The massive distributed denial of service (DDoS) attack that cut consumers off from their favorite web haunts recently was the loudest warning yet that cyber criminals can be expected to take full advantage of gaping security flaws attendant to the Internet of Things (IoT).
For much of the day, on Friday, Oct. 21, it was not possible for most internet users to consistently access Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit and PayPal.
Using malware, dubbed Mirai, an attacker had assembled a sprawling network of thousands of hacked CCTV video cameras and digital video recorders, then directed this IoT botnet to swamp the marquee web properties with waves of nuisance pings, thus blocking out legitimate visitors.
Mirai is designed to take over lightweight BusyBox software widely used to control IoT devices. The source code for Mirai can be found online and is free for anyone to use. ThirdCertainty asked Justin Harvey, security consultant at Gigamon, and John Wu, CEO of security startup Gryphon, to flesh out the wider context and discuss the implications. The text has been edited for clarity and length:
ThirdCertainty: Why do you think these attackers went after BusyBox systems?
Wu: Because BusyBox is lightweight; it’s used on most IoT devices that have limited memory and processing. BusyBox is a utility with lots of useful commands.
Harvey: BusyBox is very standardized. It is highly used in the field, and it also runs Linux, so the internals are very straightforward and easy to duplicate in testing systems.
3C: How did the attacker locate so many vulnerable devices?
Wu: Standard IP scanning would identify the devices, and then the attacker could use the admin interface to install the malware. These devices had weak default passwords that allowed hackers to install Mirai.
Harvey: Cross mapping manufacturers with types of devices. Then using the website Shodan to get a list of open devices. Once they had the list of devices, they could create a massively parallel script to step through each and determine whether they used the version of the OS they wanted.
3C: How many devices did they need to control to carry out three waves of attacks over the course of 12 hours?
Harvey: 300,000 to 500,000.
Wu: Probably a few hundred thousand devices. Because it’s distributed, there is no way to simply block all the IP addresses.
3C: Are there a lot of vulnerable devices still out there, ripe for attack?
Harvey: Yes! Shodan specializes in noting which devices are out there and which are open to the world. The devices used in this attack were but a small fraction of open or insecure IoT devices.
Wu: We don’t know exactly how many devices are still out there as sleeper bots. Mirai also is actively recruiting new bots. From what I understand, these IoT devices had open channels, and the users had practiced poor password protection for root access to install additional components.
3C: What do you expect attackers to focus on next?
Wu: I would expect the attacks to get larger and more sophisticated. Mirai also is working in the background to recruit more devices. The next attack may not be as public because they’ve already shown what the botnet network is capable of.
3C: What should individual consumers be most concerned about at this point?
Harvey: Consumers need better education on changing the default access and security controls of their IoT devices. Manufacturers need to take security seriously. Period. Congress needs to step in, conduct some hearings on IoT issues and perhaps regulate these devices.
Wu: Consumers need to be concerned if their device is one of the devices already compromised or at risk of being compromised. They should contact the manufacturer to ask if a security patch is available. A simple solution would be to take the device offline, if it’s something you can live without.
3C: What is the most important thing company decision-makers need to understand?
Wu: If you are dependent on the internet for your revenue and business, you should be planning alternative communication channels. If DNS is critical to your business, you should look at backups to just one service provider. Let people know that, if email is down, you can still get business done over the phone.
Harvey: Businesses need to understand the implications of running IoT devices within their companies and question the business need for using IoT devices versus the convenience.
The power of social media is undeniable. Whether it’s political movements, disasters, or breaking news, social media delivers unfiltered information instantaneously to people around the world. When a catastrophe occurs today, comments, pictures and video are likely to appear on the Internet as it happens. For instance, a deadly explosion at a Texas fertilizer plant was caught live on video and posted to social media, as was an enormous explosion that rocked the Chinese port of Tianjin. But when social media posts about a catastrophe go viral, the company involved can be in for a struggle.
To avoid getting left behind, companies need to prepare for how they will communicate using social media when a catastrophe strikes. A company that plans ahead and is able to mount a robust response may not only salvage its reputation, but may actually enhance its public image if it is seen as managing a difficult situation well. Because many companies lack this kind of communications expertise, they may want to work with consultants that can help them prepare for a disaster and respond appropriately. In addition, they should consider insurance that provides coverage for experienced public relations catastrophe management services to protect their corporate reputation.
