Listen to learn how current trends tell the future of cybersecurity.
"The threat environment is becoming more aggressive, and the footprint that businesses need to protect is huge. Businesses need to reframe their expectations and reframe their focus."
Reading the future is hard, especially in relation to cybersecurity. However, looking at current cyber trends helps us have a better idea of what is around the corner. Matthew Heffelfinger (Deputy CISO, GSTRT, CyRP (Pepperdine), GRCP, SSAP, ITIL4-F, GISF, PECB) sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to dive into the top 10 cybersecurity trends, and predict the future.
Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide
Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide
[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.
Hello, and welcome back to the SecurityMetrics podcast. I'm Jen Stone.
I'm one of the principal security analysts here at SecurityMetrics, and I'm very excited to have back with me again today. If you haven't heard him before, he's been on before.
You've loved him before. I know this because people give me these comments. And he has his own podcast with one of his colleagues here at SecurityMetrics that where they talk about the news. Heff Oh, thank you.
Was going to do a bio, but I I I can't read this bio because it's no longer current. Will you please tell us about yourself?
So I get the great opportunity to find threats for our clients, and I am the deputy CISO here at SecurityMetrics. So Nice. We are out there. The team and I are trying to find the bad guys and notify our clients.
We like to think of ourselves as the Smokey the Bears. So we're out there just, hey. We found a fire. We found a fire.
You gotta go put out the fire.
So that's what we're doing. I heard also that you have been dubbed unofficially the security evangelist Oh, thank you.
For SecurityMetrics. So, that's pretty high praise.
Yeah. We're doing a lot of great things here, and we don't sometimes get it out. We don't get the message, the word out here.
Well, you're doing hear about.
You're doing your best, and I love being able to be part of that.
So one of the things that that, I wanted to talk to people about was kind of, cyber trends because people are asking me, well, like, they're actually anxious about the future. Where are we going? Every time we feel like we get a handle on something, something new pops up. And what about all of these companies that we we thought were good and they're getting popped and you know? So so I want you to to look into your magic ball.
I can do this. I can do this.
Okay. Perfect. Yeah. And then tell me, how do we predict the future?
Jen, it's so hard. I mean, it's so hard to try to predict predict the future. And, you know, knowing where the bad guys are going is so challenging. And especially, you know, for these smaller businesses Yeah.
To try to figure it all out. And and hiring expensive cyber people is not the best and easy thing to do. Yeah. And there's options out there to not have to go that pathway.
And and now, Jen, the ransomware variants Yeah. Because of this Russian cyber or Ukrainian war thing Yeah. We're seeing all these variants. And the real dangerous ones right now are data wiping malware.
That can drive a small business right out of the Right.
It's not just, hey. We're gonna lock this up and, but we'll give it back to you. No. No. Straight up data's getting taken right out of systems.
Yeah. It's bad. I mean, imagine if you're a business owner and you come in and your entire computer's everything locked, and they're demanding this huge ransom, which you can't pay.
Yeah.
And then you don't have anyone to help you really get everything back online.
So it's it's nuts. It really is.
And then and then they're they're left going, well, how do I re do I pay? Do I rebuild? Do I give up and go start, I don't know, raising chickens? Everybody should raise chickens just so you know.
There's no money in it.
But It's it's peaceful.
It is peaceful.
It's a balance.
Right? So we don't get burned out.
And there's food. So but but no. I mean, people will put their hearts and souls into these companies, and that's actually how SecurityMetrics got started.
Right.
Our CEO, he he was a victim of of a of a breach and and dealt with. And so that's what drives us here is we don't want that to happen to other people. And so, you know, what what do we how do they face this Yeah.
Without stressing out too much.
And the trends are just unreal. The complexity of these tactics, techniques, these procedures that these bad guys are using.
And I really tried to take a perspective of if I owned a business Yeah.
Where would the future go? If I was a network administrator for a business, what would I look at?
If I was a director of IT, what would I look at?
Right.
And focus my energy and efforts on trying to answer your question, the top trends that we're gonna see in the future.
Do you know the way that you that you, framed that, I think is is critical because, small businesses, medium business large businesses will often get, either people that work for them or people who try and help them out that don't think about their business needs first.
