Archives for September 2015

Exploring the Cybersphere: September

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

Many takeaways this month from articles that further our understanding of cybersecurity concerns and issues starting with:

So who’s the biggest internal cybersecurity problem for corporations? Employees?

Data breaches – hackers have nothing on your own employees
Computer Business Review
Cyber attacks like the recent Ashley Madison incident make great headlines but as many within the security industry will know, it’s not only external threats that we need to worry about. One of the biggest threats out there is human error which means you need to protect your data from your employees just as much as you do from hackers….

Employees put business data at risk by installing gambling apps on their phones
If you work for a large, global company, chances are some of your peers have installed gambling apps on the mobile devices they use for work, and that’s bad news for IT security…

Employees are the biggest threats to cybersecurity
Business professionals surveyed about the security measures they felt are the most important in thwarting cyber threats pointed to the use of employee background checks. According to the results of the First Advantage 2015 Cybersecurity Survey, people within companies are a huge cybersecurity concern…

Or executives?

Study of CEOs Reveals Alarming CyberSecurity Trends
A study of CEOs recently released by KPMG revealed some alarming trends about cybersecurity preparedness. The report, entitled, Global CEO Outlook 2015, included information garnered from over a thousand CEOs of companies with at least $500M in revenue in ten major economies around the world…

And do Boards even care?

Do boards of directors actually care about cybersecurity?
CSO Online
There’s no shortage of arguments that cybersecurity needs to be aligned with the needs of the business, or that security is now a “boardroom issue.” And it seems that a new report or study is issued every day that states that boards of directors are more involved with their organizations’ cybersecurity efforts than ever before.

How much bull is there in this China closet?

Russia and China could be ‘making it impossible for the US to hide’ its intelligence activities
Business Insider
US officials believe China and Russia are building a database of US intelligence information using massive amounts of files stolen from government agencies and private companies, the Los Angeles Times reported on Monday…

U.S. urged to tighten cyber security to counter Chinese hacking
The United States must beef up cyber security against Chinese hackers targeting a broad range of U.S. interests to raise the cost to China of engaging in such activities, America’s top intelligence official said on Thursday.

Will American CEOs cave to China’s president?
Los Angeles Times
Pope Francis isn’t the only high-profile international figure arriving in the United States this week. Chinese President Xi Jinping is due in Seattle on Tuesday before heading east for an official White House visit. He and President Obama will have much to discuss, including economics, trade, human rights and China’s territorial ambitions. But 30 U.S. business leaders will meet with Xi in Seattle first, and it’s important that they not undermine their long-term interests by giving Xi the wrong message on cybersecurity.

Obama Won’t Sanction China for Cyber Spying…Yet
The Daily Beast
The Obama administration has been suggesting for weeks that it plans to impose financial sanctions on Chinese companies and individuals to punish them for cyberspying against U.S. corporations. But while officials aren’t ruling it out, the White House reportedly won’t take punitive actions against China before President Xi Jinping visits Washington next week…

US skeptical China will adhere to cyber promises
The Hill
Lawmakers were encouraged yet wary of a deal the White House and China revealed Friday, in which both sides committed to not support the digital theft of industry secrets.

Maybe we need to spend more, and/or more wisely

The US government is not spending enough on cybersecurity
Business Insider
In the past 12 months, the US government has not fared well against cyberattacks, and the budget may give an insight why…

FTC: Startups Need to Up Cybersecurity Investments
Federal Trade Commission Chairwoman Edith Ramirez is reinforcing the need for technology startups to invest in ensuring cybersecurity measures are integrated into their products from Day 1, the Financial Times reported yesterday (Sept. 10). Ramirez called for a “culture of security” during the FTC’s Start With Security conference in San Francisco on Wednesday (Sept. 9), where developers and companies were encouraged to think about security earlier on in the product lifecycle instead of when it has already gained popularity…


By Tom Davis, SDI Cyber Risk Practice

SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.

You can view previous blog posts on cyber risk management here.

September 29, 2015


How I…Respond to a Hack Attack

Transparency and constant communication are key to a company’s response plan, says Tom Davis, vice president and crisis management expert at Susan Davis International.

By Naomi Eide, BizSmarts

Published in the Washington Business Journal

Sep 18, 2015


With security breaches popping into the news almost weekly, Susan Davis International works to find the best way to respond to the potential fallout. Vice president and crisis management expert Tom Davis, a member of the firm’s recently created cyber risk communications team, discusses how a targeted company can still at least protect its reputation.

