Omada Named a Leader in the Gartner Magic Quadrant 2019

SecurIT is proud to announce that Omada has been named a leader in the Gartner Magic Quadrant for Identity Governance and Administration 2019.

Omada believes that they are positioned as a Leader because of their pioneering best practices for IGA, the development of their unique identityPROCESS+ framework, their implementation methodology, and their Identity Governance and Administration product OIS delivered as software and as-a-service.

“Being recognized as a Leader by Gartner is an honor and an important milestone in our global expansion,” said Morten Boel Sigurdsson, CEO of Omada. “Yet, it is not our achievement alone. This is also a recognition of our partners who are building their businesses on Omada and our shared effort to create business value for customers.”

Discover why Omada is a Gartner Magic Quadrant for Identity Governance and Administration Leader
Omada has been named a Leader in Gartner’s Magic Quadrant for their ability to execute and completeness of vision. They see their position in the Magic Quadrant as a confirmation of their focus on using identity to create business value and accelerate digital transformation. 


THE NIST CYBER-SECURITY FRAMEWORK AND THE IMPORTANCE OF ‘IDENTIFY’

One of the areas that the National Institute of Standards and Technology, or NIST, is concentrating on is cybersecurity. As regular readers of this blog will know, cybersecurity incidents are at an all-time high. Last year, Secretary of State John Kerry even described the security situation as being “pretty much the wild west…so to speak”. It is within the context of this overbearing security incident landscape that the NIST Cybersecurity Framework has come into being.

Why Even Have A Framework for Cyber-Security?

You may well ask, why have an overarching framework for handling security issues, why can’t I just work it out myself as I need to? A framework is a positive and helpful reference system. Frameworks develop out of experience and knowledge of a given situation. You could apply the principles of a framework to pretty much any situation. For example, you could have a framework which expands upon the types of policies needed for a specific healthcare service, or one for a public transport system, and so on.

The cyber-security framework that NIST has developed is in a similar vein. It has been built upon the experience and knowledge of many organizations and individuals who have worked in the area of security. This collective expertise is used to create guidance on how to recognize, manage and mitigate cybersecurity risks.

Having an expert system, like a framework, is particularly useful for creating strategy and policy around cybersecurity threats. The framework was put together using the aggregated wisdom of over 3000 security professionals. It gives you the foundation stone to create your own internal targets and plans that you can use to build a more secure organization.  It means you can use already tried and tested protocols and procedures, without having to reinvent the wheel. In other words, it is a way to use security collaboration for the benefit of all.

Having an established set of guidelines for developing your own Cybersecurity program is recognized by many experts as now essential. PWC in their report on “Why you should adopt the NIST Cybersecurity framework” has stated that,

“It is our opinion that the NIST Cybersecurity Framework represents a tipping point in the evolution of cybersecurity, one in which the balance is shifting from reactive compliance to proactive risk-management standards.”

PWC

What are the NIST Cybersecurity Framework Basic Functions?

The NIST Cybersecurity framework has a core, which is built upon five basic functions:

Identify

Protect

Detect

Respond

Recover

Each looks at different aspects of a Cybersecurity threat/attack lifecycle and how best to handle it. They follow a logical progression and build upon each preceding function. I’ll concentrate here on the first one, Identify.

The definition of ‘Identify’ is this:

“An understanding of how to manage Cybersecurity risks to systems, assets, data, and capabilities”

This is the most basic and fundamental of all of the NIST Cybersecurity functions and as such, it is the most important. Identify is all about identification – understanding what your critical assets are and understanding where the risks lie. Assets are wide and varied and literally, anything that can be breached or damaged is an asset. This includes intellectual property, customers’ data, proprietary information and also physical assets. This whole area is becoming increasingly complex as we expand our networks outwards into the Cloud and even more so as we enter the era of the Internet of Things (IoT).

