Happy Thanksgiving! I am grateful for the opportunity to work with all of you who have benefited from reading my blog, attending my workshops and live sessions, and those who continue to work with me through the SVLC Insider’s Circle and Coaching/Mastery Programs…
There are 7 Things You should be Focused On
Security is more a people problem than it is a technical one. Many of the losses you read about could be prevented if people better understood how security works, and how data is compromised. In each of these concerns you will see a technical issue. But underlying most are mindset problems. Mindsets that could be changed with some education. Stop talking product, and start talking like this when meeting with prospects.
- Malware Advancements. The bot, or robotic malware, is the most common tool used to compromise computers today. Most people are thinking about viruses, but bots are not viruses. They install on your computers when you download infected emails or files, or visit an infected website. Just about every company has bots. Most don’t realize how dangerous they are or how to detect and remove them. The problem is, because they are so common, even technical people treat them as “normal”. Brian Krebs just put out a great book called SPAM NATION, The Insider Story of Organized Crime – From Global Epidemic to Your Front Door. I’m just into the second chapter, but I can already tell this is going to be spot on. If you want up to date, relevant stuff to talk about with your clients, get this book and study it.
- Trends in Mobility and BYOD (Bring Your Own Device). BYOD initiatives are going on in companies all over the world right now. Since almost every aspect of life involves technology, drawing a hard line between work and personal is becoming impossible. And no one is going to carry two laptops or two phones for long. This will become more and more pervasive over the next few years as generation C evolves. The destructive mindset here is thinking that computing on one device or in one location is just as safe as any location. And so your employees are likely to store and transmit your company’s secrets just about anywhere and on any device. Their assumption is, security technology has me covered. They’re wrong.
- Misuse of Social Media. The use of social media at work has been an Achilles heel for office managers for several years now. It’s a time waster. But wasting time is of little concern when compared to the mindset social media has created. Remember when people were afraid to purchase something online? Or when it was scary to write something about yourself or post a family photo? That’s gone. People send naked pictures of themselves across the Internet every day. If they’re willing to do that, what will they do with your data? In a recent WSJ article, one financial firm reported that 75% of the men in their company gave up highly sensitive information to a woman on Facebook. But get this, 13% of them gave away company passwords. You might have guessed, but this was a 40-year-old male, white hat hacker, posing as a woman to test the integrity of the office workers in that firm. How can companies like yours protect against this type of irresponsible behavior?
- Misunderstanding Compliance. Compliance is not security. Lawmakers would like to think that HIPAA or GLBA compliance are going to keep healthcare and financial data safe. But the truth is, compliant companies get hacked all the time. Compliance rules are set up to move a company toward security, but in no way are they actually addressing the problem. The problem with compliance, according to McConnell is, “Once a company passes the compliance audit, they stop working on security.” Compliance is the law, but in my opinion it’s too often just a distraction from true security.
- Internal Threats. Cybercriminals, spies, and hacktivists are real. But in just about every major data breach, there’s an internal component. In some cases it’s operator error. In other cases it’s a bribe to cooperate with an outsider. The perimeter security mindset assumes that the threat is always outside, yet a recent WSJ report tells us that 75% of employees admit they steal data. When employees don’t get promoted, do get laid off, or move on to a better opportunity, you can assume they’ll be taking data with them. But it’s also true that a hacker can easily pay off one of your employees, giving them 3 to 5 times what they make in salary to cooperate in a data heist.
- Nation-State & Advanced Persistent Threats. You’ve probably seen the term, “Advanced Persistent Threat,” or APT. What is this? The APT are groups of people that want in – they are a “who”, not a “what”. Google “Stuxnet” (a highly sophisticated attack targeting the Iranian nuclear uranium enrichment program), and you’ll start to get a glimpse of the control the hacker has over us. Or consider cyberwarfare attacks that have taken down power grids – they’re seemingly unstoppable. The APT is bigger than malware. These groups are sophisticated, well sponsored, and determined to get something they specifically want. In other words, they are “Persistent.” If they can’t get what they want one way, they’ll simply find another entry point—likely through an unsuspecting employee or third party supplier. If they have to, they’ll pay off an internal employee to get the access they need.
