Archive for the Commentary Category

Shai-Hulud supply chain attacks: Commentary on what NIST 800-171 actually covers (and where it falls short) 

Posted in Commentary with tags on June 9, 2026 by itnerd

More than 100 malicious packages dropped across npm and PyPI in the Shai-Hulud campaign this week—and the reason it’s so hard to stop is structural. The payload rides in on a dependency you’ve already authorized, running with the trust level of installed software. Your perimeter never sees it.

There is a good write-up about it here: Active Exploitation Alert: Shai-Hulud Supply Chain Attack Compromises 100+ NPM and PyPI Packages with Self-Spreading Malware – Rescana

Justin Beals, CEO & Founder, Strike Graph had this to say:

“Shai-Hulud is essentially a zero-day executing from behind the firewall. The malicious code rides in on a dependency you’ve already authorized, running with the trust level of an installed package—so the perimeter and network controls most teams lean on never see it.

NIST 800-171 covers more of this surface than people realize. The workhorses are already in the Rev 2 baseline CMMC Level 2 is assessed against: application allowlisting, least privilege to contain credential theft, a maintained component inventory so you can find affected versions fast, and monitoring to catch the post-install behavior a payload generates. Rev 3 goes further—a dedicated Supply Chain Risk Management family and a shift to deny-all, allow-by-exception software control.

But the honest read: a fully compliant shop can still take this hit. Allowlisting and an SCRM plan raise the attacker’s cost and shrink the blast radius—they don’t stop a poisoned build of a package you already trust. A warning to losing too much headcount on the engineering team is that you may be able to run the deep security testing required to secure your dependencies.”

Gunter Ollmann, CTO, Cobalt contributes this comment:

“Shai-Hulud highlights how supply chain attacks are evolving from isolated compromises into continuously propagating campaigns. The most dangerous aspect isn’t the initial package infection. It’s the attacker’s ability to steal credentials, abuse trusted relationships, and rapidly expand their foothold across interconnected development environments.

Security teams should assume that software dependencies are part of their attack surface and continuously test for weaknesses in build pipelines, package management processes, credential storage practices, and repository access controls. As these attacks become more automated and self-replicating, organizations will need the same level of continuous validation for their software supply chains that they already apply to cloud and production environments.”

Roman Sannikov, Global Research Coordinator, iCOUNTER adds this:

“Shai-Hulud represents an important evolution in supply chain operations because it combines credential theft, trusted-channel abuse, and autonomous propagation into a single campaign. The attackers are no longer focused solely on compromising software. They’re targeting the trust infrastructure that enables software to move through ecosystems at scale.

The malware is self-propagating; it doesn’t need to ping back to the command and control for instructions nearly as much as older malware, making it harder to spot by monitoring for suspicious traffic patterns. The lesson for defenders is that visibility alone is not enough. Organizations must be able to identify compromised credentials, understand how trust relationships connect repositories and development environments, and take coordinated action before a localized compromise turns into a broader ecosystem event. Countering these threats requires disrupting the pathways that allow malicious code to spread, not just detecting the code after it arrives.”

I would recommend pulling any and all permissions related to these packages. Then I would get a baseline of NIST 800-171 so that you don’t get caught with your pants down, metaphorically speaking.

New Research Reveals the More Confident Organizations Are in Their AI Security, the More Likely They’ve Already Been Breached

Posted in Commentary with tags on June 9, 2026 by itnerd

FusionAuth today released its 2026 State of AI and Identity Report, detailing how AI is reshaping identity infrastructure, security posture, and enterprise trust. The findings reveal a profound and counterintuitive crisis: the organizations that feel most prepared are getting hit the hardest.

Sixty-five percent of respondents reported a confirmed AI identity-related security incident in the past 12 months, with another 23% reporting a near miss. Only 12% emerged from the past year without an incident or close call. But the headline finding is not the breach rate alone; it is who is getting breached.

