Top Cybersecurity Trends 2020 & the Perils of Prediction

 

(i.e., Cybercriminals read the same articles as cybersecurity experts)

Oh how we love to predict the future. Who will win the next Super Bowl, Presidential Election, or Best in Show Pooch-a-thon following the Macy’s Day Parade? I’m frequently asked as a cybersecurity expert to peer into my somewhat cloudy crystal ball and give opinions on what cybersecurity trends the criminals have in store for us. It’s so common at this time of year that I’m thinking of setting up a Fantasy Hacker League to take advantage of our love of betting on things that haven’t yet happened. 

Ironically, cybercriminals read the same predictive articles that we do, but they take notes. And then, innovative as they are, run in the complete opposite direction. Here’s a peek into the cheeto-soaked (that’s a false stereotype by the way – these criminals have PHDs) and highly brilliant minds of organized cybercriminals: “If a CEO is reading this same predictive article on how bad Ransomware is going to be in 2020, and that advice serves as the basis for her decision to over-fund anti-ransomware countermeasures, I, smart hacker that I am, will trade my pick on Ransomware in 2020 and browse the “Insider Theft” section of the cybercrime-gamblers catalog.” 

Unlike football (or dog shows), where the outcome is not influenced by predictions, cyberthreats often become trends because no one has predicted them yet. And by the time they do, the smart criminals have moved onto something new. 

But this isn’t always true, and we still do need to prepare for what is coming, which is why, in the spirit of the season, I can predict with almost perfect accuracy, the Top Cybersecurity Trends for 2020 that will affect the average organization. 

Top Cybersecurity Trends 2020 – The average organization will CONTINUE to…

  • Treat cyber risk as an overwhelming tech puzzle rather than a solvable business issue
  • Fail to budget appropriate funds to train the humans that misuse the technology
  • Give hackers easy access to the crown jewels by allowing pet names as passwords (see graphic)
  • Shut down for weeks or pay the ransom due to system backups that “just won’t restore”
  • Spend inordinate amounts of cash to protect “all the data” instead of “the right data”
  • Lose more data to incompetence, human error and malicious insiders than to hackers
  • Live in a Fantasy League where “something like this” can’t happen to “someone like them”

Why can I predict these and other trends so accurately? Because they have been trending for the past ten years and show no signs of stopping. The good news is that everything in this list is eminently solvable if you dedicate the appropriate time, budget and leadership focus. While you are taking action on the above items, don’t forget to consider the Top 2020 Cybersecurity Trends, Part II.

Top Cybersecurity Trends 2020 (What You Were Actually Looking For)

The Internet of Things and Ransomware Will Get Married. Instead of just freezing an organizations’ computers, ransomware will burrow it’s way into WiFi-connected refrigerators, industrial control systems, operational sensors and monitors, pace-makers, emergency room equipment, traffic lights and anything connected to the internet. It will then freeze the operation of the device and ultimately will demand that you pay a sizeable ransom to (maybe) get your nuclear power plant back online. 

Leading Organizations Will Discover a Centuries-Old Cybersecurity Tool: Going Analog Once information or operational systems are digitized, they are vulnerable to attack by remote forces—including hostile nation states, organized crime and malicious competitors. In other words, when the only method of controlling a system is digital, hackers have a way to assume 100% control. Going analog—introducing human and physical “backstops” into your security supply chain—provides the best defense against network-based remote control takeover. We will see traditional analog systems (paper ballots) increase security in the 2020 Presidential Election, better protect the electric grid (manual on/off switches) and decrease the chance of hacked naval navigation (sextants). 

Data Manipulation Will Challenge Financial Gain For Top Cybercrime Honors 

Data manipulation is unique among cybercrimes because it’s not about taking the information — it’s about altering the data. The information generally never leaves the owner’s servers, so the criminal raises no red flags that something is amiss. This makes it much harder to catch, and it can be much more destructive. Think maliciously altering flight plans with air traffic controllers, altering bank account balances, or appending your criminal record with fictitious arrests. Every one of us takes data integrity for granted, except for cybercriminals, who will use that bias against us. Think of data manipulation as a virus that invades the body and alters its fundamental DNA. The damage is done quietly, and you may never know it happened.

A.I. Won’t Take Over the World, But it Will Follow Malicious Instructions Like a Robot

Right now, artificial intelligence is more human than we think. From my experience peering under the hood of AI-enabled technology like smart TVs, digital assistants and end-point cybersecurity products, I’m constantly amazed by how much human input and monitoring is necessary to make them “smart.” But that is changing as machine learning progresses. We tend to focus on AI taking over the world (thanks to the movies), but it’s not that we need to fear. It’s AI in the hands of would-be dictators and cybercriminals. Fathom, for a moment, Darth Vader, Hitler or a cyberterrorist in charge of an army of robots that always obey their leader’s command. As always, there is the positive side of the technology, and AI will be used to detect malicious attacks and defend the data on which our economy runs. 

To help you get ahead of these topics, I will be writing at length and speaking on all of the above trends (and more) in 2020. Please check back here often, or connect with me to get our latest news on Facebook, Twitter or YouTube. In the meantime, resist the trend to let fear paralyze you in taking action on cybersecurity.  

