Best Wishes, not Phishes this Holiday Season


The holidays are a huge time for buying and giving to loved ones. Unfortunately, this increase in purchasing brings an increase in phishing and other holiday scams. Phishing is typically targeted at consumers with the aim of collecting credentials, credit card or other financial information, although companies are also affected, since many employees now use their personal devices for business.

The most common forms of scams this time of year are non-delivery, where you pay for something online and never receive it, and non-payment, where the product is shipped but the seller is never paid. Some tips to avoid this: do not click suspicious links in emails, attachments or on other platforms and websites, and be wary of any website asking you to update account information.

While you’ve all heard of phishing, don’t forget about smishing this holiday season. The SMS message is only the first step in these attacks: once the victim follows the link or installs what it points to, scammers can install malware on the targeted device. This gives them control over device functionality and leaves you exposed to further attacks. To avoid this, research any website you purchase from and be wary of emails or text messages relating to purchases.

Especially during this holiday season, look out for suspicious text messages or emails and employ email filtering. Companies can reduce these threats by patching, using multi-factor authentication wherever possible and running security awareness training so employees can better spot scams. Be extra diligent this time of year, as attackers are becoming more sophisticated and making their scams look more legitimate.

Clients increasingly Asking about Vendor Cybersecurity Procedures 


With increasing requests from clients regarding their cybersecurity controls, companies are looking to us for help in a number of areas, with questions about written security policies, vulnerability and penetration testing, risk assessments, and security awareness training. These questions and concerns, which were once mainly directed at large companies, are now also crucial for small and medium-sized businesses.

In addition to the previously mentioned topics, clients are looking to see that companies have certain security tools in place such as:

  1. Multi-Factor Authentication (MFA): MFA is a key way to add an extra layer of security that prevents attackers from accessing your systems with a stolen password alone. With MFA, an additional means of identification, beyond the password, is required to log in.
  2. Endpoint Detection and Response (EDR): EDR is a security solution that continuously monitors endpoints, collects telemetry, and responds to help contain and mitigate threats.
  3. Backup: Companies should keep multiple forms of backup, with at least one stored off-site. Backups should also be tested regularly to ensure they can actually be restored when needed.
  4. Patching: Patches are software and operating system updates that fix known vulnerabilities and keep your systems up to date.

If your company is getting overwhelmed by client requests about your security posture, you are not alone. If you think your current measures may not be up to par or do not have the time, Designed Privacy created a program that provides you with a guide to cybersecurity and the tools you need to keep your company and your clients protected and stay competitive.

The Human Factors Behind the Robinhood Data Breach


Earlier this week, the trading app Robinhood announced a data breach in which a mixture of email addresses and full names of 7 million of its users were stolen. It is still unclear what impact this may have for Robinhood’s entire userbase. At the very least, however, this breach could provide attackers with enough information to carry out phishing and other social engineering attacks against those whose data was stolen. While on the face of it this may appear to be a standard data breach, a closer look reveals how human factors led to it.

While we don’t have all the details yet, according to Robinhood’s statement the attack was carried out after someone called the company’s customer support line and tricked an employee into handing over access to “certain customer support systems.” From there, the attacker was likely able to access customer information or gain additional access to other parts of Robinhood’s network. This form of attack is commonly known as “vishing,” in which the attacker impersonates someone over the phone rather than through a traditional phishing email.

This form of attack is not uncommon and highlights a number of key questions that business leaders need to consider when it comes to digital risk. First, it’s important to take a broad view of all the different avenues attackers could use to gain access to your systems. While customer support channels may not come to mind first, any outward-facing platform can pose a risk. Second, business leaders and their employees need to start thinking about how their own digital behaviors can be leveraged against them. Traditional security awareness programs do a good job of explaining issues and, in some cases, testing for the presence of negative digital behaviors. But to see real change, security awareness training needs to focus on designing for positive, more secure behaviors that are strong enough to override the bad online habits we develop.

Any way you cut it, the Robinhood data breach is yet another example of the vital importance of taking a human-factored approach to cybersecurity. Business leaders need to actively invest not just in security tools, but also in training and controls that help employees understand human-factor threats and what they need to do to avoid falling for social engineering scams.

