Archives For Data Security

How Long Will Your Business Remain Relevant…

…As Companies Around You Are Transitioning to Cloud, Consolidating IT, and Buying Less Hardware???

This morning, in my TechSelect Business Pillars Session, I delivered urgent steps of action EVERY technology reseller should be jumping on…here’s a summary:

Over the past 12 months, live event, one-to-many selling, has produced more leads and deals than just about anything.

The value of one MSP client in the SMB market averages at about $1500/month, or $18,000 per year – with a 5 year average retention rate, that’s just short of $100,000 per client!

Add advanced security to that deal and you’re likely to push your average up 20%…(Mid market deals, although harder to close, offer even greater potential if you understand the sales process I describe here).

What would your business look like if you could hit the numbers I reference in this video? What would it be worth to you to achieve this level of sales?

Find out in this 25 minute video how to re-engineer your business, with a new breed of security, now becoming a necessity in the SMB and mid-market space.

© 2017, David Stelzl

P.S. Get the step by step process in written form – The House & The Cloud

cloud diagramIf You Want The Right People Reading Your Report, You Have to Start With The Right People In Assessing The Risk

Too Many Security Assessments Start and End With Technology – Big Mistake!!!

Data Security is a BUSINESS RISK issue, not a technical exercise…

Technology Infrastructure supports the business, just like administrative assistants, the fleet department, or shipping – A mishmash of infrastructure, people, and process working in harmony to run a business.

The more we move toward digitalization, the more we’ll see robots and automation replacing people, and changing the way business operates…

With process change comes risk change. Don’t be fooled – The Network is not the endgame. The business is…

In this article I’ll show you exactly who to include, why, and how – when thinking about risk assessments and data security.

(For More In-depth, Step By Step Selling Ideas… See Page 194 of The House & The Cloud – Get The Book for Just $1 Right Here!) <<< Click For More Info!

Over the past several months I’ve written a series of articles on how to approach data security risk assessments.

However, rather than addressing the bits and bytes, I’ve intentionally focused on the selling, business interaction, and conversion strategies designed to drive new business opportunity.

The approach you take, and the people you include, have a lot to do with your conversion rates and business success.

Stop: The Traditional Approach To Selling Doesn’t Work!!! (When Talking SECURITY).

Remember, the purpose of assessing risk is to move the company forward on remediation efforts.

If you’ve been in security any length of time, you know it’s rare to come away from an assessment with NO URGENT ISSUES.  Threats and security vulnerabilities are everywhere!!!

Whether it’s a gap analysis, pen test, or overall risk assessment, you’re going to find stuff – and it must be addressed. However, using the traditional vulnerability-assessment approach rarely leads to any significant change or remediation. If the stake holders don’t have justification (in their own language) they won’t write the check needed to remediate.

By traditional approach, I mean, heading in with scanners, looking at internal and external vulnerabilities, diving into O/S configurations and network segmentation, all without ever engaging the company’s leadership or end-users.

The First and Only Place to Discover a Company’s Most Valuable Assets

Years ago I was struggling with just how to get executive attention with security assessments.

We were working in mid-market and enterprise accounts, assessing risk. The projects were highly profitable. However, the long term business opportunities just weren’t coming through (See my recent article on the Long Tail of Assessments).

In DESPERATION I consulted with a friend in the Disaster Recovery Space (DR).cloud computing

DR experts always start at the top. Why? Because DR is much more than data. It’s a business issue.

When a DR plan is constructed, it includes things like business failover. Will the company have a hot site, warm site, or cold site? The plan addresses the entire effort of moving critical business functions over to a new location in the event of any major disruption.

In order to create a successful failover, business people have to be involved. Every step must be planned and tested.

The DR consultant needs to know what processes exist, what roles people play, what the business can’t live without, and how much time they have to be up and running following the BOOM (Any major disaster).

DR planning starts with the identification of critical infrastructure, applications, data, and people. It’s all just part of the bigger picture.  But DR is SECURITY!  That’s right…in the ISC2 common body of knowledge, the CISSP (of which I am one), studies DR as one of the primary pillars of security.

