EU Regulatory Pressure on Tech Giants, SaaS Security, AI Incident Response, and MFA Adoption

In this episode of the podcast, Dave Sobel discusses key developments in the tech industry. He highlights a study revealing the risks associated with improper off-boarding in businesses, emphasizing the importance of automating SaaS security to mitigate potential data breaches and insider threats. The podcast also covers the increasing adoption of AI-led security services by managed service providers and the identification of risky connected devices across various industries.

The episode delves into the regulatory challenges faced by Apple in the EU, particularly related to the Digital Markets Act, which could impact the availability of upcoming features in the region. Additionally, the podcast touches on how frustrated users are turning to small claims court to address customer support issues with Meta, showcasing a growing trend of seeking legal recourse for tech companies' shortcomings in customer service.

Sobel discusses the U.S. government's lawsuit against Adobe for alleged deceptive practices in subscription services, shedding light on the regulatory scrutiny faced by tech companies. The episode also explores initiatives by organizations like the National Institute of Standards and Technology and the Cybersecurity and Infrastructure Security Agency to enhance data security and collaboration in the cybersecurity space, emphasizing the importance of zero-trust architectures and incident response coordination.

The podcast concludes by highlighting the introduction of automated remediation capabilities for Google Workspace by SaaS Alerts and the implementation of FIDO2 passkeys by Amazon Web Services for enhanced account security. Dave Sobel underscores the significance of investing in SaaS security and adopting multi-factor authentication measures to mitigate cybersecurity risks in the evolving tech landscape.

Four things to know today

00:00 Study Reveals 63% of Businesses at Risk from Improper Offboarding: Automation in SaaS Security Essential

03:58 Apple Faces EU Regulatory Hurdles with New AI Features and App Store Policies Under DMA 

07:10 NIST, FCC, and CISA Lead Regulatory and Security Initiatives to Strengthen Cybersecurity and Digital Identity

10:22 SaaS Alerts Enhances MSP Capabilities with Automated Remediation for Google Workspace Security

[00:00:00] It's Tuesday, June 25th, 2024, and I'm Dave Sobel. Four things to know today. A study reveals 63% of businesses at risk from improper offboarding, Apple under serious pressure in the EU, NIST, the FCC, and CISA leading regulatory and security initiatives around cybersecurity,

[00:00:20] and SaaS Alerts enhances capabilities with automated remediation for Google Workspace Security. This is the Business of Tech. A recent study by Wing Security highlights the risk of weak offboarding management and insider threats. The study found that 63% of businesses may have former employees with access to organizational data,

[00:00:42] emphasizing the importance of automating SaaS security to mitigate offboarding risks. Improper offboarding can lead to data breaches, compliance violations, insider threats, and intellectual property theft. Automation in SaaS security posture management is recommended as a best practice to ensure consistent and thorough offboarding, saving time and reducing manual errors.

[00:01:05] According to the OpenText Cybersecurity Global Managed Security Survey, most managed service providers and managed security service providers see increasing AI-led security and threat intelligence services as the major drivers of business growth.

[00:01:21] Comprehensive security and composable on-demand security expertise are the primary reasons enterprise and SMB customers seek MSP and MSSP services. The survey also found that priorities have shifted towards embedded AI and holistic security with single vendors,

[00:01:40] and the incorporation of AI into security is seen as a top challenge and business opportunity. Forescout Research and Vedere Labs examined nearly 19 million devices to determine the riskiest connected devices of 2024. The most vulnerable device types include wireless access points, routers, printers, voice over IP devices, and IP cameras.

[00:02:05] The riskiest verticals are technology, education, and manufacturing. In the Internet of Things category, network video recorders are a new entry on the list of risky devices. Operational technology devices with high risk include uninterruptible power sources, distributed control systems, programmable logic controllers, robotics, and building management systems.

[00:02:30] The Internet of Medical Things devices that pose the most risk are medical information systems, electrocardiograph machines, DICOM workstations, picture archiving and communication systems or PACS, and medication dispensing systems. Why do we care? We have business strategy pain points and then operational pain points.

[00:02:52] Address the larger ones with service offerings that include addressing the pain points of operations. That's how I'd look at this data. Are you an MSP navigating the evolving landscape of Microsoft 365 and Copilot?

