Posts

Small Business Cybersecurity: 5 Steps to Stop Cybercrime 

Cyber Security Tips to protect your business - John Sileo

Small Business Cybersecurity Gone Terribly Wrong 

On August 12, 2003, as I was just sitting down to a tea party with my daughters and their stuffed animals, the doorbell rang. Standing there when I opened the door was a special agent from the economic crimes unit at the district attorney’s office—ready to charge me for electronically embezzling (hacking) $298,000 from my small business customers. The DA’s office had enough digital DNA to put me in jail for a decade. 

I was the victim of cybercrime, and I should have known better. You see, earlier that year my personal identity was stolen by cybercriminals out of my trash and sold to a woman in Florida. This woman purchased a home, committed a number of crimes, drained my bank accounts and filed for bankruptcy—all in my name. I learned all of this one day at the bank, right before I was escorted out by security guards.

The experience of losing my money, time and dignity motivated me to protect my personal information assets with a vengeance. Unfortunately, I didn’t apply my newfound cyber vigilance to my small business, which is how I ended up losing it. 

Like a lot of small business owners, it never occurred to me that my $2 million company would be targeted by cyber criminals. I figured we weren’t worth the effort, especially compared to large multinational companies like Target, Marriott, Google and Facebook. My naivete cost me my family’s business and two years fighting to stay out of jail. 

The fact is, cyber criminals are increasingly going after small and midsize businesses (SMBs) precisely because they are easier targets than larger organizations. According to the Ponemon Institute’s most recent Global State of Cybersecurity in Small and Medium-Sized Businesses report, 76 percent of  small and midsize businesses experienced a cyber attack in the past 12 months. The same report found that only 28 percent of companies characterize their ability to mitigate threats, vulnerabilities and attacks as “highly effective.” 

Not all hacking results in criminal charges being filed against the victim, as in my case, but that doesn’t mean there aren’t significant costs involved. According to last year’s Ponemon Institute study, companies spent an average of $1.43 million due to damage or theft of IT assets. On top of that, the disruption to their normal operations cost companies $1.56 million on average. 

In other words, your organization’s chances are greater than 50/50 that it will suffer a serious cyber attack in the next year or so and that the attack will have a significant negative impact on profitability. The good news is that you can eliminate much of the risk with a reasonable budget and some good leadership.

5 Small Business Cybersecurity Strategies

In my experience, good entrepreneurs begin with the following steps:

Identify All data is not created equal. Bring together the key players in your business and identify the specific pieces of data, if lost or stolen, that would make a significant impact on your operation, reputation and profitability. This could be everything from customer credit card, bank account or Social Security numbers to valuable intellectual property.

Evaluate Understand your business’ current cyber security readiness. During this step, I recommend bringing in an external security firm to conduct a systems penetration test. A good Pen Test will give you a heatmap of your greatest weaknesses as well as a prioritized attack plan. Have a separate IT provider implement the remediation plan, if possible, to provide an objective check on the security firm’s work. 

Assign Engage stakeholders from across your organization, not just those within IT. Assign a detail-oriented, tech-savvy leader other than yourself (if feasible) to oversee the analysis and implementation of your cyber strategy. Other players essential to this conversation are your lawyer and your accountant/auditor, who can help you build a breach response plan for when data is compromised. In today’s digital economy, theft and loss are part of business as usual and they should be planned for—like any other risk to your organization.

Measure Just as with any other business function, cyber security needs to be measured. Your security or IT provider should be able to suggest simple metrics—number of blocked hacking attempts (in your firewall), failed phishing attacks, days without a breach, etcetera—with which to keep a pulse on your data defense. 

Repeat Each one of these steps should be re-evaluated and updated on a regular basis. I recommend taking a look at your security during your slowest season annually. Strong cyber security thrives in the details, and the details in this realm change every year. 

The bottom line is that SMBs can no longer ignore the very real threat of cyber crime, including crime perpetrated by an insider (in 2018, 34 percent of data breaches involved internal actors and 2 percent involved partners). I learned both of these lessons the hard way. It takes an average of 73 days for organizations to contain an insider-related incident; my case dragged on for two years, during which I spent every day fighting to keep myself out of jail. 

