If you’re a small business looking for the secret sauce to cybersecurity, the secret is out: start with a cybersecurity policy and make the commitment to security a business-wide priority.


Small businesses, including nonprofit organizations, are not immune to cyberattacks. The average cost of a cybersecurity breach was $4.45 million in 2023, according to IBM’s Cost of a Data Breach Report, and over 700,000 small businesses were targeted in cybersecurity attacks in 2020, according to the Small Business Association.

Nonprofits are equally at risk, and often lack cybersecurity measures. According to Board Effect, 80% of nonprofits do not have a cybersecurity plan in place.

Given the risk involved, small businesses and nonprofits must consider prioritizing cybersecurity policies and practices to stay protected, retain customers, and remain successful. Financial information is one of the most frequently targeted areas, so it’s crucial your cybersecurity policies start with your finance team.

Taking an active role

Your cybersecurity policy should address your employees and technology systems.

Employee training is crucial. According to Verizon’s 2023 Data Breach Investigations Report, 74% of breaches were caused by human error, with phishing and text message phishing scams being some of the leading causes.

Training team members regularly with real-life scenarios will help them spot potential threats and protect them from exposing your business.


It’s also essential that your business evaluates its technology and keeps it updated to the latest security standards. For example, your accounting technology should have features that work to protect your data, like internal controls, multi-factor authentication, or an audit trail that documents changes to your data.

Consider these four best practices as the core of your finance team and business’ cybersecurity plan:

•Regularly update and back up your data systems. Security plays a crucial role in your technology. In the era of cloud computing, where programs and your information can be accessed anywhere, your business needs to keep its software up to date and back up critical systems. Cloud vendors often handle the security and backup processes automatically, so examine your technology and see if that is the case. If not, implement a plan to back up your information regularly and update your technology to the latest versions. These backups can also form the basis of a disaster recovery plan in the event of a natural disaster.

•Set access privileges and internal controls. Best practice is to require teams to use enhanced security measures like strong passwords that are changed regularly and multi-factor authentication to ensure your team is the only one accessing financial information.

Also consider creating a policy for which employees can access which types of data. When multiple members of your team can easily access a wide range of data without internal controls, it creates vulnerability. This matters most for financial information. Your technology should feature internal controls that segment your company’s information by title or role and grant each person access to only the data they need.

•Monitor team member access through audit trails. Your accounting technology should be equipped with an audit trail that logs every change made to your data, including the user who made the change and the workstation it was made from. Monitoring who has made what changes protects your business and holds team members accountable for safe IT practices.

•Adequate IT compliance. Every business has a standard of IT compliance that team members are accountable for upholding. First, it is crucial to have systems that adhere to regulations, laws, and general industry standards. If you have concerns about protecting your financial data, consider hiring a data protection officer or an outside firm to help you maintain compliance.

No one person can prevent cyberattacks alone. The secret sauce is that it takes a thorough cybersecurity policy and a team committed to keeping your business finance and accounting teams safe. Stay proactive. Stay educated. Stay safe.

About the essayist: Neil Taurins is the General Manager of Nonprofit Solutions at MIP Fund Accounting by Community Brands. He has been with the company for over 12 years and is passionate about working with government organizations and municipalities to provide them with solutions to improve efficiency.

A fledgling security category referred to as Cloud-Native Application Protection Platforms (CNAPP) is starting to reshape the cybersecurity landscape.


CNAPP solutions assemble a varied mix of security tools and best practices and focus them on intensively monitoring and managing cloud-native software, from development to deployment.

Companies are finding that CNAPP solutions can materially improve the security postures of both cloud-native and on-premises IT resources by unifying security and compliance capabilities. However, to achieve this higher-level payoff, CISOs and CIOs must first bury the hatchet and truly collaborate, which is a bonus return in itself.

In a ringing endorsement, Microsoft recently unveiled its CNAPP offering, Microsoft Defender for Cloud; this is sure to put CNAPP on a rising adoption curve with many of the software giant’s enterprise customers, globally. Meanwhile, Cisco on May 24 completed its acquisition of Lightspin, boosting its CNAPP capabilities, and Palo Alto Networks has continued to steadily sharpen its CNAPP chops, most recently with the acquisition of Cider Security.

