Looking for help with shadow AI? Want to boost your software updates’ safety? New publications offer valuable tips. Plus, learn why GenAI and data security have become top drivers of cyber strategies. And get the latest on the top “no-nos” for software security; the EU’s new cyber law; and CISOs’ communications with boards.

Dive into six things that are top of mind for the week ending Oct. 25.

1 - CSA: How to prevent “shadow AI” 

As organizations scale up their AI adoption, they must closely track their AI assets to secure them and mitigate their cyber risk. This includes monitoring the usage of unapproved AI tools by employees — an issue known as “shadow AI.”

So how do you identify, manage and prevent shadow AI? You may find useful ideas in the Cloud Security Alliance’s new “AI Organizational Responsibilities: Governance, Risk Management, Compliance and Cultural Aspects” white paper.

The white paper covers shadow AI topics including:

• Creating a comprehensive inventory of AI systems
• Conducting gap analyses to spot discrepancies between approved and actual AI usage
• Implementing ways to detect unauthorized AI wares
• Establishing effective access controls
• Deploying monitoring techniques

“By focusing on these key areas, organizations can significantly reduce the risks associated with shadow AI, ensuring that all AI systems align with organizational policies, security standards, and regulatory requirements,” the white paper reads.

For example, to create an inventory that offers the required visibility into AI assets, the document explains different elements each record should have, such as:

• The asset’s description
• Information about its AI models
• Information about its data sets and data sources
• Information about the tools used for its development and deployment
• Detailed documentation about its lifecycle, regulatory compliance, ethical considerations and adherence to industry standards
• Records of its access control mechanisms

Shadow AI is one of four topics covered in the publication, which also unpacks risk management; governance and compliance; and safety culture and training.

To get more details, read:

• The full “AI Organizational Responsibilities: Governance, Risk Management, Compliance and Cultural Aspects” white paper
• A complementary slide presentation
• The CSA blog “Shadow AI Prevention: Safeguarding Your Organization’s AI Landscape”

For more information about AI security issues, including shadow AI, check out these Tenable blogs:

• “Do You Think You Have No AI Exposures? Think Again”
• “Securing the AI Attack Surface: Separating the Unknown from the Well Understood”
• “Never Trust User Inputs -- And AI Isn't an Exception: A Security-First Approach”
• “6 Best Practices for Implementing AI Securely and Ethically”
• “Compromising Microsoft's AI Healthcare Chatbot Service”

2 - Best practices for secure software updates

The security and reliability of software updates took center stage in July when an errant update caused massive and unprecedented tech outages globally.

To help prevent such episodes, U.S. and Australian cyber agencies have published “Safe Software Deployment: How Software Manufacturers Can Ensure Reliability for Customers.”

“It is critical for all software manufacturers to implement a safe software deployment program supported by verified processes, including robust testing and measurements,” reads the 12-page document.

Although the guide is aimed primarily at commercial software vendors, its recommendations can be useful for any organization with software development teams that deploy updates internally.

The guide outlines key steps for a secure software development process, including planning; development and testing; internal rollout; and controlled rollout. It also addresses errors and emergency protocols.

“A safe software deployment process should be integrated with the organization’s SDLC, quality program, risk tolerance, and understanding of the customer’s environment and operations,” reads the guide, authored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Australian Cyber Security Centre.

To get more details, read:

• The “Safe Software Deployment: How Software Manufacturers Can Ensure Reliability for Customers” guide
• The CISA alert “CISA, US, and International Partners Release Joint Guidance to Assist Software Manufacturers with Safe Software Deployment Processes”

For more information about secure software updates:

• “Tenable’s Software Update Process Protects Customers’ Business Continuity with a Safe, Do-No-Harm Design” (Tenable)
• “The critical importance of robust release processes” (Cloud Native Computing Foundation)
• “Software Deployment Security: Risks and Best Practices” (DevOps.com)
• “Software Updates, A Double-Edged Sword for Cybersecurity Professionals” (Infosecurity)
• “DevOps Best Practices for Faster and More Reliable Software Delivery” (DevOps.com)

3 - Report: GenAI, attack variety, data security drive cyber strategies

What issues act as catalysts for organizations’ cybersecurity actions today? Hint: They’re fairly recent concerns. The promise and peril of generative AI ranks first. It’s closely followed by the ever growing variety of cyberattacks; and by the intensifying urgency to protect data.

