When Bad Hacks Happen to Good Insurance People

We all read about the terrible hacks that happen to big corporations, or large insurance companies. Unfortunately, many of us are lulled into a false sense of security that those sort of security failures would never happen to us. This is far from the case. Even good insurance people face times when their systems were hacked – often by some form of malware – and they have to move forward as best they can in an effort to protect themselves and their clients.

Read more in my latest article for Insurance Advocate Magazine.

Under Attack: When Bad Hacks Happen to Good Advisors

Colossal computer hacks don’t just happen to big companies with huge data banks with information “worth” accessing. They happen to you and me, to individuals and enterprises alike. Even the best insurance advisors encounter cyber attacks, and they can be injurious to both their professional and personal lives. So, what do you do? The process won’t be easy, but there are steps you can take to right the situation.

You can read more about how to prevent bad hacks as well as what to do when they happen in my latest article for Insurance News Net here.

Clear and Present Danger

On December 13th the New York Times published a feature article titled “The Perfect Weapon: How Russian Cyberpower Invaded the U.S.” In it Eric Lipton, David Sanger and Scott Shane do an excellent job in framing in detail the recent state-sponsored cyber attack against United States interests. But, the story doesn’t end there.

Russia is not alone in excelling at cyber warfare. Many nation-states see this as the new arms race. They believe, rightly so, that this is a race they can win. North Korea, Iran, and China have demonstrated their capabilities time and again. So has the United States and Israel. There is little doubt that practically every country is actively participating in the development, management, and deployment of cyber warfare infrastructure. They all are, and they are building massive defensive and offensive cyber warfare capabilities. Moreover, they are “in it to win it,” and they think they can.

What has made Russia’s cyber attack particularly egregious is not that it is the first, but that it is a blatant, “in your face,” show of power, ridiculing the last superpower standing. What makes it particularly deadly is that it is coupled with Russia’s deep scholarship in propaganda. I have read recent interviews from officials downplaying and demeaning Russian propaganda as “par for the course,” and “things we’ve seen before from the Russians.” If so, then we have not learned, and that costed us dearly. We have been badly defeated and ridiculed by what we all thought was a vanquished enemy of a cold war gone dead. In my view, news of the enemy’s demise are premature, and the cold war is very far from over.

On April 4th 1949, with the memories of the second world war brutally fresh, an alliance was formed between the United States, Canada, and several European countries. The North Atlantic Treaty Organization (NATO) was formed. Article 1 of the treaty reads: “The Parties undertake, as set forth in the Charter of the United Nations, to settle any international dispute in which they may be involved by peaceful means in such a manner that international peace and security and justice are not endangered, and to refrain in their international relations from the threat or use of force in any manner inconsistent with the purposes of the United Nations.”

Many more treaties followed, and the world’s doomsday clock reflected the threat: 7 minutes to midnight in 1947. 3 minutes in 1949, after the first USSR nuclear test. 17 minutes — the lowest value — in 1991. Now, it is back to 3 minutes to midnight.

The lowest value, 17 minutes to midnight, was reached when the world thought the cold war to be over, and the United States and Russia were engaged in nuclear arms reduction. Since 2015 it is back to 3 minutes as “Unchecked climate change, global nuclear weapons modernizations, and outsized nuclear weapons arsenals pose extraordinary and undeniable threats to the continued existence of humanity,” and world leaders fail to act.

Sadly, this is not their only failure. As catastrophically serious both climate change and nuclear arsenals are, and for that there should be no doubt, a third blight has surfaced: Cyber War. Most think that hacking or cyber warfare is a threat, to be sure, but not on the same level as nuclear weapons. Yes, millions of dollars may be lost, political careers ruined, and service interruptions may be inconvenient, but a cyber war is thought to be confined to the virtual world, not the real one. They are deadly wrong.

Acts of cyber warfare may have already claimed lives in the Ukraine, when Russian hackers attacked that country’s power grid leaving almost a quarter million residents without power. Lives may have been lost when the centrifuges in Iran’s nuclear enrichment facility were destroyed by Stuxnet, a suspected U.S. / Israeli cyber weapon. And, of course, there are many victims of cyber-bullying that took their own lives demonstrating the power of reputational damage, an easily attainable effect of hacking any individual’s life story.

Experts warn of the certainty of real human casualties from cyber warfare. Consider what would happen if the electrical grid was hacked and the country, or regions, went dark for weeks on end. Ted Koppel did in his “Lights Out” book, and the implications are devastating. Consider the ramifications of hacking medical records, devices and facilities, water purification plants, traffic control, or telecommunications. I am sure that you can come up with your own nightmare scenario that leaves thousands, if not hundreds of thousands dead or injured, and our country in chaos.