At RSA Conference 2023, I counted at least 35 other vendors aligning their core services to CNAPP, in one way or another; many more seem likely to jump on the CNAPP bandwagon, going forward.

Newer vendors now primarily pitching CNAPP services include Uptycs, Runecast and Ermetic. Others range from vulnerability management (VM) stalwarts Tenable, Rapid7 and Qualys, to vendors crossing over from the cloud security posture management (CSPM) space, like Caveonix, Lacework and Wiz. Even endpoint security giants Trend Micro and Sophos have commenced pitching CNAPP solutions; so too are API security supplier Data Theorem and secure services edge (SSE) vendor Zscaler.


CNAPP at this juncture appeals mainly to enterprises that maintain large software development communities in the public cloud, Charlie Winckless, Gartner Senior Director Analyst, told me. “CNAPP products are tied to cloud maturity,” he explains. “This will continue to grow, but other security controls will remain important as well. CNAPPs protect cloud environments and the majority of organizations will be hybrid for a significant amount of time.”

Managing dynamic risks

Several developments have converged to put CNAPP on a fast track. Massive interconnectivity at the cloud edge is just getting started and will only intensify, going forward. This portends amazing advancements for humankind – and fresh revenue streams for innovative enterprises — but first a tectonic shift in network security must fully play out.

This is because the attack surface of cloud-native applications is expanding rapidly, with malicious hackers targeting insecure code up and down the software supply chain. Ransomware, email fraud and data theft continue to run rampant aided and abetted by insecure configurations of the myriad access points connecting on-premises and cloud IT assets.

The cybersecurity industry’s competitive bent hasn’t made it easy for companies to understand, much less gain control of, these escalating exposures spinning out of such a highly dynamic operating environment. To protect new cloud-native assets, rival vendors have pushed forward an alphabet soup of upgraded iterations of legacy tools and all-new technologies – without paying much attention to interoperability.

The result has been a stark lack of integration which has translated into an excessive volume of alerts, a good percentage of them trivial or even false. Tension between security teams trying to cope and software developers striving to innovate as fast as possible has boiled over. Something in the form of CNAPP (as coined by Gartner) was bound to come along.

According to Gartner’s March 2023 CNAPP market guide, CNAPP solutions consolidate multiple security and protection capabilities into a single platform capable of prioritizing excessive risks. This revolves around granular monitoring and management of cloud-native applications.

This type of overarching approach to securing modern networks can iterate from legacy security technologies, such as VM or endpoint detection and response (EDR), or it can extend from newer services, such as software composition analysis (SCA), cloud workload protection platforms (CWPP) and cloud infrastructure entitlements management (CIEM).

And now Microsoft has set out to prove that it makes good sense to come at it from the operating system level. That said, the Gartner report acknowledges that CNAPP is in a very early stage and cautions that no single vendor is best-of-breed in every capability.

New level of collaboration

It may be early, but CNAPP is demonstrating that it does a few things very well: reducing complexity, for one. There’s a huge need for this. Some 80 percent of respondents to Palo Alto Networks’ 2023 State of Cloud-Native Security Report expressed the need for a centralized security solution, with 76 percent reporting that using multiple security tools has created blind spots that make it difficult to prioritize and mitigate risk.


“Stitching together disparate security tools often results in security blind spots,” says Ory Segal, CTO of Prisma Cloud, Palo Alto’s CNAPP offering. “Attempting to triage security issues reported from multiple security systems, used by different teams, is close to impossible.”

One Palo Alto customer, a well-known global multimedia organization, recently replaced several tools with Prisma Cloud, which then swiftly detected a significant number of malicious bots abusing an API search function in one of their internet-exposed cloud workloads, Segal told me.

“Once they were aware of the abuse, they enabled bot protection on the platform and saw a dramatic decrease in daily operational costs — from thousands of dollars a day to $50 a day,” he says.


A notable intangible benefit of CNAPP is that it eases the burden on stretched-thin security teams and creates space for more productive dialogues between security analysts, software developers and IT services. This is leading to a new level of collaboration that’s making a notable difference day-to-day for companies embracing CNAPP, says Doug Dooley, CTO at Data Theorem.

