Embedding security throughout your company has greater organizational impact and myriad benefits.

As cybersecurity has become an increasingly important consideration in corporate decision-making, there's been a corresponding move to elevate the role of the chief information security officer (CISO) to a higher point in the executive hierarchy. The reasoning seems to be, "If cyber is important, CISOs must be important." However, elevating the role sets the CISO up to be a lone voice in the desert crying "security," with little connection to the day-to-day decision-makers in IT, engineering, or products.

This has led to some undesirable consequences, like the Facebook exec who thought it was OK that the company's security measures caused hours-long delays in responding to its Oct. 4, 2021, outage, or the Uber exec who paid off hackers who breached his system, rather than acknowledge the breach, or the numerous CISOs who have invested in "additional layers of security" rather than admit they made poor selections initially. In all of these cases, the CISO's isolation from functional business units undoubtedly played a role in the tunnel thinking these decisions reflect.

**Organizational Impact**

Perhaps it's time to reimagine the role of the CISO. Maybe it's better to see the CISO's importance reflected in organizational impact rather than organizational status. Perhaps embedding security in functional units will result in better security.

Imagine the CISO as a part of the IT organization ecosystem. They would be involved in every decision about the infrastructure, and security concerns would be integral to those decisions rather than tacked on after the fact. This would allow for a set of "security" solutions based on how the network is structured and managed, rather than on special security capabilities inserted into the infrastructure by an outside group.

Imagine a security expert embedded in the software development organization. They would be able to refine the development process to make sure code is written and tested with an eye to security, without saddling the developers with processes that are alien to them, thereby reducing the vulnerabilities in the company's code. Imagine a security expert embedded in product lines. They would be able to make sure the corporate infrastructure protects their IP and that their development process reduces the vulnerabilities in their product.

In all these cases, security becomes a factor in corporate decisions grounded in the reality of corporate operations. The technical expertise of the CISO becomes integral to day-to-day work rather than a constraint imposed upon it. Similarly, security and compliance need to work seamlessly so that financial systems and communications with partners and vendors remain secure. This extends to telecom systems and other hardware.

**The Risk Factor**

This seems like a more impactful way to make the technical dimension of security a powerful voice in company execution. However, one may wonder if this will diminish the policy dimension, balkanizing it to address the special interests of individual functional units. This concern can be addressed by expanding the role of the chief risk officer to include the security policy functions currently carried out by the CISO. 

This has the benefit of keeping security policy at the C-level, where it gets the attention it needs. It has the further benefit of having cybersecurity risk considered in the context of other risks (risk to availability, risk to reputation, to address the cases above). Security would no longer be an end in itself, but a dimension of doing business. This doesn't mean security needs to battle it out with other concerns and make accommodations that compromise the security posture of the organization. Rather, it sets up an environment that trades the either/or mentality for one that seeks to satisfy all requirements.

There are numerous access control technologies that would have protected Facebook effectively without locking out its own personnel. When the security risk is considered along with the availability risk, those more pragmatic solutions would emerge.

Reimagining the Role of the CISO

New technologies designed into processors allow enterprises to leverage cloud advantages while meeting privacy regulations.

Data security in the public cloud has been a concern since the computing medium emerged in the mid-2000s, but cloud providers are allaying fears of theft with a new concept: confidential computing.

Confidential computing involves creating an isolated vault on hardware — also called a trusted execution environment — in which encrypted code is protected and stored. The code is accessible only to applications with the right keys, which are usually a combination of numbers, to unlock and then decrypt it. A process called attestation verifies all is correct, minimizing the chances of unauthorized parties stealing or pilfering the data.

Confidential computing offers the "ultimate in data protection," said Mark Russinovich, chief technology officer at Microsoft Azure, during a streamed session at the company's Ignite conference in October.

"Because it is inside the enclave, protected by hardware, nothing outside can see that data or tamper with it," he said. "That includes people with physical access to the server, the server administrator, the hypervisor, and the administrator of an application."

Confidential computing allows companies to migrate workloads that rely heavily on data privacy and security to the cloud, analysts say. Companies in highly regulated industries like healthcare and finance can move to cloud services while maintaining their security posture.

