SMBs urged to update software ahead of Black Friday


Sabina Weston

25 Nov, 2021

Small and medium-sized businesses (SMBs) are being urged to update their software ahead of Black Friday and Cyber Monday to avoid financial and reputational damage.

The warning comes after the National Cyber Security Centre (NCSC) identified 4,151 online shops that had been compromised using a vulnerability within the e-commerce platform Magento. With 250,000 clients, the Adobe subsidiary is the third-largest e-commerce system globally, after WooCommerce and Shopify.

NCSC alerted the affected retailers of the vulnerability in late September, with Magento issuing a security patch on 12 October.

All online businesses are being urged to update their software, as the mass shift to e-commerce since the start of the pandemic has caused more customers to shop online than ever before, increasing their risk of falling victim to online scams.

Hence, the NCSC has issued guidance on running a secure website and avoiding threats including skimming, which has been described as “a threat to all retailers” by British Retail Consortium assistant director Graham Wynn.

The trade association has urged “all retailers to follow the NCSC’s advice and check their preparedness for any cyber issues that could arise during the busy end of year period”.

NCSC deputy director for Economy and Society, Sarah Lyons, said that the agency wants “small and medium-sized online retailers to know how to prevent their sites being exploited by opportunistic cyber criminals over the peak shopping period”.

“Falling victim to cyber crime could leave you and your customers out of pocket and cause reputational damage. It’s important to keep websites as secure as possible and I would urge all business owners to follow our guidance and make sure their software is up to date,” she added.

Last year, Check Point’s security researchers observed a sharp increase in the number of phishing exploits in the run-up to Black Friday and Cyber Monday, with phishing emails having increased by over 13 times in early November 2020. In December 2020, RiskIQ security researchers discovered around 37,000 fake retail websites set up to scam holiday shoppers, with 208 domain infringement events containing only “Black Friday,” “Cyber Monday,” “Boxing Day,” or “Christmas”.

Mozilla to end support for Firefox Lockwise password manager


Bobby Hellard

24 Nov, 2021

Mozilla has announced that its Firefox Lockwise password manager will reach end-of-life on 13 December.

The final versions of the plug-in will be 1.8.1 for iOS and 4.0.3 for Android; after that, it will no longer be available for download or reinstallation.

Lockwise joins several projects Mozilla has shut down in an effort to streamline its business and become more profitable. Over the last few years, the company has closed the team building the operating system for the failed Firefox phone, and has also dropped a file transfer tool and the Thunderbird email platform. There is, however, an Android replacement for the password manager – Firefox 93 for Android – which was released last month.

Firefox Lockwise was launched in 2018, originally as a small experimental mobile app (named Lockbox at that point) that grew into a way to access saved passwords and autofill them on iOS, Android and even desktops. It was later adapted as a Firefox extension, but with only a four-year lifespan.

In a support article posted by Mozilla, users are advised to continue accessing passwords via the native Firefox browser on desktop and mobile. There is also a note on the support site suggesting that the Firefox iOS app will gain the ability to manage Firefox passwords system-wide later in December. This might mean that Mozilla adopts the features of Lockwise and eventually integrates them into the Firefox browser apps for all platforms. 

Mozilla laid off around 250 people – roughly a quarter of its workforce – in 2020 to refocus its business on projects that make money. CEO Mitchell Baker wrote in a blog post, at the time, that the company’s plans leading up to the outbreak of COVID had become “no longer workable” after it became a pandemic.

As part of the layoffs, Baker laid out a series of new focuses for Mozilla to set a stronger course for the company, such as building new products that “mitigate harms” and “that people love and want” to use, and also to build out new revenue streams.

Google faces mandatory vaccination resistance ahead of office return


Bobby Hellard

24 Nov, 2021

Google is facing an internal backlash over its plans to enforce employees to provide vaccination statuses by December. 

“Several hundred” Googlers have signed and circulated a manifesto opposing the plans, according to CNBC, potentially delaying the tech giant’s office return once again.

Google is following the Biden administration’s orders that all US companies with 100 or more workers have to ensure that all employees are fully vaccinated or regularly tested for Covid-19 by 4 January. According to internal documents, seen by CNBC, the tech giant has asked its 150,000 plus workforce to upload vaccination status to its internal system by 3 December, whether they plan to come into the office or not. This also appears to be the case for employees that work directly or indirectly with US government contracts – also whether they work remotely or not.

“Vaccines are key to our ability to enable a safe return to the office for everyone and minimise the spread of Covid-19 in our communities,” wrote Chris Rackow, Google VP of security, in an email sent near the end of October, CNBC reports.

The manifesto spreading around Google has been signed by at least 600 employees, according to reports. It asks the company’s leaders to retract the vaccine mandate and create a new one that is “inclusive of all Googlers”. It also calls on employees to “oppose the mandate as a matter of principle”, informing staff to not let the policy alter their decision if they’ve already opted not to get a vaccine.

“As we’ve stated to all our employees and the author of this document, our vaccination requirements are one of the most important ways we can keep our workforce safe and keep our services running,” a spokesperson for Google said. “We firmly stand behind our vaccination policy.”

Hackers use SquirrelWaffle malware to hack Exchange servers in new campaign


Rene Millman

23 Nov, 2021

Hackers are using ProxyShell and ProxyLogon exploits to break into Microsoft Exchange servers in a new campaign to infect systems with malware, bypassing security measures by replying to pre-existing email chains.

Security researchers at Trend Micro said investigations into several intrusions related to Squirrelwaffle led to a deeper examination into the initial access of these attacks, according to a blog post.

Researchers said that Squirrelwaffle first emerged as a new loader spreading through spam campaigns in September. The malware is known for sending its malicious emails as replies to pre-existing email chains.

The intrusions observed by researchers originated from on-premise Microsoft Exchange Servers that appeared to be vulnerable to ProxyLogon and ProxyShell. According to researchers, there was evidence of exploitation of the vulnerabilities CVE-2021-26855, CVE-2021-34473, and CVE-2021-34523 in the IIS logs on three of the Exchange servers that were compromised in different intrusions.

“The same CVEs were used in ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473 and CVE-2021-34523) intrusions. Microsoft released a patch for ProxyLogon in March; those who have applied the May or July updates are protected from ProxyShell vulnerabilities,” said researchers.

In one case, all the internal users in the affected network received spam emails sent as legitimate replies to existing email threads.

“All of the observed emails were written in English for this spam campaign in the Middle East. While other languages were used in different regions, most were written in English. More notably, true account names from the victim’s domain were used as sender and recipient, which raises the chance that a recipient will click the link and open the malicious Microsoft Excel spreadsheets,” they said.

In the same intrusion, researchers analyzed the email headers for the received malicious emails and found that the mail path was internal, indicating that the emails did not originate from an external sender, open mail relay, or any message transfer agent (MTA).

“Delivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail gateways will not be able to filter or quarantine any of these internal emails,” they added.
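The header analysis the researchers describe (a mail path with no external hop, so the gateway never had a chance to filter the message) is something a defender can turn into a mailbox-side triage rule. The script below is an added example, not code from Trend Micro, Microsoft or the article: it reads the Received: headers of a message, decides whether every hop sits inside the organisation's own network, and queues internal-only replies that carry an Office attachment for a closer look. The internal address ranges, the .corp.example host names and the three sample messages are constructed placeholders, not data from the campaign.

```python
"""Mailbox-side triage for mail that never crossed the gateway.

Added example (not code from Trend Micro, Microsoft or the article).
Assumed/constructed: INTERNAL_NETWORKS, the .corp.example host names
and the sample messages built by build_sample().
"""
import email
import ipaddress
import re
from email import policy
from email.message import EmailMessage

# Assumed address space of the organisation's own mail servers; loopback is
# included because mail handed to a server by a process on that server
# shows up as a hop from 127.0.0.1.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]
# The bracketed IP literal an MTA writes into "Received: from host ([1.2.3.4]) by ...".
RECEIVED_IP_RE = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F:.]+)\]")
OFFICE_EXTENSIONS = (".xls", ".xlsx", ".xlsm", ".doc", ".docx", ".docm")


def is_internal_ip(ip_text):
    """True when the address lies inside one of our own networks."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETWORKS)


def mail_path(msg):
    """One (ip, is_internal) pair per Received: header, newest hop first."""
    hops = []
    for received in msg.get_all("Received", []):
        match = RECEIVED_IP_RE.search(str(received))
        ip_text = match.group(1) if match else None
        hops.append((ip_text, ip_text is not None and is_internal_ip(ip_text)))
    return hops


def office_attachments(msg):
    """File names of attached Office documents."""
    return [part.get_filename() for part in msg.iter_attachments()
            if (part.get_filename() or "").lower().endswith(OFFICE_EXTENSIONS)]


def triage(raw):
    """Classify one raw RFC 5322 message. internal_only means every hop was
    inside our network, i.e. the gateway never saw it. 'review' is a triage
    signal, not a verdict: ordinary internal replies with spreadsheets look
    the same, so it only queues the message for a closer look."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = mail_path(msg)
    internal_only = bool(hops) and all(internal for _, internal in hops)
    attachments = office_attachments(msg)
    is_reply = msg["In-Reply-To"] is not None
    return {
        "hops": [ip for ip, _ in hops],
        "internal_only": internal_only,
        "is_reply": is_reply,
        "office_attachments": attachments,
        "review": internal_only and is_reply and bool(attachments),
    }


def build_sample(received, reply, attachment):
    """Constructed sample message; nothing here is captured campaign data."""
    msg = EmailMessage()
    for line in received:  # newest hop first, as in a real header block
        msg["Received"] = line
    msg["From"] = "alice@corp.example"
    msg["To"] = "bob@corp.example"
    msg["Subject"] = "RE: Q4 invoice"
    if reply:
        msg["In-Reply-To"] = "<thread-1@corp.example>"
    msg.set_content("Please see the attached.")
    if attachment:
        msg.add_attachment(b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


# Reply submitted on an internal server: every hop is inside our network.
INTERNAL_REPLY = build_sample(
    ["from EXCH01.corp.example ([10.10.1.5]) by EXCH02.corp.example; Mon, 15 Nov 2021 09:12:44 +0000",
     "from localhost ([127.0.0.1]) by EXCH01.corp.example; Mon, 15 Nov 2021 09:12:43 +0000"],
    reply=True, attachment="invoice.xlsm")
# Genuine external reply: the oldest hop is a partner's MTA on a public address.
EXTERNAL_REPLY = build_sample(
    ["from MX01.corp.example ([10.10.0.20]) by EXCH02.corp.example; Mon, 15 Nov 2021 09:12:44 +0000",
     "from mail.partner.example ([203.0.113.25]) by MX01.corp.example; Mon, 15 Nov 2021 09:12:40 +0000"],
    reply=True, attachment="invoice.xlsm")
# Internal notice with no attachment: internal-only, but nothing to review.
INTERNAL_NOTICE = build_sample(
    ["from EXCH01.corp.example ([10.10.1.5]) by EXCH02.corp.example; Mon, 15 Nov 2021 09:12:44 +0000"],
    reply=False, attachment=None)

if __name__ == "__main__":
    for label, raw in [("internal reply", INTERNAL_REPLY),
                       ("external reply", EXTERNAL_REPLY),
                       ("internal notice", INTERNAL_NOTICE)]:
        print(label, triage(raw))
```

Only the Received: lines added by your own servers are trustworthy, so in production the hop list should be cut off at the first header your own MTA did not write; the rule is deliberately a triage signal rather than a block, because a legitimate colleague replying with a spreadsheet produces exactly the same path.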

Researchers said that the hackers also did not drop or use tools for lateral movement after gaining access to the vulnerable Exchange servers in order to avoid detection. Additionally, no malware was executed on the Exchange servers to avoid triggering alerts before the malicious email could be spread across the environment.

According to researchers, the recent Squirrelwaffle campaigns should make users wary of the different tactics used to mask malicious emails and files.

“Emails that come from trusted contacts may not be enough of an indicator that whatever link or file included in the email is safe,” they warned.

AWS wins Adidas contract to host its SAP workloads


Praharsha Anand

23 Nov, 2021

Amazon Web Services (AWS) has won a contract to provide sports clothing brand Adidas with a cloud environment for hosting its SAP workloads.

German-based multinational Adidas AG also intends to develop a modern SAP S/4HANA platform using AWS, according to the deal.

By integrating SAP into its enterprise resource planning (ERP) system, Adidas aims to connect data across its global operations, while also tapping into AWS’ SAP expertise to support advanced analytics, data science, and enterprise reporting, the company said in a release.

Utilizing AWS’ machine learning solutions, including Amazon SageMaker, Adidas’ data scientists can forecast seasonal demand for goods. This ensures the right product arrives at a warehouse or retail store at the right time, increasing customer satisfaction.

Through a cloud-based data lake on AWS, Adidas can also gain visibility into both internal and outbound operations, while AWS Sustainability programmes will also assist Adidas in reducing the environmental impact of its cloud operations.

Adidas said the deal will allow it to offer customers discounts and early access to new releases, priority services, and personalized offers.

“We want to drive innovation across our business, which includes everything from how we design our products to how we engage with the consumers who buy them. By committing to cloud infrastructure, we have the scalability and elasticity we need to handle the seasonality of our business during peak demand, and support the projected growth in our e-commerce business in the years to come,” explained Markus Rautert, senior vice president of technology enablement at Adidas AG.

“Deploying SAP environments on AWS isn’t just about transforming our technology—it’s about transforming business opportunities and using AWS’ wide range of cloud capabilities to create efficiencies and bring us closer to consumers,” he added.

GoDaddy data breach exposes over 1.2 million customer details


Danny Bradbury

23 Nov, 2021

Hosting company GoDaddy has said that around 1.2 million users have been affected by a data breach on its managed WordPress hosting service.

The hack is said to have exposed email addresses, customer numbers, administrative login credentials, and in some cases SSL private keys.

The hosting company discovered that an intruder had gained access to its managed WordPress hosting environment on Nov 17, it said in a filing with the SEC. The intruder used a stolen password to access the provisioning system for the service.

Up to 1.2 million active and former users of the company’s managed service had their email addresses and customer numbers exposed, the company said, raising the possibility of further phishing attacks to come. The original administrative passwords for the managed WordPress accounts were also available to the hacker, putting the accounts themselves at risk if the credentials were still in use.

Also exposed were sFTP and database usernames and passwords, and an undisclosed number of users also had their SSL private keys exposed.

GoDaddy discovered that the intruder had been inside the system since September 6, meaning that the hacker has had access to the data for over two months. It worked with a forensics company upon discovering the incident, and has taken steps to safeguard its systems, including changing original administrative passwords that were still in use, resetting sFTP and database passwords, and installing new digital certificates for affected customers.

“We are sincerely sorry for this incident and the concern it causes for our customers,” the company said in its filing. “We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”

In 2017, the company revoked thousands of SSL certificates after issuing them without proper checks and authorization. In January 2019, an independent researcher found a vulnerability in its process for handling DNS change requests that enabled hackers to hijack domains and create phishing campaigns. It also notified customers of a hack that exposed SSH login details in the same year.

Retail giant Schwarz Group snaps up Israeli cyber security startup XM Cyber


Daniel Todd

23 Nov, 2021

Schwarz Group has announced the acquisition of a majority stake in Israeli cloud cyber security startup XM Cyber for a reported $700 million, as the EU retail giant looks to grow its digital business.

Headquartered in Tel Aviv, XM Cyber specialises in proactive prevention of cyber-attacks using the attacker’s perspective. By discovering critical attack paths across on-premises and multi-cloud networks, the firm’s solutions aim to help organisations close security gaps before systems are compromised.

Christian Müller, chief information officer of Schwarz Group, said the addition of XM Cyber brings a “deep technical understanding and innovation” that will complement Schwarz’ existing portfolio of advanced cybersecurity services.

“Finding and closing security gaps from an attacker’s perspective is a disruptive approach to the way organisations can proactively protect their networks,” he said. “XM Cyber’s solution builds on our strong IT security to further protect our customers, partners, and ourselves as a company.”

Headquartered in Germany, Schwarz Group has become one of the world’s largest retailers, known particularly for its ownership of EU staples such as Lidl and Kaufland supermarkets.

The group said XM Cyber’s comprehensive knowledge in securing complex hybrid cloud networks was a driving factor behind the acquisition, with the startup set to boost the group’s expanding digital venture.

Upon completion of the acquisition, XM Cyber will continue to operate independently with its current branding, full suite of products, and support structure, it added.

Noam Erez, co-founder and CEO of XM Cyber, says the move will provide its business with “immense potential” to further expand and develop its business model.

“We are thrilled to become part of the Schwarz Group,” he said. “With the backing and international footprint of the largest European retailer, we can accelerate innovation and growth and further strengthen our position in the global cybersecurity market.”

Optimising the management of hybrid cloud


Rene Millman

29 Nov, 2021

Many organisations have now adopted a hybrid cloud strategy to ensure their workloads run as efficiently as possible and reside where it makes the most sense. Indeed, according to Flexera research, 82% of enterprises have a hybrid cloud strategy, while businesses are increasing their spending with vendors across the board.

Having workloads and applications running in either the public or the private cloud presents challenges, however. One of the biggest is how to manage hybrid cloud environments efficiently, ensuring these configurations are as optimised as possible to deliver value for money while maintaining cyber security. To optimise hybrid cloud infrastructure, the right foundations must be in place.

What causes hybrid cloud inefficiency?

If you were starting a business from scratch in today’s age, you’d probably opt to design it to be cloud-native and compatible with the public cloud. This is alongside including lightweight apps, scalable systems and the security and compliance that now comes as standard from the hyperscalers like AWS.

Most companies, however, particularly in regulated industries, are dealing with heavy, legacy, mainframe-based systems, according to Anthony Drake, operations director for North Europe with research and advisory firm ISG. In some cases, these environments host thousands of applications that are completely bespoke to that business. They might have been designed decades ago, and simply aren’t built to be suitable for public cloud environments, he says.

“Companies want the advantages that come from public cloud environments: the ability to scale; the shift from CapEx to OpEx and the ability to manage costs; testing new apps; and the potential benefits that the hyperscalers might bring to growing areas like edge computing,” he explains. “They, therefore, opt for a hybrid environment, putting some workloads into public cloud and retaining private cloud for legacy systems.”

By its nature, a hybrid cloud environment is about as complex as it gets, with public and private cloud environments talking to each other, transferring data, and demanding a level of interoperability that needs to be managed. “A big bang approach of moving everything to the cloud won’t work,” he adds. “It’s a gradual process, split into phases.”

Building suitable hybrid cloud resources 

Establishing the right foundations for hybrid cloud management is essential to optimising operations. There are two main issues that could come into play if businesses fail to do so, according to Guy Warren, CEO of ITRS Group. “You could end up paying excessively for your cloud estate, or you could underestimate your capacity needs and throttle the throughput on that application,” he says. “Securing the foundations requires knowing what size to buy, which, with the complexity of systems today, can only be achieved with effective analysis by a capacity management tool.”

Working to a cloud adoption framework gives a clear line of the best practice, taking into consideration the service infrastructure that’s trying to be replicated into the cloud environment. Each cloud platform has its own framework of excellence and is consumed in different ways, which demands a review of the reasons why a business is moving to the cloud in the first place.

Performing a detailed cost-benefit analysis is key to deciding whether an application would be better in a cloud environment, or situated on-premise, according to George McKenna, head of cloud sales at Ultima Business Solutions. “For example,” he asks, “do the desired benefits come down to revenue generation, internal infrastructure, employee productivity or another reason? It’s the ecosystem of the platform that differentiates where you place the workload.”

Managing director at BCG Platinion, Andreas Rindler, meanwhile, says businesses should be developing the skill, talent and IT organisations that will build “critical mass” to enable a multi-cloud journey. “A company’s ability to build a critical mass of skill for each cloud service provider may impact its multi-cloud strategy,” he continues. “Firms should initially centralise all key scarce competencies in a ‘Cloud CoE’ to maximise efficiency and efficacy. Multi-cloud requires investment in cloud engineering, containerisation, and DevOps tooling to ensure application portability and to avoid vendor lock-in. Many challenges come with this due to the digital skills shortage.”

Drake adds that migration isn’t the end of the hybrid cloud journey, suggesting you need people who can support you as you scale and can take advantage of different features that are introduced by the cloud provider. “Think about how you want to do that,” he says. “Do you want to build a 30-person team in-house with limited career progression, for example?”

Overcoming pitfalls of hybrid cloud optimisation

Managing cloud environments consistently is a complex task. Rindler says that as enterprises continue to migrate apps to multiple clouds, a growing challenge is to manage and understand how company assets are being deployed, used, or exploited. 

“This calls on creating a central portal to view and manage our multi-cloud environment – an agnostic single pane of glass into the various clouds,” he says. “Organisations can also consider implementing a hybrid and multi-cloud management platform.”

Another pain point is portability between clouds. Applications can be migrated following a value-based approach, and leaning on open source technologies as much as possible can also help to improve the portability of applications, Rindler continues.

How would your business know, however, when its hybrid cloud management is fully optimised? For Drake, one indication is probably when your business resides exclusively in the public cloud. “The use of private cloud will decrease in the future,” he projects. “The more organisations move to the public cloud, the more they can take advantage of the benefits brought by developing technologies such as 5G, the Internet of Things (IoT), and artificial intelligence (AI),” he adds.

For Rindler, meanwhile, it’s down to the IT leadership to decide if the benefits of multi-cloud configurations outweigh the costs and risks. “The benefits are simple and very effective; access to best-in-class offerings (and faster time-to-market as a result), reduced vendor lock-in and cost optimisation of workload placement and resiliency across multiple cloud platforms,” he says. However, he adds, with that comes the very real threat of a step-change in the complexity of processes and governance related to cloud, ongoing investments, increased risks and longer roadmaps to get them right.

Managing the oversaturation of workplace platforms


Elliot Mulley-Goodbarne

24 Nov, 2021

What does your workstation look like; three monitors powered by a laptop, a desktop surrounded by the latest mic and cameras, or perhaps just a laptop with an external mouse and keyboard? Regardless of how you work, I’ll hedge my bets and say the way you complete your daily tasks has changed somewhat since 2019. 

Without leading us down the well-trodden path of how the pandemic has changed the way we work, it’s important to establish how the effects of COVID-19 on the workplace still manifest. The rise of cloud platforms and portals businesses were forced to adopt to continue functioning during lockdowns is arguably the biggest impact we’ve seen. This is exemplified by the fact a quarter of a billion people now use Microsoft Teams on a monthly basis. 

Even 250 million active monthly users, however, doesn’t translate into total market domination. In fact, over the past year, businesses have increasingly bought into an emerging trend of choosing different collaboration platforms for different types of workplace communication. Companies such as BT and Vodafone, for example, are using Facebook Workplace to offer employees a pseudo-social media experience. There’s a risk, however, that piling yet more digital systems onto the shoulders of already digitally stretched workers might inadvertently lead to a loss of productivity and disillusionment.

No plan is an island

Using such platforms in this way isn’t a new phenomenon, Meike Escherich, associate research director for the future of work at IDC, points out. Indeed, communicating with a distributed workforce means businesses need to upgrade their communications methods, with emailed newsletters and bulletins often ending up in spam folders too. 

“The biggest issue is that staff can be given all they need to do their job in a remote setting, but they’re missing the culture of the company,” Escherich says. “That sense of community, building loyalty, and support from superiors have all gone down the drain over the last year or so because businesses haven’t worked out how they communicate, how often they communicate, and what they communicate. This is a big issue for businesses to tackle.”

Although the intention to supplement workplace culture might be there, introducing yet another digital platform can also take its toll. Depending on their department, employees will have to log into a range of systems at once, which inevitably has a knock-on effect on productivity. In fact, RingCentral found roughly two-thirds of employees are losing over a month of their time per year just switching between different platforms. Its research also found that a large portion of employees found navigating these different platforms more annoying than spam and junk emails (45%), paying bills (52%) and even trying to lose weight (50%).

“Generally, the industry needs to recognise that none of these tools can be an island anymore,” says principal analyst for workplace transformation at CCS Insights, Angela Ashenden. “These platform providers need to look at how they fit within the ecosystem. If you’re going to enable productivity and enable people to be effective it has to tie in with all the other processes and happen wherever those processes take place. Therefore, there’s a focus around integration and how to streamline workflows across multiple tools.”

That is where collaboration platforms come in. Microsoft, for example, wants Teams to serve as a user interface window, says Patrick Watson, senior analyst with Cavell Group. Employees will, effectively, use Teams as a window into their applications, with integrations getting much better. If various providers integrate into Teams or Slack, he adds, users won’t feel bombarded by different apps because they’re effectively using one interface.

Dispelling the threat of shadow IT 

Although the likes of Vodafone and BT may well have good reasons for investing in Workplace, Escherich says she doesn’t think the trend of using more than one collaboration platform will be picked up by smaller businesses. The priority, for them, is to protect their IT teams, who would be burdened with a greater workload. “When we ask our clients about digital transformation and what is needed in-house to enable a hybrid workplace, the key issue is IT support,” she says. “It’s a big issue for business and even outstrips things like security or employee experience.”

Making such a decision may not be as simple as protecting IT teams, though, with shadow IT highly prevalent in regulated industries such as finance, legal and the public sector. As Watson outlines, establishing places for employees to go for both professional and social interactions is likely an attempt to control the realm of all employee interactions, as they may not currently know what’s being shared, how, and when. According to data Watson shares, 39% of executives in charge of technology know their business is currently using Facebook Messenger, 58% are using WhatsApp, with 10% using Signal and 20% using Telegram. 

“As you can see, there’s a large uptake of the consumer applications from employees, but those are just the ones the business owner or the technology executive knows about,” he adds. “These executives won’t necessarily have a clue about these sorts of shadow IT issues, such as the warehouse with its own private WhatsApp group. Within those groups, too, employees could be talking about orders and potentially sharing customer data, which is a dangerous area for businesses. That’s why we have seen a ban of applications like WhatsApp and Telegram, particularly in compliance industries.”

Although there may be an appetite to phase out messaging platforms in the workplace, according to data from CCS Insights, WhatsApp is the third most popular collaboration platform after Teams and Zoom. Ashenden concludes that, by separating the social and professional aspects of the office, businesses are shepherding their employees away from private messaging platforms towards mobile-friendly solutions. 

“Teams, Slack, Workplace all provide a simple chat messaging capability within a managed environment, which is why the likes of Microsoft, Facebook and Google are investing in mobile apps and that lightweight chat. The high-turnover workforce isn’t going to buy into a productivity platform, but they might use an app if it’s easy and they can use it on their personal phone. That’s definitely one of the key pieces to this puzzle.”

HP reveals Microsoft licensing management service for SMBs


Zach Marzouk

17 Nov, 2021

HP has launched a subscription management service to make it easier for SMBs to manage Microsoft cloud-based licensing, following the release of Windows 365 earlier this year.

HP Subscription Management Service is designed for small and medium-sized companies to make software investment decisions based on reliable workforce intelligence. The service provides license management of Microsoft 365 as well as the full list of Microsoft cloud subscription services.

The product displays online visibility of software analytics and usage trending by user, department, or geography, helping IT teams to easily shift and scale their subscriptions as needed, said HP.

For channel partners, the new service offers a one-stop cloud-based product that allows them to sell Microsoft 365 and the full Microsoft cloud subscription library to their customers, along with HP’s licensing analytics and its premier partner support.

The company said there are additional features to help companies reduce costs and administration overheads too, while increasing security and compliance. HP customers can flex licenses up or down through pay-as-you-go subscription options, ensuring software spend is the right size as business needs change.

Through HP Subscription Management, companies can also secure their workforce from wherever they work with cloud security health checks optimised for the hybrid workplace.

“While IT leaders see managing costs and usage of SaaS applications as a top business priority, more than half still rely on dated internal tools and manual spreadsheets to track and monitor their subscriptions and renewals,” said Sumeer Chandra, global head and general manager of personal systems services at HP.

“As a result, it’s challenging for IT to know when renewals are happening, or how much is being spent on software licenses.”

The HP Subscription Management Service is expected to be available in the UK, France, Germany, and Chile by the end of 2021, whereas the US and additional countries will have to wait until the first quarter of 2022.

As part of the announcement, HP is also launching an Enablement Service for Windows Autopilot to help automate new device setup across the internet with little or no need to touch the device, a simpler and faster way for SMBs to provision new Windows 10 or Windows 11 hardware.

Additionally, it’s releasing HP Proactive Insights Experience Management to make it easy for IT teams to gauge employee sentiment and perceptions in the context of their IT environment.

Lastly, it revealed its Enhancement to HP Proactive Insights, providing advanced remediation capabilities like new security, system stability, and performance optimisations through automatic updates.

The launch of HP’s products follows the August release of Windows 365, Microsoft’s PC-as-a-service offering, which provides remote access to virtual endpoints, apps, and data from any device registered with Microsoft Cloud. This reduces the need for businesses to invest in virtual desktop infrastructure, cuts hardware costs, and makes patch management simpler for IT teams.