Arraya Insights

January 27, 2020 by Arraya Insights

Windows 10 Windows Server patches vulnerability

Heads up: Microsoft and the National Security Agency (NSA) just sounded the alarm on a newly-discovered Windows vulnerability, one that has left potentially hundreds of millions of devices open to attack. Designated CVE-2020-0601, it affects certificate validation within devices running Windows 10, Windows Server 2016, Windows Server 2019, and Windows Server version 1803. Essentially, attackers leveraging this exploit could easily convince an affected device that a malicious application was actually something legitimate. Or, they could also use it to launch man-in-the-middle attacks by spoofing secure HTTPS connections or impersonating verified email addresses.

This is a big deal, though there is some minor disagreement over just how big. NSA didn’t hesitate to designate it as a “critical” vulnerability, one which needs to be addressed “as soon as possible.” Meanwhile, Microsoft classified the threat as “important” due to the fact that it hadn’t “yet” witnessed any malicious actors exploiting the vulnerability in the wild. “Yet,” of course, seeming to be the operative word in that sentence.

Although CVE-2020-0601 is the most talked about vulnerability in recent news, two other vulnerabilities may be just as bad or worse for your organization. CVE-020-0609 and CVE-2020-0610 allow remote code execution for Windows RDP Gateway Servers. This allows an attacker to run code without logging in and without user interaction.

No organization wants to find it’s become the first victim of any of these bugs – or a victim at all. Luckily, the recommended resolution is straightforward enough. Organizations can protect themselves simply by making sure they have installed all of Microsoft’s Patch Tuesday updates so far from January 2020. For some, it’s the scope of the vulnerability that could prove problematic. Those without a way of automatically pushing out updates organization-wide – or the support of, say, a technology partner able to handle patching duties – are suddenly facing quite a bit of unanticipated manual work.

Responding to vulnerabilities like CVE-2020-0601

NSA issued guidance on how to best structure those preventative efforts moving forward to organizations who find themselves in that boat. High priority items should include anything providing mission-critical or at least “broadly-relied upon” services as well as devices that are most likely to be exploited. The agency made particular note of:

Windows-based web appliances, servers, or proxies dealing with TLS validation
Endpoints hosting key infrastructure (e.g., domain controllers, DNS servers, update servers, VPN servers, IPSec negotiation, etc.)
Internet-facing endpoints
Endpoints regularly used by privileged users (e.g., administrators, executive leaderships, etc.)

While it can be helpful to prioritize, NSA is quick to point, directly out under its own version of the above list, that: “Applying patches to all affected endpoints is recommended, when possible, over prioritizing specific classes of endpoints.”

Next Steps: Take immediate action to keep your organization safe

Even though there have been no recorded exploits of CVE-2020-0601 as of yet, it’s best not to let risks like these linger. Organizations should take immediate action and patch their systems. Furthermore, administrators must also be prepared to execute containment and remediation activities in the event that their system has indeed been compromised.

Need a hand deploying patches, scanning your network for malicious activity, or conducting cleanup efforts? Arraya’s Cyber Team (ACT) can help. ACT provides the tools, techniques, or in-the-field talent your organization needs to defend itself against threats like CVE-2020-0601 and beyond. You can open a line of dialogue with them today by visiting: https://www.arrayasolutions.com//contact-us/.

We want to hear from you! Leave us a comment on this or any of our blog posts by way of social media. Arraya can be found on LinkedIn, Twitter, and Facebook. While you’re there, follow us to stay up to date on our industry insights and unique IT learning opportunities.

January 17, 2020 by Arraya Insights

We used to think of a hybrid environment as having one foot in the cloud and the other planted firmly on-premises, but things are no longer that simple. Today’s hybrid environments can have one foot in one cloud, another foot in a different cloud, a third foot back on-prem, and maybe even a fourth foot at the network’s edge. Before we tack on any more extra feet, let’s just say hybrid has gotten more complex. Maintaining visibility into, managing, and securing these broad, intricate environments has proven to be a task of equal stature for IT departments, particularly those in the SMB space. However, at Microsoft’s Ignite conference last month, the company announced help was on the way.

