Archives For opm

Credit Card Data Is A Commodity…It’s The Company Secrets That Profit

How Secure Is Your Data – What About China?

The big companies have had their share of horror stories with credit card theft this year, but are you and your customers watching the trends in espionage? Earlier this month I interviewed a couple of former NSA agents to give technology providers some insights into cybercrime trends and a war we are all involved in. Summer Worden, one of my guests on the SVLC Insider’s Circle Program, talked about Russia and China, revealing some of the hidden agendas and what to expect in the future. Much of this is driven by economics, according to Worden. China’s economy needs more innovation, and what better way to get it than to take it from the United States?

Espionage Is Hitting Businesses Right Now

This week in the Wall Street Journal, Frank J. Cilluffo and Sharon L. Cardash gave us more on this. Here’s a sound bite that should shock us: “The FBI reports a significant spike in its number of economic espionage cases: a 53% increase just this past year.” Where is this coming from and what’s driving it?

According to the article, “Randall Coleman, the head of the FBI’s counterintelligence division, told the Wall Street Journal in July that much of the suspicious activity is performed by Chinese companies against U.S. firms and that the Chinese government plays “a significant role” in the attempted theft of trade secrets.” Espionage, as pictured in the movies, generally deals with government data – like the recent OPM hack I wrote about a few weeks ago. But this is about business. These are companies targeting companies that have new ideas, strategies, and innovations that the competition in China will benefit from.

In Kevin Mitnick’s book, The Art of Deception, he shares the tale of a businessman entering a small business responsible for developing high tech manufacturing equipment. The man approaches the front desk asking to see the president of the company. The receptionist informs him that the president is out of the country and unavailable. At that point the businessman begins to fumble through his planner, double checking his meeting.  He’s flown in from out of town, and is supposed to be meeting the president to discuss a joint venture. There must be a mistake!

In a last-ditch effort, he asks if the development team is in – perhaps he can take them out to lunch to review the plan he and the president have come up with. They agree, and into the development area he goes. They spend several hours discussing the latest drawings and plans – the company’s latest top secret innovations. The businessman takes a few pictures and heads out, promising to reconnect next week when the president returns.

You probably guessed – but when the president returns, and the team reviews their recent meeting, the president has no idea who they are talking about. This is a case of economic espionage, and chances are the business guy is now back in his own lab building a “Copy-Cat” product with only a few months of R&D vs. the decade the first company spent developing these ideas.

No Need to Go Onsite

Like your evolving managed services program (if you are an MSP), you no longer have to go onsite to do your work…the same is true when it comes to stealing company secrets. As the WSJ article states, “If you place yourself in the shoes of those playing economic catch-up, why invest millions in R&D if you can simply steal it at a fraction of the cost, especially with just a few clicks of a mouse?”. Now that everything is connected and online, stealing information is simple.

Cilluffo and Cardash rightly point out that “The theft of intellectual property and trade secrets destroys jobs in this country, and undermines the nation’s economic competitiveness by striking at the heart of U.S. innovation.” And in this case, nation states are behind these acts of war! Years ago I read in another WSJ article, “This is a slow sifting of the American Economy,…and because it lacks the alarming explosions and body bags, no one is really paying attention.” At some point we will find our bank accounts empty and our businesses collapsed.

No One Is Claiming Responsibility, But Who’s Investigating This?

Terrorists claim responsibility when they blow things up. They want us to be afraid. In a war, the opposing country generally announces its demands and threats of invasion. In this case, the thief is not interested in being known – they have no demands. They are looking for a competitive advantage. It’s to their benefit that no one knows what they are up to. If they can silently get away with strategic information, they can recreate a product in their own lab, with a fraction of the required investment in time and money. With their copy-cat product in hand, they are now able to sell it at a fraction of the cost. Recovering their investment is easy – they didn’t spend their own money on this invention.

What to Do About It

In the WSJ Article, the writers tell us, “Recent reporting suggests that the Administration is striving to craft an innovative and calibrated response to the OPM hack in light of its scale. This is a significant development in the ongoing match of Spy vs. Spy on steroids. An equally compelling answer is needed to China’s economic espionage against the United States. Time is money in this context — but more importantly, it is national security.”

It’s true, our government needs to get on this. In a recent Presidential speech I heard Obama say that our greatest threat right now is environmental…I have to respectfully disagree.  Without a doubt, I believe it’s cybercrime – Hacktivists, Nation States, and Cybercriminals.  All three are attacking everything from your personal data, to company innovation, to our nation’s intelligence.  As a technology provider I want to encourage you to start educating your clients – everything must be secure, and it can’t wait for the next budget cycle or a government mandate.  Like a doctor sharing the diagnosis of cancer with a patient, it’s up to us to convince them to begin treatment. This is not about insurance, it’s about preservation.

“Those who say they have it covered are either ignorant or lying to you.” – A quote from my most recent book, The House & The Cloud 2nd Edition.


© 2015, David Stelzl

P.S. If you want more on how to convince your customers they need better security, this book explains how to do it…(click to see it on Amazon.com).

What Question is Most Often Asked of the CISO, By The Board Of Directors?

And What Questions Should They Be Asking?

The big question being asked, according to Kim Nash, columnist for the WSJ, is “whether their company is vulnerable to breaches similar to those at Target Corp., Anthem Inc. and the U.S. Office of Personnel Management (OPM)?” There are two things to consider here – first, who can answer this question? Second, is it the right question?

According to Kim, it’s not the right question – but let’s go to my first concern which is, “Who can answer this question?”

Will We Be Hit Like Target, Home Depot, or OPM?

Most executives can’t answer this question honestly. And their security team doesn’t really have a clue either. If they did, we wouldn’t be reading these stories every day.  And, if you look at the stories being published, it’s the big guys – yet we know statistically, 60% of the breaches are hitting the SMB market.  Most of these breaches never make the news.  So the board can ask, but they’re not likely to get the real answer.

If you didn’t see my comments on OPM, you might want to take a look (read about Donna Seymour and OPM’s failure to protect our nation’s critical personnel data). The board is missing the mark here because they misunderstand risk. In my book, The House & The Cloud (2nd Edition), I’ve given a lot more attention to the impact vs. likelihood graph than I did in the 2007 version – it’s a model I use to communicate risk to business leaders.

If you know security, the concept is pretty simple. The missing link in most assessments is a measure of likelihood. And that’s what the board is really asking – although they are asking it incorrectly. What they really need to know is: where’s our data, and what are the top 3 to 5 threats we are facing right now? Given these threats, what are the odds we’ll be hit over the next 12 months? (More detail on how to figure this out, starting on page 194 in The House & The Cloud.) As I said in my latest speaker promo video, risk needs to be presented in simple business language – in terms everyone who uses and depends on data can understand.
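The impact vs. likelihood model above can be reduced to a small risk register. The following is an added example, not code from the author or from The House & The Cloud: it takes a list of threats with a 12-month likelihood and a dollar impact, ranks the top 3 to 5 by expected loss, places each on the impact/likelihood graph, and computes the odds that at least one of them hits in the next 12 months. The threat names, probabilities, dollar figures and quadrant cut-offs are constructed placeholders, and the combined-odds calculation assumes the threats are independent.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One row of a risk register, expressed in business terms."""
    name: str
    likelihood_12m: float  # probability of at least one successful incident in the next 12 months
    impact_usd: float      # estimated loss if it happens: response, downtime, fines, lost business

    def expected_loss(self) -> float:
        # Expected (annualised) loss: what the board actually budgets against.
        return self.likelihood_12m * self.impact_usd


# Constructed sample register. Every figure here is an illustrative placeholder,
# not a value from any real assessment.
SAMPLE_REGISTER = [
    Threat("Phishing leading to credential theft", 0.60, 250_000),
    Threat("Ransomware on file servers", 0.25, 1_200_000),
    Threat("Theft of product design documents", 0.10, 5_000_000),
    Threat("Web application breach of customer data", 0.15, 900_000),
    Threat("Insider misuse of finance system", 0.05, 400_000),
    Threat("Lost unencrypted laptop", 0.30, 60_000),
]


def rank_threats(register, top_n=5):
    """Return the top_n threats ordered by expected 12-month loss, highest first."""
    return sorted(register, key=lambda t: t.expected_loss(), reverse=True)[:top_n]


def quadrant(threat, likelihood_cutoff=0.2, impact_cutoff=500_000):
    """Place a threat on the impact vs. likelihood graph (cut-offs are assumed values)."""
    high_likelihood = threat.likelihood_12m >= likelihood_cutoff
    high_impact = threat.impact_usd >= impact_cutoff
    if high_likelihood and high_impact:
        return "high likelihood / high impact"
    if high_likelihood:
        return "high likelihood / low impact"
    if high_impact:
        return "low likelihood / high impact"
    return "low likelihood / low impact"


def probability_of_any(register):
    """Odds that at least one registered threat materialises in 12 months.

    Treats the threats as independent events, so the answer is
    1 - P(none of them happen). This is a simplifying assumption.
    """
    p_none = 1.0
    for t in register:
        p_none *= 1.0 - t.likelihood_12m
    return 1.0 - p_none


def board_summary(register, top_n=5):
    """Plain-language summary: the top threats, their odds, and the combined odds."""
    lines = []
    for t in rank_threats(register, top_n):
        lines.append(
            f"{t.name}: {t.likelihood_12m:.0%} chance in 12 months, "
            f"~${t.impact_usd:,.0f} if it happens, expected loss ${t.expected_loss():,.0f} "
            f"({quadrant(t)})"
        )
    lines.append(
        f"Chance that at least one of these hits us this year: "
        f"{probability_of_any(register):.0%}"
    )
    return "\n".join(lines)


if __name__ == "__main__":
    print(board_summary(SAMPLE_REGISTER, top_n=5))
```

Note how the ranking changes once likelihood is included: the design-document theft has the lowest odds of the big-ticket items but still tops the list on expected loss, while the phishing entry is the most likely event and lands in the high likelihood / low impact quadrant. That is the conversation the board needs, rather than "could we be hit like Target?".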

One thing everyone must come to grips with is that every company is vulnerable, just like Target, JP Morgan, Home Depot, and most recently Ashley Madison.

The question isn’t “Can they get in like they did at Target?” Rather, they should be asking, “Can we detect a breach in time to stop the damage?” Remember, like a house or bank physical robbery, hacking does take some time, and it does make noise – but you won’t hear it with your ears. You’ll need detection technology in place and the people with the skills and understanding to turn that data into intelligence.

So what’s the right question? Can we detect and respond before it’s too late?

Are You Getting To The Board?

Have you ever been invited to meet with or present to a board of directors? It’s a powerful moment in the sales cycle if you have something meaningful to say.  Yesterday I was working with a rep on some strategy, as part of the SVLC Security Mastery Sales Program. We were discussing strategies to get a CEO or Board level meeting.

Most are still working at the IT Director Level. Remember, the IT Director is low on the liability list for security. They might lose their job – but getting a new one, if they know security, won’t be hard. In fact, they may take a pay raise.  On the other hand, people like Donna Seymour of OPM are in trouble. (Again, read my post and consider Donna’s situation – is it her fault, or is there something bigger going on here?)

Now is the time to move up – company leaders need more security insight right now, and the WSJ is backing you on this. The CISO cannot possibly figure all of this out in a vacuum. And aside from some of the largest accounts out there, their people won’t have the experience to do it either. Managed services (with a security focus), backed by skilled security experts, are needed to collect and analyze the data, repackaging it into something business leaders can use – intelligence.

What About SMB Companies?

Don’t let the Board of Directors thing keep you from your SMB accounts. The SMB is under fire right now – and the owner of that business is similar to the Board. They need to know the same things; they just have fewer resources to figure it out.

© David Stelzl, 2015

How to Stop CIOs From Sending You Back To IT

And What We Can Learn From Donna Seymour

Are you talking about the most important things in IT when you meet with business owners and CIOs? It’s security – not managed services.  Cost savings are great, but security is crucial.  In fact, for some, not only do they need more security…they need more education and perhaps a lawyer.

What Happened to Donna Seymour?

Just a few months ago no one knew the name, “Donna Seymour”. Today, she’s becoming a household name.  Is it her fault that millions of employee records were taken from the OPM? It might be – but who knows. It would be easy to jump on the bandwagon and say she should lose her job. The truth is, any company can be successfully hacked and the CIO can’t stop it. However, there are some things to consider.  Due care means taking the steps that should be taken to decrease the risk of an attack.  But this is harder than it sounds.

First, how often do politics get in the way of making the right decision? You know, the budget constraints everyone works under.  I just got off the phone with a sales rep going through my Vendor to Advisor Mastery Program – he’s facing this issue right now. A very large company in the midst of a merger, not willing to spend any money. How should he respond?

With Donna, what we can say, based on a recent study I wrote about a few days ago, is that these business leaders are not equipped to make a case for better security because they can’t quantify the risk.  They don’t know how much risk they really have, so they don’t know how to budget, or how to justify more budget.

As a result, Donna Seymour is not only being pressured to join the Target leadership in resigning, she’s being threatened with lawsuits.  She blames it on outdated infrastructure – that’s probably true, but as Eric Ries, author of The Lean Start Up recommends, you need to ask “Why?” five times, to get to the root cause….and it’s not outdated infrastructure.

Why did OPM get hacked?

Outdated infrastructure – that’s what they are telling us. But why is the infrastructure outdated? Because Donna didn’t get budget to upgrade it sooner. Why not? And so on. I bet it eventually boils down to not predicting the need. A security expert probably would have predicted it. The average CIO would have delegated that meeting down to someone in IT Security, and that person would have delayed any sort of action due to budget constraints – not wanting to pressure Donna, or being too afraid to ask. That IT person is still unknown and still employed. Donna, on the other hand, may not be for long. Donna should have taken the meeting.

Or, it could be that there just wasn’t a sales person bold enough to ask for the meeting with Donna. Maybe she would have listened, if the sales rep had offered the assessment. Who knows.

Of course they’ve had assessments, but were they the right kind? Did they just choose the low cost provider and get what they paid for?  Or did the provider deliver the right results, but Donna failed to take action?  Who knows?

These lawsuits are personal

Donna’s being held personally responsible for the loss of millions of personal employee files. Whatever her organization wasn’t willing to spend, she’ll make up for personally (Of course she can’t really do that – millions of people are affected and a credit score service is not going to protect them on this one.)

Are You Talking To The People Who Need To Know?

Are you calling on CIOs that won’t take the meeting? The WSJ reports, “CIOs generally should expect to be sued in increasing numbers over cybersecurity issues…” In my latest book, The House & The Cloud, on page 195, I explain exactly what Donna needed, and what every CIO, CISO, and board member needs to know. So you have a great reason to make the call – what can you say to get them to listen? Hopefully, by understanding these recent attacks, you can get someone’s attention before it’s too late.

© 2015, David Stelzl


32 Million Important Records

Are you up on OPM? 18 Million personnel records breached in the Office of Personnel Management.  It’s the latest in a string of high-profile data breaches our government has suffered. There’s been some reporting on this, but not nearly enough.  The number was first reported around 4 million, then 18, and now, after a recent congressional hearing, the number may actually be as high as 32 million.  But there’s more…

Here’s what you need to know…

1. L. Gordon Crovitz, columnist for the Wall Street Journal writes, “The Chinese hackers managed to gain “administrator privileges,” allowing them full access to the computers …among other things, they were able to download confidential forms that list “close or continuous contacts,” including those overseas.” He goes on to report, “That’s not the worst of it. The administration disclosed a separate intrusion that gave Beijing full access to the confidential background-check information …that includes the 4.5 million Americans who currently have access to the country’s top secrets. The potential for blackmail is chilling.”

2. Much blame is being cast on the Chinese for this attack, however Crovitz points out that, given the opportunity, any government who has access to another government’s records is going to take them; the US included. It’s up to the US government to make sure our data isn’t available to other countries.  We saw fines and personnel changes when Home Depot and Target were hit – what happens when the Government, the ones who impose these fines on private sector companies, make the same mistakes?  It’s an interesting question…

3. The fallout is potentially big.  While a recent Wall Street article suggests that the US data has not shown up in online chat rooms yet, Crovitz calls this issue a much bigger problem than Edward Snowden’s breach. He writes, “Millions of patriotic Americans entrusted with national secrets are going to lose much of their privacy because their government was unable to protect their confidential personnel records…That loss of privacy dwarfs the hypothetical risks from the NSA that have dominated the headlines.”

4. Other reports discuss national security… These “hackers accessed not only personnel files but security-clearance forms, current and former U.S. officials said. Such forms contain information that foreign intelligence agencies could use to target espionage operations.” WSJ. Apparently the government officials announced the personnel attacks, but held back on the security-clearance theft for at least a week.

Stay on top – learn the sound bites… in my book, The House & the Cloud, chapter 6, I discuss the power of sound bites and how to effectively use them (and how not to use them) in a sales call.

© 2015, David Stelzl