In other words, security assessments are a form of BUSINESS IMPACT ANALYSIS.  They consider risk (IMPACT vs. LIKELIHOOD) – the likelihood of experiencing the impact for an event.

Measuring risk, like we’re talking about here, demands an understanding of assets and critical infrastructure, which can only be had through interaction with the stakeholders…

And no, this can’t happen by submitting a list of 10 or 20 questions to the IT director to be passed up the ladder…the DR expert would never proceed without direct contact.  It’s UNTHINKABLE.

Only These People Can Tell You How Data Gets Created and Where It Sits

Talk the End-Users – the one thing everyone seems to avoid doing during an assessment.

The executives should be able to tell you (the assessor) what is important. However, don’t expect them to know exactly how data gets created, used, or who needs access…

Maybe in a very small business…but go upstream and talking to end-users becomes necessary.

Only the end-user can tell you how data is getting entered or created. The problem is, these hands-on knowledge workers are almost never included in risk assessment interviews.  Go over to the DR side and you’ll find these data-creators and users intimately involved in what goes on with the company’s daily operations.

Finally, It’s Time To Invite Technical People To The Party

It’s time to predict major holes…that’s right, PREDICT…(Do this before diving into the servers and network)

Enter the SECURITY technical subject matter expert(SME).  In most risk assessments, the SME is first in line…but shouldn’t be. The assumption is, the network and servers need inspection, so let  the tech guy do it.

Technical people are essential to a proper understanding of the company’s security architecture – and analysis of any scans or traffic…

However, risk has a lot to do with business process, types of data, market conditions, and business activities specific to your client. For instance, if there’s a merger in the works, a strategic announcement or product launch, or perhaps a layoff coming, the company’s risk will be affected.

You’ve taken time to review your client’s business (Through executives and end-users) – so now it’s time to merge your findings with technology…

Your technical team should now be reviewing everything you have discovered… with the goal of understanding how your client’s data should be protected… It’s an INTERNAL brainstorming exercise.

You and your team are asking the question: What would need to be true to keep this company safe?

DO THIS: Make a list of 20 things that a company like this (size, category, market, vertical focus, etc.) must have in place given the current relevant threats (for instance – Ransomware).

NOTE: More Details in on threats and security mistakes in my book, Digital Money (on Amazon).

It is from this list your technical team will begin their analysis.

You May Now Look At The Network

List in hand – it’s time for the deep dive. Notice, now you can ask the IT people specific questions about encryption, failover, access control, etc. with business relevance.  Look at your competitors assessment deliverables and you’ll see almost no one does this sort of thing.

Your client’s workflow directs you through their systems and architecture…so rather than looking at this from an inside/outside perspective (which does still need to be considered) you are approaching from an asset perspective.

ASSET FOCUSED – I call this…

Where is the data? Who accesses it? Where does it travel and how? How is the precious cargo stored, archived, or deleted? And what must be true to keep the company’s secrets secure (considering CONFIDENTIALITY, INTEGRITY, and AVAILABILITY)?

In addition, you will want to scan for vulnerabilities…but MORE IMPORTANT is collecting traffic. Another step often missed on the assessments I see…If there’s malware or foul play, it’s going to show up in the traffic!

And, don’t leave out the ONE BIG HOLE so many companies fail to consider…End User Awareness Training…in fact, it might be wise to develop a quiz of some sort, and add a scoring system to show your asset owners where their data creators and accessors are with regard to security savvy.

Time To Deliver Results – Don’t Leave Out This One

You’ll need two reports to make this work. The executive summary, and the appendix…Who’s going to write this????

In most cases, your competition is only delivering the latter…O, they probably have a section in their 50 page document called, Executive Summary…but how many executives are actually reading that section. Take a look and see if it looks like executive reading material. (Hint: the Red Light, Yellow Light, Green Light was a clever invention, but I don’t see CFOs acting on it).