Azure Arc follows on the spiritual heels of another Microsoft hybrid solution: Azure Stack. While that tool caters more toward the needs of enterprise-scale organizations, Azure Arc is intended to help all organizations gain greater insight into and control over technologically-diverse environments.

Let’s look at some challenges addressed by Azure Arc (which is still in the preview phase) that may make it a solution to watch in this year.

Managing diverse, expanding technology landscapes

First and foremost, back to the challenge referenced above. Today’s environments are a hodgepodg e of solutions and providers. It’s becoming increasingly common for organizations to have some workloads living in, say Azure, as others are stored in AWS. Maybe others are kept back on prem, contained within a Windows-powered server.

Azure Arc can streamline the task of managing multifaceted environments by wrapping them in Azure’s suite of management solutions, including Azure Resource Manager, Microsoft Azure Cloud Shell, Azure portal, API, and more. Azure Arc brings these capabilities on prem, to both Linux and Windows servers. It can also extend them out to Kubernetes clusters, whether they exist on the network’s edge, in the cloud, or closer to home.

By doing so, Azure Arc can make it easier for IT to create, update, or stay on top of workloads wherever they reside.

Accounting for changing needs and technology advances

Technology is always on the move. The same goes for the organizations that leverage it. As organizational needs and directives shift, it falls on IT to make sure technology aligns with those evolutions in a meaningful way. While doing so, IT must also keep in mind how those needs may ebb and flow over time and keep expenses in check.

Azure Arc makes it possible to run Azure data services from anywhere – or at least a pair of them. The plan is to roll out more moving forward, but, as of now, organizations have two database solutions they can utilize as part of this offering: Azure SQL Database and Azure Database for PostgreSQL Hyperscale. Again, these solutions can be deployed on-prem, in the cloud, or on the back of any Kubernetes cluster.

These solutions will help organizations to better keep pace with the latest Microsoft cloud innovations. They’ll also be able to deploy new solutions rapidly (think seconds not hours or longer) and scale capacity as the need arises with the freedom of a cloud cost model.

Navigating the high-risk world of App Dev

Developing and fine-tuning the applications modern organizations rely on is something of a mysterious, perilous process. So much so, in fact, that one of Arraya’s in-house experts has compiled a five-part blog series on some of the most common and hard-to-shake misconceptions about the topic. Misconceptions aside, false steps can leave end users without access to critical tools.

Azure Arc can help minimize risk by bringing freedoms typically found in the cloud to on prem-based, application-focused projects. Through Azure Arc, developers have the ability to choose which tools they want to use to build and maintain Kubernetes-hosted apps as opposed to being locked to whatever is in a preselected toolkit. Then, IT can leverage Arc to efficiently implement organization-wide standardization governing how those apps are deployed, configured, and managed.

The result? A balance between the freedom developers want and the control IT needs, one that ensures users have access to the apps they need to get the job done.

Securing an ever-widening attack surface

No conversations should take place in IT these days without security getting a prominent seat at the table. It doesn’t matter where a workload will eventually reside, be it in the cloud, on prem, or at the network’s edge, it will need to be secured against malicious activities emanating from both inside and outside the organization.

Azure Arc brings Microsoft’s cloud security muscle to hybrid environments. Capabilities such as role-based access control can limit who has access to what. Azure Activity Log showcases its value during security audits and remediation efforts. Azure Threat Detection can weed out advanced attack efforts before they have a chance to do harm to an organization.

These security solutions (and others) can help make technology environments more secure even as the attack surface increases.

Next Steps: Learn more about Azure Arc or try it for yourself

Azure Arc is open for trials now, giving you the opportunity to see for yourself if it makes sense for your organization. Want to learn more about Azure Arc or take it for a trial spin? Arraya can help! Visit https://www.arrayasolutions.com//contact-us/ to get a conversation started with our workspace and cloud teams today!

We want to hear from you! Leave us a comment on this or any of our blog posts through social media. Look for us on LinkedIn, Twitter, and Facebook. While you’re there, follow us to stay up to date on our industry insights and special events.

