Archives for December 2015

Jabberwocky

’Twas brillig, and the slithy toves
Did gyre and gimble in the wabe:
All mimsy were the borogoves,
And the mome raths outgrabe.

Lewis Carroll turned the writing of nonsense into an art form, securing his place in history. Generations of children have delighted in hearing and saying the made up words that create a vivid imagery, thrusting the reader into the bewildering world of the fearsome Jabberwock with eyes of flame. Try as one might, it is not possible to penetrate many of the word combinations Carroll used. But the story he tells is strikingly clear. We will trust similar logic will apply to understanding the nature of the cyber events that unfolded as 2015 drew to a close.

“Beware the Jabberwock, my son! The jaws that bite, the claws that catch!” (Are boards and senior corporate leadership now prepared?)

Corporate Governance in the Age of Cyber Risks
Knowledge at Wharton, UPenn
Corporate boardrooms are waking up to the encroaching, systemic threat of cybersecurity risks. But while awareness is growing — more than 80% of boards now discuss cybersecurity at most, if not all, of their meetings — many directors simply are not sure if they have the information and tools at their disposal to provide effective oversight of top management to handle today’s hacking dangers, especially intrusions sponsored by nation-states.

Why are Companies and their Directors and Officers Still Behind on Cyber Security Oversight and Disclosure?
JD Supra Business Advisor
And over the past several years, there has developed an army of talented IT, legal, and insurance professionals ready to help boards manage this threat, and there are some very proactive, outspoken, and conscientious directors who are trying to lead the way. Yet surveys still say that, on the whole, directors aren’t sufficiently engaged, and companies aren’t providing directors with sufficient information and support.

Our Cybersecurity Problem is a Lack of Safe Harbor Rules
Forbes
You can’t manage what you can’t measure. In my more than 25 years of business leadership, this fact has proven itself true, time and again. When I talk to CEOs about network security, I sense some denial about the fact that they may be vulnerable to a breach. They believe they are reasonably safe from cyber attacks because they have invested in the most current cybersecurity products. But they can only protect what they know about.

He took his vorpal sword in hand; Long time the manxome foe he sought—…(Will government provide solutions?)

DHS Hacks Businesses for Free to Test Cybersecurity
The Hill
The Department of Homeland Security (DHS) is peppering U.S. businesses — mostly banks and energy firms — with cyberattacks to test their digital defenses. The little-known program, offered to companies free of charge, is part of an ongoing effort to help critical infrastructure companies bolster their cybersecurity.

Officials Seize on Paris Attacks to Push Cybersecurity Measures
Forbes
So far, it seems that the ISIS attackers who carried out the November 13 terror attacks in Paris planned their attack “in plain sight” and did not use sophisticated means of encrypted communications to coordinate their attacks. The Paris attacks were traditional, physical attacks using guns and explosives, not cyber attacks. Nonetheless, officials in Western nations are seizing on the Paris attacks to promote cybersecurity measures that include censorship, weakened security standards, and militarization of the Internet. Here’s a run-down of what they have proposed.

EU Can Suspend New Data Transfer Pact with U.S. if Worried about Privacy: Official
Reuters
A new data transfer pact between the European Union and Washington will give the EU the right to pull the plug on the deal if it fears the United States is not safeguarding privacy enough, the EU Justice Commissioner said on Thursday. A previous transatlantic data transfer framework, Safe Harbour, was struck down on Oct. 6 by the European Union’s top court because of worries about mass U.S. surveillance practices.

Cyber Compromise Sparks Privacy Feud
The Hill
Lawmakers, privacy advocates and civil liberties groups sparred Wednesday over the final text of a major cybersecurity bill released overnight as part of an omnibus spending package. The bill, which would encourage businesses to share more data on hackers with the government, has drawn fierce opposition from privacy groups and a vocal coalition of lawmakers. These opponents came out swinging Wednesday against what they see as a bill that would merely shuttle more of Americans’ personal data to the National Security Agency (NSA) without actually boosting the nation’s cyber defenses.

Is the Cybersecurity Act Really Government Spying in Disguise?
The Christian Science Monitor
After years of debate over how Washington and the private sector should cooperate on confronting cybersecurity threats, last week President Obama signed into law the Cybersecurity Act to vastly expand the flow of information on digital threats into federal agencies. While the law signed as part of a $1.1 trillion omnibus package aims to boost the exchange of data between the private sector and the government, the information sharing act has been maligned by critics as a Patriot Act in disguise, another mechanism for government spying on citizens, and an overall detriment for cybersecurity.

The Jabberwock, with eyes of flame, Came whiffling through the tulgey wood, And burbled as it came! (What comes for us in 2016?)

