Thrive helps businesses across industries find the right infrastructure and cybersecurity solutions to modernize their systems and stay secure. Its solutions are affordable, powerful, and customizable to fit any business environment. The team also partners with clients to ensure all their needs are met. We spoke with Rob Stephenson, CEO of Thrive, about the platform and its unique benefits.
SEC Unveils New Look for Regulation S-P: What Your Organization Needs to Know
Thrive is continuously monitoring changes in the regulatory environment to ensure we are prepared to help our clients achieve and maintain compliance. The U.S. Securities and Exchange Commission (SEC) adopted updates to Regulation S-P (Reg S-P) on May 15, 2024, and set the effective compliance deadlines at 18 and 24 months depending on organization size (see Table 3 under Section II.F of the final rule for size definitions). Regulation S-P specifies how covered institutions are required to protect consumer financial and personal information under the Safeguards Rule, and how covered entities should securely dispose of covered information under the Disposal Rule (collectively “Rule(s)” herein). This post provides a synopsis of the key rule elements and corresponding practices and technologies that can enable compliance. The changes are “designed to modernize and enhance the protection of consumer financial information” via three primary updates including:
- Requiring Incident Response Plan (IRP) policies and procedures.
- Mandating “timely” notification to affected individuals after a sensitive information breach.
- Expanding the scope of information and entities covered under the Rule.¹
Many covered entities have already begun adjusting their information security and compliance strategies over the past few years in light of elevated regulatory activity from the SEC which includes multiple proposals specifically focused on addressing information technology and cybersecurity risks. While there aren’t any surprises in the Regulation S-P updates, organizations subject to the rule should now evaluate their current practices to ensure alignment from a policy, technical capability, and operational perspective.
Incident Response Plan (IRP) Requirements
The adopted changes require implementation of an “incident response program for unauthorized access to or use of customer information, including customer notification procedures” that are reasonably designed to “detect, respond to, and recover from” unauthorized access and use of consumer financial information.² A comprehensive incident response program is rooted in an accurately scoped policy, enabled by appropriate technology implementation(s), and maintained by complementary operational processes.
Policy
An IRP is a written document formally approved by management that outlines the types of cyber threats the business is likely to face and what controls are in place for detecting, responding, and recovering from these events. A risk-based approach is important when designing an IRP and organizations should first perform activities such as data classification and business impact analysis to ensure the policy is appropriately scoped.
With respect to Reg S-P specifically, covered entities should identify what type(s) of covered information they collect, where this data is stored, and what data protection and access controls are in place. The updated rules explicitly require a scope that enables assessment of “the nature and scope of any incident involving unauthorized access to or use of customer information and identify the customer information systems and types of information that may have been accessed or used without authorization”.² Of course, the IRP should include the entire business entity, but understanding where the critical data and information assets reside is an important precursor to designing an appropriate layered defense model and establishing compliance with the updated regulation.
Technical Implementation
Technical controls supporting the IRP should include detective, preventative, and security measures applied and configured specifically to the organization’s environment. There is no “one size fits all” approach which is why having an accurately defined policy is fundamental to appropriately selecting and deploying technical safeguards. Common deployments include (but aren’t limited to):
- Data Security: encryption (at rest and in transit), access controls, network segmentation, data governance monitoring, and data loss prevention (DLP) mechanisms such as blocking removable media and monitoring outbound communications for unprotected sensitive data. Organizations should also ensure secure data disposal and destruction mechanisms are in place to ensure discarded media does not result in unauthorized access exposure.
- Asset Security: Next-generation asset-based solutions such as Endpoint Detection and Response (EDR) software provide live monitoring on user assets across the environment and proactively detect, prevent, and alert on malicious threat vectors. Additionally, hard drive encryption is natively built into many modern operating systems, while agent-based applications can ensure devices remain up to date (e.g., RMM) and restrict the types of connections or applications permitted on managed devices (e.g., URL filtering, restricting local administrative rights, hardening configurations to disable unused ports/protocols).