Among organizations that rated themselves “extremely confident” in their AI security posture, 84% had already experienced a confirmed incident. That figure drops to 64% among those “very confident,” and to just 17% among those who are “not so confident.” The gradient is near-perfect: confidence and breach rates move together.

Key Findings at a Glance

  • 88% say AI deployment is outpacing their identity and security infrastructure
  • 65% experienced a confirmed AI identity-related security incident in the past 12 months
  • 84% of organizations that are “extremely confident” in their AI security posture also reported a confirmed incident
  • 80% report shadow AI (employees connecting AI tools without security or IT review)
  • 83% vs 38% confirmed incident rate for multi-tenant SaaS vs. self-hosted identity platforms
  • 85% have faced customer, partner, or regulatory demands to prove tenant isolation
  • 93% say AI is already a trigger for reevaluating identity infrastructure
  • 91% expect identity investment to increase in the next 12–18 months

Confidence is Tracking the Wrong Thing

The report’s most striking finding has significant implications for how the industry benchmarks AI security readiness. Organizations at the top of the confidence scale share a common profile: they are deploying AI broadly, have comprehensive policies, have formalized lifecycle processes, and are investing heavily. They are doing everything a mature organization should, yet they are still being breached at high rates.

The report also notes that organizations with more mature security programs are better at detecting incidents, meaning lower-confidence organizations may not be safer, but simply have less visibility into what is already happening.

Architecture is the New First-Order Security Variable

The deployment model an organization uses for its identity platform correlates strongly with breach outcomes. Organizations using multi-tenant SaaS identity platforms report confirmed incidents at more than twice the rate of those using self-hosted or on-premises deployments: 83% versus 38%.

In a shared SaaS environment, a single compromised token or misconfigured policy does not stay contained. It cascades across every AI workflow connected to the identity layer, model access, data pipelines, automation actions, and downstream services, creating a fundamentally different blast radius than a self-hosted or isolated deployment.

The highest-risk profile in the study is not a low-maturity organization. It is the opposite: companies running AI in production, using AI broadly across the workforce, and operating on multi-tenant SaaS identity infrastructure. In this cohort, 90% reported a confirmed incident and 96% faced shadow AI challenges.

Identity is Now a Commercial Trust Problem

AI identity risk has moved beyond the security team. Eighty-five percent of respondents have faced customer, partner, or regulatory demands to demonstrate tenant isolation at least occasionally, while 56% face it frequently. Tenant isolation has shifted from a backend implementation detail to a commercial requirement that now determines whether enterprise deals close.

Among organizations where AI is the primary driver of identity reevaluation and customers frequently demand proof of isolation, 99% reported a confirmed incident, and 95% are planning significant increases in investment, pointing to a buying motion driven by urgency rather than planning.

Investment is Moving from Incremental to Structural

Ninety-three percent of respondents say AI is already causing or contributing to a reevaluation of identity infrastructure. Sixty-six percent are planning a significant increase in investment, and 91% expect some level of increase in the next 12–18 months. The top evaluation criteria reflect an architectural shift: machine identity at scale (72%), deployment flexibility (57%), fine-grained authorization (54%), and tenant isolation (32%). Total cost of ownership ranked last at 11%.

About the Research

The 2026 State of AI and Identity Report is based on a survey of 312 technology and security leaders, screened for relevance to AI, identity, and security decision-making. Respondents include CTOs, CISOs, VPs and Directors of Product, Engineering, Security, and Platform/Infrastructure across a range of company sizes and industries. The survey was conducted by FusionAuth in early 2026.

DTEX Introduces AI Risk Management

Posted in Commentary with tags on June 9, 2026 by itnerd

DTEX today introduced its expanded AI Risk Management product, extending its platform to secure enterprise use of generative AI tools and autonomous AI agents. As GenAI applications, copilots, and AI agents increasingly operate with access to enterprise data, systems, and workflows, most security solutions still lack the ability to determine human or AI agent intent. DTEX closes that gap with AI Risk Management: a comprehensive suite of AI-native capabilities that apply behavioral intelligence to detect and deter both human and AI-driven risk with the speed and precision of AI.