Yes. Yes.
And and knowing what what does the business do? How does it make us money? How do we, how do we stay functioning and and profitable? Because that is the nature of a business.
Yep.
Right? Instead, they'll get they'll get kind of, technology wonks that want them to get all of the technology and all of the tools and all of the people Yep. That may or may not address the actual needs of the organization. Yeah.
And and, you know, the enterprise level, they can just throw money at these problems. And for other businesses, they can't. So I wanted to take that balance with giving these trends to the audience on taking that balance. So and that's really kinda leads us into the first trend, which is we're headed for this ecosystem of cyber haves and cyber have nots.
And it's so many businesses, Jen. I know I know you see this. You have to see this Yeah. Where they're struggling Mhmm.
Underneath that security poverty line. And being able to have the resources to participate in that kind of crazy environment where they've got old pieces of equipment. Mhmm. They don't do automation.
They don't have the resources to make it happen, and they're probably never ever gonna engage in that crazy environment of throwing money at a problem. And that I think that's really what what we do here at SecurityMetrics. We do that really good where we try to help businesses stay above that security poverty line. And that is really trend line number one that's going on right now.
And so it it is interesting when I see, organizations that suddenly are faced with, oh, you need to be PCI compliant and a third party has to look at it for the first time or HITRUST or HIPAA, what whatever the the standard or regulation is, and they bring us in and they've never had third party eyes on. So they've gone along, you know, doing their best. They've got, antivirus on, basically, and some things, but they don't even realize the extent to which they are vulnerable, and they don't understand the potential costs, of of creating that. Yeah. And so sometimes, I I like to to give them solutions that are architectural.
In other words, taking a lot of that vulnerable attack surface away from their business Yep.
And put it onto a third party.
And that's that's a perfect it really is. That's a perfect approach. It's it's the perfect storm right now, Jen. We've got, you know, this combination of tight budgets, inflation, old equipment, perhaps staffing.
They may not have the staff or the resources to devote to stopping hackers. And then we've got ransomware as a service, all these vendors out there that are attacking, a huge footprint for many of these businesses to try to protect. And then and then, Jen, we've got this crazy thing with threat actors using automation to attack. So in the past, it was us, the good guys, using automation to try to make ten people feel like a hundred people.
And now the threat actors are doing that too. And then you marry that with this fabric of, all of these breach reporting laws that are changing state by state. Right. PCI, you just did a a podcast about that Yeah.
And how those those things are changing. And businesses can't devote the resources. It it's it's literally impossible to keep up with the Joneses. So Yeah.
Staying above the poverty security line is really the the first trend line that we're seeing out there.
Yeah. I think that's that seems accurate to me as well. Well, let's go on to trend number two. You you gave me a list of trends, and I I thought they were spot on.
I'm super excited because Yes. I thought, oh, no. Do I have to write this list? But, no, you provided me with amazing things.
Trend number two, more reframing of business approaches and expectations.
Can you speak to that a little bit? What does that mean?
And I you know, I think what it is, Jen, it's this aggressive threat environment. Right? We talked about ransomware as a service. Mhmm.
All these third party breaches, the huge footprints that these businesses have to protect, and it's becoming more aggressive at threat environment. And it's realistic excuse me, unrealistic expectations, Jen, that are out there. And this perception that the business owner may say, well, I have a network administrator who'll who'll handle it, or I've got an IT director, and or I'm gonna just give it to SecurityMetrics or a vendor to Yeah. To handle all my security.
But the reality is, expectationally, they're not gonna be able to run all the breaches. So Yeah. Businesses have to reframe their expectations and reframe their focus. And there's a couple ways they can do that.
Yeah.
So, you know, one one example is, you know, when we have that comment where we say, well, the CISO prevents all the breaches or the IT director or Yeah.
The vendor, stops all the breaches. And really the reframing there becomes something like the leader is gonna facilitate more of the risk management.
Yes.
The vendor. SecurityMetrics may help us reframe and facilitate our risk management.
I had a specific conversation about that just yesterday with a CEO of a company.
It was a small company, but he was trying to meet, in his case, it was HITRUST Yeah.
Some specific things there. And he wanted to know, how how to answer the question about, some firewall configurations and firewall rules. And he says, well, we have an MSP, and they just set up our firewall for us.
