Securing

Tomorrow’s Future

HTG is Often Asked, “What Exactly Do You Do?” We Humbly Tell Them, “We Do Amazing Things.”

HTG 360 TO BUNDLE VADE’S NEW OFFICE 365 ANTI-PHISHING TOOL

Vade Secure’s new tool uses Microsoft’s Graph APIs to provide native integration with Office 365 to add layered protection against email phishing.

To help its customers step up protection against phishing attacks, MSSP HTG 360 will offer a new tool from Vade Secure that integrates natively with Office 365, which has become a prime target of intruders.

HTG 360 on Tuesday said it will resell Vade Secure for Office 365, a tool launched at Microsoft’s Inspire partner conference in July, specifically designed to protect Exchange Online environments against phishing attacks.

Vade integrates natively with Office 365 by making use of Microsoft’s Graph APIs. Microsoft released the APIs last year and various ISVs have integrated them in various ways. Adrien Gendre, Vade’s chief solution architect, believes his company’s approach is unique in that it layers on top of the security provided by Microsoft rather than bypassing it.

The Vade offering is designed specifically to protect against phishing and social engineering attacks by applying predictive responses based on behavioral analytics, according to Gendre. It differs from many other anti-phishing solutions in that it doesn’t make changes to the domain’s mail exchanger (MX) record, he added.

“The only thing the product will do is to enhance the email security of Office 365 with a very unique integration, into the Microsoft Graph API,” Gendre said. “That gives many advantages, but the most important one is we are able to scan emails and to prevent insider attacks.”

Microsoft earlier this year added its own protection against phishing attacks with security options for Office 365 customers through its Microsoft 365 Business. While HTG 360 also offers Microsoft’s Enterprise Mobility and Security (EMS) service, it isn’t enough to protect against the onslaught of attacks, said CEO Chris Ichelson.

“We offer the Microsoft solution, but what we found is it doesn’t bring enough to the table to mitigate the risk from the client through email,” Ichelson said. “Having the Microsoft security or EMS suite enabled brings one layer, but there still needs to be another layer. And that’s where we see Vade Security as a benefit to our clients.”

Because phishing attacks use social engineering to trick a user into clicking on a link designed to give an intruder insider access, ransomware attacks and other malicious activity have increasingly spread.

Ichelson estimates that the number of attacks against Office 365 endpoints is three times the number targeting Exchange on-premises, though he said that’s not based on any research. After a proof of concept, HTG 360 has deployed the Vade tool with a client that has 300 employees.

“I found that their ability to funnel out the malicious files and to the fraud emails and scams, is highly effective,” Ichelson said. “It’s a turnkey type of solution that out of the box is going to be effective.”

The company began lining up partners immediately upon introducing the new tool at Inspire. It first went to its core base of partners, internet service providers including BT, Orange and Vodafone. Office 365 aggregators Crayon and Intermedia also have agreed to bundle the solution.

SEC’S NEW CYBERSECURITY GUIDANCE FALLS SHORT

The Securities and Exchange Commission (SEC) issued new guidance in February, urging senior executives and board members to pay closer attention to cybersecurity. However, the recommendations, while more stringent than what was in place before, don’t go far enough, critics say, and, more importantly, lack teeth.

No consequences for failure

In a set of recommendations about disclosures of cybersecurity risks back in 2011, the SEC said that companies need to “disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.”

The agency clarified that this did not require businesses to talk about specific technical details of those risks. As a result, the disclosures that companies did make were not particularly useful, according to a 2014 study by PricewaterhouseCoopers and the Investor Responsibility Research Center Institute. Instead, the disclosures “rarely provide differentiated or actionable information for investors.”

In addition, the earlier guidance suggested that the SEC would not enforce any of its cybersecurity recommendations, says Ernest Badway, co-chair of the securities industry practice at Fox Rothschild LLP. Instead, the agency would work with them “to make sure they have protections in place.”

In the future, the SEC would consider enforcement actions if the companies ignored the recommendations, he says, but there was no sign of that enforcement in the new guidance. In fact, Badway says, it doesn’t offer much more than the original 2011 recommendations did.

