The Imminent Death And Rebirth Of Cyber Insurance

For insurance companies, it is important to predict all possible outcomes within their realm of protective services. This is not the path cyber insurance has followed, making it somewhat unreliable.  The following piece, The Imminent Death and Rebirth Of Cyber Insurance, from Ntirety CEO Emil Sayegh was originally published in Forbes. 

 We wake up every day to a pattern of record ransoms being paid as well as record increases in cyber-insurance cost. The Bloomington School District in Illinois published its cyber-insurance renewal costs and reported a whopping 334% increase in premiums. Faced with challenges, it is common knowledge that businesses must continually evolve due to circumstances such as opportunity, missions, and risks. The cyber insurance industry is no different. In this climate of record ransoms and cyber incidents, these challenges are creating a shift in insurance market conditions signaling that cyber insurance will fade towards demise as we know it. While this seems like a bad thing, there is a silver lining in all this. 

 Mounting Ransom Costs 

We are living in the greatest period of data vulnerability in history. There are risks everywhere, all of which carry significant financial burdens including ransomware, downtime, compliance fines, and data loss. The global pandemic opened opportunities for threat actors to escalate their attacks and seize, causing dramatic increases in ransomware attacks alone. Amid the shifting security haze of 2020, the consumer GPS company Garmin paid a significant $10 million in ransom and the tales of ever-increasing ransoms go on. While the average cost of a data breach now hovers around $4.24 million, organizations routinely find their insurance only covers about 40 percent of the costs incurred due to a cyber incident.  

 The Trend was Not a Friend  

Cyber insurance is built on the careful analysis and management of risks in a present-day environment. It is unimaginable to think of a scenario where the cyber insurance industry is not challenged by the rising challenges and costs of cyber-crime now. Reported cyber losses continually reach into figures in the billions of dollars. Each month is a record now. Meanwhile, the historical loss data continues to shift according to changes and escalation of risks. There is a palpable element of unpredictability that does not work well for the cyber insurance market and those looking for coverage.  

One can reasonably wonder how the cyber insurance industry got this wrong. How did they miss this trend? After all, insurance relies on heavy predictive analytics based on historical data. Sadly, in this case, the historical trend was far from predictive. The calculus was based on historical patterns of small-time hackers or lone wolves looking to get a quick hack of a hit. However, in the last two years, all of this has changed at such a pace, that the cyber insurance industry was caught ill-prepared. What is now driving the acceleration of costs, attack volume, and social engineering are nation-state threat groups. These new hacker groups are incredibly well organized. Organizations of cybercriminals from around the world who are demonstrably sponsored or ignored by their respective governments. What this means is that in addition to financial gain to sustain their operations, the disruption of the target’s operations is also their constant and perhaps primary goal. Attacks on infrastructure, military, and business entities have been continually associated with outside countries, such as the SolarWinds attack discovered in 2020.  

One way of looking at this tells the tale of a dying industry, slammed by rising challenges and costs and a lack of interest to back cyber liabilities. For example, it is easy to draw a line between ransomware-related claims and capacity throughout the industry. As it stands, just a small sample of losses within the industry could quickly wipe out the premiums collected well ahead of time. This is classified as unbearable risk within the pool and in insurance terms, losses are not acceptable.  

 Indemnification and Comprehensive Security to the Rescue 

In addition to the array of risks, one must now consider whether the state of cyber insurance constitutes an additional risk to the organization. The stakes are high and legal conditions abound. New coverage and rising renewal rates are a major concern. Premiums are rising by 10 to 20 fold, and that is if a renewal is even available. Enterprises are left exposed, or have to pay exorbitant premiums. The answer lies in going back to the fundamentals of minimizing heavy reliance on cyber insurance through a comprehensive security framework. Comprehensive security frameworks provide better security outcomes and a better posture for the insured. Furthermore, enterprises can leverage the indemnification provided by their cybersecurity provider in lieu of getting their own cyber insurance coverage. However, in order to do that, organizations need to embrace a comprehensive security approach. There is no wiggle room on that. 

Comprehensive security approaches can manifest through full spectrum security programs that provide protection, recovery, and assurance services that minimize risks. 

  • Protecting data means protecting data everywhere, all the time— including the perimeter, malware detection, finding threats, ensuring encryption and access. 
  • The benefits of recovery include virtualized and ready-access redundancy/restoration of systems that are available in any type of disaster including a breach. 
  • Building out an assurance program means life cycle assessments of security, compliance, logging, and the integrity of compliance within a given environment. 

In a challenging threat and cyber-insurance environment, comprehensive security augments risk aversion and minimizes reliance on more stringent insurance scenarios. 

 A New Dawn for Cyber Insurance 

Cyber insurance has and will adapt to these conditions, and we will see this evolution include demands for improved cyber-hygiene and exclusions that will shield insurance companies from providing coverage when the insured fails to maintain high security standards. We see that in the home insurance industry when security alarms actually reduce the premiums. Similarly, the cyber insurance industry, while nascent, will mature. It has just emerged from two years of nightmare losses and a risk climate that was hard for them to anticipate. You can expect specific adaptations ahead and an emphasis towards better education and improved cybersecurity practices. The rebirth of cyber insurance is in the cards, but it will be in combination with proper, responsible security planning and comprehensive security strategy. 

