
Believe In Zero Trust – How a Familiar Yet Uncelebrated Model Can Protect Your Organization from Cyber Attacks | Blog

Given the meteoric rise in ransomware attacks during the pandemic and persistent cybersecurity challenges, the need for effective measures to protect sensitive data and IT environments from rising assaults is greater than ever. While zero-trust security architecture offers many potential benefits, adoption of this long-talked-about framework has been slow for various reasons. But with even the White House hitting the gas on zero trust, the timing could be right for more widespread implementation. Read on to learn about how your enterprise can overcome the hurdles and move to zero trust.

Zero trust, a framework for the design and implementation of IT security systems, has been in the market for quite some time now. First coined by Forrester, it gained popularity when Google announced the implementation of the zero-trust network through BeyondCorp after a series of cyber-attacks in 2009. Ever since the National Institute of Standards and Technology (NIST) formalized the approach in late 2020, the computer security approach has become mainstream.

But despite the entire industry being widely familiar with the terminology and underlying principles and architecture, why has enterprise-level adoption lagged when the benefits outweigh the investment? Before we dive deep into the reasons behind this reluctance in the market, let’s explore the core tenets of a zero-trust security approach.

The guiding principle for zero trust is “never trust but always verify” and is built upon the following assertions:

  • Every part of the network is potentially hostile
  • Both external and internal threats always exist on the network
  • Every device, user, and network flow must be authenticated and authorized and should not be trusted by default
  • Limiting excessive user privileges should be the fundamental motto
  • Micro perimeters/micro segmentation should be created around critical data, applications, and services

The key tenets of zero-trust security can be summarized as follows:

[Figure: key tenets of zero-trust security]

Why hasn’t zero trust been fully embraced?

Even though security leaders across product vendors as well as analyst firms have been preaching the benefits of a zero-trust security approach across enterprise cybersecurity, adoption hasn’t picked up. Among the key enterprise challenges and the apprehensions by security leaders surrounding its wide-scale adoption are:

  • Misconception of zero trust as another technology solution: The most common problem that we have seen in enterprise cybersecurity teams is their belief that any new challenge can be best solved by implementing a new technology or solution. The love for a new solution is so strong that enterprise leaders often forget that zero trust is a concept that does not have a single solution. Enterprises are often lured by the marketing gimmicks of product vendors whose solutions provide only some aspect of zero-trust security. As a result, the approach delivers little or none of what zero trust promises
  • Challenges of network micro segmentation: One of the key aspects of zero-trust security is focused on protecting the networks and the associated recommendations in the network architecture by breaking down the erstwhile monolithic perimeters into micro perimeters to concentrate on granular security controls and access. Given a large number of applications, their dependencies, services, and the users involved, it becomes challenging to implement and maintain micro perimeters. Enterprises with disparate security controls and network products are subsequently unable to provide end-to-end visibility
  • Complexity in brownfield implementations: There is no doubt that zero trust can be best adopted in greenfield security projects, given the existing IT landscapes are so vast and complex. But a single change can cause great havoc and a ripple effect across the enterprise systems if not implemented correctly. While enterprises are expected to take a step-by-step approach rather than a rip-and-replace approach, many organizations that started this journey by trying to rebuild the network in a massive one-shot effort were left devastated. The challenge also lies in integrating existing capabilities with new solutions to extend zero trust across enterprise IT
  • Myth that zero trust is for on-premises: Enterprises have been grappling with a long-running myth that the entire concept of zero-trust security is centered around the building blocks of enterprise IT if they are located within enterprise distributed control systems (DCS) as most of the existing research talks about not trusting everything within their corporate networks. Also, some enterprises still do not think of cloud security as a shared responsibility model with the hyperscalers and hence do not plan to extend the zero-trust security approach to the cloud, thus leaving their assets on cloud and multi-cloud architectures at risk

Six Key Considerations for Enterprises Moving Ahead in the Zero Trust Journey

Zero trust can offer many benefits beyond improved data protection and greater compliance, including greater visibility across the enterprise, security for the growing remote workforce post-pandemic, and an improved end-user experience.

