Archives for January 2016

Exploring the Cybersphere 2016 – January

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite.  Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

Many takeaways this month from articles that further our understanding of cybersecurity concerns and issues starting with:

Rethinking cybersecurity

Cyber Defenses Should Emphasize Resilience As Well As Protection
Forbes
The rise of digital has revolutionized how businesses work and serve their customers, but it has also added new dimensions of risk for financial services firms.  Five out of every six large companies – those with more than 2,500 employees – were attacked in 2014, a 40% increase over the previous year.  The costs of digital attacks are also increasing; the average annual cost per company of successful cyber-attacks increased to $20.8 million in financial services last year.  And many incidents go undetected for long periods of time, so the true scale of the problem is even greater.

Data Insecurity: Flawed Technology or Outdated Business Process?
Dark Reading
Are data breaches caused by flawed security or outdated business processes? If we want to truly shift the momentum in the cybersecurity fight, as an industry we need to drastically change how we conduct business and think about securing business processes first. Only then can we focus on the IT systems in which they reside. To be clear, this is more than implementing a few processes. Getting to the crux of this global problem will require a top-down audit of how a specific business operates. From there, we will need to undertake a complete overhaul of each and every function. The reason: in many cases, when business processes were “automated” the process was not altered — just transformed into digits.

Cyber Security Isn’t Working – Security Breaches are Inevitable
Security News Desk
Paul German, VP EMEA, Certes Networks, insists it is time to face up to the futility of breach detection and protection alone, and that organisations must make a change to avoid the fate of the organisations that have recently hit the hacking headlines. Cyber security isn’t working. Too many companies are being breached; and governments globally are recognising the need to invest heavily to protect vital services and infrastructure. However, today’s defence in depth security models are not completely flawed; they are, perhaps, naïve.

Deloitte: For CyberSecurity – Offense Can Be the Best Defense
Integration Developer News
As 2016 begins, organizations are going on the offense to combat cyber threats, according to a report this month by Deloitte LLP.  Companies and government agencies are no longer satisfied with simply “locking the doors” where cybersecurity is concerned, said the 2016 Deloitte Analytics Trends report. “Organizations with a sophisticated approach to cybersecurity are no longer satisfied with locking the doors after the robbery has been committed. [They] are beginning to employ more predictive approaches to threat intelligence and monitoring—in short, going on the offensive,” the Deloitte report found.

Organizations are Spending Ineffectively to Prevent Data Breaches
Net Security
A new report by 451 Research, which polled 1,100 senior IT security executives at large enterprises worldwide, details rates of data breach and compliance failures, perceptions of threats to data, data security stances and IT security spending plans. Critical findings illustrate organizations continue to equate compliance with security in the belief that meeting compliance requirements will be enough, even as data breaches rise in organizations certified as compliant. Investments in IT security controls were also shown to be misplaced, as most are heavily focused on perimeter defenses that consistently fail to halt breaches and increasingly sophisticated cyberattacks.

Key Changes to the Cybersecurity Landscape in 2016
IT ProPortal
Cybercrime will not go away or be defeated in 2016, and will instead continue its spread into all sectors of the economy as the digital revolution brings more and more firms into the firing line. Simon Viney, a director of Security Science at Stroz Friedberg, the investigations, intelligence and risk management company, believes the threat will increasingly have ramifications for corporations, boards, governments and regulators, and is predicting a number of key changes to the cybersecurity landscape in the year ahead.

Are we safe on land?

The ‘Mind-Boggling’ Risks Your City Faces from Cyber Attackers
Market Watch
During a 2014 cybersecurity drill that New York City officials held with intelligence agencies, the Federal Bureau of Investigation posed several scenarios. What if the city noticed that the 911 system had shut down? What if criminals attempted to coordinate a computer attack on emergency infrastructure with a physical attack? The city often had the same response: They’d call the FBI. Unfortunately, they were told, that might not help. “That’s not what we do,” Leo Taddeo, former head of the Federal Bureau of Investigation’s cyber and special operations division in New York, said he told them.