Social Media Plays a Crucial Role in a Crisis
When it comes to disasters, mobile apps and social media are seen by the public as crucial ways to get information, according to a Red Cross survey. During Superstorm Sandy in 2012, social media played a significant role in providing official information and combating rumors. When Cyclone Tasha struck Australia in 2010, the Queensland Police Service made extensive use of Twitter to provide information to people spread over a vast area.
Social media, however, is widespread and public information, which means that if there is an explosion, fire, or other disaster, chances are someone may be streaming it live to the Internet, tweeting about it, posting it to Facebook or uploading pictures to Instagram even before the affected company is aware of it. In essence, that means public opinion about the incident, as well as the company involved, is already being shaped, possibly without any direction from corporate communications.
Because information travels so quickly through social media, the public no longer has to wait for the evening news to receive the most up-to-date information. Therefore, companies are not afforded the luxury of time to gather all available facts before addressing the public. Traditional media and news organizations are also feeling an increased amount of pressure. Since social media has enabled news to travel quicker, stories may not receive the same level of scrutiny as they once did. That leaves plenty of opportunity for the spread of misinformation, which can be very difficult to counteract. On the Internet, inaccurate information may persist long after it has been thoroughly discredited elsewhere.
Embrace Social Media in Crisis Communications
To handle the social media aspect of a crisis, companies need to be able to act immediately or risk allowing reporters and “citizen journalists” to tell the story they want to tell, which may not provide a complete and accurate picture. Being unprepared can lead to inconsistent messaging, or even misstatements that may create confusion and ultimately damage a corporation’s reputation. A company that is seen as clumsy in its media response to a crisis risks losing credibility.
When a disaster is handled well – by providing the public with timely and accurate information as well as proper reassurances about its products and services – an organization can actually bolster its reputation. While social media accelerates the media cycle, it can also enable a company to take control of its image by acting as a primary and reliable source of information when a catastrophe occurs. This requires planning and preparation.
An initial step is to review the corporate crisis communication plan to understand its limits in social media. A traditional crisis plan provides for one-way, controlled communication through prepared statements, press conferences, marketing tools, and commercials.
Such an approach is likely to be viewed as unresponsive by the public seeking immediate information. Incorporating social media into the traditional plan provides for two-way communication that allows for debate, insight, and opposing viewpoints that can guide the company’s responses.
The social media plan, however, should remain consistent with the company’s traditional media efforts. The company should provide consistent messaging in both traditional and social media about its culture and philosophy, the actions it is taking and the expected results, and its concern for those who have been affected.
Develop a Detailed Social Media Plan
The plan should delineate the policies and procedures to be followed in the event of a catastrophe, and – most importantly – assign roles and responsibilities to specific staff. This ensures that someone who understands the company’s message will maintain control, which can help lessen potential mistakes. Both external and internal policies should be covered so that the information communicated to and among employees and the public is timely, accurate and consistent.
The written policy should detail the information to be provided – for instance – pre-vetted information about the company and its corporate philosophy. It should establish guidelines pertaining to the types of social media posts that necessitate a response. Not every post merits a reply. Anyone who uses a computer or smartphone can post information to the Internet. Identifying legitimate posts and inquiries and providing necessary information can help preserve a company’s reputation.
Because the social media landscape is dynamic, companies shouldn’t limit themselves to just one outlet, but rather those that are most appropriate for the business, the audience and the geographic region. If an incident occurs abroad, companies should use the social media outlet most appropriate for that region. With their massive user base, Facebook, Twitter and YouTube are obvious choices for domestic and international audiences. Others, such as Instagram, Snapchat and Tumblr, should be considered. Companies active in Europe and Russia should consider the social networking site VK.
Prepare the Response
While it may not be possible to prepare material for every potential catastrophe, companies can still organize information ahead of time that can be released as soon as something happens. Information can be prepared for a “dark page” for the corporate website that can be published in the event of an emergency; however, companies should be careful not to publish a “dark page” until a crisis actually occurs.
