Security Roundup: ID Agent, Dell, SkyKick, GDPR, Netsparker, Kaspersky Lab

April 25, 2018

By Edward Gately, Channel Partners

How can MSPs convince SMBs that they are at high risk of breaches, and therefore need to invest more in cybersecurity?

That was a hot topic during a Business Success Symposium presentation at last week’s Channel Partners Conference and Expo. Kevin Lancaster, CEO and co-founder of ID Agent, which provides dark web monitoring and ID theft protection, led the presentation.

The unfortunate reality is that the vast majority of SMBs globally fall below the “cyber poverty line,” he said.

“They can’t comprehend the scale and complexity of today’s cyberthreats and what you have to do to protect them,” he said. “The customers that channel partners represent have no idea how easy it is for us or anybody to exploit them.”

Some of the biggest problems include: availability of easy kits to build viruses, the uncontrollable volume of breaches, and the consolidation of personal and professional lives, especially on mobile devices, Lancaster said. In addition, password hygiene “stinks,” he said.

“Nearly 80 percent of people still use the same or a derivation of the same password on everything,” he said. “If people say they don’t do it, they’re lying; practically everybody does it.”

This information is out there and it’s something that needs to be monitored going forward, Lancaster said. In the meantime, customers are undereducated, see no return on investment in cybersecurity, value convenience over security and think, “We’re too small; it won’t happen to me,” he said.

As a result, they’re not buying what MSPs are selling, such as security information and event management (SIEM), firewalls, 2FA/multifactor authentication, monitoring, training and password management, he said.

After the session, Lancaster told us the MSP has to have these conversations with their customer now.

“Because of the volume of third-party data breaches, the volume of email addresses and passwords that are out there, the fact that all their customers and employees are using those email addresses and passwords, and the same variation of that password across everything that they log into, is making it harder for the MSP to secure their customer,” he said. “So they need to have that confidence to be able to take this data into their customer and say, ‘Look, this is why you need to be doing these things I’m telling you you need to be doing. You need to be investing in security. Otherwise, I hate to say this cliché, but it’s not if, it’s when. It’s when your organization is going to be compromised — and there’s a high probability that it’s going to be compromised through some type of compromised credential.”

MSPs can’t be shy about this anymore, Lancaster said.

“They need to sit down and say, ‘Look, we need to show this data to you; you need to see what’s already out there,’” he said. “This has nothing to do with my ability to protect your network because I’m doing a great job of that. This has everything to do with the fact that your employees are using these credentials, using their work email address on these third-party sites, and they’re using that same password on your network or a derivation of that same password on your network. So you can’t be sugarcoating these things, because when some type of exploit happens, the first people they call is their MSP. It doesn’t matter if it’s on network or it’s their Salesforce application, or some other business application, because typically, the MSP is the first person they call, and the MSP is going to be kind of blindsided by that.”

Dell Rolls Out Latest Data Guardian and Encryption

Dell has updated its endpoint-security capabilities in commercial PCs with new enhancements to Dell Data Guardian and Dell Encryption.

Brett Hansen, Dell’s vice president of client software and general manager of data security, tells us his company continues to hear from partners that cybersecurity is a hot topic among their clients.

“To address this, Dell data security continues to innovate,” he said. “These new enhancements to Dell Data Guardian and Dell Encryption will enable users to fully secure their data, not only at rest, but also in motion and wherever it goes, starting with a trusted device. We’re enabling our partners to provide added benefits to their customers by offering security solutions alongside the hardware.”

Data Guardian now includes added support for an organization’s existing data-classification structures aimed at delivering enforcement and controls beyond a company’s network. It also protects many file types, including in-house, proprietary applications, in addition to standard office and commonly used file types like PDF.

Dell Encryption is a flexible data-at-rest offering that’s now available in a choice of file-based or full-disk encryption — or both for a dual encryption offering. It also includes enhanced support for the NSA’s Commercial Solutions for Classified (CSfC) Program, which mandates the need for two layers of encryption to address emerging threats posed by quantum computing that can theoretically circumvent traditional AES 256 cryptography.

SkyKick Wants to Help Cloud Partners with GDPR Compliance

SkyKick has completed the necessary steps for compliance with the upcoming General Data Protection Regulation (GDPR) privacy requirements, and says it can provide a critical piece for cloud IT partners racing to meet the May 25 deadline. Specifically, it has put auditing and compliance controls in place to provide a GDPR-compliant data processing agreement for partners.