**Spying the Holes in the Clouds**

Since its early days, the utilitarian appeal of cloud computing, in terms of pricing and flexibility, largely drowned security concerns. The most vocal criticism of cloud computing was the prospect of privacy being impossible to ensure because guest workloads could not be completely isolated from the host system, says James Sanders, principal analyst for cloud, infrastructure, and quantum computing at technology research firm CCS Insight.

"However, the disclosure of the Spectre and Meltdown vulnerabilities in 2018 demonstrated the potential for a malicious cloud tenant to exfiltrate data from the workloads of other processes on the same host system," Sanders says.

The vulnerabilities exposed to hackers confidential information leaving secure enclaves. The twin attacks also pushed along the wider idea of confidential computing, in which encrypted code was accessible to only authorized parties but would not leave isolated enclaves.

Confidential computing prevents bad guys from breaking into servers and stealing secrets, says Steve Leibson, principal analyst at Tirias Research.

"The state-sponsored \[attacks\] are the most difficult and the most sophisticated," he says. "So at this point you really have to think about protecting data in use, in motion, and stored. It must be encrypted in all three situations."

**Grounding Confidential Computing in Silicon**

Confidential computing is changing the way hardware makers and cloud providers think about applications on virtual machines and not directly on processors, Leibson says.

"When we ran on processors, we didn't need attestation because nobody was going to alter a Xeon," he says. "But a virtual machine — that's just software. You can alter it. Attestation is trying to provide the same sort of rigidity to software machines as silicon does for hardware processors."

Chip makers have since taken a security-first approach in chip design, and it has trickled down to cloud offerings. Last month Google, Nvidia, Microsoft, and AMD jointly announced a specification called Caliptra to establish a secure layer on chips where the data can be protected and trusted. The specification protects the boot sector, provides attestation layers, and safeguards against conventional hardware hacking, such as glitching and side-channel attacks. Caliptra is managed by the Open Compute Project and Linux Foundation.

"We are looking ahead to future innovations in confidential computing and varied use cases that require chip-level attestation at the level of a package or system on a chip (SoC)" with Caliptra, wrote Parthasarathy Ranganathan, vice president and technical fellow at Google, in a blog entry posted during the Google Cloud Next event that took place in mid-October.

Google already has its own confidential computing technology called OpenTitan, which is mainly focused on protecting the boot sector.

Microsoft's previous efforts at confidential computing relied on partial enclaves rather than protecting the entire host system, CCS Insight's Sanders says. However, this month the company announced Azure virtual machines with confidential computing based on technology baked into Epyc, a server processor from AMD. AMD's SNP-SEV encrypts data when it is loaded into a CPU or GPU, which protects data while being processed.

**Clearing the Way to Real-World Compliance**

For enterprises, confidential computing offers an ability to secure data in the public cloud as required by regulations like Europe's General Data Protection Regulation and the United States' Health Insurance Portability and Accountability Act, analysts say.

"Availability of administrator-proof encryption in the cloud undercuts one of the longest-serving anti-cloud talking points, since shielding workloads from the cloud platform operator effectively eliminates the largest remaining source of risk preventing adoption of public cloud," Sanders says.

The AMD technology appeared in general-purpose virtual machines earlier this year, but the announcements at Ignite extends the technology to Azure Kubernetes Service, which provides additional security for cloud-native workloads. The AMD technology on Azure is also designed for use in bring-your-own-device workplaces, remote work, and graphics-intensive applications.

Cloud Providers Throw Their Weight Behind Confidential Computing

Apple engineers share technical details about the team's work on memory safety features on the new Apple Security Research site.

Apple's work on hardening the memory allocator has made it harder for attackers to exploit certain classes of software vulnerabilities on iOS and Mac devices, the company's security engineers wrote on a new website Apple launched to share technical details behind iOS and MacOS security technologies.

The new initiative, Apple Security Research, also offers tools to help security researchers report issues to Apple, get real-time status updates for submitted reports, communicate securely with Apple engineers investigating the issue, and provides information about the Apple Security Bounty program. The intent behind the new security hub is to share with the research community how Apple engineers approach security challenges, and also to invite researcher contributions and feedback.