At present, security analysts and software developers tussle over shifting code audits to the left, as early as possible in the software development cycle, while IT staff separately focuses on wrangling configuration settings of cloud-hosted IT infrastructure, a piecemeal approach to security. “So this idea of artifact scanning, cloud configuration hardening, and runtime protection, particularly in production, those three programs needed to merge together,” Dooley says. “And that’s what CNAPP, when it works, does really well.”

CNAPP’s emergence happens to align with another trend gaining steam. As part of getting a better handle on their use of cloud-hosted IT infrastructure, some enterprises are reverting to running certain workloads back home — in an on-premises data center, observes Michiel De Lepper, Global Enablement Manager at Runecast. This “back-migration,” he says, is happening because certain workloads are proving to be too costly to run in the cloud, namely resource-intensive AI modeling.


“The IT industry is always evolving and essentially that means ever-increasing complexities because you’ve got disparate environments that you somehow need to cohesively manage,” De Lepper says.

According to Gartner, CNAPP’s superpower is that it can trump complexity by ingesting telemetry, at a deep level, across all key security systems. Advanced data analytics can then be brought to bear setting in motion automated enforcement of smart policies and automated detection and response to live attacks.

Runecast, for instance, takes a proactive approach to risk-based vulnerability management, configuration management, container security, compliance auditing, remediation and reporting. This helps with compliance, at one level, but also continually improves a company’s overall security posture, De Lepper told me.

“It’s no longer about creating shields,” De Lepper says. “Instead, we’re helping our customers plug all the gaps we know that the bad guys can use.”

Synergistic integration

I heard very similar messaging from all the CNAPP solution providers I’ve reviewed for this article. Indeed, all of them are designed to consolidate some mix of security capabilities into a single platform tuned to prioritize and act upon cloud-native risks, and, by extension, exposures in related infrastructure, whether it be in the public cloud, hybrid cloud or on premises.

The suppliers argue that this leads first and foremost to enhanced visibility not just of individual components, but much more crucially of all the communications between systems – especially connections happening ephemerally in runtime and in the API realm. This is a very positive development for security analysts, software developers and IT staff, who desperately need a more unified toolset to help them collectively visualize risk and make the highest use of this greater visibility.

CNAPP suppliers are starting to help these three groups lower the cost of compliance and remediate security vulnerabilities much more effectively. Gartner’s Winckless cautions that some vendors may not supply true integration, nor provide a robust feedback loop. “As with many other platforms, it’s important to look for these integrations to provide synergy and not to buy simply a collection of tools that are, at best, loosely interconnected from a single vendor in the hopes of gaining advantage,” he says.

Moving forward, CNAPP seems poised to arise as a core security component of modern business networks.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


To be productive in an interconnected work environment, employees need immediate access to numerous platforms both on- and off-premises.


Keeping track of user activity and effecting proper on- and off-boarding is becoming more and more difficult, even as unauthorized access via unused, expired, or otherwise compromised access credentials has become the number one cybersecurity threat vector.

Some nine out of ten cyberattacks are estimated to begin with a threat actor gaining unauthorized access to a computer system via poorly managed access credentials.

Cyberattacks perpetrated through unused, old, expired, and otherwise mismanaged access credentials are growing in sophistication by the minute, even as it is becoming more challenging to respond to these attacks in an organized and timely manner.

Context needed

Organizations that are used to workflow-based access systems or ticket-based systems, i.e. traditional Privileged Access Management (PAM), must now make a big cultural shift. PAM enables granular access and monitors, detects, and alerts on instances of unauthorized access through policy guardrails.

However, while PAM and other legacy access management systems do alert to unauthorized access, these warnings lack a clear picture of the user’s intent and the context behind the alert.

Today’s alert fatigue is not caused by the sheer number of alerts but by the poor quality of individual alerts.

SaaS platforms have led to very different types of user profiles over the last few years. Users are now dynamic; they move from platform to platform, and their need for access changes continuously.

Key variables

A modern access management system should handle the following:

•The sprawl of user roles and their privileges and activities, growing at the same rate as the infrastructure proliferation.

•The traditional Role-Based Access Control (RBAC) provides perpetual access based on a user’s roles – a methodology that has run its course. Even with the addition of zero-trust-based access on a granular level, RBAC is no longer enough.

•Today’s enterprise users wear multiple hats and use different software with varying privileges. The nature of these privileges has to be dynamic, or the access management system becomes a bottleneck.