Yeah.
And I said, okay. What rules? What understanding? Because when you have, an MSP, that distributed decision making comes broader and broader Yep.
If they are not clear what you as a leader want from for your company, then they're not gonna implement it properly. They just think, oh, you want information to flow. I'm gonna give you a firewall that lets information flow. Yeah.
And but instead, if you as a as a leader of your company, you're the CEO, you say to them, what are the firewall rules in and out of my organization, and why are they open?
Bingo.
Then you start you don't have to be an expert in firewall rules to have this conversation with the MSP that's handling your firewall management for you.
Right. Right. Here here's another great example, and that's a perfect example, by the way. I always hear the conversation is cyber risk is a security problem. Cyber risk is a security problem, and a reframing of that would be cyber risk is a is a business risk. And it's one risk out of many Mhmm.
That we need to have on our plate and give some sort of scoring to Yes.
And priority to in our environment.
Balance it against the other priorities in that business environment. Yeah. What's another leadership misconception?
I often hear where speed, security is a roadblock to speed. Security is a roadblock to speed.
Hear that too.
And, you know, sometimes you hear the thing, well, security, they're just gonna be the police department, and they're just gonna come in and put in all these security settings.
Department of no.
Yeah. The department of no. And, really, the reframing there becomes something like, security is an agile way to help us secure the business.
Right.
And it could be one such tool in our arsenal to help the business lower risk.
Right. And and if that well, there's another thing. So let's say that you have a security group and they have established a multi factor authentication against the cheapest one that they could do, but it happens to be kind of a drag for the people using it.
Yeah.
Well, what if leadership says no. Our priority is we want this to be seamless to the users, find a better solution, and we're willing to pay more for it.
But if the leadership isn't part of that decision making Yep.
For the from with the security team, how's the security team going to know what the priorities are and how to fulfill that? So leadership has to be part of that conversation.
And this really gets us into trend number three, which is all about and before I get there, I I always like there's a quote that I heard, and that is, you know, we we train security people how to do security better, but we do it with no resources. We we have to kinda change that approach and change that expectation where we have to really be thinking about holistically a bigger picture, systemic risk and looking we we we talked before the show started about threat modeling.
Threat modeling. More threat modeling.
And and I think that's such a fun activity, and more businesses need to engage in that kind of discussion. But, really, that kinda leads us into trend three, which is prioritizing your environment with high business value.
Threat modeling is all about this trend.
What where can if you're doing decision based risk thinking Mhmm. Where can you add business value with security? Mhmm. And you're again, you're not gonna be able to protect everything in your environment.
If you have a huge footprint Mhmm. You gotta kinda focus on what are the crown jewels in your environment, and then, you know, go go from there. So we have a big saying that we use in our department. He who defends everything, defends nothing.
Yeah. And the reality is for me to defend a business, we have to kinda prioritize what are the most important areas that we are gonna defend and and focus on.
Yeah. I have another example for for this. About six, eight months ago, I had a conversation with a company that was trying to become PCI compliant for the first time.
Yeah.
They were overwhelmed because they have a very complex organization, lots of systems, lots of different types of systems, and a flat network. And if anybody knows what a flat network is, I'll explain it because I don't wanna leave anyone out of the conversation. But if you have a network where everything in your network can communicate with everything else, you have a flat network. Yeah. You know, if there's no if there's no gates there. If you have if you have subnets where you're kind of chunking that network up Yeah.
Segmentation on in that area.
Yeah. That prevents the bad guy from really traversing very quickly and moving laterally through your your runner-up.
Exactly. So this this organization was complex. It was a flat network. There there were a lot of people in a very small security team.
And so they were asking me specifically about how to implement the different requirements. And I said, look. Before we go down this path, I want to ask you if you've considered maybe rearchitecting your network so that you have a PCI specific subnet Beautiful. That is very restricted.
It it does your do your business processes support this this type of thinking? If everything doesn't have to communicate with each other, then maybe take these things out and and let them only communicate in very specific ways. And that way, you're going to get even though I get that, rearchitecting a network and putting in different firewalls, etcetera, is going to be time consuming. In the end, it's going to get them there faster, and it's going to cost them less.
