With our footprint of research across the cybersecurity sector over the past decade, we have valued Executive Orders from respective Presidents that strengthen the context for taking required actions to provide protection against cyber threats. Our research several years ago, for example, highlighted the systematic weaknesses across the government sector, with ransomware being the threat of highest concern. On page 11 of our 2021 report, we said in relation to the United States:

The Biden administration is placing increasing emphasis on developing resilience in the face of cybersecurity threats against the government and other industry sectors. Ransomware is a key concern, considering recent disruption to critical infrastructure such as the Colonial Pipeline and JBS attacks. While there is a high focus on better securing government agencies, the administration is also directing American businesses to take cyberthreats and ransomware seriously. Many of the directives parallel what is required of government agencies. Three specific initiatives from the United States government are:

• Executive Order on Improving the Nation’s Cybersecurity
  Issued in May 2021, Executive Order 14028 mandates improved information sharing on cybersecurity between the U.S. government and the private sector, requires stronger cybersecurity standards within the federal government (e.g., widespread adoption of multi-factor authentication, encryption, and zero trust), removes current barriers for service providers to share threat intelligence, elevates the importance of security in the software supply chain (including visibility into software composition), and establishes the Cyber Safety Review Board to analyze significant cyber incidents and make recommendations, among others. The administration is working with private sector organizations to improve the nation’s cybersecurity readiness, has
  secured significant commitments from Apple, Google, Microsoft, and Amazon, and is working with others to address the cybersecurity skills shortage.
• Joint Cyber Defense Collaborative (JCDC)
  Part of the Cybersecurity & Infrastructure Security Agency (CISA), the JCDC was created in 2021 to lead the development of cyber defense plans in the United States to safeguard critical infrastructure and national interests. Its mission includes working with private and public sector organizations.
• StopRansomware.gov
  Multiple federal government agencies, including the Department of Homeland Security and the Department of Justice, launched a one-stop resource for combating ransomware. Released in mid-July 2021, the website consolidates the ransomware resources from all federal government agencies into a single location, replacing the previous approach of resources being distributed across a variety of locations.

While we didn’t state it in these words at the time, we were applauding the actions of the Biden Administration to strengthen the fabric of cybersecurity as it affected government agencies and the private sector.

CISA gets a mention above. CISA wasn’t created by President Biden. That was an action taken by President Trump in November 2018 via the CISA Act, where an existing program inside the Department of Homeland Security was reorganized and rebranded. The leader of the earlier DHS program – Christopher Krebs – was appointed the first director of CISA. Over the next several years, CISA took an activist role in championing for heightened cybersecurity across the United States (and beyond). Our research has referenced the following articles and updates from CISA:

• CISA Launches Campaign to Reduce the Risk of Ransomware
• Alert AA20-345A – Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
• Joint Cyber Defense Collaborative
• Executive Order on Improving the Nation’s Cybersecurity
• Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities
• Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
• Shields Up
• Selecting a Protective DNS Service
• StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities
• CISA, EPA, and FBI Release Top Cyber Actions for Securing Water Systems
• ED 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System
• FY22 Risk and Vulnerability Assessments (RVA) Results
• CISA Releases Analysis of FY22 Risk and Vulnerability Assessments
• CISA Analysis: Fiscal Year 2022 Risk and Vulnerability Assessments

There was a lot more in addition to the above list that CISA did in providing leadership and direction, and as with the actions above from the Biden Administration, we applaud their contributions.

Our hands are not clapping for the recent Presidential Memoranda targeting Christopher Krebs, SentinelOne, and CISA. Christopher Krebs earlier bore the public brunt of President Trump’s ire after disagreeing with the President on the security of the 2020 election, a stance for which he was fired from his director position at CISA via Twitter. Five years later, President Trump appears to seek additional retribution for this stance against Krebs personally, even though the overwhelming weight of evidence after 60 court cases on alleged election fraud backs Krebs not Trump.

This Presidential Memoranda is very bad form, in bad taste, and opens the door to a President throwing the weight of the US Government against a named individual who is perceived as an opponent. This is not behavior consistent with what we want our children to view as appropriate for the President of the United States.

The Presidential Memoranda and all related statements should be rescinded immediately, the consequential active investigation into Christopher Krebs cancelled forthwith, and the sanctions against Krebs and SentinelOne lifted.

On one point, however, we do agree with a statement in the Presidential Memoranda, albeit with a wording change. The directive to “do a comprehensive evaluation of all of CISA’s activities over the last 6 years” is a worthwhile activity. The wording change, however, is that it should not focus on points where conduct “appears to have been contrary to the purposes and policies in Executive Order 14149.” A much better standard would be alignment with the major cybersecurity challenges facing the United States over the next 20 years, which includes election security and countering the proliferation of disinformation and misinformation that undermine election integrity. This would position the agency for ongoing relevance over the long-term, not one that is weakened by short-term partisan vendettas.