Here are some recommendations for moving ahead:

  1. Take a step-by-step approach for a long journey: While zero trust adoption can lead to a significant business transformation, framework adoption does not necessarily translate into a radical overhaul of existing cyber capabilities. Enterprises must understand that zero trust needs to be thought of as a journey to implement the strategic changes
  2. Establish the current baseline: Just like other security implementations, understanding what and why is of the utmost importance to see the benefits of following this path. Start by identifying the crown jewels – data and workloads – and create a security policy and control framework. The idea is not to give hackers an opportunity to start an attack
  3. Leverage the existing cybersecurity stack: Reuse the existing investments made for threat detection, identity and access management, network, endpoint, and data security to integrate with the zero-trust security approach. Focus on preventing any cloud misconfigurations and establish end-to-end visibility of data, policy, and communication between apps, infrastructure, network, and other components in the environment
  4. Understand that trust is never guaranteed: Enterprises must understand that trust is not guaranteed by any solution but needs to be verified at policy enforcement points before access is provided
  5. Combine zero trust with the broader digital transformation umbrella: Enterprises can combine zero trust transformation along with their IT digital transformation initiatives (including cloud and data center migration) to extract significant synergies and remove the hurdles of adopting zero trust in brownfield implementations
  6. Embrace the change: The entire journey will only be successful if all the stakeholders in the organization are ready to embrace the new ways of working in a dynamic and adaptive cyber organization with close collaboration between business and technology stakeholders

If the right cybersecurity measures are not implemented, attacks will only become more frequent and successful. Enterprises should put faith in zero trust as a security model that can provide greater protection in today’s high-risk environment.


IT Supply Chain Attacks Are Rising – What Steps Can You Take To Protect Your Interconnected Enterprise Systems | Blog

As enterprises have worked harder to protect their IT systems throughout COVID-19, saboteurs have gotten more aggressive in their attacks, going after a trusted piece of hardware or software and hijacking an entire supply chain. What steps can you take to prevent these full enterprise cyber assaults? Read on to learn more about why IT supply chain attacks are on the rise and how to take action.

The COVID-19 pandemic opened enterprises’ eyes to the need to secure their IT systems from malicious threat actors, cyberattacks, and ransomware. With a renewed vision on hardening security controls and perimeters, applying least privilege access controls, and transitioning to improved threat detection tools and technologies, the usual entry points for bad actors have become non-existent.

But threat actors haven’t gone away. With the easier routes shut down, they are now targeting entry points like third-party software and hardware that are beyond most enterprise’s scope and control.

If enterprises only needed to think about thwarting attacks by looking at the firewalls, endpoint security solutions, and Identity Access Management (IAM), the task would be much easier. But since enterprise systems are interconnected, the extended enterprise needs to be considered – and defended.

Understanding the supply chain attack ecosystem

A supply chain attack is defined as an attack that occurs when an attacker/malicious threat vector infiltrates the system through an outside partner or provider that has access to critical data and systems.

The key supply chain attacks can be classified across these six broad categories based on the nature of their origination in the software/hardware supply chain shown below:

[Figure: six categories of supply chain attacks by origination in the software/hardware supply chain]

Why are supply chain attacks becoming lucrative?

While supply chain attacks have been prevalent for some time, they have been gaining tremendous traction, especially post-pandemic when vendors lost control and a view of key critical vulnerabilities in their existing products.

Among the key reasons for the prevalence of attacks are:

  • Economies of scale: It is important to understand that a supply chain attack is not directly targeted towards a particular organization. The goal is to infect source codes and legitimate apps/firmware and gain entry within an enterprise to potentially access all enterprises using it. With one placed intrusion, cybercriminals create a springboard to the network of suppliers’ customers. It is rewarding for attackers to have continuous access to new targets without investing in a new tool until the threat is revealed
  • Enterprise trust: Improvements in the enterprise security mechanisms have contributed to the increase in supply chain attacks. Enterprises have put strong defense mechanisms in place that cut off the easy routes to infections, thus pushing attackers to find different ways to infiltrate soft targets. Limited security awareness and non-implementation of security best practices have resulted in enterprises blindly trusting their vendors, third-party applications, and open-source codes. Attackers leverage this blind trust to make their way inside enterprises as this offers a path of least resistance
  • Hard to detect: Most of the supply chain attacks that we have heard of involve adding a backdoor to a legitimate certified software or firmware update that is nearly impossible to detect by existing tools and methodologies. Also, detection at the vendor’s end is difficult as they do not anticipate that the code could be targeted during the development stage. By the time the vendor detects an attack at the end of the cycle and quietly fixes it with their next update, the damage is already done

Best practices to mitigate supply chain attacks

As with other cybersecurity attacks, the old saying, “The broader question now is not about if the organization will get hacked but when it will get hacked,” still holds. As supply chain attacks do not directly infiltrate the enterprise environment, detecting them brings many challenges for enterprises, especially smaller ones with limited awareness and investments.