- Network Security: Networks (including the office(s), data centers, and/or cloud/SaaS environments) must be protected via appropriate threat detection and capabilities. Solutions include Managed Detection and Response (MDR), Extended Detection and Response (XDR), conditional access, Identity and Access Management (IAM), enterprise firewalls, and zero trust architecture (ZTA). Log aggregation and secure storage are also important to enable forensic examination and accurate reporting if a material incident occurs.
- Availability / Recovery: Incidents still can (and will) happen even with best-of-breed security solutions in place and it’s important that the business can efficiently recover when they do. Solutions that enable system availability include backups, geographically diverse disaster recovery (DR) environments, and high availability cloud configurations.
Operational Considerations
Having the right skilled resources in place to design and implement appropriate controls and write policy is where compliance with Reg S-P begins, but ongoing monitoring and response is where the value is continually delivered. Organizations should ensure that resources receiving and monitoring the output of technical detective and preventative systems – whether in house or outsourced – are suitably trained to interpret the data and take corresponding actions when anomalous or malicious activity is detected. Many organizations choose to work with an outsourcing partner (e.g. MSSP) that provides 24×7 Security Operations Center (SOC) monitoring and incident response services.
Breach Notification
The updated regulation also mandates that the incident response programs include mechanisms to notify affected individuals “whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization”.² Prominently, the same clause also states that notification is not required if “after a reasonable investigation…the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience”.²
Meeting this requirement requires careful analysis from multiple stakeholders, including legal, operations, and information technology; however, organizations must have foundational elements referenced above – specifically mechanisms/products such as data classification, data governance, data protections, and security monitoring/logging/reporting – in place to analyze in the first place. A gap or weakness in any of these areas may preclude an organization from justifying a reporting exemption or providing an accurate disclosure of events. If an organization cannot validate which system and data assets were impacted by a cyber incident, they may need to provide a breach notification to all (current and former) customers.
Breach Notification Timeline
The updated regulation will also require a “clear and conspicuous notice to affected individuals” by means “designed to ensure that the individual can reasonably be expected to receive actual notice in writing”.² Importantly, there is now a 30-day shot clock on providing the notification with exceptions only if the U.S. Attorney General has determined that providing such a notice would “pose a substantial risk to national security or public safety”.² There are also specific notice standards (Section II.A.3a in the Final Rule) that organizations should be aware of with regard to determining if a notice is required and methods for complying with the notification mandate under various circumstances. Sections II.A.3b&c also provide additional clarity with respect to defining “sensitive customer information” and “substantial harm or inconvenience” respectively that should be reviewed when developing mechanisms for analyzing if a notification is required under the organization’s IRP.
Scope Adjustments
The final Rule also includes adjustments that broaden both the scope of entities covered under required activities and the scope of data assets.
Service Providers
Of course, service providers are not brought under the SEC’s regulatory jurisdiction via the updated Rules (with respect to those that are not already covered entities). However, the Reg S-P update does incorporate requirements with respect to the covered organization’s IRP development to include:
a. appropriate measures for ensuring service providers are protecting covered information,
b. and for covered organizations to establish mechanisms for receiving notifications from service providers if the service provider experiences a breach impacting covered information.
The maximum allowable timeframe for service providers to provide notification is defined as 72 hours in the updated final text. Covered organizations should work with service providers to determine appropriate mechanisms designed to ensure receipt of such notifications within the compliance time limit. This mandate again highlights the critical importance of conducting thorough data classification and related analysis, which enable organizations to easily map which third parties are in scope when it comes to covered information. Additionally, receipt of a service provider notification should automatically trigger the covered organization’s IRP, including analysis of whether client notification is required.
