Marriott was issued a hefty $52 million fine following major data breaches that compromised the personal information of over 344 million customers. The Federal Trade Commission (FTC) settlement mandates that Marriott enhance its security measures, including implementing multi-factor authentication and allowing customers to request data deletion. Host Dave Sobel emphasizes the long-term implications of such breaches, particularly for small and medium-sized businesses (SMBs) that may not have the financial resilience to recover from operational damage.
The episode also highlights the growing concerns surrounding iPhone mirroring at work, which can inadvertently expose personal app lists to employers, raising privacy risks. Experts warn that organizations should inform employees to avoid using this feature until Apple addresses the issue. Additionally, Microsoft has issued warnings about increasing cyberattack campaigns that exploit legitimate file hosting services, using phishing tactics to compromise user credentials. Sobel underscores the importance of proactive security strategies to mitigate these risks.
Sobel further explores the evolving landscape of artificial intelligence and its implications for cybersecurity. OpenAI's report reveals a rise in AI-generated misinformation, particularly in the context of elections, raising alarms about the potential for disruption. Dr. Sheetwa Singh expresses concerns about OpenAI's new reasoning model, Strawberry, which could facilitate deception and manipulation. The episode stresses the need for robust regulatory frameworks to ensure the ethical use of AI technologies and protect against emerging threats.
Finally, Sobel discusses recent updates from major tech companies, including enhancements to Microsoft's OneDrive, LinkedIn's user agreement changes regarding AI-generated content, and Atlassian's integration of its Jira software. These developments reflect a broader trend of incorporating AI into various platforms, prompting service providers to help clients navigate the associated risks and limitations. The episode concludes with a reminder that cybersecurity is not solely about technology but also requires human expertise to effectively respond to complex threats.
Three things to know today
00:00 Marriott Fined $52M After Major Data Breaches: A Warning to SMBs on Cyber Preparedness
04:10 Experts Warn: iPhone Mirroring, AI-Generated Misinformation, and Phishing Attacks Demand New Security Policies
07:18 Microsoft OneDrive Enhancements, LinkedIn Policy Overhaul, and Atlassian's Jira Revamp
Supported by: https://www.coreview.com/msp
https://www.huntress.com/mspradio/
Event: www.smbTechFest.com/Go/Sobel
💼 All Our Sponsors
Support the vendors who support the show:
👉 https://businessof.tech/sponsors/
🚀 Join Business of Tech Plus
Get exclusive access to investigative reports, vendor analysis, leadership briefings, and more.
👉 https://businessof.tech/plus
🎧 Subscribe to the Business of Tech
Want the show on your favorite podcast app or prefer the written versions of each story?
📲 https://www.businessof.tech/subscribe
📰 Story Links & Sources
Looking for the links from today’s stories?
Every episode script — with full source links — is posted at:
🎙 Want to Be a Guest?
Pitch your story or appear on Business of Tech: Daily 10-Minute IT Services Insights:
💬 https://www.podmatch.com/hostdetailpreview/businessoftech
🔗 Follow Business of Tech
LinkedIn: https://www.linkedin.com/company/28908079
YouTube: https://youtube.com/mspradio
Bluesky: https://bsky.app/profile/businessof.tech
Instagram: https://www.instagram.com/mspradio
TikTok: https://www.tiktok.com/@businessoftech
Facebook: https://www.facebook.com/mspradionews
Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
[00:00:02] It's Thursday, October 10th, 2024, and I'm Dave Sobel. Three things to know today. Marriott fined $52 million after their major data breaches, a warning to SMBs on cyber preparedness. Experts warn on iPhone mirroring, AI-generated misinformation, and phishing attacks demanding new security policies. And Microsoft OneDrive enhancements, LinkedIn policy overhaul, and Atlassian's Jira revamp. This is the business of tech.
[00:00:31] I often cite Marriott as a company that took a big security hit and it didn't cost them when my lens is that of stock price. Well, Marriott International and Starwood Hotels must pay $52 million and enhance their information security following those three major data breaches affecting over 344 million customers.
[00:00:54] The FTC settlement mandates improved security measures, including customer data deletion requests and biennial independent assessments. The breaches between 2014 and 2020 involved inadequate security practices leading to unauthorized access to sensitive customer information. As part of the settlement, Marriott must delete personal data upon request, restore lost loyalty points, and implement a comprehensive security program, including multi-factor authentication.
[00:01:25] Of course, VentureBeat rains on my parade a little bit here, focusing on how multi-factor authentication is no longer sufficient to protect against sophisticated cyber threats. Traditional methods are vulnerable to attacks, including social engineering and man-in-the-middle tactics. Enterprises are encouraged to adopt stronger authentication methods, such as passwordless solutions and advanced analytics, while recognizing that MFA remains a fundamental security component.