US Utilities Warned to Boost Defenses After Blackout in Ukraine
The Hill
A pseudo-governmental electricity industry group in the U.S. has advised its members to boost their network security after reports emerged that a cyberattack downed a Ukrainian utility for six hours, Reuters reports. The Dec. 23 incident left roughly 700,000 homes without power and is thought to be the first major blackout caused by hackers. The Electricity Information Sharing and Analysis Center (E-ISAC) called the blackout a “coordinated effort by a malicious actor” and last week urged its members to “do a better job” at layering digital security to keep out hackers.

Malware Alone Didn’t Cause Ukraine Power Station Outage
CSO
A new study of a cyberattack last month against Ukrainian power companies suggests malware didn’t directly cause the outages that affected at least 80,000 customers. Instead, the malware provided a foothold for key access to networks that allowed the hackers to then open circuit breakers that cut power, according to information published Saturday by the SANS Industrial Control Systems (ICS) team. Experts have warned for years that industrial control systems used by utilities are vulnerable to cyberattacks. The Dec. 23 attacks in Ukraine are the most prominent example yet of those fears coming to fruition.

Or on the sea?

Cyber Attacks – Coping with New Threats to the Maritime World
Seatrade Maritime
“From rock and tempest, fire and foe, protect them where so ever they go” is an all-encompassing list of maritime hazards which is usefully encapsulated in the seafarers’ favourite hymn –“Eternal Father”. A very 21st century addition to these timeless risks of maritime commerce might now be that of cyber attack, which conceivably could be as serious and damaging as any of those on this list. Ships are no different to any other facet of modern life and have become, in recent years, horribly vulnerable to malicious or criminal external interference, with all the sophisticated electronics that keeps them operating efficiently. The fact that nothing really terrible has happened (at least that which has been made public) probably owes more to the general ignorance of marine technology and the plethora of other tempting targets, than the efficacy of shipping’s own defences.

BIMCO Releases First Cybersecurity Guidelines for Shipping Industry
SC Magazine
The Baltic and International Maritime Council (BIMCO) today launched the first set of cybersecurity guidelines for the global shipping industry to prevent issues that could arise from cyber incidents at sea. The guidelines were developed by international shipping associations including BIMCO, Cruise Lines International Association (CLIA), International Chamber of Shipping (ICS), International Association of Dry Cargo Shipowners (INTERCARGO) and International Association of Independent Tanker Owners (INTERTANKO), according to a Jan. 4 release. The guidelines also contain information on understanding cyber threats, how to assess and reduce risks, how to develop contingency plans, and identifying vulnerabilities and potential targets for cybercriminals.

Is anybody safe?

The Flaw in ISIS’s Favorite Messaging App
The Atlantic
In some corners of Washington, D.C., cryptography is becoming a dirty word. Since the rise of the Islamic State, hardly a day goes by that politicians don’t raise the specter of a terrorist attack planned on encrypted messaging platforms. In December’s Democratic debate, viewers heard Hillary Clinton call for a “Manhattan-like project” to ensure that law enforcement would always be able to implement a wiretap. For more and more lawmakers, encryption is that perfect, pitch-black night in which radicalized things go bump.

By Tom Davis, SDI Cyber Risk Practice

SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.

January 26, 2016

Snowzilla 2016 Strikes the Washington, DC Area (Images)

So. Much. Snow. The snow began falling fast across the Northeast, on Friday, forcing cities to shut down. Some of the SDI team were finally able to venture out and have some fun in the blanket of snow, while others enjoyed the view from indoors, opting to stay warm.

Check out the images of surreal and extremely white pictures of the storm, dubbed “Snowzilla,” courtesy of the intrepid SDI team. It’s fair to say, the photos show us adjusting perfectly fine after the storm.

