Apple, Alphabet, Amazon, Microsoft, and Tesla are considered the five most innovative companies, according to BCG’s analysis of the 50 most innovative companies of 2021.
Abbott Labs, AstraZeneca, Comcast, Mitsubishi, and Moderna join the top 50 most innovative companies for the first time this year.
The fastest movers include Toyota, who jumped from 41st to 21st; Salesforce, who jumped from 35th to 22nd; and Coca-Cola, who jumped from 48th to 28th.
90% of companies that outperform on innovation outcomes demonstrate clear C-suite ownership of the innovation agenda.
These and many other insights are from the Boston Consulting Group’s (BCG) 15th annual report defining the world’s 50 most innovative companies in 2021. BCG surveyed 1,500 global innovation executives and found a 10% point increase, to 75%, in executives reporting that innovation is a top-three priority at their companies today. That’s the most significant year-over-year increase in the 15 global innovation surveys BCG has conducted since 2005. BCG’s Most Innovative Companies 2021: Overcoming the Innovation Readiness Gap is available for download free here (28 pp., PDF). This years’ report methodology focuses on identifying the factors causing a large innovation readiness gap between the world’s most innovative companies and their peers across industries. Please see page 23 of the study for the methodology.
Key insights from BCGs’ most innovative companies of 2020 include the following:
Creating a new COVID-19 vaccine in less than a year, inventing test kits in weeks to protect public health, and redefining online shopping and safe home delivery reflect the versatility of the world’s most innovative companies in 2021. Pzifer, Moderna, and Merck & Company’s innate ability to innovate gave everyone a decade of their lives back. Delivering a vaccine in a year when the initial projection was a decade reflects the innovative efficiency of these companies. 2021 is the first year Abbott Labs, who invented and scaled the production of COVID-19 test kits, is included in the 50 most innovative companies worldwide. Amazon and Walmart’s logistics and e-commerce expertise helped ensure safe online shopping and fast home delivery was available to millions of people under stay-at-home orders.
Five factors most differentiate the most and least innovative companies. The basis of BCG’s methodology to identify the 50 most innovative companies in 2021 centers on their innovation-to-impact (i2i) framework. The framework is designed to help companies measure the readiness of their innovation programs to operate at a consistently high level of efficiency and effectiveness. The BCG i2i scoring system identified five factors that most differentiate innovative company leaders and laggards. The five factors that best indicate how innovative a company has the potential to be are shown in the following graphic:
Lack of collaboration between sales, marketing & R&D is the major obstacle to innovation. 31% of all companies surveyed see poor collaboration between marketing and R&D as the most significant obstacle to improving the return on their innovation investments. According to BCG, the collaboration between marketing, sales, and R&D is the most challenging in the Pharmaceutical industry, where 42% of respondents say it’s the biggest hurdle to achieving more significant returns on innovation.
Digital transformation of the core business is now a top priority for 75% of CEOs, and 65% of firms are doubling down on their plans for transformation with renewed urgency. BCG identified six success factors that together—and only together—flip the odds of digital transformation success from 30% to 80%. Those six success factors are close integration of digital strategy with the business strategy, commitment from the CEO through middle management, a talent core of digital superstars, business-led and flexible technology and data platforms, agile governance, and effective monitoring of progress toward defined outcomes.
Companies that know how to collaborate quickly between customer and R&D teams have an inside edge on being innovation leaders. The world’s most innovative companies also have senior management teams committed to the long-term success of nascent, unproven programs. There’s greater tolerance for risk, more of a focus on customers first and innovating around their needs, and an intuitive sense of how to close innovation gaps that hold other companies back.
The following ten charts will change your perspective of Microsoft Azure’s growth:
Intelligent Cloud delivered the highest operating income of all segments in the 2nd quarter at $6.4 billion or 36% of total consolidated operating income. This quarter, Microsoft’s success with indirect channel sales combined with more enterprise customers accelerating their cloud-first initiatives contributed to Intelligent Cloud leading all segments in operating income. The following is from the Q2, FY21 Earnings Call.
Synergy Research Group’s latest cloud market analysis finds that Amazon and Microsoft are over 50% of the global cloud provider market, with Microsoft reaching 20% worldwide market share for the first time. Q4, 2020 enterprise spending on cloud infrastructure services was just over $37 billion, $4 billion higher than the previous quarter and up 35% from the fourth quarter of 2019. Synergy Research notes that it has taken just nine quarters for the market to double in size.
63% of enterprises are currently running apps on Microsoft Azure, second only to AWS. Azure is narrowing the gap with AWS in both the percentage of enterprises using it and the number of virtual machines (VMs) enterprises are running on it. 6% of enterprises are spending at least $1.2 million annually on Microsoft Azure. Source: Statista and Flexera 2020 State of the Cloud Report, page 50.
2020 total cloud infrastructure services spending grew 33% to $142 billion from $107 billion in 2019, according to Canalys, with Microsoft’s indirect channel business fueling their 20% market share growth. Microsoft’s dominance of indirect selling channels is evident in the level of sales enablement, sales and technical support they provide resellers. Canalys’ Chief Analyst Alastair Edwards says that “organizations are turning to trusted business partners to advise, implement, support and manage their cloud journeys and articulate the real business value of cloud migration.”
19% of enterprises expect to invest significantly more on Microsoft Azure in 2021, leading all other cloud vendors this year. Microsoft Azure leads all vendors when compared to the percentage change in spending this year. It’s noteworthy that 61% of all enterprises interviewed expect to increase their investments in Microsoft Azure this year, second only to Microsoft SaaS software. Source: 2021 Flexera State of Tech Report, January 2021.
Microsoft Azure Stack is the second most-used private cloud platform by enterprises, with 35% of them currently running apps today. Azure Stack also leads all others in experimentation, with one in five enterprises, or 21%, currently in that phase of deployment. 67% of all enterprises interviewed in the 2020 Flexera State of the Cloud Report are either running Azure apps or are considering it.
