Award-winning email security leader expands best-in-class offerings with gateway-less deployment solution that streamlines security, increases visibility, and enhances efficacy for IT teams.

**LEXINGTON, Mass., November 1, 2022 —** Mimecast Limited (Mimecast), an advanced email and collaboration security company, today announced the launch and general availability of its Email Security, Cloud Integrated solution that will help enable organizations to Work Protected™. This gateway-less solution is designed to optimize protection for Microsoft 365 environments with scalable, best-in-class email and collaboration security. Typically deployed in less than 5 minutes, this solution is ideal for IT teams that need email security delivered the fastest way possible.

Mimecast’s Email Security, Cloud Integrated solution is designed to empower organizations of all sizes to address critical security challenges such as increasingly sophisticated attacks, an expanded hybrid attack surface, a growing skills gap and more. This new gateway-less deployment solution is engineered for organizations that want to secure their M365 environment without adding complexity or burdening overstretched teams.

“Backed by nearly two decades of email security expertise and a rich history of innovation, Mimecast is uniquely positioned to offer a flexible, gateway-less solution that helps organizations proactively enhance their security posture,” said David Raissipour, Mimecast Chief Technology & Product Officer. “With the evolving nature of today’s threat landscape, there isn’t a ‘one-size-fits-all’ email security solution designed to address the unique needs of every enterprise. Scalability is key. Mimecast’s Email Security, Cloud Integrated deployment solution enables us to scale our services so more organizations can Work Protected by securing their business communications, people, and data.”

“Microsoft 365 cloud-delivered email has become core to more than two-thirds of the world’s email communications infrastructure,” said Dave Gruber, Principal ESG Analyst with the Enterprise Strategy Group. “Despite native security and resilience capabilities included within M365, additional layered controls from companies like Mimecast are helping IT and security teams deliver increased levels of security and resiliency needed to support their business operation. This new Mimecast offering carries forward the comprehensive security solution that Mimecast is well known for, now available in a gateway-less deployment model, offering a fast-path to higher levels of security and resiliency.”

A free 30-day trial of Email Security, Cloud Integrated can typically be activated in under 5 minutes and is currently available to new customers located in the United States and the United Kingdom, with availability in additional countries continuing through 2023. To learn more about Email Security, Cloud Integrated and enroll in the free trial, visit https://www.mimecast.com/free-trial/.

**Mimecast: Work Protected™**

Since 2003, Mimecast has stopped bad things from happening to good organizations by enabling them to Work Protected. We empower more than 40,000 customers to help mitigate risk and manage complexities across a threat landscape driven by malicious cyberattacks, human error, and technology fallibility. Our advanced solutions provide the proactive threat detection, brand protection, awareness training, and data retention capabilities that evolving workplaces need today. Mimecast solutions are designed to transform email and collaboration security into the eyes and ears of organizations worldwide.

Mimecast Unveils Email Security, Cloud Integrated for Optimized Flexibility and Speed

**FOSTER CITY, Calif., Nov. 2, 2022 /PRNewswire/ —** Qualys, Inc. (NASDAQ: QLYS), a pioneer and leading provider of disruptive cloud-based IT, security and compliance solutions, today announced financial results for the third quarter ended September 30, 2022. For the quarter, the Company reported revenues of $125.6 million, net income under United States Generally Accepted Accounting Principles ("U.S. GAAP") of $27.7 million, non-GAAP net income of $36.8 million, Adjusted EBITDA of $54.9 million, GAAP net income per diluted share of $0.71, and non-GAAP net income per diluted share of $0.94.

"In Q3, we delivered another quarter of strong revenue growth and cash flow generation," said Sumedh Thakar, president and CEO. "We believe our extendable cloud-based platform is core to building a durable growth business over the long term. The launch of TotalCloud flexes the power of our platform by enabling cloud-native VMDR with accurate, comprehensive and unrestricted scanning options to uniquely secure cloud and container environments from build to run-time. We believe the Blue Hexagon acquisition allows us to further extend the Qualys Cloud Platform by transforming our massive data lake into a powerful, predictive analytics engine to perform real-time zero-day threat detection while advancing our value proposition and competitive differentiation in the market."

**Third Quarter 2022 Financial Highlights**

Revenues: Revenues for the third quarter of 2022 increased by 20% to $125.6 million compared to $104.9 million for the same quarter in 2021.