- Cyberterrorism. Finally there is the threat of war or cyberterrorism. While many of these things may not directly impact the small business owner or entrepreneur, they are real. In a worst-case scenario, hacker groups are capable of taking down power grids and other critical infrastructure you rely on to carry on business. There’s not much you can do here to protect yourself. The best thing is to just be aware of it and at some level be prepared for disaster.
In a recent interview with Matt Keane of RiskIQ, we discussed the relevance of security going forward. Over the next 5 years expect your hardware sales to drop off. If you want to grow your business you either need to move into AppDev – with a focus on customer acquisition, customer experience, and customer retention, or you need to focus on security. If you sell infrastructure today, security will be the easiest direction to head. This is what everyone out there needs – the opportunity is big. The challenge is learning how to get to the right people, and how to deliver the right message. When you get there, budget will be available.
Learn more about selling security – check out my newly released Security Sales Mastery Program…
© 2014, David Stelzl
Nobody thought phones would be anything more – just a handset tied to a box with a rotary dial.
Wireless was neat. Remember when it first came out? You could walk around the house, go outside, and continue working on projects while talking…it was amazing.
This weekend was revolutionary for me. Equipped with my iPhone 6 and a $2 app called MotionX, I was able to pinpoint my elevation and location trekking through the Smoky Mountains over the weekend. I also had weather and a way for emergency rescue to track me down if the need arose…
Being a late adopter, I could have spent over $300 easily, just a few years ago, and had a 1 x 1 screen with digital readouts of my latitude and longitude. I would have had to turn off my GPS while hiking to conserve my battery. And when I powered up, it would have been painful to reconnect to a satellite.
This weekend was much different. The iPhone 6 with its larger screen had my topo loaded up before we left Charlotte. That was easy. I just searched with the app, found the location online, downloaded it in just a few seconds, and turned off my phone. When I arrived, I had already reviewed the terrain on Google Earth – printed out trailhead directions from AllTrails.Com, and had my starting position marked on the MotionX map. I also had back-country campsites reserved online – a requirement in the Smoky Mountains. I opened the app at the trailhead – of course we didn’t have service, it’s the Smoky Mountains. But we did have satellite – and I was connected in seconds.
The app runs in the background, so I shut off the screen, put it in my shirt map pocket, and headed out with my kids. Every 10 minutes Siri updates us on our position – she tells us how fast we are walking, what our altitude is, and how far we’ve walked so far. To check how much further… I can either have preloaded waypoints or just check the map on the screen. I chose the latter since I was not able to download the waypoints and didn’t want to enter them by hand.
My phone was on the entire time. The next morning, in 15 degree weather, my battery was looking a little weak. So I plugged into my Anker portable recharger! In minutes my phone was back up and running – which lasted me through Saturday and Sunday.
It’s a little off topic, but not really. The point here is technology is getting faster, smaller, and cheaper. How much longer will the $300 GPS be a viable solution? I can’t imagine the average hiker buying one – the $2 app does it. What about PCs? How long do we have? Servers? Storage? I agree, we will continue to need some of this hardware. But the cloud is changing the value of infrastructure. The iPhone is one example of a computer most of us can’t make a living selling. It and the tablet are changing the way we compute.
How long will it take you to retool? Can you continue to live on basic managed support services and infrastructure resale? As we move into 2015, we should all be thinking about the future of technology sales. What will still be worth paying for? Security will. Security Managed Services will. Consulting will – when it relates to the business. Virtual CIOs and CISOs will be in demand. Custom software will…. Networks, storage, computers….not so much. What are you selling in 2015? What about the year after that?
P.S. I also took all of my pictures with my iPhone – leaving my $350 outdoor point and shoot, and my Canon SLR in my home office collecting dust. Back in the car I made calls, checked in by phone with those back home, and more…
The Security equation has changed. This week I’ll be speaking to business execs in Atlanta on some of the changes they need to be aware of over the next 12 months…Thanks to Milestone Systems for hosting the event. This is much needed in every city! Here’s a quick overview of what’s happening – companies have to change to compete – and this changes everything they’ve ever known about securing data.
