Passwords are as out of style as skinny jeans are with Gen Z at this Cerritos, California-headquartered cloud-hosted SaaS company.

For the past year, vendors and employees at AuditBoard have been seeing traditional static passwords less and less as the company inches closer to being 100% passwordless.

AuditBoard CISO Richard Marcus told IT Brew that the move to the Holy Grail cybersecurity status was spurred after observing an increase in the number of third-party breaches that were occurring in AuditBoard’s vendor ecosystem. A 2024 study by Prevalent found that 61% of companies experienced a security incident related to the use of a third party in 2024, up from 41% in 2023.

“It’s just a wake-up call for us that as our world becomes more interconnected and we become more reliant on third parties, we just have to be really thoughtful about the sensitivity of the information we share with them and passwords are certainly in that category,” he said.

He added that the audit, compliance, and risk management software company also underwent the ongoing transition after seeing a 400% year-over-year increase in social-engineering attack attempts against its employees between 2023 and 2024.

“If you don’t have a password, you’re not susceptible to those attacks,” Marcus said.

Read the rest here.—BM

It’s the definition of poor communication.

That’s what security research firm CloudSEK is saying about a vulnerability in Zendesk, a SaaS tool that assists companies in internal and external communication processes.

In a report from Jan. 20, CloudSEK described how attackers can use the tool to infiltrate organizations. Because Zendesk allows users to sign up for free trials, there’s potential for malicious actors to register deceptive subdomains that can trick targets into handing over information. Threat researcher Noel Varghese broke down the plot for IT Brew.

“Threat actors can misuse it in such a way that they can create Zendesk instances that are imitating the name of the company they’re trying to target,” Varghese said. “Since social engineering and phishing attacks are somewhat common these days, they can use it as an additional arsenal in their toolset to land phishing emails to employee mailboxes.”

The mix up. One of the main concerns in the report is that Zendesk’s lack of email verification can make it easy for potential threat actors to create accounts using dummy emails and then dispose of them before using the service. Further, Zendesk drops its tickets into primary inboxes, meaning “employees can mistake orchestrated campaigns of similar vein to be circulated by a trusted authority—such as their place of employment,” according to the report.

Read more here.—EH

Government workers are getting a new tool to ask questions like, “Can you explain this code snippet?” or “What is DOGE?”

In an announcement on Tuesday, Microsoft-backed OpenAI introduced ChatGPT Gov—a version of the ChatGPT Enterprise prompt tool “tailored” specifically for government users.

With the offering, the company wants policymakers to use its AI-model’s capabilities to “deliver better services to the American people.” One enterprise-risk consultant who spoke with IT Brew, however, seeks clarity on data security and how the tech will be leveraged.

“Security concerns will be heightened for a government entity, given the type and volume of sensitive information that the government harnesses—everything from data related to national security to personnel information to the movement and schedules of top government officials,” Luke Tenery, partner at consultancy StoneTurn, wrote to IT Brew.

Keep reading here.—BH