Not exactly. Cyberattacks are terrible and require the same dedication to overcome them as would any other disaster response effort. Just like natural disasters, cyberattacks cause millions of dollars in damage, disrupt infrastructure, and keep citizens from their daily lives. US cities like Baltimore, Allentown, and San Antonio have highlighted how cyberattacks are shifting how we think of disasters. Since May, Baltimore has been dealing with the cyberattack that shut down many of its services, and estimates put the current damage from the ransomware attack at over $18 million. The city’s mayor and city council president are now calling for the ransomware attack to be classified as a federal emergency, which would mark the first categorization of a cyberattack as a disaster that would require federal emergency assistance.
But should the cyberattack levelled against Baltimore be called a disaster? Baltimore believes that its situation merits the designation of “disaster” because the attacker or attackers used the EternalBlue exploit, a cyberweapon developed by the NSA, to enable the Robinhood ransomware attack carried out against the city (SmartCitiesWorld, “Baltimore Calls for Federal Emergency Declaration”). However, many cybersecurity experts have disputed the claim that the EternalBlue exploit was even part of the malware attack, as reported by cybersecurity journalist Brian Krebs (Krebs on Security, “Report: No ‘Eternal Blue’ Exploit Found in Baltimore City Ransomware”). Even if the exploit was part of the ransomware campaign, Microsoft released the fix for that flaw in its operating system two years ago, making it appear as if Baltimore is trying to shift blame and avoid questions over why its systems weren’t patched immediately upon learning of the vulnerability.
Furthermore, what constitutes a disaster is rather difficult to determine. If we’re talking about the sheer cost of damages, according to Yale’s School of Forestry and Environmental Disasters, natural disasters caused $160 billion in damage in 2018 (Yale Environment 360, “Natural Disasters Caused $160 Billion Dollars”). Compare that to ForgeRock’s recent estimation of the cost of data breaches for 2018, which calculated that the exposure of 2.8 billion consumer data records reached an estimated cost of $654 billion (ForgeRock, “U.S. Consumer Data Breach Report 2019”). ForgeRock bases its estimate on the Ponemon Institute’s method for calculating the cost of data breaches in 2018 by taking into account the direct, indirect, and opportunity costs associated with detection and escalation, notification costs, post data breach response, and lost business costs.
Other similar man-made disasters, like the 2017 California wildfire caused by Pacific Gas & Electric, might look similar to Baltimore because of the neglect to update critical infrastructure. In both cases, a disaster was caused by failures in both organizations’ infrastructure, which resulted in severe costs to citizens, organizations, and municipalities. Furthermore, just like natural disasters, cyberattacks are reaching a new level of complexity that challenges traditional response efforts to contain and mitigate their effects.
Although Baltimore’s case for disaster assistance remains unclear, its situation is far from uncommon. After the 2017 NotPetya attacks that hit Ukraine and then spread around the world, Mondelez International was hit with the ransomware, which ended up causing upwards of $100 million in damage to the company. When Mondelez filed an insurance claim for damages with Zurich American Insurance, because its all-risk property insurance policy covered both direct physical losses and indirect expenses from computer failures, its claim was rejected by Zurich because of an exception clause for “hostile or warlike action” that protects insurers from dealing with costs related to damage incurred from war (New York Times, “Big Companies Thought Insurance Covered a Cyberattack”).
Because the US government claimed that NotPetya originated from Russian attacks against Ukraine, insurance companies used this designation as an opportunity to wash their hands of one of the most significant cyberattacks in history. Mondelez, like other companies, has filed complaints against insurance companies, and many of these cases will not be decided for years. But without any clear definitions, companies and municipal governments are effectively collateral damage in cyberwarfare, leaving them at the mercy of more complex and unpredictable attacks.
Where do we go from here? Many organizations have a mix of current and legacy technologies in their system. An undated risk assessment report for Baltimore’s IT systems, for instance, warned that the city was using computer systems that “were a natural target for hackers and a path for more attacks in the system” (Baltimore Sun, “Baltimore’s Risk Assessment called a pair of aged city computer systems a ‘natural target for hackers'”). Failing to plan for how to deal with known vulnerabilities is planning to fail when those vulnerabilities lead to incidents.