That’s according to CompTIA’s “State of Cybersecurity 2025” report, based on a survey of almost 1,200 business and IT pros in North America and in parts of Europe and Asia. 

These three key factors, along with others like the scale of attacks, play a critical role in how organizations currently outline their cybersecurity game plans.

“Understanding these drivers is essential for organizations to develop proactive and adaptive cybersecurity strategies that address the evolving threat landscape and safeguard their digital assets,” reads a CompTIA blog about the report.

Organizations are eagerly trying to understand both how generative AI can help their cybersecurity programs and how this technology is being used by malicious actors to make cyberattacks harder to detect and prevent.

Meanwhile, concern about data protection has ballooned in the past couple of years. “As organizations become more data-driven, the need to protect sensitive information has never been more crucial,” reads the blog.

Not only are organizations focused on securing data at rest, in transit and in use, but they’re also creating foundational data-management practices, according to the report.

“The rise of AI has accelerated the need for robust data practices in order to properly train AI algorithms, and the demand for data science continues to be strong as businesses seek competitive differentiation,” the report reads.

To get more details, read:

• The report’s announcement “Cybersecurity success hinges on full organizational support, new CompTIA report asserts”
• CompTIA’s blogs “Today’s top drivers for cybersecurity strategy” and “Cybersecurity’s maturity: CompTIA’s State of Cybersecurity 2025 report”
• The full “State of Cybersecurity 2025” report

For more information about data security posture management (DSPM) and preventing AI-powered attacks, check out these Tenable resources:

• “Harden Your Cloud Security Posture by Protecting Your Cloud Data and AI Resources” (blog)
• “Know Your Exposure: Is Your Cloud Data Secure in the Age of AI?” (on-demand webinar)
• “The Data-Factor: Why Integrating DSPM Is Key to Your CNAPP Strategy” (blog)
• “Mitigating AI-Related Security Risks” (on-demand webinar)
• “Securing the AI Attack Surface: Separating the Unknown from the Well Understood” (blog)

4 - CISA lists software dev practices most harmful for security

Recommended best practices abound in the cybersecurity world. However, CISA and the FBI are taking the opposite tack in their quest to improve the security of software products: They just released a list of the worst security practices that software manufacturers ought to avoid.

Titled “Product Security Bad Practices,” the document groups the “no-nos” into three main categories: product properties; security features; and organizational processes and policies.

“It’s 2024, and basic, preventable software defects continue to enable crippling attacks against hospitals, schools, and other critical infrastructure. This has to stop,” CISA Director Jen Easterly said in a statement.

“These product security bad practices pose unacceptable risks in this day and age, and yet are all too common,” she added.

Here are some of the worst practices detailed in the document, which is part of CISA’s “Secure by Design” effort:

• Using programming languages considered “memory unsafe”
• Including user-provided input in SQL query strings
• Releasing a product with default passwords
• Releasing a product with known and exploited vulnerabilities
• Not using multi-factor authentication
• Failing to disclose vulnerabilities in a timely manner

Although the guidance is aimed primarily at software makers whose products are used by critical infrastructure organizations, the recommendations apply to all software manufacturers.

If you’re interested in sharing your feedback with CISA and the FBI, you can submit comments about the document until December 16, 2024 on the Federal Register.

To get more details, check out:

• CISA’s announcement “CISA and FBI Release Product Security Bad Practices for Public Comment”
• The full document “Product Security Bad Practices”

For more information about how to develop secure software:

• “Tenable Partners with CISA to Enhance Secure By Design Practices” (Tenable)
• “Ensuring Application Security from Design to Operation with DevSecOps” (DevOps.com)
• “What is application security?” (TechTarget)
• “Guidelines for Software Development (Australian Cyber Security Centre)

5 - New EU law focuses on cybersecurity of connected digital products

Makers of digital products — both software and hardware — that directly or indirectly connect to networks and to other devices will have to comply with specific cybersecurity safeguards in the European Union.

A newly adopted law known as the “Cyber Resilience Act” outlines cybersecurity requirements for the design, development, production and lifecycle maintenance of these types of products, including IoT wares such as connected cars.

