Cloud 9 Advisers - News , Cybersecurity

CMMC: 6 Key Takeaways

Mon, 20 Oct 2025 09:49:47 -0500

What Everyone Gets Wrong About CMMC: 6 Key Takeaways from the Final Rule

The Cybersecurity Maturity Model Certification (CMMC) final rule is here, and it challenges everything the Defense Industrial Base (DIB) thought it knew about compliance, cost, and contract eligibility.

Unlocking clarity in the complex world of CMMC compliance.

The CMMC Final Rule: What You Thought You Knew Just Changed

For government contractors, the Department of Defense's Cybersecurity Maturity Model Certification (CMMC) program has been a source of complexity, cost, and considerable anxiety. Since its inception, the regulation has evolved, leaving many in the Defense Industrial Base (DIB) struggling to keep up with its requirements and implications. The goal is clear: to secure the DIB against evolving cybersecurity threats and protect sensitive government information.

Beneath the dense regulatory language of the final rule, however, are several surprising, counter-intuitive, and impactful realities that every business in the DIB needs to understand. These aren't minor details; they are fundamental aspects of the program that challenge common assumptions and have significant strategic implications for contract bidding, IT investment, and risk management.

This article distills the official CMMC rule documents into a clear, scannable list of the most critical takeaways. It cuts through the noise to reveal what the Pentagon’s new cybersecurity rules really say and what they mean for your business. Our goal is to give you clarity and confidence to make quick, informed decisions.

Takeaway 1: "Self-Attestation" Isn't Dead—It Just Evolved

A core motivation behind the original CMMC program was to move the DIB away from the "self-attestation" model of security that the DoD had previously relied on for NIST SP 800-171 compliance. The perception was that self-reporting wasn't effective enough, necessitating a shift toward third-party verification.

The surprising twist is that the revised CMMC Program (often called CMMC 2.0) streamlined the model and reintroduced self-assessments as a valid compliance pathway. The final rule confirms that companies at Level 1 and a subset of companies at Level 2 are allowed to demonstrate compliance through annual self-assessments rather than a mandatory third-party audit.

This is a significant and pragmatic change that alleviates the immediate, immense cost and logistical burden a universal audit requirement would have placed on the DIB, especially on small businesses. This evolution represents a calculated, risk-based decision by the DoD, which has determined that for contracts involving less sensitive information, the risk of unverified compliance is acceptable when weighed against the practical realities and costs imposed on the defense industrial marketplace.

Takeaway 2: Perfection Isn't Required to Win a Contract

A common misconception about CMMC is that a contractor must have a perfect cybersecurity assessment score to be eligible for a contract award. This assumption has been a major source of stress for companies working toward compliance, as achieving 100% implementation of all security controls is a formidable task.

The final rule clarifies that this is not the case. An organization can be awarded a contract by achieving a "Conditional Level 2" or "Conditional Level 3" CMMC status. To qualify, a company must achieve a minimum score equal to 80% of the maximum score on a CMMC Level 2 or Level 3 assessment. All unmet requirements must be documented in a Plan of Action and Milestones (POA&M).

Critically, the organization has a 180-day deadline from the date of the conditional assessment to close out the POA&M and meet all remaining requirements. This is a significant and practical concession from the DoD, allowing companies to win business while still finalizing their compliance efforts.

Takeaway 3: The Government Won't Tell You Exactly What to Protect

One of the most persistent areas of confusion for contractors is determining what information, exactly, constitutes Controlled Unclassified Information (CUI). Many have asked the government for clearer definitions, guidance, and contract-specific lists to help define the scope of their CMMC efforts.

The counter-intuitive reality is that the DoD has officially stated this is outside the scope of the CMMC rule, placing the primary responsibility for identifying CUI squarely on the contractor. The rule's commentary includes a direct and unambiguous response to industry requests for guidance:

The CMMC Program will not provide CUI guidance materials to industry as it is outside the scope of this CMMC rule.

The document further clarifies that official DoD policy states, "The authorized holder of a document or material is responsible for determining, at the time of creation, whether information in a document or material falls into a CUI category." This places a significant burden on contractors, who must become experts in data classification to accurately define the scope of their own CMMC assessments.

Takeaway 4: The Biggest Costs of CMMC Aren't Considered "CMMC Costs"

The high cost of CMMC compliance is a major concern across the DIB. However, the DoD's official position on what constitutes a "CMMC cost" may come as a surprise. The costs to implement the required security controls for Level 1 (from FAR 52.204-21) and Level 2 (from NIST SP 800-171) are not considered costs attributable to the CMMC rule.

The government's rationale is that these implementation requirements were mandated years earlier, with a deadline to implement the NIST SP 800-171 controls set back in December 2017. Therefore, from the DoD's perspective, companies should have already incurred these implementation costs. The only new costs officially attributed to CMMC Levels 1 and 2 are for the assessment and affirmation activities required to verify that those pre-existing requirements have been met. The DoD reinforces its perspective on the necessity of these costs with a powerful statement:

The cost of lost technological advantage over potential adversaries is greater than the costs of such enforcement.

