Government IT Services Archives - Corsica Technologies
https://corsicatech.com/blog/category/managed-it-services/government-it-services/

Top 5 Takeaways from Cybersecurity Expert Rachel Wilson
https://corsicatech.com/blog/top-5-takeaways-from-cybersecurity-expert-rachel-wilson/
Published Wed, 06 Nov 2024 14:27:42 +0000

Last updated August 22, 2025.

Here at Corsica Technologies, we have the privilege of partnering with Affiliated Distributors (AD), a member-owned trade organization that brings together best-in-class distributors and suppliers to facilitate dynamic business partnerships. We attended AD’s North American Meeting for their PHCP division (Plumbing, HVAC and Pipes, Valves and Fittings). It was great to meet many of you there in person!  

Corsica is AD's preferred supplier and cybersecurity expert for distributors and manufacturers

I had the pleasure of introducing renowned cybersecurity expert Rachel Wilson. With her experience as Head of Data Security at Morgan Stanley and Senior Executive at the NSA, Rachel offered AD members an insider view into the state of cybersecurity today. She outlined some of the threats facing manufacturers and distributors—as well as solutions that are more achievable than you might think.  

Here are my top five takeaways from her cybersecurity presentation.  

Key takeaways:

  • Cyber resilience is critical, especially with the rise of nation-state threats.
  • AI-enabled attacks are on the rise, significantly increasing risk among organizations without dedicated cybersecurity resources.
  • A trusted cybersecurity partner can provide the vigilance, expertise, and required toolsets to stop these attacks.

1. The Importance of Cyber Resilience 

The cyber threat landscape is getting more complex all the time, and businesses should assume they’re already compromised. Rachel emphasized the critical need for businesses to build resilience so they can bounce back when—not if—a cyberattack occurs.  

How can organizations do this? Keeping systems fully patched and up to date is a great starting point. But Rachel also stressed the need for a robust backup strategy, recommending the three-two-one backup rule: three copies of your data, in two geographically dispersed locations, one of which is off-network. 

2. Nation-State Threats: North Korea and Iran 

If you think private US organizations are safe from nation-state threats—think again.  

Rachel provided an eye-opening overview of the cyber threats posed by nation-states like North Korea and Iran. She explained how North Korea has made hacking banks a major plank of their national strategy to fund their government, while Iran uses cyberattacks as an asymmetric threat to disrupt Western businesses. Rachel’s insights into the motivations and tactics of these nation-states were both alarming and enlightening. 

For US businesses, the call is clear: Engage an expert cybersecurity partner who stays on top of the latest threats. 

Watch Rachel Wilson’s cybersecurity presentation at the 2024 AD PHCP conference.

3. The Rise of AI-Enabled Cyberattacks 

One of the most captivating parts of Rachel’s presentation was her discussion on the rise of AI-enabled cyberattacks. She provided a detailed example of how hackers can use AI to automate and scale their attacks, making them more sophisticated and harder to defend against. Rachel’s example of an AI-enabled attack involving a botnet of smart refrigerators was particularly striking. 

While the rise of AI attacks is alarming, it’s important to remember that cybersecurity solutions are evolving even faster. AI is now playing a critical role in sophisticated cybersecurity technologies. When you work with a top-tier MSSP (managed security services provider), you get protection from the latest solutions on the market.

4. The Triple Extortion Ransomware Threat 

Rachel highlighted the growing threat of ransomware attacks, describing them as triple extortion scams. She explained how hackers not only demand a ransom to restore systems but also threaten to sell stolen data on the dark web—then offer “protection” against future attacks for a continuous fee.  

While that’s terrifying, Rachel’s advice was clear: Never pay the ransom, as it only encourages more attacks.  

Believe it or not, the best defense against ransomware attacks is cybersecurity training for your employees. You want comprehensive, engaging training, which is what we provide here at Corsica Technologies.  

5. Practical Cybersecurity Expert Tips 

Rachel’s presentation was filled with practical advice for improving cybersecurity. She recommended using password managers to create and store complex passwords securely, avoiding the use of personal checks and paper statements, and ensuring that employees are well-trained in cybersecurity awareness. Rachel’s emphasis on simple, actionable steps resonated with AD’s manufacturing and distributor audience, encouraging everyone to take proactive measures to protect their businesses and personal information. 

The Main Takeaway 

Rachel Wilson’s presentation was a powerful reminder of the ever-evolving cybersecurity threats we face and the importance of staying vigilant. Her experiences and insights provided valuable lessons for all AD members. We’re thankful to Rachel for providing her deep insight and leadership perspective on the current cyber threat landscape.  

Learn more about our cybersecurity and IT services for AD members.

Nate Troyer and Austin Hartman at the 2024 AD PHCP membership event.

CPCSC For Canadian Defense Contractors: What We Know Today
https://corsicatech.com/blog/cpcsc-canadian-program-for-cyber-security-certification/
Published Tue, 02 Jul 2024 14:20:00 +0000

Last updated August 22, 2025.

With cybersecurity threats evolving rapidly, local governments are taking steps to protect sensitive but unclassified information that they must share with their suppliers. This is a critical undertaking, as hackers can use sensitive information to inform their strategies—plus they can execute supply chain attacks by gaining access to one system, then moving upstream to compromise a more sensitive system.

The Government of Canada recognizes how these risks apply to their relationships with suppliers, and they’ve taken steps to develop a cybersecurity standard for defense contractors. This standard, known as the Canadian Program for Cyber Security Certification (CPCSC), is still being developed—but it’s not too early for suppliers to start learning what it will mean for them.

Here’s what we know today about the CPCSC.

Key takeaways:

  • The CPCSC will go into effect sometime in the winter of 2025.
  • There are three levels of CPCSC compliance, depending on the sensitivity of the information handled.
  • You can prepare now by familiarizing your organization with NIST 800-171 and 800-172.

What is the CPCSC?

The CPCSC is a new cybersecurity standard that will apply to suppliers who bid on defense contracts for the Government of Canada. Naturally, it will also apply to organizations that win the contracts and work on them.


Why comply with the CPCSC?

Simply put, if you want to bid on Canadian defense contracts, you’ll need to comply with the CPCSC. That’s a great reason to pursue compliance.

More broadly speaking, adhering to the CPCSC will also make your organization more secure. This means the benefits of compliance go far beyond Canadian defense contracts for organizations that work with multiple customers or other national governments. Simply put, the CPCSC will reduce the attack surface and strengthen the security posture of any organization that strives to comply with it.

When does the CPCSC go into effect?

The Government of Canada’s documentation indicates that the CPCSC will go into effect sometime during the winter of 2025. The Government is not providing a specific date at this point, but we’re guessing that information will come out later this year or early next year.

As of this writing, Public Services and Procurement Canada (PSPC) has conducted a request for information (RFI) process that closed on June 28, 2024. Companies that participated in the RFI process had the opportunity to “significantly influence the development and implementation of the program.”

While it’s too late to participate in the RFI process, the fact that PSPC engaged in it is great news for defense contractors. It means that suppliers had a seat at the table to help shape policy in a way that keeps both their organizations and the Government secure.

Key features of the CPCSC

While the CPCSC is still being created, the Government has released quite a bit of information about their intentions. Here’s what we know so far.  

  • The CPCSC will create a new Canadian cybersecurity standard that’s based on the NIST 800-171 and 800-172 standards developed in the US. Basing the CPCSC on these NIST standards will keep Canadian requirements closely aligned with US requirements. This is good news as the two countries and their businesses continue to pursue mutually advantageous relationships.
  • The CPCSC will dictate specific cybersecurity controls required for companies that wish to engage in federal contracting with the Government of Canada.
  • The CPCSC will provide structure and standards for the secure handling of Controlled Unclassified Information by non-governmental organizations.
  • The CPCSC will establish a risk assessment process to allow contracted projects to move forward with the appropriate balance of maximum security and maximum efficiency.
  • The CPCSC will establish contractual clauses that will be required in all defense-related RFPs.
  • The CPCSC will establish accreditation processes for third-party assessors who will audit organizations to determine their level of compliance with the standard.

CPCSC certification levels

The CPCSC won’t require all organizations to meet the same certification levels. Rather, the standard will allow for the fact that different contractors handle information with different levels of sensitivity. There will be 3 levels of certification.

  • Level 1: Requires an annual cybersecurity self-assessment, which the organization can conduct internally.
  • Level 2: Requires a cybersecurity assessment conducted by an accredited certification body—basically a cybersecurity audit. 
  • Level 3: Requires a cybersecurity assessment conducted directly by the Department of National Defence rather than by a third-party assessor.

How can you prepare now?

While the CPCSC hasn’t been finalized, that doesn’t mean you have to wait to start preparing. Forward-thinking companies can begin evaluating themselves today.

The key is to look at NIST 800-171 and 800-172. These two US standards will form the basis for the CPCSC, which means they can help organizations develop an early picture of how they may stand in relation to the CPCSC.

What does this look like specifically?

An expert cybersecurity partner can help you conduct a compliance audit for NIST 800-171 and/or 800-172. This process will provide specific findings that need to be addressed to align with NIST standards. While it’s not the same thing as a CPCSC assessment, it’s a great way to uncover any of the larger initiatives that may be required to comply with the CPCSC—plus you can increase your security today, before the CPCSC is finalized.

Here at Corsica Technologies, we’re ready to help you take those preliminary steps. Get in touch with us today to chart your path forward.

Want to start your journey toward CPCSC compliance?

Reach out to schedule a consultation with our cybersecurity specialists.

10 Cybersecurity Trends Emerging In 2024
https://corsicatech.com/blog/cybersecurity-trends/
Published Tue, 12 Mar 2024 14:20:00 +0000

When it comes to cybersecurity, things are never static.

So far, 2024 is consistent with this theme. We’re seeing a mix of familiar trends intensifying alongside startling new developments. From the cybersecurity skills crunch to AI-powered attacks, 2024 is shaping up to be a wild ride.

So which cybersecurity trends matter most?

How can your organization stay on top of them—particularly if you’re not working with a managed cybersecurity services provider?

Here’s everything we’re seeing so far.  

1. It’s almost impossible to hire (and retain) cybersecurity professionals

There’s a significant shortage of skilled professionals working in cybersecurity. The demand for these professionals is simply growing faster than the pool of available talent. As Thomson Reuters explains, 92% of cybersecurity professionals report a gap in skills at their organization—while 54% claim that the gap has gotten worse in the last few years.

Just how fast is this demand growing?

The U.S. Bureau of Labor Statistics projects job growth of 32% for cybersecurity professionals between 2022 and 2032. For reference, that’s roughly ten times the average growth rate for all jobs, which is 3%.

How fast are salaries growing?

That’s hard to boil down to a single number. However, check out this Reddit thread in which cybersecurity professionals discuss the raises they’ve been offered—and the new jobs they’ve taken instead. While the evidence here is anecdotal, the stories provide a feel for the state of the cybersecurity job market. Nothing sums it up better than this statement from one of the commenters:

“I got a 100% raise in 2021. I quit my job and changed companies.

That’s the best way to keep up with inflation. Jump companies every few years. I’m not happy about it, but it’s the harsh reality.”

This situation makes it increasingly difficult to hire and retain cybersecurity professionals in-house. Organizations have two options for dealing with this challenge.

  • Investing in training their existing IT staff to deal with cybersecurity on a professional level. This may offer a short-term fix, but it can also backfire. Skilled cybersecurity professionals are in high demand, whatever route they take to get there. An IT professional who gains significant cybersecurity experience can likely find a higher-paying job elsewhere.
  • Outsourcing cybersecurity services. For many organizations, it simply makes more sense to partner with an MSSP (managed security services provider), or a combined MSP/MSSP who handles both IT and cybersecurity. This provides guaranteed attention from cybersecurity professionals without the challenge of frequent churn among staff hires.   

If we had to pick one trend that’s dominating 2024, this is it. Cybersecurity professionals are just too hard to find when you hire in-house—and you need them more than ever.


2. Generative AI is taking center stage… both for good and evil

No doubt about it, AI is here to stay.

The technology is getting more sophisticated all the time. Unfortunately, this gives cybercriminals all kinds of new ways to mount attacks enabled by AI.

What kind of attacks are we talking about?

So far in 2024, we’re seeing:

  • AI-driven phishing attacks. Generative AI gives cybercriminals the ability to send highly convincing phishing messages (more on that below).
  • Deepfake social engineering attacks in which cybercriminals use AI to impersonate a real human being, manipulating the victim into taking action. This can take many forms, including AI voice impersonation, video impersonation, and more.
  • Automated malware that intelligently adapts to evade detection. We haven’t seen this level of sophistication in malware before. It’s a significant development that’s pushing AI advancement in cybersecurity defenses (more on that in a moment).
  • AI-powered password attacks. AI allows cybercriminals to process vast amounts of data. This means they can guess billions of passwords—until they find the one that works.
  • AI-powered vulnerability scanning. Just as AI gives cybersecurity professionals an edge in detecting vulnerabilities, it can help criminals find the same vulnerabilities.

This list only scrapes the surface. Almost any type of cyberattack can be executed with AI, whether in whole or in part.

That’s the bad news. Now the good news!

AI gives cybersecurity professionals an incredible advantage in fighting cyberattacks. Specialized AI solutions can detect, evade, and neutralize threats through processes like real-time anomaly detection, smart authentication, and automated incident response.

In other words, AI is becoming central to modern cybersecurity. If this is a game of chess, then AI is the queen, offering powerful strategic advantages to the parties who use it best.

Add this challenge to the staffing challenge, and it’s even harder for midmarket organizations to handle cybersecurity in-house. The good news is that the best MSSPs stay on top of AI developments in cybersecurity, using the most advanced tools to fight emerging threats. As 2024 progresses, we expect this trend will only become more prominent.

3. Phishing attacks are getting more sophisticated

This trend is related to the previous one. Generative AI tools like ChatGPT make it far too easy for hackers to write better messages for phishing and smishing (i.e. phishing via SMS message).

Before the arrival of generative AI, we could train employees to look for misspelled words and obvious grammatical errors as the first way to detect a dangerous message.

ChatGPT and similar tools have changed that forever.

Now cybercriminals can send messages in clear, error-free English—even if they don’t speak or write the language themselves.

But clear communication isn’t the only advantage that phishers are getting from AI.

The most effective forms of phishing are highly personalized, targeting individuals with details drawn from their lives. Personalized messages take more time and energy to create and send. AI acts as a force multiplier in personalized phishing, allowing hackers to produce and send more personalized attacks than they ever could without it.

How can organizations deal with this trend?

Companies should focus on cybersecurity awareness training across the entire organization. Human users are the weakest link in any cybersecurity program, and phishing targets this weakness. Awareness is the answer—but it’s not enough to train people once and move on. Phishing attacks are always evolving, and smart organizations are implementing programs that provide continuous training at regular intervals. This is the only way to stay ahead of phishers—particularly now that they have AI at their disposal.


4. Cybersecurity is getting the attention of the CFO… and the board

Gartner believes that by 2026, “70% of boards will include one member with cybersecurity experience.”

If this is a startling stat, consider how we got here.

In other words, cybersecurity has a direct impact on profit and loss—and that impact is becoming more widespread in the market.

In fact, smart companies are treating cybersecurity breaches like loss prevention in retail. Statistics indicate you should assume a certain amount of shrinkage in retail, and that needs to be modeled financially (and accounted for in the budget).

Cybersecurity is no different. CFOs and boards are now starting from the assumption that a breach will happen.

When they do this, they find themselves needing to calculate the ROI (or ROSI, return on security investment) of cybersecurity controls.

When they go to calculate cybersecurity ROSI, they find that estimated loss avoided far outweighs the cost of the controls when those controls are sourced from an MSSP (managed security service provider). Learn more here: FREE Cybersecurity ROSI Calculator.

At a high level, the takeaway is clear. Cybersecurity is now a board-level concern. We expect this trend to only intensify throughout 2024.  

5. IoT cyber attacks are getting more sophisticated

The internet of things (IoT) provides an ever-growing opportunity for cybercriminals. With more and more smart devices, vehicles, building systems, machines, and similar objects connected to the internet, IoT represents a significant cybersecurity concern for companies with inadequate controls.

As with every other type of attack, IoT attacks come in numerous forms.

  • Malware attacks. IoT devices typically lack the sophisticated security controls of more complex computers. They simply don’t have the storage or processing power needed for such controls. This makes them great targets for malware attacks. This is typically seen in the installation of malware on multiple IoT devices, creating a botnet that attackers can use for things like DDoS attacks (which, by the way, can also happen to IoT devices).
  • DDoS (distributed denial of service) attacks. If an IoT device gets overwhelmed with network traffic, it can’t function. DDoS gives hackers an easy way to take down a critical device and hold it for ransom or disrupt operations for a strategic purpose.
  • Ransomware attacks. DDoS isn’t the only way hackers can hold an essential device for ransom. With their limited security controls, IoT devices are particularly vulnerable to this type of attack.
  • Zero-day attacks. As with any other type of software, the systems that run on IoT devices may contain unknown vulnerabilities. If a hacker discovers a vulnerability before the device vendor does, they can exploit that vulnerability in a zero-day attack.
  • Firmware attacks. Firmware controls a device’s hardware, which makes firmware attacks especially dangerous. Hackers can modify firmware to make a device behave outside the scope of the original design—or simply render the device inoperative.

As IoT devices become more and more common, organizations are realizing that they must manage these devices from a cybersecurity perspective. Given the scarcity of professional resources in cybersecurity, that’s getting harder—even as the IoT attack surface grows larger and larger.

Unfortunately, many organizations aren’t prepared for this emerging trend. We expect it to become a more significant issue this year.

6. The conversation is shifting to cyber resilience

As cybersecurity gains greater visibility across the organization, stakeholders are realizing that it’s impossible to create 100% bulletproof security.

The attack surface is so complex—and evolving so fast—that no single system can give you 100% visibility into your cybersecurity status. Likewise, no single tool can prevent attacks.

As we said above, leaders are starting to view cyber breaches like loss prevention. Likewise, the conversation is shifting away from 100% bulletproof security. Rather, leaders are realizing that cyber resilience is far more valuable to pursue—and realistic to achieve.

So what does this mean?

Cyber resilience measures are designed to ensure continuity of operations, even in the wake of a successful breach. The goal is to develop the ability to recover fast, minimizing data loss and downtime in an agile manner.

The focus on cyber resilience is a key trend for 2024. We’re seeing organizations waking up to their need for processes, policies, tools, and professional resources to make them resilient.

7. Less-than-Zero Trust

The Zero Trust framework is fundamental to a modern view of cybersecurity. In its essence, it states that there is no perimeter within which you can assume network activity is safe.

Rather, you should assume every device and every user is unsafe until their identity has been verified.

While Zero Trust is nothing new in 2024, it is evolving. Several factors are pushing Zero Trust beyond the bounds of the corporate network.

  • Remote work. Whether employees use corporate devices or their own, remote work adds new complexity and risk to Zero Trust initiatives.
  • Partnered organizations. The increasing complexity of business relationships, coupled with collaboration and data sharing needs, makes it more difficult than ever to define where the corporate network and datasphere end. This makes Zero Trust more difficult to implement.
  • IoT devices. As we covered above, IoT devices come with unique cybersecurity vulnerabilities. A comprehensive approach to Zero Trust must account for these devices.

For all these factors, midmarket organizations sometimes struggle to implement Zero Trust. This is one of many reasons they turn to an MSSP.


8. Cyber warfare and state-sponsored cyberattacks

Russia’s war against Ukraine has exposed the extent to which states are willing and able to deploy cyberattacks against infrastructure targets, whether military or civilian. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) puts it this way:

“Russian state-sponsored cyber actors have demonstrated capabilities to compromise IT networks; develop mechanisms to maintain long-term, persistent access to IT networks; exfiltrate sensitive data from IT and operational technology (OT) networks; and disrupt critical industrial control systems (ICS)/OT functions by deploying destructive malware.”

Unfortunately, no organization is immune to state-sponsored attacks—and Russia isn’t the only country from which these attacks originate. According to ClearanceJobs, the top 5 nations conducting the most cyberattacks are China, North Korea, Iran, Russia, and—believe it or not—the United States.

While US-based organizations don’t need to worry about US military cyber operations, any American organization can become the target of a state-sponsored attack.

What do these attacks look like? Here are the ones we see the most.

  • Phishing attacks designed to gain access to systems for the purpose of disruption and espionage (both political and economic).
  • DDoS attacks intended to disable communications, public utilities, transportation, and security infrastructure.
  • Attacks on election infrastructure and democratic processes, as countries such as the US, UK, and India will all hold major elections in 2024.

State-sponsored attacks are varied and constantly evolving. All in all, we expect these attacks to remain a significant cybersecurity trend in 2024 as geopolitical tensions continue.

9. Soft skills are becoming increasingly essential for cybersecurity professionals

Cybersecurity has never been an exclusively technical discipline. The need for interpersonal skills, relationship-building, and cultural sensitivity is nothing new. 

However, as cybersecurity gains a higher profile in organizations of all sizes—and as C-suites and boards make it a strategic priority—the execution of cybersecurity is getting more and more complex.

It’s one thing to turn on MFA (multi-factor authentication) for all company email accounts.

It’s another thing to prepare the organization for this transition—and to make sure every email user understands their role in cybersecurity.

Email is only one example. Whenever an organization implements new cybersecurity controls, real people experience an impact in their work. The most skilled cybersecurity professionals seek to understand this impact in the planning phase of an implementation. They also include processes and communication touchpoints for bringing all stakeholders on board and equipping them for success.

In other words, the need for soft skills is emerging as a key trend in 2024.


10. Increasing prominence of cybersecurity regulation

With the general rise in cyberattacks, particularly those sponsored by world governments, calls for cybersecurity regulation are gaining increased attention.

In the UK, businesses have until April 2024 to comply with the Product Security and Telecommunications Act, which sets out the minimum security requirements that networked products must adhere to.

Of course, the US still does not have a single, comprehensive federal law covering cybersecurity and data privacy. However, every organization must still understand the applicable state-level cybersecurity laws that may apply to their operations—as well as industry-specific regulation like HIPAA. All in all, the cybersecurity regulation landscape is getting more complex. It remains a strong factor that influences all cybersecurity trends in 2024.

Every midmarket organization needs to stay on top of evolving cybersecurity trends. But that’s where the challenge arises. IT teams are already strapped—yet the burden of cybersecurity is only increasing.

Companies that struggle with cybersecurity are increasingly turning to MSSPs to get the comprehensive protection they need. The key, though, is to find an MSSP who not only notifies you of incidents but also remediates them. Here at Corsica Technologies, we cover cybersecurity and IT managed services from top to bottom. You get a single team handling all things cyber, IT, and digital transformation—which means security is baked right into every system and technology initiative at your organization. It’s the best way to keep your business secure.

Reach out to schedule a consultation with our cybersecurity specialists.

4 Times Managed Detection And Response Saved The Day https://corsicatech.com/blog/managed-detection-and-response-mdr/ https://corsicatech.com/blog/managed-detection-and-response-mdr/#respond Wed, 17 Jan 2024 19:02:28 +0000 https://corsicatech.com/?p=8676

The post 4 Times Managed Detection And Response Saved The Day appeared first on Corsica Technologies.

Last updated August 27, 2025.

You can’t respond to a cyber attack if you can’t even detect it.

That’s the reason for MDR (managed detection and response). This service is an essential component in cyber security managed services.

But what is MDR? Who provides these services, and what do they look like in real life?

Here’s everything you need to know.

Key takeaways:

  • MDR services use sophisticated technology and expert human attention to detect and contain threats.
  • The best MSSPs (managed security service providers) don’t just alert clients to threats; they actually stop them too.
  • MDR protects against password attacks, malware, vulnerabilities, and many other types of threats.

What is MDR (managed detection and response)?

MDR stands for “managed detection and response.” It’s a combination of two things:

  • Endpoint detection software that spots malicious activity on endpoints (devices connected to a network).
  • Managed services, including incident triage, containment, remediation, and recommendations to improve security posture, provided by cybersecurity experts (either a services team offered by a software vendor, or an MSSP team—see below).

Here at Corsica Technologies, we use CrowdStrike Falcon® Complete MDR for all our clients. It’s the leading MDR software on the market, and our team swears by it.

Along with a managed SIEM solution, MDR forms the bedrock of a strong cybersecurity practice. It’s essential to protect your data, systems, and users in today’s fast-changing threat environment.

Do MSSPs (managed security service providers) offer MDR services?

That depends on the MSSP.

Some MSSPs provide nothing but alerts to the client. Their model covers the “detection” portion of MDR, but it doesn’t cover the “response” portion. Rather, it leaves all remediation to the client or another third-party provider.

In contrast, a full-service MSSP becomes part of your team. Here at Corsica Technologies, our analysts gain familiarity with your network and develop a strong sense of what’s suspicious and what isn’t. We can even tell when something that looks suspicious is a false positive. This discernment allows us to concentrate on true threats.

A full-service MSSP will also conduct threat hunting in your environment, looking for unusual activity and/or processes that may indicate a threat that has yet to be detected by our security software. CrowdStrike Falcon plays a significant role in this endeavor—and the software also comes with CrowdStrike’s own analysts watching things behind the scenes. Essentially, you get two levels of expert human attention monitoring your network.

This is why you should look for a full-service MSSP who includes MDR in their offerings. You want a managed partner who not only detects issues but also responds and remediates them. This is the best way to protect your business and keep your IT team focused on their core responsibilities.

But what does MDR look like in real life?

Glad you asked. Here are 4 scenarios in which MDR has saved the day (or can save it).

1. MDR services protected a local government from a weak VPN password attack

Unfortunately, smaller organizations make great targets for threat actors. These organizations have limited resources to detect and respond to threats—which makes them easier to breach. This is especially true of local governments.

Here at Corsica Technologies, we have numerous clients in the local government space. One of these organizations suffered an attack when threat actors got into their network through a weak VPN password. Once the hackers got in, they easily accessed other machines, moving laterally within the network.

The hackers tried to deploy ransomware, but the client’s CrowdStrike MDR solution (managed by Corsica Technologies) blocked the software. A few non-critical files got encrypted, but they didn’t affect business functionality. Due to the power of CrowdStrike MDR and Corsica’s fast response and remediation, the attack didn’t turn into a major incident. Our analysts were thankful to have a powerful tool like CrowdStrike at their disposal.

Detection and response process for this VPN password attack:

  • CrowdStrike detected the intrusion and created an alert with a status of “critical” (on a scale of low to critical). This automatically created a ticket in our cybersecurity monitoring systems.
  • Our SOC (security operations center) analysts received the alert instantly.
  • Our analysts checked to make sure the alert wasn’t a false positive, then escalated it.
  • Our analysts immediately isolated the affected machine so it could no longer connect to the internet or any other machines. (Note that CrowdStrike allows analysts to retain their contact with the machine while isolating it completely. CrowdStrike really is incredible.)
  • We alerted the client that we had isolated the machine, and that it would remain isolated while we investigated.
  • We inspected the extent of the damage. We found that the attack had encrypted a few non-critical files, but CrowdStrike had shut it down before it could do major damage.
  • We recommended wiping the affected workstation remotely. The client agreed, and we wiped and reimaged the machine for them.
  • We provided specific recommendations for strengthening VPN passwords to prevent similar attacks in the future.

2. MDR services protected a local business employee who accidentally downloaded malware

Not all employees have received cybersecurity awareness training. Even those who’ve had it in the past may not know about the latest threats.

In this case, our client, a local business, nearly got breached through an employee’s internet browsing. The employee unwittingly clicked on a link that executed malicious JavaScript on their machine. While the code didn’t actually install a virus, it covered their screen in popups that said they had a virus. The popups told the employee to contact IT through a specific phone number.

Unfortunately, the employee didn’t realize this wasn’t their actual IT support department. They called the number, followed the instructions, and downloaded a remote desktop control program to their computer. This new software would’ve given the hackers total control of the workstation—but CrowdStrike detected it and blocked the execution of the downloaded file. CrowdStrike really is amazing!

Detection and response process for this malware attack:

  • CrowdStrike detected the malicious software and sent an alert, which created a ticket in our cybersecurity monitoring systems.
  • Our SOC analysts checked for a false positive, then escalated the incident.
  • Our analysts isolated the affected machine and alerted the client.
  • We investigated the extent of the damage. In this case, CrowdStrike had already blocked the remote desktop control software, and we found no evidence of actual damage. After ensuring the malware was deleted, we advised the client that it wasn’t necessary to wipe the device. However, we let them know we wanted to monitor the machine for a few days to be sure.
  • We provided specific recommendations for training employees on safe internet browsing.

3. MDR services can stop attacks on internet-exposed servers (like Microsoft Exchange)

In 2021, attacks exploiting four then-unpatched vulnerabilities in on-premises Microsoft Exchange servers were discovered. Microsoft attributed the attacks to the Hafnium group, which has been associated with Chinese state-sponsored hacking.

This attack was ingenious. The threat actors sent a specially crafted packet to an internet-exposed Exchange server, then uploaded a file to a public Exchange directory. From there, they executed the file, which gave them a backdoor into the Exchange server.

These specific vulnerabilities have been patched, but any type of server exposed to the internet can experience a zero-day (unknown and unpatched) vulnerability.

In fact, the structure of this attack is similar to the MOVEit attacks that happened in 2023. MOVEit is a file transfer solution that allows users to exchange files over the internet. In this case, attackers discovered a vulnerability on MOVEit’s servers and used that vulnerability to steal data from organizations using the service.

In both cases, hackers exploited zero-day vulnerabilities in servers connected to the internet. Once a hacker gains this type of access, it’s easy for them to move laterally through the network and install ransomware.

A managed detection and response solution can spot these attacks in real time, and it empowers analysts to shut them down as they happen. Without MDR services in place, it’s very difficult to detect the exploitation of a zero-day vulnerability, let alone respond, before criminals have fully exploited it.

Detection and response process for attacks on internet-exposed servers:

  • CrowdStrike detects the uploading of malicious files and creates an alert. This automatically creates a ticket in our cybersecurity monitoring systems.
  • Our analysts verify that the alert isn’t a false positive, then escalate it.
  • Our team isolates the affected server so it can no longer connect to the internet or any other machines. We also alert the client.
  • We probe the extent of the damage, looking for signs of data exfiltration. If there are no signs of damage or data exfiltration, we’ll clear the server, then recommend keeping it online in a temporary high-surveillance state rather than wiping it. No one wants to wipe a server!
  • If there are signs of damage, we may have to recommend wiping the server.
  • We’ll provide tailored recommendations to adjust server configurations and patch any vulnerabilities (if patches are available).

4. MDR services can block downloaded attachments from executing malicious code

When it comes to phishing emails, Microsoft 365 and Google are decent at blocking them—though we still recommend Corsica Email Protection to stop 99.9% of all malicious emails.

That said, what happens when a phishing email does slip through—and an employee downloads an attachment?

Malicious files may try to execute a PowerShell command or a script command. From there, things get ugly fast.

The good news is that MDR can detect these executable files. The solution also empowers analysts to respond in real time before the unthinkable happens.

Detection and response process for malicious executable files:

  • CrowdStrike detects the attempted execution of the command and sends an alert. This automatically creates a ticket in our monitoring systems.
  • Our SOC analysts see the alert, check for a false positive, and escalate the incident.
  • Our analysts immediately isolate the affected workstation so it can no longer connect to the internet or any other machines.
  • We alert the client that we’ve isolated the workstation, and that it will stay that way until we’ve finished our investigation.
  • We investigate the extent of the damage. Depending on the results, we may recommend wiping the computer.
  • If the computer doesn’t need to be wiped, we’ll continue to monitor it for any signs of trouble.
  • We’ll provide detailed recommendations to harden workstation security and teach employees how to detect phishing emails.
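As an added illustration (not Corsica’s or CrowdStrike’s code), here is simple detection logic in Python for the behaviour in scenarios 2 and 4 above: a mail or Office process spawning a script host, and a remote-control tool launched from a Downloads folder. The event schema, the process-name lists and the sample events are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple
import ntpath  # Windows path handling that also works on a Linux analysis host


@dataclass
class ProcessEvent:
    """One process-creation record (constructed sample format, not a vendor schema)."""
    ts: str
    host: str
    user: str
    parent_image: str  # full path of the parent process
    image: str         # full path of the newly created process
    cmdline: str


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    rule: str
    severity: str  # low / medium / high / critical, as in the alert scale above
    detail: str


# Illustrative name lists (assumptions for this example, not an authoritative catalogue).
OFFICE_AND_MAIL = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "ultraviewer.exe", "rustdesk.exe"}
ENCODED_COMMAND_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}  # PowerShell accepts prefixes
ISOLATE_AT = {"high", "critical"}  # severities at which we recommend network containment


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def in_downloads(path: str) -> bool:
    """True when any directory component of the path is a Downloads folder."""
    parts = path.replace("/", "\\").lower().split("\\")
    return "downloads" in parts[:-1]


def evaluate(ev: ProcessEvent) -> List[Finding]:
    """Apply both rules to one event and return zero or more findings."""
    findings: List[Finding] = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    tokens = ev.cmdline.lower().split()

    # Scenario 4: a mail or Office process spawning a script host is how a
    # malicious attachment usually runs its first command.
    if parent in OFFICE_AND_MAIL and child in SCRIPT_HOSTS:
        encoded = any(t in ENCODED_COMMAND_FLAGS for t in tokens)
        findings.append(Finding(
            ev.ts, ev.host, ev.user, "script-host-from-document",
            "critical" if encoded else "high",
            f"{parent} spawned {child}" + (" with an encoded command" if encoded else ""),
        ))

    # Scenario 2: a remote-control tool launched straight from the user's
    # Downloads folder, as in the fake IT-support call.
    if child in REMOTE_ACCESS_TOOLS and in_downloads(ev.image):
        findings.append(Finding(
            ev.ts, ev.host, ev.user, "remote-access-tool-from-downloads", "high",
            f"{child} executed from {ev.image}",
        ))
    return findings


def triage(events: List[ProcessEvent]) -> Tuple[List[Finding], Set[str]]:
    """Run the rules over a batch and list hosts that meet the isolation threshold."""
    findings = [f for ev in events for f in evaluate(ev)]
    to_isolate = {f.host for f in findings if f.severity in ISOLATE_AT}
    return findings, to_isolate


# Constructed sample telemetry: a benign browser launch, an attachment running
# PowerShell, a remote-access tool run from Downloads, and a benign service.
SAMPLE_EVENTS = [
    ProcessEvent("2024-01-17T09:00:01Z", "WS01", "jdoe",
                 r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "chrome.exe --profile-directory=Default"),
    ProcessEvent("2024-01-17T09:05:12Z", "WS01", "jdoe",
                 r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc <base64-omitted>"),
    ProcessEvent("2024-01-17T09:20:44Z", "WS02", "asmith",
                 r"C:\Windows\explorer.exe",
                 r"C:\Users\asmith\Downloads\AnyDesk.exe",
                 "AnyDesk.exe"),
    ProcessEvent("2024-01-17T09:21:00Z", "WS03", "SYSTEM",
                 r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\svchost.exe",
                 "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    found, isolate = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.severity:8}] {f.ts} {f.host}/{f.user} {f.rule}: {f.detail}")
    print("recommend isolating:", sorted(isolate))
```

The rules deliberately look at parent/child relationships and launch location rather than file hashes, which is what lets them catch a previously unseen file.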

What to look for in a managed detection and response provider

As we mentioned above, not all MSSPs do a great job with managed detection and response services. Some only provide alerting—without remediation.

You can get MDR services from software vendors, i.e., the companies that build and maintain MDR software. But these companies may not offer comprehensive cybersecurity services, only those related to MDR.

It’s best to choose a single partner who handles all things cybersecurity (including a comprehensive approach to MDR).

Here’s everything your MSSP/MDR provider should offer.

  • Compliance gap assessments. What’s your standing with applicable cybersecurity law? The right partner can take you through the compliance gap assessment process, which includes detailed recommendations to get your organization on track.
  • Cybersecurity risk assessments. While risk assessments are similar to gap assessments, they’re different as well. A risk assessment gives you a well-defined framework and a concrete process for analyzing risk against thresholds of acceptability.
  • Managed security services. Here’s where managed detection and response comes into play—but it’s not the only piece of the puzzle. You’ll also need a SIEM solution and a team watching it for trouble. It’s also a good idea to add dark web monitoring, security awareness training, protection for email and browsers, and more.
  • Managed services for network and server security. Firewalls, switches, wireless access points, servers, and other network gear all require cybersecurity controls. Ideally, you want one team managing the cybersecurity side as well as the network support side.
  • End user security services. If you don’t have centralized workstation management today, you need it! This provides greater workstation security and reduces the cost of repairs and reimaging.
  • Expert cybersecurity consulting. Look for a partner who offers consulting from a vCIO (virtual CIO) and/or vCISO. The best MSSPs give you a vCIO/vCISO who functions like a member of your executive team. These experts can help with security policy development as well as defining and maintaining your 3-year technology roadmap.
  • User-friendly client portal. Look for a partner who practices full transparency with you. They should offer a self-service portal where you can see everything related to cybersecurity and IT—in real time.

Hint: Here at Corsica Technologies, we provide all this and more. MDR is only one piece of the puzzle, and we believe organizations do best when they get all the cybersecurity services they need from a single partner.

Want to learn more about MDR?

Reach out to schedule a consultation with our security specialists.

3 Essential CJIS Certifications for a Third-Party Vendor https://corsicatech.com/blog/3-essential-cjis-certifications-for-a-third-party-vendor/ https://corsicatech.com/blog/3-essential-cjis-certifications-for-a-third-party-vendor/#respond Tue, 09 Jan 2024 15:30:00 +0000 https://corsicatech.com/?p=77 Time, resources, and budget approval are just a few concerns we hear from agencies seeking to prepare for the next CJIS audit.

The post 3 Essential CJIS Certifications for a Third-Party Vendor appeared first on Corsica Technologies.


3 Essential CJIS Certifications for a Third-Party Vendor

Originally published Sept 22, 2017. Last updated February 16, 2026.

Aligning your organization’s practices with CJIS standards presents continual challenges. Time, resources, and budget approval are just a few difficulties you may encounter as you prepare for your next CJIS audit.

How do you prepare for your CJIS audit? 

How do you find a qualified vendor to help?

We’ve got all the answers in this post.

Here are the 3 essential qualifications of a CJIS vendor:

  • Auditors know CJIS policy intimately
  • Employees meet requirements in Section 5.12.1
  • Solutions are FICAM- or FedRAMP-certified

Let’s unpack these in detail.

3 Essential Qualifications for CJIS Certification

To be qualified to handle Criminal Justice Information (CJI), vendors must maintain compliance with the 13 policy areas of the FBI’s CJIS Security Policy.

If your prospective IT and/or cyber security partner has communicated that they are CJIS Compliant, here are the 3 essential qualifications to look for. (You should be able to verify these quickly, but we’ve also provided a shortcut at the end of this article to help you speed up the process.)

1. Their Auditors Have an Intimate Knowledge of CJIS Policy

This is an obvious one, but it’s the most difficult to verify. The fact that third-party auditors do not need access to CJI (and therefore do not require fingerprint-based background checks) adds further confusion.

Though auditing staff ideally do have a background check in place, the essential qualification for this role is a deep understanding of CJIS Policy—they must know how a federal auditor would assess your security landscape and be able to replicate that process to uncover any gaps that may be exposed during the “real” audit.

Because there is no test or certification that verifies CJIS knowledge, look instead for related credentials: CISSP, CISA, CISM, and GSNA. These are IA baseline certifications under DoD 8570 (U.S. Department of Defense 8570.01-M, Information Assurance Workforce Improvement Program), as also noted by ISACA.

2. Their Employees Have Met the Requirements Set Forth in Section 5.12.1

After a third-party audit or assessment, you may identify areas of weakness, such as employee security training or data encryption, that you wish to partner with an outside team to solve.

The minimum screening requirement for any individuals with access to CJI is a fingerprint-based background check performed at the state level. Each employee of the vendor with access to CJI at any touch point must have documentation of a passed background check.

Vendor employees from out of your state must undergo the background check for the state in which you are located.

3. Their Solutions Have Undergone the FICAM or FedRAMP Certification Process

The Federal Risk and Authorization Management Program (FedRAMP) sets the government’s standards for security assessment, authorization, and continuous monitoring of cloud services. Any SaaS solution the vendor uses to handle your data should be FedRAMP Ready.

Why engage an outside vendor in your CJIS audit preparations?

Budgets are tight in today’s economic environment. It’s rare that an organization has the internal resources it needs to cover all preparations for a CJIS audit.

A third-party vendor brings in the firepower you need to get this done. Specifically, a vendor can help:

  • Assess your current security stance against CJIS standards
  • Formulate an airtight game plan for closing gaps
  • Supplement your processes with services provided by CJIS-compliant vendors

Is there such a thing as Federal CJIS Certification?

Unfortunately, no.

Just as there is no CJIS certification for criminal justice organizations (you either pass or fail the triennial audit, held every three years), there is no federal CJIS certification for vendors.

Stephen Exley, information security analyst within the CJIS Information Security Officer Program, says, “Please be aware there is no CJIS certification process with regard to the CJIS Security Policy. The only certifications related to CJIS…are in regard to facial recognition and fingerprint capture standards…We do not certify, nor endorse any product, solution, or vendor.”

It’s a red flag when any vendor claims to be “CJIS Certified”—unless the state in which you reside uses the term “certified” to recognize vetted vendors.


That said, finding a CJIS vendor doesn’t have to be hard.

The quickest way to find a qualified vendor: Ask the FBI!

Many states have established a list of approved and verified vendors to help you pass your federal CJIS compliance audits. The easiest way to engage a qualified vendor is to request a list from your state’s branch of the FBI. This can greatly shorten the process of identifying an affordable, reliable vendor.

Here at Corsica Technologies, we’ve helped numerous organizations achieve CJIS compliance. 

Contact us today to get started. 

10 Keys To Cybersecurity For Local Government https://corsicatech.com/blog/cybersecurity-for-local-government/ https://corsicatech.com/blog/cybersecurity-for-local-government/#respond Tue, 19 Dec 2023 15:20:00 +0000 https://corsicatech.com/?p=8485

The post 10 Keys To Cybersecurity For Local Government appeared first on Corsica Technologies.

Last updated January 26, 2026.

Local governments are in the crosshairs.

As larger organizations harden their cybersecurity defenses, criminals are turning to softer targets. Recent incidents like the hacking of Hendersonville, NC, or the cyberattack on the Kansas state court system only reinforce a trend that’s been growing for years.

Unfortunately, local governments are often ripe for the picking. With limited resources and aging technology infrastructure, they’re perfect targets for threat actors—both domestic and foreign.

How can you protect your systems, data, employees, and citizens?

While there’s no magic bullet for cybersecurity management, local governments can take steps to improve their security posture today. Here are 10 keys to doing so.

1. Don’t expect a hardworking IT department to handle cybersecurity

If you work in local government, you know how challenging it can be for IT to support the organization. There’s always another laptop dying, a network issue, or a problem with Active Directory. With capabilities limited by budget, IT has to make tough decisions every day when deciding what to work on.

An IT team that’s already in overdrive doesn’t have the bandwidth to handle cybersecurity. It takes multiple experts in specific cybersecurity disciplines to implement and maintain the necessary controls. These professionals command high salaries, which makes it challenging for local governments to hire and retain them. In fact, affordable access to experts is one of the biggest reasons that governments typically hire a partner for cyber security managed services.

2. Conduct a compliance gap assessment every year (at least)

Are there cybersecurity regulations that apply to you as a local government entity? If so, you should conduct a gap assessment at least once a year.

Regulations or frameworks that may apply include:

  • NIST Cybersecurity Framework—This is a standard developed by the US National Institute of Standards and Technology to empower organizations to assess and address their cybersecurity risks.
  • CMMC (Cybersecurity Maturity Model Certification)—This cybersecurity certification was developed by the Department of Defense for its upstream contractors. It’s a useful standard for any government organization.
  • PCI-DSS (Payment Card Industry Data Security Standard)—This certification provides a stamp of approval for organizations that handle credit card data. Corsica can assist with PCI-DSS compliance services.
  • CJIS (Criminal Justice Information Services)—This compliance standard applies to organizations that handle criminal justice data.
  • State-level cybersecurity regulation—Your state may have cybersecurity regulation that applies at the local government level. See this list of recent state-level cybersecurity laws to get started.

Even if your organization isn’t legally required to comply with regulation, standards like the NIST Cybersecurity Framework can provide the structure and guidance you need to achieve a stronger security posture. At the very least, every organization should consider doing a NIST gap assessment once a year. A cybersecurity managed services provider (like Corsica Technologies) can assist with this process.  

3. Conduct a cybersecurity risk assessment every year (at least)

This sounds a lot like a gap assessment, but it’s actually quite different.

A gap assessment reveals gaps in compliance with a given standard. This can make it seem like a local government must completely close all gaps—which may be impossible due to 1) cost, or 2) the operational friction that would result.

A risk assessment isn’t about closing all gaps, but rather mitigating risk sufficiently. The risk assessment process offers a methodology for assessing risks—plus quantifying them and defining acceptable risk levels.

Ideally, you’ll want to perform compliance gap assessments and risk assessments side by side. This way, they can work together to strengthen your security posture.

4. Train your employees every 6 months

Say one of your employees gets an “urgent email” from a county commissioner with a well-known name. The message has an alarming subject line, and it asks your employee to contact the commissioner immediately at a certain phone number.

Is this a legitimate email, or some type of phishing scam?

Without proper training, your employees won’t be able to tell. Depending on the type of attack, replying to the email, clicking a link, downloading an attachment, or calling the phone number may be enough to compromise your security.

Your employees need cybersecurity training. Ideally, local governments should repeat this training every 6 months.

Why?

Because trends in cybercrime really do evolve that fast. Yesterday’s attack strategy quickly becomes outdated as more and more people learn how to spot it. You have to stay one step ahead of cybercriminals by conducting regular cybersecurity awareness training.

5. Level up your email security

Do you have MFA (multi-factor authentication) enforced on all email accounts?

MFA requires an email user to verify their identity two ways (or more) before gaining access to their account. For example, a user may have to enter their password, then input a code in an authenticator app on their mobile device to finish authenticating.

MFA is a huge improvement over password-only access. If your email configuration doesn’t require strong passwords, you may have a few employees using “password” or other insecure phrases to log in. The sooner you implement MFA + strong passwords, the better.

6. Start moving toward Zero Trust

The idea behind Zero Trust is simple. You should never trust a user or device by default. Rather, you should require every user and every device to authenticate separately to any system they try to access.

Likewise, you should limit user and device permissions using the principle of least privilege—i.e. granting only those permissions that are necessary for the person in question to do their job.

The Zero Trust Maturity Model was developed by the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA). The agency’s whitepaper helps Federal Civilian Executive Branch agencies implement Zero Trust architecture—but Zero Trust is useful for organizations at all levels of government. Learn more here: Zero Trust for Smaller Organizations.

7. Get a SIEM solution

Do you have a single application that shows you everything related to cybersecurity—in real time?

That’s the thinking behind SIEM (security information and event management) software. This type of application pulls together data from a wide range of sources to show you all things cybersecurity in a single interface.

SIEM is essential for local governments—yet your IT team probably has enough on their plates already. They may not be able to monitor your SIEM or respond to incidents. That’s why local governments typically hire a managed SIEM provider.

8. Get an MDR solution

Can you detect intrusions on your network via specific endpoints (connected physical devices)?

If not, you need a solution for EDR (endpoint detection and response) or XDR (extended detection and response).

For local governments, there’s only one problem. Monitoring this type of software and responding to incidents takes up too much bandwidth—and IT already has their hands full.

This is where MDR (managed detection and response) comes into play. You get a team of cybersecurity experts who implement and monitor your detection and response software. (Hint: Your provider should also be able to remediate any incidents they detect, which is what we do here at Corsica Technologies.)

9. Integrate cybersecurity and IT operations

Chances are, you already have an MSP (managed service provider) who either handles all your IT needs or works alongside your IT staff.

This is great, as it covers your IT needs, but there’s one problem. Legacy IT operations (and legacy MSPs) may not take an integrated approach to cybersecurity. In particular, legacy MSPs are notorious for outsourcing cybersecurity to a third party.

Under this arrangement, the cybersecurity subcontractor notifies your MSP of cyber incidents—but they can’t do anything to remediate the situation.

And since that MSP doesn’t have domain expertise in cybersecurity, they can’t properly integrate cybersecurity into every aspect of your IT systems and operations.

It’s better to choose a combined MSP/MSSP (managed security services provider). This way, you get a single partner who weaves cybersecurity into all things IT. When things go bump in the night, you have one partner who not only designed, implemented, and supports the system—but also knows the relevant cybersecurity controls from top to bottom.

For local governments, integrated IT and cybersecurity is a no-brainer.

10. Choose your combined MSP/MSSP carefully

Corsica Technologies isn’t the only combined MSP/MSSP in the world. However, you’ll want to choose your partner carefully, as combined MSP/MSSPs aren’t created equal. Here’s what you should look for.

  • A provider who not only notifies you of incidents but remediates them.
  • A provider who’s familiar with any applicable regulation.
  • A provider who’s worked with other local governments.
  • A provider with a great reputation and excellent reviews.
  • A provider who can fill gaps in your IT staff without taking over.
  • A provider who offers vCIO consulting, including a 3-year technology roadmap.
  • A provider who offers a Service Guarantee covering any financial losses from cybersecurity incidents.

Keep these criteria in mind as you evaluate providers. They’ll help you find the very best MSP/MSSP for your local government needs.


Reach out to schedule a consultation with our security specialists.

The post 10 Keys To Cybersecurity For Local Government appeared first on Corsica Technologies.

How Network Penetration Testing Can Boost Your Cybersecurity
https://corsicatech.com/blog/how-network-penetration-testing-can-boost-your-cybersecurity/
Tue, 12 Dec 2023 15:15:00 +0000

Penetration testing is a simulated cyber attack against your computer system to check for vulnerabilities. It is used as a risk gauge.

The post How Network Penetration Testing Can Boost Your Cybersecurity appeared first on Corsica Technologies.


First published July 21, 2020. Updated and expanded Dec 12, 2023.

Are you easy to hack?

How would you know until it’s too late?

That’s the thinking behind penetration testing services, which put your network up against the tactics of real hackers in the real world. It’s a critical component of cybersecurity.

But what goes into penetration testing? Can you test your own network by yourself? What should you look for in a penetration testing service?

Here’s everything you need to know.

What is network penetration testing?

Penetration testing is a cybersecurity exercise in which authorized agents, also known as ethical hackers, are given permission to attempt to penetrate your defenses. The ethical hackers use any known vulnerabilities, but they also scan the network for unknown vulnerabilities. Once the hacking exercise begins, they try to exploit any and all vulnerabilities.

Theoretically, you could conduct penetration testing with internal resources. But if your IT and cybersecurity staff are the ones who set up your defenses, they may not be the right people to do this exercise. No one wants to prove that the systems they’ve designed, implemented, and maintained are vulnerable.

This is why it’s best to hire a third-party service to conduct network penetration testing. An outside partner will approach your network impartially. They have no skin in the game other than providing accurate test results.

Why conduct penetration testing?

Network penetration testing helps determine your organization’s cybersecurity risk profile. It indicates whether your current network security controls are working effectively, or if they need to be improved.

Network penetration testing also goes farther than other cybersecurity exercises. It provides real-world outcomes from real-world exploits conducted by ethical hackers. There’s just no other way to get this type of information.

How is this different from vulnerability scanning?

While penetration testing sounds a lot like vulnerability scanning, the two processes are actually quite different.

The main distinction is that a penetration tester will attempt to utilize multiple system weaknesses to customize an attack chain that allows them to access the underlying system.

In contrast, most vulnerability scanning tools only identify the vulnerability. They can’t chain together all the weaknesses to identify potential exploitation vectors, i.e. potential paths that a hacker could take to breach a system. This is where a network penetration test provides enhanced threat analysis and targeted recommendations based on real-world scenarios.

What’s included in a network penetration test?

Vulnerability scanning is one component of a proper penetration test. Research has shown that a first-time penetration test will find an average of 34 high-impact vulnerabilities. An ethical hacker can show you how these vulnerabilities can be exploited. This is essential to save your business from the financial and reputational costs of data breaches and data loss.

When an organization wants to perform a penetration test on their networks, they typically reach out to a trusted cyber security managed services provider (MSSP). While some unspecialized IT companies may offer pen testing, MSSPs like Corsica Technologies are experienced in providing organizations and even government bodies with this type of evaluation.

Penetration testing is a multi-phased approach. It culminates in a written pentest report that contains supporting evidence of the organization’s assigned risk score. The agent will conduct open-source intelligence gathering to establish how the client-provided assets map to the information on the internet. Searches are done for information that could assist in later exploitation attempts, mimicking the activities of a threat actor.

This phase is followed by threat modeling and vulnerability analysis to aid in the exploitation activities. If the agent gains access, they document what level of access they gained and what data they could reach.

Most importantly, they collect the data and information learned during the testing process and present it to you. They also provide an action plan and recommendations to remedy any vulnerabilities or inefficiencies found during the test.

Benefits of penetration testing services

Network penetration testing reveals how effective your cybersecurity really is. Otherwise, you’ll never know whether your security system is actually strong enough until you experience a real cyber attack, when the stakes are much higher.

An effective penetration test can detect possible threats to your security that come from software weaknesses, network inefficiencies, human error, and more. It shows you the real vulnerabilities that cyber criminals could exploit to gain access to your systems. By doing this, it helps your organization better anticipate any security threats and prevent the type of unauthorized access to your network that can devastate your business.

Getting an expert, third-party opinion on the state of your defenses reveals how you could improve your security standing. Most importantly, it helps you recognize measures you may have overlooked.

Additionally, a pen test is especially useful in ensuring that your system is compliant with all the necessary laws to help you avoid non-compliance penalties. While compliance audits remind you of best practices to employ, they can’t test the real-world effectiveness of such practices like a penetration test can.

Overall, network penetration testing gives you peace of mind that you are aware of the potential threats that your systems face. It provides written documentation that you can use to allocate resources and make informed decisions, and it prepares your company to defend against real attacks that hackers could make.

 

Want to learn more about penetration testing?

Reach out to schedule a consultation with our security specialists.


4 Sobering Lessons From The SEC’s Suit Against SolarWinds
https://corsicatech.com/blog/sec-solarwinds-cybersecurity/
Mon, 13 Nov 2023 14:00:00 +0000

The post 4 Sobering Lessons From The SEC’s Suit Against SolarWinds appeared first on Corsica Technologies.


In case you haven’t heard, the SEC is charging SolarWinds with fraud over its response to the devastating Sunburst cyberattack. And it’s a landmark case.

For the first time in history, a government agency isn’t only pointing a finger at a company for alleged criminal conduct regarding cybersecurity. They’re going after an individual too. Timothy Brown, CISO (chief information security officer) at SolarWinds, is named in the suit.

So what does this mean for companies that aren’t publicly traded?

Quite a bit, actually. Here’s everything you need to know.

The basic facts of the SEC’s case against SolarWinds

For 8-9 months in 2020, Russian hackers secretly perpetrated the Sunburst cyberattack against Orion, an IT performance and monitoring system sold by SolarWinds. Over 30,000 organizations were compromised, including US government agencies. The attack was part of a larger effort that also targeted Microsoft and VMware, but the SEC’s suit focuses on SolarWinds’ response to the supply-chain attack on their proprietary software.

On October 30, 2023, the SEC announced charges against SolarWinds and Brown, the company’s CISO, “for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.”

Notably, the suit claims that between 2018 and the December 2020 announcement of the attack, “SolarWinds and Brown defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks.”

In 2018 and 2019, Brown shared in presentations that the “current state of security leaves us in a very vulnerable state for our critical assets.” He also said that “access and privilege to critical systems/data is inappropriate.”

This is truly an unprecedented case in the cybersecurity industry. It’s alarming for many reasons—and it doesn’t only affect publicly traded companies.

Here are 4 lessons from the case that apply to every company doing business today.

1. It’s not enough to raise the alarm

When we look at Timothy Brown’s warnings, we see a CISO doing what many perceived as the right thing. Regardless of what was communicated publicly, and what control Brown had over that communication, he at least raised the alarm internally. Without all the evidence, it’s impossible to say whether he did enough to draw attention to vulnerabilities.

However, the point is clear. You have to do more than raise the alarm.

In fact, your cybersecurity resources need to mitigate threats, not just tell stakeholders about them.

But if your cybersecurity experts are going to mitigate threats, they need buy-in from the entire organization. True mitigation may have wide-ranging implications for network design, end user permissions, internal processes, and much more.

In this case, raising the alarm is only one piece of the puzzle. If you’re going to avoid a devastating attack like Sunburst, cybersecurity must be deeply integrated into your processes, technology, and company culture.

2. There’s no silver bullet for cybersecurity

The SEC’s finger-pointing at Brown has some strange overtones. It’s almost as if the SEC has adopted an old-school front office attitude that looks at cybersecurity and says, “That’s a technology problem. You should’ve bought the right product to protect us. You didn’t, Mr. Technology Guy, and you didn’t tell anybody, so you’re responsible for this.”

This is especially concerning. Cybersecurity is not a product you can buy, but a holistic way of operating. There’s no silver bullet that will plug all your holes and give you a nice green checkmark.

Rather, cybersecurity takes a commitment from the entire organization—not only the C-suite, but every employee who has access to sensitive information and systems.

If the SEC is going after individuals, and not just the corporation, where are the other C-level execs in this suit? We see Brown raising the alarm internally. Whether he ultimately signed off on public communications that contradicted his internal warnings, or whether his warnings were simply ignored, we really don’t know. Doubtless the lawsuit will bring out these details.  

Regardless, the takeaway is clear. There’s no silver bullet for cybersecurity.

3. It’s alarming to see internal resources being held personally liable

Time will tell whether the SEC’s case against Brown has legs. However, the SEC singling out Brown sets a sobering precedent. When an organization collectively neglects its cybersecurity risks, which individual employee will wind up in the crosshairs?

Think about this from the perspective of a cybersecurity professional. If they’re going to face personal liability, what does that negotiation look like as they interview for an internal role? How far will companies have to go to attract top CISOs? We expect D&O (directors and officers) liability insurance will become basic table stakes for any CISO who’s evaluating a new position.

In the final analysis, this precedent could make it even harder to run cybersecurity effectively in-house. Since MSSPs (managed security service providers) take this burden off the organization, we may see even large enterprises turning to an expert partner for cybersecurity.

Also note that you’re not going to get a Service Guarantee from an internal team. However, you can get one from a trusted partner.

Here at Corsica Technologies, we offer a robust Service Guarantee that covers services for containment, eradication, and recovery following a cybersecurity incident—all at no additional cost. We even cover legal liability related to a cybersecurity incident, up to $250k.

It’s hard to beat that with in-house cybersecurity.

4. We need to move the cyber conversation to the front office

Since there’s no silver bullet, and since cybersecurity isn’t merely a technology problem, then a big implication arises.

Cybersecurity isn’t a back-office problem. It’s a front-office problem.

But the front office doesn’t understand cybersecurity, which it views in terms of technology systems. If something is “just a technology problem,” it’s far too easy to drop it on IT’s doorstep—without providing any support across the entire organization.

In reality, cybersecurity is far more than a technology problem. It’s a P&L problem.

IBM says the average cost of a data breach is $4.45M—a figure that has risen 15% in the last 3 years.

Pingdom says the average cost of downtime is $9,000 per minute. The math wizards among us know that’s $6.48M for a 12-hour outage.

Clearly, cybersecurity has massive implications for P&L. It’s time we help the C-suite understand just how devastating a breach can be—and how cost-effective it is to implement controls before something happens.

The takeaway

Cybersecurity risk isn’t going anywhere. Sadly, the SEC case against SolarWinds sets a new legal precedent of holding staff responsible for burdens that the entire organization should bear.

That’s not a great development for in-house cybersecurity.

For organizations that don’t want to deal with the cost, complexity, and ambiguity of running cybersecurity in-house, an MSSP offers a welcome opportunity. Here at Corsica Technologies, we work round the clock to keep our clients secure, informed, and healthy. Reach out today to learn more.

 

Want to learn more about cybersecurity guarantees?

Reach out to schedule a consultation with our security specialists.


Zero Trust For Small Business
https://corsicatech.com/blog/zero-trust-for-small-business/
Tue, 24 Oct 2023 14:20:00 +0000

The post Zero Trust For Small Business appeared first on Corsica Technologies.


Small businesses increasingly find themselves targeted in today’s fast-evolving cyberthreat landscape. Better-resourced organizations have become so difficult to penetrate that cybercriminals are looking for softer targets. Unfortunately, this means that regional businesses, medical practices, government agencies, and even school districts are now in attackers’ crosshairs.

The best recourse for small businesses is to adopt a Zero Trust Architecture (ZTA). In this article, we’ll go over some definitions, then explain how small businesses can build realistic plans to establish ZTA in an affordable manner.

What is zero trust in a small business context?

The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) has developed a useful Zero Trust Maturity Model (ZTMM), outlined in this excellent whitepaper. It offers specific guidance for Federal Civilian Executive Branch agencies in implementing zero-trust architecture, but this guidance is also usable by organizations of all shapes and sizes in the private sector.

CISA’s ZTMM is specifically intended to give such government agencies a pathway to compliance with Executive Order 14028 governing cybersecurity. In a nutshell, Executive Order 14028 called on the federal government and its various agencies to adopt a zero-trust architecture for optimal security.

But CISA’s model also offers a robust framework that small businesses can follow to improve their cybersecurity postures. This framework is based on five pillars across the organization, each of which can be measured in terms of four maturity stages.

The 5 pillars of zero trust for small businesses

CISA’s model defines five pillars of zero trust:

  • Identity
  • Devices
  • Networks
  • Applications and workloads
  • Data

Through gradual implementation and improvement, small businesses can incorporate zero-trust principles for each of these pillars.

The 4 maturity stages of zero trust for small businesses

CISA’s Zero Trust Maturity Model defines four stages of maturity:

  1. Traditional—Security policies and enforcement are siloed by pillar, with no integration across pillars. Everything security-related must be manually configured and assigned, and every lifecycle has to be managed by hand. There is no aggregated visibility into the organization’s security posture across the five pillars.
  2. Initial—The organization has begun to break down silos with cross-pillar security policies and enforcement, although integration is not comprehensive. Some system and attribute control is now automated, but this approach is the exception, not the norm. The organization has achieved some aggregated visibility for the security posture of its assets.
  3. Advanced—Lifecycle and assignment controls are automated wherever possible, with policy enforcement integrated deeply across pillars. The organization has achieved centralized visibility and identity control, and it has established predefined mitigations for specific threat scenarios. Privilege changes are handled based on risk and posture assessments.
  4. Optimal—Lifecycles and assignment controls are 100% automated, operating just-in-time, with resources automatically reporting their own security posture. Policies exist in a dynamic state driven by automated triggers. Security monitoring and enforcement occurs seamlessly across all five pillars, and the organization has achieved continuous monitoring, centralized visibility, and comprehensive situational awareness.

Top 3 challenges to establishing zero trust

As you can imagine, reaching optimal zero-trust maturity might be a tall order for smaller organizations. Companies typically struggle in three specific areas:  

1. People

If you’re a small business, you probably don’t have the necessary skillset on the internal IT team. It’s hard to do a good job with security—especially when IT is so busy responding to tickets for business-critical systems and users.

Zero trust requires a net new layer of effort on top of existing effort, and most small businesses simply can’t support that effort internally.

Hint: This is why successful organizations outsource their zero trust initiatives to an MSSP (managed security service provider). That’s one of our passions here at Corsica Technologies—helping small businesses achieve zero trust architecture.

2. Processes

If an organization isn’t familiar with zero trust, then there’s no one at the helm who can evaluate current systems and processes against zero trust recommendations.

Not only that, but most small organizations don’t know where to begin in their quest to establish zero trust architecture.

In other words, companies struggle with 2 kinds of processes here: 1) auditing existing processes against zero trust, and 2) defining the processes for establishing zero trust.

3. Technology

Unfortunately, most smaller organizations use legacy technology that was designed before the zero trust revolution. These technologies either don’t support zero-trust principles, or they would require significant reconfigurations to incorporate such principles.

In addition, zero trust architecture requires net-new technologies that legacy organizations haven’t adopted. Things like threat detection across the five pillars, policy enforcement, and monitoring might all require net-new safeguards. Unless the organization has cybersecurity experts in house, it’s very difficult to know what you don’t know. You need an expert advisor here.

Additional challenges to establishing zero trust

No magic bullet

Simply put, there’s no magic bullet for cybersecurity. An organization can’t just buy one piece of equipment or a new software application and instantly establish a zero trust architecture—let alone keep it secure for years to come. Rather, zero trust is a journey and a collection of systems and policies.

Expensive if done in-house

Given all the systems, processes, and professional resources required to establish ZTA, it can be quite an expensive undertaking if done in-house. This makes it challenging for smaller organizations to maintain the security they need, given their staffing resources.

Mission creep

If you’re a smaller organization, you didn’t get into the business to manage IT and cybersecurity. You got into it to do the things your company excels at. A zero-trust initiative could easily create a significant distraction from your essential mission if you try to execute it in-house. The more you can focus on the things you’re skilled at, the more you’ll maximize your organization’s impact.

Zero trust is not “set it and forget it”

Unfortunately, it’s not enough to go through one cycle of effort in establishing zero trust. The path from traditional to optimal, or even just to advanced maturity, can take twists and turns.

As CISA’s whitepaper explains, “The path to zero trust is an incremental process that may take years to implement.”

While that might sound intimidating for small businesses, the key is to engage an expert partner who can 1) define a feasible path forward, 2) implement or assist in implementation, and 3) continuously evolve the path to stay abreast of new threats and best practices in cybersecurity.

Hint: That’s what we’re all about here at Corsica Technologies.

The path to zero trust for small businesses

Simply put, smaller organizations often lack the resources to succeed with zero trust. However, they need ZTA just as much as larger companies.

The path forward is to engage an expert partner who 1) knows the struggles of small businesses, and 2) knows ZTA from top to bottom.

Here at Corsica Technologies, our team is ideally equipped to audit your existing systems and processes and devise an achievable roadmap for your organization’s zero trust architecture. Get in touch with us today to learn more.

Want to learn more about Zero Trust?

Reach out to schedule a consultation with our security specialists.


Cybersecurity Risk Assessments: Uncovering and Mitigating Risk
https://corsicatech.com/blog/cybersecurity-risk-assessment/
Tue, 10 Oct 2023 14:20:00 +0000

The post Cybersecurity Risk Assessments: Uncovering and Mitigating Risk appeared first on Corsica Technologies.


Last updated August 27, 2025.

Cybersecurity risk assessments are essential in today’s threat landscape. But it’s challenging to assess risk, particularly if you don’t have cyber security managed services. Without that expertise, it’s tough to know where to start.  

Here’s everything you need to know about cybersecurity risk assessments.  

1. What is a cybersecurity risk assessment?

A cybersecurity risk assessment is the process of identifying, evaluating, and prioritizing potential threats to an organization’s digital assets. It involves analyzing vulnerabilities, the likelihood of exploitation, and the potential impact of security breaches. The goal is to inform leadership on risk mitigation strategies. This helps ensure data integrity, confidentiality, and system availability.

Frameworks like NIST 800-171, ISO 27001:2013, and CIS RAM all offer robust protocols for identifying and quantifying risks, but many organizations encounter a unique challenge here. Traditional gap assessments can make it appear that the organization must mitigate all risks completely. This is often impossible due to 1) limited resources, and 2) the excessive friction that this would introduce to business processes. 

Clearly, businesses need practical methods of assessing and mitigating cybersecurity risk. Ideally, these methods would define and allow acceptable risk while providing sufficient security. They should do so without forcing the organization to over-invest—and without creating extreme roadblocks for business processes. 

That’s the thinking behind CIS RAM, the Risk Assessment Method jointly developed by CIS (Center for Internet Security) and HALOCK Security Labs. It’s an excellent methodology for assessing cybersecurity risk, and it’s what we recommend here at Corsica Technologies.  

“The internet is a bit of wild, wild west. Corsica serves as our eyes on cybersecurity and ensures our staff are educated.”

—Sharon Pohly, CEO | Girl Scouts of Northern Indiana-Michiana

2. What are the benefits of a cybersecurity risk assessment?

Cybersecurity risk assessments provide numerous benefits, such as enterprise-level knowledge of risk, a methodology for defining acceptable risk, and a plan for mitigating risk. 

Here’s what each of these looks like in detail.

Enterprise-level knowledge of risk 

Small businesses typically can’t afford to hire cybersecurity experts on staff. This puts them at a significant disadvantage in comparison to enterprises.  

You might think a large company is more likely to be a target. Unfortunately, it’s exactly the opposite. Enterprise-class organizations have hardened their systems so well that cyber criminals are turning to softer targets. That means local manufacturers, regional banks, medical practices, county governments—even local schools.   

Every organization needs enterprise-level knowledge of their cybersecurity risks. An assessment from experts provides deep insight that a smaller organization can’t get any other way.  

A methodology for defining the threshold of acceptable risk 

100% bulletproof security is actually impossible to attain. You don’t know what you don’t know about evolving cyberthreats. Even if it were possible, SMBs would struggle to allocate resources to maintain this security. They would also experience prohibitive friction in their daily operations.

A cybersecurity assessment provides a rubric for defining the threshold of acceptable risk. To do so, it provides a framework for quantifying risk, which makes it easier to communicate both findings and mitigation plans to stakeholders.  

A clear plan for mitigating risks to acceptable levels 

Since a cybersecurity assessment measures risk against a well-defined threshold of acceptability, it also helps give structure to plans for mitigating risks to acceptable levels. It really isn’t possible to do this without an assessment, since the assessment process determines both the threshold of acceptable risk and the actual quantified risk in any particular area.  

A clear plan for implementing “just enough” security 

Not enough security, and an organization maintains unacceptable levels of risk.  

Too much security, and the organization can’t function due to the friction introduced by excessive measures.  

The key, then, is to implement “just enough” security—which a risk assessment helps define. This prevents the organization from spending too much on cybersecurity or introducing too much friction to their operations.  
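To make the "not enough / too much / just enough" decision concrete, here is a small added example (not Corsica's code and not CIS RAM's own tooling) that scores each risk as impact times expectancy on constructed 1-5 scales, compares it with an assumed acceptable-risk threshold, and then judges a proposed safeguard the way a CIS RAM-style reasonableness test does: the control must bring residual risk within tolerance without imposing a burden greater than the risk it removes. The register, the scales, the threshold and the safeguard names are all constructed for illustration.

```python
"""Added example: deciding on 'just enough' security for a constructed risk register."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed ordinal scales (1-5) and tolerance line; a real assessment defines
# these from the organization's own impact and expectancy criteria.
ACCEPTABLE_RISK = 6  # impact x expectancy at or below this is tolerated


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int       # 1 = negligible ... 5 = catastrophic
    expectancy: int   # 1 = rarely ... 5 = constantly

    def score(self) -> int:
        return self.impact * self.expectancy


@dataclass(frozen=True)
class Safeguard:
    name: str
    residual_impact: int      # impact once the control is in place
    residual_expectancy: int  # expectancy once the control is in place
    burden: int               # cost plus operational friction, same 1-25 range as a risk score

    def residual(self) -> int:
        return self.residual_impact * self.residual_expectancy


def evaluate(risk: Risk, safeguard: Optional[Safeguard],
             threshold: int = ACCEPTABLE_RISK) -> str:
    """Return one decision word for a risk and its proposed control."""
    current = risk.score()
    if current <= threshold:
        return "accept"            # already within tolerance: more spend is over-investment
    if safeguard is None:
        return "needs-safeguard"   # above the line and nothing proposed yet
    if safeguard.residual() > threshold:
        return "insufficient"      # control still leaves the risk above the line
    if safeguard.burden > current:
        return "too-burdensome"    # control costs more than the risk it removes
    return "implement"             # residual within tolerance at a burden the risk justifies


def assess(register: List[Tuple[Risk, Optional[Safeguard]]]) -> Dict[str, str]:
    """Evaluate every (risk, proposed safeguard) pair in the register."""
    return {risk.name: evaluate(risk, safeguard) for risk, safeguard in register}


# Constructed register: the scores are illustrative, not measurements.
REGISTER = [
    (Risk("Unpatched public web server", impact=4, expectancy=4),
     Safeguard("Monthly patch cycle with emergency patching", 4, 1, burden=5)),
    (Risk("Shared admin password with no MFA", impact=5, expectancy=3),
     Safeguard("Unique admin accounts plus MFA", 5, 1, burden=6)),
    (Risk("Lost laptop with encrypted disk", impact=2, expectancy=3), None),
    (Risk("Phishing against finance staff", impact=4, expectancy=4),
     Safeguard("Block all external email", 4, 1, burden=20)),
    (Risk("Guest Wi-Fi misuse", impact=3, expectancy=3),
     Safeguard("Captive portal splash page only", 3, 3, burden=2)),
]

if __name__ == "__main__":
    for name, decision in assess(REGISTER).items():
        print(f"{decision:16} {name}")
```

Run as a script it prints one decision per risk. The "too-burdensome" line (blocking all external email) is the over-security case the section warns about, "accept" is the case where spending more would be over-investment, and "insufficient" shows a control that looks like action but leaves the risk above the line.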

3. What are the dangers of not assessing cyber risks?

There are numerous dangers associated with lack of visibility into cybersecurity risks. Sensitive data leaks through AI tools, phishing emails, weak passwords, and unpatched systems are just a few of these risks.

Here are all the details.

Sensitive information can leak out in a ChatGPT prompt

Believe it or not, ChatGPT is a cybersecurity risk. 

Anything entered in a prompt can be used to train the AI further. This means it can also leak out in the AI’s output. 

This is why we recommend Microsoft Copilot rather than ChatGPT. Copilot works within your Microsoft 365 environment and rigorously protects your data (and anything entered in prompts). Read more here: Microsoft Copilot vs. ChatGPT

Phishing emails can trick untrained employees

A phishing email is one that comes from a rogue actor while appearing to be legitimate. Phishers use techniques of social engineering to create a sense of urgency and panic—so the employee reacts and clicks a link (or downloads an attachment) before thinking critically.  

For example, a phishing email might claim to be from HR, saying you need to click a link to enter banking details, or you won’t get paid.  

Whatever the strategy, phishing emails are incredibly dangerous.  

But they also have telltale signs that employees can learn to recognize. Things like strange “from” addresses and odd URLs linked in buttons are dead giveaways.  

A cybersecurity risk assessment can help you uncover weaknesses in email security, as well as gaps in employee awareness. It’s the first step in mitigating the ever-present threat of phishing emails.  
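As an added example (not from the original post), the telltale signs just described can be checked mechanically. The script below parses a constructed sample message, flags a display name that advertises an address on a different domain than the actual sender address, flags a link whose visible URL text names a different host than its href, and notes urgency wording in the subject and body. The sample messages, the domains and the urgency phrase list are all constructed.

```python
"""Added example: flagging phishing telltales in constructed sample messages."""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed messages: example.com is the organization, example-payroll.net the impostor.
SUSPICIOUS_EMAIL = b"""From: "HR Payroll <hr@example.com>" <alerts@example-payroll.net>
To: employee@example.com
Subject: Action required: confirm your banking details today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your direct deposit will be suspended unless you confirm within 24 hours.</p>
<p><a href="http://example-payroll.net/login">https://hr.example.com/payroll</a></p>
</body></html>
"""

BENIGN_EMAIL = b"""From: HR Team <hr@example.com>
To: employee@example.com
Subject: Monthly newsletter
Content-Type: text/html; charset=utf-8

<html><body><p>This month's newsletter is on
<a href="https://intranet.example.com/news">the intranet</a>.</p></body></html>
"""

# Constructed list of pressure phrases; a production filter would use a tuned set.
URGENCY_TERMS = ("action required", "within 24 hours", "suspended", "immediately")
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw: bytes) -> List[str]:
    """Return human-readable findings; an empty list means no telltale was seen."""
    msg = email.message_from_bytes(raw)
    findings: List[str] = []

    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    # Telltale 1: a display name that advertises an address on a different domain
    for match in EMAIL_RE.finditer(display):
        if match.group(1).lower() != sender_domain:
            findings.append(f"display name claims {match.group(1)} but message is from {sender_domain}")

    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    # Telltale 2: link text that shows one URL while the href goes to another host
    for href, text in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        if text.lower().startswith(("http://", "https://")):
            text_host = (urlparse(text).hostname or "").lower()
            if text_host != href_host:
                findings.append(f"link text shows {text_host} but points to {href_host}")

    # Telltale 3: urgency wording in the subject or body
    haystack = (msg.get("Subject", "") + " " + body).lower()
    pressure = [term for term in URGENCY_TERMS if term in haystack]
    if pressure:
        findings.append("urgency wording: " + ", ".join(pressure))
    return findings


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, analyze(sample) or ["no findings"])
```

The three checks map directly onto the signs above: the sender line, the link target, and the pressure to act. None of them requires a security product, which is the point for awareness training: a person can perform the same comparison by hovering over a link and reading the real address behind the display name.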

Weak passwords make it easy for hackers to get in

For legacy organizations, passwords can represent a massive liability. The older the system, the more likely it is to have a weak password and no MFA (multi-factor authentication).  

How real is this threat? Consider the top 5 most common passwords in 2022, according to NordPass: 

  • password
  • 123456
  • 123456789
  • guest
  • qwerty

Even if an employee isn’t using such dangerous passwords, they may have one password that they use across all systems. Your organization may even have a single password that many employees use to access many different systems.  

All it takes is a single compromised credential for attackers to get a foothold and deploy ransomware or other malware. Consider that the average ransomware demand hit $4.74 million in 2022 ($13.2 million for businesses). Clearly, weak passwords are one of the greatest dangers any organization faces.  

Luckily, a cybersecurity risk assessment will uncover just how much risk you face here—and how you can mitigate it without making operations impossible.  

Unpatched systems create serious vulnerabilities 

This is a significant liability for legacy organizations using on-premises servers. However, even companies with cloud-based services can fall prey to missed patches if they don’t have an MSP (managed services provider) or MSSP (managed security services provider) who’s responsible for all patches.  

If your team doesn't patch a vulnerability, attackers can exploit it to install malware on the exposed system. From there they can exfiltrate data, redirect website visitors to malicious hosts, and more.  

A cybersecurity risk assessment can uncover the unpatched systems you didn’t know about. It’s crucial to preventing this type of attack.  

4. How do you get the most out of a risk assessment?

Not all cybersecurity risk assessments are created equal. Some vendors will provide only the assessment findings, with no recommended action plan to mitigate risks. 

This may work for your organization if you have a dedicated cyber team. However, most organizations need a plan for mitigating risks in addition to the assessment.  

This is why most companies should look for comprehensive assessments. Make sure you ask for recommendations and an action plan in addition to the assessment itself.  

Hint: That’s what we offer here at Corsica Technologies.  

5. What is the process of cybersecurity risk assessment? 

Here at Corsica Technologies, we use CIS RAM to conduct cybersecurity risk assessments. Here’s what the process typically looks like.  

  1. Develop criteria for both risk assessment and risk acceptance.
  2. Model risks by evaluating the existing implementation of the relevant CIS Safeguards.
  3. Evaluate risks. Estimate the expectancy and impact of a breach to arrive at a quantified score for each risk.
  4. Propose implementation of CIS Safeguards that will reduce unacceptable risks.
  5. Analyze the proposed CIS Safeguards to make sure they will reduce risk to acceptable levels without introducing unacceptable friction to operations.


Risks may be modeled differently depending on which CIS Controls Implementation Group (IG) your organization falls into. An IG is assigned based on the organization's size, the security resources it has available, and the sensitivity of the data it handles, and CIS provides specific guidance on how to model risks for each IG. A qualified cybersecurity risk assessor will determine your IG, and thus how your risks should be modeled.  
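To make the five steps concrete, here is an added example (not code from the original post and not CIS's own worksheets) of a simplified risk register in the spirit of CIS RAM. The scoring model is an assumption for illustration: expectancy and impact on 1-5 scales, a risk score as their product, one acceptance threshold (step 1), and a proposed safeguard adopted only when the residual risk falls at or below that threshold and the safeguard's own burden on operations is also acceptable (steps 4 and 5). The register entries and the threshold are constructed; the Safeguard titles follow CIS Controls v8 naming.

```python
"""Added example (not from the original post): a simplified risk register in the
spirit of the CIS RAM steps above. Scoring (expectancy x impact on 1-5 scales
against one acceptance threshold) is an assumption for illustration, not CIS's
published worksheets; the register entries are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    safeguard: str    # the CIS Safeguard whose current implementation was evaluated
    expectancy: int   # 1 (not expected) .. 5 (expected): how likely the threat is as things stand
    impact: int       # 1 (negligible) .. 5 (catastrophic) to mission, objectives or obligations


@dataclass(frozen=True)
class Proposal:
    risk: Risk
    residual_expectancy: int  # expectancy once the proposed safeguard is in place
    burden_expectancy: int    # how likely the safeguard itself is to disrupt operations
    burden_impact: int        # how bad that disruption would be


def score(expectancy, impact):
    """Risk score on the assumed 1..25 product scale."""
    if not (1 <= expectancy <= 5 and 1 <= impact <= 5):
        raise ValueError("expectancy and impact must be on the 1-5 scale")
    return expectancy * impact


def evaluate(register, threshold):
    """Step 3: quantify each risk; the flag is True for a risk above the acceptance criterion."""
    return {r.safeguard: (score(r.expectancy, r.impact), score(r.expectancy, r.impact) > threshold)
            for r in register}


def analyze_proposals(proposals, threshold):
    """Steps 4-5: adopt a safeguard only if it brings residual risk to an acceptable level
    AND its own burden on operations is acceptable (the duty-of-care balance)."""
    verdicts = {}
    for p in proposals:
        residual = score(p.residual_expectancy, p.risk.impact)
        burden = score(p.burden_expectancy, p.burden_impact)
        if residual > threshold:
            reason = "residual_too_high"
        elif burden > threshold:
            reason = "burden_too_high"
        else:
            reason = "adopt"
        verdicts[p.risk.safeguard] = {"residual": residual, "burden": burden,
                                      "adopt": reason == "adopt", "reason": reason}
    return verdicts


def prioritize(register, threshold):
    """Unacceptable risks only, highest score first: the order in which to work the action plan."""
    scored = evaluate(register, threshold)
    return [s for s, (sc, unacceptable) in sorted(scored.items(), key=lambda kv: -kv[1][0])
            if unacceptable]


# Step 1 (constructed): the organisation accepts risks scoring 9 or below.
ACCEPTANCE_THRESHOLD = 9

# Step 2 (constructed): risks modelled against the current state of four Safeguards.
REGISTER = [
    Risk("5.2 Use Unique Passwords", expectancy=5, impact=4),
    Risk("7.3 Perform Automated Operating System Patch Management", expectancy=4, impact=5),
    Risk("14.1 Establish and Maintain a Security Awareness Program", expectancy=3, impact=3),
    Risk("10.3 Disable Autorun and Autoplay for Removable Media", expectancy=3, impact=4),
]

# Step 4 (constructed): proposed safeguards, including one whose burden is too high to adopt.
PROPOSALS = [
    Proposal(REGISTER[0], residual_expectancy=2, burden_expectancy=2, burden_impact=2),
    Proposal(REGISTER[1], residual_expectancy=1, burden_expectancy=3, burden_impact=3),
    Proposal(REGISTER[3], residual_expectancy=1, burden_expectancy=4, burden_impact=4),
]

if __name__ == "__main__":
    print(prioritize(REGISTER, ACCEPTANCE_THRESHOLD))
    for safeguard, verdict in analyze_proposals(PROPOSALS, ACCEPTANCE_THRESHOLD).items():
        print(safeguard, verdict)
```

The point of the last step shows up in the third proposal: blocking removable media entirely would drive that risk down to 4, but its burden score of 16 exceeds the same threshold the risks are held to, so the model rejects it and sends the assessor back to find a less disruptive safeguard. That symmetry, risk and safeguard judged against the same acceptance criterion, is what keeps an assessment from recommending controls that operations will quietly route around.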

6. What are the deliverables of a risk assessment?

Here are the deliverables you receive from a comprehensive risk assessment with Corsica Technologies: 

  • Report evaluating your current cyber risks against the relevant standards 
  • In-depth analysis of the report 
  • In-depth consultation regarding our findings with our CISO, Ross Filipek 
  • Detailed plan of recommended mitigation strategies based on our findings 

As we mentioned above, not every company provides a comprehensive risk assessment—i.e., one that goes beyond a mere description of the problem and provides a plan for mitigation. When working with Corsica, you don’t only get the results of our assessment. You get our recommendations, too.  

Ready to assess your cybersecurity risks?

Contact us today to start the process of improving your security posture.

Contact Us Now →


The post Cybersecurity Risk Assessments: Uncovering and Mitigating Risk appeared first on Corsica Technologies.

Establish a Vigilant Culture with a Human-Centric Approach to Cybersecurity https://corsicatech.com/blog/cybersecurity-awareness-training-how-to-keep-employees-vigilant/ https://corsicatech.com/blog/cybersecurity-awareness-training-how-to-keep-employees-vigilant/#respond Thu, 13 Oct 2022 02:38:46 +0000 https://corsicatech.com/?p=3604 Oftentimes, organizations are so worried about implementing technical security controls like firewalls, intrusion prevention systems and anti-malware software that they forget about the most important security control: employees. And when it comes to cybersecurity, the employees in your organization tend to be the weakest link in your defense, so ensuring that everyone is working with—rather […]

The post Establish a Vigilant Culture with a Human-Centric Approach to Cybersecurity appeared first on Corsica Technologies.

Oftentimes, organizations are so worried about implementing technical security controls like firewalls, intrusion prevention systems and anti-malware software that they forget about the most important security control: employees.

And when it comes to cybersecurity, the employees in your organization tend to be the weakest link in your defense, so ensuring that everyone is working with, rather than against, your security controls is critical. All employees should receive security awareness training on a frequent, recurring basis. Security awareness training programs are designed to help users and employees understand the role they play in preventing security breaches.

Employee Training

From regulatory compliance to phishing awareness and general cybersecurity best practices, awareness training helps employees keep your organization—and its data—safe. An awareness program also allows you to keep track of which employees have completed training, which new staff need to get up to speed and which users need a refresher course.

Many vendors provide short, video-based training modules about such timely security-awareness topics as using secure authentication methods, identifying social engineering (phishing) attacks, safe handling of sensitive data, causes of unintentional data exposure and the proper way to identify and report potential security incidents. Upon conclusion of a training module, participants are typically required to pass some type of quiz to gauge comprehension and retention of the material. These videos are a great way to get your team started on the road to security awareness.

You can supplement these training efforts with recurring tests such as internal phishing training. These serve as a practical demonstration that employees’ security awareness is improving, and a way to keep employees sharp when it comes to spotting suspicious activity. Your initial test results will likely be substandard, but as employees become accustomed to being on the lookout for phishing, results should dramatically improve. Many organizations have fostered an environment of security awareness through positive, public recognition of employees who score well on their phishing tests.

When Incidents Do Occur

To properly protect your business—and your data—you need to develop and document a process that defines standard procedures, roles, duties, and key management personnel with decision-making authority.

  • Define organization-wide standards for employees to report suspicious events to the incident response team, the approved methods for such reporting and the kind of information that should be included in the report.
  • Document third-party contact information to be used to report a security incident, such as law enforcement, relevant government departments, vendors and Information Sharing and Analysis Center (ISAC) partners.
  • Incorporate the incident-response process into your security awareness training program so that all employees are familiar with it.

To keep employees vigilant and aware of new security threats, conduct recurring mock incident response exercises the same way you would with phishing or email security penetration testing. These can be conducted as tabletop exercises for hypothetical scenarios and should help participants maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making and the incident responders’ technical capabilities using the tools and data available to them. Practicing incident response in this manner is a great way to keep your employees sharp and ready to jump into action should a real security incident materialize.

Security gaps? We’ve got you covered.

Don’t know where you stand when it comes to security? We’ve got you covered. Our security experts have the knowledge and experience to help organizations like yours reach and maintain full compliance. We perform a comprehensive analysis of your technology and cybersecurity environment, a review of potential cybersecurity gaps and compliance risks and then help you build a plan customized for your organization with actionable steps to help mitigate risks and protect employees and your data.

Increase security and peace of mind with Corsica. Schedule your personal consultation today.

Five Frequently Asked Questions About CMMC https://corsicatech.com/blog/five-frequently-asked-questions-about-cmmc/ https://corsicatech.com/blog/five-frequently-asked-questions-about-cmmc/#respond Wed, 25 Aug 2021 11:36:00 +0000 https://corsicatech.com/?p=423 If your business operations include cloud-based computing like Office 365, data loss prevention tools are a necessary defense in your IT arsenal.

The post Five Frequently Asked Questions About CMMC appeared first on Corsica Technologies.

The Cybersecurity Maturity Model Certification (CMMC) is a certification and third-party assessment program put forth by the U.S. Department of Defense. At the time of writing it defined five maturity levels; the CMMC 2.0 revision announced in November 2021 consolidated these to three. The aim of the framework is to certify that organizations handling federal data can securely process and store Controlled Unclassified Information (CUI).

Standards and regulations like NIST SP 800-171, ITAR, and the CMMC program are in place to ensure that organizations are taking the right steps to protect sensitive federal data. But what makes CMMC significant?

In this blog, we’re answering five of the most frequently asked questions about the CMMC framework.

What’s the Difference Between the NIST 800-171 Assessment and CMMC Framework?

While NIST 800-171 and CMMC compliance requirements both deal with CUI and are fairly similar in rigor (with Level 3 CMMC requirements covering all NIST 800-171 requirements with an additional layer of controls), the frameworks differ in their scope and assessment standards.

The main difference between the NIST 800-171 assessment and CMMC certification is that for NIST 800-171, companies can set and execute their own cybersecurity framework and declare themselves compliant with the NIST standards.

On the other hand, to obtain a CMMC certification, your organization must be certified by a CMMC Third-Party Assessment Organization (C3PAO). These organizations conduct audits to certify that companies in the Defense Industrial Base (DIB) meet a specified level of CMMC cyber hygiene. C3PAOs are authorized by the CMMC Accreditation Body (CMMC-AB, since renamed The Cyber AB), which is the only entity charged by the Department of Defense (DoD) with accrediting, licensing, and managing the CMMC ecosystem.

Additionally, the scope of NIST 800-171 covers Non-Federal Organization (NFO) controls, while the CMMC framework does not.

Do DoD Subcontractors Also Have to Be CMMC Certified?

Effective October 1, 2025, all DoD contractors and subcontractors will need to be CMMC compliant, and from fiscal year 2026 onward all DoD solicitations and contracts will be required to incorporate at least minimal compliance requirements. The DoD estimates the roll-out of CMMC standards will affect 300,000 companies.

In the meantime, organizations will need to discuss this matter with their Contract Officers, because if a subcontractor does not meet the minimum NIST 800-171 cybersecurity hygiene standards, contractors cannot process, store, or deliver CUI through that organization.

If a company is not currently CMMC certified but are in proposal for a contract with the DoD that requires CMMC certification, when do they have to be certified?

If entering a contract that requires CMMC certification, the organization must be fully certified by the time the contract goes into effect. For this reason, the government and C3PAOs are prioritizing organizations in the process of securing a contract with the DoD that requires CMMC certification.

Can a Company Be CMMC Certified at Any Time?

At this time, C3PAOs are strictly certifying companies that already have contracts requiring CMMC. As the framework becomes more ubiquitous, that will change and companies should be able to approach C3PAOs with a desired level of certification and meet the audit needs. The DoD is aiming to have 1,500 CMMC certified contractors by 2021 and 48,000 by 2025.

What does this mean for your company?

If your organization is looking to enter a contract with the DoD or anyone in the defense contract supply chain, you will eventually need to achieve the CMMC certification. If your organization is not one of the select organizations in the implementation phase prior to 2025, you can begin preparing for an eventual audit now.

Companies seeking a CMMC certification will first need to identify the desired maturity level (1-5 in the original model; three levels under CMMC 2.0) they want to be audited for compliance. The company will then need to hire a C3PAO to schedule the assessment with the certified independent assessor.

When performing the assessment, the independent assessor will evaluate security gaps and weaknesses and determine if the company’s environment meets the CMMC requirements necessary for that specific level. Companies will have up to 90 days to resolve any issues and close any gaps with the C3PAO.

Are you looking to be CMMC certified eventually? You can get a head start by downloading our CMMC Level 3 Compliance Checklist here.

What Does a CMMC Certification Cost?

The short answer is: it depends on the desired maturity level and the size of the company.

And the good news? The cost of certification is expected to be an allowable, reimbursable cost, and a certification is valid for three years.

If you’re a DoD contractor or subcontractor looking to enter a federal contract in or before 2025, you probably have some questions on your path to compliance. You’re not alone.
