In Cybersecurity, Awareness is Key

Well it’s October again, which means Fall is here, Sundays are for football, folks are picking out costumes for Halloween and, of course, people are paying extra close attention to cybersecurity in recognition of National Cyber Security Awareness Month…right…?

Ok, so maybe not everyone is focused on National Cyber Security Awareness Month, but the program, “a Department of Homeland Security-administered campaign held every October,” does provide a great opportunity to raise awareness of cyber threats, especially as we head into the holiday season, a time when cyberthieves tend to get especially aggressive. (Source: “National Cyber Security Awareness Month, Cyber Security is Everyone’s Responsibility,” October 3, 2016).

“[I]t’s important for individuals, businesses, and others to be involved in their own cyber security. And National Cyber Security Awareness Month [ ] is perhaps the most appropriate time to reflect on the universe of cyber threats and on doing your part to secure your own devices, networks, and data.”
So, in the spirit of “NCSA month,” here are three things you and your company can do to heighten your cybersecurity awareness towards remaining vigilant, strong and cybersecure:

1. Conduct Awareness Campaigns. Something you can do throughout the year is send e-mails to your team members (or organization-wide) keeping them informed of the latest cyberthreats, including such threats as the latest ransomware variants (“Cry” or “Fantom,” for example). During NCSA month, specifically, consider sending an e-mail once a week to really raise awareness and stress to employees that it’s everyone’s job to keep the company and its employees and customers secure. The Department of Homeland Security has a number of resources to help with these efforts, as do various private sector vendors. For more from the DHS, check out their website at

2. Rehearse a Data Breach. One thing you and your leadership can do to really raise cybersecurity awareness at senior staff levels is to conduct tabletop exercises that simulate an actual data breach or other cybersecurity incident. Not only will these practice sessions help to put the cybersecurity issue front and center for the company’s key players, but, “Going through the motions of an imaginary attack can help prevent executives from making common mistakes and mishaps during times of crisis…It’s one of the best ways to test one’s incident response team and plan ahead.” (Source: Fortune magazine, “The Best Way for Companies to Prepare for Inevitable Data Breaches: Rehearse,” citing Diana Kelley, executive security advisor at IBM, September 27, 2016).

“Script through an attack at your company.”

3. Conduct a training. There is really never a bad time to conduct cybersecurity training in the workplace, but doing so during NCSA month can both increase awareness and help the company resist an attack. Since, “Increased investment in employee training can reduce the risk of a cyber attack 45 to 70 percent,” and, “employees are ‘perhaps the greatest evolving security threat,'” it would seem that National Cyber Security Awareness month would be the perfect time to not only better prepare employees, but also raise their awareness of the cybersecurity threats they and their employers face. (Source: BizTimes, “Reduce cyber security risks with employee training,” citing a 2015 study by Wombat Security Technologies and the Aberdeen Group, March 28, 2016).

This month, National Cyber Security Awareness month, is the perfect time for leaders to make cybersecurity a priority and truly empower employees with knowledge and awareness. Set aside some time, collaborate with your colleagues, and take steps that make sense for you and your organization so that when the next cyber attack does come along, you and your folks will be ready, willing and able to mount a strong defense and help defeat those seeking to do harm to your company, your people and your customers.


Low Tech ‘Social Engineering’ is Often Key to Successful Cyberattacks

You hear about it in the news all the time now. A company has been “hacked,” leading to the exposure of thousands or even millions of consumer or employee records. Inevitably, there is then the follow-on credit monitoring, regulatory action, and some forensic look at how the bad guys “got in” and what variant of the latest virus was used to infiltrate the victim company’s systems.

In depth social engineering supported an attack that cost Leoni AG, one of the world’s largest manufacturers of wires and electrical cables, more than $44 million.

These stories are real and important, for sure, but one thing that has been increasingly overlooked in the headlines is the fact that many of these so-called “hacks” don’t begin in a technical manner at all. Many so-called cyberattacks start with nothing more than good old fashioned “casing” or scouting of the victim company and their employees, often through seemingly innocent phone calls placed to company employees or through the review of easily and publicly accessible online social media accounts (think LinkedIn profiles that tell the world who does accounts payable for company ABC).

This low tech approach, known as “social engineering,” when done well empowers would-be cyber thieves to learn user names, passwords, job titles, functions, responsibilities and other information that is in turn used to perpetrate the follow-on attack.

This attack method was on full display during a “social engineering contest” at last month’s Def Con hacking conference in Las Vegas. Chris Silvers, who won first prize in that contest, called a company employee and pretended he was “filling in gaps in an internal survey the company had sent out to employees — a real survey he’d found on the company’s website during his pre-contest research.” (Source: USA Today, “A hacker’s best friend is a nice employee,” by Elizabeth Weise, Aug. 15, 2016).

“The staffer who answered her desk phone fell for his ploy hook, line and sinker, no doubt soothed by his southern accent and calm conviction he had every right in the world to be asking his questions. He convinced her to go to a non-existent website to sign up for a $10 Amazon gift card for her trouble. When that — of course — didn’t work, he offered to help her troubleshoot the problem.” (Source: Id.).

Ultimately, during a single phone call that lasted less than 25 minutes, Silvers was able to learn a “treasure trove of information about her company’s computer network, antivirus software and web filtering protocols — more than enough information for a hacker to easily infiltrate the network.” (Source: Id.).

Chris Silvers, who runs CG Silvers, an independent security consulting firm in Atlanta, won first prize in the social engineering contest held at the DefCon hacker conference in Las Vegas. “You can get everything you need — information about their security, their operating system, what kind of computers they use. Just with a call,” he said.

This same type of social engineering was a key element in a real life multimillion dollar attack just last month on Leoni AG, one of the world’s largest manufacturers of wires and electrical cables. According to media reports, thieves “spoofed emails to look like official payment requests.” The CFO of the targeted Leoni factory then sent more than $44 million (USD) in funds to the thieves after receiving those emails, which were “cloned to look like they came from [the Company’s] German executives.” (Source: Gizmodo, “An Email Scam Cost One of Europe’s Biggest Companies $40 Million,” by Hudson Hongo, Sept. 1, 2016).

Apparently, the Leoni attack was successful largely because of the extent to which the thieves socially engineered their efforts, cloaking their fraud in the appearance of legitimacy.

“Investigators say the email was crafted in such a way to take into account Leoni’s internal procedures for approving and transferring funds. ..The [ ] factory was [also] not chosen at random…Leoni has four factories in Romania, and the [targeted] branch is the only one authorized to make money transfers.” (Source: Softpedia, “One of Europe’s Biggest Companies Loses €40 Million in Online Scam,” by Catalin Cimpanu, Aug. 31, 2016).

The lessons here are clear. Training employees is incredibly important in the defense against cybercrime. And, given the evidence of the latest attacks, that training must be broad enough to ensure that companies and their employees are on the lookout for and prepared to rebuff the social engineering tactics employed by cyber thieves. We’ve moved well past the “Nigerian prince” emails, and now live in an increasingly dangerous environment in which the bad guys are smart, cunning and seriously deliberate about who they target and what they’re after. Companies should be equally as committed, deliberate and thorough when it comes to their defenses – those that do will dramatically increase their chances of staying safe and staying out of the cyberattack headlines.

Toddler Trampling Robots, Killer Cars: What to Do When Technology Fails Us

I’m a huge fan of tech, especially cutting-edge tech that holds the promise of saving lives, keeping us safer and helping us to care for our loved ones. Which is one of many reasons why I was incredibly saddened to hear about two recent incidents in which cutting-edge tech failed, allegedly causing the injury of a child in one case and, in another case, contributing to the death of a motorist.

[Image: mall robot toddler]
“A mother and father watched in horror as a security robot at a mall in California knocked their 16-month-old to the ground and ran over one of his feet.”

On May 7, an Ohio man was killed in a car crash in which his Tesla Model S, operating in “autopilot mode,” ran into and underneath a tractor trailer. (Source: The Verge, “Tesla driver killed in crash with Autopilot active, NHTSA investigating,” by Jordan Golson, June 30, 2016). This was the first known fatality in a Tesla where Autopilot was active. (Id.). It also appears to have been, “the first known death caused by a self-driving car… Against a bright spring sky, the car’s sensors system failed to distinguish a large white 18-wheel truck and trailer crossing the highway…” (Source: The Guardian, “Tesla driver dies in first fatal crash while using autopilot mode,” by Danny Yadron and Dan Tynan, June 30, 2016). The NHTSA notified Tesla it is investigating.

And earlier this month, a 300-lb robot security ‘guard’ on patrol at a mall in California allegedly “ran over” a toddler. The 16-month-old boy’s mother said the robot “ran directly into her son — striking him in the head and knocking him to the ground. The robot continued forward, running over the boy’s right foot.” (Source: CNNMoney, “300-pound mall robot runs over toddler,” by Matt McFarland, July 14, 2016). Thankfully, the child was not seriously hurt. “X-rays taken after the incident were negative. The toddler has a scrape on the back of one of his knees.” (Id.).

[Image: cartoon, “no new tech”]
Source: INKCINCT — June 4, 2007

The harsh reality is that technology (especially leading edge tech) will never be “perfect.” Technological advances often require many iterations before realizing their full potential and certainly before meeting consumer expectations and attaining mainstream acceptance. Even then, no technology is perfect. In ten years, self-driving cars will still be involved in accidents.

The question is not, however, one of “perfection,” but of advancement. Are we better off with significantly fewer accidents on the road (and thousands of lives saved), or are we so outraged when technology fails us that we reject advancement and regulate progress away? Do we value a drop in crime that results from automated robots patrolling a mall, or are we so incensed at the injury of a child (and rightly so) that we take all the robots “offline?”

I respectfully suggest that the answer is, “both.” (taking my cue from my three-and-a-half-year-old son who tells me it’s not “or” daddy, it’s “and,” when I ask him to make a choice he doesn’t like, either). Consumers and companies alike must reject the false choice of wholeheartedly embracing tech or rejecting it outright. We should be angered when tech fails us, and we should value and support the advances that the same tech has produced and enjoy the improved safety it provides. (See this July 21 report of a Tesla Model S’ Automatic Emergency Braking system reportedly saving the life of a pedestrian in Washington, D.C.). There will never be a time when technology is 100% foolproof. But if we can be deliberate and thoughtful about our approach to tech, if we can embrace the advances and manage the setbacks as they inevitably occur, we may then be able to improve our world, improve our lives and improve our communities through technological advancement without sacrificing who we are or what we value. Companies and organizations that understand, acknowledge and evangelize that truth will inevitably come out on top.

Nationwide IoT is Here! (Disclaimer: Not available in the U.S.)

The race to develop, implement and roll out a nationwide Internet of Things (IoT) connected devices network is over, and two countries are laying claim to the “we were first” trophy.

Earlier this week, both South Korea and the Netherlands announced that they had switched on their own respective national IoT networks, which in the case of the Netherlands “reportedly covers the entire country and will be used to connect millions of devices.” (Source: Gizmag, “Netherlands rolls out world-first nationwide Internet of Things network,” by Michael Irving, July 1, 2016). South Korea did the same, launching “its first commercial, low-cost Internet of Things (IoT) network [that will] allow smart devices to talk to each other via the network.” (Source: BBC News, “South Korea launches first Internet of Things network,” July 5, 2016).

[Image: Korea IoT]
“South Korea has launched its first commercial, low-cost Internet of Things (IoT) network aimed at making the country even more connected.”

According to reports, the South Korea IoT nationwide network will:

  • allow smart devices to “talk to each other via the network [using] technology that will allow it to reach 99% of the country’s population.”
  • provide services viewed as a way to “ease the cost burden of startups and small and medium enterprises.”
  • on the consumer side, “help appliances like fridges or printers tell its owners when it needs to be refilled, help customers locate lost smartphones and even monitor pets.” (Source: Id.)

The South Korean IoT network provider (SK Telecom) is investing “up to 100 billion won by the end of next year to further develop the infrastructure…” (Source: Id.)

In the Netherlands, Dutch telecommunications company KPN technicians “fitted hundreds of existing mobile transmission towers with LoRa (Long Range) gateways and antennas, to create a new public network dedicated to IoT devices. Sections first went online in Rotterdam and The Hague in November 2015, before work ramped up earlier this year in response to customer interest.” (Source: Gizmag).

KPN reportedly already has contracts for 1.5 million devices to utilize the network. Id. “Baggage handling at Schiphol Airport, depth sounders in the port of Rotterdam and rail switches at Utrecht Central Station are all currently being handled by smart connected devices, with plenty more expected to join the party as KPN continues to optimize and add functionality to the system.” Id.

[Image: Dutch IoT]
“…technicians fitted hundreds of existing mobile transmission towers with [ ] gateways and antennas, to create a new public network dedicated to IoT devices.”

The United States is a much larger country, of course, than both South Korea and the Netherlands, but even so there does not appear to be any significant movement here in the U.S. to develop and launch a similar IoT network. The most ‘movement’ that can be seen – if you can call it that – is related to legislation, not infrastructure. In April, a Senate committee voted to approve the DIGIT Act, which would “require the Federal Communications Commission to report on the spectrum required to support a network of billions of devices. It would also convene working groups [ ] to advise Congress on Internet of Things-related policy.” (Source: NextGov, “Senate Committee Approves Bill to Create National Internet of Things Strategy,” by Mohana Ravindranath, April 27, 2016). Roughly a year earlier, the Senate passed an Internet of Things resolution calling for a “national strategy on the topic.” Id.

So, while we in the U.S. take committee votes and issue calls for strategies and reports, countries elsewhere (including Mexico, now, which is working towards a 2017 nationwide IoT rollout) are forging ahead, launching 21st century infrastructure initiatives designed to empower industry, facilitate commerce and drive economic development and growth. Surely we’ll see a U.S. IoT nationwide network effort at some point; the question is, however, when? And until then, how many more countries will launch their own IoT networks and realize the benefits of connected device systems before we do?

Data Breach Costs are Up (Again), But Some Companies Know Just What to Do…

The Ponemon Institute, in collaboration with IBM, has released its annual study on the costs of data breaches globally and here in the United States. The “2016 Cost of Data Breach Study: Global Analysis” was published last week, and it contains some important findings to take note of, most of which reveal the rising costs associated with a data breach.

[Image: IBM release on rising costs]
“Slow Response and Lack of Planning Cost Companies Millions”

Among the study’s findings:

Although these statistics are sure to garner headlines, perhaps the most valuable findings from the report concern factors that can actually decrease the costs of a data breach. According to the study (page 14 of the Report), there are ten (10) actions that, when taken, are associated with lower data breach costs. They include:

  • Maintaining an incident response team ($16 per capita)
  • Extensive use of encryption ($13)
  • Training employees ($9)
  • Participating in sharing of threat information ($9)
  • Having a company’s board involved ($6)

[Image: data breach cost-saving efforts]
“…an incident response team, extensive use of encryption, employee training, participation in threat sharing or business continuity management decreased the per capita cost of data breach.”

This latest Ponemon study confirms the continuing trend of rising costs associated with data breaches, both globally and in the United States. It offers some hope, however, as well. It is now increasingly clear that while data security incidents might well be an inevitable part of doing business, there are concrete actions that smart organizations can take – and some that they can avoid taking – which can lower risks and resulting costs associated with those incidents. Cyber-savvy organizations will train their employees, maintain an IR team and involve their boards as they consider, plan and prepare for cybersecurity incidents. These actions and others will propel these organizations forward and add to their competitive edge in the marketplace.

Recipe for Disaster: as Phishing & Ransomware Attacks Spike, Companies “Turn a Blind Eye”

According to a recent report by the Anti-Phishing Working Group (APWG), phishing activity is at an all-time high. APWG “observed more phishing attacks in the first quarter of 2016 than at any other time in history…the total number of unique phishing websites observed in Q1 2016 was a record 289,371, with 123,555 of those phishing sites detected in March 2016.” (Source: Phishing Activity Trends Report, 1st Quarter 2016, May 23, 2016).

At the same time, ransomware attacks have also spiked. “Kevin Haley, the director of product management at Symantec Security Response, said his group has seen an average of over 4,000 ransomware attacks per day since Jan. 1, a 300-percent increase over the approximately 1,000 attacks per day in 2015…” Ransomware attacks in the first quarter of 2016 are “coming at quadruple the rate seen last year…” according to figures from the group. (Source: fedscoop, “Ransomware attacks quadrupled in Q1 2016,” by Greg Otto, April 29, 2016).

[Image: ransomware trends]
Ransomware activity has spiked in the first half of 2016.

So are companies responding, training their people and prioritizing cybersecurity as one might hope? Apparently not, at least according to a newly published study by Experian Data Breach Resolution and Ponemon Institute.

The study, entitled “Managing Insider Risk Through Training & Culture,” found that 60% of companies surveyed believe that their employees are “not knowledgeable or have no knowledge of the company’s security risks…Additionally, the study showed a lack of concern by C-suite executives. Only 35% of respondents said that senior management sees it as a priority that employees are knowledgeable about how data security risks affect their organization.” (Source: Infosecurity Magazine, “Orgs Turn Blind Eye to Risky Employee Behavior,” by Tara Seals, May 23, 2016).

[Image: blind eye]
“While employee-related security risks are the No.1 concern for security professionals, organizations are not taking adequate steps to prevent negligent employee behavior.”

According to Infosecurity Magazine, which reported on the study, other findings of concern revealed that:

  • less than half (46%) of surveyed companies make training mandatory for all employees;
  • 60% of companies do not require employees to retake security training courses following a data breach, “missing a key opportunity to emphasize security best practices;”
  • about 43% of companies provide only one basic course for all employees;
  • phishing and social engineering attacks are covered in less than half of basic programs; mobile device security in 38%; and using cloud services safely is covered in less than a third (29%);
  • 67% provide no incentives to employees for being proactive in protecting sensitive information or reporting potential issues; and,
  • only 29% mention security in performance reviews. (Source: Id.)

These findings are a real concern. They make clear that despite increasing cyberattacks, especially those like phishing and ransomware directed at employees, organizations are not taking the steps necessary to prepare those employees to defend themselves and their company. We can only expect employees to ‘play their part’ in cyberdefense if and when we train them and make them aware of the dangers. Successful, savvy business leaders will do that, and they will make cybersecurity a priority in the months and years to come.

The Internet of Things is Dead, Long Live the Internet of Things. Who’s Right?

Disclaimer: I don’t like naysayers very much. Or skeptics, for that matter. I understand and acknowledge their value, of course, in terms of ‘keeping us honest’ and ensuring we don’t ‘get ahead of ourselves’ with exuberance, excitement, enthusiasm and all that other stuff that makes life worth living. But I don’t like them, in truth, and I probably never will.

That’s why when I see articles calling the Internet of Things (IoT) a “dead end” (Barron’s), or asking if the Internet of Things is “Just a Hype,” (Huffington Post), I do a double-take. Are the naysayers right? Is this “3rd wave of the Internet” (Goldman Sachs), touted as so revolutionary by so many (including me), really just another passing trend?

[Image: CRN article]
“Intel has been hitting the Internet of Things fast and hard.”

Since this is truly one of those things in which ‘only time will tell,’ (sorry, no definitive answers here), we’re compelled to look for guidance in the marketplace, which often provides good (albeit admittedly not fool-proof) evidence of what is our best guess going forward on IoT.

And in the marketplace there is plenty to suggest that the IoT is in fact not dead, not a ‘dead end’ and, more likely than not, not ‘just hype’ (although uber-hyped might be right, at the moment). Consider the following recent headlines about corporate moves pertaining to IoT:

[Image: WSJ article on HP and IoT]
“Hewlett Packard Enterprise Co. is joining a crowded race to help companies get a leg up on one of tech’s hottest trends, the Internet of Things.”

According to these recent stories, Intel, Amazon, HP, Vodacom, Microsoft and Nokia (estimated aggregate total market capitalization of just short of 3/4 of a trillion dollars) are all positioning themselves to win in the Internet of Things. They are buying other companies, investing in technologies, setting long term corporate strategies, all with the goal of succeeding in the age of the IoT.

It’s possible these corporate giants (and others) are wrong. That IoT doesn’t have sustaining value. That it won’t change our lives as we know it. But that’s not what the market is telling us, is it?

All of this IoT-inspired corporate activity sends me toward a different conclusion, one which reminds me of a movie quote from the 1997 sci-fi flick Contact, in which billionaire investor H.R. Hadden tells Dr. Arroway, “The powers that be have been very busy lately, falling over each other to position themselves for the game of the millennium.”

I don’t know for sure that the Internet of Things is the game of the millennium, but it sure looks a lot more like that than hype to me. Smart companies, organizations with a desire to be successful and relevant in the years to come, all will want to position themselves and their business with an eye towards IoT, at least based on what we’re seeing right now. Develop an IoT strategy, view your products and services through the lens of IoT, all as a contextual environment for the future.

Perhaps H.R. Hadden posed the question best when he asked, “Wanna take a ride?” So, do you?

Small Texas Law Firm Used in International Cyberattack

It started a couple of days ago. The folks at the James Shelton law firm in Clarendon, Texas, about 60 miles east of Amarillo, began receiving calls. Thousands of calls from all over the place, including Canada and the U.K.

According to what’s known so far, cybercriminals apparently gained access to and used a law firm email account to email an unknown number of recipients with the subject “lawsuit subpoena.” The subject is company specific, and it asks if the “legal department” has received it yet. The email says the matter is, of course, “urgent,” and it includes a Word document attachment.

[Image: actual email used in the cyberattack, intended to deceive recipients into clicking the attachment and downloading a malware infected payload.]

In fact, the email (one was sent to our company here in Dallas) contains malware that is, according to sources, “a variant of Dridex… [It is a] virus [that] relies on macros in MS Office to propagate.” “Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.” (emphasis added) (Source: Webopedia).
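Because the lure described above depends on a Word attachment carrying Office macros, one defensive check a mail gateway or help desk can run is to look inside the attachment for a VBA project part rather than trusting the file extension. The script below is an added example, not code from the original post or from any named vendor: it builds a constructed sample message modelled on the “lawsuit subpoena” email (placeholder addresses, a placeholder vbaProject.bin, no real macro) and flags macro-enabled Office Open XML attachments; the OLE check for legacy .doc/.xls binaries is assumed to need a separate parser to confirm macros.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Legacy binary Office files (.doc/.xls) are OLE compound documents; this is
# their fixed 8-byte signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Subject/body words quoted in the post about this campaign.
SUBJECT_KEYWORDS = ("subpoena", "urgent")


def has_vba_project(data: bytes) -> bool:
    """True if an Office Open XML package (.docm/.docx/.xlsm ...) carries a
    VBA project part. Word stores macros in word/vbaProject.bin and Excel in
    xl/vbaProject.bin, so match on the part name rather than the extension:
    a renamed .docx that still contains the part is still macro-enabled."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            return any(n.lower().endswith("vbaproject.bin") for n in pkg.namelist())
    except zipfile.BadZipFile:
        return False


def is_legacy_ole(data: bytes) -> bool:
    """True for the old binary .doc/.xls container, which can also hold
    macros but needs an OLE parser (e.g. oletools) to say for sure."""
    return data.startswith(OLE_MAGIC)


def triage_message(raw: bytes) -> dict:
    """Parse one raw RFC 822 message and report macro-bearing attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").lower()
    report = {
        "subject": subject,
        "subject_keyword_hit": any(k in subject for k in SUBJECT_KEYWORDS),
        "macro_attachments": [],   # OOXML parts with a VBA project: block
        "legacy_office": [],       # OLE binaries: hold for deeper inspection
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if has_vba_project(payload):
            report["macro_attachments"].append(name)
        elif is_legacy_ole(payload):
            report["legacy_office"].append(name)
    # A macro-enabled document is enough on its own; a legacy binary only
    # counts when the lure text also matches, since many are benign.
    report["block"] = bool(report["macro_attachments"]) or (
        report["subject_keyword_hit"] and bool(report["legacy_office"]))
    return report


# --- constructed sample data (not taken from the real attack) -------------

def build_sample_package(with_macros: bool) -> bytes:
    """Minimal zip with the part names Word uses; the vbaProject.bin content
    is placeholder text, not a real macro project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            pkg.writestr("word/vbaProject.bin", "PLACEHOLDER, NOT A REAL MACRO")
    return buf.getvalue()


def build_sample_email(attachment: bytes, filename: str) -> bytes:
    """Constructed lure modelled on the post's description: subject
    'lawsuit subpoena', 'urgent' body, Word attachment. Addresses are
    placeholders."""
    msg = EmailMessage()
    msg["From"] = "clerk@example-lawfirm.invalid"
    msg["To"] = "legal@example-company.invalid"
    msg["Subject"] = "lawsuit subpoena"
    msg.set_content("Has your legal department received this yet? It is urgent.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample_email(build_sample_package(True), "subpoena.docm")
    # 'block': True, 'macro_attachments': ['subpoena.docm']
    print(triage_message(lure))
```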

The law firm’s website now displays a warning banner about the cyberattack.

I spoke with Jim Shelton in Clarendon late this afternoon, who confirmed the attack. Working with his provider, they have disabled the email account and placed a bright red warning banner on their website directing folks “not to click any links or download any attachments.” Jim told me he was also contacted by the State Bar of Texas, which had received calls about the email.

This attack is a serious one with the potential to cause significant damage and harm to folks who receive it and the companies they work for. If you or anyone you know receives an email like the one posted above, please do not open it and do not click on any attachments. Please do pass along word of this attack so that others might be made aware of and avoid it at all costs.

People are Worried about IoT, and that’s a Good Thing….

Apparently not everyone is super jazzed about the Internet of Things (IoT), a world in which billions of devices are ‘talking’ to one another, autonomously, silently, in the hidden background of our everyday lives.

[Image: consumers don’t trust IoT]
“Even though consumers see tangible benefits of the Internet of Things (IoT) adoption, many have their doubts regarding security, trust and safety…”

According to a recently released study, “60 percent of consumers [globally] are worried about [the Internet of Things]…The biggest concerns are [privacy] (62 percent) and security (54 percent), followed by physical safety (27 percent), and not being able to fix the technology (24 percent).” (Source: betanews, “Consumers do not trust Internet of Things,” by Sead Fadilpašić, April 8, 2016, citing the Mobile Ecosystem Forum (MEF) study entitled “The Global Consumer Survey.”)

In the United States, the percentage of those concerned about the IoT is even higher than the global average, at 63%.

Other study findings revealed that:

  • Women are more concerned about the IoT than men (64% of women are concerned about a world where everyday objects are connected to each other and the Internet, compared to 57% of men concerned about the same);
  • Privacy is the biggest concern among those polled in the United States (70%, compared to a global average of 62%); and,
  • Of all the IoT connected devices, the smart home was of most concern to those polled (30% were concerned about connected home security and 15% about connected house doors, followed by cars, tv’s and ‘smart’ irons, 3rd – 5th on the list of concerns).

[Image: IoT Journal]
“Consumers are increasingly aware of the value of the personal data they share via smart-home devices and platforms, and are wary of the security robustness of those systems…”

Another recent study seems to support these findings of consumer concern and mistrust of the IoT. “In July 2015, Intel Security hired Vanson Bourne, an independent market research provider specializing in the technology sector, to interview 9,000 consumers,” including 2,500 from the United States, regarding topics related to smart-home technology. “66 percent said they were very concerned about the security of their home being compromised by cybercriminals, while 92 percent said they are concerned about the security of their personal data that is collected and shared via smart-home platforms.” (Source: IoT Journal, “Smart Homes, Cybersecurity and Personal Data: What Consumers Care About,” by Mary Catherine O’Connor, March 31, 2016).

While it’s clear that concern about and mistrust of the Internet of Things is real and may slow adoption of the technology, that may well be a good thing, as more and more cybersecurity professionals and privacy advocates warn that the growth in IoT tech is far outpacing the security and regulation of the same. For only if we are all deliberate and careful going forward can we be sure to realize the many valuable and even life-saving solutions a world of connected devices (see connected cars, by way of example) has to offer without, at the same time, creating a vast platform for those seeking to abuse it.

Here Come the Feds: DIGIT Act, CFPB No-Breach Enforcement Order a Sign of Things to Come

Federal regulators and legislators have been promising for some time now that additional, formal action would be coming on the Internet of Things (IoT) and in the realm of cybersecurity enforcement. Last week, both the United States Senate and the Consumer Financial Protection Bureau (CFPB) made good on those promises.

On the IoT front, a bipartisan group of Senators including Sens. Deb Fischer, R-Neb., Cory Booker, D-N.J., Kelly Ayotte, R-N.H., and Brian Schatz, D-Hawaii, introduced the Developing Innovation and Growing the Internet of Things Act, or the DIGIT Act.

[Image: NextGov on the DIGIT Act]
“The DIGIT Act is one of many recent congressional actions related to the Internet of Things.”

According to news reports, the new bill introduced on March 1, “directs the Federal Communications Commission to report on the spectrum required to support the Internet of Things. It also proposes creating a working group, made up of public and private sector representatives, to advise Congress on planning for and encouraging the growth of that network as well as how the federal government can adopt the Internet of Things.” (Source: “Senators Introduce Another Internet of Things Bill,” by Mohana Ravindranath, March 1, 2016).

“The bill proposes that the working group examine topics such as spectrum needs, federal technology grants, consumer protection, and privacy and security. The FCC study would address spectrum issues, such as the role of licensed and unlicensed spectrum in a highly connected world, according to the bill.” (Id., emphasis added).

The findings and recommendations of both the FCC and the working group would be required to be submitted to the appropriate committees of Congress within one year of the bill’s enactment. (Source: National Law Review, “Internet of Things Bill Introduced,” March 9, 2016).

On the cybersecurity side of things, this past week saw the first data security enforcement action from the Consumer Financial Protection Bureau (CFPB), a governmental agency created by the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010.

[Image: CFPB Dwolla enforcement action]
“Under the Dodd-Frank Wall Street Reform and Consumer Protection Act, the CFPB is authorized to take action against institutions engaged in unfair, deceptive or abusive acts or practices, or that otherwise violate federal consumer financial laws.”

According to the CFPB press release accompanying its consent order, “The Consumer Financial Protection Bureau [ ] took action against online payment platform Dwolla for deceiving consumers about its data security practices and the safety of its online payment system. The CFPB ordered Dwolla to pay a $100,000 penalty and fix its security practices.” (Source: “CFPB Takes Action Against Dwolla for Misrepresenting Data Security Practices,” March 2, 2016).

Although there was apparently no breach of Dwolla’s data security or systems, the CFPB nonetheless found that Dwolla had “misrepresented its data-security practices by:

  • falsely claiming its data security practices “exceed[ed]” or “surpass[ed]” industry security standards; and
  • falsely claiming its “information [was] securely encrypted and stored.” Id.

Both the bipartisan DIGIT Act and the CFPB’s no-breach enforcement action against Dwolla presage additional federal engagement on the Internet of Things and in corporate cybersecurity, more broadly. As a result, organizations of all shapes and sizes, for profit and not, are encouraged to actively monitor such developments and, more importantly, to continue to invest in robust cybersecurity efforts, including but not limited to employee training and vendor screening and management.

John Ansbach on IoT, Cybersecurity & the Technology Trends of Tomorrow