Definitions of Covered Information and Covered Entities
The updated regulation broadens the scope of protected information to include a new term of “customer information” (replacing the term “customer records and information”) which is defined as “any record containing nonpublic personal information as defined in Section 248.3I3 about a customer of a financial institution, whether in paper, electronic, or other form”.² These records apply to any “information that a covered institution maintains or otherwise possesses for a business purpose” – businesses subject to the regulation should ensure the scope of their data classification exercises is appropriately adjusted to include all such information that may fit into this category. The broadened scope now applies to information the organization may have obtained about customers and non-customers that the organization may have been provided through the course of other business relationships. This change is intended to provide additional consistency with the Gramm-Leach-Bliley Act (GLBA) which imposes similar and overlapping requirements in some situations. Importantly, the SEC notes that these obligations of protection extend throughout the lifecycle of the information and include secure disposal, further underscoring the importance of a well-defined secure destruction and disposal process.
In addition to the information scope changes, the update extends applicability of Regulation S-P to include transfer agents since they maintain detailed covered information related to securities holders.
A Note on Recordkeeping
Reg S-P updates also incorporate new recordkeeping requirements pertaining to “written records documenting compliance with the requirements of the safeguards rule and of the disposal rule”.² The timeframes vary for different entity types, and covered organizations should review Table 1 under Section II.C of the final rule for information relevant to their entity designation.
How Can Thrive Help?
Thrive delivers global technology outsourcing for cybersecurity, Cloud, networking, and other complex IT requirements. Thrive’s NextGen platform enables customers to increase business efficiencies through standardization, scalability, and automation, delivering oversized technology returns on investment (ROI). They accomplish this with advisory services, vCISO, vCIO, consulting, project implementation, solution architects, and a best-in-class subscription-based technology platform. Thrive delivers exceptional high-touch service through its POD approach of subject matter experts and global 24x7x365 SOC, NOC, and centralized services teams. Learn more at www.thrivenextgen.com.
Disclaimer: Nothing herein shall constitute legal advice, compliance directives, or otherwise. Covered entities should consult an attorney and/or other compliance professional regarding their organizations’ compliance obligations, including, without limitation, the regulations described herein.
Source Information:
1 – https://www.sec.gov/files/34-100155-fact-sheet.pdf
2 – https://www.sec.gov/files/rules/final/2024/34-100155.pdf
How IT outsourcing allows Hedge Funds to maintain top performance for their funds and their investors
While the performance in 2024 has been moderately positive year-to-date, the hedge fund industry faces the challenge of safeguarding these gains against a multitude of domestic and international factors that remain at play for both your Prime Broker (PB) and IT provider. Both are aligned with your success in risk mitigation and their mutual cooperation couldn’t be more important. As the only global IT provider from the HF industry, Thrive recognizes the cooperative roles each entity plays in ensuring the safety of a well-performing fund for the benefit of your investors.
Alignment for Better Business Outcomes
At the core of any risk strategy lies the identification and assessment of risks. For your PB, real-time consideration of portfolio risks and periodic reviews of operational risks are essential. Since leverage has plateaued since 2008 (affecting fee generation), managing risk is pivotal for a healthy PB relationship. Balancing the quality of your portfolio to allow for an optimized margin balance will be something everyone wants and will be based on a number of factors you can evaluate, such as correlation risk, historic Sharpe ratio, derivative pricing confidence, collateral quality, and counterparty creditworthiness, among others. This falls largely on the COO or CFO and their operations team to ensure the most beneficial and accurate treatment is being extended to the firm. Meanwhile, consider that your IT provider is similarly aligned with your fund’s success, of course farther removed from your portfolio details, while being intimate with the tools, connectivity, and counterparties that you depend on.
