How Climate Change Impacts IT

Whether we like it or not, our planet is facing some detrimental damage. Ntirety CEO Emil Sayegh reminds us that IT is not immune to climate change in our latest blog. 

 How Climate Change Impacts IT 

 While our heads (and data) might be in the cloud, ultimately our IT and technology infrastructure lives right here on a planet that is facing an existential crisis. Global climate change is happening, though its causes continue to be a societal debate. While we know that global climate has changed since before recorded human history, many pinpoint the source of our current pattern changes to man-made reasons, with a steady focus on greenhouse gases, carbon emissions, and energy consumption. In any case, the planet is experiencing greater weather swings and events than recent memory can extend — floods, severe heat, blizzards, hurricanes, intense rain, and droughts appear to occur more often. 

These climate events do not only have an impact on lives. Significant events can affect the continuity and survival of industries and businesses, especially when they affect information technology systems. Climate change has a tangible and increasingly critical effect on IT — it is a business continuity issue, it is a cost issue, and it is also a core strategy issue. It is high time that we consider the impact of climate change on IT. 

Elon Agrees 

Tech legend Elon Musk halted purchases of Tesla vehicles with Bitcoin last year due to the “rapidly increasing use of fossil fuels for Bitcoin mining,” which experts estimate uses more energy than entire countries such as Sweden and Malaysia. Musk is not the only one to sound the alarm on the environmental impact of Bitcoin — Treasury Secretary Janet Yellen has also warned that it uses a “staggering” amount of power. Regardless of whether Bitcoin and other cryptocurrencies are a polluters or not, the negative connotations around the impact of its enormous energy consumption on the environment has affected its valuation, and even maybe its future trajectory. 

Threats are Significant and Real 

Historical weather events such as hurricanes Sandy and Katrina continue to echo years after their arrival. However, these unstoppable and formerly outlier events occur every year with greater frequency, causing hundreds of billions in damages and massive outages. Their aftermath must always be dealt with. In February of 2021, Texas endured a weeklong flash winter storm completely out of the weather norm. Known as the Great Texas Snow Storm, “Snovid,” or the “Snowmageddon,” the economic impact of that event was a staggering $200 billion. 

Disaster preparation and recovery are just a couple of reasons why organizations must focus on continual backups, replication to offsite locations, and the drive to create zero-downtime resilience through disaster recovery plans, power backups, and nimble cloud architectures. We do this because the threats are real and becoming more frequent. With enough planning, the right partners, tools and capabilities, you can get through these incidents with a minimal interruption to the business. 

Inside a Crisis 

Rather than drive inside all the reasons why you should prepare for a crisis and how, it would be better to set the tone of what happens behind the scenes When a crisis hits, it can appear to be a frantic scene. When a severe weather event hits and creates an IT disruption, efficient operations and a return to normal operations are more critical than ever for all impacted. 

The early moments are the most critical, but recovery events include: 

  • Emergency Notifications
  • Assessment
  • Monitoring of Disaster Recovery Operations
  • Triage\Troubleshooting
  • Analysis
  • Reassessment
  • Status updates

In a pressure-filled scenario, the impact of any potential missteps is amplified, adding time to the recovery efforts. Your IT disaster recovery plan must be clear, it must be relevant, and your team must be ready to execute its well-rehearsed disaster recovery plan. This is where all the documentation, preparation, planning, and partnerships meet the road. 

Hackers Ready to Pounce 

Here’s the bad news. When a weather disaster strikes an organization or locality, it is public information. You can expect that opportunistic scammers are somewhere close behind, just like vultures. That’s where you will see the relief scams, phony fundraisers, and other schemes that follow weather events. You will also see social hack attempts and phishing attempts come through when there are known disruptions in the air. 

Unexpected disruptions and recovery efforts can open security vulnerabilities. For example, in the event where a backup or tertiary site comes online, there is an opening to take advantage of the possibility that the backup systems are exposed in any way—patches, permissions, vulnerabilities, default passwords, configuration, etc. Just as in all cybersecurity, it comes down to the weakest link in the chain. If one entry point behind the virtual security wall can be exploited during a weather-related recovery, that is all an outsider needs to find. 

