Check out key findings and insights from the “Tenable Cloud AI Risk Report 2025.” Plus, get fresh guidance on how to transition to quantum-resistant cryptography. In addition, find out how AI is radically transforming cyber crime. And get the latest on open source software security; cyber scams; and IoT security.

Dive into six things that are top of mind for the week ending March 21.

1 - Tenable: Orgs using AI in the cloud face thorny cyber risks

Using AI tools in cloud environments? Make sure your organization is aware of and prepared for the complex cybersecurity risks that emerge when you mix AI and the cloud.

That’s a key message from the “Tenable Cloud AI Risk Report 2025,” released this week and based on a telemetry analysis of public cloud and enterprise workloads scanned through Tenable products.

“Cloud security measures must evolve to meet the new challenges of AI and find the delicate balance between protecting against complex attacks on AI data and enabling organizations to achieve responsible AI innovation,” Liat Hayun, Tenable’s VP of Research and Product Management for Cloud Security, said in a statement.

Key findings from the report include:

• 70% of cloud workloads with AI software installed have at least one critical vulnerability, compared with 50% of cloud workloads that don’t have AI software installed.
• 77% of organizations have the overprivileged default Compute Engine service account configured in Google Vertex AI Notebooks – which puts all services built on this default Compute Engine at risk.
• 91% of organizations using Amazon Sagemaker have the risky default of root access in at least one notebook instance, which could grant attackers unauthorized access if compromised.
   

These are some of the report's risk mitigation recommendations:

• Take a contextual approach for revealing exposures across your cloud infrastructure, identities, data, workloads and AI tools. 
• Classify all AI components linked to business-critical assets as sensitive, and include AI tools and data in your asset inventory, scanning them continuously. 
• Keep current on emerging AI regulations and guidelines, and stay compliant by mapping key cloud-based AI data stores and implementing required access controls. 
•  Apply cloud providers' recommendations for their AI services, but be aware that default settings are commonly insecure and guidance is still evolving. 
• Prevent unauthorized or overprivileged access to cloud-based AI models and data stores. 
• Prioritize vulnerability remediation by understanding which CVEs pose the greatest risk to your organization. 

To get more information, check out:

• The full “Tenable Cloud AI Risk Report 2025”
• The webinar “2025 Cloud AI Risk Report: Helping You Build More Secure AI Models in the Cloud” on April 17, 2025 at 2 pm EDT
• The video “Why firms need ‘exposure management’ for cloud security”

2 - U.K.’s cyber agency offers post-quantum migration guidance

Is your organization planning to adopt cryptography that can resist attacks from future quantum computers? If so, you might want to check out fresh guidance about this topic.

This week, the U.K. National Cyber Security Centre (NCSC) published “Timelines for migration to post-quantum (PQC) cryptography,” a white paper aimed at helping organizations plan their migration to quantum-resistant cryptography.

“Migration to PQC can be viewed as any large technology transition. In the guidance, we describe the key steps in such a transition, and illustrate some of the cryptography and PQC-specific elements required at each stage of the programme,” reads a companion blog.
 

At a high-level, these are the three main key milestones proposed by the NCSC:

• By 2028
  • Define the organization’s migration goals.
  • Assess which services and infrastructure need to have their cryptography upgraded to PQC.
  • Draft an initial migration plan that includes, for example, the highest priority migration steps; the necessary investment; and what you’ll need from your suppliers.
• By 2031
  • Execute the first, most important PQC migration steps.
  • Refine the PQC migration plan to ensure the roadmap will be fulfilled.
  • Ensure your infrastructure is ready to support PQC.
• By 2035
  • Complete your PQC migration.

The need to migrate to PQC stems from the ability quantum computers will have to decrypt data protected with today’s public-key cryptographic algorithms. These powerful quantum computers are expected to become generally available at some point between 2030 and 2040.

The U.S. National Institute of Standards and Technology (NIST) last year released three quantum-resistant algorithm standards that are ready to be adopted. A fourth one is slated for release next year, and a fifth one, announced last week, should be available in 2027.