Takeaway 5: Your Cloud Provider Is Part of Your Audit

A company’s CMMC compliance boundary does not end with its own on-premises servers and workstations. If an organization uses an external Cloud Service Provider (CSP) to process, store, or transmit CUI, that CSP is unequivocally part of the CMMC assessment scope.

The final rule specifies a clear and impactful requirement for these providers: the CSP must meet the FedRAMP Moderate baseline or an equivalent standard. The rule documents are explicit on this point, stating the following:

...the DoD is not willing to assume all the risk of non-FedRAMP Moderate Equivalent CSOs when the CSO is used to process, store, or transmit CUI.

This effectively makes vendor selection a compliance decision, not just an IT one. The contractor is ultimately responsible for ensuring its entire CUI data chain—including services provided by third parties—meets DoD's stringent security standards.

Takeaway 6: The "COTS Exception" Is Narrower Than You Think

The CMMC rule provides a well-known exemption for contracts that are solely for the acquisition of Commercially Available Off-the-Shelf (COTS) items. This has led some to believe that if they sell COTS products, they are exempt from CMMC entirely.

However, there is a critical and surprising nuance in this rule. The source text clarifies: "The exemption does not apply to a contractor's use of COTS products within its information systems that process, store, or transmit CUI."

A simple example illustrates this crucial distinction:

A company whose contract is solely to sell COTS laptops directly to the DoD might be exempt from CMMC for that specific contract.
However, if that same company uses those same COTS laptops in its own corporate network to perform work on a different DoD contract that involves CUI, then its network is subject to CMMC requirements.

The exemption applies to what is being sold, not to what is being used to perform contract work involving sensitive data. This is a crucial detail that could easily lead to a failed assessment if misinterpreted.

Conclusion: A New Era of Accountability and Pragmatism

The Cybersecurity Maturity Model Certification program represents a fundamental shift in the DoD's approach to securing its supply chain. It moves the DIB from a model based on trust and self-attestation to one centered on verification and accountability. Yet, as these takeaways reveal, the final rule is not a rigid, one-size-fits-all mandate. It includes pragmatic allowances—such as self-assessments and conditional certifications—that acknowledge the business realities faced by the thousands of companies that support the U.S. warfighter.

The rules are now set, and the phased implementation is underway. With this new era of accountability beginning, the true test now begins: will this landmark regulation successfully raise the DIB's security baseline to protect against advanced threats, or will it create unforeseen obstacles for the very innovators the DoD relies on? The path forward requires clarity, and recognizing these six realities is the first step toward confident compliance.

3rd-Party Assessments

Initial Evaluation

SMEs can't keep up

Fri, 20 Jun 2025 20:19:37 -0500

Smaller organizations reach security breaking point

From out friends at Computerworld and CSO Magazine

by John Leyden

Senior Writer

Jun 12, 20259 mins (a must read)

Strained budgets, overstretched teams, and a rise in sophisticated threats is leading to plummeting security confidence among SMEs as cybercriminals increasingly target them in supply chain attacks.

Limited budgets, overstretched IT teams, and a rapidly evolving threat landscape mean smaller organizations are approaching a “cybersecurity tipping point.”

The World Economic Forum’s (WEF) Global Cybersecurity Outlook 2025 report noted that “71% of cyber leaders say small organizations have already reached a critical tipping point where they can no longer adequately secure themselves against growing complexity of cyber risks.”

More than a third (35%) of small organizations believe their cyber resilience is inadequate, a proportion that has increased sevenfold since 2022.

By contrast, the share of large organizations reporting insufficient cyber resilience has nearly halved over the same period.

Skills gap leading to deteriorating security outlook

Experts quizzed by CSO said that the rapid adoption of emerging technologies — which comes with the downside of fresh vulnerabilities that cybercriminals can exploit — together with a widening skills gap is contributing to a deteriorating security outlook for small and midsize businesses (SMBs).

“Cyber skills gaps are prevalent in SMBs largely due to a lack of resources and specialized knowledge,” says Tom Exelby, head of cybersecurity at managed security services firm Red Helix. “Many SMBs don’t have dedicated cybersecurity teams, and those in charge of security can lack the confidence to perform even basic cyber tasks.”

Small and medium enteprises (SMEs) that do have budget to hire specialists often struggle to attract and retain skilled professionals due to the lack of variation in the role. Burnout is also a growing issue for the understaffed, underqualified IT teams common in small business.

“With limited resource in the business, employees are often wearing multiple hats and the pressure to manage cybersecurity on top of their regular duties can lead to fatigue, missed threats, and higher turnover,” Exelby says.

WEF’s report estimates that the cyber skills gap has increased by 8%, with two out of three organizations reporting moderate-to-critical skills gaps, including a lack of essential talent and skills to meet their security requirements. WEF’s findings are based on a survey of 321 qualified participants supplemented by 43 one-to-one interviews.

Resource constraints common in smaller businesses make maintaining even basic security posture an uphill struggle.