Kaspersky Labs Offers 2016 Security Predictions
itWeb
Next year will herald “the end of the world for APTs as we know them”, Kaspersky Labs predicts. Advanced persistent threats (APTs) – multi-phase cyber-attacks in which criminals stealthily penetrate a network, avoiding detection to obtain data over an extended period of time – will dramatically change in structure and operation in 2016, said Dirk Kolberg, senior security researcher at Kaspersky Labs.

US Elections May Spur Cyber Attacks
The Financial Times
The era of the large-scale cyber security breach looks set to stretch into 2016, with new targets replacing the likes of US-based Anthem Healthcare, Ashley Madison, a Canadian dating website for married people, and UK telecoms company TalkTalk in the headlines.

Cybersecurity: Key Themes and Threats
Forbes
Dhanya Thakkar, Asia-Pacific managing director at Trend Micro, discusses the threats, themes and trends in cybersecurity for 2016. He speaks to Bloomberg’s Yvonne Man on “Trending Business.” (video)

How Artificial Immune Systems May be Cybersecurity of the Future
SingularityHUB
2015 was a year of jaw-dropping hacks. From CIA director John Brennan’s private email to Sony Inc, from the IRS to CVS, from Target to the notorious Ashley Madison, millions of people suffered from cybersecurity breakdowns across industries. According to the Ponemon Institute, the average cost of damages from data breaches in the US hit a staggering $6.5 million this year, up $600,000 from 2014. Untallied are the personal costs to the hackers’ victims: the stress associated with leaked phone numbers, credit card information, social security numbers, tax information, and the time spent getting their lives back on track. The sophistication and scope of cyber threats are expected to further escalate, yet our defenses remain rudimentary, even medieval.

Predictions Cybersecurity 2016
CloudTweaks
From Ashley Madison to the Office of Personnel Management (OPM), hackers did not discriminate between organizations or industries when it came to unleashing cyber-attacks in 2015. This past year, data breaches affected millions of people with headlines of a new hack appearing almost daily. On an individual level, customers’ passwords were compromised, credit card information stolen, and private lives became public to name a few ill-fated scenarios.

We wish all of you a prosperous 2016, and hope each of you has a moment to say “O frabjous day! Callooh! Callay!”

By Tom Davis, SDI Cyber Risk Practice
December 29, 2015

The SDI Family of Characters Wishes You and Yours a Safe and Happy Holiday

We look forward to working with you in 2016!


The Risks of Celebrity Endorsers: What the Subway Brand Taught Us

Celebrities have long been favorites to feature in advertisements; they are seen as individuals with attractive qualities that are consistent with the brand’s value proposition. The right celebrity can reap huge rewards for a brand, and brands have capitalized on the marketing value of celebrity endorsers for years, with overwhelming success. While the practice is effective at enhancing brand image, instilling trust in and creating credibility with consumers, it remains a risky proposition for a brand, one that can expose it to serious reputational damage.

Shock and disgust erupted across the nation when news broke of the child pornography investigation of former Subway pitchman Jared Fogle in 2015. Fogle, who thanks to Subway had become a household name, brought a flood of unwanted negative attention to the Subway brand, thrusting Subway into nearly every headline about the atrocious activities of the person who served as the face of Subway for more than a decade. Consumers will long associate the Subway brand with a convicted pedophile.

Fogle joins the list of brand endorsers who have become examples of the risks companies take when they make high-profile public figures part of their marketing strategy. Tiger Woods, Paula Deen, and Lance Armstrong are just a few familiar faces who were dropped by brands because of controversial headlines. They highlight the fact that endorsements can be incredibly challenging and costly.

When a story that paints a negative image of a celebrity endorser plays out in front of the public, a tainted picture is also painted for the company’s brand, making it difficult to regain the consumer trust needed to support the organization or buy the product. In the worst case it can lead a company to rebrand its identity to recapture its place in the market.

When celebrity endorsers come under fire, companies must assess whether the negative actions of their endorser outweigh the value of the partnership that the brand has with the celebrity. It is common for advocates for causes associated with presumed victims of the celebrity endorser’s actions to immediately bring pressure on the brand to disassociate itself. It’s critical for a brand to anticipate the dissolution of its celebrity relationship and have a contingency plan prepared in case things do go awry to avoid or minimize damage to the brand.

By Gadeer Ghannam

Gadeer is an SDI intern earning her Master’s degree in Strategic Communications and Public Relations at Trinity Washington University.

December 17, 2015

You Better Watch Out, You Better Not…Shop Online at Christmas?

