From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

IT Brew

Tom McKay

itbrew.com

Graphic of gravestones in descending height order

Scam obituary sites draw enterprise traffic, research finds

Obituary sites that currently scam users into installing push notifications and pop-ups could be a vehicle for malware.

Amanda Florian

Threat actors in China becoming ‘more brazen,’ NSA says 

Dave Luber of the NSA told IT Brew new incidents tied to Volt Typhoon are unfolding every day based on “industry and incident response reporting.”

Billy Hurley

HSB adds cyber protections to automotive coverage

The insurance provider sees the car a lot like a computer—both can be hacked.

A shield with a checkmark inside icon denoting cybersecurity

Cybersecurity

Brianna Monsanto

For job huggers—people who cling to their current role even if they aren’t fully happy in that position—the answer is the former. However, job hugging is a little more nuanced than it might seem, and a little more risky for cyber pros.

 from job search platform Monster, based on a survey of 1,004 US employees, found that 48% of workers are considered job huggers. Thomas Vick, a senior regional director at management consulting company Robert Half, told IT Brew the behavior is driven by economic uncertainty, with employees 

“If you had the Great Resignation on one end of the spectrum, now we’re operating on the other end where people are a lot more cautious,” Vick said.

What does that have to do with cybersecurity?

 Job huggers may seem like an obvious issue for HR professionals and managers who want more 

 out of their teams, but some cybersecurity professionals believe the growing trend may also lead to a rise in 

. Ivanti CSO Daniel Spicer told IT Brew a disengaged employee does the “bare minimum” at their job…and for many, that doesn’t include cybersecurity best practices.

“They’re more likely to fall for a phishing email,” Spicer said. “They’re more likely to consider or accept an offer to share credentials or access to a third-party for ransomware.”

Other risky behaviors from unenthusiastic employees include being less likely to report security issues right away or paying less attention to software patches, according to Spicer.

“The weakest part of any security program is still people, and disengaged people are just that much weaker of the link,” he said.

Rajan Koo, CTO of insider risk management company DTEX, said that, when interviewed after an incident, malicious insiders often felt professionally stagnant or disengaged.

“Just because somebody is disgruntled, just because they’re stuck in their job and they’re not moving to another job, doesn’t necessarily mean they’re going to be a malicious insider,” Koo said. “But it is often a precursor for those that do become malicious insiders.”

, when employees and employers have a “positive mutual reliance” on one another, as especially relevant in the job-hugging era.

“They’re not happy in their current job and a lot of the time, that disgruntlement increases and that loyalty towards the company decreases and…it can be a recipe and a precursor for a range of things, whether that be non-malicious or malicious types of insiders,” said Koo.

Vick told IT Brew that job huggers can be hard to identify “if you’re not having regular communication as to what the career goals of that individual are” or what they want to learn.

What should a cybersecurity expert do if they suspect job huggers are present in their workforce? Spicer told IT Brew they could start by looking at employee engagement surveys within their organization, something he pays a lot of attention to. An IT Brew poll of 201 readers found that over one-third (35%) of professionals use engagement surveys in some capacity to gauge insider threats within their organization. The remaining two-thirds (65%) said they either don’t review or care for these workplace surveys or don’t use them to determine potential insider threats.

“Obviously, any good engagement survey doesn’t out an individual, but if I see a weakness in a particular department…that’s something that I need to have a conversation with my peers,” he said.

Koo added that when organizations detect a disengaged employee, that doesn’t automatically mean they should give them the boot. Instead, he suggests that companies spend time reengaging that employee.

“That’s the right time to be even more loyal to that individual, especially if they’re somebody who you feel is doing their job.”

Laptop with a manager messaging an employee "how are you feeling?" with a cursor hovering over a happy emoji and sad emoji

‘Job huggers’ are a new cybersecurity problem

One CSO says disengaged employees are more likely to fall for phishing emails and report security issues too late.

Eoin Higgins

The video game industry is the biggest entertainment sector in the world. For IT workers in video games, whether developers, security professionals, or others, that success means challenges and hard work.

Software development is going through changes, Chris Anley, a chief scientist with research firm NCC Group, told IT Brew, and the gaming industry is no different. Supply-chain issues plague software, and security is always top of mind. Meanwhile, a demanding user base wants top performance and seamless experiences.

“If you’re writing games, you’re trying to get the most performance out of the hardware you possibly can, you’re trying to provide the richest experience for your users,” Anley said.

