Category Archives: Uncategorized

What the Latest Cybersecurity Reports are Telling Us

Over the past few weeks, Verizon, Symantec and others have published a number of in-depth reports setting out the state of cybersecurity here in the U.S. and globally. These reports, including Verizon’s 2017 Data Breach Investigation Report (VDBIR) and Symantec’s Internet Security Threat Report (ISTR),  set out in detail the types of threats facing organizations and, in doing so, provide something of a road map for how organizations can prepare for and defend against cyberattacks.

“Symantec has established the largest civilian threat collection network in the world [that] monitors threat activities in 157 countries and territories…”
To follow, then, are 10 takeaways and excerpts from these reports, as well as a few suggestions for how to move forward:

• The frequency of ransomware attacks (a cyberattack that limits a user’s access to their system, network or data unless and until a ransom is paid) increased 50% in 2016 compared to the year prior. (Source: Fortune | Tech, Data Sheet — Saturday, April 29, 2017, by Robert Hackett, citing the VDBIR).

• In 2016, ransomware was “one of the top five most common varieties of malware, rocketing from 22nd place in 2014.” (Source: Id.)

• “The United States continues to be the region where ransomware is most prevalent, where more than 1/3 of all ransomware infections were logged in 2016.” (Source: Symantec April 2017 Internet Security Threat Report, p. 57).

Business email compromise (a/k/a “BEC,” sometimes called “wire transfer fraud”) and email account compromise (a/k/a “EAC”) scams “continue to grow, evolve, and target small, medium, and large businesses. Between January 2015 and December 2016, there was a 2,370% increase in identified exposed [BEC/EAC] losses.” (Source: Federal Bureau of Investigation Public Service Announcement Alert Number I-050417-PSA, May 4, 2017).

• The FBI estimates BEC/EAC scams have cost organizations more than $5 billion in losses over the past three years. (Source: Id.).

Overall email malware rate “increased significantly during 2016, from 1 in 220 emails sent containing malware in 2015, to 1 in 131 emails in 2016 (that’s a 40% increase) (Source: ISTR).

Email malware hit small- to medium-sized businesses the hardest (251-500 employees); these businesses saw the highest rate of malware in email traffic at 1 in every 95 emails received containing malware. (Source: ISTR).

“The BEC/EAC scam continues to grow, evolve, and target small, medium, and large businesses. Between January 2015 and December 2016, there was a 2,370% increase in identified exposed losses.”

90% of all data breaches are attributed to phishing emails. (Source: Malware Year in Review 2016, published by PhishMe).

63% of all phishing attacks were used to deliver malware designed to siphon information and data from victim’s environments to the threat actor. (Source: Id.).

• While the number of data breaches in 2016 remained steady compared to 2015, the number of identities stolen increased significantly. Almost 1.1 billion identities were stolen in 2016, a big jump from the 563.8 million stolen in 2015. (Source: ISTR).

There is a lot of good information in these reports and others, the cumulative effect of which is to shine a bright light on the cybersecurity problem facing organizations in the United States and globally.  The problem can be, frankly, overwhelming for many, which is why focus is so important.

Smart leaders will digest these reports and identify what’s applicable and relevant to their organizations, only. Don’t try and tackle the universe of cybersecurity issues. Instead, deliberately pursue a strategy of preparedness (technical and cultural) for the threats you’re most likely to face. Be comprehensive, for sure, but train employees to resist threats they are most likely to encounter (ransomware, phishing, BEC) so that training can be effective and productive.

It certainly can be a scary time right now as these reports illustrate. But with dedication of time, energy and resources, organizations large and small can prepare and be ready to defend the fort against those seeking to do damage or profit through cyberwarfare.

Could an Augmented Reality Solution Help you Work Smarter?

When I think of virtual reality (“VR”) or augmented reality (“AR”), I usually think of a teenager and his buddies wearing their goggles, playing Call of Duty®, eating Cheetos® and blowing stuff up. Like most folks I know,  I do not usually think of VR and AR in the context of business, or as a tool that can be used today to drive productivity, enhance training and improve worker safety. Times, however, might be a changin’…

A field tech’s AR-supplemented view layers instructions and part numbers on top of the physical to help him complete the work quickly and safely.