Twenty years ago we thought math would solve this problem. Encryption algorithms and authentication keys were the answer. We all realize now that keeping thieves out is more difficult than we originally thought. And with digitization, expect the problem to get worse.
Who Is Behind The Latest Cybercrime Disasters?
Experts tell me there are three primary “actors” in the hacker world: Traditional Cybercriminals, Hacktivists, and Spies (Think – Espionage.) In addition, significant threats may exist internally among full-time employees as well as with contractors and partners (a major topic of conversation these days among business leaders.)
Over the past decade the emphasis has been on credit card theft and skimming money. But more recent attacks focus on IP (Intellectual Property.) This is what Mike McConnell, former director of national intelligence, secretary of homeland security, and deputy secretary of defense, means when he writes, “The Chinese government has a national policy of economic espionage…in fact, the Chinese are the world’s most active and persistent practitioners of cyber espionage today.” He is accusing China of carrying out Nation-State Sponsored Attacks. In reality, these are well-funded acts of war.
Recent U.S. security advisor reports add Russian hacker groups to this problem. Russian groups are thought to be far more sophisticated than the Chinese and therefore pose an even greater threat. Evidence suggests they are actively stealing U.S. innovations right now.
Many have called these acts of war, “The greatest transfer of wealth in history.” When you read about large complex cyberattacks, both Russian and Chinese groups are the primary suspects.
How Is Cybercrime Impacting Businesses Around Us?
Obviously there is the financial loss. But these crimes also cut into jobs, your competitive advantage, and even national security. McConnell comments on how large-scale this problem is, stating, “We think it is safe to say that large easily means billions of dollars and millions of jobs.”
The Internet is the ideal medium for stealing intellectual capital, money, and power. Hackers can easily penetrate systems that transfer large sums of data, while corporations and governments have a hard time identifying specific perpetrators.
In a recent study, the 9/11 Security Commission reported back stating, “Our most pressing problems are the daily cyberattacks against the nation’s most sensitive public and private networks.” They later added, “Yet, because this war lacks attention-grabbing explosions and body bags the American people remain largely unaware of the dangers.” In the case of 9/11 we didn’t awaken to the gravity of this terrorist threat until it was too late – we must not repeat this mistake in the cyber-realm.
What Are Cybercriminals Really After?
As just mentioned, Company Secrets and IP are the newest hacker targets. So who is at risk? The truth is, no business is safe. But small business and entrepreneurial startups are often the primary targets for these perpetrators.
A recent WSJ headline reads, “Hackers target startups that secure early-stage funding.” Startup companies are now detecting cyberattacks just after they raise their Series “A” funding. They’re watching to see when funding is made available, knowing that there will be a sudden influx of cash. Another target would be new innovation. These groups are looking to advance without the R&D cost. To further exacerbate this problem, recent patent law changes actually encourage the theft of intellectual property. The person who files first has an advantage over the patent right. That means that as you are inventing, others are watching. Suddenly credit card theft is of little consequence compared to your ten-year R&D effort. A copycat product overseas might be enough to put your company out of business.
How Will A Digitized World Worsen This Problem?
When it’s digital it’s connected, and that means it’s accessible. It doesn’t matter if something has a password on it. It doesn’t even matter if it’s encrypted. Firewalls are no match for today’s cybergangs. But as we necessarily move more toward the use of transformational technologies and IoT we expose ourselves more and more.
Over the past decade your clients have probably safeguarded their data behind network perimeters. Using firewalls, passwords and encryption, they have felt fairly secure. However there’s an underlying flaw in this approach. See my free ebook below for a thorough description of this flaw…
But a move to transformational technology is necessary. And that means moving away from traditional perimeter security. Digitization means connectivity, mobility, and a necessarily open computing architecture. If your clients are going to compete, all of this is necessary. As I’ve already stated, this is a great opportunity for the small and medium business leader. But with it comes exposure. People can’t control their data in someone else’s cloud, and they don’t oversee the network their employees are using at Starbucks. Their systems will, by design, face the public web, and their company no longer has any definable perimeter security. In the new world, their data is everywhere and accessible by just about anyone. And so, security approaches must change…
This is your opportunity. They need an advisor. But this is not a product sale – it’s an advisory role. One IT can’t really fill…
Make sure you have my book, The House & the Cloud – and get access to the House & the Cloud private resource page, only accessible by those who have the book!