[00:01:52] And speaking of stronger authentication methods, Microsoft is enhancing passkey support in Windows 11 with a redesigned Windows Hello experience that allows users to sync passkeys to their Microsoft account or store them with services like 1Password.
[00:02:07] A new API will enable third-party password managers to integrate directly, improving authentication across devices.
[00:02:15] The updated Windows Hello prompt will facilitate passkey setup and usage via facial recognition, fingerprint, or PIN.
[00:02:23] These features will first be available to Windows insiders in the coming months, with more details expected at the Authenticate 2024 conference.
[00:02:32] Why do we care?
[00:02:33] Time frame appears to be the change.
[00:02:36] A significant breach can impact.
[00:02:38] The impact will be a slightly longer time frame.
[00:02:42] While enterprises may weather breaches financially, those SMBs often can't afford the operational damage, so helping clients implement proactive security strategies like passwordless solutions can be a major differentiator.
[00:02:55] Marriott's case might illustrate how companies can survive breaches without significant financial fallout in the short term, but even that does seem to catch up.
[00:03:04] I bet $52 million would have bought a lot of cyber preparedness.
[00:03:09] I'm also going to note how many of your vendors are using passwordless authentication to protect the incredibly powerful systems they offer.
[00:03:20] Today's episode is supported by CoreView.
[00:03:24] Your customers need your Microsoft 365 expertise, and CoreView has the only M365 management platform designed for MSPs.
[00:03:33] Manage hundreds of tenants, automate manual tasks, and monitor compliance, all while intelligently comparing to the baseline.
[00:03:40] With a no-code control approach, CoreView revolutionizes your Microsoft 365 administration.
[00:03:46] This powerful platform enables automatic reporting and remediation, ensuring optimal performance and security.
[00:03:53] The best part?
[00:03:55] You achieve this high level of service without the need for a large workforce, allowing you to focus on growing your business through efficiency.
[00:04:03] Want to know more?
[00:04:04] Visit CoreView.com slash MSP and find out more.
[00:04:11] Let's do some experts warn.
[00:04:14] Experts warn against using iPhone mirroring at work due to privacy risks.
[00:04:20] It can expose personal app lists to employers, potentially revealing sensitive information.
[00:04:26] This issue poses a liability for organizations and could lead to privacy law violations.
[00:04:31] Apple is aware of the problem and is working on a fix, while companies are advised to inform employees and avoid using the feature until it's resolved.
[00:04:39] Microsoft warns of increasing cyber attack campaigns, leveraging legitimate file hosting services like SharePoint, OneDrive, and Dropbox for business email compromise attacks.
[00:04:51] These attacks exploit user trust and involve phishing tactics that require recipients to authenticate via one-time passwords to access view-only files,
[00:05:00] ultimately redirecting them to adversary in-the-middle phishing pages to steal credentials.
[00:05:06] OpenAI reports an increase in cyber actors using its platform to disrupt elections globally, having disrupted over 20 deceptive operations.
[00:05:15] The report highlights concerns over AI-generated misinformation, particularly in upcoming elections, affecting billions.
[00:05:22] Despite the rise in AI-generated content, most identified posts received minimal engagement.
[00:05:27] The report emphasizes the need for awareness and discussion regarding AI's role in the evolving threat landscape of election-related misinformation.
[00:05:36] And Dr. Sheetwa Singh raises concerns about OpenAI's new reasoning model, Strawberry, highlighting risks of deception and manipulation.
[00:05:44] The model is rated as medium risk for assisting in the operational planning of biological threats and for its persuasive capabilities.
[00:05:52] Singh argues that releasing such models without stringent scrutiny is misguided and calls for robust regulatory frameworks to ensure human safety and ethical use of AI technologies.
[00:06:04] And if you want a big expert's warn, Unit 42 at Palo Alto did a fascinating walkthrough of phishing-as-a-service platform SniperDZ, linked to over 140,000 phishing websites targeting social media and online services.
[00:06:20] SniperDZ offers a free admin panel for phishing pages, utilizing public proxy servers to evade detection.
[00:06:29] The platform collects stolen credentials through a centralized infrastructure and tracks victims using embedded scripts.
[00:06:36] It exploits legitimate SaaS platforms for hosting and employs deceptive tactics to lure in victims.
[00:06:43] Why do we care?
[00:06:44] Maybe I should make this a segment, experts warn.
[00:06:47] IT service providers need to synthesize expert advice and help mold it into policies for their customers.
[00:06:55] Companies should advise employees to avoid iPhone mirroring at work until Apple resolves this issue.
