Supply Chains — Your Weakest Link?

With COVID-19, all businesses are getting their bearings in uncharted territory.  Trying to work through the changing restrictions.  Managing remote work forces.  Adapting to changing client needs.

As you go through your business continuity checklist or contingency plans, don’t forget to include your suppliers and related third parties in your considerations.  You might have the resources to weather this, but do they?  And, if a critical vendor to your supply chain is unable to deliver what does that do to your ability to deliver?

Make sure you take the time to evaluate your supply chain.  If you haven’t done so already, at minimum, take these steps:

  1. Prioritize your supply chain vendors: Go through all your vendors and ask yourself what would happen to your business if the vendor could not deliver.  Prioritize each vendor based on the risk they pose to you should their commitments fall through.
  2. Get on the phone with your highest risk vendors. Talk with them about this current situation.  Learn what strategies they have in place to respond to any potential disruptions to their workforce, operations or critical third-parties they have.  Get details and be prepared to probe as if they were part of your business.  Because, after all, they are.
  3. Treat those vendors like a partner. At this point, you need each other.  Be prepared to restructure deals or assist in other ways to help your vendor keep up its commitments.  It will help you keep clients and pay off in spades down the road.
  4. Don’t let quality control fall by the wayside. When stretched, certain things might fall short.  However, at the end of the day, you want to make sure you are delivering a reliable product to your customers.  Make sure you continue to do the right things to ensure your vendors are providing a quality product.
  5. Make contingencies. Some vendors will be there with you and for you (and you for them).  Some will not be able to.  It’s important to review the contractual commitments you have and to explore alternatives.  It may not be easy to switch horses in mid-stream, especially when the stream is raging, but you may not have any choice.

Napoleon once said that an army marches on its stomach, meaning that it is critical to focus on making sure it is well provisioned.  One could say that a company, indeed the entire the economy, marches on its supply chain.  Make sure you understand where it is strong and especially where it is weak.

The time you spend with your supply chain might make all the difference.

 

Coronavirus and Cybersecurity: The Human Factors

In the past, cybersecurity threats tend to increase in times of crisis. Now, bad actors are already using the coronavirus pandemic to their advantage. Employers are beginning to ask employees to work from home, and there are already numerous articles on security concerns about remote access. And while it is certainly important to ensure remote access systems are properly secured, it is equally as important to understand the human factors that create certain security vulnerabilities. Mass confusion and panic often lead to faulty or rash decision making, which is precisely what scammers are banking on now. A study by Check Point, for instance, revealed that coronavirus-related web domains are 50% more likely to be malicious than other domains.

When considering the coronavirus and cybersecurity, it is important for employers to use cyber awareness training to ensure employees continue to think critically and use proper judgment online. Here are four key areas to help employees limit their risk of exposure:

Use Multi-Factor Authentication

Perhaps the most important measure you can put in place is to make sure that all remote users are required to use multi-factor authentication (MFA) when accessing your system.

Device Security

Businesses need to ensure all employees that are working from home are taking appropriate steps to keep sensitive information safe. Anyone using remote access needs to be trained in the use of essential endpoint protections. VPNs, for example, are extremely important to make sure logs can’t be sniffed out by others in the neighborhood.

Employees should also be reminded of basic measures to take with personal devices. Screen and application time-outs should be set up to limit the risk that unwanted eyes around the house can view sensitive information and communications.

To limit the impact of stolen or lost devices, all sensitive information should be fully encrypted.

Online communication

Employees should be updated about current phishing campaigns that are taking advantage of the confusion and panic surrounding the coronavirus. The World Health Organization recently released a statement warning of fake emails posing as the WHO to steal money, information, and credentials. According to The Wall Street Journal, the WHO is receiving daily reports of coronavirus-related phishing schemes.

Working remotely will also require expanded use of online communications such as email, video services, and phones. It is therefore important that all communications relating to business should only take place through company-approved communication services. It is difficult to monitor the security of personal and social media messaging services and should not be used for any business-related communications.

