
Natural Disasters and Risk Management

For many people, their first thought about natural disasters is the devastating property damage that is extremely visible and highlighted by the media. However, the impact of natural disasters goes far beyond property damage and includes the impact to your workforce, your supply chain and the operations of your business.

During a recent Out Front Ideas webinar, we were fortunate to get the perspectives of leaders from three different segments of our industry on the impact of natural disasters on risk management. Our guests included:

  • Tom Best, deputy general counsel for Home Depot
  • Ryan Brannan, commissioner of workers’ compensation for the Texas Department of Insurance
  • John Hinz, vice president of Vericlaim

Types of Disasters

There are two basic types of natural disasters – those with warning and those without. With hurricanes and flooding, you typically have some degree of warning that allows you to initiate disaster response protocols and to prepare for the disaster. However, with events such as tornados, earthquakes and other sudden events, there is no warning and no opportunity for advance preparation to minimize the impact and maximize the response. Both types of disasters benefit from developing a disaster response plan in advance.

Workplace Injuries

One of the first employer concerns has to be preventing and responding to employee injuries when a disaster occurs. At Home Depot, they work with vendors on a daily basis to identify any potential weather that could affect their stores. When there is a potential event, they pull together their response team, led by a disaster captain. Their response team has functional members of all their critical business areas, including human resources, legal, supply chain and business operations. These teams meet every year before the start of hurricane season to make sure everyone understands their role and the disaster response protocols. They also connect with state, local and federal authorities to coordinate response efforts. Because Home Depot has a very important community role in disaster preparedness and response, they keep stores open as long as possible and reopen them as soon as possible.

From a workers’ compensation claim standpoint, there are many concerns. Employees can be injured during the disaster itself. There is also significant potential for injuries sustained by first responders and the National Guard during the response and recovery. Texas deployed 14,000 National Guard troops in response to Hurricane Harvey, and those troops are all considered employees of the state of Texas when deployed. Traumatic physical injuries are not the only concerns. There are also occupational disease concerns because of the toxic chemicals that were in the floodwaters of Houston. Furthermore, there are concerns about post-traumatic stress. Because of the occupational disease exposure, there could be a very long claims tail from this natural disaster.

Workforce Disruption

Home Depot is a major employer, but they are also an essential element in any disaster response because people depend on them for building materials and other supplies. Their command center is focused on taking care of both their employees and the community as a whole.

The Texas Workers’ Compensation Commission closed five field offices at various times in response to Hurricane Harvey. Their primary focus was the safety of their staff, but they were also concerned about being able to conduct the business of the commission.


It is important to give your employees time off during a natural disaster to take care of their families and personal needs. Employers often bring in workers from other locations to assist in the affected areas so that the employees living in the area can tend to their personal needs first, then come back to work when able to do so. This allows the business to continue serving the community while also making sure that employees are settled.

Workers’ Compensation System Impact

Keeping the workers’ compensation system running during a natural disaster is important and challenging. In Texas, the governor suspended certain regulations and extended or tolled deadlines in affected areas to ensure that workers were receiving timely care and benefits and that carriers were focused on benefit delivery instead of bureaucratic issues. Social media was very useful in keeping people updated on when field offices were open and providing other important information to all stakeholders.

Healthcare Impact

One thing people do not often think about in natural disasters is the impact on the healthcare delivery system. The healthcare delivery system is disrupted in many ways:

  • Technology: With electronic medical records and a wide variety of equipment powered by electricity, a prolonged period without power can make delivery of care very challenging.
  • Continuity of care: Patients are often forced to treat at facilities outside their areas during natural disasters. Facilities need to not only be able to handle the influx of patients, but to deal with the potential HIPAA considerations.
  • Supply chain: One impact of the hurricane that hit Puerto Rico was a significant disruption to the pharmaceutical industry, which accounts for more than 70% of Puerto Rico’s exports. There was a nationwide shortage of saline IV bags after the hurricanes, for instance, because most of these were manufactured in Puerto Rico, and those factories were shut down for a time.
  • Life and death issues for patients: During Hurricane Katrina, healthcare workers and patients in New Orleans were trapped for many days without power. Providers had to make decisions around which patients to evacuate first and which patients were in such bad shape that they could not be saved.
  • Litigation costs: There is always a big spike in litigation against healthcare facilities following a natural disaster because of care disruption and other challenges.