•A user with a specific level of access may need to temporarily elevate their privilege because they need access to protected data to complete a task. Scaling workflow-based systems to match larger teams’ needs is difficult and creates a chaotic situation with many users simultaneously bombarding the security admins for approval.

•Some access monitoring solutions rely heavily on automated access controls, such as group policies or other sets of criteria, that will allow access requests to be processed automatically. Automation lacks the intelligence to adapt to changing user behaviors and entitlements.

Noisy ‘observability’

PAM and SIEM solutions are classic systems built on observability. But observability is no longer enough to keep your organization safe.

Observability systems work by alerting to unauthorized access, but they also create a lot of extra noise, and experience shows that they are often not fully implemented. Another problem is that alerts come in after the fact and not in real time. Privileged access abuse is a here-and-now problem that must be addressed as it happens.

One of the functions of Inside-Out Defense – Automated Moving Target Defense SaaS – is that it can immediately remediate privileged user access abuse in-line. This is accomplished by determining the context and intent behind every user activity.


It provides customers, for the first time, an aggregated view of users, their profiles, and activities across different environments, which addresses a big challenge faced by enterprises today. We provide a comprehensive 360-degree view of what every user is doing at any one time, along with an immutable forensic log, thereby enabling enterprises to stay in compliance.

At Inside-Out-Defense we know that threat actors are constantly becoming more sophisticated as they work to find new avenues for disruption. Current solutions focusing on static signatures of threats often miss a crucial understanding of cyber attackers’ sophisticated yet unknown behaviors. Customers need solutions like ours that can work at scale and in real time to address some of the most persistent problems in network security.

About the essayist: Ravi Srivatsav is co-founder and CEO of Inside-Out-Defense, which emerged from stealth in April 2023 with a solution to solve privilege access abuse and provide real-time detection and remediation to today’s most prolific attack vector – privilege access abuse.

Miami, Fla. – June 20, 2023 – ThriveDX, the leader in cybersecurity and digital skills training, today announced the official launch of its new Cyber Academy for Enterprise. This innovative solution, part of the company’s Human Factor Security suite, empowers organizations to reskill and upskill employees for cybersecurity positions while also attracting diverse external candidates, simultaneously addressing the growing talent and diversity gaps in the cyber industry.

Cyber Academy for Enterprise is more than a cybersecurity training program – it’s a complete solution that enables businesses and government agencies to cultivate their internal talents while simultaneously attracting diverse external candidates for cybersecurity positions.

Designed for an end-to-end cybersecurity learning journey, the program offers pre-training screening, intensive training, and post-training matching to facilitate an efficient talent acquisition and development process.

“The cybersecurity talent shortage and lack of diversity is one of the biggest challenges of human resources and cybersecurity leaders. Effective reskilling of employees demands considerable investment, and recruiting diverse talent requires a comprehensive understanding of organizational needs to properly align candidates with open positions,” said Roy Zur, CEO of ThriveDX Enterprise.

“Our Cyber Academy for Enterprise creates unprecedented educational opportunities for all, irrespective of their background or skill level,” Zur continued. “It not only aids in talent acquisition from outside the company but also facilitates the reskilling and upskilling of current employees, fostering an environment of continual learning and development.”


The global shortage of cybersecurity talent and the skills gap continue to widen, with more than 3.5 million unfilled cybersecurity jobs worldwide. Eighty percent of organizations attribute one or more recent breaches to a lack of cybersecurity talent and skills within their company. At the same time, the industry suffers from a lack of diversity. The Cyber Academy for Enterprise targets both these issues, offering a robust platform for building cyber skills and enhancing diversity within the industry.

Holistic training

The academy offers a holistic training experience, with rigorous learning supplemented with access to virtualized cyber labs and challenges. Overall, trainees have an opportunity to access 1000+ hours of immersive learning and hands-on practice, ensuring they are thoroughly prepared for real-world cybersecurity scenarios. Key advantages of the Cyber Academy for Enterprise include:

•Access to over 1000 hours of immersive, hands-on training, adhering to globally recognized cybersecurity education frameworks such as the National Initiative for Cybersecurity Education (NICE) and National Institute of Standards and Technology (NIST).

