Articles
DeSeMa transforms complex IT environments into streamlined, highly secure systems. We make your IT assets work together more effectively to save money, increase operational efficiency, and reduce risk. Read through our content library to learn about our expertise and the IT services we offer.
Are You Prepared to Comply with the New SEC Cybersecurity Rules?
A cybersecurity breach can significantly impact a company’s stock value. A 2019 study by Bitglass found that publicly traded companies lost 7.5 percent of their stock value after suffering a security incident. On average, it took 46 days for the stock value to recover. Clearly, a security breach poses a risk to investors.
The Securities and Exchange Commission has taken action to address this risk with new rules requiring companies to disclose “material” security incidents on Form 8-K. Companies must determine the incident’s materiality as soon as possible after discovery, then file the report within four business days.
That’s a tall order for many companies. When the SEC first proposed the new rule, many public companies complained that four days would not give them enough time to gather the necessary information. They also argued that publicly disclosing breaches before they were fully contained could allow hackers to expand their attacks. Nevertheless, the new rules became effective on Sept. 5, 2023, and companies must report incidents as of Dec. 18, 2023.
The ‘Screen Scraping’ Threat and What to Do About It
The term “screen scraping” refers to a method of collecting data from a display screen. This can be done automatically through software designed to recognize the various elements of the user interface. Screen scraping can also be performed by taking an image of the text and using optical character recognition (OCR) to translate the image into text. Simply copying down what appears on the display is a manual form of screen scraping.
Screen scraping has a number of legitimate uses. However, it also creates serious security and regulatory compliance risks, particularly in the banking and financial services, healthcare, and government sectors. Mobile devices used in a bring your own device (BYOD) model can be a significant source of malicious screen scraping. Organizations should take steps to prevent malicious actors from using screen scraping to steal user credentials and sensitive information.
How Geofencing Can Help Boost Mobile App Security and Compliance
There’s no question that mobile devices improve productivity. According to the Evolving Workforce Project, 83 percent of workers feel that advances in mobile technology have made them more productive. A Cisco study found that Bring Your Own Device (BYOD) policies enabled 37 minutes more productive time each week.
Unfortunately, that productivity can come at the expense of security. Mobile devices can get lost or stolen. Users fall victim to social engineering attacks and reveal their credentials. That puts corporate applications and data at risk of unauthorized access. This is particularly problematic in highly regulated industries such as banking and healthcare.
Geofencing is a powerful tool that can help reduce risk. With geofencing, a mobile app uses GPS, cellular data, Wi-Fi or radio frequency identification (RFID) to define a virtual boundary. Whenever the device exits that geographic area, the mobile app can be disabled. The DeSeMa team uses this technique frequently to secure sensitive applications.
Here are some examples of industry sectors where geofencing can strengthen mobile app security.
Common Mobile Device Security Mistakes Increase Costs and Risks
Many employees primarily use mobile devices for work. Cybercriminals are well aware of this fact, and mobile devices are increasingly targeted with malware, phishing and other threats.
Researchers at Zimperium say that sophisticated attacks against mobile devices are on the rise. According to the firm’s Global Mobile Threat Report, 80 percent of phishing attacks target mobile devices or both mobile and desktops. The researchers also identified more than 920,000 unique mobile malware samples, a 51 percent year-over-year increase. Malware was detected on 5 percent of mobile devices.
Mobile devices have greatly enlarged the attack surface. Organizations must prioritize security measures that reduce the risk that hackers will leverage mobile device vulnerabilities to infiltrate the rest of the network. However, many organizations make common mistakes with regard to mobile device security that increase costs and risk.
How Mobile Device Waste Eats Up a Significant Chunk of the IT Budget
A 250-employee organization spends an average of $1,234 per employee annually on mobile enablement, according to a 2022 Oxford Economics study. That includes the cost of the device, software, connectivity and management. Even BYOD programs cost $893 per employee.
There is a fair amount of waste hidden in these costs. For example, a lot of organizations spend money on unnecessary security tools because they haven’t configured and deployed the tools they have. Antivirus is an excellent example. Many organizations believe they need third-party antivirus software to protect mobile devices. In reality, they need to tune up and enable the tools that are built into the operating system.
Microsoft knows its products better than a third-party vendor, and spends more on security. In fact, Microsoft bought one of the world’s largest antivirus companies, which still operates as a separate entity. Its product is integrated into the Windows platform and provides far better security than any third-party tool. The same goes for the Apple and Android platforms — their native security is superior to anything a third-party vendor can deliver.
Why Hardware Matters in the Cloud
Like it or not, all clouds have hardware and operating systems, and your application may perform better on one particular cloud or instance type than it would on others. The cloud runs on electrical devices that were optimized in different ways to achieve different objectives. We generally can’t tell from a human perspective, but those impacts are there.
Why a Well-Functioning CI/CD Is Key to Effective Cost Control in the Cloud
Manual processes are a leading contributor to increased cloud costs — in ways you might not consider. When organizations try to manage their cloud environments manually, they wind up overspending on security tools, backup and other resources. There’s also the operational overhead of managing those tools.
The problem is that organizations don’t have a well-functioning CI/CD pipeline. The continuous integration (CI) component involves automatically building and testing code changes and releasing them into a shared repository. Continuous deployment (CD) automates the process of putting code releases into production. When the CI/CD pipeline is working properly, there’s no need for a human to touch any of those processes unless there’s a severe “break glass” situation.
How the Right Controls and Automation Can Dramatically Reduce Cloud Waste
In our last post, we explained why poor design is the likely cause of high cloud costs. Many organizations pay three times more than necessary for cloud services because they don’t know how to optimize their applications and security tools. They also fail to take advantage of available tools for automated monitoring of cloud usage.
Waste is another source of cloud overspending, according to the Flexera 2023 State of the Cloud Report. As we noted in our last post, organizations estimate that 28 percent of their cloud spend is wasted — and that number is likely low. OpenMetal extrapolated the Flexera numbers and determined that enterprises waste $7.2 million annually and small to midsize businesses waste $1 million.
Much of this waste stems from a lack of effective cloud governance. Unless guided by policies and procedures, cloud consumers will typically take the path of least resistance. They will turn on the level of cloud services they think they might need without considering the potential cost. Often, these services are left to run indefinitely, constantly running up the bill.
However, there are things organizations can do to minimize waste and get a better handle on their cloud spend. It comes down to setting up automated systems that suspend or shut down cloud instances when unneeded.
Cloud Costs Too High? Poor Design Is Likely the Cause
Managing cloud spend remains a top challenge for organizations of all sizes, according to the Flexera 2023 State of the Cloud Report. Cost concerns were cited by 82 percent of survey respondents, surpassing security for the first time in a decade to become the No. 1 challenge.
Organizations exceeded their cloud budgets by an average of 18 percent, up from 13 percent the previous year. They estimated that 28 percent of their cloud spend is wasted, although that number is likely low.
Many factors play a role in cloud budget overruns. If an organization lacks effective policies governing cloud provisioning, developers may specify more resources than the application being deployed needs. Development and test environments may run 24x7 even though developers only work during business hours. Resources may be scaled to support maximum workload requirements instead of using auto-scaling features to handle spikes in demand.
How PMOs Help Address the Complexity of Technology Projects
Most organizations have traditionally distinguished between “technical” and “nontechnical” projects. Today, however, it’s difficult to think of any business project that does not have a technology component.
In a recent Techaisle study, most midmarket executives agreed that all business strategy discussions involve technical considerations. This increases the complexity of business initiatives and requires a different approach to project management. Project leadership requires business acumen as well as project management skills, and the ability to think strategically about the organization’s overall objectives.
Many organizations have established project management offices (PMOs) to address this complexity. A PMO is a multidisciplinary team tasked with defining project management standards and ensuring that project managers follow best practices. Most importantly, the PMO provides documentation, KPIs and other guidance to help ensure that projects are completed on time and within budget.
Organizations that have multiple cross-functional projects are finding that a PMO is essential. According to a recent KPMG report, 57 percent of organizations use a PMO to coordinate their project portfolios.
How to Hire the Right Technical PM for Your IT Project
Nontechnical project managers can doom an IT project. As we discussed in a previous post, nontechnical PMs often struggle to set appropriate project timelines, determine what resources are needed and prevent “scope creep” from muddling the effort. When it comes time to staff the project, they lack the know-how to vet candidates appropriately.
So why do organizations put nontechnical PMs in charge of IT projects? The reasons vary, of course, but in many cases they just aren’t aware of the downsides. Organizations believe that anyone with project management experience is qualified to spearhead the initiative.
Often, however, organizations try to use a nontechnical project manager because finding a truly technical PM is difficult due to the chronic shortage of IT talent. And if the organization isn’t technical to begin with, the people doing the hiring aren’t going to have the background needed to determine if a candidate has the needed expertise.
Why Nontechnical Project Managers Struggle to Assemble the Right Team
In our last post, we explained why your IT project needs an experienced IT project manager. Any individual with project management experience might seem capable of spearheading IT projects. In reality, however, it takes someone with technical skills to keep the project from going off the rails. With a nontechnical person at the helm, there’s a greater risk of unrealistic time estimates, lack of resources, “scope creep” and budget overruns. These are some of the textbook reasons why IT projects fail.