Steven Wood, director of solution consulting for EMEA at OpenText Cybersecurity, tells CSO: “Implementing and maintaining even basic defenses require strategies at multiple levels — user training, email threat detection, endpoint protection, DNS layer filtering, proper authentication, patch management, event monitoring, backups and drills — which can overwhelm small IT teams with limited budgets and headcount.”

Wood adds: “Given the scope of this list, it can be difficult for organizations to keep up with even baseline best practices for security.”

SMEs targeted by supply chain attacks

SMEs often mistakenly believe that cyber attackers only target larger organizations, but that’s often not the case — particularly because small business partners of larger companies are often deliberately targeted as part of supply chain attacks.

“Threats are becoming more advanced but their resources aren’t keeping pace,” says Kristian Torode, director and co-founder of Crystaline, a specialist in SME cybersecurity. “Many SMEs are still relying on outdated systems or don’t have dedicated security teams in place, making them an easy target.”

Torode adds: “They’re also seen by cybercriminals as an exploitable link in the supply chain, since they often work with larger enterprises.”

“SMEs have traditionally been low-hanging fruit — with limited resources for cybersecurity training, advanced tools, or dedicated security teams,” Adam Casey, director of cybersecurity and CISO at cloud security firm Qodea, tells CSO. “More often than not, cybersecurity is left to overstretched IT departments already juggling multiple responsibilities.”

Training shortcomings and regulatory headaches

Cyber training is another area where smaller firms are falling behind.

“Annual training modules are no longer fit for purpose given the rate of change,” says Dr. Rick Goud, CIO and cofounder of secure email vendor Zivver. “What is needed is more dynamic, context-aware education that is delivered when and where employees are most likely to make mistakes.”

In addition to challenges keeping up with the latest training, the proliferation of regulatory requirements around the world is also adding a significant compliance burden for smaller organizations.

“As regulations like NIS2 and GDPR become stricter, compliance is often left to senior leadership teams who are already juggling multiple roles,” Goud says. “Without a dedicated data protection officer or team, it’s easy for things to fall through the cracks, especially when third-party suppliers are involved.”

Worse, the need to comply with NIS2 in the EMEA region is eating into IT budgets, placing further strain on smaller organizations. Moreover, regulations like NIS2 and DORA are placing even greater pressure on talent markets and skills gaps.

Growing threats

Smaller teams, already struggling with limited cyber skills, are often ill-equipped to manage a growing array of threats. This is contributing to a widening gap in security maturity between larger and smaller organizations.

“Unlike large enterprises, SMEs often lack the budget and specialized personnel to secure a sprawling IT stack, especially as hybrid work and cloud adoption expand their attack surface,” says Robert Phan, CISO at cloud-based directory services firm JumpCloud.

Martin Greenfield, chief executive at Quod Orbis, also sees the shift to cloud and hybrid work environments challenging SMEs at a time when “threat actors have become faster, smarter, and better resourced,” he says.

Moreover, a small business monoculture of similar (cheap) security tools and much the same IT equipment — often set up in default (insecure) configurations — makes it possible for cybercriminals to automate attacks against SMEs at scale, notes Richard Werner, cybersecurity platform lead for Europe at Trend Micro.

As a result, security threats are evolving and growing faster than most SMEs can track let alone remediate. For example:

Generative AI is supercharging phishing and BEC social engineering: Attackers are using AI to craft highly personalized, fluent phishing lures — making messages harder to spot and massively increasing overall volume.
Ransomware-as-a-service has professionalized: Today’s RaaS platforms offer affiliate dashboards, playbooks, negotiation support, and multi-extortion (combining encryption, data theft, and public shaming), raising both the technical sophistication and reputational pressure on victims.

New attack surfaces are rising around cloud and identity: “Poor IAM and exposed remote-access services have driven a surge in cloud-focused ransomware and account-takeover attacks,” according to OpenText Cybersecurity. “In 2024 alone, cloud ransomware incidents spiked as attackers moved beyond endpoints to steal API keys or abuse services like Okta and Azure AD.”

“Security threats are evolving faster than most SMEs can track,” Zivver’s Goud says. “AI-driven phishing, deepfake scams, and automated exploitation are all on the rise, but most organizations do not have the internal capability to monitor or respond to them. That gap is growing and so are the risks.”

Vulnerability surge

Small business IT teams have always struggled to prioritize and triage security problems — a problem that has only grown more acute in recent years as the volume of vulnerabilities has increased.

According to the Verizon Data Breach Investigation Report for 2025, vulnerabilities grew as an attack vector by 180% over the year prior. Looking at the number of software vulnerabilities reported, that number has gone up as well — from 25,059 in 2022 and 28,961 in 2023 to 40,077 in 2024.

“When you are a small team, that number of issues is just impossible to track,” Matt Middleton-Leal, managing director for EMEA at Qualys, tells CSO. “The right approach here is to grade potential issues for severity and then spend time on what matters. This can help every small team have a big business impact.”

Business dynamics also have a part to play in the increasing security problems faced by SMEs.

“SMEs have accelerated digital transformation to remain competitive or simply to stay operational during the pandemic,” Qodea’s Casey points out. “Yet many still lack the internal expertise to properly assess or address the security implications of this shift."

