Cloud Compliance in 2022

This is the second in our series of 2022 trends. Last week we covered employee information management trends for 2022. This week we look at the trends for cloud compliance in 2022. 

Compliance – which in our context is specifically cybersecurity compliance – continues to be the way in which cybersecurity is managed and measured in modern IT. This is especially true in cloud services, where compliance standards have been an enabler of cloud growth. Cyber compliance standards like HIPAA, PCI DSS, NIST, and ISO 27001 set the benchmarks that businesses can use when evaluating how secure the cloud services they are considering and purchasing actually are.

As the nature of cybersecurity attacks changes, so too do the standards for cybersecurity compliance. This leads to our big trends in cloud compliance for 2022.

1. Companies Will More Broadly Apply CMMC to Their Non-Federal Clouds 

We discussed Cybersecurity Maturity Model Certification (CMMC) in a post a couple of weeks ago. This measurement standard from the Federal government will continue to expand into and provide influence over cybersecurity in the private sector. 

CMMC incorporates NIST SP 800-171 standards and provides a convenient five-level maturity measure. This type of measure has been used in IT in the past with the Capability Maturity Model (CMM) which was used by many CIOs in the early 2000s to measure their path toward better IT process and service orientation. 

With the recent announcement of CMMC 2.0, and with the prevalent knowledge of consultants that can lead IT organizations down the path of better cybersecurity, 2022 looks to be the year that CMMC measurement and reporting of the cloud becomes commonplace. 

2. Private-Public Hybrid Cloud Models Will Add Compliance Nuance 

In 2022, more companies will generate more of their data in the public cloud. Many of those companies will have policies to move portions of that data to their private cloud within defined periods of time. Which data is moved, when, and where will continue to be a compliance challenge both for security and for privacy. As compliance rules shift – like the required frequency of vulnerability scanning – companies that maintain hybrid clouds will need to update their procedures in both private and public contexts, as well as the reporting for audits. Enforcement of data-related policies, such as the right to erase personal data, will increase.

3. Multi-cloud Application Compliance Will Become More Complex to Track

When companies implement applications in a cloud today, they mostly isolate each application in one cloud – typically called hybrid cloud. Multi-cloud applications span more than one cloud and are increasing in popularity as different cloud vendors develop specialized and unique services. In 2022, more companies than ever will be using multiple clouds for a single application. 

For instance, maybe you develop a customer relationship management application for your sales team. You might store customer phone numbers in one cloud because their database service has privacy protections built-in, but you use a slick emailing app from another cloud that is easy to implement and extend. When emails and first names are temporarily stored in the second cloud, there becomes a second location for personally identifiable information (PII) to reside. Privacy policy understanding and enforcement is needed in both clouds, but without a rather technical review of each component of the application, this can be missed. 

Compliance audits and policy enforcement will need to get increasingly into the “weeds” on each application to understand where the cyber-risks are and how cyber-compliance policies apply. 

4. Compliance Ownership When Using Cloud-native Services Will Shift 

All the major clouds – AWS, Azure, GCP, IBM – have co-management models for cloud compliance, but the policies are mostly utilized for first-generation cloud technologies like virtual machines. The differences in co-management of cloud compliance for cloud-native services have been treated as a special case by cloud providers. In 2022, the prevalent usage of cloud-native services will make it necessary for cloud providers to address the ambiguities in cloud compliance responsibilities that these services create.

For example, with virtual machine implementations, responsibility for user credentials is clearly on the side of the customer. With cloud-native services, though, user credentials are exposed as they are used to access various services and/or are passed between services. How the user credentials are being handled by the cloud provider becomes important for compliance and security purposes for the cloud customer. 

What do you think about cloud compliance in 2022? What are your big concerns for the upcoming year? Let us know what you think at info@montra.io.

Employee Information Management Infographic

Employee Information Management in 2022

Employee information management is an important topic for a lot of mid-sized companies, especially those that are experiencing or are planning for a lot of growth. Running efficient on-boarding and off-boarding processes, keeping track of the latest employee information, and maintaining proper access to the right systems and services are all functions impacted by good employee information management. Click to download our infographic on the top Employee Information Management trends in 2022.

Employee Information Management Trends for 2022

The past two years have had a major impact on everyone’s lives, so we are looking forward to 2022 with anticipation (well, not as much as the anticipation last year leading into 2021.) Some of the biggest changes as it relates to work have been in how and where we work, the increasing number of cybersecurity threats, and the changes in how IT services are delivered. As we look forward to 2022, we can see that these trends will have a big impact on how and why companies manage their employee information.

Employee information management is an important topic for a lot of mid-sized companies, especially those that are experiencing or are planning for a lot of growth. Running efficient on-boarding and off-boarding processes, keeping track of the latest employee information, and maintaining proper access to the right systems and services, are all functions impacted by good employee information management.

One of the challenges for businesses with their people information management is that there are islands of data on employees and contractors that exist within most organizations. Recruiting databases, HRIS, email systems, physical security access systems, finance systems, and other services, all maintain subsets of data on employees. Due to security and privacy concerns, it is difficult to access and update all these systems either by employees or by the admins. Additionally, the systems almost never talk to each other to synchronize changes.

This leads to three critical areas of concern with poor employee information management:

1. Employee Onboarding Takes Too Long: it takes longer to get new employees operational and effective

2. Security Risk is High: it is difficult to track employee credentials across all the systems and services for which they should be granted access

3. Employee Data Gets Stale and Inaccurate: Applications that rely on this data – like disaster recovery services – can become completely ineffective.

With that in mind, here are our top trends for Employee Information Management in 2022:

1. Increasing Employee Churn Will Drive Need for Better Employee Onboarding / Offboarding

The economy will continue its post-lockdown expansion. This will continue to fuel the higher rates of employee departures and arrivals than ever before. Employers are more pressured than ever to make certain the onboarding process is as quick and accurate as possible, while the offboarding process is secure and trackable for cybersecurity and compliance purposes.

2. The Definition of the Employee Workplace Will Continue to Broaden

The workplace has been changed forever over the past couple of years. More employees are working at home, in a co-working space, or even in a second home away from major cities. What used to be a special case (“We have 3 offices and a few people that work from home.”) will continue to move toward the norm in 2022. Systems that track employee location today are almost all static and assume that a limited number of workplace addresses exist. Employers need to rethink what an employee workplace is and how they plan to handle the more dynamic and fragmented nature of the workplace.

3. Workplace Information Will Need to Be More Dynamic Than Ever

Understanding where an employee is, was, and will be, will become critical for company IT staff and others needing accurate workplace information in 2022. For cybersecurity policies and compliance to work properly, accurate information about a person’s location is needed. Different access policies can be enforced, and audit trails can be created to trace issues when they occur. Additionally, in the case of a disaster or other emergency, employers can know who was in what workplace and how notifications and recovery processes should be handled.

4. Employee Offboarding Will Need to Be More Accurate

Most mid-sized and high-growth companies do not have well-run offboarding processes. With more employees leaving a company, any inefficiencies in the offboarding process will get exposed in 2022. In the past, when a person was exited, the accuracy of removing access to every system was not that critical. If physical access to the building and email access was removed, offboarding was “80% done”. The rest of the systems could be updated at leisure. The modern workplace in 2022 will drive the need for accuracy. Enabling this means employee information about account and system credentials needs to be accurate and easily accessible to the appropriate people. If the information is not accurate, the former employee could retain access to data or services that put the company at risk.
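The “80% done” problem above is detectable: compare the HR roster against each system’s account list and report which terminated employees still hold accounts, how long they have been gone, and which accounts have no HR record at all. The script below is an added illustration, not Montra’s code; the roster, the system names (`email`, `vpn`, `crm`, `badge`) and the user ids are constructed sample data standing in for an HRIS export and each system’s user list.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Person:
    user_id: str
    status: str                 # "active" or "terminated"
    end_date: Optional[date]    # last day of employment, if terminated

# Constructed sample data (assumption: real input is an HRIS export plus per-system user lists).
HR_ROSTER: List[Person] = [
    Person("asmith", "active", None),
    Person("jdoe", "terminated", date(2021, 11, 30)),
    Person("mlee", "terminated", date(2021, 12, 15)),
]
SYSTEM_ACCOUNTS: Dict[str, Set[str]] = {
    "email": {"asmith", "jdoe", "mlee"},
    "vpn":   {"asmith", "jdoe"},
    "crm":   {"asmith", "jdoe", "contractor9"},
    "badge": {"asmith"},                      # building access already revoked for leavers
}

def reconcile(roster: List[Person], systems: Dict[str, Set[str]], today: date
              ) -> Tuple[Dict[str, Dict[str, int]], Dict[str, List[str]]]:
    """Return (lingering, orphans).

    lingering: terminated user_id -> {system: days since their end date}
    orphans:   system -> user ids that exist in the system but not in HR at all
    """
    by_id = {p.user_id: p for p in roster}
    lingering: Dict[str, Dict[str, int]] = {}
    orphans: Dict[str, List[str]] = {}
    for system, accounts in systems.items():
        for uid in accounts:
            person = by_id.get(uid)
            if person is None:
                orphans.setdefault(system, []).append(uid)
            elif person.status == "terminated" and person.end_date is not None:
                lingering.setdefault(uid, {})[system] = (today - person.end_date).days
    for ids in orphans.values():
        ids.sort()
    return lingering, orphans

def offboarding_complete(lingering: Dict[str, Dict[str, int]], roster: List[Person]) -> List[str]:
    """Terminated employees with no remaining accounts in any tracked system."""
    return sorted(p.user_id for p in roster
                  if p.status == "terminated" and p.user_id not in lingering)

if __name__ == "__main__":
    lingering, orphans = reconcile(HR_ROSTER, SYSTEM_ACCOUNTS, date(2022, 1, 10))
    for uid, where in lingering.items():
        for system, days in sorted(where.items()):
            print(f"{uid}: still has a {system} account {days} days after leaving")
    for system, ids in orphans.items():
        print(f"{system}: accounts with no HR record: {', '.join(ids)}")
    print("fully offboarded:", offboarding_complete(lingering, HR_ROSTER))
```

Run the reconciliation on a schedule and feed the `lingering` list to whoever owns each system; the age in days is what turns a stale record into a prioritised ticket, and the `orphans` list surfaces the contractor and service accounts that an HR-driven process never sees.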

5. Companies Subject to Cyber and Privacy Compliance Requirements Will Expand

In 2022, expansions to the compliance requirements in HIPAA, PCI-DSS, CCPA, and GDPR, will pull more companies under the cybersecurity compliance and data privacy umbrellas. The definition of “third party” has now been expanded to “fourth party” in these frameworks, which broadly expands which companies must comply. Think “Six Degrees of Kevin Bacon” but a lot less fun. So even if your company isn’t specifically in the healthcare business, if your company does business with a company that does business with a company in healthcare, then your company may be subject to HIPAA.

6. Demand for Better Employee Information Sharing Will Increase

With all these employees working from home or in smaller satellite offices, what happens to the serendipitous interactions that happen in larger centralized workplaces? What happens to the friendships and even marriages that routinely developed in the workplace of the past? Collaboration tools like Zoom and Slack already exist to make communication happen easily and quickly, but the tools to enable the sharing of deeper information are almost non-existent. Think: LinkedIn, but for internal use only. Demand for enabling employees to publish workplace-relevant information and search the information of others will spike in 2022. This new area will continue to expand and evolve as better familiarity and collegiality are needed to enable better teamwork.

Download our Employee Information Management Infographic here

What do you think about managing your employee information? How do you think it will change in 2022? Let us know what you think at info@montra.io.

Phishing in the Workplace: 3 Attacks and 3 Ways to Protect Yourself

About the time most people learn how to spell phishing, they realize that it is an email-based social engineering tactic to get access to a user’s account or financial information. It probably won’t come as a surprise that phishing is now fairly common on LinkedIn and in text messages.

No matter whether it is email, LinkedIn, or text, the tactics the scammers use are consistent. Here are three of the most common tactics being used by scammers today: 

1. Fake Messages from the “Boss” 

This is a particularly insidious and effective tactic. A message is sent via email/text/LinkedIn to the user, purporting to come from the CEO, CFO, or another high-ranking employee at the company, with an urgent request to contact them. The scammer typically uses more targeted language in the messages that applies to the business to make the attack more effective. This is typically called a spear-phishing attack because of its more targeted nature.

2. Fake Tech Support Messages  

Some phishers try to mimic the IT support staff rather than an executive to get people to engage. The focus of this type of attack is to get the target to give up their credentials to important company accounts. The attacks usually start with something like “Important Alert: Your Account Has Been Hacked”. The user will then be instructed to click on a link to reset their password and/or give up other important information. The links will always go to fake sites whose addresses will not match the company name or the name of the software that has supposedly been hacked.

3. Fake Contact Requests 

This is used most often on social platforms like LinkedIn, but it is seen on email and text also. When a fake LinkedIn request comes via email, the link embedded in the email will go to a nefarious site that can load malware or ask for login information. We are often excited to receive a request that might lead to new business, so these attacks are particularly effective on sales and finance staff. 

These are just a few examples, and it is important to know that the types of phishing attacks and the format by which employees are targeted in the workplace continue to expand. Regardless, there are some basic tactics that apply across email, text or LinkedIn. Here are three ways to keep yourself from getting “social engineered” by one of these attacks:

1. Look at the Sender Information 

Whether in email, text, or LinkedIn, the sender’s information will look wrong. Most sending info will have the right name with an incorrect email address, like:

Boss Lady <badactor234@gmail.com> 

In the case of LinkedIn, you need to look at their profile picture, name, and work history. The picture will typically be pulled from publicly available photos and the work history will be very limited. 

2. Look for Poor Grammar and Terminology 

While the sophistication of attacks continues to improve, it is difficult to completely mimic a message from a boss, customer, or colleague. If the fake sender is using the term “customer” when you know the real sender always says “client”, you should be concerned. 

“Hey, send me your phone number. I have some important work for you” 

Also, if they send an email to ask for your phone number, you need to think about whether that fits with how they would really interact with you. If they ask for your phone number and then text you rather than call you, it is 100% a scam.

3. Reach out Separately or Just Don’t Respond

In most workplace phishing attacks, you have alternate ways to communicate with the supposed sender. If you are concerned, reach out to them by a different method – phone call or Slack – and see if that is really them. If you do not have another way to verify the information, and you are not certain if it is legitimate then ‘do nothing’ is not a bad option.

“John, I just received a strange email message that is supposedly from you. Did you just send me something?” 

If the scammer is trying to create a false sense of urgency on behalf of the boss or a customer, this makes that hard to sustain. Just remember, though: if it is really an emergency – even in today’s world – they will call you. If it is a social network connection request, just log in to the service separately and view the request there rather than clicking the email link.

There is a lot more your company can do to help including using email filters and text blockers on company accounts and providing cybersecurity training on an annual basis. In fact, for many companies, these actions are required for them to follow industry cybersecurity regulations. If you aren’t certain what tools are available to you, reach out to your company’s IT staff or service provider. They will be happy to help you stay safe!  

Tis the Season for Cyberthreats: 3 Ways to Keep Your Device Secure Over Turkey

It’s that time of year for travel, visiting family, eating too much, and rushing around for last-minute errands and gifts. It is a hectic and wonderful time but if you are like me, it is also when you are trying to fit work into different locations, times, and levels of sobriety.  

It is easy to be distracted in this season. Cyber attackers know this and you should be rightfully concerned. 

Here are a few ways to keep you and your devices safe as you find yourself in new workplaces during the holidays. 

1. Watch Where and How You Connect 

Whether you are connecting on your parents’ wifi or from the closest Panera, you will be connecting differently and probably less securely than your normal home office. If your mom’s wifi doesn’t have “one of those silly passwords”, then you need to protect your presence on that connection: 

  • If your company has a VPN, you should use it. Or consider a paid VPN service.
  • Keep your laptop firewall always running. Windows and Mac both have this built-in.
  • Set yourself in stealth mode if you can.
  • Make sure you have updated antivirus (AV) or endpoint detection and response (EDR) software installed.
  • On your mobile device, use a security app like what AT&T and Verizon provide for free.
  • If you want to be the safest, skip the wifi and tether your laptop to your phone with the security app running.

If you follow these basic steps, you should be safe at your closest coffee shop to “get some work done” while enjoying some peace and quiet.  

2. Think About How You Are Mixing Your Work and Personal Tasks 

You are going to be doing a lot more personal tasks on your laptop than you normally do. This could lead to exposure on shopping sites, gaming sites, or elsewhere, which opens you to new threats. Be mindful of where that search for “adult sized Elf costume” or “Thanksgiving movies on Netflix” is taking you. Also keep in mind that if you are connected to your company VPN, you are traversing company property and are subject to their acceptable use policy. Tread carefully. 

To help keep your focus, you might consider using one browser for your personal stuff and one for your work. Or if your browser supports tab groups, you can group your personal and work tabs separately. If you keep your screen organized, you are less likely to be confused by a popup or email request that is really a phishing attempt. 

3. Be Aware of Who is Using Your Device 

It’s easy to leave your laptop open on the table after you’ve found that recipe for leftover turkey melts. While you are searching your mom’s fridge for gruyere, your weird Uncle Steve might ask to “check his fantasy team.” You and your uncle might have a different idea of what a fantasy team is, and you could get the leftover spyware and bloatware that his surfing has put on your laptop. 

A few items to help you with your potentially “over-shared” device: 

  • Make certain your device quickly locks when not in use. This is easy on phones, but on laptops you may want to set it to the minimum setting for the holidays. 
  • Close your devices and put them away if you won’t be using them for a while. Not that anyone is going to do anything to them, but gravy in the keyboard is just as problematic as privacy loss. 
  • If your device is running the Jackbox game, or your phone has been volunteered for a round of Heads Up!, just make certain that you get it back at the end of the game. It is easy after a few glasses of wine to forget that your work laptop with all your year-end data is still sitting by the fire when midnight rolls around.

So while your uncle or cousin may not be trying to hack your device themselves, they are not going to be as concerned as you about what sites they visit and what fun new games they download. It is the season of giving, but I think you should be a bit selfish with your devices.

Stay safe and stay private this holiday season!

CMMC Compliance Infographic

CMMC & Cloud Compliance

The Cybersecurity Maturity Model Certification (CMMC) is a new and still developing standard for measuring a company’s cybersecurity effectiveness. CMMC is simply divided into five levels to allow organizations to put measures in place to reach the minimum cybersecurity necessary to protect customer data. The key to success is breaking the compliance process into smaller pieces and setting goals for achieving each level. Working with a company that can help you manage the project and work through implementing the needed security standards can make the process much easier and the likelihood of the success of the program much higher. Click to download our infographic to learn more.