Preparing for disaster includes preparing for what follows when your employees and community most need you to be open for business.
Disasters can strike businesses at any time and take almost any shape: A flood takes out a startup’s servers. A founder is imprisoned. A tornado destroys the office building. Whether it’s a natural disaster, a PR scandal or something else altogether, not being ready can add another level of devastation to an entrepreneur’s life.
I know this firsthand. My company, ONTRAPORT, endured the Santa Barbara fires and aftermath that started in late 2017 and ravaged into this year. We also had shifts on our accounting team that resulted in me trying my hand at accounting (not my forte). Needless to say, 2018 has been a year of unexpected change and destruction — both of my team’s physical surroundings and our “usual” way of doing things.
Alongside our CEO, Landon Ray, I debated: “What do we do as leaders of this company and leaders in our community?” It all boiled down to a question that wasn’t so simple to answer: What kind of emergency preparedness should you have in place so when stuff hits the fan, you’re ready to execute?
Stuff hits the fan
The fires and mudslide in Santa Barbara were crazy acts of nature that resulted in evacuations as people’s health was put at risk with the toxic air. Twenty-three people died in what’s been called “the worst disaster in Santa Barbara history.” It was a scary and traumatic experience as people were spread out, unsure of the status of people they cared about.
Before we knew how bad things were going to get, we still knew that the only way to keep our company up and running was by being proactive. We’d created an emergency plan years ago, so when the fires started, I immediately pulled the plan out at 6 a.m. because I had already lost power at my house and knew we were going to lose power in the office. We weren’t in the evacuation area yet, but we needed a generator before they sold out.
We made sure to buy the right masks for everyone after we researched how to stay safe with declining air quality. Unlike most homes in Santa Barbara, our office had air conditioning, so we ordered HEPA filters. And when we realized that wasn’t going to be enough because the air quality had become hazardous, we rented a ranch in Los Osos, two hours away. At that point, we evacuated and couldn’t return to the office. We told people to work where they could — about half came to the ranch, while the rest went to other areas with their families and loved ones.
When safe places no longer feel safe.
We heard stories from others in the area that their employers wouldn’t pay them because they couldn’t work. I get that this was an emergency, and business owners have to make business decisions. We also had some employees who couldn’t work: Our coffee and meal program employee couldn’t take care of people’s food because they weren’t in the office.
In the same vein, our childcare center wasn’t taking care of people’s kids, but we knew that, just like our meal program provider, we had to pay them so they could in turn pay rent. Those are the decisions you have to make as an employer; they go a long way toward building trust with people. Treating people well isn’t just a short-term investment but a long-term one, too. We wanted people to feel really taken care of.
And that applied to the employees who could still work as well. We set the ranch up with Wi-Fi, VPN, laptops and docking stations. We tried to close every loophole that could prevent us from offering customer support, prevent our marketing team from implementing campaigns or stop our engineers from fixing bugs or working on the development of new features on schedule.
How to prevent a disaster from getting bigger
Not every employer can move things around the way we did — but a lot of entrepreneurs can do better than they’re currently planned for. It’s all about remaining thoughtful in how you handle the disaster facing you, and there are some smart ways to do that.
1. Make your priorities known.
The only thing more demoralizing for employees who are going through a situation of disastrous proportions is feeling as if they’re means to an end. Servers, process documents and computers can all be replaced; people can’t be. Make it clear that their safety is the most important thing.
We sent daily morning and evening emails or messages through our ONTRApeeps social media community to keep everyone connected and make sure people were safe. Every day, we also sent updates on the fire situation based on the information we were receiving so our team knew we were staying informed on a situation that directly impacted their lives and livelihood.
2. Plan ahead to stay open.
While some businesses are built to be hands-on entities — say, massage therapy or tutoring services — most entrepreneurs can make plans to keep working when disaster strikes. We proactively placed our servers for customer work in different locations so customers wouldn’t see disruptions, and we created redundancy with Amazon and Google Web Services. Creating tech stopgaps can save your business.
