To Resist Top Business Cyberthreat Ransomware, it’s all about Prevention

Well, the results are in and we have a winner…ransomware wins first place for the top global cybersecurity threat of 2016.

According to a recent report by cybersecurity company SonicWall, ransomware attacks (malware that prevents or limits users from accessing their system or data unless a ransom is paid) soared in 2016, up 167 times the number recorded in 2015. (Source: Computerworld, “Ransomware soars in 2016, while malware declines,” by Matt Hamblen, February 7, 2017, citing the SonicWall report). “Ransomware attacks rose from 3.8 million in 2015 to 638 million in 2016…SonicWall theorized that ransomware was easier to obtain in 2016 and that criminals faced a low risk of getting caught or punished…Ransomware was the ‘payload of choice for malicious email campaigns and exploits,’ SonicWall said.” (Source: Id).

“…ransomware attacks soared, up 167 times the number recorded in 2015.”

The report concluded that in 2016, “the most popular malicious email campaigns were based on ransomware [ ] which was deployed in more than 500 million total attacks throughout the year.” It also indicated that, “No industry was spared: the mechanical and industrial engineering industry got 15% of the ransomware hits, while pharmaceuticals and financial services companies each got 13%, while real estate companies got 12%.” (Source: Id.).

So, if you are a business leader in one of these (or any other) sectors, what can you do to resist the onslaught of ransomware cyberattacks? Focus on prevention. “Most security experts agree that it is almost impossible to recover data that might have been encrypted in a ransomware attack without access to the decryption keys, or to a backup copy of the affected data. So the focus has to be on prevention.” (Source: DARKReading, “Here’s How To Protect Against A Ransomware Attack,” by Jai Vijayan, February 4, 2016).

According to experts, there are a good number of actions (technical and non-technical) leaders can take to prevent ransomware. Here are my top three:

  • Have Backup. “Having a robust data backup process can go a long way in blunting the threat posed by ransomware. In fact, it is often the only way to recover data if you are unwilling to pay the ransom demanded by an extortionist.” (Source: Id.)

“Recovering data encrypted by a ransomware attack is next to impossible, so prevention offers the better approach.”

  • Develop a Response Plan. “Time is critical for an organization faced with a ransomware deadline. Online extortionists typically give organizations a very specific time limit within which to pay…They deliberately don’t give enough time for an organization to figure out if it can try and unlock the data without paying any ransom. So it is important to have a plan in place describing what needs to happen in the event of a ransomware attack. ‘The last thing you want is to be doing a Google search for a local forensics expert at 2am on a Saturday morning.’” (Source: Id.)
  • Train (Test and Re-Train) Employees. There may be no better non-technical defense against ransomware than training and empowering employees to recognize and resist the emails used to deliver ransomware. But ‘train, fire and forget’ won’t cut it. “Raising awareness about ransomware by educating staff about the dangers of clicking on attachments or links in emails is clearly important as a baseline security measure. But it only takes one employee to lower their guard on one occasion for an organization to be compromised…companies such as PhishMe provide technology to help keep employees on their toes by sending them simulated malicious emails on an ongoing basis; if an employee clicks on a simulated malicious link, they get feedback to help ensure that they don’t fall victim to a similar email again.” (Source: eSecurity Planet, “How to Stop Ransomware,” by Paul Rubens, January 31, 2017).

Ransomware has clearly been the chief cyberthreat for business in the last year, and if the first month or so of 2017 is any indication, this year will be no different. (See “Ransomware expected to dominate in 2017,” ComputerWeekly.com, by Warwick Ashford, January 6, 2017). Business leaders will have to face the ransomware cybersecurity threat head on, and do so deliberately, methodically and purposefully. Only by taking this threat seriously, and preparing a business and its employees accordingly, will leaders prevail in this fight. And only then, when an organization can access and protect its information and that of its customers, will leaders be able to focus on the myriad other day-to-day efforts needed to make their business truly great.

For a more complete list of action items and methods that can be used to combat and resist ransomware, both technical and non-technical, check out the DARKReading.com article, as well as the eSecurity Planet article.

Could “Russian hacking” actually make Americans care less about Cybersecurity?

Trump. Russians. Hacking.

Over the last few months, cybersecurity (and specifically “hacking”) has been at the epicenter of the national conversation. These issues have been in the news now more than ever primarily as a result of our recent presidential election and allegations by intelligence officials and others that Russian hacking of the Democratic National Committee (DNC) (and others) altered (or tried to alter) the outcome of our presidential election. It seems like almost every day, especially in late December and early January, there was an article, update or new revelation about Russian hacking, the DNC, calls for congressional hearings, Fancy Bear or sanctions.

The President Elect has tweeted repeatedly about Russian hacking, keeping the cybersecurity issue front and center in the minds of Americans.

Now usually, when there is a major cybersecurity story in the news (think Target, Home Depot, Yahoo!), cybersecurity professionals welcome the exposure (if not the incident), because the attendant media attention often drives cybersecurity awareness, leading folks to be more concerned about how to protect themselves and their companies, as they should be.

The allegations of Russian hacking of our elections might mark a significant departure from this typical cybersecurity-incident silver lining, however. Here are two reasons why:

  1. Politicization. According to a new CNN/ORC poll, while nearly 2 in 3 Democrats believe Russian hacking “ruined Democratic candidate Hillary Clinton’s chances,” only 10 percent of Republicans agree. (Source: theblaze, “Poll: Majority of Americans believe Russian hacking did not impact election outcome,” January 17, 2017, citing CNN/ORC poll). Party affiliation is influencing views on this particular cybersecurity incident. Republicans want to “move on” and blame the DNC for operating insecurely. Democrats want hearings and sanctions. Ultimately, a cyberattack is a criminal action. What we want in a post-attack “lessons learned” analysis is an open discussion about how to prevent such attacks in the future. With Americans so divided over the Russian cyberattack, it seems highly unlikely that will happen. This incident actually makes it more likely that future cyberattacks will produce similar arguments over effect, attribution and fault, further limiting any positive outcome for the good of the country or any community.
  2. Overexposure. Every day, another Russian hacking story. There is every indication that this Russian hacking conversation is simply too much for people to digest and make sense of, especially in any detail. Honestly, how many Americans have read deeply into any of the stories or reports to understand who CrowdStrike is, who Fancy Bear or Cozy Bear are, what a SeaDaddy tool is, what operation “GRIZZLY STEPPE” was, or, in the case of John Podesta’s email hack, how multi-factor authentication might have prevented the incident in the first place (or what MFA is, anyway)? When something is overwhelming, as this story has been, folks don’t embrace and learn from it; they run the other way.

Cybersecurity is a life and death matter, as shown by a recent Hamas operative cyberattack aimed at Israeli troops to learn their whereabouts and movements.

All of this presents a real problem in terms of increasing cybersecurity awareness and motivating people to act securely and responsibly in their personal and professional lives, especially considering what’s at stake and what lies ahead.

In the very near future, the Internet of Things will create for us a world of Internet-connected devices. Projections vary, but conservative estimates indicate there will be as many as 24 billion connected devices by 2020 (think shoes, TVs, clothes, cars, crock pots and refrigerators, as well as factories and the machines in our power plants and water treatment facilities). (Source: Business Insider, “The IoT 101 Report: Your essential guide to the Internet of Things,” January 12, 2017). With so much of who we are and what we do on the ‘Net, we need people to be more concerned and more united around resisting cybercrime, not less.

As for what’s at stake? Consider a recent story about Hamas’ use of a cyberattack on Israeli soldiers. Hamas operatives posed as cute girls in texts with the soldiers. The goal was to get the soldiers interested, get them to agree to a video chat, and then have the soldiers download what they were told was a video chat program that would let them connect. In reality, the chat app, called WoWo Messenger, was a delivery method for malware, the intent of which was to provide information on troop location and movements to Hamas for military operations. (Source: BleepingComputer, “Israeli Military Tricked Into Installing Malware by Hamas Agents Posing as Women,” January 16, 2017). The lesson is clear: cybersecurity is no longer about hacking enthusiasts “messing with” companies or the government just to show they can. Cybersecurity, very often about money, theft and fraud, is also about life and death, and as such should be addressed deliberately, carefully, intellectually and ultimately with a united front to be successful.

Will the recent Russian hacking incident make Americans care less about cybersecurity? It may be too early to tell. But the lessons for savvy business and organizational leaders couldn’t be more clear. Stay focused. Hacking is very real, and it is increasingly being done in more sophisticated ways by foes near and far. Put politics aside, understand the criminal intent of those that would do you or your organization harm, understand the environment and what’s at stake, and then act accordingly. It’s only going get tougher from here on in – let smarts, vision and courage be your guide.

What Business Leaders Need to Know Now about Recent, High Profile DDoS Cyberattacks

Over the past several weeks there has been a lot of talk in the media about DDoS attacks, especially “Mirai malware,” botnets for rent, Chinese-built webcam recalls and the “destructive power” of the Internet of Things (“IoT”). For the uninitiated (or disinterested), this sounds like a lot of “tech talk” reserved for real and wannabe tech geeks (like me) to ruminate about.

The reality, however, is that these recent, high-profile IoT (connected device)-driven DDoS (distributed denial of service) cyberattacks are very much a “business” matter for business leaders to address, as these attacks have the potential to disrupt operations for significant periods of time, and to cause physical harm to corporate assets and even personnel.

“A growing mass of poorly secured devices on the Internet of things represents a serious risk to life and property.”

By way of background, here is a short, quick list of recent events that have highlighted this threat:

“A new monster botnet, which hasn’t been given a name yet, has been spotted in the wild launching massive DDoS attacks.”

What these events of the past 90 days show us is that cyberthieves have (most would say, predictably) managed to combine a known, common (and mostly defensible) cyberattack method (DDoS) with the Internet of Things (a world of connected devices) to launch massive, historically large cyberattacks against organizations around the world. More specifically, attackers can now use insecure, commonplace devices such as webcams, refrigerators and fax machines as conduits to launch massive traffic attacks that can disrupt and shut down businesses whose systems are connected to or dependent on the Internet.

Because the overwhelming majority of organizations and businesses are, in fact, “connected to or dependent on the Internet,” IoT-driven DDoS cyberattacks now represent a major cyberthreat to the business community. Savvy, informed leaders will be quick to recognize and understand this threat, and to work with their IT teams and the organization’s IT partners and providers to understand just how vulnerable they are in this environment. Steps should be taken to identify vulnerabilities and to put in place incident response plans so that everyone within the organization knows who should be doing what, when, and with whom in the event of such an attack.

IoT-driven, mass-traffic DDoS cyberattacks are technical in nature, but their impacts are not. Organizations that understand and recognize this reality will be better prepared and ready if and when they do face this twisted, criminal effort.


Businesses Beware: Wire Transfer Cyberscams Likely to Increase over the Holidays

It’s well documented that cyber threats and attacks tend to rise around the holidays. People are busy, they get distracted, and cyber thieves know that.

We’re likely to see that in the coming weeks, for sure, especially with a specific type of business cyberattack known as “wire transfer fraud,” or as the FBI calls it, “business email compromise” or “BEC.”

“According to the FBI, in October 2013 through May 2016, US and foreign victims have reported 22,143 BEC-related cases, resulting in a 1300% increase in identified losses since January 2015.”

BEC is a pretty straightforward scam: cyber criminals send an email to a company’s accounting or finance employee pretending to be the CEO or other high-level executive. The email requests that a wire transfer be made – allegedly for business purposes – and when that transfer is completed, the company finds out the unwitting employee sent the money to an account in a foreign country where it’s difficult, if not impossible, to retrieve. Ubiquiti Networks was swindled out of almost $47 million through just such a BEC attack; and, more recently, Leoni AG lost €40m after a company CFO unwittingly transferred funds to a hacker’s bank account. (Sources: CIO Magazine, “How to Prevent CEO Fraud,” by Chris Carroll, October 27, 2016; International Business Times, “Cable giants Leoni AG lose €40m after CFO transfers funds to hacker’s bank account,” by Mary-Ann Russon, September 2, 2016).

What’s different these days with BEC attacks from previous years is the level of sophistication and social engineering that goes into them, helping thieves to appear more legitimate even to a discerning employee (the Leoni AG attackers knew which of the four factories were authorized to make wire transfers). These tactics have helped cybercriminals create a serious threat to business, stealing more than $3 billion from domestic and international victims. (Source: TrendMicro, “BEC Scams Amount to $3 billion According to Latest FBI PSA,” June 16, 2016).

The good news for businesses and organizations of all sizes is that, for the most part, these attacks are avoidable. Here are 3 easy steps to take to help you, your business and your employees resist the BEC:

1. Educate. The most important thing you can do is educate and inform your team, especially your accounting folks, about this cyberthreat. “Educate executives and your finance team about CEO fraud, and implement training programs around privacy and security. Employees must be vigilant about responding to requests for money transfers or confidential information.” (Source: CIO Magazine).


2. Authenticate. Utilize multi-factor authentication (MFA), “especially [with] financial applications, [ ] so users must confirm their identity when initiating a wire transfer…MFA, which requires multiple methods for identification, is one of the best ways to prevent CEO fraud.” (Source: Id).

3. Create. Empower your IT professionals to be innovative and create technical solutions, for email and otherwise, to help you and your company defend against BEC. “The FBI recommends that security teams create system rules that flag e-mails with extensions that are similar to the company’s. For example, while an e-mail from abc_company.com can be legitimate, the system would flag a similar looking, fraudulent e-mail from abc-company.com.” (Source: Id).
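The FBI rule quoted above, flagging sender domains that merely resemble the company’s own, can be implemented as a small mail-filter check. The script below is an added illustration written for this post; it is not code from the FBI, CIO Magazine or any other cited source. It assumes abc_company.com is the legitimate domain (the article’s own example), and the sample messages, the function names (`skeleton`, `levenshtein`, `classify_domain`, `check_message`) and the edit-distance threshold are constructed for the illustration. It goes slightly beyond the hyphen-versus-underscore case in the quote: it also folds common look-alike characters (0 for o, 1 for l, rn for m) before comparing, so a domain such as abc-c0mpany.com is caught too.

```python
"""Flag inbound mail whose From: domain is a lookalike of the company's own domain.

Added example for this post (not code from any of the cited sources).
The company domain, sample messages and threshold are constructed assumptions.
"""
import email
from email.utils import parseaddr

# Domains the company actually sends mail from (assumption: the article's example domain).
COMPANY_DOMAINS = {"abc_company.com"}

# Maximum edit distance at which a foreign domain is treated as a lookalike (assumption).
MAX_EDIT_DISTANCE = 2

# Single-character lookalikes folded to one canonical form. Hyphen and underscore
# are dropped so that abc-company and abc_company collapse to the same skeleton.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None, "_": None})


def skeleton(domain: str) -> str:
    """Reduce a domain to a 'skeleton' that ignores common visual substitutions."""
    s = domain.lower().rstrip(".").translate(_CONFUSABLES)
    # Multi-character confusables that str.translate() cannot express.
    return s.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """Return 'legitimate', 'lookalike' or 'external' for a sender domain."""
    d = domain.lower().rstrip(".")
    if d in COMPANY_DOMAINS:
        return "legitimate"
    for ours in COMPANY_DOMAINS:
        # Either the skeletons match (homoglyph / punctuation swap) or the raw
        # spelling is within a couple of edits of our real domain.
        if skeleton(d) == skeleton(ours) or levenshtein(d, ours) <= MAX_EDIT_DISTANCE:
            return "lookalike"
    return "external"


def check_message(raw: str) -> dict:
    """Parse a raw RFC 822 message and classify the domain in its From: header."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    return {"from": addr, "domain": domain, "verdict": classify_domain(domain)}


# Constructed sample messages (not real traffic).
SAMPLE_LEGIT = "From: CEO <ceo@abc_company.com>\nSubject: Q4 numbers\n\nSee attached.\n"
SAMPLE_FRAUD = "From: CEO <ceo@abc-company.com>\nSubject: Urgent wire\n\nPlease wire today.\n"
SAMPLE_HOMOGLYPH = "From: CEO <ceo@abc-c0mpany.com>\nSubject: Urgent wire\n\nConfidential.\n"
SAMPLE_EXTERNAL = "From: Vendor <billing@example.net>\nSubject: Invoice\n\nInvoice attached.\n"

if __name__ == "__main__":
    for raw in (SAMPLE_LEGIT, SAMPLE_FRAUD, SAMPLE_HOMOGLYPH, SAMPLE_EXTERNAL):
        r = check_message(raw)
        print(f"{r['verdict']:10s} {r['from']}")
```

A “lookalike” verdict is a signal for the mail gateway to quarantine or banner the message, not proof of fraud, and the threshold needs tuning: for a very short company domain an edit distance of 2 will match unrelated businesses, so a shorter domain warrants a lower threshold or an explicit allow-list of known partners.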

For a longer list of actions you can take to fend off BEC, check out the CIO magazine article here.

The holidays will no doubt bring an increase in cyberattacks as criminals count on you and your employees to be distracted. Fight them off by paying extra attention to your emails and the requests that come through, and by educating, informing and even rewarding your employees for suiting up and helping out to stop BEC before it gets started.

In Cybersecurity, Awareness is Key

Well it’s October again, which means Fall is here, Sundays are for football, folks are picking out costumes for Halloween and, of course, people are paying extra close attention to cybersecurity in recognition of National Cyber Security Awareness Month…right…?

Ok, so maybe not everyone is focused on National Cyber Security Awareness Month, but the program, “a Department of Homeland Security-administered campaign held every October,” does provide a great opportunity to raise awareness of cyber threats, especially as we head into the holiday season, a time when cyberthieves tend to get especially aggressive. (Source: FBI.gov, “National Cyber Security Awareness Month, Cyber Security is Everyone’s Responsibility,” October 3, 2016).

“[I]t’s important for individuals, businesses, and others to be involved in their own cyber security. And National Cyber Security Awareness Month [ ] is perhaps the most appropriate time to reflect on the universe of cyber threats and on doing your part to secure your own devices, networks, and data.”

So, in the spirit of “NCSA month,” here are three things you and your company can do to heighten your cybersecurity awareness towards remaining vigilant, strong and cybersecure:

1. Conduct Awareness Campaigns. Something you can do throughout the year is send e-mails to your team members (or organization-wide) keeping them informed of the latest cyberthreats, including such threats as the latest ransomware variants (“Cry” or “Fantom,” for example). During NCSA month, specifically, consider sending an e-mail once a week to really raise awareness and stress to employees that it’s everyone’s job to keep the company and its employees and customers secure. The Department of Homeland Security has a number of resources to help with these efforts, as do various private sector vendors. For more from the DHS, check out their website at www.dhs.gov/stopthinkconnect.

2. Rehearse a Data Breach. One thing you and your leadership can do to really raise cybersecurity awareness at senior staff levels is to conduct tabletop exercises that simulate an actual data breach or other cybersecurity incident. Not only will these practice sessions help to put the cybersecurity issue front and center for the company’s key players, but, “Going through the motions of an imaginary attack can help prevent executives from making common mistakes and mishaps during times of crisis…It’s one of the best ways to test one’s incident response team and plan ahead.” (Source: Fortune magazine, “The Best Way for Companies to Prepare for Inevitable Data Breaches: Rehearse,” citing Diana Kelley, executive security advisor at IBM, September 27, 2016).

“Script through an attack at your company.”

3. Conduct Training. There is really never a bad time to conduct cybersecurity training in the workplace, but doing so during NCSA month can both increase awareness and help the company resist an attack. Since “Increased investment in employee training can reduce the risk of a cyber attack 45 to 70 percent,” and “employees are ‘perhaps the greatest evolving security threat,’” it would seem that National Cyber Security Awareness month would be the perfect time to not only better prepare employees, but also raise their awareness of the cybersecurity threats they and their employers face. (Source: BizTimes, “Reduce cyber security risks with employee training,” citing a 2015 study by Wombat Security Technologies and the Aberdeen Group, March 28, 2016).

This month, National Cyber Security Awareness month, is the perfect time for leaders to make cybersecurity a priority and truly empower employees with knowledge and awareness. Set aside some time, collaborate with your colleagues, and take steps that make sense for you and your organization so that when the next cyber attack does come along, you and your folks will be ready, willing and able to mount a strong defense and help defeat those seeking to do harm to your company, your people and your customers.


Low Tech ‘Social Engineering’ is Often Key to Successful Cyberattacks

You hear about it in the news all the time now. A company has been “hacked,” leading to the exposure of thousands or even millions of consumer or employee records. Inevitably, there is then the follow on credit monitoring, regulatory action, and some forensic look at how the bad guys “got in” and what variant of the latest virus was used to infiltrate the victim company’s systems.

In-depth social engineering supported an attack that cost Leoni AG, one of the world’s largest manufacturers of wires and electrical cables, more than $44 million.

These stories are real and important, for sure, but one thing that has been increasingly overlooked in the headlines is the fact that many of these so-called “hacks” don’t begin in a technical manner at all. Many so-called cyberattacks start with nothing more than good old-fashioned “casing” or scouting of the victim company and its employees, often through seemingly innocent phone calls placed to company employees or through the review of easily and publicly accessible online social media accounts (think LinkedIn profiles that tell the world who does accounts payable for company ABC).

This low tech approach, known as “social engineering,” when done well empowers would-be cyber thieves to learn user names, passwords, job titles, functions, responsibilities and other information that is in turn used to perpetrate the follow-on attack.

This attack method was on full display during a “social engineering contest” at last month’s Def Con hacking conference in Las Vegas. Chris Silvers, who won first prize in that contest, called a company employee and pretended he was “filling in gaps in an internal survey the company had sent out to employees — a real survey he’d found on the company’s website during his pre-contest research.” (Source: USA Today, “A hacker’s best friend is a nice employee,” by Elizabeth Weise, Aug. 15, 2016).

“The staffer who answered her desk phone fell for his ploy hook, line and sinker, no doubt soothed by his southern accent and calm conviction he had every right in the world to be asking his questions. He convinced her to go to a non-existent website to sign up for a $10 Amazon gift card for her trouble. When that — of course — didn’t work, he offered to help her troubleshoot the problem.” (Source: Id.).

Ultimately, during a single phone call that lasted less than 25 minutes, Silvers was able to learn a “treasure trove of information about her company’s computer network, antivirus software and web filtering protocols — more than enough information for a hacker to easily infiltrate the network.” (Source: Id.).

Chris Silvers, who runs CG Silvers, an independent security consulting firm in Atlanta, won first prize in the social engineering contest held at the DefCon hacker conference in Las Vegas. “You can get everything you need — information about their security, their operating system, what kind of computers they use. Just with a call,” he said.

This same type of social engineering was a key element in a real life multimillion dollar attack just last month on Leoni AG, one of the world’s largest manufacturers of wires and electrical cables. According to media reports, thieves “spoofed emails to look like official payment requests.” The CFO of the targeted Leoni factory then sent more than $44 million (USD) in funds to the thieves after receiving those emails, which were “cloned to look like they came from [the Company’s] German executives.” (Source: Gizmodo, “An Email Scam Cost One of Europe’s Biggest Companies $40 Million,” by Hudson Hongo, Sept. 1, 2016).

Apparently, the Leoni attack was successful largely because of the extent to which the thieves socially engineered their efforts, cloaking their fraud in the appearance of legitimacy.

“Investigators say the email was crafted in such a way to take into account Leoni’s internal procedures for approving and transferring funds…The [ ] factory was [also] not chosen at random…Leoni has four factories in Romania, and the [targeted] branch is the only one authorized to make money transfers.” (Source: Softpedia, “One of Europe’s Biggest Companies Loses €40 Million in Online Scam,” by Catalin Cimpanu, Aug. 31, 2016).

The lessons here are clear. Training employees is incredibly important in the defense against cybercrime. And, given the evidence of the latest attacks, that training must be broad enough to ensure that companies and their employees are on the lookout for, and prepared to rebuff, the social engineering tactics employed by cyber thieves. We’ve moved well past the “Nigerian prince” emails, and now live in an increasingly dangerous environment in which the bad guys are smart, cunning and seriously deliberate about who they target and what they’re after. Companies should be equally committed, deliberate and thorough when it comes to their defenses – those that are will dramatically increase their chances of staying safe and staying out of the cyberattack headlines.

Toddler Trampling Robots, Killer Cars: What to Do When Technology Fails Us

I’m a huge fan of tech, especially cutting-edge tech that holds the promise of saving lives, keeping us safer and helping us to care for our loved ones. Which is one of many reasons why I was incredibly saddened to hear about two recent incidents in which cutting-edge tech failed, allegedly causing the injury of a child in one case and, in another case, contributing to the death of a motorist.

“A mother and father watched in horror as a security robot at a mall in California knocked their 16-month-old to the ground and ran over one of his feet.”

On May 7, an Ohio man was killed in a car crash in which his Tesla Model S, operating in “autopilot mode,” ran into and underneath a tractor trailer. (Source: The Verge, “Tesla driver killed in crash with Autopilot active, NHTSA investigating,” by Jordan Golson, June 30, 2016). This was the first known fatality in a Tesla where Autopilot was active. (Id). It also appears to have been, “the first known death caused by a self-driving car… Against a bright spring sky, the car’s sensors system failed to distinguish a large white 18-wheel truck and trailer crossing the highway…” (Source: The Guardian, “Tesla driver dies in first fatal crash while using autopilot mode,” by Danny Yadron and Dan Tynan, June 30, 2016). The NHTSA notified Tesla it is investigating.

And earlier this month, a 300-lb robot security ‘guard’ on patrol at a mall in California allegedly “ran over” a toddler. The 16-month old boy’s mother said the robot “ran directly into her son — striking him in the head and knocking him to the ground. The robot continued forward, running over the boy’s right foot.” (Source: CNNMoney, “300-pound mall robot runs over toddler,” by Matt McFarland, July 14, 2016). Thankfully, the child was not seriously hurt. “X-rays taken after the incident were negative. The toddler has a scrape on the back of one of his knees.” (Id.).

Source: INKCINCT — June 4, 2007

The harsh reality is that technology (especially leading-edge tech) will never be “perfect.” Technological advances often require many iterations before realizing their full potential and certainly before meeting consumer expectations and attaining mainstream acceptance. Even then, no technology is perfect. In ten years, self-driving cars will still be involved in accidents.

The question is not, however, one of “perfection,” but of advancement. Are we better off with significantly fewer accidents on the road (and thousands of lives saved), or are we so outraged when technology fails us that we reject advancement and regulate progress away? Do we value a drop in crime that results from automated robots patrolling a mall, or are we so incensed at the injury of a child (and rightly so) that we take all the robots “offline?”

I respectfully suggest that the answer is “both” (taking my cue from my three-and-a-half-year-old son, who tells me “it’s not ‘or,’ daddy, it’s ‘and’” when I ask him to make a choice he doesn’t like). Consumers and companies alike must reject the false choice of wholeheartedly embracing tech or rejecting it outright. We should be angered when tech fails us, and we should value and support the advances that the same tech has produced and enjoy the improved safety it provides. (See this July 21 report of a Tesla Model S’ Automatic Emergency Braking system reportedly saving the life of a pedestrian in Washington, D.C.). There will never be a time when technology is 100% foolproof. But if we can be deliberate and thoughtful about our approach to tech, if we can embrace the advances and manage the setbacks as they inevitably occur, we may then be able to improve our world, improve our lives and improve our communities through technological advancement without sacrificing who we are or what we value. Companies and organizations that understand, acknowledge and evangelize that truth will inevitably come out on top.

Nationwide IoT is Here! (Disclaimer: Not available in the U.S.)

The race to develop, implement and roll out a nationwide Internet of Things (IoT) connected devices network is over, and two countries are laying claim to the “we were first” trophy.

Earlier this week, both South Korea and the Netherlands announced that they had switched on their own respective national IoT networks, which in the case of the Netherlands “reportedly covers the entire country and will be used to connect millions of devices.” (Source: Gizmag, “Netherlands rolls out world-first nationwide Internet of Things network,” by Michael Irving, July 1, 2016). South Korea did the same, launching “its first commercial, low-cost Internet of Things (IoT) network [that will] allow smart devices to talk to each other via the network.” (Source: BBC News, “South Korea launches first Internet of Things network,” July 5, 2016).

“South Korea has launched its first commercial, low-cost Internet of Things (IoT) network aimed at making the country even more connected.”

According to reports, the South Korea IoT nationwide network will:

  • allow smart devices to “talk to each other via the network [using] technology that will allow it to reach 99% of the country’s population.”
  • provide services viewed as a way to “ease the cost burden of startups and small and medium enterprises.”
  • on the consumer side, “help appliances like fridges or printers tell its owners when it needs to be refilled, help customers locate lost smartphones and even monitor pets.” (Source: Id.)

The South Korean IoT network provider (SK Telecom) is investing “up to 100 billion won by the end of next year to further develop the infrastructure…” (Source: Id.)

In the Netherlands, Dutch telecommunications company KPN technicians “fitted hundreds of existing mobile transmission towers with LoRa (Long Range) gateways and antennas, to create a new public network dedicated to IoT devices. Sections first went online in Rotterdam and The Hague in November 2015, before work ramped up earlier this year in response to customer interest.” (Source: Gizmag).

KPN reportedly already has contracts for 1.5 million devices to use the network. Id. “Baggage handling at Schiphol Airport, depth sounders in the port of Rotterdam and rail switches at Utrecht Central Station are all currently being handled by smart connected devices, with plenty more expected to join the party as KPN continues to optimize and add functionality to the system.” Id.

“…technicians fitted hundreds of existing mobile transmission towers with [ ] gateways and antennas, to create a new public network dedicated to IoT devices.”

The United States is, of course, a much larger country than both South Korea and the Netherlands, but even so there does not appear to be any significant movement here in the U.S. to develop and launch a similar IoT network. The most ‘movement’ that can be seen – if you can call it that – is related to legislation, not infrastructure. In April, a Senate committee voted to approve the DIGIT Act, which would “require the Federal Communications Commission to report on the spectrum required to support a network of billions of devices. It would also convene working groups [ ] to advise Congress on Internet of Things-related policy.” (Source: NextGov, “Senate Committee Approves Bill to Create National Internet of Things Strategy,” by Mohana Ravindranath, April 27, 2016). Roughly a year earlier, the Senate passed an Internet of Things resolution calling for a “national strategy on the topic.” Id.

So, while we in the U.S. take committee votes and issue calls for strategies and reports, countries elsewhere (including Mexico, now, which is working towards a 2017 nationwide IoT rollout) are forging ahead, launching 21st century infrastructure initiatives designed to empower industry, facilitate commerce and drive economic development and growth. Surely we’ll see a U.S. IoT nationwide network effort at some point; the question is, however, when? And until then, how many more countries will launch their own IoT networks and realize the benefits of connected device systems before we do?

Data Breach Costs are Up (Again), But Some Companies Know Just What to Do…

The Ponemon Institute, in collaboration with IBM, has released its annual study on the costs of data breaches globally and here in the United States. The “2016 Cost of Data Breach Study: Global Analysis” was published last week, and it contains some important findings to take note of, most of which reveal the rising costs associated with a data breach.

“Slow Response and Lack of Planning Cost Companies Millions”

Among the study’s findings:

Although these statistics are sure to garner headlines, perhaps the most valuable findings from the report concern factors that can actually decrease the costs of a data breach. According to the study (page 14 of the Report), there are ten (10) actions that, when taken, are associated with lower per capita data breach costs. They include:

  • Maintaining an incident response team ($16 per capita)
  • Extensive use of encryption ($13)
  • Training employees ($9)
  • Participating in sharing of threat information ($9)
  • Having a company’s board involved ($6)
“…an incident response team, extensive use of encryption, employee training, participation in threat sharing or business continuity management decreased the per capita cost of data breach.”

This latest Ponemon study confirms the continuing trend of rising costs associated with data breaches, both globally and in the United States. It offers some hope as well, however. It is now increasingly clear that while data security incidents might well be an inevitable part of doing business, there are concrete actions that smart organizations can take – and some that they can avoid taking – which can lower the risks and resulting costs associated with those incidents. Cyber-savvy organizations will train their employees, maintain an IR team and involve their boards as they consider, plan and prepare for cybersecurity incidents. These actions and others will propel these organizations forward and add to their competitive edge in the marketplace.

Recipe for Disaster: as Phishing & Ransomware Attacks Spike, Companies “Turn a Blind Eye”

According to a recent report by the Anti-Phishing Working Group (APWG), phishing activity is at an all-time high. APWG “observed more phishing attacks in the first quarter of 2016 than at any other time in history…the total number of unique phishing websites observed in Q1 2016 was a record 289,371, with 123,555 of those phishing sites detected in March 2016.” (Source: Phishing Activity Trends Report, 1st Quarter 2016, May 23, 2016).

At the same time, ransomware attacks have also spiked. “Kevin Haley, the director of product management at Symantec Security Response, said his group has seen an average of over 4,000 ransomware attacks per day since Jan. 1, a 300-percent increase over the approximately 1,000 attacks per day in 2015…” Ransomware attacks in the first quarter of 2016 are “coming at quadruple the rate seen last year…” according to figures from the group. (Source: fedscoop, “Ransomware attacks quadrupled in Q1 2016,” by Greg Otto, April 29, 2016).

Ransomware activity has spiked in the first half of 2016.

So are companies responding, training their people and prioritizing cybersecurity as one might hope? Apparently not, at least according to a newly published study by Experian Data Breach Resolution and Ponemon Institute.

The study, entitled “Managing Insider Risk Through Training & Culture,” found that 60% of companies surveyed believe that their employees are “not knowledgeable or have no knowledge of the company’s security risks…Additionally, the study showed a lack of concern by C-suite executives. Only 35% of respondents said that senior management sees it as a priority that employees are knowledgeable about how data security risks affect their organization.” (Source: Infosecurity Magazine, “Orgs Turn Blind Eye to Risky Employee Behavior,” by Tara Seals, May 23, 2016).

“While employee-related security risks are the No.1 concern for security professionals, organizations are not taking adequate steps to prevent negligent employee behavior.”

According to Infosecurity Magazine, which reported on the study, other findings of concern revealed that:

  • less than half (46%) of surveyed companies make training mandatory for all employees;
  • 60% of companies do not require employees to retake security training courses following a data breach, “missing a key opportunity to emphasize security best practices;”
  • about 43% of companies provide only one basic course for all employees;
  • phishing and social engineering attacks are covered in less than half of basic programs; mobile device security in 38%; and using cloud services safely is covered in less than a third (29%);
  • 67% provide no incentives to employees for being proactive in protecting sensitive information or reporting potential issues; and,
  • only 29% mention security in performance reviews. (Source: Id.)

These findings are a real concern. They make clear that despite increasing cyberattacks, especially those like phishing and ransomware that are directed at employees, organizations are not taking the steps necessary to prepare those employees to defend themselves and their company. We can only expect employees to ‘play their part’ in cyberdefense if and when we train them and make them aware of the dangers. Successful, savvy business leaders will do that, and they will make cybersecurity a priority in the months and years to come.

John Ansbach on IoT, Cybersecurity & the Technology Trends of Tomorrow