Qualification of a Managed Security Services Provider (MSSP)
In today’s landscape, IT providers must resemble cybersecurity businesses (MSSPs) to succeed. Most platforms default to convenient configurations rather than secure ones, prompting the SEC to mandate inventorying these data points from an IT risk perspective. While your engagement policies may appear as checkboxes to auditors, real-time anomaly reporting against these policies is fundamental for responsible competition and scaling in the multi-cloud environment. Over the years, top IT providers like Thrive (through its acquisition of Edge Technology) and premier PBs have collaborated to set reasonable standards that protect market interests. Prior to the pandemic, we led a campaign together with a global prime broker to enforce encrypted communication via TLS across common client mail systems, as this was a standard practice we encouraged with most clients. Together that raised an important awareness and potentially thwarted some amount of phishing while people learned to become better trained.
However, the recurrent nature of the cybersecurity topic now verges dangerously close to echoing a broken record, even as its significance remains paramount. We observe a shift from ransom-focused malware to outright wipe-ware, emphasizing the need for robust security measures as motivations go from ransom to outright harmful intent by coordinated state actors. At Thrive, we advocate for a mesh of security services that provide real-time event generation and response, extending network and domain policies beyond office boundaries to multi-cloud services using Secure Web Gateways. Today’s rapid, easy adoption of many young emerging technologies is both promising and eerily reminiscent of the earlier industry, showing the same weaknesses. Wrapping a mesh of security around these younger offerings allows the same balancing act to be achieved, so a competitive fund can leverage newer technologies with more confidence. While technology lacks a UL listing, a balanced practitioner’s approach can maintain top performance for you and your investors.
Feel free to reach out if you would like to learn more about technology outsourcing for financial services. Our team of subject matter experts are ready to help you meet your desired business outcomes.
Thrive Spotlight: Maria Carina Wenceslao, Human Resources Manager – Philippines
Welcome back to another installment of our “Thrive Spotlight” blog series.
Our featured employee is Maria Carina Wenceslao, Human Resources Manager – Philippines. Maria Carina’s primary focus is to ensure employees have a positive and enriching experience throughout their time at Thrive and prioritize overall well-being within the organization. She works on the onboarding process, enhancing benefits packages, and makes sure the employee experience aligns with Thrive’s values and objectives.
Maria Carina lives in Clark, Pampanga and works out of our Philippine office in Clark Global City, Clark Pampanga. Two years ago, Maria Carina moved from Manila to Clark Pampanga and enjoys exploring the beauty of the city outside of work. She also loves spending time with her family, especially her 7-year-old daughter who is a liver transplant warrior.
Hi Maria Carina! Can you tell us about your background and how you came to Thrive?
I have been working in the Human Resources space for 17 years, specializing in recruitment. Identifying and securing top talent has always been a passion of mine. In 2022, I was thrilled to learn about an open position at Thrive and become one of the first employees in the Philippines. The opportunity to build a team from the ground up was exciting. There is something uniquely rewarding about selecting and nurturing the best talent to establish a strong foundation for a new venture.
Where did you go to school or get training?
I attended Centro Escolar University in Manila, Philippines. I have my Bachelor of Science degree in Psychology.
What do you most enjoy about working for Thrive?
I love the collaborative nature of our work environment. I am particularly grateful for the accommodating and nurturing leadership within the company. Their dedication to cultivating a supportive culture and prioritizing the well-being and growth of employees is evident in every interaction with leaders. This creates a sense of trust and empowerment that allows everyone to THRIVE professionally and personally.
I am immensely proud to be thriving at Thrive. It is truly empowering to be a successful working mom, knowing that I am supported in both my career and personal life.
Are there any recent exciting projects at Thrive you can tell us about?
We have been rapidly growing and strengthening our team in the Philippines, making sure our global objectives and goals are in line. I love seeing a collaborative effort of teams across different regions working together towards a common goal.
Is your organization prepared for NIST 800.171 Certifications (CMMC)?
The Cybersecurity Maturity Model Certification (CMMC) program is aligned to DoD’s (Department of Defense) information security requirements for DIB (Defense Industrial Base) partners. It is designed to enforce protection of sensitive unclassified information that is shared by the Department with its contractors and subcontractors (Organization Seeking Certification – OSC). The program provides the Department increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information.