 

Check out this piece, originally published in Forbes, here and follow me on LinkedIn

Security in a Non-Secure Environment

As a newly minted CISO, I have been injecting myself into the Ntirety environment, talking security at every corner of the company.  I come from a deep IT/security background where I have seen many companies fall prey to the ever-increasing cyber threat landscape.   

 Sad Tales Abound 

In my previous roles with Hewlett Packard Enterprise and the FBI, I would often speak with companies before and after they had been breached.  One of my saddest experiences was with a prospective SMB customer who was concerned about security in his environment but wasn’t sure where to start.  We discussed various options including the deployment of a Firewall or maybe a security assessment to help him determine where the “right place to start” was.   

 He was non-committal, and we departed the meeting agreeing to meet again in a few months to see where he was in his decision.  I was concerned because I felt his corporate network was exposed and the threats against his company were rising as his company became more successful and lucrative.  

 You can imagine my horror when his company was hit with a ransomware attack six weeks after our conversation.  I sent my corporate contact an email expressing my desire to help in any way. Could I have done more?  Could I have been more convincing?  I don’t know, but my desire is to assist every customer in any way possible. I want every customer’s environment to be more secure than when I first met them.   

 Basic Security First 

What is the proper order to assist a customer in an insecure environment?  It feels like a “Chicken-or-the-Egg” conversation – do we secure the environment and then do a security assessment, or do we start with a security assessment and then see what we need to secure.  I feel like I have come down in the camp of basic security first, then let’s assess.   

 One of the first conversations I have with any customer is a request for the customer to assess their  security on a scale from 1-5 with a 1 being almost completely insecure.  If a company rates themselves as a 1 or 2, that means they know they are not secure or very easy to compromise.  I feel like we should immediately discuss how to get them some form of security before talking about a security assessment:  At a minimum some firewall protection and maybe multi-factor authentication but in this case, my experience has shown that the low-hanging fruit security gaps become easy targets.   

 This may go against conventional wisdom, and I have often been the champion of the security assessment first, but I worry that by delaying any action on securing an environment, we may leave the door open too long for an enterprising criminal to exploit another company.  The thought of another company being victimized while I am trying to help them is too much.  Let’s move the minimum security bar higher in all of our environments and make the criminals’ job that much harder.

Cyberthreats Are Turning Assets Into Liabilities

For a business, assets are anything that can be marketed and sold, while liabilities are debts that must be paid. The sooner organizations understand the potential of company assets turning into liabilities, proactive action can be taken to protect the business. Board members, owners, CEOs, investors, and CFOs need to heed this call to action. Ntirety CEO Emil Sayegh discusses the importance of recognizing these dangers in this piece, originally published in Forbes, Cyberthreats Are Turning Assets Into Liabilities. 

Cyberthreats Are Turning Assets Into Liabilities

 In the world of business technologies, the prevailing pace of evolution is directly aligned with increased technology investments, yet security incident headlines reinforce how for a good chunk of that history, security was nearly an afterthought. Protecting the organization’s information assets was seen as something for IT to do while it focused on ensuring applications and storage were up and available. Well, cybercriminals apparently didn’t get the memo about whose job it was to protect data; they kept busy looking for ways into the network, stealing data, and holding hostage everything from (very) private pictures to financial records. Earlier this year, conference software provider Zoom found themselves in a position of misplaced trust and paid a hefty price to the tune of $85 million, following their repeated crashes in 2020. 

IT Assets and Liabilities 

Every organization has information technology assets on one side of the ledger and liabilities on the other side. In the simplest context, IT assets are properties of an organization that includes software and hardware. Users outside and inside the organization get value out of these assets and rely on their integrity and availability. The right technology, when used properly, is an enabler of business growth and profitability. Gaps in diligence and cybersecurity planning, however, can make these assets leap from one side of the ledger to the other into liabilities. The offenses can include gaps in training, ongoing support, upgrade planning, cybersecurity programs, user training, and more.  Liabilities are the weak points throughout the chain that affect the value of the asset to the business. 

Zoom Out 

Over the course of the global pandemic, Zoom became a household name – exploding in use by schools, students, businesses, and more. Due to lockdown restrictions, this tool filled a significant need, making things such as classrooms, weddings, memorial services, court proceedings, and fitness classes a new virtual possibility.  

The enormous spike in users increased attention on the program’s security and privacy flaws. Eventually, a class action lawsuit came along, alleging that Zoom violated users’ privacy rights. Zoom agreed to pay $85 million to settle the case. The allegations included sharing personal data with Facebook, Google, and LinkedIn, while allowing “Zoom-bombing,” the practice of hackers disrupting meetings with inappropriate language, pornography, and other disturbing content. 

Crossing the Line into Liability 

Executives are now on notice that they need to treat cybersecurity as a business risk. They need to know more than just how susceptible their organization is to attack. They also need to understand what is at risk, including its assets, and they must recognize when they become liabilities. That’s not always straightforward since companies often use the same technology for both corporate and personal tasks. A recent survey by research firm Gartner found that 29% of employees in organizations with end-user devices allowed workers to connect their own personally owned devices (including laptops, tablets and smartphones) to the network – with less than half of them restricting access solely to business or work purposes.  