Supply Chain

Supply chain is important to most businesses, and a natural disaster can significantly disrupt the normal supply chains. This was especially challenging on an island like Puerto Rico. Getting the supplies to the island was only the first step. Supplies sat for days in the ports because there were no dock workers to unload them and no trucks to deliver them. There are many lessons to be learned about disaster responses to islands after the events of 2017.

On the mainland, supplies can be staged out of harm’s way in advance of a hurricane so that the trucks can start rolling in once the area is safe. Additional products are purchased in advance so there are ample supplies available. Home Depot works with local, state and federal authorities to coordinate the distribution of disaster relief supplies.

Disaster Preparation

Mitigating the risks and challenges from disasters takes extensive planning and practice. Every location and each facility is different and has varying needs. But as John Hinz explained, planning for emergencies can be the difference between staying in business and losing everything. There are several essential elements that should be included in any emergency preparedness plan.

  • Focus on prevention: If there is any way to prevent a disaster from happening, that is your best defense. The first step in the process is to assess your risk and the potential impact to see how you can be more effective in disaster planning. Once you know the type of disasters for which you are most at risk, take steps to minimize potential damage to your facility and harm to your employees. Think of the actions you might need to take and what you would need in the event of a fire, flood, severe storm or other disaster.
  • Evacuation plan: Every facility should have primary and secondary routes and exits that are well-lit, marked and easily accessible. There should be an outside area designated as a meeting place for employees to gather once they are out of the building. Staff members who may require assistance during an evacuation due to physical limitations should be noted in the plan.
  • Communication: In addition to emergency contact information for local police, fire and ambulance numbers, you should have a contact list that also includes information for your customers, suppliers and distributors. This list should be updated continually, and copies kept both in your files and in offsite locations so you will be able to access them regardless of the situation. You may want to preset conference call numbers in case that is needed. Be sure you have a way to contact key players in and outside the organization.
  • Protect vital company information and critical data and programs that are imperative to keep your operation running. Make sure these things are backed up and that the backup is kept in a location separate from the primary facility.
  • Understand your insurance coverage: Review your insurance policies with your agent or broker so you know your deductibles and how they are applied to your coverages. You should know the limits and nature of your insurance, including coverage specifics. You may want to make changes to some policies, as all coverages are subject to limits and exclusions.
  • Keep insurance information handy: The names and numbers of your insurance representatives should be kept in a safe, accessible place, as this will expedite the claims process when the time comes.
  • Plan for contingencies: Despite your best efforts, your preparation may not be enough. Have an offsite location or allow personnel to work from home, if necessary, to keep the business running.


Final Thoughts

There is no foolproof plan that will protect your organization from every disastrous situation, but you can be well prepared for most emergencies. If your company does not yet have such a plan, you can work with carriers or agents and brokers to begin the process. There are also a number of consultants that specialize in this area.

After developing a disaster preparedness plan, you need to continually review and update it to make sure that it is current and that everyone understands his or her role if there is a disaster.

You can listen to the archived Out Front Ideas with Kimberly and Mark webinar on this topic here.

The Threat From ‘Security Fatigue’

There is no mistaking that, by now, most consumers have at least a passing awareness of cyber threats.

Two other things also are true: too many people fail to take simple steps to stay safer online; and individuals who become a victim of identity theft, in whatever form, tend to be baffled about what to do about it.

A new survey by the nonprofit Identity Theft Resource Center reinforces these notions. ITRC surveyed 317 people who used the organization’s services in 2017 and had experienced identity theft. The study was sponsored by CyberScout, which also sponsors ThirdCertainty. A few highlights:

  • Nearly half (48%) of data breach victims were confused about what to do.
  • Only 56% took advantage of identity theft protection services offered after a breach.
  • Some 61% declined identity theft services because of lack of understanding or confusion.
  • Some 32% didn’t know where to turn for help in event of a financial loss because of identity theft.

