Cybersecurity Trends, CMMC Compliance Rush, Shadow IT Risks, and Sustainable Energy Innovations
Business of Tech: Daily 10-Minute IT Services Insights
October 23, 2024
1448

A survey by Kaseya reveals that human behavior remains the primary challenge for IT professionals, with 89% citing insufficient training and poor user habits as significant issues. Phishing continues to be the top threat, affecting 58% of businesses, while the adoption of cyber insurance has surged from 27% in 2023 to 61% in 2024, indicating a growing awareness of cyber threats. As IT budgets stabilize, organizations are prioritizing investments in cloud security and security awareness training.

Host Dave Sobel also addresses the impending rush for Cybersecurity Maturity Model Certification (CMMC) compliance, with 76,000 companies needing evaluations and only 50 to 60 assessors available. This situation presents a significant opportunity for compliance preparation services, such as gap assessments and remediation plans. The episode emphasizes that while compliance does not guarantee immunity from cyber incidents, it enhances protection against them. The anticipated release of a second rule to operationalize CMMC by early 2025 suggests that organizations must remain vigilant and adaptable to evolving requirements.

The discussion further explores the rising issue of shadow IT, particularly in light of the increasing use of SaaS applications, which have doubled per employee since 2019. Traditional security measures are proving inadequate as employees utilize unauthorized tools without IT oversight, leading to heightened risks of data leakage. The episode highlights the need for robust credential management and modernized security strategies to address these challenges, especially as generative AI tools change the way employees work.

Finally, Sobel touches on significant trends in energy innovations among major tech companies, including Google and Amazon Web Services, as they invest in nuclear power to meet the growing energy demands of their data centers. These initiatives reflect a broader trend towards securing reliable and sustainable energy sources, particularly in the context of the increasing energy consumption driven by generative AI. The episode concludes by emphasizing the importance of monitoring how these investments will become profitable, as the tech giants navigate the balance between sustainability and financial viability.

Four things to know today

00:00 From Ransomware Defense to Sustainable IT: How IT Pros Are Addressing Evolving Cybersecurity Threats in 2024

06:29 CMMC Compliance Rush Looms with Limited Assessors and 76,000 Companies in Need of Evaluation

07:55 Gartner Warns of Rising Shadow IT as SaaS Use Per Employee Doubles Since 2019

09:18 Cybersecurity, Data Protection, and Energy Innovations: Cynomi, Sherweb, Pax8, Google, and AWS Lead Industry Shifts

Supported by: https://www.huntress.com/mspradio/

https://www.coreview.com/msp


[00:00:02] It's Wednesday, October 23rd, 2024, and I'm Dave Sobel. Four things to know today. From ransomware defense to sustainable IT. How IT pros are addressing the evolving cybersecurity threats in 2024. A CMMC compliance rush looms with limited assessors and 76,000 companies in need of evaluation. Gartner warns of a rising shadow IT problem as SaaS use per employee doubles since 2019.

[00:00:30] And cybersecurity, data protection, and energy innovations: we hear from Cynomi, Sherweb, Pax8, Google, and AWS. This is the Business of Tech.

[00:00:43] In a recent survey by Kaseya, IT professionals identified human behavior as the primary cybersecurity challenge, with 89% citing insufficient training and poor user habits as significant issues.

[00:00:56] The survey found that phishing remains the top threat, impacting 58% of businesses, while only 11% of companies reported paying ransomware demands, likely due to increased investments in backup and recovery technologies.

[00:01:10] Interestingly, over half of the respondents believe artificial intelligence will enhance their security, despite one-third expressing uncertainty about its impact.

[00:01:19] The survey also revealed that 61% of organizations have adopted cyber insurance, up from 27% in 2023, reflecting a growing awareness of cyber threats.

[00:01:30] As IT budgets remain stable, professionals plan to invest in various security measures, including cloud security and security awareness training.

[00:01:41] A recent survey conducted by Extreme Networks, which polled 200 CIOs and senior IT leaders, reveals that network security is the top priority for most respondents.

[00:01:50] The survey, conducted in July and August of this year, found that 34% of CIOs ranked securing their network as their number one priority, while 22% emphasized the importance of integrating networking and security.

[00:02:04] A significant 88% of those surveyed desire a single integrated platform for networking, AI, and security, reflecting a growing trend towards platformization.

[00:02:15] While many organizations are focusing on AI implementation, challenges such as network bandwidth and security concerns remain prevalent.

[00:02:23] Additionally, 88% of respondents acknowledged that the IT department has a responsibility to recommend technologies that reduce the company's carbon footprint, highlighting the increasing importance of sustainable IT practices.

[00:02:36] And Datadog has released its State of Cloud Security 2024 report, revealing that 46% of organizations are still using unmanaged users with long-lived credentials, which pose significant security risks across all major cloud providers.

[00:02:52] Long-lived credentials, which do not expire, are frequently leaked in various sources, making them a leading cause of cloud security breaches.

[00:03:00] The report highlights that many of those credentials are old and unused, with 62% of Google Cloud service accounts, 60% of AWS IAM users, and 46% of Microsoft Entra ID applications holding access keys older than a year.