The user base is demanding. Fastly CTO Artur Bergman noted that’s a part of the incentives of the industry.

“Gamers are more technical and more verbal when things don’t work than most people,” Bergman said. “The patience for slow downloads and for any kind of errors is much lower.”

Slower download rates—a complaint his company encounters as part of providing software services for game developers—are of particular concern. People aren’t willing to wait around when downloading to play, and it’s a challenge that must be anticipated and dealt with.

And those traffic demands can be spiky, correlating to releases: “It behaves much more like a sports live event than it does normal traffic,” Bergman said. In September, 

, including Nintendo, PlayStation, Xbox, and Steam, due to demand.

Games are getting larger, especially when it comes to blockbusters, also known as AAA games. In addition to being heavy on the download side, they are particularly expensive to develop—2020’s 

 to make. The cost and time to produce new IP presents a risk as well; if a game isn’t financially successful, then the production is a sunk cost. Kevin Janzen, CEO of Globant’s gaming and ed. tech AI studio, told IT Brew that all adds to the pressure for staff, especially in the post-Covid sales landscape.

“There’s been this situation with so many companies having to rethink their plans, and so many others being acquired by larger studios that can’t afford the risk of making a game that doesn’t perform according to expectations, and that’s still not meaning bankruptcy,” Janzen said. “That has caused a state of uncertainty for the professional IT person.”

Making production more cost-effective will help to reduce studio dependency on just one project, Janzen said. Consumers don’t buy as many new games, meaning that staying profitable often requires delivering new experiences and good gameplay within existing properties. In order to stay viable and profitable—and maybe to develop the next 

—companies often turn to overworking their employees to keep up with competitors, often accelerating the demand during “crunch time” before a game 

. Janzen doesn’t feel that’s necessary, though.

“It’s not necessarily working harder or more hours, it’s trying to work more efficiently and trying to think, ‘How can we make sure that we have a good game that satisfies the expectation of consumers without necessarily increasing the expense of game development?’” Janzen said, adding, “It means to think differently and try to understand, how can we offset that risk?”

A retro video game controller photographed in front of an orange background

Video game industry IT full of challenges, user base concerns

Game CTO tells IT Brew the industry needs to “think differently.”

Have you ever been tempted to spend less than $1,000 on satellite equipment—just so you can show how much sensitive data can be easily accessed?

Computer scientists from the University of California, San Diego, and the University of Maryland answered “yes” to that question. In a 

 published Oct. 13, they wrote that they can use satellites to access large amounts of sensitive and unencrypted traffic from a variety of sectors, including the telecommunication, retail, and even the military.

The researchers focused their study on geostationary (GEO) satellites, which orbit the Earth’s equator, receiving and amplifying signals from the ground. Hardware used to conduct the study included a Ku-Band satellite dish, a low-noise block downconverter to amplify weak signals, and a dish motor to enable automated movement for tracking purposes, among other materials. In total, the equipment ran the researchers just under $700, or roughly what you’d pay to rent a one-bedroom apartment in Wichita, Kansas.

With their makeshift setup, the researchers set up base on the roof of a university building in San Diego, where they performed a “broad scan of IP traffic on 39 GEO satellites

From these scans, researchers said they saw “unencrypted cellular backhaul traffic from multiple telecommunications providers,” including KPU Telecommunications and AT&T Mexico. While listening to a nine-hour recording of raw data streams, they added, they identified three satellite beams that carried unencrypted T-Mobile traffic, and observed close to 3,000 user phone numbers from metadata. Neither KPU, AT&T Mexico, nor T-Mobile responded to IT Brew’s request for comment on the findings.

Telecommunications providers weren’t the only ones with exposed traffic. Researchers also noted unencrypted traffic from US-owned sea vessels and organizations within the Mexican government.

On the corporation side, researchers identified unencrypted Walmart Mexico internal system traffic, which contained private data, including encrypted internal corporate emails, inventory records, and logins to the company’s inventory management system. Walmart Mexico did not respond to IT Brew’s request for comment by the time of publication.

In total, 50% of GEO links observed in the study contained cleartext IP traffic.

Researchers reached out to affected parties to disclose their findings from the study, and several remedies have been deployed to address vulnerabilities. Based on their findings, they concluded that there is a “clear mismatch” between satellite customers’s expectations of data security and the security that is actually in place.

“Cell phone traffic is carefully encrypted at the radio layer between phone and tower to protect it against local eavesdroppers,” the researchers wrote. “It is shocking to discover that these private conversations were then broadcast to large portions of the continent, and that these security issues were not limited to isolated mistakes.”

