ISO 27001 Blind Spots: What Your Auditors Are Finding (And You're Missing) + Security News Roundup for the Week
Internal ISO 27001 audits reveal common non-conformities including inadequate risk assessment methodologies, missing information security objectives, outdated policy acknowledgements, and limited change management scope, presenting valuable opportunities for improvement before certification audits.

Happy Friday!
Welcome to Cycoresecure.com, your go-to partner for transforming security and compliance into effortless processes. Whether you're a startup or a growing tech company, we provide services to tackle your biggest security challenges, freeing you to focus on scaling your business with confidence. Let's secure your future together!
Make sure to follow our Cycore LinkedIn page and subscribe to receive updates on current events, trends, and industry news that matter to you.
In Today's Rundown
Let’s dive right in.
What caught our attention: ISO 27001 Blind Spots: What Your Auditors Are Finding (And You're Missing)
Organizations pursuing ISO 27001 certification face increasing scrutiny around environmental risk factors as auditors adapt to 2024's updated requirements. A recent internal audit discussion revealed several subtle but important compliance gaps that security teams should address before formal certification:
Environmental disruption documentation is now mandatory
- The February 2024 standards update explicitly requires assessment of environmental risks
- Most organizations omit pandemics, climate change, and large-scale environmental disruptions
- Internal/external context documents must now specifically mention climate risks
Information security objectives require measurable KPIs
- Many security programs lack quantifiable targets for incident response improvement
- KPIs like "reduce incident response time" must specify exact metrics (e.g., "from X to Y hours")
- Measurement methodologies must produce consistent, comparable, and reproducible results
Risk assessment frameworks contain logical inconsistencies
- Common issue: stating "risks over 15 are unacceptable" when the calculation method caps at 9
- Technical risks (malware, application vulnerabilities) are often missing from risk registers
- AI-specific risks are now explicitly questioned by auditors, regardless of actual AI usage
Organizations should review their ISO 27001 documentation with particular attention to risk acceptance thresholds, environmental considerations, and ensuring that information security objectives include specific, measurable targets with defined evaluation methods.
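The three documentation gaps above (an unreachable acceptance threshold, missing risk categories, objectives without numeric targets) can be checked mechanically before the certification audit. The script below is an added illustration, not part of the newsletter or any ISO tooling; the 3x3 likelihood-by-impact scoring method, the required category names and the unit pattern for measurable objectives are constructed assumptions that should be adapted to your own methodology.

```python
import re
from dataclasses import dataclass

# Constructed scoring method: likelihood and impact are each scored 1..3,
# so the highest score the method can ever produce is 3 * 3 = 9.
@dataclass
class RiskMethod:
    likelihood_max: int
    impact_max: int
    unacceptable_above: int  # policy statement "risks over N are unacceptable"

    def max_score(self) -> int:
        return self.likelihood_max * self.impact_max

# Categories an auditor expects to see in the register even when the
# organisation believes they do not apply (assumed names for this example).
REQUIRED_CATEGORIES = {"technical", "environmental", "ai"}

# A measurable objective states a number with a unit, e.g. "to 4 hours" or "95 %".
_TARGET = re.compile(r"\d+(?:\.\d+)?\s*(?:(?:hours?|minutes?|days?|percent)\b|%)", re.I)

def audit_method(method: RiskMethod) -> list[str]:
    """Flag an acceptance threshold that the scoring method can never reach."""
    if method.unacceptable_above >= method.max_score():
        return [f"threshold >{method.unacceptable_above} is unreachable: "
                f"max score is {method.max_score()}"]
    return []

def audit_register(method: RiskMethod, risks: list[dict]) -> list[str]:
    """Flag missing risk categories and scores outside the method's scales."""
    findings = []
    present = {r["category"] for r in risks}
    for cat in sorted(REQUIRED_CATEGORIES - present):
        findings.append(f"no {cat} risks recorded")
    for r in risks:
        if not (1 <= r["likelihood"] <= method.likelihood_max
                and 1 <= r["impact"] <= method.impact_max):
            findings.append(f"{r['name']}: score outside the method's scales")
    return findings

def objective_is_measurable(objective: str) -> bool:
    """True when the objective names a numeric target with a unit."""
    return _TARGET.search(objective) is not None

if __name__ == "__main__":
    # Constructed sample: the exact inconsistency the auditors described.
    method = RiskMethod(likelihood_max=3, impact_max=3, unacceptable_above=15)
    register = [{"name": "ransomware", "category": "technical", "likelihood": 3, "impact": 3}]
    for finding in audit_method(method) + audit_register(method, register):
        print("finding:", finding)
    print(objective_is_measurable("reduce incident response time"))
```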
Security, Privacy and Compliance roundup
🔐 Security
GitHub Supply Chain Breach Hits Coinbase
A supply chain attack via the tj-actions/changed-files GitHub Action exposed secrets in 218 repositories, with Coinbase identified as the primary target.
Critical Ingress NGINX Vulnerabilities Enable RCE
Five flaws in Ingress NGINX Controller affect over 6,500 Kubernetes clusters, allowing unauthenticated remote code execution—patches are strongly advised.
🛡️ Privacy
Microsoft Adds Inline Data Protection to Edge
Microsoft has integrated inline data protection in Edge for Business to block GenAI data leaks and bolster privacy for enterprise users.
23andMe Bankruptcy Raises DNA Privacy Fears
Genetic testing company 23andMe filed for bankruptcy, raising concerns about the security of sensitive customer DNA data. Users are advised to delete their data.
📜 Compliance
CISA Flags Actively Exploited NAKIVO Vulnerability
CISA added CVE-2024-48248 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal systems to patch NAKIVO Backup flaws by April 9, 2025.
Why Continuous Compliance Monitoring is Crucial
A new report highlights that over 33 million U.S. SMBs are at risk of non-compliance, and stresses the importance of real-time automated control monitoring.
Let's Build Trust
Work with us or follow along:
Cycore builds enterprise-grade security, privacy and compliance programs for the modern organization. Partner with us.
Follow us on LinkedIn for security, privacy & compliance updates!
How else can we help? Feedback? Have a question? Reply to this email.
Know someone who would like this email? Forward it to a friend...
Your security & compliance ally,
Cycore Team