Executive summaries should be short, to the point, and easy for business people to digest. Check out Chip & Dan Heath’s book, Made to Stick, for some insightful tips on making reports consumable and memorable.

If you think your SME is going to write this document (the executive one), think again. This is an exercise requiring the skills of a copywriter – learn the skill or outsource it.

Important Factor: After All, You’re Liable!

Finally, make sure you get an audience with executive management during the initial stages and deliverable stages of your assessment.  Insist on it! Don’t take NO for an answer.

After all, you’re liable in some sense. If your client gets hacked tomorrow, and you were in there today, someone is going to want to talk to you. If you’ve uncovered serious holes in the armor, and you were depending on IT to carry that message to the commanding officer, you just might be surprise to find out it didn’t really happen the way it was supposed to.

© 2017, David Stelzl

 

1What’s The One Big Issue Behind Almost Every Hack?

Hint: Most Risk Assessments Ignore It!

One questions I always ask on our final coaching call (in The Security Sales Mastery Program)…
“What is your client’s number one security mistake?” Answers vary…
Is it… 
  • Poorly configured or managed firewalls,
  • Untested backup systems,
  • Improper network segmentation
All are important, but none are right, said Security Expert Thomas L. Norman (author of several security/risk analysis books and a recognized industry speaker).
In a recent interview, I asked Tom what he believes is corporate’s biggest mistake…
“Easy!” says Norman, “It’s a lack of user awareness training. Training is always treated as an afterthought, and a waste of time in the mind of employees”
He went on to explain that every security issue is rooted in a mistake made by an end-user, who just didn’t understand security.
In many cases the mistakes are made by hard-working end users doing their job, looking to be helpful and efficient, but out of touch with the surrounding threats.

Experts Without Experience, Opening the Doors To Destruction

Imagine going in for heart surgery. Your surgeon – an expert on IT and certified with his CISSP.
He’s earned his masters in computer science (with a specialty in data security), has designed networks, written books, and even designed his own operating system.
But this is heart surgery!
So while he is able to access everything he needs online, including the patients medical history, YouTube videos on how to perform the surgery, and perhaps even hacked into a paid channel online to observe an actual surgery, he has zero credentials when it comes to medicine and surgery. Are you going to let him proceed?
Now turn this scenario around. The doctor knows everything there is to know about heart disease and protocol. He’s performed hundreds of successful surgeries.  Yet, this degreed professional has zero IT experience. He’s used computers, but he has no idea how they work, where patient protected data is stored, or how that data can be used to harm him, the organization, or his patients.
The truth is, there are millions of professionals around you doing all kinds of specialty work.  They’re calculating taxes, auditing, designing bridges and buildings (earthquake proof and more), building airplanes and space ships, and performing intricate surgeries.
None of these professionals  took on these complex  projects without significant training and certifications.
Yet, every one of them is given access to the one device that (if used improperly) has the power to destroy an entire company.
Computers are the heartbeat of your prospect’s business, as well as the central nervous system of government, education, healthcare, and transportation (all critical infrastructure). One wrong move could bring lawsuits, expose data to the competition, threaten the stability of your countries economy, the military, and just about everything that matters – including life itself.