What’s the first piece of advice you have for companies? You’re entering a relationship with a client somewhere along the continuum, from the planning and preparation side to the response side. I think anyone in the business will tell you that, ideally, you’re coming in on the preparation side. You’re really talking about doing the planning, evaluation and doing some sort of exercise to understand what the true capabilities are. Then, if and when there is an actual incident that occurs, then supporting the plan. Now that isn’t the way it always works, that’s the ideal way. Because when you get to the response side, a lot of what’s going to be done will be heavily dependent on what is done on the planning and preparation side.


When there is a compromise, what do you advise companies to do? There are essentially two parts that have to work in harmony here. One of them is the distinct technical response internally, which is not what we do. But the company, either using its assets or a vendor will be dealing with the breach to patch that. On our end of it, on the response side, basically the company needs to do the calculus about what the damage is and what its stakeholder universe is. Then look across that stakeholder universe to understand what the key concerns are of all those who have an interest in the company’s response.

What’s key in thinking about that? Effectively, what’s at stake here is the company’s reputation. How people perceive the company’s response will have a lot to do with the ultimate penalty that any given victim of a breach will have to pay. What you’re looking to do there as quickly as possible is understand what the key concerns are and start addressing those concerns on the communication side. This is really a critical component: You have to make sure what you’re saying is consistent with what you’re doing.

How should companies deal with the communications if they don’t want to share there was an attack? You really do need to make sure that you’re getting out in front of it. This is sort of a classic crisis management consideration. The underlying reality here is that, at some point, it is going to be apparent. Generally speaking, when a company is breached, the data suggests that it takes, on average now, nearly seven months for the company to discover the breach. Most of the time, it doesn’t discover it itself. The breach is brought to its attention by somebody from the outside, could be law enforcement. Ultimately, the accompanying reality here is that people are going to know about the breach, and it is going to get disclosed in some fashion.

So what should they do? The appropriate thing for a company to do is take control of the situation. You want to be in control and driving the messaging, rather than responding to it. Understand your responsibility to all your stakeholders is to do just that.

How should companies do this? Identify internally how responses are going to be handled, and set some policies. Typically, you’re going to identify the characteristics of an incident here, which is unlike others. If you’ve got information of value, you’re going to be the subject of recurring kinds of attacks. What you’re saying is, for us to respond, it has to cross this threshold. Part of the process on the front end of planning and preparation is to say, “Here is our threshold.” When an incident occurs and it has these characteristics and crosses that threshold, that’s going to mean our crisis management team is going to be brought to bear on this. All the internal procedures we have been practicing regularly, hopefully, will now kick in.

Is a cyber attack any different than any other crisis a company might face and need to respond to? There are two things that make it a little unusual. One is the usually distinctly technical aspect of it. You’ve got the wonkiness part of IT people where the language is not that which is generally available to other people in the organization. There’s sort of a chasm here that has to be crossed, that has to be bridged in some fashion so that the internal communication flow makes it really obvious exactly what’s going on. Because that, in turn, has to be part of the messaging that takes place on the other end of it.

And the other thing that differentiates it? There is a certain unknowability about the breach. If you have a classic crisis that’s driven by a natural disaster, for example, or you have an oil spill — any of the things you think about that constitute crisis for different kinds of organizations — there’s all this information you have going out in the early stages. But there’s more of a certainty to what it is and how it’s going to play out than when the crisis is driven by a data breach. The breach aspect of this, there is a certain mystery that accompanies that. When a data breach is discovered, the clock is ticking immediately but it is really unlikely that the companies will really, truly understand the scale and scope. There’s going to be the issue of attribution — and you’ve seen this play out multiple times — where attribution is difficult.

What could the Office of Personnel Management have done differently in responding to its hack? Frankly, the first thing that comes to mind with regard to OPM is the dripping of information in the aftermath of the attack. It’s a very slippery slope that you start on when you don’t reveal information at the beginning, which comes out in drips and drabs over a protracted period of time. That’s a little bit like Chinese water torture, and you end up seeing that the spotlight doesn’t go away. It continues, it actually grows ever hotter. In the end, the head of OPM loses her job over this and the job loss was driven, in my mind, less by the actual breach than by how the aftermath of their breach was handled.

What’s a better way to handle the communications then? Customers will be one of a whole range of audiences that you have to deal with. This is kind of driven by an understanding of what business you’re in and which of your stakeholders are most likely to have been affected. But, it’s basically a process in which you have to say: What are your critical interests and how is this incident affecting those critical interests? Then what do we need to say to them that essentially gives them solid information about exactly what’s transpiring here — together with the implications for them about what’s transpiring? If they are injured by this, what it is that we can do that will ameliorate the injury?