 

About Cybersecurity Keynote Speaker John Sileo

John Sileo is the founder and CEO of The Sileo Group, a cybersecurity think tank, in Lakewood, Colorado, and an award-winning author, keynote speaker and expert on intentional technology, cybersecurity and data privacy.

How to Turbocharge your Cybersecurity Awareness Training

Security awareness training can’t be a boring afterthought if it’s going to work. 

Own it. Secure it. Protect it. 

Those are the key themes for this year’s National Cybersecurity Awareness Month, coming up in October, and it’s good advice. Unfortunately, it’s the same message your trainees have been hearing for years and, at this point, they’ve largely tuned it out.

The challenge isn’t creating a pithy slogan. It’s turning advice into action and an enduring “culture of security.” At this point, cybersecurity is on the radar for most companies, and the smart ones make it a priority. To achieve their cybersecurity goals, many organizations implement security awareness training sessions, which seek to educate the rank and file on threats and how to thwart them. When done well, these initiatives can be a way to focus the entire organization — and can greatly reduce the risk of data breach, cyberextortion or damaging disinformation campaigns.

When not done well, you’ll be lucky if your team remembers the words cybersecurity awareness as they shuffle out the door — no doubt refreshed after scrolling through Facebook or watching the latest Taylor Swift video.

The problem is that many security programs are actually less than the sum of their parts for the simple reason that they don’t have an overarching end goal. Sure, the objective is to educate your team on emerging threats so your company is more secure, but that’s a nebulous goal. And because it’s a nebulous goal lacking tangible motivation, your team doesn’t buy in. 

That’s not to say they don’t care about the company’s security. Of course they do — but it’s not personal. 

Unfortunately, when it comes to cybersecurity in the corporate sector, the human element is usually overlooked. This is a mistake. I often hear companies refer to humans as the “weakest link” in cybersecurity, which of course becomes a self-fulfilling prophecy. Enlightened organizations understand that security is a highly effective competitive differentiator (think Apple) and that humans, when properly trained, are the strongest defense against cyberthreats. Consequently, an effective program must start by getting people — from the top down — invested in the goal and the process. 

I’ve been the opening keynote speaker for hundreds of security awareness programs around the world, many of them outside the bounds of National Cybersecurity Awareness Month, and most of them leave me hungering for more: More engagement, more interaction and more actionable information. In short, more substance. 

Here are a few tips for designing a cybersecurity awareness program that will engage your team and get results.

Ownership

Don’t focus on the CISO, CRO, CIO or CTO. That would just be preaching to the choir. The missing but crucial link in cybersecurity awareness programs tends to be a security “believer” from the executive team or board of directors. Successful programs are clearly led, repeatedly broadcast and constantly emphasized from the very top of the organization — with an attitude of authenticity and immediacy. Whether it’s your CEO at an annual gathering or a board member kicking off National Cybersecurity Awareness Month, your security champion must not only become an evangelist but also have the authority and budget to implement change.

Strategy

Approach your program strategically, and devise a plan to protect your intellectual property, critical data and return on information assets. You’re competing for resources, so build a compelling business case that demonstrates the organization’s ROI in business terms, not buried in technobabble. 

  • What did it cost your competitor when ransomware froze its operation for a week? (e.g., FedEx: $300 million)
  • How much would the training have cost to avoid the CEO whaling scheme that lost a similar-sized company millions of dollars? 
  • What do the directors of compliance, HR and IT have to add to the defense equation? 

The most successful cybersecurity awareness programs have a budget, a staff (however small) and cross-departmental support. Involve the business team and other stakeholders up front to leverage their expertise before rollout.

Methodology

Here’s a litmus test for the potential effectiveness of your security awareness program: Does it begin by focusing on the critical information assets and devices inside of your organization? If so, it’s probably doomed. Why? Because your employees are human beings, and they want to know how this affects them personally before they invest time to protect the organization’s coffers. 

Excellent security awareness kicks off by making data protection personal — building ownership before education. From there, the training must be engaging (dare I say fun?) and interactive (live social engineering) so your audience members pay attention and apply what they learn. Death-by-PowerPoint will put behavioral change to sleep permanently. Highly effective programs build a foundational security reflex (proactive skepticism) and are interesting enough to compete against cute puppy videos and our undying desire for a conference-room snooze.

Sustenance

Best practice security awareness training, like a five-course meal, doesn’t end with the appetizer. Yes, kickoff is best achieved with a high-energy, personally relevant, in-person presentation that communicates the emotional and financial consequences of data loss — but that’s only the beginning. 

From there, your team needs consistent, entertaining follow-up education to keep the fire alive. For example, we’ve found short, funny, casual video tips on the latest cyberthreats to be highly effective (once your team takes ownership for their own data, and yours). Then, add lunch workshops on protecting personal devices, incentive programs for safe behavior, and so on. Culture matures by feeding it consistently.