I also have no doubt that there are brilliant minds working around the clock in our security services that continuously analyze and respond to these threats, as well as advise our leaders.

But, I know from experience, their advice frequently falls on deaf ears.

Just as executives don’t want to hear about risk, be it cyber, technology, or otherwise, so, I suspect, are government “executives.” Certainly, recent rhetoric on the value of intelligence briefings demonstrates this, just as the inaction and hesitation of the Obama White House in responding to the Russian attack against our political process, or the flaccid reaction of the fourth estate in the face of fake news sites.

We need a concentrated effort in this new front for the survival of humanity. Confidentiality, Integrity, Availability, and Safety — the four pillars of cybersecurity, are now as fundamental to our lives as freedom of expression, movement, assembly and all the rights we have been taken for granted as inalienable.

We need our leaders to be educated and alert to the danger that cyber warfare poses. We need our people to be better educated in navigating the information highway, and sensitized to the danger of cyber attacks — think “duck and cover” for the cyber age.

Finally, we need to join with our allies and reinvigorate our frameworks for resolving conflicts peacefully to include cyber warfare. A cyber attack to one country should be considered an attack to us all, with the commensurate and immediate response. And, we need all international organizations to recognize the danger of cyber actor and weapons proliferation and take immediate and decisive action.

It’s a start, when nothing less will do. My Cyber Clock is set to 1 minute to midnight, and the seconds are ticking…

You Probably Can’t ‘Prevent’ Cyberattacks

Is your bank struggling to create a cybersecurity plan thorough enough to meet all of your needs? Every bank is unique, and no off-the-shelf, one-size-fits-all solution will completely solve your cybersecurity woes.

Luckily, by taking a moment to evaluate your bank’s business and pain points, you can set up the right controls that will preemptively ward off cyberattacks and compensate for attacks that have already happened.

My article in American Banker covers this in depth – read it here.

Mitigating Cyber Risks With the Right Security Controls

Understanding that no organization can fully protect themselves from cyberattack is the first step to better protecting yourself and your business. Through a careful evaluation of both your enterprise’s current cybersecurity weak spots and your risk appetite, you can implement the right security controls to mitigate the risk of an attack.

To learn more, read my article for Information Management.

The 3 Biggest Mistakes in Cybersecurity

Cybersecurity seems to be an elusive concept for many businesses, big and small. They’ve tried countless solutions and strategic security plans, often without much success. This can be a frustrating process, but you can break the cycle!

By taking the time to understand what difficulties you might encounter, you can proactively set up controls that help to mitigate your risk. In my article for Information Management, I cover the three biggest, most common cybersecurity mistakes that I see repeatedly. Learning about the pitfalls that many face when working to secure their businesses is an excellent first step to take on your journey to a more cyber aware operation.

For the full article, head to Information Management. 

The Wrong Ways to Manage Cyber Security

So, you’re finally convinced that this “cyber security thing” is not going away.  Now what?  Well, there are many ways to go about this:  On the one hand, you can take ownership of the problem and address this clear and present danger to your business, or, on the other hand, you can “lie” to yourself, throw the ball over the technology wall, and assume that everything is taken care of!  You would be in good company.

You see, many executives are tricked into thinking cyber security is a technology problem.  Far from it.  Perhaps it is wishful thinking, or, given the high-tech nature of the risk, an honest misunderstanding of the issue.  It doesn’t matter:  The end result is the same.  Cyber security is not a technology problem.  It is a business problem, and most importantly it is a people problem.

To understand this better, consider for a second the actual role that Information Technology (IT) plays in your world.  The role transcends all the “crucial” and “essential” adjectives that describe your IT.  And, it holds true no matter what your business is, no matter what size company.  This role is the same for everyone, and it is a simple one:  IT generates Value.  It does so a myriad different ways depending on the business you are in, from the actual delivery of goods to clients (e.g. software businesses, data businesses, media and technology businesses etc.) to complementing, enhancing, and realizing the mission and vision of the company (law firms, manufacturing, logistics, healthcare, etc.)

Why is understanding the role of IT as a value creator important?  Because the priorities of the IT function and the priorities of the cyber security function are at odds.  Cyber security is about managing risk.  IT is about creating value.  Think of it this way:  IT is like a banker.  Their goal: Create value for the bank’s shareholders.  Take risks, underwrite those loans, develop creative financial instruments, do whatever it takes to generate value.  Cyber security is like the regulators.  Their concern is with the viability of the institution, the risk to the system, the possibility of failure.  You can easily see, I hope, that you cannot have the regulator (cyber security) report to the banker (IT).