If it’s a matter of finding resources, people, and technology to further mature security strategy, Baltimore could learn something from three UK councils that joined together under one Security Operations Center to improve efficiency, compliance, and security efforts (CSO Online, “Shared SIEM helps 3 UK local governments avoid outsourcing security”). Rather than outsource, which can be expensive and still not address underlying governance and process issues, combining resources allows smaller organizations to build what some have called Global Security Operations Centers (GSOC). Universities, for instance, have also taken this step, showing that there are use cases for this tactic beyond three small councils in the United Kingdom.
As the above shows, there are serious advantages for building up your own security operations, especially when governments and insurance companies are still trying to figure out what to do for cities like Baltimore or companies like Mondelez.
French philosopher Maurice Blanchot wrote “disaster ruins everything, all the while leaving everything intact.” What Blanchot means is that risk is inherent to the way that we live and the way that we operate our organizations. We need to stop thinking about disasters as hypotheticals, because risk is at the center of every decision, action, and endeavor we undertake. Security Operations treats risk as an everyday reality because it embraces risk as the guiding principle of security by never ignoring the risks that could lead to disaster. Take action, because your organization is ultimately accountable when disaster strikes.
Research by: Marc Mazur
Info-Tech Research Group
July 5, 2019
The Internet of Things (IoT) is increasingly embedded in our daily lives. Worldwide, we’ve seen an increase in the number of IoT devices to over 35 billion online devices. This includes cellphones, Wi-Fi accessible cars, televisions, fridges, and anything else that is connected to the internet. While these devices make life more accessible, for every new device, a new attack vector for cyberattackers is created.
Cybersecurity has become too costly for businesses to ignore. As a result, cybersecurity for many businesses has naturally become a top priority. By 2023, global spending on cybersecurity is expected to increase to over $157 billion – up from $60 billion in 2019. However, for each device that is added to the IoT sum, the number of potentially compromised users whose data or security has been breached also increases. Vulnerability management for devices and networks is a common approach to dealing with security breaches. Yet, for IoT devices, vulnerability management has yet to be standardized or implemented. A report from IoT Security Foundation found that over 86% of consumer IoT device manufacturers do not have any form of vulnerability reporting. This process needs to change soon.
While there are no standards for securing an IoT device, new recommendations for securing IoT devices are in the works. The US Department of Homeland Security (DHS) published recommendations for securing IoT devices back in 2016, but none of these recommendations have been made a requirement by law. The European Union is in the process of proposing international standards for governing IoT devices. Developed by the European Telecommunications Standards Institute (ETSI), these standards are intended to develop a foundational guideline for IoT cybersecurity. This includes security and data protection provisions for consumer IoT devices such as:
These standards will be implemented by law and will force other countries to consider their IoT standards. The UK and Australia are in the process of proposing the legal codification of IoT standards. John Moor, managing director of the IoT Security Foundation, argued that while “the proposed standards don’t all use the same language, they’re basically all describing the same things.” While adding connectivity to every device is convenient in some respects, these systems should remain intentionally air gapped. Often companies that produce cutting-edge technology do not stop to ask the basic question, “Can we still effectively secure this?” This subsequently leaves the end user vulnerable and in a precarious position, as the manufacturer generally claims no accountability in the event of a breach or data integrity being compromised.
IoT is slated to become increasingly integrated into our lives. While this degree of integration is expected, the standards for IoT must also expand in tandem with its growth. While most nations have preliminary IoT policies enacted, they often offer little more than a symbolic gesture. IoT has experienced a rapid expansion of connected devices, and the privacy policies and accountability have thus far been unable to keep pace with this growth.
For businesses, there has been a lack of accountability. For many IoT manufacturers, the approach has been to achieve the bare minimum so that they can simply “check the boxes”. For example, consumer-level IoT products are often produced at the lowest cost possible. As a result, security and vulnerability reporting functions take a back seat, as only the bare minimum is needed to be cleared for public consumption. IoT as an industry has experienced growing pains for the past couple of years, the consequences of which are now being felt.
