Cyberthreats Are Turning Assets Into Liabilities

For a business, assets are anything that can be marketed and sold, while liabilities are debts that must be paid. The sooner organizations understand the potential for company assets to turn into liabilities, the sooner proactive action can be taken to protect the business. Board members, owners, CEOs, investors, and CFOs need to heed this call to action. Ntirety CEO Emil Sayegh discusses the importance of recognizing these dangers in this piece, originally published in Forbes, Cyberthreats Are Turning Assets Into Liabilities.

In the world of business technologies, the prevailing pace of evolution is directly aligned with increased technology investments, yet security incident headlines reinforce how, for a good chunk of that history, security was nearly an afterthought. Protecting the organization’s information assets was seen as something for IT to do while it focused on ensuring applications and storage were up and available. Well, cybercriminals apparently didn’t get the memo about whose job it was to protect data; they kept busy looking for ways into the network, stealing data, and holding hostage everything from (very) private pictures to financial records. Earlier this year, conference software provider Zoom found itself in a position of misplaced trust and paid a hefty price to the tune of $85 million, following their repeated crashes in 2020.

IT Assets and Liabilities 

Every organization has information technology assets on one side of the ledger and liabilities on the other side. In the simplest context, IT assets are properties of an organization that include software and hardware. Users outside and inside the organization get value out of these assets and rely on their integrity and availability. The right technology, when used properly, is an enabler of business growth and profitability. Gaps in diligence and cybersecurity planning, however, can make these assets leap from one side of the ledger to the other and become liabilities. The offenses can include gaps in training, ongoing support, upgrade planning, cybersecurity programs, user training, and more. Liabilities are the weak points throughout the chain that affect the value of the asset to the business.

Zoom Out 

Over the course of the global pandemic, Zoom became a household name – exploding in use by schools, students, businesses, and more. Due to lockdown restrictions, this tool filled a significant need, making things such as classrooms, weddings, memorial services, court proceedings, and fitness classes a new virtual possibility.  

The enormous spike in users increased attention on the program’s security and privacy flaws. Eventually, a class action lawsuit came along, alleging that Zoom violated users’ privacy rights. Zoom agreed to pay $85 million to settle the case. The allegations included sharing personal data with Facebook, Google, and LinkedIn, while allowing “Zoom-bombing,” the practice of hackers disrupting meetings with inappropriate language, pornography, and other disturbing content. 

Crossing the Line into Liability 

Executives are now on notice that they need to treat cybersecurity as a business risk. They need to know more than just how susceptible their organization is to attack. They also need to understand what is at risk, including the organization’s assets, and they must recognize when those assets become liabilities. That’s not always straightforward since companies often use the same technology for both corporate and personal tasks. A recent survey by research firm Gartner found that 29% of employees in organizations with end-user devices allowed workers to connect their own personally owned devices (including laptops, tablets and smartphones) to the network – with less than half of them restricting access solely to business or work purposes.

A comprehensive approach to cybersecurity should include monitoring software updates across the entire business, not just for IT systems but every aspect of the commercial software supply chain, from development through deployment onto production networks.  

Protecting software assets and products of an organization requires a comprehensive security approach. This includes building a plan upon the components of a proactive security foundation and practices which start with four steps that can create a more secure cyber infrastructure:  

  • Identify threats through an audit
  • Secure your application environments through a ground-up security solution including Secure DevOps and Zero Trust
  • Set up a recovery mechanism in case of a hack
  • Build an assurance program that enables future compliance and resilience

Zoom In 

Clients of Zoom and other similar software services must recognize the inherent risk contained in the practices of the service they choose to implement. Organizations can satisfy regulatory requirements for preventing or minimizing data breaches while also mitigating their vulnerability footprint through proper implementation of security measures for software.   

In addition, security teams have to start working with business units across the enterprise on how they manage vendor relationships. In order for InfoSec experts to do their job properly, they need to scrutinize all third-party components that are introduced into systems – whether that’s commercial off-the-shelf software or any type of service that gets connected. 

 


Capco Gains IT Visibility and Accurate Security Monitoring with Ntirety

Global technology and management consultancy Capco specializes in driving digital transformation in the financial services industry worldwide. With a growing client portfolio comprising over 100 global organizations, Capco needed to optimize and better secure their IT environment.

The consultancy’s legacy IT systems were causing their team and outside security provider to chase false positives in monitoring applications and environments. The system in place did not give Capco visibility to see what their legacy security provider could see and vice versa. 

Ntirety’s solution implemented collaboration, clear communication and visibility of changes that are made. The Ntirety solution gave Capco the ability to create and customize specific security rule sets to limit accessibility to applications and ensure the intended users are the ones using them. 


What is Cybersecurity?

This question stumps the average person. How does one have a secure cyber-environment? What is going on in computers and IT systems that keeps away the hackers?

Cybersecurity, according to Merriam-Webster, is “measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.” These measures are administered by people, processes, and technology. The people part of cybersecurity is typically an organization’s Information Technology (IT) team, who create the processes necessary to provide instruction for identifying and protecting against potential threats.

Ntirety Director of Cyber Security Operations Christopher Houseknecht considers himself a “computer geek” and has been interested in the operation and evolution of the cyber world for the last 25 years, growing up with it and today working for our cybersecurity company, Ntirety.