In the end, I found out the cyber criminal was my business partner. A man I loved and trusted like a brother stole and used my banking login credentials to embezzle from our clients; he used my identity to commit his cyber crimes. He exploited my trust and then he cut the rope and let me take the fall. 

And I should have known better. So if you think your company is too small to be targeted or you’re too smart to be victimized, think again. 


About Cyber security Keynote Speaker John Sileo

John Sileo is the founder and CEO of The Sileo Group, a cybersecurity think tank, in Lakewood, Colorado, and an award-winning author and Hall of Fame Speaker who specializes in providing security-awareness training to small businesses as well as large organizations. He has shared his experiences on “60 Minutes,” “Anderson Cooper” — and even while cooking meatballs with Rachael Ray. John earned a BS with honors in political science from Harvard University. 

 

Data Integrity Attacks: How Cybercriminals Manipulate Rather Than Steal Your Info

john-sileo-data-integrity

You’re rushed to the hospital after a serious car accident. Doing her job, the admitting physician verifies your blood type prior to giving you a life-saving transfusion. But no one knows the hospital’s medical records have been hacked — but not stolen. In this case, your records have been changed, reflecting a blood type that if transfused, would likely kill or seriously harm you. Welcome to the age of data manipulation.

Manipulating data is the latest trend in cybercrime, and it’s on the rise. The most recent study by Ponemon Institute and Accenture warned that attacking data integrity is the “next frontier.” To understand how we got to this point, we need to take a look at the evolution of cybercrime over the past two decades and how hackers seek a variety of hacking outcomes.

An approximate cybercrime timeline

Early on, cybercriminals were mostly looking to restrict access to your data availability, using malware to launch Denial of Service attacks, where legitimate users are kept from accessing a network, information or devices. Their motivation was twofold: to test their hacking tools for larger campaigns and to disrupt business operations of predetermined targets. 

Next, hackers expanded their exploits to steal data out of large databases — such as the Equifax breach that compromised the personal information of 143 million Americans — and sell it for a profit on the dark web. The cybercriminals’ primary motivation was good old fashioned greed. 

Simultaneously, cybercrime expanded into espionage, using malware and other methods to obtain secret files from U.S. defense contractors, including plans for the F-35 jet from Lockheed Martin. 

Then came cyberextortion, like when Sony Pictures was hacked just before it released the anti–Kim Jong-un movie, “The Interview.” At the time, the FBI said North Korea was responsible for the attack, but five years later questions about the perpetrators and motives remain, which just goes to show how hard it is to identify cybercriminals. 

On the heels of cyberextortion came disinformation and influence campaigns, like those used with Brexit and the 2016 U.S. presidential election. 

The point of this brief history lesson is to demonstrate how quickly sinister actors migrate time-tested tools of crime (fraud, extortion, disinformation, etc.) into cyberspace.

Data manipulation is mostly unique to cyberspace

The old fashioned alteration of checks, IDs and airplane tickets aside, data manipulation is a crime that grew exponentially in cyberspace. Former U.S. Cyber Command and NSA head admiral Michael Rogers said his worst-case attack scenario would involve data manipulation “on a massive scale.” 

Despite Rogers’ warning, the U.S. government continues to drag its feet on combating cybercrime, including data manipulation, which is now being discovered only after the fact by security teams. And I’m expecting that data alteration attacks will quickly become one of the most pernicious and undetectable threats for nation-states and corporations around the world. 

To expand on my previous example, it’s no longer just your blood type at risk. It’s the blood type, address and information on the family members of every soldier, spy and diplomat serving the United States. The potential to inflict great harm is enormous.  

Cybercrime is like a virus altering your DNA

Data manipulation is unique among cybercrimes because it’s not about taking the information — it’s about altering the data. The information generally never leaves the owner’s servers, so the criminal raises no red flags that something is amiss. This makes it much harder to catch, and it can be much more destructive. Think maliciously altering flight plans with air traffic controllers, altering bank account balances, or appending your criminal record with fictitious arrests. 