Under CMMC guidelines non-federal organizations will be required to follow the proper security standards for overseeing the following.
- Federal Contracted Information (FCI)
- Controlled Unclassified Information (CUI)
If your organization is not awarded a Level 1 or Level 2 CMMC Certification prior to the awarding of a contract, that contract will be denied.
The current certification processes are directed by CMMC Revision 2.0. There are three distinct levels that make up the certification process. A level determination for a client will be set by a DOD Contracting Officer.
Level 1: Is Foundational (basic safeguarding) of Federal Contracted Information (FCI) which consists of six domains covering seventeen practices
Level 2: Is Advanced (Advanced Security Requirements) of Controlled Unclassified Information (CUI) which consists of fourteen domains covering 110 practices.
Level 3: Is Expert which covers Controlled Unclassified Information (CUI) with a focus around DIB partners managing highly classified information. This level includes the current Level 2 practices and domains, including an additional set of controls not yet specified. The DoD estimates that less than .1% of active DIB Partners (about 160 companies) will require Level 3 Certifications.
Please note: Current certification is based upon Revision 2.0. As new revisions of the certification are released, many of the practices, while not being removed, may be reworked and adjusted to define the proper levels of certification.
How are CMMC Audits Performed?
Under the current guidelines of CMMC Revision 2.0, a DoD Contracting Officer assigned to the Organization Seeking Certification (OSC) will dictate your certification level requirements.
Level 1: Foundational (Basic Safeguarding) of Federal Contracted Information (FCI) will require the OSC to fulfill all six domains and seventeen practices to achieve a certification. Level 1 Certifications will require the OSC to submit a self-assessment to the Suppliers Performance Risk System (SPRS). Level 1 Certifications, upon awarding of a contract, are good for annual certifications and will require submission of the self-assessment yearly. The DoD can conduct a full audit on the OSC seeking Level 1 Certification if there are any discrepancy concerns within the self-assessment submission.
Level 2: Advanced (Advanced Security Requirements) of Controlled Unclassified Information (CUI) will require the OSC to fulfill all fourteen domains and 110 controls to achieve a certification. Level 2 Certifications will require the OSC to reach out to the Cyber-AB Marketplace (https://cyberab.org) and contact a C3PAO (CMMC Third Party Assessment Organization) to conduct a physical audit of the organization in order to receive certification. Level 2 Certifications, upon awarding of a contract, are good for three years before re-certification is required by a C3PAO.
Level 3: Expert will be required to fulfill all requirements for Level 2 (14 domains and 110 controls) plus an additional set of practices not yet defined. Level 3 Certifications will require a physical audit. However, due to the security nature of the organization seeking certification, the audit will be directly conducted by the DOD DIBCAC (Department of Defense – Defense Industrial Base Cyber Assessment Center). Level 3 Certifications, upon awarding of a contract, are good for three years before re-certification is required by a DOD DIBCAC.
How does an Organization Seeking Certification (OSC) look to prepare themselves?
As Organizations prepare for their certifications, below are some key operations to start thinking about.
- Proper organization and operational documents and policies aligning with physical, technical, and security operations.
- Governance and Risk Compliance Operations and Programs
- Technology and Security Operations:
- Security Awareness and Anti-Malware Training Programs for end-users
- Endpoint and infrastructure security operations
- Mobile Device Management (MDM)
- Email Filtering and Security Monitoring
- Endpoint Detection and Response (EDR)
- Endpoint DNS Filtering
- Vulnerability Operations
- Two-Factor Authorization
- Penetration Testing
- Vulnerability Scanning
- FedRAMP Compliant Services
Time is running out because organizations will be required to achieve a proper CMMC Certification to be awarded a contract. Organizations should reach out to a Registered Practitioner (RP) or Registered Practitioner Organization (RPO), which are individuals or organizations certified by the Cyber-AB, to help with readiness for Level 1 and Level 2 Certification needs. Organizations can find this certified individual or group through the Cyber-AB Marketplace.
