
This Week in Cybersecurity: Salesforce Strikes Again, Deep Fake Protection, Regulatory Changes, Insider Threats, Browser Attacks Grow, and Why are Businesses Still Using Gmail?



Summary 

Cybersecurity continues to move at a pace that outpaces regulation, technology adoption, and company preparedness. Each week brings headlines that show how attackers adapt, how regulators respond, and how technology providers struggle to balance innovation with security. At Armes Vantage, we review these developments with a focus on business impact, compliance requirements, and the strategic moves leaders should consider.


 

1. FBI Warns of Salesforce Data Theft by UNC6040 and UNC6395 


The News: The FBI issued a warning that the advanced threat groups UNC6040 and UNC6395 are actively targeting Salesforce environments to steal sensitive customer and sales data. The attackers exploit misconfigured integrations and weak identity controls to gain persistence inside customer relationship management (CRM) systems. This is not a zero-day exploit; it is opportunistic abuse of poorly managed platforms.


Why It Is Important: CRM data is among the crown jewels of many organizations, containing customer details, financial forecasts, and sensitive contracts. A breach here doesn’t just expose information; it undermines trust in client relationships. For executives and boards, this highlights the gap between vendor reliance and governance oversight. You cannot assume Salesforce (or any SaaS provider) handles security for you.


Actions: 

  • Require platform configuration reviews against CIS Benchmarks and NIST CSF PR.AC (Access Control).

  • Mandate multi-factor authentication (MFA) and session logging for all CRM admin accounts. 

  • Establish third-party oversight controls under NYDFS 23 NYCRR 500, the NAIC Cybersecurity Model Law, and CCPA/GLBA vendor management rules.


 

2. Pixel 10 Brings AI Fake Detection to Photos 


The News: Google announced the Pixel 10’s new ability to cryptographically watermark images at the point of capture, allowing downstream platforms to verify authenticity. This is the first step toward establishing “content provenance,” ensuring photos and videos can be traced to their creator. The feature is expected to be widely adopted across devices in the years ahead.


Why It Is Important: Deepfakes and AI-generated media are eroding trust in digital information. For boards, this is not just a social problem; it is a reputational and legal risk. A CEO deepfake can trigger stock manipulation, false narratives, or fraudulent transactions. The Pixel 10 represents the first move toward a universal standard of verification, and hopefully one that will become a compliance expectation for regulated industries.


Actions: 

  • Monitor adoption of C2PA (Coalition for Content Provenance and Authenticity) standards. 

  • Update governance policies to anticipate regulatory requirements for verified media. 

  • Educate executives and employees about verifying digital media as part of NIST CSF DE.CM (Detection and Monitoring) controls.  

 


3. Maryland Passes the Online Data Privacy Act (MODPA) 


The News: Maryland’s new law expands the growing patchwork of U.S. state privacy regulations, imposing strict consent, transparency, and data minimization requirements. Like California’s CCPA, it gives consumers stronger rights while increasing compliance obligations for businesses that handle Maryland residents’ data. Even if you do not operate in Maryland, it is wise to adopt these requirements anyway, as every state will soon follow.


Why It Is Important: Executives must understand that state-by-state privacy laws are no longer optional compliance projects. Regulators, investors, employees, and customers expect a unified data governance strategy. Companies that delay will face legal risk, operational complexity, and higher costs down the line. 


Actions: 

  • Map personal data against CCPA, GDPR principles, and NIST CSF PR.DS (Data Security).

  • Ensure your compliance team can demonstrate adherence to multi-jurisdictional privacy rules (CCPA, MODPA, Colorado, etc.). 

  • Move toward a centralized data governance and retention program to avoid fragmented responses. 

 

4. Insider Threats Continue to Rise 


The News: A new report shows insider threats, both malicious and accidental, are climbing in frequency and cost. Despite investments in “culture building” and employee awareness, incidents tied to insider misuse, errors, or theft remain a significant driver of breaches.


Why It Is Important: Culture alone is not control. Executives cannot assume training replaces oversight. Insider incidents erode board confidence, invite regulatory scrutiny, and cause significant reputational damage. “Trust but verify” must be applied to your workforce. 


Actions: 

  • Deploy user and entity behavior analytics (UEBA) aligned with NIST CSF DE.CM.

  • Implement least privilege, separation of duties, and data loss prevention (DLP). 

  • Regularly review logs for anomalies, mapped to CIS Control 8: Audit Log Management.


 

5. Browsers Are the New Identity Attack Vector 


The News: Researchers highlighted six emerging browser-based attacks that target identity tokens and cookies and enable session hijacking. As organizations shift workloads to SaaS, the browser itself has become the new enterprise perimeter.


Why It Is Important: Executives often underestimate browser security. Yet this is now the single point of access to corporate applications, customer data, and cloud assets. If the browser is compromised, the company’s digital front door is wide open. 


Actions: 

  • Require secure browser configurations and hardened policies (CIS Benchmarks). 

  • Deploy phishing-resistant MFA (FIDO2/WebAuthn).

  • Include browser-based threats in your Zero Trust strategy under NIST CSF PR.AC and DE.CM.

 


6. Employees Using AI Tools with Sensitive Data 


The News: A recent survey shows employees are feeding sensitive company information into generative AI tools without controls. This introduces regulatory, privacy, and intellectual property risks, as many AI platforms retain or share prompts. 


Why It Is Important: Safeguards for AI are no longer optional. Boards must recognize that regulators will soon require proof of AI governance. Unchecked employee use of AI tools may already violate privacy and data protection laws. 


Actions: 

  • Establish an AI Acceptable Use Policy mapped to the NIST AI Risk Management Framework.

  • Require vendor risk assessments for AI platforms under the NAIC Cybersecurity Model Law, 23 NYCRR 500, CCPA, and GLBA.

  • Train employees on red-line boundaries for sensitive data with practical “do and don’t” rules.

 


7. Gmail Security Alert: Why Are Companies Still Using It? 


The News: A newly reported Gmail security flaw has raised concerns for a user base of over a quarter of the world’s population. Despite repeated issues, many businesses continue to rely on Gmail, exposing themselves to risks around privacy, security, and compliance.


Why It Is Important: Free consumer-grade platforms are not enterprise-grade solutions. Boards should challenge IT leadership on why Gmail remains in use, given its history of vulnerabilities, privacy issues, and limited compliance controls. Continuing to rely on Gmail may create fiduciary exposure for executives who fail to act. 


Actions: 

  • Evaluate secure alternatives such as Proton Mail for Business, Microsoft 365, or other enterprise-grade providers. 

  • Ensure email security gateways (SEG) and DLP are enforced as part of NIST CSF PR.DS.

  • Align email platform selection with SOX, HIPAA, CCPA, and GDPR compliance requirements.

 


The Armes Vantage Point 


This week’s news shows recurring themes: reliance on vendors without oversight, the rising cost of insider and identity threats, and the need to govern emerging technologies such as AI and media verification. Boards and executives cannot outsource accountability. Regulators, shareholders, employees, and customers will hold leadership responsible for data governance, secure operations, and responsible controls, workflows, and technology adoption.


At Armes Vantage, our point of view is clear: cybersecurity is no longer an IT problem; it is a board-level responsibility tied to business resilience. Companies must move from reactive fixes to strategic frameworks, embedding security into every decision. Second, security must be removed from IT. Those who do will not only avoid tomorrow’s headlines but also earn trust as leaders in an era where trust can be currency.


© 2026 by Armes Vantage LLC operating as AV. All rights reserved.
