News, Trends, and Insights for IT & Managed Services Providers

CISA calls for industry input as we examine new security data

Written by

Dave Sobel

Published on

September 9, 2022

We couldn’t go a week without revisiting security.

CISA is planning to ask industry leaders to help shape cybersecurity incident reporting, per comments from Jen Easterly. This reporting framework follows the law from March requiring that critical infrastructure owners and operators report major cyberattacks to CISA within 72 hours and ransomware attacks within 24 hours.

The aviation industry is pushing back on that 24-hour mandate from TSA, and the Record dives into that lobbying effort.

Also following up on a previous thread – software bill of materials. In May 2021, an executive order established them as an initiative for national cybersecurity, and they’re back in the news. The White House’s Office of Management and Budget is likely to soon issue a memo to federal agencies detailing how to go about including SBOMs in the contracting process, per reporting in Protocol.

Apple’s big event was this week – but leading up to it, Apple has indicated that 95% of iCloud users have 2FA enabled ahead of their launch of Passkeys. That feature comes in iOS 16, macOS Ventura, and iPadOS 16.

Good thing, too – MFA is under fire, with researchers outlining a new phishing and compromise campaign against Microsoft 365 accounts protected by MFA.

Generally, phishing attacks abusing SaaS platforms have increased by 1,100% from June 2021 to June 2022. That from Palo Alto Networks Unit 42.

While SaaS spending has surpassed IaaS, SaaS security is still not a priority. Axonius has released the results of a new research study focused on SaaS usage. The majority of respondents (74%) reported that more than half of their applications are now SaaS-based, and 66% reported spending more on SaaS applications today than a year ago.

But amid rising adoption and increasing costs, most organizations reported that SaaS security lagged in urgency and priority. Of those surveyed, 60% ranked SaaS security fourth or lower on their list of current security priorities, and only 34% cited being worried about the costs associated with rising SaaS-based app usage.

Some data on the need from RMM provider Action1. The 2022 SMB IT Security Needs Report finds that more than half of SMB respondents (52%) acknowledge they probably or definitely lack the technology and skills required to defend against modern cyber threats, and 60% admit that their IT security is either “very limited” or “needs improvement.” Nearly 6 in 10 organizations (57%) plan to increase their budget for IT security in 2022 by a moderate amount. Almost one-fourth (23%) plan a significant increase. That courtesy of Channel Pro Network.

Why do we care?

I included the data on SMB IT Security to acknowledge the current state of play – this isn’t anything new. What’s more interesting to me is the call for comment from the industry on incident reporting.

Literally a call for help from the industry. Asking for expertise from those with it and understanding its impacts. It’s easy to criticize government without analysis, and I will hold this up as another reason to be open-minded and engaged in the process.

So get out there and comment.