•Real-world simulations on a skills-based learning platform, providing trainees with exposure to current threat landscapes.

•A comprehensive curriculum, offering diverse cybersecurity modules tailored to various career tracks.

•Access to a network of 1000+ professional cybersecurity trainers.

•Pre-training screening to identify high-potential talent, offering an objective comparison of candidates and unbiased talent assessment.

•Data-driven post-training matching, enabling optimization of both internal and external recruitment practices.

•Partnership option to run the academy in conjunction with leading universities, providing graduates with a university certificate.

ThriveDX’s Cyber Academy has been implemented and deployed with global universities, enterprise, MSSPs, non-profits, and government agencies to broaden access to cybersecurity training and employment opportunities across all regions.

“We aim to democratize access to cybersecurity education, allowing anyone, regardless of their technical background, to embark on or advance a cybersecurity career. Having already reskilled more than 60,000 learners globally into cybersecurity and related positions, we now provide organizations with the tools to attract, develop, and retain diverse talent, educated in the latest cybersecurity technologies, and capable of mitigating enterprise risk,” Zur added.

For more information and to request a demo please visit thrivedx.com.

About the company: The ThriveDX team is composed of military-trained cyber experts, industry veterans, and seasoned educators united in the mission to close the worldwide skills and talent gap in cybersecurity, and encourage diversity, equity and inclusion across industries.

# # #

Cambridge, Mass., June 15, 2023. The World Wide Web Consortium today announced a standardization milestone for a new browser capability that helps to streamline user authentication and enhance payment security during Web checkout. Secure Payment Confirmation (SPC) enables merchants, banks, payment service providers, card networks, and others to lower the friction of strong customer authentication (SCA), and produce cryptographic evidence of user consent, both important aspects of regulatory requirements such as the Payment Services Directive (PSD2) in Europe.

Publication of Secure Payment Confirmation as a Candidate Recommendation indicates that the feature set is stable and has received wide review. W3C will seek additional implementation experience prior to advancing this version of Secure Payment Confirmation to Recommendation.

Customer authentication

For the past 15 years, e-commerce has increased as a percentage of all retail sales. The COVID pandemic appears to have slightly accelerated this trend. Improvements to in-person payment security and other factors have led to ongoing increases in online payment fraud.

To combat online payment fraud growth, Europe and other jurisdictions have begun to mandate multifactor authentication for some types of payments. Though multifactor authentication reduces fraud, it also tends to increase checkout friction, which can lead to cart abandonment (cf. for example, Microsoft merchant experiences with SCA under PSD2).

In 2019 the Web Payments Working Group began work on Secure Payment Confirmation to help fulfill Strong Customer Authentication requirements with low checkout friction. Stripe conducted a pilot with an early implementation of SPC and, in March 2020, reported that, compared to one-time passcodes (OTP), SPC authentication led to an 8% increase in conversions while checkout was 3 times faster.

W3C continues to receive feedback about Secure Payment Confirmation through pilot programs, including a second experiment by Stripe. The Web Payments Working Group anticipates more experimental data will be available by September 2023.

Industry collaboration


In the Web Payment Security Interest Group, W3C, the FIDO Alliance, and EMVCo pursue improvements to online payment security through the development of interoperable technical specifications. Secure Payment Confirmation reflects this collaboration: it is built atop Web Authentication and is supported by both EMV® 3-D Secure (version 2.3) and EMV® Secure Remote Commerce (version 1.3); see the Web Payment Security Interest Group’s publication How EMVCo, FIDO, and W3C Technologies Relate for more details.

Secure Payment Confirmation is not just for card payments. The Web Payments Working Group regularly discusses how SPC might be integrated into other payment ecosystems such as Open Banking, PIX (in Brazil), as well as in proprietary payment flows.

“Making it easy for people to pay for things online while improving security has been the vision of our working group since we started in 2015,” said Working Group co-Chair Nick Telford-Reed. “Secure Payment Confirmation means that for the first time, there will be a common way of authenticating shoppers across payment methods, platforms, devices and browsers, and builds on the success of W3C’s Payment Request and the work of both the FIDO Alliance and EMVCo.”