Stupid Things Smart People Do

My first IT job was a CO-OP position at Johnson & Johnson (McNeil Pharmaceuticals). I’ll never forget the day one coworkers deleted our entire poison control system (Highly sensitive data used in drug trials for government approval)!!!!
We were working on DOS back in those days (Window’s predecessor),a command line driven operating system. Just one missing parameter in his command-line ended up deleting everything. Keep in mind, we didn’t have a trash can on the desktop like you do in Windows.  Lucky for him, we did have a backup.  Still, it was a major ordeal. We had to restore from floppy disks – a painfully slow and risky process.
Smart People do stupid things on computers all the time. Not because they’re stupid. They just don’t know any better. Image how many mistakes you or I might make while performing major surgery using an instructive YouTube Video!!!
On any given day,…
Messages pop up saying your computer’s infected, call this number (a simple ruse used to take over ones computer by phone).
Perhaps you are at home, working on a late night project with an approaching deadline. What will you do? What would the average office worker do?
Another user receives an email from the bank requesting updated information, or a wire transfer request to a known supplier (with updated account numbers). What will they do? Will they check with someone first, or just move the money so they can be back on task?
How many people have been duped on Facebook to friend innocent or attractive looking people, only to be lured into giving up confidential information?
It’s been shown time after time, people trust people, even when they’ve only met online.  Office workers are busy. They don’t have time to check with IT every time an email comes in or a website looks different.
Do these knowledge workers ever leave mobile devices unprotected and unattended at Starbucks? Do they have personal data on their phones when the list them on eBay? Do they click on sites that have invalid security certificates, or click on links emailed by people they don’t recognize?
Do they download apps with little thought of malware, or work from home on unprotected systems and unencrypted networks.
Yes!
These are all common end-user habits. People are busy, and without some serious training, they won’t spot the clever ruse that comes through the firm’s various levels of security and insecurity.

The Only Reason to Measure Risk…Or You’re Wasting Your Time

The purpose of an assessment was explained in an article I wrote earlier this year – the bottom line is, Assessments should be performed to expose weaknesses, measure risk, and move the company toward remediation (the long tail of security assessments). If your assessments fail to do these three things, you’ve wasted your time.
So, while the misconfigurations (so often found in network devices and server)s are important, understanding the risk (Impact vs. Likelihood) of a user’s mistakes is more important.
Looking at risk, what is the impact of an enduser acting on email infected with spyware or ransomware? It’s extremely high!
How likely are they to act on it by clicking? Again, extremely high.
When the impact and likelihood are both high, the company has a major problem; one that must be addressed.
Take this same concept home or on the road. How likely are end-users (executives, sales people, office workers) to give into just about any social engineering effort – Phishing, infected websites, a fake support call,…? Higher than you can imagine.
You should expect that your client’s office workers are making mistakes every day.
Expect them to be downloading untested apps, letting their kids trade pirated music and videos, accessing high-risk sites such as gaming and porn, and more…
The average teen is probably friending all kids of predators disguised and prepared to steal and destroy. Employees regularly email confidential data, store data on personal devices, and use insecure home networks to conduct business. The end-user is the new firewall, and they’re failing.
After all, none of these workers have ever really been trained.
And if they have (through some ill designed, one-off training program) chances are they didn’t really pay attention. The training was probably boring, overly technical, and ineffective.
In the case your prospect company did bring in someone entertaining, or use one of the few attention-grabbing programs out there, everything they learned was out of date (or forgotten) within a month.
Remember, hackers are creative, stealth, and always one step ahead of the good guys. Training needs to be a high priority and frequently updated/repeated.

What’s At Stake? Your Prospect’s Most Valuable Assets

Looking at your client’s most important assets, it used to be the people. No longer.
Data is the most important asset. Everything your client does is digital. The money, the R&D, the customer lists, the strategies and processes; everything.
There are three areas to consider; confidentially, integrity, and availability.
Anything that would expose confidential data, affect the integrity of the business’s information, or reduce the reliability or performance of the company’s computer systems is at risk.
When building the impact vs. likelihood graph, (Find out more in my book, The House & The Cloud)  your first consideration is assets. Which applications and what data represent the greatest negative impact to the business, if made unavailable, corrupted, or exposed (to other governments or organizations, hackers, or the competition)?
What’s at stake? Loss of shareholder value and customer confidence, competitive advantage, operational efficiencies, quality, and perhaps fines or lawsuits for non-compliance.  The cost of any breach, according to Thomas Norman, is about 20X the cost of remediating that one threat!
So when a company refuses to secure something, in order to save $100,000, they can expect to spend about $2 Million on recovery when a “Boom” (the industry term for disaster) occurs.
Second, consider the likelihood.  The client needs a metric to understand their risk – and it can’t be three colors. These RED, YELLOW, GREEN system is over used, and of little value. CFO’s don’t approve large security budgets just because your report has a RED light on it.