How about when you don’t know those implications? There’s probably not a situation in which it is perfectly knowable. But the dimensions of the implications are generally available relatively early on. It won’t be a complete picture, it’s a little bit like weather forecasting — if you look out over 30 days, it’s a little murkier. But near term, it’s a little more clear what we know right now. That has to be part of the message. You have to lay the groundwork for the possibility that you’re going to be coming out a second time around and saying that we have updated information, and this is what we have. And that’s not unusual. But it’s important that whoever is speaking on behalf of the organization is doing so in a way that inspires confidence in people. You know, that there’s a sense that this individual in the organization is being candid about it.

What are common mistakes that companies make when they’ve been hacked? The mistakes on the response side tend to be either being close-mouthed and reticent about response or being in denial about the implications about the response. Those are sort of classic kinds of mistakes. The other thing that happens with some regularity is you see organizations being very defensive about it. The other thing is the inclination to really portray themselves as victims. The whole victimology part of this is an interesting conversation.

What do you mean? Clearly, you’re being victimized by somebody. But if you’re holding, for example, personally identifiable information of a lot of your customers and now that’s been lost in the breach, they’re seeing themselves as victims. They’re not going to send sympathy to you as a victim.

How do you deal with losing customers as a result of a breach? I wouldn’t want to underplay the fact that you might lose customers. We know that customers have this set of expectations about what an organization is going to do. There was a study done that basically says about 90 percent of people who were victimized by a data breach felt that businesses have to notify customers immediately when their breach is discovered. Because that has not always been the case, there is reason to believe that customers will be disaffected. They may judge who they’re going to do business with based on their sense of how reliable the relationship is and how reliable this business is.

What factors might that depend on? This is all driven by what competition exists in the marketplace. If you happen to be like OPM, in which no one is competing for your services, it’s a slightly different premise. In the business world, if there is competition and your competitors are deemed to be more reliable and your response undermines confidence, then you can expect there is going to be some customer loss. That’s really why we’re so adamant that you need to establish your process and be able to get out and get in front of this unfolding event as quickly as you possibly can.

What’s an example of a company that handled its response well? Frankly, you can point out small flaws in lots of different responses, but I think, generally speaking, Morgan Stanley did a pretty good job in handling its breach. It was a significant breach, and they did a pretty good job. What you’re looking at is sort of the essence of how companies are resilient in the marketplace. Part of that is keeping your relationship, and that means communicating continually, and they do a good job ensuring there aren’t lengthy intervals where people aren’t hearing from them and understanding what’s going on.

When is that most important? Particularly when the response is unfolding, it’s really important to communicate regularly, effectively. Anthem did a really good job in the beginning, in terms of getting out in front. Once they were breached, very quickly they were in the marketplace letting customers know about the breach. Then there wasn’t any communication, and they end up having the state’s attorney general going after them because it’s taking them too long to get back to their customers. It’s really critical that you live up to what you say you’re going to do.

How about a company that bungled its response? I’m reluctant to pile on here, but let’s take Target, for example. Target had this classic slow response where it seemed to be largely in denial about the nature of the breach and, frankly, its own responsibility. That rolled out over an extended period of time. Any number of lawsuits were filed against them. It ended up being dramatically unsuccessful in getting the suits thrown out, so it’s exposed to huge damages. The CEO loses his job — that’s sort of the classic, OK, but that’s probably not the way you want to do it.

What is most at stake for companies after a cyber breach? Really, the reputation. That’s what’s critically at stake once you’ve been breached. The fact that a company has been breached is hardly going to come as a surprise. We have this steady drumbeat of breaches going on. All you have to do is look to any news outlet on any given day and see something about somebody being breached someplace. But your reputation rides on the perception of how you’re responding to it.

What sparked your firm to start a cyber risk communications practice? It really was driven by the growing recognition that this was effectively an insoluble threat at the moment. There is no response that’s going to change the nature of the dynamic right now. So for the foreseeable future, companies are going to have to deal with this. It was apparent that companies were struggling with the whole aspect of the planning and preparation and what role is played by the board of directors. There were just so many moving pieces. Because of the work we do and the people we deal with, we decided there was a contribution we could make here that could be fairly significant.