Tech as Climate Readiness 

The challenge of business continuity is a core business mission, but with an increase in climate change related events around us, this challenge is more critical than ever before. Preparations, planning, and the right partnerships matter. Capabilities matter. Depending on the business in question and the locality of its IT systems, the impact that climate bears upon business continuity will vary. Almost every organization should prepare to leverage principles including offsite strategies, resiliency, security considerations, geographic strategy, and cloud technology in order to step up to this modern-day challenge. 

With one part process, another part readiness, and another part technology-focused, organizations that embrace cloud infrastructure have greater capabilities to roll through crisis scenarios because they have improved resiliency, speed, and the very nature of security is aligned with the fluid nature of cloud. We cannot know in advance the timing and arrival of every calamitous weather event, but we can prepare with better process, enabled by better tools to adapt through multiple situations. 

 Check out this piece, originally published in Forbes, here and follow me on LinkedIn. 

Cyberthreats Are Turning Assets Into Liabilities

For a business, assets are anything that can be marketed and sold, while liabilities are debts that must be paid. The sooner organizations understand the potential of company assets turning into liabilities, proactive action can be taken to protect the business. Board members, owners, CEOs, investors, and CFOs need to heed this call to action. Ntirety CEO Emil Sayegh discusses the importance of recognizing these dangers in this piece, originally published in Forbes, Cyberthreats Are Turning Assets Into Liabilities. 

Cyberthreats Are Turning Assets Into Liabilities

 In the world of business technologies, the prevailing pace of evolution is directly aligned with increased technology investments, yet security incident headlines reinforce how for a good chunk of that history, security was nearly an afterthought. Protecting the organization’s information assets was seen as something for IT to do while it focused on ensuring applications and storage were up and available. Well, cybercriminals apparently didn’t get the memo about whose job it was to protect data; they kept busy looking for ways into the network, stealing data, and holding hostage everything from (very) private pictures to financial records. Earlier this year, conference software provider Zoom found themselves in a position of misplaced trust and paid a hefty price to the tune of $85 million, following their repeated crashes in 2020. 

IT Assets and Liabilities 

Every organization has information technology assets on one side of the ledger and liabilities on the other side. In the simplest context, IT assets are properties of an organization that includes software and hardware. Users outside and inside the organization get value out of these assets and rely on their integrity and availability. The right technology, when used properly, is an enabler of business growth and profitability. Gaps in diligence and cybersecurity planning, however, can make these assets leap from one side of the ledger to the other into liabilities. The offenses can include gaps in training, ongoing support, upgrade planning, cybersecurity programs, user training, and more.  Liabilities are the weak points throughout the chain that affect the value of the asset to the business. 

Zoom Out 

Over the course of the global pandemic, Zoom became a household name – exploding in use by schools, students, businesses, and more. Due to lockdown restrictions, this tool filled a significant need, making things such as classrooms, weddings, memorial services, court proceedings, and fitness classes a new virtual possibility.  

The enormous spike in users increased attention on the program’s security and privacy flaws. Eventually, a class action lawsuit came along, alleging that Zoom violated users’ privacy rights. Zoom agreed to pay $85 million to settle the case. The allegations included sharing personal data with Facebook, Google, and LinkedIn, while allowing “Zoom-bombing,” the practice of hackers disrupting meetings with inappropriate language, pornography, and other disturbing content. 

Crossing the Line into Liability 

Executives are now on notice that they need to treat cybersecurity as a business risk. They need to know more than just how susceptible their organization is to attack. They also need to understand what is at risk, including its assets, and they must recognize when they become liabilities. That’s not always straightforward since companies often use the same technology for both corporate and personal tasks. A recent survey by research firm Gartner found that 29% of employees in organizations with end-user devices allowed workers to connect their own personally owned devices (including laptops, tablets and smartphones) to the network – with less than half of them restricting access solely to business or work purposes.  

