Take the time now to assess your enterprise cyber risk and discover where best to invest for the best defense!
Since 2013, there have been 169 cyber attacks against city/state government agencies; 22 so far this year. Of the 169, 45 targeted law enforcement
In a recent cybersecurity conference I attended, CISO panelists were asked for their #1 cybersecurity issue. Surprisingly, their answers was NOT better cyber security tools, more cybersecurity staff (that was their second priority), or more cyber intelligence.
Their #1 answer?
More action by executives and boards of directors to do what needs to be done to help better protect their cyber assets.
Now, to be fair to those executives (public and private sector), “cyber” is just one of numerous front-burner issues they must deal with, and unfortunately taking the time to learn about and effectively address cyber risks doesn’t always make the cut – until their agency/company is attacked.
I refer to this the “911 effect“…Terrorism was a problem on September 10th; however, it took the horrific events of September 11th to get the attention and investment that others, like FBI SA John O’Neil* and others knew it desperately needed.
So, as an executive, how can you avoid the “Cyber 911 Effect” for your agency? I offer three steps:
Elevate cyber risk as a priority at the executive/board level and do the work needed to better understand what your organization’s cyber risk really is;
Conduct an enterprise-wide cyber security assessment to become informed for how your current cybersecurity behaviors and investments stack-up to your inherent risk; and
Implement a program of continuous risk monitoring and mitigation to build stronger cybersecurity maturity against the threats you face.
What? You say you don’t have the time or funds to do these three things? Well the truth is that it’s going to cost you a LOT more time and money if you do get attacked and you don’t do them…a few examples:
Albany, NY – city services and police department impacted, cost not yet known
Atlanta, GA – city services impacted; estimates vary, $5,000,000 and $17,000,000
Baltimore, MD – weeks with many city services offline; $18,000,000 recovery estimated
FBI National Academy – websites breached, stolen PII of thousands of LEOs exposed
FEMA – personal information on 2.5 million disaster victims exposed by subcontractor
Indiana – health information of >31,000 patients exposed
Massachusetts – attack shuts down parts of Public Defender Agency
Oklahoma – millions of government files exposed, some pertinent to FBI investigations
Riverside, TX – 10 months of police/fire department files affected
While I’d love you to call me in (410-903-6289) to help you get it done, there are many good cyber risk assessment offerings out there. Whichever way you go, take the time and make the investment now (less than $10k) and just do it.
* Note: John O’Neil died in the September 11, 2001 attacks on the WTC, 2001. Believe it or not, it was his first day on the job as the Chief Security Officer for the WTC compound. You can read more about him in the book Securing the City.
NOWHERETOHIDE is pleased to announce it will soon be launching an innovative and comprehensive Cyber Assessment Service offering.
Public and private sector organizations will be able to either have NOWHERETOHIDE perform an enterprise wide Cyber Assessment for them, or they will be able to subscribe to the award winning and innovative CyberPrism Cyber Assessment Tool(CAT) being offered as a SaaS application.
Cyber Risk International recently held an executive briefing for US and European CIOs entitled Empowering the CIO with Cyber Security; here’s a short video capturing the briefing and the post-event networking session:
I just gave this presentation to nearly 200 attendees of the ICTTF Cyber Threat Summit 2015 in Dublin, Ireland.
For those of you that attended; thank you!
Through this presentation I hope I was able to communicate three points:
How company/agency executives put their agencies at risk by blindly trusting that they are doing all that can be done to secure their networks, applications and data;
That leadership’s approach to motivating employee’s to practice better cyber hygiene needs to mimic principles of behavioral economics theory that advertisers use; and
By changing the way they ask questions to their senior staff (mainly their CIO/CISO), they can a) have better proof that necessary cyber protections are in-place, and b) they will have a better understanding of the unaddressed cyber risk their company/agency faces.
One reader commented on my post and asked if I would balance the conversation by creating a corollary list that identifies what leaders (and executives) do to create toxic working environments that contribute to the development of rogue employees.
So, I penned the following list of seven caustic categories of leaders that I feel help to create these environments:
The reluctant leader: They really didn’t want to be in-charge of people, through words or behaviors, they give you the feeling that they’d rather be back doing “real-work” than being a leader. They will care very little about training and development, innovation, or accountability, and will shun any activities that will cause them to act as a leader.