January 15, 2020 by Arraya Insights

There’s a great amount of interest in custom-built applications – and quite a few misconceptions about them as well. Arraya’s Application Development team has encountered many of these, including concerns about complexity, use cases, and more. During this five-part series, our team will seek to dispel some of the more common misunderstandings about custom-built applications in order to shed light on a sometimes murky topic.

We see headlines almost every day about big data breaches and hacking attacks on business. An impulse for many of us could be to assume that any outside party coming into our systems is going to lead us to a similar fate. I get it. In IT, it’s our duty to protect our company and the interests of our clients and we take that very seriously. An outside organization is a risk we can’t control.

However, I can tell you from personal experience that some distrust is misplaced; particularly when an established organization with a good track record and roots in the development community is going to do work for you. The stock in trade of such entities is expertise and trust; trust earned through long histories of creating unique solutions for companies.

Also, there is a kind of high-level vision that always comes with having an “outside set of eyes” examine a system. This is true in all facets of IT, including security. It is in our nature to become blind to potential risks because we have become accustomed to seeing things a certain way. If we get an outside view of our process, we gain perspective from which we would not otherwise benefit.

For example, I can recall an instance where a larger client trusted us to look at updating an internal security process that involved a chain of approvals and forms between various departments. Since we were looking at the issue from the 10,000 foot view, so to speak, we were able to realize that numerous steps in the process were actually being duplicated. Specifically, this involved repeatedly typing in key information. By virtue of what they are, repetitive manual processes carry some degree of risk. It’s easy for someone moving quickly to key something in incorrectly or incompletely. Depending on the project, this could either be a minor hiccup or a potentially painful security vulnerability.

In this case, we were able to automate the process and pass forms from department to department with the sections in question already filled out. In addition to saving time (as well as removing quite a bit of unnecessary work from a number of employees), there was a significant drop in resubmittal due to errors in data entry. In this case the client was, understandably, more focused on the micro elements and not the macro picture, causing them to miss the issue.

If we can move outside of our usual defensive space, which is admittedly not an easy thing to do, there are many firms and talented individuals out there who are able to not only work without compromising your security, but also give you another set of eyes on how your security is designed and to either validate or improve on what you have.

Want to learn more about Arraya’s Application Development services? Visit https://www.arrayasolutions.com//contact-us/ to open up a dialogue with us today!

Have some thoughts you’d like to share about this post? We want to hear from you! Leave us a comment on this or any of our blog posts through social media. Arraya can be found on LinkedIn, Twitter, and Facebook. While you’re there, follow us to stay updated on our industry insights and unique IT events.

December 19, 2019 by Arraya Insights

Dell EMC Cloud Storage Services use cases

Fresh from their trip to Dell Technologies World 2019 back in the spring, our Data Center team compiled a blog post highlighting the conference’s most newsworthy moments. Included in their recap was a brief write up of a brand new offering called Dell EMC Cloud Storage Services. In the post, our team teased a couple of possible use cases for the solution and promised more would follow. Now that Dell EMC Cloud Storage Services has a few months in the wild under its belt, our team felt the time was right to revisit the subject and investigate its use cases more thoroughly.

Before we get into that, however, it’s worth quickly reviewing what’s featured under the Dell EMC Cloud Storage Services banner. Dell EMC Cloud Storage Services is available in either a multi-cloud or a DR-as-a-Service (DRaaS) flavor. Multi-cloud lets organizations choose from a trio of Dell EMC storage options (Unity, PowerMax, or Isilon) and utilize the hardware remotely, on a subscription basis. They can then leapfrog the compute and storage workloads housed in that offsite environment into – and between – Azure, AWS, and Google public clouds. Meanwhile, the DRaaS configuration offers similar subscription-based access to remote Unity and PowerMax hardware. Those devices bridge seamlessly with VMC on AWS, allowing for automated, pay-as-you-go recovery.

Now that the refresher is out of the way, let’s get into four scenarios where Dell EMC Cloud Storage Services could make a difference.