Microsoft’s centerpiece for their intelligence investment is the Microsoft Intelligent Security Graph, which processes over 630 billion authentications across our cloud services each month. Microsoft relies on the Security Graph to gain insights into normal behavior, including sign-ins and authentications and abnormal behavior, including attempted bypasses to two-factor authentication. Microsoft blocks more than 5 billion distinct malware threats per month, providing a great deal of useful data to analyze endpoints across customers’ networks. Source: Microsoft CISO Workshop 1 – Cybersecurity Briefing.
44.5% of enterprises say Microsoft Azure is their preferred provider for Cloud Business Intelligence (BI). Azure is considered 27% more critical to an enterprises’ Cloud BI requirements and preferences than Amazon Web Services. It’s noteworthy that 96.5% of all enterprises have a preference for Microsoft Azure BI versus its main competitors, including Google Cloud, IBM BlueMix, or Alibaba.
Microsoft Azure is the leading IoT platform worldwide by end-to-end capabilities with a total score of 276 according to Counterpoint Research. According to the methodology Counterpoint used for ranking IoT platforms, Microsoft Azure is considered a global leader in edge data processing, an increasingly important feature of IoT platforms worldwide. The ability to deliver IoT capabilities from the cloud to the edge helped Microsoft’s platform rank high in this category. Source; Statista and CounterPointResearch.com.
Microsoft Azure is the foundation for a Digital Supply Chain Platform that integrates supply chain partner, corporate, data & advanced analytics platforms and supply chain core transaction systems. The ongoing pandemic is putting continued pressure on supply chains. Most manufacturing executives say that employee safety, data security, remote worker access, supply chain visibility and insights visibility are high priorities. In response to these market needs, Microsoft Supply Chain (MSC) was created on the Azure platform. The diagram below explains how Azure is integral to the Digital Supply Chain platform.
Bottom Line: Cyberattacks enter a new era of lethal impact when threat actors are sophisticated enough to compromise SolarWind’s software supply chain with infected binary code while mimicking legitimate protocol traffic to avoid detection.
To gain greater insights into the SolarWinds breach, its implications on cybersecurity strategy in the future and what steps enterprises need to take today, I contacted Andy Smith, Cybersecurity Evangelist and an industry expert with Centrify. He explained the attack’s specifics, referencing the Cybersecurity and Infrastructure Security Agency’s (CISA) Alert AA20-352A, which details how sophisticated the attack is, citing the sobering fact that it is unknown if all attack vectors are identified. Active since at least March 2020, the advanced persistent threat (APT) has been identified by FireEye, SolarWinds, Microsoft and several other cybersecurity firms.
SolarWinds’ Security Advisory lists 18 known products that have been affected by the attack, including their Application Centric Monitor (ACM), Server Configuration Monitor (SCM) and Network Performance Monitor (NPM). Earlier this month, SolarWinds says the malicious code may have been delivered to nearly 18,000 customers.
Insights Into The SolarWinds Hack
Interested in dissecting the hack from a cybersecurity standpoint, I spent some time investigating the SolarWinds hack with Andy, a leading authority on Identity and Access Management (IAM), particularly around securing and managing privileged access credentials. The following is my interview with Andy:
Louis: There have been large-scale breaches before; why is this particular cybersecurity attack getting so much attention? Why is it so enormous?
Andy: What’s interesting about this particular attack is a couple of things. It follows a very traditional cyber-attack kill chain as many attacks, but the start of this one is impressive. Usually, there’s a vulnerability that allows threat actors to get into the network. What’s unique about this is the initial vulnerability is in vendor software, so it’s often now being referred to as a supply chain hack because the vulnerability was embedded as code.
The exposure to federal agencies and the attackers’ focus going after emails is especially troubling. It appears like it’s a nation/state-related incident that always heightens the exposure and is another reason it’s so large in scale. Some tools that FireEye uses for Red Team evaluation of people’s networks got exposed, so now those tools are in the hands of threat actors to do nefarious activities with them.
That’s one aspect of this hack that makes it remarkable, as sophisticated tools from FireEye are in nefarious actors’ hands. That’s one reason it’s enormous: you just gave something that was being used for good to threat actors intent on gathering as much intelligence across a supply chain of customers as they can.
Louis: How are the cyber-attack methods used in the SolarWinds hack particularly unique?
Andy: It follows a very common cyber-attack kill chain we’ve seen at Centrify for years. We ran the Anatomy of a Hack webinar earlier this year and it always starts with that initial vulnerability and getting in. What’s unique was this case is that the initial vulnerability wasn’t just, “Hey, I phished somebody’s password and logged in.” It was a vulnerability in the software build process for SolarWinds. So that’s a bit unique about how that initial vulnerability was there.
Still, once the attackers are in, the breach starts to look very traditional in the sense that they settle in, sit there for a while, scan the network, move laterally in that environment and hunt for privileged access.
All those things happened precisely by the people who investigated and then you find the data you’re going after. In some cases, it’s been software, as is the case with FireEye, or email servers, as is the case with government agencies. Attackers are patient and they wait to extract the data and then cover their tracks.
Louis: You and many others are an advocate of a layered approach to security. What is that and how would it have helped in the SolarWinds case?
Andy: For me, the biggest takeaway of this hack is that a layered approach to security is the way to go in the future in light of this hack’s sophistication. There’s no silver bullet to stop a hack this sophisticated, though. No one strategy or approach could have prevented it.
When you investigate this attack, it is pretty sophisticated and has multiple vectors to it and one has to assume there will be certain threat vectors compromised. That initial vulnerability will be there and you need those layers of security to prevent it, so you need to look at preventive controls, predictive controls and detective controls. All those need to be combined into a single, unified strategy.
For every organization looking at this hack and considering how future attacks of this sophistication will impact them, it’s a good idea to use this event as a way to get your board and executives thinking about a more resilient, hardened multilayer approach and not relying on a single solution to protect you. I see organizations using this opportunity to evaluate how a layered approach will work for their projects when it might not have been feasible to fund in the past.
It’s an extreme attack that shows how vulnerable the exposures are out there. It’s a good time to shore up your defenses. The Federal Information Processing Standard 200, or FIPS 200, the standard offers excellent guidance, including discussing the different types of layers and controls available today. Minimum Security Requirements for Federal Information and Information Systems defines the minimum security controls for federal information systems and the processes by which risk-based selection of security controls occurs.