Reporting and Incident Response

Being aware of increased cyber threats is only half the battle. Employees also need to understand how and when to report any suspected incidents. Keep help desks up and running, and encourage employees to be overly cautious in reporting any suspicious emails or activity. Employees need to know that someone can help if they think any information is at risk. 

Incident response teams should also be briefed on and prepared for any threats related to remote access work. Not only should response teams understand the current threats, everyone involved should have a clear understanding of how communication and responses will be carried out remotely. Because previous response simulations were probably conducted in-office, it is helpful to run a test response using only remote communication.

Communicate and Connect

Companies are ecosystems and healthy corporate ecosystems are a function of purpose, recognition, connection and intentional urgency.  All of which feeds into employee actions, whether it involves cybersecurity issues or marketing or administration or service issues.  Companies which do a better job of communicating what is going on in their organization and connecting with their remote staff and acknowledging their respective situations create a caring environment which helps everyone pay attention to little things – like perhaps not clicking on that strange link or hiding the fact they accidentally sent the wrong person confidential information.

Conclusion

Given the severity of the ongoing coronavirus crisis, bad actors are counting on an increase in confusion, panic, and fear to profit and cause further disruption. The coronavirus and cybersecurity concerns need to be considered, Above all else, employers need to do their part to ensure workers stay well-informed and secure. Working at home might mean we can dress a little more casually, it doesn’t mean we should be any less serious about threats online.

Beyond Compliance

Like the often quoted phrase, “A camel is a horse designed by committee”, compliance regulations often do more to over complicate issues than solve them.  At the same time, companies that just focus on meeting compliance standards can miss addressing the risks the compliance measures were designed to mitigate.

After all, Target Department Stores successfully passed a PCI audit two months before their massive breach in 2013.

Naomi Lefkovitz of the National Institute of Standards and Technology perhaps said it best when discussing privacy risk at a conference last month in Brussels.  “If you do something that upsets your customers from a privacy standpoint and then you tell them  ‘Well I’ve done everything correct under the law’ will they be any more satisfied?  Probably not.  That’s privacy risk in a nutshell.”

When focusing on cybersecurity or data privacy, the key is to understand what your risks are.  In many cases those risks will involve other parties and you need to determine the impact that an incident will have on them when you determine how to and where to take preventive action.

“Focus on your customers and your employees and the business will take care of itself,” is another often quoted phrase.  If you do that as you put together your cybersecurity and data privacy practices, compliance and the rest of the business will take care of itself, as well.

 

Targeted Ransomware Attacks on the Rise

At the end of February, security experts at RSA 2020, a leading cybersecurity conference, warned that an increase in targeted ransomware is likely. These concerns echo a statement released by the FBI in October that ransomware attacks are becoming “more targeted, sophisticated, and costly.”

Ransomware is a form of cyber-attack that hackers use to encrypt information on victims’ systems then demand a ransom before giving the victim back access to their files. In the past, these attacks were aimed primarily at individual consumers. However, in the past 2 years ransomware attacks have dramatically shifted focus toward businesses and institutions, including government agencies. According to a report by Malwarebytes, there was a 263% increase in ransomware targeting organizations in the second quarter of 2019.

Easy Money

So what exactly has led to the increase in ransomware attacks against businesses? Well, while there are a number of factors contributing to this trend, the main answer is money. According to the Malwarebytes report, attackers found that focusing on businesses provides a larger and more consistent return on investment. Not only do hackers expect businesses to have more money than indyuvial consumers, the loss of data can prove more harmful and costly for organizations than a single person. This gives businesses a larger incentive to pay up. What’s more, ProPublica has written a series of articles detailing how insurance companies and other firms offering ransomware solutions often opt to simply pay the ransom rather than work to unlock encrypted files by other means. Hackers are therefore becoming more and more confident their victims will cough up the money.

However, ransomware attackers are also learning they don’t even need the ransom to make money off their attacks. Ransomware-as-a-service (RaaS) is a growing business model on the dark web, where groups will build and sell ransomware kits to those without the technical know-how to carry out an attack on their own. RaaS has therefore made ransomware a more accessible method of attack, contributing to the rise in attacks we have seen in the past few years.  