There’s an additional problem: the “trickle-down effect.” Nontechnical project managers likely won’t have the know-how to assemble the right team for the project. They’re going to grab some keywords and hunt for resumes based on those keywords.
We see this frequently at DeSeMa. A recruiter will call and ask us to change the keywords in a resume — from “security architect” to “cybersecurity architect,” for example. The recruiter is trying to make the resume match the keywords the project manager is looking for. Sadly, we can tell immediately that they don’t know what skill sets they need.
Why Your IT Project Needs an Experienced IT Project Manager
It’s difficult to get accurate statistics on IT project failures. Few organizations like to self-report wildly inaccurate time estimates and budget overruns. They hesitate to say that projects are abandoned because of these and other issues.
One frequently cited report from The Standish Group found that just 15 percent of IT projects are completed on time and within budget. That statistic is backed up by a later Project Management Institute (PMI) study. PMI found that 49 percent exceed the expected timeframe, 43 percent go over budget and 31 percent fail to meet their objectives. Most organizations bite the bullet and muddle through. However, 14 percent of projects are canceled outright.
Countless articles have been written discussing why these problems persist. Commonly cited reasons include poorly defined goals, poor communication, lack of a project sponsor and failure to follow project management best practices.
That may well be true for projects generally. For IT projects, however, problems often arise when a nontechnical project manager is selected to spearhead the effort.
AI Can Deliver Many Benefits in Financial Services but Also Comes with Risks
Financial services organizations are showing keen interest in artificial intelligence. According to a recent report by the Economist Intelligence Unit (EIU), 85 percent of banks have a “clear strategy” for incorporating AI into their products and services. Almost half (46 percent) of bank executives said these initiatives can help them achieve their objectives “to a great extent.”
AI’s potential cuts across many aspects of financial services operations. At the most basic level, AI can help financial services organizations streamline and automate traditional processes to achieve new levels of efficiency. That’s only the beginning. AI can also enable the development of innovative products and services. It allows financial services to tap into vast amounts of transactional and unstructured data to create a 360-degree view of customers and provide more personalized services.
That has become a necessity in today’s hyper-competitive market. Banks can no longer rely on longevity and asset size to attract customers. Today’s consumers expect a personalized experience, and those organizations that can deliver will gain competitive advantages.
Healthcare Organizations Must Address the Security and Privacy Risks of AI
Artificial intelligence has many compelling use cases in healthcare. Computer vision systems, for example, can identify patterns that humans might not detect. A recent study published in The Lancet found that AI-assisted analysis of medical images improved the detection of breast cancer by about 20 percent. A 2022 Mayo Clinic study found that AI-assisted colonoscopies reduced the rate of missed cancers by 50 percent.
Machine learning systems can rapidly analyze vast clinical documentation and predict medical outcomes, enabling doctors to make more accurate diagnoses. AI can also identify previously unknown correlations in healthcare data, paving the way for new drugs and treatment plans.
AI systems based on large language models (LLMs) are increasingly accurate. A new study published in the Journal of Medical Internet Research found that ChatGPT made accurate clinical decisions about 72 percent of the time. Marc Succi, M.D., one of the study’s authors, said the chatbot’s accuracy compared to that of an intern or resident.
The Problem of Bias when Using AI in the Recruiting Process
In 2022, New York City passed a law regulating the use of artificial intelligence to assess candidates for hiring or promotion. Local Law 144, which went into effect July 5, 2023, requires employers to conduct a “bias audit” to determine if the AI tool discriminates against candidates in protected categories. The audit must determine the “selection rate” for candidates based on race, color, national origin, sex, age and other criteria.
Applications and Potential Risks of Computer Vision Systems
People often wonder what it would be like if computers could think. Computer vision is about enabling them to see. Not literally, of course. But the field of computer vision allows machines to understand the content of visual inputs and take action based on that information.
It’s pretty remarkable, really. Humans have complex physiological systems and years of context that enable them to distinguish between different types of objects. Most of us take for granted the ability to judge distance, perceive motion and understand other visual clues. Computer vision systems must replicate this ability with processors, cameras, algorithms and lots of training data.
Natural Language Processing Enables Efficiency and Better Decision-Making
The natural language processing market is booming. Researchers with Fortune Business Insights expect the NLP market to exceed $112 billion by 2030, a compound annual growth rate of 24.6 percent. Organizations are adopting NLP tools to increase the efficiency of business processes and capture more insight from large volumes of unstructured data.
Deep Learning: How It Works, How It’s Used and How It Can Create Risks
Advances in deep learning technology have generated today’s hype surrounding artificial intelligence. Applications such as ChatGPT and Lensa AI have captured the imagination of users worldwide. The tools are fascinating because they can create text, art and more, blurring the lines between machine and human capabilities.
What Is AI? An Introduction to the Basic Types and Use Cases
The term “artificial intelligence” was first popularized at the 1956 Dartmouth Conferences, and until the past few years it was largely considered science fiction. From R2D2 and C3PO to The Terminator, people have always wondered what it would be like if machines could think, learn, reason and behave like humans. AI made for great entertainment, but it was never realistic.
Now that more compute power is available, AI is no longer far-fetched. Graphics processing units (GPUs), which perform calculations much faster than traditional central processing units (CPUs), have helped enable the rapid growth of AI applications. Demand for AI hardware is high — TrendForce predicts that about 1.2 million AI servers will ship in 2023, representing almost 9 percent of total server shipments.
Today, it’s within the reach of almost any business to invest in AI technology. Before making those investments, however, organizations need to understand what AI is, what it is not, and how it can be used.
AI-Enabled Security Has Become an Imperative in Today’s Threat Climate
Artificial intelligence is transforming cybersecurity, and in many ways taking it out of human hands. Cybercriminals are using AI to accelerate their activities and gain new insights into the systems they’re trying to attack. In recent articles, we talked specifically about the use of ChatGPT in cyberattacks. ChatGPT enables more effective phishing campaigns and “quieter,” more adaptive malware. AI is also used to crack passwords, find vulnerabilities and analyze stolen data.
The Significant Threat of Software Supply Chain Attacks and How to Reduce Risk
Software supply chain attacks have reached epidemic levels. In a 2023 study, 90 percent of IT professionals said their organizations had been affected by software supply chain threats in the past year. Additionally, 88 percent said these threats created risk for the entire organization. However, just 60 percent believe they have adequate defenses.
A Capterra report found that 50 percent of IT security professionals consider supply chain attacks to be an “extreme” or “high” threat. Another 41 percent say the risk is “moderate.”
Many supply chain threats come from open source software. The Capterra report notes that 94 percent of organizations use some form of open source software in their applications, with 57 percent using multiple open source platforms. A 2022 report from Sonatype found 88,000 malicious packages in open source software, a mindboggling 742 percent increase over 2019.
Organizations can “immunize” themselves against this threat with proper DevSecOps practices. The key is to take control of open source code so that it goes through the same rigorous security checks as internal software.
AI Washing in the Staffing Industry: Why It’s a Problem and What You Should Do
The technology industry is fond of buzzwords, and “artificial intelligence” is the buzzword du jour. In the few months since the introduction of ChatGPT, AI products have cropped up everywhere. Unfortunately, many companies are engaging in “AI washing” — claiming their products are AI-enabled when they really aren’t.
AI washing is similar to greenwashing, in which companies make false or misleading claims about the environmental sustainability of their products, services or operations. It seeks to increase sales by capitalizing on the latest industry hype. Ultimately, however, it reduces AI to just another buzzword and erodes confidence in the technology.
The recruiting industry is the latest sector to engage in AI washing, with many firms claiming that they’re using AI-driven technology. If a staffing company claims its processes are AI-enabled, it’s important to ask two questions:
- Are you actually using AI or just an algorithm you’re calling AI?
- If you are using AI, how useful is it if it’s being fed bad data?
With ChatGPT, Malware Becomes More Adaptive and ‘Quieter’
In our last post, we discussed how bad actors can use ChatGPT to take phishing attacks to a new level. That’s not the only threat. The AI chatbot can also generate malware that is more effective at gaining access to the network and finding data that may be valuable to the hacker.
ChatGPT: Taking Phishing Attacks to a New Level
Some industry analysts are heralding ChatGPT as the solution to many cybersecurity problems. After all, hackers are using artificial intelligence to boost the scale and frequency of their attacks to unprecedented levels. Organizations are recognizing the need to leverage AI and machine learning to fight back against the onslaught.
It’s important to not lose sight of the first half of that equation. Hackers are already using AI, and ChatGPT gives them a new, powerful tool. Beyond AI-supported password guessing, advanced persistent threats and automated penetration testing, ChatGPT opens up sophisticated capabilities for the least sophisticated hackers.
For example, ChatGPT enables phishing at a scale that wasn’t possible before and removes some of the key indicators of phishing. Organizations will have to retool their processes for detecting and neutralizing phishing attacks.
How Robust, Granular Data Loss Prevention Stops Data Leaks
Stryker Corp. has sued a former employee for allegedly downloading multiple folders of data to a personal thumb drive before resigning. The former employee also deleted hundreds of documents from her company-issued laptop and cloud-based storage. The medical equipment company says the data includes highly sensitive information and trade secrets.
Stryker could have avoided this problem if it had robust data loss prevention (DLP) in place. A well-designed DLP solution would have prevented the employee from downloading and deleting the data.