January 26, 2016


Ragan Honors Susan Davis International with 2015 Ace Awards for ‘Specialty Agency’


In announcing its 2015 Ace award winners, Ragan Communications and PR Daily stated their goal was to honor the individuals, agencies and teams in PR and marketing who begin and end each day at the top.

While every award is meaningful, this one has particular resonance because it exemplifies the depth of SDI’s expertise across the company, and reaffirms our commitment to excellence for each and every client.

Here’s what Ragan had to say about us:

Susan Davis International has handled the introduction of national memorials, historical institutions, and monuments to audiences around the world. You know many of them: The U.S. Holocaust Memorial Museum, the National World War II Memorial, the Martin Luther King, Jr. Memorial, and the Franklin Delano Roosevelt Memorial. SDI’s work reflects its passion for its specialties. In one case, SDI built awareness of and support for the Marine Corps Heritage Foundation by promoting the unveiling of a monument to a Marine Corps horse outside the National Museum of the Marine Corps. In another example, SDI helped the Elizabeth Dole Foundation release results of a critically important study revealing the seemingly overwhelming challenges faced by military and veteran caregivers, leading to establishment of a national coalition of leaders and organizations to address the issues. In both cases, SDI developed extensive, multi-phased strategies with results that would be the envy of any agency.

January 20, 2016

First We Must Know Ourselves

It is not the mountain we conquer but ourselves.
Edmund Hillary

Ferdinand Magellan. Marco Polo. Leif Ericson. Sir Francis Drake. Vasco de Gama. Roald Amundsen. Christopher Columbus. Thor Heyerdahl. Dora. Intrepid souls one and all. Their insatiable quest to explore the unknown enriched the world and carved their places in history. They exhibited a particular behavior characteristic that will serve executives well in learning about the cyber world. They demanded to know more about the mysteries of the world and they spent the time and effort necessary to learn.

The same ethic will well serve executives with oversight responsibility for cybersecurity. There are five core areas executives with oversight responsibility for cybersecurity practices need to explore.

The first is Risk Identification and Assessment. Every institution should have a process in place for identifying threats to data or information systems, in order to calculate the likelihood of the occurrence of the threat and to identify internal vulnerabilities. A risk assessment should include the classification of critical information assets, as well as identifying threats and vulnerabilities. The process should include the initial assessment of threats; identifying and prioritizing the closing of gaps in current policies, plans, procedures, and controls; and updating and testing plans, procedures, and controls on a recurring basis.

The second core cybersecurity function is Asset and Data Protection — working to ensure your business has the appropriate safeguards or controls in place to defend against and mitigate the damage from the various threats to your company. Here you need to inventory all the devices on your network and look at how your data is protected including assessing access control measures, data encryption, and employee education.

The third core function is Intrusion Detection Measures. Business systems are under continuing attack as cyber threats probe for weaknesses and seek to identify and exploit vulnerabilities that they find. Businesses must not only employ tools that prevent or limit unauthorized access to computer networks, systems, or information, but quickly identify intrusions so that damage can be contained. Do you know what you are using to detect anomalies? Are intrusions regularly reported and used in incident response planning?

Next is Response Planning. It is a virtual certainty that at some point a business will be breached and its data will be compromised. How effectively it responds to the breach will directly affect the amount of damage it suffers. Therefore, an incident response plan is a critical element of cybersecurity preparation. So, do you have a multi-disciplinary incident response team in place? Have you created an incident response plan? Used it or practiced it? Trained people in their response roles?

Finally, in a bit of a catch-all, there is Post-incident Recovery and Review. If you have a business continuity plan (and you should), ask how it contemplates recovering from a data breach. What mechanical processes exist to restore data, rebuild servers, databases, devices? Do you have procedures for restoring confidence in your recovered systems and data? Can you assure customers of your reliability? And, if you had an incident, have you reviewed your response and adjusted your plans and procedures based on what you learned?

The cyber world is wild and wooly. There is much to be learned and it changes rapidly. You can be forgiven for not knowing that world intimately. But the mistake that cannot be forgiven is failing to explore what your own business is doing to protect itself.