Memory safety is a key area of focus, especially since memory safety violations are the most widely exploited class of software vulnerabilities. On Apple platforms, improving memory safety includes "finding and fixing vulnerabilities, developing with safe languages, and deploying mitigations at scale," the engineers wrote in a technical post on XNU memory safety.

XNU is the kernel at the core of iPhones, iPads, and Macs.

Much of the code running on the iPhone, iPad, and Mac were written using "memory-unsafe" programming languages, which means they don’t prevent memory safety violations and developers can inadvertently and unknowingly violate memory safety rules while writing code, the researchers wrote. Those issues can be exploited by attackers to crash software, execute unauthorized command, and harvest sensitive information.

It is infeasible to rewrite large amounts of existing code using memory-safe languages, so "improving memory safety is an important objective for engineering teams across the industry,” the engineers wrote.

Apple laid the groundwork for the hardened memory allocator _kalloc\_type_ back in iOS 14 when it introduced _kheaps_, the data split, and virtual memory sequestering. Apple added randomized bucketed type isolation to the zone allocator when it introduced _kalloc\_type_ in iOS 15. With the release of iOS 16 and macOS Ventura, the hardened allocator is now available on all the systems using the XNU kernel.

"Our fundamental strategy is to design an allocator that makes exploiting most memory corruption vulnerabilities inherently unreliable," the researchers wrote. "This limits the impact of many memory safety bugs even before we learn about them, which improves security for all users."

In Apple's update on its bounty program, the company said it has awarded close to $20 million to security researchers over the past two-and-a-half years since the program was launched. While average payouts are around $40,000 in the product category, the company has paid 20 separate rewards over $100,000 for high-impact issues. Evaluation criteria researchers need to meet in order to collect bounties are available on Apple Security Research.

Apple Launches New Security Research Hub

Without even asking for permissions, the newly discovered 'SiriSpy' flaw in Apple's iOS Bluetooth access could allow someone to access user interactions with Siri and keyboard-dictation audio.

For anyone who thought their conversations with Siri were sacred and keyboard dictation recordings were secure, a new analysis found a flaw in the iOS Bluetooth that could allow someone to grab audio from both. 

The find is from researcher Guilherme Rambo, who published details of an Apple iOS flaw he calls "SiriSpy," tracked under CVE-2022-32946. It would let a malicious app that a user has been convinced to install eavesdrop on audio interactions with iPhones.

"Any app with access to Bluetooth could record your conversations with Siri and audio from the iOS keyboard dictation feature when using AirPods or Beats headsets," Rambo wrote. "This would happen without the app requesting microphone access permission, and without the app leaving any trace that it was listening to the microphone." 

Rambo explained he regularly does cybersecurity research on AirPods, leading him to the find. 

After alerting Apple to the vulnerability in late August, Rambo said on Oct. 24 that iOS 16.1, along with all of the other remaining Apple operating systems, were updated with a fix. Making the find even sweeter, Rambo added he's been told by Apple he will receive a $7,000 bug bounty for his efforts. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

iOS Bug Lets Apps Record Siri Conversations

The malware is being used to deliver Clop ransomware, in a vicious spate of October attacks that show an evolution in its methods.

The Raspberry Robin cyber-worm operation has infected nearly 3,000 devices in almost 1,000 organizations in the last 30 days, according to Microsoft telemetry — and the threat seems to be molting into something new.

Raspberry Robin was initially spotted back in May, infecting targets via infected USB drives and worming to other endpoints — but then remaining dormant. That changed in July, when Microsoft security researchers saw Raspberry Robin importing the FakeUpdates malware to devices where it was nesting. Further exploration of the activity revealed some infrastructure overlaps with the infamous Dridex Trojan and the Evil Corp (aka DEV-0243) ransomware gang.

Since then, Raspberry Robin has also started deploying IcedID, Bumblebee, and Truebot, according to a Microsoft update on Oct. 27, with researchers uncovering a notable spate of attacks in October that have resulted in Clop ransomware infections. The threat has also taken flight beyond its initial USB access vector, researchers noted, and is now capable of using at least four different methods for gaining purchase on devices.