By combining AI risk management with autonomous investigation and response, DTEX enables organizations to accelerate AI adoption with the visibility, control, and operational confidence required to safely scale AI-driven productivity and innovation across the enterprise.

Monitor and Protect AI Activity

As AI agents begin operating autonomously across enterprise systems, organizations face a new category of risk. Unlike traditional software, AI agents can interpret instructions, access sensitive data, interact with external systems, and make decisions with limited human oversight. Securing these environments requires more than activity monitoring. It requires understanding what the agent was instructed to do, how behavior evolves over time, and whether actions align with expected intent.

DTEX delivers comprehensive visibility into how AI is used across the enterprise and applies deep behavioral context to identify emerging risk before it becomes a breach.

With AI Risk Management, organizations can:

  • Discover sanctioned and unsanctioned AI usage across users, endpoints, and workflows, including browser, IDE, application, and embedded AI activity.
  • Identify shadow AI and embedded copilots in real time, dynamically building sanctioned tool inventories and automatically classifying the risk of unknown or unmanaged AI tools.
  • Monitor prompts, responses, and data movement at a granular level, including uploads, downloads, and AI-generated content, to detect leakage of source code, intellectual property, and sensitive enterprise data.
  • Classify prompts and interactions to support auditing, compliance, and threat investigations, enabling security teams to understand not just what was asked, but why, through behavioral context and intent analysis.
  • Analyze AI activity to infer both human and AI agent intent, distinguishing normal experimentation from risky or malicious behavior by correlating prompts, historical patterns, behavioral baselines, and agent actions over time.
  • Differentiate human versus AI-driven actions and deliver deep visibility into “Computer Use” AI (CUI), including what an agent was instructed to do, how it executed tasks, and the detailed lineage of actions performed across enterprise systems.
  • Detect and prevent autonomous agent-driven data exfiltration using behavioral monitoring, prompt lineage, and AI risk models that proactively identify high-risk agentic behavior and the intersection between human and AI risk.

In one early deployment, DTEX identified an autonomous AI agent exposing sensitive enterprise data despite operating within its intended workflow and permissions. By correlating prompt lineage, behavioral patterns, and contextual activity over time, DTEX surfaced the risk before it resulted in a security incident.

Act on Risk with Autonomous Security Agents

To make AI Risk Management operational, DTEX is also introducing autonomous security agents that apply behavioral context and risk modeling to automate investigation and threat analysis. This enables organizations to differentiate human vs AI-driven activity, track behavioral patterns over time, and understand how AI systems interact with data and identities.

Triage Guardian Agent

Built on more than 20 years of DTEX i³ behavioral expertise, Triage Guardian applies a multi-agent approach to deliver consistent, defensible triage outcomes at scale. Unlike traditional alert-driven workflows that evaluate isolated events, Triage Guardian continuously analyzes behavioral context before, during, and after an incident, allowing agents to effectively rewind and fast-forward investigative timelines to understand how risk evolved over time. It automates investigation workflows, gathers contextual evidence, and applies structured human oversight through independent reviewer agents that validate findings, minimize bias, and ensure conclusions remain evidence-backed. By combining behavioral intelligence with analyst-grade decision logic, Triage Guardian dramatically reduces false positives while minimizing missed risks that conventional triage approaches often fail to detect.

Threat Hunter Agent

Threat Hunter enables proactive threat discovery through agentic workflows, continuously assessing the evolving risk landscape, generating detailed threat analysis, and identifying previously unknown threats before they surface in an incident. Analysts can initiate complex threat hunts using natural language, allowing Threat Hunter to determine how to execute the investigation, correlate findings, and surface relevant risk autonomously. Built on more than 25 years of DTEX i³ threat hunting expertise, including collaborative research with MITRE and FVEY defense partners, Threat Hunter applies proven analyst tradecraft and investigative context to every hunt at machine speed.

Availability

DTEX AI Risk Management is currently available in private preview. Organizations can request access, with broader availability expected next quarter.