A comprehensive approach to cybersecurity should include monitoring software updates across the entire business, not just for IT systems but every aspect of the commercial software supply chain, from development through deployment onto production networks.  

Protecting software assets and products of an organization requires a comprehensive security approach. This includes building a plan upon the components of a proactive security foundation and practices which start with four steps that can create a more secure cyber infrastructure:  

  • Identify threats through an audit
  • Secure your application environments through a ground up security solution including Secure DevOps and Zero Trust
  • Set up a recovery mechanism in case of a hack
  • Build an assurance program that enables future compliance and resilience

Zoom In 

Clients of Zoom and other similar software services must recognize the inherent risk contained in the practices of the service they choose to implement. Organizations can satisfy regulatory requirements for preventing or minimizing data breaches while also mitigating their vulnerability footprint through proper implementation of security measures for software.   

In addition, security teams have to start working with business units across the enterprise on how they manage vendor relationships. In order for InfoSec experts to do their job properly, they need to scrutinize all third-party components that are introduced into systems – whether that’s commercial off-the-shelf software or any type of service that gets connected. 

 

Check out this piece, originally published in Forbes, here and follow me on LinkedIn. 

New Year, But Classic Literature Never Goes Out of Style

The new year brings a chance to reset, restart, and set goals while reflecting on the past year’s accomplishments. With each coming year, new technological advancements are made, but we cannot forget our history or we are doomed to repeat it. 

 Reflecting on how our past and present often overlap in unexpected ways in two of his 2021 Forbes articles, Ntirety CEO Emil Sayegh references classic literature pieces, showing how their timeless themes provide a familiar perspective to modern-day cybersecurity issues. Explore these themes and perspectives from his articles  Never Truly Quiet On The ‘Western Front’ and Who Will The Cybersecurity Bells Toll For? highlighted below.. 

 Never Truly Quiet On The ‘Western Front’ 

First released in the late 1920s, the novel All Quiet on the Western Front was publicly burned, banned, derided, and censored for its “anti-war” and “unpatriotic” messages. Set in the final weeks of World War I, the story swings heavily on the contrast between false security and the realities of war. Today, we are talking about a different war that is dynamically morphing between a physical war and cyber war.  A real cyber war has been raging on the front lines of computer networks for a while and we must remain vigilant to the fact that an eerie silence may be the biggest threat of all.  

All Quiet on the Western Front was described as the most loved and hated novel about war; its messages threatened Nazi ideologies, sparking riots, mob attacks, and public demonstrations, yet it inspired an Academy Award-winning 1930 movie adaptation. Author Erich Maria Remarque may not have foreseen its full impact, but the story is laced with imagery describing starving soldiers, the brutally indiscriminate nature of (then) modern weapons, lost limbs, poison gas, and death—lots of death.  

False Sense of Security: Peace Before Death 

On the frontlines of computing, there is a false and persistent sense of security among CIOs, company boards, and most security professionals that reminded me of the end of this novel. Over the years, the phrase “all quiet on the Western Front” has been adopted in innumerable contexts to mean a lack of visible change or stagnation. It seems this is where many organizations are stuck today under this false sense of security. 

The final moments of the novel are (spoiler) deceivingly peaceful, contrasting with the overarching setting of war and its effects. It is in these moments, in the last “situation reports” from the military frontlines, where a false state of calm and security that belied the coming death of the story’s protagonist. It seems like the most important lessons in life must be learned time and again. 

That Silence You Hear is a Sign 

Across the landscape of organizations, there is a definite cyber war raging, and I am not talking about Call of Duty. You don’t have to read news headlines for very long to see that there are casualties all around us. There is an enemy lurking and there are no rules to hold them back. Defensively natured as cybersecurity practices can be, there are offensive principles that are a necessary part of the posture. That begins with an understanding that there is always a calm before the storm; and in today’s climate, we cannot afford the reassuring sense that all is well at any given point in time.  

Let us set the stage of this sea of “calm”: 

  • APT – In the age that followed the global pandemic, nothing in cybersecurity stopped that entire time. Advanced Persistent Threats (APT) continued and according to countless reports and breaches, they have accelerated.  
  • Mobile – Reports also show that mobile threats to the web and applications have gained more traction under new campaigns. 
  • Diversity – Hacker creativity is at an all-time high, with actors bringing in waves of zero-day threats into supply chain software attacks, phishing, and ransomware. Experienced groups and new players are combining forces and found new nearly undetectable ways to exchange information. 
  • Maximum Impact – Fueled and inspired by changing workforce composition as well as user behaviors, attacks today are designed to express maximum impact, driven by geo-political goals and financial gains.  

All the while, threat visibility has proven itself to be riddled with blindspots as hacks and incident reports continue to show compromised detection, a gap in understanding, and shortcomings in proper security practices. To add to these factors, technology continues to change, accelerate, and evolve—on both sides, while a crisis of talent resources continues. We can also see that intrusion incidents lead to ad hoc approaches to security funding, adding ineffective layers to cybersecurity health especially when spending tails off when all seems well.  