Gerard Doeswijk, SkyKick’s director of technical engagements for EMEA and data protection officer for the European Union and European Economic Area, tells us the company started its compliance journey in January 2017 and quickly concluded that “we wanted to build privacy into the core of our systems, and not just work toward ‘checking a box’ for GDPR compliance.”

“We started the design process by thinking about how our partners and their customers are at the heart of our systems,” he said. “By so doing, data flow and privacy become a core topic of ideation and discussion in even the very first envisioning and design conversations about the product and features. We call this ‘privacy by design’ — and it made it easier to construct a clear understanding of data we are collecting and improve our ability to trace all that data through our systems. For instance, by providing a partner with a real identity and persona within our systems, we were able to more effectively capture the interactions with SkyKick — and we improved our ability to track, trace and audit customer interactions.”

As the data processor, SkyKick takes on the “lion’s share” of the compliance burden, so cloud IT partners wrestling with their own GDPR compliance have one less thing to worry about, Doeswijk said. Instead, they can focus on building a more profitable cloud business, he said.

SkyKick found and evaluated several vendors offering consultancy, and in certain cases certification products, on how best to implement and get ready for GDPR, he said.

“Those that took the time to listen and evaluate our compliance program unanimously confirmed that the incremental approach we chose to adopt was the only way to get to a state of readiness,” Doeswijk said. “And our suspicion, that there is no true certification for GDPR just yet, was also confirmed. So we used valuable external resources where available – e.g. the Microsoft GDPR readiness framework – and then applied our own strong and longstanding privacy thinking and lean-agile processes to get to concrete action.”

GDPR Takes Heavy Financial Toll

Companies seem to be taking GDPR very seriously, according to a new survey by Netsparker. While many still aren’t compliant with other security regulations, almost all of the security executives surveyed said their organizations are actively involved in the process to become GDPR-compliant.

And the cost of GDPR is steep: While 80 percent of those in a micro company (one to nine employees) expect GDPR compliance to cost their business under $50,000, 92 percent of those working at an enterprise with more than 1,000 employees expect their cost to exceed $50,000. Additionally, one in 10 says GDPR compliance will cost their business less than $10,000, while about two-thirds will spend $50,000-100,000, about one-quarter will spend between $100,000 and $1 million, and one in 10 says it will cost their business more than $1 million.

“People are taking GDPR seriously because of how many high-profile data breaches we have all witnessed in the last few years,” said Ferruh Mavituna, Netsparker’s CEO. “In the past, blame for data breaches was shifted around from party to party. Was it the business? The individual? The government? GDPR removes the ambiguity. As of May 25, businesses are responsible for data breaches. As a result, companies will have to restructure how they handle data, and, if they don’t have a sound IT infrastructure, they will have to rebuild from the ground up. It’s heartening to see that so many companies are taking themselves to task.”

Although 82 percent of companies currently have a data privacy officer (DPO) on staff, more than three in four (77 percent) plan to hire a new, replacement DPO prior to GDPR going into effect. More than two-thirds of businesses have had to hire at least six new employees to achieve GDPR compliance, and almost one in five has had to hire at least 10.

Kaspersky Lab Updates Flagship Product

Kaspersky Lab’s Endpoint Security for Business now includes next-generation detection through machine learning, increased visibility and granular security controls, including vulnerability management, credentials protection and integration with endpoint detection and response (EDR).

Andrey Pozhogin, Kaspersky Lab cybersecurity expert, tells us the new version packs a “significant number of improvements to the management console that enables scenario-oriented operations.” Additionally, integrations with technology partners such as AirWatch make for a “seamless environment with easier management and improved visibility,” he said.

A variety of broader security controls is supplemented with new capabilities designed to help protect businesses from trending cyberthreats such as WannaMine, which hijacks computers and uses their resources to mine cryptocurrencies.

Pozhogin said the new version creates opportunities for partners in two main ways: native integration with EDR enables enterprise solution selling, easier deployment and simplified management; and a 30-50 percent reduction in resource use makes an appealing case for a lower footprint, less resource usage and more satisfied users.

“Given 300,000-plus new samples of malware are detected every day, even 1 percent of a difference in efficacy can have a huge impact on overall total cost of ownership (TCO), user satisfaction and support interactions,” he said.

The product is available globally under Kaspersky Lab’s standard subscription licensing model.