At this time of the year, it may not be Santa Claus who is watching while you’re sleeping and knowing when you are awake. The sheer volume of online shopping, projected by the National Retail Federation to be $105 billion this year, together with the urge to get to the finish line makes Christmas a hugely attractive holiday for hackers around the world. Cybersecurity services provider Cytegic tracks cybercrime trends and notes that “Attacks against retailers usually take place a few days before a major holiday, with the week before Christmas being the most threatened time in this period.”

The Retail Cyber Intelligence Sharing Center points out a couple of major realities that underlie the retailer end of the holiday cyber challenge. “Retailers see much higher volume peaks, especially at sale times, both in stores and online. This makes it harder to detect anomalous traffic, and it’s impractical to block IP ranges based on geography, because online sales can be global.” Also, “Retail staff is motivated and focused on sales, at the risk of possibly allowing fraudulent transactions or other types of breaches.”

On the home front, keeping your data secure becomes ever more difficult, as we move from buying hobby horses to buying Trojan horses. Once again, the Internet of Things may be making it possible for a Grinch to steal your Christmas in ways you hadn’t considered.

Earlier this year Mattel introduced “Hello Barbie,” a talking version of its iconic Barbie doll. Critics pounced, suggesting it was downright creepy for children to be talking through Barbie to a toy company that wants to sell more toys. As it turns out, the bigger concern may be that folks with other motives might also be listening to those conversations. Computer security researchers just announced that the app used by the toy has flaws that let hackers eavesdrop on communications between it and the cloud servers to which it connects. That notice comes on the heels of a November incident in which we learned that someone breached an app store database belonging to toy manufacturer VTech, uncovering the names, birthdays and genders of more than six million children and apparently getting their photographs as well.

What should a harried holiday shopper do? Security software company McAfee (now Intel Security Group) offers a helpful shopping list of scams and how to avoid them. The FBI checks in with its own warnings and precautions. In the end, it is up to us to pay attention, be cautious, and be good for goodness sake.

By Tom Davis, SDI Cyber Risk Practice
December 15, 2015

Here’s The Thing


When night falls at the Amundsen-Scott South Pole Station it is a long wait until dawn. Six months, to be exact. Outside, in the darkness, the wind howls, and blizzards rage. Inside, the few dozen people who are spending the night pass the popcorn and settle in to watch John Carpenter’s “The Thing,” a classic sci-fi horror story about an extra-terrestrial life form that awakens and begins to consume the researchers at an Antarctic research station. In 2011, a prequel was released after the producers opted not to attempt a remake of Carpenter’s masterpiece, on the assumption that a remake could not possibly be scarier than the original. Little did they know that people around the world were working on a concept that would eventually threaten far more people than the cloistered Antarctic researchers. I give you “The Internet of Things” (IoT).

In its most benign form, the IoT refers to the network of devices that are connected to the Internet and can be controlled remotely. It imagines a world where anything can be connected and communicate with other devices. Cisco estimates 50 billion devices will be connected through the IoT by 2020. Smart homes; smart cities; a steady stream of data exchanged between and among devices, with the potential to enhance efficiency, lower costs, and improve security. Except that last attribute is open for debate.

Peter High is writing a series in Forbes titled “IT Influencers.” High’s series offers an interesting read. He recently interviewed Ron Ross, a Fellow at the National Institute of Standards and Technology, where he leads the Federal Information Security Management Act Implementation Project. Ross captures the essence of the challenge posed by the rapid expansion of the IoT:

“…the common denominator in everything that we are talking about in cybersecurity. That computer is driven by firmware and software created by human beings. It is getting larger, and the complexity is getting greater. When you have that situation, there are a certain number of flaws, weaknesses, or deficiencies that exist in any code. A certain percentage of those are vulnerabilities that can be exploited by threat sources or agents. That gives us great concern, because as the number of systems, platforms, and applications expands the number of vulnerabilities is growing. Those vulnerabilities are not always known…IoT is expanding the universe…as we put more things into our information technology infrastructure, more opportunities are given to adversaries to attack us. That attack surface grows larger every day, so we have to do some things to manage it, especially where we want to have systems that are dependable.”

Ross goes on to point out that as we head into an ever less certain future, we have to recognize that a core cybersecurity consideration for the IoT will simply be who and what we can trust. Trust will be earned and merited by the security features built into whatever product we buy. Marketing products that are part of the IoT will require earning and assuring trust—which brings us back to the fundamental challenge facing the dwindling band of researchers being devoured by The Thing. Who, and what, can we trust?