And it's going to allow them to focus on protecting the crown jewels like you were saying. Right?
But, you know, I gotta tell you, you know, you don't even have to spend money on that piece. Just renaming parts of your network that have been segmented off in different, we call it security through obscurity. So if you instead of renaming your network the p this is the PCI network, you give it a color name. Right? This is the red network. This is the green network. This is the blue network.
Threat actors are not gonna Slows them down a bit.
Yeah.
It slows them down a little bit. So, yeah, that's a great, great approach. And, again, you know, with this whole trend number three, prioritizing areas with high business value, Jen, it it really goes down to foundationally concentrating on a relatively small number of activities that are gonna give you the greatest return on your time Mhmm. Return on your resources in securing your environments.
Right. And and and the the the way that, this prioritization works is if you do threat modeling and you say, alright. If we get into these systems, it is literally gonna level us. Yeah.
We can't do business. We're gonna lose revenue stream. It's it's everything's gonna drop. But if somebody gets into these systems, it's going to be annoying, and it's probably gonna impact our bottom line a bit, but it's not gonna, like, take down our company.
Yeah.
And so that's where you where you can, understanding the business side of things helps you model the threats against those things and put the the right kind of resources towards what's really important.
Big time. And when most people approach this trend, prioritizing areas with high business value, they typically take a different pathway. They'll either go, well, let's look at the areas that have, revenue impact. Where can we secure the areas that have revenue impact?
Or do we look at things that can, create more cost efficiency in our environment? Or a third pathway might be, do we look at risk mitigation? And, really, those are kinda like the questionnaires. Where areas add the most value to the business that we can secure?
So Yeah. That is really a it's an awesome trend line, and you're gonna see more and more businesses do that.
This episode is brought to you by SecurityMetrics Shopping Cart Monitor Inspect. It's a revolutionary new product that can help you detect any problems with your shopping cart security, allowing you to effectively improve your ecommerce security. Here's what I know about it. A lot of times people say, well, hey, I am PCI compliant because I passed my SAQ A.
Great. You're missing most of the things that people are actually stealing information from right now. Shopping Cart Monitor was created to actually close those gaps and help you against things like Magecart and other known ecommerce issues. To learn more about this shopping cart monitor, head to our website www.securitymetrics.com.
So I did have another quote, and one of the other quotes is is is helping small to medium sized businesses especially emphasize risk based decision making. Mhmm. And, you know, it's I don't I don't think I've ever met any business that has ever said something like, oh, we have everything we need. We're good to go.
We we're good. We're awesome. You know, but risk making risk based decision making means putting energy, time, resources, efforts into perhaps one or two or three specific areas that are gonna give you that big bang for your buck. Yeah.
And that's where it really has to be. Alright.
So what is trend number four?
Well, it's it's all about making ten men or women feel like a hundred. And you remember that movie Star Wars Rogue One? Have you ever seen it?
I have.
You have not? Oh, well, it's a common quote in that movie that, you know, make ten men or women feel like a hundred. And and that is really trend number four is about empowering your entire business to help lead security activities.
Now before we go on, I wanna make it clear that my first crush was Han Solo.
It was Han Han excellent. Excellent.
It's not that I dislike I love Star Wars, the first movie that came out before they changed it, and I I really haven't liked anything since.
You know what? You're not alone in there. If you get on Reddit right now, that's what everyone's talking about.
Oh, is it? Yeah.
Why are these new ones? Alone. I don't like these new Star Wars movies. Alright. But, you know, again, you're helping your business lead security activities.
And for what I like to think of it as developing good cyber judgment, that's what I like to call it as. So for these small to medium sized businesses, again, they have limited staff, limited resources, and what you're gonna try to do is help it really equip all the employees with a security mindset. And here's a great example. Right?
An employee comes into work and they say, you know, I got this really weird email, but they don't share it with anybody. They don't talk about it other than just maybe in a casual conversation. Oh, I got this weird email, and it was a maybe it was a phishing email. But now, a a a different approach might be actually having that employee say, hey.
I got this email. I wanna share it with all of you Yeah. So you don't click on it because I think it's a phish. Right.
