Patrick Opet, the Chief Information Security Officer of JPMorgan Chase, has called on software companies to slow down and focus more on building secure systems rather than rushing their products to market. In a public letter, he warned that security gaps in third-party software are creating serious risks, especially as many global businesses now depend on just a handful of technology providers.
The Problem with Relying on External Vendors
Today’s companies use many third-party tools for essential services, from managing data to running operations. But this convenience also comes with danger. When even one of these vendors faces a security issue, it can affect not just one business but many others connected to it.
Opet shared that JPMorgan has already dealt with several such incidents involving their outside service providers. In these cases, the bank had to respond quickly by cutting off access to the affected vendors and using large amounts of resources to fix the issue and prevent further harm.
Real Events Show the Risk Is Real
Earlier in 2024, the bank revealed that a software issue involving an external provider affected more than 451,000 people. In another case, a flawed software update from cybersecurity firm CrowdStrike caused a massive technical outage worldwide. This update caused millions of Windows devices to crash, affecting airlines, hospitals, banks, and more.
Why Attackers Target Third-Party Tools
Newer tech systems often use tools that connect different platforms to each other. While these tools improve efficiency, they also make it easier for hackers to get inside private company networks. Criminals are increasingly using this path to steal confidential information or disrupt services.
Opet pointed to recent reports showing how state-linked cyber groups are using cloud platforms and remote access software to get into systems and carry out their attacks.
What Needs to Change
Opet released his letter just before a large international cybersecurity conference in San Francisco. He hopes this message will inspire software makers to set higher safety standards, be more honest about how they manage sensitive access, and explore privacy-focused technologies that better protect user data.
His concerns match those of other experts who have also pushed for stronger security measures, including building protections directly into software from the start. Some industry professionals have even said legal accountability should be introduced if providers fail to protect their systems properly.
The UK government has introduced a new policy that stops public sector organizations from making payments to cybercriminals during ransomware attacks. This decision was made to reduce the number of attacks by taking away the money motivation behind them.
The government believes that if attackers know they won’t get paid, they may stop targeting essential services like public hospitals, schools, or councils. However, this move has sparked a lot of discussion among cybersecurity experts and business leaders.
Why This Rule Could Be Difficult to Enforce
While the aim is to protect public services, some people believe organizations might still find ways to make payments secretly. For instance, if a company operates both in the UK and another country, it might use its foreign office to make the payment. Others might try to hide the payment by calling it a regular business expense.
These loopholes could weaken the purpose of the ban. It might even create an unfair situation where some organizations quietly pay and recover faster, while others follow the rules and face longer disruptions.
The Pressure on Business Leaders
Leaders responsible for cybersecurity face a difficult situation. While no one wants to support criminal activity, refusing to pay can lead to bigger problems. For example, a ransomware attack could shut down critical services or expose personal information.
In some extreme cases, businesses might feel that paying the ransom is the only way to continue operations or protect sensitive data. This rule could put extra pressure on leaders who are already struggling to make the right decision during a crisis.
Less Reporting, More Risks
Another concern is that if payments are banned, organizations might stop reporting ransomware incidents altogether. They may choose to hide the true nature of the attack to avoid breaking the law or getting into trouble.
This lack of transparency can be dangerous. If fewer cases are reported, cybersecurity experts won’t have enough data to understand new threats or how attacks are evolving. That means it will be harder to prepare for future attacks, leaving more organizations at risk.
Is There a Better Way Forward?
Many experts believe that instead of a complete ban, the government could allow exceptions in very serious situations. Organizations could be required to report the attack immediately and get approval from authorities before making any payments.
This would give the government better visibility into ransomware activity while still giving organizations the flexibility to act when needed. At the same time, public sector workers should receive better training so they know how to handle cyber threats early and prevent serious damage.
In short, while the new rule is a step toward fighting cybercrime, it’s important to create a balanced plan that supports both security and practicality.
A recent study has shown that more than one in three people have had at least one of their online accounts broken into during the past year. The main reason? Poor or stolen passwords.
The report comes from the FIDO Alliance, a group that focuses on improving online safety. Their findings reveal that passwords are still a major weak spot in keeping digital accounts secure.
People Struggle with Passwords
The research found that 36% of people had their accounts hacked because their passwords were either easy to crack or already leaked online. Many users still rely on passwords that are short, simple, or reused across different accounts. These habits make it easier for cybercriminals to gain access.
Forgetting passwords is another common issue. Nearly half of the participants said they gave up making a purchase online because they couldn’t remember their password.
What Are Passkeys and Why Are They Safer?
To fix the problem with passwords, many websites and apps are now supporting a new method called passkeys. These don’t require typing anything in. Instead, you can log in using your fingerprint, face scan, or a PIN stored on your device.
This system is safer because the login details never leave your phone or computer, and they don’t work on fake websites. This means scammers can’t trick people into handing over their login details like they do with traditional passwords.
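The "doesn't work on fake websites" property comes from the relying party checking that the assertion was produced for its own origin and RP ID. The following is an added illustration, not code from the FIDO Alliance or any product; the site name bank.example, the challenge value and the constructed clientDataJSON/authenticatorData are assumptions, and the signature check that a real verifier also performs is omitted.

```python
import base64
import hashlib
import json

# Constructed relying-party settings for a hypothetical site.
RP_ID = "bank.example"
EXPECTED_ORIGIN = "https://bank.example"
EXPECTED_TYPE = "webauthn.get"


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses in JSON."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def verify_assertion_binding(client_data_b64: str, auth_data: bytes,
                             expected_challenge: str) -> tuple:
    """Check the origin / RP ID binding of a WebAuthn assertion.

    Returns (ok, reason). The credential signature check is left out here;
    a real verifier performs it after these structural checks pass.
    """
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != EXPECTED_TYPE:
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    # The browser, not the user, fills in the origin, so a look-alike
    # site cannot claim to be the real one.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    # authenticatorData starts with sha256(rpId) then a flags byte.
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match relying party"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def make_client_data(origin: str, challenge: str) -> str:
    """Constructed clientDataJSON, as a browser would build it for `origin`."""
    payload = json.dumps({"type": EXPECTED_TYPE, "challenge": challenge, "origin": origin})
    return base64.urlsafe_b64encode(payload.encode()).decode().rstrip("=")


def make_auth_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: rpIdHash (32 bytes) + flags (UP set) + counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (1).to_bytes(4, "big")
```

An assertion generated on a look-alike domain carries that domain in both the origin field and the rpIdHash, so it is rejected even though the user did everything the phishing page asked.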
According to the study, most people are now aware of this new method. Around 69% have already used passkeys on at least one of their accounts, and over a third said they’ve switched entirely to using them wherever possible.
Big Tech Companies Back Passkeys
On May 2, Microsoft said it is now letting all of its users log in with passkeys instead of passwords. The company admitted that passwords simply aren’t strong enough to protect people’s accounts, even if they’re long or frequently updated.
Microsoft users can now sign in using face recognition, a fingerprint, or a PIN on Windows, Apple, or Google devices.
Moving Away from Passwords Altogether
To raise awareness, FIDO has renamed its annual event “World Passkey Day.” The goal is to encourage companies and users to stop relying on passwords and start using safer login tools.
As part of the event, FIDO launched a pledge for businesses that want to commit to using passkeys. More than 100 organizations have already joined in.
FIDO’s leader, Andrew Shikiar, said the shift to better login methods is necessary. He explained that years of account hacks and data leaks have shown that traditional passwords no longer offer the protection we need in a digital world.
The study surveyed 1,389 adults from the US, UK, Japan, South Korea, and China.
The main highlight of the M-Trends report is that hackers are using every opportunity to advance their goals, such as using infostealer malware to steal credentials. Another trend is attacking unsecured data repositories due to poor security hygiene.
Hackers are also exploiting fractures and risks that surface when an organization takes its data to the cloud. “In 2024, Mandiant initiated 83 campaigns and five global events and continued to track activity identified in previous years. These campaigns affected every industry vertical and 73 countries across six continents,” the report said.
Ransomware-related attacks accounted for 21% of all intrusions in 2024 and made up almost two-thirds of cases involving monetization tactics. This comes in addition to data theft, email hacks, cryptocurrency scams, and North Korean fake job campaigns, all attempting to extract money from targets.
Exploits were the most common initial infection vector at 33%, followed by stolen credentials at 16%, phishing at 14%, web compromises at 9%, and earlier compromises at 8%.
Finance was the most targeted industry, with more than 17% of attacks aimed at the sector, followed closely by business and professional services (11%), critical industries such as high tech (10%), government (10%), and healthcare (9%).
Experts have highlighted the broad spread of targeted industries, suggesting that any organization can be targeted by state-sponsored attacks, whether politically or financially motivated.
Stuart McKenzie, Managing Director, Mandiant Consulting EMEA, said: “Financially motivated attacks are still the leading category. While ransomware, data theft, and multifaceted extortion are and will continue to be significant global cybercrime concerns, we are also tracking the rise in the adoption of infostealer malware and the developing exploitation of Web3 technologies, including cryptocurrencies.”
He also stressed that the “increasing sophistication and automation offered by artificial intelligence are further exacerbating these threats by enabling more targeted, evasive, and widespread attacks. Organizations need to proactively gather insights to stay ahead of these trends and implement processes and tools to continuously collect and analyze threat intelligence from diverse sources.”