The site can include background information about the company and its specific businesses as well as the corporate philosophy during times of crisis. Other information might be media contacts and toll-free phone numbers for claims intake. Preparing the information ahead of time makes it possible to have it reviewed by a company’s legal department, public relations, and senior management. Once the page is live, it should be monitored and updated so that it always provides the most current information.
Whether information is prepared ahead of time or developed in response to a particular incident, it should be presented in a way that is accessible for the audience. Written material should be understandable by a wide range of people. Companies should avoid industry jargon and acronyms, which may be unclear or even misunderstood by the general public.
Monitor and Test
When not in crisis mode, it is helpful for companies to monitor social media. Viewing the social media environment in the normal course of business can help companies ascertain how their brand, products and services are viewed by the public. Companies can purchase monitoring services or build these capabilities in-house.
While monitoring social media is an important part of regular business, it becomes essential after a catastrophe to identify issues that need immediate attention. This helps to ensure that the traditional and social media messages the company is sending are having the desired impact. If the same questions continue to be asked on social media, it’s a clear sign that the message is not getting across.
As part of their overall catastrophe preparation, companies should test their communication response plan to assess their procedures as well as their staff. Testing can help ensure that everyone understands their roles and responsibilities and is able to react quickly. Drills assist in identifying blockages and help address uncertainties in the process. After the test or following an actual event, the company should conduct a thorough reevaluation and debriefing to identify the areas that worked well and those that need improvement.
Preserve the Corporate Reputation
Today, a story about a disaster can be trending on social media even before the company involved is aware of the loss. Organizations that wait too long to respond can cause lasting damage to their reputation. A company that is perceived as avoiding or failing to address a story may soon realize that its lack of response becomes the subject of that story. Undoing the damage caused by a tardy or ill-conceived response can be very difficult.
Many people realize that companies may make mistakes, but how these companies react and the decisions they make when faced with a disaster can potentially lessen confidence among customers and the wider public. Knowing how and when to respond helps project an image of competence and concern. Social media is the fastest way to reach people, project the company’s message and protect its reputation.
To become better prepared, companies have to identify their most likely risks and develop plans to mitigate those exposures, whether they are health, safety or environmental. Companies need to know how best to respond on social media if a disaster were to affect their business. To do so, companies may want to work with consultants that can provide risk analysis and mitigation services and help to prepare a crisis response. In addition, to help plan how they will respond to a crisis on social and traditional media, companies should also consider insurance that can defray the costs of hiring expert help when a disaster strikes. No one knows when a catastrophe may occur, but being prepared can help lessen the damage. Customers will look to these companies for information; companies that can provide that information are more likely to weather a crisis with their reputation unscathed.
Suppose you walked into a store to look for a new television. If the store only carried one brand, would you shop there? Of course not, but that’s just what today’s insurance behemoths want you to do when you buy insurance.
With an abundance of information just a few key strokes away, today’s consumers demand choice. From automobiles to zucchini, consumers do research online before they make a purchase. Today’s policyholders no longer accept a single company quote. It’s hard to satisfy this consumer demand if you’re an agent who can only offer one product. It’s why the era of the captive agent is coming to an end. Only independent agencies that “meet” their customers online by leveraging their customers’ desire for information and choice will succeed.
The rise of digital media—the web, social media, the smartphone and other mobile devices—has leveled the playing field and even tilted it toward independents. Independent agents can now compete against the industry’s brand behemoths by making their brand even more powerful in their area. They can become local brand behemoths.
Digital tools enable you to provide a better experience to existing clients. Online lead generation allows you to more efficiently find new clients.
Improving customer experience
In a commoditized industry like insurance, the only way you can differentiate yourself is to provide excellent customer service. In the digital age, that means providing your customers with the opportunity to interact with your agency whenever and however they want. From policy changes to evidence of insurance, customers today would rather do things themselves online than have to wait to call your office when it’s open.
One of the most surprising things is how much people love self-service. Surveys show that companies of all types, including insurers, consistently get better service scores when they let consumers manage their account themselves.
Does your website allow customers to make policy changes, track their claim, get a quote or review their policy limits? Consumer tastes also require that your website be mobile-compatible. The smartphone has replaced the computer as the device of choice for consumers. A mobile-compatible site must be clean, because smartphone screens are small. Users must be able to navigate and read your site quickly on a smartphone. Is your company’s website easy to use on a smartphone?