Think of data manipulation as a virus that invades the body and alters its fundamental DNA. The damage is done quietly, and you may never know it happened.

The integrity of our data is at stake

In 2017, a Michigan man hacked the IT system of the Washtenaw County Jail and altered the release date of a friend who was serving a sentence there. The hacker used a social engineering campaign to trick workers at the jail into downloading malware on their computers and was then able to access and change the data. Luckily, staff noticed something was amiss and used paper records to verify the sentence But the scheme cost Washtenaw more than $230,000, and the criminal got access to the personal information of over 1,600 people.

Getting a friend out of jail is one creative use of data manipulation, but there are far more nefarious uses, such as altering operating procedures on nuclear facility instruction manuals, modifying software code in driverless vehicles, and changing the temperature threshold on refrigeration equipment or power turbines. And of course, as we’ve already experienced, altering votes or voter eligibility.

The stock market is another place that’s ripe for data manipulation. As the Wall Street Journal reported last year, 85% of stock market trades happen “on autopilot — controlled by machines, models, or passive investing formulas.” Consequently, if the underlying data that feeds the algorithms is altered by hackers, it could create widespread chaos in the markets and ultimately destabilize the global economy.

The biggest threat may be to the healthcare industry, which has become a prime target in ransomware attacks, and where the effects of data manipulation can be deadly. To underscore this point, researchers in Israel created malware that can add realistic but fake malignant growths to CT or MRI scans before they’re reviewed by doctors or radiologists. Likewise, the malware can remove cancerous nodules or lesions from patients’ scans. 

In April, The Washington Post reported on the malware and revealed that a blind study conducted by researchers at Ben-Gurion University Cyber Security Research Center had devastating results. “In the case of scans with fabricated cancerous nodules, the radiologists diagnosed cancer 99 percent of the time. In cases where the malware removed real cancerous nodules from scans, the radiologists said those patients were healthy 94 percent of the time.”

When it comes to cybercrime, the best defense is a good offense

Because the defense of data integrity is in its early stages, there is very little that organizations can do to defend against manipulation once the cybercriminals have cracked into critical databases. Few organizations possess the tools to accurately detect and eliminate data manipulation, and those tools are more than a year away. 

In the meantime, your solution is to keep criminals out of your data in the first place, using the tools that I talk about in every one of my presentations. When it comes to data integrity, prevention beats recovery every time.

John Sileo is the founder and CEO of The Sileo Group, a cybersecurity think tank, in Lakewood, Colorado, and an award-winning author, keynote speaker and expert on data integrity, cybersecurity and tech/life balance.

What if Putin Had an Army of Killer Artificial Intelligence Robots?

John-sileo-artificial-intellegence-expert

The New Frontier: How Science Fiction Distorts Our Next Move on Artificial Intelligence and Cybersecurity

It’s been 51 years since a computer named Hal terrorized astronauts in the movie 2001: A Space Odyssey. And it’s been more than three decades since “The Terminator” featured a stone-faced Arnold Schwartzenegger as a cyborg terrorizing “Sarah Connah.” Yet, dark dystopian civilizations — where computers or robots control humans — are often what come to mind when we think of the future of artificial intelligence. And that is misleading.

I was happily raised on a healthy diet of science fiction, from the “Death Star” to “Blade Runner.” But increasingly, as we approach the AI-reality threshold, Hollywood’s technological doomsday scenarios divert the conversation from what we really need to focus on: the critical link between human beings, artificial intelligence and cybersecurity. In other words, it’s not AI we need to fear; it’s AI in the hands of autocrats, cybercriminals and nation-states. Fathom, for a moment, Darth Vader, Hitler or even a benevolent U.S. president in charge of an army of robots that always obey their leader’s command. In this scenario, we wouldn’t avert a nuclear showdown with a simple game of tic-tac-toe (yes, I loved “War Games,” too). 

As I noted in my post about deepfakes, not only is AI getting more sophisticated but it’s increasingly being used in nefarious ways, and we recently crossed a new frontier. Last March, the CEO of a U.K. energy firm received a call from the German CEO of the parent company who told him to immediately transfer $243,000 to the bank account of a Hungarian supplier — which he did. After the transfer, the money was moved to a bank in Mexico and then to multiple locations.

