Our First AI Warning: Why Using AI Services Can Breach Your Contracts

/in ,

We recently received our first AI Warning. This was not a a general warning such as, “anything built for good can be use for evil” or “AI can replace you.” We received a direct warning about specific uses of artificial intelligence services and our contracts. The warning we received applies to you as well.

Some Background About this AI Warning

Cumulus Global is known for our professional services, including our ability to successfully manage cloud migrations from a variety of local environments. We often provide these services to other technology firms that need our expertise and experience to solve specific client needs. We have standing partnership agreements with several of these firms.

The AI Warning came from one of our partners.

The AI Warning

The warning we received centered on our potential use of AI services and the implication for confidential information belonging to our partner and their clients. The warning stated that providing this data to any AI system or tool is a likely violation of our contract, confidentiality, and non-disclosure agreements.

Specifically:

  • Providing confidential information to any AI system or tool is an authorized disclosure unless we have a contractual agreement in place with the AI vendor that ensures all data remains private and confidential.
  • The use of any confidential information for feeding or training AI system or tool is considered an authorized disclosure. Even if the AI system or tool is private the confidential information will be used outside the scope of any project, work, or need.

In addition to clearly defining limits on the use of their data with AI services, the warning included the company’s intent to pursue any and all contractual and legal methods to prevent, or in response to, disclosures.

Bigger Context

While this AI warning was specific to one business relationship, we see a bigger context. The current flood of AI services is exciting, and the potential uses and benefits are great. If we want to engage, however, we need to be careful. Whether we are deliberately training an AI system or creating prompts and providing feedback to refine answers, we are placing information in the hands of others. Unless we take explicit steps to ensure privacy with AI tools, our expectation must be that the information we provide will be used train the AI service, effectively placing the information in the public domain.

We must also recognize that the generative nature of AI increases the risk of improper disclosure. While we may not intend to disclose information, AI engines can recognize and correlate information. In other words, AI services can piece together data to create and share  information that should be private.

Your Action Plan to Prevent AI Issues

Take a step back and plan your approach to AI.

  • Consider how and when you want to use AI in your business
  • Make sure you, and your team, understand your contractual and regulatory responsibilities with respect to information privacy
  • Assess the AI tools and services you plan to use;
    • Understand their data privacy commitments
    • Match privacy polices and commitments against your business and legal requirements
    • Opt-in to agreements, even if it requires paying for the service, that ensure data privacy

With an understanding of your requirements and AI services, AI can add value to your business without introducing significant avoidable risk.

We Can Help

To discuss your technology service needs and plans, click here to schedule a call with a Cloud Advisor or send us an email.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

2023 OpenText Cybersecurity Email Threat Report

/in ,

eBook | Source: OpenText Security — Attackers persistently adapted their email-based techniques throughout 2022, introducing more nuances into their methods. This eBook shares current information about Phishing, Business Email Compromise, Cryptocurrency Scams; and the Top Malware Threats. The report provides examples of attacks as a learning tool for understanding attacks, how to prevent them, and how to respond.

Read more

Cloud Cover: Strategies for Small Businesses

/in ,

(04/18/2023) – As small businesses, we can do more with the cloud then Microsoft 365 and Google Workspace. But if we want to take advantage of the benefits of managed cloud services, we need better cloud strategies.

Read more

Cyber Security: 3 Questions and Shared Responsibility

/in ,

(03/21/2023) – The cloud’s Shared Responsibility Model places most of the security and data protection burden on you. Our webcast explores 3 key questions and the shared responsibility model to help you plan, deploy, and manage effective, and cost-effective, security..

Read more

Hybrid IT for SMBs

/in ,

(02/21/2023) – A sound Hybrid IT strategy creates better collaboration, cost efficiencies, security, and resiliency. Review your hybrid business strategy and supporting IT services. Address your business, technology, security, and cost challenges.

Read more

Security CPR®

/in ,

(01/24/2022) – Cybersecurity requires policies, procedures, supporting technologies, and a culture of awareness. This webcast is a deep dive into our Security CPR® model for preventing and surviving cyber attacks.

Read more

Lessons from the Rackspace Attack

/in ,
ransomware

Cyber Security Ransomware Email Phishing Encrypted Technology, Digital Information Protected Secured

On December 2, 2022, a ransomware attack on Rackspace disrupted email services for thousands of businesses.  The attack encrypted files throughout Rackspace’s Hosted Exchange environment, one of the largest in the world.  The outage impacts mostly small and midsize businesses (SMBs).  While Hosted Exchange is only 1% of Rackspace revenue, the incident was large enough to warrant a filing with the Securities and Exchange Commission. We can all learn lessons from the Rackspace attack with respect to cybersecurity and response.