[00:07:00] This is a good example: the lines between personal device use and work environments are increasingly blurred.
[00:07:06] This creates new security and privacy challenges for businesses.
[00:07:09] Service providers need to help clients navigate these risks with clearer policies, stronger device management, and up-to-date security practices.
[00:07:23] Microsoft's OneDrive is set to enhance its service with an improved search experience, a new mobile app for iOS and Android, and the introduction of colored folders in File Explorer.
[00:07:32] The updated search will feature better filter controls and faster performance, while the mobile app will focus on photo organization and AI-powered search capabilities.
[00:07:42] Additionally, Copilot will be available for all commercial users, and further improvements to the document library experience are planned for mid-2025.
[00:07:49] Future updates will include personalized views and AI actions integrated into File Explorer and macOS's Finder.
[00:07:57] LinkedIn will update its user agreement to clarify that users may encounter inaccurate or misleading generative AI content.
[00:08:04] Users will be held responsible for sharing any misinformation its AI tools produce.
[00:08:09] Effective November 20, 2024, this policy emphasizes that users must review and correct any false information before sharing.
[00:08:17] LinkedIn's approach has drawn criticism, particularly regarding its data usage for AI training without prior consent, leading to regulatory scrutiny in the UK and EU.
[00:08:29] Atlassian is merging its Jira software and Jira work management tools into a single product to enhance collaboration between developers and business teams.
[00:08:38] The new Jira will allow users to customize what they call their work items, moving away from the term issues.
[00:08:45] It will feature simplified navigation, customizable backgrounds, program boards for program managers, and project templates for scaling processes.
[00:08:54] New AI features will also include automatic work item generation from video transcripts and breaking down larger tasks into subtasks.
[00:09:03] EasyDMARC is integrated with ConnectWise, enhancing email security for MSPs by simplifying DMARC management.
[00:09:09] And Connect Secure has launched a new Microsoft 365 assessment module to enhance vulnerability management for MSPs.
[00:09:17] The module offers features such as M365 scans for configuration vulnerabilities, detailed key findings reports, and scheduled scans for ongoing monitoring.
[00:09:27] The module is in beta and will be available in Q4 2024 as part of Connect Secure's Vulnerability and Compliance Manager Premium Package or as a standalone product.
[00:09:37] Why do we care?
[00:09:39] AI is becoming a core component across platforms.
[00:09:42] From OneDrive's search capabilities to Jira's AI task breakdown and LinkedIn's AI-generated content policies.
[00:09:49] Providers should focus on helping clients integrate AI in secure ways and add value while educating them on the limitations and risks of AI-generated content.
[00:10:00] With as many breaches and security concerns as I report on this show, it should be obvious that cybersecurity is not just about technology, but also the human expertise needed to interpret and respond to complex threats.
[00:10:14] Huntress is focused on elevating SMBs and MSPs around the world.
[00:10:18] Huntress has a suite of fully managed cybersecurity solutions powered by a 24x7 human-led SOC dedicated to continuous monitoring, expert investigation, and rapid response.
[00:10:31] And the proof is the execution.
[00:10:33] Huntress is the number one rated EDR for SMBs on G2.
[00:10:39] Want to know more about the platform?
[00:10:41] Visit Huntress.com slash MSP Radio to learn more.
[00:10:45] Thanks for listening.
[00:10:49] Today is World Mental Health Day and also National Depression Screening Day.
[00:10:53] Two important ones to focus on.
[00:10:55] You don't only want to be serious, but I'll recognize it's also National Angel Food Cake Day.
[00:11:01] I'll be doing two live broadcasts as part of SMB Tech Fest on October 17th and 18th, so make sure to sign up and join the event.
[00:11:08] SMBTechFest.com slash go slash sobel link in the show notes.
[00:11:13] Got a comment or a thought on a story?
[00:11:15] Put it in the comments if you're on YouTube or reach out on LinkedIn if you're listening to the podcast.
[00:11:20] The number one thing you can do to help?
[00:11:22] Share the show with someone you know.
[00:11:24] I will talk to you again tomorrow.
[00:11:28] The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech.
[00:11:36] If you like the content, please make sure to hit that like button, follow or subscribe.
[00:11:41] It's free and easy and the best way to support the show and help us grow.
[00:11:45] You can also check out our Patreon, where you can join the Business of Tech community at patreon.com slash MSP Radio or buy our Why Do We Care merch at businessof.tech.
[00:11:59] Finally, if you're interested in advertising on this show, visit MSP Radio dot com slash engage.
[00:12:05] Once again, thanks for listening to me.
[00:12:08] I'll talk to you again on our next episode of the Business of Tech.
[00:12:15] Part of the MSP Radio Network.