According to TechTarget, “Augmented reality is the integration of digital information with the user’s environment in real time. Unlike virtual reality, which creates a totally artificial environment, augmented reality uses the existing environment and overlays new information on top of it.” (Source: TechTarget WhatIs?).  Put a little more simply: with AR, folks in the workplace can wear glasses or headsets that allow employees to see the world as is, while also layering ‘on top’ of that view additional computer-generated information, including everything from directions and instructions to warnings, part numbers, etc.

For a great example of this, check out this video demo (see YouTube screenshot, above). In the video, a field tech outfitted with Vuzix AR glasses is dispatched to fix lights in a stadium that have gone out during a soccer match. Using the glasses, the tech is able to quickly locate the correct workspace with step-by-step directions, enter the restricted area using the door code he’s provided, replace the faulty part via the guided instructions he receives real-time, and even schedule follow up maintenance with the live support connection. (Source: YouTube, “SAP and Vuzix bring you the future of Field Service,” Feb. 24, 2014). The field support call is fast, seamless, efficient and safe, allowing the match to get back underway in no time.

“Augmented reality (AR) holds a lot of promise for businesses looking to work smarter.”

It turns out there are a lot of these types of solutions in development that organizations large and small are looking at in order to improve performance and customer service. An article published by ZDNet last year discussed some of these solutions and identified ways in which AR might “transform business,” including:

  • Training.  “Unlike a real-world training scenario, a trainee can play through an AR situation as many times as they need to grasp a concept or a procedure. Training can also be a lot more elaborate — it’s far simpler to have someone take a virtual car engine apart than a real one — and be repeated with as many people as necessary.”
  • Visualization. “Melding the virtual and the real in this way offers designers a way of interacting with virtual 3D models of their creations as if they were physical, real-world objects.”
  • Customer Service. “[A retail] sales assistant at a make-up counter could use AR glasses to help the customer buy cosmetics that best suits them…Not only could the assistant see what the customer would look like wearing different make-up, they could also get guidance on how to apply it.”

(Source: ZDNet, “Five ways augmented reality will transform your business,” by Nick Heath, February 1, 2016).

It seems there is a lot of energy surrounding and attention being paid to AR in the workplace at the moment. According to Gartner, the emerging technology has moved out of the “inflated expectations” phase and is now rounding the “trough of disillusionment” on its famed “Hype Cycle.” The tech is also getting serious play at conferences, including the recent CES (Jan 2017), and the upcoming AWE (Augmented World Expo), which will take place May 31-June 2 in Santa Clara (showcase of “200 exhibitors spearheading the widespread embrace of these [AR] technologies by companies in industries including manufacturing, training, transportation, retail, healthcare, aerospace, entertainment and more.”) (Source: ReadITQuik, “How AR + VR is Changing Business,” by News Desk, March 22, 2017).

In short, given recent advances in AR technology and the relevant, applicable solutions now being developed and deployed, it would seem now is the time for leaders – tech-savvy and otherwise – to be asking, “Could AR help us do what we do, better?”

Small Business, Big Data: a (Tech) Match Made in Heaven

The term “big data” has been around for a little while now. Even so, ask most folks what it means and you’ll likely get all kinds of answers. One common characteristic of the answers you’ll often get, however, is that “big data” is something “big companies” use to sell more, do more, and make more money.

The idea that big data is only for big companies couldn’t be further from the truth. Over the last few years, costs associated with big data have declined while big data “self service” tools have become increasingly available (meaning small  business leaders – many without technical expertise or an IT staff – can leverage big data tools and applications themselves). (Source: Small Business Trends, “Making Big Data User Friendly For Small Businesses,” by Jeff Charles, Jan. 19. 2017). As a result, big data has become accessible not just to big companies, but also to small business owners and their non-technical leaders who want to get into the big data game.

“Through its numbers, small business can quickly recognize improvement and erosion, commonality and outliers, etc. Measurement quickly becomes insight when continually and critically reviewed.”

Being ‘in the game’ and ‘competing smartly’ can be two separate things, however. To ensure best outcomes, a deliberate thoughtful approach is required. To follow then, originally set out in full in a wonderful Entrepreneur Magazine article last year, is a short list of action items to help small business leaders leverage big data tools to their fullest potential (Source: Entrepreneur, “The Big Deal About Big Data for Small Business,” by Carol Roth, July 19, 2016, citing Marina Erulkar, founder and principal of Hampstead Solutions LLC).