Your website can’t be static and one-dimensional. People don’t want to read gobs of copy online. Your site should give visitors interactive experiences. For instance, display the icons of the companies you represent instead of listing them.
Attracting new customers
Use online resources to expand the reach of your marketing efforts.
LinkedIn provides a great example. Start by identifying people on LinkedIn whom you are connected to indirectly (i.e. through an existing contact but not directly) or are members of the same business group as you. These are your LinkedIn prospects. Next, go through your existing business network and identify a service provider like an accountant, photographer or other small-business owner. Ask if they would be willing to provide a discount to customers you refer to them. If they agree, send an email to your prospects identified from LinkedIn letting them know they can receive a discount. This creates a win-win for both of you.
Here’s a real-life example: I received an email from an executive coach introducing herself and offering me a 75% discount on professional executive photographs. All I had to do was contact the photographer, mention the promotion and schedule a time for my photo shoot. At the end of the email, the executive coach asked me to add her to my network on LinkedIn. While I didn’t need a professional photo taken, I was intrigued by this online joint venture.
It turns out that one of the executive coach’s referral sources is a professional photographer, and they created a photo day for the executive coach’s clients and prospects. The photographer could give a deep discount because he only had to set up once for all of the photos that day.
Thirty people set up appointments. Existing customers of the executive coach were impressed with the value she brought in addition to her coaching. Prospects were introduced to the executive coach in a positive way – you just saved me a lot of money and introduced me to a quality photographer. The executive coach attended the whole day and used the time in between photo shoots to introduce herself or reacquaint herself with past clients. It was a win-win situation for both the coach and the photographer.
No one gets excited about a birthday card from his agent. Instead, how about giving away a mobile app so your business can stay top of mind? An app that gets your name on a client's phone is a great way to stay in touch—and provide something of real value.
Facebook, Twitter, Tumblr and more….
You need to be on social media. Although engaging with social media takes time, what you learn online provides you with valuable customer insights. It’s like getting the questions to a test in advance. You have a real advantage.
Social media isn’t just about following people. Post or tweet information about how to prepare for catastrophes unique to your area so people can prepare for them. The more you engage digitally, the more relevant you become online.
You’re probably thinking: “I don’t have time for this!” You’re right! Find someone who uses these tools every day – a student or a young person in your office – and put that person in charge.
All the pieces have fallen in place for independent agents. Seize the digital moment now and prosper!
Viral phenomena on the Internet more frequently concern “Cats that Look like Hitler” or racy photos of Prince Harry cavorting in Las Vegas.
Insurance claims rarely go viral on social media, but that changed recently with a controversial underinsured motorist claim involving Progressive Insurance Company. You can find background on the case here.
The sad facts here are straightforward. Progressive Insurance Company policyholder Katie Fisher died in a 2010 automobile crash in Maryland. Allegedly, the other driver ran a red light, though there was a dispute as to who had the green light and the right-of-way. The driver that struck Katie’s vehicle was under-insured. The good news: Katie had bought underinsured motorist coverage (UIM).
The bad news: to collect, Katie’s family had to sue the other driver for negligence to force Progressive to pay. However, when the family sued the other driver, Progressive’s attorneys associated with the other driver’s attorneys to defend the liability claim. As a result, the deceased’s brother went viral in social media rounds, complaining that Progressive used premium dollars to defend his sister’s killer in court. That makes for an arresting headline.
This claim illustrates the importance of an insurance company being attuned to social media and having a social media policy. Of course, here Progressive did not stick its head in the sand. It did not ignore the social media buzz surrounding its handling of the case. Apparently, it responded but responded in a way perceived as tone-deaf.
Progressive In A Lose-Lose Situation?
Maybe Progressive Insurance Company was in a no-win situation. If it ignored the social media banter about its stance, consumers would accuse it of insensitivity. It entered the dialogue to justify its actions. In so doing, people accused it of being tone-deaf to consumer sensitivities. I don’t know what response Progressive could have launched on social media that would have satisfied its critics.