Use Case: Enable Hands-Free Disaster Recovery – Today’s Recovery Time Objectives (RTOs) must be measured in minutes, not days. Having a dedicated disaster recovery site helps actualize that goal, however, these can be expensive and tough to maintain. Dell EMC Cloud Storage Services give workloads a cloud-based landing spot in the event of a crisis – cyber or otherwise. Rather than pay for an entire second site, organizations are only charged for the compute used during failback to production. In the event of more-sweeping issues, this can be converted to serve as a production site until recovery is possible.
Use Case: Support Storage-Hungry Applications – Organizations often want to – or are required to – keep the mountains of data generated by mission-critical applications close at hand. Dell EMC Cloud Storage Services provides a cloud-based home for that data, backed by the ability to replicate on prem without running up a long list of egress fees – or any at all. Additionally, Dell EMC Cloud Storage Services gives organizations the cloud-based compute needed to run those applications with easy scalability to adjust as needs do.
Use Case: Stay Active During Maintenance or Workflow Adjustments – Business demands don’t stop to allow time for maintenance nor do they wait patiently while network congestion clears. Dell EMC Cloud Storage Services work in step with this reality by enabling the cloud to serve as an extension of an organization’s data center. Workflows can failover into the cloud while maintenance or load-balancing activities take place at a primary site. Once those projects have wrapped, workloads can be easily routed back to their traditional pathway.
Use Case: Processing Large, Infrequent Analytics Workloads – Large, complex and – most importantly for this bullet – infrequent analytics exercises make it tough for organizations to accurately tune their compute capabilities. Dell EMC Cloud Storage Services lets organizations take data generated and stored in-house and move it up into the cloud where bandwidth can be scaled to perform the necessary analytics operations. Copies of those data sets are also able to be replicated into and stored in the cloud for recovery purposes.

Next Steps: Does your future include Dell EMC Cloud Storage Services?

These are just a few of the potential use cases for Dell EMC Cloud Storage Services. Think this solution might make sense for your organization? Reach out to Arraya’s team today. Our Data Center experts will work with you to review your existing storage, compute and disaster recovery capabilities and, if necessary chart a path to optimization. You can start a conversation with them today at: https://www.arrayasolutions.com//contact-us/.

December 12, 2019 by Arraya Insights

Imagine a world where Microsoft collaboration tools and Cisco collaboration tools went together like peanut butter and jelly. There was a time – as recently as earlier this year – when that was strictly the stuff of dreams. Instead, organizations could choose Microsoft’s collaboration solutions or they could choose Cisco’s. Or, they could embark on a long and complex process to forge a connection between the two. However, all of that is changing as the companies announced a new era of interoperability, one which puts customer needs and experience at the forefront.

“For too long Microsoft has been an ‘or.’ Microsoft or Cisco. Now we’re making it an ‘and.’ Cisco and Microsoft, said Sri Srinivasan, Cisco’s SVP/GM, Webex Meetings, Teams, Calling & Devices, onstage at Cisco’s 2019 Partner Summit in early November. “This is a big bet for our two big companies, for the sake of our end users.”

The view from the Microsoft side was equally rosy. Lan Ye – Microsoft’s GM of Microsoft Teams CMD (Calling, Meeting and Devices) – described the move as something of a natural progression for the companies. In a post on the Microsoft Teams blog, (entitled “Microsoft & Cisco partner to simplify meetings and calling for mutual customers”) Ye wrote that “This partnership aligns with both Microsoft and Cisco’s dedication to openness, interoperability and customer choice.”

How Microsoft and Cisco are transforming collaboration

Here’s what we know so far about what’s coming down the pike as a result of this new partnership:

Cloud Video Interop (CVI): Cisco is set to release a Microsoft-certified Cloud Video Interop solution during the first part of next year. What does this mean? Well, it means that Cisco’s fleet of Webex Room and SIP video conferencing solutions will be able to join Microsoft Teams meetings. From a user experience perspective, the companies promise a connection that will be both hassle-free as well as seamless.
Direct Guest Join: Microsoft and Cisco are also developing a solution to fully break down the walls between their meeting devices and meeting services. The companies plan to use connectivity solutions embedded into the devices themselves to allow Webex Room devices to connect to Teams meetings and Teams Rooms to connect to Webex meetings. This will occur through a direct guest join capability which is set to be released early next year.
Direct Routing: Finally, users will soon be able to dial out via the Microsoft Teams client by way of their organization’s pre-existing Cisco communication infrastructure. Even better is the fact that organizations won’t have to undertake any substantial environmental upgrades or redesigns. Cisco recently joined the ranks of Microsoft’s Session Border Controller (SBC) certification program. This will allow organizations using Cisco SBCs to roll out direct routing, giving them a dial tone in Teams.