DeSeMa has DLP built into our fully managed endpoint services. Whether an employee is using a device provisioned through our service, another company-owned device or a personal device, we will put controls in place to prevent data exfiltration and exposure.
How to Get the Most Value from GitHub Copilot without Creating Security Risks
On March 22, 2023, Microsoft announced the release of a new version of GitHub Copilot, its AI-assisted coding tool. Based on OpenAI’s GPT-4 multimodal large language model, the new solution adds chatbot functionality similar to Microsoft 365 Copilot. The chatbot sits inside integrated development environments (IDEs), allowing programmers to enter natural language requests.
The original GitHub Copilot solution integrates with popular code editors and offers code suggestions in real time. The new version is more like a programming assistant, with the ability to rewrite code, look for security vulnerabilities and fix bugs. It can even analyze legacy software with limited documentation and explain how it functions, enabling programmers to spend less time reading and more time doing productive work.
Like Microsoft 365 Copilot, GitHub Copilot also creates significant security risks. Development teams must ensure that their environments and data are set up properly to prevent the introduction of vulnerabilities and the exposure of intellectual property.
Why Certifications Are No Longer a Reliable Benchmark for Vetting Candidates
Many hiring managers look for vendor certifications when vetting candidates for IT positions. Unfortunately, certifications are no longer a reliable benchmark for evaluating a candidate’s skills.
Years ago, most certifications required physical interaction with the vendor’s equipment. Today, most certification programs only require the candidate to pass a written test. Several vendors have lowered the barrier to entry for certifications for economic reasons.
Let’s say a company sells a network switch for $50,000, and makes a 5 percent to 10 percent margin on the sale. The customer won’t replace that switch for five years. Now let’s say the same company writes a certification exam for people who want to work on those switches. It costs $50,000 to create the exam, and the company partners with a third party to administer it. Every person who passes the test is going to pay the company $1,600 a year to renew their certification.
You can see very quickly that there’s more revenue to be made from certifying people than from selling the equipment. And the company has a financial incentive to make the test easier so that more people pay for renewals.
Common Misconceptions About Zero Trust Security for Applications
When most people think of zero trust, they think of network security. All users and devices attempting to access the network are considered threats until their identity is verified and access rights validated. Access rights are strictly limited to what users need to do their jobs.
However, networks are not the only vulnerable elements of the IT environment. In fact, applications are typically the initial targets of attackers. Users normally access applications after they are authenticated, but authentication alone does not provide adequate protection against threats. Applications are still vulnerable to SQL injection, cross-site scripting and other attacks, as well as the lateral movement of hackers who have gained access to the network.
That’s why it’s critical for organizations to protect their applications as part of their zero trust strategy. Problems arise when organizations do this with a monolithic firewall.
Outsourced, Full-Lifecycle Endpoint Management Enhances the User Experience
In our last post, “How DeSeMa’s Talent Appraisal Capabilities Take the Guesswork Out of Hiring,” we discussed the challenges associated with endpoint provisioning and management as endpoint devices proliferate. Manual processes consume a significant amount of technicians’ time that could be better spent on business-enabling initiatives. User productivity is also negatively impacted, particularly for remote workers.
While organizations can gain efficiencies by implementing automated tools, endpoint provisioning and management remains a distraction. A better approach is to outsource to a managed services provider such as DeSeMa.
Our last post focused on the provisioning component of our endpoint managed services. Provisioning is only the beginning — our services span the endpoint device lifecycle, and cover PCs, laptops, mobile devices and fleet-managed cell phones.
How DeSeMa’s Talent Appraisal Capabilities Take the Guesswork Out of Hiring
When hiring IT professionals, managers often have more questions than answers. What skill sets do I need for this project or initiative? Does the candidate have those skill sets? Are the candidate’s certifications valuable? What kind of salary should I offer?
It’s a lot like buying a used car. You don’t know if that car has been in a serious wreck, had extensive mechanical problems or recalls, was ever stolen, or is encumbered by a lien — unless you get a CARFAX report. With that report, you have a better idea of what you’re getting and how much you should pay.
That’s the value DeSeMa brings to the technical recruiting process. Whether you’re hiring for a full-time position or using staff augmentation services to obtain resources for a short-term project, DeSeMa can conduct an in-depth technical review of a candidate’s skills to determine if that individual can perform the job.
The Right Staff Augmentation Helps Stalled IT Projects Move Forward
It’s frustrating to have a key project funded, yet be unable to move forward due to a lack of human resources. It happens more often than you’d think, even among large enterprises. In a recent Gartner survey, IT leaders said that a shortage of talent was the most significant obstacle standing in the way of 64 percent of new technologies they’d like to adopt.
Given today’s complex IT environments, it’s virtually impossible for any organization to maintain all the skill sets needed for every project. If a funded project fails to get off the ground, it’s usually because the IT department lacks a key, high-level resource.
Filling these resource requirements can frustrate even the most well-connected IT manager. Human resources specialists are adept at finding candidates for routine IT job vacancies — permanent, contract-to-hire and contract positions with job descriptions and well-defined requirements. However, HR often lacks the technical know-how and resources to locate subject-matter experts (SMEs) with the highly technical skill sets needed for current, proposed and critical projects.
Are Your Security Automation Tools Constantly Crying Wolf?
Everyone knows the fable of The Boy Who Cried Wolf. A shepherd boy repeatedly tells the villagers that a wolf is attacking the flock, so no one believes him when he calls for help in a real wolf attack. The wolf devours the sheep and, in some versions of the story, the boy. It’s a cautionary tale about false alarms that applies to today’s automation tools.
In a recent survey of senior cybersecurity professionals conducted by Opinion Matters, 68 percent of cybersecurity professionals said that security automation is somewhat or very important to their organizations. Almost all (98 percent) said they are increasing their security automation budgets. However, 97 percent reported barriers to achieving their automation objectives.
Alert fatigue is a common problem. A recent report by Trend Micro found that 51 percent of security pros feel overwhelmed by the number of security alerts they receive. In addition, 55 percent said they don’t feel confident in their ability to prioritize alerts.
Like crying wolf, alert fatigue can have real consequences. The far-reaching supply chain attack on Voice over IP vendor 3CX was not caught quickly because the company’s security team had been desensitized by the frequent false positives generated by their security tools.
Did You Fail Your PCI Audit? Here’s What to Do Next
In a previous post, we discussed version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS). All organizations that store, process or transmit payment card data must comply with PCI DSS, which requires minimum levels of security for all IT systems that are “in scope.” Version 4.0, launched on March 31, 2022, provides for a more flexible approach to compliance that can be customized to the organization’s specific needs. It also requires “continuous compliance” with the standard rather than a once-a-year, box-checking exercise.
At this point most organizations have had to file their first audit, and it was likely eye-opening. Given the traditionally low levels of PCI compliance, it’s likely that many organizations were not fully prepared for the changes implemented in PCI DSS 4.0. Full compliance won’t be mandated until March 31, 2025, but that offers a limited time to modify existing security controls.
Furthermore, auditors are allowed to tell you that you have an issue, but they cannot tell you how to resolve it. DeSeMa specializes in helping organizations identify the root cause of these issues so that they can maintain compliance for the long term.
Why Organizations Should Prepare Now for Full Compliance with PCI DSS 4.0
Bank of America introduced the world’s first general-purpose credit card, the BankAmericard, in 1958 and promptly lost an estimated $20 million to credit card fraud over the next 15 months. Efforts to eliminate credit card fraud have been only marginally successful since then.
The unfortunate reality is that credit cards and fraud go hand-in-hand. According to data from the Federal Reserve, more than 80 percent of American adults have at least one credit card, with most owning three or more. At the same time, payment card fraud is now a multibillion-dollar criminal enterprise. According to the most recent Nilson Report, credit card issuers, merchants and acquirers lost more than $32 billion to fraud in 2021.
In 2004, major credit card companies launched the Payment Card Industry Data Security Standard (PCI DSS), requiring all businesses that accept card payments to meet minimum levels of security. However, annual studies reveal low levels of compliance with the standard. Just 43.4 percent of organizations were fully compliant with PCI DSS in 2021, according to the 2022 Verizon Payment Security Report.
Overcoming the IT Skills Gap: Managed Services or Staffing?
Massive layoffs by tech companies have put more than 125,000 people back into the job market, but it has not made a dent in the IT skills shortage. According to workforce analytics firm CyberSeek, the global tech worker shortfall now stands at about 3.5 million people, with 68 workers per 100 job openings in the U.S.
Widespread migration to the cloud hasn’t eased the tech shortage, either. Think about it: Companies may need fewer IT professionals, but cloud providers need more. And cloud providers and other tech giants can afford to pay these pros more and offer better career opportunities than organizations in other sectors.
These forces are having a very real effect on organizations’ IT strategies. In a recent survey, two-thirds of organizations said a lack of skilled IT staff hindered their ability to leverage key technologies, including analytics, automation and edge computing. A number of organizations have reported that they’re consolidating systems and performing forklift upgrades of their IT infrastructure because they can’t find enough people with the right skill sets.
To avoid falling behind and potentially crippling your business, you can outsource IT operations to a managed services provider or hire additional staff. Each option has benefits depending upon your requirements.