Identify is all about governance too. Our perimeters are becoming more fluid and fuzzy as they expand outwards and cross over the supply chain itself. In fact, the supply chain is one of the areas that can stand to benefit most from the use of the Identify function within the NIST Cybersecurity framework. Many organizations are now asking suppliers to provide a Framework profile, or providing their own template to suppliers, which sets out how the supplier approaches security and their own internal processes and procedures that fit in with the NIST philosophy. This forms the basis of their risk management strategy, again a fundamental of the Identify function.

The Identify stage of the NIST framework is the vital first step in understanding how to approach Cybersecurity risk mitigation. This step is the pivot upon which the other four functions work. Without having full sight of the various aspects of your business, across your expanded data universe for your own organization and any associated companies, you can’t hope to build a holistic and effective Cybersecurity management plan.

Making NIST and the Identify Function Work for Us

The NIST Cybersecurity Framework has been designed in collaboration with security professionals who have gone through the pain of creating a solid Cybersecurity strategy. We can all benefit from using their collective wisdom and following their recommendations. The first foot on the road to a solid Cybersecurity program is to know your enemy and their actions. Performing the Identify function is that first step on the road to a more secure organization.

There are many places you can get further information on applying the NIST cybersecurity framework principles. However, there is a book I can highly recommend, by Adam Anderson and Tom Gilkeson, “Small Business Cybersecurity”, that will help ease the complexity out of the equation and explain in simple terms how to utilize the NIST Cybersecurity framework and the Identify function. The book was written specifically to advise security professionals at small to medium-sized companies on how to communicate the latest tools and techniques in security to C-level executives, and it is a great reference guide.


Privileged Account Management for Dummies

Getting to know PAM

This book gives IT professionals a practical understanding of privileged account management (PAM). It describes what privileged accounts are, where they reside throughout an IT environment, and how they function. Most importantly, this book explains the risks associated with these accounts and how to best protect them from hackers and malicious insider threats. 

This book will help you:

  • Grasp the fundamentals of privileged account management (PAM) 
  • Develop strategies for building a PAM solution
  • Learn the top ways to protect your organization’s most critical accounts

PAM for Dummies is sponsored by Thycotic, an IBM partner whose technology powers IBM Security Secret Server.



About SecurIT

Founded in 1999, SecurIT has over 18 years of extensive experience in designing, implementing and maintaining large Identity Management/Governance infrastructures. With more than 30 specialists permanently employed in the Netherlands, SecurIT offers its customers high-quality consultancy, implementation, management and support services (24*7).


Ignore partner security at your cost: the importance of supply chain security and risk awareness

There was a ton of research into supply chain security issues this last year, likely due to the number of major attacks that originated with a supply chain member. Supply chain cyber-attacks come in all shapes and sizes. One of the most prolific and successful was committed in 2014 by a cyber-espionage group code-named ‘Dragonfly’. This supply-chain-initiated security breach focused on attacking smaller supply chain members to get at larger pharmaceutical/energy suppliers in Europe and North America. Dragonfly infected industrial control systems (ICS) with Trojans; they replaced legitimate code with their malicious code. The infected ICS software was then downloaded from the supply chain supplier’s site, infecting their enterprise customers. The software was downloaded around 250 times before being discovered! The costs are still rolling in, but estimates show the financial damage for gas and oil alone will be around $1.8 billion by 2018.

But it’s not just organized gangs of cybercriminals you need to be wary of. Insider threats are also a big issue for supply chain risk and security management. Small firms can’t afford large IT departments to investigate threats that are hard to uncover. PWC in their report on ‘2014 U.S. State of Cybercrime’ found that only 20% of smaller firms actually had any security function to check for insider threats. The rest just didn’t have the staff to handle the situation. We can see that the planets are aligned and supply chain members offer a perfect package for anyone attempting to steal data, intellectual property or financial details, or even to cause material damage to industrial processes. As PWC put it in the aforementioned report:

“Indeed, criminals have found that third-party partners may provide relatively easy access to confidential data. It’s an indirect path to criminal profit that is increasingly successful because most organizations make no effort to assess the cybersecurity practices of their partners and supply chains.”