Next Steps: Best of breed providers. Best of breed collaboration solutions.

These three advances are helping Microsoft and Cisco transform into the peanut butter and jelly of the collaboration world. Want to learn more about any of the above enhancements and how they could impact your organization? Or maybe you’d like to learn how else your organization can benefit from this newly-minted, highly-collaborative pairing? Myself and my team can help. Strike up a conversation with us today by visiting https://www.arrayasolutions.com//contact-us/. From there, you can submit questions or schedule a more comprehensive learning session.

Want to leave us a comment on this or any of our blog posts? You can always reach Arraya Solutions through social media. Look for us on LinkedIn, Twitter, and Facebook. While you’re there, follow us to stay up to date on our industry insights and unique IT events.

December 12, 2019 by Arraya Insights

Cloud has dominated technology conversations in recent years, a trend which shows no signs of reversing come the new year. In its 2020 State of IT Report, Spiceworks projects that hosted/cloud-based services will command nearly 29% of organizational IT budgets next year, a figure on par with 2019 totals. With organizations continuing to spend big on the cloud or, in some cases, only just embarking on their own cloud journey, our team wanted to highlight one larger cloud discussion that doesn’t seem to happen early or often enough.

In truth, identity and access management should be among the first topics covered after the initial decision to move email, an application or some other workload into the cloud. It’s such a big deal, that identity and access management actually straddles at least two spots on the Cloud Security Alliance’s Top Threats to Cloud Computing: The Egregious 11 list. It ties into both number four (“Insufficient Identity, Credential, Access and Key Management”) and number five (“Account Hijacking”) on the not-for-profit research organization’s list of the biggest risks and vulnerabilities facing the cloud. Yet, it’s often set aside in favor of other topics.

To remedy this, we sat down with our team of experts to get their take on how to bring identity and access management into cloud conversations sooner rather than later. Here are their six essential talking points:

What authentication method makes the most sense for our organization? Once the decision is made to move workloads into the cloud, the next decision should be how to allow users to securely reach them. Either internally, or with the help of a partner, organizations must weigh the pros and cons of approaches such as pass-through authentication and federated authentication in order to find the right one for their environment and needs.
Do we want users to be able to access workloads, apps, etc. from anywhere? Working from home or on the road or from wherever has a definite appeal. However, it may not always be an option, due to internal attitudes or industry regulations. If it is in the cards, follow up conversations on topics such as conditional access will need to occur. Working “from anywhere” doesn’t have to mean literally anywhere as organizations may want to restrict access to known countries, circumstances, etc.
Do you want to enable multifactor authentication (MFA)? Considering how many cyber attacks can be prevented just by turning on MFA, the answer to this question should almost always be “Yes.” Maybe a better question to focus on is: “How are we going to present MFA to our end users?” Users may not be thrilled with extra steps, however, it does help to work with representatives from across an organization to find an approach to secondary authentication that values both security and user experience.
What are the legal ramifications of our cloud access strategy? Even organizations outside of traditionally heavily-regulated industries need to be cognizant of their responsibilities regarding the safety and security of data stored in and accessed via the cloud. Encryption is a huge part of this, including whether or not data must be encrypted both at rest and in motion. Also, laws like GDPR and California’s Consumer Privacy Act have much further reaches than some realize, making organizational legal counsel an unexpected, yet essential, voice in cloud conversations.
Do we want to allow data-sharing with third parties? Platforms like OneDrive for Business and SharePoint make it easy for users to share files and collaborate – both inside and outside the organization. Before turning users loose with these or any similar platform, organizations must determine what, if anything, they’re comfortable with users sharing outside of the company. Then, it’s up to admins to put the policies in place in support of that goal.
How are we going to keep track of all of this? The cloud has developed a reputation as a “set it and forget it” kind of tool, but that’s not the case. Organizations must keep a close eye on their environment and keep a running log of who’s accessing what, who’s making what changes, etc. By maintaining an auditable trail, organizations will be able to get to the root cause of (and correct) issues far faster than they could without.