Understanding that you need to segregate these two functions is the first step.  The next pitfall is understanding the real problem that your cyber security function is trying to solve.  Frequently, cyber security is thought of as a checklist exercise:  Get the right firewalls, the right antivirus, establish a set of policies and procedures, and you’re all set.  Do it and forget it.  Nothing could be further from the truth.  To be sure, there are technology elements in deploying the right defense-in-depth strategy for your company, but stopping there is treating a continuously evolving problem with a solution that will probably be obsolete by the time you finished reading this article.  Managing cyber security is managing a chronic condition.  Both the condition and the medicine applied will change and adopt with time.  Remember:  The real problem you’re trying to solve is how to manage cyber security risk.  A risk that continuously changes as threats and technologies change, and – just as importantly – a risk that you mitigate based on your risk appetite that will also change based on market conditions and business priorities.

Which brings us to the real crux of the issue:  People.  In 2016 ISACA published the top three cyber security threats facing organizations in that year.  They were, in order: 52% Social Engineering; 40% Insider Threats; 39% Advanced Persistent Threats.  Excluding the advanced persistent threats typically targeted against large multinationals, governments, military, infrastructure and the like, the other two have one common element:  People.

Social engineering is, essentially, a dangerous con game where hackers pretend to be trusted sources so that they can compromise your data.  “Your data” can mean anything, from your personal financial data, your medical information, and your family’s most private records, to your business data.  Social engineering can also morph into an extortion instrument above and beyond the typical ransom-ware whereby the attacker encrypts your data and will only release the key after payment.  By compromising your personal information, the attacker may find personal vulnerabilities that they can use to turn you into an insider threat:  A person who willingly or unwillingly commits cyber fraud from within the company.

The good news here is that once you realize that this is a people-centric problem you can shift your focus and give it the proper attention.  You, for example, can institute a robust cyber security awareness program for your people.  Repeated quarterly, semiannually, or annually, as your company size and needs dictate, cyber security awareness training has proven to be one of the most potent controls against cyber crime.  Sensitizing people to the threats, the techniques, and giving them practical, realistic options results in a safer cyber-workplace, and safer employees.  In turn, being aware of employee behavior, access, and personal and professional goals can give you enough advanced indication of possible insider threats before they turn into attacks.

The bottom line here is this:  Cyber security is not a technology problem that you can delegate.  It is a business problem affecting you personally and your people.  It requires your engagement along with that of your organization as a whole: Executives, IT, Cyber, Risk, Compliance, and staff.

Nothing less will do, and nothing less should be acceptable to you and your company.  The stakes are simply too high.

What matters most…

I got an email today… One of many.  One of hundreds.  This one, though, was one of an increasingly common thread.

An increasingly common thread.

Submitted bellow for your review and reflection.  Names have been deleted to protect their identities. Context: Trying to get professional introductions among two c-level executives in Pharma/BioTech (industry is irrelevant – we see the same thing across all industries). The conversation was forwarded to me from one of the participants in… despair?

This is far from “ok.” We, all of us, are responsible from shifting this transactional, “what have you done for me lately” existence into something more meaningful, more human. We must pause, reflect, and make space to engage again. As hard as it is, it is critical to our wealth as people, critical to the legacy we leave behind, essential to what we teach those that are steps behind.

I’ve heard all the excuses, all the truisms: Too busy, fighting everyday for survival, no time, no space… That may appear real, but are not. That is an empty reality, a soulless void, not a place for you. It’s an illusion.

Stop. Think. Act. And be human, first and foremost.

Read from bottom up, as usual…
———————————————————————————–
From: ABC
Date: Sep 9, 2014 1:56 PM

Interesting that you mention that. It seems to me that since the financial crisis of 2008, the world is topsy turvy. There don’t seem to be any boundaries anymore and certainly not much professionalism or integrity. It’s sad to me that it seems like people are just grabbing for whatever they can get and they don’t care who it hurts in the process. Glad I’m at the end of my career. Not sure I want to continue on much longer in this type of circumstance.

From: XYZ
Sent: Monday, September 09, 2014 10:44 AM

ABC,

Thank you. I understand the difficulties. I cannot even get folks to call me back when I’m willing to donate my time to their organizations.

Best,

XYZ

*** On Mon, Sep 8, 2014 at 1:34 PM, ABC wrote:

Well XYZ, I don’t know what to tell you.