3. Look at what your state provides.
Our state had disaster recovery funds, and employees who didn’t get paid could apply for unemployment during that time. Knowing what state benefits are available can be life-saving for both your business and your employees. Go the extra step to prepare the paperwork for affected employees so they can simply submit it if they’d like to access the benefits. Be informed ahead of time.
4. Always have three people who know how to do a job.
Not every entrepreneur has three employees. However, every entrepreneur can ensure processes are documented so anyone can follow them. When we ran into issues on the accounting side, many employees asked if they could help, but because some processes weren’t documented, we couldn’t take them up on their offers. Enforce documentation updates — if you don’t, you’ll be the one cleaning up the debris.
5. Do what you can to help.
Our company did Valentine’s Day candy grams as a fundraiser for affected families, raising several hundred dollars through people buying handmade cards from our HR team. We went together to dig out houses and hosted a bucket brigade of 300 people at our office to show our support. We couldn’t afford to provide housing or write huge checks, but we did what we could.
No one is immune from disaster, but everyone can prepare for disasters so their impact is limited. Entrepreneurs have a lot to lose when disaster strikes, and not being ready ensures that the devastation takes on new proportions. Planning ahead for the inevitable will save not just your sanity, but also your company.
Author: Lena Requist
Preparing for any potential cyberattack is an increasingly important precautionary steps in every organization. Here’s how your team could do it without disrupting existing processes.
In an age when cybercriminals abound, it pays to prepare and be always on guard. It means being aware of strategies criminals often resort to and investing in monitoring tools as well as preventive measures to avoid such massive cyber atrocities in the first place.
Security software company Avast found that of 132 million routers tested, 41 percent could easily be hacked, a recent GSMA Intelligence report showed. In the recent years, we have seen cyber thieves switching from personal computers to smartphones to steal personal information or credentials and get the unwitting victims’ funds. Successful cyberattacks in years past may also have spawned a new generation of criminals who now focus on the preferred terminal for online payments and shopping transactions: smartphones.
Various forms of cyberattacks
Just as there are software programs that can protect users from cyber crooks’ exploits, including creating malicious phishing websites that closely resemble trusted destinations, there are software that hinders users from accessing their systems. Being locked out of their computers has sent many people into panic mode.
So, what can regular users do to avoid or be ready for cyberattacks? First and foremost, be mindful and do not be easily tricked into clicking on a link or attachment. Accessing the web or sensitive information through VPNs is another way (free VPNs are no way to go!).
Information technology experts have repeatedly warned people about the existence of malicious sites that impersonate legitimate URLs. It is high time PC and other gadget users heed such warnings and keep a closer eye on URLs.
Now that cyber villains have turned their attention to smartphones, it is crucial to protect personal information and other data stored in it in two ways: One is by avoiding installation of unofficial applications. Another is by doing regular updates of the operating system when requested, and not forgetting to enable security mechanisms.
At the recent Mobile World Congress held in Barcelona, smartphone makers have unveiled phone innovations with enhanced security features. With the growing uneasiness of consumers over hacking incidents, companies have lost no time rolling out into the marketplace supposedly more “secure” devices.
Notwithstanding the arrival of gadgets with improved security features, consumers still should not be complacent. Software firm strategists have advised checking out online file sharing services and making the most of protective features that come with certain devices.
With its ability to predict health conditions, support more accurate and timely clinical diagnoses, and streamline clinical operations, artificial intelligence is opening new frontiers in healthcare.
CEOs and IT security experts continue to underscore how perilous cyber threatsare to their organizations. They maintain that there are ways to safeguard systems and be prepared for such attacks. The best form of an advance, they say, is advance planning.
Numerous companies across the world have taken a proactive stance and instilled greater awareness in their workforce on the steps to take to protect organizational assets in the face of rampant cyber attacks.