Protect and Prepare

Given the dramatic rise in ransomware attacks against organizations, every business needs to invest time and energy in protecting against and preparing for the possibility of a ransomware attack.

Protecting yourself from a ransomware attack largely involves getting back to the basics of cybersecurity. Upgrading and patching outdated operating systems and software regularly, using anti-virus and malware protection, and restricting access privileges only to those who need them will all help to decrease the risk of an attack. Regular penetration test and vulnerability scans will show the areas in your systems that need the most protection. Routinely backing up your systems and information and testing those backups is also essential. If a ransomware attacks locks up your files, having a recent backup of your information could be one way to ensure access without paying a ransom.

However, even if you take every possible preventative measure, you can’t just assume you won’t be targeted. Given the dramatic increase in ransomware attacks, it is essential to also plan your response if something ever happens. Incident response teams should therefore understand the response plan and simulate ransomware attacks to ensure preparedness and find ways to strengthen your response should the worst happen.

Are These the Cybersecurity Guidelines “To Which Nobody Can Deny”?

It may seem that when you seen one set of cybersecurity guidelines, you’ve seen……one set of cybersecurity guidelines.  Every vendor, every regulation, every client is looking for something similar, but not quite the same when it comes to cybersecurity.  Maybe there’s some hope, for U.S. businesses, at least, coming from the Securities and Exchange Commission.

At the end of January, the SEC’s Office of Compliance Inspections and Examinations (OCIE) released a report of cybersecurity guidelines based on observations made during “thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants.” The report details a series of cybersecurity practices within 7 key areas of concentration:

#1 Governance and Risk Management

The report emphasizes the role senior leadership needs to play in defining and implementing cybersecurity strategies for the organization. Board members and other senior leaders should oversee the adoption and regular updating of policies and procedures based on an organization-specific risk assessment as well as establish proper communication channels regarding cyber threats throughout all levels of the organization.

#2 Access Rights and Controls

The report also highlights the need for organizations to limit access to sensitive information only to those who need it for specific and legitimate purposes. The OCIE recommends organizations frequently reevaluate access privileges and implement systems to monitor unauthorized access attempts.

#3 Data Loss Prevention

The OCIE also outlines a number of steps organizations should take towards preventing the loss or exposure of sensitive information. This includes measures such as frequent vulnerability scans, encryption and network segmentation, and insider threat monitoring.

#4 Mobile Security

Organizations should also have policies and monitoring systems in place for the use of mobile devices for business purposes. The OCIE recommends training employees on mobile security as well as requiring the use multi-factor identification for any business applications used on mobile devices.

#5 Incident Response and Resiliency

Developing and testing a response plan for any cybersecurity incidents is also an important area for organizations to concentrate. The OCIE recommends assigning and training specific staff members in incident response, simulating an incident to test response effectiveness, and updating the response plan based on testing.

#6 Vendor Management

Because vendors may have access to an organization’s information, the OCIE also recommends implementing policies to assess and monitor vendors’ security posture. This includes reviewing vendor contracts and implementing a vendor management program.

#7 Training and Awareness

Lastly, the OCIE encourages organizations to provide training in cybersecurity for all employees. Organization leadership should develop the training based on the their specific security policies and use training programs that actively engage employees.

Implications

While the cybersecurity guidelines that the OCIE outlines cannot ensure compliance or prevent liability concerns, many consider the report as a strong and practical roadmap for organizations to consider. In an article for the Legal Intelligencer, Devin Chwastyk laments the legal ambiguity of what is considered “reasonable care” with regards to safeguarding sensitive information and sees the steps outlined in the SEC’s report as offering “practicable (and understandable) advice on how [organizations] might start to try to avoid liability for a data security incident.” The National Law Review also notes that, while the report is aimed at the financial sector, it provides “helpful benchmarks” for a variety of industries. Moreover, given the SEC’s strong focus on cybersecurity in the past few years, there is speculation that this report could help inform regulation enforcement determinations in the future.