A Time to Act 

When things seem calm, follow these general guidelines and remember that only the paranoid survive a cyber war like this one: 

  • Actively and proactively leverage multiple sources of Threat Intelligence and trusted resources to monitor the latest methods, tools, tactics, and keep a watchful eye on the roost on a daily or even hourly basis. 
  • Always verify and never trust. It is always a good time for zero-trust authentication and a zero trust posture throughout the organization. This protects systems outside and inside the “castle.” 
  • Detect, investigate, respond, and remediate issues on every endpoint, application, service, and server system. Commit to timely and near instant responses. 
  • Spin up more security awareness training to help minimize social engineering, phishing, and other user-focused attacks. 
  • If you can’t do these items on your own, and very likely you won’t, engage partners that specialize in a comprehensive security posture. 

All is Not Quiet  

North, south, east, west, up, down, or sideways—all is not quiet, or well, on the security front (and it never should be). Don’t hide the truth with skin-deep positive “situation reports” and always verify. Embark on a comprehensive security strategy that starts with the honest identification of your environment’s threats, then work to secure your environments comprehensively. After these two first basic steps, it is critical to also prepare for the eventuality of a breach with a fully vetted disaster recovery strategy. The final step is to continually assure and ensure that there are no gaps in your security posture through an assurance and compliance program that takes new threat vectors, and compliance requirements into account. Remember, there’s a massive storm out there even if you don’t see it or hear it. Silence is not golden, it’s a false sign of security. Let’s take lessons from All Quiet on the Western Front and avoid the horrors of an actual war.  

Who Will The Cybersecurity Bells Toll For? 

 From Room 511 in a famed Cuban hotel, the iconic writer Ernest Hemingway authored some of his most acclaimed works. One of his most famous books was For Whom the Bell Tolls, which was completed in 1940. Inspired by his observations in Spain during the Spanish Civil War, Hemingway weaved the tale of a loss of innocence, psychological and physical trauma, death, and human nature during times of war. The work was revolutionary and controversial as it deconstructed romanticized wartime concepts of bravery and contrasted them with the sheer impact of then-modern weapons. It even inspired the Metallica song “For Whom the Bell Tolls,” as a lyrical adaptation of a particular scene from the book. There are various interesting parallels from this story to the modern world we currently live in and more specifically the cybersecurity arena.  

The bell toll is a symbol of death, which carries a dark theme throughout the novel. From beginning to end, most of its characters manage to consider their own potential deaths or inflicting death upon others. This heavy tone and the plot narrative between fascists and the forces of resistance provided the perfect setting for the Second World War, which was brewing at the time the book was released.  

A Setting Reimagined 

The knowledge of historical works allow us to better navigate our present and future. As the saying goes, “If we do not learn from history, we are doomed to repeat it.” The lessons from Hemingway’s novel translate very well to our world today, and more specifically to the cyberwar that is raging now. The bells keep tolling for the daily victims of hackers, while we have unfortunately become apathetic due to the frequency of those attacks. In cyber warfare, we may not always be able to see the enemy with our own eyes, but the threats and actors are as real as they come. The bell could arrive for anyone, at any time, when we least expect it. 

Joining the Resistance 

The Spanish fascists from the story are a lot like the organized cybercriminal gangs of today. Sponsored, nefarious, and destructive in their ways, today’s misguided hackers seem to fancy themselves as guerilla forces, yet they are nothing but the makings of a Big Brother criminal network. The companies that try to defend themselves from this coordinated system of attacks fulfill the role of the “Resistance.” Organizations that are fighting back today must be resourceful and diligent in tactics. They should put themselves in a position to also refuse to acquiesce to the impact of a ransomware incident, just as we saw with the catastrophic attack against Ireland’s Health Service Executive (HSE) organization. HSE joined the “resistance” and refused to pay the ransom, as they had a disaster recovery plan in place. In another extreme, we witnessed the twin sagas of the Colonial Pipeline along the JBS meat producer plant and how, faced with little choice, these two organizations cowardly paid massive ransoms in hopes of recovering data and operations.  

A Wasteland of Attacks and the Endless Wave 

The main story-derived lesson for organizations today  comes straight out of the title. It doesn’t matter who you are or what your security budget is, you cannot successfully assume that the bell will only “toll” for someone else. Just ask FireEye, SolarWinds, Kaseya, or even Peloton. You can even ask the federal government itself regarding some of its disclosed and undisclosed hacks. Here is the simple reality: 30,000 websites and applications  are hacked every day with an attempted attack happening every 39 seconds. This industry is filled with conversations and false narratives of the latest security product lineups, cyber capabilities and reports of how attacks were averted.  The reality is that security standards are obsolete the moment they are released. The security landscape is evolving daily, and very few static standards are going to guard against zero-day, novel threats. 

Not an Island 

It can be safely stated and significantly inspired by Hemingway that “no man is an island,” and similarly that no company stands alone. It is not revolutionary to state that anyone can be a target, but at what point does targeting become real and inspire preparation, budgeting, and deploying best of breed safeguards? Far too often, we are called to address this question after the facts of a breach become clear. It is not too late for the community or for any company to mind the bells of attack. 

Every organization holds the opportunity to mature security and privacy programs and be fully aware and best positioned for the modern challenge of cybersecurity by leveraging facts, expertise, monitoring, and knowledge about what is vulnerable about their digital presence and valuable. The realization is that when data drives actions and security is comprehensively implemented throughout a formless and endless perimeter, you can escape the trap of false security “standards.”  