Mitigation

While a wealth of information is available, such as the UK NCSC’s small business security guide, small businesses often find it difficult to find actionable guidance.

During a session at the Infosecurity Europe conference earlier this month, representatives of the CyCOS project explained how they were offering a community-based approach to support small business in becoming more secure.

CyCOS is a collaboration between three UK universities (Nottingham, Queen Mary, and Kent), and is supported by a variety of partners, including the Home Office, National Cyber Security Centre (NCSC), ISC2, the Chartered Institute of Information Security (CIISEC), and three regional Cyber Resilience Centres.

During the panel, Professor Steven Furnell, a CIISEC board member, pointed out that “SMEs have the security guidance but they don’t know how to take it forward by building communities, so that small businesses have someone to talk to apart from consultants.”

Industry experts argue that use of managed security services can help small businesses to become more resilient.

“In the short term, SMBs can solve the problem by partnering with a managed security services provider who can not only better protect them and respond to threats but also advise them away from overinvesting in security tech that they really don’t need,” says Red Helix’s Exelby. “To fix the long-term skills gap issue impacting the entire sector, education is a key alongside greater diversity.”

Automation is another vital security strategy for helping SMBs mind the gaps.

“Most small IT teams can’t manage the constant churn of alerts, patches, and manual controls — that’s why automation is essential,” says Albert Estevez, field CTO at Zero Networks. “By automating segmentation and access control, organizations can reduce risk and contain threats — without needing enterprise-sized security teams.”

Link to original CSO article: https://www.csoonline.com/article/4003892/smaller-organizations-nearing-cybersecurity-breaking-point.html

Let Cloud 9 introduce you to:

Get Started Now

CrowdStrike and Microsoft

Fri, 09 Aug 2024 14:22:27 -0500

CrowdStrike and Microsoft Outage: Next Steps

The CrowdStrike and Microsoft Outage Aftermath: Next Steps by Jeff Hathcote, Solution Architect – Security

CrowdStrike and Microsoft: Hard at work

While unintentional in nature, the recent CrowdStrike outage caused disruptions that reverberated throughout the globe. While CrowdStrike and Microsoft are hard at work to rectify an estimated 8.5 million computers affected worldwide, guess who’s hard at play taking advantage of the situation? The bad guys and their phishing schemes.

Now is the time to work with Cloud 9 to help you understand the implications of the outage, and the importance of prioritizing your resiliency plans.

The vital role of Cloud 9 Advisers and Essential Discussion Points:

In the aftermath of the CrowdStrike outage, Cloud 9 has a critical role to play as your trusted adviser. We can help with guidance on navigating this crisis in two ways: 1) Helping you comprehend the situation, and 2) Advising you on how to strengthen your defenses to avoid a similar disaster from impacting your organization (any sized company is vulnerable to modern cyber threats.)

1. Understanding the Outage

It is important to note that the CrowdStrike/Microsoft outage was NOT a cyberattack. The incident began with a software update. As part of its ongoing threat protection, CrowdStrike regularly updates its sensor with the latest threat data. In this instance, the update violated a protected memory address within the Microsoft Windows environment, causing the operating system to encounter a critical error, resulting in the ubiquitous “blue screen of death” where an affected device is unable to recover on its own.

The workaround to the issue involved a very manual process, requiring users/admins to log in to each machine under “safe mode” and remove the registry key that contains the faulty code. This event shows just how connected technology products are within our ecosystem, and one failure can cause a cascade of devastating impact on an entire infrastructure.

While both CrowdStrike and Microsoft are working diligently to assist in recovery efforts, we all need to be aware of the potential for secondary attacks from cybercriminals based on information collected via a phishing attack.

Learning from the Incident: How to Outsmart the Bad Guys

Within hours of the incident on July 19, 2024 CrowdStrike warned of malicious activity trying to exploit the outage. One primary method that cybercriminals are using is to send phishing emails purportedly from CrowdStrike (or Microsoft) using “spoofed” addresses (i.e., somebody@crowdstrikeoutage.com) with malicious attachments or simply to gather information for a later compromise.

CrowdStrike and Microsoft are working around the clock to provide guidance as well as potential tools to assist with recovery. Some good, free advice: DO NOT OPEN any emails from unofficial addresses posing as CrowdStrike or Microsoft support and thoroughly questioning any potential phone calls you may get from CrowdStrike staff; they are likely impersonators.

Additionally, this unfortunate incident opens up the conversation for developing (or revisiting) a robust cybersecurity prevention and recovery plan. With access to a breadth of cybersecurity providers, solution architects, and managed services, Cloud 9 has the opportunity to help you with your entire strategy – from organization-wide cyber training, to IT outage response plans, to infrastructure automation for disaster recovery, to third-party risk management and consulting programs.

Or, if you’re a maverick and really want to stir the pot, we can even help you switch it all over to Google and Chromebooks!