Gross Profit: GAAP gross profit for the third quarter of 2022 increased by 21% to $99.6 million compared to $82.5 million for the same quarter in 2021. GAAP gross margin was 79% for both the third quarter of 2022 and the third quarter of 2021. Non-GAAP gross profit for the third quarter of 2022 increased by 20% to $102.2 million compared to $85.1 million for the same quarter in 2021. Non-GAAP gross margin was 81% for both the third quarter of 2022 and the third quarter of 2021.

Operating Income: GAAP operating income for the third quarter of 2022 was $33.3 million compared to $32.0 million for the same quarter in 2021. As a percentage of revenues, GAAP operating income was 27% for the third quarter of 2022 compared to 30% for the same quarter in 2021. Non-GAAP operating income for the third quarter of 2022 increased by 11% to $48.0 million compared to $43.1 million for the same quarter in 2021. As a percentage of revenues, non-GAAP operating income was 38% for the third quarter of 2022 compared to 41% for the same quarter in 2021.

Net Income: GAAP net income for the third quarter of 2022 was $27.7 million, or $0.71 per diluted share, compared to $27.8 million, or $0.70 per diluted share, for the same quarter in 2021. As a percentage of revenues, GAAP net income was 22% for the third quarter of 2022 compared to 26% for the same quarter in 2021. Non-GAAP net income for the third quarter of 2022 was $36.8 million, or $0.94 per diluted share, compared to $34.2 million, or $0.86 per diluted share, for the same quarter in 2021. As a percentage of revenues, non-GAAP net income was 29% for the third quarter of 2022 compared to 33% for the same quarter in 2021.

Adjusted EBITDA: Adjusted EBITDA (a non-GAAP financial measure) for the third quarter of 2022 increased by 9% to $54.9 million compared to $50.3 million for the same quarter in 2021. As a percentage of revenues, Adjusted EBITDA was 44% for the third quarter of 2022 compared to 48% for the same quarter in 2021.

Operating Cash Flow: Operating cash flow for the third quarter of 2022 decreased by 13% to $42.2 million compared to $48.5 million for the same quarter in 2021. As a percentage of revenues, operating cash flow was 34% for the third quarter of 2022 compared to 46% for the same quarter in 2021.

**Third Quarter 2022 Business Highlights**

*   VMDR received industry recognition as it was named the Best Vulnerability Management solution in the industry-leading SC Awards  
    2022. 
*   Qualys upgrades CyberSecurity Asset Management, adding External Attack Surface Management (EASM) to enable continuous discovery of unknown internet-facing assets and the automatic assessment of an organization's risk posture.
*   In collaboration with IBM, Qualys has made the power of the Qualys Cloud Platform available for IBM zSystems - delivering our award-winning VMDR, policy compliance and asset management capabilities to help protect IBM zSystems environments.
*   At Black Hat 2022, Qualys was once again front and center showing attendees how the powerful Qualys Cloud Platform offers everything they need to tackle threats with automated workflows for rapid response and a clear picture of what it takes to reduce risk in their organizations.

**Financial Performance Outlook**  

Based on information as of today, November 2, 2022, Qualys is issuing the following financial guidance for the fourth quarter and full year fiscal 2022. The Company emphasizes that the guidance is subject to various important cautionary factors referenced in the sections entitled "Legal Notice Regarding Forward-Looking Statements" and "Non-GAAP Financial Measures" below.

Fourth Quarter 2022 Guidance: Management expects revenues for the fourth quarter of 2022 to be in the range of $129.7 million to $130.7 million, representing 18% to 19% growth over the same quarter in 2021. GAAP net income per diluted share is expected to be in the range of $0.52 to $0.54, which assumes an effective income tax rate of 26%. Non-GAAP net income per diluted share is expected to be in the range of $0.89 to $0.91, which assumes a non-GAAP effective income tax rate of 24%. Fourth quarter 2022 net income per diluted share estimates are  
based on approximately 39.0 million weighted average diluted shares outstanding for the quarter.

Full Year 2022 Guidance: Management now expects revenues for the full year of 2022 to be in the range of $488.6 million to $489.6 million, representing 19% growth over 2021, up from the previous guidance range of $488.0 million to $489.5 million. GAAP net income per diluted share is expected to be in the range of $2.52 to $2.54, up from the previous guidance range of $2.39 to $2.44. This assumes an effective income tax rate of 22%. Non-GAAP net income per diluted share is expected to be in the range of $3.60 to $3.62, up from the previous guidance range of $3.50 to $3.55. This assumes a non-GAAP effective income tax rate of 24%. Full year 2022 net income per diluted share estimates are based on approximately 39.5 million weighted average diluted shares outstanding.