Keep your guard up

These psychological shock waves, no doubt, are coming into play yet again for 143 million consumers who lost sensitive information in the Equifax breach. The ITRC findings suggest that many Equifax victims are likely to be frightened, confused and frustrated — to the point of acquiescence. That’s because the digital lives we lead come with risks no one foresaw at the start of this century. And the reality is that consumers need to be constantly vigilant about their digital life. However, cyber attacks have become so ubiquitous that they’ve become white noise for many people.


The ITRC study is the second major report showing this to be true. Last fall, a majority of computer users polled by the National Institute of Standards and Technology said they experienced “security fatigue” that often correlates to risky computing behavior they engage in at work and in their personal lives.

The NIST report defines “security fatigue” as a weariness or reluctance to deal with computer security. As one of the study’s research subjects said about computer security, “I don’t pay any attention to those things anymore. … People get weary from being bombarded by ‘watch out for this or watch out for that.’”

Cognitive psychologist Brian Stanton, who co-wrote the NIST study, observed that “security fatigue … has implications in the workplace and in peoples’ everyday life. It is critical because so many people bank online, and since health care and other valuable information is being moved to the internet.”

Make no mistake, identity theft is a huge and growing problem. Some 41 million Americans have already had their identity stolen — and 50 million reported being aware of someone else who was victimized, according to a Bankrate.com survey.

Attacks are multiplying

With sensitive personal data for the clear majority of Americans circulating in the cyber underground, it should come as no surprise that identity fraud is on a rising curve. Between January 2016 and June 2016, identity theft accounted for 64% of all data breaches, according to Breach Level Index. One reason for the rise was a huge jump in internet fraud. Card not present (CNP) fraud leaped by 40% in 2016, while point of sale (POS) fraud remained unchanged.

It’s not just weak passwords and individual errors that are fueling the rise in online fraud. Organizations we all trust with our personal information are being attacked every single day. The massive breach of financial and personal history data for 143 million people from credit bureau Equifax is just the latest example.

Over the past four years, there has been a steady drumbeat of major data breaches: Target, Home Depot, Kmart, Staples, Sony, Yahoo, Anthem, the U.S. Office of Personnel Management and the Republican National Committee, just to name a few. The hundreds of millions of records stolen never perish; they will continue in circulation in the cyber underground, available for sale and/or to be used in the next innovative fraud campaign.

Be safe, not sorry

Protecting yourself online doesn’t have to be difficult or complicated. Here are seven ways to better protect your privacy and your identity today:

  • Freeze your credit rating at the big three rating agencies so scammers can’t use your identity to take out loans or credit cards
  • Add a website grader to your browser to avoid malware
  • Enroll in ID theft coverage with your bank, insurer or employer; it could be free or surprisingly inexpensive
  • Get and use a password vault so you can create and use hard-to-guess passwords
  • Be knowledgeable about common cyber scams
  • Add a verbal password to your bank account login and set up text alerts for unusual activity
  • Come up with a consistent way to decide whether it’s safe to click on something.

There is a bigger implication of losing sensitive information as an individual: it almost certainly will have a negative ripple effect on your family, friends and colleagues. There is a burden on consumers to be more active about cybersecurity, just as there is a burden on companies to make it easier for individuals to do so.


NIST researcher Stanton describes it this way: “If people can’t use security, they are not going to, and then we and our nation won’t be secure.”

Melanie Grano contributed to this story.

How to Determine Your Cyber Coverage

Public agencies and organizations around the world are making cyber risk their top priority. North American policyholders dominate the market, but Europe and Asia are expected to grow rapidly over the next five years due to new laws and significant increases in targeted attacks, such as ransomware. Various experts predict the $3 billion global cyber insurance market will grow two-, three- or even four-fold by 2020.

Deciding how much cyber insurance to buy is no inconsequential matter, and the responsibility rests squarely with the board of directors (BoD). Directors and executives should have the highest-level view of cyber risk across the organization and are best-positioned to align insurance coverage with business objectives, asset vulnerability, third-party risk exposure and external factors.


So, how much does your organization stand to lose from a supply chain shutdown, a website outage or service downtime?