Here are best practices enterprises can adopt that can potentially mitigate some of these attacks:

  • Understand the enterprise IT supply chain – The first step for any successful attack mitigation strategy should start with a comprehensive and holistic understanding of the supply chain. It should provide a view of the vendors, open-source projects, IT and cloud services, inventory of all third-party tools and services, and software dependencies hiding inside an organization and their security and licensing issues
  • Trust no one – Similar to the zero trust principles that urge enterprises not to trust but verify, enterprises should stop blindly trusting their third-party vendors. Enterprises need to understand that the severity and diversity of threats challenging them apply equally to vendors as well. Any small error on the vendor’s part can be devastating for the enterprise, not only financially but also for its reputation and the trust of stakeholders
  • Limit access to sensitive data – Enterprises must have a properly detailed mapping of data being shared with third-party systems, the privileged users, uses of the data, and key security controls. Limiting access to privileged resources, including access to core data, reduces the chances of the impact from attacks originating at the vendor’s end
  • Ensure vendor assessment and controls – When choosing vendors, enterprises need to conduct a detailed evaluation and due diligence of the vendor’s existing cybersecurity framework and adjust accordingly what data needs to be shared, with whom, and the communication mechanism. Apart from rigorous assessments, enterprises should implement strong perimeter controls for vendor access, such as multi-factor authentication and network segmentation, and ensure that access to data and systems lasts only as long as it is required
  • Focus on development pipeline risks – Developer workstations with rights to create, modify, and commit code have been key targets for attackers. Enterprises need to think about shifting the security left, securing their continuous integration and continuous delivery pipelines, and using Endpoint Detection and Response (EDR) to detect endpoint anomalies. By bringing security into the development lifecycle earlier, developers can detect and fix vulnerabilities, thereby ensuring that security is baked into the product rather than being a bolt-on
  • Protect from insider threats – Shadow IT has been a key cause of concern for most enterprises. Not only do enterprises lack a view of the unauthorized software and tools used by employees, but they also don’t have proper control mechanisms to check the usage. Employees also represent a significant insider threat to security and, as a result, targeted phishing or social engineering campaigns have become widespread. Thus, enterprises need to put in appropriate controls to mitigate the risk from insider threats
  • Plan your incident response – Taking initiatives to prevent supply chain attacks does not negate the possibility of them occurring. Threat actors can permeate enterprise systems through paths and backdoors that often get unnoticed and undetected, making it necessary for enterprises to also focus on response and remediation. By planning for the worst, enterprises can understand what is happening during a breach, how to engage with suppliers, and work together to mitigate the damage faster


Cybersecurity Risk Management in a Post-pandemic Era | Blog

The intensity and severity of cyber events has accelerated during the COVID-19 pandemic as more and more people are working remotely and from home. This increasing frequency of cyberattacks has brought volatility to the already spiking claims losses causing many to wonder how enterprises and insurers can manage cyber risks in this new era. Our three-part blog series will explore this as well as initiatives to deal with cyber insurance challenges and what the future may hold for the cyber insurance market and its impact on enterprises.

The global cyber insurance market currently stands at nearly US$7.8 billion and is expected to grow at more than 20 percent CAGR over 2020-25, driven by the increasing number of cyber-attacks, the increasing need for IT compliance and regulations, and massive financial and non-financial losses (such as reputational loss, system downtime, reduced efficiency, etc.). McAfee has reported that in 2020 these losses reached nearly US$1 trillion, increasing about 50 percent from 2018. To put this in perspective, the losses account for nearly 16 percent of the global insurance premium volume.

Pandemic forces change

The pandemic has forced enterprises to rapidly shift to a remote/work-from-home format, compelling them to re-think their cybersecurity strategies, reassess their cyber threat exposures, and develop cyber policy plans that can adequately manage any potential threats.