The computing giant attributes the post-compromise Clop activity to a group it tracks as DEV-0950 -- aka FIN11 or TA505 -- indicating that Raspberry Robin is establishing itself iin the wider cybercrime economy.

"DEV-0950 traditionally uses phishing to acquire the majority of their victims, so this notable shift to using Raspberry Robin enables them to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages," Microsoft researchers noted.

They added, "Given the interconnected nature of the cybercriminal economy, it's possible that the actors behind these Raspberry Robin-related malware campaigns — usually distributed through other means like malicious ads or email — are paying the Raspberry Robin operators for malware installs."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Raspberry Robin's Cyber Worm Infects Thousands of Endpoints

A malicious employee was behind hateful, violent messages on the Post's website and Twitter account, the paper has confirmed.

New York Post readers are accustomed to cheeky headlines, but Thursday morning the news outlet's website and Twitter account were plastered with racist, violent, and explicit messages targeting politicians.

"The New York Post has been hacked," an early morning tweet from the Post's account explained. "We are currently investigating the cause."

The messages have been removed, but they targeted Rep. Alexandria Ocasio-Cortez; President Joe Biden and his son Hunter Biden; New York City Mayor Eric Adams; Texas Governor Greg Abbott; and Ill. Rep. Adam Kinzinger, along with others.

One of the tweets sent by the malicious insider read, "We must destroy and imprison Union teachers."

The site and the New York Post's Twitter feed are currently functioning normally. But the incident highlights the danger that insider threats, armed with credentials, can pose to a business.

"The New York Post's investigation indicates that the unauthorized conduct was committed by an employee, and we are taking appropriate action," a spokesperson for the publication said in a statement following the incident. "This morning, we immediately removed the vile and reprehensible content from our website and social media accounts."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

NY Post Falls Victim to Insider Threat

Even if the security bug is not another Heartbleed, prepare like it might be, they note — it has potentially sprawling ramifications.

Organizations have five days to prepare for what the OpenSSL Project on Oct. 26 described as a "critical" vulnerability in versions 3.0 and above of the nearly ubiquitously used cryptographic library for encrypting communications on the Internet.

On Tuesday, Nov. 1, the project will release a new version of OpenSSL (version 3.0.7) that will patch an as-yet-undisclosed flaw in current versions of the technology. The characteristics of the vulnerability and ease with which it can be exploited will determine the speed with which organizations will need to address the issue.

**Potentially Huge Implications**

Major operating system vendors, software publishers, email providers, and technology companies that have integrated OpenSSL into their products and services will likely have updated versions of their technologies timed for release with the OpenSSL Project's disclosure of the flaw next Tuesday. But that will still leave potentially millions of others — including federal agencies, private companies, service providers, network device manufacturers, and countless website operators — with a looming deadline to find and fix the vulnerability before threat actors begin to exploit it.

If the new vulnerability turns out to be another Heartbleed bug — the last critical vulnerability to impact OpenSSL — organizations and indeed the entire industry are going to be under the gun to address the issue as quickly as possible.

The Heartbleed vulnerability (CVE-2014-0160), disclosed in 2014, basically gave attackers a way to eavesdrop on Internet communications, steal data from services and users, to impersonate services, and do all this with little trace of their ever having done any of it. The bug existed in OpenSSL versions from March 2012 onward and affected a dizzying range of technologies, including widely used Web servers such as Nginx, Apache, and IIS; organizations such as Google, Akamai, CloudFlare, and Facebook; email and chat servers; network appliances from companies such as Cisco; and VPNs.

The disclosure of the bug triggered a frenzy of remedial activity across the industry and sparked concerns of major compromises. As Synopsys' Heartbleed.com site noted, Apache and Nginx alone accounted for a market share of over 66% of active sites on the Internet at the time Heartbleed was disclosed.

There's no telling, until Tuesday at least, if the new flaw will be anything like Heartbleed. But given the almost critical-infrastructure-like use of OpenSSL for encryption across the Internet, organizations would do well not to underestimate the threat, security experts said this week.

**Security Orgs Should Brace for Impact**

"It is a bit difficult to speculate about the impact, but past experience has shown that OpenSSL doesn't use the label 'critical' lightly," says Johannes Ullrich, dean of research at the SANS Institute.