Begin the next phase of your cloud journey on a secure foot

Need a hand designing, revising or implementing your own access and identity management strategy? Arraya’s team can help. Our experts have the in-the-field experience and insights needed to help organizations of any size or specialty be more productive and secure in the cloud. Please visit https://www.arrayasolutions.com//contact-us/ to start a conversation with our engineers.

We want to hear from you! Let us know what you think of this blog using social media. Arraya can be found on LinkedIn, Twitter, and Facebook. While you’re there, follow us to stay up to date with our latest blogs, podcasts and exclusive IT training opportunities.

December 10, 2019 by Arraya Insights

During the summer of 2017, pharmaceutical giant Merck was one of countless companies, around the world hit by the most devastating cyber-attack in history: NotPetya. Initially masquerading as ransomware, NotPetya turned out to be far worse: a strain of malware designed to destroy systems rather than hold them hostage. The toll NotPetya inflicted on Merck was devastating. As many as 30,000 laptops and desktops were taken off line as were 7,500 servers. One employee estimated losing 15 years of work as a result of the attack. Another estimated that, for two weeks, operations completely stopped as cleanup efforts raced on.

Merck totaled up the costs connected to NotPetya to $1.3 billion – an astronomical amount, but at least the company had a sizeable cyber security insurance plan to fall back on. Its insurers, however, saw things differently. Many of its insurers rejected Merck’s claims on the grounds that the cyber-attack wasn’t covered after all. Their reason? The insurers claimed NotPetya was an act of war and thus outside the scope of Merck’s coverage.

GRU, Russian’s military intelligence agency, was credited with unleashing NotPetya as yet another weapon in that country’s ongoing conflict with Ukraine. The malware nearly decimated Ukraine’s technological infrastructure, wiping out an estimated 10% of computers across the entire country. Insurers believe organizations like Merck – which saw NotPetya enter its system through a server in the company’s Ukraine branch – as simply getting caught in the crossfire.

Merck has taken its case to court but may be in for an uphill fight. The White House has publicly linked NotPetya directly to Russia’s destabilization efforts in Ukraine, potentially putting insurers on solid legal ground and leaving Merck – and others in the same boat – hanging.

What to consider before buying cyber insurance

Analysts have great expectations for the cyber security insurance industry over the coming years, although they can’t quite agree on just how great. In a recent story, Tech Republic quoted research that predicts gross written premiums for cyber security insurance totaling just under $8 billion by 2020. Elsewhere on the Internet, Adroit Market Research claims premiums will total $23 billion by 2025. How much or how quickly the industry is going to grow is beside the point, which is that – given the omnipresence of cyber security incidents – it will grow. As more organizations invest in cyber security insurance, here are a few things to remember when trying to pick the right plan.

Cyber security insurance shouldn’t replace cyber security solutions. Preventing attacks is always the best policy even with a safety net like insurance in place. Insurance, after all, can’t repair the reputational damage incurred during a data breach. Furthermore, insurers will likely take a hard look at an organization’s cyber security posture following an attack in search of weak points that might allow them to avoid paying up.
Get perspectives from outside IT. Cyber security isn’t an IT-only concern and the same goes for cyber security insurance. For example, Legal might be able to red flag coverage gaps – like, potentially, an “act of war” exemption. Other teams can spot other shortfalls specific to their areas that could prevent an organization from receiving the insurance benefits it needs, when it needs them most.
Put together a checklist of ‘must-haves’. The ideal policy is going to vary from company to company. However, the Delaware Business Times shared a list of core items that the majority of those in the market for cyber security insurance will want. This includes covering internal and external loses and costs associated with: legal representation, forensic investigation, PR, business disruption, “make-good” services like credit monitoring, and regulatory fines.
Decide how much coverage is needed. It seems that organizations increasingly don’t want to get stuck without cyber insurance. They also don’t want to get stuck paying for more coverage than they will need. It’s a balancing act, one that can be achieved through internal risk assessments as well as by enlisting the help of outsiders with experience in the field.