Correcting The Course – How to Include People In Your Assessment

Security awareness training, like policy (the other root cause of security disasters according to Norman), should be a primary consideration when assessing risk. If the user/operator of a mission critical system is highly likely to cause disaster (through ignorance or an act of vengeance) it should be noted in the findings.
A few things to consider in your next assessment:
Make Time For People Interviews. 
There’s no point in scanning networks and looking for patches and open ports if you’re not going to assess risk. The chances of that company actually taking action on your remediation steps are nearly zero.  Build interviews into your assessment process, both with executives and end-users.
On the executive side, you need to know what they believe are their most mission critical systems. You’ll want to know what data matters, what applications are core to the business, and how much risk can be tolerated.
Find out who would want certain data, or what impact a down system would have on the profits and customers, for any given length of time.
Remember, IT can’t answer these questions. There are too many variables. Pending lawsuits, product announcements, M&A actives, and the competitive landscape all play a role in data asset value – it’s a moving target.
Once you know what really matters, it’s time to talk to their end-users. You want to understand their workflow; how and when data is created, used, transmitted, and stored. How about data disposal?
You also want to know how much these knowledge workers know about security. Is email encryption just an option on their email application, or are workers forced to comply with corporate security policies?
Do employees use personal devices, and do they understand how these handy devices are compromised, or what happens to data when they sell their iPhone of tablet online?
A security quiz issued to a sample population would be perfect (I’ve never seen this done – but it makes sense. A quiz would certainly set you apart from your competition).
There’s a lot more to cover when discussing risk assessment process. However, these ideas concerning end-users awareness, and likelihood of enabling a disaster, are a great place to begin.
Copyright 2017, David Stelzl

2017-03-03_13-54-13NIST Framework: You’ve Heard It, Lot’s of People Refer to It, But Do You Know What the NIST Security Framework is…

If forced to… (sales person to client) could you explain what the NIST Security Framework is?

NIST is important to the Assessment process as it gives you an easy reference point from which to assess and define risk. In a sales situation, the customer (if they have any knowledge at all) should be asking you how you approach assessments.

How will you answer?

If you’ve read my book, The House & The Cloud, You already know most of the NIST Security Framework…

(I wrote version one of The House & The Cloud in 2007, so you know I wasn’t just copying NIST – it’s a 2014 publication – of course I’m not claiming to be the author of NIST either).

Either way, it’s important to know NIST if you’re going to talk security.  So here’s the simple “sales person level” overview…

Notice the outline below. There are 5 major components. You’ll remember from The House & The Cloud, PDR – Protection, Detection, Response (Chapter 13)…NIST simply adds IDENTIFY (on the front end) and RECOVER (on the back end).

2017-03-03_07-23-01

In my 2007 book (updated in 2015), I develop The IDENTIFY aspect in more detail (just under a different heading – the Three Important Questions You Should Be Asking Asset Owners). – See Chapter 13, The Three Questions.

  • What are you trying to protect?
  • What are your relevant threats?
  • How likely are you to be able to detect and respond before damage is done?

These three questions provide a clear understanding of just how asset owners (and IT) view their data, their threats, and their current approach to security. In most cases they have no idea that certain digital assets even exist, and chances are, IT cannot define their firm’s most pressing threats.

PDR – The Core of NIST, But Selling It Requires Strategy

Understanding PDR. 

The House & The Cloud is a sales training book, not an SE’s Handbook. So use NIST as the foundation for your security approach to provide credibility in the sales process.  Your client/prospect won’t know my name, but they can Google NIST.

It’s not necessary for you, the sales person) to be fluent in security architecture and the various approaches to remediate risk.

But getting buyers to part with money for NIST is a hard hill to climb.  Chapter 13 of The House & Cloud provides the science behind the marketing approach. In my presentation (the one outlined in chapter 13) I first must break the preconception that my prospect has security “Covered”.