By Tom Davis, SDI Cyber Risk Practice

January 19, 2016

Wikipedia Exemplifies Team Building in the Workplace

Today we honor the incredible, and at least semi-credible source of information you can’t help but secretively take a peek at every once in a while (or more) — Wikipedia. Why the honor? It’s Wikipedia’s 15th birthday, and although it’s a resource we in the public relations field are loath to quote, let alone celebrate, it does offer some public relations bona fides. One of them is team building.

In spite of its open platform, where independent editors write and rewrite immeasurably to create a free online encyclopedia for all Internet users, Wikipedia exemplifies team building.

How does it do that?  It’s true that there’s a continuous battle between people who make a living editing Wiki articles and the unpaid true-believing editors of Wiki, 250,000 strong, who zealously guard the process. But Wikipedia’s veritable army of editors (or auditors, I should say) put strong mechanisms in place to deal with people who breach guidelines and engage in what they believe is unethical, conflict-of-interest editing. Overall, editors collectively decide what content can be edited and which new entries to create. On a platform of more than 5 million articles, talk about team work!

Looking at Wikipedia in this way reminds PR practitioners of the importance of working effectively as a team, especially in the increasingly complex environment of public relations, where many “editors” can either make the broth or spoil it.  Here are 4 reasons to value working as a team:

  1. Improves communication – Sharing responsibilities requires checks and balances, which encourages team members to engage openly with each other. Perceived barriers to communicating can break down in a group environment and in the best team practices, individuals are inspired by the group dynamics to share and discuss ideas and opinions. Improved communications can reinforce office relationships and in turn, the quality of work performed.
  2. Promotes creativity – Working together with other team members can ignite creativity and engender fresh ideas. Bringing people together from different backgrounds and levels of experience brings diversity of thought and can help create optimal solutions.
  3. Develops problem-solving skills – Public relations practitioners must be prepared to handle crises for their clients at any time. Tasks that require coworkers to work together to solve problems can improve their ability to think rationally and strategically.
  4. Increases efficiency – Most people don’t have all the skills or all the answers to tackle complicated problems. Harnessing the rich diversity of abilities among a group of individuals can present the quickest, most efficient path to a solution.

This is your day Wikipedia. So to you we say thanks for striking a chord for us PR professionals in exemplifying the possibilities of effective collaboration.

Happy Birthday!

By Gadeer Ghannam, SDI

Gadeer is an SDI intern earning her Master’s degree in Strategic Communications and Public Relations at Trinity Washington University.

January 15, 2016

A Geneva Convention for Cyber Warfare?

The Geneva Conventions generally are understood to establish standards that govern the behavior of combatant nations toward civilians, prisoners of war and soldiers who are not capable of fighting. Their adoption created norms of behavior for tempestuous times. While they may not always be scrupulously followed, the fact they have been ratified by 196 sovereign states suggests there is solid accord on the principles they set forth. Now the Geneva Convention model is being held out as a way to address cyber warfare.

The Chairman and ranking member of the House Subcommittee on the National Security Agency and Cybersecurity sent a letter to Secretary of State John Kerry and National Security Advisor Susan Rice that said, in part, “Nonproliferation agreements were negotiated to curtail the exponential growth of nuclear weaponry during the second half of the 20th Century. Now is the time for the international community to seriously respond again with a binding set of international rules for cyber warfare: an E-Neva Convention… .”  The letter asked for the U.S. to take the lead in developing a binding set of international rules for cyber warfare. The Congressmen pointed out that the United Nations Group of Governmental Experts on Information Security last year affirmed a nonbinding consensus among twenty nations that international law, including the United Nations Charter, applies in cyberspace, and suggested it might be possible to build on that effort.

The letter might have been a short-lived blip on the cyber radar except for one additional development. The recently enacted Cybersecurity Act of 2015 contains a provision that requires the State Department to create an international cyberspace policy within 90 days. It shouldn’t go unmentioned that the State Department recently has been having a problem meeting deadlines, but we can assume that at some point we will see a State Department plan that lays out a strategy for developing international norms covering standards of behavior for cyber warfare.

