12 Cyber Readiness Strategies #1 and #2

Is your business ready to handle a targeted cyber-attack? Maybe you have been attacked and don’t even know it. According to the 2020 Thales Data Threat Report, 49% of US companies have already experienced a data breach. To help you become more proactive and effective at defending against cyber threats, we are discussing 12 Cyber Readiness Strategies over the next few blogs.

1. Have a Cyber Readiness Plan

It may seem obvious, but to properly address all of the cyber-security threats to your organization, you first need to have a plan – specifically a Cyber Readiness Plan. Your ability to quickly and cost-effectively overcome security threats or breaches determines your business’s success and survival. How you handle and protect your data is central to your business’s security and to the privacy expectations of your customers, employees, and partners. You need a cyber readiness plan that includes prevention, continuity, and recovery strategies. The Federal Communications Commission provides an excellent planning guide that identifies six critical areas of cybersecurity for companies to address:

1. Privacy and Data Security

2. Scams and Fraud

3. Network Security

4. Email

5. Website Security

6. Mobile Devices

Download the associated cheat sheet as an easy outline to understand each of these areas to help you quickly navigate these best practices and assess your readiness.

2. Establish Strict Policies and Procedures

Cybersecurity policies and procedures help guide secure business operations and are essential for defining the standards of business conduct, system controls, employee awareness, and workplace definitions and expectations. While establishing strict, security-focused protocols is crucial, a system of validation and enforcement is equally important. In fact, all major cybersecurity and privacy frameworks, such as NIST CSF, ISO 27001, HIPAA, and PCI DSS, require periodic auditing or continuous monitoring to make certain that policies are properly put into operation.

To help you start building your cybersecurity policy and procedure library, we have provided a few policy templates to start. Click to download 12 IT policy templates that are critical to any IT operation.

Microsoft 365 Trends in 2022

After a somewhat late start and mixed approach to offering services versus software (remember ASPs and Hosted Exchange), Microsoft 365 has become the dominant SaaS platform for mid-market and SMB companies. Microsoft 365 now has over 50 million subscribers. Not all of the other major SaaS providers provide their subscriber numbers but they include Adobe Cloud with 26 million subscribers and Salesforce with an estimated 17.8 million subscribers. 

With such a dominant role in corporate IT, our final trend predictions for 2022 are focused specifically on the trends for Microsoft 365.

1. More AI Features will Be Added 

Artificial Intelligence (AI) is already a central focus of some 365 applications like Dynamics AI, but where most users feel the impact of AI is when these smart features are embedded into the core 365 apps, like dynamic translations between languages in Word or the resume helper feature that pops up when Word believes you are working on one.

Microsoft’s enormous user base puts them in a unique position to use AI techniques like machine learning (ML) that need a lot of user behavior data to work well. Microsoft will roll out these types of smart features in 2022 to offer uniqueness to their offerings that can only be added at their scale. 

2. Microsoft 365 will Get More Complex – not Less 

The approach that Microsoft has taken with 365 has been to constantly add features and capabilities, often without much of an announcement, documentation, or support. Many of these features are included in one or more of their subscription levels. The approach makes sense at the scale at which they operate, but it leads to adding more capabilities that make 365 more complex to understand and utilize well.

In 2022 this trend towards more complexity will continue. New features and new pricing plans will be an expanding story throughout the year. In Microsoft’s defense, it is really the right strategy for them right now. It is relatively low cost for them to add features to 365 and effectively test them on their large customer base. The features that are working and being used (like Teams) get more development and support effort, while the features that don’t work get less support and will even get removed (like Delve). 

3. More API Tendrils will Deepen Microsoft 365’s Grip 

The number of application programming interfaces (APIs) in Microsoft 365 is mind-boggling. In 2022, the breadth of API coverage will increase. This is a strategic play and a practical benefit associated with the size and scale of Microsoft 365. Providing broad API support gives an incentive to enterprise developers or third parties to use the 365 features and applications in the automation of their business workflows. 

Look for more API support in the core IT processes that are associated with email, security, remote working, and data loss prevention. 365 is at the center of where most companies’ employees interact with technology and communicate with one another. API support for automation that leverages this unique position for 365 is highly strategic to companies and therefore to Microsoft also.

4. Remote Collaboration Will Take Center Stage 

Regardless of what happens with the pandemic and changing attitudes about remote work, Microsoft 365 will see many new features added or expanded to enable better remote work. While there are clear indications that many employees will return or continue to work from an office location, the remote work wave among software and services will lag the trend since rolling out these features has taken so long. 

For 365, extensions to Teams and the collaboration features of the Office application suite will feature prominently in 2022, if for no other reason than they were in development in 2020 and 2021. These features will provide value to remote workers and remote teams but will not see as much impact as was originally expected in 2021. 