In fact, the U.K. executive was talking to a bot, a computer generated “digital assistant” — much like Siri or Alexa — designed by criminals using AI technology to mimic the voice of the German CEO. The only digital assistance the crime-bot gave was to digitally separate the company from a quarter million dollars. 

Rüdiger Kirsch of Euler Hermes Group SA, the firm’s insurance company, told the Wall Street Journal  that the U.K. executive recognized the slight German accent and “melody” in his boss’s voice. Kirsch also said he believes commercial software was used to mimic the CEO’s voice — meaning this may be the first instance of AI voice mimicry used for fraud.

Trust me, it won’t be the last. We’re at the dawn of a whole new era of AI-assisted cybercrime.

What’s ironic about the prevailing wisdom around AI, however, is that the capabilities of criminals and bad actors is often underestimated, while those on the cybersecurity side are overestimated. At every security conference I attend, the room is filled with booths of companies claiming to use “advanced” AI to defend data and otherwise protect organizations. But buyer beware, because at this stage, it’s more a marketing strategy than a viable product. 

That’s because artificial intelligence is more human than we think. From my experience peering under the hood of AI-enabled technology like internet-enabled TVs, digital assistants and end-point cybersecurity products, I’m constantly amazed by how much human input and monitoring is necessary to make them “smart.” In many ways, this is a comforting thought, as it makes human beings the lifeblood of how the technology is applied. People, at least, have a concept of morality and conscience; machines don’t. 

In a sense, AI is really just an advanced algorithm (which, by the way, can build better algorithms than humans). The next stage is artificial general intelligence (AGI), which is the ability of a machine to perform any task a human can (some experts refer to this as singularity or consciousness). This is an important distinction because current AI can perform certain tasks as well as or even better than humans, but not every task — and humans still need to provide the training. 

We’ll achieve artificial general intelligence when we’re able to replicate the functions of the human brain. Experts say it’s not only theoretically possible, but that we’ll most likely develop it by the end of the century, if not much sooner. 

The U.S., China and Russia are all pursuing the technology with a vengeance, each vying for supremacy. In 2017, China released a plan to be the leader by 2030, and that same year Russian President Vladimir Putin said, “Whoever becomes the leader in this sphere will become the ruler of the world.” Darth Putin, anyone?

And this brings us back to those doomsday scenarios, but I’m not talking about cyborgs roaming American cities with modern weaponry. The real threat is to American industry and infrastructure. So, instead of worrying about a future where bots are our overlords, it’s time we focus on the technological and legislative conversations we need to have before AGI becomes ubiquitous.

Cybercriminals using AI were able to swindle an energy company out of a quarter million dollars without breaking a sweat. 

They’ll be back.


About Cybersecurity Keynote Speaker John Sileo

John Sileo is the founder and CEO of The Sileo Group, a cybersecurity think tank, in Lakewood, Colorado, and an award-winning author, keynote speaker and expert on technology, cybersecurity, and tech/life balance. He energizes conferences, corporate trainings and main-stage events by making security fun and engaging. His clients include the Pentagon, Schwab, and organizations of all sizes. John got started in cybersecurity when he lost everything, including his $2 million business, to cybercrime. Since then, he has shared his experiences on 60 Minutes, Anderson Cooper, and even while cooking meatballs with Rachel Ray. Contact John directly to see how he can customize his presentations to your audience.

How to Turbocharge your Cybersecurity Awareness Training

Security awareness training can’t be a boring afterthought if it’s going to work. 

Own it. Secure it. Protect it. 

Those are the key themes for this year’s National Cybersecurity Awareness Month, coming up in October, and it’s good advice. Unfortunately, it’s the same message your trainees have been hearing for years and, at this point, they’ve largely tuned it out.

The challenge isn’t creating a pithy slogan. It’s turning advice into action and an enduring “culture of security.” At this point, cybersecurity is on the radar for most companies, and the smart ones make it a priority. To achieve their cybersecurity goals, many organizations implement cybersecurity awareness training sessions, which seek to educate the rank and file on threats and how to thwart them. When done well, these initiatives can be a way to focus the entire organization — and can greatly reduce the risk of data breach, cyberextortion or damaging disinformation campaigns.

