Cybersecurity Awareness 101

If you operate a business that uses a computer, you need a cybersecurity awareness program. That is the single most valuable piece of cybersecurity advice that I have to offer. As a matter of fact, in all my nearly 20 years working as a cybersecurity professional, I’ve not seen a single business or industry impermeable to cyber attacks. Not one. According to Gartner, 89% of all businesses, large or small, will experience a cyberattack this year. And 91% of all cyber attacks today target humans. Creating a cybersecurity awareness program for your business is not optional.

A Case Study – Sony Hack

Let’s support that statement with a case study, one of my favorites. On November 24, 2014, Sony (Sony Pictures Entertainment, specifically) was hacked in a big way by a cyber group calling itself the “Guardians of Peace.” In fact, the attackers had been inside Sony’s network well before that date, which is important to note if you are trying to prevent attacks. Sony is a textbook case study because of the many areas of business impacted, areas that can affect your business as well. Let’s examine a few incident highlights:

• Hackers stole 100 terabytes of data. (Think: all the data stored in the Library of Congress times 10.)

• Confidential emails and human resource data were leaked to the public. Do you remember all the embarrassingly horrifying things you have said in an email you intended to be private? Did you think what you said was in the past? Do you even want to remember? What would happen if your employees suddenly knew each other’s (and your) salary?

• Their data and systems were placed on lockdown. Partly because of the attackers themselves and partly because the company was trying to protect the business from further harm, computers, networks, and phone systems were inaccessible for days, and in some cases weeks. Employees were sent home. How long can your business survive without its systems and data? Without its staff? Do you have customer information stored outside of your company?

• They were sued by their employees for breach of privacy. Twice. Legal ramifications of cyber breaches are far-reaching and still being explored. Many center around negligence on the part of the business.

• They lost intellectual property. They lost the core of their business – their product. Movies were leaked before their planned release, reducing Sony’s profits and ability to recover production costs. Most companies have some form of IP, and for many, losing it would mean shutting their doors.

• The breach cost Sony hundreds of millions of dollars. Incident clean-up is extremely expensive. It requires expertise that not even Sony had on hand. What’s more, they suffered the cost of intangibles, like loss of productivity, business, and reputation.

Why Awareness?

Sony’s breach reveals both the far-reaching effects of a cyberattack and why you need an awareness program, for two key strategic reasons:

1. To teach your employees cybersecurity best practices. In this case, password safety. Sony’s management team routinely maintained lists of usernames and passwords in a spreadsheet labeled ‘Passwords.’ (Insert eye-roll emoji here.) They regularly sent and stored passwords in unencrypted emails.

2. To train your executives on the dangers of neglecting cybersecurity. Start with them. Teach them in terms of risk (include reputational risk) and cost, a language they understand. Use case-study incidents, like the one conveniently bulleted in the previous section, to demonstrate risk. We wrote the previous section so you can literally use it. Keep saying the word “risk” until they start to use it to describe security exposure. Don’t share a single incident without using that word! Trust me, I’ve been doing this for a very long time.
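Point 1 is the most concrete failure in the Sony case, and it is one you can go looking for in your own environment before a training campaign. The script below is an added example, not code from the original post: it walks a file share and flags the two patterns described above, files whose name advertises credentials (“Passwords.xlsx”) and text-like files whose content looks like username/password pairs, including a plain-text email export. The name and content patterns are assumed heuristics you should tune; the sample share it builds in a temporary directory is constructed for the demonstration and contains no real data.

```python
"""Hunt for plaintext credential stores on a file share (added example).

Scans a directory tree for files whose *name* advertises credentials
(e.g. "Passwords.xlsx") and text-like files whose *content* looks like
username/password pairs, including plain-text email exports.
A sample share is constructed in a temp directory so it runs offline.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Assumed heuristics: file names that advertise credentials (case-insensitive).
NAME_PATTERN = re.compile(r"(pass(word|wd)?s?|credential|login|secret)", re.I)

# A "password: value" line, or a CSV header naming both a user and a password column.
KV_PATTERN = re.compile(r"^\s*(password|passwd|pwd|pass)\s*[:=]\s*\S+", re.I | re.M)
CSV_HEADER_PATTERN = re.compile(
    r"^(?=.*\buser(name)?\b)(?=.*\bpass(word)?\b).*$", re.I | re.M)

# Only sniff the content of text-like files. Binary office formats (xlsx, docx)
# would need a parser such as openpyxl; here they are flagged by name only.
TEXT_SUFFIXES = {".txt", ".csv", ".eml", ".md", ".log", ".ini", ".cfg"}
MAX_BYTES = 1_000_000  # cap per file so a huge log cannot stall the scan


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def _content_findings(path: Path) -> list[str]:
    """Return the content-based reasons a text-like file looks like a credential store."""
    try:
        text = path.read_bytes()[:MAX_BYTES].decode("utf-8", errors="ignore")
    except OSError:
        return []
    reasons = []
    if CSV_HEADER_PATTERN.search(text):
        reasons.append("header names a username and a password column")
    if KV_PATTERN.search(text):
        reasons.append("contains a password: value line")
    return reasons


def scan_tree(root) -> list[Finding]:
    """Walk `root` and collect findings, sorted for stable reporting."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if NAME_PATTERN.search(p.stem):
                findings.append(Finding(str(p), "file name advertises credentials"))
            if p.suffix.lower() in TEXT_SUFFIXES:
                for reason in _content_findings(p):
                    findings.append(Finding(str(p), reason))
    return sorted(findings, key=lambda f: (f.path, f.reason))


def build_sample_share() -> str:
    """Constructed sample share for the demonstration; not real data."""
    root = Path(tempfile.mkdtemp(prefix="share-"))
    (root / "finance").mkdir()
    (root / "it").mkdir()
    # Flagged by name only (binary content is not sniffed).
    (root / "finance" / "Passwords.xlsx").write_bytes(b"PK\x03\x04 not a real workbook")
    # Innocent name, but the CSV header gives it away.
    (root / "it" / "vendor_accounts.csv").write_text(
        "vendor,username,password\nacme,svc_acme,Winter2014!\n")
    # A forwarded email saved as text, with a password in the body.
    (root / "it" / "fwd_creds.eml").write_text(
        "Subject: FW: vpn access\n\nHere you go\nuser: jdoe\npassword: hunter2\n")
    # Control file that should not be flagged.
    (root / "finance" / "q3_budget.csv").write_text("item,amount\nhosting,1200\n")
    return str(root)


if __name__ == "__main__":
    for f in scan_tree(build_sample_share()):
        print(f"{f.path}: {f.reason}")
```

Run it against a mounted share root instead of the constructed one to get a list of files to clean up (and to feed back into the awareness campaign as anonymized examples). Expect false positives from words like “login” in ordinary file names; the point is a short triage list, not a verdict.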

A Note About Compliance

By now you will have noticed that I’ve not even mentioned compliance. Compliance is the single most often cited reason why small and medium-sized businesses implement an awareness program. Compliance is probably why you are bothering to read this far. It used to be the main reason large corporations with sufficient funding implemented it, but not these days. Compliance is critical, especially if you are in a heavily regulated industry like healthcare, finance, or the public sector. (Not one of these? Do you accept credit cards? Then PCI DSS applies to your business, and it requires security awareness training for your staff.)

So, why not mention it first? For one simple reason: non-compliance costs less to remedy than a cybersecurity attack does. It makes little strategic sense to implement security awareness that only works for compliance when, for the same cost and level of effort, you can reduce the risk of a cyber breach that can destroy both your profits and your business.

Compliance is necessary and is a goal of implementing security awareness, but it should not and need not be the focus. In a future blog post, we will provide in-depth information on meeting the awareness portion of compliance for your business. For now, keep your focus on the first step to implementing an awareness program that reduces risk to your business: getting started. Don’t worry, we will help you make sure it meets the compliance checkboxes. Who are we? We are a security awareness consulting business passionately devoted to addressing the ever-growing human-risk side of cybersecurity. More about us here.

Getting Started

Start small and start with the executives, leadership team, and founders. We’ve created a tool to guide you: a list of talking points that can be used to brief them on the need for an awareness program. Don’t make it a separate meeting. Keep it light; just add it to the regularly scheduled agenda and devote 5-10 minutes consistently to the mention of cybersecurity events and potential areas of risk to your business. Encourage them to agree to a simple email or newsletter piece focused on teaching staff one simple cyber best practice, for example: passwords should not be stored anywhere someone can easily access them, and refer staff to the related company policy. We will supply you with a steady stream of cybersecurity awareness-related news incidents and articles; the hackers are busy keeping us busy. Sign up for our monthly newsletter and best of luck. If you’d like a consult, we are here to help.

My New Backyard Renovation

Why isn’t this easier?  I want a patio and a deck. I’ve birthed three kids. Surely, this should be easier.

I pulled a set of landscaping plans from Jason at Wentworth Nursery done for me as a courtesy back in 2007 (I wonder if Jason still works there…see how easily distracted I am?). Let’s start there. The quote for that job, a simple 16 x 12 wood deck, a brick patio, and a 25-foot (18-inch-high) retaining wall, was $20,000. Either they were on methamphetamines or they thought I was.

Pray for me.

Petarded

Eddie Izzard, one of my favorite British comedians, did a bit about California some time ago. It was about that state’s decision to ban smoking in restaurants. His punch line was:

Soon there’ll be no talking. (You had to be there).

Eddie (Nostradamus) Izzard was onto something. With an increasing number of politically correct rules surrounding each word, we are starting to have less to say.

I am musing on the recent controversy over Rahm Emanuel and his comments that something (shouldn’t we care what, specifically, was the object of his statement?) was retarded. Without spending too much time following this news item, the next name I heard thrown into the arena was Sarah Palin, famous mother of a clinically retarded child.

So, here we go.

  1. I don’t like rules surrounding verbal expression.
  2. I don’t like offending the disabled; especially children.

I hear the word retarded used often. In fact, yesterday I wrote about an experience with a lovely old saleswoman who used the term. I don’t think she was trying to be offensive. I believe she was expressing herself. Had I not written about it, and perhaps even though I did (who’s reading this anyway? 🙂), nobody could have heard it to be offended. Intention should matter too. Along with a hundred other things, like the personality of Rahm Emanuel or Sarah Palin or Rush Limbaugh (I heard he joined in the fun at some point).

I don’t know the kind of people they are, only how they are written about by the media. My personality isn’t one that’s often offended by strangers, but then again, I am not retarded. What do I know?

Perhaps the answer is that we should use a new word to describe the thing that means you are acting like you are not mentally average, without meaning to offend those who legitimately and helplessly are. An answer to a real-life problem easily solved by a really funny episode of Family Guy, called Petarded. How amusing.

The Old Lady Who Lived In Borders.

On what’s becoming an increasingly rare occasion, I ran into my local Borders. I was looking for a book by Steven Levy, “The Perfect Thing – How the iPod Shuffles Commerce, Culture, and Coolness”. His highness and the kids were in the car, and I was going to run into Borders for a quickie, in and out. The entire trip took 27 minutes (admittedly, I have issues; I actually timed it). The following is a breakdown:

  • 8 minutes spent on the Borders kiosk searching for the book. As it turns out, they didn’t stock it. I was given the option to order it. It would take 2-3 weeks?!
  • 4 minutes looking through the Paperchase section for a pencil sharpener.
  • 12 minutes at the counter waiting for a sweet elderly lady named Ross to ring up my purchases.

The offender? A box of tropical Mike & Ike’s. They cost $1.99, and nothing this poor old lady did seemed to get the register to ring it up properly. I was in no particular rush to get back to the car of screaming children, but as the line behind me started to swell, I became increasingly uncomfortable. Ross was the only person at any of the six registers. She was also full of conversation. By the end of our twelve minutes together, I knew a lot about her.

Ross doesn’t usually work on Sundays, but they offered it to her and she needed the extra money. She didn’t remember that the Grammys were on this particular night, and had she known, she might have stayed home. Ross was hopeful that this Borders wasn’t going to go the way of the dozens of Walmart stores that recently closed. Ross was, by her own admission, an optimist. I started to shift and quickly glance at the line behind me. At some point they’d begin to realize the problem was my box of candy, and, already self-conscious about my ginormous belly, I loudly proclaimed, “I don’t really have to have the candy.”

“Nonsense, it’s not your fault this computer is retarded. Besides, if not you, somebody else,” Ross retorted as she logged into a second computer to look up the price.

I decided I wasn’t really in a rush, and we (me and all my line friends) could simply wait it out.

Later that night, thinking of that sweet lady and the future of my once beloved Borders, I did a bit of research.

Borders (BGP) is indeed in financial trouble, in spite of major shareholder Bill Ackman’s confidence that bankruptcy is a “low-probability event”. His enthusiasm is reminiscent of the recently departed CEO, Ron Marshall, who similarly acknowledged in 2008 that his company had “lots of challenges”, while simultaneously proclaiming that it had the bones to become a world-class retailer. The company hasn’t declared a profitable year since 2006, and since then has closed 112 of its Walden bookstores. It is reportedly surviving on loans from Ackman’s hedge fund company, Pershing Square Capital Management, to the tune of $42.5 million, due for repayment on April 1. It’s surprising the company hasn’t closed down more stores or declared bankruptcy already.

Tomorrow I plan to spend some time researching the book-selling retail industry in general. I don’t own a Kindle, but I read many books on my Kindle iPhone application. I am an Apple groupie and will be in line overnight if necessary to own a new iPad (3G, of course). I will always long for and love the smells and comfort of a well-maintained bookstore, but I equally admit an increasingly growing adoration for e-books. The convenience is unparalleled. At a time in my life when being a pregnant, full-time working mom with two children under age 5 and an outrageously busy household means I no longer have a desire to keep up with the whereabouts of my book collection or its accompaniment of bookcases, book thongs, and book-lights, convenience is an absolute must.

My thoughts wander back to that nice old lady in Borders, and while pondering the controversy, I began to wonder how many people share this experience with me.

Whose Book Is It Anyway?

I recently read a relevant commentary by Michael Seringhaus, a third-year Yale law student, that raises a lot of seemingly perpetual questions surrounding copyright, licensing, and law. (And, more importantly, it raises personal questions like: Why didn’t I choose to become an attorney?)

According to Seringhaus, in July of this year Amazon withdrew copies of George Orwell’s “1984” and “Animal Farm” from thousands of Kindle readers. Amazon apparently lacked proper copyright authorization to sell the books in electronic format. The striking bit of news was that, according to their terms and conditions, you never actually own a Kindle book. Instead you own a license to read a copy of it in digital form. I was able to find the actual License Agreement & Terms of Use on the Kindle site, under “Kindle Support” (the link is http://www.amazon.com/gp/help/customer/display.html?nodeId=200399690&#content).

Here were my thoughts:

1. If you never own a Kindle book, then Amazon has the right to take it from you.

2. If you never own a Kindle book, then you can never resell it.

3. If you never own a Kindle book, and Amazon has the right to take it from you without notice, and you can never resell it, how much money is a fair price for it?

After all, a traditional print copy could never legally be taken from your personal library, not even if there were some problem with the store’s rights to sell it. Seringhaus argues several reasons why this particular agreement, and e-book licensing in general, will be successfully challenged in court or deemed unenforceable. I look forward to closely following the debate.

“Kindle, How to Buy a Book, But Not Own It”

http://www.law.yale.edu/news/10288.htm

Apple, the Full Moon, and A Bet.

I am not a believer in Astronomy. It would be more accurate to say Astronomy, with its far-fetched reaches, is grossly annoying. So it was on a particular full moon, January 30th to be exact, that, I loathe to admit, I was more annoyed than usual. Most of the day was spent grumbling about one minute offense or another. The socks on the floor, countertops with gooey spots, odd smells not easily identifiable. (Did I mention I’m six months pregnant?)

Needless to say, it was a perfect-storm setting for a huge argument, and I was in rare form. The subject: an article in the New York Times by Brad Stone and Motoko Rich, “Amazon Removes Macmillan Books.” I am an avid bookworm, reading several books a week, often more than three at any given time, and the only thing I love nearly as much as reading is Apple. Yes, I mean Apple, as in iPod, iPhone, iMac, and the ultimate iPad. Eagerly anticipating the inevitable purchase of my new iPad, and ecstatic about the news that my Kindle purchases would be readable on the new device, I’d given little thought to e-book prices.

Enter the husband.

He was carrying two pieces of glad news. The first was an explanation of the full moon and its effects on mood, and the second: did I hear that Macmillan publishing was being pulled from Amazon Kindle sales? Something about the pricing structure, and how this would turn out to be just like the entertainment industry griping with Apple over its pricing of movies on iTunes. I admit I was a tad defensive. Steve Jobs, like Albert Einstein, is a genius. Sure, there are fights with Netflix and Sony over pricing and release dates of new movies, but this is literature. What publisher in their right mind doesn’t understand the portion of book sales now attributable to e-book sales? I argued for a few minutes more, and then read the article.

Amazon wants to keep the average book price at $9.99
Macmillan wants to change the average book price to $15.00

Good for Amazon! Pooh on Macmillan.

I read on.

Apple e-book prices will likely be higher than $9.99.
Uh oh.

Then the debate turned heated. Macmillan and other publishing houses price their books based on overhead factors that are not applicable to electronic content. Publishers will see their books drop off bestseller lists if e-book sales are eliminated. Didn’t I just read a Yale law paper explaining that e-book buyers don’t really own the book, but a license to read it? Don’t they understand that in today’s technological age, I pay $0.99 for a song?! Do they really think consumers will quietly pay more?

I’m sure I was yelling by this time. My husband was stoic and characteristically calm. Did I mention I was annoyed? Looking for some way to validate my well-thought-out, legitimate points, I blurted out, “Ok, I am willing to bet you $400 that one year from today, the average price for an e-book will be no more than $9.99.” He quietly accepted the wager.

A single day later, New York Times writers Brad Stone and Motoko Rich printed another article: “Publisher Wins Fight With Amazon Over E-books”.

Now, I’m beyond annoyed, I’m on a mission.

(lowerebookprices.ning.com)