For more information about how to protect your organization against the quantum computing cyberthreat:

• “How to prepare for a secure post-quantum future” (TechTarget)
• “Moody’s sounds alarm on quantum computing risk, as transition to PQC ‘will be long and costly’” (Industrial Cyber)
• “Companies Prepare to Fight Quantum Hackers” (The Wall Street Journal)
• “US unveils new tools to withstand encryption-breaking quantum. Here's what experts are saying” (World Economic Forum)
• “Quantum is coming — and bringing new cybersecurity threats with it” (KPMG)
• “Quantum and the Threat to Encryption” (SecurityWeek)

3 - Europol: AI is transforming organized crime

Criminals are enthusiastically embracing AI, which helps them accelerate their malicious activities and operate more effectively.

So said Europol in its report “European Union Serious and Organised Crime Threat Assessment 2025: The changing DNA of serious and organised crime,” published this week.

“As AI-driven systems … become more advanced and user-friendly, criminal networks are increasingly leveraging their capabilities across a wide spectrum of crimes,” the report reads.
 

According to Europol, AI is “fundamentally reshaping” crime by:

• Drastically lowering the barriers to entry for digital crimes by allowing crooks to, for example, craft phishing messages in multiple languages, precisely target victims and craft sophisticated malware
• Allowing fraudsters to create sophisticated synthetic media, such as voice cloning and video deepfakes, to dupe victims, impersonate people and carry out blackmail
• Making crooks more effective by, for example, automating attacks, expanding their scope and scale, and bypassing security controls – all with fewer resources.

“To counter the growing threat of AI-enabled crime, policymakers, law enforcement agencies and the technology sector must collaborate to develop robust safeguards, consistent regulations and advanced detection tools,” the report reads.

For more information about how cybercriminals are leveraging AI:

• “How AI is making phishing attacks more dangerous” (TechTarget)
• “How AI agents help hackers steal your confidential data - and what to do about it” (ZDNet)
• “How cyber criminals are using artificial intelligence (AI) for online threats” (Government of Canada)
• “The near-term impact of AI on the cyber threat” (U.K. NCSC)
• “FBI Warns of Increasing Threat of Cyber Criminals Utilizing Artificial Intelligence” (FBI) 

4 - Groups call for IoT end-of-life disclosure law

Manufacturers of internet-of-things (IoT) devices should be required by law to disclose the products they’re no longer supporting, so that customers are aware of the security risks those products pose.

That’s the opinion of Consumer Reports, the Center for Democracy and Technology, the U.S. Public Interest Research Group and the Secure Resilient Future Foundation, which recently proposed a model bill called the “Connected Consumer Products End of Life Disclosure Act.”

The bill would require IoT manufacturers and internet service providers (ISPs) to provide “clear and timely” information about their connected devices’ support lifecycles.
 

“The proliferation of IoT devices in homes and businesses has created a significant security challenge. When these devices reach their end of life and no longer receive software and security updates, they become vulnerable to exploitation by malicious actors,” reads a joint statement from the groups.

Specifically, the groups want the law to require IoT manufacturers to:

• Clearly disclose for how long they’ll provide security and software updates, and to offer this support for a reasonable amount of time.
• Proactively alert customers when their devices are approaching end-of-life status and offer appropriate guidance.
• Offer details about features that will become inactive, and about potential vulnerabilities and security risks resulting from end-of-life status.

Moreover, the proposed model law would also put the onus on ISPs to remove from customers’ homes any devices they provided once those devices reach end-of-life status.

