Cybersecurity News for Leadership

Edition #55 | Compiled May 19 by Aware Force Cybersecurity

As employees lean on tools like ChatGPT and Claude for research and writing at work, they need to understand that every prompt creates a permanent, reviewable record accessible by the LLM providers and, in some cases, by law enforcement.

• Roughly one‑third of employee ChatGPT inputs include confidential information such as customer details, internal documents, or proprietary code, raising serious data‑exposure and compliance risks for employers.
  
• Conversations are routinely logged on LLM servers, may be retained for months or years, can be reviewed by humans, and remain accessible to the provider when responding to lawful requests even when users turn off “chat history” or opt out of training.
  
• Organizations must instruct employees to treat LLM chats like email: create clear policies for what may be shared, prefer enterprise or self‑hosted LLMs, and remind staff that anything they type into a public AI tool can be discoverable in lawsuits and audits just like any other written communication.

Cyber insurance helps organizations survive ransomware and data breaches, but new exclusions, stricter security requirements, and nation‑state threats mean your next big attack may not be covered.

• To even qualify or renew, customers are being pushed to redesign backup and storage. Underwriters now expect immutable, logically or physically separated backups, independent credentials, and network segmentation. 
  
• In real‑world breach case studies, policies often covered incident response, legal, and recovery costs, but only when they could prove they had met pre‑breach security obligations and followed insurer‑approved playbooks.
  
• Insurers are increasingly excluding “war‑like” and state‑sponsored operations: Lloyd’s now requires syndicates to carve nation‑state attacks out of standalone cyber policies, and many U.S. policies quietly added similar language.

Google’s new Cloud Fraud Defense system is quietly turning reCAPTCHA into a de‑facto gatekeeper for the web: if you don’t have a compatible system, you can’t get into the site. More than 4 million sites use some version of reCAPTCHA, including big names like Spotify, Canva, Medium, Calendly, Pinterest, major news outlets, e‑commerce sites, and SaaS dashboards.

• Users are most likely to hit the QR/Play‑Services flow on registration pages, login forms, password‑reset flows, and checkout/payment steps where merchants turn on “high assurance” verification.
  
• When a site using Cloud Fraud Defense thinks your traffic looks risky (new device, VPN, privacy‑hardened browser, Tor, unusual behavior), you’ll encounter the new system. 
  
• On certain logins, password resets, or payments, instead of “click all the buses” you’ll see a QR code on your desktop and a prompt to scan it with a phone; your desktop session stays blocked until a compatible phone scans and approves it. If you don’t have an approved phone, you’re stuck.

45% of cybersecurity professionals have considered quitting due to stress, while Gartner says nearly 50% of cyber leaders will change jobs by 2025 and one in four will leave the field altogether. What CISOs and executives can do:

• Cut “impossible” workloads with ruthless scoping: Decide what the security team is not responsible for (legacy apps you won’t fix, business units that won’t fund controls) and document those as accepted risks so staff aren’t held accountable.
  
• Invest in your people to avoid burnout: Budget for additional headcount, automation engineers, and training the team wants (certs, labs, conferences), and tie this to the business case.
  
• Measure and reward the right things: Track and report metrics like “critical vulnerabilities closed,” “mean time to detect/respond,” and “business projects shipped securely” so security wins are visible, and build those into performance reviews and bonuses, not just “no breaches this year.”
  
• Normalize talking about burnout: Have leadership openly acknowledge the problem, encourage use of mental‑health benefits, and signal that raising workload or process issues is seen as proactive risk management, not complaining.

AI‑generated child abuse images and deepfake sextortion are rising so fast that schools and child‑safety groups are warning parents to think twice before posting identifiable photos of children online.

• Where the photos originate: random minors found online (class photos, sports teams, influencers) and children known to the offender (classmates, relatives, kids in their care), Instagram, TikTok, and other platforms. Offenders then run them through “nudify,” “undress,” or face‑swap apps to generate explicit deepfakes, meaning no original nude photo is needed.
  
• In one AI‑CSAM dataset, girls accounted for around 94% of identified victims, and many deepfakes are generated from typical “selfies” or posed photos shared by teen girls online.
  
• The UK has become the first to ban AI tools built to create child abuse images and is now pushing a law that forces platforms to remove flagged intimate pictures within 48 hours or face fines of up to 10% of their global revenue. 

Aware Force keeps your employees informed and engaged
about digital risks at work and at home.
All branded and tailored for your organization.
Check out how we compare to other outstanding cybersecurity training solutions here. 

Want to see how we can up your cyber game? Contact us at [email protected].