Consider what IoT consists of: routers, printers, home speaker devices, televisions, and many more devices. Most of these devices only use the most basic of credentials for authentication and security. Even more troubling is that some of these IoT devices have no security protocols whatsoever. On the consumer side, most end users are unaware of the security features of their IoT products. Furthermore, manufacturers’ patching or vulnerability disclosure processes are inconsistent or nonexistent. These factors combined make IoT devices tantalizing for cyberattackers, and it is only a matter of time before these devices are attacked and repurposed.
The creation of vulnerability baseline policies in some countries is a step in the right direction and will force a discussion about vulnerability disclosures and IoT security. Arguably, IoT manufacturers should have included security measures and vulnerability disclosure policies with the initial inception of their products – not after the fact. However, because it was never asked of them, they either purposefully neglected these security measures or decided to never include them at all. If a manufacturer of IoT products is to continue in its production, we may see significant changes in the future. As of 2019, only 13.3% of IoT-producing companies have a disclosure policy in any form.
These preliminary discussions will pave the way for full-fledged legislation. As mentioned already, the European Union, the UK, and Australia are in the process of implementing standards for governance of IoT devices. These upcoming standards will force compliance for manufacturers down the line. While the US does have some recommendations in place for securing IoT devices, these are only recommendations, not compliance obligations, and as such do not extend to every state. Some states, like California and Oregon, have implemented standards requiring “reasonable security features” to be added to IoT devices. Manufacturers will be given additional standards in order to increase the security competency for themselves, as well as for clients. This should help rectify the fact that IoT devices are more susceptible to cyberattacks than other technology, in part due to their lack of standards.
Any use of IoT devices in businesses should be met with caution. Without the proper security basics, these products can become more of a liability than a business enabler. Be aware of what is on your network and ask yourself, “Is this technology secure enough to be on our network?” or alternatively, “Do we have the processes in place to secure it ourselves?” It is critical that manufacturers of IoT devices get on board with new regulations because whether with or without their approval, compliance regulations will be coming down the line.
Research by: Isaac Kinsella
Info-Tech Research Group
April 30, 2020
VMware and Citrix are promoting their flagship digital workspaces to CIOs as a way to improve employee engagement. If you implement them without stakeholder involvement, or adequate resourcing, it will backfire.
At Citrix’s industry analyst summit in 2018, the company unveiled a marketing shift. It is focusing on the CIO and positioning its Citrix Workspace, virtualization, and infrastructure offerings as tools that can improve employee engagement.
It was not surprising, then, to see the same at VMware’s End User Computing Industry Analyst Day 2019. The company in particular focused on how VMware Workspace ONE and VMware Horizon can improve the hiring and onboarding experiences.
A digital workspace is a platform that has security, device and app management, virtualization, and potentially other infrastructure and collaboration components built into it. Users can then interact with apps and data within that platform and the embedded security, management, etc. that has been built into it.
Citrix Workspace and VMware Workspace ONE incorporate application virtualization in order to theoretically support any app on any device. ZDNet suggests that platforms like Slack, Asana, and Office 365 can also be considered digital workspaces because of the vast number of apps that are listed in their respective app stores. BMC also offers a digital workspace.
This note focuses on Citrix and VMware as they have been advertising that their digital workspaces, along with the rest of their product portfolios, can improve employee engagement.
Both Citrix and VMware say their respective digital workspace apps and wider product portfolios can improve employee engagement by improving IT’s tools to enable a better hiring and onboarding experience, to scale business processes more easily, to apply security seamlessly, and to better support user choice.
These digital workspaces can reduce the time to fulfill requests. Citrix and VMware can integrate with ServiceNow to allow cross-product workflows for ITSM and ITAM processes. VMware Workspace ONE can also come preinstalled on Dell computers along with a set of applications, meaning that users don’t need to wait for gigabytes and gigabytes’ worth of files to download and install. Apps can be automatically provisioned to the end user’s devices using either solution. These features can allow new employees to be productive faster.