The Office of the Comptroller of the Currency (OCC), part of the US Treasury Department, recently disclosed a breach of its Microsoft 365 tenant, with 103 email accounts caught up in the compromise. After carrying out an investigation, the OCC notified the US Congress, stating the breach met the criteria for a “major information security incident.”

In recent years, organizations facing such incidents usually sheepishly say in effect, “mea culpa; now we’ll implement multi-factor authentication to prevent this type of incident in the future.” While a lack of multi-factor authentication is part of this story, it’s much more nuanced than a blanket oversight.

Key details:

• In May 2023, hackers compromised a service account in its Microsoft 365 tenant that had administrative-level privileges.
• Multi-factor authentication was not enabled on the breached service account.
• Microsoft discovered the breach in early February 2025 (some 20 months later) and alerted the OCC. The discovery was based on observing unexpected behavior.
• The OCC made an initial disclosure on February 26, 2025. At that point, the extent of the incident was noted as “an administrative account in the OCC email system” and that “a limited number of affected email accounts that have since been disabled.”
• The OCC engaged Mandiant and CrowdStrike to investigate.
• Over the course of the 20 months of access, the hackers appear to have leveraged their initial foothold to gain access to other Microsoft 365 mailboxes, including those of senior deputy comptrollers, international banking supervisors, and other staff. This provided access to around 150,000 emails – although “access to” is different to “they actively read.” Quantifying the latter remains under investigation.
• On April 8, 2025, the OCC notified Congress of the incident. In its public notice of doing so, the OCC said: “The OCC discovered that the unauthorized access to a number of its executives’ and employees’ emails included highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes.”

As a result of its investigation, the OCC asserts that “there is no evidence of impact on the financial sector,” (per SecurityWeek), although in its letter to Congress, the OCC said it is likely to “result in demonstrable harm to public confidence” (per Bloomberg).

What appears particularly galling about this breach is that the OCC has for years talked the talk and walked the walk on multi-factor authentication and embracing strong authentication. As a matter of policy, it has required the use of multi-factor authentication for two decades – since 2005. It has championed for wider adoption of multi-factor authentication in the financial sector. For example, in an August 2022 speech to the joint meeting of the Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordinating Council, the then Acting Comptroller of the Currency (Michael Hsu) said:

The first line of defense against malicious cyber actors is the implementation of strong preventative controls to protect against unauthorized access. Last August [2021], through the FFIEC, we updated our authentication guidance to highlight how the base layer security approach of multifactor authentication, or controls of equivalent strength, can significantly strengthen controls to mitigate unauthorized access to systems and data. All financial institutions should implement effective multifactor authentication controls for access to all nonpublic systems, as even basic network systems can be entry points for malicious activity.

With a policy framework of using MFA and public statements to spread that policy more broadly, why would a critical Microsoft 365 account not have MFA enabled? In its coverage of the incident, Bloomberg spoke with an ex-special counsel for enforcement at OCC. His response – “it is shocking that they did not have it [MFA] enabled for this administrative account.”

The OCC is not a client of Osterman Research. We do not have access to inside information. We can only see what is being reported in key media outlets. Our hypothesis, on the evidence we’ve seen, is that this was a shocking blindsided incident to the OCC that was completely unexpected. The initial administrative’s account was overlooked or not seen by the IT and security teams when MFA controls were put in place, and the OCC did not have the optics, visibility, or reporting to highlight where their policy was not being followed – initially, or subsequently. Newer identity security solutions, especially in the identity security posture management area, could have prevented this incident at the OCC. Such solutions add an independent assessment and enforcement engine for authentication policies, highlighting, for example, where accounts – service and user – don’t have MFA enabled.

Last month we published CISO and CIO Investment Priorities for Cybersecurity in 2025, which includes a deep dive on investment priorities for identities. See pages 24-27 for more. Non-human identities (which includes service accounts) gets a specific call out on page 27:

Protecting against identity attacks that seek to compromise non-human identities is the only issue across all four areas where the security priority in 2025 is higher among those not managing risks well compared to those who are. This is an unaddressed issue for too many organizations, and the warning bells are sounding.

Don’t be the next OCC.

The most common data security incident reported to the Information Commissioner’s Office (UK) for October to December 2024 was … unsurprisingly, misdirected emails. The frequency of using email for communicating with others, the ease of stumbling when using type-ahead addressing in Outlook and other email clients, and the frenetic pace of much office work means that it’s just too easy to choose the wrong person. Of the total incident count reported to the ICO, 21% were of this type.