If you dig into the National Institute of Standards and Technology (NIST) Special Publication 800-53, that gets a little deeper into the particular cyber controls you have in place. There is guidance available. You’re not out there on your own about what the layers should be and you can evaluate yourself against these standards.
Louis: What are some layers specific to privileged access management? Are there any particular PAM best practices that enterprises should be thinking about right now?
Andy: Absolutely and I’ll start with Privileged Access Management (PAM), which is one of the core layers. Investigations into this hack found specific evidence where they got in and created new accounts with elevated privileges to access data. It’s all over this.
We typically state the Forrester stat that 80% of hacks involve compromised privileged access. This SolarWinds example is no exception: that’s what happened.
Additional points to keep in mind include the following:
Before our interview, we talked about how vulnerable passwords are and how using the company’s name, followed by 123, is not a good idea – that ties into going pro with preventive controls rather than just relying on a password. That’s a perfect example of what not to do. Organizations can design preventive privileged access controls and detective controls and both are typically provided in Privileged Access Management solutions. Best practices call for multiple preventive controls – strong passwords, multi-factor authentication, password rotation, maybe use a federated credential and have privileged users log in as themselves for better auditing and accountability.
Rethink enterprise cybersecurity from a preventive control perspective that includes least privileged access. Simplistic preventive controls aren’t enough, as the sophistication of this hack shows. Preventive controls need to be strengthened with least privilege. The account creation process needs to provide as little privilege as possible to the server level. Workflows to request additional access need to be used to provide resources for a predefined period. If these types of controls had been in place, malicious code disguised in executable files and dynamic linked libraries would not have traveled as far down the supply chain.
Lastly, even if threat actors get through or you don’t have enough of those layers in place, you want detective controls. PAM solutions should have audit capabilities that watch what privileged users do. In the financial markets, there are things like the “four-eye principle,” where people are watching what other people are doing and so you can watch a privileged session in real-time and verify what users are doing. Of course, all that’s audited in the recording. You can send that information off to a SIEM to be correlated with other data to look for compromise indicators. Recent articles I’ve read pointed out the attackers were in the FireEye network for months before being detected. FireEye detected that they had been attacked thanks to detective controls.
Louis: The SolarWinds attack seems to have rejuvenated the case for Zero Trust. How can companies adopt a Zero Trust mindset and take stock of their security layers today?
Andy: Definitely and I see organizations accelerate their Zero Trust initiatives today. Organizations can get started on their Zero Trust frameworks by reviewing the FIPS and NIST publications. Review the layers of your security stack with a Zero Trust mindset. Don’t configure your network to trust someone just because they gained access. That’s how these attackers got in, laying in the network for plenty of time. Zero Trust says, “Don’t trust that authenticated network access. That could still be a compromised credential or a threat actor,” and this is a perfect example of that. This is why Zero Trust is critical: just because they’re on your network doesn’t mean they’re trustworthy.
The concept of least privilege, of authenticating at each step, introduces segmentation. When I give access, it’s just to that machine or that service that I need access to and not broad access across the network a network segment. That’s how you prevent that lateral movement. A Zero Trust mindset that Zero Trust philosophy of security is critical in this case.
Louis: What do you think will happen from the perspective of micro-segmentation and how does this hack change the balance of security relative to ongoing operations of a business?
Andy: I think it’s another evidence of our current breach culture and brings forth more awareness. More and more, events like this will make cybersecurity a higher priority in an organization – one essential to excel at to keep a business operating. So from that perspective, it is a business enabler.
If you do it right, you can start to do things like moving to the cloud and start to do things that make you more agile. The more we can think of security as a business enabler instead of a business blocker, the better we are. Taking the lessons learned from this hack and using them to create a more resilient, hardened organization is a start.
80% of hacks involve the use of compromised privileged credentials and this one is no exception. An important layer of control is Privileged Access Management (PAM) solutions such as Centrify, which typically involve predictive, preventive and detective controls.
In the end, it is security layers and vigilance that make the difference in minimizing the impact of a breach. NIST’s guidance can be constructive in cybersecurity planning, which can also be informed by Zero Trust’s principles. Remember, it’s not a question of if you will be hacked. It’s a matter of when and what you can do to limit the impact through layers.
Mobile devices are popular with hackers because they’re designed for quick responses based on minimal contextual information. Verizon’s 2020 Data Breach Investigations Report (DBIR) found that hackers are succeeding with integrated email, SMS and link-based attacks across social media aimed at stealing passwords and privileged access credentials. And with a growing number of breaches originating on mobile devices according to Verizon’s Mobile Security Index 2020, combined with 83% of all social media visits in the United States are on mobile devices according to Merkle’s Digital Marketing Report Q4 2019, applying machine learning to harden mobile threat defense deserves to be on any CISOs’ priority list today.
How Machine Learning Is Helping To Thwart Phishing Attacks
42% of the U.S. labor force is now working from home, according to a recent study by the Stanford Institute for Economic Policy Research (SIEPR). The majority of those working from home are in professional, technical and managerial roles who rely on multiple mobile devices to get their work done. The proliferating number of threat surfaces all businesses have to contend with today is the perfect use case for thwarting phishing attempts at scale.
What’s needed is a machine learning engine capable of analyzing and interpreting system data in real-time to identify malicious behavior. Using supervised machine learning algorithms that factor in device detection, location, user behavior patterns and more to anticipate and thwart phishing attacks is what’s needed today. It’s a given that any machine learning engine and its supporting platform needs to be cloud-based, capable of scaling to analyze millions of data points. Building the cloud platform on high-performing computing clusters is a must-have, as is the ability to iterative machine learning models on the fly, in milliseconds, to keep learning new patterns of potential phishing breaches. The resulting architecture would be able to learn over time and reside on the device recursively. Protecting every endpoint if it’s connected to WiFi or a network or not is a key design goal that needs to be accomplished as well. MobileIron recently launched one of the most forward-thinking approaches to solving this challenge and its architecture is shown below:
Five Ways Machine Learning Can Thwart Phishing Attacks
The one point of failure machine learning-based anti-phishing apps continue to have is lack of adoption. CIOs and CISOs I’ve spoken with know there is a gap between endpoints secured and the total endpoint population. No one knows for sure how big that gap is because new mobile endpoints get added daily. The best solution to closing the gap is by enabling on-device machine learning protection. The following are five ways machine learning can thwart phishing attacks using an on-device approach:
2. Using machine learning to glean new insights out of the massive amount of data and organizations’ entire population of mobile devices creates a must-have. There are machine learning-based systems capable of scanning across an enterprise of connected endpoints today. What’s needed is an enterprise-level approach to seeing all devices, even those disconnected from the network.