Organizations can learn more and request access at www.dtex.ai/ai-risk.

Lookout Study Reveals 93% of CISOs Blinded by False AI Confidence as 59% of Mobile AI Traffic Flows “Dark”

Posted in Commentary with tags on June 9, 2026 by itnerd

Lookout today released the findings of an exclusive survey report conducted with ZK Research, titled “Solving for the Mobile AI Blind Spot: Executive Confidence Meets Technical Reality.” The independent study exposes a systemic architectural failure. An overwhelming 93% of security executives voice absolute confidence in their AI governance, yet traditional network perimeters are completely blind to a massive mobile shadow AI ecosystem.

The evolution of the mobile AI threat landscape

The rapid enterprise shift from desktop browsers to mobile applications has fundamentally broken traditional data security perimeters. When organizations block or throttle generative AI tools on corporate laptops, employee behavior shifts rather than stops. To maintain productivity, employees rely on the ultimate shadow AI bypass route: their personal devices. Today, 52% of all generative AI usage occurs on mobile endpoints, with global knowledge workers routinely uploading sensitive source code, corporate records, and intellectual property.

The technical reality: High spend, zero visibility

Driven by legacy, desktop-era security thinking, organizations are throwing an average of 19% of their 2026 security budgets at AI compliance. Despite this heavy spend, traditional security frameworks are experiencing a systemic structural failure when confronted with mobile-native generative and agentic AI:

  • The Dark Traffic Route: 59% of mobile AI traffic is hidden from traditional network-discovery tools, routing directly between local apps and external clouds without ever crossing a corporate gateway.
  • The Agentic Blind Spot: 68% of enterprises have zero technical visibility into autonomous AI agent workflows that inherit user identity and single sign-on (SSO) tokens to manipulate corporate records out of sight.
  • The Hidden SDK Supply Chain: 72% of organizations are structurally incapable of auditing embedded AI Software Development Kits (SDKs) hidden inside benign-looking everyday mobile applications.

This total absence of mobile-native visibility has immediate operational and board-level consequences. The report confirms that 63% of organizations have actively investigated severe data leaks within the past 12 months where generative AI tools were a definitive contributing factor. Furthermore, 78% of security leaders admit they cannot generate the audit-ready evidence required by emerging frameworks like the EU AI Act, exposing organizations to devastating, tiered global statutory fines that reach up to €35 million or 7% of an enterprise’s total global annual turnover.

Lookout AI Visibility & Governance

To bridge the gap between false security confidence and technical reality, enterprises must abandon perimeter-tied discovery models and deploy a dedicated, mobile-native architecture.

The survey’s findings directly reinforce the critical importance of Lookout’s recent launch of Lookout AI Visibility & Governance. Purpose-built to eliminate the heavy operational friction and “virtualization tax” of legacy architectures, Lookout treats the physical endpoint as the primary control point for AI risk. Operating natively and non-disruptively inside the device environment, Lookout addresses the exact blind spots revealed in the ZK Research data through three primary pillars:

  1. Comprehensive AI Application Discovery: Instantly unmasks every AI-enabled system, background process, and embedded SDK touching corporate data fabrics to neutralize the 72% supply chain visibility gap.
  2. Agentic Behavior Mapping: Tracks autonomous agent actions and single sign-on permission extensions in real time to proactively block unsanctioned workflows before data exfiltration occurs.
  3. Inline Mobile Edge Data Guardrails: Enforces real-time, content-aware data loss prevention (DLP) directly on the physical device, stopping sensitive corporate properties and PII from reaching unsanctioned AI models before they can ever leave the device perimeter.

Join the virtual panel discussion on June 11th

To help organizations navigate these findings and bridge the mobile AI visibility gap, Lookout will host an exclusive virtual panel on Thursday, June 11, 2026.

Moderated by Zeus Kerravala, Principal Analyst at ZK Research, the panel will feature top cybersecurity executives dissecting shadow permissions, embedded SDK exposure, and practical strategies for enforcing edge-based data guardrails.

