
Navigating Security in the Remote Paradigm

Summary 

The current remote work situation has brought to light a three-part problem around security. First, it has created challenges in defending against traditional threats – both physical and information security. Second, emerging technologies promise new threats that will be all the more difficult to counter in remote settings. Third, the body of regulations mandating security measures vis-à-vis personal data is growing. Liability for breaches does not abate due to the current circumstances. The inherent vulnerabilities of the remote situation paired with likely advances in adversary tactics and threats from emerging technologies will challenge organizations to meet their regulatory security obligations. In this article, I will give an overview of these problems in isolation and discuss how they might combine. Finally, I will suggest some measures to take to begin to deal with this predicament. 

Introduction

At its core, a security program’s goals are the protection of life and the maintenance of the confidentiality, integrity and availability of information. 

The recent widespread shift to off-premises work has two primary distinguishing features from a security perspective: It expands or eliminates the organization’s physical perimeter and necessitates remote access to corporate networks as well as a far higher degree of dependence on information systems for communication between employees. These factors upend an entity’s normal process of security assessments and controls and create fertile ground for both traditional and emerging threats. With unsupervised personnel and data dispersed to uncontrolled locations, using various means to access organizational networks, numerous varieties of threats abound.

Categories of vulnerabilities and threats for which there were standard controls and processes in the traditional setting require rethinking in this new reality. Likewise, emerging technologies pose novel threats. We can expect adversaries to continue to adapt to changing conditions of work by capitalizing on physical vulnerabilities and developing increasingly sophisticated and clever implementations of both existing and new technologies. 

At the same time, targeted organizations and individuals continue to bear the costs and liabilities of adversary actions. Victim entities may suffer direct losses from attacks. In addition, cybersecurity requirements related to privacy and penalties for failure to comply grow with each new law without regard to the remote work situation. This creates a difficult bind for defenders and all types of enterprises and individuals who control the data of others. 

There are, however, steps that can be taken to address these concerns. Now, more than ever, defenders will see the advantage of relying on skilled security personnel and cross-disciplinary leaders and teams as well as adopting an approach to security that recognizes that cyber and physical security are intertwined.  

While the long-term status of the recent shift to work-from-home remains unclear, inherent vulnerabilities of the remote paradigm combined with threats based on new technologies present an opportunity for reflection on the status of future contingency plans and demand the attention of executives, counsel, security professionals and insurance providers now. 

How the Remote Paradigm Interacts With Security for Traditional Threats  

Effective security programs apply technical, physical and administrative controls or countermeasures to assessed vulnerabilities, threats and risks. While not always uniformly or well-applied, and noting that threats are continually evolving, standards are generally well-developed in the context of traditional workplaces and often in the case of small groups of workers who require remote access, such as members of sales teams and business travelers. 

The remote paradigm expands or eliminates the physical perimeter and forces remote access and communication, with significant consequences for security controls.

In very general terms, an expanded perimeter leads to: 

  1. Less physical control over information systems and data
  2. Technical/physical vulnerabilities (e.g., potential adversary access to residential Wi-Fi) 
  3. Less physical security over personnel (e.g., threats to their physical safety) 
  4. Less supervision over staff 
    1. complicating application of administrative controls such as job rotation 
    2. greater potential for problems from insider threats – both witting and unwitting 

In equally general terms, remote access and communication means: 

  1. Inherent technical vulnerabilities to data – both at rest and in transit 
  2. Proliferation of endpoints and lack of control over these 
  3. Reliance on communication between remote users and the need for out-of-band communication
  4. Communications involving proprietary data (e.g., trade secrets) and sensitive activities (e.g., engineers working on live systems) that normally occur in controlled settings and may now be conducted remotely
  5. Increased reliance on, and accelerated migration to, the cloud 

Organizations have established processes for addressing traditional threats in the context of the status quo. The remote paradigm entails significant changes to the security process. Categories of vulnerabilities, threats and risks that are relatively well-managed in an on-site setting must be reconsidered when the whole enterprise is operating remotely. Adversaries are left to their imagination in ways to overcome whatever security measures may (or may not) be in place in the many home offices from which employees operate. 

Beyond considerations around configuration management, security professionals must be aware of the potential presence of Internet of Things devices such as smart appliances and smart speakers that may have implications from both a technical and physical security perspective.

In addition, two newly established threats can have significant potential ramifications in a remote environment. In “Zoom bombing,” someone who is not supposed to be involved in a meeting can disrupt it, eavesdrop or alter the message. In other words, the person can interfere with the confidentiality, integrity or availability of information. Secondly, a well-made deep fake can be very damaging to an organization if, for example, it falsely portrays an employee acting in a way that runs counter to the entity’s interests. These threats are particularly problematic in remote settings because communication and public messaging are complicated and potentially subject to interference.


Emerging Threats 

At the same time as the remote paradigm complicates existing threats, new threats are on the horizon with emerging technologies. As with traditional threats, emerging threats will pose more of a problem in the remote environment. Here, we will consider some potential malevolent applications of quantum computing, artificial intelligence/machine learning (AI/ML) and real-time deep fakes. 

Both quantum computing and AI/ML are broad new technologies with myriad potential beneficial implementations as well as malevolent uses by adversaries. 

Practical applications of quantum computing are not yet reported to be in use outside of a laboratory setting. However, there is a quantum arms race underway due in large part to the fact that quantum computing will revolutionize cybersecurity. Quantum computing is predicted to make child’s play of current encryption. Remarkably, it may be possible to apply quantum decryption of current protocols retrospectively. That is, traffic might be recorded today and replayed through future quantum decryption tools to decrypt it later. This could have dramatic implications for organizations to the extent that they rely on current encryption to safeguard sensitive communications that will remain sensitive. The current predicted timeframe for widespread use of quantum technology varies; however, three recent developments suggest it may be accelerating. First, processor power has been improving exponentially. Second, the U.S. Department of Energy recently unveiled a blueprint report to develop a national quantum internet. Third, given the threat of quantum computing to current cryptography, the National Institute of Standards and Technology (NIST) aims to develop a post-quantum cryptography standard by 2022. 

Moving to AI/ML, adversaries are already using the beneficial features of AI/ML in numerous malicious ways. For example, AI/ML can obfuscate an attacker’s location and identity and augment traditional attacks, providing additional power and scale. Malevolent uses will continue to evolve to enable far more sophisticated attacks. Recent developments involving photon-based chips have moved us closer to AI/ML that learns independently at the speed of light.   

Judging anecdotally from the preponderance of articles and developments in both AI and quantum, we may be at a tipping point for both.

Although enabled by AI/ML, deep fakes are a sufficiently rare use case as to merit their own mention. Separate from the pre-recorded deep fakes discussed above, it is now possible to create a deep fake in real time. The primary concern with real-time deep fakes is that an adversary could appropriate the likeness of an employee, infiltrate an internal or external video teleconference, convince an audience of the veracity of the messages and influence outcomes. It is also possible to imagine that a real-time deep fake could falsely portray an individual engaging in some sort of behavior that is damaging to the organization.

Whether in a traditional setting or operating at a distance, these emerging threats are problematic. However, the remote environment continues to provide adversaries with more opportunity due to the expansion or elimination of the physical perimeter and the necessity of remote access and communication. 

Some Scenarios

Having looked at the inherent problems of the remote paradigm and some of the emerging technologies, consider some edge cases. Each of these is presented in its starkest form and capitalizes on weaknesses in a generic remote model. 

The first scenario stems from advanced persistent threats (APTs). APTs are insidious in that they tend to burrow into an information system and lie in wait or operate undetected, frequently exacting a heavy toll. They can benefit from emerging technologies of AI and ML as well as the security shortcomings and potential chaos around the current remote work situation. 

The next general category of threats has to do with physical violence against employees operating away from corporate offices or in settings that are not within a security perimeter managed by the organization. This could range from a kidnapping to a home invasion and assault or murder. Likewise, as in a remote bank robbery, an employee could be forced to take actions against an organization’s interests under duress. 

Next is the new category of real-time deep fakes. The real danger to organizations with this technology is the prospect of a real-time deep fake during an internal or external communication. At a minimum, this could interfere with the confidentiality, integrity and availability of information. At worst, such a tactic could be used as a ruse to outright direct the actions of employees or outside interlocutors. 

Finally, a very serious and dramatic threat is that an adversary could take advantage of the various attack vectors available combined with the weaknesses in the remote paradigm to completely divert the organization’s resources to his or her uses for a time. Far more damaging than ransomware, this could constitute a total takeover. This might involve a mix of physical force and real-time deep fakes as well as other technical weaknesses inherent in remote communications. Further, the attacker could rely on an entity’s lack of out-of-band communication or other successful means of authentication to ensure that he or she is able to carry out the plan. This is admittedly an extreme, worst-case scenario. A far more nuanced possibility would involve an attacker subtly manipulating corporate resources using scaled-down versions of the same tactics. 

Considering these scenarios, readers might be tempted to ask who would do these things and why. 

The potential cast of bad actors and motives is the same as always. It ranges from opportunistic “script kiddies” to activists to common thieves and organized criminals to nation-states. What is different here is that the how becomes easier. Further, bad actors may be emboldened by the lack of traditional security controls and barriers. Simply, someone not otherwise inclined to physically access a system or commit violence in the service of what could be a relatively white-collar crime might make a calculated decision that the risks involved are not prohibitive relative to the rewards. In a traditional environment, corporate security and access control measures would ordinarily discourage the mere consideration.  

Potential Consequences 

These threats can cause a variety of harms – physical harm to people, exposure of private data, financial loss to shareholders and damage to the organization through lost profits, regulatory trouble and reputational harm. 

Regardless of other priorities, any entity’s first concern must be mitigating increased risk to remote employees stemming from their employment. Should harm come to pass, there could possibly be civil liability, but safety is the first priority.   

The next area for concern is data privacy. Nearly all entities hold personally identifiable information (PII) of some sort, even if it is little more than the data of their own employees. If a breach exposes that data, liability to data holders (customers, employees, vendors) or shareholders may ensue. Likewise, chances are that a given entity is bound by at least one of the ever-growing number of industry- or regional-specific regulations addressing cyber security and privacy.

In the U.S. alone, there are multiple regulatory regimes and regulators that address PII and security – the California Consumer Privacy Act (CCPA), the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI-DSS), as well as those falling under the jurisdiction of the New York State Department of Financial Services (NYSDFS), the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC) – and the list is growing. Meanwhile, the GDPR has major implications for organizations whose operations have a connection to Europe.

In some cases, the obligations are clear, while in others, what exactly a business is required to do vis-à-vis PII is opaque. For instance, both the FTC and CCPA refer to a requirement to implement “reasonable” data security, without providing much clarity on what constitutes “reasonable.” The sum and substance of these requirements is that even when, or precisely when, they are the victim of an attack, organizations remain obligated to provide a given measure of security over PII. 

Although beyond the scope of this article, organizations might consider potential downstream effects should their systems be used as a launching point for attacks on third parties, as well as impacts on the performance of contracts. 

Finally, the takeover or even meddling with a given entity’s operations is clearly likely to have severe direct consequences to the enterprise itself. For a business, this could include loss of revenue during down time, siphoning of productivity and damage to reputation, among other potential consequences. 

What Organizations Can Do

I hope it is clear that there are some immediate problems that merit attention. In this situation, one of the worst things to do would be to deny the problem and do nothing. 

Moving forward, organizations should start by asking whether the remote situation is temporary or permanent. For any entity that has plans to return to full on-site operations in the very near term, some of these considerations may be less pressing. 

For all other entities, the first concern is how to improve security in the remote situation. The best thing any organization can do is to hire, fund and take the advice of a competent chief security officer, chief information security officer and counsel, who should work together on issues of physical security, information security and administrative controls. Preferably, the CSO and CISO will take a holistic view of security favoring a convergence approach, where appropriate. If an organization does not currently have the benefit of competent or sufficient in-house security personnel, a firm specializing in security may be a viable option in the short term.  

Developing and adjusting security controls to the remote paradigm is a challenge, but it is not insurmountable. What follows is a non-comprehensive list of recommendations that can be taken related to certain key steps. 

From an information and technology security perspective, this starts with knowing the enterprise’s network, what machines are connected to it and the identity and location of the organization’s crown jewels. Organizations must decide whether certain business functions that historically occurred only in dedicated spaces and over hardline connections (such as discussions of trade secrets and access to live/production systems for engineers) should be allowed to occur remotely, given the risks. Likewise, organizations must make decisions related to approved devices, means of accessing corporate networks and standardized security procedures (e.g., securing Wi-Fi). Organizations should also decide on remote identity and access management, including the use of two-factor authentication. Organizations should consider engaging outside security firms to assist with these assessments as necessary, to audit physical and cyber security through penetration testing and, potentially, to conduct employee training. 

Administrative controls are more difficult. Given the variety of harms that can arise directly from human behavior, leaders need to find a way to encourage and maintain a culture of security despite the lack of physical proximity. Witting and unwitting insiders have much more room to cause damage away from supervision and peers. Organizations need to find ways to implement controls such as those related to access management and job rotation, among others. Education and training, particularly around topics such as spear phishing and authorized uses of corporate networks, should be designed with an emphasis on the remote setting. Employees should be given incentives to comply with security. Security managers need to stay abreast of trends in employee malfeasance around remote work as well as emerging best practices in this new area. 

Physical security will also prove challenging. Organizations should consult with counsel to determine their obligations to employees and tailor programs to meet these needs. Just as enterprises assess the sensitivity of their data systems, they should also assess the exposure of their personnel. For certain high-risk employees, it may be wise to consider implementing off-premises physical security measures or, at the very least, training. 

For all types of enterprises, whether they plan to return to on-site operations now or not, there are some common considerations. First, they should consider the possibility that clever and determined adversaries may have taken advantage of this period, during which defenders’ guard has been down to some degree, to access systems and plant malware or establish an unauthorized presence on the organization’s systems. With this in mind, organizations should carefully examine their networks for indicators of compromise. Likewise, they should consider that this has been a period in which insiders have had an opportunity to grow bolder. Security departments should step up their efforts to detect insider threats. 


In the longer term, all organizations can take certain additional measures. This period has proven fortuitous in a number of ways. First, it can be treated as a practical drill. All entities should conduct an after-action review. Leadership at all levels from individual teams to the C-suite and boards should sit down and discuss what went right and wrong. Where business continuity plans and other policies and procedures did not match with reality, they should be rewritten. We’ve been handed a real-world opportunity to improve upon our posture. 

One specific action all sorts of entities should ensure is that they have reliable out-of-band communication and authentication. This is absolutely essential. In the event of a form of takeover such as the doomsday scenario proposed above, an organization needs a reliable and immediate way of verifying information, authenticating its source and enacting contingency plans should it become necessary. 

The various regulatory obligations to provide measures of security over PII imply a responsibility to keep up to date on shifting threats and vulnerabilities that stem from changing environments and emerging technologies. In other words, organizations are on notice: they must begin to find ways to ensure they are meeting their obligations to develop measures that provide security against these threats. The fact that NIST has a public target date for its first quantum security standard lends this some urgency. Some companies have already taken action along these lines. 

It does not appear as though exceptions will be made for shortcomings in security in the current situation, for example under NYSDFS rules and the CCPA. However, the rules of the road for the remote paradigm are being written as we speak. Organizations should use this opportunity to help write them. They should also develop relationships with law enforcement and regulators. They should join industry ISACs and other relevant security groups. Groups such as the IAPP and SANS also offer a wealth of information for professionals interested in working to improve their processes. In consultation with counsel and security professionals, all enterprises need to consider what constitutes acceptable security measures in the current situation and with awareness of emerging technologies. 

Of course, organizations should consider which forms of insurance are best-suited to the scenarios laid out above. Cyber insurance and kidnap and ransom coverage may apply.

Conclusion 

We are facing three simultaneous game-changers – the remote paradigm, emerging technologies and increasingly prescriptive privacy regimes. At the same time, adversaries are taking advantage of this time to invest in research and development. Victim enterprises continue to bear many of the costs. 

The current remote work situation may continue, we may return to normal or we may find ourselves somewhere in the middle. Regardless, this time presents an opportunity to look at our approach to remote situations. By extension, it should be a time to examine and adjust business continuity plans, many of which may have been found lacking in this experience. Moving away from the remote setting, this experience highlights many aspects of traditional security that can benefit from fresh work. Again, it calls for a recognition of the increasing interdependence of physical and information security. Further, overall, this period should demonstrate the need for competent security officers and cross-disciplinary teams dealing with security at the highest levels of the organization, as well as the need to invest meaningfully in comprehensive security and exercise plans. 

Disclaimer: This article is intended as general educational information, not as security guidance with respect to any specific situation or as legal advice. If the reader needs legal advice, the reader should consult with an attorney.

Cyber Insurance Needs Automated Security

Hackers, malware, viruses, ransomware and phishing emails are becoming a normal part of increased connectivity, and their impact on everyday life is growing. The result is a profound increase in the demand for cyber insurance. The downside? Cyber insurance is hard to price, as risk potential is not well understood, and losses can enter into the millions of dollars. Moreover, businesses with cyber insurance may be lulled into complacency by their coverage. They shouldn’t be. Just reimbursing the costs of damage after a cyberattack isn’t smart business—smart businesses seek to prevent the cyberattack from occurring.

Enterprises do this at great expense, with costly, complex tools and teams beyond the reach of small and medium-sized enterprises (SMEs). SMEs need automated cybersecurity for cost-effective, full protection. That’s because cyber insurance is insufficient to protect a business: It isn’t a substitute for good business practices that work in concert with cybersecurity. In short, cyber insurance and cybersecurity must complement each other to provide what businesses really want: peace of mind at predictable costs.

Cyber Safety Is as Essential as Fire Safety

Think of it like this: You wouldn’t protect a business from a fire simply by buying a fire insurance policy. Best practice fire safety includes smoke alarms, fire extinguishers, fire-retardant building materials, a designated gathering spot and regular fire drills. On the other side of the coin, governments have adopted fire safety building codes, and insurers don’t sell fire insurance without verifying fire safety compliance: Fire extinguishers, smoke detectors and sprinklers must be installed and properly maintained.


Similar business practices are necessary for cyber protection. But the technology has not caught up with business needs. Many cyber insurance policies are written without accurately measuring the risks that make a business vulnerable to a cyber attack. A one-time snapshot of the number and type of data records, or even a more full-fledged review of internal and external systems, is inadequate to assess risk. Technology evolves too quickly for these snapshots or scores to be valid over time. The moment a system needs upgrading, data may be at risk. The moment a new virus begins to spread, businesses are vulnerable. As long as a patch is not applied, systems and data are exposed. These big changes to risk affect the underwriting assumptions. It’s a shifting landscape, one that requires that businesses remain constantly vigilant. Automated cybersecurity technology is more effective than people at monitoring and addressing threats. In short, cyber insurance without automated cybersecurity is like fire insurance without smoke detectors.

Cyber Risk Models Need Much More Data

Automated cybersecurity platforms that detect and protect against cyber attacks are also useful to measure risk over time. Telematics let auto insurers such as Progressive and Metromile more accurately measure risk—and price accordingly. We need new “cyber-telematics” that allow underwriters to more accurately measure cyber risk. They provide risk insights about the insured, enabling the development of rich aggregate risk models. Cyber-telematics also helps underwriters develop risk models from the measurements correlated with cyber risk—and see the red herrings that aren’t. Cyber-telematics answers industry concerns noted in a March 2017 Property Casualty 360 article that “the insurance industry faces a rampant reporting bias that is hard to translate into policies.”

Without a thorough understanding of the profound risk being underwritten, losses are unpredictable—and potentially catastrophic. Insurers have long understood the impact of underestimating exposure aggregation with respect to natural disasters and other correlated losses like terrorism or asbestos claims. Of these, Towers Watson wrote, “The difference is that the terrorist attack is a single event and not a decades-long process, and the losses will be recognized and paid much more quickly.” The same, or worse, should be expected of large-scale single cyber events.

Technology is essential to collecting the data for, then understanding, mitigating and accurately modeling cyber risk.

Large enterprises have massive budgets, and most create a custom cybersecurity system using expensive experts and tools from multiple vendors. This has made it much harder to penetrate their defenses. As a result, hackers have moved down the food chain, making small and medium-sized businesses especially vulnerable. These businesses face the potential of a business-ending event in the face of a cyber attack.

Automation is the right answer when people and systems aren’t available or affordable. SMEs need automated cybersecurity to reduce risk and reduce cost. Current solutions are simply too expensive in terms of staffing and too complex in terms of tool integration. With automated cybersecurity, SMEs receive the benefit of robust machine learning coupled with economies of scale that take advantage of the cost efficiencies introduced by automation. For insurers, automation enables data gathering that informs robust risk management models, providing key insights to identify and mitigate loss potential.


According to Hiscox data, 60% of smaller companies in the U.S. reported one attack or more in the last 12 months—and 72% of larger companies. In the U.S., the average estimated cost of an organization’s largest cyber incident was $35,967 for 99 or fewer employees and $102,314 for 1,000 or more employees. However, a November 2017 Property Casualty 360 article reports that “in the aftermath of an incident, SMBs spent an average of $879,582 due to damage or theft of IT assets; additionally, disruption to normal operations cost an average of $955,429.” This wide variance in the reported cost of cyber incidents reflects uncertainty among insurers.

The Hiscox report further observes, “While big firms incur the highest costs in nominal terms, the financial impact of cyberattacks is disproportionately high for the very smallest companies.” Because these “smallest companies” can least afford effective cybersecurity, they need automated solutions. Let the machines do the work.

Peace of Mind

Cyber insurance complemented by automated cybersecurity is key to modern business—neither is sufficient on its own. SMEs are better protected with the complement of these tools. A simple metaphor is the modern automobile. Today’s cars don’t simply provide airbags to react to accidents; they include technologies to avoid accidents: anti-lock braking systems (ABS), blind spot monitoring, lane departure warnings and more. Modern cybersecurity and cyber insurance are similar complements: Airbags cushion the blow, much as a rapid response can limit the losses from a cyberattack, and automated cybersecurity monitors networks and protects SMEs, much as accident prevention systems protect drivers.

Modern technology demands the next evolution of cyber insurance and cybersecurity measures, similar to the evolution of fire insurance and car safety technology. Effective, automated cybersecurity technologies, coupled with comprehensive cyber insurance, are needed for real peace of mind against cyber attacks.

Security Training Gets Much-Needed Reboot

Using innovative strategies, some companies may be erasing employee security training’s reputation for ineffectiveness.

Security training “got a bad rap, because it was so bad,” says Steve Conrad, the founder and managing director of MediaPro, a Bothell, Wash.-based security awareness training company with such clients as Microsoft, Yahoo and Adobe.

Old training methods “usually consisted of slide presentations — or their online equivalent — that were super dull and could last an hour or two,” he says. “Employees were expected to sit through this, either at their desks or in a group and come away with knowledge gained. And that was it. Awareness training was once and done, and it just didn’t work.”


Stu Sjouwerman, founder and CEO of KnowBe4, a security awareness training company founded in 2010 and based in Clearwater, Fla., says “old-school security training” often stems from “classical break-room sessions where employees are kept awake with coffee and doughnuts and exposed to death by PowerPoint.”

Those days are over, according to officials of the two companies.

MediaPro — which was founded in 1992 and has focused on security awareness training programs as a product since 2003 — says it’s an e-learning company that bases its training on proven adult learning principles, providing educational content in a way that learners remember.

“This concept extends beyond the training courses themselves,” Conrad says, “to our focus on consistent reinforcement of key learning principles through extracurricular content such as games, videos and posters, as well as phishing simulation exercises.”

Phishing exercises help change behavior

KnowBe4, Sjouwerman says, sends frequent simulated phishing attacks to train employees “to stay on their toes.”

Both companies believe that employees’ most common security mistake is falling for an email phishing scam.

“Bad guys have come up with all sorts of creative ways to convince employees to click on a link or send sensitive information via a spoofed (sender) address,” he says.

Clicking on a link in a suspicious email and opening an infected attachment can be avoided, Sjouwerman says, “by recognizing red flags.” Red flags include receiving an email from a suspicious domain or address you don’t ordinarily communicate with, or one sent at an unusual time, such as 3 a.m.

No company is immune to such scams, Conrad says, “but simulated phishing campaigns aimed at an organization’s employees teamed with comprehensive cybersecurity education can go a long way toward changing risky employee behavior.”

Technical safeguards against phishing scams exist, “but no organization should rely on those alone,” he says. “Social engineering — the basis of phishing scams — is such an effective way into the sensitive data of an organization because it completely bypasses these technical safeguards and goes after what is most companies’ weakest link: the human.”
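The red flags Sjouwerman lists (an unfamiliar or spoofed sender address, an unusual send time) can also be turned into a first-pass triage check that runs before a human ever sees the message, which is exactly the kind of technical safeguard Conrad says should sit alongside training rather than replace it. The script below is an added example for this page, not code from MediaPro, KnowBe4 or the original ThirdCertainty article. It uses only the Python standard library; the allowlist of known contact domains, the business-hours window, the homoglyph substitutions and the two sample messages are all constructed for illustration and are not from the article.

```python
"""Red-flag triage for inbound e-mail (added example; see lead-in for assumptions)."""
import email
from email.utils import parseaddr, parsedate_to_datetime

# Constructed allowlist: domains this organisation normally corresponds with.
KNOWN_DOMAINS = {"example.com", "partner.example.net"}

# Constructed "normal hours" window: 07:00 inclusive to 20:00 exclusive.
BUSINESS_HOURS = (7, 20)


def sender_domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def normalize_domain(domain):
    """Undo common homoglyph tricks so 'examp1e.com' compares equal to 'example.com'.
    The substitution list is an assumption for this example, not an exhaustive one."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "oles"))


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the known domain that `domain` imitates, or None if it imitates none."""
    if domain in KNOWN_DOMAINS:
        return None
    norm = normalize_domain(domain)
    for known in KNOWN_DOMAINS:
        if norm == known or edit_distance(norm, known) == 1:
            return known
    return None


def triage(raw_message):
    """Return the list of red flags raised by one RFC 5322 message (empty if none)."""
    msg = email.message_from_string(raw_message)
    flags = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = sender_domain(from_addr)

    # Unfamiliar sender domain, and worse, one that imitates a domain we do trust.
    if from_domain not in KNOWN_DOMAINS:
        imitated = lookalike_of(from_domain)
        if imitated:
            flags.append(f"lookalike sender domain {from_domain!r} imitates {imitated!r}")
        else:
            flags.append(f"unfamiliar sender domain {from_domain!r}")

    # Display name carrying an address from another domain: a spoofed sender that
    # looks legitimate in mail clients which show only the name.
    name_domain = sender_domain(display_name)
    if name_domain and name_domain != from_domain:
        flags.append(f"display name claims {name_domain!r} but address is {from_domain!r}")

    # Replies steered to a domain other than the sender's.
    reply_domain = sender_domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain!r} differs from sender domain")

    # Unusual send time. The Date header's own time zone is taken at face value;
    # a sender can forge it, so this is a hint, not proof.
    date_header = msg.get("Date")
    if date_header:
        hour = parsedate_to_datetime(date_header).hour
        if not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
            flags.append(f"sent at unusual hour {hour:02d}:00")

    return flags


# Constructed sample messages, not real captures.
BENIGN = """\
From: Alice <alice@example.com>
To: bob@example.com
Date: Tue, 03 Mar 2020 10:15:00 -0500
Subject: Q1 figures

Attached as discussed.
"""

SUSPICIOUS = """\
From: "alice@example.com" <alice@examp1e.com>
Reply-To: payments@mailbox.example.org
To: bob@example.com
Date: Tue, 03 Mar 2020 03:12:00 -0500
Subject: URGENT wire transfer

Please process today.
"""

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, "->", triage(raw) or ["no red flags"])
```

Run as a script it prints the flags for each sample. In practice the allowlist would be built from the organisation's own mail history, and a message that trips several flags at once is the kind of mail a simulated-phishing program teaches people to stop and report rather than click.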

Workers’ weak spot

Why do employees engage in risky behaviors when cybersecurity threats are so abundant?

“It’s likely a combination of being busy and being exposed to so many technological sources of distraction on a daily basis,” Conrad says.

Sjouwerman mentions another reason: “No one ever took the time to enlighten them about the clear and present danger that risky behavior can really cause, especially in an office environment.”

A 2016 study by PhishMe, a Virginia-based phishing threat management company, found that 91% of cyber attacks — and the resulting data breaches — begin with a spear-phishing email.

Another study done last year by LastPass, a Virginia-based password management service, found that 91% of respondents know it’s risky to reuse passwords for multiple online sites, but 61% do it anyway. The study also found that the No. 1 reason respondents changed their password was because they forgot it, and only 29% changed it for security reasons.

Employees’ risky behaviors have prompted an increasing number of companies to provide better security training.

“I think this is a really exciting time in the market. Huge numbers of companies are committing to doing real education, and we’re seeing exciting innovations in the variety of content that is available,” Conrad says. “I like to think that the age of boring people about security is over and we’re entering an era where people are going to be motivated and engaged by education around these issues.”


Repetition is key

Employee training, Conrad says, needs to be more frequent than an annual affair.

“Learners need to hear something more than once for it to stick — just ask any ad executive or marketing jingle writer,” he says. “Think about what makes up an advertising campaign: a series of messages that share a single idea or theme, transmitted via different media channels on a regular basis, for an extended period of time — with the singular goal of influencing consumer behavior.

“A great security awareness initiative should look like a great advertising campaign. Repeated, consistent messages delivered throughout the month, quarter or year — whatever cadence is appropriate for a given organization.”

This post originally appeared on ThirdCertainty. It was written by Gary Stoller.

How to Picture the Future of Driverless

Picture this:

The year is 2025. A call comes to the police station—someone has broken into a local home. A drone is deployed to the address and arrives within five minutes. The drone feeds video to the station and to the closest autonomous (driverless) police vehicle. The drone guides the police car to the location. The officer in the car (we’ll assume he’s human, for now!) isn’t actually driving; he’s an occupant, watching the drone’s video feed. He can see the suspect fleeing, and he researches other crimes in the neighborhood along with potential suspects. The drone estimates the perp’s height and weight, and the officer can see his clothing and a possible gun in his belt. The police officer communicates with other officers in the area to coordinate the capture. As the suspect runs, his description and location are fed constantly to all nearby police vehicles, and he is surrounded within 15 minutes of the initial call.

This is far from fiction. The international consulting firm Frost and Sullivan predicts that 180,000 driverless cars will hit the U.S. market in 2020. That’s less than 1% of today’s annual new car market, but that’s just the beginning!

Just about every major car manufacturer (as well as Google, of course) is developing autonomous vehicles, and the competition is getting more intense as the demand for collision avoidance features grows. Just as drones are spreading (if not yet regulated), driverless cars will become widely accepted. Americans love to drive, but there are too many undeniable advantages to autonomous cars.

The first one is safety. According to the U.S. Insurance Institute for Highway Safety (IIHS), 94% of all car accidents are caused by human error. Nearly two million crashes could be avoided if human error were eliminated. That’s not to say that driverless vehicles won’t crash, but, as the technology improves, crash rates will drop like a rock. In 2025, if our roads are still packed with commuters, the occupants of many vehicles will be reading, answering emails, video conferencing and browsing the web. In other words, they’ll be working. A recent Morgan Stanley report predicted that driverless cars could add $5.6 trillion (yes, with a ‘T’) to the global economy because of the combination of a steep reduction in accidents and the dramatic increase in productivity. It is estimated that in 2035 autonomous cars will account for 25% of all cars.

Back to the police force. As driverless cars evolve, routine traffic monitoring will drop, high-speed chases will slowly decline (with drone help) and smaller police forces will focus on more serious crime. Cameras will capture everything—both from the ground and the sky. Officers will become highly trained in electronic law enforcement. Efficiency will rule!

Of course, these are just predicted outcomes. This policing panacea isn’t all roses; it will not eliminate the need for community relationships, direct contact with neighborhoods and personal contact in law enforcement. Furthermore, while vehicle collisions will fall, the cost and maintenance of autonomous cars will remain extremely expensive in the near future. Currently, it costs about $150,000 to equip a driverless car. But that cost will drop to $7,000 by 2030 and to $3,000 by 2035.

Nothing’s perfect. Every emerging concept or technology brings unexpected challenges and unintended consequences. But it appears that autonomous automobiles will emerge soon, and it’s likely that some day we’ll say they are “here to stay.”

For today, I guess I’ll have to drive myself home. What a chore.


If Growing Gets Tough, Tough Get Growing

Successful businesses continuously draw on their strengths – and their people – for growth.

How do you describe the strengths of your business now? How would you describe the strengths that you’ll likely need in a year? In a few years? And how do these strengths translate into the skills your people will need in the future? For most companies, the answers to these questions are always evolving, as disruption increases and the pace of business picks up.

We’ve seen the recent evolution of companies’ capabilities — like fast-food chains rolling out deluxe coffee-shop menus, or utilities delving into smart home appliances.

A lot of organizations have solid processes for evolving their business strategies. But as sound as the development and approval process is, it often leaves out an important aspect: Can your people evolve, too?

Most CEOs aren’t certain that theirs can. In our latest CEO survey, nearly 80% of U.S. business leaders say they’re concerned that a lack of key skills threatens their organizations’ growth prospects.

This stat raises the question: Are some of these organizations taking their growth strategies too far afield, beyond their core strengths, in a desperate search for faster growth?

In Strategy+Business Magazine, we recently wrote about how companies that deliver sustainable growth remain true to what they do best and take advantage of their strongest capabilities—what we call a capabilities-driven strategy.

It takes a substantial effort. As we say in the story, “If you respond to disruption by changing your business model and capabilities system, you can’t dabble. You have to commit fully.”

That level of commitment is only possible, of course, with the right people to step up and deliver on your company’s greatest strengths.

Think of the potential talent issues at hand for so many businesses: How does a legacy technology company avoid disruption and commoditization? How can a fast-food chain turn up its café side of the business without trained baristas on hand? How can a utility amp up the tech-savvy talent needed to design Internet-and-data-fueled thermostats and security devices?

They’ll all need to align their talent strategy with their business strategy.

In our advisory work with clients, we are in frequent talks with companies that need to make these moves. And talent is at the top of the priority list.

Before preparing to grow your strengths, think about the capabilities in your current ecosystem of people and where gaps might pop up:

  1. People strategy, leadership and culture: Does our people strategy support our growth initiatives (and, more importantly, is there a strategy)? Is the right leadership development system in place, including a robust global mobility program? Will our culture support the execution that’s required?
  2. Reward: Does our compensation and benefits strategy still fit? Is pay competitive? Are there areas to be restructured that could free capital for re-investment?
  3. Talent acquisition: Do we need to pull in brand-new talent by strategically hiring from the outside or by making strategic acquisitions?
  4. Organization design and operating model: Have we designed an organizational structure and operating model that have clear links between all our capabilities?
  5. Change management and communications: Do we have the right program management structure and strategic change methods for execution? Do we know who the real information brokers are in the organization who will informally drive the change?
  6. Technology: Do we have the right technology to support the kind of employee experience our people need? Are we leveraging workforce analytics to retain our top-performing people, and are we conducting frequent employee surveys to understand the pulse of the organization?

These are just a few of the talent areas that are important to understand.

Odds are you won’t need to revamp all of them. But a carefully designed and innovative talent strategy underlies the successful evolution to get growing.

To read more details on the strategic changes you may need to make to stretch your growth, read the full article, “Grow from your strengths” in strategy+business magazine.