Final Thoughts

“This high-impact event emphasizes the urgency to keep resiliency plans current, communicated, and understood within the organization to avoid the types of customer disruptions experienced since July 19. Like other industry disruptions this year, this event creates conversational opportunities about how to best prepare organizations for these inevitabilities.” – Koby Phillips, VP of Advanced Solutions

While the CrowdStrike outage presents significant challenges, Cloud 9 is ready, willing, and able to offer expert guidance. We can assist you in navigating this crisis and help you emerge stronger and more resilient. To that end I ask: Which components or upstream service providers in your environment are you dependent on? Are you considering additional resiliency around your mission critical vendors?

Get Started Now

Microsoft Down!

Fri, 19 Jul 2024 09:31:16 -0500

CrowdStrike Issues Cause Global Microsoft Outages

Elon Musk suggests this could be the biggest IT failure ever. Is he right?

Note: We are not reporters, regardless we thought this story important enough to share. We've pieced together this article from a few other (hopefully) reputable stories, sources, and reports. We'll try to keep things updated appropriately

Microsoft's Global Outage Linked to CrowdStrike:

In an unexpected turn of events, Microsoft's global outage has been traced back to a disruption caused by CrowdStrike. This incident has rippled across the globe hitting numerous industries, affecting countless users, and raising significant concerns about security and operational resilience. Here's a comprehensive look at the situation, drawing insights from multiple sources to provide a detailed understanding.

The Outage and Its Immediate Impact

Starting Thursday evening July 18, 2024 and coming to a head on Friday, Microsoft experienced a significant global outage, affecting services such as Office 365, Azure, and Teams - but seemingly and mostly attributed to Microsoft Windows. This disruption impacted businesses worldwide, halting operations and causing widespread frustration among users and consumers alike. According to Wired, the root cause of the outage was identified as an issue linked to CrowdStrike's security software, which is integrated into Microsoft's infrastructure for enhanced cybersecurity measures

https://www.wired.com/story/microsoft-windows-outage-crowdstrike-global-it-probems/

What Happened?

Initial investigations revealed that a recent update to CrowdStrike's Falcon platform inadvertently triggered a cascade of failures within Microsoft's systems. This apparently routine update, meant to enhance security features, instead led to serious unexpected system incompatibilities and undesired behavior. The BBC reports that the issue was severe enough to cause cascading failures across Microsoft's global network, demonstrating the interconnected nature of modern IT ecosystems

https://www.bbc.com/news/live/cnk4jdwp49et

Response and Mitigation

Microsoft's response to the outage was swift but challenging. The company's IT teams worked around the clock to isolate the issue and restore services. As detailed by Reuters, Frontier and many other smaller and major airline were significantly affected by the outage. Airline operations around the world were disrupted, highlighting the broad impact of Microsoft's downtime on various sectors.

To address the problem, Microsoft collaborated closely with CrowdStrike to roll back the problematic update and implement fixes. This process involved complex troubleshooting and coordination to ensure that services could be safely restored without further disruptions

According to https://admin.microsoft.com/servicestatus as of now Microsoft reports "We're all good".

Implications for Businesses

This incident underscores the critical importance of robust operational and cybersecurity measures and the need for careful management of third-party integrations. It's so often the little things being overlooked that get us in the end.

Businesses that rely heavily on cloud services and interconnected IT solutions must consider the potential risks associated with such dependencies. The Microsoft-CrowdStrike outage serves as a stark reminder that even the biggest and best trusted providers can pose risks if not managed correctly.

Moving Forward

As Microsoft and CrowdStrike work to fully resolve the fallout from this outage, businesses should take this opportunity to reassess their own IT strategies and preparedness. Ensuring that your organization is resilient against similar disruptions is crucial in today's interconnected digital landscape.

For more information on the current status of Microsoft's services, please visit the Microsoft Service Status page

At Cloud 9 Advisers, we specialize in helping businesses navigate the complex landscape of IT solutions. Our extensive portfolio of top-tier technology providers ensures that you find the right partners to build a resilient and secure IT infrastructure. Whether you're looking to enhance your cybersecurity posture, streamline your operations, or ensure business continuity, our expert advisers are here to guide you every step of the way.

Don't let unexpected disruptions catch you off guard. Contact Cloud 9 Advisers today and discover how we can help your business stay ahead in the ever-evolving digital world.

Google: an alternative

Mon, 17 Jun 2024 16:13:10 -0500

Google Raises Concern's about Microsoft Security: New Whitepaper shows

The Department of Homeland Security’s Cyber Safety Review Board (CSRB) found that repeated security breaches against the federal government were due to a cascade of security failures at Microsoft, as well as a corporate culture that deprioritized cybersecurity.
Google proposes a safer alternative.

View and download Google's whitepaper

Following several high-profile cybersecurity incidents, Microsoft faces scrutiny. Google's new white paper, "A More Secure Alternative," highlights its own security practices while referencing a Department of Homeland Security's Cyber Safety Review Board (CSRB) report that identified security failures and poor cybersecurity culture and focus within Microsoft. This report may influence customer decisions: Google or Microsoft?

