Check out key findings and insights from the “Tenable Cloud AI Risk Report 2025.” Plus, get fresh guidance on how to transition to quantum-resistant cryptography. In addition, find out how AI is radically transforming cyber crime. And get the latest on open source software security; cyber scams; and IoT security.
Dive into six things that are top of mind for the week ending March 21.
Using AI tools in cloud environments? Make sure your organization is aware of and prepared for the complex cybersecurity risks that emerge when you mix AI and the cloud.
That’s a key message from the “Tenable Cloud AI Risk Report 2025,” released this week and based on a telemetry analysis of public cloud and enterprise workloads scanned through Tenable products.
“Cloud security measures must evolve to meet the new challenges of AI and find the delicate balance between protecting against complex attacks on AI data and enabling organizations to achieve responsible AI innovation,” Liat Hayun, Tenable’s VP of Research and Product Management for Cloud Security, said in a statement.
Key findings from the report include:
These are some of the report's risk mitigation recommendations:
To get more information, check out:
Is your organization planning to adopt cryptography that can resist attacks from future quantum computers? If so, you might want to check out fresh guidance about this topic.
This week, the U.K. National Cyber Security Centre (NCSC) published “Timelines for migration to post-quantum (PQC) cryptography,” a white paper aimed at helping organizations plan their migration to quantum-resistant cryptography.
“Migration to PQC can be viewed as any large technology transition. In the guidance, we describe the key steps in such a transition, and illustrate some of the cryptography and PQC-specific elements required at each stage of the programme,” reads a companion blog.
At a high level, these are the three main milestones proposed by the NCSC:
The need to migrate to PQC stems from the expected ability of future quantum computers to break today’s public-key cryptographic algorithms and so decrypt data protected with them. Such quantum computers are expected to become generally available at some point between 2030 and 2040.
The U.S. National Institute of Standards and Technology (NIST) last year released three quantum-resistant algorithm standards that are ready to be adopted. A fourth one is slated for release next year, and a fifth one, announced last week, should be available in 2027.
For more information about how to protect your organization against the quantum computing cyberthreat:
Criminals are enthusiastically embracing AI, which helps them accelerate their malicious activities and operate more effectively.
So said Europol in its report “European Union Serious and Organised Crime Threat Assessment 2025: The changing DNA of serious and organised crime,” published this week.
“As AI-driven systems … become more advanced and user-friendly, criminal networks are increasingly leveraging their capabilities across a wide spectrum of crimes,” the report reads.
According to Europol, AI is “fundamentally reshaping” crime by:
“To counter the growing threat of AI-enabled crime, policymakers, law enforcement agencies and the technology sector must collaborate to develop robust safeguards, consistent regulations and advanced detection tools,” the report reads.
For more information about how cybercriminals are leveraging AI:
Manufacturers of internet-of-things (IoT) devices should be required by law to disclose the products they’re no longer supporting, so that customers are aware of the security risks those products pose.
That’s the opinion of Consumer Reports, the Center for Democracy and Technology, the U.S. Public Interest Research Group and the Secure Resilient Future Foundation, which recently proposed a model bill called the “Connected Consumer Products End of Life Disclosure Act.”
The bill would require IoT manufacturers and internet service providers (ISPs) to provide “clear and timely” information about their connected devices’ support lifecycles.
“The proliferation of IoT devices in homes and businesses has created a significant security challenge. When these devices reach their end of life and no longer receive software and security updates, they become vulnerable to exploitation by malicious actors,” reads a joint statement from the groups.
Specifically, the groups want the law to require IoT manufacturers to:
The proposed model law would also put the onus on ISPs to remove from customers’ homes any devices they provided once those devices reach end-of-life status.
For more information about IoT and operational technology (OT) security, check out these Tenable resources:
Open-source software manufacturers, project stewards and developers need to beef up on their knowledge of the European Union’s Cyber Resilience Act (CRA), a landmark cybersecurity law whose enforcement is expected to begin in late 2027.
That’s the main takeaway from the new report “Unaware and Uncertain: The Stark Realities of ‘Cyber Resilience Act’ Readiness in Open Source” from the Linux Foundation and the Open Source Security Foundation.
“This report highlights significant knowledge gaps and key strategies to help organizations meet regulatory obligations outlined in the CRA regarding secure software development, while preserving the collaborative and decentralized nature of open source,” Steve Fernandez, OpenSSF’s General Manager, said in a statement.
The report surveyed 685 respondents, most of them software developers, IT professionals and security professionals. It found that CRA awareness is low, with 62% of respondents saying they’re either “not familiar at all” or are “slightly familiar” with the law.
Even many respondents who are familiar with the CRA still lack a comprehensive grasp of its scope. For example, 42% of respondents haven’t determined if the law applies to them, and almost 60% aren’t aware of the non-compliance penalties. Furthermore, only 28% correctly said full CRA compliance begins in 2027.
Here are some key recommendations from the report:
The Linux Foundation also released a complementary report titled “Pathways to Cybersecurity Best Practices in Open Source” that features cybersecurity best practices from three of the organization’s projects.
The CRA outlines cybersecurity requirements for the design, development, production and lifecycle maintenance of digital products – both hardware and software – including IoT wares such as connected cars.
For example, the CRA specifies a number of “essential cybersecurity requirements” for these products, including that they:
For more information and analysis about the EU’s Cyber Resilience Act:
Video: “The EU Cyber Resilience Act: A New Era for Business Engagement in Open Source Software” (Linux Foundation)
Cyber fraudsters are luring victims by offering free online tools for converting files into different formats, according to the U.S. Federal Bureau of Investigation.
While the tools work as advertised, they also perform malicious actions in the background, such as infecting the converted file with malware or stealing personal data from it, including banking information and Social Security numbers.
In other scheme variations, the tools may offer to combine files into a single one – such as by consolidating multiple photos into one PDF file – or they may claim to be an MP3 or MP4 downloader.
“Unfortunately, many victims don’t realize they have been infected by malware until it’s too late, and their computer is infected with ransomware or their identity has been stolen,” reads the alert from the FBI’s Denver office.
The FBI recommends thinking twice about using free online tools that offer these functionalities and scanning all files you receive with anti-virus software.
Juan has been writing about IT since the mid-1990s, first as a reporter and editor, and now as a content marketer. He spent the bulk of his journalism career at International Data Group’s IDG News Service, a tech news wire service where he held various positions over the years, including Senior Editor and News Editor. His content marketing journey began at Qualys, with stops at Moogsoft and JFrog. As a content marketer, he's helped plan, write and edit the whole gamut of content assets, including blog posts, case studies, e-books, product briefs and white papers, while supporting a wide variety of teams, including product marketing, demand generation, corporate communications, and events.