Measurement

If you don’t measure your progress (and actually demonstrate some), no one will fund next year’s training budget. Here are a few questions I ask when facilitating board retreats on cybersecurity: 

  • What are your cybersecurity awareness training KPIs, your key metrics? 
  • How did successful phishing or social engineering attacks decline as a byproduct of your program? 
  • Has user awareness of threats, policy and solutions increased? 
  • How many employees showed up for the Cybersecurity Awareness Month keynote and fair? 
  • Do your events help employees protect their own data as well?
  • How department-specific are your training modules? 

When you can show quantitative progress, you’ll have the backing to continue building your qualitative culture of security.

Over the long term, a culture of security that reinvents itself as cyberthreats evolve will be far less costly than a disastrous cybercrime that lands your company on the front page. National Cybersecurity Awareness Month is a great catalyst to get your organization thinking about its cybersecurity strategy. Now it’s time to take action.

About Cybersecurity Author & Expert John Sileo

John Sileo is an award-winning author and Hall of Fame Speaker who specializes in providing security awareness training that’s as entertaining as it is educational. John energizes conferences, corporate trainings and main-stage events by interacting with the audience throughout his presentations. His clients include the Pentagon, Schwab and organizations of all sizes. John got started in cybersecurity when he lost everything, including his $2 million business, to cybercrime. Since then, he has shared his experiences on 60 Minutes, Anderson Cooper, and even while cooking meatballs with Rachel Ray. Contact John directly to see how he can customize his presentations to your audience.

Deepfakes: When Seeing May Not Be Believing

 

How deepfake videos can undermine our elections, the stock markets and our belief in truth itself

Last weekend, attendees at a conference in Las Vegas got quite a surprise. They were waiting for a presentation by Democratic National Committee Chairman Tom Perez and, instead saw his image on a big screen via Skype. During his brief video appearance, the chairman apologized that he was unable to be there in person. In fact, the voice coming out of Perez’s mouth was DNC’s chief security officer Bob Lord and the audience had just been treated to a deepfake video — video that’s been manipulated to make it look like people say or do things they actually didn’t.

The video was shown in the AI Village at DEFCON — one of the world’s largest hacker conventions — to demonstrate the threat deepfakes pose to the 2020 election and beyond. It was made with the cooperation of the DNC; Artificial Intelligence (AI) experts altered Perez’s face to make it look as if he were apologizing, and Lord supplied his voice. 

Watch carefully as Bill Hader turns into Seth Rogan & Tom Cruise!

https://www.youtube.com/watch?v=VWrhRBb-1Ig’ format=’16-9′ width=’16’ height=’9′ custom_class=” av_uid=’av-mobzww’

[For a CNN video primer on deepfakes, click here.]

Remember when Forrest Gump shook hands and spoke with Presidents Kennedy and Nixon? That was an early example of a deepfake video. More recently, and less innocuous, was a video of House Speaker Nancy Pelosi, altered to make it appear that she was drunk and slurring her words. The video went viral and was viewed more than 3 million times. For some viewers, it confirmed their disdain for Nancy Pelosi; for others, it simply confirmed that they can’t trust the other side of the political spectrum. It’s troubling that neither of these reactions is based in fact.

In the 25 years since Forrest Gump introduced manipulated video, sophisticated AI has been developed to create nearly undetectable deepfakes. Not only has the technology improved, but the nefarious uses have proliferated. Take deepfake porn, where a victim’s face is superimposed on the body of a porn actor. It’s often used as a weapon against women.  Actress Scarlett Johansson, whose face was grafted onto dozens of pornographic scenes using free online AI software, is one famous example, but it happens to ordinary women, too. Just for a second, imagine your daughter or son, husband or wife being targeted by deepfake porn to destroy their reputation or settle an old score. As the technology becomes less expensive and more available, that is what we face.

Until recently, the warnings about deepfakes in the U.S. have focused on political ramifications, most notably their expected use in the 2020 election. Imagine a doctored video of a candidate saying they’re changing their position on gun control, for example. In June, during a House Intelligence Committee hearing on the issue, experts warned that there are multiple risks, including to national security: What if our enemies post a video of President Trump saying he’s just launched nuclear weapons at Russia or North Korea? 

The business community and financial markets may also be targeted. A video of Jeff Bezos warning of low quarterly Amazon results could cause a sell-off of Amazon stock, for instance. Bezos has the platform to quickly respond, but by the time he’s corrected the record, real damage could be done. Similarly, CEOs of lesser-known companies could be targeted, say the night before an IPO or new product launch. 

There’s currently a kind of arms race occurring between those developing deepfake technology and those developing ways to detect the altered videos — and the good guys are losing. 

In an interview with The Washington Post in June, Hany Farid, a computer science professor and digital forensics expert at the University of California at Berkeley said, “We are outgunned. The number of people working on the video-synthesis side, as opposed to the detector side, is 100 to 1.”