Scathing report from DHS

Microsoft's security vulnerabilities reached a critical point recently, exposing U.S. and U.K. government customers in a series of high-profile attacks. Notably, a 2023 incident by Storm-0558 compromised sensitive government accounts across 22 organizations, impacting over 500 individuals and tens of thousands of emails. This breach triggered a scathing report from the Department of Homeland Security's Cyber Safety Review Board (CSRB). The report exposed a chain reaction of security failures and a corporate culture that downplayed both enterprise security investments and rigorous risk management.

Further amplifying concerns, a separate high-profile incident involved state-backed cyber actors known as Midnight Blizzard. This group successfully compromised Microsoft corporate email accounts, enabling them to steal email exchanges between Federal Civilian Executive Branch (FCEB) agencies and Microsoft. This critical breach prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue Emergency Directive ED 24-02.

What is the real target?

It's pretty obvious now that government agencies are a prime target for cyberattacks due to their sensitive data and many other factors. Most agencies heavily rely on Microsoft products. In a 2022 Google survey, 84% of all Washington, D.C. metro area employees use Microsoft products. Furthermore a broader survey from Omdia found 85% of all federal government employees use Microsoft.

Google Workspace has sizable market share in the business, education, and healthcare sectors - largely due to its ease of use, simple and intuitive interface, comprehensive billing, and most importantly advanced cybersecurity protections built-in.

Does that mean bad actors are targeting customers of Microsoft or going after specific targets of interest? That remains to be seen but likely a little of both. If the target is interesting enough it doesn't matter what platform or systems are used.

Another important question might be: if the tables were turned, Google happened to have higher market share in government, would the "scathing report" be about them? Of course Google doesn't think so.

Things to consider

No one is suggesting you haul off and switch you entire business or government agency from Microsoft to Google (oh, wait... no, that is exactly what Google is hoping for!) but, it might be a good opportunity for a deeper inspection and even a thorough evaluation/comparison of the two. At the least to see what the other has to offer. At least the whitepaper is compelling enough for customers to probe for more.

Considering such a decision is so big and impactful for everyone involved, consider outside help. A technology adviser or IT consultant can guide you through the process and introduce you to the right experts and partners.

Not all is lost

Google is certainly an option, and a pretty good one at that. Microsoft has made announcements addressing some of the concerns outlined in the report. They are making efforts to change the behavior and culture within Microsoft ranks. A recent Dark Reading article reports that at least a portion of executive compensation will be tied to meeting security goals.

Get Started Now

About Cloud 9

Our advice always has been and remains: get the right partner in place. Having the right Microsoft or Google partner will have profound impact on your experience with either platform. Consider Cloud 9 your partner finder! That's all we do - connect our clients with the right partners, vendors, suppliers and service providers for Cybersecurity, Communications, Connectivity, and Cloud.

Key security Concepts, 1

Mon, 13 May 2024 05:42:00 -0500

Confidentiality. Integrity. Availability.

A cybersecurity framework is a set of practices, policies, and procedures that help an organization to create an effective security program. Key concepts for Cybersecurity is starting with a framework. There are plenty of pre-built frameworks available to guide you based on your industry, like NIST, PCI, HIPAA, ISO and more. But before you go there, and maybe before you even pick one, you should start with the Three Rules or Three. The first set starts with Confidentiality, Availability, and Integrity. This is the fine balancing act for Cybersecurity, also known as the “bedrock principle for Cybersecurity.” There’s no such thing as perfect security, you can’t spend all resources on all three areas - so focusing on your specific business needs, and identifying which of these are most important to your business and the separate business units helps properly align Cybersecurity solutions with business outcomes.

If your an accounting firm integrity of data might be most important to you. If your an e-commerce company, then availability is critical. If you're in healthcare, confidentiality may be paramount. Start with the overall needs of the business as a whole, then drill down to the specific needs of each department or business unit. Striking the balance is also important from department to department.

Get Started Now

How to truly go Passwordless

Fri, 26 Apr 2024 17:08:43 -0500

Go beyond the Passwordless hype

Replace dreaded passwords with an intelligent authentication system that learns how people work and keeps them more secure.

Enterprises need better security.

We all know human error is still the largest security "threat". Fortunately, awareness and training are starting to chip away at the problem. However, at the root of some 81% of data breaches, compromised identity and credentials are the biggest attack vector in the modern enterprise. $16B was spent on Identity and Access Management (IAM) solutions in 2020 yet the problem is only getting worse. Existing solutions are simply not sufficient. Enterprises need better security.

Are you and your users tired of being bombed with MFA requests?

Reach out to your Cloud 9 solutions specialist for an introduction to one of our newest, exclusive cybersecurity providers. They combine the strongest identity proofing, presence, biometrics, and behavioral markers in one continuous engine to deliver the most comprehensive passwordless solution on the planet (a little poetic license, but we’re pretty sure that is Tru).

Patented AI technology provides the strongest end-to-end identity verification authentication and continuous risk management for human and machine identities. In combination with your current or a new Security Awareness Training program it will help companies eliminate the most significant causes of data breaches - social engineering attacks, human errors, and misuse.

