GUEST ESSAY: Testing principles to mitigate real-world risks to ‘SASE’ and ‘Zero Trust’ systems

By Sashi Jeyaretnam

A new generation of security frameworks is gaining traction, one that is much better aligned to today’s cloud-centric, work-from-anywhere world.

Related: The importance of ‘attack surface management’

I’m referring specifically to Secure Access Service Edge (SASE) and Zero Trust (ZT).

SASE replaces perimeter-based defenses with more flexible, cloud-hosted security that can extend multiple layers of protection anywhere. ZT shifts networks to a “never-trust, always-verify” posture, locking down resources by default and requiring granular context to grant access.

With most business applications and data moving to cloud and users connecting from practically anywhere, SASE and Zero Trust offer more versatile and effective security. Assuming, of course, that they work the way they’re supposed to.

Effective testing

Modern SASE/ZT solutions can offer powerful protection for today’s distributed, cloud-centric business networks, but they also introduce new uncertainties for IT. Assuring performance, interoperability, resilience, and efficacy of a SASE implementation can be tricky.

What’s more, striking the right balance between protecting against advanced threats and ensuring high Quality of Experience (QoE) is not easy when new DevOps/SecOps tools are pushing out a 10X increase in software releases.

GUEST ESSAY: The case for complying with ISO 27001 — the gold standard of security frameworks

By Matthew Sciberras

Of the numerous security frameworks available to help companies protect against cyber-threats, many consider ISO 27001 to be the gold standard.

Related: The demand for ‘digital trust’

Organizations rely on ISO 27001 to guide risk management and customer data protection efforts against growing cyber threats that are inflicting record damage, with the average cyber incident now costing $266,000 and as much as $52 million for the top 5% of incidents.

Maintained by the International Organization for Standardization (ISO), a global non-governmental group devoted to developing common technical standards, ISO 27001 is periodically updated to meet the latest critical threats. The most recent updates came in October 2022, when ISO 27001 was amended with enhanced focus on the software development lifecycle (SDLC).

These updates address the growing risk to application security (AppSec), and so they’re critically important for organizations to understand and implement in their IT systems ASAP.

GUEST ESSAY: Too many SMBs continue to pay ransomware crooks — exacerbating the problem

By Zac Amos

Well-placed malware can cause crippling losses – especially for small and mid-sized businesses.

Related: Threat detection for SMBs improves

Not only do cyberattacks cost SMBs money, but the damage to a brand’s reputation can also hurt growth and trigger the loss of current customers.

One report showed ransomware attacks increased by 80 percent in 2022, with manufacturing being one of the most targeted industries. Attacks that drew public scrutiny included:

• Ultimate Kronos Group got sued after a ransomware attack disrupted its Kronos Private Cloud payment systems, relied upon by huge corporations such as Tesla, MGM Resorts and hospitals. That ransomware attack shut down payroll and human resources systems.

• The Ward Hadaway law firm lost sensitive client data to ransomware purveyors who demanded $6 million, or else they’d publish the data from the firm’s high-profile clients online.

SHARED INTEL: The expected impacts of Pres. Biden’s imminent National Cybersecurity Strategy

By Shannon Flynn

The United States will soon get some long-awaited cybersecurity updates.

Related: Spies use Tik Tok, balloons

That’s because the Biden administration will issue the National Cyber Strategy within days. Despite lacking an official published document, some industry professionals have already seen a draft copy of the strategic plan and weighed in with their thoughts. Here’s a look at some broad themes to expect and how they will impact businesses:

• New vendor responsibilities. Increased federal regulation puts more responsibility on hardware and software vendors compared to the customers who ultimately use their products.

Until now, people have primarily relied on market forces rather than regulatory authority. However, that approach often leads to bug-filled software because makers prioritize new product releases over ensuring they’re sufficiently secure.

These changes mean business representatives may see more marketing materials angled toward what hardware and software producers do to align with the new regulations.

GUEST ESSAY: Data loss prevention becomes paramount — especially in the wake of layoffs

By Guy Eisdorfer

When a company announces layoffs, one of the last things most employees or even company owners worry about is data loss.

Related: The importance of preserving trust in 2023

Valuable or sensitive information stored on a computer is exposed to theft or compromise. This can happen through intentional theft, human error, malware, or even physical destruction of servers. It is a real and growing risk to be aware of.

In 2020, Forbes reported that pandemic layoffs and remote work served to increase the risk of company data loss. Tesla, for example, suffered two cybersecurity events after layoffs back in 2018.

Data loss isn’t necessarily spiteful. Imagine an employee creates a spreadsheet showing all your clients and the main points of contact for each. She updates this sheet, but forgets to share it internally.

She gets laid off, and she takes the spreadsheet with her because she believes that the work she created at her job belongs to her. This may sound like an edge case, but a survey by Biscom found that 87 percent of employees took data that they themselves had created from their last job.

Data theft can also be deliberate and malicious. That same employee might use that spreadsheet as a bargaining chip in securing a new job with your competitor.

GUEST ESSAY: Advanced tools are ready to help SMBs defend Microsoft 365, Google Workspace

By Adrien Gendre

Throughout 2022, we saw hackers become far more sophisticated with their email-based cyber attacks. Using legitimate services and compromised corporate email addresses became a norm and is likely to continue in 2023 and beyond.

Related: Deploying human sensors

Additionally, with tools like ChatGPT, almost anyone can create new malware and become a threat actor.

According to a recent report, small businesses (defined as those with under 250 employees) receive the highest rate of targeted malicious emails at one in every 323 emails, and 87 percent of those businesses hold customer data that could be targeted in an attack.

Another report by Vade completed last year found that 87 percent of respondents agreed their organization could take email security threats more seriously.

SHARED INTEL: The common thread between China’s spy balloons and Congress banning Tik Tok

By Dan Meyer and Lachlan McKinion

The decision by the House of Representatives to ban TikTok from federal devices is noteworthy, especially as the Chinese spy balloon crisis unfolds.

Related: The Golden Age of cyber espionage

On December 23, 2022, Congress, in a bipartisan spending bill, banned TikTok from all government devices. The White House, the Pentagon, the Department of Homeland Security, and the State Department have already banned the social media app, as have more than a dozen other states.

The TikTok decision combines national security, social media, and “China” in a single institution’s change of policy. It reflects the challenge that continued use of social media presents to those within the federal circle of trust.

The Chinese government, as well as other foreign powers, actively probe all aspects of American life for information useful in compromising the Republic’s national security interests. They are active not only in stealing the federal government’s data, but also doing the same in our private and public corporations.