**Investor Conference Call**

Qualys will host a conference call and live webcast to discuss its third quarter financial results at 5:00 p.m. Eastern Time (2:00 p.m. Pacific Time) on Wednesday, November 2, 2022. To access the conference call by phone, please register here and you will be provided with dial in details. A live webcast of the earnings conference call, investor presentation and prepared remarks can be accessed at https://investor.qualys.com/events-presentations. A replay of the conference call will be available through the same webcast link following the end of the call.

Qualys Announces Third Quarter 2022 Financial Results

With Microsoft’s announcement on Nov. 2 of its support for Azure AD Certificate-based authentication (CBA) for both iOS and Android devices, Yubico is excited to share that the YubiKey is currently the only external device that supports CBA on Android and iOS. Plus, the YubiKey is the only FIPS certified phishing-resistant solution available for Azure AD on mobile.

Yubico worked closely with Microsoft to ensure CBA on mobile became a reality.

Microsoft’s new support provides users with the same convenient smart card authentication method on mobile devices that they have on their desktops. CBA has been a staple of governments and high security environments for decades, long before the invention of FIDO U2F and FIDO2, mostly due to its reliability and effectiveness in physical environments. With Executive Order 14028 on Improving the Nation's Cybersecurity, the adoption of CBA and other phishing-resistant multi-factor authentication methods are mandated for civilian federal agencies in the US.

CBA is widely deployed across many industries, and remains a favorite amongst security experts. For some organizations, it is the logical choice from the available Azure offerings. With this announcement, customers can now use CBA on their mobile devices using native Azure AD CBA. When using native Azure AD CBA, organizations can reduce their existing infrastructure and move it into the cloud. Azure AD CBA capabilities can also be combined with Conditional Access policies so admins can enforce phishing-resistant sign-in methods.

CBA is currently the only form of phishing-resistant authentication within Azure that is supported on mobile devices, which is an important factor for an organization when deciding which scheme to adopt.

“Yubico has been a driving force in working with our teams to build this solution that allows Microsoft customers to securely log into their Microsoft accounts on their iPhone or Android mobile device. This is a big win for us, Yubico, and most importantly our federal government customers,” said Sue Bohn, Vice President of Product Management for Microsoft’s Identity and Network Access (IDNA) group.

Setting up CBA on Azure requires some basic configuration steps within Azure AD and installation of the Microsoft Authenticator app on Android or iOS/iPadOS. The Yubico Authenticator app is also needed on iOS/iPadOS. The PIV credential must be set up independently from the Azure solution. Your existing YubiKey PIV/smart card issuance process does not need to change.

Also, with the new Conditional Access authentication strength policies, you can enforce CBA as the required sign-in mechanism.

Yubico and Microsoft are globally recognized leaders in cybersecurity assisting public and private organizations on their journey to Zero Trust. Both Yubico and Microsoft are FIDO Alliance members and committed to providing phishing-resistant authentication solutions based on FIDO2 and certificate-based authentication standards.

**Learn more**

Microsoft's mobile certificate-based solution coupled with the YubiKey is a simple, convenient, FIPS certified phishing-resistant MFA methods for organizations, and we’re excited to share additional details and best practices during our upcoming webinar, _New solutions to prevent phishing with Azure AD and YubiKeys_ on November 3rd at 9 am PT, register here to attend.

Certificate-Based Authentication With YubiKeys for Microsoft, Third-Party, and Web Applications Now Available on iOS and Android

"SandStrike," the latest example of espionage-aimed Android malware, relies on elaborate social media efforts and back-end infrastructure.

Adware and other unwanted and potentially risky applications continue to represent the biggest threat that users of mobile devices currently face. But that doesn't mean attackers aren't constantly trying to deploy other sophisticated mobile malware as well.

The latest example is "SandStrike," a booby-trapped VPN application for loading spyware on Android devices. The malware is designed to find and steal call logs, contact lists, and other sensitive data from infected devices; it can also track and monitor targeted users, Kaspersky said in a report this week.

The security vendor said its researchers had observed the operators of SandStrike attempting to deploy the sophisticated spyware on devices belonging to members of Iran's Baha'i community, a persecuted, Persian-speaking minority group. But the vendor did not disclose how many devices the threat actor might have targeted or succeeded in infecting. Kaspersky could not be immediately reached for comment.

