Up Times
by Bryley · September 2023
Bryley’s 9th MSP 501 Award
Bryley continues to be ranked among the top in its industry
MSP 501 is an IT industry signifier that recognizes the MSP (managed service provider) industry’s highest operational efficiency and business models. The MSP 501 award is based on a sixty-point audit to verify the fitness and stability from which independent IT providers can serve their clients with dependable IT.
With its detailed questionnaire (over sixty areas of scrutiny) and the requirement to have financial results certified to the auditors, the MSP 501 award helps benchmark which MSPs are fit to earn their clients’ trust … [3 min. read]
2,742,354,049
That’s $2,742,354,049 lost to Business Email Compromise in the US in 2022
That number is eight times the population of the United States. If you stacked that many dollar bills like a giant deck of cards and laid the stack on its side, it would take you more than a day to drive its length.
In your organization’s defense
Unless you’re aware of the continually evolving cyber-threats, how can you make the most informed decisions about how to protect your organization?
As Bryley partner Barracuda describes them, Business Email Compromise (BEC) attacks are audacious. The over 2.7-billion-dollar losses suffered via BEC far outstrip the money lost to ransomware – in 2022 there were $34 million in reported ransomware payouts. And pulling off a BEC attack takes a lot more know-how and investment than ransomware does – Ransomware-as-a-Service can be found cheap on the dark web – it’s like subscribing to a cloud service. BEC actors are stealthy, manipulative and tend to go big, to make it much harder for employees to suspect them … [5 min. read]
Business Continuity Mixtape – Bryley-curated stories from around the internet:
We Do Not Negotiate with Terrorists, or Do We? The FBI is taking a hard line against the proposal in Congress that would make ransomware payments illegal. No one would argue with Congress’ goal of stopping ransomware. But if payments become illegal, as the FBI’s Bryan Vorndran says, you’re putting US companies in a position to face yet another extortion, which is being blackmailed for paying the ransom and not sharing that with authorities.
The government’s proposed scenario would play out something like this: a business would be compelled to report a cybercrime to the FBI. The FBI then shares the data with the IRS, who would audit the business to ensure payments were not made to criminals; if the business, to try and resolve its ransomware problem, falsely denied it had made payments, the IRS would prosecute the crimes of ransomware payment and false reporting.
Maybe there is a better solution than to put businesses under this added duress? Dealing with ransomware is difficult enough for a business to survive.
But what currently happens in a lot of businesses is that the ransomware payment burden is laid at the feet of the Chief Information Security Officer (CISO), or someone in an equivalent role in smaller organizations – aka the fall guy. Gary Barlet, writing for the Harvard Business Review, explains: a breach occurs, often due to some kind of misconfiguration or lax security practice within the organization or a third-party software provider, and, to save face with customers … a new CISO is swapped in for the old. And the stakes are growing higher, Barlet shows, with the example of Uber CISO Joe Sullivan’s conviction for under-reporting a cyberattack. So Barlet is in favor of outlawing ransomware payments to pressure organizations to take the threat of ransomware more seriously before a breach. Breaches, he argues, reflect not one department, but the business’ priorities. Did the CEO fully fund the CISO’s recommendations?
Strangely, the original hard line about no negotiations with terrorists goes back to a kidnapping-for-ransom event during the Nixon administration. Not negotiating at that time ended in the deaths of the hostages.
Do you think the government should bar ransomware payments? Or do you think payments are at least a path to negotiate the unlocking of data? (please send your thoughts) [3 min. read] cnn.com
An Actual Cybersecurity Rule Change — The SEC this month enacted its Cybersecurity Disclosure Rules. And while these changes may not yet affect your business, what happens at SEC-governed companies has a way of trickling down to smaller organizations – so the business can continue to be in compliance with industry regulatory boards and so it remains attractive to investors.
According to Marc Gaffan of Ionix, the most important change is the shift in responsibility for cybersecurity to the board room: CISOs [Chief Information Security Officers] might have anxiety about presenting to the board because they are the only C-level executives without a tool of their own to measure ROI. From Salesforce to Workday to Marketo, C-suite executives have platform solutions aggregating, analyzing, and reporting on every aspect of the operation. There is no such solution for the CISO, making it harder to measure security program ROI or to demonstrate business value.
The SEC rule change, Gaffan continues, is an opportunity to place cybersecurity in the context of business decisions that the board understands … [to] talk about the cyber consequences of business decisions that are made every day. [For example] the use of SaaS apps that make employees more productive in a hybrid work environment also leaves the organization more exposed to risk, as critical business data is now [under the] control of a third party. Business partnerships that drive geographic expansion, rushing new apps to market as fast as possible to capture market share, or acquiring [another business in order] to scale the engineering team all have tremendous cybersecurity consequences … When you acquire a company, you also inherit its attack surface. It is not only a new group of employees who need access to enterprise resources, but all their contractors, partners, suppliers, and so on. It is a tangled, extended digital web of connected assets and implications … [5 min. read] darkreading.com
Rule of Least Power — Strange as it seems, simplicity was canon at the World Wide Web’s beginning. On choosing the web’s code language so that it grants the broadest distribution of information, Tim Berners-Lee (the web’s inventor) wrote there is a tradeoff in choosing between languages that can solve a broad range of problems and languages in which programs and data are easily analyzed [Berners-Lee gave a print “2+2” example as something very easy for a person to analyze].
Computer Science in the 1960s through 1980s, Berners-Lee explained, spent a lot of effort making languages that were as powerful as possible. Nowadays we have to appreciate the reasons for picking not the most powerful solution but the least powerful … Less powerful languages [increase] the flexibility with which information can be reused: the less powerful the language, the more you can do with the data stored in that language.
He added, less powerful languages are usually easier to secure … [it’s] easier to analyze … easier to identify the security problems …
Well, I suspect you’ve noticed the web has become a lot more complicated and so has securing it, too. Here’s a reminiscence from Daniel Kehoe about the root of the web in simply sharing information … have we lost the thread? [5 min. read] hackernoon.com
Why make things easy for the bad guys? A credential stuffing attack is when criminals get hold of login credentials and then try them out (including with variations like just swapping in dollar signs for the letter S [per CSO Magazine]) on many other sites.
Bryley partner Microsoft reports a rise in credential stuffing attacks, some of which they ascribe to criminal use of AI tools that can be used to almost instantly generate password variations, known in the credential trade as mangling.
Multi-factor authentication and strong passwords (usually achieved in an organization with a password manager) can decrease the likelihood that this type of attack will do harm … [5 min. read] msn.com
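The “mangling” described above cuts both ways: if an attacker can mechanically turn a leaked password into its common variants, a defender can mechanically undo those substitutions and refuse a new password that is only a cosmetic variant of one already in a breach list. The following is an added example of that defensive check; it is not code from Bryley, Microsoft or CSO Magazine. The small breached-password list is constructed for the demonstration and stands in for a real compromised-credential feed.

```python
import re

# Constructed sample of previously-breached passwords (assumption: in production this
# would be a real compromised-credential feed, not a hand-written set).
BREACHED = {"summer2022", "password", "welcome1", "bryleyrocks"}

# Symbol- and digit-for-letter swaps that "mangling" tools apply. "1" is ambiguous
# ("i" or "l"), so two tables are kept and both readings are tried.
_SWAPS_COMMON = {"$": "s", "@": "a", "0": "o", "3": "e", "4": "a", "5": "s", "7": "t"}
LEET_I = str.maketrans({**_SWAPS_COMMON, "1": "i"})
LEET_L = str.maketrans({**_SWAPS_COMMON, "1": "l"})


def candidates(pw: str) -> set[str]:
    """Return the plausible un-mangled spellings of a password.

    Lower-cases, drops the trailing digits/symbols that people tack on
    (2023, 123, !), undoes leet-speak swaps, and removes any remaining
    non-letters so only the underlying word is compared.
    """
    s = pw.lower()
    s = re.sub(r"[^a-z]+$", "", s)           # strip trailing "2023", "!", "&3" ...
    out = set()
    for table in (LEET_I, LEET_L):
        core = re.sub(r"[^a-z]", "", s.translate(table))
        if core:
            out.add(core)
    return out


# Normalize the breach list once so both sides are compared in the same form.
BREACHED_CORES = set().union(*(candidates(p) for p in BREACHED))


def is_known_variant(pw: str) -> bool:
    """True if pw is a mangled variant of (or identical to) a breached password."""
    return not candidates(pw).isdisjoint(BREACHED_CORES)


def evaluate(pw: str) -> str:
    """Policy verdict a password-change form could surface to the user."""
    if pw.lower() in BREACHED:
        return "reject: appears in breach data"
    if is_known_variant(pw):
        return "reject: trivial variant of a breached password"
    return "ok"


if __name__ == "__main__":
    for sample in ["P@$$w0rd!", "Summer2023", "W3lcome", "Tr0ub4dor&3",
                   "correcthorsebatterystaple"]:
        print(f"{sample:28} -> {evaluate(sample)}")
```

Run stand-alone, the script rejects `P@$$w0rd!`, `Summer2023` and `W3lcome` as variants of entries in the constructed list and accepts the other two. The check is deliberately conservative (it strips trailing digits, so `Summer2023` and `Summer2024` both collapse to `summer`), which is the behaviour you want on a password-change form backed by a password manager: the manager will propose something random anyway.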
Note: The Mixtape section is Bryley’s curated list of external stories. Bryley does not take credit for the content of these stories, nor does it endorse or imply an affiliation with the authors or publications in which they appear.
Monthly Help for Your Business’ Continuity
Up Times by Bryley arrives monthly in your email box. It’s a New England-based resource, in continuous publication since 2000.
Subscribe free, below. Unsubscribe any time via the link at the bottom of each newsletter.
And be assured: in more than twenty years, Bryley’s subscriber list has not been shared with any third-party and will not be in the future. Bryley’s Privacy Policy can be found here.