There are five ways to brace for cyber attacks, as The Guardian gathered from a range of experts:
- Identifying the key threats and ensuring that incident management processes address those threats
- Deciding which data or information to protect and opting for a pragmatic approach
- Practicing response to a potential attack and creating a sense of urgency as well as a culture of security in the workforce.
- Enlisting the services of a good forensic vendor at the soonest possible time
- Consider the role of big data, and meld data analytics with human threat research
Importance of preparations
Various industries have fallen prey to cyber villains. Studying and using a multi-faceted approach and making informed decisions may save organizations a great deal of resources, apart from eliminating huge stress on IT workers.
At an event in Beijing that doubled up as a pre-briefing for the MWC 2019, Huawei announced the TIANGGANG chip that will support simplified 5G networks and large-scale 5G networks all over the world.
It is also important to note that cyber attacks may strike and affect even established firms. In addition, companies should look into investing in monitoring tools.
David Mytton, CEO of a scalable infrastructure monitoring software company, lamented that “most businesses aren’t up to speed with how to mitigate the damage if an attack occurs.” Among the things that can help is a well-structured recovery plan, and testing the plan with regular simulations and practice runs, The Huffington Post reported.
Cybersecurity measures require more than fleeting attention. Cyber crimes have become commonplace, necessitating planning and implementation of strategies and countermeasures. Undertaking concrete steps now may help neutralize the threats. An updated knowledge on the vulnerabilities that you or your organization faces can go a long way.
Author: Josh Althuser
Ransomware isn’t the only cyberthreat your business will face this year. Here are five emerging threats that leaders need to know about.
The cyberthreat landscape continues to evolve, with new threats emerging almost daily. The ability to track and prepare to face these threats can help security and risk management leaders improve their organization’s resilience and better support business goals.
The number of high-profile breaches and attacks making headlines has led business leaders to finally take cybersecurity seriously, said Sam Olyaei, senior principal and analyst at Gartner.
“Today, not only are business leaders and the business community understanding cybersecurity, they know it’s important to their business outcomes and objectives,” Olyaei said. “The problem is, there is still a lack of understanding as to why it’s important.”
Firms must work to bridge the gap between communicating the technical aspects of cybersecurity and the business outcomes, such as customer satisfaction, financial health, and reputation, Olyaei said.
Keeping track of new threats and not just established ones like ransomware is key for a strong security posture, said Josh Zelonis, senior analyst at Forrester.
“Whenever we develop our strategies for how we’re going to protect our organizations, it’s really easy to look at things that you’re familiar with, or that you have a good understanding of,” Zelonis said. “But if you’re not looking ahead, you’re building for the problems that already exist, and not setting yourself up for long-term success. And that is really the number one reason why you need to be looking ahead — to understand how attack techniques are evolving.”Bringing the Power of Lithium-Ion for IoT and Edge Computing Applications through APC Smart-UPSLi-Ion battery technology offers a host of benefits that make it an attractive and affordable option for a growing set of businesses reliant on distributed IT infrastructure.Sponsored by Schneider Electric
Here are five emerging cybersecurity threats that business, technology, and security leaders need to take seriously this year.
Ransomware has been one of the biggest threats impacting businesses in the past two years, exploiting basic vulnerabilities including lack of network segmentation and backups, Gartner’s Olyaei said.
Today, threat actors are employing the same variants of ransomware previously used to encrypt data to ransom an organization’s resources or systems to mine for cryptocurrency — a practice known as cryptojacking or cryptomining.
“These are strains of malware that are very similar to strains that different types of ransomware, like Petya and NotPetya, had in place, but instead it’s kind of running in the background silently mining for cryptocurrency,” Olyaei said.
The rise of cryptojacking means the argument that many SMB leaders used in the past — that their business was too small to be attacked — goes out the window, Olyaei said. “You still have computers, you still have resources, you still have applications,” he added. “And these application systems, computers, and resources can be used to mine for cryptocurrency. That’s one of the biggest threats that we see from that standpoint.”