Your Clients are going digital. We all are. And it’s happening fast. Obviously we all use computers and smartphones. That’s not what I mean. I’m talking about a Megatrend. A complete paradigm shift in the way we think about business. Think cloud, appstore, smartphones, and Internet of Things (IoT). Everything is connected; everything is digital. This is the mindset of Generation C – C stands for connected, and they will be connected.
By 2020 our businesses will be fully meshed with a generation of digitized workers and leaders. Their world is online – friends, family, photos, entertainment. They bank on tablets, invest electronically, buy and sell on their smartphones, and transact business anywhere at any time. These people share their lives on Facebook, opt for a text message over a phone call, and hang out together in chat rooms.
This trend is unstoppable. To compete in the future, your clients must be connected too. They must be mobile. They must be global. All of this is now possible, even for the micro business, using what have been called transformational technologies. The cloud, big data, online collaboration, social business, etc. With these space-age advancements, small businesses or start-ups have an incredible opportunity. You have global reach. Suddenly they can compete with Fortune 500 companies. They can utilize enterprise class technology simply by plugging in like a utility. All of this was out of reach just a decade ago.
But what about security???
We’ve already seen evidence of the disaster that awaits us if we don’t wake up. Everything is online. Everything is accessible. Keeping it in the right hands will be overwhelmingly difficult. Over the past five years we’ve seen power grids disrupted, military secrets compromised, major retailers sifted of their customers’ data, and some of the most intimate parts of our lives digitally exposed. And it will get worse.
So while your clients must be digital, can they handle these new threats? Threats that may surreptitiously take their most prized intellectual property (IP), and steal the trust of their most loyal customers.
This is an opportunity for every technology reseller – but especially those of you who call on the SMB sector…
This is so important that I’ve recently updated my book, The House & the Cloud to include these concepts. I had hoped to have it out this past summer, but it was just too much. So I am making some final edits, including some recent events, and hope to have this in the printer’s hands before month-end!
As a bonus, I have created a special private membership site just for those who have the book. You can get access to it by downloading the current free version of The House & the Cloud – an email with instructions will get you there. You’ll find updates on the new version as well as videos and other tools to supplement the book content…
Also, if you have not seen my new Security Sales Mastery Program – it’s in place and people are taking advantage of it.
IoT Brings Danger – And The Executives Around You Don’t Understand!
Do You Sell Technology? What About Security?
If your company sells technology, and specifically security technology, your firm has an important job to do. It’s frustrating when marketing efforts seem fruitless or when prospects seem to have no real needs. Or when executives refuse to meet with you, insisting that you meet with IT Administrators. But the truth is, they all have an urgent need. And your technology firm could be helping them.
The Internet of Things (IoT) is a game changer. I’ve posted the TED video above because it speaks to the future when just about everything is online. Even the chair sitting next to the speaker. The IoT can mean a lot of things. It offers all kinds of efficiencies, from resetting your A/C while away on a trip, to using your smartphone to control your home security system, or maybe a deer cam deep in the woods. But there’s a problem no one’s really addressing. It’s a big opportunity if you’re ready for it.
So Where’s The Big Opportunity?
It’s the threat that stands behind the chair in the TED video. Target was attacked through an HVAC connection. But an article posted in the Wall Street Journal today sheds light on a much bigger issue. Critical Infrastructure Devices on the Internet. Stuff that’s connected that no one is really thinking about.
The U.S. tops the list of connected critical infrastructure. Rachael King, one of the WSJ writers I follow daily, writes, “control systems used in utilities, health care facilities and transportation systems are connected…to the Internet…In many cases, the operating companies are not even aware…” That last sentence is the key. The people running the companies you call on have no idea what’s connected and how that exposes them. In fact, Rachael goes on to point out that “Most of the systems that are exposed seem to be accidental…and the result of poorly configured network infrastructure.” In other words, no one really knows until a thorough investigation takes place. IT is making mistakes, and no one really knows until it’s too late.