  • Ask: What do you really need to know? “Create a learning agenda so that you will have the intelligence — and the data that supports it — in advance of that need…Defining and collecting the data that supports anticipated, essential intelligence needs to happen in advance so that progress is not slowed, interrupted, or driven off course.”
“The emergence of (big data) self-service solutions [ ] has been slowly opening the gates for small businesses and the opportunities to leverage internal data are growing.”
  • Ignore the noise. “To make the most of big data, small businesses must be laser-focused on their intentions and goals, being selective about what they consider, and disregarding the rest…discipline is key to harnessing the power of big data and without it, it’s too easy to become overwhelmed by the metrics that can be generated. Just because you can measure it doesn’t mean that you should.”
  • Analyze (and Repeat).  Once you get the info, spend time with it. Critically analyze the results of your big data analysis efforts, and then do it again. And again. “Understanding the implications of measurement requires critical thinking. You must know your business, your objectives, and your numbers in order to be successful at this crucial step….Establishing iteration as a process will ensure that small businesses continually improve as data-driven opportunities are recognized.”

Big data is an incredibly powerful tool that can be leveraged to truly understand a business and make meaningful adjustments in order to drive performance and improve outcomes. And there is no longer any reason in the world why this tool can’t be used by small business leaders. Using self-service tools increasingly within the budgets of those on a budget, small businesses can take advantage of big data. With a deliberate and focused approach, and a commitment to understanding results, small business leaders in any industry can now reap the benefits of big data tools previously reserved for only the biggest businesses among us.

To Resist Top Business Cyberthreat Ransomware, it’s all about Prevention

Well, the results are in and we have a winner…ransomware wins first place for the top global cybersecurity threat of 2016.

According to a recent report by cybersecurity company SonicWall, ransomware attacks (malware that prevents or limits users from accessing their system or data unless a ransom is paid) soared in 2016, up 167 times the number recorded in 2015. (Source: Computerworld, “Ransomware soars in 2016, while malware declines,” by Matt Hamblen, February 7, 2017, citing the SonicWall report). “Ransomware attacks rose from 3.8 million in 2015 to 638 million in 2016…SonicWall theorized that ransomware was easier to obtain in 2016 and that criminals faced a low risk of getting caught or punished…Ransomware was the ‘payload of choice for malicious email campaigns and exploits,’ SonicWall said.” (Source: Id).

“…ransomware attacks soared, up 167 times the number recorded in 2015.”

The report concluded that in 2016, “the most popular malicious email campaigns were based on ransomware [ ] which was deployed in more than 500 million total attacks throughout the year.” It also indicated that, “No industry was spared: the mechanical and industrial engineering industry got 15% of the ransomware hits, while pharmaceuticals and financial services companies each got 13%, while real estate companies got 12%.” (Source: Id.).

So, if you are a business leader in one of these (or any other) sectors, what can you do to resist the onslaught of ransomware cyberattacks? Focus on prevention. “Most security experts agree that it is almost impossible to recover data that might have been encrypted in a ransomware attack without access to the decryption keys, or to a backup copy of the affected data. So the focus has to be on prevention.” (Source: DARKReading, “Here’s How To Protect Against A Ransomware Attack,” by Jai Vijayan, February 4, 2016).

According to experts, there are a good number of actions (technical and non technical) leaders can take to prevent ransomware. Here are my top three:

  • Have Backup. “Having a robust data backup process can go a long way in blunting the threat posed by ransomware. In fact, it is often the only way to recover data if you are unwilling to pay the ransom demanded by an extortionist.” (Source: Id.)
“Recovering data encrypted by a ransomware attack is next to impossible, so prevention offers the better approach.”
  • Develop a Response Plan. “Time is critical for an organization faced with a ransomware deadline. Online extortionists typically give organizations a very specific time limit within which to pay…They deliberately don’t give enough time for an organization to figure out if it can try and unlock the data without paying any ransom. So it is important to have a plan in place describing what needs to happen in the event of a ransomware attack. ‘The last thing you want is to be doing a Google search for a local forensics experts at 2am on a Saturday morning.’” (Source: Id.)
  • Train (Test and Re-Train) Employees. There may be no better non-technical defense against ransomware than training and empowering employees to recognize and resist emails used to deliver ransomware malware. But ‘train, fire and forget’ won’t cut it. “Raising awareness about ransomware by educating staff about the dangers of clicking on attachments or links in emails is clearly important as a baseline security measure. But it only takes one employee to lower their guard on one occasion for an organization to be compromised…companies such as PhishMe provide technology to help keep employees on their toes by sending them simulated malicious emails on an ongoing basis; if an employee clicks on a simulated malicious link, they get feedback to help ensure that they don’t fall victim to a similar email again.” (Source: eSecurity Planet, “How to Stop Ransomware,” by Paul Rubens, January 31, 2017).