Contact Thrive today to learn more about how we can help you achieve proper CMMC Certification. Thrive has Certified RPs ready to help with readiness and planning.
Balancing the rewards and risks of AI tools
AI’s promise of time and money saved has captivated employees and business leaders alike. But the real question is… is it too good to be true? As enticing as these rewards may be, the risks of this new technology must also be seriously considered.
Three Strategies to Help You Solve Your IT Skills Gap
In today’s world, technological advancements are progressing at an unprecedented pace, creating vast opportunities for individuals and organizations. However, the rapid growth has also led to a significant demand for skilled professionals with the right competencies to meet this ever-increasing need. One area where this demand is particularly critical is cybersecurity, where the shortage of skilled professionals has become a significant concern. Even with technology outsourcing, having strong IT leaders is critical to managing and securing your business today and tomorrow.
Empowering Education: How Thrive Fortified CBT Technical Institute’s IT Infrastructure
CBT Technical Institute offers technical training and certification programs in various fields, such as information technology, cybersecurity, network administration, and more. The institute sought a partner to fill IT gaps, provide strategic solutions to bolster cybersecurity resilience, and optimize operations across its three campuses. This case study details how Thrive fortified CBT’s IT infrastructure and provided essential support, enabling seamless operations and proactive cybersecurity measures.
CBT Technical Institute faced a significant challenge when its IT supervisor departed for another company, leaving a critical void in managing its websites and servers. The workload became overwhelming with only a small team of three IT support specialists, as their focus was divided among various tasks. Realizing the need for additional support and contingency planning, CBT turned to Thrive to provide essential protection and strategic direction for its technology solutions. Thrive’s security services and ThriveCloud platform complement their internal team, ensuring comprehensive coverage and preparedness for potential disruptions.
Why Thrive Was Chosen
CBT Technical Institute chose Thrive because of its comprehensive suite of services and Thrive’s commitment to a genuine partnership. When evaluating potential partners, Thrive stood out for its adept management of services and software and robust security measures that alleviate the burden of maintaining CBT Technical Institute’s infrastructure and data security.
Thrive’s Robust Solution Offering and Collaborative Approach
Thrive’s comprehensive solution included Endpoint Detection and Response (EDR) for endpoint protection, server management, and Microsoft 365 email and Exchange management and monitoring. Facing expertise gaps, CBT Technical Institute turned to Thrive for comprehensive security services, leveraging ThriveCloud. Outsourcing these services marked the beginning of the partnership, with Thrive guiding CBT through onboarding and offering expertise and support. Through collaborative efforts, Thrive ensured a seamless transition, empowering CBT to navigate its technology confidently.
Impact and Results
Thrive’s intervention at CBT Technical Institute resulted in notable efficiencies and operational improvements. Migrating servers to the Cloud and deploying new infrastructure addressed challenges linked to outdated hardware, which enhanced server management and performance. Users experienced significant improvements in service responsiveness, while Thrive’s cost-effective solutions remained within CBT’s budgetary limits. With Thrive hosting its database, the institute’s data security and resilience were fortified, ensuring robust protection and rapid recovery from disruptions, underscoring CBT’s commitment to safeguarding sensitive educational information.
Exceeding Expectations
Thrive consistently exceeds expectations, with its team going above and beyond to meet CBT’s needs. From dedicated engineers like Nick, who assist outside regular hours, to responsive project managers, CBT praises Thrive for its unwavering dedication, collaborative approach, and exceptional support. “Thrive provides a virtual solution for any company that needs protection and lacks the resources to keep moving forward. If a company doesn’t have an IT department or support to assist users, maintain servers, and ensure security, Thrive is the one that can provide that,” said Roosevelt McCullough, Database Administrator for CBT Technical Institute.