This is a topic for your next Live Event Demand Generation Program!
Next week I’ll be speaking about these things in Cincinnati, Ohio. It’s an educational event with a big opportunity on the other side. My goal is to get business leaders thinking about this. No one has it covered. The question is, can we convince them to take a closer look? If we can, there’s an opportunity, because 95% of the time we will find evidence of data exposure or critical devices or data accessible from outside the firewall.
One of my coaching clients recently took a job with RiskIQ. This is cool technology. The idea is to profile the attacker. To take a look at a company’s assets from outside the firewall. Using some pretty sophisticated scanning technology, this company will scour the Internet to find data that belongs to a given company. That data might be unstructured data on a SharePoint server, or it might be stolen data being sold in a chat room. In most cases they’ll find something that isn’t supposed to be outside the firewall. And when they do, it’s a surprise to the CIO. But it’s also an opportunity – a project opportunity.
While you don’t have to use RiskIQ, these types of issues demand something more than simply scanning the perimeter for open ports. In my book, From Vendor to Advisor (pg. 139), I describe an executive approach to discovery. The security message demands an executive audience. It requires involvement from the people who are liable when a breach occurs. Preparing to deliver this message might be the key to your future value proposition – the thing that sets you apart from the average reseller.
P.S. Looking to Make Quota This Year? Make sure you have a copy of my security sales book, The House & the Cloud… Get the free ebook version.
Healthcare Records Can Be More Valuable to Hackers Than Your Credit Card Number…
On the day JP Morgan announced the theft of 79 Million account records, I will be presenting a keynote on healthcare security at the annual 3T Systems Healthcare Summit, in Avon, Colorado.
My heading – “Healthcare Records Can Be More Valuable Than Your Credit Card,” comes from a Sept 2014 article from Reuters. While the full details of one’s financial account information are worth quite a bit, card numbers and names have become a commodity. That doesn’t mean hackers don’t want them. They do. When a hacker steals 56 Million from a POS system, there’s money to be made.
But Healthcare records, containing names, birth dates, social security numbers, and medical history are worth about $10 per record. So when Community Health Services announced a 4.5 Million record breach earlier this year, you can believe the hackers are doing pretty well. And there’s no federal tax to be paid on the resale of this information.
Other important sound bites:
- Medicare fraud over the past year is up to $6 Billion. Who is going to pay for that? You and I will.
- 40% of healthcare companies have reported a breach over the past two years according to a recent threat report.
- 90% of healthcare cloud services are hosted by companies with a medium or high risk rating….
- The FBI tells us medical security is weak and it may take years before a victim catches on.
What Will Hackers Do With All This Data?
They’ll resell it of course. There is the threat of someone misusing this information on purpose for extortion purposes. And there’s that risk that data could leak out, exposing someone in a way that would harm their reputation. But the real threat is fraud. When Community Health Services was hacked, China was blamed. Why would the Chinese want this data?
Healthcare data is primarily used in two ways. The buyer will use it to buy expensive medical equipment that can then be resold – such as expensive motor scooters. The other scam is to file fraudulent medical claims. When this happens the victim will likely start getting medical bills that aren’t theirs. Trying to fight this won’t be easy if you’ve ever had to deal with bill collectors.
All of these costs will eventually be passed on to us as consumers and taxpayers.
The Key Problem
The problem is HIPAA. I don’t mean that the HIPAA laws create a weakness. What I do mean is that they have pulled everyone’s attention toward compliance laws that require a lot of effort to keep up with – but don’t necessarily lead to security. Take the assessment requirement for instance. Doing automated pen tests is something every company should do, but in my opinion it’s hardly an ethical hacking test. All it does is expose major weaknesses in the systems that are scanned. It does nothing to combat the social engineering tactics that hackers will actually use.
Thanks to 3T Systems for hosting this informative event, along with their partners including Check Point and Citrix.