2. Internet of Things (IoT) device threats
Companies are adding more and more devices to their infrastructures, said Forrester’s Zelonis. “Organizations are going and adding solutions like security cameras and smart container ships, and a lot of these devices don’t have how you’re going to manage them factored into the design of the products.”
Maintenance is often the last consideration when it comes to IoT, Zelonis said. Organizations that want to stay safe should require that all IoT devices be manageable and implement a process for updating them.
3. Geopolitical risks
More organizations are starting to consider where their products are based or implemented and where their data is stored, in terms of cybersecurity risks and regulations, Olyaei said.
“When you have regulations like GDPR and threat actors that emerge from nation states like Russia, China, North Korea, and Iran, more and more organizations are beginning to evaluate the intricacies of the security controls of their vendors and their suppliers,” Olyaei said. “They’re looking at geopolitical risk as a cyber risk, whereas in the past geopolitical was sort of a separate risk function, belonging in enterprise risk.”
If organizations do not consider location and geopolitical risk, those that store data in a third party or a nation state that is very sensitive will run the risk of threat actors or nation state resources being used against them, Olyaei said. “If you do that then you also impact the business outcome.”
4. Cross-site scripting
Organizations struggle to avoid cross-site scripting (XSS) attacks in the development cycle, Zelonis said. More than 21 percent of vulnerabilities identified by bug bounty programs are XSS areas, making them the leading vulnerability type, Forrester research found.
XSS attacks allow adversaries to use business websites to execute untrusted code in a victim’s browser, making it easy for a criminal to interact with a user and steal their cookie information used for authentication to hijack the site without any credentials, Forrester said.
Security teams often discount the severity of this attack, Zelonis said. But bug bounty programs can help identify XSS attacks and other weaknesses in your systems, he added.
5. Mobile malware
Mobile devices are increasingly a top attack target — a trend rooted in poor vulnerability management, according to Forrester. But the analyst firm said many organizations that try to deploy mobile device management (MDM) solutions find that privacy concerns limit adoption.
The biggest pain point in this space is the Android installed base, Zelonis said. “The Google developer site shows that the vast majority of Android devices in the world are running pretty old versions of Android,” he said. “And when you look at the motivations of a lot of IoT device manufacturers, it’s challenging to get them to continue to support devices and get timely patches, because then you’re getting back to mobile issues.”
Organizations should ensure employee access to an anti-malware solution, Forrester recommended. Even if it’s not managed by the organization, this will alleviate some security concerns.
Author: Alison DeNisco Rayome
According to Gartner in 2018 information security spending will exceed $96 billion — companies will be purchasing credential management software, infrastructure and network security equipment, information security services, client data protection software.
Learning about new incidents companies agree to increase their costs. Businesses are mostly focused on protection from external threats. WannaCry alerted people to the dangers of cyberattacks: during the first two days of ransomware activity there were hacked more than 200 thousand users from 150 countries. All the attention is drawn to hackers, zero-day vulnerabilities and ransomware, while incidents caused by just one click or just one decision of an employee may be overlooked.
South African financial services company Liberty Holdings got its corporate email compromised. The violators were going to sell the obtained information. They would release the data if they didn’t get paid.
There were a few pointers which made everyone question the breach source: the leak wasn’t reported straight away, the facts confirmed by the Liberty CEO seemed to lack details, the server was fully accessible to those who seized the data. When a leakage happens the source should be a company’s major concern. Hackers are never as informed as insiders are, only the people who cooperate within a particular network know exactly what and where can be accessed. Although hacks are no good news, companies are encouraged to be vocal about an incident, while insider leaks are often skimpily, half-heartedly exposed.
Human factor can trigger different situations and any of them might appear detrimental to an organisation.