VMware and Citrix can scale workloads to various public clouds. This feature allows apps to better respond to increased demand. Both VMware and Citrix have strategic partnerships with Amazon AWS, Microsoft Azure, and Google Cloud Platform.
Both companies are powering threat management capabilities using artificial intelligence to identify suspicious behavior. Instead of locking out users who are either acting suspiciously or have unwittingly installed malicious software, the systems will auto-remediate by requiring reauthentication and/or performing a virus scan to remove malicious software.
Most importantly, employee choice is being championed by both. The workspace apps and any virtual or SaaS apps within the workspace provide the same user experience regardless of which device a user chooses. They can work productively on a Mac, Chromebook, or Windows PC, and the workspace app (along with the built-in UEM features) makes it easier for IT to manage the device. People can access ERP systems such as Workday and instant messaging or conferencing apps such as Slack, Cisco, and Asana on any device, anywhere.
Citrix and VMware also allow users to open files from and save files to Dropbox, Box, OneDrive, Google Drive, etc. IT can more easily support a variety of public storage options (and their business-oriented equivalents), allowing both users and business units to have more choice.
In order to truly take advantage of these advertised benefits, IT needs a strategy that is supported by the whole department and relevant business units. Infrastructure and Operations needs to work with Enterprise Apps teams. The Service Desk and Tier 2 support teams need training to ensure that Tier 3 can focus on projects that deliver business benefits. The digital workspace strategy will result in a program of projects, and these projects must be structured to enable early value. Most important, though, is organizational change management – mobile devices are incredibly personal to users (even corporately owned devices), and IT has to remember that.
Psychologists have known for a few years now that people are emotionally attached to their smartphones. As such, you need to ensure that you’re incorporating many organizational change management activities into your strategy. Involve users early and often, regardless of whether they’re using a corporate-issued device or a personally owned one.
Non-adoption and/or heavy-handed policies will have the opposite effect of the intended result. Employee engagement, and satisfaction with IT, will plummet. Effective organizational change management will ensure that your investment into a digital workspace app isn’t derailed by the very users you are trying to help.
The tool also must be easy to use. Only 50% of US adults have Level 3 computer skills – they can easily accomplish tasks that cross between apps, files, and web pages. Over a quarter have Level 2 skills – they can accomplish tasks that may have a slightly nebulous goal, that may involve going across two pages or apps – but almost 70% have Level 1 skills (able to use standard apps and accomplish tasks within one app), below Level 1, or can’t use a computer at all. As this chart shows, the rest of the world’s population is not much different.
Source: “Skills Matter: Further Results from the Survey of Adult Skills.” https://doi.org/10.1787/9789264258051-en OECD, 2016
Throughout this project, you will likely have to develop microapps that make it easy to perform various business processes. You definitely have to perform user acceptance testing and focus groups to ensure that the workspace is easy to use. Employee engagement will increase only if you go beyond the basic use cases of email and calendaring.
When we look at SoftwareReviews reports in the Enterprise Mobile Management category we see that customers of feature-rich EMM solutions (such as Citrix Endpoint Manager and VMware AirWatch) are less satisfied with their product than are customers of simple, point EMM solutions (e.g. Cisco Meraki) or tools that focus on managing one line of devices (e.g. Jamf Pro with Apple devices).
The more feature rich the device management tool, the more resourcing, training, and effort it will take to realize the tool’s potential. Reflecting on the data collected about Citrix and VMware in the SoftwareReviews EMM category, even large enterprises do not always seriously consider the resourcing required to implement and maintain these systems.
Source: SoftwareReviews Enterprise Mobile Management category. September 2018. https://www.softwarereviews.com/categories/enterprise-mobile-management
This theme carries over to Citrix’s and VMware’s digital workspace offerings. Citrix Workspace and VMware Workspace ONE are positioned as enterprise solutions because these customers can afford to invest in them. Midmarket IT departments can take advantage of these products – and the advertised benefits – so long as they devote the resources to a proper implementation project.