[00:03:16] Additionally, the report notes a rise in the adoption of cloud guardrails, with 79% of S3 buckets now protected by access blocks, up from 73% last year.

[00:03:27] However, it also warns that over 18% of AWS EC2 instances and 33% of Google Cloud VMs have sensitive permissions that could be exploited by attackers.

[00:03:40] A recent report from Sophos reveals that 96% of small and medium-sized businesses struggle with critical cybersecurity skills, making it their second biggest security risk.

[00:03:51] The survey, which gathered responses from 5,000 IT and cybersecurity professionals across 14 countries, highlights that smaller teams often lack the resources for adequate security education.

[00:04:02] Alarmingly, one-third of SMBs report that no one actively monitors or responds to security alerts.

[00:04:09] And a recent report from WatchGuard Technologies highlights concerning trends in cybersecurity, revealing that seven of the top 10 malware threats observed in the second quarter of this year were new, indicating a shift in tactics among threat actors.

[00:04:24] Key findings include a significant rise in evasive malware detections, which surged by 168% quarter over quarter, despite an overall 24% decrease in malware detections due to a drop in signature-based threats.

[00:04:41] Why do we care?

[00:04:42] Across these reports, several key takeaways emerged.

[00:04:46] The importance of human-centric security measures, the growing demand for integrated platforms, and the increasing sophistication of threats.

[00:04:54] Only 11% of businesses reported paying ransomware demands, likely due to the adoption of backup solutions.

[00:05:00] Perhaps prevention and recovery technologies are making headway in reducing ransomware's effectiveness.

[00:05:05] That jump in cyber insurance certainly implies recognition of the problem, and MSPs must ensure their clients meet the rigorous security standards set by insurers.

[00:05:16] The rise in cyber insurance and platform integration trends suggest that holistic, scalable solutions will be the next frontier for those looking to expand in a competitive IT services market.

[00:05:27] The Extreme Networks survey shows a clear demand at 88% for a single integrated platform covering networking, AI, and security.

[00:05:33] One ring to rule them all?

[00:05:38] Today's episode is supported by Huntress.

[00:05:41] You want to focus on your clients and are always looking for ways to get more time.

[00:05:46] Use Huntress' fully managed cybersecurity platform to fight off cyber threats.

[00:05:52] Huntress is more than cybersecurity software for endpoints and identities.

[00:05:56] It's a 24 by 7 security operations center.

[00:05:59] It's security awareness training, community engagement, and dedicated partner support with an average CSAT score of 99.3%.

[00:06:08] Technology can only get you so far.

[00:06:11] Human expertise is what's needed to truly elevate and protect small businesses.

[00:06:16] And you get that with Huntress.

[00:06:19] Secure your clients and help them thrive with the number one rated EDR for SMBs on G2.

[00:06:24] Visit Huntress.com slash MSP radio to find out more.

[00:06:30] I've covered that the Defense Department has officially finalized the Cybersecurity Maturity Model Certification, or CMMC, outlining essential contractor guidelines.

[00:06:40] Eric Crusius, an attorney at Holland & Knight, emphasized that this finalized rule clarifies what contractors must do to achieve compliance.

[00:06:50] There are currently between 50 and 60 assessors available to handle the anticipated 76,000 companies needing evaluation, indicating a potential rush for assessments as deadlines approach.

[00:07:02] Crusius noted that while compliance does not guarantee immunity from cyber incidents, it significantly enhances protection against them.

[00:07:11] He predicts that the second rule to operationalize CMMC could be released by the end of the first quarter of 2025, moving swiftly after a year of extensive commentary and feedback on the current rule.

[00:07:24] Why do we care?

[00:07:27] With up to 76,000 companies needing to undergo CMMC evaluations and only 50 to 60 certified assessors currently available, the demand for compliance preparation is set to surge.

[00:07:39] CMMC readiness services such as gap assessments, remediation plans, and ongoing monitoring are a potential area of expansion.

[00:07:46] The possibility of a second rule coming as early as Q1 of next year means that CMMC requirements could evolve quickly, making this an ongoing deal.

[00:07:57] The rise of generative AI tools is significantly increasing shadow IT risks as highlighted by recent findings from Gartner, which revealed that the number of SaaS applications used per employee has doubled since 2019.

[00:08:11] Many of these applications are utilized without IT oversight, leaving sensitive data vulnerable.

[00:08:16] Fred Rivain, CTO of Dashlane, emphasizes that traditional security measures like single sign-on and multi-factor authentication are no longer sufficient to manage the surge of unauthorized tools.

[00:08:28] With employees often sharing their credentials, the need for effective credential management has never been more critical.

[00:08:35] Rivain also discusses the potential of passkeys, the passwordless authentication method supported by the FIDO Alliance, to enhance security, though challenges remain in widespread adoption.

[00:08:46] Why do we care?

[00:08:48] Generative AI is changing how employees work, but without proper controls, it also increases the risks of data leakage.

[00:08:55] The rise in generative AI tools and increased SaaS usage is dramatically expanding shadow IT risks, leaving traditional security measures like SSO and MFA inadequate.

