How Secure Is Your Data – What About China?
The big companies have had their share of horror stories with credit card theft this year, but are you and your customers watching the trends in espionage? Earlier this month I interviewed a couple of former NSA agents to give technology providers some insight into cybercrime trends and a war we are all involved in. Summer Worden, one of my guests on the SVLC Insider’s Circle Program, talked about Russia and China, revealing some of the hidden agendas and what to expect in the future. Much of this is driven by economics, according to Worden. China’s economy needs more innovation, and what better way to get it than to take it from the United States?
Espionage Is Hitting Businesses Right Now
This week in the Wall Street Journal, Frank J. Cilluffo and Sharon L. Cardash gave us more on this. Here’s a sound bite that should shock us: “The FBI reports a significant spike in its number of economic espionage cases: a 53% increase just this past year.” Where is this coming from and what’s driving it?
According to the article, “Randall Coleman, the head of the FBI’s counterintelligence division, told the Wall Street Journal in July that much of the suspicious activity is performed by Chinese companies against U.S. firms and that the Chinese government plays ‘a significant role’ in the attempted theft of trade secrets.” Espionage, as pictured in the movies, generally deals with government data – like the recent OPM hack I wrote about a few weeks ago. But this is about business. These are companies targeting companies that have new ideas, strategies, and innovations that the competition in China will benefit from.
In Kevin Mitnick’s book, The Art of Deception, he shares the tale of a businessman entering a small business responsible for developing high tech manufacturing equipment. The man approaches the front desk asking to see the president of the company. The receptionist informs him that the president is out of the country and unavailable. At that point the businessman begins to fumble through his planner, double checking his meeting. He’s flown in from out of town, and is supposed to be meeting the president to discuss a joint venture. There must be a mistake!
In a last-ditch effort, he asks if the development team is in – perhaps he can take them out to lunch to review the plan he and the president have come up with. They agree, and into the development area he goes. They spend several hours discussing the latest drawings and plans – the company’s latest top-secret innovations. The businessman takes a few pictures and heads out, promising to reconnect next week when the president returns.
You probably guessed – but when the president returns, and the team reviews their recent meeting, the president has no idea who they are talking about. This is a case of economic espionage, and chances are the business guy is now back in his own lab building a “Copy-Cat” product with only a few months of R&D vs. the decade the first company spent developing these ideas.
No Need to Go Onsite
Like your evolving managed services program (if you are an MSP), you no longer have to go onsite to do your work…the same is true when it comes to stealing company secrets. As the WSJ article states, “If you place yourself in the shoes of those playing economic catch-up, why invest millions in R&D if you can simply steal it at a fraction of the cost, especially with just a few clicks of a mouse?” Now that everything is connected and online, stealing information is simple.
Cilluffo and Cardash rightly point out that, “The theft of intellectual property and trade secrets destroys jobs in this country, and undermines the nation’s economic competitiveness by striking at the heart of U.S. innovation.” And in this case, nation states are behind these acts of war! Years ago I read in another WSJ article, “This is a slow sifting of the American economy,…and because it lacks the alarming explosions and body bags, no one is really paying attention.” At some point we will find our bank accounts empty and our businesses collapsed.
No One Is Claiming Responsibility, But Who’s Investigating This?
Terrorists claim responsibility when they blow things up. They want us to be afraid. In a war, the opposing country generally announces its demands and threats of invasion. In this case, the thief is not interested in being known – they have no demands. They are looking for a competitive advantage. It’s to their benefit that no one knows what they are up to. If they can silently get away with strategic information, they can recreate a product in their own lab, with a fraction of the required investment in time and money. With their copy-cat product in hand, they are now able to sell it at a fraction of the cost. Recovering their investment is easy – they didn’t spend their own money on this invention.
What to Do About It
In the WSJ Article, the writers tell us, “Recent reporting suggests that the Administration is striving to craft an innovative and calibrated response to the OPM hack in light of its scale. This is a significant development in the ongoing match of Spy vs. Spy on steroids. An equally compelling answer is needed to China’s economic espionage against the United States. Time is money in this context — but more importantly, it is national security.”
It’s true, our government needs to get on this. In a recent Presidential speech I heard Obama say that our greatest threat right now is environmental…I have to respectfully disagree. Without a doubt, I believe it’s cybercrime – Hacktivists, Nation States, and Cybercriminals. All three are attacking everything from your personal data, to company innovation, to our nation’s intelligence. As a technology provider I want to encourage you to start educating your clients – everything must be secure, and it can’t wait for the next budget cycle or a government mandate. Like a doctor sharing the diagnosis of cancer with a patient, it’s up to us to convince them to begin treatment. This is not about insurance, it’s about preservation.
“Those who say they have it covered are either ignorant or lying to you.” – A quote from my most recent book, The House & The Cloud 2nd Edition.
© 2015, David Stelzl
P.S. If you want more on how to convince your customers they need better security, this book explains how to do it…(click to see it on Amazon.com).
If you’ve encountered Cryptolocker – it’s just one of many attacks that have come out of the Gameover Zeus Gang. But the story is just now unfolding. The Gameover Zeus Gang refers to itself as The BusinessClub. Their botnet has been one of the most destructive forces in cybercrime over the past few years – focusing on espionage, bank account sifting, and ransomware. Small and large businesses have been impacted – this is important! Rather than rewriting all the details, there are two ways to get more insight on this:
The FOX IT Report on Gameover Zeus
Read two reports – Krebs on Security does a nice job of summarizing. The Fox IT report contains more details, and looks to be the primary source for Krebs.
The Fox IT Report – link to access it
Brian Krebs Summary Report – link; consider subscribing
Interview: Get The Inside Scoop on Gameover Zeus
On August 11th, I’ll be interviewing former NSA Agent Summer Worden – who has been collaborating with investigators on this major crime break over the past several months. Summer Worden is the founder and chief executive director of Filly Intelligence LLC, an advisory firm focused on applying an intelligence-based approach to secure enterprise vulnerabilities using military cyber and intelligence best practices. Ms. Worden is a 13-year veteran of the U.S. military and Intelligence Community (IC). During this time she served as an operational intelligence officer in a variety of leadership roles; her positions held within the IC were served at both the field level and at the heartbeat of our nation’s highest authority for strategic national intelligence. Her strong competencies within sensitive intelligence operations were recognized when she was selected to lead one of the five operational teams of the National Security Agency (NSA). These five teams serve as a direct asset of the Director of the NSA, and their mission delivers 24-7 national support for critical events and clandestine operations across the globe.
To join us on August 11th, simply join the SVLC Insider’s Circle today – there’s no obligation to stay long term; however, this is one of the best ways to stay on top of security trends, as well as the sales and marketing strategies needed to serve the security market. Read more about the SVLC Insider’s Circle (link).
Windows 10 Is Here – So How Will This Affect Your Managed Services Business Over the Next 12 Months?
Resellers – I’m talking about the SMB VAR that has converted most of the business to managed services.
There are many; if you’re a VAR, it’s you and your competition. Since the late 1980s, when Microsoft Windows first appeared as a viable business choice, beating out OS/2 for the majority market share, Windows’ problems have dominated IT’s time. This operating system has never really worked – not like other operating systems. If you don’t agree, you may not have experienced the amazing capabilities and stability of IBM mainframe technology, the OS/400 and its System 36 predecessors, and of course many flavors of UNIX. These computers run circles around Windows. But that’s another subject for another day.
The point is, managed services has been sold as a way to even out the expense associated with the support nightmares small businesses face every day. And I have to believe that 90% of them, based on many VAR interactions, are Windows problems. What happens to your managed services business if this version actually works?
I Use Mac and Don’t Really Need An IT Group
I started with Apple back in 1984. In 1987, taking a job with what is now Bank of America, I was forced to move to DOS (which was also extremely stable and easy to use), and eventually Windows 3.0 (the first real Windows look and feel). Windows 3.0 was not an operating system – it was an overlay that ran on DOS. Eventually Microsoft turned this thing into a complete operating system – NT.
Remember Vista? Many revisions after the original NT operating system…it was supposed to be the silver bullet. I bought a new laptop from Dell around that time, with Vista installed. By the time Windows 7 came out I was ready to convert! I did – I moved back to Apple. I rarely need any support, and have no regrets. It’s been over seven years now.
Mac People Converting? It’s a Sign.
When Microsoft Windows 7 came out, many of the problems were said to be corrected. And they were. I had one Windows desktop remaining in my office, and immediately upgraded it to the new Windows OS. Running 4 Macs and one Windows 7 computer was interesting. In case you haven’t guessed, the Windows box was the only system that required frequent rebooting, laborious updates, and periodic wiping and reloading.
So I was surprised when I read last week in the Wall Street Journal about a Mac follower converting to Windows 10! Something about 10 must be really good! I guess we’ll see – but what happens to your business if Windows users suddenly don’t need much in the way of support?
Sure, there will always be a need for some support. The entire city of Charlotte, NC and the surrounding 100-mile radius is supported by about 2 Apple Stores. There might be a third. This is actually good. I mean, computers should be getting better, and software should be more stable over time. This technology is maturing. But what’s your next move?
The Point Is, VARs Must Change
I’ve written about this before, but it needs to be written again. I just got off the phone with a long-time customer and friend. His business has been very successful over the years – he sells managed services. This year growth is flat. I know many resellers are making money – they’ve built substantial recurring revenue through managed programs. It was the smart thing to do. Those who didn’t do it are probably in trouble right now.
But there’s always a next move. The technology business won’t stand still. And it’s about that time. Regardless of when you made the transition, it was 2003 when the early adopters did it.
You have two choices, the way I see it: security or software. Either help companies make the digital transformation with custom software (a competitive-advantage sell) or move to security – intelligent, predictive security. The technologies are new, but now’s the time to jump onboard. If not, you might find your Windows 10 customers don’t really need you. After all, it’s moving to the cloud…like just about everything.
P.S. Not related to this post really, but there are some interesting and concerning security issues emerging with the release of Windows 10. Your team might want to be up on these – might create some new business opportunities.
And What Questions Should They Be Asking?
The big question being asked, according to Kim Nash, columnist for the WSJ, is: “Whether their company is vulnerable to breaches similar to those at Target Corp., Anthem Inc. and the U.S. Office of Personnel Management (OPM)?” There are two things to consider here – first, who can answer this question? Second, is it the right question?
According to Kim, it’s not the right question – but let’s go to my first concern which is, “Who can answer this question?”
Will We Be Hit Like Target, Home Depot, or OPM?
Most executives can’t answer this question honestly. And their security team doesn’t really have a clue either. If they did, we wouldn’t be reading these stories every day. And, if you look at the stories being published, it’s the big guys – yet we know statistically, 60% of the breaches are hitting the SMB market. Most of these breaches never make the news. So the board can ask, but they’re not likely to get the real answer.
If you didn’t see my comments on OPM, you might want to take a look (read about Donna Seymour and OPM’s failure to protect our nation’s critical personnel data). The board is missing the mark here because they misunderstand risk. In my book, The House & The Cloud (2nd Edition), I’ve given a lot more attention to the impact vs. likelihood graph than I did in the 2007 version – it’s a model I use to communicate risk to business leaders.
If you know security, the concept is pretty simple. The missing link in most assessments is a measure of likelihood. And that’s what the board is really asking – although they are asking it incorrectly. What they really need to know is: where’s our data, and what are the top 3 to 5 threats we are facing right now? Given these threats, what are the odds we’ll be hit over the next 12 months? (More detail on how to figure this out, starting on page 194 in The House & The Cloud.) As I said in my latest speaker promo video, risk needs to be presented in simple business language – in terms everyone who uses and depends on data can understand.
The question isn’t “Can they get in like they did at Target?” Rather, they should be asking, “Can we detect a breach in time to stop the damage?” Remember, like a house or bank physical robbery, hacking does take some time, and it does make noise – but you won’t hear it with your ears. You’ll need detection technology in place and the people with the skills and understanding to turn that data into intelligence.
So what’s the right question? Can we detect and respond before it’s too late?
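The impact vs. likelihood model described above, worked through as an added example (this is my illustration, not code from the post or from The House & The Cloud): each of the top threats gets a 12-month probability and a dollar impact, the product gives its expected annual loss, the threats combine into one “odds we get hit this year” figure, and each lands in a quadrant of the graph. The threat names, probabilities, impacts and quadrant cut-offs are constructed for illustration.

```python
"""Impact-vs-likelihood risk model for the board's 12-month question.

Added example; the threats, probabilities, dollar impacts and cut-offs
below are constructed, not taken from any real assessment.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Threat:
    name: str
    annual_probability: float  # odds this threat lands at least once in 12 months
    impact_usd: float          # estimated loss if it does

    def __post_init__(self) -> None:
        # A likelihood outside 0..1 or a negative impact is a data-entry error.
        if not 0.0 <= self.annual_probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be in [0, 1]")
        if self.impact_usd < 0:
            raise ValueError(f"{self.name}: impact must be non-negative")


def expected_annual_loss(t: Threat) -> float:
    """Likelihood x impact: the single number behind each point on the graph."""
    return t.annual_probability * t.impact_usd


def probability_of_any_breach(threats: List[Threat]) -> float:
    """Odds that at least one listed threat succeeds in the next 12 months.

    Assumes the threats occur independently (a simplifying assumption):
    P(any) = 1 - product over threats of (1 - p_i).
    """
    p_none = 1.0
    for t in threats:
        p_none *= 1.0 - t.annual_probability
    return 1.0 - p_none


def top_threats(threats: List[Threat], n: int = 5) -> List[Threat]:
    """The 3 to 5 threats worth the board's attention, ranked by expected loss."""
    return sorted(threats, key=expected_annual_loss, reverse=True)[:n]


def quadrant(t: Threat, likelihood_cut: float = 0.25,
             impact_cut: float = 250_000.0) -> str:
    """Place a threat on the impact-vs-likelihood graph (cut-offs are constructed)."""
    likelihood = "high likelihood" if t.annual_probability >= likelihood_cut else "low likelihood"
    impact = "high impact" if t.impact_usd >= impact_cut else "low impact"
    return f"{likelihood} / {impact}"


# Constructed sample register for a fictional SMB client.
SAMPLE_THREATS = [
    Threat("phishing-led account takeover", 0.60, 150_000.0),
    Threat("ransomware", 0.35, 800_000.0),
    Threat("insider misuse", 0.10, 500_000.0),
    Threat("lost or stolen laptop", 0.40, 40_000.0),
    Threat("web application compromise", 0.15, 300_000.0),
    Threat("vendor breach", 0.20, 200_000.0),
]


if __name__ == "__main__":
    print(f"Odds of at least one breach in 12 months: "
          f"{probability_of_any_breach(SAMPLE_THREATS):.0%}")
    for t in top_threats(SAMPLE_THREATS, 5):
        print(f"{t.name:32} EAL ${expected_annual_loss(t):>10,.0f}  {quadrant(t)}")
```

With the constructed figures the register answers the board’s question as “about a 90% chance of at least one breach this year”, with ransomware and phishing at the top of the list.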
Are You Getting To The Board?
Have you ever been invited to meet with or present to a board of directors? It’s a powerful moment in the sales cycle if you have something meaningful to say. Yesterday I was working with a rep on some strategy, as part of the SVLC Security Mastery Sales Program. We were discussing strategies to get a CEO or Board level meeting.
Most are still working at the IT Director Level. Remember, the IT Director is low on the liability list for security. They might lose their job – but getting a new one, if they know security, won’t be hard. In fact, they may take a pay raise. On the other hand, people like Donna Seymour of OPM are in trouble. (Again, read my post and consider Donna’s situation – is it her fault, or is there something bigger going on here?)
Now is the time to move up – company leaders need more security insight right now and the WSJ is backing you on this. The CISO cannot possibly figure all of this out in a vacuum. And aside from some of the largest accounts out there, their people won’t have the experience to do it either. Managed services (with a security focus), backed by skilled security experts is needed to collect and analyze the data, repackaging it into something business leaders can use – intelligence.
What About SMB Companies?
Don’t let the board of directors thing keep you from your SMB accounts. The SMB is under fire right now – and the owner of that business is similar to the board. They need to know the same things; they just have fewer resources to figure it out.
For some reason people still think their data is safe with someone else…
First it was Adult Friendfinder, now Ashley Madison, hacked…
In this most recent attack, 37 million users are waiting to see what their online profiles might look like posted online somewhere. Back in March it was 3.5 million users, taken from Adult Friendfinder. The hacker says he did it for money, and was looking to shame government workers. In case you’re not familiar with these sites, they specialize in extramarital hook-ups.
Speaking of this week’s hack, Brian Krebs writes, “The data released by the hacker or hackers — which self-identify as The Impact Team — includes sensitive internal data stolen from Avid Life Media (ALM), the Toronto-based firm that owns AshleyMadison…In a long manifesto posted alongside the stolen ALM data, The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.”
Apparently that delete function doesn’t really work…but in the data world, you can almost never count on delete, actually deleting!
Why am I writing about Ashley Madison? There are a few important lessons here…
1. First, no site is safe from hackers – and as this hack shows, disgruntled employees or customers should always be considered in long-term defense planning. Many of your clients assume their employees and customers are safe. They’re not. One small problem can set off a business-crippling sequence of events. Will Ashley Madison recover from this? Regardless of whether you agree with their business, the point is, it’s their data and their business – it could be any business.
2. Since no site is safe, people should be thinking hard about the data they entrust to someone else. People forget, but passwords don’t work. We should all be considering what data we put on a device that connects to a network…of course most of us have most of our lives online right now. How hard would it be to erase your bank account? It’s just data at this point. It’s also true that altering your medical data could disqualify you from a job or lead to all kinds of questions being asked. Data is an asset – the stakes are growing as we put more of it online.
3. When you move to the cloud, something most businesses are doing to one degree or another, the data is held by someone else. Of course the cloud-based provider will tell you it’s still your data, but when you say DELETE, don’t be surprised if your data isn’t actually deleted – which brings up the $19 fee Ashley Madison charges to delete. Can you believe it? You have to pay to have your account deleted. And from what the hacker is saying, they don’t actually do the DELETE. They just collect the money. Do I hear another lawsuit coming?
The underlying problem here is education. Most of the companies you call on don’t understand their risk. They don’t understand where the data is, what’s protecting it, and the odds it will be compromised. I’m not speaking of IT here. I am speaking of the company leadership. IT will just go get a new job – the leadership will be stuck with the lawsuits and the mess to clean up. In many cases they will go out of business. Only when they understand their likelihood can they make wise decisions to change their security approach. Either that, or wait until the hack happens, and then start scrambling for new strategies and technology.
And What We Can Learn From Donna Seymour
Are you talking about the most important things in IT when you meet with business owners and CIOs? It’s security – not managed services. Cost savings are great, but security is crucial. In fact, for some, not only do they need more security…they need more education and perhaps a lawyer.
What Happened to Donna Seymour?
Just a few months ago no one knew the name, “Donna Seymour”. Today, she’s becoming a household name. Is it her fault that millions of employee records were taken from the OPM? It might be – but who knows. It would be easy to jump on the bandwagon and say she should lose her job. The truth is, any company can be successfully hacked and the CIO can’t stop it. However, there are some things to consider. Due care means taking the steps that should be taken to decrease the risk of an attack. But this is harder than it sounds.
First, how often do politics get in the way of making the right decision? You know, the budget constraints everyone works under. I just got off the phone with a sales rep going through my Vendor to Advisor Mastery Program – he’s facing this issue right now. A very large company in the midst of a merger, not willing to spend any money. How should he respond?
With Donna, what we can say, based on a recent study I wrote about a few days ago, is that these business leaders are not equipped to make a case for better security because they can’t quantify the risk. They don’t know how much risk they really have, so they don’t know how to budget, or how to justify more budget.
As a result, Donna Seymour is not only being pressured to join the Target leadership in resigning, she’s being threatened with lawsuits. She blames it on outdated infrastructure – that’s probably true, but as Eric Ries, author of The Lean Startup, recommends, you need to ask “Why?” five times to get to the root cause…and it’s not outdated infrastructure.
Why did OPM get hacked?
Outdated infrastructure – that’s what they are telling us. But why is the infrastructure outdated? Because Donna didn’t get budget to upgrade it sooner. Why not….etc. I bet it eventually boils down to not predicting the need. A security expert probably would have predicted it. The average CIO would have delegated that meeting down to someone in IT Security, and that person would have delayed any sort of action due to budget constraints – not wanting to pressure Donna, or being too afraid to ask. That IT person is still unknown and still employed. Donna on the other hand may not be for long. Donna should have taken the meeting.
Or, it could be that there just wasn’t a sales person bold enough to ask for the meeting with Donna. Maybe she would have listened, if the sales rep had offered the assessment. Who knows.
Of course they’ve had assessments, but were they the right kind? Did they just choose the low cost provider and get what they paid for? Or did the provider deliver the right results, but Donna failed to take action? Who knows?
These lawsuits are personal
Donna’s being held personally responsible for the loss of millions of personal employee files. Whatever her organization wasn’t willing to spend, she’ll make up for personally (Of course she can’t really do that – millions of people are affected and a credit score service is not going to protect them on this one.)
Are You Talking To The People Who Need To Know?
Are you calling on CIOs that won’t take the meeting? The WSJ reports, “CIOs generally should expect to be sued in increasing numbers over cybersecurity issues…” In my latest book, The House & The Cloud, on page 195, I explain exactly what Donna needed, and what every CIO, CISO, and board member needs to know. So you have a great reason to make the call – what can you say to get them to listen? Hopefully, by understanding these recent attacks, you can get someone’s attention before it’s too late.