Beyond the Chaos 

It all starts with an identification of gaps and threats and securing against those threats. Disaster recovery planning follows, since no matter the security measures, the enemy may still break through the defenses. The journey of cybersecurity cannot be complete without an assurance program that maps to the never ending quest to find ways to stay a step ahead of the enemies and ahead of our personal limiting concepts. An awakening must happen through the sharing of the phenomenal cybersecurity statistics that line the battlegrounds of today. From the frontlines of cybersecurity, there are so many close calls and so many seemingly minor events that can be the first of a chain of “perfect storm” events that lead to a major security incident. This happens thousands of times per day.  

All the while, strewn among the spent tools of cyber warfare are targets that defy simple definitions. No business domain is immune, and it matters little whether an attack is launched against large or small organizations, profit or not for profit, public or private. No one is safe—plan accordingly. 

 

Classic literature remains relevant because of its timeless themes that even after a decade or  a century still stands and can be related to modern people. History may repeat itself, and we must continue to prepare for any possible scenario in the cyber field. 

Schedule an assessment with us today to learn more about preventative security measures you can take to secure your cyber environment.

Readying For Regulation Response To Cyber Incidents – Forbes Article by Ntirety CEO Emil Sayegh

Recently, utility companies have been a major target for hackers, and critical infrastructure has been put at stake. As these cyberattacks have increased, taking action to keep bad actors away from our cyber environments must be a top priority. For industries such as utilities that provide services to almost all of us, we must all do our part to ensure security is enforced. 

 Ntirety CEO Emil Sayegh emphasizes the importance of the United States government’s involvement in protecting the ever-growing cyberspace, and the businesses and people whose lives could drastically change. The following piece, Readying For Regulation Response To Cyber Incidents, was originally published in Forbes.

Readying For Regulation Response To Cyber Incidents

In the wake of a prolonged season of significantly impactful cyberattacks, new regulations have arrived on the scene and we can expect more to soon follow. Good, bad, and ugly, regulations are a natural governmental response to significant situations that carry national implications. For now, the focus is on pipeline operators. But with so much vulnerability in the wild, a lack of overall standards -and also the fact that so much is at stake -cyber regulation is on a trajectory of growth, and may also find itself on a collision course across many more sensitive industries.

Back in May, the world was shocked when the Colonial Pipeline Company revealed that it was a victim of a ransomware attack. The immediate response was to halt operations in order to contain the attack. Five days later, operations resumed, but not before fuel prices on the East Coast of the U.S. skyrocketed and fuel shortages crippled the Eastern Seaboard.

Regulatory Response

The same day that operations resumed, President Biden signed an Executive Order on “Improving the Nation’s Cybersecurity.” Moving from voluntary participation to mandated compliance, some 100 pipeline operations had to formally designate a 24/7 cybersecurity coordinator and report confirmed and potential incidents to the Cybersecurity and Infrastructure Security Agency (CISA) under the new directives.

In late July, the rules tightened up from there with further regulations. The specific details that accompany this mission have not been fully revealed to the public, but some elements have been shared about the program. Participants will need:

  • To develop a cybersecurity contingency and recovery plan
  • Conduct a cybersecurity architecture design review
  • To implement mitigation measures to protect against cyberattacks immediately

In addition, the regulations have a bit of a bite to them, leveraging potential fines that can amount to close to $12,000 per day for each violation.

The Regulatory Trajectory

The age of self-driven, voluntary standards and industry participation is beginning to change as a response to the rash of successful attacks against critical organizations. With solid research and preparation, the implementation of these forthcoming compliance measures could possibly roll out smoothly. It is also likely that challenges will be felt throughout the industries affected by new compliance measures. Revisions and updates will follow, as already exhibited in the pipeline industry.

For most, compliance and regulation are not completely new territory, however the horizontal rollout and application to formerly voluntary industries will carry some challenges along for the ride. New technologies, cutting-edge standards, and continual assessment are not always associated with the considerably comprehensive publications of ordinary regulations.

Rolling out successful cybersecurity regulations in a comprehensive effort is going to require awareness on the contextual history of regulations as well as measures to keep regulations up-to-date and achievable.

Preparing Now

Based on technical and operational components, the gold standard reference point throughout the industry are the standards set forth by CISA. Organizations can get ahead of these and create a better security baseline by assessing cybersecurity policies and procedures and updating them as necessary.

Among the advancing best security practices and technologies, prepare to assess and incorporate:

  • Updated backup and recovery tools and processes
  • Risk prioritization exercises
  • Secure cloud service practices
  • Segmenting networks
  • Multi-factor authentication
  • Zero trust capable architecture
  • Robust endpoint management
  • Enterprise threat mapping
  • Data encryption at rest and in transit

Every environment is different, with different realities to consider.

It can be difficult to turn down the background noise of emerging products, industry buzzwords, and marketing smoke. With so much to navigate, I cannot blame anyone that has completely tuned out. But please don’t. Silence is not bliss in this case. Most companies are ill-equipped to deal with this threat alone and must find competent cybersecurity partners. This movement has already started-this is a clarion call and moment of action on every digital front. Cybersecurity is becoming an imperative across the land.