Secure Payment Confirmation

Secure Payment Confirmation adds a “user consent layer” above Web Authentication. At transaction time, Secure Payment Confirmation prompts the user to consent to the terms of a payment through a “transaction dialog” that is governed by the browser; the Chrome implementation of the transaction dialog is shown above. The transaction details are signed by the user’s FIDO authenticator, and the bank or other party can validate the authentication results cryptographically, and thus that the user has consented to the terms of the payment (a requirement under PSD2 called “dynamic linking”). EMV® 3-D Secure and other protocols can be used to communicate the authentication results to banks or other parties for this validation.

SPC is currently available in Chrome and Edge on MacOS, Windows, and Android. During the Candidate Recommendation period the Web Payments Working Group will seek implementation in other browsers and environments.

About W3C: The mission of the World Wide Web Consortium (W3C) is to lead the Web to its full potential by creating technical standards and guidelines to ensure that the Web remains open, accessible, and interoperable for everyone around the globe. W3C’s well-known standards HTML and CSS are the foundational technologies upon which websites are built. W3C works on ensuring that all foundational Web technologies meet the needs of civil society, in areas such as accessibility, internationalization, security, and privacy. W3C also provides the standards that undergird the infrastructure for modern businesses leveraging the Web, in areas such as entertainment, communications, digital publishing, and financial services. That work is created in the open, provided for free and under the groundbreaking W3C Patent Policy.

W3C’s vision for “One Web” brings together thousands of dedicated technologists representing more than 400 Member organizations and dozens of industry sectors. W3C is a public-interest non-profit organization incorporated in the United States of America, led by a Board of Directors and employing a global staff. For more information see https://www.w3.org/.

Media Contact: Amy van der Hiel, W3C Media Relations Coordinator w3t-pr@w3.org +1.617.453.8943 (US, Eastern Time)

# # #

Cyber threats have steadily intensified each year since I began writing about privacy and cybersecurity for USA TODAY in 2004.


A stark reminder of this relentless malaise: the global cyber security market is on a steady path to swell to $376 billion by 2029, up from $156 billion in 2022, according to Fortune Business Insights.

Collectively, enterprises spend a king’s ransom many times over on cyber defense. Yet all too many companies and individual employees still lack a full appreciation of the significant risks they, and their organizations, face online. And as a result, many still do not practice essential cyber hygiene.

Perhaps someday in the not-too-distant future that may change. Our hope lies in leveraging machine learning and automation to create very smart and accurate security platforms that can impose resilient protection.

Until we get there – and it may be a decade away — the onus will remain squarely on each organization — and especially on individual employees —  to do the wise thing.

A good start would be to read Mobilizing the C-Suite: Waging War Against Cyberattacks, written by Frank Riccardi, a former privacy and compliance officer from the healthcare sector.

Riccardi engagingly chronicles how company leaders raced down the path of Internet-centric operations, and then cloud-centric operations, paying far too little attention to unintended data security consequences. Here are excerpts of my discussion with Riccardi, edited for clarity and length.

LW: Catastrophic infrastructure and supply chain breaches, not to mention spy balloons and Tik Tok exploits, have grabbed regulators’ attention. How does your main theme tie in?

Riccardi: My book discusses how the perception of cyberattacks shifted from being mere data breaches to having real-world consequences, especially after high-profile cases in 2021, like Colonial Pipeline and Schreiber Foods.

These attacks sparked public realization that cyber threats can disrupt daily life, leading to anger against corporations, not just cybercriminals, if they failed to implement basic cybersecurity measures. My book emphasizes the heightened responsibility of C-suite leaders, considering the increased public, media, and regulator scrutiny.

LW: You come from the private sector, so you know first-hand how cybersecurity is typically viewed as a cost center and an innovation dampener. Will that have to change?


Riccardi: Absolutely. Cybersecurity shouldn’t be seen as a mere cost but as an existential need. Cyberattacks are increasing, and viewing cybersecurity as a cost center is a dangerous mistake. Companies can leverage cybersecurity as a business enabler and a revenue generator, like Apple and Microsoft.

It’s crucial for companies to perceive cybersecurity as a competitive advantage rather than an innovation dampener.

LW: What must SMBs and mid-market enterprises focus on?

Riccardi: SMBs face challenges when dealing with cybersecurity implications of software-enabled, cloud-based operations due to financial and skill limitations. Cyber risks from third-party vendors further complicate the situation.