So everyone raises the ship. Everyone raises the bar. Everyone feels confident that they're helping make good cyber judgment to help protect the business. So, there's a couple areas in here where vendors like us, for example, SecurityMetrics, we really excel, where we're helping lead some of those security activities Mhmm.
But we're not owning it. We're helping them get to the finish line, figure out where the risks are, and, you know, you have different levels of trust in that. So as you gain levels of trust with your employees, you can offload some of those activities to them.
Yeah. And, you know, nothing builds builds trust quite like, having confidence in yourself and confidence in what the other person is going to do. And so Yeah.
If you if you are confident enough to come in and say, hey. I got this weird email. Do you wanna take a look at it? Right? Because they trust you.
Yeah. Big time.
Because you have confidence in them and and that they're going to to do this in good faith, and nobody's going to get mad at somebody else. Right. Right. So so many times that we kill the security culture because people get in trouble.
Like, some of these horrible phishing campaigns, that that just make people feel bad about themselves Yeah. And don't actually raise knowledge and understanding or or, you you know, there's there's different cases where people just get in trouble for security issues when instead of they can be used as a teaching moment. They can be used as so so even when you do something that you're like, I think I did something sketchy, are you gonna go to somebody you don't trust with that?
Yeah. I I meant to ask you. I mean, I I know when you go in to do an audit, the first time you've ever meet with a client, they're probably relying more on you as a subject matter expert. But then as you go through time and you do multiple audits Mhmm.
Do you notice the trust levels change? You can offload some of those tasks. They're already coming into the audit in year two and three, more prepared, even more prepared by year three and four. Yeah.
I'm I'm sure you see that. So that's that's really what this is about.
Absolutely. It's it's understanding well, knowing everybody's capabilities and what they what they are going to present to you when you get there.
Yeah.
It from a from an assessor's perspective, it it's interesting.
If I'm working with a company for the very first time, I can always tell the ones that have been basically abused by previous auditors. Right? So because they're they only give short answers. They don't volunteer anything. They're they're worried that they're going to get just thrown under the bus for anything that that might need remediation. And and what I tell them is, look, PCI is geared towards collaborative work.
Big time.
You know, we're going to look at this together, and I'm not gonna tell you you failed. We're gonna look it together. I'm gonna point out what the what the, standard says. You're gonna say how you think you meet it.
And and together, we're gonna find out when there's gaps and you're gonna have the opportunity to fix it. Right? And so, year on year, I don't have to have that conversation the next year because they'll say, hey. Remember when we fixed that gap last year?
It's still in place this year.
Mhmm.
A lot of times you'll see, like, ASV scans weren't run properly.
Right? Or or or, you know, something like that. And then they're then they're very they're just stoked that they can tell me we did all of these things that we talked about last year, and we had to kinda scramble to fix. We did it alright this year. Right? So so making them feel like they take ownership for those fixes, they take ownership for knowing what needs to be done. It it creates that high level of trust and confidence, and then security culture is built.
Yeah. And that kinda leads us into the next trend line, which is we're seeing more and more companies do this, holistic. And I love that word, holistic. People just throw it out there all the time.
Holistic security awareness programs. And I'm sure you've seen this where you have companies that just do they they check the box security. Yep. And we're not like that here at SecurityMetrics.
We want we want people to do more more training than just one time a year. So, oh, yeah. We did our our our one little training class on cybersecurity and phishing and so on. But, you know, human error continues to be the factor in almost all of these data breaches.
And there was this report that came out, something like forty four percent of all ransomware victims were less than a hundred employees.
Mhmm.
I think the reports said something like eighty two percent of all ransomware attacks. It targeted organizations that had less than a thousand employees. And the number one vector, initial attack vector has always been phishing, and it's not going away. So all employees kinda need to be part of that process of security training is not one time a year.
It's all like a car.
Everybody gets phished. Yeah. But then they have to take an action.
They do.
Give information or download something. And then malware is in the system, and then they're you're done. Right? But that first piece, yes. I I love that we need to recognize that human error is a factor. But if we know that, maybe instead of trying to train our way out of this issue, maybe we should look at the second step. You can't download something.
Right.
And there's there's controls and there's technical controls out there that can be done to help prevent prevent and mitigate some of that stuff.
