Are Hackers Targeting Your Association? Here’s How to Stop Them.


The recent revelation that Chinese hackers penetrated the internal computer network of the National Association of Manufacturers (NAM) last summer should be a clarion call to all associations: They are coming for you. 

The suspected Chinese hackers ramped up their efforts to steal information in the days surrounding a meeting between NAM President Jay Timmons and President Trump this past summer. While we don’t know what data was stolen, the incident took place during intense trade negotiations, as US and Chinese government officials began to hash out details of a potential deal.

The primary motivating factor behind the hacking of trade associations is simple: INFLUENCE. The fact that NAM is an influential group that’s helped shape Trump’s trade policy made them an attractive target for the Chinese, who undoubtedly leveraged inside information to gain an upper hand in the talks. 

While the NAM hack is notable for its ties to the executive branch and high-stakes negotiations, the fact is that associations of all sizes and political influence are potential targets of hackers such as nation-states, foreign businesses or individual cybercriminals. In other words, you don’t need to have political or lobbying connections to be an attractive hacking target. Your member list, industry-specific intellectual property, employee data, digital connections to influencers, and banking and financial information are all just as attractive to cybercriminals and cyberextortionists as your political relationships. 

Over the past decade, numerous associations have been hacked: In May, the National Association of Realtors reported on a number of hacks of state associations and advised their members to beef up cybersecurity. Earlier hacks include (ironically) the Intelligence and National Security Alliance, the Fraternal Order of Police and the US Chamber of Commerce.

It’s not a matter of if your association will be hacked, but when

The World Economic Forum’s 2019 Global Risks Report ranked cyberattacks as the number one risk in North America. And with good reason. Data breaches alone are predicted to cost $5 trillion globally by 2024; in just the first nine months of this year, 7.9 billion records were exposed in North America. Associations haven’t traditionally been a large part of those statistics, which is exactly what makes them ripe for future picking. Lack of direct threats tends to breed complacency and lack of proactive protections.

Protecting your association from hackers and cybercriminals

As an industry association, in addition to advocating for your members, you have two vital responsibilities:

  1. Protecting your member data, financial details and intellectual property from cybercrime 
  2. Educating your members about protecting their organizations against those same evil forces

Here are the first steps you can take to fulfill both responsibilities:

  • Commission an External Cyber Penetration Test to expose your specific and known vulnerabilities
  • Educate your internal employees to detect and deter social engineering tactics like phishing, ransomware and deepfake videos
  • Prepare a data breach response plan in case you are successfully attacked. This should include a list of executive responsibilities, a public relations strategy, a legal response and methods of communicating with the breach response team (remember, your email, texts and mobile devices can be compromised in a breach)
  • Educate your association members about cybersecurity best practices at your next annual event

Your reputation as an association depends on many factors. One of the most overlooked of those is the reputational damage done by a cyber breach incident, especially if member data is compromised. Take steps to manage your risk and defend your data — before it’s too late. 


About Cybersecurity Keynote Speaker John Sileo

John Sileo is the founder and CEO of The Sileo Group, a privacy and cybersecurity think tank, in Lakewood, Colorado, and an award-winning author, keynote speaker, and expert on technology, cybersecurity and tech/life balance. John specializes in making security engaging for association and corporate audiences. Contact him directly on 303.777.3221. 


Zappos Breach: 5 (Foot)Steps for the CEO, 6 for Victims

Let’s say you ordered winter boots for your spouse on Zappos.com (now part of Amazon), which has world-class customer service. You don’t really even shop the competition because someplace in your brain you already trust Zappos to deliver as they always have. Your unquestioned confidence in Zappos is worth a fortune.

And then hackers break into a server in Kentucky this past weekend and steal private information on 24 million Zappos customers, including (if you are a customer) your name, email address, physical address, phone number, the last four digits of your credit card number and an encrypted version (thank goodness) of your password. Consequently, your junk email folder is overflowing (your email has been illicitly sold to marketing companies), you receive the doom-and-gloom breach notification from Zappos (just like I did), and suddenly, you don’t have quite the same confidence in this best-in-practice business anymore. Your shaken confidence in Zappos costs them a fortune. For the foreseeable future, you will pause before using their website again.

“We’ve spent over 12 years building our reputation, brand, and trust with our customers,” Zappos CEO Tony Hsieh said in a note to employees Sunday. “It’s painful to see us take so many steps back due to a single incident.”

In a smart move, Zappos reset the passwords for all affected accounts and notified victims on how to create a new one. But their efforts to recover customer trust are just beginning. Here are 5 Core Concepts of Trust that Zappos leadership should weave into their breach recovery process:

  1. Ownership. Leadership at the company should take complete responsibility for the loss of data and not make excuses as to how it was someone else’s fault (remember the BP oil spill finger pointing?). The last thing victims need is to become more victimized by a corporate spin cycle that further erodes trust. Authentically respecting their customer base (which they do), even when it costs a few extra dollars to maintain, is a sound investment strategy.
  2. Transparency. Zappos customers have the right to know exactly what was stolen and how it might be used. They deserve to know what the company knows and what law enforcement knows. Sharing their failure (as opposed to covering it up in any way, which they don’t seem to be doing) is a painful process with high short-term costs, but it is the first step in taking responsibility.
  3. Expectation. Zappos needs to set customer and marketplace expectations early and often about how they will make it better. Forcing users to change passwords does little to ease fears that it will happen again. What tangible steps will they take to repay customers for the trouble they have caused, and what measures will they implement to better protect users in the future?
  4. Delivery. Zappos must deliver on the expectations they set with the victims, with the media and with the marketplace. False promises (pretending to implement better security but underfunding the budget) are cheap Band-Aids that only further infect the inflicted wounds when nothing actually changes. To regain trust, Zappos must set impressive expectations and deliver on them flawlessly.
  5. Competence. Zappos is not in the business of recovering from identity theft or data breach. They need to aid their legal department by bringing in breach mitigation and recovery experts. Saving a few dollars up front by keeping the efforts in house will raise downstream recovery costs by multiples.

In the meantime, if you are a victim of the Zappos breach, begin with these steps:

  • Immediately change your password according to Zappos’ emailed instructions.
  • Use a password that mixes upper- and lower-case letters and numbers, has nothing to do with your personal life and can’t be found in a social networking profile or a dictionary.
  • If you use the same password on other sites (webmail, financial), change those as well.
  • Implement identity theft monitoring services.
  • Monitor your credit profile for suspicious activity at AnnualCreditReport.com.
  • Don’t click the links in that email. Zappos is sending every one of its affected customers a warning e-mail. However, more often than not such “official” e-mails are from hackers (for example, “We’ve had a security problem. Please change your password.”). These fraudulent e-mails can be virtually indistinguishable from legitimate communications, including identical graphics, logos, and authentic looking return e-mail addresses. Instead of clicking, type the URL (in this case Zappos.com) directly into your address bar. If there’s an important notice on your account, you’ll find it there.

John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply performance by building a culture of deep trust. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation (he shares how he lost $300,000, 2 years and his business to data breach) or watch him on Anderson Cooper, 60 Minutes or Fox Business. 1.800.258.8076.


Information Offense – How Google Plays

Google recently offered $20,000 to the first person who could hack their web browser, Chrome. Without question, a hacker will crack it and prove that their browser isn’t as mighty as they might think.

So why waste the money?

In that question, ‘why waste the money?’ lies one of the root causes of all data theft inside of organizations. Google’s $20,000 investment is far from a waste of money. Consider:

  1. The average breach inside of an organization costs $6.75 million in recovery costs (Ponemon Study). $20,000 up front to define weak points is a minuscule investment.
  2. Chrome is at the center of Google’s strategic initiatives in search, cloud computing, Google Docs, Gmail, displacing Microsoft IE and mobile OS platforms – in other words, it is a very valuable asset, so Google is putting their money where their money is (protecting their profits).
  3. By offering up $20,000 to have it hacked IN ADVANCE of successful malicious attacks (which are certain to come), Google is spending very little to have the entire hacker community beta test the security of their product.

I would bet that there will be tens or hundreds of successful hacks into their browser, all of which will be fixed by the next time they commission a hack.

Anticipating the inevitable attacks and investing in advance to minimize the chances and resulting costs of a breach is a perfect example of Information Offense. Instead of waiting for your data to be compromised (defense), you take far less costly steps up front to deflate the risk. Only the most enlightened leaders I work with inside of corporations understand the value of spending a little bit on security now to reap huge benefits (in the form of avoided losses) down the road.

Too many leaders are so focused on the revenue side of the model (most of them are from a sales background) that they lack the depth of seeing the entire picture – the long-term health and profitability of the company. You know the saying… an ounce of prevention being worth a pound of cure. Just think of the ounce being loose change and the pound being solid gold.

Marshall Goldsmith, the executive coach, nails the behavior behind this phenomenon in his book, What Got You Here Won’t Get You There,

“Avoiding mistakes is one of those unseen, unheralded achievements that are not allowed to take up our time and thought. And yet… many times, avoiding a bad deal can affect the bottom line more significantly than scoring a big sale… That’s the funny thing about stopping some behavior. It gets no attention, but it can be as crucial as everything else we do combined.”

Listen to Google and Mr. Goldsmith, and avoid the mistakes before you make them by asking yourself this simple question: How can I refocus my efforts and resources on playing offense rather than defense?

John Sileo’s motivational keynote speeches train organizations to play aggressive information offense before the attack, whether that is identity theft, data breach, cyber crime, social networking exposure or human fraud. Learn more at www.ThinkLikeASpy.com or call him directly on 800.258.8076.

Is Online Banking Safe from Identity Theft?

I am starting to reconsider my opinion that online banking is safer than traditional banking, primarily because I have been hearing horror stories during some of my identity theft seminars. But now I am seeing it in the mainstream media. Case in point: read this short article in this morning’s USA Today about Hackers Swarming Bank Accounts. I’m open to your opinions, but I feel like the thieves are starting to win. In a YouTube video post I did some time ago about online banking, I suggested that if your computer is well-protected, you are better off banking online.

Online Banking & Identity Theft Video

But lately, it seems like the thieves are a step ahead. What are your thoughts? Have you had any troubles with identity being compromised because of the types of threats discussed in the article?