[00:03:06] SkyKick is here to help you identify ideal clients for Copilot and mitigate risks for your customers enabling Copilot in their business. As MSPs, you all know it's not as simple as just turning it on.

[00:03:18] In eight steps, SkyKick Automation will help you identify which customers are ideal candidates for Copilot and set a variety of standards to ensure their data is safe before Copilot is enabled. Embrace this AI revolution. Offer advanced automation, improve efficiency, and reduce manual workload with SkyKick's tailored solutions.

[00:03:39] Educate your clients on the benefits and adapt your services to include enhanced security measures. Don't just adapt to change, lead it. Elevate your MSP business with SkyKick and Microsoft's Copilot. Visit skykick.com slash mspradio to learn more and start transforming your services today.

[00:03:59] I often talk about how the EU is distinctly shaping technology policy. Well, Apple has announced that its upcoming features including Apple Intelligence Generative AI tools, iPhone mirroring, and SharePlay screen sharing may not be available in the European Union due to regulatory concerns related to the Digital Markets Act.

[00:04:19] The DMA imposes strict requirements on gatekeepers of online platforms, potentially compromising user privacy and data security. Apple is committed to finding a solution with the European Commission to deliver these features without compromising safety.

[00:04:34] And Apple has been charged with violating the EU's DMA for its App Store steering policies which restrict competition. The European Commission has also launched an investigation into Apple's support for alternative iOS marketplaces. Apple could face fines of up to 10% of its annual global revenue for infringement.

[00:04:54] It's not the first time Apple has faced scrutiny from the EU as it was previously fined for anti-steering practices. Apple has time to respond to the preliminary assessment before making the final ruling. Back in the US, Engadget profiled how users frustrated with Meta's lack of customer support

[00:05:11] are turning to Small Claims Court to regain access to their accounts. Meta's automated tools and official help pages often lead to dead-end links or unresponsive emails. Frustrated users have found success in Small Claims Court

[00:05:25] with some being able to restore access to their accounts and even win financial damages. The low barrier to entry and the attention it brings to Meta's legal team make Small Claims Court an attractive option for users seeking recourse.

[00:05:38] And the US government is suing Adobe for allegedly hiding expensive fees and making it difficult to cancel subscriptions. The lawsuit claims that Adobe fails to disclose important plan terms and imposes an onerous cancellation process, including early termination fees. The complaint also targets Adobe executives.

[00:05:58] The lawsuit follows regulatory scrutiny of Adobe's cancellation practices and its subscription model, which has frustrated users in the creative industry. Why do we care? Notably, I told the story out of order. Apple was charged first. Is this retaliation or leveraging market position?

[00:06:17] If nothing else, there's reason to be suspicious. I did want to highlight how EU regulators are making a tangible difference in business strategy regardless. And I also wanted to highlight that Meta story. The low barrier to entry and the direct attention to Meta's legal team

[00:06:33] makes Small Claims Court an effective recourse for individuals facing customer service dead ends. The trend highlights the growing dissatisfaction with automated customer service systems and the lengths to which consumers will go to assert their rights. Increased use of Small Claims Court could pressure companies like Meta

[00:06:51] to improve their customer support services to avoid those legal actions and negative publicity. While most companies will not strip their customer service so low to hit that minimum, there's a healthy debate to be made about a minimum requirement legally for support

[00:07:05] and how much is already there in the FTC's guidance. The National Institute of Standards and Technology is collaborating with the Digital Benefits Network and the Center for Democracy and Technology to adapt its digital identity guidelines for state and local benefits programs.

[00:07:23] The resources development will help public sector organizations evaluate authentication and identity-proofing practices for the secure delivery of specific benefits. The project aims to address concerns about fraud, cybersecurity threats, privacy, data security, due process, and biases in systems that impact marginalized groups.

[00:07:42] Community engagement and public workshops will be used to gather input and feedback. The Federal Communications Commission has refused to suspend its net neutrality rules, setting up a court battle with ISPs who claim the rules violate the law and cause financial harm.

[00:07:58] The rules, scheduled to take effect on July 22, 2024, prohibit ISPs from blocking or throttling lawful content or accepting payment for prioritizing content. The FCC has also filed a motion to move the net neutrality litigation to the D.C. Circuit in Washington.

[00:08:16] The Cybersecurity and Infrastructure Security Agency is focusing on data stewardship as part of the Zero Trust push in federal agencies. CISA is working to understand, protect, and connect its cybersecurity data, applying strong security controls and data governance controls.

