Did You Hire a Hacker? The Latest Cyberattack Starts Inside Your Organization

If you’re as chronologically mature as I am, you already know the take-your-breath-away punchline to the 1979 horror film “When a Stranger Calls”. For cinephile newbies, let me set the scene.

This cult thriller follows Jill Johnson, a young woman being terrorized by a psychopathic killer… while BABYSITTING. The stalker’s torture of choice is to ring Jill repeatedly on a phone, that still had a cord, and whisper odd things “Have you checked the children.” I don’t even have children, and that scares the babysitters out of me. Oh, I do have children. Clearly, mom and dad didn’t prep her for this date-night disaster.

After a mind-numbing series of creeper calls and ominous music, Jill wisely barricades herself inside the Mandrakis home with a series of locks, deadbolts and sliding security chains reminiscent of your favorite Howard Johnson. She dims the lights, pulls the drapes and calls the police to have them trace the source of the calls. She is one aware au pair!

Fast forward to the final phone call of that fateful night, which happens to be from the policeman who’s been tracing the killer’s calls. The call is coming from inside the house. Mr. 1970s psycho-killer (qu’est-ce que c’est) is already in the house, and Jill and the tater tots are just, shall we say, DYING to get out. For you chronological newborns, the more recent thriller Scream paid homage to this cult favorite, as did Rick and Morty.

And you ask, what, pray tell, does this have to do with the latest and greatest cyber threats that seek to separate me from my profits and reputation? I’ll tell you, but in my serious voice.

The coming attraction in the world of cyber horror happens to be hackers and corporate spies gaining INSIDER access to the confidential systems of unprepared organizations. Insider theft is the hacker’s way of adapting to the technological barricades we have put in front of our critical data. If they can’t get around it, they find a way to get invited in to babysit. In other words, when it comes to ransomware attacks and hacking, deepfakes and intellectual property espionage, the call is coming from inside your house.

Here’s how the inside job often works. Most businesses are STARVED for cybersecurity staff, because we have a worldwide shortage of qualified candidates. Hackers funded by rogue nations seek to fill that void. Due to the remote nature of cyber work, the ease of masking one’s worldly whereabouts, and a skillset honed while hacking US businesses, it’s easy for North Korean, Chinese, and Russian hackers to get legitimate jobs INSIDE US businesses. And once they’re in a trusted position, they have unfettered access to all your data, because you willingly gave them the keys to the house when you hired them to babysit your security.

Those of you who’ve been in one of my keynotes know that I use blockbuster movies and the formula they follow as a framework for how to repel the latest cyberattacks. Which means that you already know the answer to the quiz: your HEROES, your people, are the ONLY thing standing between you and successful insider theft.

The solution, of course, is to effectively train your people to pause and verify before they hand over the keys. And by effectively, I mean that you must make security awareness training entertaining and relatable so that they remember what you taught them after the movie is over. You need to let them know how artificial intelligence has raised the hacker’s game and how to combat it, and you need to make it personal. That’s my specialty. I hope you’ll ring me for a keynote to update your organization on the latest threats so that you don’t become the next blockbuster horror flick. I’ll deliver a keynote presentation your people won’t forget.

John Sileo is a cybersecurity author, expert and keynote speaker fascinated by how A.I. accelerates everything, including crime. His clients range from the Pentagon to Amazon, small businesses to large associations. John has been featured on 60 Minutes, Fox & Friends and even cooking meatballs with Rachael Ray. His latest keynote speech is Savvy Cybersecurity in a World of Weaponized A.I. Contact Us or call for details: 303.777.3221.

Cybersecurity Alert: UnitedHealth’s Billion Dollar Data Breach

One in three Americans recently had their healthcare data hacked from UnitedHealth – TWICE. The stolen data likely includes medical and dental records, insurance details, Social Security numbers, email addresses and patient payment information.

UnitedHealth Group’s subsidiary, Change Healthcare (which processes an estimated 50% of all health insurance transactions in the U.S.), fell victim to a ransomware attack that thrust the U.S. healthcare system into chaos as pharmacies, doctor’s offices, hospitals and other medical facilities were forced to move some operations to pen and paper.

Behind the scenes, UnitedHealth Group chose to pay the BlackCat ransomware gang (aka ALPHV) an estimated $22 million in blackmail ransom to restore system functionality and minimize any further leakage of patient data.

Problem (expensively) solved, right? Not even close. After UnitedHealth paid the initial ransom, the company reportedly faced a second extortion attempt from a different gang, RansomHub. The widely reported explanation is that BlackCat took the payment and cut out its own affiliate, who still held a copy of the stolen data and took it to RansomHub; that group claims to hold 4TB of related information, including financial data and healthcare data on active-duty U.S. military personnel.

To take the breach and ransom to an entirely new level, RansomHub is now blackmailing individual companies who have worked with Change Healthcare to keep their portion of the breached data from being exposed publicly. For many small providers, the ransom is far beyond what they can afford, threatening the viability of their business. Some of the larger individual providers being blackmailed are CVS Caremark, MetLife, Davis Vision, Health Net, and Teachers Health Trust.

As of today, even with millions of dollars collected by the hackers, not all systems are back up and running.

There are three critical business lessons to take from the UnitedHealth breach:

  1. Ransom payments do not equal the cost of breach. The ransom amount companies pay is a fraction of the total cost of a breach. In UnitedHealth’s case, they paid a first ransom of $22 million, but only months into the breach have reported more than $872 million in losses. Operational downtime, stock depreciation, reputational damage, systems disinfection, customer identity monitoring, class action lawsuits, and legal fees will move the needle well beyond $1 billion within the fiscal quarter. Risk instruments like cyber liability insurance can offset some of the losses, but prevention is far more cost-effective.
  2. There is no honor among thieves. Even when organizations pay the ransom demanded (and in the rare case that they get their data back fully intact), there is no guarantee that the cybercriminals won’t subsequently expose samples of the data to extort a second ransom. In this case of Double-Dip Ransomware (as I call it), a dispute among partnering ransomware gangs meant that multiple crime rings possessed the same patient data, leaving UnitedHealth open to multiple rounds of extortion. Paying the ransom instead of having tested recovery tools also places a larger target on your back for future attacks. If you haven’t implemented AND tested a 3-2-1 data backup plan (three copies of your data, on two different media, with one copy off-site) and a Ransomware Response Plan, do so immediately.
  3. The Human Hypothesis on the Source of Breach. There has been no disclosure to date on exactly how the hackers got into Change Healthcare’s systems, but my highly educated guess (from seeing so many similar breaches) is that an employee of, or third-party vendor to, UnitedHealth was socially engineered (scammed) into sharing access to one of their business IT systems. Companies generally report this kind of human oversight and poor training as “compromised credentials,” which makes it look like a technological failure rather than a human decision. From there, the hackers “island hopped” laterally to increasingly critical servers on the network. It’s likely that the cybercriminals are still inside key systems, hiding behind sophisticated invisibility cloaks.

The solution here is to make sure that the heroes in your organization, the human employees who are your first and best line of defense, are properly trained on how to detect and repel the latest social engineering attacks. Over 90% of all successful attacks we see are due to a human decision that leads to malicious access.

All organizations and leadership teams must ensure that their Security Awareness Training addresses the changes that artificial intelligence brings to the cyberthreat sphere. To ignore the alarm bells set off by UnitedHealth Group’s disastrous breach is to risk your organization suffering a similar fate.

Anyone in your organization can be the unfortunate catalyst that triggers a disastrous data breach similar to UnitedHealth’s. My latest keynote, Savvy Cybersecurity in a World of Weaponized A.I., teaches the root cause of successful social engineering scams and necessary technological preparation for ransomware attacks. REACH OUT TO MY TEAM TODAY to discuss this vital topic at your next meeting or event.

If you are a patient of UnitedHealth, Change Healthcare, OptumRx or any of their subsidiaries, take the following steps immediately:

  1. Visit the Cyberattack Support Website that UnitedHealth Group established for affected customers.
  2. Make sure that you have a credit freeze in place on your credit file at each of the three major bureaus (Equifax, Experian and TransUnion), so that your Social Security Number can’t be used to open new accounts.
  3. If you are an OptumRx customer, call them directly (1-800-356-3477) to make sure that your prescriptions haven’t been affected and that they will ship on time.
  4. Monitor all of your health and financial accounts closely for any changes or transactions. Create automatic account alerts to make this easier.


John Sileo is a privacy keynote speaker, award-winning author and media personality as seen all over TV. He keynotes conferences virtually and in person around the world. John is the CEO of The Sileo Group, a business think tank based in Colorado.

A.I. Deepfake Posing as the CFO Scams $25 Million: How to Protect Your Organization from the Exploding Deepfake AI Cyber Scam

Deepfakes use artificial intelligence (A.I.) to create fake, hyper-realistic audio and video, generally to manipulate the viewer’s perception of reality. In most deepfakes, a real person’s face, body or voice has been digitally altered or synthesized so that they appear to say or do something they never did. Well-known examples have been made of movie stars and, more crudely, of world leaders.

Removing the malicious part of the definition, deepfakes have been used in the film industry for quite some time to de-age actors (think Luke Skywalker in The Mandalorian) or resurrect deceased actors for roles or voiceovers (think Carrie Fisher in Rogue One – okay, can you tell I’m a Star Wars geek?). Cybercriminals have latched on to the technology, using AI-generated deepfakes in conjunction with business email compromise (the family of scams that includes whaling and CEO fraud) to scam organizations out of massive amounts of money.

Just recently, a finance worker at an international firm was tricked into wrongly paying out $25 million to cybercriminals using deepfake technology to pose as the company’s Chief Financial Officer during a video conference. And it wasn’t just one deepfake! The fraudsters generated deepfakes of several other members of the staff, removing any red flags that it wasn’t a legitimate virtual meeting. As a subordinate, would you refuse a request from your boss that is made face-to-face (albeit virtually)? You might be savvy enough, but most employees aren’t willing to risk upsetting their boss.

Simply sending suspicious emails to spam is no longer adequate. Our Spidey Sense (the B.S. Reflex I talk about in my keynotes) must be attuned to more than business email and phone compromise. We have entered the age of Business Communication Compromise, which encompasses email, video conferences, phone calls, FaceTime, texts, Slack, WhatsApp, Instagram, Snap and every other form of communication. It takes a rewiring of the brain: DO NOT BELIEVE WHAT YOU SEE. AI is so effective and believable that workers may even feel silly or paranoid for questioning a video’s validity. But as the employee who lost their organization $25M can surely attest, it’s far less expensive to be safe than sorry. The cheapest check there is: before moving money, call the requester back on a number you already have on file, never one supplied in the meeting or message itself.

The solution to not falling prey to deepfake scams is similar to the tools used to detect and deter any type of social engineering or human manipulation. Empowering your employees, executives and customers with a sophisticated but simple reflex is the most powerful way to avoid huge losses to fraud. When you build such a fraud reflex, people will be less likely to ignore their gut feeling when something is “off.” And that moment of pause, that willingness to verify before sharing information or sending money, is like gold. These are the skills that I emphasize and flesh out in my newly-crafted keynote speech, Savvy Cybersecurity in a World of Weaponized A.I.

Get in touch if you’d like to learn more about how I will customize a keynote for your organization to prepare your people for the whole new world of AI cybercrime. Contact Us or call 303.777.3221.

John Sileo Lost Nearly Everything to Cybercrime

John’s Story of Loss Inspires Organizations to Take Action

John Sileo lost his multi-million-dollar startup, his wealth, and two years of his life to cybercrime. It began when a hacker electronically embezzled from the company’s clients using John’s identity. John was initially held legally and financially responsible for the felonies committed. The losses not only destroyed his company and decimated his finances, but consumed two years of young fatherhood as he fought to stay out of jail.

But John’s story has a happy ending and has become a worldwide catalyst for change. Since being found innocent of all crimes (and the real hacker put in jail), John has made it his life’s work to share hard-earned wisdom as a cybersecurity expert, award-winning author, 60 Minutes guest, and keynote speaker. His happy clients range from the Pentagon to Amazon, small associations to enterprise organizations. His mission is to keep others from becoming the next disastrous data breach headline. John specializes in the human elements of cybersecurity and uses disarming humor, audience interaction, and cutting-edge research to keep his training relevant and entertaining.

John is President & CEO of The Sileo Group, a Colorado-based technology think tank, and serves on a variety of boards. He graduated with honors from Harvard University and was recently inducted into the National Speakers Hall of Fame. John finds his greatest joy in spending time with the loves of his life: his wife, two daughters, and mini golden doodle. And yes, life’s bumps have shaped him into a slightly over-protective but well-intentioned helicopter dad.

Cybersecurity Keynote Speaker John Sileo Video

Fear alone is not enough to engage your audience to make changes to their personal and professional cybersecurity posture. In my presentations, I like to use a healthy dose of humor, audience interaction, wow moments (like a live smartphone hack), my own personal story of losing everything to cybercrime and any means to make this crime personal to the audience. Call and talk to me about how I will customize for your industry and audience. 303.777.3222

How Hackers Use A.I. to Make Fools of Us (& Foil Security Awareness Training)

In a bit of cybercrime jujitsu, A.I.-enabled hackers are using our past security awareness training to make us look silly. Remember the good old days when you could easily spot a phishing scam by its laughable grammar, questionable spelling and odd word choice? 

“Kind Sir, we a peel to your better nurture for uhsistance in accepting $1M dollhairs.” 

Or how about fear-based emails with an utter lack of context from a Gmail account linking to suspicious “at-first-glance-it-looks-real” URLs: 

“Your recent paycheck was rejected by your bank! Please click on definitely-not-a-scam.com [disguised as your employer] and give us the entirety of your sensitive financial information”  

Well, those tells no longer work.

Here’s the deal: hackers use A.I., or more specifically Gen A.I. (Generative Artificial Intelligence), to turn outdated phishing detection habits on their heads. It lets criminals tailor perfectly crafted, error-free, emotionally convincing emails that appear to come from a trusted source and reference actual events in your life. Giving A.I. to cybercriminals is like handing your five-year-old a smartphone: they’re better at it than you will ever be.

A.I. augmented phishing emails are designed to trigger your trust hormone (oxytocin, not to be confused with Oxycontin) by systematically eliminating all of the red flags you learned during your organization’s cybersecurity awareness training. So, when an employee receives a well-crafted, error free email from a friend that references recent personal events, past cybersecurity awareness training actually encourages them to click on it.

To make matters worse, if the hacker happens to have access to breached databases about you, like emails compromised during a Microsoft 365 attack, they become the Frank Abagnale of phishing (the world’s most famous impersonator, if you don’t know who he is). Criminals can easily dump breached data into a Large Language Model (LLM) and then ask the A.I. to compose a phishing campaign based on your past five emails.

A.I. software allows even novice cybercriminals to scrape your relationships, life events and location from social media, combine it with personally identifying information purchased on the dark web, and serve it up to your email or text as if it originated from someone you trust. It’s like having your own personal stalker, but it’s a cyborg that understands your love of blueberry cruffins and ornamental garden gnomes. (Ok, maybe those are my loves, not yours.).  

The reality is that hackers are no longer crafting the emails one by one; it’s artificially intelligent software doing millions of times per day what nation-state hackers used to spend months doing to prepare spear-phishing campaigns. And it means that phishing and business email compromise campaigns will eventually appear in your inbox as often as spam. And that threatens your bottom line. 
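The defensive consequence of the paragraphs above is that message wording is no longer a reliable signal, so verification has to lean on things the attacker cannot polish away: what your own receiving mail server’s SPF/DKIM/DMARC evaluation said, whether the Reply-To points somewhere other than the From domain, and whether the sender domain is a near miss of one you actually trust. The Go program below is an added example written for this article, not code from the author or any vendor; the trusted domain list, the two sample messages and every header value in them are constructed for the demonstration. It goes a little beyond the text by scoring all three signals together, because a registered lookalike domain passes DMARC for itself and is only caught by the domain comparison.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// Domains this hypothetical organization actually exchanges mail with (constructed).
var trustedDomains = []string{"example-corp.com", "payroll-vendor.example"}

// Finding is one header-level red flag: a stable Rule label plus analyst detail.
type Finding struct{ Rule, Detail string }

var authResultRe = regexp.MustCompile(`(spf|dkim|dmarc)=(pass|fail|none|softfail|temperror|permerror)`)

// addrDomain returns the lower-cased domain of a header such as `"Dana" <dana@x.com>`.
func addrDomain(header string) (string, error) {
	a, err := mail.ParseAddress(header)
	if err != nil {
		return "", err
	}
	at := strings.LastIndex(a.Address, "@")
	if at < 0 {
		return "", fmt.Errorf("no domain in %q", a.Address)
	}
	return strings.ToLower(a.Address[at+1:]), nil
}

// levenshtein is edit distance on runes, so a homoglyph counts as one substitution,
// exactly like the digit-for-letter swap in example-c0rp.com.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev, cur := make([]int, len(rb)+1), make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			best := prev[j-1] // substitution, free when the runes match
			if ra[i-1] != rb[j-1] {
				best++
			}
			if prev[j]+1 < best { // deletion
				best = prev[j] + 1
			}
			if cur[j-1]+1 < best { // insertion
				best = cur[j-1] + 1
			}
			cur[j] = best
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// lookalike reports which trusted domain d imitates: edit distance 1 or 2 from one,
// without being an exact match of any.
func lookalike(d string) (string, bool) {
	target := ""
	for _, t := range trustedDomains {
		switch dist := levenshtein(d, t); {
		case dist == 0:
			return "", false
		case dist <= 2 && target == "":
			target = t
		}
	}
	return target, target != ""
}

// AnalyzeHeaders applies checks that never look at the wording of the message.
func AnalyzeHeaders(raw string) ([]Finding, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	fromDomain, err := addrDomain(msg.Header.Get("From"))
	if err != nil {
		return nil, err
	}
	var fs []Finding
	// 1. Our own MTA's Authentication-Results: an exact-domain spoof fails DMARC however good the prose is.
	results := map[string]string{}
	for _, m := range authResultRe.FindAllStringSubmatch(strings.ToLower(msg.Header.Get("Authentication-Results")), -1) {
		results[m[1]] = m[2]
	}
	if results["dmarc"] != "pass" {
		fs = append(fs, Finding{"dmarc-not-pass", fmt.Sprintf("dmarc=%q for %s", results["dmarc"], fromDomain)})
	}
	// 2. A Reply-To on another domain quietly routes the victim's answer to the attacker.
	if rt := msg.Header.Get("Reply-To"); rt != "" {
		if rtDomain, err := addrDomain(rt); err == nil && rtDomain != fromDomain {
			fs = append(fs, Finding{"reply-to-mismatch", fmt.Sprintf("From %s, Reply-To %s", fromDomain, rtDomain)})
		}
	}
	// 3. A registered lookalike passes SPF/DKIM/DMARC for itself, so compare it with the domains we trust.
	if target, ok := lookalike(fromDomain); ok {
		fs = append(fs, Finding{"lookalike-domain", fmt.Sprintf("%s imitates %s", fromDomain, target)})
	}
	return fs, nil
}

// Two constructed messages: a lookalike-domain BEC that authenticates cleanly, and an exact-domain spoof that does not.
const lookalikeSample = `From: "Dana Reyes (CFO)" <dana.reyes@example-c0rp.com>
Reply-To: dana.reyes.exec@mail-relay.example
Subject: Re: Q3 vendor payment - urgent
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-c0rp.com; dkim=pass header.d=example-c0rp.com; dmarc=pass header.from=example-c0rp.com

Sam, great seeing you at the Denver offsite. Please wire the attached invoice today.
`

const spoofSample = `From: "Dana Reyes" <dana.reyes@example-corp.com>
Subject: Updated banking details
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.com; dkim=none; dmarc=fail header.from=example-corp.com

Our vendor changed banks; new routing details below.
`

func main() {
	for _, raw := range []string{lookalikeSample, spoofSample} {
		fs, err := AnalyzeHeaders(raw)
		fmt.Println(fs, err)
	}
}
```

Run it as a single file with `go run`. One caveat for production use: take the Authentication-Results header only from your own inbound mail gateway and strip any copies that arrived with the message, because an attacker can add a forged one of their own; the value is only meaningful when your server wrote it.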

Let’s get serious for a hot minute. For those of you who have attended one of my cybersecurity keynotes, here is a comprehensive and organized approach to the steps your organization should begin taking as outlined by the Blockbuster Cyber Framework:

  1. HEROES (Your people): Immediately retrain your people to properly identify, verify and distinguish harmful phishing and social engineering schemes from legitimate communication. This requires new thinking applied to old reflexes. 
  2. STAKES (What you have to lose): Identify which data is the most sensitive, profitable, and targeted by ENEMIES, and prioritize its defense. You can’t protect everything, so protect the right things first. 
  3. SETTING (Your technology): Implement defensive software tools like A.I.-enhanced spam filtration that help detect phishing emails; generative A.I. is brilliant at detecting patterns, which makes identifying even well-crafted phishing campaigns somewhat easier. Then properly segment and segregate your network so that access to one area of your data doesn’t expose the others.
  4. GUIDES (Experts in the field): Hire an external security assessment team (not your I.T. provider) to evaluate your technological and human defenses and known vulnerabilities. Internal teams have less incentive to discover their own mistakes.
  5. PLAN (Pre-attack and post-attack next steps): Develop a prevention roadmap before the ATTACK and an Incident Response Plan that lets you know exactly who to call and how to respond when a successful phishing attack occurs (because it will). Preparation is the greatest form of mitigation. 
  6. VICTORY (When you don’t end up on the front page): When nothing bad happens, reward your people. Throw a party for your team, because nothing says “thank you for not clicking on that profit-destroying scam” like a rowdy office shindig. Incentivizing good behavior is just as critical to your culture of security as retraining after someone mistakenly clicks on a phishing email. 

Cybercrime is constantly changing and now A.I. enables every attack type to scale. Make sure your cyber defenses and people don’t end up being the fool. 


John Sileo Live-Hacks an Audience Smartphone (Video)

Why do I perform a live hack during my cybersecurity keynote speeches? Here’s what I have found giving cybersecurity keynotes for the past two decades – if you don’t interact with your audience, if you don’t keep them laughing while they are learning, they won’t stay engaged and they will forget everything they have learned when the lights come back up. When I perform a live smartphone hack or otherwise humorously engage the audience, it makes them a direct part of the solution. And it also shows even the most sophisticated audiences, even security professionals, don’t know everything about security. In over 1,000 presentations, I have never failed to successfully hack a smartphone. Cybersecurity keynotes can be dry, but they don’t have to be. My specialty is in keeping keynote content entertaining, so that it sticks. To see more cybersecurity speaking videos, visit my Cybersecurity Keynote Speaker page.

Cybersecurity Habits Meet Neuroscience

Bad Cybersecurity Habits

Hack your cybersecurity habits to avoid being hacked! The human element of cybersecurity is the most overlooked and underused tool for data protection. People are our strongest line of defense. In other words, your employees are your greatest asset in the fight against cybercrime, but only if you train them to be. By fortifying data at its source, meaning us, we have a much better shot at preventing cyber disasters in our businesses.

Drawing inspiration from the book “Atomic Habits” by James Clear, we can apply his principles to reinforce best cybersecurity practices. Just as small, incremental changes lead to significant long-term results in personal growth, cultivating atomic cybersecurity habits can fortify our digital defenses. In this article, we will explore how the concepts of “Atomic Habits” can be seamlessly integrated with cybersecurity practices, empowering individuals to navigate the online world with confidence and security.

Let me hack your brain to make security simple. 

Healthy Cybersecurity Habits 

  1. Strong and Unique Passwords: Use strong, complex passwords. Avoid reusing passwords. Use a password manager to generate and store passwords.
  2. Two-Factor Authentication (2FA): Enable 2FA whenever possible. Prefer an authenticator app or a hardware security key over codes sent by SMS, which can be intercepted by a SIM swap.
  3. Regular Software Updates: Keep your operating system, antivirus software, web browsers, and other applications up to date. Updates often include important security patches that address vulnerabilities.
  4. Secure Wi-Fi: Use a strong, unique password for your home Wi-Fi network. Enable encryption (WPA2 or WPA3). Avoid using public Wi-Fi networks for sensitive activities unless you are using a reliable VPN (Virtual Private Network).
  5. Phishing Awareness: Be cautious of suspicious emails, messages, or calls. Verify the legitimacy of requests and avoid providing personal information unless you are certain of the source.
  6. Regular Backups (Daily): Backup your important files and data regularly to an external hard drive, cloud storage, or other secure location.
  7. Privacy Settings: Review and adjust privacy settings on your devices, apps, and social media accounts. Limit the amount of personal information you share. Consider what permissions an app truly needs (spoiler alert: not much).
  8. Secure Web Browsing: Use secure websites (HTTPS) when providing sensitive information. Look for the padlock icon in the address bar, but remember that the padlock only means the connection is encrypted, not that the site is legitimate; phishing sites use HTTPS too, so check the domain name itself. Be cautious of clicking on suspicious links. Avoid downloading files from untrusted sources.
  9. Device Protection: Use reputable antivirus or security software on all your devices and keep them updated. Enable device lock screens or biometric authentication (fingerprint or facial recognition). 

How to Hack your Habits

ATOMIC HABIT CYBERSECURITY APPLICATION
Use the two-minute rule: identify a small, actionable step you can take that only takes two minutes. Do it immediately.
  • Change one password.
  • Put. A. Password. On. Your. Lock. Screen. 
  • Enable two-factor authentication for one account
  • Grab your phone. Settings >> privacy >> location. Turn off location services for apps that absolutely don’t need your whereabouts. 
  • Delete 2-3 apps you do not use.
  • Unsubscribe from a few junk mailing lists
Make habits obvious: Create clear cues and reminders to engage in the healthy habit. 
  • Create a regular and recurring phone reminder to update software or add another financial site to your two-step login list. Make cybersecurity a visible part of your daily routine.
“Habit stack” for better integrations. 

Link new habits to existing ones to help them become more automatic and ingrained. 

  • Before you start browsing the internet each day, make it a habit to check for secure connections (HTTPS) or verify the legitimacy of websites. 
  • At the same time, check to make sure that your backup is working properly.
  • Monthly family/business meetings? Add a 5 min technology check-in to the schedule (updates, passwords, issues). 
Environmental design can make desired behaviors more convenient (make good habits EASY to do) and undesirable behaviors more difficult (make bad habits HARD to do).
  • Enabling fingerprint recognition on your password keeper will make it more appealing to log into.
  • Invest in a larger cellular data plan so that you aren’t tempted to join insecure free WiFi hotspots.
Track habits to maintain motivation and measure progress.
  • Keep a log of actions such as updating software, conducting regular backups, or practicing safe browsing.
Make habits satisfying: immediate rewards increase the likelihood of habit formation. 
  • After completing any of the above, or even a thorough scan of your device for malware, reward yourself with a short break or engage in an enjoyable activity. 
Build an identity of the person who embodies desired habits. 

You are more likely to put effort into something that relates to who you are (identity) rather than what you do (behavior).

  • Embrace the identity of a proactive and security-conscious individual. Visualize yourself as someone who prioritizes protecting their digital assets. By identifying as a cyber-conscious person, you’ll be more likely to adopt and maintain good cybersecurity habits.

Cybersecurity often feels like an endless journey. This is why celebrating progress is crucial to maintaining hope and momentum. By embracing the principles of “Atomic Habits,” we can forge a path towards a more secure digital future. And we can do so without burning ourselves out or going off the grid entirely (I know how tempting it may seem…). What matters is that we show ourselves some grace as we build better cyber health. 

The power lies within our daily actions—the consistent implementation of small, atomic cybersecurity habits that reinforce our protection. Just as Clear’s book teaches us to focus on the process rather than the outcome, let us concentrate on the journey of developing healthy cybersecurity habits, one smart step at a time. 


___________________________



John Sileo is an award-winning keynote speaker who educates audiences on how cybersecurity has evolved and how they can remain ahead of trends in cybercrime. He is proud to have spoken at the Pentagon and Amazon, written four books on cybersecurity, and been inducted into the National Speakers Hall of Fame. He has appeared on 60 Minutes, NBC, ABC, Fox, CNN, Rachael Ray, and Anderson Cooper. John’s work has been quoted and published in The Wall Street Journal, The Washington Post, USA Today, and Kiplinger’s.

Looking for a customized speech to make your next event unforgettable? Call 303.777.3221 or fill out our contact form to connect with Sue, our business manager extraordinaire. She’ll work with you to brainstorm ideas and explore how John can tailor his speech to fit your needs perfectly.

Security by Design in a Tesla Driven World


When my daughters were younger, they took it upon themselves to invent the first flying car. This included drawing designs, testing out ways to fly (plastic bags and cardboard wings were, sadly, ruled out), and brainstorming stoplight systems for the sky. From that day forward, I knew that innovation (flying cars) and protection (stoplights in the sky) could and should coexist and happen simultaneously. 

If you had told me at the start of my career 20 years ago that my favorite model for security by design would be drawn in crayon, I would’ve… totally believed you. I’m a sucker for my daughters. But that’s beside the point… My girls are grown now and while flying cars aren’t quite there yet, electric vehicles offer a remarkable blend of convenience, efficiency, and connectivity, transforming the way we experience transportation. In many ways, EVs are more computer than they are traditional car, which opens them up to hackers just like any other device.

What we know now is that innovation creates risk but that risk also creates innovation. Companies like Tesla cannot afford to have their EVs regularly hacked, as that would put their customers and passengers at huge risk. Imagine the destruction and liability of a hacker steering an EV off the road remotely. Consequently, Tesla has had to build security into their automobiles by design. 

Security by design serves as the cornerstone for fortifying our connected cars to ensure safety and instill confidence in the ever-evolving automotive industry. Security by design is a transformative and powerful tool that gets cybersecurity experts all giddy.  

Understanding Security by Design

Security by design means security built in from the start, during the “design” phase. It is an approach to system and product development that incorporates security considerations from the very beginning. For once, security is not an afterthought. 

A Sample of Security by Design Principles

Threat Modeling: Conducting a systematic assessment of potential threats and vulnerabilities that could impact the system, and designing appropriate countermeasures to address them.
Defense in Depth: Implementing multiple layers of technical, procedural and physical controls to create a strong and comprehensive security posture. 
Least Privilege: Granting users and processes only the minimum level of access and privileges required to perform their specific functions, reducing the potential attack surface.
Secure Default Configuration: Configuring systems and software with secure settings as the default, ensuring that security measures are in place from the outset.
Continuous Monitoring and Assessment: Implementing mechanisms to continually monitor, detect, and respond to security events and incidents. Regular assessments and audits help identify vulnerabilities and ensure ongoing compliance with security standards.
Secure Development Practices: Following secure coding practices, conducting thorough security testing, and implementing secure development methodologies to prevent and identify vulnerabilities early in the development lifecycle.
User Awareness and Training: Educating users about potential security risks, promoting best practices, and providing training on how to identify and respond to security threats.

By adopting security by design principles, organizations can build more secure and resilient systems, reduce the likelihood of successful cyberattacks, and strengthen their overall cybersecurity posture. It shifts the focus from reactive measures to proactive security integration, making security considerations an integral part of the design and development process.

Potential Electric Vehicle Cybercrime Vulnerabilities

  1. Over-the-Air Updates: Tesla’s cars boast a futuristic feature similar to giving your vehicle a software makeover. However, this convenience can inadvertently create an entry point for hackers to exploit vulnerabilities during the update process. 
  2. Remote Control: Hackers could gain control over critical vehicle functions remotely, such as acceleration, braking, and steering, potentially compromising the safety of the occupants and others on the road.
  3. Theft and Unauthorized Access: Hackers could gain unauthorized access to your vehicle, disable security features, and potentially steal the vehicle or valuable personal information stored within it.
  4. Tracking and Surveillance: Hacked electric vehicles could be used as a means for tracking individuals’ movements or gathering sensitive personal data. This information could be used for identity theft or targeted attacks.
  5. Manipulating Vehicle Data: Hackers could tamper with the data collected and transmitted by the vehicle’s sensors and systems, leading to false readings and inaccurate diagnostics that may affect performance and safety features.
  6. Ransomware Attacks: Hackers might employ ransomware tactics, locking the vehicle owner out of their own vehicle until a ransom is paid to regain control.
  7. Unauthorized Firmware Modifications: By gaining access to the vehicle’s firmware, hackers could make unauthorized modifications that impact the vehicle’s functionality, compromise its safety systems, or introduce vulnerabilities for future attacks.
  8. Privacy Breach: Hacked electric vehicles could expose personal information stored within the vehicle’s systems, such as contact lists, call logs, and location history. 

Tesla’s “Security From the Start”

While we don’t have visibility into Tesla’s security measures, software or cloud network, the company says it takes the following steps to secure its vehicles and their connectivity. Only time will tell whether its security by design is as robust as claimed.

Encryption and Secure Communication: Tesla employs state-of-the-art encryption techniques to ensure secure data transmission between the vehicle and external servers.
Bug Bounty Program: Tesla encourages ethical hackers to identify vulnerabilities in its systems and report them so that weaknesses can be remedied.
Over-the-Air Updates (OTA): While OTA updates present a potential vulnerability, they also serve as a powerful tool for Tesla to deploy security patches rapidly.
In-House Security Team: Tesla has assembled an elite squad that works tirelessly to stay one step ahead of potential threats.
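The OTA update path shows up on this page both as the first potential vulnerability and as Tesla’s fastest way to patch. As an added illustration (my own code, not Tesla’s, and not a description of how any manufacturer’s update system actually works), here is the vehicle-side check that makes an update channel a secure default: it assumes a vendor Ed25519 signing key and a small signed manifest carrying the version and the image hash, and it fails closed on a bad signature, an older version, or an altered image.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one OTA image: a monotonically increasing version and the image's
// SHA-256. The vendor signs the manifest, so authenticity is checked before the image.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
}
func (m Manifest) Bytes() []byte { // deterministic serialisation for signing/verifying
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}
// SignManifest is the vendor-side step; the private key never leaves the vendor.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Bytes())
}
// VerifyUpdate is the vehicle-side, fail-closed check: any failure keeps the current firmware.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, sig, image []byte) error {
	if !ed25519.Verify(pub, m.Bytes(), sig) {
		return errors.New("manifest signature invalid: not signed by the vendor key")
	}
	if m.Version <= installed { // anti-rollback: no reinstalling an older, since-patched build
		return errors.New("rollback refused: version is not newer than installed")
	}
	if sum := sha256.Sum256(image); !bytes.Equal(sum[:], m.ImageHash[:]) {
		return errors.New("image hash mismatch: image altered after signing")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair, not a real vendor key
	image := []byte("constructed firmware image v2")
	m := Manifest{Version: 2, ImageHash: sha256.Sum256(image)}
	sig := SignManifest(priv, m)
	fmt.Println("genuine :", VerifyUpdate(pub, 1, m, sig, image))
	fmt.Println("tampered:", VerifyUpdate(pub, 1, m, sig, []byte("swapped image")))
	fmt.Println("rollback:", VerifyUpdate(pub, 2, m, sig, image))
}
```

Because the signature covers the manifest rather than the raw image, the vehicle can refuse a forged or downgraded update before downloading anything large, and a tampered image is caught by the hash check afterward.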

Business Implications: Maintaining Trust and Competitive Edge

In today’s interconnected world, trust is a valuable currency. The robust cybersecurity measures purportedly implemented by Tesla serve not only to protect the privacy and safety of its customers but also to maintain its reputation as an industry leader. If Tesla does in fact continue to prioritize cybersecurity alongside automobile safety, its profitability and reputation will create a long-lasting competitive advantage in the market.

Revving Towards a Secure Future

Security today is about protecting our children’s tomorrow. And innovation makes that future a better one. Whether it’s my daughters’ stop lights in the sky or Tesla’s Bug Bounty Program, cybersecurity by design is the revolution we are eager to see. We could all learn something from the creativity and curiosity of our kids. Cybersecurity is no exception.

___________________________

John Sileo is an award-winning keynote speaker who has entertained and informed audiences about the importance of cybersecurity in business for two decades. He is proud to have spoken at the Pentagon and Amazon, written four books on cybersecurity, and been inducted into the National Speakers Hall of Fame. He has appeared on 60 Minutes, NBC, ABC, Fox, CNN, Rachael Ray, and Anderson Cooper. John’s work has been quoted and published in The Wall Street Journal, The Washington Post, USA Today, and Kiplinger’s.


Looking for a customized speech to make your next event unforgettable? Call 303.777.3221 or fill out our contact form to connect with Sue, our business manager extraordinaire. She’ll work with you to brainstorm ideas and explore how John can tailor his speech to fit your needs perfectly.

A Breakup Letter to Bad Cybersecurity Habits (Featuring Makayla Sileo)


Cybersecurity habits are a lot like dating – you have to weed out the bad to make room for the good. As we approach National Cybersecurity Awareness Month and my busiest speaking season, my radically creative daughter Makayla (💜) wrote a series of Breakup Letters to all of the bad cybersecurity habits that lead to huge organizational losses and reputational damage. To help protect yourself and your business, here are a few Breakup Letter Beginnings (and my suggestions on how to change the relationship) to get you started: 

Dear Guessable Passwords (Easy Love)

It’s not you, it’s me. I can’t keep blaming you for my mistakes. I was seduced by your simplicity, lured into a false sense of security. Plus, I just love using my puppy’s name as my passcode! You were predictable and I thought I wanted that. But in all honesty, I know now that I am the problem. Starting today, I will make the effort to create long and strong passwords using a password manager to keep cyber criminals out of the middle of our private data.  My newfound confidence will end in better relationships for both of us. So long. 

Dear Re-Used Passcodes (Predictable Love)

I feel like our relationship is lacking the spark it used to have. We both deserve better. I’m looking for a more complex interaction, one that challenges me. So I am leaving you, same-ol’, same-ol’ passphrase, for two-step logins, which will keep even the craftiest of hackers out of the middle of my private relationships. Now that’s what I call a spicy upgrade! Au revoir.

Dear Phishing Links (Manipulative Love)

I was intrigued by all that you had to offer. I got lost in your charm and smooth ways. I should’ve listened to my gut that screamed “Bad news! Do not engage!” Your calls are the “u up?” texts that I can’t stop answering. You’ve found sneaky ways to get me to pick up and open up and then you use my vulnerabilities against me. I’m done playing your phishy little games. Starting today, I will only engage with links, attachments, and requests that I trust deeply and am expecting. Consider yourself off the hook! 

Dear Free WiFi Hotspots (Convenient Love)

I thought you would always be there for me when I needed you most. I was a romantic once, assuming our connection was a safe one. I can see now that I deserve a partner I can trust over simple convenience. I’m ready to settle down with a soulmate who communicates in safe ways, like using the cellular data connection on our smartphones or demanding that we protect our interests by installing a Virtual Private Network (VPN) on all of our devices. Over and out, Hotty. 

Dear Eavesdropping Smart Devices (Clingy Love)

I think it’s time I go out on my own. Your constant tracking and sharing of my every move and desire has crossed the line. Our connection–once filled with convenience–has become suffocating and invasive. I am reclaiming my freedom. Am I scared to find my way in a world without you? Yes. But I know I am safer navigating life on my own than being stalked by you. Going forward, I promise to actually be smart about how I connect smart devices to the Internet, to change my privacy and security defaults and to limit location and behavior sharing on devices like my smartphone. This, my love, is where I go dark. Night, night.

Dear Gratuitous Social Media Sharing (PDA Love)

Enough with the public displays of affection. I don’t want the general public knowing every detail of my personal life. It’s become too unsettling knowing that nothing is private anymore. If I want to share my triumphs and defeats, I will communicate with you directly, via text, email, or private DMs. You deserve my full integrity, so I am limiting what I share. Duck face no more.

Dear Neglected Software Updates (Missed Love)

Our relationship has been a rollercoaster of missed opportunities. You–with your security patches and bug fixes–always doing your best to make my life better, while I foolishly ignored your messages. I should’ve known you were there the whole time. Please give me a second chance… I promise to upgrade my software every chance I get from today forward. Because our relationship is all about growth and evolution. Please take me back. 

___________________________

Looking for a creative way to engage your audience to care more about cybersecurity and break up with their bad cybersecurity habits? Call us directly to learn how John will humorously update your crowd on the latest cyber threats and simple solutions. Call 303.777.3221 or fill out our Contact Form to connect with Sue Bob Dean (yes, that’s a joke), John’s business manager extraordinaire.

John Sileo is a Hall of Fame Keynote Speaker who educates audiences on how cybersecurity has evolved and how they can remain ahead of trends in cybercrime. He is proud to have spoken at the Pentagon and Amazon, written four books on cybersecurity, and been inducted into the National Speakers Hall of Fame. He has appeared on 60 Minutes, NBC, ABC, Fox, CNN, Rachael Ray, and Anderson Cooper. John’s work has been quoted and published in The Wall Street Journal, The Washington Post, USA Today, and Kiplinger’s. But John is most proud of being an unforgiving helicopter dad to his two daughters, Sophie and Makayla.