Passwordless - eliminate passwords as a means of authentication and enable clever and usable biometrics for authentication instead–without new hardware and systems

Continuous Adaptive Trust / Continuous Authentication (CAT) - Extend passwordless access beyond just point-in-time authentication, provide identity device and environmental risk assessment at multiple points in time during user sessions. Using patented ML and AI based learning systems that fuse biometrics, behavioral, device, and environmental signals to determine true identity continuously, in a globally compliant manner.

Converged - merge the digital and physical world by enabling trusted physical access to buildings, server rooms, restricted physical areas, and all integrated with Passwordless and CAT solutions.

COMPLETE

Cover all work scenarios with support for Windows, Mac, Linux, and servers; web and native mobile apps; and passwordless VDI and network access (VPN, wireless)

CONTINUOUS

Go beyond point-in-time initial authentication and extend security within the working session, continuously learning and assessing behavioral risk

CONNECTED

Easy to deploy into any environment with rich, standards-based, pre-built integrations

COORDINATED

Enjoy workflow and policy-driven self-service identity proofing, onboarding, and account recovery

CONVERGED

Unify physical and digital security into the same solution, allowing for greater flexibility in workplace design and management

Get Started Now

Cloud 9

Cloud 9 Advisers exists to help organizations make smart IT decisions quickly and confidently. We work with leadership and understaffed IT teams who are embarking on projects outside their wheelhouse and help to rationalize IT spend. We are objective, impartial, and unbiased technology sourcing experts with vendor-neutral engineering teams that focus on four critical segments: Cybersecurity, Communications, Connectivity, and Cloud. We do not sell solutions, we work with you to identify and research solutions. We are not another vendor, we are your partner helping you evaluate and compare vendors; so you can solve problems and achieve business outcomes, fast.

Gone Phishin'

Mon, 04 Dec 2023 11:53:38 -0500

SATs plus Phishing Simulation, A No-Brainer

Arm yourself with knowledge and enhance your organization's cyber resilience. Any Security Awareness Training (SAT) program worth it's salt should have phishing simulation built in. Uncover the power of testing your team's resilience against the ever-evolving threat of phishing attacks.

Strengthening Cyber Defenses

In the ever-evolving landscape of cybersecurity, where human error remains the leading cause of incidents, the significance of robust Security Awareness Training (SAT) cannot be overstated. A recent study by IBM revealed that a staggering 95% of cybersecurity breaches stem from human error, emphasizing the critical need for proactive measures. In our previous exploration of SAT, we delved into the pivotal role it plays in mitigating these errors. Now, let's journey further into the realm of cyber resilience and focus on a key augmentation to SAT – the indispensable Phishing Simulation.

The Power of Security Awareness Training:

Security Awareness Training (SAT) acts as a shield against the inadvertent actions and decisions that can lead to security breaches. It equips your staff with the knowledge to navigate the intricate web of scams, tactics, and evolving security threats. This empowerment, in turn, aids in fostering a security-conscious culture within the organization, reducing the exposure to potential risks.

Enter Phishing Simulation:

While SAT lays the groundwork for understanding security principles, the integration of phishing simulation takes your cybersecurity strategy to the next level. It serves as the litmus test for your employees' comprehension of security threats, specifically their ability to identify and thwart phishing attempts.

Putting Knowledge to the Test:

Phishing simulation operates on the premise of realism. By deploying lifelike phishing scenarios, organizations can gauge the reactions of their employees in real-time. Do they recognize the subtle signs of a phishing email, or do they inadvertently open the door to potential threats? The simulation provides invaluable insights into the efficacy of your SAT program and identifies areas that may require additional attention.

Creating a Cyber-Resilient Workforce:

The true value of phishing simulation lies in its ability to fortify your workforce against the ever-persistent threat of phishing attacks. It goes beyond theoretical knowledge, allowing employees to apply their learning in a practical setting. As they face simulated phishing attempts, the training becomes a dynamic experience, honing their instincts and enhancing their ability to make informed decisions.

Strategic Benefits of Phishing Simulation:

Measuring Security Awareness: Phishing simulation becomes a litmus test for your employees' security awareness. Identify those who may be more susceptible to falling victim to a phishing attack, enabling a targeted and effective SAT program.
Enhancing Phishing Identification Skills: Practical exposure to realistic phishing emails sharpens your team's ability to discern the telltale signs of a scam. This, in turn, empowers them to avoid clicking on malicious links or opening potentially harmful attachments.
Fostering a Culture of Security: Beyond individual training, phishing simulation contributes to creating a broader culture of security within your organization. When employees witness the organization's commitment to rigorous testing, they are more likely to embrace and adhere to security precautions.
Reducing the Risk of Data Breaches By reducing the number of employees susceptible to phishing attacks, organizations can significantly lower the risk of data breaches. This proactive approach safeguards against financial losses, reputational damage, and potential regulatory fines.

In the intricate dance between cybersecurity and human behavior, the synergy between SAT and phishing simulation emerges as a formidable defense. Together, they empower your workforce to navigate the digital landscape with confidence and resilience. As we continue to unravel the layers of cyber resilience, the integration of these two components stands as a testament to the proactive measures organizations can take to secure their digital future.