OpenSSL itself defines a critical flaw as one that enables significant disclosure of the contents of server memory and potential user details, vulnerabilities that can be exploited easily and remotely to compromise server private keys.

Version 3.0, the current release of OpenSSL, is used in many current operating systems, such as Ubuntu 22.04 LTS and MacOS Mavericks and Ventura, Ullrich notes. Organizations can expect to receive Linux patches quickly and likely at the same time as the OpenSSL bulletin on Tuesday. But organizations should get ready now, finding out which systems use OpenSSL 3.0, Ullrich says. "After Heartbleed, OpenSSL introduced these preannouncements of security patches," he says. "They are supposed to help organizations prepare. So, use this time to find out what will need patching."

Brian Fox, co-founder and CTO at Sonatype, says that by the time the OpenSSL Project discloses the bug Tuesday, organizations need to identify if they are using a vulnerable version anywhere in their technology portfolio, which applications are using it, and how long it would take for them to remediate the issue. 

"Potential reach is always the most consequential piece of any major flaw," Fox notes. "In this instance, the largest challenge with updating OpenSSL is that often this usage is embedded inside of other devices." In these instances, it can be hard to assess exposure without asking the upstream provider of the technology, he adds.

Anything that communicates with the Internet securely could potentially have OpenSSL built in to it. And it's not just software that can be affected but hardware as well. The advance notice that the OpenSSL Project provided should give organizations time to prepare. "Finding what pieces of software or devices is the first step. Organizations should do that now, and then patching or sourcing updates from the upstream vendors will follow," Fox says. "All you can do at the moment is inventory."

**An Entire Ecosystem Might Need to Update**

A lot will also depend on how vendors of products with vulnerable versions of OpenSSL embedded in them respond to the disclosure. The OpenSSL Project's release of the new version on Tuesday is only the first step. "An entire ecosystem of applications built with OpenSSL will also have to update their code, release their own updates, and organizations will need to apply them," says John Bambenek, principal threat hunter at Netenrich.

Ideally, organizations that have dealt with Heartbleed will have an idea of where their OpenSSL installs are and which of their vendor products will require an update as well. "This is why software bills of materials can be important," Bambenek says. "They can take this time to reach out and understand their suppliers and vendors plans for updates to make sure those updates are applied as well." One likely issue that organizations need to be prepared for is how to deal with end-of-life products for which updates are not available, he adds.

Mike Parkin, senior technical engineer at Vulcan Cyber, says that without evidence of exploit activity and associated indicators of compromise, it is best that organizations follow their normal change management process for when a known update is on the way. "On the security side, it's worth putting some additional focus on systems that might be affected if an exploit emerges before the new release drops," he advises.

There's not enough information in OpenSSL Project's announcement to say how much work will be involved in the upgrade, "but unless it requires updating certificates, the upgrade will probably be straightforward," Parkin predicts.

Also on Nov. 1, the OpenSSL project will release OpenSSL version 1.1.1s, which it described as a "bug-fix release." Version 1.1.1, which it replaces, is not susceptible to the CVE that is being fixed in 3.0, the project noted.

Prepare Now for Critical Flaw in OpenSSL, Security Experts Warn

A bipartisan bill aims to create a usable framework for the use of open source components when building applications, which Google is urging the private sector to support.

Google is throwing its considerable weight behind a proposed U.S. government-led policy framework aimed at shoring up security for open source software, urging the private sector to support the initiative.  

The Securing Open Source Software Act introduced in the Senate last month \[PDF\] is a bipartisan bill that would create a security and risk-mitigation blueprint for the federal government's use of open source software.

"We are glad to see a continued emphasis on the importance of open-source software security from the U.S. government, and we hope that both public and private organizations will follow their lead to promote improved cybersecurity for the ecosystem at large," noted Royal Hansen, engineering vice president for Google’s trust and safety team, in an Oct. 27 blog post.

Open source software code, i.e., the freely available building blocks for applications of all stripes, is fundamentally the engine that drives modern digital enterprise. But malicious cyber activity against the software supply chain has infamously spiraled in the past few quarters, from SolarWinds to Log4Shell to a cornucopia of malicious and poisoned projects and packages popping up in trusted code repositories like npm.