Soon, we may all be awash in deepfake video, unable to detect truth from fiction, and this is perhaps the most worrying aspect. We already live in an age where more than half the U.S. population distrusts the media, the government and their neighbors, and belief in conspiracy theories is on the rise. A staggering one in 10 Americans don’t believe we landed on the moon — 18% of the nonbelievers are between the ages of 18 and 34 — and a 2018 poll found that one-third of Americans don’t believe that 6 million Jews were murdered in the Holocaust. That’s to say nothing of the people worldwide who deny the Holocaust ever happened. 

Historically, the best way to refute conspiracy theorists has been video proof. The countless hours of footage of the Allies liberating concentration camps, the 9/11 attacks and that grainy film of Neil Armstrong planting the American flag on the moon couldn’t be denied. Until now. 

In a statement, the House Intelligence Committee said, “Deep fakes raise profound questions about national security and democratic governance, with individuals and voters no longer able to trust their own eyes or ears when assessing the authenticity of what they see on their screens.”

In other words, we’re entering an age when seeing is no longer believing. 

This is all part of a larger movement where technology is used to erode trust, and in the hands of foreign enemies like Russia, it can and will be used to undermine our belief in the free press, in our leadership and in democracy. It is essentially the use of the First Amendment to undermine the First Amendment, and unethical corporations and cyber criminals will hop on board as soon as the AI technology is affordable to the mass market.

So where is the hope in all of this? Unlike our weak regulatory response to the malicious tools that have come before — from viruses to spyware, botnets to ransomware — we must combine comprehensive legislative oversight and control with the ethical use of technology to proactively minimize the problem before it becomes mainstream. Our senators and representatives must take the lead in setting standards for how AI technology, including technology to produce deepfakes, is released, utilized and policed. 

Bruce Schneier’s book, “Click Here to Kill Everybody,” includes an excellent primer on the regulatory framework that would start us down the path. We, as voters, must directly express our concern to congressional leadership and urge them to act before a proliferation of deepfake videos destroys reputations — along with our ability to believe our own eyes.

About Cybersecurity Keynote Speaker John Sileo

John Sileo is an award-winning author and keynote speaker on cybersecurity, identity theft and tech/life balance. He energizes conferences, corporate trainings and main-stage events by making security fun and engaging. His clients include the Pentagon, Schwab and organizations of all sizes. John got started in cybersecurity when he lost everything, including his $2 million business, to cybercrime. Since then, he has shared his experiences on 60 Minutes, Anderson Cooper, and even while cooking meatballs with Rachel Ray. Contact John directly to see how he can customize his presentations to your audience.

[elfsight_social_share_buttons id=”1″]

Russian Election Interference Coming to Your Vote in 2020

https://www.youtube.com/watch?v=PPMrQKHnu_4′ format=’16-9′ width=’16’ height=’9′ custom_class=” av_uid=’av-mo9up3′

What will it take for Americans, especially our politicians, to care about Russian election interference? That’s a question I’ve been asking myself since early 2017, when the NSA, CIA and FBI universally concluded that Russian President Vladimir Putin interfered with the 2016 presidential election. At the time, I wrote a call-to-arms blog post that recommended a thorough bipartisan investigation into Russian election interference and our own cyber infrastructure weaknesses. 

Last month, we finally got the Senate Intelligence Committee report about Russian election meddling in 2016—spoiler alert: they did it—with recommendations on how to protect the nation’s voting infrastructure the next time around. But to some degree, it’s too late. With only a year before the election, it will be almost impossible to make the cybersecurity and social media changes necessary to protect the integrity of the election. Even if our government engaged in an all-out defensive strategy for the four years between elections, it still might not be enough. The bad guys always seem to be one step ahead, but that’s only because of our general refusal to do what it takes to protect our systems.

In any event, so far the only all-out defensive strategy we’ve seen has been against efforts to protect the 2020 election from Russian interference. While Putin and his cohorts are dancing through the halls of the Kremlin, President Trump and the Republicans are sitting on their hands.

Trump’s refusal to back intelligence reports about Russia’s election hacking and influence campaigns—and his administration’s delay in taking action—are within months of guaranteeing that we won’t be able to stop tampering in 2020. Meanwhile, Senate Majority Leader Mitch McConnell continues to block bills aimed at making the polls more secure—further ensuring that our election will be compromised once again.

And that’s precisely the point.

Why Does the White House Turn a Blind Eye to Russian Election Interference?

Both Trump and McConnell know that Russian meddling will benefit them in 2020 (it’s a safe bet that Putin doesn’t want a more confrontational president than Trump back in office), but they are missing the bigger picture. 

Yes, Putin’s Russia helped elect Trump, but that wasn’t the primary goal: handing Trump a win was just icing on the cake. Putin’s goal was and is to destabilize American democracy. If we are focused on our own crises, we pay less attention to his encroachment into the Ukraine, Crimea and other nations. It doesn’t hurt that Putin’s machinations demonstrate to the world that democracy—particularly American democracy—is not as viable as autocracy, thus strengthening his power. 

Putin is a chess player, and his chess board end-state looks more like the USSR than Russia. 

To his delight, we are mere pawns in his game. Trump—who plays into Putin’s hands perfectly because of his distrust of American institutions, including his own intelligence agencies—is his queen and McConnell his devoted bishop. 