Lessons from the Rackspace Attack

1 Incident Response Must Be Quick

In their SEC filing, Rackspace noted that their “… information security team had strong incident response protocols in place that led to the quick containment of the ransomware attack.”  They were able to limit the damage to the Hosted Exchange service, protecting other aspects of the company’s operations and other services.

For SMBs like ours, speed is also necessary. Quickly identifying an attack and isolating effected devices is critical. An infected laptop can spread the infection to servers and through files sync’d into cloud storage (ie, OneDrive, Google Drive, Dropbox). From there, every connected device is vulnerable.

2 Recovery is Not a Sure Thing

Rackspace is NOT recovering customers’ Hosted Exchange service. The company is moving these customers to Microsoft 365.

Paying the ransom is not always possible. Paying a ransom does not guarantee that your get your data back.

3 Recovery is Difficult

As of December 12, 2022 — a full 10 days after the attack, Rackspace disclosed that about two thirds of its customers have been transitioned to Microsoft 365. Nearly one third of customers remain without email service. Rackspace is effectively abandoning its Hosted Exchange service.

The logistics of identifying recoverable data and understanding interdependencies is complex. Managing data restoration across multiple devices, systems, and data sets is challenging. Some data will be lost. Understanding which data, and how much data, has been lost is challenging.

4 Recovery is Big and Slow

Rackspace has hired staff and contracted with many Microsoft Fast Track service providers.  Even so, call wait times are still averaging about 30 minutes.  Rackspace is setting expectations, repeatedly telling customers that data recover will “necessarily take significant time”.

Starting with a clean system gets your systems up and running. How effectively can your run your business without your data?  Data recovery takes time, even from backups. While emails may be relatively easy to live without, what is the impact if your accounting system is unavailable for days or weeks?

5 Recovery needs Expertise

While Rackspace is a leading technology firm, they have hired outside firms to investigate the attack and remediate the incident.

Most IT firms servicing SMBs do not have the expertise or staff to respond to a cyber attack. Expertise and resources will be needed for investigations and forensics, data recovery, systems restoration, communications, regulatory reporting and compliance, and customer service.

6 Recovery is Expensive

Rackspace is actively promoting that it maintains sufficient cybersecurity insurance to cover the costs of the incident. Their SEC filing, however, does not indicate if or how they plan to compensate customer for their losses.

You will spend money … lots of money … beyond the cost of getting your data back, your systems restores, and your business back up and running. Regulatory filings, communication, legal services, and litigation can be a crushing burden that threatens. More than half of SMBs fail within six months of a significant cyber attack.

Steps You Can Take

Looking at the lessons from the Rackspace Attack informs how we should think about protecting our businesses and ensuring we can return to normal operations quickly and efficiently. Here are resources for you to learn more.

Earlier this year, we blogged about how Streamlining Security for SMBs can protect you from the most common and the most expensive types of cyber attacks without breaking your budget.  We held a webinar on the same subject.

Our Security CPR® managed security service model outlines the three critical aspects of cyber security communication/education, protection/prevention, and recovery/response.  Our eBook, 15 Best Practices for Cyber Protection, dives into the model.

To discuss your security footprint, risks, and options, contact us by email, via our website, or by scheduling time directly with one of our Cloud Advisors.

Responding to Ransomware: Police, Pay, or Panic?

/in ,

ransomware response plan In today’s digital landscape, the threat of ransomware looms large, posing a significant risk to businesses and organizations of all sizes. Ransomware, a malicious form of cyber attack, can swiftly encrypt critical data and hold it hostage until a ransom is paid. These attacks can disrupt operations, compromise sensitive information, and inflict financial losses. In the face of this evolving threat, having a robust ransomware response plan is imperative.

At Cumulus, we understand that responding to ransomware is complicated.  With the continuing increase of successful cyber attacks against small businesses, we hear a lot of debate on two aspects of your ransomware response to a successful attack.

  • Should you contact law enforcement?
  • Should you pay the ransom?

Both of these questions have pros and cons. How and when you answer these questions can have a long-lasting impact on you and your business. Read on to learn about top ransomware response plans, how to prevent a ransomware attack, and other vital information to keep you and your business safe.

Ransomware Incident Response Strategies

Involving Law Enforcement

The debate about if and when to contact law enforcement often centers around what happens after law enforcement gets involved.  Typically, you would contact your local police department which, in turn, would contact the cyber crimes unit of your state police (if your state has one) and/or the FBI. You can also report a ransomware attack directly to the FBI or the Cybersecurity and Infrastructure Security Agency (CISA).

The biggest risks to involving law enforcement are the effects of a criminal investigation. You may not be able to repair and rebuild your systems until a forensic investigation is complete. In some cases, your computers may be considered evidence as part of a criminal investigation. By delaying your access to your computers, these actions can disrupt your ability to recover those systems.