Ethics by Design


Every so often something comes along and disrupts the normal order of things, and out of that disruption something new emerges. It’s certainly not a stretch to say that 2020 has brought plenty of disruptions with it, and according to a recent report by Gartner, businesses are starting to “reset” how they operate and implement new strategies reliant on emerging, more sophisticated technologies. In the report, Gartner lists a number of predictions for what the future of business will look like. Perhaps the most startling prediction the report makes is the increase in workplace surveillance: “By 2025, 75% of conversations at work will be recorded and analyzed, enabling the discovery of added organizational value or risk.” Whether this prediction will turn out to be true is up for debate; however, the tone of the report seems to imply there isn’t much we can do about it. The problem, of course, is that these changes don’t appear out of thin air. People create the change. This means that, if Gartner’s prediction turns out to be true, we aren’t completely helpless and could even play a role in building new technologies based on the values and ethics people share. Just as there is a movement in cybersecurity to create technologies based on privacy by design, as we begin moving towards a new future we also need to focus on creating technology based on ethics by design that promotes the well-being and rights of individuals.

While the idea of having every conversation and interaction you have at work recorded and analyzed probably doesn’t sound too appealing to employees, Gartner’s report highlights the possible benefits this will have for businesses. As Magnus Revang, research vice president at Gartner, explained to TechRepublic, “By analyzing these communications, organizations could identify sources of innovation and coaching throughout a company.” This may certainly be true. In fact, organizations could even use this data to help improve the workplace for employees.

Of course, if we’ve learned anything in the past decade, it is that technology used for good can also be used for bad. And Revang recognizes the risk involved with this shift: “I definitely think there [are] companies that are going to use technology like this and misuse it, and step over the line of what you would call ethical or moral.” When used correctly, however, Revang believes the benefits of this technology will outweigh any possible risks.

The problem with this argument, however, is that it assumes the problem lies not with the technology itself but with the people who use it. According to TechRepublic, Revang believes “technology is inherently neutral, however the way an organization chooses to deploy and use a technology is another consideration.” What this way of thinking doesn’t consider is that technology is built by people, and people are certainly far from neutral. As Joan Donovan, a social science researcher at Harvard University, recently put it, the technology we build encodes “a vision of society and the economy.”

Humans are flawed, and technology is stained with our flaws before it is even operationalized. So, when looking towards the future of technology in business, unless these new innovations are designed with ethics in mind, our underlying biases and flaws will play a big role in the consequences this technology has for our everyday lives. This has huge implications in every facet of society, and unfortunately our ethical oversight structures are too weak to mitigate these threats.

There’s talk about privacy by design principles, and there are AI-bias frameworks being developed. But in order to create technologies that support our better angels and not our worse impulses, we need experts across all fields and sectors to work together to understand and develop ethics by design principles that can help build technologies that are not only useful, but that reflect the values and ideals of a more just and equitable society.

Cyber Death by Imagination


Behavioral economics teaches us that we are more fearful of immediate losses than we are motivated by future gains. Conversely, we also tend to choose immediate gains over protecting ourselves from future losses, especially when the type of loss is too foreign to us or is ever changing.

We do have available to us a tool that doesn’t require much technology to use, but that can perhaps do more to both enhance and protect our organization than any piece of software or hardware we might own: our imagination.

When things are changing, you can’t rely on static measures or processes designed to defend only against today’s threats. Because the use of technology as a business enabler is ever changing, as is the nature of cyber threats, businesses need to take a dynamic approach to risk mitigation and transfer strategies and constantly imagine both the opportunities and the risks they may face tomorrow.

As a report from UC Berkeley’s Center for Long-Term Cybersecurity and Booz Allen Hamilton states, “…failures of cyber defense in some cases — possibly the most important ones — [are] not necessarily a failure of operational rigor but equally or more so a failure of imagination.”

There are a number of tangible ways businesses can leverage imagination in addressing the cyber risks they may face. One is an incident response simulation, often called a tabletop exercise. Get your team around a table. Imagine a ransomware event has occurred. What do you do? Do you pay the ransom? How long will your systems be down? How much business do you stand to lose? Then brainstorm other scenarios, focusing on the ones that could take you out: risks that would shut you down for an extended period or do irreparable harm to your ability to serve your customers or to your reputation.

Not only do these simulations help you be better prepared to respond if an incident occurs, they also help you better define what risks you face and what defenses to build to mitigate them. The output can therefore become the basis for your risk assessment (which, if you are simply focused on compliance, you generally have to do anyway).

We often think of creativity when it comes to the innovation and growth that are critical to our long-term success. In the ever-changing world of cyber threats, we need to be equally creative when it comes to imagining and addressing the risks that are crucial to our long-term viability.