Joe Sullivan, former Uber cybersecurity chief, used to have an impeccable track record. He participated in the investigation of high profile cyberattacks in USA, worked at Facebook, eBay and PayPal — he’s been chasing and catching criminals all his life. An undetected data theft which happened in 2016 affected his professional reputation. Joe decided that the incident should be withheld even if it would take him collaborating with his own enemies. He paid hackers $100 thousand for keeping silence. 57 million passengers and drivers had no idea their data has been compromised for more than a year.
Vainglory is what led to another real life case. In February, 2017, the photo of the USA President and the Prime Minister Shinzō Abe at the golf club was made by a businessman who was sitting next to them and published by various media. He posted on Facebook the photo commenting that “…it was fascinating to watch the flurry of activity at dinner when the news came that North Korea had launched a missile in the direction of Japan.”
One of the photos depicts club members gathering around the confidential documents. The other photo captures the USA President talking on the phone turning away from Japanese Prime Minister. Here’s the human factor at its best. First of all, the heads of states rushed into discussing the secret issue in front of people. Second of all, smartphones which were used by those standing around could be a direct leakage source.
That’s the main reason why many contractors reveal client data.
In 2017 an American telecommunications giant Verizon lost the data of 14 million clients: names, addresses, account data and PIN codes for client verification. The data was uploaded to Amazon by a contractor hired to improve the call center functioning. The specialist forgot to check security settings — a URL with the information could be freely accessed by anyone in the Internet.
Amazon became part of many leakage stories: 198 million registered US voters were exposed in the cloud (the archive didn’t have even a password protection — it was uploaded to the cloud by a company which collected data for Donald Trump’s election campaign); 2.2 million Dow Jones company subscribers got their data compromised; 3 million WWE clients (an American entertainment company known for managing wrestling events) got their data leaked in the Amazon service; Time Warner Cable (the second largest cable network in the USA) got 4 million client records exposed.
Amazon could have introduced some extra control to detect faulty configuration and limit the access to sensitive data without password protection. In November 2017 the service provider presented a solution: the control panel featured a notification warning users that incorrectly configured storage endangered data security. Amazon also applied full data encryption by default.
Some people tend to profit from their status — one of the biggest temptations which cause incidents.
An information security director of North American Association of State and Provincial Lotteries cracked a random number generator. The specialist had been working in the organisation for 10 years before he decided to create a malware and infect computers which managed winning combinations for the lotteries. The “correct” tickets were bought by his brother and friend. The scheme was started in 2005 and was running for 7 years.
A leak can be accidental — a mere fatigue or automated address selection in the email client. That is what happened to the Pentagon in 2017 — Public Affairs included an email of correspondent for Bloomberg in the mailing list. The journalist informed the Pentagon of the mistake but the email kept coming. The correspondence between the Department of Defense and the Federal Emergency Management Agency employees discussed ways the media covered the scale of Hurricane Maria’s destruction. They were sharing instructions on how to make the news seem positive.
The journalist benefited from the opportunity and equipped an article for Bloomberg Businessweek with some excerpts from the emails which he received accidentally from the Pentagon.
Another unintentional data exposure occurred in Finland. In 2017 a citizen of Oulu received an email revealing some messages sent by local policemen to each other discussing security measures which should be taken during the visit of Vladimir Putin. The email contained a detailed itinerary of Sauli Niinistö and the precise time of Putin’s helicopter arrival.
The Eastern Finland Police Department weren’t silent about the incident and explained the confidential email sent to a random person admitting a human factor to be the cause. The email client suggested contacts from the list of those who were addressed at least once automatically. The citizen of Oulu who received the secret email and the press officer appeared to have similar names.
Author: Alexei Parfentiev
It’s budget season. As the current fiscal year comes to a close, business leaders everywhere will convene to discuss business strategy, opportunities and return on investment (ROI) while prioritizing next year’s budget spend. Amidst the planning and prioritization, it is a safe bet that IT organizations will renew their annual request for an increased budget allocation for security. After all, increasing cybersecurity spend will stop the attackers from compromising their infrastructure next year, right?