  • What: Solving for the Mobile AI Blind Spot (Virtual Panel)
  • When: Thursday, June 11, 2026 at 8:00 am PT
  • Moderator: Zeus Kerravala, ZK Research
  • Registration: To secure your virtual seat, register now

Bitdefender Releases 2026 Global Scam Intelligence Report

Posted in Commentary with tags on June 9, 2026 by itnerd

Bitdefender today released the Bitdefender 2026 Global Scam Intelligence Report, a comprehensive analysis of the global scam landscape over a 12-month period. The report examines how scams have evolved into a sophisticated, cross-platform criminal industry, revealing the tactics, channels, and behavioral patterns that fraudsters use to target consumers worldwide.

Online scams and fraud continue to escalate at an alarming rate. Losses due to scams globally have reached nearly half a billion US dollars in 2025 alone. Bitdefender’s independent global survey of 7,000 consumers reinforces the severity of the problem with 1 in 7 (14%) reporting falling victim to a scam in the past year, a finding that confirms scams as not merely a cybersecurity issue, but a serious threat to consumers’ financial security and digital identity.

The Bitdefender 2026 Global Scam Intelligence Report is built from real-time insights spanning trillions of URLs, billions of messages, live ad ecosystems, call honeypots, and direct consumer submissions. This telemetry captures scam activity as it happens, tracking campaigns across platforms and documenting attacker behavior in motion. The result is a field report that gives both consumers and the security community a comprehensive, data-driven view of how scams operate at scale.

Key findings include:

  • Younger generation is highly targeted – Younger consumers are now twice as likely to fall victim to scams as older generations, with a victimization rate of 20% compared to 9.7% among those 55 and older. Scammers have followed their audience to the social platforms, gaming environments, and messaging apps where younger users spend the most time.
  • 1 in 20 text messages shows signs of fraud – Extensive analysis of SMS traffic found that 5.2% of all messages analyzed (roughly 1 in 20) exhibited characteristics consistent with scam infrastructure or coordinated fraud activity. For a communication channel people inherently trust, that exposure rate is a serious cause for concern.
  • Voice calls remain a high-yield fraud channel – Bitdefender analyzed nearly 150 million incoming calls during the reporting period. More than 23 million were classified as unwanted, meaning about 1 in 6 calls reaching protected devices was deemed fraudulent or unsolicited. The system processed more than 52 million unique phone numbers, with over half a million flagged as unwanted.
  • Finance scams dominate across every channel – Investment fraud, banking phishing, and crypto-themed scams appear consistently across SMS, social ads, WhatsApp, voice calls, and email. The lure changes with the platform, but the objective remains constant: quickly move the victim toward a financial decision before skepticism has a chance to intervene.

To download a complimentary copy of the Bitdefender 2026 Global Scam Intelligence Report, visit here.

Hackers steal $1.7M worth of condoms after hijacking Walmart shipment

Posted in Commentary with tags on June 9, 2026 by itnerd

Hackers steal $1.7 million worth of condoms and lubricants headed to Walmart after hijacking a trucking shipment from one of the biggest companies in sexual wellness – all by using a cybercriminal playbook turned supply-chain nightmare.

Here are the key findings:

  • Attackers used a phishing email to compromise a legitimate trucking carrier and secure a shipment containing roughly 103,000 units of ONE Flex condoms and Move lubricant.
  • The scammers then posed as freight brokers, hired legitimate truck drivers, and redirected the cargo to a warehouse in the Bronx.
  • The shipment passed standard verification checks because the compromised carrier account appeared legitimate.
  • The FBI recently warned that cyber-enabled cargo theft is surging, reporting a 60% increase since 2024 and record losses of $725 million last year.

What initially sounded almost absurd – a cyber-enabled condom heist – turned into an elaborate and polished operation ending with FBI agents tracking the still-missing shipments through the controversial Flock camera systems.