There are email security add-ins that will alert users that something doesn’t add up in their communication, some of which we’ve written about in recent years. There should also be a necessary emphasis on training users to check and double check when adding someone to an email message or distribution list, but that’s not guaranteed to work in all instances.

The cost of getting it wrong is reputational mainly, although the extent of that cost and ancillary costs will depend enormously on the contents of the misdirected communication. Banal stuff … not so much. Corporate IP, confidential data, and data subject to privacy regulations … much more so. Excel spreadsheets with customer information – yes, that’s a problem. Mitigation wise, it depends on the nature of the information that people are sending and receiving, and the personal / corporate / national implications of getting it wrong. The higher the risk, the more layered a mitigation approach should be. And for very high risk situations, choose your tools extremely carefully.

On Tuesday March 18, we spoke with Eric Schwake, Head of Product Marketing at Salt Security, about the research. The webinar is entitled – API and Application Security: A Critical Investment for Protecting Your Organization in 2025.

Click below to watch the recording.

On Tuesday December 10, we will be talking with John Gunn (CEO at Token) about securing user identities. You can attend the webinar with us – How to Unlock the Future of Identity Security by Stopping Phishing and Ransomware.

The key topics for our conversation include:

• Identity Security in Crisis: 79% of organizations have suffered from identity attacks in the last year. Discover why traditional MFA is no longer enough to stop phishing and ransomware.
• Phishing-Resistant MFA: Learn about cutting-edge innovations like biometric and hardware token-based MFA that block even the most sophisticated attacks.
• Real-World Solutions: Practical steps for upgrading your identity security, stopping account takeovers, and ensuring compliance with the latest standards.

We hope to see you on Tuesday December 10.

If you’ve read any of our reports – and there’s quite a collection of them across a wide range of topics – you’ll notice that [1] they aren’t short, and [2] we try to dig into the details. Our latest report is no exception … with a hype-busting and bluster-disabusing examination into the role of AI in enhancing defensive cybersecurity. You can get a copy from our portfolio.

To gather the data, we surveyed organizations in the United States on the front lines of cybersecurity attacks. To take the survey, the respondent had to work at an organization with at least 500 employees and/or at least 50 people on their security team. We wanted to get a sense of what they were seeing in terms of changing dynamics with cybersecurity attacks, particularly the impact of offensive AI. And equally, we wanted to get a read on how they were responding to these changing attack dynamics.

We reached four key conclusions in the research:

• Attackers have the early advantage in generative AI and GANs
  Generative AI and GANs are tipping the scales in favor of attackers, but defensive AI tools are catching up, especially in behavioral AI and supervised machine learning.
• Integrate AI strategically into cybersecurity frameworks. Strategic integration of AI into cybersecurity frameworks is essential to fully
  leverage the technology’s potential. Organizations should focus on aligning AI investments with core business objectives and risk management practices.
• AI is a force multiplier for cybersecurity teams. AI enables cybersecurity teams to focus on high-impact activities. However, this requires appropriate training, organizational alignment, and investment in the right tools.
• The time for embracing AI in defensive cybersecurity is now. As AI reshapes both offensive and defensive cybersecurity, organizations must act swiftly to secure their infrastructures, adopt AI-powered defenses, and prepare their teams for the next generation of AI-enabled threats.

Do these conclusions echo what you’re seeing at your organization? Get your copy of the report if so.

This research was sponsored by Abnormal Security, IRONSCALES, and OpenText.

If your firm provides AI-powered cybersecurity solutions to offer protections against AI-enabled attacks AND you would like to spread this research to your customers and prospects, please get in contact to talk about licensing options.

It deosn’t mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist and lsat ltteer be at the rghit pclae. The rset can be a toatl mses and you can sitll raed it wouthit porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe.

One of the common recommendations in security awareness training for identifying phishing emails is to check that email addresses and domain names are correct. So microsoft.com is that, and not some close derivative (like microsott.com or M1CROSOFT.COM) and it’s actually paypal.com not paypa1.com. Small changes in email addresses and domain names can signal big trouble ahead (e.g., BEC incidents that result in paying the wrong person), and it takes a snazzy piece of brainwork to consistently identify those subtle changes. Slow down, read the address carefully, and then proceed with caution. That’s the general advice.

While snazzy brainwork is helpful in detecting new cyberattacks, the way our brains work can undermine the very outcomes we’re trying to achieve. As with the headline for this post, many of you can quickly read what’s written, and while the first couple of words may take a millisecond longer than normal to get, the subsequent ones get progressively easier. Optical illusions provide a second category of examples where what looks reasonable on first glance becomes more complicated on the second.

Hence, with respect to security awareness training, the advice to check the email address and domain name is sound but flawed. We would want someone to see that memcosoff.com was not microsoft.com, but we should not be surprised when people miss the difference between slight variations. Yes, the differences between paypal and paypa1 may be clear and obvious in retrospect, but to write people off due to missing the differences when their brain actually creates the signals it expects to see is disingenuous.