The conversion happens when the client sees their investment tied to column ONE – the NIST protection column (as is explained in The House & Cloud). Protection alone (keeping people out) won’t stop hackers…but until the client sees the truth (and admits their mistake) they won’t move forward.

If you want to be the Trusted Advisor, you must be TRUSTED, and ABLE TO ADVISE…and that means you client must first admit they need advice!

The House & the Cloud solves the problem of how to explain what security should look like, while getting the prospect to admit they have it wrong (Assuming they do).

Finally -Recovery…As in Disaster Recovery

My response calls for Realtime Response…I make the point (in The House & Cloud book) that faster response is needed – even realtime response to stop the threat before harm is done.

In other words, if I could somehow stop the ransomware before my data gets encrypted – I would be a lot better off.

However, stopping disasters is not always possible…and so the Disaster Recovery Plan is essential…developed, documented, and tested regularly. This last component needs work, especially in the small/medium business markets…

Disaster Recovery offers another great opportunity for resellers in the IT Management / MSP business! (And I’m talking about a lot more than just Backup and Recovery Services).

Check out this short NIST video from Rapid 7 for the overview…(Thanks Rapid 7, this clears up a lot of confusion).

© 2017, David Stelzl

data-security-picWhat’s The Point of Your Security Assessment?

Are Your Clients Actually Taking Any Relevant Action?

This week on a coaching call with one of our Mastery Security Training Attendees we were discussing the role of the consultant in the security assessment process. In this case the Assessment Sales were NOT closing.

In other cases we discussed conversions from Assessment to Remediation or Managed Service were weak.

The complaint: Can I rely on our security consultants to deliver, or should I sell something else?

The Problem is Sales, Not Technical

First, sales people should never turn the SELLING over to a consultant or engineer unless that technology expert has a track record of closing. Knowing a lot about security does NOT lead to selling assessments. Selling and marketing are not driven by sound bites, technical know-how, or certifications.

In the Security Sales Mastery Program we teach sales people to speak about security at the business level. Executive Management is where the assessment should be sold.

Assessments are about risk. They measure Impact vs. Likelihood. At least they should. 

The Point of the Assessment is NOT Just About Risk: It’s About Conversion

In a sense Assessments are a marketing effort.

The Sales person sells the deal to measure risk. The consultant measures risk. But then something salesy has to happen.

Like the Cardio Doctor, if your patients are about to die but don’t take on the treatment plan, the doctor is failing.  It’s the doc’s job to sell his patient on doing something. Yes, ultimately the patient is responsible for their health, but if the diagnosis is poorly communicated or risk poorly described, the doc is doing something wrong.

Look at the Deliverable.

In many cases it will be a 50 page paper (enterprise size deal) or something much shorter in the SMB.  But is it written to the person who cares about risk? In most cases the answer is NO.

This is a sales problem. If you, the sales person, sold the assessment, hopefully you sold it to to someone at the business level to help them measure something specific – risk.

It might be compliance like HIPAA or it might be to identify the likelihood of data theft, system disruption, or data misuse.  Theft, misuse, and disruption can all be in the same report, however your findings must be written to the asset owner. The person with liability.

Don’t let the consultant take this to the client before reading and understanding what it says.

Are there mistakes?

Was the paper written using an old assessment from another deal?

If so, are there facts left over such as a “company name” that just don’t belong in this paper?  Believe it or not these are common problems. But it’s the sales person’s job to read it and scrutinize the value of the report.

Sure, the technical team shouldn’t be making mistakes like labeling a diagram with Cisco routers when the client uses Juniper (Yes, I’ve seen this happen!). But technical people are rarely writers. They won’t write at the executive level, they’ll miss edits that are obvious to the sales person, and they’ll often use an older document rather than starting from scratch. It happens even with the best teams.

Should You Keep Selling Assessments?

Yes, your clients need them. And they’re one of the best avenues to big business.