**Elaborate Social Media Lures**

To lure users into downloading the weaponized app, the threat actors have established multiple Facebook and Instagram accounts, all of which purport to have more than 1,000 followers. The social media accounts are loaded with what Kaspersky described as attractive, religious-themed graphics designed to grab the attention of members of the targeted faith group. The accounts often also contain a link to a Telegram channel that offers a free VPN app for users wishing to access sites containing banned religious materials.

According to Kaspersky, the threat actors have even set up their own VPN infrastructure to make the app fully functional. But when a user downloads and uses SandStrike, it quietly collects and exfiltrates sensitive data associated with the owner of the infected device.

The campaign is just the latest in a growing list of espionage efforts involving advanced infrastructure and mobile spyware — an arena that includes well-known threats like NSO Group's notorious Pegasus spyware along with emerging problems like Hermit.

**Mobile Malware on the Rise**

The booby-trapped SandStrike VPN app is an example of the growing range of malware tools being deployed on mobile devices. Research that Proofpoint released earlier this year highlighted a 500% increase in mobile malware delivery attempts in Europe in the first quarter of this year. The increase followed a sharp decline in attack volumes toward the end of 2021.

The email security vendor found that many of the new malware tools are capable of a lot more than just credential stealing: "Recent detections have involved malware capable of recording telephone and non-telephone audio and video, tracking location and destroying or wiping content and data."

Google and Apple's official mobile app stores continue to be a popular mobile malware delivery vector. But threat actors are also increasingly using SMS-based phishing campaigns and social engineering scams of the sort seen in the SandStrike campaign to get users to install malware on their mobile devices.

Proofpoint also found that attackers are targeting Android devices far more heavily than iOS devices. One big reason is that iOS doesn't allow users to install an app via an unofficial third-party app store or to download it directly to the device, like Android does, Proofpoint said.

**Different Types of Mobile Malware in Circulation**

Proofpoint identified the most significant mobile malware threats as FluBot, TeaBot, TangleBot, MoqHao, and BRATA. The different capabilities integrated into these malware tools include data and credential theft, stealing funds from online accounts, and general spying and surveillance. One of these threats — FluBot — has been largely quiet since the disruption of its infrastructure in a coordinated law enforcement action in June.

Proofpoint found that mobile malware is not confined to a specific region or language. "Instead, threat actors adapt their campaigns to a variety of languages, regions and devices," the company warned.

Meanwhile, Kaspersky said it blocked some 5.5 million malware, adware, and riskware attacks targeted at mobile devices in Q2 2022. More than 25% of these attacks involved adware, making it the most common mobile threat at the moment. But other notable threats included mobile banking Trojans, mobile ransomware tools, spyware link SandStrike, and malware downloaders. Kaspersky found that creators of some malicious mobile apps have increasingly targeted users from multiple countries at once.

The mobile malware trend poses a growing threat to enterprise organizations, especially those that allow unmanaged and personally owned devices in the workplace. Last year, the US Cybersecurity and Infrastructure Security Agency (CISA) released a checklist of actions that organizations can take to address these threats. Its recommendations include the need for organizations to implement security-focused mobile device management; to ensure that only trusted devices are allowed access to applications and data; to use strong authentication; to disable access to third-party app stores; and to ensure that users use only curated app stores.

Cyber-Threat Actor Uses Booby-Trapped VPN App to Deploy Android Spyware

An attack campaign using phishing attacks gives threat actors access to internal Dropbox code repositories, the latest in a series of attacks targeting developers through their GitHub accounts.

A massive phishing campaign targeting GitHub users convinced at least one developer at Dropbox to enter in their credentials and a two-factor authentication code, leading to the theft of at least 130 software code repositories.

According to a Dropbox advisory on Nov. 1, the mid-October attack consisted of emails that appeared to be from CircleCI, a popular DevOps platform, and directed Dropbox employees to go to a fake login page, enter in their GitHub credentials, and then enter in the one-time password created by a hardware key. 

The attacker eventually succeeded with at least one target, gaining access to and copying 130 code repositories, which included customized versions of third-party libraries, prototypes of internal software projects, and a collection of tools and configuration files maintained by the Dropbox security team.

The attackers did not gain access to the company's core software or the files used to configure and operate its infrastructure, Dropbox said in its advisory.

"Our security teams took immediate action to coordinate the rotation of all exposed developer credentials, and determine what customer data — if any — was accessed or stolen," the company stated. "We also reviewed our logs, and found no evidence of successful abuse."

**GitHub Developers: In the Cyber-Crosshairs**

Dropbox programmers were not the only developers targeted by the attackers. In September, GitHub warned that a threat group had begun targeting the service's users with the same tactic: phishing emails that purported to be from CircleCI, with the goal of harvesting user credentials and the one-time passwords used by developers as a second factor of authentication.