Cybersecurity Ventures recently predicted that global cybersecurity spending will increase steadily to exceed $1 trillion from 2017 to 2021. But the news site also claimed that the cost of cybercrimearound the world will rise to $6 trillion annually by 2021. Something seems wrong with any prediction that correlates increased spending on prevention with increased damages from successful penetration of those same defenses. That’s not because I disbelieve the numbers but because they show how truly broken the legacy approach to cybersecurity is. The industry has literally gone decades with no real improvement. How is this acceptable?
It is time we shined a light on the industry’s worst kept secret: Throwing more money at the problem simply does not keep attackers out or breaches from happening. It is a good bet both things will continue to happen. What’s more disconcerting to consider is that they have already happened and you just simply don’t know it yet.
Why The Math Doesn’t Add Up
The problem isn’t solely centered on technology, there have been many significant innovations in the cybersecurity industry in recent years. For many companies, the elephant in the room is treating security as only a technology problem. Just look at Facebook’s current situation. Modern-day CISOs have increasingly found themselves helpless to effect real change to secure an organization’s data and infrastructure because they lack the insight of the conditions that give rise to bad or risky behavior.
For instance, traditional IT security assumes everyone is a potentially malicious actor and therefore works to prove the guilt of someone who clicks suspicious links, visits dangerous websites or inappropriately accesses sensitive data. Not everyone is intentionally bad, but their behavior is a continuum that can change in an instant, especially when their identity is stolen. Even more basic, employees can make honest mistakes in today’s 24/7 culture. Pushing work-life balance to meet compressed deadlines, they may be too tired to recognize a phishing email compromising their credentials until after they clicked on it. What’s potentially more damaging, they could simply become disgruntled with their employer and decide to steal company data.
Behind Every AI Strategy Is A Data Strategy
Investments focused on securing a constantly changing IT infrastructure do not address the unpredictability of human behavior. Instead, organizations need to make a fundamental change in their approach to cybersecurity and reprioritize budgets to align with this newly defined reality of our modern society.
Rethink Operations Budgets To Focus On Behavior
The first step is to stop thinking about security as solely a technical problem with technical solutions. Today’s sophisticated threat landscape is a rich, multifaceted organizational challenge that requires insight on how data is used across myriad business functions. Shifting the focus to understanding the behavior patterns of people and their interactions with technology provides clarity in regard to who is using sensitive data, why and from where.
Having a baseline for behavior, a digital rhythm or routine, can help security and business leaders better manage risk. If an employee is working normally on the job, IT can get out of the way. But if the behavior is inconsistent with the organization’s mission, IT can recognize the risk and quickly respond with coaching or stronger enforcement policies. Context matters. Security teams that only focus on securing computers and servers will miss the broader perspective and the signs of an incident or data breach until months after it happened.
The cybersecurity skills gap has been another area where the security industry is struggling. With more seats to fill than there are educated and experienced people to fill them under the traditional model of cybersecurity, many cyber issues have arisen from simply lacking the time and manpower to find and resolve threats before they impact businesses. Businesses will always need skilled workers, but they can leverage automation and behavior analytics to help lighten the load.
Security leaders will also be more effective if they establish functional partnerships and strategic programs with human resources and legal teams. The HR and legal departments share the mission to secure the organization’s data and people. These business functions have a vested interest in user and data protection, from preventing confidential information from falling into the wrong hands to protecting the workforce by ensuring compliance, employee privacy, and safety.
It is no real surprise that the cybersecurity industry has been so resistant to changing its approach. Continuing reports of breaches are good for budget increases. But it’s clear this model is not good for global business, as breaches cost economies billions of dollars each year. It is time for a paradigm shift in the cybersecurity industry. When we understand people and their interaction with data, then we have the tools to mitigate cybersecurity risks before any real damage can be done.
Author: Matthew Moynahan