For example, it specifies a number of “essential cybersecurity requirements” for these products, including that they:

• Aren’t shipped with known exploitable vulnerabilities
• Feature a “secure by default” configuration
• Can fix their vulnerabilities via automatic software updates
• Offer access protection via control mechanisms, such as authentication and identity management
• Protect the data they store, transmit and process using, for example, at-rest and in-transit encryption

“The new regulation aims to fill the gaps, clarify the links, and make the existing cybersecurity legislative framework more coherent, ensuring that products with digital components (...) are made secure throughout the supply chain and throughout their lifecycle,” reads a statement from the EU’s European Council.

The law will “enter into force” after its publication in the EU’s official journal and will apply and be enforceable 36 months later, so most likely in October 2027 or November 2027. However, some of its provisions will be enforceable a year prior.

For more information and analysis about the EU’s Cyber Resilience Act:

• “Cyber Resilience Act Requirements Standards Mapping” (ENISA)
• “The Cyber Resilience Act, an Accidental European Alien Torts Statute?” (Lawfare)
• “EU Cybersecurity Regulation Adopted, Impacts Connected Products” (National Law Review)
• “Open source foundations unite on common standards for EU’s Cyber Resilience Act” (TechCrunch)
• “The Cyber Resilience Act: A New Era for Mobile App Developers” (DevOps.com)

VIDEO

The EU Cyber Resilience Act: A New Era for Business Engagement in Open Source Software (Linux Foundation) 

6 - UK cyber agency: CISOs must communicate better with boards

CISOs and boards of directors are struggling to understand each other, and this is increasing their organizations’ cyber risk, new research from the U.K.’s cyber agency has found.

For example, in one alarming finding, 80% of respondents, which included board members, CISOs and other cyber leaders in medium and large enterprises, confessed to being unsure of who is ultimately accountable for cybersecurity in their organizations.

“We found that in many organisations, the CISO (or equivalent role) thought that the Board was accountable, whilst the Board thought it was the CISO,” reads a blog about the research titled “How to talk to board members about cyber.”

As a result, the U.K. National Cyber Security Centre (NCSC) has released new guidance aimed at helping CISOs better communicate with their organizations’ boards titled “Engaging with Boards to improve the management of cyber security risk.”

“Cyber security is a strategic issue, which means you must engage with Boards on their terms and in their language to ensure the cyber risk is understood, managed and mitigated,” the document reads.

Here’s a small sampling of the advice:

• Understand your audience, including who are the board’s members and their areas of expertise; and how the board works, such as its meeting formats and its committees.
• Talk about cybersecurity in terms of risks, and outline these risks concretely and precisely, presenting them in a matter-of-fact way.
• Don’t limit your communication with board members to formal board meetings. Look for opportunities to talk to them individually or in small groups outside of these board meetings.
• Elevate the discussions so that you link cybersecurity with your organization’s business challenges, goals and context.
• Aim to provide a holistic view, and avoid using technical jargon.
• Aim to advise instead of to educate.

TORONTO – The Canadian Securities Administrators (CSA) is providing an update to interested parties on the status of its work to introduce binding authority for an independent dispute resolution service.

At high level dialogue, Stakeholders Rally Support for Women’s Empowerment in Agriculture (National Update/Punch)

This article published by National Update (Nigeria) wrote about a recent high-level dialogue on the CGIAR HER+ initiative in Abuja held on October 9, 2024, that aimed to address barriers women face in Nigeria’s agrifood sector.

The post At high level dialogue, Stakeholders Rally Support for Women’s Empowerment in Agriculture (National Update/Punch) appeared first on IFPRI.

At ASHG, Illumina to Share Updates to Sequencing, Proteomics, and Single-Cell Technologies  Genetic Engineering & Biotechnology News

Updated Dates & Impacts with Extended Parking Lane Closures & Traffic Shifts at W. Foster Avenue between N. Broadway and N. Winthrop Avenue for Street Reconstruction & Shoring Tower Construction & Staging.

Updated Dates, Extended Partial Alley Closure at the alley east of 4801 – 4838 N. Broadway for station foundation construction.