For more information about IoT and operational technology (OT) security, check out these Tenable resources:

• “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform” (blog)
• “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform: The Importance of Contextual Prioritization” (blog)
• “How To Secure Your IT, OT and IoT Assets With an Exposure Management Platform: Complete Visibility with Asset Inventory and Discovery” (blog)
• “The Invisible Bridge: Recognizing The Risk Posed by Interconnected IT/OT/IoT Environments” (on-demand webinar)
• “How to Unlock Advanced IoT Visibility for Cyber-Physical Systems” (blog)
• “Unlock advanced IoT visibility to better secure your OT environment” (on-demand webinar)

5 - Report: Open source community must prep better for EU’s CRA law compliance

Open-source software manufacturers, project stewards and developers need to beef up on their knowledge of the European Union’s Cyber Resilience Act (CRA), a landmark cybersecurity law whose enforcement is expected to begin in late 2027.

That’s the main takeaway from the new report “Unaware and Uncertain: The Stark Realities of ‘Cyber Resilience Act’ Readiness in Open Source” from the Linux Foundation and the Open Source Security Foundation.

“This report highlights significant knowledge gaps and key strategies to help organizations meet regulatory obligations outlined in the CRA regarding secure software development, while preserving the collaborative and decentralized nature of open source,” Steve Fernandez, OpenSSF’s General Manager, said in a statement.
 

 
The report surveyed 685 respondents, most of them software developers, IT professionals and security professionals. It found that CRA awareness is low, with 62% of respondents saying they’re either “not familiar at all” or are “slightly familiar” with the law. 

Even many respondents who are familiar with the CRA still lack a comprehensive grasp of its scope. For example, 42% of respondents haven’t determined if the law applies to them, and almost 60% aren’t aware of the non-compliance penalties. Furthermore, only 28% correctly said full CRA compliance begins in 2027.

Here are some key recommendations from the report:

• Manufacturers need to adopt a more proactive approach to securing their open source software dependencies by, for example, developing internal security controls and establishing formal contribution processes.
• Stewards should help “scale and standardize” cybersecurity practices and processes throughout the open source ecosystem. The CRA defines stewards as industry organizations, such as the OpenSSF, that support the development of open source software for commercial use.
• Regulatory agencies should provide clear guidance around the CRA so that open source players are clear about the scope and requirements of the law.

The Linux Foundation also released a complementary report titled “Pathways to Cybersecurity Best Practices in Open Source” that features cybersecurity best practices from three of the organization’s projects.

The CRA outlines cybersecurity requirements for the design, development, production and lifecycle maintenance of digital products – both hardware and software – including IoT wares such as connected cars.

For example, the CRA specifies a number of “essential cybersecurity requirements” for these products, including that they:

• Don’t ship with known exploitable vulnerabilities
• Have a “secure by default” configuration
• Can fix their vulnerabilities via automatic software updates
• Offer access protection via control mechanisms, such as authentication
• Protect the data they store, transmit and process

For more information and analysis about the EU’s Cyber Resilience Act:

• “Cyber Resilience Act Requirements Standards Mapping” (ENISA)
• “The Cyber Resilience Act, an Accidental European Alien Torts Statute?” (Lawfare)
• “EU Cybersecurity Regulation Adopted, Impacts Connected Products” (National Law Review)
• “Open source foundations unite on common standards for EU’s Cyber Resilience Act” (TechCrunch)
• “The Cyber Resilience Act: A New Era for Mobile App Developers” (DevOps.com)

VIDEO

The EU Cyber Resilience Act: A New Era for Business Engagement in Open Source Software (Linux Foundation)

6 - FBI: Beware of malicious file-converter tools

Cyber fraudsters are luring victims by offering free online tools for converting files into different formats, according to the U.S. Federal Bureau of Investigation.

While the tools work as advertised, they also perform malicious actions in the background, such as infecting the converted file with malware or stealing personal data from it, including banking information and Social Security numbers.
 

In other scheme variations, the tools may offer to combine files into a single one – such as by consolidating multiple photos into one PDF file – or they may claim to be an MP3 or MP4 downloader.

“Unfortunately, many victims don’t realize they have been infected by malware until it’s too late, and their computer is infected with ransomware or their identity has been stolen,” reads the alert from the FBI’s Denver office.

The FBI recommends thinking twice about using free online tools that offer these functionalities and scanning all files you receive with anti-virus software.