3. Machine learning algorithms can help strengthen the security on every mobile device, making them suitable as employees’ IDs, alleviating the need for easily-hackable passwords. According to Verizon, stolen passwords cause 81% of data breaches and 86% of security leaders would do away with passwords, if they could, according to a recent IDG Research survey. Hardening endpoint security to the mobile device level needs to be part of any organizations’ Zero Trust Security initiative today. The good news is machine learning algorithms can thwart hacking attempts that get in the way making mobile devise employees’ IDs, streamlining system access to the resources they need to get work done while staying secure.
4. Keeping enterprise-wide cybersecurity efforts focused takes more than after-the-fact analytics and metrics; what’s needed is look-ahead predictive modeling based machine learning data captured at the device endpoint. The future of endpoint resiliency and cybersecurity needs to start at the device level. Capturing data at the device level in real-time and using it to train algorithms, combined with phishing URL lookup, and Zero Sign-On (ZSO) and a designed-in Zero Trust approach to security are essential for thwarting the increasingly sophisticated breach attempts happening today.
5. Cybersecurity strategies and the CISOs leading them will increasingly be evaluated on how well they anticipate and excel at compliance and threat deterrence, making machine learning indispensable to accomplishing these tasks. CISOs and their teams say compliance is another area of unknowns they need greater predictive, quantified insights into. No one wants to do a compliance or security audit manually today as the lack of staff due to stay-at-home orders makes it nearly impossible and no one wants to jeopardize employee’s health to get it done. CISOs and teams of security architects also need to put as many impediments in front of threat actors as possible to deter them, because the threat actor only has to be successful one time, while the CISO/security architect have to be correct 100% of the time. The answer is to combine real-time endpoint monitoring and machine learning to thwart threat actors while achieving greater compliance.
For machine learning to reach its full potential at blocking phishing attempts today and more advanced threats tomorrow, every device needs to have the ability to know if an email, text or SMS message, instant message, or social media post is a phishing attempt or not. Achieving this at the device level is possible today, as MobileIron’s recently announced cloud-based Mobile Threat Defense architecture illustrates. What’s needed is a further build-out of machine learning-based platforms that can adapt fast to new threats while protecting devices that are sporadically connected to a company’s network.
Machine learning has long been able to provide threat assessment scores as well. What’s needed today is greater insights into how risk scores relate to compliance. Also, there needs to be a greater focus on how machine learning, risk scores, IT infrastructure and the always-growing base of mobile devices can be audited. A key goal that needs to be achieved is having compliance actions and threat notifications performed on the device to shorten the “kill chain” and improve data loss prevention.
Bottom Line: Excelling at compliance doesn’t protect any business from being hacked, yet pursuing a continuous risk management strategy helps.
With a few exceptions (such as spearphishing), cyberattacks are, by nature, brutally opportunistic and random. They are driven to disrupt operations at best and steal funds, records, and privileged access credentials at worst. Conversely, the most important compliance event of all, audits, are planned for, often months in advance. Governance, Risk, and Compliance (GRC) teams go to Herculean efforts to meet and exceed audit prep timelines working evenings and weekends.
Wanting to learn more about the relationship between GRC and cybersecurity strategy, I searched for webinars on the topic. I found Improve Your Compliance Posture with Identity-Centric PAM, a recent webinar-on-demand offered by Centrify. The webinar brought up several interesting insights, including shared pains companies experience with compliance and cybersecurity, yet require drastically different approaches to solving them.
Rationalizing Compliance Spending with Cybersecurity
The truth is organizations are attempting to rationalize the high costs of compliance by looking for how GRC spend can also improve cybersecurity. This is a dangerous assumption, as Marriott’s third breach indicates. Marriott is an excellently managed business and sets standards in compliance. Unfortunately, that hasn’t thwarted three breaches they’ve experienced.
Why are organizations assuming GRC spending will improve cybersecurity? It’s because both areas share a common series of pains that require different solutions, according to the webinar. These pains include:
Updates to regulations are exponentially increasing today, averaging 200 or more per day from approximately 900 oversight agencies worldwide, leading to a quickly changing, heterogeneous landscape. Dr. Torsten George, Cybersecurity Evangelist at Centrify, said that when he worked in the GRC space, the midsize clients he worked with had to deal with 17 different regulations. Larger organizations that operate on a global basis are dealing with, on average, 70 or more regulations they need to stay in compliance with. Dr. George provided an overview of the compliance landscape, differentiating between the levels compliance requirements every organization needs to abide by, which is shown below:
Compliance is, by nature, reactive to a known event (audit), while cybersecurity is also entirely reactive to random events (cyberattacks). GRC teams need to ramp up their staff and equip them with the apps and tools they need at least six months before an audit. For cybersecurity, the threat is random and will most likely be more severe in terms of financial loss. Preparing for each takes entirely different strategies.
The lack of continuous risk monitoring by GRC teams and identity management by IT cybersecurity leads to systemic failures in achieving compliance and securing an organization. The webinar makes an excellent point that for compliance to succeed, it needs to be based on continuous risk management, not just checking off the boxes or categories of a given GRC approach. The same holds for cybersecurity. Identity-Centric Privileged Access Management (PAM) provides GRC and IT professionals mutual benefits when it comes to achieving the mission of being and staying compliant, and shows how securing enterprises drive better compliance, not vice versa.
Manually updating compliance mapping tables showing the interrelationships of requirements by industry is not scaling – and leaving gaps in GRC coverage. The more regulated a business is, for example manufacturing medical products, the more important it is to automate every aspect of compliance. A great place to start is automating the process of creating mapping tables. Taking a manual approach to creating mapping tables comparing standards often leads to errors and gaps. And in highly regulated industries like medical products manufacturing, the accuracy, speed, and scale of staying compliant can be turned into a competitive advantage, leading to more sales.