Ransomware has clearly been the chief cyberthreat for business in the last year, and if the first month or so of 2017 is any indication, this year will be no different. (See, “Ransomware expected to dominate in 2017,” ComputerWeekly.com, by Warwick Ashford
January 6, 2017). Business leaders will have to face the ransomware cybersecurity threat head on, and do so deliberately, methodically and purposefully. Only by taking this threat seriously, and preparing a business and its employees accordingly, will leaders prevail in this fight. And only then, when an organization can access and protect its information and that of its customers, will leaders be able to focus on the myriad of other day-to-day efforts to make their business truly great.

For a more complete list of action items and methods that can be used to combat and resist ransomware, both technical and non-technical, check out the DARKReading.com article, as well as the eSecurity Planet article.

Could “Russian hacking” actually make Americans care less about Cybersecurity?

Trump. Russians. Hacking.

Over the last few months, cybersecurity (and specifically “hacking”) has been at the epicenter of the national conversation. These issues have been in the news now more than ever primarily as a result of our recent presidential election and allegations by intelligence officials and others that Russian hacking of the Democratic National Committee (DNC) (and others) altered (or tried to alter) the outcome of our presidential election. It seems like almost every day, especially in late December and early January, there was an article, update or new revelation about Russian hacking, the DNC, calls for congressional hearings, Fancy Bear or sanctions.

The President Elect has tweeted repeatedly about Russian hacking, keeping the cybersecurity issue front and center in the minds of Americans.

Now usually, when there is a major cybersecurity story in the news (think Target, Home Depot, Yahoo!) cybersecurity professionals welcome the exposure (if not the incident), because the result of the attendant media attention often drives cybersecurity awareness leading to folks to be more concerned about how to protect themselves and their companies, as they should be.

The allegations of Russian hacking of our elections might mark a significant departure from this typical, cybersecurity incident silver lining, however. Here’s two reasons why:

  1. Politicization. According to a new CNN/ORC poll, while nearly 2 in 3 democrats believe Russian hacking “ruined Democratic candidate Hillary Clinton’s chances,” only 10 percent of Republicans agree.  (Source: theblaze, “Poll: Majority of Americans believe Russian hacking did not impact election outcome,” January 17, 2017, citing CNN/ORC poll).  Party affiliation is influencing views on this particular cybersecurity incident. Republicans want to “move on” and blame the DNC for operating insecurely. Democrats want hearings and sanctions. Ultimately, a cyberattack is a criminal action. What we want in a post attack “lessons learned” analysis is an open discussion about how to prevent such attacks in the future. With Americans so divided over the Russian cyberattack, it seems highly unlikely that will happen. It seems this incident makes it actually more likely that future cyberattacks will produce similar arguments on effect, attribution and fault, further limiting any positive outcome for the good of the country or any community.
  2. Over exposure. Every day, another Russian hacking story. There is every indication that this Russian hacking conversation is simply too much for people to digest and make sense of, especially in any detail. Honestly, how many Americans have read deeply into any of the stories or reports to understand who Crowdstrike is, who Fancy Bear or Cozy Bear are, what a SeaDaddy tool is, what operation “GRIZZLY STEPPE” was, or, in the case of John Podesta’s email hack, how multi-factor authentication might have prevented the incident in the first place (or what MFA is, anyway). When something is overwhelming, like this story has been, folks don’t embrace and learn from it, they run the other way.
Cybersecurity is a life and death matter, as shown by a recent Hamas operative cyberattack aimed at Israeli troops to learn their whereabouts and movements.

All of this presents a real problem in terms of increasing cybersecurity awareness and motivating people to act securely and responsibly in their personal and professional lives, especially considering what’s at stake and what lies ahead.

In the very near future, the Internet of Things will create for us a world of Internet-connected devices. Projections vary, but conservative estimates indicate there will be as many as 24 billion connect devices by 2020 (think shoes, TVs, clothes, cars, crock pots, refrigerators as well as factories and the machines in our power plants and water treatment facilities) (Source: Business Insider, “The IoT 101 Report: Your essential guide to the Internet of Things, January 12, 2017). With so much of who we are and what we do on the ‘Net, we need people to be more concerned and more united around resisting cybercrime, not less.