PWC

It is in light of this that we need to reconsider how we process bids from potential supply chain members.

The Importance of Supply chain Security Due Diligence

With all of this evidence pointing to the security breach potential within the supply chain, why then do we have so much of an issue working out the supply chain risk when we are evaluating bids? One of the reasons is that evaluating bids takes time, and adding any extra variable into the mix would increase this time, not only for the bid process but potentially for the time to market too. IT projects are already under intense pressure. According to estimates by The Standish Group in the ‘Chaos Report’, only around 16% of projects ever come in on time and on budget. Any additional consideration, and security is a big one, will add even more risk to a project.

However, the current cybersecurity chaos has meant that security of supply chain members has become a vital part of the procurement process. A KPMG study in 2015 across multiple sectors found that procurement managers are starting to listen, with 70% of them stating that they now look seriously at how a smaller organization can handle their clients’ data. 94% of the procurement managers said that cybersecurity was now an ‘important consideration’ in the procurement process.

However, one of the renowned bugbears of anyone handling a bid process is the involvement of outside parties like security audit. Security is an area that is notoriously complicated to assess and takes time. Security departments and procurement are often thought of as being on opposing sides, with security seen as being a hurdle to cross, rather than an important voice in the bid process. The KPMG study demonstrates that this is changing, but the timing issue remains a challenge. The trick is how to square the circle, keeping the bid process moving while completing security due diligence. A balance needs to be struck, and simply not performing security assessments is a false economy that can result in stalled projects and issues such as:

A project that starts but has unknown security problems as no audit has been performed – the new supplier then poses potential security risks to the organization.

The bid process is completed without the security check, the work begins, but then security realizes that checks must be done before the project can begin and so the process goes back to square one, creating all round confusion, time loss and financial impacts.

Security and Procurement Working in Harmony

It is worth considering having some sort of metric to evaluate the security practice and risk profile of a vendor, along with the other standard criteria, such as price and quality. Procurement after all is just a collation of considered risks – security needs to become an embedded consideration.

Placing security into the due diligence mix, in light of the serious nature of the burgeoning supply chain security risks, is plain common sense. Not doing security due diligence could add considerable risk to your organization that could end up costing a hefty amount if your supply chain is breached and your data and processes compromised.


The importance of vetting your vendors: Vendor risk management


In 2013 U.S. department store, Target, suffered a major breach. The breach resulted in 70 million customer records being stolen. These records included personally-identifying information (PII) as well as 40 million credit and debit card details. The impact of the breach was far-reaching and is still rumbling on. The latest problem to rear its head is a class action against Target from financial institutions which may result in pay-outs of around $67 million.

The Target breach was caused by a supplier in their supply chain; this supplier, an HVAC company, was spear phished. That is, specific employees in the supplier organization were targeted with a phishing email that tricked them into entering login credentials into a spoof site, which then sent them on to a hacker. These credentials turned out to be network credentials for Target’s own IT network. Before Target even had a whiff of a security issue, they’d lost the data and the rest is history.

The story above is a modern-day horror story, but one that brings into sharp relief the need to know your supplier and their operational practices. Vendor Risk Management, or VRM, is an increasingly important area of business risk mitigation. A modern company will often use multiple vendors to supply everything from machine parts to software applications. These vendors often have a very close relationship with an organization, even, like in the case of the Target suppliers, having privileged access to a privileged network. Vendors can be seen as an extension of your own company and as such, need to have the same stringent checks as you would place on your own employees and company dealings. Having a formalized strategy to deal with VRM is an important activity that helps reduce the risks that are associated with working with third parties.

Types of Risks in Vendor Relationships

The types of risks that an organization needs to be aware of when building a vendor relationship are:

1.     Data transfers: In nearly all vendor relationships you will have to share some sort of data. This may be data about joint customers, financial details, or even your own proprietary intellectual property. Data exchange and storage needs to be monitored and must adhere to the relevant compliance requirements of the industry, as well as any data protection and privacy laws that exist in your own and the vendor’s country.