[00:09:04] For providers, this evolving landscape highlights a need for robust credential management, modernized security strategies, and early adoption of technologies like passkeys.

[00:09:15] Make sure there's data governance to bring it all together.

[00:09:19] Cynomi has launched the first online virtual CISO Academy, aimed at supporting managed service providers and managed security service providers in enhancing their virtual Chief Information Security Officer services.

[00:09:32] With cyber attacks on small and mid-sized businesses on the rise, the Academy provides essential resources and training to meet this need for cybersecurity guidance.

[00:09:42] Sherweb has announced the integration of Veeam's data resilience tools into its marketplace, enhancing the capabilities available to providers.

[00:09:49] This includes the Veeam data platform, Cloud Connect, and service provider console, aimed at improving data protection through services such as backup and disaster recovery.

[00:09:59] This move follows Sherweb's recent launch of Acronis CyberProtect Cloud.

[00:10:05] ConnectWise and Pax8 have announced a strategic partnership which will integrate ConnectWise's managed detection and response solution into the Pax8 marketplace.

[00:10:14] The partnership is set to be detailed further at the IT Nation Connect event in November, which I will be in attendance for.

[00:10:21] Nametag Inc. has unveiled its next-generation identity verification engine, Deepfake Defense.

[00:10:27] This solution utilizes cryptography, biometrics, and AI to combat sophisticated deepfake attacks that threaten enterprise security.

[00:10:35] And two that show a larger trend.

[00:10:38] Google has entered into an agreement with startup Kairos Power to deploy seven small nuclear reactors to power its data centers by the end of the decade.

[00:10:47] This deal promises 500 megawatts of power, with the first modular reactor expected to be operational by 2030.

[00:10:54] The technology, utilizing a molten salt cooling system, is still in early development but has already made significant progress, including the construction of a non-powered demonstration reactor in Tennessee.

[00:11:06] The first of its kind to receive a construction permit from the U.S. Nuclear Regulatory Commission.

[00:11:13] And Amazon Web Services is investing over $500 million in nuclear power, focused on the development of small modular reactors, or SMRs, in Virginia and Washington State.

[00:11:23] This initiative aims to meet the growing energy demands of its expanding services, particularly in generative AI, while supporting Amazon's goal of achieving net-zero carbon emissions.

[00:11:34] AWS has signed an agreement with Dominion Energy to explore building an SMR near the North Anna nuclear power station.

[00:11:41] Virginia is home to nearly half of the U.S. data centers, with power demand projected to rise by 85% over the next 15 years.

[00:11:49] AWS expects the new SMRs to contribute at least 300 megawatts to power the region.

[00:11:56] Additionally, Amazon has partnered with Energy Northwest to fund four SMRs in Washington, with the potential to expand to eight more.

[00:12:03] This move reflects a broader trend among the giants, as Microsoft, Google, and Amazon all invest in nuclear technology to power their data centers.

[00:12:12] Why do we care?

[00:12:14] Google's deal and AWS's investment reflect a trend to secure reliable, sustainable energy sources for rapidly expanding data needs.

[00:12:22] Data centers are becoming increasingly energy-hungry, especially with the rise of generative AI.

[00:12:27] One thing to keep an eye on here, how will these efforts become profitable?

[00:12:33] At some point, all these investments need to make money, and so far, we haven't seen a plan for that.

[00:12:40] Today's episode is supported by CoreView.

[00:12:43] Your customers need your Microsoft 365 expertise, and CoreView has the only M365 management platform designed for MSPs.

[00:12:52] Manage hundreds of tenants, automate manual tasks, and monitor compliance, all while intelligently comparing to the baseline.

[00:13:00] With a no-code control approach, CoreView revolutionizes your Microsoft 365 administration.

[00:13:06] This powerful platform enables automatic reporting and remediation, ensuring optimal performance and security.

[00:13:13] The best part?

[00:13:14] You achieve this high level of service without the need for a large workforce, allowing you to focus on growing your business through efficiency.

[00:13:22] Want to know more?

[00:13:24] Visit coreview.com slash MSP and find out more.

[00:13:31] Thanks for listening.

[00:13:32] It's National Slap Your Coworker Day.

[00:13:34] Do I need any day other than that one?

[00:13:37] If you got a comment or a thought on a story, put it in the comments if you're on YouTube, or reach out on LinkedIn if you're listening to the podcast.

[00:13:43] And if you enjoy the show, please give it a review and make sure you've subscribed or followed on your favorite platform.

[00:13:50] I'll talk to you again tomorrow.

[00:13:53] The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech.

[00:14:01] If you like the content, please make sure to hit that like button, follow, or subscribe.

[00:14:06] It's free and easy and the best way to support the show and help us grow.

[00:14:10] You can also check out our Patreon where you can join the Business of Tech community at patreon.com slash MSP radio or buy our Why Do We Care merch at businessof.tech.

[00:14:24] Finally, if you're interested in advertising on this show, visit MSP radio.com slash engage.

[00:14:31] Once again, thanks for listening to me.

[00:14:33] I'll talk to you again on our next episode of the Business of Tech.

[00:14:40] Part of the MSP radio network.