I agree with other experts that Russia’s pre-2016 hacking of election systems in all 50 states was mostly reconnaissance for a larger campaign. They were testing the waters with this and with their Facebook influence campaigns. But I don’t think their ultimate goal is to alter votes. It’s far less work and expense to simply create the perception that they’ve altered votes or manipulated any other outcome that undermines the credibility of democracy. Again, the end game is one of destabilization, of creating doubt in the minds of Americans so we don’t know who we can trust. 

Our system of state-controlled voting for national elections makes a mass hack more difficult, but altering the voting rolls is something the average teenage hacker could probably pull off. What if next time, a hacker decides to remove hundreds of thousands of white men from Mitch McConnell’s available voters, or if Facebook influence campaigns target Trump loyalists with false claims that he wants to pass gun-control legislation?

What I fear most is that we Americans, fatigued by political arm wrestling for the past three years, are going to stand complacently by as the influence campaigns and election tampering take place, and that our government has no incentive to stop it because the tampering benefits them. This time.

About Cybersecurity Keynote Speaker John Sileo

John Sileo is an award-winning author and keynote speaker on cybersecurity, identity theft and tech/life balance. He energizes conferences, corporate trainings and main-stage events by making security fun and engaging. His clients include the Pentagon, Schwab and organizations of all sizes. John got started in cybersecurity when he lost everything, including his $2 million business, to cybercrime. Since then, he has shared his experiences on 60 Minutes, Anderson Cooper, and even while cooking meatballs with Rachel Ray. Contact John directly to see how he can customize his presentations to your audience.

 

Just Wait for the Cavity: Dental Cyber Security

Dental Cyber Security is kind of like, well, being a dentist. You’re in your patient’s mouth. The red flags are clear as day: calculus buildup going back to pre-fluoride Woodstock days. Severe dentin erosion, onset of gingivitis, gums retreating like Arctic glaciers. But there is no actual decay yet. No cavities to drill or crowns to fill, no stains to cap or roots to tap. Absolutely. Nothing. Profitable!

So what do you tell the patient? That’s easy…

“Looks good! Come see me when that molar finally cracks.”

Of course that’s not what you say, but that is roughly how it sounds to me when a practice director tells me that they invest minimally in ongoing preventative cyber security because nothing truly bad has happened yet with their practice data. In other words, Just Wait for the Cybercrime Cavity and spend ten times as much recovering.

But I would never advise you to wait for the cyber decay, and you would never advise your patients to hold off on brushing, flossing and regular dental checkups. Nor should you wait to implement regular dental cyber security. We are both in the prevention business and we are building long-term relationships that have a great LTV. There are enough patients to keep us both in business with bad hygiene, so we can focus on doing our job well and stopping the problem before it takes root. That preventative mindset will save you approximately $380 per patient record, which is the average cost of breach recovery in the health industry (excluding reputation damage and customer attrition).

Here are what I consider to be the 5 Most Pressing Cybersecurity Vulnerabilities in Dentistry:

  1. Outdated operating systems (Windows XP/2000) and unpatched operating systems, software and apps
  2. Weak spam filtration and barely-existent employee training that leads to email-based phishing attacks
  3. Poor data backup and recovery planning that allows ransomware to lock and destroy patient and financial data
  4. Lack of solid encryption on data at rest (on servers), in transit (to patients, vendors) and in the cloud (practiced management software) that allows easy access to hackers
  5. Credential hacking of cloud data due to lack of 2-factor authentication and password managers

When your practice begins to protect patient data in the same way that you ask patients to protect the health of their mouth, you have just discovered a critical competitive advantage for patient acquisition and retention. Your patients want to know that their data is safe in your hands. Here are some additional resources to help you take the next steps in protecting your practice data:

What are the greatest gaps you see in Security Awareness Programs? Please share your brilliance below.

John Sileo loves his role as an “energizer” for cyber security at conferences, corporate trainings and in industry study clubs. He specializes in making security fun, so that it sticks. His clients include the Seattle Study Club, the Pentagon, Schwab and many organizations so small (and security conscious) that you won’t have even heard of them. John has been featured on 60 Minutes, recently cooked meatballs with Rachel Ray and got started in cyber security when he lost everything, including his $2 million software business, to cybercrime. Call if you would like to bring John to speak to your members – 303.777.3221.

Security Awareness Programs Like Mushy Overnight Oats?

To diagnose your under-performing cyber security awareness programs, all you need to do is look at my breakfast today. My daughter introduced me to overnight oats. “It’s the perfect breakfast, Dad – full of energy, takes no time at all, packed with simple, healthy ingredients like oatmeal, almond milk and peanut butter”, she said. “That’s what I need!”, I said, “All of the power with none of the fuss”. So I took her recipe and promptly ignored it. I added cottage cheese, chia and some lemon – because if it was already good, I was going to  make it even better.

What I got was curdled mush that crawled out of the bowl like John Cusack’s dinner in Better off Dead. The theory of overnight oats was brilliant. It was my execution that made me gag.