2.     Network access: If you need to give your vendor access to your IT resources, such as access to databases, you should look at the security options for protecting this access, not just from phished credentials, but from insider threats too. In the case of credential theft, second-factor authentication measures such as key fobs, mobile-based, or other out-of-band methods can offer additional security. Insider threats are harder to prevent, but behavioral monitoring and employee vetting can help.

3.     Access to premises: As with network access risk, access to premises comes with its own challenges. Hacking sensitive data has become easier. For example, there is a USB key called Rubber Ducky, costing less than $43, which allows anyone with access to company computers to extract sensitive data, including login credentials, in seconds. Ensuring that vendor access is closely monitored and that computer and network access is managed is part of your overall security strategy.

Vendor Risk Management Strategy

There are a number of areas that you should look at when creating a strategy around VRM, from financial, to reputational, to operational. They should also include:

1.     Know Your Supplier (KYS): Make sure you have your supplier details such as primary contacts, tax information, business addresses and so on. This information forms the basis of your working relationship with the supplier and lets you build up supplier profiles and retain records on each. You can use software systems such as ERP and e-procurement to track supplier performance and ensure you always have up-to-date information on your working relationship. You can extend your data collection on suppliers to keep news articles and general business information on them; information that could alert you to security breaches, or similar issues, that you can use to ensure your own data security. Analysts Aberdeen Group found that companies who closely collate, store and track supplier data had better project outcomes and showed greater cost savings. McKinsey and Company have looked in depth at how best to manage large vendor eco-systems. They suggest the use of workflow to audit vendors and create programs of accountability.

2.     Security and compliance considerations: PricewaterhouseCoopers, in their report on ‘Third Party Risk Management’, found that there has been an increase in security incidents that originated from a third-party vendor. They attributed this to the fact that although 71% of the surveyed companies had effective internal security measures, only 32% of those required the same levels of security from their partner companies.

Security is something that has a domino effect across associated organizations. If one company becomes infected by malware, there is a higher chance an associated company will also suffer the infection. The Bring Your Own Device (BYOD) revolution has ensured the seamless proliferation of malware. If a vendor regularly uses their own device within your network and that device is infected, then your data is also at risk.

In addition, there are a number of regulatory drivers that push for greater security awareness across the supply chain. This is particularly true for companies that share data. Most countries have data protection laws and many, like the EU have stringent privacy laws. A number of countries and industry-specific compliance standards and laws need to be considered across all touchpoints of the company-vendor interface.

Vendor employee security vetting may also be a consideration under certain circumstances and dependent on the level of access required within a project. If a project requires access to sensitive company data, such as intellectual property, or even source code, the vendor employees should come under the same level of security vetting as your own internal employees. This may mean requiring individual non-disclosures and security checks.

Creating an Efficient and Effective Vendor Eco-System

The risk factors around our vendor eco-system are not something that we can just ignore. This is especially true for any areas that involve security and compliance. Our vendors are in many ways like an extension to our own business and as Cloud working and BYOD enter our enterprise arena, this is even more so. Improving control of your vendor management will ensure that your data and systems retain the same levels of security policies as you expect from your own internal strategy. This will allow you to adhere to the various compliance expectations and data security requirements. It will also mean that you mitigate the risk around security breaches, something that is becoming an urgent need for businesses of all sizes as the cyber threat landscape becomes ever more threatening.


Compliance: It’s necessary but it doesn’t mean you are secure

Any organization that functions under the guidelines and requirements of an industry that requires ‘compliance’ is aware of the challenges that must be met and the ‘hoops’ that must be jumped through for accommodation. Beyond just the intense proof that your system and data are being stored in the required secure method, there are often intense processes that must be met for continual auditing. But even with all of these protocols in place and the vast number of experienced professionals required to reinforce the process, circumstances still exist that can wreak havoc and demonstrate that you are not as secure as you might think.