When not done well, you’ll be lucky if your team remembers the words cybersecurity awareness as they shuffle out the door — no doubt refreshed after scrolling through Facebook or watching the latest Taylor Swift video.

The problem is that many security programs are actually less than the sum of their parts for the simple reason that they don’t have an overarching end goal. Sure, the objective is to educate your team on emerging threats so your company is more secure, but that’s a nebulous goal. And because it’s a nebulous goal lacking tangible motivation, your team doesn’t buy in. 

That’s not to say they don’t care about the company’s security. Of course they do — but it’s not personal. 

Unfortunately, when it comes to cybersecurity in the corporate sector, the human element is usually overlooked. This is a mistake. I often hear companies refer to humans as the “weakest link” in cybersecurity, which of course becomes a self-fulfilling prophecy. Enlightened organizations understand that security is a highly effective competitive differentiator (think Apple) and that humans, when properly trained, are the strongest defense against cyberthreats. Consequently, an effective program must start by getting people — from the top down — invested in the goal and the process. 

I’ve been the opening keynote speaker for hundreds of security awareness programs around the world, many of them outside the bounds of National Cybersecurity Awareness Month, and most of them leave me hungering for more: More engagement, more interaction and more actionable information. In short, more substance. 

Here are a few tips for designing a cybersecurity awareness program that will engage your team and get results.

Ownership

Don’t focus on the CISO, CRO, CIO or CTO. That would just be preaching to the choir. The missing but crucial link in cybersecurity awareness programs tends to be a security “believer” from the executive team or board of directors. Successful programs are clearly led, repeatedly broadcast and constantly emphasized from the very top of the organization — with an attitude of authenticity and immediacy. Whether it’s your CEO at an annual gathering or a board member kicking off National Cybersecurity Awareness Month, your security champion must not only become an evangelist but also have the authority and budget to implement change.

Strategy

Approach your program strategically, and devise a plan to protect your intellectual property, critical data and return on information assets. You’re competing for resources, so build a compelling business case that demonstrates the organization’s ROI in business terms, not buried in technobabble. 

  • What did it cost your competitor when ransomware froze its operation for a week? (e.g., FedEx: $300 million)
  • How much would the training have cost to avoid the CEO whaling scheme that lost a similar-sized company millions of dollars? 
  • What do the directors of compliance, HR and IT have to add to the defense equation? 

The most successful cybersecurity awareness programs have a budget, a staff (however small) and cross-departmental support. Involve the business team and other stakeholders up front to leverage their expertise before rollout.

Methodology

Here’s a litmus test for the potential effectiveness of your security awareness program: Does it begin by focusing on the critical information assets and devices inside of your organization? If so, it’s probably doomed. Why? Because your employees are human beings, and they want to know how this affects them personally before they invest time to protect the organization’s coffers. 

Excellent security awareness kicks off by making data protection personal — building ownership before education. From there, the training must be engaging (dare I say fun?) and interactive (live social engineering) so your audience members pay attention and apply what they learn. Death-by-PowerPoint will put behavioral change to sleep permanently. Highly effective programs build a foundational security reflex (proactive skepticism) and are interesting enough to compete against cute puppy videos and our undying desire for a conference-room snooze.

Sustenance

Best practice security awareness training, like a five-course meal, doesn’t end with the appetizer. Yes, kickoff is best achieved with a high-energy, personally relevant, in-person presentation that communicates the emotional and financial consequences of data loss — but that’s only the beginning. 

From there, your team needs consistent, entertaining follow-up education to keep the fire alive. For example, we’ve found short, funny, casual video tips on the latest cyberthreats to be highly effective (once your team takes ownership for their own data, and yours). Then, add lunch workshops on protecting personal devices, incentive programs for safe behavior, and so on. Culture matures by feeding it consistently.