Many security awareness programs choke on their own ingredients because, like my overnight oats, they don’t follow a recipe when they plan the program. The have no overarching security “end” in mind at the beginning, to paraphrase Stephen Covey. Empowering the human element of cyber security is the cultural ingredient that many organizations overlook. Think about tweaking your recipe a bit to make it more than palatable.

A Recipe for Effective Security Awareness Programs

One byproduct of serving as the opening keynote speaker for hundreds of security awareness programs around the world (in addition to the bottomless pit of mileage points I’ve earned), is that I have dined amidst training programs, OVER and OVER again, that leave me hungering for more substance and lots more flavor. Here is my simple recipe for a filling, enjoyable and effective Security Awareness Program:

Ingredients (For a Culture of Security that Cooks):

  • (1-3) C-Level Executive(s) who “Believe” (Ownership)
  • (1) Cross-Functional Business Case w/ Compelling ROI (Strategy)
  • High-Engagement Content Rooted in Personal Security (Methodology)
  • (6-12) Regular, Engaging Follow-on “Snacks” (Sustenance)
  • (1) Feedback Dashboard to Measure “Diner” Response (Metrics)

Ownership. Failing to have a highly-communicative Chief Executive leading your initiative is like expecting a 3-Star Michelin rating from a fast-food cook. You must have high-level “buy-in” for your program to work. I’m not talking about the CISO, CRO, CIO or CTO here – that would just be preaching to the choir. The missing cook in awareness programs tends to be a security “believer” from the executive team. Successful security awareness programs are clearly led, repeatedly broadcast and constantly emphasized from the top of the organization, all with an attitude of authenticity and immediacy. Whether served up by your CEO at an annual gathering or by your Board of Directors to kick off National Cyber Security Awareness Month, your security champion must become an evangelist for defending your data.

Strategy. Don’t expect to randomly add security ingredients to the bowl and blindly hope they mix well together. You’ll just end up with curdled oatmeal. Approach your program strategically, and devise a recipe to protect your intellectual property, critical data and return on information assets. You are competing for resources, so build a compelling business case that demonstrates the organization’s ROI in business terms, not buried in techno-babble. What did it cost your competitor when ransomware froze their operation for a week? How much would the training have cost to avoid the CEO whaling scheme that lost a similar-sized company $47 million? What do the owners of  compliance, HR and I.T. have to add to the meal? The most successful security awareness programs have a budget, a staff (however small) and cross-departmental support. Involve the business team and other stakeholders up front to leverage their expertise before rollout.

Methodology. Here is a litmus test for the potential effectiveness of your security awareness program: Does it begin by focusing on the critical information assets and devices inside of your organization? If so, it’s probably doomed. Why? Because your employees are human beings and they want to know how this affects them personally before they willingly invest time to protect the corporate coffers. Excellent security awareness kicks off by making data protection personal – by building ownership before education. From there, the training must be engaging (dare I say fun!?) and interactive (live social-engineering) so that your audience members pay attention and apply what they learn. Death-By-PowerPoint slides will permanently put behavioral change to sleep. Highly-effective programs build a foundational security reflex (proactive skepticism), and are interesting enough to compete against cute puppy videos, smartphone farm games and our undying desire for a conference-room cat nap.

Sustenance. Best practice security awareness training, like a five-course meal, doesn’t end with the appetizer. Yes, kickoff is best achieved with a high-energy, personally relevant, in-person presentation that communicates the emotional and financial consequences of data loss. But that is only the beginning of the meal. From there, your team needs consistent, entertaining follow-up education to keep the fire alive. For example, we have found short, funny, casual video tips on the latest cyber threats to be highly effective. And lunch workshops on protecting personal devices. And incentive programs for safe behavior. And so on. Culture matures by feeding it consistently.

Measurement.If you don’t measure your progress (and actually demonstrate some), no one will fund next year’s dining budget. What are your Security Awareness Training KPIs, your key metrics? How did successful phishing attacks decline as a byproduct of your program? Has user awareness of threats, policy and solutions increased? How many employees showed up for the Cyber Security Awareness Month keynote and fair? How department-specific are your training modules – or does one size fit all? When you can show quantitative progress, you will have the backing to continue building your qualitative culture of security.

And now, back to the meal. In spite of the lemon juice that further curdled the cottage cheese and ruined my oats, I was still hungry, so I ended up choking them down, vowing to listen to my daughter next time. And I hope you will listen to me this time: Approach your security awareness program like you are planning a feast for guests who matter a great deal to you. Because your uneducated employees, unprotected customer data, and invaluable intellectual capital are exactly what cybercriminals are eating for breakfast.

What are the greatest gaps you see in Security Awareness Programs? Please share your brilliance below.

John Sileo loves his role as a keynote “energizer” for Cyber Security Awareness Programs. He specializes in making security fun, so that it sticks. His clients include the Pentagon, Schwab and some organizations so small (and security conscious) that you won’t have even heard of them. John has been featured on 60 Minutes, recently cooked meatballs with Rachel Ray and got started in cyber security when he lost everything, including his $2 million software business, to cybercrime.