For more information, here’s the full article: https://cybernews.com/cybercrime/fbi-hackers-steal-condoms-walmart-shipment-cargo-theft/

Parallel Works Brings AI Under One Governed Gateway

Posted in Commentary with tags on June 9, 2026 by itnerd

Parallel Works today announced new AI governance and budget management capabilities for ACTIVATE AI, enabling enterprises and government organizations to centrally manage, govern and control AI usage across commercial and privately hosted large language models (LLMs) through a single unified gateway.

The Parallel Works ACTIVATE AI Gateway addresses the growing challenge of uncontrolled token consumption by applying proven governance principles that enterprises utilize for compute and storage. Designed for large enterprises, government/defense organizations and HPC/research environments, the platform addresses the costly challenge of uncontrolled token use as organizations strive to manage escalating AI usage costs.  

The ACTIVATE AI platform is differentiated by its ability to combine hybrid compute orchestration, GPU governance, Kubernetes management and AI consumption governance, including token budgeting and chargebacks, within a single platform. Organizations are able to centrally connect commercial AI services and self-hosted LLMs from a unified, vendor-neutral API gateway.

The platform supports all OpenAI-compatible providers, Anthropic, Azure OpenAI, AWS Bedrock, and privately hosted LLM models, allowing organizations to govern AI access and consumption consistently across cloud and on-premises environments while avoiding vendor lock-in.

Key capabilities of the ACTIVATE AI Gateway governance module include:

  • Unified virtual API gateway for public and private LLM access.
  • Real-time token usage, budget allocation and reporting.
  • Organization-level governance and tracking at the user, group, department or organization level.
  • AI resource consumption chargeback and cost accounting.        
  • Single-pane-of-glass management integrated into existing compute and storage governance.

ACTIVATE AI Gateway governance capabilities are currently deployed within FutureTech’s large system-integrator environment, supporting thousands of users while managing token consumption across complex AI workloads. The platform helps VARs and system integrators control inference costs and govern AI resources efficiently across cloud and on-premises environments.   

Availability

The ACTIVATE AI Gateway governance and token budgeting capabilities are now available. The functionality is designed for large enterprises, government and defense organizations, HPC environments and research institutions that deploy private GPU infrastructure or consume commercial AI APIs at scale.

100 Days ‘til 1st Major EU CRA Deadline: a 24-Hour Reporting Clock 

Posted in Commentary with tags on June 9, 2026 by itnerd

Cybersecurity experts, OEMs, software publishers and end user organizations have focused on the EU Cyber Resilience Act’s ultimate December 2027 compliance deadline for years. What’s gotten far less attention is the first major enforcement milestone on September 11, 2026, now less than 100 days away.

On that date, anyone selling connected products and applications into the EU must report actively exploited vulnerabilities and significant security incidents to regulators under strict timelines – within 24 hours.

Doc McConnell, Head of Policy and Compliance, Finite State, said:

“For many companies, the challenge isn’t simply reporting, it’s determining within a few hours whether a vulnerability exists inside their products, whether it’s being actively exploited, and who might be affected. 

“The biggest obstacle isn’t paperwork, it’s visibility. Many companies lack accurate software inventories across their product lines, and have limited insight into third-party components embedded in products. Even more lack an in-place internal decision process to meet that 24-hour reporting mandate. The CRA readiness gap persists across sectors: ICS, automotive, medical devices, consumer electronics, IoT, IT gear, mobile applications distributed to EU end users, embedded software and more. And are their legal and compliance departments ready to assess cyber resilience?”

Ryan McCurdy, VP, Liquibase, added:

“The CRA turns cybersecurity from a best practice into a reporting obligation. That creates a simple test for software manufacturers: can you prove what changed, who changed it, when it changed, and whether the right controls were applied? For many organizations, the database layer is where that proof breaks down. Manual scripts, schema drift, and inconsistent approvals make it hard to show control when regulators, customers, or auditors ask. The companies that are ready for CRA will not just have security policies. They will have governance and proof of control across the full software lifecycle, including database change.”

