Corporate Mergers and Acquisitions in the Cloud: Four Things to Consider

Digitally transforming your organization to operate primarily in the cloud means minimized costs, increased flexibility, and the ability to provide better customer support. It also means, though, that it’s easier to lose control of technology spending and communication across departments. Imagine, now, how a merger or acquisition can highlight both the benefits and the drawbacks of the cloud.

Recently, Deloitte published a blog post that compiled three ways cloud computing enables mergers and acquisitions, making the process better and smoother for everyone involved. 

Author David Linthicum specifies that this is because exchanging data intra-cloud is faster, easier and less expensive; because security systems can be synced in a fraction of the time of traditional legacy security integration; and because the cloud encourages common data semantics and promotes a single source of truth on what is considered a customer, inventory, product, etc.

Linthicum begins his article on cloud as the answer to life, the universe and acquisitions by saying, “it’s difficult to bring together the IT systems of both companies, and synergy can take years, not months to achieve. Both the customers and investors can become underwhelmed by the progress, and the company often pays the price by falling short of expectations.” 

This is very true. We think, however, that while the cloud can help to alleviate these issues, it cannot remove them entirely. Especially once two organizations reach a certain size and reliance on cloud-based processes and storage, approaching a cloud-based merger under the belief that things will go smoothly by default is a mistake. 

It’s also true that “cloud computing and its ability to more easily merge IT systems” can benefit merging companies, as Linthicum says, and that “cloud-based resources can be allocated as needed, and public cloud-based systems can easily work and play well with each other.”

But what are some of the potential “gotchas” of a cloud-based merger? Where are the scenarios in which both companies could end up losing money and compromising security because of SaaS? 

Here are four of the most common pitfalls to watch out for when merging corporations that are already digitally transformed:

  • Employees logging onto new systems with different levels of training and different guidelines. We’ve outlined five ways to build a secure culture, but all organizations exist at varying levels of cybersecurity maturity. If you acquire a company that has done less training on security risks with its employees, inviting them to access your systems could open security rifts that will be difficult to track with all the other acquisition activities going on. 
  • Disgruntled employees (on both sides). Change is hard. Whether your company is purchased by another and your employees are forced to assimilate, or your company purchases another and your employees need to welcome outsiders into their comfortable day-to-day, not everyone will take it well. There’s a good chance they’ll come around, but in the meantime, you’re allowing unhappy workers to access sensitive data in new systems. Watch for signs of malicious activity as you merge corporations. 
  • Wasting money while one organization or the other runs out duplicate contracts. There’s a good chance the merging organizations will have dual licenses to some of the most common software. Considering Gartner estimates most organizations overspend on cloud by 30% on their own, a merger may represent a period of significant overspend. There may be no way around it, but knowing which software license subscriptions each organization is paying for, and being able to track their usage and renewal dates, is priceless during a time of such upheaval at cloud-based companies. 
  • Higher chance of overpaying for duplicate functionality and unused licenses. Again, this happens under the status quo, too, but during a merger, it becomes even more difficult to tell who’s using what, who needs a license renewed and who will never use a license because another subscription provides the same functionality with more familiarity. Only when you track licenses, usage and functionality can you determine how your newly-combined organization can use the cloud most efficiently. 

Overall, we still encourage organizations to move to the cloud for many reasons – the enablement of smooth mergers and acquisitions is one of them. Deloitte is right on that. We just want to caution those of you eagerly approaching a merger that just because SaaS enables collaboration and combination doesn’t mean you can just look the other way when it comes to your software. There’s a lot to consider. The good news is, just by being aware of the places where cloud-based processes can allow money and security to fall through the cracks, you’re in a better position to prevent it. 

Which of your employees are out to get you? Tips for identifying and understanding malicious insiders

Not to sound like a broken record, but protecting your organization’s information is a pretty big deal. Recent data breaches have cost corporations millions of dollars, and the trust of thousands of people. Like we’ve pointed out in the past, many of these breaches are caused by your employees and the other people who have access to your systems – the insiders. These insiders fall into four broad categories – and two of them aren’t even threatening your security on purpose. Those inadvertent insiders are the categories Applogie protects against. 

But what about the other two categories? The malicious insiders and the professional insiders? There are fewer people who are actively scheming to steal your company data, but they are out there – and they’re motivated. 

Okay, so the Applogie platform isn’t going to track down the people who are hellbent on stealing your information, but we’re experts in data protection, and we want to make sure you’re educated about all the ways in which your data could slip through the cracks. That’s why we want to run through some tips for spotting and understanding insider threat. It’s time to get to know your malicious insiders. 