Updated Dates, Extended Street Closures, W. Ardmore Avenue between N. Broadway and N. Winthrop Avenue for street, sidewalk restoration and screen wall installation.

Update Dates and Impacts with Parking Lane and Partial Sidewalk Closure at 5600 – 5605 N. Broadway

Updated Dates Daily Alley Closures for the alley west of 4700 thru 4748 N. Winthrop Avenue (W. Leland Avenue to W. Lawrence Avenue) for wall cap installation.

Updated Dates for Extended Partial Alley Closure for the alley west of 4700 thru 4748 N. Winthrop Avenue (W. Leland Avenue to W. Lawrence Avenue)

Updated Dates Parking Lane and Partial Sidewalk Closure at 5600 – 5605 N. Broadway for Decorative Sidewalk Paver Installation.

Updated Dates for Extended Alley Closure for The alley behind 5300 thru 5358 N. Winthrop Avenue (W. Berwyn Avenue to W. Balmoral Avenue) for alley reconstruction.

Updated Dates and Extended Street Closure at W. Balmoral Avenue between N. Broadway and N. Winthrop Avenue for street and sidewalk restoration.

Updated Dates Parking Lane and Sidewalk Closure for - W. Newport Avenue between N. Clark Street and 927 W. Newport Avenue - N. Clark Street between W. Roscoe Street and W. Newport Avenue

The alley behind 5300 – 5358 N. Winthrop Avenue will be closed through Oct. 26 for reconstruction as part of the Red and Purple Modernization Project.

There will be intermittent street closures on W Ardmore at the CTA tracks to allow crews to hoist construction materials to track level.

Updated Dates and Extended Street Closure for W. Balmoral Avenue between N. Broadway and N. Winthrop Avenue for Street and Sidewalk Restoration.

Updated Dates Alley Entrance Relocation & Daily Short-term Street Closures Crane Staging & Material Deliver

(Sun, May 16 2021 12:01 AM to TBD) Red and Purple line trains share tracks btwn Thorndale and Belmont. Purple Line Express trains continue to make only express stops between Howard and Belmont.

(Sun, May 16 2021 12:01 AM to TBD) Red and Purple line trains share tracks btwn Thorndale and Belmont. Purple Line Express trains continue to make only express stops between Howard and Belmont.

Truffles are one of the most expensive and sought after ingredients in the world. Today, we look back at our NYC adventure with a truffle smuggler and how the market has changed since we last talked to him. | Subscribe to our weekly newsletter here.

Learn more about sponsor message choices: podcastchoices.com/adchoices

NPR Privacy Policy

When Maddie Messer was 12 years old, she noticed an unfair dynamic in the video games she loved: playing as a man was often free, but she had to pay to play as a woman. So ... she decided to take on the video game industry. | Subscribe to our weekly newsletter here.

Learn more about sponsor message choices: podcastchoices.com/adchoices

NPR Privacy Policy

How one man's quest to dominate the onion market changed commodities trading, and potentially how much you pay at the grocery store, forever. | Subscribe to Planet Money+ in Apple Podcasts or at plus.npr.org/planetmoney.

Learn more about sponsor message choices: podcastchoices.com/adchoices

NPR Privacy Policy

College has gotten incredibly expensive. And some colleges are offering students a new way to pay. It's not a scholarship. It's not quite a loan. It's more like the students are selling stock in themselves. We check in on how income share agreements at one school have been working. | Subscribe to Planet Money+ in Apple Podcasts or at plus.npr.org/planetmoney.

Learn more about sponsor message choices: podcastchoices.com/adchoices

NPR Privacy Policy

(Note: This episode originally ran back in 2022.)

This past weekend, Spider-Man: Across the Spider-Verse had the second largest domestic opening of 2023, netting (or should we say webbing?) over $120 million in its opening weekend in the U.S. and Canada. But the story leading up to this latest Spider-Man movie has been its own epic saga.

When Marvel licensed the Spider-Man film rights to Sony Pictures in the 1990s, the deal made sense — Marvel didn't make movies yet, and their business was mainly about making comic books and toys. Years later, though, the deal would come back to haunt Marvel, and it would start a long tug of war between Sony and Marvel over who should have creative cinematic control of Marvel's most popular superhero. Today, we break down all of the off-screen drama that has become just as entertaining as the movies themselves.