Measurement

If you don’t measure your progress (and actually demonstrate some), no one will fund next year’s training budget. Here are a few questions I ask when facilitating board retreats on cybersecurity: 

  • What are your cybersecurity awareness training KPIs, your key metrics? 
  • How did successful phishing or social engineering attacks decline as a byproduct of your program? 
  • Has user awareness of threats, policy and solutions increased? 
  • How many employees showed up for the Cybersecurity Awareness Month keynote and fair? 
  • Do your events help employees protect their own data as well?
  • How department-specific are your training modules? 

When you can show quantitative progress, you’ll have the backing to continue building your qualitative culture of security.

Over the long term, a culture of security that reinvents itself as cyberthreats evolve will be far less costly than a disastrous cybercrime that lands your company on the front page. National Cybersecurity Awareness Month is a great catalyst to get your organization thinking about its cybersecurity strategy. Now it’s time to take action.


About Cybersecurity Author & Expert John Sileo

John Sileo is an award-winning author and Hall of Fame Speaker who specializes in providing security awareness training that’s as entertaining as it is educational. John energizes conferences, corporate trainings and main-stage events by interacting with the audience throughout his presentations. His clients include the Pentagon, Schwab and organizations of all sizes. John got started in cybersecurity when he lost everything, including his $2 million business, to cybercrime. Since then, he has shared his experiences on 60 Minutes, Anderson Cooper, and even while cooking meatballs with Rachel Ray. Contact John directly to see how he can customize his presentations to your audience.

Just Wait for the Cavity: Dental Cyber Security

Dental Cyber Security is kind of like, well, being a dentist. You’re in your patient’s mouth. The red flags are clear as day: calculus buildup going back to pre-fluoride Woodstock days. Severe dentin erosion, onset of gingivitis, gums retreating like Arctic glaciers. But there is no actual decay yet. No cavities to drill or crowns to fill, no stains to cap or roots to tap. Absolutely. Nothing. Profitable!

So what do you tell the patient? That’s easy…

“Looks good! Come see me when that molar finally cracks.”

Of course that’s not what you say, but that is roughly how it sounds to me when a practice director tells me that they invest minimally in ongoing preventative cyber security because nothing truly bad has happened yet with their practice data. In other words, Just Wait for the Cybercrime Cavity and spend ten times as much recovering.

But I would never advise you to wait for the cyber decay, and you would never advise your patients to hold off on brushing, flossing and regular dental checkups. Nor should you wait to implement regular dental cyber security. We are both in the prevention business and we are building long-term relationships that have a great LTV. There are enough patients to keep us both in business with bad hygiene, so we can focus on doing our job well and stopping the problem before it takes root. That preventative mindset will save you approximately $380 per patient record, which is the average cost of breach recovery in the health industry (excluding reputation damage and customer attrition).

Here are what I consider to be the 5 Most Pressing Cybersecurity Vulnerabilities in Dentistry:

  1. Outdated operating systems (Windows XP/2000) and unpatched operating systems, software and apps
  2. Weak spam filtration and barely-existent employee training that leads to email-based phishing attacks
  3. Poor data backup and recovery planning that allows ransomware to lock and destroy patient and financial data
  4. Lack of solid encryption on data at rest (on servers), in transit (to patients, vendors) and in the cloud (practiced management software) that allows easy access to hackers
  5. Credential hacking of cloud data due to lack of 2-factor authentication and password managers

When your practice begins to protect patient data in the same way that you ask patients to protect the health of their mouth, you have just discovered a critical competitive advantage for patient acquisition and retention. Your patients want to know that their data is safe in your hands. Here are some additional resources to help you take the next steps in protecting your practice data:

What are the greatest gaps you see in Security Awareness Programs? Please share your brilliance below.


John Sileo loves his role as an “energizer” for cyber security at conferences, corporate trainings and in industry study clubs. He specializes in making security fun, so that it sticks. His clients include the Seattle Study Club, the Pentagon, Schwab and many organizations so small (and security conscious) that you won’t have even heard of them. John has been featured on 60 Minutes, recently cooked meatballs with Rachel Ray and got started in cyber security when he lost everything, including his $2 million software business, to cybercrime. Call if you would like to bring John to speak to your members – 303.777.3221.