“Everything from what kind of business I conduct on my phone, private, or business related, as well as the kind of things my children do, [cybersecurity] impacts me throughout every aspect of my life,” Houseknecht says.

Houseknecht as well as Chief Technology Officer (CTO) and SVP Development and Engineering Joshua Henderson both described cybersecurity as being in “layers.” Houseknecht says these layers are made up of components such as encryption, antivirus, endpoint detection response capabilities, and separation from the network or internet. Cybersecurity is not one singular layer of protection; there are numerous layers needed to fully protect precious data.

It is always important to have a backup plan. If the first line of defense falls through, your backup plan saves you from scrambling to assess how to handle a situation before it is too late. Similarly, cybersecurity must exist in “layers” so if the bad guys somehow find their way through the first layer, precious data is not lost and stolen.

Product Manager Dave Considine also emphasizes the importance of layered security. Considine describes this as giving someone access to a resource, but limiting what they can do within it. He explains that not everyone in a company should be able to access every resource.

Henderson describes cybersecurity as making sure data is safe and available, up and running for the people who need to and are meant to access it. It is the effort from the people, technology, and processes to keep the cybercriminals out. Houseknecht explains further that technology can only do so much; it is important to have a team of people and processes in place to guide the technology to do what it needs to do.

CEO Emil Sayegh emphasizes how important it is for businesses to have a comprehensive security plan and a partner operating 24/7 to protect themselves and their clients. He explains that one aspect of cyber protection will not defend against all possible cyber attacks. Phishing, malware, DDoS attacks and more require different solutions.

Handling cybersecurity internally as a business may seem like the easier and cheaper option, but it requires investing in many products and having many people constantly monitoring and operating the technology. In the long run, off-the-shelf security products can cost more as they keep piling on while threats become more complicated and hackers become more sophisticated, not to mention the cost of hiring or training employees to tackle these evolving risks.

“That’s where someone like Ntirety has a really beneficial solution to most customers and companies out there,” Henderson says. “The average company is not going to really want to operate or find the staffing to do it the right way.”

While it is important to bring on a team of qualified individuals to help maintain the safety of normal IT-related business operations, it is crucial to abide by cybersecurity best practices every day on your own. Henderson and Houseknecht both mentioned the importance of having good cyber-hygiene. Cyber-hygiene is how someone presents themselves in the cyber-world. This includes practices such as not sharing passwords, not clicking suspicious links, using two-factor authentication, and not plugging in a USB drive when you are unsure where it came from.

Houseknecht also expressed the importance of having resiliency in cyber-matters.

“Never assume it won’t happen to you,” Houseknecht warns. “[Hackers] don’t care whether you’re just an average Joe using computers to play video games or if you’re running a cybersecurity company.”

The recent cyberattack on IT software and management company SolarWinds is an unfortunate example of a cybersecurity business that was hacked and faced disastrous consequences. The company works with businesses and government agencies, but it’s not just larger companies that need to worry.

So much of our lives exist online now — medical records, academic information, financial details and more are stored online. In addition to this, social media has become a way of connecting with family, friends, and businesses all around the world. There will always be people who will misuse resources and seek to steal private information for personal gain. But that’s where cybersecurity comes in to provide peace of mind through proactively keeping the bad guys out and keeping important data in.

The cyber-world has moved from a “perimeter” to a “distributed mindset,” according to Considine.

The “perimeter” concept of cybersecurity is an outdated approach, sometimes referred to as the “castle mentality,” and is defined as the idea that securing the perimeter of an IT environment (i.e. building castle walls and digging a moat) is enough. It is outdated because it ignores activity within the environment that may be malicious, and it is becoming more and more difficult to secure the perimeter of more advanced cloud and hybrid environments.

Cloud services, capability, and computing have eliminated the perimeter mindset. People distributed across the world are able to access the services from anywhere thanks to cloud computing. With this greater access to resources, there is an even greater need for cybersecurity.

In addition to the cyber-world’s shift to a distributed mindset, remote work became increasingly common as cloud computing resources grew, and especially after the start of the Covid-19 pandemic, which pushed a huge portion of workforces to work from home and introduced a whole new slew of cyber-risks. More workplaces have adopted fully remote or partially remote work schedules, and your security posture needs to adapt as well.

The effects of data theft reach beyond personal data and the terrible personal consequences that follow; they can also hit large businesses and landmarks, a recent example being the Colonial Pipeline. The oil pipeline system that stretches from Texas to New York is responsible for carrying gasoline and jet fuel to the southeastern portion of the United States, and it uses computerized equipment to help manage it. The ransomware attack hindered operations so much that the President of the United States declared a state of emergency. The company ended up paying millions in ransom.

With computers making up so much of our daily social and business functions, cybersecurity must be at the forefront of our minds. Cybersecurity starts with you.

Sayegh urges anyone utilizing a computer or IT environment to be alert to and aware of potential threats. Many times, cyber criminals express urgency in getting personal details from you, but Sayegh expresses the importance of always double checking sources, and never being too quick to give out information.

“Trust your instincts,” Sayegh said. “Anything that smells fishy [or is] too good to be true, don’t do it.”