For example: Whenever there is human intervention, there is a possibility for error. In the world of compliance, whether FERC, NERC, HIPAA or other government regulated scenarios, people are usually the main reason for lowered system security. You might ask how such well-planned and executed systems could possibly allow something as simple as human intervention to cause such problems. The answer goes beyond just the lack of keeping security software updated and enters into the realm of negligence.

A BakerHostetler Privacy and Data Protection Team study was released on the number of data security incidents in 2014. The report showed that 36% of the situations were a direct result of negligence by employees, and identifying the situations took an average of 134 days from the occurrence. These situations resulted in the leak of proprietary information regarding patient medical data and led to a variety of scenarios, from notification to litigation.

While cloud storage remains the most secure method of storing information, much of this data is shared with API situations and not all ‘partner vendors’ may be secure. From email malware to human error input by selecting the wrong ‘field’ to upload, the methods of exposing both the security of a system as well as the data itself crosses a broad spectrum of opportunities.

The complicated world of compliance requires a focus on trying to ensure that the data and information itself is maintained in a strict environment, but often forgoes the small ways that a breach can actually occur. Gaps in areas such as employee training to avoid methods of intrusion, and in recognizing and acting on a system breach when it occurs, can not only allow a break in security but also create a situation where lack of discovery makes matters worse.

Remote access to information, even on those systems that have focused on their security, has opened the doors to potential security hazards. It’s not enough to simply have a high-level password and encryption; the technology devices themselves must also be validated. Cybercriminals are aware of these tactics and take every advantage with sophisticated viruses and programs designed to infiltrate.

Strict compliance standards have typically not included the focus on potential breaches due to human error. They have been established to concentrate on the methodology of storage and transmission, but not in the small ways that people can affect those processes. All organizations that are involved in a line of business that has serious compliance requirements must add this element into their security practices.


The times they are changing: ‘How cybercrime is hitting the smaller company’

You can’t help but notice all the recent news events on hacked identities and financial information stolen by cybercriminals: news about some major company being breached and millions of customer credit card details stolen. These breaches seem to be more regular and it’s true, they are. The latest research by PricewaterhouseCoopers (PWC) in their Global State of Information Security Survey shows that there were 42.8 million cybersecurity incidents in 2014, an increase of 48% from the previous year.

As a smaller business, it’s easy to brush cyber threats off as being a problem for the ‘big boys’. That was certainly the case 10 years ago, but not now. Now cybercriminals are turning their beady eyes on you – the small business.

Analysis of the situation has borne this out. A number of analysts and companies have quantified the threat to smaller organizations from cybercrime. A report by Verizon found that almost 62% of breaches were against SMBs. And according to IBM and the Ponemon Institute, smaller companies feel the pain of a breach more too, with a higher per capita cost than an enterprise.

It seems that cybercriminals want to expand their portfolio and they are doing it at the cost of the smaller organization. In the security report by PWC mentioned above they describe the situation like this:

“Small firms often consider themselves too insignificant to attract threat actors—a dangerous misperception.”

Why are Smaller Companies a Target?

There are three main reasons why cybercriminals are targeting the SMB:

1.     You seem like easy prey. Smaller organizations don’t have the time, money or internal knowledge base to cope with cyber threats

2.     You are often part of a bigger chain. Cybercriminals are targeting smaller organizations as a way of getting at the ‘big boys’ through the supply chain

3.     It is becoming easier to hack. Malware can be bought, sometimes for a few dollars from the dark web. Legitimate devices used by penetration testers can be bought for less than $100 and can be used to intercept internet traffic and steal login credentials.

Types of SMB Focused Cyber Threats

Let’s look at some of the ways that smaller companies are being targeted.

Phishing emails: Phishing and its partner in crime, spear phishing, is the weapon of choice for infecting a small company with malware. Phishing emails are emails that look like they’ve come in from a legitimate company like PayPal or Amazon and they ask you to click on a link. The link takes you to a site that looks just like the real one. There, you are asked to log in. If you do, the phisher takes your login credentials and hey presto can now access your real account.