The Value of the Documentary in the New Media Age

The documentary is not a new media genre. The reality-based form has been a longstanding tool of informing, educating and entertaining. However, as we evolve into a new media age where more than sufficient information is available anytime, and at anyone’s fingertips, is the documentary still a viable medium for your client’s objectives?

The nonfiction characteristic of the documentary distinguishes it but also limits both its entertainment value and audience. However, research by Amy Hardie suggests that documentary enthusiasts proactively seek out topics of interest to them. Thus, the limitation of the scope of viewers can in turn mean that documentaries attract a more focused audience that is receptive to the material, not only in terms of the stories, but also as persuasive vehicles for change, and audience members are more likely to become agents for manifesting the documentary’s message.

Today, the Internet extends the documentary’s reach and increases the scope of targeted viewers who are potentially interested in its message. In the past, the only way a documentary could reach the public was through television or the big screen, excluding many independent documentaries with meaningful topics but limited resources. The Internet significantly lowers the threshold for circulating a documentary and increases marketing efficiencies. Social media makes it feasible for viewers to engage the documentary’s promoters as well as to communicate with each other.

Skilled documentarians are improving the medium with better storytelling and visual effects to attract more viewers. The combination of enhanced visuals, increased entertainment values and improved marketing efficiencies of the Internet ensures that documentaries will remain a powerful media tool for your client, business or educational objectives.

By Vicky Wang, SDI

September 25, 2015



Rotten Apples?



Last December an article in Tech News World took a shot at forecasting the year ahead in cybersecurity. Among the predictions in the article was this from SentinelOne, a leading provider of endpoint protection, “Cybercriminals will train their gaze on Apple more often next year…An acceleration of those attacks is likely…because Apple continues to grow its share of the enterprise market, where it has become a darling of executives who are ripe targets for hackers.”

Apple has long enjoyed a reputation as a company whose products are safe. Apple’s many devotees historically have been quick to tout how secure their devices are, but they now are starting to feel just a little uneasy. Many security experts have suggested that Apple’s reputation for security is a bit of a myth. After the high profile iCloud hack last year that garnered so much attention because it exposed nude photos of celebrities, Apple users started to pay attention to an expanding list of vulnerabilities. Apple users are starting to wake up to the reality that their devices and data are vulnerable too.

Now this. On Monday Apple announced it was cleaning up its iOS App Store to remove malicious iPhone and iPad programs that were placed there as part of a large-scale attack on Apple. The announcement came after several cybersecurity firms reported finding a malicious program dubbed XcodeGhost that was embedded in hundreds of apps. The hack itself was both clever and troubling. Developers were tricked into using counterfeit versions of Xcode, Apple’s development software, to submit apps. The fake Xcode then put malicious code into otherwise-legitimate apps that were not detected by Apple during the submission process.

While the attack will take another bite out of Apple’s reputation, its bigger impact may lie in what it tells us about the ability of hackers to infect machines of software developers writing legitimate apps. Developers may increasingly become targets for these attacks, which would further complicate life for both the sellers and users of these apps.


By Tom Davis, SDI Cyber Risk Practice


September 22, 2015

Sun Tzu Insights Precede Visit from Chinese Premier


The supreme art of war is to subdue the enemy without fighting.

– Sun Tzu

Sun Tzu, noted Chinese general and philosopher, is widely perceived as a master military strategist. He is known for authoring The Art of War, a treatise on military strategy and tactics that has survived the test of time, having been written roughly 2,500 years ago. In recent times his philosophy for managing conflict has been embraced by such notables as Chinese communist leader Mao Tse-Tung and North Vietnam’s Ho Chi Minh. The U.S. military also educates its officers in Sun Tzu’s teachings, and his philosophy has become a popular topic among business leaders. Thus, it may be instructive to look at the US/China cybersecurity challenge through his eyes.

Chinese premier Xi Jinping is scheduled to travel to Washington to meet with the President next week. In advance of his visit, there’s much written and said about Chinese hacking, and considerable speculation that the White House may adopt some economic sanctions against China. The White House has publicly stated that the President will raise the issue with the Chinese premier, and in a sign that China is taking the matter very seriously, Meng Jianzhu, secretary of the Central Political and Legal Affairs Commission of the Communist Party of China, came to Washington to participate in a series of high-level meetings to prepare the way for the premier’s visit, and in all likelihood to try to reduce the possibility that the issue could be embarrassing for Xi Jinping. In the aftermath of the visit, China’s state-run Xinhua News Agency reported that the U.S. and China had reached agreement on important cybersecurity concerns.