The researchers say there’s no way to determine if someone has set up a dish to secretly listen to traffic. However, end users can use a VPN to encrypt network traffic they generate, as well as end-to-end encrypted apps for voice and messaging communications. Organizations should treat their satellite communication links like “unsecured and public wireless networks,” according to the researchers, who also suggest companies should also practice strong encryption.

“Encryption should be used at every layer as defense-in-depth protection against individual failures,” the researchers said. “Treat encryption as mandatory, not an add‑on.”

It takes less than $1k to access unencrypted satellite data: study

Researchers from the University of California, San Diego, and the University of Maryland say 50% of GEO links observed in their study had cleartext IP traffic.

If you hear techno bumping from Alex Lisle’s living room, it’s not a rave; he’s probably coding a graphics engine.

Lisle, currently CTO at deepfake detector Reality Defender, still finds programming calming, even when the background beats are loud. Decades before he joined the NY-based cybersecurity platform this past July, Lisle created video games, supporting consoles like the Sega Dreamcast and Sony PlayStation. He’s also worked for cybersecurity firms.

A security pro with gaming expertise is a rare combination, according to Lisle; gamers make things, and cyberteams tend to break things.

“Generally, really great cybersecurity guys don’t actually make great programmers…because they’re usually very good at finding holes in things,” he said.

Lisle spoke with IT Brew about his experience moving between hacker and programmer roles, and how the dual professional worlds have given him a unique perspective to help in his latest effort: spotting deepfakes.

Lisle began his professional game-development career in 1999. As a junior system administrator at Sega Europe, Lisle—a teen at the time, and about 10 years younger than his peers, he said—was tasked with creating and securing the internet service provider network built specifically for the Sega Dreamcast console. Years before taking the gig, young Lisle had taken an interest in offensive hacking, using tools like a network sniffer to spot unencrypted traffic—and unencrypted login credentials. At Sega, he was sniffing out hackers from the other side of the firewall.

“People wanted to hack Sega all the time, so it was kind of fun stopping people from hacking,” Lisle said.

The job reinvigorated his passion for programming, Lisle told us; he recalled beginning his lifelong computer journey by manually typing code into an Amstrad CPC, an 8-bit home computer. The final result, according to Lisle: a buggy fencing game.

After a year at Sega, Lisle went back to school to hone his programming skills and then became a research developer at Durham University, where he designed molecular-screening software.

Following the on-campus work, Lisle got back into gaming, spending stints at Sony and Venom Games.

His love for coding led him back to cybersecurity. In 2008, he joined Fortify Security as an engineer and helped to develop the company’s static analysis tool for finding code bugs. Other security roles followed over the years. Now, as Reality Defender’s CTO, he spends his time researching new deepfake attacks and making sure the company’s technology is prepared for them—more of that Sega-era, defensive-security fun, perhaps.

What makes a gaming pro a good security pro? 

Whether you’re a cyberattacker or a computer-game programmer, you’re pushing limits, according to Lisle. During his time programming video games, Lisle learned how to get the most out of limited hardware and graphics engines. “You can’t say to someone, ‘Hey, get a bigger GPU,’” he told us, recalling a time a colleague created two separate graphic engines to “push more polygons through” the Playstation platform.

A limit-pushing adversary finds vulnerabilities in an unexpected part of an environment. Lisle recalled the 2013 breach of Target, which 

 began via a compromise of an HVAC company.

“I mean, that’s lateral thinking,” he said, referring to a disruptive, creative, problem-solving approach.

What makes a gaming pro a good deepfake detector?

 found that listeners correctly spotted audio deepfakes 73% of the time. A James Cook study that same year revealed a 61% accuracy rate with 

; this reporter ended up with an 18/30 deepfake-minus.)

What Lisle has learned over the years, with deepfakes and with video games, is that a digital representation doesn’t have to be photorealistic to effectively deceive a human. We all have a programmer’s way of building an image in our minds, but not always breaking it down.

“When it comes to deepfakes, unless you’re really studying for it, your mind will fill in a bunch of the blanks,” Lisle said.

A portrait of Alex Lisle, CTO of Reality Defender.

Why a life in video games and cybersecurity helps with deepfake detection

Meet CTO, former hacker, and former video game programmer Alex Lisle

Avast! University employees are getting ambushed by pirate attacks, and not the kind that occur while sailing the seven seas.

