Happy Wednesday, everyone! As Christmas creeps up on us all, don’t forget to finish up your last-minute shopping trips. Or, well, at least start.
In today’s edition:
Secret menus
Sure, insure
—Billy Hurley, Eoin Higgins, Patrick Lucas Austin
Knowing (and patching) the open-source components of applications is a critical security step—as long as you know where your applications are.
Organizations deploy an average of 89 apps, according to a 2022 Businesses at Work survey from identity and access management provider Okta. Companies with 2,000 employees or more deploy 187.
In addition to familiar workplace tools like Microsoft 365, Slack, or Monday, there are ones that employees build quickly to solve their problems. A security pro may write up a script to test controls, or an employee in media may create code to get videos published quickly.
As the application count increases, the index gets increasingly difficult to track—but inventory tools and surveys can help to provide a clearer picture of an organization’s many assets.
“We deal with these larger organizations where the security team may not even be aware of all of the applications that are out in their portfolio,” said Kristen Bell, director of application-security engineering at the IT services firm GuidePoint Security.
Employers see their shadow. In a June 2022 survey conducted by Osterman Research and the app-security platform provider Cerby, 51% of respondent employees and managers continue to use preferred applications, even if their organization prohibits their use.
Some organizations end up with two sets of tools: a defined group of acceptable services and a group that’s more…shadowy.
Read more here.—BH
Do you work in IT or have information about your IT department you want to share? Email [email protected].
2022 will be remembered in the IT and tech worlds as a year of ups and downs, boom and bust, hires and layoffs. It will also be remembered for a spike in ransomware attacks and a corresponding rise in cyber insurance premiums, as the realities of managing risk finally hit home.
A report from British security firm Panaseer found that 82% of surveyed cyber insurance analysts expect prices to continue to rise for the next two years. The rise in premiums corresponds to a rise in ransomware attacks. US banks flagged ransomware transactions rising in 2021 to over $1.2 billion, up from less than $500 million a year before. That increased risk has inspired a search for answers from companies desperate to avoid a level of risk that has the potential to put them permanently in the red.
Mark Brown, global managing director of digital trust consulting at the British Standards Institution, told IT Brew that the growth in cyber insurance over the past decade is something people 20 years ago would barely have conceived of. But since 2013–2014, Brown has watched as the market has evolved. That change motivated the impulse to diffuse the risk of attacks at the lowest cost possible.
“Many organizations—unless they were being driven by regulation or sectoral license to actually put in place evidence-based cybersecurity programs—were saying, ‘Well, what’s cheaper? Is it cheaper to not fix the cybersecurity and just have a clause in an insurance policy for cyber disruption?’” Brown said.
Keep reading here.—EH
Today’s top IT reads.
Stat: 10%. That’s the share of global revenue Amazon almost had to fork over to the EU for breaking the bloc’s antitrust laws. (Ars Technica)
Quote: “Normal, legitimate administration activity often looks exactly like hacking because attackers are going for the highest level of privileges.”—Jeff Bollinger, LinkedIn’s director of incident response and detection engineering, on what the company’s security teams look for to protect against attacks (ZDNet)
Read: Three Brooklyn hospitals had to revert to using paper charts for weeks after a cyberattack in November knocked them offline. (CNN)
- Client-side encryption is coming to Gmail, allowing you to encrypt message content before it hits Google’s servers.
- 67,000 DraftKings customers were hit by a credential attack in November, the company said.
- US Cyber Command says it conducted offensive and defensive operations to keep the midterm elections safe from foreign actors.
- Google has a prototype app that can read your doctor’s illegible handwriting.