Managed Compliant Security Solutions Leader Ntirety Announces New Suite Of Advanced Security Offerings

Launch Furthers Ntirety’s Leadership in Comprehensive and Compliant Security Solutions that Permeate the Entire IT Stack 

We are excited to introduce a new set of security tools and continue our pledge to reduce risk, optimize IT spend, and improve business agility through services unlike any other IT provider in the market. This expansion of cybersecurity tools would not have been possible without the support of our partners. 

Ntirety will continue to search for the next way to keep you and your business safe and do all that we can to be proactive in keeping bad actors out of your cyber infrastructure.  

AUSTIN, Texas, Nov. 9, 2021 /PRNewswire/ — Ntirety, the most trusted Comprehensive Security provider and only company that embeds compliant security throughout the IT stack to safeguard the assets businesses rely on, today announced the launch of a new suite of advanced security solutions. 

“Security is everything, especially in today’s world; traditional IT security as people used to know it doesn’t work anymore,” said Emil Sayegh, CEO of Ntirety. “Ntirety has put security and compliance at the core of everything we do, extending the concept of comprehensive security across the entire IT stack. This new suite of services further cements our evolved approach to security and helps safeguard businesses to become virtually unstoppable.” 

“With this launch Ntirety continues to leverage its position as a deep rooted, managed service provider, adding now a full-fledged managed security service capability,” said Philbert Shih, Managing Director at Structure Research. “This combination raises the bar on its overall value proposition as cybercrimes have exponentially increased during the pandemic with the average cost of data breaches topping several million dollars per incident. Ntirety’s new suite of advanced security offerings offers businesses comprehensive protection for everything they hold dear and reflects the increasing complexity that organizations are faced with, which translates directly into demand for service providers and MSPs.” 

This new product suite augments Ntirety’s comprehensive security services in two of the primary cyberattack vectors, and shows how Ntirety continues to comprehensively protect IT environments by enhancing its protect, recovery, and assurance security framework. New offerings being brought to market include Managed Secure Email Services, next-gen Web Application and API Protection, and Managed ASV Scan. 

Please see below for a breakdown of Ntirety’s new product offerings included in its comprehensive service suite: 

  • Ntirety Managed Secure Email Services – Email is the leading target vector of attack for cybercriminals.  Ntirety secures email by adding additional perimeter, internal, and end-point threat detection, which forms an integrated layer of email protection.  Ntirety’s three U.S.-based Security Operations Centers maintain a comprehensive view of the entire email threat landscape and take proactive measures to protect them.  
  • Ntirety Web Application & API Protection – Ntirety keeps web applications and APIs safe and secure from cyber threats across cloud, on-premise, and hybrid environments, utilizing its state-of-the-art Security Operations Center.
  • Ntirety Managed ASV – This service allows Ntirety to manage the vulnerability scanning process required for PCI Compliance, which is often extremely complex to manage on your own. 

“Ntirety’s comprehensive security suite has been an impressive security shield for our business,” said Chris Becker, National IT Director of AbsoluteCare. “Our data is extremely important, and we cannot afford for it to get in the wrong hands. Additionally, we don’t have the budget to stand up our own internal infrastructure or internally hire the expertise required to protect against today’s artful criminals. We are grateful for our partnership with Ntirety, who keep our data safe and protected from unknown threats.” 

With a vision to “help businesses move forward with less risk”, Ntirety’s vision encompasses four foundational components that ensure successful customer experiences: Comprehensive Security First, Channel Only focus, and unfettered Customer Success. Ntirety continues to provide the highest quality customer service across all sectors of healthcare, manufacturing, FinTech, and SaaS applications.  

Ntirety’s Inaugural Partner Advisory Council

Further Cementing our Channel-Only Strategy, Ntirety Selects Nine Partners for Exclusive Council to Create Long-term Channel Success.

In the ever-evolving field of information and technology, it is important to be adaptable; new devices are released every year, so cybersecurity awareness and education are of utmost importance. Ntirety’s Channel-Only approach has proven to be the ideal way to help raise awareness and security postures through our trusted Channel Partners.

To continue leading in the industry for both our partners and Ntirety, we invited partners to join our first Partner Advisory Council. We extend our sincerest thanks to our partners for their participation and for making Ntirety the trusted provider we are today. See our full press release covering the event below:

AUSTIN, Texas, Oct. 19, 2021 /PRNewswire/ — Ntirety, the most trusted Comprehensive Security provider, today announced the creation of their inaugural Partner Advisory Council. This council brings together top partners from the Channel industry to advise on best practices and collaborate on goals and initiatives for the upcoming year. This comes to further cement Ntirety’s strategy as a company that exclusively sells through the Channel.

The partners serve as the trusted voice of Ntirety customers, providing unique insights and firsthand knowledge on the brand’s services. The council’s goal is to help the Ntirety team fine-tune its product offerings, messaging, and marketing programs to further accelerate the adoption of its Compliant Security Suite of Services.

“Ntirety is 100% Channel focused, and the forming of this council reaffirms the brand’s commitment to our Channel partners,” said Emil Sayegh, CEO of Ntirety. “I’m thrilled to be able to form this council of passionate channel professionals who care deeply about the success of our clients and delivering to them pervasive, compliant security services that empower businesses to move faster with less risk.”

During the inaugural council meeting, partners gathered to align on bridging the gaps between technology, operations, and the human element of the Channel. The inaugural meeting identified a need for Channel partners to get more comfortable speaking about cybersecurity, as well as advising on compliance as new regulations across all industries continue to roll out.

“It was an honor to participate in this inaugural gathering,” said Auburn Holbrook, CRO of Opex Technologies. “For the first meeting, the content, and presenters were excellent. Ntirety is unique on multiple fronts with their Channel Only and Security First strategy. Their offering of compliant data security services comprehensively and compellingly for enterprise are unique and differentiated.”

The formation of this council directly follows Ntirety’s platinum sponsorship of the 2021 Avant Special Forces Summit in Austin, TX where CTO, Josh Henderson, and VP & Field CTO, Tony Scribner, were both featured panelists. It is the latest in a productive year connecting and collaborating with partners, including Ntirety’s participation as a platinum sponsor with speaking engagements at Telarus Partner Summit in San Diego, CA in June, and attending and co-hosting multiple events with Intelisys. Through these major conferences and summits to more exclusive gatherings, Ntirety continues to set the company apart with its cybersecurity thought leadership from other managed security providers in every interaction.

Ntirety’s exclusive commitment to Channel includes dedicated training resources, co-branded marketing collateral, reciprocal opportunity generation, and partner advisory boards, as well as evergreen commission structures and opportunity-specific incentive plans.

To learn more about Ntirety’s Channel Partner commitment or how to become a partner, visit ntirety.com/partners today!

Worldwide Cybersecurity Best Practices Part 2

Cybersecurity needs to constantly expand its resources because technology keeps growing, with new devices released every year. Countries around the world have acknowledged this need and have played their part in making the cyber world a safer place.

In part 2 of our series on Worldwide Cybersecurity Best Practices, learn about more cybersecurity initiatives across the globe. 

Canada   

The Canadian Government is investing $80 million over four years (2021-2022 to 2023-2024) to create the Cyber Security Innovation Network, a national network composed of multiple centers of cybersecurity expertise. This includes post-secondary institutions (colleges, universities, research centers, polytechnics), partners in the private sector, not-for-profits, and governments (provincial, territorial, municipal) to enhance research and development and grow cyber security talent across Canada.   

Ntirety Director of Governance Risk and Compliance Wing Lau works in the Vancouver office and will experience this expansion of cybersecurity resources firsthand.

“With the digital economy continuing to grow rapidly, accelerated by the Covid-19 pandemic, cyber security is an ever-increasing concern for Canadians and businesses,” Lau said.   

Ghana   

Ghana’s Cybersecurity Act, enacted in December 2020, regulates cybersecurity activities, promotes the development of cybersecurity, and provides for related matters. Under this act, the National Computer Emergency Response Team was established and functions to:

  • Be responsible for responding to cybersecurity incidents
  • Co-ordinate responses to cybersecurity incidents amongst public institutions, private institutions, and international bodies
  • Oversee the Sectoral Computer Emergency Response Team established under section 44

Under Section 60 of the act, the document states that education and awareness programs on cybersecurity will be carried out. As stated under section 61, research and development programs will be designed. This includes actions such as collaborating with academic research centers and developing a framework for cybersecurity training programs.   

Japan   

Japan released their Cybersecurity Strategy in September 2021 that included a plan that would stretch over the next three years to ensure a “free, fair and secure cyberspace.” In order to do this, the government plans on:   

  • Advancing digital transformation (DX) and cybersecurity simultaneously  
  • Ensuring the overall safety and security of cyberspace as it becomes increasingly public, interconnected, and interrelated
  • Enhancing initiatives from the perspective of Japan’s national security

The Cybersecurity Strategy acknowledged, for the first time, China, Russia, and North Korea as cyberattack threats.   

Spain 

In April 2021, the Spanish government committed to investing over €450 million over the course of three years to grow the country’s cybersecurity sector. Carme Artigas, Spain’s state secretary for digitalization and artificial intelligence, announced that an online “Hacker Academy” would be available for the country’s residents ages 14 and older as a part of the cybersecurity expansion initiatives.

This training attracted hundreds of participants. The National Cybersecurity Institute (INCIBE) oversees this strategic plan for spending relating to cybersecurity. Key components of increasing the business ecosystem of the sector and attracting talent include:  

  • Strengthening the cybersecurity of individuals   
  • Strengthening the cybersecurity of Small to Medium Enterprises (SMEs) and professionals   
  • Consolidating Spain as an international cybersecurity hub  

United States   

While the states within the U.S. have passed laws governing cybersecurity, federally nothing has been constructed as far as cybersecurity enforcement specifically. There are, however, national laws in place that protect individuals’ information considered “private.”   

An example of this would be the Health Insurance Portability and Accountability Act (HIPAA) that guards “individually identifiable health information” including data that relates to:   

  • The individual’s past, present, or future physical or mental health or condition 
  • The provision of health care to the individual 
  • The past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual   

Individually identifiable health information includes identifiers such as name, address, birth date, and Social Security Number.   

The cyber-world can be accessed from almost anywhere on earth; this means that as individuals we must all use caution and do everything that we can to make a safe cyberspace for all. A seemingly harmless action such as clicking on a link can lead to your personal data being stolen and potentially the private data of others.    

The personal data of others is on the line when using a social media account, email, or other places where personal data such as name and birth date is shared online. Being a member of the cyber world means holding yourself and others accountable. Hackers will always be around as long as there is cyberspace, but as global cybersecurity efforts continue to increase, we can be more prepared and respond with greater speed and efficiency.   

Worldwide Cybersecurity Best Practices Part 1

Information Technology has created the ability to connect people from virtually (no pun intended) anywhere in the world. With new internet-connected devices being released every year, safety must only continue to increase along with it. Countries all across the globe have acknowledged the importance of enforcing cybersecurity and creating a safer cyber world for everyone.  

 In this two-part series, we will take a look at how eight countries from across the world implemented cybersecurity initiatives in the past few years, including Ntirety’s global offices in Bulgaria, Canada, and the United States.  

 Australia 

In May 2021, the Critical Infrastructure Uplift Program (CI-UP) was presented by the Australian government to aid in identifying and repairing vulnerabilities in critical infrastructure. This program was set in place to help providers evaluate their current security program and implement recommended strategies to reduce risk.  

 This program is available to critical infrastructure businesses that are Australian Cyber Security Centre (ACSC) partners. According to ACSC, this program was created to:  

  • Deliver prioritized vulnerability and risk mitigation strategies  
  • Assist partners to implement the recommended risk mitigation strategies  

 Brazil 

In Feb. 2020, Brazil introduced its first national cybersecurity strategy. The country, which had ranked 70th in the Global Cybersecurity Index, moved up to number 18 on the list in 2020. While the bones were set in place with the passing of the National Policy on Information Security in Dec. 2018, more steps were still needed to create a strategy to secure the biggest economy in Latin America.

 The National Cyber Security Strategy, E-Ciber, details a four-year plan (2020-2023) to improve the “security and resilience of critical infrastructure and national public services.”  

 Strategic Objectives include:  

  1. Make Brazil more prosperous and reliable in the digital environment;  
  2. Increase Brazil’s resilience to cyber threats; and  
  3. Strengthen the Brazilian action in cybersecurity in the international scenario.  

Strategic Actions involve:  

  1. Strengthen cyber governance actions 
  2. Establish a centralized governance model at the national level  
  3. Promote participatory, collaborative, reliable and secure environment, between the public sector, the private sector and society  
  4. Raise the government’s level of protection  
  5. Raise the level of protection of National Critical Infrastructures  
  6. Improve the legal framework on cybersecurity  
  7. Encourage the design of innovative cybersecurity solutions  
  8. Expand Brazil’s international cooperation in Cybersecurity  
  9. Expand the partnership, in cybersecurity, between the public sector, the private sector, academia and society  
  10. Raising society’s maturity in cybersecurity   

 Bulgaria 

The strategy, Cyber Resilient Bulgaria 2020, was established to create a framework to ensure a safe cyber environment. The strategy was released in 2016 and the plans were carried through the year 2020 with the hopes of increasing growth in cybersecurity resources and leadership.  

 The strategy was broken into 3 phases:  

  1. Between 2016-2017 the goal was to achieve the minimum required information and cybersecurity and capability for responding to cyber incidents and attacks at organizations and networks.  
  2. When it came to cyber incidents, crises and systematic prevention activities, 2018-2019 was dedicated to bringing the work of individual systems to coordinated responses.  
  3. 2020 achieved a level of maturity which would provide cyber resilience at the national level and effective interaction and integration at international level (An example being the North Atlantic Treaty Organization (NATO)).  

“This strategy aims to provide better protection for citizens, businesses, governments and critical infrastructure,” Security Operations Analyst Teodora Mincheva said.

 The cyberworld can be accessed from almost anywhere on earth; this means that as individuals we must all use caution and do everything that we can to make a safe cyber space for all. Stay tuned for the second part of Worldwide Cybersecurity Best Practices! 

What is Cybersecurity?

This question stumps the average person. How does one have a secure cyber-environment? What is going on in computers and IT systems that keep away the hackers?

Cybersecurity, according to Merriam-Webster, is “measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.” These measures are administered by people, processes, and technology. The people part of cybersecurity is typically an organization’s Information Technology (IT) team, who create the processes necessary to provide instruction for identifying and protecting against potential threats.

Ntirety Director of Cyber Security Operations Christopher Houseknecht considers himself a “computer geek” and has been interested in the operation and evolution of the cyber world for the last 25 years growing up with it and today working for our cybersecurity company, Ntirety.

“Everything from what kind of business I conduct on my phone, private, or business related, as well as the kind of things my children do, [cybersecurity] impacts me throughout every aspect of my life,” Houseknecht says.

Houseknecht as well as Chief Technology Officer (CTO) and SVP Development and Engineering Joshua Henderson both described cybersecurity as being in “layers.” Houseknecht says these layers are made up of components such as encryption, antivirus, endpoint detection response capabilities, and separation from the network or internet. Cybersecurity is not one singular layer of protection; there are numerous layers needed to fully protect precious data.

It is always important to have a backup plan. If the first line of defense falls through, your backup plan saves you from scrambling to assess how to handle a situation before it is too late. Similarly, cybersecurity must exist in “layers” so if the bad guys somehow find their way through the first layer, precious data is not lost and stolen.

Product Manager Dave Considine also emphasizes the importance of layered security. Considine describes this as giving someone access to a resource, but limiting what they can do within it. He explains that not everyone in a company should be able to access every resource.

Henderson describes cybersecurity as making sure data is safe and available, up and running for the people who need to and are meant to access it. It is the effort from the people, technology, and processes to keep the cybercriminals out. Houseknecht explains further that technology can only do so much; it is important to have a team of people and processes in place to guide the technology to do what it needs to do.

CEO Emil Sayegh emphasizes how important it is for businesses to have a comprehensive security plan and a partner operating 24/7 to protect themselves and their clients. He explains that one aspect of cyber protection will not defend against all possible cyber attacks. Phishing, malware, DDoS attacks and more require different solutions.

Handling cybersecurity internally as a business may seem like the easier and cheaper option, but there are so many products that must be invested in and many people constantly monitoring and operating the technology. In the long run, off-the-shelf security products can cost more as they keep piling on as the threats become more complicated and hackers become more sophisticated, not to mention the cost of hiring or training employees to tackle these evolving risks.

“That’s where someone like Ntirety has a really beneficial solution to most customers and companies out there,” Henderson says. “The average company is not going to really want to operate or find the staffing to do it the right way.”

While it is important to bring on a team of qualified individuals to help maintain the safety of normal IT-related business operations, it is crucial to abide by cybersecurity best practices every day on your own. Henderson and Houseknecht both mentioned the importance of having good cyber-hygiene. Cyber-hygiene is how someone presents themselves in the cyber-world. This includes practices such as not sharing passwords, not clicking suspicious links, using two-factor authentication, and not plugging in a USB drive when you are unsure where it came from.

Houseknecht also expressed the importance of having resiliency in cyber-matters.

“Never assume it won’t happen to you,” Houseknecht warns. “[Hackers] don’t care whether you’re just an average Joe using computers to play video games or if you’re running a cybersecurity company.”

The recent cyberattack on IT software and management company SolarWinds is an unfortunate example of a cybersecurity business that was hacked and faced disastrous consequences. The company works with businesses and government agencies, but it’s not just larger companies that need to worry.

So much of our lives exist online now — medical records, academic information, financial details and more are stored online. In addition to this, social media has become a way of connecting with family, friends, and businesses all around the world. There will always be people who will misuse resources and seek to steal private information for personal gain. But that’s where cybersecurity comes in to provide peace of mind through proactively keeping the bad guys out and keeping important data in.

The cyber-world has moved from a “perimeter” to a “distributed mindset,” according to Considine.

The “perimeter” concept of cybersecurity is an outdated approach, sometimes referred to as the “castle mentality,” and is defined as the idea that securing the perimeter of an IT environment (i.e. building castle walls and digging a moat) is enough. It is outdated because it ignores activity within the environment that may be malicious, and it is becoming more and more difficult to secure the perimeter of more advanced cloud and hybrid environments.

Cloud services, capability, and computing have eliminated the perimeter mindset. People distributed across the world are able to access the services from anywhere thanks to cloud computing. With this greater access to resources, there is an even greater need for cybersecurity.

In addition to the cyber-world’s shift to a distributed mindset, remote work became increasingly common as cloud computing resources grew, and especially after the start of the Covid-19 pandemic, which pushed a huge portion of workforces to work from home and introduced a whole new slew of cyber-risks. More workplaces have adopted fully remote or partially remote work schedules, and your security posture needs to adapt as well.

The effects of data theft reach beyond personal data and the terrible personal consequences that follow; they also hit large businesses and landmarks, a recent example being the Colonial Pipeline. The oil pipeline system that stretches from Texas to New York is responsible for carrying gasoline and jet fuel to the southeastern portion of the United States, and it uses computerized equipment to help manage it. The ransomware attack hindered operations so much that the President of the United States declared a state of emergency. The company ended up paying millions in ransom.

With computers making up so much of our daily social and business functions, cybersecurity must be at the forefront of our minds. Cybersecurity starts with you.

Sayegh urges anyone utilizing a computer or IT environment to be alert to potential threats. Many times, cyber criminals express urgency in getting personal details from you, but Sayegh stresses the importance of always double-checking sources and never being too quick to give out information.

“Trust your instincts,” Sayegh said. “Anything that smells fishy [or is] too good to be true, don’t do it.”

Calculating the Real Cost of Downtime for Your Business

Be prepared for the worst-case scenario 

From startling headlines that have highlighted recent data breaches to the impending doom a single storm can spell for data centers, it becomes clearer every day that business continuity and disaster recovery are critical components to every IT strategy. While getting familiar with today’s modern IT threats, risks, and possible vulnerabilities within current systems is important, understanding downtime resulting from a disaster and its long-lasting repercussions—numbers unique to each individual business—is even more vital when designing an effective business continuity plan.

In order to determine the cost of downtime and its consequences due to an unexpected disaster, IT professionals first need to break down the overall elements that can contribute to it.

Where do the costs add up?

Time is money, so the saying goes, and the monetary impact of downtime reaches more areas than just the IT team, including:

  • Idle workers across departments who are still on the clock but cannot perform their job duties
  • Physical damage to infrastructure, equipment or the building itself
  • Lost revenue due to inoperable POS or delivery of products to market
  • Hiring additional outside resources and specialists for data recovery
  • Repair or replacement of technology components
  • Reputation damage from vendors, clients and prospects

With the different elements to consider, it is little wonder that research by Gartner reports the average cost of IT downtime as $5,600 per minute. While that statistic may seem staggering—even unbelievable to some—finding the cost of downtime for an individual organization can be easily accomplished.

How to calculate the cost of downtime?

Calculating the unique cost of downtime can be done in terms of revenue loss and productivity cost. Both can be achieved (and reassessed over time) with clear formulas, using the information specific to the company.

To calculate revenue loss, gather the following information:

  • Gross yearly revenue (GR)
  • Total annual working hours (TH)
  • Percentage impact (I)
  • Number of downtime hours (H)

With the numbers identified, use this formula:

(GR/TH) x I x H = revenue loss

 

To calculate productivity cost, gather the following information:

  • Number of employees affected (E)
  • Percentage of employees affected (A)
  • Average cost of employees per hour (C)
  • Number of downtime hours (H)

With the numbers identified, use this formula:

E x A x C x H = productivity cost

Armed with real numbers, crafting the disaster recovery and business continuity plan to adequately prepare and protect an organization can become a priority supported throughout operations.

Control costs and continuity with a trusted IT partner

While the cost of downtime can be calculated with simple formulas, constructing worst-case scenario plans to minimize the impact of such costs is anything but simple. Engaging with experts to design recovery and business continuity plans not only ensures that every detail of an organization’s IT systems has been accounted for, but also saves internal IT teams the time of being distracted by “what-ifs” instead of business goals. Ntirety Disaster Recovery (DR) Services help ensure mission-critical applications are safeguarded against malicious attacks, weather-related phenomena, and other triggers for unexpected downtime. From platform management to continuous data protection and architecture design, Ntirety DR empowers enterprise companies to provide continuous service to customers and stakeholders with confidence.

Security Gap Gives Hacker Access to 100 Million Bank Customers’ Personal Information

Capital One is the Latest Enterprise to Hit the Headlines Over a Data Breach

On Monday, July 29, 2019, Capital One Financial Corp. announced that more than 100 million of its credit card customers and card applicants in the U.S. and Canada had their personal information hacked in one of the largest data breaches ever.

Paige Thompson, a software engineer in Seattle, is accused of breaking into a Capital One server and gaining access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers in addition to an undisclosed number of people’s names, addresses, credit scores, credit limits, balances, and other information. The Justice Department released a statement Monday confirming that Thompson has been arrested and charged with computer fraud and abuse.

As the CISO of a global IT solutions provider, I am always hesitant to comment on these situations because if it can happen to one of the biggest players in the industry, then everyone is at risk. Bad actors have unlimited time, resources and motivations—that’s why advancing a cybersecurity program is critical to every organization’s maturity process. We, the cybersecurity community, must do better collectively.

While the Capital One data breach is staggering with more than 100 million affected, this is just another event in a long list of massive data incidents during recent years, including Equifax, Marriott, Home Depot, Uber, and Target. Adding to the list of compromised information, “improper access or collection of user’s data” like Cambridge Analytica or WhatsApp have also made recent unsettling headlines.

Don’t Wait for Hackers to Find the Vulnerabilities from Within

Court filings in the Capital One case report that a “misconfigured web application firewall” enabled the hacker to gain access to the data. As infrastructures, support structures, and data flows become more complex, the need for security and visibility increases exponentially. Fundamentals like asset management, patching, and role-based user access are critical and cannot be overlooked.

These pillars of protection are achievable with the help of experienced partners, like the managed security experts at Ntirety, focused on finding and filling any gap in existing infrastructure and applications.

Learn more about how Ntirety’s Managed Security services can be the better shield for your data against hackers.

Take Charge on a Personal Level by Using a Passphrase

Even with all the internal work and effort businesses put towards protecting data, consumers should still take precautions and be proactive in protecting their identity. Never give personal information out over the phone—even if the caller appears to be from a reputable organization like Capital One. Phishing scams through calls, emails, and text messages are only increasing. Even offers for IT protection from unvetted parties can be attempts to gather or “fill in” additional information for malicious purposes.

One of the quickest ways to boost protection of your personal information is to change your password to a passphrase. Create a great passphrase in three easy steps:

  • Use personally *meaningless* passphrases
  • A pseudo-random mixed 15-character password
  • Pick a minimum of 4 words—RANDOMLY

Simply combining random words (like DECIDE OVAL AND MERRY = Decide0val&andmerry) can build a new passphrase far more secure than “12345” or “password1”.
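The difference between picking words "randomly" and picking them by hand can be measured. The following is an added example, not part of the original article: it draws words with Python's `secrets` module and compares the entropy of a four-word passphrase with that of the random 15-character password mentioned in the steps. The 32-word list is constructed for illustration, and the 7,776-word list size used for comparison is an assumption about what a reader would substitute.

```python
import math
import secrets
import string

# Constructed sample word list, for illustration only. A real generator
# would load a much larger list (assumed here: 7,776 words, diceware-sized).
SAMPLE_WORDS = [
    "decide", "oval", "merry", "anchor", "basil", "cobalt", "drift", "ember",
    "fable", "glacier", "harbor", "ivory", "juniper", "kettle", "lantern", "mosaic",
    "nectar", "orbit", "pebble", "quartz", "ripple", "saddle", "timber", "umbra",
    "velvet", "walnut", "yonder", "zephyr", "acorn", "bramble", "cinder", "dapple",
]

# Letters, digits and punctuation: 94 printable ASCII symbols.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def passphrase_entropy_bits(word_count, list_size):
    """Entropy of word_count words drawn uniformly and independently."""
    return word_count * math.log2(list_size)


def password_entropy_bits(length, alphabet_size):
    """Entropy of a password of uniformly random characters."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, list_size):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words, word_count=4, separator="-"):
    """Draw words with a CSPRNG; the page's minimum of 4 words is enforced."""
    if word_count < 4:
        raise ValueError("use at least 4 words")
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates, entropy would be overstated")
    return separator.join(secrets.choice(words) for _ in range(word_count))


def generate_password(length=15):
    """Random mixed-character password, as in the second step of the list."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
    print("4 words, 32-word list:    %.1f bits" % passphrase_entropy_bits(4, 32))
    print("4 words, 7,776-word list: %.1f bits" % passphrase_entropy_bits(4, 7776))
    bits = password_entropy_bits(15, len(PASSWORD_ALPHABET))
    print("15 random characters:     %.1f bits" % bits)
    print("words to match that:      %d" % words_needed(bits, 7776))
```

These figures hold only when a machine makes the selection; words chosen by a person are far more predictable than the calculation assumes.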

Let Partners Provide You Peace of Mind Against Security Threats

While every individual should be an active participant in protecting their identity and personal data, enterprise companies can’t ignore the devastating regularity of these hacks and breaches. IT security is a crucial component for any modern business, and equally important is the constant vigilance to keep those security measures validated and updated. Vulnerabilities emerge with every new technological advance, making an experienced partner to keep a steadfast watch necessary to allow organizations’ own IT teams to focus on innovation and business goals.

Ntirety’s Managed Security services bridge the gaps every company faces as systems, tools, and data grow rapidly. Expert monitoring, risk reduction, and mitigation from trusted IT partners empower internal teams to focus on pushing business forward. Don’t trust that your basic security is enough to keep your company out of the hacker headlines—get real peace of mind with cybersecurity experts like Ntirety watching your backend systems, infrastructure, and applications.

Schedule a consultation with Ntirety today to proactively protect your data from hacker threats and data breaches.

CISO Chris Riley’s CloudEXPO Presentation: The Great Migration: Retreat from the Cloud Sacrificing Security?

On June 24th, Ntirety CISO Chris Riley was proud to present The Great Migration: Retreat from the Cloud Sacrificing Security? at the 23rd International CloudEXPO conference in Silicon Valley. With over 20 years of enterprise IT experience, Riley brought unparalleled perspectives to the CloudEXPO stage on the current state of IT security, including shared concerns, hidden risks, and the tested tactics to protect data.

Security Threats Remain Even in New Cloud Solutions

Migrating to the cloud provides numerous benefits to enterprise organizations, but do-it-yourself or one-size-fits-all approaches to cloud selection and management have created a number of concerns for internal IT teams across industries. This phenomenon has led to a shift away from the one-size-fits-all approach to more hybrid cloud options, as noted in Ntirety CEO Emil Sayegh’s keynote presentation. However, while hybrid solutions do eliminate issues relating to cost and performance, they can still leave gaps in security and compliance.

Despite the advances hybrid and multi-cloud options bring, threats can spring from a variety of both external and internal sources. Calling these threats the “Treacherous 12,” Riley shared the most critical issues that plague cloud security from a survey by Cloud Security Alliance:

  1. Data Breaches
  2. Weak Identity, Credential and Access Management
  3. Insecure Application Programming Interfaces (APIs)
  4. System and Application Vulnerabilities
  5. Account Hijacking
  6. Malicious Insiders
  7. Advanced Persistent Threats (APTs)
  8. Data Loss
  9. Insufficient Due Diligence
  10. Abuse and Nefarious Use of Cloud Services
  11. Denial of Service
  12. Shared Technology Issues

From massive data breaches to the headaches of employees sharing passwords, these challenges exist—knowingly or unknowingly—for all organizations in the cloud.

Combatting Risks with Better Internal Tactics

Although the above list may seem daunting, Riley illustrated to CloudEXPO attendees that there is hope. Visibility, segmentation, automation—all these modern cloud security pillars are achievable through more detailed and dedicated processes, like enforcing access control, re-architecting systems, and monitoring behavioral activity.

All the elements for better security and data protection are obtainable, Riley explained, if cross-functional internal teams can work together and prove that investing in greater measures is not only worthwhile but vital for every cloud solution.

“The fact of the matter is we have to demonstrate the value, we have to enable the business, and we have to do it in near real-time fashion,” said the Ntirety CISO to his audience. “Because the business isn’t going to wait for us.”

Bringing diverse members of a company’s team together for increased communication is a key component of implementing any new security strategy or process, specifically the collaboration necessary between the departments of Development, Security, and Operations. Calling this the “trifecta of success,” Riley emphasized that teams holding frequent and in-depth conversations across DevSecOps will “inherently have a strong mentality to code things right, to secure things appropriately, and to allow the business to be successful.”

Better Security from the Inside Out

The concerns are real and more relevant than ever, but so are the tactics to tackle them, Riley assured his audience in Silicon Valley. He elucidated the current state of IT security—the good, the bad, the ugly—and ways enterprise companies can stay ahead of the threats. For CloudEXPO attendees, the practical ways Riley outlined to protect systems and data in today’s increasingly insecure world were just the kind of insights enterprise IT professionals look for: identifiable risks, actionable plans, and sustainable methods.

Ready to get your own IT security insights from trusted cloud experts? Schedule your consultation for better data protection today!

Keep Your Company Out of the Shocking Data Breach Headlines

Rising Statistics Show Internal Security is Not Enough to Protect Data

On Monday, June 3, Quest Diagnostics, the largest blood-testing company in the world, reported that nearly 12 million patients’ personal information, including financial data, social security numbers, and medical records, was exposed through a data breach at a third-party billing collection agency. While lab results were not affected, the sheer number of patients affected makes this event the second largest healthcare data breach ever reported, following only health insurer Anthem’s 78.8 million record data breach in 2015.

The Overlooked Third-Party Risk

How could the patient data of a global company like Quest be so vulnerable? The risk did not come from within the enterprise healthcare company, but through a data breach at American Medical Collection Agency (AMCA), a third-party billing collection service vendor providing services to Quest’s healthcare revenue manager, Optum360 LLC.

External entities like AMCA are widely used across industries. A recent Deloitte poll found 70% of enterprise businesses report a moderate to high reliance on third-party services, but all the rewards come with equal risks. The same poll found that 47% of the organizations surveyed had experienced a risk incident involving the use of third-party services in the last three years.

Quest is Not Alone and That’s Not a Good Thing

Healthcare is an appealing target for hackers, and third-party services have provided the perfect backdoor access to data for several major breaches in 2019.

Just one day after Quest made their announcement, diagnostics company LabCorp reported nearly 7.7 million patients’ personal data was exposed as a result of a massive breach at the same third-party billing collection agency as Quest: AMCA. Additionally, Rush System for Health reported in March 2019 that the personal information for approximately 45,000 patients was compromised due to their third-party claims processing services vendor, and Emerson Hospital reported around the same time that 6,314 patients had portions of their protected health information exposed due to a security breach at a third-party services vendor.

Beyond healthcare, big-name companies across industries have made headlines due to compromised data, including Target, Home Depot, Applebee’s, and Saks Fifth Avenue. A 2018 study by Opus & Ponemon Institute found that 59% of companies experienced a third-party data breach that year, but a mere 16% claimed they effectively mitigated third-party risks. While it may seem obvious that outside entities can create security gaps, it appears dedicated evaluation and management of these additions can often be substandard, with only 37% of the study’s respondents indicating that they have enough resources to manage third-party relationships.

Cautionary tales featuring global healthcare companies, retail giants, and national restaurant chains might be enough to change those eye-opening statistics, but lawmakers are now asking impacted companies about “vendor selection and due diligence process, sub-supplier monitoring, [and] continuous vendor evaluation policies,” and pointedly asking about the recent breach headlines “how many times has Quest Diagnostics conducted a security test which evaluates both Quest Diagnostics’ systems as well as the systems of any companies it outsourced to?”

Don’t be in the News for a Breach and Don’t be a Statistic – Here’s How

First, following best practices and compliance mandates can set enterprise organizations up to better protect their data from any vulnerabilities third-party entities present, including:

  1. Regularly scheduled vulnerability assessments
  2. HIPAA-required risk assessments for healthcare organizations
  3. Dedicated security management and monitoring
  4. Disaster Recovery planning

BAAs are Necessary but Not Sufficient

Enterprise companies must always ensure that they have a solid and trustworthy partner that can deliver secure infrastructure with a comprehensive Business Associate Agreement (BAA). A BAA acts as a binding contract that creates liability between the company and vendor and holds both parties to stringent HIPAA regulations, but more can be done to truly ensure security for critical data. Ntirety provides peace of mind with industry-leading BAAs and more so with our HITRUST CSF Certified status, demonstrating that all the certified applications appropriately manage risk by meeting key regulations and industry-defined requirements. “HITRUST CSF is the gold standard,” says CEO Emil Sayegh. “In the face of mounting data breaches, companies handling sensitive data must remove all doubt by working with trusted cloud providers with deep experience in security protocols and regulatory compliance.”

Trust is Possible with the Right Third-Party Vendors

Whether starting from square one or proactively planning for a worst-case scenario, organizations can avoid a data breach disaster at the hands of a third-party vendor with diligent vetting, managing, and planning – all of which can be time-consuming and drain resources, falling back to the 37% statistic above.

Meeting HIPAA compliance and setting strong BAAs are a good start, but with the help of experienced HITRUST-certified experts, businesses can better trust their third-party associates. Like an extension of their own teams, Ntirety guides and supports with our detailed and compliance-focused assessments, steadfast monitoring, and rigorously tested recovery plans. Ntirety is ready to meet any organization’s needs, such as our client BlueSky Creative, Inc. who had “a lot of questions and need[ed] to be 100% confident in the provider”, but Vice President Stephanie Butler explains that with Ntirety “from day one, all my questions were answered, and I was given all the guidance I needed and more.”

As a tenured IT services company with over 20 years of experience, Ntirety solutions meet compliance for PCI, HITRUST, HIPAA, FERPA, and GDPR guidelines, and our BAAs strengthen the mutual commitments to safeguard customer data. Our design for data security thoroughly evaluates all third-party vendors and how they interact with all systems and platforms, and continues with safeguard evaluations, so no customer ever has to worry about becoming a statistic.

Schedule a consultation with Ntirety to protect your data and keep your third-parties secure.

The Many Names and Faces of Disaster Recovery

When discussing disaster recovery, people often throw out a variety of words and terms to describe their strategy. Sometimes, these terms are used interchangeably, even when they mean very different things. In this post, we’ll explore these terms and their usage so you can go into the planning process well-informed.

Disaster Recovery:

This is a term that has been making the rounds since the mid- to late-seventies. Although the meaning has evolved slightly over time, the disaster recovery process generally focuses on preventing loss from natural and man-made disasters, such as floods, tornadoes, hazardous material spills, IT bugs, or bio-terrorism. Many times, a company’s disaster recovery plan is to duplicate their bare metal infrastructure to create geographic redundancy.


Recovery Time Objective (RTO): 

As you build your disaster recovery strategy, you must make two crucial determinations. First, figure out how much time you can afford to wait while your infrastructure works to get back up and running after a disaster. This number will be your RTO. Some businesses can only survive without a specific IT system for a few minutes. Others can tolerate a wait of an hour, a day, or a week. It all depends on the objectives of your business.


Recovery Point Objective (RPO):

The second determination an organization must make as they discuss disaster recovery is how much tolerance they have for losing data. For example, if your system goes down, can your business still operate if the data you recover is a week old? Perhaps you can only tolerate a data loss of a few days or hours. This figure will be your RPO.


IT Resilience:

This term measures an organization’s ability to adapt to both planned and unplanned failures, along with their capacity to maintain high availability. Maintaining IT resilience is unique from traditional disaster recovery in that it also encompasses planned events, such as cloud migrations, datacenter consolidations, and maintenance.


Load Balancing:

To gain IT resilience and keep applications highly available, companies must engage in load balancing, which is the practice of building an infrastructure that can distribute, manage, and shift workload traffic evenly across servers and data centers. With load balancing, a downed server is no concern because there are several other servers ready to pick up the slack.

Streaming giant Netflix often tests the load balancing ability of their network with a proprietary program called Chaos Monkey. Using this tool, they ensure that their infrastructure can sustain random failures by purposefully creating breakdowns throughout their environment. This is a great example for companies to follow. Ask yourself: What would happen if someone turned off my server or DDOSed my website? Would everything come crashing to a halt if an employee accidentally deleted a crucial file?


Backup:

Backups are just one piece of the disaster recovery puzzle. Imagine if you took a snapshot of your entire workload and replicated it on a separate server or disk—that is a backup. With backups, you always have a point-in-time copy of your workload to revert to if something happens to your environment; however, anytime you must revert to a backup, anything created or changed between the time the last snapshot was taken and the time the disaster occurred will be lost.
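The RTO, RPO, and backup definitions above can be turned into a check against real job history. The following is an added example, not part of the original post: it measures the data-loss window for an incident, finds gaps between backups that exceed the RPO, and compares restore-drill durations with the RTO. All timestamps, durations, and targets are constructed sample values.

```python
from datetime import datetime, timedelta


def parse(ts):
    """Parse a 'YYYY-MM-DD HH:MM' timestamp."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def data_loss_window(backup_times, incident_time):
    """Time between the last backup completed before the incident and the
    incident itself. Everything written in this window is lost on restore.
    Returns None when no backup predates the incident."""
    earlier = [t for t in backup_times if t <= incident_time]
    if not earlier:
        return None
    return incident_time - max(earlier)


def rpo_violations(backup_times, rpo):
    """Pairs of consecutive backups that are further apart than the RPO."""
    ordered = sorted(backup_times)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if b - a > rpo]


def worst_case_gap(backup_times):
    """Largest interval between consecutive backups, as (gap, start, end)."""
    ordered = sorted(backup_times)
    if len(ordered) < 2:
        raise ValueError("need at least two backups to measure a gap")
    return max((b - a, a, b) for a, b in zip(ordered, ordered[1:]))


def meets_rto(drill_durations, rto):
    """True only if every measured restore drill finished within the RTO."""
    return max(drill_durations) <= rto


# Constructed sample data: nightly backups where the 2024-03-03 job failed.
BACKUPS = [parse(t) for t in (
    "2024-03-01 01:00", "2024-03-02 01:00",
    "2024-03-04 01:00", "2024-03-05 01:00",
)]
RPO = timedelta(hours=24)   # constructed target
RTO = timedelta(hours=4)    # constructed target
DRILLS = [timedelta(hours=3, minutes=10), timedelta(hours=4, minutes=45)]
INCIDENT = parse("2024-03-03 22:30")

if __name__ == "__main__":
    print("data lost if restoring after incident:", data_loss_window(BACKUPS, INCIDENT))
    for start, end in rpo_violations(BACKUPS, RPO):
        print("RPO exceeded between", start, "and", end)
    print("worst gap:", worst_case_gap(BACKUPS)[0])
    print("restore drills within RTO:", meets_rto(DRILLS, RTO))
```

One silently failed nightly job doubles the worst-case loss to 48 hours, which is why backup completion needs monitoring and not only a schedule.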


Failover Cluster:

Another piece of the disaster recovery puzzle, failover clusters are groups of independent servers (often called nodes) that work together to increase the availability and scalability of clustered applications. Connected through networking and software, these servers “failover,” or begin working, when one or more nodes fail.

Which type of failover server you choose depends on how crucial the system is, along with the RPO and RTO objectives of the disaster recovery plan. Failover servers are classified as follows:

  • Cold Standby: Receives data backups from the production system; is installed and configured only if production fails.
  • Warm Standby: Receives backups from production and is up and running at all times; in the case of a failure, the processes and subsystems are started on the warm standby to take over the production role.
  • Hot Standby: This configuration is up and running with up-to-date data and processes that are always ready; however, a hot standby will not process requests unless the production server fails.

Replication:

This term represents the process of copying one server’s application and database systems to another server as part of a disaster recovery plan. Sometimes, this means replacing scheduled backups. In fact, replication happens closer to real time than traditional backups, and therefore can typically meet shorter RPO and RTO targets.

Replication can happen three different ways:

  • Physical server to physical server
  • Physical server to virtual server
  • Virtual server to virtual server

Database Mirroring:

As with backups and replication, database mirroring involves copying a set of data on two different pieces of hardware; however, with database mirroring, both copies run simultaneously. Anytime an update, insertion, or deletion is made on the principal database, it is also made on the mirror database so that your backup is always current.


Journaling:

In the process of journaling, you create a log of every transaction that occurs within a backup or mirrored database. These logs are sometimes moved to another database for processing so that there is a warm standby failover configuration of the database.


At the end of the day, what you really need is business continuity.  

A well-formed business continuity plan will use all of these methods to ensure your organization can overcome serious incidents or disasters. Going beyond availability, business continuity plans determine how your business will continue to run at times of trouble. Can your business survive a systems failure? Can it survive a situation where your offices burn down? How quickly can you access your mission-critical data and mission-critical applications? How will people access your mission-critical applications while your primary servers are down? Do you need VPNs so employees can work from home or from a temporary space? Have you tested and retested your business continuity plan to ensure you can actually recover? Does your plan follow all relevant guidelines and regulations?

The right mix of solutions will depend on the way your business operates, the goals you’re trying to achieve, and your RPO and RTO targets. In the end, the resilience of any IT infrastructure or business comes down to planning, design, and budget. With the right partner to provide disaster recovery and business continuity management services, you can come up with a smart plan that proactively factors in all risk, TCO goals, and availability objectives.

To start planning your own battle-tested IT disaster recovery plan and business continuity strategy—and ensure that your business is ready for anything—contact one of our experts for a free risk assessment today.