Recent data points from breach investigations help frame the discussion around risks and associated costs. Following a variety of high-profile breaches helps ensure that your projected coverage requirements match up with reality. Be sure to follow older cases for deeper insight into the full expense compared with insurance payout; related costs and losses are often incurred for years afterward due to customer and market response as well as legal and regulatory enforcement actions.

In 2013, Target suffered a very public breach that resulted in the resignation of the CEO, a 35-year employee. Target had purchased $100 million in cyber insurance, with a $10 million deductible. At last count, Target reported that the breach costs totaled $252 million, with some lawsuits still open.

Home Depot announced in 2014 that between April and September of that year cyber criminals stole an estimated 56 million debit and credit card numbers – the largest such breach to date. The company had procured $105 million in cyber insurance and reported breach-related expenses of $161 million, including a consumer-driven class action settlement of $20 million.

These cases illustrate the need for thoughtful discussion when deciding how much breach insurance to buy. Breach fallout costs depend on multiple factors, are not entirely predictable and can rise quickly due to cascading effects. Cases in point: the bizarre events surrounding Sony’s breach and the post-breach evisceration of Yahoo’s pending deal with Verizon.

Organizations need to review their security posture and threat environment on a regular basis and implement mechanisms for continuous improvement. The technology behind cyber security threats and countermeasures is on a sharp growth curve; targets, motives and schemes shift unpredictably. Directors may find it useful to assess risk levels and projected costs for multiple potential scenarios before cyber insurance amounts are decided upon.

Most policy premiums are currently based on self-assessments. The more accurate the information provided in your application, the more protected the organization will be. Most policies stipulate obligations the insured must meet to qualify for full coverage; be sure to read the fine print and seek expert advice.

A professional security assessment can pinpoint areas in need of improvement. If you claim to be following specific protocols, but a post-breach investigation finds they were poorly implemented, circumvented or insufficiently monitored, the insurer may deny or reduce coverage. Notify your insurance provider immediately about significant changes to your security program.

Review policy details regularly to ensure they match prevailing threats and reflect the evolution of crimeware and dark web exploits. Cyber insurance carriers continually adjust their offerings based on risk exposure and litigation outcomes.


As the industry matures, cyber insurance policies will become more standardized. For now, it’s an evolving product in a dynamic market; boards and executives need to keep an eye on developments. Simultaneously, they must maintain a high degree of visibility across their security program. Checking off compliance requirements, writing policies and purchasing security software isn’t sufficient.

My advice is to lead from the top. Organizations need to ensure risk assessments are thorough and up-to-date, policies are communicated and enforced and security technology is properly configured, patched and monitored.

Turning a blind eye to cyber threats and organizational vulnerabilities can have disastrous consequences. Cyber insurance may soften the financial blows, but it only works in conjunction with an enterprise-wide commitment to security fundamentals and risk management.

The Cyber Threat in Manufacturing

A friend of mine asked me if the cyber-risk threat was a bit of flimflam designed to sell more insurance policies. He compared cyber-risk to the Red Scare of the 1950s, when families scrambled to build bomb shelters to protect them from a war that never came. The only ones who got rich back then were the contractors, he concluded.

I found his question incredible. But I realized that he didn’t work in the commerce stream, per se, which quelled my impulse to slap him around.


I shared with him some statistics that sobered him up quickly. I explained that cyber-crime costs the global economy more than $400 billion per year, according to estimates by the Center for Strategic and International Studies. Each year, more than 3,000 companies in the U.S. have their systems compromised by criminals. IBM reports more than 91 million security events per year. Worse yet, the Global Risks 2015 report, published in January by the World Economic Forum (WEF), included this rather stark warning: “90% of companies worldwide recognize they are insufficiently prepared to protect themselves against cyber-attacks.”

Cyber protection is not just about deploying advanced cyber threat technology to manage risk; you also have to educate your employees to not fall victim to unassuming scams like “phishing,” which is stealing private information via e-mail or text messages. It remains the most popular con as far as stealing company data because it’s so painfully simple. Just pretend to be someone else and hope a few people fall for it.