Regarding the expected sanctions, the Washington Post reported that an administration official said “The expected sanctions move will send two signals…It sends a signal to Beijing that the administration is going to start fighting back on economic espionage, and it sends a signal to the private sector that we’re on your team. It tells China, enough is enough.”

Interestingly, the Administration seems to have accepted the argument made by Director of National Intelligence James Clapper that the attack on the Office of Personnel Management, which is widely believed to have been carried out by the Chinese, and which has spurred many calls for retaliation, should be seen as a legitimate form of government espionage. This argument suggests that there is an evolving murky standard which permits some forms of hacking and should prohibit others. Unfortunately there is scant evidence that there is widespread accord among nations as to what that standard is and allows.

Subduing the enemy without fighting is a concept that has particular value during this period of escalating cyber warfare. How the United States rises to the conceptual challenge will have profound implications for our economic well-being in the coming decade. Next week we may get some insight about how this challenge will play out in the near term.


By Tom Davis, SDI Cyber Risk Practice


September 15, 2015


Merited, But No Easy Answers to Cyber Info Sharing…

Last fall the Federal Bureau of Investigation took the historically notable step of issuing a private warning to industry about a group of Chinese government hackers that were stealing data from U.S. companies and government agencies. The FBI sent a nine-page alert that said the Chinese hackers were using at least four “zero-day exploits” based on previously unknown flaws in Microsoft’s Windows operating system. The agency also sent along some “indicators of compromise” that companies could use to determine whether they had been hacked by the Chinese.

Most companies are aware that the government has been urging corporations to share information about breaches, and that Congress has been struggling with creating legislation that would actually encourage sharing such information. Corporations in return have suggested that the government should be more forthcoming about information it possesses that could reduce cyber crime, and should be more proactive in alerting companies to continuing threats. In this regard it is useful to be aware of the FBI Liaison Alert System, the FLASH, created in 2013 and used by the bureau to send specific data used in an attack that the FBI believes will be used again.

How often does the bureau issue these alerts? In a July 2015 letter to the Department of Justice Office of the Inspector General, responding to its report on the FBI’s cybersecurity, the agency said “through our FBI Liaison Alert System (FLASH) Reports, we have broadly shared 70 anonymous and declassified technical indicators for immediate action to protect critical networks.”

Sharing of information between government and private industry remains a contentious issue, and the FBI’s efforts in this regard will do little to put the issue to rest. Government will continue to hold close certain information which may either reveal sources or capabilities that could be compromised or that could imperil ongoing security operations. Industry will continue to have concerns over privacy and safeguarding critical information. But the FBI’s FLASH reports offer a tangible example of how sharing information can offer a valuable contribution to the effort to lessen our vulnerability to the ongoing cyber threat.


By Tom Davis, SDI Cyber Risk Practice


September 8, 2015


FTC Rings the Bell

Ask not for whom the bell tolls, it tolls for thee.

John Donne’s famous “Meditation XVII” offers a haunting reflection on humanity. It also serves as an apt reference for the meaning of the recent decision by the U.S. Court of Appeals for the 3rd Circuit upholding the Federal Trade Commission’s (FTC) authority to investigate and take action against companies who fail to protect customers against cyber breaches. This decision in FTC v. Wyndham Worldwide Corp. has been keenly anticipated because Wyndham had argued that the FTC lacks the authority to regulate cybersecurity practices.

The FTC had accused Wyndham of using cybersecurity practices that “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” It further alleged that Wyndham failed to use “readily available security measures” such as firewalls to limit access to its data.

The FTC has been fairly aggressive in bringing suits based on data breaches, having settled 53 cases to date. It argues that it has the power to bring enforcement actions against companies it believes failed to take reasonable steps to prevent breaches. Wyndham, whose computer systems were hacked on three occasions in 2008 and 2009, resulting in the loss of hundreds of thousands of credit and debit card numbers, did not settle. Instead, it took on the agency headlong, suggesting that the FTC has consistently overstepped its statutory authority.

In upholding the FTC’s authority to pursue companies who suffer breaches and whose security practices do not meet evolving industry standards, the 3rd Circuit is effectively putting companies on notice. We can anticipate even more aggressive actions by the FTC. It is useful to read an analysis of the Court’s reasoning, such as the one done in The National Law Review. It will be prudent to take this decision as a harbinger of where regulation and law are headed, and prepare accordingly, before the bell tolls for thee.


By Tom Davis, SDI Cyber Risk Practice


September 1, 2015