Cloud 9 Advisers

Let us help you find the right SAT and Phishing simulation solutions and providers. Our only job in this world is to help organizations buy "cool" and important stuff: i.e. cybersecurity.

Always-On Endpoint Management

Tue, 14 Nov 2023 13:06:11 -0500

Always-on endpoint management is a must-have

Always-on endpoint management is a must-have for enterprises today.

In a world where employees are increasingly working from anywhere and on any device, it's more important than ever to have a solution in place that can manage and protect all endpoints at all times.

Here are just a few of the benefits of always-on endpoint management:

Improved security: Always-on endpoint management can help to protect your organization from cyber threats by providing real-time visibility and control over all endpoints.
Reduced downtime: By proactively monitoring and managing endpoints, always-on endpoint management can help to reduce downtime and keep your employees productive.
Increased compliance: Always-on endpoint management can help you to comply with industry regulations by ensuring that all endpoints are configured and patched correctly.

If you're not already using an always-on endpoint management solution, here are a few things to consider when choosing one:

Comprehensive endpoint visibility: Make sure that the solution you choose provides comprehensive visibility into all endpoints, including laptops, desktops, mobile devices, and IoT devices.
Real-time monitoring and control: The solution should also be able to monitor and control endpoints in real time, so that you can quickly respond to threats and incidents.
Security automation: The solution should be able to automate many common security tasks, such as patch management and vulnerability scanning.
Compliance reporting: The solution should also be able to generate reports that can help you to comply with industry regulations.

Cyber Readiness

Click the button below to schedule your appointment and learn more about our Cybersecurity Readiness Report - custom tailored recommendations and roadmap for your business and your needs

Book now

Technology Sourcing

Cybersecurity can be complex, but getting the right strategy and solutions in place doesn’t have to be. Cloud 9 Advisers will provide you clarity so you can make quick and confident IT buying decisions. We help decision-makers make smart IT investments.

Get Started Now

The new SATs

Fri, 03 Nov 2023 15:20:08 -0500

Have you taken your SATs?

A well orchestrated Security Awareness Training (SAT) program for every single person in your company is perhaps the single most important cybersecurity tool, feature, element, solution, or service one could implement.

Knowledge is power

Human error is the number one reason for cybersecurity incidents. Security Awareness Training (SAT) is critically important for your staff and the integrity of your business - arguably more so than perhaps any other single cybersecurity solution or service. It helps to protect your organization from cyberattacks, breaches, data loss, and "silly" mistakes.

By training your staff on the latest security threats and best practices, you can help them to make more informed decisions about their behavior both online and while using company IT resources, reducing risk and exposure.

6 Reasons why

Human error is a major security risk: Studies have shown that a significant number of security breaches and data incidents occur due to human error. Employees may unknowingly fall victim to phishing attacks, click on malicious links, use weak passwords, or mishandle sensitive data. SAT helps educate and train staff members to recognize and avoid these common pitfalls, reducing the risk of security incidents caused by human error.
Protection against social engineering attacks: Social engineering attacks, such as phishing or impersonation, rely on manipulating individuals to gain unauthorized access or sensitive information. SAT teaches employees to identify and respond appropriately to these tactics, enhancing their ability to detect and report suspicious activities. By raising awareness of social engineering techniques, SAT helps create a more vigilant and security-conscious workforce.
Compliance with regulations and standards: Many industries are subject to specific regulations and standards regarding data protection and privacy, such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA). Security awareness training ensures that employees understand these requirements and their role in maintaining compliance. Failure to comply with these regulations can result in severe penalties and reputational damage.
Reinforcing security policies and procedures: SAT serves as a platform to communicate and reinforce security policies, procedures, and best practices within an organization. It helps employees understand the importance of adhering to security guidelines and provides them with practical knowledge on how to handle sensitive data, use secure communication channels, and protect their devices. Regular training sessions help keep security at the forefront of employees' minds and foster a culture of security within the organization.
Mitigating insider threats: While most employees are trustworthy, insider threats can still occur. Security awareness training educates staff about the potential risks associated with insider threats, such as unauthorized data access or data theft. By raising awareness, organizations can encourage employees to report suspicious activities and create a sense of accountability within the workforce.
Reducing the impact of cyberattacks: In the event of a cyberattack, well-trained employees can significantly reduce the impact and help mitigate the damage. SAT equips staff with the knowledge and skills to respond effectively, report incidents promptly, and follow incident response protocols. Their ability to recognize and respond to security incidents promptly can help contain threats and minimize the potential harm to the organization.

Overall, Security Awareness Training is an important investment for any organization that wants to protect its data, resources, and IT assets from cyberattacks. By training your staff on the latest security threats and best practices, you can help to reduce the risk of security incidents and protect your organization's reputation and bottom line.

Cloud 9 Advisers can help

There are many problems faced when buying IT services and solutions. Two big ones are the pace of change and too many choices. Cloud 9 solves decision paralysis with our IT decision-making platform. You get an expert, one-on-one, that will guide you through the entire process. We'll help you identify and research proper solutions then evaluate and compare the multitude of security awareness training solutions available today.

Get Started Now