The stakes are high: An attacker who successfully steals a developer's credentials can then download code from any private repository to which the compromised account has access and use a variety of techniques — such as creating personal access tokens, adding SSH keys, and authorizing applications using OAuth — to maintain persistence of access, GitHub stated in a September advisory.

"While GitHub itself was not affected, the campaign has impacted many victim organizations," the advisory stated.

**Cyber-Risks to Dropbox Customers "Minimal"**

The attack on the Dropbox developer allowed the attackers to nab a "few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors," Dropbox noted, adding that it has more than 700 million registered users. Despite this, the privacy risks to customers, partners and employees are "minimal," Dropbox maintained.

"At no point did this threat actor have access to the contents of anyone's Dropbox account, their password, or their payment information," Dropbox said in its statement. "To date, our investigation has found that the code accessed by this threat actor contained some credentials — primarily, API keys — used by Dropbox developers."

Developers have become an increasingly popular target of attackers. Stolen Slack credentials, for example, have allowed the compromise of developer accounts at software and game makers, including Take-Two Interactive's Rockstar Games.

Like most security experts, Dropbox stressed that humans — even the most technical and knowledgeable users — are fallible, and for that reason, technical controls continue to be important.

"Even the most skeptical, vigilant professional can fall prey to a carefully crafted message delivered in the right way at the right time," the company said. "This is precisely why phishing remains so effective — and why technical controls remain the best protection against these kinds of attacks."

**How to Adopt Phishing-Resistant Infrastructure**

Multifactor authentication (MFA) makes phishing for credentials much more difficult, but not impossible. Attackers have found ways around time-based one-time passwords (TOTPs), Javvad Malik, an evangelist at security awareness and training provider KnowBe4, said in a statement sent to Dark Reading.

"As MFA adoption increases in popularity, we see criminals adapt their methods to bypass MFA controls by tricking the users in increasingly sophisticated ways," he said. "This is why phishing-resistant MFA is strongly advised so that social engineering attacks have less likelihood of succeeding."

In its advisory, GitHub stressed that companies should move instead to hardware security keys, the codes for which a user cannot inadvertently hand over to an attacker, or WebAuthn, a standards-based way to use hardware keys for two-factor authentication.

Dropbox has already embarked on the latter path, the company said.

"Prior to this incident, we were already in the process of adopting this more phishing-resistant form of multi-factor authentication," Dropbox stated in its advisory. "Soon, our whole environment will be secured by WebAuthn with hardware tokens or biometric factors."

Dropbox Code Repositories Stolen in Cyberattack on GitHub-Based Developers

Vulnerable people are lured by Facebook ads promising high-paying jobs, but instead they're held captive and put to work in Cambodia running cyber scams.

Up to 100,000 people from across Asia have been lured to Cambodia by Chinese crime syndicates with the promise of good jobs. When they arrive, their passports are seized and they are put to work in modern-day sweatshops, running cybercrime campaigns. 

The Los Angeles Times reported that Cambodia, which was hit hard economically by the pandemic, has allowed Chinese mobsters to set up enormous cybercrime operations using human trafficked labor without consequence, because of the revenue it generates for the country. The campaigns they carry out run the gamut from romance scams to fake sports betting.

Although the Cambodian government acknowledges that as many as 100,000 workers are involved in these activities, it denies anyone is being held against their will. However, the stories from traumatized victims rescued from cybercrime mills include tales of beatings and torture for failing to meet quotas, and of being sold and passed around from gang to gang.

"Instead of getting fired for poor performance, you get physical punishments — forced push-ups and squats, tased, beaten, deprived of food, locked up in dark rooms or worse," Jacob Sims, country director for International Justice Mission Cambodia, a rights group that has rescued many of these victims, told the LA Times. “On the other hand, those who consistently meet or surpass their targets are rewarded with more freedoms, food, money, and control over other victims.”

International scrutiny has ramped up in the last few months on the operations, with the US recently downgrading Cambodia to the lowest tier on its human trafficking index.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Chinese Mob Has 100K Slaves Working in Cambodian Cybercrime Mills

The renowned security researcher, ethical hacker, and cybersecurity phenom was found Wednesday by the US Coast Guard.

Vitali Kremez, chairman and CEO of AdvIntel, has been found dead after going missing on Oct. 30. He was 36 years old.