This episode was originally produced by Nick Fountain with help from Taylor Washington and Dave Blanchard. It was engineered by Isaac Rodrigues. It was edited by Jess Jiang. The update was produced by Emma Peaslee, with engineering by Maggie Luthar. It was edited by Keith Romer.

Help support Planet Money and get bonus episodes by subscribing to Planet Money+ in Apple Podcasts or at plus.npr.org/planetmoney.

Learn more about sponsor message choices: podcastchoices.com/adchoices

NPR Privacy Policy

*Note: This episode originally ran in 2020*

'Tis the season for Americans to head out in droves and bring home a freshly-cut Christmas tree. But decorative evergreens don't just magically show up on corner lots, waiting to find a home in your living room. There are a bunch of fascinating steps that determine exactly how many Christmas trees get sold, and how expensive they are.

Today on the show, we visit the world's largest auction of Christmas trees — and then see how much green New Yorkers are willing to throw down for some greenery. It's a story where snow-dusted Yuletide dreams meet the hard reality of supply and demand. We've got market theory, a thousand dollars in cash, and a "decent sized truck"... anything could happen.

This episode was produced by James Sneed. It was edited by Bryant Urstadt. It was engineered by Gilly Moon. Alex Goldmark is Planet Money's executive producer.

Help support Planet Money and get bonus episodes by subscribing to Planet Money+ in Apple Podcasts or at plus.npr.org/planetmoney.

Learn more about sponsor message choices: podcastchoices.com/adchoices

NPR Privacy Policy

(Note: This episode originally ran in 2020.)

In the restaurant game, you need to make the most of every table every minute you are open. And you need to make sure your guests are happy, comfortable, and want to come back.

If you're a restaurateur, your gut tells you "more seats, more money," but, in this episode, restaurant design expert Stephani Robson upends all that and more. She helps Roni Mazumdar, owner of the casual Indian spot Adda in New York's Long Island City, rethink how a customer behaves at a table, and how small changes can lead to a lot more money.

It's a data-driven restaurant makeover.

This episode was originally produced by Darian Woods and Alexi Horowitz-Ghazi. James Sneed and Sam Yellowhorse Kesler produced this update. Engineering by Isaac Rodrigues and Maggie Luthar. Alex Goldmark originally edited the show and is now Planet Money's executive producer.

Help support Planet Money and get bonus episodes by subscribing to Planet Money+ in Apple Podcasts or at plus.npr.org/planetmoney.

Learn more about sponsor message choices: podcastchoices.com/adchoices

NPR Privacy Policy

(Note: This episode originally ran in 2023.)

Union membership in the U.S. has been declining for decades. But, in 2022, support for unions among Americans was the highest it's been in decades. This dissonance is due, in part, to the difficulties of one important phase in the life cycle of a union: setting up a union in the first place. One place where that has been particularly clear is at the Volkswagen plant in Chattanooga, Tennessee.

Back in 2008, Volkswagen announced that they would be setting up production in the United States after a 20-year absence. They planned to build a new auto manufacturing plant in Chattanooga.

Volkswagen has plants all over the world, all of which have some kind of worker representation, and the company said that it wanted that for Chattanooga too. So, the United Auto Workers, the union that traditionally represents auto workers, thought they would be able to successfully unionize this plant.

They were wrong.

In this episode, we tell the story of the UAW's 10-year fight to unionize the Chattanooga plant. And, what other unions can learn from how badly that fight went for labor.

This episode was hosted by Amanda Aronczyk and Nick Fountain. It was produced by Willa Rubin. It was engineered by Josephine Nyounai, fact-checked by Sierra Juarez, and edited by Keith Romer. Alex Goldmark is our executive producer.

Help support Planet Money and get bonus episodes by subscribing to Planet Money+ in Apple Podcasts or at plus.npr.org/planetmoney.

Learn more about sponsor message choices: podcastchoices.com/adchoices

NPR Privacy Policy

(Note: This episode originally ran in 2021.)

Millions of American workers in all sorts of industries have signed some form of noncompete agreement. Their pervasiveness has led to situations where workers looking to change jobs can be locked out of their fields.