While most people understand the threat to data privacy for retailers, hospitals and banks and other financial institutions, few realize that manufacturers are also vulnerable in terms of property damage and downtime. In 2014, a steel manufacturing facility in Germany lost control of its blast furnace, causing massive damage to the plant. The cause of the loss was not employee error, but rather a cyber-attack. While property damage resulting from a cyber-attack is rare, the event was a wake-up call for manufacturers worldwide.

According to The Manufacturer newsletter, “the rise of digital manufacturing means many control systems use open or standardized technologies to reduce costs and improve performance, employing direct communications between control and business systems.” This exposes vulnerabilities previously thought to affect only office computers. In essence, according to The Manufacturer, cyber attacks can now come from both inside and outside of the industrial control system network.


Manufacturers also need to be concerned about cyber attacks that would: a) interrupt their physical supply chain or, b) allow access to their system via the third-party vendor. Manufacturers must then take steps to mitigate those risks. When Target and Home Depot were hacked several years ago, it wasn’t a direct attack on them but an attack on one of their third-party vendors. By breaching the vendors’ weak cyber security, the criminals were able to access the larger prize.

To circle back to my friend’s weird fallout-shelter theory, it’s certainly a good idea to have a backup plan in case one is hit by a proverbial “cyber-bomb.” But rather than hunker down and wait for the attack to occur, it’s critical to educate employees, vet vendors’ cyber-security and adopt — and continuously optimize — a formal cybersecurity program.

Dark Web and Other Scary Cyber Trends

We have all heard the continued drum beat regarding hacking. Anthem, Sony, Target, Home Depot, Experian and various government and military branches have all been hacked and have received their fair share of negative press. In each case, people were harmed, leaders were fired, brands were damaged and no one was really surprised.

I am not a singularly focused cybersecurity expert, but I have been up to my neck in tech for 30 years and have a knack for seeing emerging patterns and macro trends and stitching those together to synthesize consequences and outcomes. In the case of the Dark Web, none of that is good news; the emerging patterns should worry us all. As English historian Thomas Fuller (1608-1661) wrote, “Security is the mother of danger and the grandmother of destruction.”


Below is my list of the “Top 10 Scary Macro Cyberthreat Trends” – and this is still early days for them.

1. The Dark Web Pareto 

Over the last decade, the hacker population has gone from 80% aficionados/hacktivists/deep-end-of-the-pool techies and 20% professional criminals to 80% professional criminals and 20% “other.” To be clear, by “professional criminal” I mean organized criminals who are there for the money, not just someone who broke the law.

2. “Lego-ization” of the Dark Web

Over the last few years, technology in the Dark Web has changed from intricate, end-to-end hacks to a place where one merely assembles “legos” that are commercially available (albeit inside an anonymized criminal environment). People can buy not just tool kits with instructions but also “lego-ized” services like illicit call center agent time for more complex criminal activities such as getting access to someone’s bank account. Parts of the Dark Web look like IKEA without the assembly difficulty or the inevitable leftover parts.

3. The Dark Web embraces the capital-lite approach

Of course, the Dark Web has embraced the cloud-computing model for the reasons we see in the enterprise world. What this means to the criminal hacker or, more likely, hacker organization, is that they can now go asset-free and rent the assets they need when they need them.

For example, there are services for running a few hundred million password permutations in less than an hour for a few hundred dollars. Hackers no longer need to infect a massive amount of computers to fire up a denial-of-service hack; they can simply rent time on a botnet, a massive amount of “hijacked” computers up for sale in the Dark Web. Most companies still do not have a botwall to deflect bots.

Gameover ZeuS is a massive example of a botnet, with one variant able to generate 10,000 domains a day and more than three million zombie computers in the U.S. alone. Botnets are sometimes referred to as “zombie armies” (surely there’s a TV series in there somewhere). The Bredolab botnet may have had as many as 30 million zombie computers.


4. Clandestine versus brazen 

The bragging rights for revealing a hacking “accomplishment” were once a hallmark of this space. Over the past decade or so, that factor has greatly diminished. The criminal enterprise would like nothing more than to go unnoticed. The recent massive Experian hack only came to light after the Secret Service let Experian know some of its stuff had been found for sale in the Dark Web. Focusing on avoiding detection by adopting smarter methods, targets, distribution models and revenue capture is better business and is in line with a longer, sustainable view of profit. None of the criminal organizations have boards of directors that pressure them to hit the quarterly sales and operating income figures. A hack is not a moment in time; if a hacker can go undetected, he or she can milk the hack for years. This is worrisome.