The 3 Real Reasons for Sky-High Cloud Costs (They’re Not What You Think)
Cloud repatriation is a hot topic, with IT industry analysts predicting that more organizations will migrate workloads from public cloud platforms back onto on-premises infrastructure. Cost is the usual reason. Many organizations have seen their cloud spend spiral out of control and are looking to rein in those costs.
The problem is that few organizations understand why their cloud costs are skyrocketing. They also assume they have no control over those costs. In reality, however, there are steps they could take to reduce their cloud expenses while still enjoying the benefits of a public cloud environment.
Let’s look at the three real reasons for sky-high cloud costs.
Save Time and Money by Outsourcing Endpoint Provisioning and Management
The average enterprise manages 135,000 endpoint devices, according to a 2022 report from the Ponemon Institute. Despite this enormous volume, most organizations continue to provision and manage endpoints manually.
Technicians often spend hours provisioning a single device, and ongoing administration and support add further operational overhead. Organizations must dedicate significant resources to this effort — resources that could be allocated to tasks that are more valuable to the business. Meanwhile, users sit idle while their devices are configured, updated or repaired.
Efficient endpoint management requires a dedicated team of experts, well-defined processes, strong vendor relationships and investments in automated tools. While organizations can implement this in-house, many choose to outsource to a qualified provider such as DeSeMa. DeSeMa delivers a comprehensive suite of endpoint provisioning and management services for a fixed monthly fee, reducing operational overhead, increasing IT and user productivity, and enhancing endpoint device security.
Alert: Is Your Data Ready for Microsoft’s New AI Tool?
OpenAI’s ChatGPT software has dominated IT industry headlines in recent months, with many pundits pontificating on the future of artificial intelligence. When asked an open-ended question, the ChatGPT app will generate text on that subject. GPT-3, the pre-trained multi-modal large language model behind ChatGPT, is also used to create graphics, power search engines, gain insight from customer feedback, and more. OpenAI introduced a new version, GPT-4, on March 14, 2023.
Two days later, Microsoft announced the debut of Microsoft 365 Copilot, an AI-powered assistant based on GPT-4. Copilot can help Excel users take advantage of advanced functions and data visualizations, and generate the first draft of a document in Word for the user to edit and expand.
But Business Chat is the most intriguing Copilot feature. This chatbot tool crawls all the data in the organization’s Microsoft ecosystem — Outlook emails, Teams messages, calendar entries and documents — and summarizes any data relevant to the user’s natural language prompt. It then works with other Office apps to draft emails, generate Word docs, create PowerPoint presentations and more.
It also opens a Pandora’s box of security and regulatory compliance threats. Is your data ready?
How to Get Your SaaS App into Production Quickly and Easily
You’ve developed a cloud-based application. Do you have the foundation you need to put your app into production?
Software-as-a-Service is a popular application delivery model in a wide range of industries, from healthcare to financial services to hospitality and retail. It enables developers to sell their software as a subscription-based service rather than a one-time license, giving them recurring revenue, a low barrier to entry and access to a larger customer base. Customers like it because it doesn’t require an upfront investment and maintenance and updates are built in.
In order to maximize the value of SaaS, however, developers must pair it with the DevOps model. DevOps helps ensure the efficiency of SaaS delivery by automating many processes and enabling collaboration between development and operations. It is proven to speed time to market, reduce operational costs and encourage continuous improvement.
That said, implementing DevOps processes and a CI/CD pipeline can be challenging, particularly for startups and organizations transitioning to a more agile model. DeSeMa’s SaaS managed service is designed to bridge this gap.
Why Data Center Migrations Fail, and How to Reduce the Risk
They say that moving is the third most stressful event in life, following death and divorce. If the millions of Americans who will move their households this year are feeling the pinch, just imagine the pressure on IT managers who must oversee the relocation of corporate data center facilities.
Coordinating the move of servers, storage subsystems, and LAN and WAN infrastructures is a monumental task that must be approached with the strategic precision of a military campaign. Today’s complex IT environments, coupled with the “always on” nature of today’s mission-critical systems, create a high risk of failure. On top of that, harried IT managers must try to manage the migration while keeping up with day-to-day tasks.
For that reason, it often makes sense to partner with an IT provider with the knowledge and expertise to handle a data center migration project. Here are some key reasons why data center moves fail, and how DeSeMa can help overcome them.
How Outsourcing Can Relieve the DevOps Skills Gap
Building a DevOps team isn’t easy, and a skills shortage adds to the challenge. DevOps professionals are in high demand, which means they’re in limited supply. In a recent DevOps Institute survey, 64 percent of IT leaders said they’re having a hard time finding professionals who are skilled in the DevOps discipline.
Automation can help relieve some of the pressure on DevOps staff and enable development and operations teams to collaborate more efficiently. However, there are even fewer people with expertise in DevOps automation at a production scale, making it difficult to capitalize on the benefits of automated tools.
These factors make DevOps outsourcing an attractive alternative. Organizations gain access to DevOps experts who can help build CI/CD pipelines or assess existing processes and recommend improvements. The right outsourcing partner will also have expertise in automation, cloud services, security and optimization. Although DevOps outsourcing isn’t right for every organization, it can help accelerate the implementation of DevOps processes and tools and deliver a number of bottom line benefits.
Identity Management Is an Essential Part of Any Cybersecurity Strategy
“Identity is the new perimeter.” Security experts have repeated this catchphrase for at least 10 years. It started when organizations began large-scale adoption of Software-as-a-Service applications, and the workforce became increasingly mobile. These trends created a porous network perimeter that’s difficult to secure.
Remote and hybrid work models, Internet of Things (IoT) devices, and third-party access have further eroded the network perimeter. In order to protect sensitive applications and data, organizations must ensure that only authorized users are able to access them. However, many organizations continue to struggle with identity and access management (IAM).
Faced with growing numbers of users, machines and applications that require access to IT resources, many organizations devote significant time and effort to the task of adding, changing and deleting user identities and permissions. In many organizations, user identities must be manually updated across disparate applications and resources, leading to mistakes and delays that impact productivity and increase the risk of a security breach.
Endpoint Security Threats Have Skyrocketed. Here’s Why
Three trends have converged to drive a dramatic increase in endpoint security threats:
Who’s Responsible for the Security of Data in the Cloud?
It has often been said that public cloud services are more secure than the typical corporate data center. While that’s true, consider the following:
· Approximately 1.6 million files involving more than 80 municipalities were exposed due to a misconfigured Amazon S3 bucket related to MapsOnline, a software service provided by PeopleGIS. The data included personal information of area residents and their properties.
· A misconfigured S3 bucket led to the exposure of 3TB of data held by four airports in Colombia and Peru. The data included ID photos and personally identifiable information of airline employees.
· Japanese website Doctors-Me.com failed to properly configure a bucket, giving hackers access to 300,000 images uploaded by patients seeking medical consultation. Some of the images provide enough information for someone to identify the patient, including adults and children.
Cloud service providers such as Amazon have world-class data center facilities and teams of experts who are steeped in the latest security techniques. However, the cloud is only as secure as you make it, as these three data leaks show. The cloud operates under a shared responsibility model, in which cloud service providers are responsible for the security of their data center infrastructure, and customers are responsible for what’s stored there. However, there are variations to this rule.
5 Ways Advanced Consulting Boosts Cybersecurity
It is nearly impossible to overstate cybercrime’s threat to global economic growth and stability. Recent research from the United Nations, the World Economic Forum and others suggests that cybercrime now costs the world more than $11 million per minute! Threats are being compounded by the increasing involvement of organized crime groups, who have made cybercrime more profitable than illegal drug trafficking.
Skyrocketing cybercrime — much of it perpetrated by sophisticated hacking groups backed by state actors — is driving record spending on security solutions. Forbes Business Insights predicts that the information security market will exceed $366 billion by 2028. Despite these investments, businesses of all shapes and sizes are finding it increasingly difficult to stem the rising tide of attacks.
The accelerated adoption of cloud, mobile, edge and wireless technologies to support mass numbers of remote workers has dramatically expanded the attack surface. The continuing skills gap is making it hard to find, hire, train and keep qualified cybersecurity specialists. In a recent Sophos survey, 54 percent of respondents said their organizations’ IT departments are unable to handle today’s sophisticated attacks on their own.
Healthcare Cyberattacks Are Putting Patients at Risk
On Nov. 25, 2022, the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) issued a joint alert warning of attacks directed by the Hive ransomware gang. The agencies say the attacks have victimized more than 1,300 organizations in critical infrastructure sectors — particularly healthcare and public health. Victims have made ransom payments of more than $100 million since June 2021.
Cybercrime targeting healthcare organizations has reached epidemic proportions. A recent study by research firm Vanson Bourne found that two-thirds of healthcare organizations suffered ransomware attacks in 2021 — almost twice the number in 2020.
Federal officials warn that ransomware puts patients at risk by forcing hospitals to postpone appointments, cancel surgeries and close some units. Ambulances may be diverted to more distant facilities, delaying access to critical care.
What Is Infrastructure-as-Code and What Are Its Benefits?
A 2020 report found that 75 percent of organizations need to upgrade their IT infrastructure in order to take advantage of new technologies. Many are leveraging the cloud to minimize capital investments and implement new solutions with limited risk. However, the manual processes associated with building and configuring new environments often create substantial roadblocks. IT teams devote significant time to mundane, repetitive tasks, delaying progress on new initiatives.