By Tom Davis, SDI Cyber Risk Practice

December 8, 2015

Thank You, SDI

Dear Susan Davis International,

Where has the time gone? It seems like just yesterday we were eagerly waiting in the library ready to meet you all. We came into this experience with high expectations, and SDI has exceeded each of them. It’s amazing how much opportunity there is for growth in 15 short weeks! We are grateful you were all so welcoming and helpful during our time here. As we are taking away so much from this experience, we hope to leave a small mark on SDI as well. Everyone in Suite 400 has positively impacted our internship experience, so instead of writing a generic thank you note, we decided it was only right to give those of you we worked with a shout out for all to see.

Aliza – Your enthusiasm is an inspiration to both of us.  It seems like you manage to accomplish what 10 people would in a day, and sometimes you go so fast we swear you’re a blur!  We’ll miss your positivity and dedication to your work.  Your consistent guidance helps us increase our potential.  You’re a good teacher! P.S. Sorry for figuring out Cision didn’t work properly on Google Chrome only two weeks ago!

Allison – What can’t you do?  You are crucial to the SDI team, and your ability to pick up any task and complete it successfully is truly impressive.  Thank you for always being there for any questions we had, and for letting us borrow your gym membership.

Dan – It is hard to imagine you were once in our shoes after seeing your tremendous role and success in your work at SDI.  You are a true leader.  Also – thank you for answering our knock on the door in the early morning when we forgot the key!

Jayne – Thank you for choosing our resumes out of the pile and giving us the opportunity to succeed at SDI.  Thank you for keeping us on track and brightening our day with your emails.  This experience has been made more wholesome and enjoyable because of your guidance, and we wouldn’t be here without you!

Judy – Judy, you’re the backbone of SDI. While we worked the corridors of SDI, we’ve both seen how incredible your role here is. From leading our media meetings every Monday, and overseeing and offering your help in every single account we have to keep them and the office in ship shape, we can’t imagine SDI without you.

Julie – Though it’s been a short time here with you, we’re so glad we got to be here when you joined SDI!  You jumped right in, and now it’s hard to imagine SDI without your hard work and dedication.  Thanks for being another “Julie!”

Leila – Leila! We’re going to miss you and your laugh.  Whether it’s a question about how to draft talking points or what the best place to camp in South America is, you’re remarkable.  Working with you has been a privilege.  You have taught us so much!  Thanks for being sweet, fun, and encouraging.

Tom – Thanks for always being a smiling face. Every time you pass by, we’re guaranteed a bright smile and warm hello. And, the cyber practice is resonant with your knowledge and expert analysis!

Maddie – Thank goodness we had you to count on as part of the intern team! We were welcomed by Vicky and sad to see her go, but your arrival made everything better again. We’ve loved getting to know you (especially in our cozy little office together) and will miss you tons. Best of luck as you finish school!

Susan – Last but of course not least, thank you, Susan, for bringing us into your company and showing us not only how to be successful in the PR world, but in the world as a whole, and specifically as empowered women.  The work you do and the legacy you’ve built and continue to build is incredible and inspiring.

Please keep in touch!

Best,

Morgan Beavers, University of Georgia

Julie Haupin, Penn State

One Cybersecurity Question Every Leader Should Ask

Ernst & Young’s 2015 Global Information Security Survey is out, and, as usual, is just chock full of information. This year’s survey of 1,755 organizations from 67 countries finds that 88 percent of the global respondents do not believe their information security architecture is sufficient to meet their security needs.

Ernst & Young correctly notes that one of the major challenges organizations confront in the cybersecurity arena is figuring out how not to drown in all the data. You could comb through the report and make judgments about the relative maturity of your organization, or you could take a shortcut and heed this observation— “To efficiently guide your organization through the layers of risks and threats, leaders must have the confidence to set the risk appetite, and be prepared to swing into decisive action to handle any incidents. For example, one clear theme emerging from the last couple of years is that the impact of an incident is greatly reduced by the leadership ensuring there is intelligent and appropriate handling of cyber incidents, and effective communication both internally and externally to manage the outcome.”

There you have a list of priorities in a nutshell. Arguably, the single most important cybersecurity consideration in any organization is whether leadership is both demanding and supporting internal efforts to identify and prioritize threats, take appropriate measures to reduce risks, and develop comprehensive and effective response plans. Corporate boards must demand accountability from the C-suite, and C-suite leadership should be fully invested in ensuring the organization’s readiness.

Here’s a simple introductory test. Leadership should ask whether the company’s critical data assets have been identified and prioritized, and whether the company can identify who has access to those assets, where they reside within the company (typically in many places, given the nature of today’s workplace), and how they move out of the company. If the answers to these questions are not a crystal clear and convincing “yes,” you’ve got work to do. If you do get a “yes” you still have work to do, because readiness is a process, not an end, but you’re in a far better place than those starting with a “no.”


By Tom Davis, SDI Cyber Risk Practice

December 1, 2015