A comprehensive approach to cybersecurity should include monitoring software updates across the entire business, not just for IT systems but every aspect of the commercial software supply chain, from development through deployment onto production networks.  

Protecting software assets and products of an organization requires a comprehensive security approach. This includes building a plan upon the components of a proactive security foundation and practices which start with four steps that can create a more secure cyber infrastructure:  

  • Identify threats through an audit
  • Secure your application environments through a ground up security solution including Secure DevOps and Zero Trust
  • Set up a recovery mechanism in case of a hack
  • Build an assurance program that enables future compliance and resilience

Zoom In 

Clients of Zoom and other similar software services must recognize the inherent risk contained in the practices of the service they choose to implement. Organizations can satisfy regulatory requirements for preventing or minimizing data breaches while also mitigating their vulnerability footprint through proper implementation of security measures for software.   

In addition, security teams have to start working with business units across the enterprise on how they manage vendor relationships. In order for InfoSec experts to do their job properly, they need to scrutinize all third-party components that are introduced into systems – whether that’s commercial off-the-shelf software or any type of service that gets connected. 

 

Check out this piece, originally published in Forbes, here and follow me on LinkedIn. 

Capco Gains IT Visibility and Accurate Security Monitoring with Ntirety

Global technology and management consultancy Capco specializes in driving digital transformation in the financial services industry worldwide. With a growing client portfolio comprising of over 100 global organizations, Capco needed to optimize and better secure their IT environment.  

The consultancy’s legacy IT systems were causing their team and outside security provider to chase false positives in monitoring applications and environments. The system in place did not give Capco visibility to see what their legacy security provider could see and vice versa. 

Ntirety’s solution implemented collaboration, clear communication and visibility of changes that are made. The Ntirety solution gave Capco the ability to create and customize specific security rule sets to limit accessibility to applications and ensure the intended users are the ones using them. 

Read more about how the Ntirety solution secured Capco’s IT infrastructure in the full case study here. 

 

 

What is Cybersecurity?

This question stumps the average person. How does one have a secure cyber-environment? What is going on in computers and IT systems that keep away the hackers?

Cybersecurity according to Merriam Webster is “measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.” These measures are administered by people, processes, and technology. The people part of cybersecurity are typically an organization’s Information Technology (IT) team who create the processes necessary to provide instruction for identifying and protecting against potential threats.

Ntirety Director of Cyber Security Operations Christopher Houseknecht considers himself a “computer geek” and has been interested in the operation and evolution of the cyber world for the last 25 years growing up with it and today working for our cybersecurity company, Ntirety.

“Everything from what kind of business I conduct on my phone, private, or business related, as well as the kind of things my children do, [cybersecurity] impacts me throughout every aspect of my life,” Houseknecht says.

Houseknecht as well as Chief Technology Officer (CTO) and SVP Development and Engineering Joshua Henderson both described cybersecurity as being in “layers.” Houseknecht says these layers are made up of components such as encryption, antivirus, endpoint detection response capabilities, and separation from the network or internet. Cybersecurity is not one singular layer of protection; there are numerous layers needed to fully protect precious data.

It is always important to have a backup plan. If the first line of defense falls through, your backup plan saves you from scrambling to assess how to handle a situation before it is too late. Similarly, cybersecurity must exist in “layers” so if the bad guys somehow find their way through the first layer, precious data is not lost and stolen.

Product Manager Dave Considine also emphasizes the importance of layered security. Considine describes this as giving someone access to a resource, but limiting what they can do within it. He explains that not everyone in a company should be able to access every resource.

Henderson describes cybersecurity as making sure data is safe and available, up and running for the people who need to and are meant to access it. It is the effort from the people, technology, and processes to keep the cybercriminals out. Houseknecht explains further that technology can only do so much; it is important to have a team of people and processes in place to guide the technology to do what it needs to do.