“Unlike other cloud and third-party providers that offer temporary fixes, Thrive provides a long-term solution, enabling our company to evolve and access resources and support as needed.” ~ Roosevelt McCullough, Database Administrator for CBT Technical Institute
AI-generated Cyber-attacks: A New Emerging Threat
As AI technology continues to advance at an unprecedented rate, UK businesses face a new and formidable challenge in cybersecurity. A new wave of threats has arisen, posing substantial risks to companies of all sizes. In this article, we’ll explore the emerging AI-generated threats, their devastating impact, and how they mainly affect companies like yours.
What does the NCSC have to say?
In its January 2024 assessment, the NCSC stated that AI will almost certainly impact cyber-attacks, and here’s how. The organisation shows that, in the near term, AI will mainly provide malicious actors with the capability to scale up their social engineering tactics, communicating directly with victims to manipulate them into handing over details or funds. This includes creating “lure documents” without the translation and grammatical faults that often ring alarm bells for the victim. They also state this will likely increase over the next two years as models become popular.
AI’s capacity for rapid data summarisation will also enable cybercriminals to identify businesses’ high-yield assets, which will likely enhance the impact of their crimes. According to this report, hackers (including ransomware actors) have already been using AI to increase the efficiency and impact of their attacks. AI-enhanced lateral movement can help attackers go deeper into networks, and AI can assist with malware and exploit development.
However, for the next 12 months or so, human expertise will continue to be needed in these areas, meaning that any small uptake in this threat will be limited to very skilled hackers. Beyond this, experts envisage that malware will even be AI-generated to circumvent current security filters in place. It’s also very realistic that highly capable State Actors have repositories substantial enough to train an AI model for this.
As we enter 2025, large language models (LLMs) and GenAI will make it extremely difficult for any businessperson, regardless of their cybersecurity understanding, to spot spoofs, phishing, or social engineering attempts. We can already tell from this report that the time between security updates being released and hackers exploiting unpatched software is steadily decreasing. The NCSC warns that these changes will “highly likely intensify UK cyber resilience challenges in the near term for the UK government and the private sector.”
Potentially catastrophic results
Time and again, we see how more sophisticated attacks are storming even Britain’s most protected infrastructures. Just last year, as previously reported, hackers accessed sensitive UK military and defence information and published it on the dark web. Thousands of pages of sensitive details regarding max-security prisons, Clyde submarine base, Porton Down chemical weapons lab, GCHQ listening posts and military site keys were revealed to criminals, gravely compromising critical infrastructure.
In the same period, we saw cyber-criminals strike the NHS, revealing details of more than a million patients across 200 hospitals, including NHS numbers, parts of postcodes, records of primary trauma patients and terror attack victims across the country. The actors responsible are still unknown despite extensive specialist analysis. This is similar to the previous year’s attack, which left the NHS with a devastating software outage, impairing NHS 111, community hospitals, a dozen mental health trusts, and out-of-hours GP services. This incurred considerable safety risks for the British public, such as incorrect prescriptions and the inability of mentally unwell patients to be correctly and professionally assessed.
In January this year, the UK government released a policy paper introducing the “AI Safety Institute” concept. This paper mentions AI being misused in sophisticated cyber-attacks, generating misinformation and helping to develop chemical weapons. It also mentions experts being concerned with the possibility of losing control of advanced systems, with potentially “catastrophic and permanent consequences.”
AI development out of control
The paper also admits that “At present, our ability to develop powerful systems outpaces our ability to make them safe,” adding to already existing concern for the safety of AI. While it pledges to develop and conduct evaluations on AI systems to minimise existing harms caused by current systems, this does not take away from the need to be vigilant regarding this ever-evolving new technology. Another government paper, “Safety and Security Risks of Generative Artificial Intelligence to 2025,” lists the most significant AI risks for 2025 as:
- cyber-attacks (more effective and on a more substantial scale, as previously mentioned, using enhanced phishing and malware);
- increased digital vulnerabilities as GenAI integrates into critical infrastructure and brings forth the possibility of corrupting training data, or “data poisoning”;
- erosion of trust in information, as GenAI can create hyper-realistic bots and synthetic media, or “deep fakes.”