How To Resolve The Conflict Between GRC and Cybersecurity Spending
According to the webinar, 80% of today’s data breaches are caused by default, weak, stolen, or otherwise compromised credentials. GRC and cybersecurity strategies’ best efforts need to be put on securing privileged access first. The webinar makes a strong argument for prioritizing privileged access security as the initiative that can unify GRC and cybersecurity strategies.
Key insights from the webinar include the following:
Industry standards and government regulations are calling for identity and access management as a requirement, with several specifically naming privilege access controls.
Identity-Centric Privileged Access Management (PAM) approaches help meet compliance mandates, while at the same time hardening cybersecurity to the threat surface level.
Attaining greater compliance by taking an Identity-Centric PAM approach ensures machines have secured identities as well, and the use of anonymous access accounts is limited to break-glass scenarios only, while organizations should otherwise be leveraging enterprise directory identities for the authentication and authorization process.
Improving accountability and segmentation by establishing granular security controls and auditing everything helps bridge the gap between GRC and cybersecurity initiatives.
Continuous risk management is key to excelling at compliance, just as securing privileged access credentials is foundational to an effective cybersecurity strategy. Dr. Torsten George ended the webinar saying, “In the long term, I believe that the current situation that we’re dealing with and its associated spike of cyber-attacks will lead to even stricter compliance mandates; especially when it comes to secure remote access by key IT stakeholders and outsourced IT.” The bottom line is that compliance and cybersecurity must share the common goal of protecting their organizations’ privileged access credentials using adaptive approaches and technologies if both are going to succeed.
Bottom Line: Endpoint security business cases do much more than just quantify costs and benefits; they uncover gaps in endpoint and cyber protection that need urgent attention to avert a breach.
Bad actors and hackers prefer to attack threat surfaces that are isolated, vulnerable with out-of-date security patches, yet integrated into a corporate network to provide access. For these reasons and more, endpoints are now the popular choice for hacking attempts. Ponemon Institute’s Third Annual Study on the State of Endpoint Security Risk published in January of this year found that 68% of organizations were victims of successful endpoint attacks in 2019 that compromised data assets and IT infrastructure. Since 2017, successful endpoint attacks have spiked by 26 percent. The Ponemon study also found that it takes the typical organization 97 days to test and deploy patches to each endpoint. When the average endpoint is three months behind on updates, it’s understandable why breaches are increasing. In 2019 the average endpoint breach inflicted $8.94M in losses. The following graphic compares the escalating number of breaches and economic losses for the last three years:
Exploring Endpoint Security’s Many Benefits
Think of building a business case for endpoint security as the checkup every company needs to examine and identify and every threat surface that can be improved. Just as all efforts to preserve every person’s health is priceless today, organizations can’t let their guard down when it comes to keeping endpoint security strong.
The economic fallout of COVID-19 is hitting IT budgets hard. That’s why now is the time to build a business case for endpoint security. CIOs and CISOs have to make budget cuts due to revenue shortfalls. One area no one wants to compromise on, however, is allowing endpoint agents to degrade over time. Absolute Software’s Endpoint Security Trends Report found that the more complex and layered the endpoint protection, the greater the risk of a breach. Overloading every endpoint with multiple agents is counterproductive and leaves endpoints less secure than if fewer agents were installed. Additionally, Absolute just launched a Remote Work and Distance Learning Insights Center, providing insights into the impact of COVID-19 on IT and security controls. An example of the dashboard shown below:
Business Case Benefits Need To Apply To IT and Operations
Absolute and Ponemon’s studies suggest that autonomous endpoints are the future of endpoint security. Activating security at the endpoint and having an undeletable tether to every device solves many of the challenges every business’s IT and Operations teams face. And with the urgency to make IT and Operations as virtual as possible with budgets impacted by COVID-19’s economic fallout, team leaders in each area are focusing on the following shared challenges. COVID-19’s quarantine requirements make hybrid workforces instantly appear and make the budgets needed to support them vanish at the same time. The following are the shared benefits for IT and Operations that need to anchor any endpoint security business case:
The most urgent need is for greater IT Help Desk efficiency. While this is primarily an IT metric, the lack of real-time availability of resources is slowing down remote Operations teams from getting their work done.
Both IT and Operations share asset utilization, loss reduction, and lifecycle optimization ownership in many organizations today. Having a persistent, undeletable tether to every device at the hardware level is proving to be an effective approach IT, and Operations teams are relying on to track and improve these metrics. The Absolute and Ponemon studies suggest that the more resilient the endpoint, the better the asset efficiency and lifecycle optimization. Autonomous endpoints can self-heal and regenerate themselves, further improving shared metric performance for IT and Operations.
The more autonomous endpoints an organization has, the quicker Operations and IT can work together to pivot into new business models that require virtual operations. Education, Healthcare, Financial Services, Government, and Professional Services are all moving to hybrid remote workplaces and virtual operations as fast as they can. Using the business case for endpoint security as a roadmap to see where threat surfaces need to be improved for new growth is key.
Endpoint Security Benefits
The following are the benefits that need to be included in creating a business case for endpoint security:
Reduce and eventually eliminate IT Help Desk backlogs by keeping endpoints up-to-date. Reducing the call volume on IT Help Desks can potentially save over $45K a year, assuming a typical call takes 10 minutes and the cumulative time savings in 1,260 hours saved by the IT help desk annually.
Reduce Security Operations staff interruptions and emergency security projects that require IT’s time to run analytics reports and analyses. Solving complex endpoint security problems burns thousands of dollars and hours over a year between Security, IT, and Operations. Having a persistent, unbreakable connection to every endpoint provides the device visibility teams need to troubleshoot problems. Assuming the 2,520 hours IT Security teams alone spend on emergency endpoint security problems could be reduced, organizations could save approximately $130K a year.