Phishing is quite widely understood, but its counterpart, spear phishing is more sinister and is on the rise as a means of attack against the smaller business. It originally was the preserve of large enterprises such as Microsoft who suffered at the hands of spear phishers. But a 2015 report by Symantec on the levels of spear-phishing experienced by different size companies has shown that firms with 1-250 employees suffer spear-phishing attacks almost as much as those with 2500+ employees, seeing 31.5% and 37.6% of spear-phishing attacks respectively.

A spear-phishing email is targeted. The attackers find a company, pick a high-level employee, typically a business owner, director, or IT administrator, and send out a phishing email to that person. The email will be highly personalized; it will use their name and often masquerade as an internal email, perhaps from a superior, asking the user to log in to the network. The type of person they target will invariably have privileged access to their company resources. Again, the link in the email will be to a spoof site. Once login credentials are entered, the cybercriminal has your login details and can access whatever business resources you can.

Spear phishing emails have been behind some of the largest cyber-breaches in recent years. In many cases the email is sent to a supply chain member – a small vendor who services a much larger company. Often supply chain members are given privileged access to network resources. This was the case in the Target breach, which saw the loss of 70 million personal records. In this breach, a spear phishing email was sent to an HVAC company in the supply chain. Once phished, the login credentials were used to hack Target – I doubt that Target employ that company now.

Business email compromise: Hackers are going after small business bank accounts big time. The FBI began tracking these types of attacks in 2013 and has seen losses of $740 million in the U.S. alone. This type of scam uses social engineering, or computer intrusion techniques, to gain access to the email accounts of senior executives or to spoof their emails. There are several variants of this attack but all involve some sort of reconnaissance on their targets, which can be small or large companies across all sectors. Sometimes the email accounts of executives are hacked, sometimes it is a phishing email, but the result is a wire transfer to a ‘trusted supplier’ or ‘law firm’ that goes into a hacker’s account.

Ransomware: one of the most scary and nasty pieces of malware is the infamous ransomware. A variant of this is Cryptowall. Ransomware is a type of malware. If you become infected it will encrypt data on your local machine, network drives and even cloud storage. Once encrypted it then opens a screen on your computer which says if you pay up (usually $500-$1000, but sometimes as much as $10,000) in 7 days, your data will be decrypted. Of course we’re dealing with cybercriminals here so there’s no guarantee decryption will happen. The FBI has said that Cryptowall is the largest ransomware threat to small business. In the 2nd quarter of 2015 Cryptowall extorted $18 million from U.S. businesses.

Data losses: IBM X-Force in conjunction with Ponemon Institute has shown that 2014 was the year of the leaked record. 2014 saw more than 1 billion pieces of Personally Identifiable Information (PII) stolen, up 25% on 2013, which in itself was a record year. Cyber thieves are after data. If you hold customer records, have intellectual property or proprietary information, cybercriminals are after it. There are a number of ways that data can be stolen – phishing emails that grab login credentials, malware that sits and slowly steals data, and insiders simply stealing information they have access to.

What Can a Small Business Do To Thwart Cybercrime?

There are some basic actions you can take to help mitigate the threats of cybercrime against you, your business and your customer.

1.     Keep software patched. Malware is usually successfully installed because it finds a hole in your software. Make sure you have the latest versions of software such as operating systems, browsers and Adobe Flash installed. Also check with your web hosting company that web servers and third-party plug-ins are secure and patched.

2.     Have robust sign-in credentials. If you only have the choice of a username/password, then make sure they are both strong and not easily guessed. If you have the choice of using a second factor, such as a text message PIN, do so; this is especially important for server and website administration access.

3.     Backup critical data. Make sure you have redundancy in your backups too.

4.     Train your employees. About phishing and especially spear phishing; be guarded.

5.     Think about security. Put a strategy in place to handle security threats, incidents and breaches.

6.     Cyber insurance. Look into putting some sort of insurance plan in place.

Small businesses are as much of a target as a large enterprise, but often don’t have the resources to manage cyber threat levels. Being aware of the methods that cybercriminals use to target your company and knowing what you can do to lower those risks, may start to waken the world of cybercrime up and show them that small doesn’t mean an easy target.