“[Hackers] don’t care whether you’re just an average Joe using computers to play video games or if you’re running a cybersecurity company.”

CEO Emil Sayegh emphasizes how important it is for businesses to have a comprehensive security plan and a partner operating 24/7 to protect themselves and their clients. He explains that one aspect of cyber protection will not defend against all possible cyber attacks. Phishing, malware, DDoS attacks and more require different solutions.

Handling cybersecurity internally as a business may seem like the easier and cheaper option, but there are so many products that must be invested in and many people constantly monitoring and operating the technology. In the long run, off-the-shelf security products can cost more as they keep piling on as the threats become more complicated and hackers become more sophisticated, not to mention the cost of hiring or training employees to tackle these evolving risks.

“That’s where someone like Ntirety has a really beneficial solution to most customers and companies out there,” Henderson says. “The average company is not going to really want to operate or find the staffing to do it the right way.”

While it is important to bring on a team of qualified individuals to help maintain the safety of normal IT-related business operations, it is crucial to abide by cybersecurity best practices every day on your own. Henderson and Houseknecht both mentioned the importance of having good cyber-hygiene. Cyber-hygiene is how someone presents themselves in the cyber-world. This includes practices such as not sharing passwords, not clicking suspicious links, using two-factor authentication, or not plugging in a USB that you are unsure of where it was from.

Houseknecht also expressed the importance of having resiliency in cyber-matters.

“Never assume it won’t happen to you,” Houseknecht warns. “[Hackers] don’t care whether you’re just an average Joe using computers to play video games or if you’re running a cybersecurity company.”

The recent cyberattack on IT software and management company SolarWinds, is an unfortunate example of a cybersecurity business that was hacked and faced disastrous consequences. The company works with businesses and government agencies, but it’s not just larger companies that need to worry.

So much of our lives exist online now — medical records, academic information, financial details and more are stored online. In addition to this, social media has become a way of connecting with family, friends, and businesses all around the world. There will always be people who will misuse resources and seek to steal private information for personal gain. But that’s where cybersecurity comes in to provide peace of mind through proactively keeping the bad guys out and keeping important data in.

The cyber-world has moved from a “perimeter” to a “distributed mindset,” according to Considine.

The “perimeter” concept of cybersecurity is an outdated approach, sometimes referred to as the “castle mentality,” and is defined as the idea that securing the perimeter of an IT environment (i.e. building castle walls and digging a moat) is enough. It is outdated because it ignores activity within the environment that may be malicious, and it is becoming more and more difficult to secure the perimeter of more advanced cloud and hybrid environments.

“Trust your instincts.”

Cloud services, capability, and computing have eliminated the perimeter mindset. People distributed across the world are able to access the services from anywhere thanks to cloud computing. With this greater access to resources, there is an even greater need for cybersecurity.

In addition to the cyber-world’s shift to distributed mindset, remote work became increasingly more common with cloud computing resources increasing, but especially after the start of the Covid-19 pandemic – pushing a huge portion of workforces to work from home and introducing a whole new slew of cyber-risks. More workspaces have adapted fully remote or partially remote work schedules and your security posture needs to adapt as well.

The effects of data theft can impact not only personal data and the terrible personal consequences that follow, but large businesses and landmarks, a recent example being the Colonial Pipeline. The oil pipeline system that stretches from Texas to New York is responsible for carrying gasoline and jet fuel to the southeastern portion of the United States, and it uses computerized equipment to help manage it. The ransomware attack hindered operations so much to the point that the President of the United States declared a state of emergency. The company ended up paying millions in ransom.

With computers making up so much of our daily social and business functions, cybersecurity must be at the forefront of our minds. Cybersecurity starts with you.

Sayegh urges anyone utilizing a computer or IT environment to be alert and aware to potential threats. Many times, cyber criminals express urgency in getting personal details from you, but Sayegh expresses the importance of always double checking sources, and never being too quick to give out information.
“Trust your instincts,” Sayegh said. “Anything that smells fishy [or is] too good to be true, don’t do it.”