Infrastructure-as-Code (IAC) enables organizations to automate provisioning, monitoring and management, minimizing errors and accelerating deployments. Also referred to as software-defined infrastructure, IAC expands on the concept of scripts by using a higher-level language to program more complex deployment processes. The application of DevOps methodologies further enables the consistent and reliable delivery of infrastructure at scale.
IAC offers a number of advantages, including reduced costs, greater speed and efficiency, and improved security. As with any IT operational process, best practices can help maximize the benefits of IAC.
Best Practices for Embedding Security into CI/CD Pipelines
The term “shift left” has traditionally been applied to the process of testing “early and often” in software development. Today, that concept also extends to security.
Conventional software development focuses on solving a problem, with security tacked on once the application is put into production. However, it’s typically more time-consuming, expensive and complex to embed security into an application after it’s implemented. DevOps teams are often left with the headache of stomping out security fires as they crop up. Shift-left security builds security best practices into the development process to minimize this technical debt.
The same principle applies to the continuous integration / continuous delivery (CI/CD) pipeline. By embedding security in their CI/CD pipelines, DevOps teams can deliver, release and operate systems that are more reliable and secure.
Here are four best practices to follow.
How to Develop a Strategic Approach to Cybersecurity for 2023
Organizations are putting a lot of time, money and effort into combating cybersecurity threats. In a recent Gartner survey, 66 percent of CIOs said that cybersecurity is their top area for increased investment in 2023, even though many are facing a budget squeeze.
The research firm predicts that global cybersecurity spending will total $188.3 billion in 2023, and grow at a rate of 11 percent annually to reach $262 billion by 2026. Remote and hybrid work models, the adoption of zero-trust network access (ZTNA), and the continued shift to cloud-based solutions are driving market growth.
Given all the money invested in security tools and services, you’d think that organizations would be getting a handle on cyber threats. However, very few days go by without a major cyberattack or data breach, reminding us that there’s still much work to be done. Part of the problem is that few organizations have developed a strategic, risk-oriented approach even though most recognize that cybersecurity is a business issue as well as an IT issue.
Database-as-a-Service Brings Cloud Benefits to Database Platforms
Organizations have a lot to gain by migrating their databases to the cloud.
Traditionally, databases are installed on “bare metal” servers and carefully configured by expert administrators. Once the database is implemented — a process that could take weeks or even months — significant resources and budget must be dedicated to ongoing maintenance and management. In a Database-as-a-Service (DBaaS) model, the service provider is responsible for building and maintaining the physical infrastructure needed to support the database, and for handling backups, installing security updates and scaling storage resources. Customers simply access the database resources they need on a subscription basis.
DBaaS delivers all the classic cloud benefits — minimal capital investments, reduced operational overhead and near-infinite scalability to support rampant data growth. It also facilitates disaster recovery. And because it enables rapid deployment with limited risk, DBaaS offers a cost-effective platform for proofs of concept, application development and testing.
Readiness Assessment Is Key to Successful Long-Term Cloud Plans
Cloud adoption continues to accelerate. Gartner has forecast that spending on public cloud services will increase 20.7 percent in 2023, up from the 18.8 percent growth predicted for 2022. The KPMG Global Tech Report 2022 finds that 88 percent of businesses consider themselves advanced in their cloud adoption, with 73 percent migrating strategic workloads to the cloud. The rapid adoption of cloud services without upfront planning can lead to management challenges. However, many organizations lack the skillsets needed to plan properly and develop a clear strategy.
A cloud readiness assessment performed by third-party experts can help organizations maximize the benefits and avoid the potential pitfalls of cloud migration. The process will require a thorough evaluation of the current IT infrastructure, application portfolio, workloads and bandwidth requirements to determine what applications and services are good fits for cloud deployment.
DeSeMa helps customers complete a rigorous assessment process to prepare for cloud migrations. We have the expertise, toolsets and proven framework to guide cloud migrations that help customers meet their strategic objectives. Here are a few key considerations we help customers address:
Unsecured IoT Devices Increase the Risk of Attack on OT Systems
Internet of Things (IoT) devices provide significant value to organizations in a wide range of industries. If they’re not properly secured, however, they pose significant risk to mission-critical operational technology (OT) systems.
The Microsoft Defender for IoT research team recently investigated attacks on water utilities in the United Kingdom. The researchers found that the utilities were using routers that were intended for use by consumers. Attackers leveraged a remote code execution vulnerability in the routers to install the Mirai botnet. A patch for this vulnerability had been available for more than two years, but the update had not been applied.
In this case, the SCADA systems that monitor water quality were not breached. However, the vulnerable routers could have allowed the attackers to move laterally through the network and gain access to sensitive OT systems.
This is the conundrum posed by the IoT. Organizations are deploying IoT devices with the presumption that those devices are secure. However, many IoT devices weren’t really designed to be connected to the open Internet and have only the most rudimentary security controls.
Organizations should perform regular vulnerability assessments to find risky IoT devices. They should also develop and implement a security program that specifically addresses IoT risk.
Insider Threats Pose a Greater Risk than Cybercriminal Gangs
Well-funded hackers with sophisticated tools strike fear into everyone responsible for cybersecurity. For instance, the Conti ransomware gang was responsible for 20 percent of ransomware attacks in the first quarter of 2022, including one that caused Costa Rica to declare a state of emergency. Other notorious gangs include North Korea’s Lazarus Group, the Magecart Syndicate and Russia’s Evil Corp.
As menacing as these groups may sound, Stephen in sales and Ellen in engineering likely pose more imminent threats.
According to a recent Proofpoint report, 58 percent of CISOs believe the greatest risk of a breach comes from insiders — whether employees or trusted vendors. Consider these headline-making incidents:
- A 17-year-old tricked a Twitter employee into providing the credentials for corporate administrative tools, enabling the Florida teenager to take over verified accounts and use them in a Bitcoin scam.
- A disgruntled former employee of a Kansas rural water district was able to access the agency’s computer system remotely and tamper with the cleaning process, putting customers in eight counties at risk.
- Multiple employees of South Africa’s Postbank copied the primary encryption key, making more than $3.2 million in fraudulent transactions and forcing the bank to pay $58 million to reissue more than 12 million payment cards.
California Enforcement Actions Signal the Need for CCPA Compliance
In August 2022, the California Office of Attorney General (OAG) issued its first fine for California Consumer Privacy Act (CCPA) violations. The OAG sued cosmetics retailer Sephora, in part for failing to provide consumers with a “Do Not Sell My Personal Information” link and continuing to sell information to third parties after consumers had opted out via General Privacy Controls (GPCs). Sephora entered into a $1.2 million settlement agreement with the OAG.
Many organizations are preparing to comply with the California Privacy Rights Act (CPRA), which goes into effect Jan. 1, 2023, with enforcement to begin on July 1, 2023. However, California AG Rob Bonta made it clear that his office is enforcing the existing CCPA. “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable,” he said in a statement.
Although the CCPA is state legislation, it has global reach. It applies to any covered business that collects data from California residents — regardless of where the business is physically located. Other states are also following the California model. Colorado, Connecticut, Utah and Virginia have enacted data privacy laws, and at least 38 other states introduced consumer privacy legislation.
Why Boards of Directors and CISOs Should Work Together More Closely
Cyberattacks are among the most significant threats organizations face, and boards of directors are taking notice. Not long ago, boards had limited awareness of cyber threats. Today, 77 percent of board members say cybersecurity is a priority, according to a new study conducted by MIT Sloan’s research consortium.
In fact, board members are more likely than chief information security officers (CISOs) to believe their organizations are at risk. The study found that 65 percent of board members think their organization will experience a cyberattack that materially affects the business within the next year. Just 48 percent of CISOs agree.
Boards and CISOs are in greater alignment when it comes to the biggest cybersecurity threats. Email fraud, cloud account compromise, ransomware attacks and supply chain attacks topped the list for both board members and CISOs. About half of board members and CISOs agree that their organizations are unprepared for these attacks.
Security is a Critical Consideration in Cloud Migration Planning
Organizations are shifting their applications to the cloud to gain new levels of efficiency, elasticity and scalability. According to Flexera, 57 percent of organizations have moved workloads to the cloud, and that number should continue to increase.
However, moving mission-critical apps into the cloud is rarely a “lift-and-shift” proposition in which an app is rehosted without any modifications. In fact, rehosting is often a costly disaster because it doesn’t take full advantage of cloud services.
Before migration, organizations should perform multiple analyses related to cost, performance, availability and connectivity, and develop a formalized cloud migration plan. They must also account for application dependencies and ensure that the cloud platform will support key business and technical requirements.
Security is another important consideration. Too many organizations migrate applications to the cloud and worry about security later. However, cloud migration almost always involves changes to security protocols. The cloud comes with different security tools, techniques and skillsets, complicating the migration process.
Best Practices for Reducing the Risk of Software Supply Chain Attacks
Recent cyberattacks such as the SolarWinds hack, along with exploits that take advantage of vulnerabilities such as Log4j, have highlighted the weaknesses inherent in the software supply chain. In light of the risk, the White House issued Executive Order (EO) 14028 on May 12, 2022, establishing new requirements for securing the software supply chain utilized by the federal government.