How this develops rogue behavior: Without leadership support, people will begin to act on their own, circumventing security policy and controls to get the job done. In the absence of real leadership many will take the lead, making decisions that are not necessarily in the best interests of the organization.
The self-centeredleader: They are more concerned about their own achievements, and are always worrying about how bad you will make THEM look if you don’t perform well. You’ll hear them talk about the job they want rather than working the one they have. They will have no time for staff that isn’t helping them to look good.
How this develops rogue behavior: This demoralizes staff and may lead them to sabotage organizational efforts, especially if senior managers don’t intervene on behalf of the staff. This can result in lost productivity, lost loyalty for the organization, and ultimately loss of good employees.
The gloom and doomleader: They are negative about everything – we don’t have enough money, our company/agency sucks, management is worthless, just be glad you get a paycheck. They are also the ones who poo-poo on any ideas their staff may offer – “don’t rock the boat, we don’t have the time, we already tried that” – rather than being supportive, they do their best maintain the status quo.
How this develops rogue behavior: This too demoralizes the staff and may lead them to hurt the organization. Disheartened staff might also seek external interactions and opportunities that could be exploited by others who want to hurt the organization.
The sociopath leader: They are quick to tell you how “lucky” you are to have a job, and how important they are to YOUR success. Rarely will they apologize for being wrong, nor will they be concerned about the consequences of their actions, and they will be also the ones to take personal credit for staff accomplishments. They will also be the ones to force polices and rules on their staff that they won’t apply to themselves.
How this develops rogue behavior: People working for this type of leader may take on characteristics of the sociopath. In an effort to “win over” the boss, they will take shortcuts, bend the rules, and abuse or hurt other people in the organization. They too will have little regard for security policies, especially ones that they perceive will prevent them from making the boss happy.
The absent leader: They seem to be busy all the time; with what, no one knows. They are never in their office and never seem to have time for their staff. When they are cornered, they defer you to someone else: “Got a pay problem? Go see HR” or “Looking for advice? Talk to (fill in the blank); just don’t bother me” – no one can nail them down for anything.
How this develops rogue behavior: Working under the absent leader is very frustrating, and over time, can lead to people in the organization to simply no longer care. People may try to do their best, but even with best effort, mistakes will be made, and eventually people will get fed up and either leave or take revenge against the leader. Either way, the organization will suffer.
The interferingleader: They are the micromanagers, distrusting of the abilities of their staff. They love to control every aspect of their organization, believing that they their staff cannot perform as well as they do. If they do delegate work, they will in your knickers every day, questioning staff actions and decisions. Rather than developing their staff, they are more likely to move or remove staff that don’t perform up to their standards.
How this develops rogue behavior: Opposite of the absent leader, this one just loves being in control. However, the results will be the same. After a while, people will just give-in to the leader, try to effect revenge on his/her actions, or will pack up and leave, possibly taking organizational information with them.
The minimalistleader: They just want to do the “absolute minimum” that needs to be done to “check the boxes.” Most likely they have been there for a long time and are quick to warn you not to stick your neck out as it will get cut-off. They will be the ones to tell you “we’re not responsible for that” or “just go back to your cubicle and do your job.” They stomp on any creative or innovative ideas, and suck the life out of their staff.
How this develops rogue behavior: Similar to the absent leader, this one actually prevents people from doing the right thing. Over time, this can lead to the same results as many of the other types of leaders described above.
I honestly don’t think that preventing ‘rogue” employees is rocket-science. If you take the time to be genuinely interested in your people’s lives, give them opportunities to grow and be creative, along with the opportunity to contribute to higher organizational goals, and thank them once in a while, they will be much less likely to want to go “rogue” and hurt you or your organization.
But, do the opposite – treat them like furniture, ignore their needs, stomp on their personal goals for growth and development, and yes, they will be pissed off. And, if you piss them off long enough they will:
Leave your organization (with your proprietary/sensitive information); or
Do something to sabotage your organization’s success; or even worse
They may just stay-on, get promoted, and be there to piss off everyone else you place beneath them.