As for what’s at stake? Consider a recent story about Hamas’ use of a cyberattack on Israeli soldiers. Hamas operatives posed as cute girls in texts with the soldiers. The goal was to get the soldiers interested, get them to agree to a video chat, and then have the soldiers download what they were told was a video chat program that would let them connect. In reality, the chat app, called WoWo Messenger, was a delivery method for malware, the intent of which was to provide information on troop location and movements to Hamas for military operations. (Source: BleepingComputer, “Israeli Military Tricked Into Installing Malware by Hamas Agents Posing as Women,” January 16, 2017). The lesson is clear: cybersecurity is no longer about hacking enthusiasts “messing with” companies or the government just to show they can. Cybersecurity, very often about money, theft and fraud, is also about life and death, and as such should be addressed deliberately, carefully, intellectually and ultimately with a united front to be successful.

Will the recent Russian hacking incident make Americans care less about cybersecurity? It may be too early to tell. But the lessons for savvy business and organizational leaders couldn’t be more clear. Stay focused. Hacking is very real, and it is increasingly being done in more sophisticated ways by foes near and far. Put politics aside, understand the criminal intent of those that would do you or your organization harm, understand the environment and what’s at stake, and then act accordingly. It’s only going get tougher from here on in – let smarts, vision and courage be your guide.

What Business Leaders Need to Know Now about Recent, High Profile DDoS Cyberattacks

Over the past several weeks there has been a lot of talk in the media about DDoS attacks, especially “Mirai malware,” botnets for rent, Chinese-built webcam recalls and the “destructive power” of the Internet of Things (“IoT”). For the uninitiated (or disinterested), this sounds like a lot of “tech talk” reserved for real and wannabe tech geeks (like me) to ruminate about.

The very real reality, however, is that these recent, high profile IoT (connected device)-driven DDoS (distributed denial of service) cyberattacks are very much a “business” matter for business leaders to address, as these attacks have the potential to disrupt operations for significant periods of time, and to cause physical harm to corporate assets and even personnel.

“A growing mass of poorly secured devices on the Internet of things represents a serious risk to life and property.”

By way of background, here is a short, quick list of recent events that have highlighted this threat:

“A new monster botnet, which hasn’t been given a name yet, has been spotted in the wild launching massive DDoS attacks.”

What these events of the past 90 days show us is that cyberthieves have (most would say, predictably) managed to combine a known, common (and mostly defensible) cyberattack method (DDoS) with the Internet of Things (a world of connected devices) to launch massive, historic-by-proportion cyberattacks against organizations around the world. More specifically, attackers can now use unsecure, commonplace devices such as webcams, refrigerators, and fax machines as conduits to launch massive traffic attacks that can disrupt and shut down businesses whose systems are connected to or dependent on the Internet.

Because the overwhelming majority of organizations and businesses alike are, in fact “connected to or dependent on the Internet,” this means that IoT-driven DDoS cyberattacks now represent a major cyberthreat to the business community. Savvy, informed leaders will be quick to recognize and understand this threat, and to work with their IT teams and the organization’s IT partners and providers to understand just how vulnerable they in this environment. Steps should be taken to identify vulnerabilities and to put in place incident response plans so that everyone within the organization knows who should be doing what and when and with whom in the event of such an attack.

IoT-driven, mass-traffic DDoS cyberattacks are technical in nature, but their impacts are not. Organizations who understand and recognize this reality will be better prepared and ready if and when they do face this twisted, criminal effort.

 

Businesses Beware: Wire Transfer Cyberscams Likely to Increase over the Holidays

It’s well documented that cyber threats and attacks tend to rise around the holidays. People are busy, they get distracted, and cyber thieves know that.

We’re likely to see that in the coming weeks, for sure, especially with a specific type of business cyberattack known as “wire transfer fraud,” or as the FBI calls it, “business email compromise” or “BEC.”

bec-3-billion
“According to the FBI, in October 2013 through May 2016, US and foreign victims have reported 22,143 BEC-related cases, resulting in a 1300% increase in identified losses since January 2015.”