Enterprises are not alone. Insurers have been significantly impacted by the rapid growth of cyber-attacks and burdened with the dramatic increase in claims losses from the policies sold. In 2020, the insurance industry is estimated to have faced more than a 27 percent increase in the number of claims, primarily driven by the increasing intensity of ransomware and phishing attacks, according to a report by insurance company Allianz. As these threats evolve and their severity increases, insurers are constantly facing the challenge of controlling these claims losses.

While the global pandemic has accelerated technology adoption, at the same time, it exposed cyber vulnerabilities and under-preparedness in enterprises, an analysis of the World Economic Forum’s Global Risks Report 2021 found. As the adoption of complex technologies such as AI/ML (artificial intelligence/machine learning) tools, IoT (Internet of Things) devices, and cloud infrastructure has increased, so too has the complexity of cyber-attacks. While cyber-threats such as phishing, ransomware, trojans, and botnets have remained prevalent, risks exist for more evolved and unknown strikes such as industrialized social engineering attacks.

With the growing sophistication of cyber-attacks, the average cost per attack for firms has also gone up. According to a survey conducted by McAfee, 67 percent of the surveyed companies reported that the average cost per attack was more than US$500k. Addressing the threat of cyber risk and plugging these losses is a critical priority for business leaders. However, efforts to back up IT resources and data and set broader cyber response plans have been limited due to a lack of expertise.

Cyber risk measurement and analytics needed

Today, we are observing an increase in demand for cyber risk measurement and analytics capabilities as organizations look for the right cybersecurity talent and technologies to help address these challenges. Insurers are trying to provide enterprises with the right cyber insurance policies to help curb these losses. However, they face their own set of challenges, including the underwriting of cyber insurance policies. A lack of historical data limits their ability to accurately model risks, drive precision in pricing risks, and create coverage loss limits. Some cyber events go unreported, challenging insurers to get adequate information on cyber-attacks. Without an accurate cyber risk assessment, these policies may be ineffective, exposing insurers to significant losses in a major cyber event.

Another key challenge for insurers while underwriting cyber risk is ‘accumulation risk.’ While dealing with cyber risk, insurers must be aware of the increasing interconnectedness within networks that lead to dependent vulnerabilities of the commonly used systems that may translate into an untargeted spread of the attack to the adjacent networks. This adds a layer of complexity to underwriting, taking into consideration an unplanned impact on a larger number of clients.

Mounting claim losses raise concern

Growing claims losses due to the increasing frequency and severity of attacks are another key concern for insurers. In mid-2020, an American GPS and fitness tracking company was a victim of a ransomware attack where a demand was made for US$10 million to get its systems back online. Similarly, in other cases companies have faced large monetary and non-monetary losses that translated into an increasing loss ratio for insurers. In the US, the average loss ratio for the top 20 insurers (who offer standalone cyber insurance policies) by Direct Written Premium in 2019 increased to 48.2 percent from 34.5 percent the prior year, according to a report on the US cybersecurity insurance market. For 2020, these loss ratios are expected to shoot up dramatically, given that the industry has already started calling 2020 a loss-making year for cyber coverages.

Managing cybersecurity risk is all about anticipating loss and building a sound strategy and plan to both prevent and quickly respond to threats by taking these actions:

  • Enterprises must beef up cybersecurity capabilities and invest in the right set of technology and talent levers to bolster cyber risk assessment capabilities
  • Insurers must identify the full set of dependencies to assess the complete severity of the attack

Failure to embrace cyber risk management could have severe consequences and leave organizations so far behind that they may be unable to catch up. To address these challenges, enterprises and insurers must proactively work together to mitigate cybersecurity risk.

Next in this three-part series is Cyber Insurance Market Dynamics, where we will discuss the measures taken by both enterprises and insurers to address these challenges. While enterprises are investing in Identity and Access Management (IAM) software, endpoint encryption, and other technologies, insurers are putting their money into bolstering underwriting efforts to model cyber risks more accurately.

If you’d like to share your observations or questions on the evolving cybersecurity and cyber insurance landscape, please reach out to Supratim Nandi, Mehul Khera, or Barbara Beller.