Day Two at IACP and straight in early on Sunday morning to attend the Cyber Threats and Attacks Facing Law Enforcement Agencies session. Having attended the last two Cyber Threat Summits in Dublin, Ireland, I am well aware of the challenges we are all facing everyday in trying to protect our technology.
Mark Gage opened with a very worrisome statement, saying that we spend so much money trying to protect everything else in our lives, but not enough care is given to protecting our information and identity networks. We are at risk every single day, just by viewing Facebook or opening up an untrusted email attachment our phones/laptops can become infected, and spread malware.
We should all know better, in-fact we do know better, we know the risks associated with all these things, but yet we are all capable of making silly mistakes and suffering the consequences.
Mark says the most important thing is to educate your staff, consult with those you share systems with, do not use the same password for everything, and make your password changes a minimum of 90 days. It’s also critical that we keep all software up to date, particularly anti-virus software, and implement back up procedures. For companies, he suggests paying money to employ IT staff or contractors.
George Arruda spoke next of the worst day for him in Sept 2013, whilst driving on holiday in Florida, he received a phone call, which gave him the news he dreaded – a virus had locked down ALL of Swansea Police Department’s files thanks to a vicious virus called Cryptolocker!
The only way to get the files back was to pay a ransom of bitcoins, to some criminals out there in cyberspace. He didn’t know who there were, or where they originated from, but he gave the order to pay and get the files back.
A cyber security expert was called in and he advised against this, but they eventually began the transactions of transferring bitcoins and they started to get data back. The main problem here was that they did not have back up, so they were indeed in a vulnerable position.
Having amassed a very large amount of data, this incident shook the Swansea PD. On the back of this, George gave advice to everyone – Back Up Everything and teach your staff NOT to open anything suspicious, and only have ONE administrator access with a password.
Steve Sambar warned of the dangers of terrorist cyber attacks, and the worry of, if they attack, what do we do? Who will be responsible for handling it? How long will it take to cover? We face so many threats every day, human error, insider threats, external threats. Many big corporations have suffered already. For example, Target had 40 million accounts hacked in Dec. 2013, and Ebay’s database with 233m users was hacked in Feb. 2014.
Jim Emerson had the last word, delivering a fast paced description of the emerging threats and challenges. Everything is happening faster, he said, and we have to understand the reality of what cyber security is.
He showed two short videos from IACP about cyber security, these are available on the IACP website. Jim wants us to:
Check carefully where is the suspicious email coming from.
Be aware of who you connected to.
Jim also stressed the importance of this being a day to day footrace, and it never ends. He is right, and we do not want to be sorry when it is too late.
Everyone is missing the boat on the insider threat issue – INSA too…to paraphrase James Carville, “It’s leadership stupid.”
Government and private sector organizations are the primary reason for insider threats – senior leaders and the boardroom grow them internally.
With very minor exception, NO ONE COMES TO WORK FOR YOU ON DAY ONE WITH THE INTENT TO HURT YOU, steal your secrets, or sell your intellectual property.
It’s how you treat them, over time, that turns them into insider threats.
You put them in the wrong jobs;
You fail to trust them;
You make it hard for them to do their jobs;
You put asshole/untrained managers over them;
You treat them like furniture;
You , threaten their existence in your companies and agencies;
You kill their spirit; and
Then, you wonder why they decide to hurt you.
Want to reduce/eliminate the insider threat? Treat you staff the way you did on day one:
Welcome them as a human being;
Be aware of how they are cared for in your organization;
Show them you care about them and their families;
Give them a future;
Put r-e-a-l leaders over them;
Give them a voice; and
Pay them well.
In other words, treat them as you would want to be treated.
Now, why is that so hard?
And, why do NONE of the plans I have seen for combatting the insider threat even mention poor leadership as a factor?
INSAonline.org | 9.12.13 Assessing Insider Threat Programs of U.S. Private Sector http://www.insaonline.org/i/f/pr/9.12.13_InsiderThreat_WP.aspx
“When Johnny reports to work for you on Day 1, they DO NOT intend to do you or your organization’s information systems any harm; something happens to them, either in their personal or work life that changes this – the CEO’s or Agency Head must be held responsible for making sure they know what’s going on with all of the Johnnys (and Janes) in their organization to prevent the good people they hired from becoming insider threats.”