Creating a Vaccine for Phishing Attacks

Creating a Vaccine for Phishing Attacks

Another day another phishing story.  According to reports a scammer recently sent out emails to a Texas school district posing as one of the district’s vendors and requested a series of payments. One month later, the district realized they had been conned out of $2.3 million. 

Unfortunately, stories like these are increasingly common 

Not unlike propaganda, social engineering and phishing campaigns are forms of attack that rely primarily on deception and disinformation. Defending against these attacks therefore requires more than technical defenses. Instead, it’s necessary to look at strategies used to combat disinformation in general.  

A Vaccine for Social Influence

Inoculation theory is one such strategy and has been gaining steam recently. The main premise of the theory is that the best way to defend against manipulation and unwanted influence is through exposure to the influence in a smaller, weaker form. Exactly like a vaccination.  

In general, the application of inoculation theory involves three basic elements: 

Threat 

The first step is so obvious that it’s can be easy to overlook. If you want to defend against a threat, you first need to be aware that the threat exists.  For instance, if your employees don’t know what a phish is, they are far more likely to get tricked by oneOne study found that the simple awareness that a threat exists increases the ability to combat it, even when they weren’t given the tools to fight it.  

Refutational Preemption

Refutation preemption is a fancy phrase, but, in the metaphor of the vaccine, it simply stands for the weak strain of a virus or threat. The idea is to introduce someone to faulty messaging that stands in opposition to what they usually hold to be true. By being exposed to a weaker version of the messaging, the person receiving the message will be able to learn how to argue against it and strengthen their own beliefs. Then, when they encounter a similar but stronger message in real life, they will have already developed the tools needed to combat it.  

Within the context of phishing schemes, this would involve presenting someone with examples of phishing emails asking them to identify the methods used that make the email seem real. Another method is to have participants create their own phishing emails to get them to know what is involved in creating a deceptive message.

Involvement

The final element of the theory simply states that the more someone cares about an issue, the easier it will be for them to defend against a threat to that issue. So, when it comes to phishing, if your employees understand and care about the stakes involved with a phishing attack, they will be in a better position to spot them. Essentially, the more vested interest someone has in defending against an attack, the easier it will be for them to do so successfully.  

Putting Inoculation Theory into Practice

With the rise of socially engineered threats, inoculation theory has seen a bit of a resurgence lately. For instance, researchers at Cambridge University created the simulation Get Bad News, a game that uses inoculation theory to combat false or misleading news articles.  

And it doesn’t take a big leap to see how inoculation theory can be useful for cyber security threats, such as phishing campaigns. By combining education with simulated phishing attacks, businesses can use inoculation theory to: 

  1. Using education tools to raise employees’ awareness of the threat phishing attacks pose. 
  2. Expose employees to simulations of phishing attacks and have them proactively respond to it by reporting potential phish. You can even have employees create their own phish. Like Get Bad News, this will further inform participants of common tactics used in social engineering schemes.  
  3. Create a program that keeps employees engaged in the process. Focusing on positive reinforcement over punishing mistakes, for example, will help encourage participants to take the process seriously. 

Inoculation Theory At Work

Our digital awareness program The Phishmarket™uses inoculation theory in various phases throughout the program. Our phish simulations uses a reporting feature that empowers participants to be actively involved in combating phishing attacks and rewards progress instead of punishing mistakes. 

The Phishmarket™ also includes an online training program that uses daily micro-lessons to teach participants about common and emerging methods used in social engineering schemes. Some of the micro-lessons even asks users to try creating their own phish.  

Want to try it out for yourself? Simply follow this link to test out a preview of the training program and create your very own (fake) phishing campaign.  

Cyber Resiliency is the New Cyber Security

Here is the bottom line: when it comes to cyber threats, wshould of course take steps to protect ourselves and our businesses from attacks. However, we also need to prepare ourselves for the very real possibility that, at some point, someone will get into our systemsThat’s why many cyber experts are beginning to use the new term “cyber resiliency.”  