The US Coast Guard announced on Wednesday that the body of the longtime security researcher and ethical hacker had been recovered from the sea, after days of searching along the Florida coast. He was last seen "wearing a black wetsuit and scuba tank while diving near Hollywood Beach, Fla.," according to the Coast Guard.

According to local reports, he went into the water around 9 a.m. EDT on Sunday, and did not return.

Peers, supporters, and admirers began offering condolences on Wednesday. "This is an incredibly heart-breaking loss for the world," tweeted Danny Aga, vice president at managed security provider Solis Security. "VK was a superhero and will be missed by many."

    

Vitali Kremez. Source: LinkedIn.

Kremez's career has been a storied one, with wunderkind overtones. After graduating _summa cum laude_ from John Jay College of Criminal Justice at the City University of New York (CUNY), he enjoyed a successful career as a cybercrime investigative analyst for the New York County District Attorney’s Office. There, he partnered with federal and international law enforcement on a range of cybercrime busts, including prosecuting intrusions at American Express, Goldman Sachs, Saks Fifth Avenue, and StubHub.

He then quickly catapulted into a range of top-tier industry positions, including as head of SentinelLabs at SentinelOne, and director of advanced research at Flashpoint. In 2020, Kremez took the helm at Advanced Intelligence (AdvIntel), where he led an elite threat intelligence team and guided technology development to support proactive cyber-threat disruptions. Throughout it all, he has devoted himself to ethical hacking efforts, information-sharing, and malware research.

Kremez was also a prolific blogger and industry columnist (contributing articles to Dark Reading, BusinessReview, and Infosecurity Magazine, among others), and a go-to industry commentator on cybercrime, hacking incidents, and policy. He also delivered keynote presentations at NATO's 2018 summit and to the United Nations, and spoke regularly at cybersecurity industry events.

"My heart is broken for his family and for the great future he had," tweeted Gate 15 risk management analyst and podcaster Andy Jabbour. "He \[was\] such an incredibly smart and amazing person."

Vitali Kremez Found Dead After Apparent Scuba Diving Accident

We can bridge that gap by spreading the word about the opportunities, the requirements, and the many tools available to help applicants break into the field.

Cybercrime seems to be in the headlines every day, as ransomware demands escalate and distributed denial-of-service (DDoS) attacks and other assaults paralyze and damage enterprises of all types and sizes. In 2021, the Federal Bureau of Investigation's Internet Crime Complaint Center (IC3) received 847,376 reports of cyberattacks, up 7% from 2020, with a growing focus on critical infrastructure and the supply chain. The costs of cybercrime are astronomical, approaching $7 billion, according to FBI statistics.

Hoping to remediate, or preferably prevent, such attacks, companies work daily to bolster their cybersecurity measures. The federal Cybersecurity and Infrastructure Security Agency launched its Shields Up campaign this year to encourage proactive defenses against potential cyberattacks prompted by US sanctions placed on Russia. Insurance companies, meanwhile, are raising premiums and limiting coverage for organizations with inadequate cyber protection.

As willing as employers may be to comply, one of the biggest challenges is finding the staff to implement stronger defenses. In the US alone, there are currently more than 700,000 openings in cybersecurity, a 43% increase over last year, according to CyberSeek. Demand isn't confined to the tech industry; it's growing in sectors such as finance, as well. Employers are struggling to fill these critical posts now but can't find enough applicants, never mind being able to meet future demand.

**Misconceptions and Missed Potential**

One of the major reasons for the severe shortage is the common misconception that it's necessary to have a STEM or security-related degree to work in cybersecurity. This is not the case. Self-motivated individuals with some level of technical skill and problem-solving experience are great candidates. The challenge is to communicate the opportunity and actual requirements so we can begin tapping this potential pool of talent.

Obviously, some familiarity with technology is a must, as it would be difficult to bring in someone with no technical background at all. But that background does not need to be specific to cybersecurity, because many job skills are readily transferable. For example, IT system admins accustomed to patching systems and investigating suspicious or unusual events will find their experience useful in cybersecurity. When I was a systems admin, I was often in meetings with the security team. I learned about vulnerabilities, and it was my responsibility to patch them. That kind of experience is invaluable for anyone considering a cybersecurity career.

We need to search out people with the innate ability to recognize what's normal and investigate deviations from that norm. If they've been involved in troubleshooting, that's a plus. Even seemingly unrelated backgrounds can come in handy. For instance, self-taught techies who love to tinker and have figured out how to build their own systems and solve problems in the process could have a future in the cybersecurity field.