“It’s quite well and good to point out all these issues,” Badway says. “However, what they’re not doing is saying what happens when a company failed to meet these regulations. There’s no bite. All it really says is that everyone knows it’s important to have policies, procedures, and a plan in place for when something goes wrong, and that people shouldn’t be trading on information if they know it’s been a hack.”

By comparison, other cybersecurity regulations have significant enforcement power behind them. Breach notification laws, for example, are in place in 48 states, Washington, DC, and Puerto Rico, according to the law firm Perkins Coie.

A year ago, New York began requiring comprehensive cybersecurity assessments from financial services companies in the state. This May, the European Union’s General Data Protection Regulation (GDPR) goes into effect with fines of up to 20 million euros or 4 percent of annual global revenues, whichever is higher.

This new SEC guidance doesn’t compare to that, says Badway. “Not even close.” As a result, he says, he doesn’t see corporations rushing out to improve their cybersecurity processes in response to the new SEC guidance. They might be more motivated to improve by shareholder lawsuits, he adds, but the new guidance isn’t likely to provide more fuel for the plaintiffs. “The criteria are the same,” he says. “I don’t think anything has changed.”

Ironically, the new SEC guidance does mention both the New York State regulations and the EU’s GDPR, but only in the context of the potential litigation and legal risks of failure to comply with those requirements.

The SEC voted unanimously to approve the new guidance on February 20, but not all the commissioners were equally enthused by the final product. “I am disappointed with the Commission’s limited action,” said commissioner Kara Stein in a statement. “Should we be, in effect, re-issuing staff guidance solely to lend it a Commission imprimatur?” she asked. “Will companies, their general counsels, and their boards suddenly take notice of their cyber-related disclosure obligations because of the Commission’s new endorsement?”

Instead of recycling old advice, she said, the commission could have examined what it’s learned since 2011 from reviews of hundreds of public company filings every year. It could have looked at recent advances in technology used in cyberattacks. “The list goes on,” she wrote. “In effect, we could have helped companies formulate more meaningful disclosure for investors. Instead, yesterday’s guidance provides only modest changes to the 2011 staff guidance.”

Since that guidance was first released, there have been no significant changes in companies’ disclosures, she said — a sign that guidance alone is not enough. Meanwhile, the risks and costs of cyber attacks are going up, Stein said. For example, the SEC could have considered more stringent disclosure requirements, as well as going beyond just disclosures to setting minimum cybersecurity standards and procedures. Instead, the guidance that was released “may provide investors a false sense of comfort that we, at the Commission, have done something more than we have,” she said.

Stein wasn’t alone. “The guidance essentially reiterates years-old staff-level views on this issue,” said SEC commissioner Robert Jackson in a statement. “But economists of all stripes agree that much more needs to be done.” Without adequate regulation, companies will under-invest in cybersecurity, he said, citing a report released in February by the Council of Economic Advisers. “I reluctantly support today’s guidance in the hope that it is just the first step toward defeating those who would use technology to threaten our economy,” he said.

Focus on insider trading, new risks

The biggest takeaway for many experts from the new guidance is the attention paid to the problem of insider trading in connection to undisclosed cybersecurity problems. In one high profile case last year, the SEC and the US Department of Justice investigated the questionable sale of $1.8 million worth of stock by three Equifax executives after the company learned of a breach of 143 million records, but before the breach was disclosed to the public.

“While these undisclosed investigations are being conducted to determine the extent and potential impact of an attack, it’s simply reckless and inappropriate for executives to trade equities, even if they’re on an automated plan,” says Bill Conner, CEO at SonicWall, a cybersecurity vendor based in Milpitas, Calif. “There’s more to be done by the SEC with respect to cyber guidelines on disclosure and insider trading rules, but this is a solid step in the right direction.”

The new SEC guidance also draws additional attention to specific cybersecurity risks, experts say. For example, it specifically mentions ransomware, phishing, SQL injection attacks, and DDoS attacks. In the case of DDoS attacks, the SEC warns companies that if they’ve had a DDoS attack previously, it’s not enough to inform investors that such an attack might occur. Instead, they may need to discuss the previous incident and its consequences. “This welcome clarification will lead to a better understanding of the true costs of DDoS attacks,” says Ashley Stephenson, CEO.