I have not heard back from any of the folks I e-mailed, and have to admit that sadly, this is becoming more the case. I think they are just getting overwhelmed with people asking them similar questions, but I don’t know that as a fact. Anyway, I will send out another e-mail “in case they didn’t get my last one” and see if that prompts anyone. Thanks for your patience.

Fraud and Extortion, delivered fresh daily.

Today, we sent the following email to all our clients.  We wanted to share this with you at large – this matter is too important to ignore.

-cm.

———————————-

Everyone,

Cyber attacks are on the rise and projected to grow.  This is a multi-million dollar “business” and you are directly a target.

Just this last quarter, three of our clients have found themselves the victims of malicious attacks, and our consultants have been deployed to mitigate harm. It is estimated that 95% of all US business have been the target of attacks.  These numbers will continue to grow.  It’s not an “if you get attacked.”  It is a “when.”

Please be very careful.

This is what you need to know to protect your files, assets, and your identity from being compromised:

What is it?

  1. Continuously Evolving Threats:  The new “viruses” are not viruses in the traditional sense.  There is no technology that is guaranteed to “catch” them (they mutate, making “vaccines” rapidly obsolete).  One of the ways that they are activated is when the user clicks a link on a seemingly innocuous email.  Once active, the virus will encrypt your files, including network-stored files, and files that are on any on-line site (e.g. on-line backup).  They most famous one is called “Cryptolock,” and it demands payment for a key to unlock your files.
  1. No (or little) Cure:  Even when you pay the ransom, there is no guarantee that you will a) be able to complete the transaction, or b) get the key to unlock the files.  Why?  Because law enforcement is doing their job!  They constantly hunt down and close the “payment” servers, thus the extortionists can’t get paid.  That adds insult to injury – you are out both the money you paid and you have no files.  Worse, depending on how the user activated the encryption, your backup files themselves may be corrupted.

What can you do?

  1. Think before you click.  If you get an email from an unknown sender, delete it.  If you get an email that is asking you to click a link, even if the email is from someone you know, do not click the link.  Never, ever, ever click a link in an email unless you are certain that the link is safe.  How do you know?  You get in touch with the sender. Call them (preferably) and ask if they did indeed send the email with a link.  Can’t confirm it?  Delete it.  Simple.

    All too frequently people’s email accounts are hacked and emails are sent on their behalf to fool their contacts.   It is difficult in a stress-filled day to keep thinking about this type of malice.  It is short of impossible to look at every communication with suspicious eyes.  But that is exactly what the perpetrators are counting on.  Take a moment and think before you click.  Is this email something that your contact would send?  Does it make sense?  Is it consistent with their style of communication?  It only takes one click…

  1. Never respond, always initiate.  If you get a call (or email) from someone claiming they are your bank, your broker, your insurance, or any other trusted institution alleging that your account has been compromised (e.g. credit card stolen, fraudulent wire transfer, etc.) hang up!  Do not give any information.  Instead, after you hang up, call the institution yourself and ask to speak with their fraud (or security) department.  You initiate the call, never respond.  Control the communication.
  1. Password control.  Make sure that your passwords are changed frequently and are of substantial complexity.  Never, ever, ever, give your password out to anyone.  Not even to the most trusted relative or co-worker.  Through no fault of their own, their systems may be compromised and then it is your password that has been exposed.  Use a password utility like LastPass and/or services like LifeLock to keep track of your electronic footprints.

Questions?

Call us or email us.  We are happy to discuss this at length.  But please: Do not ignore this.  There is too much at stake.

Thank you,

tmg-emedia

10 questions you should be asking about IT

I have to admit that I don’t often get excited about IT articles.  But, the recent article titled “The do-or-die questions boards should ask about technology” by Paul WIlmott, a director in McKinsey’s London office, had me at “Hello!”

Now, granted, part of why I got so excited is because what Mr. Willmott writes is almost to the letter the types of questions we’ve confronted with our clients for decades.  It is very nice to be affirmed!

The article centers on nine key questions that boards should be asking.  Our list has ten, and is not directed to board of directors. Rather, we insist that everyone responsible for the business confront them.  Everyone.  From business unit managers, to lone-wolf proprietors.  From the c-level suite, to brand managers.  We believe that it is the only way to raise awareness, technology literacy, and operational results across the business.