**Resources for the Resourceful**

Let's make it clear that a college degree, specifically in cybersecurity, isn't the only way into this field. There are many training resources available for potential candidates who want to improve their qualifications. Self-learners can take free or low-cost online courses in cybersecurity and networking. Completing this type of training will strengthen a candidate's resume and open up more opportunities.

CyberSeek is a terrific organization dedicated to closing the cybersecurity talent gap. It offers information and resources for students, job seekers, employers, educators, and more. Among its offerings is a list of cybersecurity training available at little or no cost.

(ISC)2 is an excellent resource for experienced IT professionals as well as those just starting out in the field. It offers a range of certifications for everyone from students and entry-level candidates without a technical background to those with years of experience who want to expand or update their knowledge. Its high-level certified information systems security professional (CISSP) certification takes commitment but is considered one of the best in the industry.

There are other less demanding options that might be a good starting point, including Pluralsight's boot camps for coding. Security BSides (often called just BSides) is a nonprofit organization that hosts conferences to share knowledge on information security and provide networking opportunities. TryHackMe bills itself as "a fun way" to learn about cybersecurity through interactive, real-world scenarios suitable for all skill levels. Additionally, Amazon, IBM, and Microsoft each have a variety of free courses that prepare candidates for a career in the field.

**Talk About Rewards**

There's ample reason to hope the public will respond to our compelling message. A CISSP earns $131,030 a year, according to (ISC)2. Yet there are benefits beyond a healthy salary and job availability — protecting against cyber threats can be fulfilling in so many more ways.

For example, those with a military or law enforcement background might find cybersecurity particularly rewarding because it gives them the chance to continue performing meaningful work that protects society at large.

It's clear we must do all we can to attract desperately needed talent into the security industry. We can do that by spreading the word about the opportunities, the requirements, and the many tools available to help applicants break into the field.

How to Narrow the Talent Gap in Cybersecurity

A well-crafted — and tested — disaster recovery plan can minimize downtime and is a key component of business continuity plans.

**CAMBRIDGE, Mass., Nov. 2, 2022 /PRNewswire/** — A new report by MIT Technology Review Insights explores why cybersecurity attacks pose an existential risk to small and midsize enterprises (SMEs) and how they can plan for disaster recovery in case of an attack.

The report, "A new age of disaster recovery planning for SMEs," is produced in association with OVHcloud and draws on in-depth interviews with cybersecurity experts from technology firms including VMware, Fortalice Solutions, and 451 Research. The findings are as follows:

**Cyberattacks have grown more frequent and sophisticated, and SMEs are in the firing line.** The data tells a worrying story. With the pandemic, along with geopolitical factors, causing shifts in how we live and work, the case for disaster recovery planning has never been more urgent. According to one cross-industry study, midsize companies were almost 500% more likely to be targeted by the end of 2021 than two years ago.

**A well-built disaster recovery plan can significantly minimize and even eliminate downtime.** Disaster recovery plans are a key component of business continuity plans. While business continuity focuses on overall strategy, including policies and procedures for recovery following an incident, disaster recovery focuses on IT infrastructure, data, and applications. A well-crafted disaster recovery plan includes clear definitions of recovery time objective (RTO) and recovery point objective (RPO).

**Backups and replication of data are essential for disaster recovery.** With cybercriminals spending over 200 days in companies' systems before being noticed and corrupting backups, SMEs need to store their data in multiple formats on different systems or look toward a data replication solution to ensure near-instantaneous recovery.

**An unexamined disaster recovery plan could bring enterprises back to square one.** Disaster recovery plans are essentially pointless without regular practice runs—and how often this practice should be done depends on how fast an organization is growing or adopting new technologies. Experts say such plans should be updated and tested at least annually, and ideally every quarter.

"Today's data is generated and distributed across highly complex ecosystems—multicloud, hybrid cloud, edge, and internet of things," says Kwee Chuan Yeo, editor of the report. "Enterprises' surface exposure to risks has ballooned. It's not just big corporations that are at risk. Smaller, less sophisticated companies are easier targets due to their lack of resources and expertise."

"While having the right disaster recovery plan for your business needs is critical to your business continuity, it's just as important that sufficient measures are taken to ensure IT resilience can be achieved at both the software and infrastructure level," says Jeffrey Gregor, OVHcloud US General Manager. "Distributed data protection, as the name implies, is when your data is distributed across multiple geographical locations. Making your data available in more than one place helps achieve a more robust disaster recovery plan in the event one location is compromised."