Who are they? 

Research done by Carnegie Mellon University’s CERT Insider Threat Center states “the employees that pose the greatest risk for insider threat/theft include technical staff such as engineers and scientists, managers, sales personnel and programmers,” and warns organizations to pay particularly close attention to employees with administrative rights and specialized users of IT systems, because “these employees know the strengths and vulnerabilities of the systems.”

What’s their motivation?

The CERT Insider Threat Center has identified four categories of motivation for someone stealing corporate data: 

  • IT sabotage: When an insider wants to steal code, proprietary programs or other IT assets as retribution against the company for a perceived slight.
  • Business advantage: When an insider takes corporate data to use as an advantage at a new job (probably with one of your competitors) or to start a new business of their own. 
  • Financial gain: When an insider steals Social Security numbers, credit card data or banking information in order to defraud your company of money. 
  • Espionage: When an insider is spying on your company and taking its information to “the enemy” for corporate advantage, political gain, or financial reward. 

How do they do it? 

Malicious insiders steal and move corporate data in a variety of ways, including: 

  • Over email: Email is one of the easiest ways to transfer smaller amounts of data (less than 10 GB). 
  • Via FTP (File Transfer Protocol): Malicious insiders who know what they’re doing are likely to upload stolen data to an FTP site.
  • With removable media: Physically transferring data to a USB drive, cell phone, tablet or external hard drive is an easy way to copy data and carry it out of the office. It’s also tough to track and trace. 
  • By accessing your systems remotely: If your data is in the cloud (and it probably is), employees likely have access to it from anywhere, meaning they can download and save it to personal devices, machines and servers. 
  • On paper: Sure, it’s old-school, but it still works. Malicious insiders can easily grab paper documents containing your information and pass them into the wrong hands. 
  • Taking pictures and screenshots: Taking a picture of information on a computer screen with a personal cell phone is one of the easiest, quickest ways to get proprietary data off-site, and it’s nearly impossible to track. 

How do you spot a malicious insider? 

A 2019 Security Today article points out risk signs that an employee might be up to no good or desperate enough to feel that stealing from your company is their best option. These risk signs include: 

  • Extreme interest in matters outside their role and job duties
  • Working odd hours without authorization
  • Excessive negative commentary about the organization
  • Signs of drug or alcohol abuse, financial difficulties, gambling, and poor mental health

As with all cloud and cybersecurity matters, reducing your risk of a data breach by a malicious insider isn’t just one person’s or one department’s job.

“HR and IT security teams should be vigilant in the wake of significant organizational events, such as a layoff or if an employee believes they are going to receive a promotion and do not,” says Security Today. “Most important is coordination between HR and IT security around these events.”

Of course, it’s important to remember that two-thirds of total data records compromised in 2017 were the result of inadvertent insiders. So while there’s still a significant chance of purposeful, malicious breach, it’s probably more important to defend your organization against the people who don’t know any better. Here are some steps to take to do so, and here’s how the Applogie platform puts automated protection in place. Try it today for free!

The riskiest types of insider security threats

For a few years now, research has shown upwards of 60% of all cybersecurity attacks against corporations have been committed by insiders – employees, partners, vendors, etc. And according to the Ponemon Institute’s “2018 Cost of Insider Threats” report, the average cost of insider incidents was $8.76 million in 2017 – more than twice the $3.86 million global average cost of all breaches during the same year.

It’s not a pleasant thought – knowing the biggest risk to your organization comes from the people you trust with your most sensitive systems, data and logins.

What’s even tougher, though, is not knowing what exactly that insider threat looks like. Who is it that you have cause not to trust? Should you have been more careful with your hires, your background checks, your PC monitoring? Not necessarily.

When Teramind determined four separate types of insiders that could be threatening your organization, they did include the two “blockbuster movie hacker” types you might be picturing:

  • The malicious insider: “Insiders that steal data intentionally, or destroy company networks – such as an employee that deletes company data on their last day of work.” These are your disgruntled workers, scorned staff, passed-up-for-promotion professionals. While the possibility of this type of attack is real, it would take someone in a very specific position to do real and lasting damage to your organization’s data without serious repercussion.
  • The professional insider: “Insiders making a career off exploiting network vulnerabilities, and selling that information on the DarkWeb.” These are the guys they make movies about … the moles, the ones really committed to the long con. Again, this threat is possible but not probable – especially for most types of organizations (no offense).