Hansen noted that "seemingly simple questions about the open-source supply chain are still difficult to answer," including:

*   Does a project contain known vulnerabilities?
*   Are the project’s maintainers and community following security best practices during software development?
*   What open source dependencies are part of a particular piece of software?
*   How secure was the distribution supply chain?

Google has been actively working on the problem, through initiatives like extending its bug-bounty efforts to open source. The industry has championed approaches like software bills of material (SBOMs) and automated code reviews to help catch vulnerable pieces before they propagate too far across the landscape. Google and other tech giants have also invested millions into nonprofit organizations and software foundations like the Open Source Security Foundation to support open source creators. On the policy side, the US government has embraced SBOMs for agencies, among other moves.

The new federal legislation, if it passes, will encourage more public-private partnership, and bring the public sector to the table in even more meaningful ways, according to the tech behemoth.

"Securing open-source software is a shared responsibility, and we look forward to continued collaboration on this urgent, critical problem," Hansen said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Trumpets US Federal Open Source Security Initiative

Industry-first unified identity platform provides the building blocks to help businesses build and operate their unique identity process end-to-end.

**SAN FRANCISCO, Oct. 27, 2022 /PRNewswire/ —** Persona today launched the next evolution of its unified identity platform to help businesses mitigate online fraud and meet ever-evolving compliance standards. The new Persona platform connects, centralizes and orchestrates all fragmented identity data, disparate systems and identity operations under a single infrastructure. Leading companies—including Square, Gusto, Revel, Toast, Coursera, and Dapper Labs—leverage Persona to quickly adapt to evolving fraud techniques and regulatory compliance requirements—all while creating a frictionless experience for customers.

"With rising fraud rates and tightening regulation, organizations need to ensure the people and businesses they work with are who they say they are," said Rick Song, CEO, Persona. "But the way businesses manage and verify their customers' identities today is purely transactional. This is because identity is ever-evolving and incredibly resource-intensive to manage. No use case is created equal. The rigor necessary for a company to verify one user might drastically differ from another due to a number of factors, including transaction risk, location and associated regulations. And applying a one-size-fits all approach leads to high failure rates and frustrated customers."

**The New Persona Platform: Building Blocks for Identity Operations**

In order for businesses to effectively mitigate fraud and stay compliant, they need to be able to customize the way they interact and build a relationship with each user. Persona's configurable building blocks allow organizations to tailor and streamline each stage of their unique identity processes. Solutions include:

*   **Verifications:** the industry's most robust and fully-automated suite of international verification tools—e.g., database, documentary, biometric, digital ID, and behavioral signals.
*   **Dynamic Flow:** the first dynamic risk assessment engine that customizes the way businesses collect and verify information based on real-time signals.
*   **Cases:** a fully-customizable investigation center that can be tailored and optimized for every team's unique internal review processes.
*   **Workflows:** a flexible no-code identity process automation builder that can ingest data, automate complex decisions, and trigger actions.
*   **Graph:** a link analysis and fraud investigation solution that proactively surfaces hidden fraud rings and detects new fraud patterns.
*   **Marketplace:** a robust library of integrations with identity data providers and business productivity applications that enables organizations to unsilo and connect identity data to their business systems for better decision-making and automation.

Each of Persona's products work independently and in tandem with each other, allowing businesses to build their ideal solution for any use case. Two of Persona's newest solutions, Graph and Marketplace, illustrate how Persona's building blocks work together seamlessly to power all identity operations from end to end in one place.

For example, if a business is having trouble preventing duplicate account fraud, they can use the Marketplace to consolidate active and passive signals from Persona with third-party signals, such as data from partners including Chainalysis and SentiLink. Graph then takes that information and surfaces suspicious patterns to prevent fraud before it escalates. Finally, the business can use the business platform integrations from the Persona Marketplace to automate any follow-up actions, such as updating accounts in Salesforce or closing out tickets in Zendesk.

Song continued, "In today's constantly changing digital landscape, organizations struggle to balance fraud mitigation and conversion optimization without putting a huge strain on their operations team. With Persona's re-architected platform, companies can tackle every identity need—from identity verification to fraud review—individually, or orchestrate and safeguard their identity operations from end to end by combining building blocks on one cohesive platform."