The government assesses that by 2026, synthetic media could make up a substantial portion of content online and risks eroding public trust in media outlets and governments. This issue needs to be solved by any means.
How UK businesses are affected
For a business, the uncontrolled development and use of AI systems raise concerns about access security to company systems, data integrity and protection of IP, patents and brand image. Medium-sized SMEs often operate with tighter budgets and leaner IT teams, making it a challenge to invest in comprehensive cyber solutions or know where to start. According to the NCSC, “SMEs are often less resilient to cyber-attacks due to a lack of resources, skills and knowledge.”
Cyber-criminals are wise to this and target businesses of this size with tailored attacks such as AI-enhanced phishing correspondence. In fact, according to the 2024 Sophos Threat Report, over 75% of customer incidents handled were for small businesses. Data collected from SME business protection software indicates that SMEs are targeted (mostly with malware) daily.
Fortunately, hackers’ use of AI is still at an early stage, but it is bound to become increasingly sophisticated as it continues to develop at its current rapid speed. There is still time to protect yourself and your business, and the Thrive team is highly experienced in guiding and supporting SME businesses every step of the way. Contact us today.
Thrive Spotlight: David Bloomer – Director, Technical Advisory Services – New York Financial Services
Welcome back to another installment of our “Thrive Spotlight” blog series.
Our featured employee is David Bloomer, Director, Technical Advisory Service – New York Financial Services. In his position, he leads a team of Virtual Chief Information Officers who provide services to our clients. He also works directly with clients to provide strategic advisory guidance, technology business reviews, and technology executive leadership. In addition, David works closely with the Thrive Advisory Services leadership team to shape and improve our Advisory Services practice.
He lives just outside of New York City in Union County, New Jersey, and works out of our Mid-Town NYC office. David has been married to his wife for 17 years and they have three children, ages 7, 10, and 12, and one dog named Charlie. They love sports, and all his children are on competitive swim teams, so outside of work he spends a lot of time at swim meets.
Hi David! Can you tell us about your background and how you came to Thrive?
I have always been interested in technology and knew from an early age that I wanted to work in that field. I started working for Precision IT, a small MSP in New York City shortly after graduating from college. Starting at a smaller company provided me with an opportunity to learn about multiple roles within a company and I was able to develop my technology and business skills quickly. I also quickly learned the importance of mentorship within my career. I have been working as a Technology Consultant in New York City for nearly 20 years and have held many roles in engineering, networking, solution design, IT service management, account management, project management, security, and executive functions. Thrive acquired Precision IT 6 years ago and I have continued with the company since the acquisition.
Where did you go to school or get training?
I got a Bachelor of Science degree with a focus on Computer Information Systems from Roger Williams University. After college, I continued technology training, earning multiple certifications. One of the highlights in my college career was having the opportunity to study abroad in Florence, Italy for a semester. I love history and it was great spending an entire semester learning about the Italian Renaissance.
What do you most enjoy about working for Thrive?
I enjoy the people I get to work with and the clients I get to help. I have worked with some of my coworkers and clients for nearly 20 years and have built great relationships with them. It is great getting to meet our clients and learn more about their company. I also enjoy following and learning about the latest technology and technology trends.
Are there any recent exciting projects at Thrive you can tell us about?
Throughout the last year, I have worked on several challenging and successful projects. I have helped clients with improving their security, upgrading their remote access solution, implementing a new support model, office expansion and relocation projects, and Cloud upgrade and migration projects.
Don’t forget to follow us on Twitter and LinkedIn for the latest news, and continue checking our blog for more in our “Thrive Employee Spotlight” series. Until next time…