Given that the proponents of an E-Neva Convention saw no need for a G in describing their approach, I think we can borrow the G to make the following observations. Gee, it would be great to have universally agreed upon protocols for cyber warfare. Gee, it is exceedingly unlikely such protocols will be adopted anytime soon. It does appear that at the highest levels of U.S. governmental thinking there is an effort to draw clear lines of distinction between cyber warfare and other acts. We were able to say, for example, that the presumed Chinese sponsored attack on OPM was business espionage. We deemed the Sony hack attributed to North Korea a cyber attack and enacted sanctions against North Korea, in part because it was felt necessary to establish deterrence against further attacks. But how the U.S. sees and categorizes cyber activity does not determine how other nations will view the same actions. We are a long, long way from bridging the enormous gap that exists among nations over the use of cyber warfare.  But perhaps the fledgling State Department effort will make a contribution toward the day when that gap will be reduced or eliminated. As the Chinese philosopher Laozi said, “A journey of a thousand miles begins with a single step.”

By Tom Davis, SDI Cyber Risk Practice

January 12, 2016

Periscope: The Next Big Social Marketing Tool?

Video marketing has been around for quite a while now, but expect to see live streaming play an increasing role in digital and social marketing this year.

With social media sites such as Facebook, Twitter, Instagram and Pinterest encouraging businesses and brands to promote their goods and services with user-generated content, video content provides a dynamic marketing opportunity. The demand for brands to be more accessible to consumers on a personalized level is growing.

That’s where Periscope comes in. Unlike other online video services such as YouTube, Periscope, the Twitter-owned live video streaming app launched in early 2015, allows anyone to broadcast video for free with the 24-hour ‘replay’ option, giving small businesses an easy, fast and affordable way to communicate with their Twitter followers and customers in real-time.

Watch WSJ’s Joanna Stern test out the popular live streaming app

Here are some ways brands can use the app to maximize their appeal for brand marketing purposes.

Live Q&A Sessions and Instant Feedback
This is a quick, convenient way to interact with customers and clients while you showcase your experience and expertise. These opportunities help humanize your brand, address pertinent issues and solve problems. Regular Q&A sessions can be a good way to gain valuable firsthand feedback and insights from your customers. You can also hold live webinars on Periscope to boost engagement. Webinars provide audiences the opportunity to ask questions and leave comments, which allows you to respond in real-time.

Announcements
Periscope presents a fun way to announce special offers and contests, giving brands a new way to push instant traffic to their website. Whether you’re unveiling a new product or hosting an event, you can make your audience feel special by announcing it first on Periscope. It’s also a great way to gauge interest and keep people in the ‘buzz’ about what’s to follow. You can also offer Periscope-based discounts and exclusive offers to boost sales.

Behind the Scenes
Customers always want to know more about a company’s culture. With the Periscope app, you can take customers on office tours, show interviews and introduce them to the people behind the brand, making an instant personal connection to reinforce consumer trust in your brand.

Build Twitter
Periscope is a live-streaming app that allows you to broadcast to all your Twitter followers any kind of content through real-life videos. You can use Periscope to increase and enhance your Twitter followership.

How might you use Periscope to engage your audience?

By Gadeer Ghannam, SDI

Gadeer is an SDI intern earning her Master’s degree in Strategic Communications and Public Relations at Trinity Washington University.

January 7, 2016

On Sin and Sinners, Cyber Style

There is no sin except stupidity…
– Oscar Wilde

Way back in 2015, New York Times columnist David Brooks was interviewed in The Washington Post about his new book, “The Road to Character.” The book explores (and seeks to inspire in readers) what Brooks terms “eulogy virtues,” such as humility, kindness, and bravery, attributes that might be mentioned during a eulogy. The book also mentions sin a number of times, a topic with which I am quite conversant. Brooks is quoted in the Post interview as espousing “identifying your core sin, keeping a journal of how it manifests itself in your life, what behavior it leads to…” I find the suggestion useful, both on a personal and professional basis. It just happens to tie in nicely with a new article by security expert Brian Contos in CSO Online titled “5 Sins Cybersecurity Executives Should Avoid.” Herewith, the five sins.