Next Steps: Prepare for whatever cyber criminals throw your way

As cyber attacks become part of the cost of doing business, it seems so too may cyber security insurance. It’s not just a topic for enterprise-sized organizations. Nor does it take a global cyber crises engineered by a foreign power like NotPetya to put a company out of business. Garden variety ransomware can have cataclysmic repercussions for organizations of any size. And this subject will only get more complicated as current regulations expand and new ones are rolled out.

Want to talk more about this topic and what your organization can do to successfully navigate today’s ever-changing threat landscape? Start a conversation with our Cyber Security team now by visiting: https://www.arrayasolutions.com//contact-us/.

We want to know what you think of this post! Leave us a comment on this or any of our blog posts through social media. Look for us on LinkedIn, Twitter, and Facebook. While you’re there, follow us to stay up to date on our industry insights and unique technology learning opportunities.

December 5, 2019 by Arraya Insights

Here’s something we can all be thankful for this holiday season: Larger cyber security budgets are reportedly on their way! In a recent FireEye study, 76% of participants said they expect their security budgets to increase in 2020. That’s obviously encouraging for those fighting the good fight and bad news for those on the other side of the digital battlefield. Still, despite the extra funds, security pros can’t afford to let their guards down because cyber security success isn’t defined by the size of an organization’s budget.

That’s not to diminish the importance of cyber security spend. As part of its research paper The Security Bottom Line: How Much Security Is Enough?, Cisco analyzed how security postures differed between those with more to spend and those with less to spend. The technology leader found 27% of companies with annual cyber security budgets of $1 million or more felt they were able to afford their minimum security needs. That figure – 27% – isn’t wholly impressive in and of itself. Drop into the $250,000 to $999,999 budget range and suddenly just 9% of participants were willing to make similar claims.

Yet, the consensus across all budgetary ranges is that organizations, no matter what they’re spending, believe they still have a ways to go on their security journeys. According to Cisco:

94% of those spending $1 million or more on security each year believe their programs and initiatives still have room to grow
95% of those spending $250,000 to $999,999 said the same
92% of those spending less than $250,000 said they want to do more

It seems budgets don’t tell the entire cyber security story. In its report, Cisco highlighted three other areas organizations must focus on to succeed against today’s advanced persistent threats.

Expertise

Cyber security expertise is somewhat rare these days. In its report, Cisco cites research from (ISC)² which found a global security skills shortage of around 3 million. Rarer still is having that expertise in-house. Cisco’s own research states that just 37% of surveyed organizations say they rely on their internal staff most for cyber security expertise.

Bringing these kinds of skills in-house can be expensive – going back to budget again. Plus, sharing knowledge with other organizations in similar situations is an effective way to stay ahead of the bad guys. The issue is, without the in-house talent to interpret and adapt it, that peer-to-peer insight can be too general, too removed from an organization’s individual needs to be truly effective.

It makes sense for organizations coming up short on security talent to work with a managed services provider. Any provider worth its salt will dedicate ample time early on to learning the ins and outs of an organization’s environment. This achieves a best-of-both worlds approach, mixing reliable insider knowledge with affordability and flexibility.

Capability

Having expertise is one thing. Having the ability to act on it is something totally different which is where capability fits in. Some projects may be too onerous – either in terms of cost or complexity or some other factor – for those tasked with promoting security to undertake. Still others may fall outside of that particular department’s jurisdiction. Whatever the case may be, IT and security teams often know what needs to be done but are unable to execute.