To navigate this, SMBs need to conduct an enterprise risk assessment, implement basic cybersecurity controls, train their workforce, and consider outsourcing cybersecurity to a security-as-a-service provider.

LW: You discuss password management and MFA; how big a bang for the buck is adopting best practices in these areas?

Riccardi: Basic cyber hygiene is 90 percent of what cybersecurity is all about. Sure, you need state-of-the-art cybersecurity technology like firewalls, anti-virus software, and intrusion detection systems to keep cybercriminals on the back foot.

The law of large numbers favors the bad guys. A company may have thousands of employees, but it only takes one phished employee for cybercriminals to bring the network to its knees.

Strong passwords can repel a brute force attack, but MFA is the extra layer of protection when a reused password is used in a credential stuffing attack. And when strong passwords and MFA let you down, encryption can keep sensitive data from being accessed by cybercriminals.

LW: How important is effective cybersecurity awareness training?

Riccardi: The human factor is the weakest link in cybersecurity, and that’s why cybercriminals zero in on the company’s employees to bypass cybersecurity defenses.

Companies can prevent social engineering attacks by steeping employees in cyber hygiene and warning them about the sneaky ways cybercriminals launch cyberattacks. Unfortunately, many cybersecurity training initiatives nose-dive because they are too technical for non-geek employees to understand.

Boring check-the-box training leads to poor employee engagement and a workforce asleep at the switch when cybercriminals come knocking. The way to avoid this is by taking into account the human factor when designing cybersecurity training; this means making training fun and engaging and helping employees understand their roles and responsibilities in cybersecurity.

LW: Given rising compliance, led by President Biden’s cybersecurity initiatives, where do you see things going in the next 2 to 5 years?

Riccardi: In the next 2 to 5 years, I expect strenuous efforts from the Biden administration to partner with private enterprise to beef up cybersecurity across all industries. I suspect we’ll see a carrot-and-stick approach combining incentives with regulations to cajole SMBs into adopting cyber hygiene best practices, such as MFA.

Executive accountability and liability for cyberattacks will skyrocket as ransomware progresses as a national security threat and front-page news.

SMBs are likely in a jam, as companies without the means and expertise to build a decent cybersecurity program will struggle in this regulatory environment. However, engaging a SaaS provider may be a cost-effective way for SMBs to obtain a world-class cybersecurity function that meets compliance requirements.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

The inadequacy of siloed security solutions is well-documented.

Related: Taking a security-first path

The good news is that next-gen security platforms designed to unify on-prem and cloud threat detection and remediation are, indeed, coalescing.

At RSA Conference 2023 I visited with Elias Terman, CMO, and Sudarsan Kannan, Director of Product Management, from Uptycs, a Waltham, Mass.-based supplier of “unified CNAPP and EDR” services.

They described how Uptycs is borrowing proven methodologies from Google, Akamai, SAP and Salesforce to harness normalized telemetry that enables Uptycs to correlate threat activity — wherever it is unfolding. Please give a listen to the accompanying podcast for a full drill down.

Guest experts: Elias Terman, CMO, Sudarsan Kannan, Director of Product Management, Uptycs

Kannan described how Uptycs’ technology platform was inspired by Google’s dynamic traffic monitoring, Akamai’s content distribution prowess and Salesforce’s varied use cases based on a single data model, to help companies materially upgrade their security posture. The aim, he says, is to think like attackers, who certainly don’t operate in silos.

Terman offered the analogy of a “golden thread” stitching together varied threat activities and serving as a cloud security early warning system. The entire value chain is thereby protected, Kannan added, from the developers writing the code to automated connections to critical cloud workloads.

Terman detailed how Uptycs’ platform, indeed, touches everything within the modern attack surface and, in doing so, breaks down legacy silos and facilitates better security outcomes.

This is part and parcel of the helpful dialogue that will carry us forward. I’ll keep watch and keep reporting.



(LW provides consulting services to the vendors we cover.)


The ransomware plague endures — and has arisen as a potent weapon in geopolitical conflicts.

Related: The Golden Age of cyber espionage

Cyber extortion remains a material threat to organizations of all sizes across all industries. Ransomware purveyors have demonstrated their capability to endlessly take advantage of a vastly expanded network attack surface – one that will only continue to expand as the shift to massively interconnected digital services accelerates.