We are big believers in Microsoft 365 and the increasing influence it will have on users across companies of all sizes. What do you think about Microsoft 365 in 2022? Where do you think Microsoft will expand this juggernaut for the upcoming year? Let us know what you think at info@montra.io. 

Remote Device Management Trends in 2022

In the third of our four-part series on trends for 2022, we are looking at device management trends. When we talk about devices we mean any physical asset that a person uses to connect to a network of information sources. 

Devices are proliferating, getting cheaper, and becoming more diverse, while our use of devices is expanding in frequency, location, and types of use. Whether we are talking about end-user devices or unattended ones, devices are front and center in the IT discussion and will be for 2022. 

With that in mind, the following are our trends for device management and security in 2022: 

1. Cyber-Attacks on Devices Will Get Bigger and Quieter 

With all the device proliferation, it’s no wonder that devices and the people that use them are now the frontline for security threats. The cloud and the systems and services that reside there are getting increasingly hardened against cyber attacks. Companies are continuing to shrink their private data centers while also getting better at securing them. This leaves devices – whether it’s an end-user device or an unattended one – as the current soft targets for cyber-criminals. 

In 2022, we will see more attacks of the sophisticated variety in which devices are compromised quietly until enough devices have been co-opted that they can be used together in a coordinated attack. Unattended devices at the edge of the network are particularly vulnerable to this type of attack and are likely to be used in a number of edge swarm attacks.

2. Remote Management Wars Will Escalate 

Everyone wants to manage user devices – the hardware companies, the OS companies, the device owners, the app vendors, and telecom service providers. They all have legitimate business and technical reasons, usually centered around better device uptime, better service availability and device and data security. There is already a turf war for client software that needs to run on each device or gateway software that aggregates information on lower-end devices. It only makes sense for a very few remote management apps to be running on the device, and in 2022, the battle for that precious real estate will escalate. Corporations will increasingly need to turn to neutral third parties to help them understand how they navigate this battle for their devices. Many companies have opted for either no remote monitoring and management or defaulted to the hardware or security vendor. As the remote worker norm sets in, companies will need to make better-informed decisions about remote device management to make certain their uptime and security goals are maintained while also keeping employee productivity high and support costs minimal. 

3. Device-Cloud Will Kill Client-Server. Sort of. 

“The future is already here – it’s just not evenly distributed.” William Gibson said that 18 years ago, but it applies to this world of device-cloud and client-server today. Client-server is the computing architecture that replaced mainframe and is basically a PC connecting to a local network on which there is a server (“a big PC”) that runs an application for many people to use simultaneously. That started in the 1980s and the mainframe business has been declared dead every year since. The mainframe market is still alive and kicking, but it ain’t what it used to be. And while many of us work for companies that still have some application that runs on a server, there is not one startup in the past 10 years that has reached unicorn status with a client-server application architecture.

The replacement for client-server is device-cloud or just “the cloud”. It comes in many flavors but in this context, the device is a laptop, tablet, or smartphone, and the cloud is a SaaS application or “serverless” or “native” cloud application. 

There is not one enterprise software startup that will emerge in 2022 that builds their application on anything other than pure device-cloud architecture. In addition, the remote worker norm pushed client-server even closer to the grave because client-server does not perform well with large-scale remote users. The security layers that need to sit in front of client-server solutions to serve remote users create cost and performance issues. So, 2022 will be a watershed year in the corporate move away from client-server architectures, and we will find more than 80% of the screen-time of a typical user is on device-cloud apps. 

4. The PC CPU War Will Move to the Front Page 

The PC CPU war has already begun, but only industry insiders have really cared. Anyone who has purchased a MacBook in the past 18 months knows about the M1 CPU and knows why it matters. The latest Macs no longer use Intel CPUs – effectively ending their 15-year run. Instead, they use an ARM chip designed by Apple and built by TSMC. The performance is incredibly fast and for Apple, there is no going back. The way ARM chips are designed and built is fundamentally different than the way traditional CPUs are built. The net of it is that large technology companies like Apple, Lenovo, Microsoft, Google, and others can design their own ARM chips and have them built by lower-cost chip manufacturers than Intel.

The ARM race has been going for a while, but in 2022 it will explode onto the front page. Apple will expand its ARM strategy, but what will make this truly mainstream is that one of the major PC vendors will launch their first ARM-based laptops. When people experience the speed difference and the faster innovation cycles for new chip designs, it will make CPUs a watercooler topic for the first time in 20 years. 