Building a digital workspace will involve the entire IT group. In order to support business processes in the workspace, you will need to involve your Enterprise Apps teams. In order to ensure that the environment is secure, you will need to involve your Cybersecurity teams. In order to ensure that the underlying IT infrastructure will support the workspace, your IT Infrastructure team needs to be involved. To ensure that the environment runs smoothly and can be maintained, you need to involve Operations.
You also need support from HR, Finance, Procurement, and Legal. HR has to be involved in your work surrounding hiring, onboarding, and offboarding. Any use cases that streamline IT asset management should involve the finance group. HR and Legal need to be involved in the policies that support the digital workspace. Legal and Procurement should help you review your existing contracts with software vendors and review any new contracts that are related to this initiative.
Several teams will need to work together in order to achieve the desired benefit of improved employee engagement.
When so many teams need to work together, and when the desired project goal is so nebulous, Agile is more suitable than Waterfall-style project management. The traditional Waterfall approach is to work in stages: completely gather the requirements, completely design the deliverables, completely build the solution, and then completely create the training materials. For projects where the requirements are not likely to change during the project, Waterfall tends to be a better approach.
This is not true for digital workspace projects (or programs of projects). Your requirements are likely to change throughout the project, and the available resources are likely to fluctuate (especially with operational staff). Therefore, an Agile approach is more likely to be successful. Perform requirements gathering, design, and execution in parallel. Develop functionality in iterations and incrementally, and plan to provide early value – allow users to start taking advantage of the features being built before the project is fully built.
Prioritize supporting user groups that are most closely aligned with business value and that are also friendly towards IT. Start with features that can be used by most users (e.g. mail, instant messaging) as well as features that are specific to the processes used by the prioritized user groups.
One key difference here is to gather only the high-level requirements that are necessary to start the project. It can be difficult to identify where that line is. Focus on gathering enough requirements to make the following decisions:
This should provide IT with enough information to come up with a high-level implementation roadmap. You will of course need to continue to gather more requirements throughout the project, but since those requirements will change, you do not want to make it a hard finish-to-start dependency.
These are complicated systems. Respondents do not think highly of these systems’ usability and IT administrator experience.
In order to harness the potential of these systems, Infrastructure leaders need to be able to focus on strategic project work – digitizing business processes, developing new functionality, etc. You need to devolve maintenance work to Tier 2 and incident resolution to Tier 1. Time that you spend working on patches and updates means lost time toward developing new functionality.
Digital workspace apps can help IT become seen as a strategic partner by improving employee engagement. If you don’t properly resource the project and plan your strategy, however, it can completely backfire.
Research by: Ken Weston
Info-Tech Research Group
July 5, 2019
What is changing in the HR technology space as a result of COVID-19? Some organizations are seeing an uptick in interest and customer support, while others are providing free access to their product.
According to the HCM Technology Report, some HR technology companies have seen an increase in needed support and/or interest in their product. For example, LMS-focused business Docebo has seen a surge of customer calls. This could be a result of an increased interest in trainings and learning courses to train employees on new skills, as a result of the pandemic. HCM Technology Report also mentioned that a virtual recruiting technology company saw surges in call support as organizations must now complete interviews online. This may change depending on the economic outcome of the outbreak.
Select HR technology companies are offering free access to their product for a limited time. HR Executive reported that Grokker, ThinkHR, and HR Acuity are all making services available for free.
Grokker, which provides health and well-being online videos, had given free access from March 2020 until April 30, 2020. This could be helpful for employees while working in isolation and living through the impacts of COVID-19.
ThinkHR has been providing up-to-date information regarding COVID-19. It is providing open access to some of its content based on the overwhelming need for support. The most common topics discussed are related to employee health and pay as well as workforce planning for the future.
HR Acuity is providing free services specifically related to employee relations and workforce management. Its product focuses heavily on various documentation such as performance management, sick leave, etc. Due to mass employee populations working from home and needing to track work, this type of product could be highly important for organizations.
The success of HR technology companies will depend on their ability to support HR departments (and entire organizations) during the pandemic and next few months. The major topics HR professionals are concerned about must be addressed by the HR vendor or the buyers may seek a new technology solution that can better assist in the new age of working.