Autonomous endpoints with an undeletable tether improve compliance, control, and visibility and is a must-have in the new hybrid remote workplace. For endpoint security to scale across every threat surface, having an undeletable tether to every device is a must-have for scalable remote work and hybrid remote work programs in the enterprise. They also contribute to lowering compliance costs and improve every aspect of asset management from keeping applications current to ensuring autonomous endpoints can continue to self-heal.
Reducing IT asset loss, knowing asset utilization, and system-level software installed by every device can save a typical organization over $300K a year. Autonomous endpoints that can heal themselves and provide a constant hardware connection deliver the data in real-time to have accurate IT asset management and security data teams need to keep software configurations up to date. It’s invaluable for IT teams to have this level of data, as it averts having endpoint patches conflict with one another and leave an endpoint vulnerable to breach.
Accurate asset lifecycle planning based on solid data from every device becomes possible. Having autonomous endpoints based on a hardware connection delivers the data needed to increase the accuracy of asset life cycle planning and resource allocation, giving IT and Operations the visibility they need to the device level. IT and Operations teams look to see how they can extend the lifecycle of every device in the field. Cost savings vary by the number of devices in the field and their specific software configurations. The time savings alone is approximately $140K per year in a mid-size financial services firm.
The more autonomous and connected an endpoint is, the more automated audit and compliance reporting can become. A key part of staying in compliance is automating the audit process to save valuable time. The Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and the Payment Card Industry Data Security Standard (PCI DSS) all require ongoing audits. The time and cost savings of automating audits by organizations vary significantly. It’s a reasonable assumption to budget at least a $67K savings per year in audit preparation costs alone.
Evaluating Endpoint Security Costs
The following are the endpoint security costs that need to be included in the business case:
Annual, often multi-year endpoint security licensing costs. Endpoint security providers vary significantly in their pricing models, costs, and fees. Autonomous endpoint security platforms can range in licensing costs from $750K to over $1,2M, depending on the size of the organization and the number of devices.
Change management, implementation, and integration costs increase with the complexity of IT security, Operations, and IT Service Management (ITSM) integration. Expect to see an average price of between $40K to over $100K to integrate endpoint security platforms with existing ITSM and security information and event management (SIEM) systems.
Creating A Compelling Business Case For Endpoint Security
The best endpoint security business cases provide a 360-degree view of costs, benefits, and why taking action now is needed.
Knowing the initial software and services costs to acquire and integrate endpoint security across your organization, training and change management costs, and ongoing support costs are essential. Many include the following equation in their business cases to provide an ROI estimate. The Return on Investment (ROI) for endpoint security initiative is calculated as follows:
ROI on Endpoint Security (ES) = (ES Initiative Benefits – ES Initiative Costs)/ES Initiative Costs x 100.
A financial services company recently calculated their annual benefits of ES initiative will be $475,000, and the costs, $65,000, will yield a net return of $6.30 for every $1 invested.
Additional factors to keep in mind when building a business case for endpoint security:
The penalties for non-compliance to industry-specific laws can be quite steep, with repeated offenses leading to $1M or more in fines and long-term loss of customer trust and revenue. Building a business case for endpoint security needs to factor in the potential non-compliance fees, and penalties companies face for not having autonomous endpoint security. The Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), California Consumer Privacy Act (CCPA), and other laws require audit reporting based on accurate endpoint security data.
Endpoint Security ROI estimates fluctuate, and it’s best to get started with a pilot to capture live data with budgets available at the end of a quarter. Typically organizations will allocate the remaining amounts of IT security budgets at the end of a quarter to endpoint security initiatives.
Succinctly define the benefits and costs and gain C-level support to streamline the funding process. It’s often the CISOs who are the most driven to achieve greater endpoint security the quickest they can. Today with every business having their entire workforces virtual, there’s added urgency to get endpoint security accomplished.
Define and measure endpoint security initiatives’ progress using a digitally-enabled dashboard that can be shared across any device, anytime. Enabling everyone supporting and involved in endpoint security initiatives needs to know what success looks like. Having a digitally-enabled dashboard that clearly shows each goal or objective and the company’s progress toward them is critical to success.
The hard economic reset COVID-19 created has put many IT budgets into freefall at a time when CIOs and CISOs need more funding to protect proliferating hybrid remote workforces. Endpoint security business cases need to factor in how they can create an undeletable resilient defense for every device across their global fleets. And just as every nation on the planet isn’t letting its guard down against the COVID-19 virus, every IT and cybersecurity team can’t let theirs down either when it comes to protecting every endpoint.
Autonomous endpoints that can self-heal and regenerate operating systems and configurations are the future of endpoint security management. The race to be an entirely virtual enterprise is on, and the most autonomous endpoints can be, the more cost-effective and valuable they are. The best business cases bridge the gap between IT and Operations needs. CIOs need endpoint security solutions to be low-cost, low maintenance, reliable yet agile. Operations want an endpoint solution that has a low cost of support, minimal if any impact of IT Service Help Desks, and always-on monitoring. Building a business case for endpoint security gives IT and Operations the insights they need to protect the constantly changing parameters of their businesses.
Bottom Line: Phishing is the leading cause of all breaches, succeeding because impersonation, redirection, and social engineering methods are always improving. And, phishing is only one way e-mails are used in fraud. Businesses need to understand if an e-mail address can be trusted before moving forward with a transaction.
Phishers’ Favorite Trojan Horse Is Office365 Followed By Cybersecurity Companies
Phishers are hiding malicious links, scripts and, in some cases, mutated software code behind legitimate Microsoft files and code to evade detection. Using legitimate code and links as a Trojan Horse to successfully launch a phishing campaign became very popular in 2019 and continues today. Cybercriminals and state-sponsored hackers have been mutating legitimate code and applications for years attempting to exfiltrate priceless data from enterprises and governments globally. Office365 is the phisher’s Trojan Horse of choice, closely followed dozens of cybersecurity companies that have seen hackers attempt to impersonate their products. Cybersecurity companies targeted include Citrix, Comodo, Imperva, Kaspersky, LastPass, Microsoft, BitDefender, CyberRoam, and others.