We’re a great advocate for email security solutions that use anomaly detection (and similar techniques) to do the heavy lifting in identifying subtle changes in email addresses and domain names. Textual analysis for near-matches, unusual patterns in combining sender names with email addresses, and the like provide a level of machine-precision that brains can’t match (and that’s okay, since brains are good at other things). Asking your people to check these details is fine, but don’t do so without using the best of what’s now available to detect, highlight, and remediate cyberattacks predicated on subtle differences that brains will often miss.

Next week on Thursday October 17, we will be talking with Brian Contos (Chief Strategy Officer at Sevco) about SOC efficiency research. You can attend the live webinar with us – Overwhelmed With Alerts? Best Practices for Improving SOC Efficiency and Effectiveness

The key topics for our conversation are:

• Addressing the growth of backlogged alerts
• Trends impacting the SOC over the next 24 months
• Insufficient visibility into current and emerging threats across many systems
• Strategies to drive more proactive approach to security threats

As background, we had a briefing with Sevco in August. There were several highlights for us from that conversation related to making the SOC more efficient:

• Sevco’s emphasis on aggregating data signals from many different sources. Leveraging what exists via collection agents to pull everything together and provide the data for making decisions is a very clever play.
• Sevco’s ability to empower the SOC to make decisions on escalations, policies, and procedures. Integration of everything for a comprehensive inventory means the SOC can minimize time spent doing data collection and triangulation, and instead use what Sevco makes available for such processes.

Hope you can join us next Thursday.

Our latest research agenda program fits in the latter category. When we were looking at possibilities for 2024, a client suggested:

Something around how the security industry is evolving to make the SOC more efficient and reduce stress and burnout would be good. For example, the H/M/L prioritization of alerts didn’t really do much. What are vendors doing that works, and what doesn’t work? (There could be a little AI in here, but it would be good to go beyond that.)

That nudge (thanks, Bob!) became the origin point for our latest report, Making the SOC More Efficient (available on the main Osterman Research site). It’s a long paper (26 pages) that attempts to deal thoughtfully and in-depth with the topic, exploring the data points we captured through the survey and advocating a way forward. There is more than “a little AI” in the report, though, as this has become both the greatest threat (82.4% of security leaders said that “the use of AI by cyberthreat actors in cyberattacks” was “very impactful” or “extremely impactful” – the highest-rated trend in this research) and one of the greatest tools for defenders (via the rise of AI-enabled cybersecurity solutions).

Some of the key takeaways from the research:

• Current SOC approaches have hit the wall
  Confidence in the ability of the SOC to protect against the threats detected by their security tools has dramatically increased during the past two years, but this increase in confidence is expected to rapidly crater. The innovations that drove increased SOC performance over the past two years do not contain the necessary ingredients to continue driving performance over the next two.
• Specialized threat intelligence to eliminate false positives, AI for behavioral analysis, and autonomous remediation seen as top innovations
  The three innovations seen as most likely to drive SOC efficiency and reduce stress and burnout among SOC analysts are the use of specialized threat intelligence to eliminate false positives; using AI for behavioral analysis in investigating alerts and autonomously creating or updating detection rules; and autonomously remediating incidents without SOC analyst intervention. Almost half of respondents gave two AI-powered defensive innovations the highest rating.
• New innovations improve SOC metrics by a composite average of 35%
  All organizations in this research are already experimenting with at least one new approach to improving the efficiency of their SOC. The most impactful innovations on key SOC metrics (time to begin working on an issue, time to close an incident, and number of false positives) are AI behavior analysis with autonomous rule creation/updating, AI behavioral modeling for detecting baseline deviations, and autonomous remediation of incidents.

If SOC efficiency is in your wheelhouse, we’d love you to get a copy.

This program was sponsored by Dropzone AI, HYAS Infosec, Radiant Security, and Sevco Security.

This is the eleventh year that Scale has produced this research (in collaboration with Everclear Marketing, we’ve helped over the past three years). The survey and report look at evolving threats and solutions, investment priorities for cybersecurity technologies and strategies (make sure you see the top 10 chart for this year and the changes from last year), and funding and buying patterns. The data is from senior-level decision-makers at organizations with 500 or more employees. AI has an increasing focus in this year’s research – as you would expect. 

Key findings:

• Data breaches increased, led by phishing and third-party attacks.
• CISOs prioritised cloud infrastructure and data center security.
• Attackers targeted AI models while security played catch up.
• Security budget growth showed signs of slowing.
• Market gaps found in software supply chain security and ADX. 

For details on how to get yourself a copy, please check out our portfolio.