5. The total available market has grown and is target-rich 

The target space for crime connected to an IP node has grown tremendously, and so has the value of the content. The massive increase in mobile IP addresses, the online transactions we do and IP-related things like stored value cards or mileage points make a rich target for crime. It is 100x bigger than what it was just 10 to 15 years ago.

The target space’s growth is accelerating. After banking regulations on the minimum size of banks were relaxed in 1900, 2,000 banks were added in two years along with growth in the relatively new credit union sector. This increase in “target space” spawned bank robbers. Dark Web crime loves the increase in the target area and doesn’t mind that the “banks” are smaller. The number of people using the Web and the average amount of time spent on the Web continue to increase. I think with the advent of things like the Internet of Things, 5G, Li-Fi and a quantum leap in cloud computing capacity per unit cost, this increase will accelerate.

6. Small many versus big few 

Over the past decade, the trend in conjunction with the above items moved toward smaller “heists” but a lot more of them. Someone in Venezuela took $2 a month off my credit card for 18 months before it stopped. How many people would miss a dollar or two off a stored value card/account that has an auto-refill function like my Skype account does?

What sort of statistical controls would you put on your revenue flows (as a business) to even recognize that leakage? Of course, there are still big hacks going on, but a lot of those are just the front end of a B2B transaction that then sells off that big pool of hacked data to buyers in the criminal bazaar. Small, often and dispersed is harder to catch and more clandestine by nature.

7. Automation of the Dark Web

Timing is everything. As the Dark Web evolved into a scale-based, organized criminal environment, it leveraged modern automation from provisioning to tool sets to communications and even to billing.

Blackshades creepware is a great example of automation extending into the consumer product end. Available for $50, it has a point-and-click interface and has internalized all of the complexity and has automated hacking even for actors with very low-level tech skills. It allows the bad actor to browse files, steal data/passwords and use the camera (often relating to extortion). Blackshades infected more than 500,000 computers in more than 100 nations. A lot of the people who bought this did not have the skills to do any hacking without this kind of automation.

8. Tech getting better, faster, cheaper while talent improves

Late last year, TalkTalk, an ISP quad-play provider in the U.K., got hacked and held for ransom by four teenagers. The company estimates $90 million of cost tied to this hack, and no one really knows what the cost of the brand damage has been. There’s also a third of the company’s market cap gone, and it lost 95,000 customers. In all fairness, TalkTalk’s security was poor. The point here is that the technology in the Dark Web is getting faster, better and cheaper. At the same time, the average talent level is rising, which may not be the case in the non-criminal tech world.

There are three factors at play:

  1. Communities of collaboration and learning are becoming commonplace. Blackshades is a great example of a malicious tool with a super-low point of entry (price and tech skills) backed up by great online help and a community site.
  2. The likes of the Metropolitan Police Cyber Unit (London), the FBI, Interpol, etc. are all very effective and are continually improving organizations that stop crime and lock up cyber criminals. In some ways, this is a culling of the herd that also serves to create a positive Darwinian push on the average talent in the Dark Web.
  3. The giant upside financial opportunity to using tech skills for nefarious purposes creates a big gravitational pull that is only enhanced by recent economic and national turmoil, especially in places like Eastern Europe, Russia and Ukraine. In addition to that, state-sponsored or affiliated hackers with military-like rigor in their training can often make money moonlighting in the criminal world.

The combination of forces raising the talent level and the continued improvement of technology makes for a bad combo. The Dark Web is also embracing open sourcing. Peer-to-peer bitcoin-based plays may become the next dark commerce platform.

9. The Dark Web itself

The Dark Web has evolved over the past decade or so from a foggy, barely penetrable space to a labyrinth of loosely connected actors and now to a massive, modernized bazaar thriving with commercial activity with a huge neon sign on the front door saying “Open for Business.” It is not just a bazaar, it is a huge B2B marketplace where the best criminals can resell their wares whole or in “lego-ized” pieces. Some of these criminals even offer testimonials and performance guarantees!