Using Trojan Horses To Hijack Search Results
In 2019 Microsoft discovered a sophisticated phishing attack that combined impersonation, redirection, and social engineering methods. The phishing attack relied on using links to Google search results as a Trojan Horse to deliver URLs that were poisoned so that they pointed to an attacker-controlled page, which eventually redirected to the phishing page. Microsoft discovered that a traffic generator ensured that the redirector page was the top result for specific keywords. The following graphic explains how the phishing attack was used to poison search results:
Using this workflow, phishers attempted to send phishing e-mails that relied on legitimate URLs as their Trojan Horses from legitimate domains to take advantage of the recipient’s trust. Knowing which e-mails to trust or not is becoming foundational to stopping fraud and phishing attacks.
How Kount Is Battling Sophisticated Attacks
Meanwhile, e-mail addresses can be a valuable source of information for businesses looking to prevent digital fraud. Misplaced trust can lead to chargebacks, manual reviews, and other undesirable outcomes. But, Kount’s Real-Time Identity Trust Network calculates Identity Trust Levels in milliseconds, reducing friction, blocking fraud, and delivering improved user experiences. Kount discovered that e-mail age is one of the most reliable identity trust signals there are for identifying and stopping automated fraudulent activity.
Based on their research and product development, Kount announced Email First Seen capabilities as part of its AI-powered Identity Trust Global Network. Email First Seen applies throughout the customer journey, from payments to account login to account creation. The Identity Trust Global Network consists of fraud and trust signals from over half a billion e-mail addresses. It also spans 32 billion annual interactions and 17.5 billion devices across 75 business sectors and 50-plus payment providers and card networks. The network is linked by Kount’s next-generation artificial intelligence (AI) and works to establish real-time trust for each identity behind a payment transaction, log in or account creation
E-mail Age Is Proving To Be A Reliable Indicator Of Trust
A favorite tactic of cybercriminals is to create as many new e-mail aliases as they need to deceive online businesses and defraud them of merchandise and payments. Kount is finding that when businesses can identify the age of an e-mail address, they can more accurately determine identity trust. Kount’s expertise is in fraud prevention effectiveness, relying on a combination of fraud and risk signals to generate a complete picture of authentication details. The following graphic illustrates what a Kount customer using Email First Seen will see in every e-mail they receive.
Kount’s Identity Trust Global Network relies on AI-based algorithms that can analyze all available identifiers or data points to establish real-time links between identity elements, and return identity trust decisions in real-time. Kount’s unique approach to using AI to improve customer experiences by reducing friction while blocking fraud reflects the future of fraud detection. Also, Kount’s AI can discern if additional authentication is needed to verify the identity behind the transaction and relies on half a billion e-mail addresses that are integral to AI-based analysis and risk scoring algorithms. Kount is making Email First Seen available to all existing customers for no charge. It’s been designed to be native on the Kount platform, allowing the information to be accessible in real-time to inform fraud and trust decisions.
In 2020 phishing attempts will increasingly rely on legitimate code, links, and executables as Trojan Horses to evade detection and launch phishing attacks at specific targets. Microsoft’s research and continued monitoring of phishing attempts uncovered architecturally sophisticated approaches to misdirecting victims through impersonation and social engineering.
Microsoft, Apple, and IBM lead the world in hardware & software patent innovation according to PatentSight.
Samsung, Johnson & Johnson, LG Electronics. Alphabet, Qualcomm, Ford, Intel, Microsoft, Sony, and VW are the ten most innovative companies in the world, according to PatentSight’s patent analytics research.
Ford leads the global automotive industry in patent innovation, due in large part to successful R&D efforts in autonomous driving.
These and many other fascinating insights are from Swiss consulting firm EconSight’s patent analytics research that first identified all the patents that are supposed to protect particularly relevant innovations – in this case, defined as innovations for the digitization of applied technologies – using the PatentSight database. Companies not only have to maintain their innovative strength; they also have to continue to expand in comparison to previous years to take a leading position in the ranking. For additional details on the methodology and to request the rank of your company, please visit the PatentSight Innovation Ranking 2019 site here.
Key insights from EconSight’s patent analytics research defining the most innovative companies globally include the following:
38 of the most innovative companies in the world are based in the U.S, 21 in China, and 15 from Europe. Chinese followed by Japanese-based companies lead the world in electronics innovation as measured by the uniqueness of patents produced. U.S. companies lead the world in medical technology patent innovation. The following graphic compares the number of companies within the global top 100 ranking by country and industry for 2019.
In the U.S., tech companies dominate the top 10 most innovative companies in 2019. Alphabet, Qualcomm, Intel, Microsoft, Honeywell, Apple, and GE are producing the most unique, differentiated and value-adding patents based on EconSight’s methodology. Medical technology companies show the greatest growth in innovative patent production as the graphic below illustrates:
The world’s most innovative medical technology companies’ patent focus is on biosensors, surgical robotics, shortening the time-to-market for pharmaceutical drugs, and funding startup incubators that yield new patents. Johnson & Johnson’s (J&J) multifaceted innovation strategy reflects the broader strategic vision of every medical technology company pursuing new intellectual property (IP) that leads to patent leadership. J&J acquired Auris Health and Verb Surgical, which is managed as a joint venture with Alphabet’s Verily medical division, which gives them a patent portfolio in healthcare intelligence. J&J has in total acquired over 300 companies in the medical technology industry according to PatentSight’s analysis. These acquisitions have moved them into biosensors, surgical robotics, and startups performing drug research.
Japanese robotics manufacturer Fanuc is the world’s most innovative automation technology company based on patent analysis. Since 2019 Fanuc has jumped 42 places in the ranking, from 61st to 19th. The global labor shortage in manufacturing is a contributing factor to the strong market demand Fanuc is seeing for all its robotics products and systems. The following are the top 25 robotics companies of 2019:
Ford leads the global automotive industry in patent innovation, while Volkswagen doubles down on patents over the last two years. Ford leads the world in patent innovation due to its rapid advances in autonomous vehicle development. Volkswagen’s rapid ascent in the automotive industry rankings has made them the most innovative company in Germany based on patent analytics this year. VW is investing in autonomous vehicles, and the networking of mobility participants, setting a solid foundation for future vehicle models today.