BEC is a pretty straightforward scam: cyber criminals send an email to a company’s accounting or finance employee pretending to be the CEO or other high level executive. The email requests that a wire transfer be made – allegedly for business purposes – and when that transfer is completed, the company finds out the unwitting employee sent the money to an account in a foreign country where it’s difficult, if not impossible, to retrieve. Ubiquiti Networks was swindled out of almost $47 million thru just such a BEC attack; and, more recently, Leoni AG lost €40m after a company CFO unwittingly transferred funds to hacker’s bank account. (Sources: CIO Magazine, “How to Prevent CEO Fraud,” by Chris Carroll, October 27, 2016; International Business Times, “Cable giants Leoni AG lose €40m after CFO transfers funds to hacker’s bank account,” by Mary-Ann Russon, September 2, 2016).

What’s different these days with BEC attacks from previous years is the level of sophistication and social engineering that goes into them, helping thieves to appear more legitimate even to a discerning employee (the Leoni AG attackers knew which of the four factories were authorized to make wire transfers). These tactics have helped cybercriminals create a serious threat to business, stealing more than $3 billion from domestic and international victims. (Source: TrendMicro, “BEC Scams Amount to $3 billion According to Latest FBI PSA,” June 16, 2016).

The good news for businesses and organizations of all sizes is that, for the most part, these attacks are avoidable. Here are 3 easy steps to take to help you, your business and your employees resist the BEC:

1. Educate. The most important thing you can do is educate and inform your team, especially your accounting folks, about this cyberthreat. “Educate executives and your finance team about CEO fraud, and implement training programs around privacy and security. Employees must be vigilant about responding to requests for money transfers or confidential information.” (Source: CIO Magazine).

prevent-ceo-fraud

2. Authenticate. Utilize multi-factor authentication (MFA), “especially [with] financial applications, [ ] so users must confirm their identity when initiating a wire transfer…MFA, which requires multiple methods for identification, is one of the best ways to prevent CEO fraud.” (Source: Id).

3. Create. Empower your IT professionals to be innovative and create technical solutions, for email and otherwise, to help you and your company defend against BEC. “The FBI recommends that security teams create system rules that flag e-mails with extensions that are similar to the company’s. For example, while an e-mail from abc_company.com can be legitimate, the system would flag a similar looking, fraudulent e-mail from abc-company.com.” (Source: Id).

For a longer list of actions you can take to fend off BEC, check out the CIO magazine article here.

The holidays will no doubt bring an increase in cyberattacks as criminals count on you and your employees to be distracted. Fight them off by paying extra attention to your emails and the requests that come through, and by educating, informing and even rewarding your employees for suiting up and helping out to stop BEC before it gets started.

In Cybersecurity, Awareness is Key

Well it’s October again, which means Fall is here, Sundays are for football, folks are picking out costumes for Halloween and, of course, people are paying extra close attention to cybersecurity in recognition of National Cyber Security Awareness Month…right…?

Ok, so maybe not everyone is focused on National Cyber Security Awareness Month, but the program, “a Department of Homeland Security-administered campaign held every October,” does provide a great opportunity to raise awareness of cyber threats, especially as we head into the holiday season, a time when cyberthieves tend to get especially aggressive. (Source: FBI.gov, “National Cyber Security Awareness Month, Cyber Security is Everyone’s Responsibility,” October 3, 2016).

cyber-awareness-month
“[I]t’s important for individuals, businesses, and others to be involved in their own cyber security. And National Cyber Security Awareness Month [ ] is perhaps the most appropriate time to reflect on the universe of cyber threats and on doing your part to secure your own devices, networks, and data.”
So, in the spirit of “NCSA month,” here are three things you and your company can do to heighten your cybersecurity awareness towards remaining vigilant, strong and cybersecure:

1. Conduct Awareness Campaigns. Something you can do throughout the year is send e-mails to your team members (or organization-wide) keeping them informed of the latest cyberthreats, including such threats as the latest ransomware variants (“Cry” or “Fantom,” for example). During NCSA month, specifically, consider sending an e-mail once a week to really raise awareness and stress to employees that it’s everyone’s job to keep the company and its employees and customers secure. The Department of Homeland Security has a number of resources to help with these efforts, as do various private sector vendors. For more from the DHS, check out their website at www.dhs.gov/stopthinkconnect.

2. Rehearse a Data Breach. One thing you and your leadership can do to really raise cybersecurity awareness at senior staff levels is to conduct tabletop exercises that simulate an actual data breach or other cybersecurity incident. Not only will these practice sessions help to put the cybersecurity issue front and center for the company’s key players, but, “Going through the motions of an imaginary attack can help prevent executives from making common mistakes and mishaps during times of crisis…It’s one of the best ways to test one’s incident response team and plan ahead.” (Source: Fortune magazine, “The Best Way for Companies to Prepare for Inevitable Data Breaches: Rehearse,” citing Diana Kelley, executive security advisor at IBM, September 27, 2016).

fortune-mag-rehearse
“Script through an attack at your company.”