Our questions, formed over years of experience and client feedback, are distilled to the ones below:

1.  Is IT an integral part of your business plan?

When was the last time you did a SWOT analysis?  Was IT a component of this work?  It takes courage to face the sometimes brutal truth of a SWOT analysis, and all too frequently IT is omitted.  What happens next, if that happened? IT is be proven a tremendous vulnerability, with myriad outside threats confronting technology laggards.

2.  What is your competitor doing with IT?

Technology has dramatically shifted the way businesses compete, communicate, and deliver goods and services.  One of the most important metrics in your world should be tracking the IT innovation by your competitors.  What are they doing?  What software are they using?  What are they developing?  All these questions will give you actionable insight on what you need to pay attention to.  Remember:  If it can be done, it will be done. If not by you, then to you.

3.  Are you connected with your customers with IT?

We’ve seen this too many times – the customers are way ahead of companies on their adoption of technology.  How they view your partnership with them will depend on your nimbleness in integrating IT solutions with them.  From direct delivery of “work products” to sophisticated EDI, becoming interconnected results in efficient operations, clear communications, and loyal customers.

4.  Does IT show on the bottom line?

Most “old school” thinking around IT focuses on cost centers.  Nothing could be further from the truth.  IT can be a powerful, profit making, cost-cutting, people-enabling tool.  You will know if it is, by evaluating the results of your IT investments on your bottom line.  Still, few choose to measure it accurately.

What new business did you win from the software you developed? How did the new technology tools you gave to your people that cut costs and increase productivity? Did you increase customer loyalty by the steps you took to be available clients 24×7?

Ask these questions to see IT’s impact on your bottom line.

5.  Do you have the right IT?

Sadly nine out of ten executives cannot answer this question.  They simply do not know.  Frequently dependent on their “IT people,” they accept their word as gospel.  The same executives have their financials audited every year by an independent third party!  It is critical that you open your doors and let an objective review affirm your choices, suggest alternatives, and give you options.

All too frequently internal IT people are threatened by this, and management responds to the sensitive IT feelings by backing down.  Our answer to that is simple:  No seasoned IT professional is ever threatened by the influx of new perspectives and ideas.  They welcome it.  Just as your accounting department is not “threatened” by your auditors, your IT department should be the one recommending a reality check and be inspired by what an outside view may contribute.

6.  Are you vigilant with our IT security and compliance?

IT security and compliance is way more than password policies and a network firewall.  It is about data encryption, database vulnerabilities, penetration testing, privacy concerns, competitive secrets, and client and personnel records just to name a few.  And, these issues are getting bigger and more critical each day.  You need to be vigilant, proactive, and very, very careful when it comes to your company’s exposure.  So much so that security audits and policy reviews should be part of your annual review.  Ignore it, and you might as well leave all doors and windows unlocked.

7.  Are your managers and staff engaged with IT?

Engaged with IT does not mean, “I call the IT guy when something breaks.”  It means understanding and leveraging the power of IT on daily tasks and processes.  Everyone should be urged to ask the question of “How can we do this better?” push the envelope and use technology to do so.

8.  Is IT part of our message both in-house and out?

Actions speak louder than words.  Everyone across the board should be receiving the consistent message about the value of IT to the company, to its clients, to its future.  It will break the barriers and allow for the conversations to flow.  You will be amazed as to what your people, your clients, and your vendors can do once you make it clear that these tools, these resources are theirs to use.

9.  Do we foster a culture of both accountability and support around IT?

It takes two to tango.  Just as you need to be proactive and enabling of a new culture across all tiers regarding adoption and inclusion of IT, you also need to make sure that IT is accountable to the business, the IT staff recognizes the service component of the their function, and most importantly, that IT is synonymous with business support.  Be clear on what the metrics for success are.  Accountability is not about technology.  It is about people that create and run the technology.  Be clear about expectations and deliverables always.

10.  How do we ensure a forward-thinking mentality, strategically and operationally with IT?

This perhaps is one of the trickiest questions to answer.  It involves “living in” to decisions, processes, and a new culture.  You must be attentive, careful, and vigilant in making sure that all the hard work that you did, that your managers did, and that your staff did does not get pushed aside by the “day-to-day.”  Set time aside at least twice a year to meet, talk, and ask questions.  If that means off-site, so be it, but on-site can be just as productive.  Remember – actions speak louder than words.  Do the do!

No matter which questions you ask – the McKinsey ones or the ones here – the most important take-away is that you ask them.  We cannot emphasize this enough.  Print them, email them, modify them, cut-and-paste them – do whatever works for you and your company – but act on them.

I guarantee you immediate and tangible return on your investment.  Perhaps the only case where past performance is a guarantee of future returns!