ByteWise Podcast by Daniela Parker

ByteWise

By: Daniela Parker
Unraveling the (con)fusion between Tech & Risk Management
Copyright 2024 All rights reserved.
Category: Economics
Episodes
  • S2E20 Shadow AI and the Haunted Supply Chain
    Sep 30 2025

    With Daniela away, Glen and Brian are running the show! 🤡 They kick things off by breaking down a recent NPM (Node Package Manager) supply chain attack that targets open-source developers through social engineering. This spirals into a larger discussion about the "spiderweb of trouble" within modern software supply chains and the massive, often invisible, risks posed by Shadow IT and Shadow AI. The hosts provide practical, actionable advice for organizations trying to govern tools they don't even know their employees are using, emphasizing that the AI genie isn't going back in the bottle.

    Key Topics Discussed

    • (01:55) Announcement: Join Glen, Brian, and Daniela for their social engineering workshop at SaintCon in Utah!

    • (02:30) The NPM Attack: A deep dive into the ongoing supply chain attack where hackers use stolen developer credentials to inject malicious code into widely used open-source packages.

    • (05:15) The Spiderweb of Trouble: How vulnerabilities in small, third-party components can create massive, tangled risks for organizations, even if they aren't using the components directly.

    • (12:18) Software Bill of Materials (SBOM): A crucial tool for vetting vendors and understanding the security maturity of the products you buy. If a vendor can't provide one, that's a red flag. 🚩

    • (14:05) Shadow AI & Shadow IT: The things you don't know about are the scariest. The hosts discuss the risks of unsanctioned apps and AI tools operating within your environment.

    • (17:21) You Can't Just "Turn Off" AI: Why blocking AI is like fighting a house fire with a squirt gun. Governance through policy and training is the only realistic path forward.

    • (29:40) A Cautionary Tale: A classic real-world example of how a critical business process became dependent on unsupported Shadow IT, leading to panic when it inevitably broke.

    Actionable Advice & Key Takeaways

    • Ask for an SBOM: When procuring software, ask vendors for a Software Bill of Materials (SBOM) to get a clear picture of what's inside their product.

    • Create an AI Policy: Since you can't block AI everywhere, focus on governance. Develop a clear Acceptable Use Policy to give employees guardrails for using AI tools safely.

    • Provide Sanctioned Tools: Enable your team to work efficiently by providing a sanctioned, private AI environment where they can safely use sensitive company data.

    • Go Hunting for Shadows: Use DNS monitoring and review company credit card expenses to identify unsanctioned third-party applications and services being used in your organization.

    • Build a Security Culture: Technical controls aren't enough. Foster a strong security culture where employees understand the why behind the policies and feel empowered to make smart decisions about data.

    34 m
  • S2E19: ByteWise - Credit Union Edition
    Sep 16 2025

    In this special Credit Union Edition of the ByteWise Podcast, Daniela, Brian, and Glen are joined by Tom Costello, CEO of Upstreme, to unpack the future of the Automated Cybersecurity Examination Tool (ACET) and its impact on credit unions.

    For years, ACET has been the standard tool for cybersecurity self-assessments, but with its foundation—the FFIEC’s Cybersecurity Assessment Tool (CAT)—now officially sunset, credit unions must prepare for what comes next.

    What We Cover
    • ACET’s Rise and Sunset: Why the tool was created, its limitations, and why regulators are moving away from it.

    • Alternative Frameworks: Deep dive into the top three contenders—NIST CSF 2.0, the CRI Profile, and the CIS Controls—and what each offers.

    • Credit Union Realities: Challenges for smaller institutions, including ISE framework considerations, resource constraints, and scaling expectations.

    • Transition Strategies: Practical advice on mapping from ACET to modern frameworks, avoiding common mistakes, and creating a smooth shift.

    • Bigger Picture: How technologies like AI and Zero Trust Architecture are reshaping InfoSec, and why now is the perfect moment for credit unions to reframe cyber risk conversations with boards and leadership.

    • Risk & Governance: Connecting frameworks to enterprise risk management, risk appetite, and governance functions—ensuring cyber strategy aligns with organizational strategy.

    Key Quotes
    • “All frameworks are wrong. Some of them are just more useful than others.” – Tom Costello

    • “The biggest mistake is doing nothing and sticking with ACET.” – Tom Costello

    Resources & Links
    • NIST Cybersecurity Framework 2.0

    • Financial Services CRI Profile

    • CIS Controls

    • Upstreme

    • Connect with Tom
    32 m
  • S2E18 Cybersecurity Awareness on a Shoestring Budget
    Sep 1 2025

    Welcome back to ByteWise! October is right around the corner, and it is Cybersecurity Awareness Month. This episode is packed with budget-friendly, creative ideas to boost security awareness in your organization and personal life. The four key themes of this year's Cybersecurity Awareness Month are strong passwords, multi-factor authentication (MFA), recognizing phishing, and updating software.

    The hosts discuss why these "usual suspects" are still critical topics. They explore the importance of MFA not just at work but on personal accounts like email and online banking. To make learning engaging, they brainstorm several low-cost activities:

    • "Build Your Digital Fortress" Workshop: A hands-on session to walk employees through setting up MFA on their personal accounts.

    • The MFA Rollout Race: A friendly competition between departments to see who can get the highest adoption rate, with winners receiving fun, inexpensive prizes like stickers or 3D-printed trinkets.

    • "Password Creation Cook-Off": A challenge encouraging employees to create the most creative and strong passphrase, using online tools to "score" their strength.

    • The "Set It and Forget It" Campaign: A drive to teach people how to enable automatic software updates on their personal devices to ensure they are always protected.

    • "Reverse Phishing" Challenge: An innovative activity where employees are challenged to create their own convincing (but harmless) phishing email to better understand the psychology and tactics used by attackers.

    The conversation also touches on the importance of using password managers, following NIST guidelines for password creation, and the critical need for leadership buy-in to make any awareness campaign successful. The key is to make security training engaging, positive, and presented in bite-sized, low-cost pieces to ensure it resonates with everyone.

    32 m