5. Secure Remote Erasure of Devices Will Become a Thing 

Today devices can be locked and erased remotely. This is mostly executed by companies when a remote worker has left their company and the company wants to secure the device as quickly as possible. Separately, the same devices or other devices will be shipped back to a common location, where they are erased using highly secure erasure techniques recommended by the Department of Defense (DoD 5220.22-M) or the National Institute of Standards and Technology (NIST Special Publication 800-88). 

As more companies increasingly treat remote work as the norm rather than the exception, these workflows will need to merge. In 2022, more and more companies will begin to require remote secure erasure processes. This will allow companies to protect the corporate data that is stored on the remote devices, and either never retrieve the device or allow the device to ship directly to an ITAD service – saving time and money. 

What are you thinking about device management and security in 2022? What are your big concerns for the upcoming year? Let us know what you think at info@montra.io. 

Cloud Compliance in 2022

This is the second in our series of 2022 trends. Last week we covered employee information management trends for 2022. This week we look at the trends for cloud compliance in 2022. 

Compliance – which in our context is specifically cybersecurity compliance – continues to be the way in which cybersecurity is managed and measured in modern IT. This is especially true in cloud services, where compliance standards have been an enabler to cloud growth. Cyber compliance standards like HIPAA, PCI DSS, NIST, and ISO 27001 help set the standards that businesses can use when evaluating how secure the cloud services are that they are evaluating and purchasing.

As the nature of cybersecurity attacks changes, so too do the standards for cybersecurity compliance. This leads to our big trends in cloud compliance for 2022.

1. Companies Will More Broadly Apply CMMC to Their Non-Federal Clouds 

We discussed Cybersecurity Maturity Model Certification (CMMC) in a post a couple of weeks ago. This measurement standard from the Federal government will continue to expand into and provide influence over cybersecurity in the private sector. 

CMMC incorporates NIST SP 800-171 standards and provides a convenient five-level maturity measure. This type of measure has been used in IT in the past with the Capability Maturity Model (CMM) which was used by many CIOs in the early 2000s to measure their path toward better IT process and service orientation. 

With the recent announcement of CMMC 2.0, and with the prevalent knowledge of consultants that can lead IT organizations down the path of better cybersecurity, 2022 looks to be the year that CMMC measurement and reporting of the cloud becomes commonplace. 

2. Private-Public Hybrid Cloud Models Will Add Compliance Nuance 

In 2022, more companies will generate more of their data in the public cloud. Many of those companies will have policies to move portions of that data to their private cloud within defined periods of time. Which data is moved and when and where will continue to be a compliance challenge both for security as well as privacy. As compliance rules shift – like frequency of vulnerability scanning – companies that maintain hybrid clouds will need to update their procedures in both private and public contexts as well as the reporting for audits. Enforcement of data-related policies such as right to erase personal data will increase.

3. Multi-cloud Application Compliance Will Become More Complex to Track

When companies implement applications in a cloud today, they mostly isolate each application in one cloud – typically called hybrid cloud. Multi-cloud applications span more than one cloud and are increasing in popularity as different cloud vendors develop specialized and unique services. In 2022, more companies than ever will be using multiple clouds for a single application. 

For instance, maybe you develop a customer relationship management application for your sales team. You might store customer phone numbers in one cloud because their database service has privacy protections built-in, but you use a slick emailing app from another cloud that is easy to implement and extend. When emails and first names are temporarily stored in the second cloud, there is now a second location where personally identifiable information (PII) resides. Privacy policy understanding and enforcement is needed in both clouds, but without a rather technical review of each component of the application, this can be missed.

Compliance audits and policy enforcement will need to get increasingly into the “weeds” on each application to understand where the cyber-risks are and how cyber-compliance policies apply. 

4. Compliance Ownership When Using Cloud-native Services Will Shift 

All the major clouds – AWS, Azure, GCP, IBM – have co-management models for cloud compliance, but the policies are mostly utilized for first-gen cloud technologies like virtual machines. The differences in co-management of cloud compliance with cloud-native services have been treated as a special case by cloud providers. In 2022, the prevalent usage of cloud-native services will make it necessary for cloud providers to address the ambiguities of cloud compliance responsibilities that these services create.

For example, with virtual machine implementations, responsibility for user credentials is clearly on the side of the customer. With cloud-native services, though, user credentials are exposed as they are used to access various services and/or are passed between services. How the user credentials are being handled by the cloud provider becomes important for compliance and security purposes for the cloud customer. 

What do you think about cloud compliance in 2022? What are your big concerns for the upcoming year? Let us know what you think at info@montra.io.

Employee Information Management Infographic

Employee Information Management in 2022

Employee information management is an important topic for a lot of mid-sized companies, especially those that are experiencing or are planning for a lot of growth. Running efficient on-boarding and off-boarding processes, keeping track of the latest employee information, and maintaining proper access to the right systems and services, are all functions impacted by good employee information management. Click to download our infographic on the top Employee Information Management trends in 2022.