The bottom line is that we’ll see if 100 days is an administrative nightmare, or a nothing burger. And it will be up to software vendors to decide which side of the fence this falls on.

LG launches “Match Day Heroes” contest 

Posted in Commentary with tags on June 8, 2026 by itnerd

LG Electronics is celebrating the local businesses, gathering places and passionate fans that bring communities together through the game. 

Today, LG Electronics Canada announced the launch of Match Day Heroes – a national contest and video content series spotlighting the community spaces where Canadians gather to cheer, connect and celebrate match day moments.  

In partnership with Ottawa-born soccer star Jonathan David, LG is inviting Canadians from coast-to-coast to nominate the local footy hubs that make match days unforgettable for a chance to win the ultimate LG Match Day Upgrade.  

From neighbourhood sports bars and cafes to beloved community gathering spaces, one winning ‘hub’ will receive a premium LG technology upgrade valued at up to $10,000. 

Rooted in LG’s Life’s Good brand promise, the campaign celebrates the connection and sense of belonging that sports can inspire in communities across Canada. By shining a spotlight on the local businesses and gathering places or footy hubs where fans come together to celebrate the game, LG aims to recognize the people and spaces that create meaningful shared experiences during Match Day.  

Canadians can nominate their Match Day Heroes beginning today by visiting https://www.lg.com/ca_en/about-lg/sponsorship/ and sharing why their favourite local footy hub deserves the ultimate LG Match Day Upgrade. Eligible nominations can include neighbourhood sports bars, cafes, restaurants and other local gathering spaces – or even your own backyard – where fans come together to watch and celebrate the game. The winning entry will receive an LG technology upgrade package designed to elevate the viewing experience for fans. The contest closes on July 26, 2026. 

As part of the Match Day Heroes campaign, LG has also produced a video content series highlighting four Toronto-area small businesses and community gathering spaces: Nganda, Liberty Village Market, Este es Columbia, and Amigos da Dundas.

The series celebrates the passion, diversity and community spirit that makes footy culture in Canada so unique while highlighting how sport can strengthen local communities and bring people together through shared experiences – an extension of LG’s belief that Life’s Good when the community comes together.  

To watch the Match Day Heroes video series, visit https://www.lg.com/ca_en/about-lg/sponsorship/

Visit LG’s Sponsorship page to access the Contest entry form and complete all required fields, including submitting a minimum of two photos of the Entrant’s footy hub, showcasing the space and reason for the nomination on the Contest entry page: 

Share your hub’s story. The more detail, the better. Here are a few things to cover:

  • Origin story: How did your hub start? Was it a spontaneous gathering that grew into something bigger?
  • Traditions & rituals: What matchday customs have become part of your culture?
  • Your crew: Who shows up, and how did this group come together?
  • Why does it deserve an LG technology upgrade?

Upload at least 2 photos, with a maximum of 6 photos: Show us your hub at its best! Submit photos that capture your space set up and ready for matchday! Think screens, appliances, seating, decorations, and any theming that makes your hub uniquely yours and candid shots of your crew in the moment.

  • Picture 1: Show us your crew! A selfie of you and the community you gather with on match days.
  • Pictures 2-6: Show us your footy hub! Include the decorations, layout, appliances/electronics that make up your Match Day viewing.

Submitted materials may be used for marketing purposes, see full contest rules for details. 

NO PURCHASE NECESSARY. Open to legal residents of Canada, 19 years of age or older. Contest runs from June 2, 2026 to July 26, 2026. Limit one (1) entry per person. One (1) prize package available, consisting of up to three (3) LG products (approximate retail value up to $10,000 CAD). Odds of winning depend on the number of entries received. Winner must correctly answer a skill-testing question. Sponsored by LG Electronics Canada Inc. Full rules available on LG’s Sponsorship Page. Self-nominations are eligible to win the Prize. If entrant nominates the community hub, the community hub will receive the Prize if declared a winner. The owner of the nominated community hub must agree to the Contest rules and regulations and consent to receiving the Prize on behalf of their establishment.