PatentSight – A Lexis Nexis company– specializes in cleaning and refining patent data and providing advanced patent analytics. Publicly available patent data simply cannot be used without qualitative preparation and correction. Due to the sheer mass (about 3.3 million new registrations in 2018 alone), all available patents cannot be viewed manually. Publications in many different languages and often very abstract contents make a manual review and evaluation difficult not only for laymen but also for experts. A further challenge is to level out the widely differing citation practices of national patent offices or to document the legal status of patents.
PatentSight, through manually supervised and scientifically developed algorithms, has best-in-class information on ownership data, going far beyond the testing standards recommended by the World Intellectual Property Organization (WIPO).
Moreover, PatentSight‘s proprietary patent valuation metrics reveal which patents are key, and which are superfluous. Based on citations, global protection, and several correction factors, EconSight leveraged these metrics to determine the most innovative companies.
Cloud-based endpoint protection platforms (EPP) are proliferating across enterprises today as CIOs and CISOs prioritize greater resiliency in their endpoint security strategies going into 2020.
Gartner predicts that Global Information Security and Risk Management end-user spending is forecast to grow at a five-year CAGR of 9.2% to reach $174.5 billion in 2022, with approximately $50B spent on endpoint security.
Endpoint security tools are 24% of all IT security spending, and by 2020 global IT security spending will reach $128B according to Morgan Stanley Research.
70% of all breaches still originate at endpoints, despite the increased IT spending on this threat surface, according to IDC.
There’s a surge of activity happening right now in enterprises that are prioritizing more resiliency in their endpoint security strategies going into 2020. The factors motivating CIOs, CISOs, IT, and Practice Directors to prioritize endpoint resiliency include more effective asset management based on real-time data while securing and ensuring every endpoint can heal itself using designed-in regenerative software at the BIOS level of every device. CIOs say the real-time monitoring helps reduce asset management operating expense, a big plus many of them appreciate give their tight budgets. Sean Maxwell, Chief Commercial Officer at Absolute, says, “Trust is at the center of every endpoint discussion today as CIOs, CISOs and their teams want the assurance every endpoint will be able to heal itself and keep functioning.”
The Endpoint Market Is Heating Up Going Into 2020
Over thirty vendors are competing in the endpoint security market right now. A few of the most interesting are Absolute Software, Microsoft,Palo Alto Networks, and others who are seeing a surge of activity from enterprises based on discussions with CIOs and CISOs. Absolute Software’s Persistence self-healing endpoint security technology is embedded in the firmware of more than 500 million devices and gives CIOs, CISOs and their team’s complete visibility and control over devices and data. Absolute is the leading visibility and control platform that provides enterprises with tamper-proof resilience and protection of all devices, data, and applications.
Like Absolute, Microsoft is unique in how they are the only vendor to provide built-in endpoint protection at the device level, with the core focus being on the OS. Windows 10 has Windows Defender Antivirus now integrated at the OS level, the same System Center Endpoint Protection delivers in Windows 7 and 8 OS. Microsoft Defender Advanced Threat Protection (ATP) incident response console aggregates alerts and incident response activities across Microsoft Defender ATP, Office 365 ATP, Azure ATP, and Active Directory, in addition to Azure.
Further evidence of how enterprise customers are placing a high priority on endpoint security is the increase in valuations of key providers in this market, including Absolute Software(TSE: ABT) and others. Absolute’s stock price has jumped 13% in just a month, following their latest earnings announcement on November 12th with a transcript of their earnings call here. Absolute’s CEO Christy Wyatt commented during the company’s most recent earnings call that, “The ability to utilize near real-time data from the endpoint to… to deliver actionable insights to IT about where controls are failing and the ability to apply resilience to self-heal and reinforce those security controls will become a critical skill for every one of our customers. This is the essence of Absolute’s platform, which adds resiliency to our customer’s operations.” It’s evident from what CIOs and CISOs are saying that resiliency is transforming endpoint security today and will accelerate in 2020.
Key Takeaways From Conversations With Enterprise Cybersecurity Leaders
The conversations with CIOs, CISOs, and IT Directors provided valuable insights into why resiliency is becoming a high priority for endpoint security strategies today. The following are key takeaways from the conversations:
Known humorously as the “fun button” cybersecurity teams enjoy being able to brick any device any time while monitoring the activity happening on it in real-time. One CIO told the story of how their laptops had been given to a service provider who was supposed to destroy them to stay in compliance with the Health Insurance Portability and Accountability Act (HIPAA), and one had been resold on the back market, ending up in a 3rd world nation. As the hacker attempted to rebuild the machine, the security team watched as each new image was loaded, at which time they would promptly brick the machine. After 19 tries, the hacker gave up and called the image re-build “brick me.”
IT budgets for 2020 are flat or slightly up, with many CIOs being given the goal of reducing asset management operating expenses, making resiliency ideal for better managing device costs. The more effectively assets are managed, the more secure an organization becomes. That’s another motivating factor motivating enterprises to adopt resiliency as a core part of the endpoint security strategies.
One CIO was adamant they had nine software agents on every endpoint, but Absolute’s Resilience platform found 16, saving the enterprise from potential security gaps. The gold image an enterprise IT team was using had inadvertently captured only a subset of the total number of software endpoints active on their networks. Absolute’s Resilience offering and Persistence technology enabled the CIO to discover gaps in endpoint security the team didn’t know existed before.
Endpoints enabled with Resiliency have proven their ability to autonomously self-heal themselves, earning the trust of CIOs and CISOs, who are adopting Absolute to alleviate costly network interruptions and potential breaches in the process. 19% of endpoints across a typical IT network require at least one client or patch management repair monthly, according to Absolute’s 2019 Endpoint Security Trends Report. The report also found that increasing security spending on protecting endpoints doesn’t increase an organizations’ safety – and in some instances, reduces it. Having a systematic, design-in solution to these challenges gives CIOs, CISO, and their teams greater peace of mind and reduces expensive interruptions and potential breaches that impede their organizations’ growth.
Forbes readers’ most frequent requests center on which companies are the best to work for in emerging technology fields, including IoT. The Computer Reseller News’ Internet of Things 50, 2019 list of companies is used to complete the analysis as it is an impartial, independent list created by CRN. Using the CRN list as a foundation, the following analysis captures the best companies in their respective areas today.