Employee Information Management Trends for 2022

The past two years have had a major impact on everyone’s lives, so we are looking forward to 2022 with anticipation (well, not as much as the anticipation last year leading into 2021). Some of the biggest changes as they relate to work have been in how and where we work, the increasing number of cybersecurity threats, and the changes in how IT services are delivered. As we look forward to 2022, we can see that these trends will have a big impact on how and why companies manage their employee information.

Employee information management is an important topic for a lot of mid-sized companies, especially those that are experiencing or are planning for a lot of growth. Running efficient on-boarding and off-boarding processes, keeping track of the latest employee information, and maintaining proper access to the right systems and services, are all functions impacted by good employee information management.

One of the challenges for businesses with their people information management is that there are islands of data on employees and contractors that exist within most organizations. Recruiting databases, HRIS, email systems, physical security access systems, finance systems, and other services, all maintain subsets of data on employees. Due to security and privacy concerns, it is difficult to access and update all these systems either by employees or by the admins. Additionally, the systems almost never talk to each other to synchronize changes.

This leads to three critical areas of concern with poor employee information management:

1. Employee Onboarding Takes Too Long: it takes longer to get new employees operational and effective

2. Security Risk is High: it is difficult to track employee credentials across all the systems and services for which they should be granted access

3. Employee Data Gets Stale and Inaccurate: Applications that rely on this data – like disaster recovery services – can become completely ineffective.

With that in mind, here are our top trends for Employee Information Management in 2022:

1. Increasing Employee Churn Will Drive Need for Better Employee Onboarding / Offboarding

The economy will continue its post-lockdown expansion. This will continue to fuel higher rates of employee departures and arrivals than ever before. Employers are more pressured than ever to make certain the onboarding process is as quick and accurate as possible, while the offboarding process is secure and trackable for cybersecurity and compliance purposes.

2. The Definition of the Employee Workplace Will Continue to Broaden

The workplace has been changed forever over the past couple of years. More employees are working at home, in a co-working space, or even in a second home away from major cities. What used to be a special case (“We have 3 offices and a few people that work from home.”) will continue to move toward the norm in 2022. Systems that track employee location today are almost all static and assume that a limited number of workplace addresses exist. Employers need to rethink what an employee workplace is and how they plan to handle this more dynamic and fragmented nature of the workplace.

3. Workplace Information Will Need to Be More Dynamic Than Ever

Understanding where an employee is, was, and will be, will become critical for company IT staff and others needing accurate workplace information in 2022. For cybersecurity policies and compliance to work properly, accurate information about a person’s location is needed. Different access policies can be enforced, and audit trails can be created to trace issues when they occur. Additionally, in the case of a disaster or other emergency, employers can know who was in what workplace and how notifications and recovery processes should be handled.

4. Employee Offboarding Will Need to Be More Accurate

Most mid-sized and high-growth companies do not have well-run offboarding processes. With more employees leaving a company, any inefficiencies in the offboarding process will get exposed in 2022. In the past when a person was exited, the accuracy of removing access to every system was not that critical. If physical access to the building and email access was removed, offboarding was “80% done”. The rest of the systems could be updated at leisure. The modern workplace in 2022 will drive the need for accuracy. Enabling this means employee information about account and systems credentials needs to be accurate and easily accessible to the appropriate people. If the information is inaccurate, the former employee could have access to data or services that put the company at risk.

5. Companies Subject to Cyber and Privacy Compliance Requirements Will Expand

In 2022, expansions to the compliance requirements in HIPAA, PCI-DSS, CCPA, and GDPR, will pull more companies under the cybersecurity compliance and data privacy umbrellas. The definition of “third party” has now been expanded to “fourth party” in these frameworks, which broadly expands which companies must comply. Think “Six Degrees of Kevin Bacon” but a lot less fun. So even if your company isn’t specifically in the healthcare business, if your company does business with a company that does business with a company in healthcare, then your company may be subject to HIPAA.

6. Demand for Better Employee Information Sharing Will Increase

With all these employees working from home or in smaller satellite offices, what happens to the serendipitous interactions that happen in larger centralized workplaces? What happens to the friendships and even marriages that routinely developed in the workplace of the past? Collaboration tools like Zoom and Slack exist already to make communication happen easily and quickly, but the tools to enable the sharing of deeper information are almost non-existent. Think: LinkedIn but for internal use only. Demand for enabling employees to publish workplace-relevant information and search on the information of others will spike in 2022. This new area will continue to expand and evolve, as better familiarity and collegiality will be needed to enable better teamwork.

Download our Employee Information Management Infographic here 

What do you think about managing your employee information? How do you think it will change in 2022? Let us know what you think at info@montra.io.