Taking a Value Chain-led View to Secure Healthcare Enterprises | Blog

Between 2018 and 2019, the US healthcare industry experienced a five-fold increase in patient data breaches, with hacking accounting for more than 88 percent of them. More than half of the targeted entities were healthcare providers, primarily due to inadequate investments in cybersecurity and the negligence of unsuspecting employees.

Patient data is sacrosanct for the healthcare industry given its highly sensitive nature. In fact, patient Electronic Health Records (EHRs) are priced 10 times higher than credit card information on the dark web. Given that healthcare data is a lucrative target for cyber attackers, healthcare CXOs need a guided approach to secure their patients and enterprises against cybersecurity threats.

A value chain-led view of cybersecurity

Healthcare enterprises are becoming increasingly vulnerable to attacks as patient-centric care takes center stage and care delivery models such as mHealth and remote monitoring become commonplace. So, they must identify their crown jewels – patient data, care delivery applications, and medical devices, among others – across the value chain and allocate their cybersecurity investments accordingly. To do so, they need to contextualize threat intelligence, understand attackers’ behavior and intent, and make appropriate investments in cybersecurity to increase preparedness and reduce response time in the event of a breach.

Stress-testing the value chain-led view

To hack-proof their estates, healthcare enterprises need to adopt a value chain-led view to identify and alleviate cybersecurity concerns across four areas:

  • Patient engagement: Patient care starts as soon as a patient is made aware of a health condition. To prevent any patient data leaks, healthcare applications must be HIPAA-compliant, designed with patient privacy at the center, and have strong identity and access management controls.
  • Care/case management: The primary activities in care/case management are appointment scheduling, remote consultations, and mHealth application use, for which physicians need access to sensitive EHR data. It’s important to incorporate patient identity verification and data security layers for EHR access, as well as to build in network and endpoint security protocols to protect EHRs and devices connected to them.
  • Diagnostics, treatment, and monitoring: As medical devices increasingly connect to the provider network, malware attacks aimed at halting care operations threaten to disrupt hospital functioning. Healthcare enterprises can strengthen their endpoints by adopting malware protection, endpoint detection and response solutions, and device management software. Additionally, providers need to prevent unauthorized access to their systems.
  • Financials and network management: Providers should also invest in data and network security to make sure all patients’, payers’, and banks’ financial transactions are safe and secure.

Here’s an example of how a healthcare provider can prioritize its IT security investments in accordance with its business priorities by taking a value-chain view.

[Figure: digital healthcare provider enterprise]

Setting the wheels in motion

Once healthcare enterprises have identified what to do to bolster security across the value chain, they need to think about how to do it. We recommend a three-phased approach:

  • Prioritize: Enterprises need to prioritize their investments and chart out a strategic and technical implementation roadmap. Having a cyber architecture in place, along with a future security plan, will aid implementation.
  • Evangelize: Once implementation begins, providers should address internal risks and change management by combining a consultative approach with a sharp focus on managed services. They should ensure that all business units across the value chain are involved for a harmonized security view.
  • Protect at scale: They should also invest in talent, short-term detection, and long-term threat investigation capabilities across the value chain, as well as solutions contextualized for threat management.

A real-life example of the value chain-led approach in action

US-based Trinity Health adopted an enterprise-wide data security strategy in the aftermath of the WannaCry ransomware attack in 2017. It implemented an asset management plan to govern its connected devices and networks to improve its response to adverse events. It also instituted an event response team to isolate, contain, and deploy patches when threats were identified. Realizing that its employees could also be vulnerable targets, Trinity Health initiated exercises to help them recognize and respond to cybersecurity threats. And that’s not all; it also leveraged the National Institute of Standards and Technology (NIST) Cybersecurity Framework to redesign its procurement process, technology and security assessments, and supplier evaluation responsibilities to recover in case of actual emergencies.

In an industry committed to digital transformation and increasingly embracing patient-centric care, healthcare providers must devise a well-thought-out cybersecurity strategy to protect their crown jewels across the value chain. This is the only way they’ll retain patients’ trust, drive brand value, and ensure better outcomes for all stakeholders involved.

Protect Yourself from Cyber-breaches: Digital Forensics and Incident Response | Blog

According to the Identity Theft Resource Center, a staggering 1,200+ breaches were reported in 2018. A breach can wreak havoc on a business, including – but not limited to – loss of revenue and reputational harm. And poor incident response can compound that damage, as demonstrated by breaches at Deloitte, Equifax, Uber, and Yahoo.