Happy Thanksgiving – A Message from Ntirety CEO Emil Sayegh

Thanksgiving has always been one of my favorite holidays. What is not to like? Good food, good time with family, cool weather, and college football. Also, there is no pressure associated with exchanging gifts. Although Black Friday is around the corner, I prefer to not partake in it, and I always let the glow that comes from the Thanksgiving Holiday permeate the whole weekend. 

Thanksgiving marks a time to show appreciation to all those that have helped us and made our lives a bit easier. While this holiday is traditionally celebrated in North America, the message of giving thanks and reflecting on the past year’s accomplishments is important in many more cultures around the world. It is always important to and take a step back to look at the joys in everyday life. First and foremost, I would like to thank the customers, partners, and employees of Ntirety for the amazing success we had in this past year despite the pandemic and all the turbulence that came with it. I personally am thankful for our partners and customers who have enabled us to continue to grow. Thanks to them, and our amazing team, we will only continue to reach new heights and remain as the premier Comprehensive Security Services provider. 

I hope that each of you get to spend the entire Thanksgiving weekend surrounded by family and friends, taking a well-deserved break. For our customers, partners, and members of the Ntirety team that are working this weekend, I am grateful for your dedication and drive. I extend a huge thanks to you for being there for all of us to enable us to take a break. During this Thanksgiving season, certainly thank your friends and family who are special to you, as well as others that may not be as close. Kindness and gratitude start one step at a time. Let’s spread the love and gratitude around.  

I am thankful for all of you!  

Happy Thanksgiving.

Managed Compliant Security Solutions Leader Ntirety Announces New Suite Of Advanced Security Offerings

Launch Furthers Ntirety’s Leadership in Comprehensive and Compliant Security Solutions that Permeate the Entire IT Stack 

We are excited to introduce a new set of security tools and continue our pledge to reduce risk, optimize IT spend, and improve business agility through services unlike any other IT provider in the market. This expansion of cybersecurity tools would not have been possible without the support of our partners. 

Ntirety will continue to search for the next way to keep you and your business safe and do all that we can to be proactive in keeping bad actors out of your cyber infrastructure.  

AUSTIN, Texas, Nov. 9, 2021 /PRNewswire/ — Ntirety, the most trusted Comprehensive Security provider and only company that embeds compliant security throughout the IT stack to safeguard the assets businesses rely on, today announced the launch of a new suite of advanced security solutions. 

“Security is everything, especially in today’s world; traditional IT security as people used to know it doesn’t work anymore,” said Emil Sayegh, CEO of Ntirety. “Ntirety has put security and compliance at the core of everything we do, extending the concept of comprehensive security across the entire IT stack. This new suite of services further cements our evolved approach to security and helps safeguard businesses to become virtually unstoppable.” 

“With this launch Ntirety continues to leverage its position as a deep rooted, managed service provider, adding now a full-fledged managed security service capability,” said Philbert Shih, Managing Director at Structure Research. “This combination raises the bar on its overall value proposition as cybercrimes have exponentially increased during the pandemic with the average cost of data breaches topping several million dollars per incident. Ntirety’s new suite of advanced security offerings offers businesses comprehensive protection for everything they hold dear and reflects the increasing complexity that organizations are faced with, which translates directly into demand for service providers and MSPs.” 

This new product suite augments Ntirety’s comprehensive security services in two of the primary cyberattack vectors, and shows how Ntirety continues to comprehensively protect IT environments by enhancing its protect, recovery, and assurance security framework. New offerings being brought to market include Managed Secure Email Services, next-gen Web Application and API Protection, and Managed ASV Scan. 

Please see below for a breakdown of Ntirety’s new product offerings included in its comprehensive service suite: 

  • Ntirety Managed Secure Email Services – Email is the leading target vector of attack for cybercriminals.  Ntirety secures email by adding additional perimeter, internal, and end-point threat detection, which forms an integrated layer of email protection.  Ntirety’s Security Operations Centers maintain a comprehensive view of the entire email threat landscape and take proactive measures to protect them.  
  • Ntirety Web Application & API Protection – Ntirety keeps web applications safe and secure, the API’s safe from cyber threats across cloud, on-premise, and hybrid environments utilizing their state of the art Security Operations Center.  
  • Ntirety Managed ASV – This service allows Ntirety to manage the vulnerability scanning process required for PCI Compliance, which is often extremely complex to manage on your own. 

“Ntirety’s comprehensive security suite has been an impressive security shield for our business,” said Chris Becker, National IT Director of AbsoluteCare. “Our data is extremely important, and we cannot afford for it to get in the wrong hands. Additionally, we don’t have the budget to stand up our own internal infrastructure or internally hire the expertise required to protect against today’s artful criminals. We are grateful for our partnership with Ntirety, who keep our data safe and protected from unknown threats.” 

With a vision to “help businesses move forward with less risk”, Ntirety’s vision encompasses four foundational components that ensure successful customer experiences: Comprehensive Security First, Channel Only focus, and unfettered Customer Success. Ntirety continues to provide the highest quality customer service across all sectors of healthcare, manufacturing, FinTech, and SaaS applications.  

Ntirety’s Inaugural Partner Advisory Council

Further Cementing our Channel-Only Strategy, Ntirety Selects Nine Partners for Exclusive Council to Create Long-term Channel Success.