This vignette underscores how little people understand what they buy when purchasing underinsured motorist coverage. Buying underinsured motorist coverage essentially risks putting you at odds with your own insurance company. In such a claim, your own insurance company is incentivized to show that you in fact were at fault for the accident and/or that your injuries were not the result of the negligence of an underinsured driver. People assume that the insurance company to whom they paid their premiums will always be on their side. Typically, this is the case. Typically, this is the alignment of interests.
In underinsured motorist coverage and claims, however, “typical” doesn’t necessarily apply. Here, interests are aligned differently. Just because you pay your insurance company for the coverage doesn’t mean that — in a claim involving an underinsured adverse driver — your insurance company is going to act all soft and fuzzy.
Of course, insurance companies would not effectively market and sell underinsured motorist coverage if they made this reality explicit and spotlighted it in the sales process. People don’t think it through. Nobody really believes deep down they will be hurt due to the fault of an underinsured driver. If they pay for the coverage, perhaps they pay for it begrudgingly at best.
Policyholder Ignorance About Underinsured Motorist Coverage
So, those who say “Shame on Progressive” for its stance adverse to its own policyholder could add, “Shame on the policyholder” for not realizing the dynamics in underinsured motorist claims. Of course, it sounds callous to be lecturing a family on the dynamics of claims-handling when they have lost their daughter in a fatal car accident.
Further, there was a reasonable question of fact as to who had the right-of-way. Should Progressive and its adjusters have ignored evidence that the deceased may have been at fault in order to pay the claim? It’s difficult to fault Progressive’s adjusters here, as tempting as it may be to do so. There was a legitimate dispute as to who had the right-of-way and who ran the red light. Was Progressive wrong for exercising its legal right to seek a judicial determination of liability?
Personally, I don’t think so.
Nevertheless, insurance companies now face not just bad faith risks over how their claim department handles or mishandles an automobile loss. They also face reputational risks if disgruntled consumers take to Twitter, Facebook, blogs, Tumblr, etc. to air their gripes.
The Internet and social media provide a bully pulpit and cyberspace megaphone for anyone who has a beef, whether that complaint is justified or specious. On the other hand, since everyone now has an electronic megaphone via the Internet, World Wide Web and social media, the cacophony of complaints can create a “white noise” effect that makes it difficult for any one complaint to stand out. This complaint did stand out, though, and got widespread media play.
While it is tempting to say “No comment” or “We won’t try our case in the media,” insurance companies — like other businesses — cannot take an ostrich approach and stick their heads in the proverbial sand.
The takeaways and lessons from this go beyond Progressive Insurance Company. Katie Fisher’s case illustrates that in the 21st century:
insurance companies must have social media policies,
they must monitor social media, and
they must be able to articulate a concise yet compelling message to an often skeptical audience.
It’s not enough to handle the claim conscientiously.
It’s not enough to handle it in accord with the policy conditions.
It’s not enough to comply with state insurance department regulations.
It’s not enough to believe that you acted in good faith.
If you have an under-insured motorist claim, you must realize that your adjuster will not be perky Flo from the TV commercials.
Insurers Need Social Media Strategy
This case study also spotlights the need for insurance companies to have a refined social media strategy. That goes beyond grappling with questions like, “Should we be on Facebook or Twitter?” or, “Should we have a blog?”
Sorry — those questions are so 2010. That no longer cuts it as a coherent social media strategy.
It’s no longer enough to have a digital footprint in the social media world. The content of what companies put out on social media is vital, scrutinized, and should promote their brand. Content is king.
Moreover, insurance companies must have institutionalized disciplines to monitor what is being said about them on social media so they can respond quickly and persuasively. The consumer conversation about your service and policies is going on — with you or without you. It is best that it goes on with you. It’s best that you have an opportunity to be aware of customer service firestorms brewing so that you have the opportunity to squelch them, address them and nip them in the bud.
You may have to justify your steps in the court of public opinion through social media or suffer the consequences of a public relations black eye if you hunker down and go incommunicado.
As this case study shows, adjusters are sometimes damned if they do and damned if they don’t.
Pay the claim in the face of conflicting evidence, and be second-guessed for poor decision-making by higher-ups. Contest the claim and align yourself with the other driver’s insurance company, and you get criticized in the court of public opinion for callousness.
No one promised adjusters a rose garden and they certainly don’t get to operate in one in the age of viral posts and social media!