Trying to be perfect. Don’t bother trying to position yourself to cast the first stone. As Contos points out, “trying to make our networks 100 percent impenetrable is an inconceivable path forward as myriad anecdotes have shown that even the most robust and layered security networks get penetrated sooner or later.” Instead, “shifting focus from trying to deter all attacks toward a more risk management focused approach allows organizations to understand their cyberthreat profiles… Identifying, analyzing, and prioritizing threats will better position organizations to allocate material, fiscal, and personnel resources accordingly, the results of which should bolster resiliency and recovery capabilities when breaches occur.”

Betting on cyberinsurance equaling security. Gambling may not be a classic sin but there’s a definite downside. Contos notes “cyberinsurance will help organizations absorb some of the costs that may occur after a breach.” However, “in a time when surreptitious theft of sensitive and personal information is increasing, organizations will need to balance that risk mitigation investment with other investments such as those supporting continuity of operations.” In truth, a key contribution of insurance can come in the demands an insurer may make for better planning and preparation.

Thinking that cybersecurity is a one-and-done solution. Absolution is hard to come by in today’s cybersecurity world. Per Contos, “As technology continues to advance, cybersecurity tools and products develop with it enhancing organizations’ abilities to quickly identify threats, reduce their response time to them, and ensure that business operations do not suffer long periods of inoperability as a result. But buying the most sophisticated monitoring device or data loss protection solution is not a panacea to breaches, theft of sensitive information, or other forms of cybermalfeasance.” He also drops this little gem — “Considering that in 2014, there were approximately 143 million malware samples, roughly 12 million new variants a month, in addition to at least 24 previously unknown vulnerabilities for which detection would not have been possible, it’s easy to see why organizations cannot rely on the productivity of technology as their sole defense mechanism.”

Forgetting about getting employee buy-in. Oh those pesky unwashed masses. Contos notes, “The weakest link in most cybersecurity apparatuses is not an unpatched or misconfigured device, but the human factor. This should come as little surprise given the fact that phishing and spearphishing attacks remain a favored tactic used by hacktivists, criminals, and cyberespionage actors alike. Most e-mail message-based attacks do not involve advanced malware, although certainly they can. What they seek to exploit most of all is the recipient – whether it’s his trust, his lackadaisical approach to security, his interest in specific topics, or any other human factor that can be manipulated.”  He goes on to point out that effective cyber defense has to involve developing a culture of cybersecurity, and that training and education have to be ongoing.

Not having enough focus on an incident response plan. Finally, we get to the sin that plagues us all, the sin of omission. If you accept that breaches will occur (and you should), then you must focus time and attention on the incident response plan. Contos sums this up by stating “As the year of some of the most prolific breaches comes to a close, how organizations that were victimized handled the breaches is a direct reflection of the plans they had in place. Breach response is more than just a reaction to an infiltration; it needs to be a legitimate course of action that an organization had developed and tested in times of crisis. Perhaps more importantly, organizations need to have confidence in the plans they have developed.” He goes on to note that “In a 2015 study conducted by the Ponemon Institute, 81 percent of respondents said their company had a breach response plan, but only 34 percent believed they were effective…a good breach response plan will include risk assessments, business impact assessments, disaster recovery and continuity of operations models, contact list of appropriate law enforcement entities, forensics companies, and a post breach communications strategy to provide transparent and updated information as necessary… Sticking your head in the sand is not a viable option in 2016 and organizations need to be prepared.”

There you have it. As 2016 opens before us, go forth and sin no more.

By Tom Davis, SDI Cyber Risk Practice

January 5, 2016