[00:08:33] CISA has identified chief data stewards responsible for managing specific datasets and combines data access controls with strong identity governance to move towards a zero-trust architecture. The goal is to improve data security while enabling access to support the mission and providing security.

[00:08:51] CISA has also led its first tabletop exercise for AI cybersecurity, bringing together partners from the U.S. and abroad. The exercise focused on understanding AI-related cybersecurity incidents, information sharing, and collaboration between industry and government. CISA is developing an AI Security Incident Collaboration Playbook,

[00:09:10] set to be released by the end of the year, to enhance incident response coordination. The exercise involved major technology companies, international cyber defense agencies, and U.S. government partners. And the State Department is actively engaging the private sector in cyber diplomacy efforts

[00:09:27] as part of the Biden Administration's cybersecurity agenda. The Department is working on crystallizing its private sector engagement and collaborating to understand international tech regulations and expand Internet connectivity. The Department is also figuring out how to allocate a new $50 million fund

[00:09:44] to help allied nations respond to hacks and expand Internet access. Why do we care? There's a lot of resources and regulatory compliance to be aware of. Organizations, especially in the public sector, should follow CISA's lead in implementing those zero-trust architectures.

[00:10:01] It includes appointing data stewards and enhancing data governance to secure sensitive information. I'm increasingly focused on that offering as valuable, particularly with its AI applications. From a planning perspective, one can consider that AI incident report changes will be a 2024 project based on CISA's work this year.

[00:10:24] SaaS Alerts has extended its Respond module to provide automated remediation capabilities for Google Workspace, allowing managed services providers to detect and stop unauthorized activity in client SaaS applications. Respond for Google Workspace is the first software solution developed exclusively for MSPs

[00:10:43] to detect and remediate SaaS security threats in Google Workspace applications. SaaS Alerts processed and alerted MSPs to over 3.5 billion SaaS events last year, stopping nearly 7,900 security incidents. The Respond module allows MSPs to configure rules that automatically take action when certain behaviors are detected,

[00:11:04] reducing reaction time and enabling swift responses to security events. Respond for Google Workspace is immediately available worldwide as part of a SaaS Alerts subscription. And Amazon Web Services has introduced FIDO2 passkeys as a new method for multi-factor authentication to enhance account security for usability.

[00:11:25] Root AWS accounts must enable MFA by the end of July 2024. Passkeys are resistant to phishing and man-in-the-middle attacks, and Amazon recommends their use for accessing AWS consoles. Mandatory MFA usage will begin with standalone root accounts, gradually expanding to other user categories.

[00:11:44] Amazon is actively working towards enhancing MFA adoption. Why do we care? I mentioned that increase in spending on SaaS security, both today and yesterday. That's what players like SaaS Alerts are counting on. AWS users implement passkeys. That's an obvious one, and I'm very pro-passkeys.

[00:12:06] Today's episode is supported by CoreView. Your customers need your Microsoft 365 expertise, and CoreView has the only M365 management platform designed for MSPs. Manage hundreds of tenants, automate manual tasks and monitor compliance, all while intelligently comparing to the baseline. With a no-code control approach, CoreView revolutionizes your Microsoft 365 administration.

[00:12:32] This powerful platform enables automatic reporting and remediation, ensuring optimal performance and security. The best part? You achieve this high level of service without the need for a large workforce, allowing you to focus on growing your business through efficiency.

[00:12:48] Want to know more? Visit coreview.com slash MSP and find out more. Thanks for listening. Today, National Catfish Day. The fish, not the online predator. Have a question you want answered? We talk lists in our questions.

[00:13:05] Send them in, ideally as a voice memo or video, to question at mspradio.com. I'll answer them Wednesday on our live show, 3 p.m. Eastern.

[00:13:12] And if you have a comment or a thought, put it in the comments if you're on YouTube, or reach out on LinkedIn if you're listening to the podcast. Talk to you twice tomorrow. And if you're interested in advertising on this show, visit mspradio.com slash engage.

[00:13:46] Or buy our Why Do We Care merch at businessof.tech. Finally, if you're interested in advertising on this show, visit mspradio.com slash engage. Once again, thanks for listening to me. I'll talk to you again on our next episode of the Business of Tech. Thanks for listening.