As directed by the EO, the National Security Agency (NSA), Cybersecurity Infrastructure Security Agency (CISA) and Office of the Director of National Intelligence (ODNI) have published guidance to help developers create more secure software. The document outlines best practices for planning, designing and maintaining software from a security perspective.
Those federal agencies aren’t alone. The National Institute of Standards and Technology (NIST), along with the Linux Foundation and OpenSSF, have also published software supply chain guidance recently. The objective of these publications is to inform software developers, suppliers and buyers of the risks of software supply chain attacks and the role each plays in preventing them.
Combating Today’s Ransomware Attacks Requires a Multipronged Approach
Although the number of attacks declined in the first half of 2022, ransomware remains the most significant cybersecurity threat organizations face. In a recent SpyCloud survey of IT professionals in organizations with 500 or more employees, 90 percent said they had been affected by ransomware in the preceding 12 months. What’s more, 65 percent of these attacks successfully encrypted data, up from 54 percent the previous year. Many organizations suffer multiple attacks. The study found that 50 percent of organizations were attacked two to five times, 20 percent six to 10 times, and 7 percent 10 or more times. Smaller organizations with fewer than 1,000 employees were as likely to be affected as large enterprises.
The costs are substantial. Organizations paid an average of $1.4 million to remediate ransomware attacks, including mitigation and recovery costs, lost productivity and impact on customer-facing services. In a survey conducted by research firm Vanson Bourne, 90 percent of organizations said that a ransomware attack shut down their operations, and 86 percent said they lost revenue. A Censuswide study found that 37 percent of organizations had to lay off employees as a result of a ransomware attack.
Why the Zero Trust Model Is Essential in the Age of Remote Work
With millions of employees now accessing IT resources remotely, the corporate network perimeter has all but disappeared. That’s why the “zero trust” model has become an essential element of modern security. Zero trust is a system-wide cybersecurity strategy that assumes every user and device is a threat until their identity has been verified and access rights validated. Core zero-trust technologies include identity and access management (IAM), multifactor authentication, real-time user verification, device validation, privilege limitations and network segmentation.
It isn’t a particularly new concept — Forrester Research outlined a version of zero trust back in 2010. In fact, private-sector companies worldwide have been building zero-trust concepts into their core security fabric for some time. However, the mass transition to remote work has accelerated adoption. According to one recent study, 88 percent of senior security executives now consider zero trust a business imperative. Gartner has projected that spending on zero trust will reach almost $900 million in 2022 and exceed $2 billion by 2026.
Tool Sprawl May Be Hindering Your Security Efforts
In his 2004 book “The Paradox of Choice: Why More is Less,” psychologist Barry Schwartz suggests that an overabundance of choice contributes to anxiety, dissatisfaction and regret by setting us up for unrealistic expectations. With so many choices, he theorizes, we will invariably second-guess any selection we make.
Recent research suggests cybersecurity professionals are experiencing a similar phenomenon. In a recent survey by LogRhythm, more than 90 percent of security professionals said they lack the tools they need to detect known threats and close security gaps. However, 68 percent also admitted their organization has deployed redundant security tools, with most suggesting this overlap results from poor strategic oversight.
How to Maximize the Value of Penetration Testing
2022 is shaping up as a potentially grim year for cybersecurity due to a combination of factors, including the inherent risks of remote working, the chronic shortage of IT security professionals and the spread of increasingly sophisticated threats. As such, all organizations should conduct regular network penetration tests to identify and correct any weaknesses that cybercriminals could exploit. A penetration test, or pen test, is an ethical hacking exercise in which security professionals launch simulated cyberattacks to assess technical, operational and physical security measures. The industry consensus is that organizations should conduct pen tests at least once a year, although additional tests should be run whenever there are significant changes to the IT infrastructure.
Pen testing provides valuable insight into your security posture — if done properly. However, testing can also create network performance issues and business disruptions. Because testers use the same techniques and tools employed by criminal hackers, the process can slow down the network, crash servers, corrupt files or expose data. Few organizations have the resources to conduct their own pen tests. Up-to-date, professional-grade scanning tools require a substantial investment for something that's used only occasionally. More significantly, organizations lack adequate staff to conduct comprehensive tests, evaluate the results and write reports.
Understanding the Difference between PIM and PAM and Why You Need Both
Cloud computing has turned IT management on its head in multiple ways. Users have the power to procure and use cloud resources without the involvement of IT. In light of that, users have a greater need for privileged access to those resources, increasing the complexity of managing privileged accounts.
A privileged account allows the user to take administrator-level action, such as changing systems settings and permissions, adding users, and downloading software. Because of the power afforded to privileged accounts, they demand greater security than regular accounts. Many of the most notorious cyberattacks were executed through the successful exploitation of privileged accounts.
Any organization seeking to improve the security of its privileged accounts will quickly run into a couple of acronyms — PIM (privileged identity management) and PAM (privileged access management). The two terms are closely related and often used interchangeably, but there are distinct differences.
Today’s Complex Supply Chains Bring Security and Compliance Risks
In a global economy, businesses are highly dependent on goods and services moving through a complex supply chain of international participants. Bringing a product to market involves intricate relationships with hundreds or even thousands of “links” in the chain, including third-party vendors, producers, suppliers, subcontractors and distributors. One glitch along the way can create big trouble.
Cybersecurity and compliance risks are a growing problem. To achieve operational efficiencies, organizations are giving supply chain partners access to their systems, applications and data. If a partner does not maintain strong security, such access can lead to a security breach that has a cascading effect throughout the supply chain. In a recent Forrester study, 55 percent of cybersecurity professionals said their organization had experienced a security incident involving a supply chain partner in the preceding 12 months.
Despite the stakes, a new study by Refinitiv suggests that many companies are doing very little to reduce risk from their supply chain partners. The study found that multinational corporations have, on average, almost 10,000 third-party relationships, but almost half of those are not subject to any form of due diligence. The study also found that most companies don’t know if any of their third-party partners are outsourcing work to someone outside the supply chain.
Growing SaaS Usage Creates Management, Security and Compliance Challenges
Software-as-a-Service (SaaS) has long been the most popular cloud computing model. It enables organizations to eliminate the cost and headaches of implementing and managing applications on premises. SaaS also increases productivity and flexibility, and allows organizations to take advantage of solutions they might otherwise be unable to afford.
The rise of remote and hybrid work models has revealed another advantage — SaaS makes it easier for employees to access applications and data from anywhere. According to a report from Blissfully, average per-company spending on SaaS increased 50 percent in 2020 compared to 2018.
Despite the proven benefits of SaaS, it comes with undeniable IT management challenges. SaaS upended traditional procurement practices, giving users the power to acquire applications and services without IT’s involvement. Users may turn to SaaS to fill gaps left by company-approved applications, or deviate from corporate standards because they prefer a particular SaaS platform. Either way, this shadow IT environment creates security and compliance risks.
Improve Application Resilience with Distributed Cloud Services
Redundancy is the linchpin of resilience. Organizations commonly implement redundant IT infrastructure to ensure the availability of applications in the event of hardware failure or network outage. The same principles apply to cloud applications. Although public cloud services are highly reliable, major cloud providers have had recent service interruptions lasting several hours or more, such as the Amazon Web Services (AWS) outage in December 2021. In that event, several web service providers that run their applications in the AWS cloud experienced service interruptions.
A multi-hour outage could be devastating to an organization that cannot afford any downtime, with limited compensation from the service provider. Cloud providers’ service-level agreements (SLAs) typically apply to their services, not their customers’ applications. Distributing cloud applications across multiple virtual machines (VMs), availability zones or regions can reduce the risk of downtime in the event of a service provider outage. There are multiple ways to design a distributed cloud service, with varying costs and levels of protection.
How to Give Software Developers Flexibility without Creating Security Risks
There has long been a tug of war between software developers and IT security. Developers want the freedom to download and run whatever applications they want. IT teams are concerned with ensuring that systems are secure.
A lot of organizations walk a fine line between locking down developer machines in the name of security and making it too difficult for developers to get the tools they need. They also question how they can give developers that flexibility without affecting their ability to get their code to function in a production-like environment where those security controls are in place.
Organizations can eliminate this dichotomy using local virtual machine instances that give developers flexibility while locking down the operating system they use on a day-to-day basis. Developers can download and use software without having to worry about compromising the security of the rest of the IT environment. The virtual machines can also encapsulate a developer environment that closely matches the build specifications for production systems.
FBI and MI5 Warn Businesses of the Extreme Threat of Chinese Hacking
On July 6, the heads of the FBI and MI5 issued an unprecedented joint statement about the threat of corporate espionage, intellectual property theft and election tampering from China. FBI Director Christopher Wray said that Chinese government-backed cybercrime “poses the biggest long-term threat” to the economic and national security of the U.S., U.K. and their allies. According to Wray, China’s hacking activities are “bigger than that of every other major country combined.” He warned business leaders that China is “set on stealing your technology.”
The U.S. and U.K. security agencies are doubling their efforts to combat Chinese cybercrime. Businesses should do the same. As we noted in a previous article, data loss prevention tools (DLP) can help reduce the risk of sensitive information falling into the wrong hands. Organizations also need security controls that can distinguish nefarious activities from normal user activities.