Every size business needs to be alert to cybersecurity

Almost every week we hear about another large corporation that has suffered a cyberattack. These are the companies that have invested large sums of money in security and IT staff and a lot of time and effort in trying to keep themselves protected. The main question that always occurs is: “If it can happen to them, what about the small or medium business that doesn’t have their budget?” Cybercriminals are becoming increasingly aware of the fact that proprietary information may be easier to access in the small to medium-sized business arena. If this fits your company profile, it’s time that you sit up, pay attention and take action.

From malware to viruses, criminals are becoming much more sophisticated in the methods for their madness. While the government is on a continual hunt in the ‘dark net’ to find and prosecute those involved in cybercrime, the culprits are working around the globe and locating them takes time. Their ability to remain anonymous and elusive while targeting companies to access critical data has been the mainstay of the cybercrime world. Any business that does not have a security strategy in place, combined with staff education on recognizing a breach and taking emergency action, is literally a ‘sitting duck’ for an attack.

The Symantec 2015 ISTR20 Internet Security Threat Report stated, “Almost no company, whether large or small, is immune. Five out of every six large companies (2,500+ employees) were targeted with spear-phishing attacks in 2014, a 40 percent increase over the previous year. Small- and medium-sized businesses also saw an uptick, with attacks increasing 26 percent and 30 percent, respectively.”

There is also an evolution in cybercrime. The number of email attacks seems to be reducing, but an unprotected or barely protected company system is fair game for these criminals. Their more sophisticated probes to test security levels are also combined with multiple attacks on the mobile and website fronts. Any access point that they can locate is an entrance for a virus, malware or a full-on system takeover.

In the same Symantec report, they included: Attackers Are Streamlining and Upgrading Their Techniques, While Companies Struggle to Fight Old Tactics

In 2014, attackers continued to breach networks with highly targeted spear-phishing attacks, which increased eight percent overall. They notably used less effort than the previous year, deploying 14 percent less email towards 20 percent fewer targets. Attackers also perfected watering hole attacks, making each attack more selective by infecting legitimate websites, monitoring site visitors and targeting only the companies they wanted to attack.

Further complicating companies’ ability to defend themselves was the appearance of “Trojanized” software updates. Attackers identified common software programs used by target organizations, hid their malware inside software updates for those programs, and then waited patiently for their targets to download and install that software—in effect, leading companies to infect themselves. Last year, 60 percent of all targeted attacks struck small- and medium-sized organizations. These organizations often have fewer resources to invest in security, and many are still not adopting basic best practices like blocking executable files and screensaver email attachments. This puts not only the businesses but also their business partners, at higher risk.

The picture that is painted isn’t all doom and gloom. There are strategies that can be put in place to assist in protecting your proprietary company information as well as that of your customers. Many small to medium-sized businesses find themselves in the position where they have either not sufficiently prepared for an attack, have allowed software updates to lapse, or lack the trained staff or personnel to take emergency action. In these situations, a cyberattack could occur and not be discovered for many months.

Protection of your business reputation and data is the key element. Coordinating efforts with a professional company that can work with your company on an overall strategy is the best method to combat a breach. Educating staff as well as having a set of emergency actions in place can help to maintain your system integrity.


Breaches happen and they could come from your friends…

You take pride in your company and have spent years building up your products, services, and reputation. However, one of the weak spots that occur in many small to medium businesses is the “it won’t happen to us” syndrome. When it comes to security breaches and cyberattacks, many smaller companies assume that the criminals are looking for the ‘big fish’ and that they won’t come after you. This assumption is incorrect, as the attacks on smaller businesses are on the increase and these wily and crafty people look to any access method, including, unknowingly, through your own partner vendors.