Too often, DDoS attacks are not disclosed, Stephenson says. While the current guidance doesn’t specifically address the question of consequences, that might change. “Given the prevalence of DDoS attacks, it is unlikely that the defense of ‘plausible deniability prior to the first disclosable attack’ will be tolerated by the SEC for very long,” he says.

What’s surprising is that the SEC didn’t address the issue of privacy anywhere in its guidance document, says Willy Leichter, VP of marketing at cybersecurity vendor Virsec. “Granted, data privacy may not be in the SEC’s purview, but these incidents most commonly involve breaches of customer data and ensuing loss of privacy, confidence and customer trust,” he says.

More implementation details to come?

We might yet see more details about the implementation of these guidelines this year, says Eldon Sprickerhoff, founder and chief security strategist at eSentire, including new rules for timely breach notifications, and a blackout period following the discovery of a cybersecurity event to prevent insider trading. “There is no doubt that with the combination of incoming GDPR implementation and the Equifax event last year, the SEC will increase the spotlight on incident response preparedness,” he says.

It will take more work to achieve true “security in sunshine,” says Jeff Williams, CTO and cofounder at Contrast Security, “but this reaffirmation is a good step forward.”

There is a great deal of information that companies can disclose that won’t create additional security risks, he says. “That includes both vulnerability, breach, and risk management process information. Look for the SEC to go after companies that don’t disclose these risks and are breached in a way that harms consumers or investors.”

SEC chairman Jay Clayton said in a statement that more action might be coming. “We will continue to evaluate developments in this area and consider feedback about whether any further guidance or rules are needed.”

IF I WERE LAUNCHING AN MSP NOW: “MIND YOUR BUSINESS,” HTG 360 CEO TELLS…

We sat down with industry-leading MSP Chris Ichelson this week to talk about his history in the channel, what he’s seeing in the space today and his biggest takeaways and tips for folks just starting out.
In an industry where everything is continuously changing and evolving, Chris has one pretty simple, practical business rule of thumb: CYA. Or, if you prefer the PG version, CYB (cover your bases). Yes, we’ve made this a thing.

This encompasses myriad points, but Chris focuses on three main ideas: develop a marketing strategy, build in business processes and know when to let go.

Here are Chris’s three tips. Hold on to your … bases.

1. Invest in marketing.

Marketing needs to be pretty high up there on your list of “must-haves.” Some business owners and MSPs completely bypass this component or put it too far down on their list of priorities because it can be a rather big pain point.

What providers need to realize early on is that marketing is critical to the success of their business. Investing in marketing will give you a competitive edge and will put you several steps ahead of those who don’t deem it necessary.

Develop a marketing strategy and stick with it. Put aside a budget and aim it at securing the right opportunities to get your message out. The world needs to know you exist.

2. Make the business your business.

Make sure you have a grasp on your behind-the-scenes operations. It is vital to build in business processes for greater operational efficiency. You need people in place who can help manage and build the business from the back end while you’re out driving sales.

“One of the smartest things we did was bring in an operations leader from the financial services side of things,” says Chris. “You need someone who can tell you how much you can put toward, say, marketing, look for and fix inefficiencies, track progress and keep an eye on profit.”

3. Know when to let go.

At some point, you have to release your grasp. Get to the point where you let go of the business enough so that you can focus on your highest value spot in the business.

It’s not easy. In fact, that’s one of the hardest things to do — to relinquish control of all the moving pieces. But you need to be able to delegate so that you can turn your attention to the bigger picture.

Chris Ichelson, CEO of HTG 360, is a Certified Network and Security Professional with a wide expertise in IT process, IT transformation, business process improvement, security, cloud, network, telecom, infrastructure, design and emerging technologies. He brings business consulting services to clients of all shapes and sizes and has consulted for many companies including Fortune 500 & Global 5000 companies Thyssenkrupp, Berkshire Hathaway and Department of Veteran Affairs. He has an extensive background that enables his clients to gain superior returns on technology investments. He has more than 10 years of experience in his field and comes widely recommended from many C-level executives nationwide.