The concept of cyber resiliency stems from an understanding that the cyber threat landscape is so diverse that it’s important to make sure you can withstand and not simply prevent attacks. The overall goal of a cyber resilient system is therefore to maintain essential operating functions even when it is under attack. 

The Basics of Cyber Resiliency 

In the fall, the National Institute of Standards and Technology (NIST) released a cyber resiliency engineering framework that provides detailed steps organization can take to minimize the impact of attacks. However, the overall framework can be broken down into four basic goals: 

1. Anticipate 

According to the NIST framework, the first goal of cyber resiliency includes preventative measures often included in cyber security policies. However, anticipating a cyber threat goes beyond prevention by also focusing on preparing for an attack. This includes having an incident response plan in place, as well as changing your system often in order to preempt attacks.

2. Withstand  

Withstanding a cyber attack should involve steps taken to limit the overall damage an attack has, even if you haven’t detected the attack yetIn general, this involves deflecting the attack to areas that can take the most damage without disrupting day to day activitiesYou should also be prepared to entirely remove and replace systems that are badly damaged. 

3. Recover 

Before an attack even happens, you should know exactly how you plan to recover if one ever happens. This should primarily involve being prepared to revert your systems back to the state they were in before the attack. Recovery strategies will therefore depend heavily on having good backups of your system that you test regularly

4. Adapt 

At bottom, adaption means understanding that if the threat landscape continues to change, so do your security policies and systems. You should constantly be looking for new vulnerabilities within your system as well as new forms of cyber threats.  If an attack does happen, you should also be willing to take a hard look at how it happened and make changes accordingly.  

Leaders are best equipped to drive cyber resiliency efforts 

It is important to understand that these four cyber resiliency goals were designed to encourage communication between leadership-level business risk management strategies and the rest of the organizationWe’ve written before about the importance of proper governance and business leadership when it comes to cyber security and the same goes for cyber resiliency.  

Because many executives don’t come from a background in cyber security, it may seem to make the most sense to leave the responsibility to the IT department or someone trained security. However, cyber resiliency is as much a function of culture as anything: how we govern, organize, and communicate about cyber threats are all necessary considerations for putting cyber resilient policies into action.  

That’s why Accenture Security’s 2019 State of Cyber Resiliency Report emphasizes the three skills business leaders have that make them essential to any cyber resiliency policy:  

Scaling

The report found that leaders who scaled technologies and security systems across all levels of the organization were far more effective at both preventing attacks and discovering attacks already in place.  

 

Training 

 

Offering comprehensive security training across all levels of the organization also proved to be an effective method for protecting and maintaining system during cyber attacksBusiness leaders are therefore key for investing in and maintaining robust training programs.  

 

Collaborating 

 

Perhaps the most important skill a business leader brings to cyber resiliency is the ability to collaborate. Putting in place a cyber resiliency policy requires cooperation and communication between all levels and aspects of the business. By bringing different groups together and keeping everyone on the same page, organizations can be confident their policies and practices are as effective as possible.  

The Take Away

At its root, cyber resiliency involves preparing all aspects of an organization so that any potential cyber threat has a minimal impact on business operations. This involves well-informed risk management strategies, effective communication and training for employees, updated intrusion detection systemsand a strong incidence response plan that is tested and revised regularly. Cyber resiliency takes a village but depends first and foremost on leadership team that takes the task seriously. 

Reducing the Privacy Trust Deficit

A while back, when I ran an Insurance brokerage, a good friend of mine who owned a mid-size company said, “you know Doug, when it comes to insurance the one thing I’ve learned is that the insurance carriers are only out to [bleep] us.”  I can only imagine what CEO clients who weren’t my friends were saying.

However, when you are selling an intangible, like insurance, you are immediately starting with a trust deficit between you and your prospect.  And it’s that deficit you need to overcome before you can hope to make a sale.

Privacy is an intangible, as well.  You can’t see it.  You can’t touch it.  It’s a concept, a concept that is closely tied to our sense of ourselves and the freedom to express and “own” our identity as we choose.  And, like other intangibles, companies have a trust deficit which they need to overcome if they want to establish strong customer relationships.