Some enterprises are recognizing the importance of being prepared and able to respond to attacks: 22 percent of respondents to a 2018 Everest Group survey rated “reduction in time/effort to detect, respond, and recover from breaches” as their top strategic priority in the next 12-24 months.

But given the dangers, 100 percent of enterprises need to think through and create an effective risk mitigation strategy. This is where Digital Forensics and Incident Response (DFIR) can be essential. Combining incident response with deep forensic analysis to collect and examine digital evidence on electronic devices, an effective DFIR strategy can help mitigate business risks in the early stages of an attack.

[Figure: Twin forces driving DFIR adoption]

Starting on the DFIR journey: an enterprise perspective

The first step in the journey is establishing forensic analysis and incident response teams responsible for reporting, incident handling, and monitoring when a breach is detected.

The incident response team should have specific training in areas such as file systems and operating system design, and have knowledge of possible network and host attack vectors.

After a breach is detected, the forensic analysts must work closely with the incident response team to address several issues, such as isolating affected systems and making containment decisions, based on existing device, access, and data security policies. Enterprises must also update their policies regularly to stay ahead of attackers.

Putting DFIR into action

An effective incident response plan should include the following components:

[Figure: Enterprise action items following breach detection]

A guided approach to creating a DFIR strategy

Enterprises without a cyber-attack incident response plan leave themselves open to potentially insurmountable losses. Despite the danger, they often face significant challenges in creating a plan. These challenges include:

  • Limited budget for plan development and forensic analysis
  • Lack of built-in approval systems to kick off incident response
  • Lack of support for cyber insurance policies
  • Lack of adequate skill sets to perform forensic analysis.

Our guided approach to developing a DFIR strategy can help enterprises evaluate and onboard digital forensics as part of their overall cybersecurity strategy.

[Figure: DFIR strategy for enterprises]

Specialist DFIR offerings can help

As many enterprises aren’t equipped to improve their security posture and reduce incident response times on their own, specialist DFIR vendors – such as CrowdStrike, Cylance, and Mandiant – can assist with suites of holistic offerings. In contrast with managed security services (MSS) players, specialist DFIR vendors lead with localization as their core value proposition. Their product-centric service offerings, localization, and guided approach, which help enterprises build resilient businesses, are valuable resources.

In fact, DFIR capabilities are becoming a deal clincher/breaker in large security transformation deals between enterprises and MSS providers. Enterprises need to carefully analyze the value proposition of their current/potential MSS partners serving as their DFIR vendor. The following checklist can help enterprises determine if their MSS providers can provide DFIR services.

[Figure: Enterprise MSS partner checklist for DFIR capabilities]

Approaching DFIR in the digital world

Today’s business environment has dramatically changed the way enterprises need to address DFIR. Adoption of digital technologies such as cloud, IoT, mobility, software defined everything (SDX), etc., has made traditional forensics techniques obsolete. And issues such as evidence acquisition, validation, and cataloging are just the tip of the iceberg.

The following new approach can help enterprises effectively protect themselves against cyber attacks in the digital world.

[Figure: The new approach to DFIR]

Given what’s at stake, enterprises must understand that remaining in the dark about potential breaches can prove significantly more devastating than the time and resources required to build or onboard competent digital forensics capabilities. DFIR can be a challenge, but it’s worth it.


Why Shadow IT is the Next Looming Cybersecurity Threat | In the News

Shadow IT is an issue that just about every organization faces on some level, but when I speak to executives and IT leaders, it’s simply not a topic that comes up. When I do bring it up, it quickly becomes clear that the tech industry as a whole underestimates the size and scope of the issue. And that lack of awareness and understanding is posing an ever-increasing threat to data protection and cybersecurity.

Some executives I speak with haven’t even heard the term “shadow IT,” which refers to systems, software, or applications that individuals in an organization use on a regular basis without the knowledge of executive leadership or the IT department. And when I tell them that recent research by the Everest Group found that upwards of 50 percent of technology spend in organizations lurks in the shadows, I can see their jaws drop. This means that half their budgets are being spent on software that teams, groups, and business units are purchasing (and using) without the IT department’s knowledge.

Read more in TNW