In the ever-evolving field of information and technology, it is important to be adaptable; new devices are released every year, so cybersecurity awareness and education are of utmost importance. Ntirety’s Channel-Only approach has proven to be the ideal way to help raise awareness and security postures through our trusted Channel Partners.

To continue leading in the industry for both our partners and Ntirety, we invited partners to join our first Partner Advisory Council. We extend our sincerest thanks to our partners for their participation and for making Ntirety the trusted provider we are today. See our full press release covering the event below:

AUSTIN, Texas, Oct. 19, 2021 /PRNewswire/ — Ntirety, the most trusted Comprehensive Security provider, today announced the creation of their inaugural Partner Advisory Council. This council brings together top partners from the Channel industry to advise on best practices and collaborate on goals and initiatives for the upcoming year. This comes to further cement Ntirety’s strategy as a company that exclusively sells through the Channel.

The partners serve as the trusted voice of Ntirety customers, providing unique insights and firsthand knowledge on the brand’s services. The council’s goal is to help the Ntirety team fine-tune its product offerings, messaging, and marketing programs to further accelerate the adoption of its Compliant Security Suite of Services.

“Ntirety is 100% Channel focused, and the forming of this council reaffirms the brand’s commitment to our Channel partners,” said Emil Sayegh, CEO of Ntirety. “I’m thrilled to be able to form this council of passionate channel professionals who care deeply about the success of our clients and delivering to them pervasive, compliant security services that empower businesses to move faster with less risk.”

During the inaugural council meeting, partners gathered to align on bridging the gaps between technology, operations, and the human element of the Channel. The inaugural meeting identified a need for Channel partners to get more comfortable speaking about cybersecurity, as well as advising on compliance as new regulations across all industries continue to roll out.

“It was an honor to participate in this inaugural gathering,” said Auburn Holbrook, CRO of Opex Technologies. “For the first meeting, the content, and presenters were excellent. Ntirety is unique on multiple fronts with their Channel Only and Security First strategy. Their offering of compliant data security services comprehensively and compellingly for enterprise are unique and differentiated.”

The formation of this council directly follows Ntirety’s platinum sponsorship of the 2021 Avant Special Forces Summit in Austin, TX where CTO, Josh Henderson, and VP & Field CTO, Tony Scribner, were both featured panelists. It is the latest in a productive year connecting and collaborating with partners, including Ntirety’s participation as a platinum sponsor with speaking engagements at Telarus Partner Summit in San Diego, CA in June, and attending and co-hosting multiple events with Intelisys. Through these major conferences and summits to more exclusive gatherings, Ntirety continues to set the company apart with its cybersecurity thought leadership from other managed security providers in every interaction.

Ntirety’s exclusive commitment to Channel includes dedicated training resources, co-branded marketing collateral, reciprocal opportunity generation, and partner advisory boards, as well as evergreen commission structures and opportunity-specific incentive plans.

To learn more about Ntirety’s Channel Partner commitment or how to become a partner, visit ntirety.com/partners today!

Worldwide Cybersecurity Best Practices Part 2

Cybersecurity needs to constantly expand its resources because technology increasing with new devices released every year. Countries around the world have acknowledged this need and have played their part in making the cyber world a safer place.

In part 2 of our series on Worldwide Cybersecurity Best Practices, learn about more cybersecurity initiatives across the globe. 

Canada   

The Canadian Government is investing $80 million over four years (2021-2022 to 2023-2024) to create the Cyber Security Innovation Network, a national network composed of multiple centers of cybersecurity expertise. This includes post-secondary institutions (colleges, universities, research centers, polytechnics), partners in the private sector, not-for-profits, and governments (provincial, territorial, municipal) to enhance research and development and grow cyber security talent across Canada.   

Ntirety Director of Governance Risk and Compliance Wing Lau works in the Vancouver office and will firsthand experience this expansion of cybersecurity resources.    

“With the digital economy continuing to grow rapidly, accelerated by the Covid-19 pandemic, cyber security is an ever-increasing concern for Canadians and businesses,” Lau said.   

Ghana   

Ghana’s Cybersecurity Act , enacted in December 2020, regulates cybersecurity activities, promotes the development of cybersecurity, and provides for related matters. Under this act, the National Computer Emergency Response Team was established and functions to:   

  • Be responsible for responding to cybersecurity incidents
  • Co-ordinate responses to cybersecurity incidents amongst public institutions, private institutions, and international bodies
  • Oversee the Sectoral Computer Emergency Response Team established under section 44

Under Section 60 of the act, the document states that education and awareness programs on cybersecurity will be carried out. As stated under section 61, research and development programs will be designed. This includes actions such as collaborating with academic research centers and developing a framework for cybersecurity training programs.   

Japan   

Japan released their Cybersecurity Strategy in September 2021 that included a plan that would stretch over the next three years to ensure a “free, fair and secure cyberspace.” In order to do this, the government plans on:   

  • Advancing digital transformation (DX) and cybersecurity simultaneously  
  • Ensuring the overall safety and security of cyberspace as it becomes increasingly public, interconnected, and interrelated
  • Enhancing initiatives from the perspective of Japan’s national security

The Cybersecurity Strategy acknowledged, for the first time, China, Russia, and North Korea as cyberattack threats.   

