Forrester

S3NS Summit Highlights Sovereignty And Trusted Cloud Progress

S3NS, established three years ago, is a cloud hosting company that aims to deliver a sovereign and secure cloud solution for the French market. Formed as a joint venture between Google and Thales, S3NS adheres to strict governance rules to ensure compliance with French sovereignty requirements. SecNumCloud caps the participation of non-EU shareholders such as Google: a single non-EU company cannot hold more than 24% of share capital or voting rights, and non-EU holders together cannot exceed 39%. This governance structure places S3NS firmly under French jurisdiction, enabling it to prioritize local legislation and data security. As Cyprien Falque, CEO of S3NS, states, the company’s mission is clear: “empowering businesses and institutions to transform with trust by delivering cutting-edge technology and ensuring native control of data, operations, and infrastructure.”

SecNumCloud Certification: The Gold Standard For Security

S3NS is in the final stages of obtaining SecNumCloud 3.2 certification, the most rigorous cloud security framework available. With 276 requirements spanning operations, technology, and legal compliance, SecNumCloud sets the benchmark for secure cloud hosting. At the design level, S3NS adheres to strict security protocols, including complete disconnection from the internet and from the public cloud, and encryption at rest and in transit. The company also leverages advanced Google Cloud Platform features, albeit with a slight delay so that each feature can be checked against the certification requirements before it is made available. At the operational level, S3NS data centers are strategically located in the Paris region, ensuring high reliability and security. The joint venture’s operators are selected with exceptional scrutiny to uphold these stringent standards. Certification approval, expected by September 2025, will allow S3NS to officially welcome customers who demand robust protection against data breaches, espionage, or leaks.
Serving Diverse Industries With French Governance

Fully operated in France and governed by local laws, S3NS ensures that both Thales and Google maintain observer roles without voting rights in the joint venture’s governance. The company already serves dozens of customers across various industries, including insurance, the public sector, medical technology, fintech, defense, energy, and utilities. S3NS also integrates with independent software vendors in areas such as infrastructure modernization, data and AI, security, and business applications. Its partnerships with leading consulting, strategy, and systems integration firms further enhance its offerings.

Positioning For European Leadership

While S3NS currently focuses on France, its ambitions extend to Europe, where the SecNumCloud standards exceed those of the EUCS framework for now. This positions S3NS as a strong contender to become a major European cloud provider that meets the region’s stringent security and sovereignty requirements. With its trusted cloud solutions and commitment to sovereignty, S3NS is paving the way for secure digital transformation across Europe.


All In On Autonomous Coding

No one can deny the impact that AI is having on software development … and we are just getting started. Generative AI (genAI) has already made a tremendous splash, and new AI agent technologies hold promise. These will take AI-enhanced development to a new level and deliver complete, autonomous capabilities for creating, testing, and delivering applications. There’s just too much innovation happening all at once to be casually monitoring this market — I need to be all in. That’s why, starting now, I’ll be devoting a significant amount of time to researching genAI and AI agents — specifically their impact on the software development lifecycle. This is an area of research that Forrester refers to as TuringBots. I will be partnering with multiple Forrester colleagues, chiefly VP and principal analyst Diego Lo Giudice, who has already laid the groundwork for how TuringBots will revolutionize software engineering with a series of reports such as The State Of TuringBots and The Future Of TuringBots. What’s next: Diego and I will participate in a joint TuringBot Landscape that addresses the coding part of the software development lifecycle. In this Landscape, we will be conducting research to uncover the core and extended use cases for coding TuringBots, as well as their core functional capabilities. This is scheduled for Q4 2025. I will be reaching out to vendors of autonomous coding solutions in the coming months. Other vendors are encouraged to brief me on their product offerings related to coding or additional areas where they are investing in AI capabilities, such as planning, backlog management, and testing. Clients are welcome to reach out and request inquiry or guidance sessions to understand how this research will benefit them.


Tariff Uncertainty Impacts IT Services Firms’ Financial Results

IT services firms recently reported their January–March 2025 quarterly numbers, and the results weren’t pretty. Most firms not only reported slower growth for the quarter but also lowered their forecasts for the next financial year. I dug into the details of what’s at play behind this lackluster performance, and here’s what I found. To begin with, let’s go back to the final quarter of 2024 — back then, things had started to look up. The Federal Reserve had just cut interest rates, and AI was driving a surge in enterprise IT spending. Most IT services firms had a robust pipeline of large IT deals. In fact, 2023 and 2024 were the years with the highest number of large deals (of over $100 million in annual spend). And then came January 24.

Tariffs Have Both Direct And Indirect Consequences On Services Businesses

The US government imposed tariffs across a broad spectrum of goods for practically every trading partner. While there was no tariff on services, the IT spend momentum that had started to build suddenly stopped in its tracks. The resulting massive uncertainty in the business environment impacts two fronts. First, there’s the direct impact of tariffs on the IT services business, which is not significant other than the rising prices of the technology infrastructure used to deliver services. A tariff on imports of services would have had a higher impact, which fortunately is not the case and is also less likely to happen (or at least not to be initiated by the US, as it is a significant exporter of services). For example, just for Europe, cloud and marketing services (think Meta or Google Ads) represent a $100 billion business for US firms. We cannot completely rule out the possibility of such tariffs being on the table in the future, however. Next come the second- and third-order effects. These are the key sources of uncertainty right now. We don’t know what the final tariff situation is going to be and when we will reach that normality.
This level of uncertainty is not good for any business. Firms are already rethinking their budget allocations. As a result, we are hearing of a lot of discretionary spend getting delayed or canceled.

Large Deals Have Vanished As Clients Take Cautious Steps

Tata Consultancy Services, in its annual results announcement, acknowledged the absence of mega deals during fiscal year 2024–’25. CEO K. Krithivasan, while lauding the firm’s annual result, stated, “This impressive performance stands out in the absence of mega deals.” Meanwhile, Infosys took a more cautious stance, slashing its FY 2026 growth forecast to a modest 0–3%. CEO Salil Parekh attributed the subdued outlook to prevailing uncertainty, saying “The environment is uncertain, and we will execute our plans with agility while keeping a close watch on events as they unfold.” We are seeing fewer large deals. As clients gravitate toward smaller, targeted investments, market dynamics increasingly favor nimble, adaptive companies that can respond swiftly to evolving needs. This shift has brought medium-sized firms such as Coforge, Hexaware Technologies, and Persistent Systems into the spotlight. These players outperformed their larger peers in year-on-year growth, a clear sign that agility is the new currency in an uncertain business landscape.

Post-Uncertainty, We Expect The Financials To Recover

We believe that this halt in IT spend momentum is going to be temporary. AI stands to be a significant catalyst for increased IT spending, assuming stable economic conditions. Some providers such as Cognizant appear to hold this view: The firm provided FY ’25 revenue growth guidance of 3.5–6%. Our earlier analysis, conducted in late 2024/early 2025, also indicated a positive outlook for tech expenditure, primarily due to the strong correlation between overall tech spending growth and GDP growth. This relationship holds even as mature economies allocate a larger percentage of their GDP to technology.
Given the projected healthy GDP growth in key markets like the US and most of APAC, we anticipate a rise in overall tech spending. Furthermore, AI’s influence on IT purchases is twofold. While it directly prompts budget shifts from existing programs to AI initiatives, it also indirectly fuels broader tech investments across various sectors. Cognizant CEO Ravi Kumar S opined during the company’s latest quarterly earnings call that “the future of IT services will be powered by the double-engine transformation of AI technologies, both for hyper productivity and innovation-led opportunities.” We similarly believe that a return to economic normalcy would likely unlock substantial IT spending growth. While it will be aligned to the underlying strength of respective economies, it will also be significantly amplified by the pervasive impact of AI.


The Future Is Now With AIOps: Transforming IT Operations In Volatile Times

In today’s fast-paced digital landscape and volatile economic atmosphere, businesses are increasingly relying on advanced technologies to stay competitive. Artificial intelligence for IT operations (AIOps) is one of the core technologies that tech leaders are using to revolutionize their IT organizations to help their enterprises survive today and be ready for tomorrow. The Forrester report The Future Is Now With AIOps delves into how AIOps is reshaping IT operations to meet the demands of modern business environments.

Data-Driven Decisions

The importance of data-driven decisions in IT operations cannot be overstated. With the proliferation of data, traditional methods of managing IT operations have become obsolete. AIOps leverages advanced analytics and machine learning to process vast amounts of data, providing actionable insights that enhance decision-making processes.

Enhancing IT Resilience

AIOps plays a crucial role in improving IT resilience. By automating routine tasks and proactively identifying potential issues, AIOps enables IT teams to respond swiftly to disruptions. This proactive approach not only minimizes downtime but also ensures continuous business operations while driving down costs.

Customer Experience Integration

Modern businesses prioritize customer experience (CX), and IT operations must align with this principle. AIOps integrates CX metrics into IT workflows, ensuring that IT services are tailored to meet customer needs. This integration helps businesses deliver superior customer experiences, fostering loyalty and satisfaction.

Adaptive And Fast-Paced Operations

The report highlights the need for adaptive and fast-paced IT operations. AIOps enables IT teams to quickly adapt to changing business requirements and market dynamics. By automating processes and providing real-time insights, AIOps ensures that IT operations are agile and responsive.
Building A Proactive IT Organization

To fully leverage the benefits of AIOps, tech leaders must focus on building a proactive IT organization. This involves:

Obsessing over data. IT teams should prioritize data collection and analysis to drive informed decisions. By focusing relentlessly on data, IT operations can become a turbocharger for business growth.
Improving the velocity and quality of actions. AIOps enhances the speed and accuracy of IT actions. Tech leaders should aim to achieve near-real-time corrective actions and long-term preventive measures to ensure sustainable IT operations.
Infusing principles of customer experience. Integrating CX metrics into IT workflows ensures that IT services are aligned with business goals. This approach helps businesses deliver exceptional customer experiences.

Conclusion

The Forrester report The Future Is Now With AIOps provides valuable insights into how AIOps is transforming IT operations. By leveraging data-driven decisions, enhancing IT resilience, integrating customer experience, and building adaptive operations, businesses can stay ahead in the competitive landscape. Tech leaders must focus on creating a proactive IT organization to fully harness the power of AIOps and drive business growth. Additionally, explore related content on AIOps, such as the blog Hear Ye, Hear Ye … Get Your New AIOps Reports Here! which identifies and summarizes several Forrester reports on AIOps.

Join The Conversation

I invite you to reach out to me through social media if you want to provide general feedback. If you prefer more formal or private discussions, email me to set up a meeting! Follow Carlos at Forrester.com to keep up with my research and continue the discussion.


Eaton’s Solutions By The Sea Data Center Vision And Partner Conference: Predicting The Future Of Data Centers

Forrester was invited to Eaton’s Solutions by the Sea data center vision and partner conference, where Eaton spoke about the impact of generative AI, how this changes global energy production, and what it means to the data center. There were a number of sessions at the event, covering topics such as:

Factoring the impact of the chip evolution into rack design: exploring the convergence of networking, power, cooling, and racks, along with how the densification of chips impacts it all
How to handle bursting genAI loads: the impact of genAI workloads in the data center and the grid and how to protect the health of your systems
Battery technology and sustainability: how to meet sustainability goals with battery energy storage solutions as a critical component of your data center ecosystem
The electrification of everything: electric utility trends and the new power landscape
Maintaining and modernizing data centers: a panel discussion about aging data centers and the need to maintain and modernize power equipment
How Eaton can help you with your data center: how Eaton enables digitalization (enhancing processes through decisions) to manage and reduce outage risks

Key Differentiators

At the event, we saw a few key differentiators from others in the market:

During all of its sessions, Eaton provided a wealth of market statistics that validated its corporate direction and product positioning.
Eaton also had its products on display at the event, with staff to show off their capabilities and engage in discussions to answer any questions.

If you have any questions about Eaton or how its solutions address data centers and sustainability, please submit an inquiry request or reach out to your account team.


Software Composition Analysis (SCA) Is The App Sec Hero We Deserve AND Need

Software composition analysis (SCA) stepped out from behind the long shadow of static application security testing (SAST) and dynamic application security testing (DAST) to prove its worth years ago. And thanks to ambitious bad actors, the complex software supply chain, and generative AI (genAI) coding assistants accelerating overall code volume, SCA solutions are essential to clean up the supply chain and bolster application security. SCA is also an application security (AppSec) darling for its ability to generate a software bill of materials (SBOM). With the EU’s Cyber Resilience Act finalized, the proposed US Department of Defense Software Fast Track Initiative requiring SBOMs, and governments such as Australia releasing guidelines for software development that include SBOMs, more software suppliers around the world will need to provide SBOMs to win and maintain business. Advanced SCA tools go beyond just generating an SBOM: they continuously monitor for newly disclosed vulnerabilities in components already in the SBOM and raise proactive alerts, and they ingest third-party SBOMs to identify the risk of incorporating a third-party component. Opportunistic attacks that take advantage of newly introduced vulnerabilities and unpatched software require patience and timing. But attackers can be proactive by directly poisoning open-source and third-party components. These types of attacks, such as dependency confusion and typosquatting, were already on the rise. Now there is also “slopsquatting”: an AI coding assistant hallucinates a package name that does not exist, an attacker registers that name on the public index with malicious contents, and developers who install what the assistant suggested pull in the attacker’s package. Additionally, bad actors willing to play the long game, typically affiliated with nation states, will bully their way into maintaining obscure but widely used open-source software dependencies such as XZ Utils to bury malicious code and target downstream recipients. SCA solutions provide insight into open-source component health during selection and actively block malicious packages from being downloaded. Clearly, SCA is the AppSec hero we need.
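The three package-name attacks named above (dependency confusion, typosquatting and slopsquatting) can be screened for before a dependency is ever installed. What follows is an added example, not code from the post or from any SCA vendor: it checks each line of a requirements file against a constructed registry snapshot (package name and first-seen date), a constructed popularity list and a constructed list of internally published packages, applying PEP 503 name normalization and an edit-distance comparison that counts an adjacent-character swap as a single edit. The package names, the dates, the reference date and the 30-day "recently registered" window are all assumptions made for the demonstration.

```python
"""Pre-install checks for dependency names: typosquatting, dependency confusion,
and hallucinated or freshly registered names. Added example, not code from the
page or any SCA product; registry snapshot, popularity list, internal package
list, requirements file and reference date are all constructed."""
import re
from dataclasses import dataclass
from datetime import date

TODAY = date(2025, 5, 20)                # constructed reference date
NEW_PACKAGE_DAYS = 30                    # assumed "recently registered" window
# Constructed stand-in for a popularity list (e.g. most-downloaded packages).
POPULAR = {"requests", "numpy", "pandas", "urllib3", "cryptography", "pyyaml"}
# Constructed registry snapshot: normalised name -> first-seen date.
PUBLIC_INDEX = {name: date(2015, 1, 1) for name in POPULAR}   # long-established
PUBLIC_INDEX.update({
    "reqeusts": date(2024, 1, 1),            # look-alike of "requests"
    "acme-billing": date(2025, 3, 2),        # collides with an internal name
    "torch-utils-helper": date(2025, 5, 1),  # registered a few weeks ago
})
# Packages your organisation publishes on its own private index (constructed).
INTERNAL = {"acme-billing", "acme-auth"}

@dataclass
class Finding:
    package: str
    kind: str
    detail: str

def normalize(name):
    """PEP 503 normalisation so that 'PyYAML' and 'pyyaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent swaps,
    so 'reqeusts' is one edit away from 'requests'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def check_name(name):
    """Findings for one requested package name (empty list means no concern)."""
    n, findings = normalize(name), []
    if n in INTERNAL and n in PUBLIC_INDEX:
        findings.append(Finding(n, "dependency-confusion", "internal name also on the "
            "public index; a resolver consulting both may install the public copy"))
    if n not in INTERNAL:
        if n not in PUBLIC_INDEX:
            findings.append(Finding(n, "unresolvable", "no such package: likely "
                "hallucinated and open for an attacker to register (slopsquatting)"))
        elif (TODAY - PUBLIC_INDEX[n]).days < NEW_PACKAGE_DAYS:
            findings.append(Finding(n, "recently-registered",
                f"first seen {PUBLIC_INDEX[n].isoformat()}; review before use"))
    if n not in POPULAR:
        limit = 1 if len(n) < 8 else 2            # tolerate more edits in long names
        for popular in sorted(POPULAR):
            if osa_distance(n, popular) <= limit:
                findings.append(Finding(n, "typosquat",
                    f"within {limit} edit(s) of popular package '{popular}'"))
    return findings

def audit(requirements_text):
    """{normalised name: [Finding, ...]} for every requirement line."""
    results = {}
    for line in requirements_text.splitlines():
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line.split("#", 1)[0].strip())
        if m:                                     # skip blank/comment-only lines
            results[normalize(m.group(0))] = check_name(m.group(0))
    return results

# Constructed requirements file, including two assistant-suggested names.
REQUIREMENTS = """\
requests==2.32.0
reqeusts
acme-billing>=1.0
acme-auth
torch-utils-helper   # suggested by a coding assistant
pandas-extras-pro    # suggested by a coding assistant
"""

if __name__ == "__main__":
    for pkg, findings in audit(REQUIREMENTS).items():
        for f in findings or [Finding(pkg, "ok", "no issues found")]:
            print(f"{pkg:20} {f.kind:22} {f.detail}")
```

A real pre-commit hook or package firewall would replace the constructed snapshot with a live index lookup and download statistics. The point of the unresolvable case is that a hallucinated name should be deleted from the requirements file rather than left for someone to register later, and the dependency-confusion finding is only a warning: the fix is to configure the resolver so that internal names are never looked up on the public index at all.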
Enterprises have been eager to embed and utilize AI in the customer-facing applications that they build. In Forrester’s 2024 survey of business and technology professionals, 33% reported using genAI in production applications. This means a whole new world of application dependencies consisting of AI models, third-party APIs, and open-source dependencies. Python is a popular language for AI applications, as is the PyPI package manager for open-source dependencies. Bad actors did not waste any time in uploading legitimate-looking but malicious packages that were downloaded hundreds of times by developers building AI applications. Poisoned AI models could be pulled down from Hugging Face and other public repositories. At the time of The Forrester Wave™: Software Composition Analysis Software, Q4 2024 evaluation, only a few SCA vendors were scanning AI models or creating AI bills of materials, but this functionality is needed broadly and quickly. When thinking about purchasing or upgrading your SCA software, consider key insights we gathered from talking with SCA vendor customers to get the tool you not only deserve but also need:

Evaluate more than one vendor. This may seem obvious, but SCA software differs in functionality and the quality of output. Some software is primarily focused on open-source components, while others go beyond and assess third-party components and even inner-source components (those shared components written by your organization). The quality of the results also differs based on language and ability to detect vulnerabilities in transitive dependencies. Most reference customers evaluated three vendors’ software as part of the purchasing process (see figure below).

Don’t settle. You’re going to be in it for the long haul. Customer references have been with their vendor on average for over 3.5 years. And they are happy! Twenty-two of 28 references rate their vendor at a nine or 10.
If you have an SCA solution and you are not satisfied, it’s worth your time to revisit this at the next renewal period.

Keep an eye out for the extras. SCA software vendors have expanded their offering to cover more of the software supply chain, such as offering malicious package detection and package firewall protection, infrastructure as code and container image scanning, and secrets detection. Depending on the vendor and its pricing and packaging model, these capabilities could be add-ons to the base price. Static reachability (the ability to determine whether the vulnerable function is actually called by your first-party code) should be table stakes for SCA solutions, but some vendors require you to also purchase their SAST solution to get this level of insight.

Be your company’s hero and select an SCA software solution that helps secure your software supply chain by utilizing Forrester’s Buyer’s Guide: Software Composition Analysis Software, 2025, and The Forrester Wave™: Software Composition Analysis Software, Q4 2024. For more insights, schedule a guidance session or inquiry with me. Protecting your brand, your customers’ data, and your revenue is worth the effort.
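Three capabilities singled out in this post (matching SBOM components against newly disclosed advisories, tracing vulnerabilities in transitive dependencies, and static reachability) can be sketched in a few dozen lines. The following is an added example, not the page’s or any SCA vendor’s code: it reads a constructed CycloneDX-style SBOM, matches its components against a constructed advisory feed whose identifiers are placeholders rather than real CVEs, reports the dependency path from the application to each affected component, and parses the first-party source with Python’s ast module to see whether the advisory’s entry point is called directly. The SBOM, the advisory feed, the “versions below the fix are affected” rule and the first-party source are all assumptions made for the demonstration.

```python
"""Match SBOM components against an advisory feed and check static reachability.
Added example, not the page's or any SCA vendor's code; SBOM, advisories
(placeholder IDs, not real CVEs) and first-party source are all constructed."""
import ast, json
from collections import deque

# Constructed CycloneDX-style SBOM; 'dependencies' carries the resolution graph.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "app", "version": "1.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.32.0", "name": "requests", "version": "2.32.0"},
        {"bom-ref": "pkg:pypi/urllib3@1.26.5", "name": "urllib3", "version": "1.26.5"},
        {"bom-ref": "pkg:pypi/pyyaml@6.0.1", "name": "pyyaml", "version": "6.0.1"},
        {"bom-ref": "pkg:pypi/jinja2@3.1.4", "name": "jinja2", "version": "3.1.4"}],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.32.0", "pkg:pypi/pyyaml@6.0.1",
                                     "pkg:pypi/jinja2@3.1.4"]},
        {"ref": "pkg:pypi/requests@2.32.0", "dependsOn": ["pkg:pypi/urllib3@1.26.5"]}],
})
# Constructed advisories: versions below 'fixed_in' are affected; the bug only
# matters if first-party code calls 'sink'.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "urllib3", "fixed_in": "1.26.18", "sink": "urllib3.PoolManager"},
    {"id": "EXAMPLE-0002", "package": "pyyaml", "fixed_in": "6.1", "sink": "yaml.load"},
    {"id": "EXAMPLE-0003", "package": "jinja2", "fixed_in": "3.1.4", "sink": "jinja2.Environment"},
]
# Constructed first-party code: aliased imports, one sink called, one avoided.
FIRST_PARTY_SOURCE = '''
import yaml
from urllib3 import PoolManager
import jinja2 as j2
def load_config(text):
    return yaml.safe_load(text)        # safe_load, not the flagged yaml.load
def fetch(url):
    return PoolManager().request("GET", url)
def render(template, **ctx):
    return j2.Template(template).render(**ctx)
'''

def version_tuple(version): return tuple(int(part) for part in version.split("."))

def dependency_paths(sbom):
    """Breadth-first walk from the root component: {bom-ref: names on path}."""
    root = sbom["metadata"]["component"]
    names = {c["bom-ref"]: c["name"] for c in sbom["components"]}
    names[root["bom-ref"]] = root["name"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths, queue = {root["bom-ref"]: [root["name"]]}, deque([root["bom-ref"]])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in paths:          # first path found is the shortest
                paths[child] = paths[ref] + [names[child]]
                queue.append(child)
    return paths

def called_symbols(source):
    """Fully qualified names of callables invoked directly by first-party code."""
    tree = ast.parse(source)
    aliases = {}                            # local name -> module-qualified name
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom):
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    def qualify(func):
        parts = []
        while isinstance(func, ast.Attribute):  # unwind a.b.c(...) to its root name
            parts.append(func.attr)
            func = func.value
        if not isinstance(func, ast.Name):      # call on a call result: not resolved
            return None
        parts.append(aliases.get(func.id, func.id))
        return ".".join(reversed(parts))
    return {q for n in ast.walk(tree) if isinstance(n, ast.Call)
            for q in [qualify(n.func)] if q}

def assess(sbom_json, advisories, source):
    """Affected components with their dependency path and a reachability verdict."""
    sbom = json.loads(sbom_json)
    paths, called, findings = dependency_paths(sbom), called_symbols(source), []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["package"] != comp["name"].lower():
                continue
            if version_tuple(comp["version"]) >= version_tuple(adv["fixed_in"]):
                continue                        # already at or past the fix
            findings.append({"id": adv["id"], "package": comp["name"],
                             "version": comp["version"], "reachable": adv["sink"] in called,
                             "path": " -> ".join(paths.get(comp["bom-ref"], [comp["name"]]))})
    return findings

if __name__ == "__main__":
    for f in assess(SBOM_JSON, ADVISORIES, FIRST_PARTY_SOURCE):
        print(f["id"], f["package"], f["version"], "via", f["path"],
              "REACHABLE" if f["reachable"] else "not called by first-party code")
```

The reachability check is deliberately conservative: it resolves direct calls through import aliases, so PoolManager() is attributed to urllib3 and j2.Template() to jinja2, but it does not follow a method invoked on the result of another call and it does not look inside the third-party package itself. A commercial tool builds a call graph across both; the example is enough to show why an advisory against a transitive dependency (urllib3 reached only through requests here) can still be reachable from your code while one against a direct dependency (pyyaml, where only safe_load is used) is not.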


Shine Bright At The B2B Summit APAC 2025 Awards!

Attention, all B2B leaders! The stage is set, and the spotlight is on you. The B2B Summit APAC Awards are calling for entries — this is your golden opportunity to showcase your extraordinary achievements. Have you driven remarkable milestones with a customer-obsessed growth strategy, process, or initiative? Have you been the catalyst behind your company’s marketing, sales, or product strategy driving phenomenal growth? If so, we want to hear your story! Submit your entries by August 28, 2025, and let your success shine. We are on the lookout for programs developed by leaders and teams based in the APAC region that show strong cross-functional alignment or exceptional results from a single function that make a significant impact on company performance and growth. Winners will be unveiled just before Forrester’s B2B Summit APAC on November 6, 2025 in Singapore. Imagine receiving complimentary tickets to the Summit and sharing your inspiring journey on the event mainstage. But that’s not all! Both the winners and finalists can bask in the limelight by featuring in Forrester reports, videos, social media posts, and other prominent channels, celebrating your success far and wide. Join the elite ranks of previous winners — such as Autodesk, Cisco, Dell Technologies, F5, Fujitsu Asia Pacific, Grant Thornton Australia, Red Hat, and UiPath — that have earned their place in our prestigious hall of fame. Now it’s your turn to step into the spotlight. Start crafting your entry and let your achievements shine. Navigate to the awards page on our B2B Summit APAC site for an FAQ section, and access the entry form to get started. Remember, the deadline is August 28, 2025 — don’t miss your chance!


Tackling Cloud Security: US State and Local Government Edition

US state and local governments lean on public cloud to: 1) enable citizen services delivery and business agility; 2) fulfill scalability requirements; 3) drive down labor and infrastructure cost; and 4) resolve compliance and audit pressures. Most recently, it has been used to power smart city, AI, and open data platforms. Today, there is no shortage of state and local examples: Delaware, Texas, California, Iowa, Michigan, Massachusetts, New York, North Carolina, San Francisco, Houston, Baltimore, New York City Cyber Command, etc. A central theme in most state and local government (SLG) cloud strategies is security and governance to ensure protection of data and resilience of critical systems. While many of the drivers for state and local cloud security and governance match or overlap the federal ones listed in our Tackling Cloud Security: US Federal Edition blog, state and local government presents unique challenges in the following areas:

SLG certification requirements go beyond federal ones. There are security certifications by state that often go above and beyond FedRAMP. Many states need to certify each individual service enabled (for example, Amazon S3 and EBS) rather than the provider as a whole. There are also requirements for third-party monitoring (e.g., the New York Department of Financial Services’ 23 NYCRR 500 for third-party risk management and monitoring). Often, these monitoring requirements extend to employees who may also be subject to other states’ regulations.

Agencies must harmonize state, federal, and foreign security controls. Data privacy has significant impacts on cloud security controls — especially in data protection. How you handle and protect subjects’ data in your state and how you handle subjects that are out of state may be governed by different regulations.
Reconciling different states’ regulatory and data privacy requirements with one another and with federal and foreign jurisdictions’ mandates (for example, California’s CCPA with Illinois’ BIPA or Massachusetts’ MIPSA, sprinkled in with the EU’s GDPR) when agencies deal with multistate business partners or organizational clients/subjects is nontrivial.

Agencies must overcome higher levels of technical debt in state infrastructure. Based on anecdotal evidence, Forrester expects that security-related technical IT debt is generally higher at SLGs than at the federal level. Overcoming this debt — especially in light of the above harmonization requirements — is expensive and time-consuming.

Talent pressures are even greater than at the federal level. Not only may SLGs have lower budgets to staff IT management and cloud security operations, but often, the talent pool they can use is much smaller — because of employee residency and physical-office presence requirements — than it is for federal agencies. Many state and local groups also struggle with unions, unified titles that fail to describe the work, and pay-grade limitations.

To overcome the above challenges, Forrester recommends that SLGs:

Factor unique locally applicable requirements into their cloud security strategy. Unique aspects of talent pool size, connectivity bandwidth restrictions, and point-of-presence availability of major cloud service providers’ government zones all define SLGs’ cloud security strategies. An SLG has to tailor its cloud adoption, governance, and security strategies to meet state-specific compliance requirements while continually performing a reality check in budgeting and operations.

Use locally available vendor and service provider services. SLGs should opt to work with service providers that have a proven track record of meeting state-specific regulatory requirements by offering products and services that do not excessively depend on out-of-state labor.
Many cloud providers are certified on the state requirements for large states such as California and Texas, but you may find the list of precertified services more limited in smaller states.

Build on federal government-specific certifications. To the greatest extent possible, SLGs should not reinvent the wheel when it comes to new certifications. Find ways to build on and harmonize with federal (FedRAMP, NIST) as well as industry requirements (HIPAA, PCI DSS, ISO 27001, SOC 2 Type 2, SOC 3) to meet state and local security, data protection, and privacy mandates. This will keep your contracting and tech stack options more open so that you can focus on what you’re doing with the technology or how your team is securing applications in the cloud.

Collaborate across jurisdictions. We have seen interagency collaboration in federal government overcome resource constraints. In some creative instances, open-source communities provide an avenue for collaboration between jurisdictions absent of political and bureaucratic hurdles. SLGs should engage with both peer governments and the broader open-source ecosystem to share best practices, collectively address vulnerabilities, and implement proven, SLG-ready solutions without large capital expenditures.



Coinbase Flips The Coin On Would-Be Extortionists

In a recent example of why managing insider risk is critical, cryptocurrency exchange Coinbase announced that it was the target of an extortion scheme enabled by insiders. Coinbase published a blog indicating that malicious actors recruited overseas contractors who were support agents for the firm to gain access. The cybercriminals then attempted to extort the company for $20 million to cover up the data breach. Earlier this year in Forrester’s The Top Cybersecurity Threats In 2025 report, Forrester called out a higher risk of insider threats due to disgruntlement, financial distress, and geopolitical conflict. According to a video from Coinbase CEO Brian Armstrong, cybercriminals were able to access personal information on less than 1% of the company’s monthly transacting users (MTUs). An 8-K filing indicates that cybercriminals accessed company and customer data, including:

Name, address, phone, and email
Masked Social Security numbers (last 4 digits only)
Masked bank account numbers and some bank account identifiers
Government‑ID images (e.g., driver’s license, passport)
Account data (balance snapshots and transaction history)
Limited corporate data (including documents, training material, and communications available to support)

The company said that the attackers weren’t able to access any user passwords, private keys, or funds. Instead, the cybercriminals used the data accessed to socially engineer Coinbase clients. Coinbase dismissed the insiders involved in the incident and is pursuing criminal charges against them through international law enforcement entities.

Estimating The Impact

Coinbase provided a preliminary estimate of expenses related to the incident that range from $180–$400 million, including remediation costs, customer reimbursements, and other potential costs. The actual total could be lower based on insurance claims. Breaches, however, do have a long tail, so once litigation begins, the number could just as easily increase in the years ahead.
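The post describes how the access happened (support agents looking up customer records they had no business reason to view) but not how such activity is detected, so the following is an added example rather than a description of Coinbase’s controls. It runs a peer-baseline check over constructed support-tool audit logs and flags an agent whose count of distinct customers viewed is far above the peer median and whose lookups are mostly not tied to a ticket. The log format, the agent and customer identifiers, the action name and the thresholds are all assumptions made for the demonstration.

```python
"""Peer-baseline check over support-tool audit logs for insider enumeration.
Added example, not a description of Coinbase's controls; the log format, the
agent and customer identifiers and the thresholds are all constructed/assumed."""
import re
import statistics
from collections import defaultdict

LINE = re.compile(r"(?P<ts>\S+) agent=(?P<agent>\S+) action=(?P<action>\S+) "
                  r"customer=(?P<customer>\S+) ticket=(?P<ticket>\S+)")

def build_sample_log():
    """Constructed day of logs: five ordinary agents and one enumerating accounts."""
    lines = []
    for a in range(1, 6):                      # ticket-driven lookups, 8 per agent
        for i in range(8):
            lines.append(f"2025-04-02T09:{i:02d}:00Z agent=ag0{a} action=view_customer "
                         f"customer=c{a}{i:03d} ticket=T-{a}{i:03d}")
    for i in range(60):                        # 60 lookups, 40 of them without a ticket
        ticket = f"T-9{i:03d}" if i < 20 else "-"
        lines.append(f"2025-04-02T10:{i:02d}:00Z agent=ag06 action=view_customer "
                     f"customer=c9{i:03d} ticket={ticket}")
    lines.append("2025-04-02T11:00:00Z malformed line that the parser must skip")
    return lines

def agent_stats(lines):
    """Per-agent distinct customers viewed, total events and no-ticket events."""
    stats = defaultdict(lambda: {"customers": set(), "events": 0, "no_ticket": 0})
    for line in lines:
        m = LINE.match(line)
        if not m or m["action"] != "view_customer":
            continue                           # other actions or unparseable lines
        s = stats[m["agent"]]
        s["events"] += 1
        s["customers"].add(m["customer"])
        if m["ticket"] == "-":
            s["no_ticket"] += 1
    return stats

def flag_agents(lines, volume_ratio=3.0, min_customers=20, max_no_ticket_share=0.25):
    """Agents whose lookup volume or ticket-less share stands out from peers."""
    stats = agent_stats(lines)
    counts = {agent: len(s["customers"]) for agent, s in stats.items()}
    baseline = statistics.median(counts.values())   # peer median: robust to the outlier
    flagged = {}
    for agent, s in stats.items():
        reasons = []
        if counts[agent] >= min_customers and counts[agent] > volume_ratio * baseline:
            reasons.append(f"{counts[agent]} distinct customers vs peer median {baseline:g}")
        share = s["no_ticket"] / s["events"]
        if share > max_no_ticket_share:
            reasons.append(f"{share:.0%} of lookups not tied to a ticket")
        if reasons:
            flagged[agent] = reasons
    return flagged

if __name__ == "__main__":
    for agent, reasons in flag_agents(build_sample_log()).items():
        print(agent, "->", "; ".join(reasons))
```

The median rather than the mean is used as the baseline so that the outlier agent does not drag the baseline up and hide itself; the minimum-customer floor stops a single quiet day from producing alerts. In production the same logic would be run per shift and per queue, and the ticket check would join the access log against the ticketing system rather than trusting a field the agent’s own tool wrote.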
Flipping The Coin (Script) On The Extortionists

In a bold and unexpected move, Coinbase has opted to throw the ransom request back in the face of the attackers — instead of paying the ransom demand, it is putting the $20 million toward a bounty for information leading to the arrest and conviction of the attackers. This seems to be a first — governments, such as the FBI and the US State Department through Rewards For Justice, have offered bounties before, but no private-sector company seems to have taken this approach previously.

Rebuilding Customer Trust

The old adage “It’s not the crime; it’s the cover-up” applies to breaches. In this scenario, Coinbase provided remarkably clear, specific, and transparent details about the incident and its impact. This ranges from its public statements and the video from its CEO to the bounty for the arrest of the individuals/groups involved and its required 8-K filing. The response was human and helpful. Coinbase directly addressed customer concerns (such as reimbursements for those tricked into sending funds to attackers), highlighted how customers can stay safe, and outlined the actions that Coinbase is taking next. In the blog post, Coinbase points out that “crypto adoption depends on trust.” The seven levers of trust in Forrester’s trust imperative research include accountability, competence, transparency, and empathy. Coinbase touched on each of these in its announcements and communications about the incident so far. Its behavior, in the short term, demonstrates its commitment to rebuilding customer trust.

Beware Of Low-Cost International Expansion

Coinbase’s announcement includes a warning that every business needs to take note of. Economic volatility puts pressure on businesses to cut costs in various ways, including offshoring. But international expansion brings with it cultural challenges, law enforcement differences, and stark contrasts in employee-to-employer loyalty. Coinbase experienced this firsthand.
For those thinking that a combination of guardrails, agentic AI, and AI agents will solve this problem … well … generative AI is not immune to bribes either.

Thwarting Future Social Engineering Attempts

The Coinbase breach was a combination of multiple human-element breach types that resulted in the social engineering of its customers. In addition to the transparency around the breach itself, Coinbase provided all customers with best practices for keeping data and funds safe. Coinbase clearly states that it will never ask for passwords or two-factor authentication codes and won’t call or text customers to provide information. It states, “If you receive this call, hang up the phone.” Encouraging customers, partners, and employees to pause and ask questions in the face of novelty, authority, and/or urgency is critical to disrupting social engineering attempts. It’s equally important to communicate exactly how you will and will not communicate with them — from the CEO to the HR department to the help desk. If you haven’t already, develop and socialize these messages throughout your organization and ecosystem.

Managing Insider Risk

Forrester data shows that approximately 23% of data breaches were the result of insider incidents. Half of those incidents were the result of malicious insiders. Cybercriminals and other malicious actors are also targeting insiders (as happened in the Coinbase incident) to gain access to sensitive data and systems. Managing insider risk requires dedicated focus that starts with the insiders themselves (employees, contractors, and partners) in addition to defined processes and technology. Part of managing insider risk is understanding insider motivations, which include financial distress, disgruntlement, outside influence (again, see the Coinbase example), and others. Our report, Best Practices: Insider Risk Management, provides best practices for managing insider risk and 10 steps for establishing an insider risk management program.
Let’s Connect

Forrester clients can schedule an inquiry or guidance session with me to do a deeper dive on insider risk and learn how to start their own insider risk management program.