While most of the world is focusing on “technology” as a solution to preventing insider threat attacks to organization/agency information and systems, hardly anyone is focused on leadership’s responsibility to create and sustain a work environment that minimizes the chance for an employee to turn into an insider threat.
On October 21, 2012, I had the chance to speak on this issue at the 2012 International Cyber Threat Task Force(ICTTF) Cyber Threat Summit in Dublin, Ireland a few weeks ago; here is a video recording of my presentation, I hope you find it informative and useful.
Get on a plane and join me at International Cyber Threat Task Force (ICTTF) Cyber Threat Summit in Dublin, Ireland 20/21 September 2012, be my guest by using the registration code: nowheretohideguest – http://www.cyberthreatsummit.com/
Warhas been defined as “a state of organized, armed and often prolonged conflict carried on between states, nations, or other parties typified by extreme aggression, societal disruption, and usually high mortality.[Wikipedia]” Cyber Warfarehas been defined as “politically motivated hacking to conduct sabotage and espionage. [DOD]”
While some of what we’ve recently can be construed as Cyber Warfare (including the recent hacktivism), the bulk of what’s really going (largely beneath the surface) is a) efforts by organized criminal elements using new technologies and capabilities to do what they have always done—steal money, or b) continued acts by nation states to steal military secrets (espionage) or corporate secrets (economic espionage).
While the latter (b) get the big press, I am worried that that the former (a) is actually the bigger problem of the two. I was personally hit by identity theft a few years ago when a group got access to my credit card details from a retailer I had done business with. This group proceeded to charge 250 rubles (about $9US) twice a month to one of my credit cards. While not a significant amount of money for me, I would guess that they had thousands of victims like me, and together, the monthly booty would add up quite quickly. Two hypotheses…
More of this type of cyber-crime is occurring today than the stuff showing up on the front page of any newspaper; and
What we mean when we say “Cyber Warfare” is really just the 21st century version of crime; criminals using cyber means.
I’m also afraid that our law enforcement forces (internationally) are nowhere near being prepared to dealing with crime using cyber technologies—two points from a National Criminal Justice Association (NCJA) Forum I recently attended:
One of the sessions I participated in was entitled “Why Does the Crime Rate Continue to Decline?” The speaker (a well-respected professor) informed us that crime in America is actually down to the levels it was in 1964—this represents a significant drop. I asked the question “Did crime really drop or have criminals begun to use technology to steal rather than a pistol?” His response was “criminals aren’t smart enough to use computers.” I found this very hard to believe. Criminals have always adapted to stay a step ahead of law enforcement, and I fear that they now have a significant upper-hand, especially if law enforcement feels the way the speaker did and they fail to re-tool their ranks to detect, deter, and dismantle the new cyber-oriented criminal threats.
Another session I attended was entitled “A Clear and Present Threat: A Look at Cybercrime.” In this session, one of the speakers spoke of the growing problem of crime in virtual worlds—people with avatars in virtual worlds are stealing other peoples virtual property and assets, and real lawsuits are being tried in real courts by real people. If you don’t believe me, read this article – Virtual add-ons draw real-world lawsuits – that I found in researching this further. I would submit that today’s criminals are more tech/cyber-savvy and have realized that there are safer (cyber) ways to steal money and property without having to physically point a gun at someone’s face.
Now ask yourself, how many law enforcement officers are prepare to investigate this type of crime, let alone basic identity theft, software piracy, child pornography, and cyber-extortion? And what about their readiness to preserve digital evidence in computers, laptops, routers, firewalls, servers, and handheld devices?
Today these skill sets are confined to special divisions within a police department, segregated from the bulk of the force. I would like to offer that just like the weapon, handcuffs, and radio on their utility belt,it’s time to equip many more, if not all law enforcement officers with the training and tools to understand, detect, and investigate cyber-crime…we’ll never get fully ahead of the problem, but maybe we can catch-up a bit.
Day Two at IACP and straight in early on Sunday morning to attend the Cyber Threats and Attacks Facing Law Enforcement Agencies session. Having attended the last two Cyber Threat Summits in Dublin, Ireland, I am well aware of the challenges we are all facing everyday in trying to protect our technology.