Exactly. Or Yeah. Like like, the it's kind of the famous one. We we hear this happen every once in a while. Hey. It's the CEO, and I need you to wire transfer this to this. Well, there should be processes in place that don't allow one person to kick off a high dollar anything to anyone.
Yeah.
Right? So so instead of, saying, hey. You just need to be aware of things that are gonna happen and then recognize it and deal with it properly when it happens.
No. No. And and, you know, that's a problem too. I mean, obviously, it's a resource challenge issue, but IT teams need to be thinking about moving away from outdated compliance focused security awareness and training programs Right.
And going more towards a holistic approach. So, you know, what does that look like for small to medium sized business? Well, it means a new way of thinking. And we kinda gave out that one example where an employee gets a phish, and they don't just keep it to themselves.
They share it with the company. Say, hey. You're not gonna believe what I found. I got this phish, and I want you all to be aware of it so you don't get popped with it.
So it's a challenge moving away from this just one training a year and going to the holistic.
Yeah. So so, yes, definitely, a a cyber, security awareness instead of a security training is going to help. But then making sure that you have not just, technology tools, but also processes defined processes in place where you know you potentially could get popped for for big dollars.
And it's a big part of what we do here at SecurityMetrics where we have this YouTube channel where we put together these ten minute videos talking about the latest phishing emails that have come out, the latest threats so your team's aware of it and your business is aware of it.
So ten minutes of your life to know what what the newest threats are, I think, is a reasonable time.
Of them are super entertaining.
They are. They are.
Which kinda gets us into trend number six, which is the attack surface. And that's just expanding exponentially. I cannot tell you folks how crazy the attack surface is right now. And you think about it.
For a business that you you help out, they have not just the cash registers. They have their online shopping carts, all that back office computer stuff, all those servers, probably third parties, real complex supply chains. They got cloud now in their environment. All those social media accounts that are exposed.
A lot of attack surface Right. That's out there that for a small business, medium sized business, that's real difficult to try to get a handle on.
Right. Exactly. And attack surface is something we talk about all the time, but some people might be going, what are you talking about? Attack surface is just the way the bad guys get in. And it could be anything. It could be and some you know, we think of surface as something physical, but it's not in this world. It's it's very, you know, different digital, assets can be popped in different ways.
It's it's amazing how big the attack surface is, and you can't you can't approach it and try to do it all at once. You know, how do you eat a fit how do you eat a shark or a whale? You eat one bite at a time. Well, it's very similar to cybersecurity.
You're gonna prioritize your environment, business business first.
But, you you know, we We don't eat the whales, half.
We don't eat whales.
We don't eat the whales.
Don't eat the whales, folks.
But, you know, a lot of businesses, they don't they don't really even know how big their attack surface is. So a hot trend that we're seeing right now is subdomain takeover attacks. And you're gonna hear a lot more about this in the news, folks, where you're what what's exposed on the website of the house. Mhmm.
You gotta really understand how big that is in your environment. So, some so many businesses don't have IR plans, incident response plans. Right. They don't have policies in place.
Or they haven't tested them.
If you do get taken over, how do you negotiate with the bad guys? Do you have a Bitcoin wallet if you are I don't recommend you negotiate with bad guys.
And deciding that in the moment is the worst time to decide.
That's the last place you need to be. So, you know, having those decisions already made and laid out in a process and a policy helps. But that attack surface, folks, is just gonna keep getting bigger.
So Let's, let's move on to number seven.
Yeah. This is the big one that's been in the news. Obviously, we talked about, in past in our briefings and stuff, we talked about the supply chain attacks.
Yes.
So that's been hot news. It's the Colonial Pipeline and Microsoft Exchange Server. All those breaches. Log4j was the most recent one that hit the news.
They're not going away anytime soon. So getting a handle on what third parties are in your environment Mhmm. And having a process in place to manage that, know what risk they create for you is critical. Right.
You know, before you choose a vendor, do your homework. Right. It's really do your due diligence. Know what's what you're who you're bringing on as a partner, that risk based thinking.
Spend a little extra time researching that vendor before you bring them in your environment.
Exactly. And and if that vendor if if you're relying on that vendor and their security to not take down your business, you know, you need to look at your side of it. What happens if what happens if you're using a vendor that does, get breached? In what way is that going to affect your business?