**To download the report, click here.**

**About MIT Technology Review Insights**

MIT Technology Review Insights is the custom publishing division of MIT Technology Review, the world's longest-running technology magazine, backed by the world's foremost technology institution—producing live events and research on the leading technology and business challenges of the day. Insights conducts qualitative and quantitative research and analysis in the US and abroad and publishes a wide variety of content, including articles, reports, infographics, videos, and podcasts. And through its growing MIT Technology Review Global Insights Panel, Insights has unparalleled access to senior-level executives, innovators, and entrepreneurs worldwide for surveys and in-depth interviews.

**SOURCE:** MIT Technology Review Insights

SMEs Must Plan for Recovery from Cybersecurity Attacks Amid Shifting Threats, Says MIT Technology Review Insights

Cybersecurity concerns and education have not mitigated the overuse of the same passwords in 2022.

**BOSTON, Nov. 1, 2022** **—** LastPass today released findings from its fifth annual Psychology of Password findings, which revealed even with cybersecurity education on the rise, password hygiene has not improved. Regardless of generational differences across Boomers, Millennials and Gen Z, the research shows a false sense of password security given current behaviors across the board. In addition, LastPass found that while 65% of all respondents have some form of cybersecurity education — through school, work, social media, books or courses via Coursera or edX — the reality is that 62% almost always or mostly use the same or variation of a password.

The goal of the LastPass Psychology of Passwords research is to showcase how password management education and use can secure users' online life, transforming unpredictable behavior into real and secure password competence. The survey, which explored the password security behaviors of 3,750 professionals across seven countries, asked about respondents’ mindset and behaviors surrounding their online security. The findings highlighted a clear disconnect between high confidence when it comes to their password management and their unsafe actions. While the majority of professionals surveyed claimed to be confident in their current password management, this doesn’t translate to safer online behavior and can create a detrimental false sense of safety.

**Key findings from the research include:**

*   **Gen Z is confident when it comes to their password management, while also being the biggest offenders of poor password hygiene.** As the generation who has lived most of their lives online, Gen Z (1997 – 2012) believes their password methods to be “very safe.” They are the most likely to create stronger passwords for social media and entertainment accounts, compared to other generations.
    
    However, Gen Z is also more likely to recognize that using the same or similar password for multiple logins is a risk, but they use a variation of a single password 69% of the time, alongside Millennials (1981 –1996) who do this 66% of the time. On the other hand, Gen Z is the generation most likely to use memorization to keep track of their passwords by 51%, with Boomers (1946 – 1964) the least likely to memorize their passwords at 38%.
    
*   **Cybersecurity education doesn’t necessarily translate to action.** With 65% of those surveyed claiming to have some type of cybersecurity education, the majority (79%) found their education to be effective, whether formal or informal. But of those who received cybersecurity education, only 31% stopped reusing passwords. And only 25% started using a password manager.
*   **Confidence creates a false sense of password security.** While 89% of respondents acknowledged that using the same password or variation is a risk, only 12% use different passwords for different accounts, and 62% always or mostly use the same password or a variation. To add to that, compared to last year, people are now increasingly using variations of the same password, with 41% in 2022 vs. 36% in 2021.

“Our latest research showcases that even in the face of a pandemic, where we spent more time online amid rising cyberattacks, there continues to be a disconnect for people when it comes to protecting their digital lives,” said Christofer Hoff, Chief Secure Technology Officer for LastPass. “The reality is that even though nearly two-thirds of respondents have some form of cybersecurity education, it is not being put into practice for varying reasons. For both consumers and businesses, a password manager is a simple step to keep your accounts safe and secure.”

For more information and to download the full Psychology of Passwords research findings, please click here.

**Survey Methodology**

LastPass commissioned the market research firm Lab42 to reveal the current state of password behaviors in the new era of remote work. The responses were generated from a survey of 3,750 professionals at organizations across a variety of industries in the United States, United Kingdom, Germany, Australia, Singapore, and Brazil. The survey asked the professionals surveyed about their feelings and behaviors regarding online security. The result? An increase in time spent online with continued poor password behavior and cognitive dissonance.

**About LastPass**

LastPass is an award-winning password manager which has helped more than 33 million registered users organize and protect their online lives. For more than 100,000 businesses of all sizes, LastPass provides password and identity management solutions that are convenient, easy to manage and effortless to use. From enterprise password management and single sign-on to adaptive multifactor authentication, LastPass for Business gives superior control to IT and frictionless access to users. For more information, visit https://www.lastpass.com. LastPass is trademarked in the U.S. and other countries.

Source

DARKReading