The biggest advantages to involving law enforcement is the assistance the cyber security agencies can provide during the investigation and recovery. The FBI Cyber Division, CISA, and the National Cyber Investigative Joint Task Force can help identify the specific attack. For known variants, they often have valid decryption keys.  If involved quickly enough, the FBI and other agencies have a history of recovering at least some ransoms and thefts (e.g. the Colonial Pipeline incident).

If you have cyber insurance, you may not have a choice about reporting the attack to law enforcement.  Your carrier may require you to involve law enforcement as a condition for processing your claim. Your insurer may also mandate a forensic analysis to fully understand the scope of the attack and the necessary steps to recovery.

Paying the Ransom

Responding to ransomware, you want to move quickly and correctly. Wiping and rebuilding systems, restoring your data from backups, and recreating missing or damaged data takes time and money. Decrypting the data can be faster and easier.  Paying the ransom is tempting. Your insurance carrier may also pressure you to pay the ransom to lower the cost of the claim.

Before you pay a ransom, consider the following:

  • As noted above, law enforcement may already have decryption key;
  • It is a funding mechanism for hackers to carry out future and repeated attacks;
  • Paying a ransom does not guarantee you will receive a decryption key;
  • Even with the decryption key, you may not be able to recover all of your data;
  • Attackers will often demand additional payments to prevent the release of stolen information; and
  • Paying the ransom is likely to be a federal crime as it may be funding hostile nations, terrorism, human tracking, or child exploitation.

To the latter point, paying ransom to an organization or government on a sanctions list, including those tied to terrorist activities, violates US law (18 USC 2339A, 2339B, 2339C). In October of 2020, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued a warning that “Ransomware Payments with a Sanctions Nexus Threaten U.S. National Security Interests” and could result in civil and criminal actions.

Recommended Actions For a Ransomware Response

When responding to ransomware, you will need to work with your cyber insurance carrier. Contacting law enforcement early is more likely to help your recovery than hinder it.

  • Additional expertise
  • Simultaneous investigation/forensics with your insurer
  • The possibility of known decryption keys for your ransomware variant
  • The ability to cover lost or stolen funds
  • The potential identification of the source of the attack

These benefits can mitigate the damage and help speed recovery.

Paying the ransom should always be a last resort. To avoid violating US law and facing the risk of criminal charges or civil sanctions, paying a ransom should not be done without consulting law enforcement.

For more information about cyber security and protecting your business, visit our Resource Center, or schedule an introductory call with one of our Cloud Advisors.

 

Debunking 5 Cyber Security Myths for SMBs

/in ,

Data Protection & SecurityAs owners and leaders of small and midsize businesses (SMBs), we have limited resources for IT and cybersecurity.  We should not be surprised, therefore, that SMBs face the biggest threat from ransomware and other cyber attacks.  Beyond the cost and risk of ransomware and encryption attacks, SMBs face business email compromise (BEC) attacks and threats to disclose regulated information.  Recovery costs, fines, and legal actions resulting from a successful attack can destroy your business. And yet, many SMBs remain unaware of the risk and/or lacking reasonable data protections and security.  This post intends to debunk five (5) cyber security myths for SMBs.

1My company is too
small to be a target

While note every attack is successful, one global report states that 86% of SMBs have been hit by ransomware attacks, with 20% attacked more than six times. With fewer resources and less focus on cyber security, SMBs represent an attractive target for attackers.  The increase in remote work and use of remote desktop protocols creates additional opportunities for attackers. Securing and managing these services requires time and attention.

The impact of a successful ransomware attack continues to increase.  According to Verizon’s 2020 Data Breach Investigations Report, the average cost of a successful ransomware attack grew from an average of $34,000 to just under $200,000.

2I cannot afford to protect
against cyber attacks

Cyber attacks are inevitable. Protecting your business does not require expensive solutions.  Your cost for endpoint protection for your devices, advanced threat protection for email, and security awareness training is pennies per day per person.  You can deploy multi-factor authentication (MFA), local disk encryption, and the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) protocols for free. You can deploy cloud-based business continuity and disaster recovery (BCDR) for less than traditional backup/recovery solutions.

3I have backups,
so I am safe

Not all backup solutions are equal.  Many backup/recovery solutions for SMBs run on the same servers and networks as your business systems. Ransomware and other cyber attacks will seek out and encrypt/damage backup servers to render your backups useless.  Your backup/recovery solutions should be segregated from your production network and systems to shield them from attack.  Business Continuity/DR solutions offer the additional ability to bring systems back on line in an alternate cloud data center while you recover your primary systems.

4Technology alone
will save me

As with most security protocols, people are your first line of defense.  As many as 93% of cyber attacks begin with a phishing attack. People click on links, unwittingly downloading malware or sharing usernames and passwords.