HTG 360 HIRES NATIONAL CHANNEL MANAGER AND PROMOTES MATT ATKINSON

The master agent launched its UCaaS Matrix resource in 2016 but announced an upgrade at this year’s partner conference. The website, available on the Telarus back office, lets partners narrow down a long list of vendors based on attributes and competencies and make head-to-head comparisons. Telarus has also added matrices for SD-WAN, security, cloud and call center.

Telarus Co-Founder Patrick Oborn said the upgraded tool will make partners look like geniuses in front of their customers.

“This is your trick in your back pocket,” Oborn said. “This is why working with Telarus is going to make you smarter than working with the other masters. Because we want you to win, and we’re going to invest in tools for you to do this.”

The Matrix is available only to agents with a login, but Telarus has made some vendor information publicly available. Oborn announced that the Matrix is already available on the Telarus Partner App.

“Not only do we want you to be the best. We want you to be the best on your phone. You are literally a mobile agent; you can go anywhere you want with that phone, and you will be able to give Gartner-level advice to any of your clients,” he said.

Telarus does a technology (usually software) reveal every year at its partner event. Last year the new tool was MoonRize, which expands order visibility for partners.

This year’s partner conference moved to Boca Raton, Florida after several years in Utah. It’s also the first conference after the merger of Telarus and competitor master agent CarrierSales. Telarus CEO Adam Edwards spoke yesterday about the synergies between the two companies.

HTG 360 CEO Chris Ichelson says both companies and their respective employees are unified under the same brand.

“The two companies have gone through a massive combining of two very separate companies,” Ichelson said. “They’ve done an awesome job at it. From a partner perspective, I do not hear of any restriction in the space.”

He reiterated Telarus CEO Adam Edwards’ sentiment that CarrierSales brought several new specializations to the combined company, including contact center and security. Ichelson says the overall result is Telarus obtaining more resources and more diverse perspectives. The company said last year that it would become the second largest master agent as a result of the transaction, vying for supremacy against Intelisys.

“If you have one big organization in a space, a lot of times the competitors need to combine resources and combine talent,” Ichelson said. “If not, the road to get there is too long. And I think this was probably the best move they could have made.”

HTG 360’s Two Hires

I chatted with Ichelson, whose company recently expanded its channel team. HTG works as an exclusive security and compliance vendor with Telarus.

HTG 360 hired Fred Hamilton as its national channel manager. Hamilton, who previously worked with Comcast as a regional channel manager, will lead the overall channel direction of the company.

“We felt that having somebody sit as the national channel manager builds a conduit for the channel that can help them transition their business from an education standpoint, from a relationship standpoint and give them a conduit that they can bounce ideas off,” Ichelson said. “Then they can bring in the experts, which are our engineering staff and our executive staff at HTG.”

The company also promoted Matt Atkinson from channel intern to channel account manager.

“His goal and his job is to facilitate the path between the agent, the end user and us internally in order to drive successful sales engagements or partner engagements throughout the end user community.”

Atkinson’s promotion is a major step for a channel industry that’s trying to bring young talent onboard. It’s a well-documented reality that our industry is retiring more personnel than hiring new faces. The niche nature of the indirect IT/telecom sales channel makes it very difficult to draw college graduates who have never heard of the industry.

Atkinson is currently studying business and criminology but signed on as an intern after Ichelson explained the channel. Ichelson says the industry has its parallels to insurance – a field where Atkinson’s mother works.

Atkinson’s first experience in the channel was attending the Channel Partners Conference two months ago. He wrote about the event on LinkedIn.

Ichelson says his company’s internship program brings major value and is worth expanding.

“We learned from working with him as an intern is that the millennials are going to be what drives the channel going forward,” Ichelson said. “And in order to get the millennials to drive the channel – which we need from any organization in the channel – is that we need to be able to have a path for them. Whether that’s a path to direct or a path to the channel, they need the help. They need the mentors.”