6 Ways Your Facebook Privacy Is Compromised | Sileo Group

One billion people worldwide use Facebook to share the details of their lives with their friends and may be unaware their Facebook Privacy could be compromised. Trouble is, they also might be unintentionally divulging matters they consider private to co-workers, clients and employers.

Worse yet, they may be sharing their privacy with marketing companies and even scammers, competitors and identity thieves. Luckily, with some Facebook privacy tips, you can help protect your account online.

Here are six ways Facebook could be compromising your private information and how to protect yourself:

 

1.  The new Timeline format brings old lapses in judgment back to light. Timeline, introduced in late 2011, makes it easy for people to search back through your old Facebook posts, something that was very difficult to do in the past. That could expose private matters and embarrassing photos that you’ve long since forgotten posting.

What to do: Review every entry on your Facebook timeline. To hide those you do not wish to be public, hold the cursor over the post, click the pencil icon that appears in the upper right corner, select “Edit or remove” then “Hide from timeline.” Being able to “revise” your history gives you a second chance to eliminate over-sharing or posts made in poor taste.

2.  Facebook third-party app providers can harvest personal details about you—even those you specifically told Facebook you wished to be private. Third-party apps are software applications available through Facebook but actually created by other companies. These include games and quizzes popular on Facebook like FarmVille and Words with Friends, plus applications like Skype, TripAdvisor and Yelp. Most Facebook apps are free—the companies that produce them make their money by harvesting personal details about users from their Facebook pages, then selling that information to advertisers. In other words, you are paying for the right to use Facebook using the currency of your personal information.

Many apps collect only fairly innocuous information—things like age, hometown and gender that are probably not secret. But others dig deep into Facebook data, even accessing information specifically designated as private.

Example: A recent study found that several Facebook quiz game apps collected religious affiliations, political leanings and sexual orientations. Many Facebook apps also dig up personal info from our friends’ Facebook pages—even if those friends don’t use the apps. There’s no guarantee that the app providers will sufficiently safeguard our personal information and there are numerous instances where they have done just the opposite.

What to do: Read user agreements and privacy policies carefully to understand what information you are agreeing to share before signing up for any app. The free Internet tool Privacyscore is one way to evaluate the privacy policies of the apps you currently use (www.facebook.com/privacyscore), but remember that it is provided by the very company that is collecting all of your data. You also can tighten privacy settings. In “Facebook Privacy Settings,” scroll down to “Ads, Apps and Websites,” then click “Edit Settings.” Find “Apps You Use” and click “Edit Settings” again to see your privacy options. And be sure to delete any apps you don’t use. While you are in the privacy settings, take a spin around to find out other data you are sharing that might compromise your privacy.

3.  Facebook “like” buttons are spying on you—even when you don’t click them. Each time you click a “like” button on a Web site, you broadcast your interest in a subject not just to your Facebook friends but also to Facebook and its advertising partners.

Example: Repeatedly “like” articles in a publication with a specific political viewpoint, and Facebook advertisers might figure out how you vote.

Not clicking “like” buttons won’t free you from this invasion of privacy. If you’re a Facebook user and you visit a Webpage that has a “like” button, Facebook will record that you visited even if you don’t click “like.” Facebook claims to keep Web browsing habits private, but once information is collected, there’s no guarantee that it won’t get out.

Example: If an insurance company purchases this data, it might discover that someone applying for health coverage has visited Web pages about an expensive-to-treat medical disorder. The insurer might then find an excuse to deny this person coverage, or to raise their rates substantially.

What to do: One way to prevent Facebook from knowing where you go online is to set your Web browser to block all cookies. Each browser has a different procedure for doing this, and it will mean that you will have to re-enter your user ID and password each time you visit certain Web sites.

Another option is to browse the web in “InPrivate Browsing” mode (Internet Explorer), “Incognito” mode (Google Chrome) or “Private Browsing” mode (Firefox and Safari), which seems to be a less intrusive way to raise your privacy levels.

Less conveniently, you could log out of Facebook and select “delete all cookies” from your browser’s privacy settings before visiting Web sites you don’t want Facebook to know about. There are also free plug-ins available to prevent Facebook from tracking you around the Internet, such as Facebook Blocker (webgraph.com/resources/facebookblocker).

4.  Social readers” tell your Facebook friends too much about your reading habits. Some sites, including the Washington Post and England’s The Guardian, offer “Social Reader” Facebook tools. If you sign up for one, it will tell your Facebook friends what articles you read on the site, sparking interesting discussions.

The problem: excessive sharing. The tools don’t share articles with your Facebook friends only when you click a “like” button, they share everything you read on the site. Your Facebook friends likely will feel buried under a flood of shared articles, and you might be embarrassed by what the social reader tells your friends about your reading habits.

What to do: If you’ve signed up for a social reader app, delete it. In Facebook privacy settings, choose “Apps you use,” click “Edit Settings,” locate the social reader app, then click the “X” and follow the directions to delete.

5.  Photo and video tags let others see you in unflattering and unprofessional situations. If you work for a straight-laced employer, work with conservative clients or are in the job market, you may already realize that it’s unwise to post pictures of yourself in unprofessional and possibly embarrassing situations.