Don’t Forget the Little Things in Your Cybersecurity Strategy
Most organizations get the big things right when it comes to security. They are really good at securing the perimeter and patching the major security holes. They understand what they need to do to keep critical systems and applications secure.
Problems often arise with the little things in the environment — small applications that weren’t intended for production or components that are added to the network but don’t meet enterprise security standards. The little things create gaps and leave weaknesses that give hackers a foothold that enables them to go after the bigger systems and applications.
How to Determine If Your Outsourcing Partner Is the Best Fit for the Job
Organizations are outsourcing many business functions, from recruiting to purchasing to legal and compliance processes. In today’s tight job market, outsourcing can be an effective way to gain needed skills while allowing existing staff to focus on core business functions.
IT has long been a target for outsourcing, for multiple reasons. Many organizations consider it an essential but non-core function, and lack the in-house expertise to handle it effectively. The persistent and growing IT skills gap has added greater impetus to the outsourcing trend.
Outsourcing isn’t always cost-effective, however. Many organizations choose their outsourcing agency based on the lowest dollar amount. That doesn’t mean it’s going to cost less to get the work done. An organization may be able to hire three junior-level individuals for the same rate as one senior person, but it ends up taking more staff hours to accomplish the same work. Over time, it costs more and takes longer to complete projects.
The same thing happens with outsourcing. Just because a company has an aggressive bill rate doesn’t mean that the people there will be effective at meeting company objectives.
Good Security Gives Users the Flexibility Needed to Get Their Jobs Done
Every user needs access to technology tools and resources to do their jobs. However, organizations must restrict access to IT resources to reduce the risk of security incidents. When security is prioritized over access, productivity suffers. Users start looking for workarounds to get their jobs done.
The problem is particularly acute among technical teams. According to a recent survey of IT professionals conducted by Pollfish, 57 percent of organizations require days or weeks to grant access to IT resources. Technical staff reported daily or weekly work interruptions due to access issues in 64 percent of organizations. To overcome these productivity drains, technical users resorted to workarounds such as maintaining backdoor access to systems (55 percent), sharing credentials (53 percent) and using shadow IT tools (42 percent).
However, good security is agnostic, giving employees the flexibility to use the devices and tools that make them most comfortable and productive. There isn’t any reason why an organization can’t support Windows PCs, Macs, Linux-based desktops and other devices that users are familiar with. Properly defined policies and controls should allow users to install the software they need without being given administrator privileges over their systems.
Understanding the Costs and Risks of Maintaining Legacy Applications
Application modernization is a top priority of organizations looking to streamline business processes, enhance the user experience and move more workloads to the cloud. Many organizations have business-critical software that has been used for decades, and dedicate as much as 70 percent of their IT budgets to supporting these applications.
But some organizations remain hesitant to replace legacy software that’s still getting the job done. Often they’re concerned about the costs and business risks of upgrades, or simply don’t realize the extent to which the old apps are holding them back.
Here’s a look at some of the major drawbacks of maintaining legacy applications.
To Buy or Build Software? That’s Not the First Question to Ask
Today’s economy is driven by software, with businesses constantly using applications for a wide range of tasks and processes. One recent survey found that the average knowledge worker uses 9.4 apps in a given day.
The cloud has accelerated application adoption. According to a Productiv study of Software-as-a-Service (SaaS), the typical department has 40 to 60 applications, with most companies averaging more than 200 apps. A report by the Cloud Security Alliance found that the average enterprise runs more than 464 custom apps, and that number is growing rapidly.
However, user engagement with these apps tends to be low. The Productiv study found that just 45 percent of users actually engage with apps at the feature level. Research by Blissfully revealed that nearly 75 percent of organizations with 100 or more employees have “orphaned” SaaS tools with no billing owner.
Why Open Source Software May Not Be Right for Your Environment
Many organizations see tremendous value in open source software. Most open source solutions are available for free download, and organizations can customize the source code to meet specific needs. Because open source licensing schemes generally prohibit the addition of proprietary components, organizations are freed from vendor lock-in.
Open source software licenses encourage users to copy, redistribute and make improvements to the code, fostering a “community” paradigm that encourages voluntary contributions. The goal of this cooperative movement is to reduce costs, speed the cycle of new releases and enhancements, and encourage innovation.
However, that model is also the downside of open source. Software needs to be audited and thoroughly tested to ensure that it’s secure, but the open source community generally doesn't do it. Nobody enjoys that kind of work, and nobody's getting paid to do it. Organizations that use open source software end up transferring the cost and burden of that effort onto their IT teams.
Why Policies Are an Essential Part of Any BYOD Strategy
Most people think of cybersecurity as locking users out of particular systems or keeping them away from certain types of data. But truly good security is more about enabling users to work where and how they want, and accomplish tasks seamlessly and efficiently.
This typically involves allowing employees to bring their own devices into the workplace and use them while mobile or remote. The right security tools and processes help ensure that organizations maintain compliance and control over their data while giving users the freedom and flexibility that comes with BYOD.
However, an effective BYOD strategy requires more than security tools. Organizations need to establish policies and procedures to ensure that employees are using their devices effectively. The right policies address not only security and compliance but a number of legal and human resources issues.
Data Loss Prevention Helps Keep Sensitive Data Out of the Wrong Hands
IT security systems are designed to prevent malicious outsiders from invading the network. However, these systems generally do little to keep data inside the network. After all, employees, contractors, suppliers, partners and even customers need ready access to data in order to keep the organization running smoothly. Preventing that access would cause operations to grind to a halt.
The loss of sensitive data can be extremely costly, however. Negligent users can create data loss risks by emailing files to their personal accounts or copying them to a thumb drive or consumer-grade cloud storage. These types of risky behaviors have become more prevalent in the age of remote work and mobility.
Malicious insiders can also steal data for corporate espionage or personal gain. A well-established organization is going to be difficult to hack. It’s a lot easier for competitors or opportunists to send in individuals to obtain jobs that allow them to access the data.
Does Your Organization Have the Tools to Detect If It’s Been Hacked?
On average, it takes organizations 212 days to identify a security breach and 75 days to contain it, according to the 2021 Cost of a Data Breach Report by the Ponemon Institute and IBM. Breaches that took more than 200 days to identify and contain cost 35 percent more than those that were contained in less than 200 days.
Note that 287 total days is the average. Breaches involving compromised credentials took 250 days to identify and 91 days to contain.
A hacker can live inside an organization’s IT environment for months without being detected. Unless the hacker makes a mistake or takes aggressive action — accidentally damages a system or intentionally makes something inoperable — they can simply stay quiet and continue to exfiltrate data.
However, the hacker typically leaves a backdoor open so that they can come and go. What often happens is that another hacker will find that door and try to hold the company hostage.
6 Advanced Techniques for Reducing the Cloud Spend
In our last article, “6 Tips for Getting Your Cloud Spend Under Control,” we discussed six basic tips for getting the cloud spend under control. Here are six more advanced techniques.
6 Tips for Getting Your Cloud Spend Under Control
Managing the cloud spend is a top challenge for 81 percent of organizations, according to the Flexera 2022 State of the Cloud Report. Survey respondents said that their public cloud spend exceeded budget by 13 percent on average, and estimated that 32 percent of their cloud spend is wasted. However, organizations tend to underestimate the amount of waste and fail to take advantage of tools and techniques that can optimize costs.
Every Organization that Uses the Cloud Has a Hybrid, Multi-Cloud Environment
Clouds may seem isolated, but in reality they are just a component part of the extended IT infrastructure. Treating them as distinct entities only creates headaches and risk.
Even organizations that have standardized on a single cloud technology stack have a hybrid, multi-cloud environment. The cloud provider still needs to interact with endpoints, and has its own techniques for managing those endpoints at scale. The cloud software that manages those endpoints is separate from the software that manages the server side of the environment. However, few organizations take full advantage of the tools at their disposal, and attempt to manage endpoints and user identities with traditional on-premises tools.
Security depends on the ability to determine what endpoint is in the user’s hand and manage it in the same way as the cloud. That’s why organizations invest in mobile device management (MDM) solutions — IT needs the ability to configure any settings on endpoint devices with the same ease that they manage cloud resources. However, a traditional MDM solution separates the management of endpoint devices from the management of cloud servers. It works for the most part but results in an unnecessarily complex environment that leaves security gaps.
Organizations Are Storing More Data that Triggers Regulatory Requirements
Most organizations understand their regulatory compliance obligations with regard to data security and privacy. Or do they?
Two key trends are complicating compliance: laws and regulations are becoming more numerous and complex, and organizations are storing more data than ever. For example, organizations that have COVID-19 vaccination requirements are storing information on their employees’ vaccine status. In other words, organizations outside the healthcare industry are storing personal health data that must be kept private and secure. The HR department is often a treasure trove of information, including Social Security Numbers, insurance coverage, 401(k) and retirement funds, and more. The payroll department has salary, bank account and tax information. A data breach affecting any of these data stores would be devastating. A data breach that exposed data across the enterprise would be cataclysmic. In addition to the cost and business disruption of the breach and the impact on productivity and morale, the organization could be facing stiff fines and other penalties due to regulatory compliance violations.
The Value of HITRUST Certification in HIPAA Compliance
The rise of electronic health records (EHRs) means that healthcare organizations are collecting, storing, and sharing more data than ever before. That data is very valuable to cybercriminals.