But sell them at the business level. Don’t succumb to IT people wanting assessment quotes. Unless they’re high dollar projects, they’re not worth doing. Make your way upstairs and find out what’s really needed.

When it’s time to assess, make sure your technical team knows exactly what you sold. It should be a measure of risk as described in The House & the Cloud. And when it’s time to deliver. Read it. It’s your deal. It’s Your client. It’s your responsibility. And it’s your biggest up-sell opportunity.

© 2016

ohioSpeaker Notes for Tomorrow’s Session in Cincinnati…

This morning I am headed to Ohio to meet with business leaders in the Cincinnati area – Another Digital Money session on Stopping Hackers!

If you provide IT services to businesses, I hope you’ll consider doing one of these with me at some point. Every business needs it, and most don’t understand the threats they are up against.

It’s a busy fall for us. Last week we wrapped up a session in San Francisco with large reseller executives, then headed down to work with a large sales team in Irvine, CA.  And tomorrow, Cincinnati, a session sponsored by InTrust-IT…

The Most Frequently Misunderstood Truth In Small Business

The big question always comes up, “Why would anyone want my data? After all, we’re just a local business. There’s nothing interesting here.”  I think Verne Harnish answered that question last week. If you’ve read his books, Rockefeller Habits, and Scaling Up, you know he’s a small business with very little in the way of infrastructure. Like me, he’s a speaker and a business coach, supported by a small team. Yet his blog post tells the story of a $400K ruse that caught him and his team completely by surprise.

Why small business? Because small businesses still have money, take out loans, and process credit cards. They have bank accounts and payrolls. Today’s hacking tools are largely automated. So sending out hundreds or thousands of scamming emails takes the hacker very little time. When one lands, the hacker will follow up. Small businesses are also largely unprotected by this sort of thing.

It might be a fraudulent invoice or request for ACH wire transfer. In Verne’s case he writes, “They sent an email to my assistant completely imitating my style, subject line, and signature asking her to wire funds to three different places.” This is getting more and more common. The more data we put online about ourselves, the easier it is for someone to impersonate us!

Tomorrow’s Session is About Digital Money and the Value of Data

Digital Money, my latest book, goes into detail on this. Data aggregation is in motion, pooling our data in one place where it can be analyzed.

There are several major data aggregators out there doing this. But the idea is to collect enough data to profile YOU. This is usually for the purpose of some analysis or marketing effort. We’re seeing it used right now in the election. That’s right. The candidates are leveraging this data to figure out who is likely to be on the edge, and needs a push. The data tells them both who to target  and how to influence them.

That data in the hands of the hacker allows the hacker to act just like Verne, or whoever they need to be, to issue orders to the team. Verne’s on stage in Russia, meanwhile his team is getting instructions to transfer funds. Will they? Of course. They’ve received these requests in the past, and they were real. There’s no reason to question them now, and the hacker knows that. These attacks are well scripted and highly successful. And the likelihood of prosecution is low.

Can it be stopped? Not completely. But there are ways to reduce the risk…and that moves us to a managed security program that involves people and technology, well equipped to deal with these common attacks. A program that detects these threats early on, before data has been compromised, and stops them before damage is done. Tomorrow, my goal is to give our audience the business-level understanding they need to make wise decisions going forward. And then to point them to the tools and process they’ll need to combat these attacks in the coming year.

© 2016, David Stelzl

 

img_4188

Stage Set Up

300 Security Leaders Meeting in Miami

Looking for More Tools to Combat Cybercrime!

I’m just heading back from meeting with over 300 CISOs and CIOs, all part of the Florida International Banker’s Association –  Celaes Event, at the Trump Hotel, Doral.  

Great event, very well run, and an opportunity to connect with security leaders from all over Central and South America.  I was also able to reconnect with old friends from Kaspersky and Dimension Data.

Here are a few pictures…You’ll notice Former Mayor Giuliani on stage as well!  The living room shot was part of my amazing suite…

And I’m leaving just in time to avoid Matthew, the latest hurricane headed this way.