Research by: Rebecca Factor
Info-Tech Research Group
March 29, 2020
COVID-19 has changed a great deal about how businesses operate. From a security perspective, however, COVID-19 caught many businesses off guard. The shift from working in the office to working from home has made it difficult for security measures to keep pace. Specifically, how are businesses meant to maintain the same secure networks when their employees are no longer working in the office? Outside of the security of the IT departments, IT and security have a tough time ensuring that patching and vulnerability management remain at the forefront of a business’s priorities.
Supporting employees who are working from home presents a number of new security challenges. The main issue centers on the fact that employees are no longer working under the umbrella of their workplace’s security network, which has increased safety measures and scheduled updates and patches. Vulnerability management and patch management become increasingly difficult to secure effectively when you consider the role of VPNs, BYOD, and cloud services. As we move to the new normal, businesses will have to adjust as the current work-from-home environment is here to stay. If anything, COVID-19 has proven that many businesses can effectively operate outside of the office, and as such, these are new security issues that business and IT leaders will have to consider while maintaining the same operational capacity.
The challenges listed will each have to be dealt with as we shift to the new normal. Consider how the work-from-home (WFH) status quo will change the use of VPNs and remote security. Patching solutions already have limitations when it comes to remote patching; even Windows is not immune to the problem. VPNs still must communicate with on-premises infrastructure to remain updated and unified. As a result, IT teams will have to spend additional time restructuring an enterprise’s VPN network to accommodate all of the additional VPN traffic on the network to ensure that WFH employees remain up to date in their patching and to manage any vulnerabilities.
Subsequently, the increased traffic has the potential to overload underprepared networks, creating lag or downtime for employees trying to connect remotely. Enterprises seeking to accommodate VPN usage could make allowances for individuals’ devices to directly download from Windows to increase bandwidth; however, in doing so, IT departments will lose more control over the security of their networks and patching visibility. IT departments will need to decide on restructuring their VPN to accommodate additional traffic or forgo this to maintain their patching cadence.
Another new consideration with the work from home environment is the increased introduction of personal devices and a shift toward bring your own device (BYOD). Again, businesses that were not set up for the increase in WFH may now be experiencing a shift to having a multitude of potentially unsecured devices. While workplaces have adapted to BYOD, the majority have not adopted it. Furthermore, making this transition in a short period is difficult almost to the point of it being unmanageable. Enterprises must now cope with having corporate data accessed from unsecured devices. Security teams will need to consider how they can ensure patching fidelity on these devices without having direct oversight into the process.
Businesses should consider implementing hybrid-based cloud patch management solutions. This can help to ensure that people who are working from home can still report regularly to their on-premises network. Cloud services allow for continual updates and results, but this relies heavily upon your relationship with your vendors. This solves one of the problems with VPNs in addressing network bandwidth and thoroughfare. It is also promising that many vendors have increased their offerings of BYOD considerations and licenses to maintain security and compliance during the pandemic.
Understandably, many businesses’ primary focus is simply staying afloat during COVID-19, and as such, they are unable to restructure aspects of their IT processes. Hybrid and cloud support are excellent ways to alter your business processes without a major overhaul. Because we’re still unsure how long the pandemic will persist, security and IT should aim to support all offsite systems. Patching is a foundational aspect of business security, but it is not the only aspect. A layered security approach is best, especially in a remote work environment where security threats can come from a myriad of new vectors. Use a full toolkit of security options including vulnerability management options, privileged access management, application whitelisting, regular back-ups, education & training, multi-factor authentication, etc.
Remote environments and work from home will change how business takes shape moving forward. COVID-19 has proven that many businesses can still operate effectively in a remote environment. Security and IT should continually work to maintain these new connections to the best of their abilities and to maintain some form of patching cadence, even with remote work. With a hybrid approach to security and cloud-based patching options, work from home will remain a viable option, likely stretching beyond COVID-19 to enforce new security and IT considerations within businesses.
Research by: Isaac Kinsella
Info-Tech Research Group
July 10, 2020