And then that can help you make decisions on how do I, from from inside, kind of, mitigate anything that might happen there, because you can't you can't always predict what's going to happen with some of these third parties.
I know that that PCI tries to help this and and some of the other standards as well by saying, look. If you're using a third party, they need to be certified. Well, there's different levels of certification. So I see hundreds of, AOCs, attestations of compliance, from service providers every year.
Yeah.
And some of them are terrible. They are. They're I'll read and crayon.
They're written in crayon. Right?
Yeah. They're obviously Just kidding about my crayon. It's just about.
But but so sometimes I'll say to to, you know, a customer, I'm doing a a report for them, and and and I'll say, alright. Show me the, whatever AOCs you have from your service providers. They'll hand them over. We'll look through them.
I'll and if they are self-attested, which service providers are allowed to do, they're allowed to go through and check their boxes and sign the thing. You have to ask yourself, to what degree is this service provider serious about this? Are they just handing over a piece of paper that was signed by some guy in marketing so that they could get your business? Or did they actually thoughtfully go through these things?
Yeah. Security theater is what a lot of companies do. They're not they're not actually in it to help you. They're just in it to collect a check, and that's the wrong business. You you don't wanna be hiring.
Yeah. And so whenever I see that, I'll I'll say to the the the business that I'm working with, look. You can you're allowed to accept this. You're allowed to even do business with a company that is not Yeah.
Certified or doesn't have an AOC. But you are responsible for your due diligence. So that means I wanna see a line item in your risk assessment that discusses your business's Yeah. Your leadership's decision to go with this organization that refuses to do any more than the bare minimum for you.
Yeah. I gotta throw out a quick stat. I heard a stat. By 2025, 45 percent of all businesses worldwide will have experienced a third party supply chain attack.
So throw that out. That's crazy. 2025, 45 percent of all businesses will have an attack on their supply chain. So, again, get a handle on your third parties, know what's in your environment, and know what their approach is to security.
Yeah.
So Yeah.
Alright. Trend number eight. You wanna talk about this one?
Yeah. Consolidation of vendors.
Yeah. I think this is a trend that's gonna you're gonna see more and more. You're starting to hear it at at the enterprise level, and it's gonna start trickling down where, you know, these businesses are getting out there, and they're hiring all these third party vendors. They're outsourcing everything, and the attack surface keeps expanding, and third party breaches keep expanding.
So how do you fix that? And the really one pathway to take is to reduce the complexity of your environment.
Mhmm.
And and you mentioned you mentioned the flat networking, the flat network. That's one approach to it. But, again, this trend for small to medium sized businesses Yeah. Is huge.
You could reduce your administrative overhead costs, make it easier for your security team to defend that environment. And, again, this is what we do at SecurityMetrics. We're a one stop shop. You can get it all the complete package, consolidate the vendors, one vendor that can can really help you out from compliance to pen testing to finding the the the threats all in one package.
Yeah. Yeah. I think that, that like you said, the complexity because, the more responsible any organization is for the security of its of its supply chain. And and this is more and more in the news, and so I wouldn't be surprised if we get some kinda, I don't know, regulations.
I hate regulations. But, you know It's coming. If it's coming and then they exist. And and, if you look at that and say, well, how do I, as a small or medium business or even an enterprise business, how do I juggle all of these service providers?
It's it's no it's no easy feat. Like, just because you have service providers doesn't mean it doesn't take time from somebody in your organization to manage that relationship.
Big time. Big time. Yeah. And and this, this is not really connected so much to the last trend, but the trend number nine is identity and access management.
And what we're seeing, especially for small to medium sized businesses we mentioned phishing as a primary attack vector. Mhmm. Well, one of the top ones out there is threat actors going into your environment, getting in through your identity and access management, misusing credentials, getting access to those credentials, and then misusing them in your environment. So this has to be a risk based decision here.
How important is it that your front door is locked? Yeah. That when people log in to their their software in your environment, that that considerable effort has to be placed on securing this area.
Well, but I have a username and password that I log in with.
But we haven't changed it in how long? Oh. Yeah.
Okay. Well but I have to be able to log in from my home.