Here’s the thing. Most of your employees care about your organization and want to do a good job – or at the very least, they want to do a job and go home. They’re not out to get you at a global level, and they probably don’t have all that much to gain from sneakily stealing your data. Unfortunately, they’re the scariest ones.

Two-thirds of total data records compromised in 2017 were the result of inadvertent insiders, according to the “2018 IBM X-Force Threat Intelligence Index.” These inadvertent insiders take two primary forms:

  • The oblivious insider: “Insiders with important access to company information that have been compromised from the outside. Because the system is monitored from the outside, the employees are usually oblivious to the act,” and
  • The negligent insider: “Insiders that are usually uneducated on potential security threats, or simply bypass protocol to meet workplace efficiency. These employees are most vulnerable to social engineering.”

Often, oblivious and negligent insiders are one and the same. They’re the employees who didn’t pay attention to training, didn’t follow the practices outlined in those trainings and then – when this lack of protocol-following made them vulnerable – didn’t recognize the signs that their system had been compromised from the outside.

As we mentioned earlier this year, Verizon’s 2018 Data Breach Report found that an average of 4% of targets in a phishing campaign will click, and that people who have clicked once are more likely to click again. Sure, you could generalize about who these employees are most likely to be, but it’s more effective to make sure everyone takes part in regular training reminding them of the signs of phishing campaigns and how to respond if they think they’re an attempted target.

You should also make an effort to squelch one of the most common ways threats enter your organization: through what we like to call the connected compromise.

When researchers at Virginia Tech University and Dashlane analysts carried out one of the largest empirical studies on password reuse and modification patterns (on a database of 28 million users and their 61 million passwords), they found 52% of people use the same passwords (or very similar and easily hackable ones) for different services – most of which are outside your organization’s purview.

That’s one of the places Applogie comes in. With our data breach discovery feature, you have access to the security of your users’ other accounts, in near real-time, and without compromising their privacy. Here’s how it works: when you know that an insider’s account has been a victim of a data breach somewhere else online, you can prompt that employee to change his or her corporate password and login info immediately. This greatly reduces the chance that your own corporate systems are at risk of a breach.

Nobody wants to think they can’t trust their employees, and nobody has time or energy to spend worrying about the potential “call coming from inside the house.” We can help.

Ready to see what Applogie can do? Give our platform a no-strings-attached spin with a free trial today.

Five ways to encourage security at your organization

Your employees are all smart, savvy people, right? You probably wouldn’t have hired them otherwise. While this intelligence and shrewdness keeps your organization running, it can also work against you in certain situations – when it comes to cybersecurity, for example.

“That doesn’t make sense – my people have been working digitally for years – they know how to protect themselves and the company,” you might think. But Verizon’s 2018 Data Breach Report found that an average of 4% of targets in a phishing campaign will click, and that people who have clicked once are more likely to click again.

Last year, 60% of security professionals responding to the EY Global Information Security Survey ranked employee carelessness or negligence as a top threat, up from 44% in 2015. And their wariness isn’t misplaced: a 2017 report from Willis Towers Watson found 66% of all cyber insurance claims stemmed from employee negligence or malfeasance, and the FBI reported a staggering $12.5 billion lost in 2018 due to business email compromise alone.

One of the biggest problems is that people are now so comfortable working, communicating and conducting business online, they’ve become overconfident in their immunity to risk.

“Most modern workers think they know how to avoid security threats,” says Dark Reading. “We no longer have an awareness problem: Workers have heard the basics about phishing. We have a false confidence problem. Knowing about security threats is only half the battle. Employees also have to know what actions to take.”

Making sure your employees know what actions to take, and encouraging them or requiring them to do so, is primarily the responsibility of your organization. Here are five steps you can take to build and maintain a culture of true, educated, actionable cybersecurity at your organization:

  1. Conduct regular, relevant, updated training: We’ve all seen the dated training videos about cybersecurity risks … like leaving confidential documents sitting on a fax machine … and we’ve all laughed at them and zoned them out. It’s worth investing in personalized training that takes your organization’s policies, practices and risk factors into account. When employees feel that a trainer or training program really understands company culture and any potential threats, they’re much more likely to pay attention.
  2. Require password updates and security measures: Nobody likes a forced PC restart due to antivirus software. People really don’t like being forced to choose a new 15-character password with at least one number and one special character every three months. But these measures are extremely important for maintaining protection over your organization’s information. Unique passwords (that aren’t the same as passwords your employees use for banking, shopping and accessing medical records) can help discourage breaches from occurring, and company-wide antivirus software installation and maintenance can help protect you from threats that do manage to break through.
  3. Start from the top: Corporate cybersecurity cannot be a ‘do as I say, not as I do’ situation. Employees need to see your organization’s leadership following best practices too. When good behavior is modeled for them and they see executives following the same policies they are told to follow, they are more likely to do so.
  4. Remind employees it’s about them too, not just the company: No matter how loyal your people are, the idea of a threat to their personal bank accounts or identifying information will probably encourage action better than if they think only corporate information is at risk. Remind them that because so much of our lives are lived online these days, a breach to their corporate accounts can mean increased risk to their personal accounts.
  5. Invest in a solution to monitor individual security breach risk: On the flipside of that, if an employee’s information is compromised elsewhere on the internet, your organization is more at risk. With Applogie’s data breach discovery feature, you can get alerted when an employee account has been compromised somewhere else online. Then you can prompt that employee to change his or her corporate password immediately, greatly reducing the chance that your own corporate systems are at risk of a breach as well.

We all think we’re smart enough to avoid security threats online, but we all get careless. The right corporate policies and solutions can help your employees shoulder less of the responsibility, and the right educational tactics and behavior modeling will encourage them to be as safe as possible with your organization’s systems and information.

How you’ll use SaaS in 2019 and beyond: Four predictions

It’s official now. SaaS is everywhere. Cloud computing is computing. The legacy on-prem systems your enterprise has used for years or decades have moved to the cloud (or if they haven’t quite yet, they’re working on it – ask them). SaaS-based startups are coming out of the woodwork to manage, improve and optimize aspects of your life and business you never even considered could be managed, improved or optimized. Culturally, we’re experiencing a global shift in how we expect information and services to be stored, accessed and available. There’s no turning back now.

And as access to the cloud becomes more and more ubiquitous, we’ll need to continue honing the way we use and manage it. Little things about how we operate in the cloud will start to change and evolve, and we will need to make sure our awareness and attitudes are changing along with them.

Here are four of those “little things” I predict will make a big impact by the end of 2019:

  1. More SaaS spend will end up on your corporate credit card accounts. Don’t fight it – it’s good for the growth, health and innovative spirit of your business. You want to create a culture of experimentation, in which your people have the freedom and agility to test and pick the right products and solutions for the way they work. The best way to foster that freedom is by allowing people to sign up for SaaS-based solutions on their own, with their p-cards. But – of course there’s a but – this means you need a way to keep track of these subscriptions, so you can monitor what’s being purchased, what’s being used, where there’s overlap, and when you need to start putting parameters around the practice.
  2. You’ll need to pay closer attention to which users have access to which systems. This prediction is closely related to the first, and based on this cultural shift we’re undergoing. Because it’s becoming so easy to sign up for software subscriptions and share access with multiple users, people are more comfortable doing so. This applies to subscriptions purchased on corporate cards, yes, but also to the subscriptions handled through your ERP. How often does an employee ask for access to a cloud-based solution and it’s just handed over without any thought, and not recorded anywhere? What’s your process for removing employees from those same solutions after they leave the company or it’s clear they’re just not logging into the application?  More SaaS equals more forgotten users, and those forgotten users not only lead to massive wasted spend, but to one of your organization’s largest risks of security breach.
  3. You’ll be on higher alert for – and more at risk of – massive data breaches. They’re still coming – more of them and bigger than ever before. You’ve likely heard about what just happened with Marriott – where a breach of its Starwood reservation system exposed the personal information of potentially 500 million people. Here’s what that has to do with you – as much as you hope your users aren’t reusing passwords across the web … they are. It’s almost guaranteed. You can tell them not to and impose strict password standards for the systems you control, but ease of use means they’ll likely be using variations on the same username and password everywhere. Yes, everywhere. You can’t know for sure what they’re doing outside your systems, but you can know when their emails are compromised on the dark web, thanks to Applogie’s newest feature.  
  4. You’ll start saving real money. That’s right – not all of my predictions involve more work or risk for you or your organization. Broader adoption of SaaS & IaaS means you really can start realizing the efficiencies these solutions promise – if they’re managed correctly. 2019 is the perfect time to invest a little in a solution that helps you manage your software commitments, so that you can optimize your investments in all your other subscriptions – and reprioritize the dollars saved into what matters – going forward.

I, for one, am thrilled to see what’s in store for the SaaS market this year. I’m confident these four predictions will become reality soon – I can’t wait to see what other exciting developments come along with them.