Experts say that a full medical record can sell on the black market for as much as $1,000 due to the amount of identity data involved. Medical identity theft can take months or even years to detect, giving criminals ample opportunity to file fraudulent insurance claims and obtain drugs and medical devices to sell.
Effective Security Starts with Understanding Potential Attack Vectors
According to a March 8, 2022, report, analysts at Armis Research Labs discovered three vulnerabilities in uninterruptible power supplies (UPSs) that could allow attackers to take down critical infrastructure. The security flaws, collectively dubbed TLStorm, could enable remote code execution, allowing a hacker to execute a ransomware attack or steal data. The attacker could potentially take over the device, disrupt the power supplied to equipment, and even cause a fire hazard.
Why Regulatory Compliance Needs to Be a Continuous Process
The EU’s General Data Protection Regulation (GDPR). Sarbanes-Oxley. The Health Insurance Portability and Accountability Act (HIPAA). Gramm-Leach-Bliley. The Payment Card Industry Data Security Standard (PCI DSS). These are just a few of the regulations that include stringent requirements for IT security and data protection. Covered organizations must comply with these regulations or face penalties in the event of a security breach.
Misaligned Processes and Toolsets Are Hampering DevOps Initiatives
DevOps has seen widespread adoption in recent years as organizations seek to accelerate technological innovation. The DevOps model integrates software development and system operations skill sets, enabling these teams to become more agile and customer-focused. It incorporates a set of practices and highly automated tools to accelerate application development and provide for the continuous delivery of high-quality software.
DevSecOps Can Help You Balance Security and Efficiency
Recognizing the need for faster, more automated development-to-production processes, almost 75% of organizations have adopted DevOps practices. Yet, security remains a significant gap.
In a 2021 Osterman Research study, just 56% of security professionals felt confident that their development and engineering teams could develop secure applications. Most organizations understand the importance of addressing security early in the software development lifecycle (SDLC). Nevertheless, security is still “bolted on” to application development projects due to cultural, training, and resource gaps.
Survey respondents expressed a desire to “shift left” and integrate security into every phase of the SDLC. However, only 42% of security practitioners said they had the time to address known security issues. Only 50% of front-line security pros and just 27% of front-line developers felt that application security is a critical part of their responsibilities. Not surprisingly, 81% of developers admitted to knowingly releasing vulnerable code.
Why Data Should Be Part of IT Asset Management
When most IT shops look at asset management, they’re thinking about managing the physical equipment. They track when the equipment was purchased, where it was deployed in the organization, and any associated maintenance agreements. Some organizations also track software licenses as part of their asset management program.
Data is seldom part of the equation. Although data is the new “digital currency,” the most valuable IT asset an organization owns, few organizations track it properly. They don’t really understand how they’re ingesting data, what systems it passes through, where it is stored, and who can access it. When something goes wrong — a data leak or network intrusion — they don’t know what data assets are at risk.
Every organization should have procedures and tools for tracking data assets, particularly when it comes to personally identifiable information, credit card data, and other sensitive records. Data asset management helps organizations protect and secure this data, meet regulatory compliance requirements, and dramatically reduce business risk.
If you’re in need of assistance with your IT asset management, DeSeMa can help! We offer years of experience and can provide you with the tools and resources needed to keep your company data safe. Continue reading to learn more, and give us a call to get started!
Chief Information Security Officer: The IT Security Exec You Can’t Live Without
Cybersecurity Ventures estimates that cybercrime cost $6 trillion globally in 2021, making it more profitable than the combined global trade in illegal drugs. Because much of the impact falls directly on businesses, it is one of the most significant threats organizations face. In a recent McKinsey survey of boards of directors, respondents said cybersecurity is one of their top four priorities. However, the same study found that only 20% of directors rank security among their key challenges. This disconnect comes, in part, from the persistent notion that security is an IT issue. Organizations need executive-level leadership to help translate security concerns into business risks.
Who’s Paying Your IT Consultant?
When you engage an IT consultant or solution architect, one of the first questions you should ask is how that person is being compensated. The same goes for the engineers who implement the solution. The answer may surprise you.
Poor Security Increases Cloud Costs by as Much as 3X. Here’s Why...
In our last post, we covered some of the ongoing costs of poor cybersecurity practices. Organizations with inadequate security often suffer from network performance problems and have increased IT staffing needs due to improperly tuned security tools. Inflexible security environments limit remote work and data sharing with partners and suppliers. Inadequate security also creates a roadblock to digital transformation initiatives.
Those indirect costs can be difficult to measure. However, organizations can easily justify security improvements by looking at the impact on their cloud budget.
Inadequate Security Comes with Significant Ongoing Costs to the Business
The cost of a security breach is well documented, but it’s only one of the financial consequences of inadequate security. Poor security practices can have effects that resonate across the organization and impact the top and bottom lines.
At DeSeMa, we’re proud to offer expert IT security services to ensure that your business’s security performance is up to date and can protect your data the way it should. Learn more about the consequences of poor IT security below, and reach out to our team to see how we can help today!
The Value of Partnering with an IT Consultancy, and How to Hire the Right Firm
The COVID-19 pandemic has spurred the Great Resignation, with millions of people leaving their jobs. According to Harvard Business Review, resignations have been highest among mid-career workers between 30 and 45 years old. The tech industry has been hit particularly hard, with turnover increasing 4.5% year-over-year in 2021. In a recent Robert Half International survey, about one-third of tech professionals said they were looking for new jobs.
Debunking 5 Myths About Endpoint Security
Most organizations recognize the critical importance of endpoint security. In a recent Ponemon Institute study, 68% of respondents said their organization had been compromised by at least one endpoint attack during the preceding 12 months. The average cost of a successful attack, including lost productivity and theft of information assets, was almost $9 million. Almost three-fourths (73%) of respondents said that new and unknown endpoint threats have increased significantly. On average, 80% of successful breaches are “zero-day” attacks, exploiting unknown vulnerabilities or new malware variants. More than half (51%) of respondents say their organization is ineffective at detecting and blocking these attacks.
Endpoint security involves protecting devices that access the network from malicious attacks and risky user behavior. Although it sounds straightforward in theory, many organizations struggle to effectively secure these points of entry against internal and external threats. Common misconceptions are putting many organizations at risk of a costly and disruptive endpoint attack.
In this post, we will discuss five myths about endpoint security to give you a better understanding of what it does and how it can protect your company. If you have any questions or you would like to learn more about endpoint security, don’t hesitate to reach out to our team at DeSeMa!
The Log4j Vulnerability Shows Why Asset Management Is Vital to Cybersecurity
In November 2021, security researchers noted a zero-day exploit affecting the Java version of the Minecraft video game. Hackers could execute malicious code by manipulating Minecraft log files — simply by typing things in a chat box. When it became apparent that the vulnerability was in a utility called log4j, the cybersecurity community became alarmed. Log4j is open source code that handles logging functions in countless Java-based applications. Developers use utilities like log4j so they don’t have to write code to handle log files. The log4j utility is maintained as part of the Apache Logging Services Project and available at no charge to the public.
Because log4j is designed to log a wide range of events, from system errors to messages sent and received by users, hackers figured out that they could trick it into logging specially crafted character strings. This makes systems vulnerable to remote code execution, in which an attacker installs malware to compromise the machine. Since the initial flaw was found, several more have been reported, and security researchers have seen attackers searching the internet for vulnerable machines.
If you are worried about log4j vulnerability or other IT security issues, our team at DeSeMa can help! Our experts have years of experience, and we can provide you with advice and guidance on how to keep your data secured. Continue reading to learn more about the log4j vulnerability, and reach out to our team to get started with your own security measures.
Data Integration Saves Time and Money While Maximizing the Value of SaaS
The average organization used 110 Software-as-a-Service (SaaS) applications in 2021, according to a new report from Statista. That’s 110 different places where data is entered, processed and stored. Generally, these standalone applications don’t talk to one another, so users end up having to repeat data entry in multiple systems. Manual data re-entry wastes time and increases the risk of errors and inconsistencies. Without a “single version of the truth,” users don’t always have access to the most recent data. Security and data protection become more difficult and comprehensive reporting next to impossible. These complexities also make it challenging to meet data privacy mandates and regulatory compliance requirements.
Data integration can relieve these headaches. It involves the use of software “hooks” into SaaS applications that enable data to be replicated and shared among them automatically.
Making IT More Cost-Effective, Efficient, and Secure
DeSeMa transforms complex IT environments into streamlined, highly secure systems. We make your IT assets work together more effectively to save money, increase operational efficiency, and reduce risk. Keep reading to learn about our expertise and the IT services we offer, and contact us today!
How to Reduce SIEM Noise and Respond More Effectively to Security Events
In principle, security information and event management (SIEM) sounds like the solution to the challenge of detecting cyber threats. SIEM collects log files and other security data from across the enterprise and stores it in a central database. The system then correlates and analyzes the data to identify abnormal patterns that could suggest a vulnerability, threat, or active incident.
SIEM unifies data from disparate systems and single-purpose security solutions that can only recognize and understand certain data types. All security data can be analyzed and cross-referenced from a single interface, enabling human IT analysts to make better decisions. Alerts and reports are generated automatically so that the IT team can respond quickly to anomalous conditions.