Right. And that's where the business needs to take a have to take a risk based approach.
Exactly. You know?
You have to understand what's best for the business. It's not what's best what Jen says or Heff here says. It's what's best for the business.
Right.
So And there are ways to do all of the functions that you need as a business remotely in this new remote world of ours Yeah.
That that are are reasonable, like multifactor authentication. Yeah.
That's huge.
Do you wanna use a username and a password only? Well, that's dumb.
Or an authenticator? Using authenticator is very helpful.
You wanna use some other thing that that somebody can't just know and type in from where they are. Right? Because chances are that that you might give that password up and that it wouldn't it would be, again, those phishing attacks. So if you're in a company where where you're allowing people to work remotely and all they have to do is use a username and password to get in from home and all they have to do to let a bad guy in is give at give up that username and password, then you haven't put in place the tools, the technologies that are going to, help help that, help that person help themselves.
Yeah. And, you know, let me add to that because, again, we're talking about trend number nine here.
Mhmm.
Identity access management, all that that detection and response Yeah. When a bad guy gets in. But it's not just all those technical controls. It's also having the right policies in place. Yeah. For example and I've had a couple clients do this, where an employee leaves the company, but they leave that account active.
Yeah.
Can you imagine that?
No. They don't have any prospects. I can't imagine it because I see it. It's not good.
The inactive accounts. I mean, that's crazy to me that you'd leave that stuff up and running. But the reality is that particular client did not have a policy in place to say, we need to remove as crazy as it sounds, we need to remove all these inactive accounts. They never had a policy to Yeah.
And so nobody's gonna do it if nobody's told to do it. Right. I mean, they might get somebody that goes, hey. I think this is a good idea. But but, typically, it's unless it's formally written down and these are the policies and procedures that we follow, you know, turnover changes things. You you it's a mixed bag. Who's gonna think of something and who's not?
It is. It is. It is. I feel like we should have a drum roll for number ten. Final trend that we're gonna talk about. Yeah. Drum roll, please.
Cybersecurity mesh architecture.
It's a big word, isn't it?
It is. What does that mean?
And a lot of people probably have never heard this term before, but this is really a trend for the future here where cybersecurity does not exist in isolation. Everything that we do builds upon one another. So if you're brand new to the table and you're worried about your PCI, that's the first step. And maybe that's not even the first step.
Maybe you've already done your your basic cyber hygiene, for example. You know where you what what assets you have in your environment. You know, what version numbers of software you and hardware you have in your environment. You have a list of all your third party vendors.
But, really, you start to have a mesh architecture is one where the policies, the processes, the apps that you chose to put in your environment, the hardware, your cloud security, your third party, they all work harmoniously together, and it's like a beautiful ballet when it's done correctly. Yeah. And you're seeing this right now at the enterprise level where they're trying to roll out a a common integrated security structure Mhmm. Architecture where everything can talk to each other So you know when contracts are expiring, for example, for third parties.
You know when you haven't done your training. Alright? And you haven't done it every month. You know, those kind of things.
They're all become easier when everything's talking to everything.
So this this type of orchestration that you're talking about, are are there groups out there already doing it?
There are. In fact, there are tools that, obviously, you can leverage and purchase, but, you know, you don't have to go that pathway. You can simply just start up with some basic steps in your own environment where you start to mesh everything together, and and and that is one pathway to take to make this happen without spending money. But you're gonna hear a lot more about this term. It's not going away. Mesh architecture.
Terrific. So Alright. Well, thank you so much for joining me and and talking to me about these future trends. I know that that a lot of people are going to be super interested in, and and you brought a lot of interesting concepts to the table.
Well, thank you.
I appreciate it. Yeah. There is an order of operations, obviously, and we throw out a lot of concepts, a lot of Mhmm. Lot of topics here. But, you know, when you road map all this out, there's a pathway that you can take where this makes sense, where you're you're not trying to go from trend one to trend five, and you miss all these things in in between. But I hope the audience got value from it. I know I know we love talking about it.
Yeah. No. That was great. So thank you for joining us once again here at the SecurityMetrics podcast.
And I hope you share this with people who might also find it interesting. Like, comment, and look forward to talking to you again in the future. Bye. Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.