**ABOUT PERSONA**

Persona offers a unified identity platform that gives businesses the building blocks they need to securely collect, verify, manage, and make decisions about individuals' and businesses' identities—along with automation and orchestration tools to streamline the entire process from end to end.

Founded in 2018, Persona is headquartered in San Francisco and is available in 200+ countries and territories and 20 different languages. Persona serves any business that needs to verify its customers online, including retail, fintech, marketplace, delivery services, real estate and hospitality, HR, edtech, legal services, home and childcare services, and more. For additional information, please visit https://withpersona.com/.

Persona Launches Unified Identity Platform to Fight Fraud and Reduce Compliance Risk

70% of investors on the cap table are women.

**TORONTO – October 27, 2022** **—** Cybersecurity startup Protexxa today announced it has raised CAD$4 million in seed funding. The company, which launched at an intimate event earlier this month, aims to address the risk to businesses resulting from gaps in personal cybersecurity for both companies and individuals. Its seed funding round was led by BKR Capital, which makes transformational investments in disruptive companies and promising Black technology founders. The Firehood Angels and several angel investors, including Jeff Fettes, Annette Verschuren, and Leen Li also participated in the round. The funds will be used to build out the cybersecurity platform with assisted remediation technology, facilitate pilots with global customers, and prepare to scale its operations. The company is currently in the process of filing several patents.

Protexxa is the brainchild of global information technology leader and cybersecurity executive Claudette McGowan. Prior to Protexxa, McGowan held the role of Global Executive Officer for Cybersecurity at TD Bank. As she is passionate about advancing women in technology, 70% of Protexxa investors are women.

**Protexxa Personalized Cybersecurity Protection Platform**

Of the 4.95 billion global internet users, half are victims of cybercrime and most don’t even realize they have been compromised. Protexxa is addressing the human element of cybersecurity by connecting the dots between personal cyber hygiene and business risk. Using artificial intelligence (AI), the Protexxa platform rapidly identifies, evaluates, predicts, and resolves common cyber issues. With 43% of cyberattacks aimed at small businesses, cyber solutions for businesses of all sizes are needed now more than ever.

Protexxa’s personalized cybersecurity protection platform is currently being piloted across several industries including government, academia, and healthcare.

“Since the pandemic, cybercrime has quadrupled and continues to accelerate. Our goal is to be part of the solution. Through Protexxa, we will democratize cybersecurity by making it more accessible for both businesses and individuals,” says McGowan, who is at the helm of Protexxa in the role of Chief Executive Officer. “The key is to connect the dots on how personal cyber hygiene can affect an organization. This means identifying blind spots and building out personalized training, assessment, and awareness plans to move cyber health in a positive direction.”

**Protexxa Advisory Circle**

As Protexxa Advisory Chair, Jodi Kovitz leads the company’s Advisory Circle, which includes notable executives such as Wes Hall, Chairman of Kingsdale; Sherry Shannon-Vanstone, former CEO of Trustpoint and now CEO of Profound Impact; Yung Wu, CEO of MaRS; Jean Augustine, CEO of Jean Augustine Centre for Young Women's Empowerment; and Larissa Holmes, former Chief Talent Officer at Borrowell.

**Cyber Security Fast Facts**

*   90% of digital breaches and attacks are caused by human error.
*   Remote work and lockdowns has resulted in a 50% increase in worldwide internet traffic, leading to new cybercrime opportunities.
*   Global spending on cybersecurity exceeded $1 trillion in 2021.
*   More than 90% of successful attacks against businesses originate from phishing.
*   $21 billion is anticipated to be spent annually on training and cyber awareness by 2027.

**About Protexxa**

Protexxa is a B2B SaaS cybersecurity startup that connects the dots between personal cyber hygiene and business risk. Using artificial intelligence (AI), the Protexxa platform rapidly identifies, evaluates, predicts, and resolves common cyber issues. With a key focus on prevention and increasing global cyber literacy, Protexxa also offers personalized training and consulting for companies worldwide. For additional information, visit protexxa.com.

Source

DARKReading