Meanwhile, Russia has turned to weaponizing ransomware in its attempt to conquer Ukraine, redoubling this threat. Now that RSA Conference 2023 has wrapped, these things seem clear: ransomware is here to stay; it is not, at this moment, being adequately mitigated; and a new approach is needed to slow, and effectively put a stop to, ransomware.

I had the chance to visit with Steve Hahn, EVP Americas, at Bullwall, which is in the vanguard of security vendors advancing ways to instantly contain threat actors who manage to slip inside an organization’s network.

Guest expert: Steve Hahn, EVP Americas, Bullwall

Bullwall has a bird’s eye view of Russia’s ongoing deployment of ransomware attacks against Ukraine, and its allies, especially the U.S.

Weaponized ransomware doubly benefits Russia: it’s lucrative, generating billions in revenue and thus adding to Putin’s war chest; and at the same time it also weakens a wide breadth of infrastructure of Putin’s adversaries across Europe and North America.

Containment is a logical tactic that could make a big difference in stopping ransomware and other types of attacks. For a full drill down, please give the accompanying podcast a listen. I’ll keep watch and keep reporting.


Attack surface expansion translates into innumerable wide-open vectors of potential unauthorized access into company networks.

Related: The role of legacy security tools

Yet the heaviest volume of routine, daily cyber attacks continues to target a very familiar vector: web and mobile apps.

At RSA Conference 2023, I had the chance to meet with Paul Nicholson, senior director of product marketing and analyst relations at A10 Networks. A10 has a bird’s-eye view of the flow of maliciousness directed at web and mobile apps – via deployments of its Thunder Application Delivery Controller (ADC).

We discussed why filtering web and mobile app traffic remains as critical as ever, even as cloud migration intensifies; for a full drill down, please give the accompanying podcast a listen.

Companies today face a huge challenge, Nicholson says. They must make ongoing assessments about IT infrastructure increasingly spread far and wide across on-premises and public cloud computing resources.

Guest expert: Paul Nicholson, senior director, product marketing & analyst relations, A10 Networks

The logical place to check first for incoming known-bad traffic remains at the gateways where application traffic arrives.

At RSAC 2023, A10 announced the addition of a next-generation web application firewall (NGWAF), powered by Fastly, to its core Thunder ADC service. This upgrade, he told me, is expressly aimed at helping companies optimize secure performance of their hybrid cloud environments.

This is another encouraging example of stronger together advancement. I’ll keep watch and keep reporting.


At 10 am PDT, next Wednesday, April 19th, I’ll have the privilege of appearing as a special guest panelist and spotlight speaker on Virtual Guardian’s monthly Behind the Shield cybersecurity podcast.

Related: The Golden Age of cyber spying is upon us

You can RSVP – and be part of the live audience – by signing up here. The moderator, Marco Estrela, does a terrific job highlighting current cybersecurity topics ripped from the headlines. For my part, I’m going to ‘follow the money’ with respect to the strategic use of weaponized ransomware on the part of Vladimir Putin.

I recently had the chance to drill down on this topic as part of a Last Watchdog Fireside Chat podcast I’m currently producing. Stay tuned for my eye-opening discussion with BullWall, a Danish startup that’s in the midst of helping companies effectively mitigate cyber extortion.

Meanwhile, in the April 19th episode of Behind the Shield, I’m going to attempt to summarize the big theme I’m hearing from BullWall and numerous other security vendors as I get ready to make the trek to San Francisco’s Moscone Center to cover RSA Conference 2023 in person – after two years of covering it remotely.

And that theme is . . . the unfolding reconstitution of network defense. There’s a common thread running through all of the advanced tools, new security frameworks and innovative security services that are rapidly gaining traction.

At some level, they all drive us in the direction of creating a new tier of overlapping, interoperable, highly automated security platforms. The end game quite clearly must be to bake security deep inside the highly interconnected systems that will give us climate-rejuvenating vehicles and buildings and spectacular medical breakthroughs.

I’ll get this discussion going at Virtual Guardian’s Behind the Shield podcast next week. And I’ll try to ramp it up in my upcoming series of Last Watchdog RSA Insights Fireside Chat podcasts to follow. I’ll keep watch and keep reporting.