Earlier this month, Microsoft Threat Intelligence 

 on a scam campaign targeting US university employees, where threat actors successfully divert salary payments from employee accounts to their own. The scheme has been dubbed a “payroll pirate” attack by the broader industry.

 Microsoft researchers referred to the threat actor behind the scheme by the alias Storm-2657. In the observed campaign, Storm-2657 gained access to employee accounts through adversary-in-the-middle phishing, a form of 

 malicious actors use to bypass multi-factor authentication (MFA).

Phishing emails used to lure victims targeted accounts at universities, according to the researchers. Some of these convincing phishing emails alluded that the receiver may have been exposed to a campus illness outbreak. Others focused on classroom misconduct reports. Phishing emails also featured Google Docs links, which are commonplace in academic settings.

After obtaining an MFA code, Storm-2657 compromised victims’s Microsoft Exchange Online accounts and gained access to their Workday profiles, then covered their tracks by enforcing automated instructions to delete “warning notifications” from the software platform. From there, the attacker redirected future employee salary payments to bank accounts of their own.

Storm-2657 used some successfully compromised emails to send out even more phishing emails. Microsoft said it observed 11 successfully compromised accounts at three universities that collectively sent phishing emails to 6,000 email accounts since March.

The threat actor focused on Workday profiles in the observed campaign, which took place in H1 2025. However, the researchers claim the same technique can be used to target other SaaS systems storing HR or banking information. Microsoft said the pirate payroll attacks don’t reflect any vulnerabilities in Workday’s platform and that the 

 company has already released guidance for consumers.

Payroll pirates aren’t the only type of criminals educational institutions are warding off. IT Brew 

 the growing problem of ghost students, malicious actors who pose as university and college students to reap financial aid and other student benefits.

Malicious actors continue to launch classic 

 found that schools, colleges, and universities experienced a 23% uptick in ransomware attacks YOY in H1 2025.

Microsoft recommends organizations protect themselves from payroll pirate attacks by ditching traditional credentials and embracing 

 workflows: “Microsoft recommends enforcing phishing-resistant MFA for privileged roles in Microsoft Entra ID to significantly reduce the risk of account compromise.”

A thief surrounded by cards on fishing hooks floating above a laptop.

‘Payroll pirate’ attackers are going after university employees

These attacks are when cybercriminals compromise employee Workday and other third-party accounts and divert salary payments to their own accounts. 

Caroline Nihill

With seemingly endless cybersecurity tools available to organizations, it can be difficult to determine what to invest in—whether tried and true tools or something newer like agentic AI. But with cybersecurity budgets in flux, experts say relying on agentic AI could prove a cost-efficient way to handle threats…with some caveats.

AI can help cybersecurity workflows with everything from natural language processing and data mining to predictive analytics and machine learning, 

Experts like Loreli Cadapan, VP of product management at software delivery solutions provider for enterprises company CloudBees, said cybersecurity applications using agentic AI can reduce friction throughout code production. While she acknowledged the approach isn’t directly reducing infrastructure spend, it reduces cost from a “developers’ toil perspective.”

“There’s a lot less context switching on the developer side, and that also allows them to spend more time on innovation, rather than the mundane task of triaging build failures…or triaging a security vulnerability,” Cadapan said.

Kara Sprague, CEO of HackerOne, said she believes it’s smart to employ agentic AI in a cybersecurity context, “because we have surpassed the point where humans can scale to the level needed for security.”

However, it’s important for IT professionals to ensure AI-supported cybersecurity has proper guardrails in place. “A lot of times, those humans are going through some sort of background check, some sort of verification, there’s organizational data and information sharing policies that that human has to comply with,” Sprague said. “We need to think about similar controls around the AI agents that we’re implementing.”

How do we solve a problem like no money? 

The Institute for Applied Network Security (IANS) 

 that in 2025 organizations have scaled back security budgets.The average annual security budget growth dropped to its lowest point in five years at 4%—compared to 2024’s growth level of 8%.

When funding levels drop, Vidya Shankaran, field CTO of emerging technologies at Commvault, says that a strong business case needs to be made for cybersecurity solutions.

“It’s not as straightforward as saying, my antivirus tool is called, it’s going to cost me XYZ, so I’m just going to go all guns blazing and invest in the cheapest product,” Shankaran said. “Because sometimes that may not [be] correct, probably it does not meet all the risk parameters that you’re looking to offset within your organization.”