On today's episode: how one man tried to end noncompete contracts in his home state of Hawaii. And we update that story with news of a recent ruling from the Federal Trade Commission that could ban most noncompete agreements nationwide.

This episode was hosted by Erika Beras and Amanda Aronczyk. The original piece was produced by Dave Blanchard, edited by Ebony Reed, and engineered by Isaac Rodrigues. The update was reported and produced by Willa Rubin. It was edited by Keith Romer, fact-checked by Sierra Juarez, and engineered by Josephine Nyounai.

Help support Planet Money and get bonus episodes by subscribing to Planet Money+ in Apple Podcasts or at plus.npr.org/planetmoney.

Learn more about sponsor message choices: podcastchoices.com/adchoices

NPR Privacy Policy

(Note: A version of this episode originally ran in 2019.)

In 1794, George Washington decided to raise money for the federal government by taxing the rich. He did it by putting a tax on horse-drawn carriages.

The carriage tax could be considered the first federal wealth tax of the United States. It led to a huge fight over the power to tax in the U.S. Constitution, a fight that continues today.

Listen back to our 2019 episode: "Could A Wealth Tax Work?"

Listen to The Indicator's 2023 episode: "Could SCOTUS outlaw wealth taxes?"

This episode was hosted by Greg Rosalsky and Bryant Urstadt. It was originally produced by Nick Fountain and Liza Yeager, with help from Sarah Gonzalez. Today's update was produced by Willa Rubin and edited by Molly Messick and our executive producer, Alex Goldmark.

Help support Planet Money and hear our bonus episodes by subscribing to Planet Money+ in Apple Podcasts or at plus.npr.org/planetmoney.

Learn more about sponsor message choices: podcastchoices.com/adchoices

NPR Privacy Policy

(Note: A version of this episode originally ran in 2016.)

Back in 2016, things were pretty bad in Venezuela. Grocery stores didn't have enough food. Hospitals didn't have basic supplies, like gauze. Child mortality was spiking. Businesses were shuttering. It's one of the epic economic collapses of our time. And it was totally avoidable.

Venezuela used to be a relatively rich country. It has just about all the economic advantages a country could ask for: Beautiful beaches and mountains ready for tourism, fertile land good for farming, an educated population, and oil, lots and lots of oil.

But during the boom years, the Venezuelan government made some choices that add up to an economic time bomb.

Today on the show, we have an economic horror story about a country that made all the wrong decisions with its oil money. It's a window into the fundamental way that money works and how when you try to control it, you can lose everything.

Then, an update on Venezuela today. How it went from a downward spiral, to a tentative economic stabilization... amidst political upheaval.

This original episode is hosted by Robert Smith and Noel King. It was produced by Nick Fountain and Sally Helm. Today's update was hosted by Amanda Aronczyk, produced by Sean Saldana, fact checked by Sierra Juarez, and engineered by Neal Rauch. Alex Goldmark is our Executive Producer.

Help support Planet Money and hear our bonus episodes by subscribing to Planet Money+ in Apple Podcasts or at plus.npr.org/planetmoney.

Learn more about sponsor message choices: podcastchoices.com/adchoices

NPR Privacy Policy

Back in the 90s, the federal government ran a bold experiment, giving people vouchers to move out of high-poverty neighborhoods into low-poverty ones. They wanted to test if housing policy could be hope – whether an address change alone could improve jobs, earnings and education.

The answer to that seems obvious. But it did not at all turn out as they expected.

Years later, when new researchers went back to the data on this experiment, they stumbled on something big. Something that is changing housing policy across the country today.

Today's episode was originally hosted by Karen Duffin, produced by Aviva DeKornfeld, and edited by Bryant Urstadt. The update was hosted by Amanda Aronczyk, produced by Sean Saldana and fact checked by Sierra Juarez. Our supervising executive producer is Alex Goldmark.

Help support Planet Money and hear our bonus episodes by subscribing to Planet Money+ in Apple Podcasts or at plus.npr.org/planetmoney.

Learn more about sponsor message choices: podcastchoices.com/adchoices

NPR Privacy Policy

Ada Vista Preschool will no longer be offered. Due to construction and limited space it was decided to discontinue the Spanish Immersion preschool at Ada Vista.

The post Latest Updates from Child Care Services appeared first on Forest Hills Public Schools.