Security awareness training should be a standard practice within your business.  The training is a proven way to reduce risk, decrease infections and help desk requests, reduce the chances of a security breach and strengthen the overall security posture.

5Cyber resiliency is
too hard to achieve

Cyber Resilience is the ability to withstand security attacks and land on your feet, no matter what happens. Cyber resilience protects your business, customers, and employees from ransomware, business email compromise, and other potential issues and attacks.

While some gaps in security will always remain, you can affordably improve your cyber resiliency.

To overcome these 5 small business cyber security myths, review your security footprint, and improve your resilience, please contact us by email, via our website, or by scheduling time directly with one of our Cloud advisors, with any questions or concerns regarding this service update.

Change Management in Cyber Security

/in ,

Security, Privacy, & ComplianceCyber Security Will Change Companies

IT change management is a structured process for evaluating proposed IT system or service changes. This procedure is carried out prior to implementing the requested change on an organization’s network, reducing or eliminating network outages.

At a recent security and risk management summit, Gartner shared their views of how cyber security will change companies.  While Gartner’s predictions focus on larger enterprise, several of their observations will likely hold true for small and midsize businesses (SMBs) when it comes to change management in cyber security processes.

Here are some observations and our view of how they will impact small and midsize businesses.

Impacts of Cyber Security Change Management

Through 2023, government regulations requiring organizations to provide consumer privacy rights will cover 5 billion citizens and more than 70% of global GDP.

Privacy regulations will continue to expand as more nations pass legislation establishing privacy requirements.  Within the US, we expect more states to follow California, New York, and Massachusetts with varying levels of regulations. Along with the regulations come the potential for fines and increase civil litigation, making it vital to pursue cyber security change management. In many of the statues, the protection is afforded the customer based on the customer’s location, not the location of the business.

For SMBs, establishing and maintaining a sound change management cyber security footprint is essential. Beyond the cloud infrastructure technology tools, businesses need to educate employees and have the policies and procedures in place. These policies and procedures should define expectations for employees and for how the business will respond to an incident.

By 2025, 80% of enterprises will adopt a strategy to unify web, cloud services and private application access from a single vendor’s SSE (Security service edge) platform.

Protecting access to systems is more challenging as the proliferation of usernames and passwords continue.  As the human element can be the greatest security challenge, Identity and Access Management (IAM) solutions will become the norm.

For SMBs, Single Sign-On (SSO), centralized identity/password vaults, and other tools are available and are, generally affordable.  Many SMBs current hesitate given the incremental cost per user per month. As the cost and risk of missing becomes greater, we expect SMBs will see value of Identity and Access Management solutions. These solutions will become the norm within a cyber security strategy, not an add-on.

By 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.

With increased concern and scrutiny from customers, consumers, and regulators, businesses are under increasing pressure to monitor and protect against third-party cyber security risks.  This trend will impact SMBs in two ways.

  1. Given the prevalent use of business email addresses as identities for third party applications and services, SMBs will monitor for reported breaches. Third party breaches give cyber criminals an attack vector.
  2. Larger enterprises will see businesses in their supply chains as potential security risks. They will increasing include cyber security requirement in vendor authorization process and in contracts.

SMBs need to be ready to meet the security and risk management demands — people, process, and technology — of their customers.

By 2025, 70% of CEOs will mandate a culture of organizational resilience to survive coinciding threats from cybercrime, severe weather events, civil unrest and political instabilities.

As businesses adapted to the COVID-19 pandemic, the inability of most businesses to respond to large scale disruptions exposed flaws in traditional business continuity planning. The pandemic put a spotlight on the need for business resiliency and continuity plans for businesses that had not yet considered continuity to be a priority.  The level of planning to address the threats from cybercrime will need to be the same as the planning for other disasters and business disruptions.

For SMBs, leveraging cloud solutions will remain the most cost-effective business continuity option.  Moving systems and applications into cloud services increases security, adds redundancy, provides geographic diversity, and provides better remote access than on-premise systems.  SMBs are at greatest risk from local or regional issues. Managed cloud services … even if only a “lift and shift” of existing servers and applications … will be accepted as a cost-effective way to improve cyber security processes, security and resiliency.

Final Thoughts on Change Management in Cyber Security

We expect small and midsize businesses will need to expand and change their cyber security footprint and processes. They will need to improve resiliency.  Appropriate solutions such as cyber insurance and breach response are available and are affordable.  Businesses can meet their security, resiliency, continuity, and operational needs effectively and affordably. The inherit advantages of cloud services and solutions make this possible.

To evaluate your requirements and readiness for better security and resilience against cyber attacks and other business disruptions, contact us for a consultation, or book some time with a Cloud Advisor.  The consultation is free and without obligation.