But you may fail to consider that pictures other people post of you can also hurt you.

A Facebook feature called photo tags has dramatically increased this risk. The tags make it easy for Facebook users to identify by name the people in photos they post—Facebook even helps make the IDs—then link these photos to the Facebook pages of all Facebook users pictured.

What to do: Untag yourself from unflattering photos by using the “remove” option on these posts. Arrange to review all future photos you’re tagged in before they appear on your Facebook Timeline by selecting “Timeline and Tagging” in Facebook’s Privacy Settings menu, clicking “Edit settings,” then enabling “Review posts friends tag you in before they appear on your timeline”. Better yet, ask your friends and family not to post pictures of you without your permission. Be sure to extend the same courtesy to them by asking whether or not they mind you tagging them in a photo.

6.  Our Facebook friends—and those friends’ friends—offer clues to our own interests and activities. Even if you’re careful not to provide sensitive information about yourself on Facebook, those details could be exposed by the company you keep.

Example: A 2009 MIT study found it was possible to determine with great accuracy whether a man was gay based on factors including the percentage of his Facebook friends who were openly gay—even if this man did not disclose his sexual orientation himself.

Sexual orientation isn’t the only potential privacy issue. If several of your Facebook friends list a potentially risky or unhealthy activity, such as motorcycling, cigar smoking or bar hopping among their interests—or include posts or pictures of themselves pursuing this interest—an insurer, college admissions officer, employer or potential employer might conclude that you likely enjoy this pursuit yourself.

What to do: Take a close look at the interests and activities mentioned by your Facebook friends on their pages. If more than a few of them discuss a dangerous hobby, glory in unprofessional behavior, or are open about matters of sexual orientation or political or religious belief that you consider private, it might be wise to either remove most or all of these people from your friends list, or at least make your friends list private. Click the “Friends” unit under the cover photo on your Facebook page, click “Edit,” then select “Only Me” from the drop-down menu.

Most of all, remember that Facebook and other social networking sites are social by nature, which means that they are designed to share information with others. The responsibility to protect your personal and private information doesn’t just fall on the social networks; it is also up to you.  Following these Facebook privacy tips can help you succeed in keeping your most personal information safe. 

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

[youtube https://www.youtube.com/watch?v=VgwQPhpRPd0&rel=0]

Password Managers Protect the Organization

We hear all the time about stupid things people do when it comes to creating passwords; the most commonly used passwords in the United States for the past several years include “123456”, “password” and some variation like “password1234”. People are easily tricked into giving away their passwords to the likes of Jimmy Kimmel or Ellen to our amusement. Before Sony was breached, they infamously kept their passwords in a file called “Passwords”!

The bottom line is it is nearly impossible to effectively create and remember all the passwords we need to function in our daily lives. It seems there are two ways people handle this. They continue to use the same (usually poor) passwords over and over or they do what I highly recommend and use some sort of password manager program. 

A password manager is a software application that helps a user store and organize passwords. Password managers usually store passwords encrypted, requiring the user to create a master password; a single, ideally very strong password that grants the user access to their entire password database. For a hint on creating that all-important master password, check out our blog on that topic.

At a minimum, a good password manager program should:

Have a strong password generator— a single click gives you a random, extremely strong new password using combinations of digits, special characters and mixed cases letters. No more having to think of (and try to remember!) catchy, unhackable passwords for each account.
• Use a “vault” in which all of your data is stored and is ready to be automatically accessed when needed by simply typing one master password that only you know. Of course, if you forget your master password, you may be out of luck, though some password managers offer password recovery under certain circumstances.
Be easy to use– one click can open your browser, take you to a site, fill in your username and password, and log you in. Many password managers can import a list of passwords from generic CSV or TXT files, a browser’s password cache, and in some cases from other password managers.
• Have the ability to store your credit cards, reward programs, membership cards, bank accounts, passports, wills, investments, private notes and more. Think of it like a 21st-century digital wallet. (But no one can pickpocket you.)
Show all your items with weak, duplicate, and old passwords so you can decide which ones to fortify and update. No more using five variations of your childhood dog’s name. It will look at the strength of each password as well as find duplicate passwords and replace them with strong, unique ones.
• Be fluent in multiple platforms and browsers, including Mac, Windows, iPhone, iPad, Android, and Windows Phone.

Some additional features you may want to consider:
The ability to allow file attachments, so you can safely store related receipts and images, and keep track of your software licenses.
• Can you place your password vault in Dropbox or on a USB thumb drive, so that you may use it from any traditional computer in the world with a modern browser? This has security implications of its own, which you’ll need to consider, of course.
• Some offer a menu of credit cards that actually look like credit cards and can track online purchases.
• An emergency contacts feature that will ensure that your credentials won’t be lost if something happens to you.
• Cost—there are plenty of free versions around, but they usually have limited uses and not as many features. I’d say spend the money to get what really works for you.

Fully 50% of the corporations that I work with and speak to have had data breaches due to poor password habits. Surprising, given how many of those would have been avoided had they simply used password manager software.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.