3. Conduct a training. There is really never a bad time to conduct cybersecurity training in the workplace, but doing so during NCSA month can both increase awareness and help the company resist an attack.  Since, “Increased investment in employee training can reduce the risk of a cyber attack 45 to 70 percent,” and, “employees are ‘perhaps the greatest evolving security threat,'” it would seem that National Cyber Security Awareness month would be the perfect time to not only better prepare employees, but also raise their awareness of the cybersecurity threats they and their employers face. (Source: BizTimes, “Reduce cyber security risks with employee training,” citing a 2015 study by Wombat Security Technologies and the Aberdeen Group, March 28, 2016).

This month, National Cyber Security Awareness month, is the perfect time for leaders to make cybersecurity a priority and truly empower employees with knowledge and awareness. Set aside some time, collaborate with your colleagues, and take steps that make sense for you and your organization so that when the next cyber attack does come along, you and your folks will be ready, willing and able to mount a strong defense and help defeat those seeking to do harm to your company, your people and your customers.

 

Low Tech ‘Social Engineering’ is Often Key to Successful Cyberattacks

You hear about it in the news all the time now. A company has been “hacked,” leading to the exposure of thousands or even millions of consumer or employee records. Inevitably, there is then the follow on credit monitoring, regulatory action, and some forensic look at how the bad guys “got in” and what variant of the latest virus was used to infiltrate the victim company’s systems.

gizmodo
In depth social engineering supported an attack that cost Leoni AG, one of the world’s largest manufacturers of wires and electrical cables, more than $44 million.

These stories are real and important, for sure, but one thing that has been increasingly overlooked in the headlines is the fact that many of these so-called “hacks” don’t begin in a technical manner at all. Many so-called cyberattacks start with nothing more than good old fashioned “casing” or scouting of the victim company and their employees, often through seemingly innocent phones calls placed to company employees or through the review of easily and publicly accessible online social media accounts (think LinkedIn profiles that tell the world who does accounts payable for company ABC).

This low tech approach, known as “social engineering,” when done well empowers would-be cyber thieves to learn user names, passwords, job titles, functions, responsibilities and other information that is in turn used to perpetrate the follow-on attack.

This attack method was on full display during a “social engineering contest” at last month’s Def Con hacking conference in Las Vegas. Chris Silvers, who won first prize in that contest, called a company employee and pretended he was “filling in gaps in an internal survey the company had sent out to employees — a real survey he’d found on the company’s website during his pre-contest research.” (Source: USA Today, “A hacker’s best friend is a nice employee,” by Elizabeth Weise, Aug. 15, 2016).

“The staffer who answered her desk phone fell for his ploy hook, line and sinker, no doubt soothed by his southern accent and calm conviction he had every right in the world to be asking his questions. He convinced her to go to a non-existent website to sign up for a $10 Amazon gift card for her trouble. When that — of course — didn’t work, he offered to help her troubleshoot the problem.” (Source: Id.).

Ultimately, during a single phone call that lasted less than 25 minutes, Silvers was able to learn a “treasure trove of information about her company’s computer network, antivirus software and web filtering protocols  — more than enough information for a hacker to easily infiltrate the network.” (Source: Id.).

defcon
Chris Silvers, who runs CG Silvers, an independent security consulting firm in Atlanta, won first prize in the social engineering contest held at the DefCon hacker conference in Las Vegas. “You can get everything you need — information about their security, their operating system, what kind of computers they use. Just with a call,” he said.

This same type of social engineering was a key element in a real life multimillion dollar attack just last month on Leoni AG, one of the world’s largest manufacturers of wires and electrical cables. According to media reports, thieves “spoofed emails to look like official payment requests.” The CFO of the targeted Leoni factory then sent more than $44 million (USD) in funds to the thieves after receiving those emails, which were “cloned to look like they came from [the Company’s] German executives.” (Source: Gizmodo, “An Email Scam Cost One of Europe’s Biggest Companies $40 Million,” by Hudson Hongo, Sept. 1, 2016).

Apparently, the Leoni attack was successful largely because of the extent to which the thieves socially engineered their efforts, cloaking their fraud in the appearance of legitimacy.