A 2014 SANS whitepaper, sponsored by the security company Symantec, pointed out the importance of Know What You Have:

“Being prepared to detect and respond to attacks and attempted attacks starts with knowing your environment, no matter how complex, as described in the first two Critical Security Controls. Getting full visibility into your environment is not as easy as it sounds. Automated tools such as Nmap provide some visibility into devices, systems and users on the network, but they may fail to recognize other entry points such as: Wi-Fi networks, virtual server instances, rogue web applications with access to the data center, printers or other devices with network access.”

While this may sound a bit like paranoia, in today’s business world, the top security companies advise you and your company to be paranoid, suspect everything and be diligent in having the right security in place. One of the critical elements that small and medium-sized organizations take for granted is the trust that they place in their partner vendors. Even when both of your IT staff members have talked things out and may be convinced that you are both safe in sharing or transmitting data, there is always a possibility for error.

A typical data exchange through an API may seem like it is safe enough. After all, there is a level of encryption in place and the proprietary or even customer data should be secure. However, if a cyber hacker has inserted malware and your partner is infected, the malware can be hidden and then transmitted to your company and potentially into your server. The ‘infection’ can happen so quickly and with very few symptoms that even trained IT professionals don’t discover the damage for long periods of time.

The more recent types of attacks in the last few years have been ‘ransomware’ that appears as though it is arriving from a valid email address and could be emulating one of your business partners. Once opened, there is an attachment that immediately takes over the computer, seeks out access to the network and encrypts all of the important files. The user then sees a display on their screen that alerts them to the fact that they cannot have access or the decryption ‘key’ until a specified amount of money is paid (usually Bitcoin, but some are now choosing PayPal cards).

Small to medium companies don’t have the budget to devote to the high-end requirements of top IT staff or to the type of monitoring and protection that is crucial in protecting your information as well as your reputation. But in this changing world of cybercrime, the answer is in aligning yourself with a professional company that can come in, work with your existing staff, accomplish a system analysis, make recommendations to assist in the protection that you need and educate everyone on what to look out for. This is a company that stays on top of the constantly evolving requirements that are needed to keep your business safe. Choosing a professional security organization will allow you to focus on your success without the need for hiring additional IT employees.


SecurIT receives highest partner level in CyberArk’s new Partner Program

CyberArk has introduced a new Partner Program focused on a competency-based model that enables increased opportunities to grow. The new program comprises three tiers (Advanced, Certified, and Authorized), and SecurIT is proud to receive the highest partner level, “Advanced”. SecurIT is one of the few companies in The Netherlands with “Advanced” status.

The demand for Privileged Access Security and Privileged Account Management solutions is driving the need for a more knowledgeable and skilled partner community to help CyberArk address customers’ most critical security business challenges. To address this demand, they have shifted their program to a competency-based model so that both CyberArk and their partners are in a better position to ensure customer success through increased certification and training.

Moreover, the CyberArk Partner Network recognizes partners that have invested time and resources in developing significant expertise in CyberArk security products and solutions by providing preferred benefits and increased revenue opportunities for those advanced partners.

Certifications for Partners

Partner tiers within the CyberArk Partner Network (Authorized, Certified, and Advanced) are determined by the number of certifications obtained by an organization. CyberArk maintains dedicated learning paths for sales, pre-sales, and delivery engineers to align with the competency requirements of the CyberArk Partner Network.

CyberArk certification enables SecurIT to:
– Build our knowledge and skillset with the industry’s leading privileged account security solution
– Validate our proficiency to secure against harmful and costly cyber-attacks
– Demonstrate our security expertise and position ourselves as a valuable asset to today’s security-challenged organizations
– Establish our team as professionals on the leading edge of one of today’s greatest business challenges – securing and protecting high-value information assets, infrastructure, and applications
– Affirm our ability to implement innovative cyber threat solutions to global organizations deploying CyberArk Privileged Access Security technology

The CyberArk Partner Network allows for global consistency, program scalability, and continued partner profitability with increased focus and emphasis on competency-based requirements and associated benefits. In return, partners gain access to an escalating array of resources and support to build their business with CyberArk:
• Technical and Sales Training
• Business Development Tools
• Technical Support
• Sales and Marketing Resources