Spain 

In April 2021, the Spanish government committed to investing over €450 million over the course of three years to increase the country’s cybersecurity sector. Carme Artigas, Spain’s state secretary for digitalization and artificial intelligence announced that an online “Hacker Academy” would be available for the country’s residents ages 14 and older as a part of the cybersecurity expansion initiatives.   

This training attracted hundreds of participants. The National Cybersecurity Institute (INCIBE) oversees this strategic plan for spending relating to cybersecurity. Key components of increasing the business ecosystem of the sector and attracting talent include:  

  • Strengthening the cybersecurity of individuals   
  • Strengthening the cybersecurity of Small to Medium Enterprises (SMEs) and professionals   
  • Consolidating Spain as an international cybersecurity hub  

United States   

While the states within the U.S. have passed laws governing cybersecurity, federally nothing has been constructed as far as cybersecurity enforcement specifically. There are, however, national laws in place that protect individuals’ information considered “private.”   

An example of this would be the Health Insurance Portability and Accountability Act (HIPAA) that guards “individually identifiable health information” including data that relates to:   

  • The individual’s past, present, or future physical or mental health or condition 
  • The provision of health care to the individual 
  • The past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual   

Individually identifiable health information includes identifiers such as name, address, birth date, and Social Security Number.   

The cyber-world can be accessed from almost anywhere on earth; this means that as individuals we must all use caution and do everything that we can to make a safe cyberspace for all. A seemingly harmless action such as clicking on a link can lead to your personal data being stolen and potentially the private data of others.    

The personal data of others is on the line when using a social media account, email, or other places where personal data such as name and birth date is shared online. Being a member of the cyber world means holding yourself and others accountable. Hackers will always be around as long as there is cyberspace, but as global cybersecurity efforts continue to increase, we can be more prepared and respond with greater speed and efficiency.   

Worldwide Cybersecurity Best Practices Part 1

Information Technology has created the ability to connect people from virtually (no pun intended) anywhere in the world. With new internet-connected devices being released every year, safety must only continue to increase along with it. Countries all across the globe have acknowledged the importance of enforcing cybersecurity and creating a safer cyber world for everyone.  

 In this two-part series, we will take a look at how eight countries from across the world implemented cybersecurity initiatives in the past few years, including Ntirety’s global offices in Bulgaria, Canada, and the United States.  

 Australia 

In May 2021, the Critical Infrastructure Uplift Program (CI-UP) was presented by the Australian government to aid in identifying and repairing vulnerabilities in critical infrastructure. This program was set in place to help providers evaluate their current security program and implement recommended strategies to reduce risk.  

 This program is available to critical infrastructure businesses that are Australian Cyber Security Centre (ACSC) partners. According to ACSC, this program was created to:  

  • Deliver prioritized vulnerability and risk mitigation strategies  
  • Assist partners to implement the recommended risk mitigation strategies  

 Brazil 

In Feb. 2020, Brazil introduced its first national cybersecurity strategy. The country that ranked 70th in the Global Cybersecurity Index, moved its way up to number 18 on the list in 2020. While the bones were set in place with the passing of the National Policy on Information Security in Dec. 2018, there were still more steps needed to create a strategy to secure the biggest economy in Latin America.  

 The National Cyber Security Strategy, E-Ciber, details a four-year plan (2020-2023) to improve the “security and resilience of critical infrastructure and national public services.”  

 Strategic Objectives include:  

  1. Make Brazil more prosperous and reliable in the digital environment;  
  2. Increase Brazil’s resilience to cyber threats; and  
  3. Strengthen the Brazilian action in cybersecurity in the international scenario.  

Strategic Actions involve:  

  1. Strengthen cyber governance actions 
  2. Establish a centralized governance model at the national level  
  3. Promote participatory, collaborative, reliable and secure environment, between the public sector, the private sector and society  
  4. Raise the government’s level of protection  
  5. Raise the level of protection of National Critical Infrastructures  
  6. Improve the legal framework on cybersecurity  
  7. Encourage the design of innovative cybersecurity solutions  
  8. Expand Brazil’s international cooperation in Cybersecurity  
  9. Expand the partnership, in cybersecurity, between the public sector, the private sector, academia and society  
  10. Raising society’s maturity in cybersecurity   

 Bulgaria 

The strategy, Cyber Resilient Bulgaria 2020, was established to create a framework to ensure a safe cyber environment. The strategy was released in 2016 and the plans were carried through the year 2020 with the hopes of increasing growth in cybersecurity resources and leadership.  

 The strategy was broken into 3 phases:  

  1. Between 2016-2017 the goal was to achieve the minimum required information and cybersecurity and capability for responding to cyber incidents and attacks at organizations and networks.  
  2. When it came to cyber incidents, crises and systematic prevention activities, 2018-2019 was dedicated to bringing the work of individual systems to coordinated responses.  
  3. 2020 achieved a level of maturity which would provide cyber resilience at the national level and effective interaction and integration at international level (An example being the North Atlantic Treaty Organization (NATO)).  

 This strategy aims to provide better protection for citizens, businesses, governments and critical infrastructure,” Security Operations Analyst Teodora Mincheva said. 

 The cyberworld can be accessed from almost anywhere on earth; this means that as individuals we must all use caution and do everything that we can to make a safe cyber space for all. Stay tuned for the second part of Worldwide Cybersecurity Best Practices!