Cisco explained the issue of capability as one of cyber security maturity. First tier organizations have a clear understanding of their IT asset library. They know what they have and they know what it’s doing. The next step up are organizations where security has control over initiating and preventing changes to those assets. Above that are organizations who, for a lack of a better phrase, get it. They understand which resources criminals are most likely to target, how they’re likely to be targeted and how to repel those attacks. Lastly, the most mature (and capable) organizations are those effectively deploying and leveraging security tools to defend themselves organization-wide.

Maturity is dependent upon a strong cohesion among internal teams. Security needs to work in lock step with operations and finance and every other department to fully understand the scope of what they have, what they’re facing, and how to stay safe. Once again, sometimes bringing in an outside, independent voice is the best way to foster that level of internal collaboration.

Influence

The final area Cisco underscores as a pathway to better cyber security is influence. A couple of different points are called out in this section of the report. First, influence can refer to an organization’s ability to hold vendors to its own cyber security standards. It can also mean having the clout necessary to learn about potential cyber security risks from vendors before they become common knowledge. Trouble is, modern IT environments tend to be a patchwork of solutions and providers, lessening most organizations’ ability to exert much influence.

Cisco’s researchers found 38% of organizations that spend $1 million or more each year on security said they were always able to dictate security-related conditions to vendors/partners. Just 17% of organizations that spend less than $250,000 annually on security were in the same boat. Meanwhile, 86% of organizations with 10,000+ employees said they learned about security vulnerabilities and incidents affecting them from vendors before they were public knowledge. Compare that to just 60% of organizations with fewer than 1,000 employees who said the same.

It’s clear from Cisco’s findings that influence is often reserved for those with enterprise-sized budgets or employee rolls – or both. This doesn’t have to be the case. Organizations just need to find a partner with the experience and connections necessary to serve as a bridge between them and security-first, industry-leading vendors.

Next Steps: Maximize security without maximizing budgets

Strong cyber security isn’t just about having the highest budget. It’s a combination of multiple factors, including spending on the right resources, building connections to industry-leaders, and having access to a team who understands security as well as what makes your business unique. Arraya’s Cyber Security Team takes pride in being able to deliver on those goals for our customers. We provide the people, processes, and solutions needed to navigate today’s threat landscape. Start a conversation with our team now by visiting: https://www.arrayasolutions.com//contact-us/.

December 3, 2019 by Arraya Insights

There’s a great amount of interest in custom-built applications – and quite a few misconceptions about them as well. Arraya’s Application Development team has encountered many of these, from concerns about complexity, use cases, and more. During this five-part series, our team will seek to dispel some of the more common misunderstandings about custom-built applications in order to shed some light on a sometimes murky topic.

For many of us, when we imagine a company pulling in a third party to help them realize their technological vision for their business, we think of giants like Amazon or GM bringing in massive teams of specialists to pull off feats of engineering. While large and extensive projects are certainly a constant in the app dev field, the bulk of projects, by numbers, are actually for smaller companies that have a vision for what they want to do with technology. The reality is that, thanks to the increasing capabilities of IT professionals and the tools available to them, there’s never been a time where a few can do so much in the sphere of creating custom solutions.

Today, many solutions are already available via third parties to companies of all sizes. The same is true of custom development. It’s only a question of tailoring the project to match what a given company wants to accomplish. The real key to finding custom solutions that suit a business of any size, is partnering with someone who can help you realize your vision.

Whether you’re working with one talented individual or an entire firm, you should feel that the size of your business is not something that precludes having a custom solution created. In one instance, a small business of about eight people engaged Arraya for help with their Office 365 implementation. It was not a gigantic, world-altering piece of work. Instead, it was a sensible set of automations that leveraged the existing platform they were paying for in ways they didn’t think possible. The result greatly improved their ability to work and collaborate on a day to day basis.

Now, maybe you’re thinking “my business does ____, how could automation really improve anything?” Every company, no matter the size, can benefit from having an easier day, better communications, and improved organization. In our above example, most of it was leveraging SharePoint and OneDrive to allow documents to be shared and managed more efficiently. Often times, a project that will suit your company can be hiding in plain sight, one that uses platforms and tools you already own. Don’t be afraid to sit down for a conversation and see what can be done for you, no matter how big or how small your company is!