Cadapan said that if an IT team isn’t focused on increasing efficiency in the project timeline, it gets more expensive to fix issues from a security and compliance perspective.

“With the rise of AI, more developers are actually producing code, leveraging AI…and many other tools out there that [are] available for developers today,” Cadapan said. “Where I’m seeing and hearing from customers, from developers out there, is the shift in mindset of, ‘How can we leverage AI to reduce this friction on the code review, on the testing, all the way down to the production perspective?’”

Cybersecurity pros can’t really check every single sensor or detecting tool every single day (or if they did, it would take too much time). Erin McFarlane, VP of operations at Fairmarkit, suggested that agentic AI can give an organization a guard who works around the clock.

“[AI] can really give you a best-practices view of whatever it is that you’re looking at from an agentic perspective,” McFarlane said. “So much of security tends to be reactive, and that’s always been the complaint, that we’re preparing for something after it happens rather than… for sensing various signals.”

In McFarlane’s opinion, AI should increase organization budgets because it presents new risks, even as it saves IT infrastructure from bad actors.

Sprague said that those who are looking to implement agentic AI into a cybersecurity stack on a budget should examine existing tools and ensure that the enterprise is taking advantage of the full set of capabilities already available.

“I would advocate for security leaders to be doing some amount of zero-based budgeting and really to…do an assessment of where are the biggest risks across my organization, and am I invested appropriately across my security tools and practices and solutions to mitigate those risks,” Sprague said.

Correction 10/16/2025: Vidya Shankaran's title has been updated.

Agentic AI could be the savior of cybersecurity budgets

“So much of security tends to be reactive, and that’s always been the complaint,” one expert says.

OpenAI is expecting to see more attackers use ChatGPT and other AI models to produce malicious code and tools, according to a new report. However, the company sees no evidence that attackers are using its AI models to produce novel offensive capabilities.

, OpenAI outlined several instances where it disrupted bad actors, including nation-state actors and criminal groups, who were attempting to use ChatGPT’s capabilities to produce malware or engage in other nefarious activities against what the company called “the democratic principles America has always stood for.”

“[Promoting democratic AI] includes preventing the use of AI tools by authoritarian regimes to amass power and control their citizens, or to threaten or coerce other states; as well as activities that may result in society-scale harms such as malicious cyber activity, organized crime and scams, and covert influence operations,” the report stated.

 to the White House Office of Science and Technology Policy’s AI Action Plan as evidence of the company’s commitment to building and maintaining “democratic AI.”

OpenAI did not respond to a request for comment in time for publication.

The company reportedly found individuals linked to People’s Republic of China (PRC) government entities using ChatGPT to help with “development, profiling, and bureaucratic functions.”

Specifically, some of those accounts were trying to use ChatGPT for large-scale monitoring activities, such as analyzing datasets gathered from social media platforms. OpenAI reported users asked the model to help design tools and generate promotional materials, but hadn’t put actual monitoring into practice.

“For example, we recently banned a user, possibly using a VPN to access our services from China, who was asking ChatGPT to help design promotional materials and project plans for a social media listening tool, purportedly for use by a government client,” the report said.

OpenAI described its disruption tactics as banning users who appeared to be linked to PRCe government entities and seemed to be using ChatGPT for “more bespoke” targeted profiling and online research. According to the report, the models only returned publicly available information instead of sensitive details when utilized by political actors.

In another case study, OpenAI pointed to a Russian-language malware tool developed through vibe coding. The company disrupted the use of the tool, which it linked to Russian-speaking criminal groups.

According to the report, OpenAI discovered accounts trying to use ChatGPT to develop and refine malicious tools that included credential stealers, a remote-access trojan, and features to evade detection. With safeguards in place, the models “refused requests that were clearly malicious and lacked any legitimate application,” and didn’t execute any threat actor tooling and workflows.

 OpenAI reported that it interrupted threat actors who seem to be using various AI models for recidivism, or repeated harmful activity, and phishing.

The company reported individuals involved in these harmful activities have been adapting their behavior, including scrubbing signs of AI usage from their content—specifically manually removing the use of em-dashes before publication.

Zohaib Ahmed, CEO of deepfake detection platform Resemble.ai, told IT Brew in an email that OpenAI’s approach to preventing misuse is at the model level, and the industry still needs additional detection capabilities.

“That’s important, but the report shows bad actors are using multiple AI providers and hopping between models when they get banned,” Ahmed wrote. “This is why detection infrastructure is critical—you can’t rely on model-level restrictions alone.”