of a data breach</a> can be staggering, with public reports often calculating it in millions on affected organizations. Furthermore, CMSs are frequently tasked with processing data that is protected by various regulations, such as Protected Health Information (by HIPAA in the US) and financial information (by GLBA in the US, DORA in Europe, etc.). Personal data processing is a given, necessitating adherence to privacy laws like GDPR and CCPA.Regulatory frameworks mandate a set of controls to safeguard this data, and AI implementations within CMSs must meet these same stringent requirements. If AI functionalities are implemented incorrectly, they can lead to the mishandling of sensitive data, compliance issues, and even data leaks across customer accounts.<h3 id="how-to-address-the-challenges">How to address the challenges</h3>Despite the relative novelty of generative AI, there are already established standards and best practices that leading CMS vendors are adopting. The architecture of the AI solution is paramount; a well-designed architecture will prevent data leaks between customers and ensure at least logical data separation. Utilizing well-tested AI models and implementing AI governance on the vendor's side are also crucial steps.Frameworks such as the EU AI Act, capAI methodology, and the NIST AI Risk Management Framework provide guidance for responsible AI risk management. While specific "AI security certifications" do not exist yet, adherence to recognized security and privacy best practices, such as ISO/IEC 27001, 27017, 27018 certifications, GDPR compliance, SOC 2 Type 2 Report, and Cloud Security Alliance STAR registry, is indicative of a vendor's commitment to security.Transparency from vendors about their AI implementations and their approach to security and responsible AI development is essential, as is ensuring the privacy of data.<h3 id="what-kontent.ai-brings-to-the-table">What Kontent.ai brings to the table</h3><a target="_blank" href="https://kontent.ai/">Kontent.ai</a> is at the forefront of AI integration in the CMS market, being the first headless CMS vendor to natively incorporate AI capabilities. With a strong AI-powered feature set and a forward-looking AI roadmap, Kontent.ai leads the way in AI in content management.On the compliance side, the company's approach to AI governance is in line with the best practices of capAI and NIST AI RMF, and it ensures immediate compliance with the EU AI Act. Kontent.ai's security program is robust and certified by ISO/IEC 27001, 27017, and is audited regularly by Trust Services Criteria. To provide customers with assurance, Kontent.ai offers a suite of artifacts:<ul><li>SOC 2 Type 2 Report</li><li>Comprehensive OWASP penetration test reports</li><li>CSA STAR level 1</li><li>HECVAT</li><li>GDPR audit report</li></ul>These resources demonstrate Kontent.ai's commitment to security and governance, and the company requires its suppliers to adhere to the same high standards.For more information on Kontent.ai's commitment to trust and governance, visit <a target="_blank" href="https://kontent.ai/trust-and-governance/">https://kontent.ai/trust-and-governance/</a><h3 id="summary">Summary</h3>The integration of AI into CMS platforms is revolutionizing the way content is created, managed, and delivered. It's imperative to understand that AI implementations vary widely, and the security and privacy of customer data are paramount. Responsible and secure AI integration involves adhering to established best practices and regulatory standards, ensuring that AI offerings are not only innovative but also trustworthy.Kontent.ai exemplifies this approach by being the first headless CMS vendor to natively incorporate AI capabilities, adhering to best practices such as capAI and NIST AI RMF, and ensuring compliance with the EU AI Act. With a robust security program and a suite of assurance artifacts, Kontent.ai demonstrates its commitment to security and governance, setting a standard for responsible AI in CMS. As AI continues to shape the CMS landscape, it is crucial for vendors to prioritize the responsible use of AI to maintain the trust and confidence of their users.

Not Every AI is the Same: A Guide to Responsible and Secure AI in CMS

matej

Explore a wide range of informative articles on Security, insights, and industry updates. Stay informed and ahead of the curve with our diverse collection of news and posts covering the latest trends and developments in the industry. 