The need to bridge the trust deficit is a theme coming from a recent survey on consumer attitudes towards privacy that Deloitte has just released.  As the article states, over two thirds of consumers believe their data is used primarily for target marketing and over half believe the data is shared with third parties.  And, ironically, despite increasing privacy legislation, only 22% of companies are aligning their privacy requirements with business strategy.

This is an epic fail on two fronts:  1) misalignment of privacy compliance with strategy will inevitability result in the sub-optimal compliance measures which open the organization to regulatory action; 2) misalignment of privacy with strategy keeps the organization from taking advantage of a huge opportunity to leverage privacy as an asset to develop stronger customer relationships and propel growth.

For companies that want close the Privacy Trust Deficit, increase market share and improve operational and regulatory compliance, they can start with four steps:  1)  Define the company’s desired relationship with its customers; 2)  Outline privacy requirements as minimally defined by regulation and maximally defined by the company’s desired relationship with its customers; 3) Create a customer data and engagement map which defines how,, why and what the company does with its client data; 3)  Express each point of the data and engagement map in terms of a repeatable behavior with a quantifiable outcome that both leverages and enhances privacy and customer value; 4) Communicate and be transparent of the privacy-related behaviors the company is doing at the same time it is doing them.

Applying these steps will help align privacy with business strategy, minimize the privacy trust deficit and enable the organization to take market share from it’s competitors who view privacy as a compliance objective as opposed to a strategic opportunity.

 

Cyber Awareness 4 mins at a time

Last week we announced our new Behavior-Designed Cyber Awareness ProgramOne part of that program will be a structured phish simulation campaigns; another part of the program is series of courses on a broad range of topics related to digital awareness, appropriate security practices, and behavioral biases which impact susceptibility to phishing emails and other forms of social engineering. Each course contains a number of micro-lessons designed to take only a few minutes — typically around 4 minutes — to complete. The intent of each course, in addition to the phish simulations that will run concurrently, is to give participants the tools they need to recognize and modify their online behavior in order to maintain a safer and healthier digital presence.  

Soon we will be rolling out the entire program, but for now we want to offer a sneak peak of what’s to come. Right now we are offering a free preview of a course on phishing attacks and how to spot them. If you want to try it out click here and enroll now for free 

And, if you haven’t already, you can check out a review of our new program published as a part of the Stanford Peace Tech Lab. 

Behavior-Designed Cyber Awareness — A New Program

For the Past Year, Designed Privacy has been working to integrate behavior design into the cyber awareness process. Through a series of testing, we have created a CyberAwareness Program which we are launching this Fall.  The Program not only shows strong results in reducing phish susceptibility, the behaviors it’s designed to create show the potential to both mitigate digital disinformation efforts and get people to collaborate on reinforcing secure behaviors, whether in the office, at home or with clients and vendors.

In addition, we are extremely pleased to have process and results published by the Peace Innovation Lab at Stanford.

After a year of testing three things are clear:
1). Cyber awareness without behavior change is a waste of time, money and energy;
2). Behavior changes occurs through a combination of ease, prompting and positive reinforcement. People are more apt to change behaviors when they see a positive WIIFM.
3). Behavior-designed cyber awareness not only leads to reduced phish susceptibility, but it also has the potential to lead to better organizational decision making, especially as we are relying more and more on digital information to make those decisions.

In a world of phishing, online scams,  deepfake video and content, and the weaponization of social media, we all need to develop behaviors to help us determine what is real and what is not if we want to be secure, make sound decisions and feel that we still have the space where our choices are our own.

Please read the Stanford Peace Innovation Lab article here.

Introducing PhishMarket,

Click here for a new way to secure your most valuable asset— your employees.

 

Not Ready to Commit?

Subscribe To Our Newsletter

Join our mailing list to receive the latest tips and news about cyber security and data privacy

You have successfully Subscribed! Please make sure to check your email to confirm registration.