“Investigators say the email was crafted in such a way to take into account Leoni’s internal procedures for approving and transferring funds. ..The [ ] factory was [also] not chosen at random…Leoni has four factories in Romania, and the [targeted] branch is the only one authorized to make money transfers.” (Source: Softpedia, “One of Europe’s Biggest Companies Loses €40 Million in Online Scam,” by Catalin Cimpanu, Aug. 31, 2016).

The lessons here are clear. Training employees is incredibly important in the defense of cybercrime. And, given the evidence of the latest attacks, that training must be broad enough to ensure that companies and their employees are on the lookout for and prepared to rebuff the social engineering tactics employed by cyber thieves. We’ve moved well past the “Nigerian prince” emails, and now live in an increasingly dangerous environment in which the bad guys are smart, cunning and seriously deliberate about who they target and what they’re after. Companies should be equally as committed, deliberate and thorough when it comes to their defenses – those that do will dramatically increase their chances of staying safe and staying out of the cyberattack headlines.

Toddler Trampling Robots, Killer Cars: What to Do When Technology Fails Us

I’m a huge fan of tech, especially cutting-edge tech that holds the promise of saving lives, keeping us safer and helping us to care for our loved ones. Which is one of many reasons why I was incredibly saddened to hear about two recent incidents in which cutting-edge tech failed, allegedly causing the injury of a child in one case and, in another case, contributing to the death of a motorist.

mall robot toddler
“A mother and father watched in horror as a security robot at a mall in California knocked their 16-month-old to the ground and ran over one of his feet.”

On May 7, an Ohio man was killed in a car crash in which his Tesla Model S, operating in “autopilot mode,” ran into and underneath a tractor trailer. (Source: The Verge, “Tesla driver killed in crash with Autopilot active, NHTSA investigating,” by Jordan Golson, June 30, 2016). This was the first known fatality in a Tesla where Autopilot was active. (Id). It also appears to have been, “the first known death caused by a self-driving car… Against a bright spring sky, the car’s sensors system failed to distinguish a large white 18-wheel truck and trailer crossing the highway…” (Source: The Guardian, “Tesla driver dies in first fatal crash while using autopilot mode,” by Danny Yadron and Dan Tynan, June 30, 2016). The NHTSA notified Tesla it is investigating.

And earlier this month, a 300-lb robot security ‘guard’ on patrol at a mall in California allegedly “ran over” a toddler. The 16-month old boy’s mother said the robot “ran directly into her son — striking him in the head and knocking him to the ground. The robot continued forward, running over the boy’s right foot.” (Source: CNNMoney, “300-pound mall robot runs over toddler,” by Matt McFarland, July 14, 2016). Thankfully, the child was not seriously hurt. “X-rays taken after the incident were negative. The toddler has a scrape on the back of one of his knees.” (Id.).

no new tech
Source: INKCINCT — June 4, 2007

The harsh reality is that technology (especially leading edge tech) will never be “perfect.” Technological advances often require many iterations before realizing their full potential and certainly before  meeting consumer expectations and attaining mainstream acceptance. Even then, no technology is perfect. In ten years, self-driving cars will still be involved in accidents.

The question is not, however, one of “perfection,” but of advancement. Are we better off with significantly fewer accidents on the road (and thousands of lives saved), or are we so outraged when technology fails us that we reject advancement and regulate progress away? Do we value a drop in crime that results from automated robots patrolling a mall, or are we so incensed at the injury of a child (and rightly so) that we take all the robots “offline?”

I respectfully suggest that the answer is, “both.” (taking my cue from my three and half year old son who tells me it’s not “or” daddy, it’s “and,” when I ask him to make a choice he doesn’t like, either). Consumers and companies alike must reject the false choice of wholeheartedly embracing tech or rejecting it outright. We should be angered when tech fails us, and we should value and support the advances that the same tech has produced and enjoy the improved safety it provides. (See this July 21 report of a Tesla Model S’ Automatic Emergency Braking system reportedly saving the life of a pedestrian in Washington, D.C.). There will never be a time when technology is 100% fool proof. But if we can be deliberate and thoughtful about our approach to tech, if we can embrace the advances and manage the setbacks as they inevitably occur, we may then be able to improve our world, improve our lives and improve our communities through technological advancement without sacrificing who we are or what we value. Companies and organizations that understand, acknowledge and evangelize that truth will inevitably come out on top.