Information Technology Navigator

 

On October 30, 2023, the US Securities and Exchange Commission (SEC) announced fraud charges against SolarWinds and its former chief information security officer (CISO), alleging that “SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments.” This comes on the heels of the SEC’s newly implemented rules for disclosures relating to cyber risk. Publicly traded companies (along with pre-IPO and foreign private issuers) must now adhere to new and prescriptive rules requiring the disclosure of “material cybersecurity incidents” as well as annual disclosures relating to “cybersecurity risk management, strategy, and governance.”

There is a lot going on with all the recent SEC and cyber headlines, so let’s break it down piece by piece. This blog outlines several high-level calls to action that CISOs and their stakeholders should consider as they work through their cyber risk strategy and their cyber and/or directors and officers (D&O) insurance renewals.

Read More

Microsoft has recently issued some retirement notices that impact VM default internet access on Azure and Basic Public SKUs. While there is runway on both of these notices, Microsoft recommends planning all new deployments with these changes in mind. We at Daymark agree. Here’s a quick summary of the announcements:

Default Internet Access Retirement

Read More

HashiCorp recently held their annual conference, HashiConf 2023, in San Francisco (and virtually) to unveil some exciting enhancements to their suite of multi-cloud infrastructure automation software. Key themes revolved around infrastructure and security with an emphasis on how to use the cloud operating model to achieve operational cloud maturity and improve the developer experience while enabling platform teams to put controls in place to manage risk and cost.

 

Here are some of the important enhancements to their products that we think will benefit Daymark customers (with links to additional information at the end of this blog):

Read More

Teachers everywhere demonstrate their unwavering dedication to educate the next generation in countless ways. Selflessly going above and beyond on a daily basis, year after year, frequently without acknowledgment or adequate compensation. One of the ways many teachers support their students is by spending their own money to ensure their students have the school supplies they need to learn.

Read More

 

The risk of a ransomware attack continues to increase at a frightening triple-digit annual growth rate. How bad is it? Bad, really bad. Businesses based in the U.S. face an 80% chance of an attack, compared to 31% chance in EMEA and 9% in the Asia-Pack region. As the attackers’ sophistication increases and cybergangs are forming, it is important to understand what the attackers are going after and how to increase your ransomware resilience.

 

Ransomware Demand and Payment Trends

•  In 2022, companies with $10 million in revenue or less had an average payout of $690,996¹
• Large enterprises (revenue of $5 billion plus) took a bigger hit, with an average $2,464,339² ransom payout
• Recent ransom demands have been as high as $30 million with payouts that have exceeded $8 million
• Threat actors are increasingly focused on extortion techniques—often layering them on top of each other
• Harassment is another extortion tactic being used in more ransomware cases. Ransomware threat actor groups will target specific individuals in the organization, often in the C-suite, with threats and unwanted communications³
• Cybercriminals threatened to leak stolen data in about 70% of ransomware cases involving negotiation in late 2022⁴
• The United States is still the most severely impacted, accounting for 42% of the observed leaks in 2022⁵
• As of late 2022, threat actors engaged in data theft in about 70% of cases compared to 40% in mid-2021⁶ 

Don’t Count on the Government for Help

Read More

Government organizations today face an unprecedented need for innovation and efficiency. From delivering public services to safeguarding national security, the challenges are immense, and the stakes are high. This is where Microsoft's Azure for US government (Azure Government), a proven and trusted cloud for US government agencies, in conjunction with Azure OpenAI, can step in as a transformative force. In this blog post, I’ll explore why government agencies and organizations that support the government should be taking note of the capabilities and benefits of Azure Government with Azure OpenAI.

Read More

There’s no doubt that Generative AI is an extremely disruptive technology, shaking up nearly all industries and rapidly being deployed in businesses today. For anyone paying even the slightest bit of attention to what’s happening in Generative AI, the recent hype surrounding OpenAI is impossible to ignore. GPTs (Generative Pre-Trained Transformers) are multimodal large language learning models that are essentially machine learning algorithms that respond to input with human-like text.

The enhancements in GPT-4 over the previous 3.5 version, such as image recognition, advanced reasoning, increased accuracy, and multilingual support, to name a few, are remarkable. The ability to handle increased complexity and understand nuanced instructions delivers dramatic results. OpenAI reports being able to create a functional website from a drawing on a piece of paper in minutes and scoring in or near the top 90^th percentile on standardized tests like the SAT, LSAT and GRE.

How to Leverage OpenAI, Including ChatGPT-4, Safely and with Scale:

Read More

Ensuring cybersecurity for an enterprise is a job that is never done. It’s a challenge that requires constant vigilance and, in recent years, has been exacerbated by low visibility into highly distributed and dynamic cloud data spread across increasingly fragmented environments. Our trusted cybersecurity partner, Rubrik, has taken another step to enhance cyber security by acquiring Laminar, a leading data security posture management (DSPM) platform. It’s a strategic move that results in Rubrik’s ability to offer customers a complete cyber resilience offering that reduces weaknesses in an organization’s security strategy.

Securing cloud data is different from securing your infrastructure. Businesses have innovated the way they use cloud data, but not the way they secure it. Not only do you need a data-centric tool for the job, you also need an agile, cloud-based approach to keep up with the dramatic expansion and replication of data manipulated by developers and data scientists so that they can leverage data for innovation without increasing exposure or data protection risks.

Read More

It’s been almost a year since we wrote about the risks of delaying CMMC (Cybersecurity Maturity Model Certification) compliance. The only thing that has remained constant since then is that CMMC is not going away. There have been many noteworthy recent developments in the DoD supply chain news space related to updates for DIB contractors to comply with the DFARS 7012 requirements to safeguard CUI (controlled unclassified information) data. The CMMC 2.0 final rulemaking timeline continues to shift from over the horizon to right around the corner, and the recently released NIST 800-171 revision 3 draft amplifies concerns about upcoming changes to the framework requiring additional protections for prime and subprime organizations supplying the DoD.

Read More

A CISO Primer on Navigating Cyber Insurance

After 10+ years of working with clients to negotiate and place cyber insurance, I’ve noticed that one of the most frequent challenges has always been getting the underwriters and my client’s information security stakeholder (like a CISO or CIO) to understand each other. It’s no surprise that insurance is *gasp* slow to evolve – but in their defense, underwriters have come a long way over the last three years. It’s also no secret that being a CISO is one of the most important leadership roles within a company these days. So why are there massive communications disconnects? Why are CISO’s often ill equipped (through no fault of their own) to navigate the cyber insurance ecosystem? How are brokers and their underwriting partners not ensuring that their clients understand the coverages within cyber policies and how the insurance contracts work? How can we bring all the stakeholders in the process together to make our clients more resilient and create a sustainable cyber insurance marketplace? This blog aspires to demystify cyber insurance for all the information security stakeholders in the room so that they are best equipped to dovetail their strategy with what the insurance marketplace is looking for.

Read More