The Dark Web has moved from what economists call “perfect competition” to a more imperfect model trending toward oligopoly. In simpler terms, it is not a sea of malevolent individuals but, rather, the domain of organized businesses that happen to be largely illegal. These are organizations of scale that must be run like a business. This new structure will evolve, adapt and grow so much faster than the prior structure because these organizations have mission-focus and cash-flow pressures. Of course, the market forces common in a bazaar will winnow out low-value and defective products quickly, simply because word travels fast and customers vote with their wallets. 

10. The truly ugly “What’s next?” section

As with many thriving businesses, there is a tendency to move into adjacencies and nearby markets. This has already happened.

There is a lot of money in fiddling with clickstreams and online advertising flows. Bots account for about 50% of the traffic on the Internet; of those, about 60% are bad bots.

There is money to be made in transportation. One can buy fake waybills on the Dark Web to ship a crate to, say, Kiev at a fraction of the price FedEx or UPS would charge, even though the package will travel through FedEx or UPS.

Here are four emerging and even more worrisome areas that could be leveraged (in a bad way) by sophisticated, tech-savvy commercial criminal enterprises that are alive and thriving today in the Dark Web.

  • Internet of Things – It is just the beginning for the IoT. If you click here, you can read a paper on what may drive the amazing growth and where the potential is. The available talent who know how to secure devices, sensors and tags from hacks and stop those hacks from jumping five hops up a network are few and far between, and they don’t normally work in the consumer and industrial spaces that make stuff and that have decided to make an IP-enabled model. Few boards in the Fortune 500 can have an intelligent conversation about cybersecurity at any level of detail that matters. In short, over the next few years, IoT may be a giant hunting ground. For instance, what if a hacker goes through the air conditioning control system to point-of-sale devices and steals credit card info? That is a target with a big bull’s eye on it. (That is what happened to Target.)
  • Robotics – This is a little further out, and the criminal cash flow is a little harder to predict, but IP-connected robots are a space that will grow exponentially over the next decade and be at key points in manufacturing, military and medical process flows. What is the ransom for holding a bottling plant hostage? The Samsung SGR-1 (no, not a new phone) is a thermal imaging, video-sensing robot with a highly accurate laser targeting gun that can kill someone from 3,000 yards out. The Oerlikon GDF005 is a less-sophisticated antiaircraft “gunbot” that is, in part, designed to be turned on and left to shoot down drones. These things are both hackable.
  • Biochem – What if some of the above Dark Web trends extend into this area, renting assets and expertise, point-and-click front-end designs? The bad news is that this seems to have started. 
  • The over-the-horizon worries – Nanotech, Li-Fi, AI, synthetic biology, brain computer interface (BCI) and genomics are all areas that, at some point in their evolution, will draw a critical mass of criminal Dark Web interest. The advances in these areas are at an astounding pace. They are parts of the near future, not the distant future. If you have not looked at CRISPR, google it. Things like CRISPR, coupled with progressively better economics, are going to supercharge this space. Li-Fi, coupled with 5G and the IoT (including accelerated growth in soft sensors), will create a large target space. The Open BCI maker community is growing quickly and holds enormous promise. Take a look at the Open BCI online shop and see what you could put together for $2,000 or $10,000. The Ultracortex Mark IV is mind-blowing (not literally) and only $299.

All of this is going to get worse before it gets better. This is clearly not a fair fight. This is a target-rich environment that is growing faster than almost anyone anticipated. The bad actors are progressively getting better organized, smarter and better built for “success.” Interpol, the FBI and other law enforcement agencies do great work, but a lot of it is after-the-fact.

Enterprises need new approaches to network-centric compartmentalized security. New thinking about upstream behavioral preventative design is needed for robustly secure IoT plays.

National organizations in law enforcement and intelligence need to think through fighting a borderless, adaptive, well-funded, loosely coupled, highly motivated force like those under the Dark Web umbrella. Those national organizations probably need to play as much offense as defense. Multiple siloed police and intelligence units that are bounded geographically, organizationally, financially and culturally probably will start out with a disadvantage.

This article was originally published on SandHill.com. The story can be found here.