The challenges of cybersecurity have been covered ad nauseam: the ever-increasing volume and sophistication of attacks, the shortage of skilled cybersecurity analysts, and the general inability to keep up with all that is going on in the cybersecurity market have all been well documented.
So, what can be done? Given all these conditions, how can a business better protect their operations and resources? The short answer is they can start using a combination of technologies, services and education to stem the impact of cyber-attacks on their organization.
Technologies Can Help Fill the Gap Created by the Skills Shortage
Organizations can look for technologies that are primed to automate and orchestrate responses to cyberattacks.
This is not a new concept – back in 2011, the US Department of Homeland Services described, in their paper “Enabling Distributed Security in Cyberspace,” an ecosystem where “cyber devices are able to work together in near-real time to anticipate and prevent cyberattacks, limit the spread of attacks across participating devices, minimize the consequences of attacks, and recover to a trusted state.”
This is very different from what most organizations have today. Typically, companies have a host of cybersecurity technologies, firewalls among them, that work alongside, but not in concert with, one another. Each solution is specialized to look for something – e.g. evidence of a distributed denial of service attack, indicators that a user’s credentials have been compromised, pointers to data being leaked via cloud apps, signs that a mobile device has been taken over, etc.
Each of these solutions requires someone to deploy, manage and maintain it, as well as make sense of the information it generates. The data these solutions produce and the people managing them often remain in a silo, making it hard for anyone or anything to see the complete picture to quickly and confidently take action, as appropriate. But change is coming.
More than half of the respondents (55%) to a survey by Intel Security “believe cybersecurity technologies will evolve to help close the skills gap within five years.” Likely this will come in the form of advances in intelligence, automation and orchestration. We have already seen vendors dabble with artificial intelligence (AI) and machine learning to accelerate the identification of an attack and support the orchestration of more automated responses.
It has been particularly effective when entities or events can be easily incriminated or exonerated, such as in the incident response process. A large organization can average close to 17,000 alerts a week, and only one in five of those alerts ends up being something worth dealing with.
A solution, however, that can automate investigations and help prioritize subsequent activities is sustainable. Hence, we have seen an explosion in the IR automation market – the Enterprise Strategy Group found that 56% of enterprise organizations “are already taking action to automate and orchestrate incident response processes;” Technavio has the IR system market growing at a compound annual growth rate (CAGR) of 13%.
To truly ease the burden on cybersecurity analysts and improve the efficiency and productivity of their cybersecurity infrastructure, organizations need to look for and demand more of these kinds of innovations from their technology vendors.
Services Play a Viable Role in Augmenting Capabilities
The reality is there are always times when organizations, even those with SOCs that are skilled and staffed appropriately, may need a little help. This is where services come in; we are finding there is greater acceptance that augmenting resources with a service offering can be a good way to enhance the effectiveness of an organization’s cybersecurity strategy and implementation.
An outsider’s view can give organizations the knowledge they need, a fresh perspective or a new way of thinking that helps drive better decision-making and ultimately better security.
The problem is that managed security services providers (MSSPs) are having to staff up themselves to meet the demand, which is why we’ve seen a lot of movement in this space. For example, there has been FireEye’s acquisition of Mandiant, IBM’s acquisition of Lighthouse Security, and BAE Systems’ acquisition of SilverSky, etc.
Ultimately, being able to deliver the experience and know-how organizations need will help close the gap and strengthen overall security.
Educational Opportunities are Key to Bolstering General Awareness and Expertise
At the end of the day, nothing replaces the knowledge and expertise of an in-house analyst. Only they truly understand an organization’s nuances, putting them in the best position to effectively identify, contain and fully remediate many of the more sophisticated attacks targeting the organization.
Unfortunately, as we’ve already mentioned, these folks are in short supply, so organizations need to look across their IT organization to develop cybersecurity awareness and know-how.
Training courses that are taught by experts with real-world experience and that include lab time are invaluable for building the skills needed to strengthen the organization’s security stance. Virtual sandboxes (vSandbox) and Ultimate Test Drives (UTD) are also good tools to deploy. They allow attendees to test and work with solutions in a safe environment, so they can see firsthand how those solutions can be deployed and used to improve the cybersecurity capabilities of the organization’s own environment.
Ultimately, to address the cybersecurity gap and all the threats that are targeting an organization, it will take a confluence of technologies, services and experiential learning. Together, organizations can deploy the skills and capabilities they need to keep up, and ideally get ahead, in this harried cybersecurity landscape.
Source: InfoSecurity Group
Author: Pradeep Aswani
Generally, when we talk about risk management for nonprofits, there is a note of panic in the conversation, as we hold the image of organizations teetering with the uncertainties of government policies and funding, philanthropists changing the focus of their giving, and increasing demand for services. In fact, grantspace.org quoted the Alliance for Nonprofit Management as defining risk management as a discipline intended to identify and protect against any threat to an organization’s ability to deliver on its mission. It is a definition based on fear: fear of loss. A report covered by NPQ in 2016 represents another example of this approach.
In 2017, NPQ devoted an entire issue of its print journal to the subject of risk management in the nonprofit sector. The focus was on how to move from risk management to risk leadership, with an interview with David Renz providing focus for what that actually means. Not only do nonprofits live in a world of risk, but at times it is important to acknowledge that risk fully and even use it as a way to move forward.
A recent article in the Greenwich Sentinel by Michele Braun builds on this idea and provides some very simple how-to’s for nonprofit boards and leaders. Braun, director of the Institute for Managing Risk at the Manhattanville School of Business, argues that if nonprofits do not take any risks at all, they cannot grow, adapt, or respond to the needs of their clients. The question, instead, is how to be intentional about which risks to take on and how to avoid ones that could be detrimental to the organization’s survival.
Nonprofit leaders should ask a few key questions:
- What risks do we face that can derail our mission?
- What risks can we take that would help us accomplish our mission?
- What processes do we have in place for assessing and managing risk?
- Why haven’t we committed to be a risk-aware and risk-savvy organization?
Two easy steps to take, according to Braun, involve taking an annual look at risk across your organization. A conversation among staff and representatives from all strata of the organization could lead to a clearer understanding of what has changed internally and externally that might alter the risk landscape. Are there new threats or opportunities the organization should be aware of and act on? People from outside the organization should be included in this discussion, as they may see things from a different angle and set of experiences.
In addition, also on an annual basis, the organization’s insurance carrier should be asked to review coverage and services. Periodically, the organization should ask an insurance provider that is not their current carrier what they would propose as coverage. There may be something that the current provider is overlooking.
Inherent in what Braun is saying is that although we need to be aware of and prepared for risks, we need not always live in fear of them. A risk management policy can include more than simply how not to be devastated by a negative risk. It can also include ways to be aware of and take advantage of risks that will help us grow. By managing the process of taking a strategic risk, and with some forethought, your nonprofit can have the courage to do something new while minimizing the potential downside.
Source: Nonprofit Quarterly
Author: Rob Meiksins
How many passwords do you use for work? Five? 10? More? Most nonprofit staffers have too many passwords to remember them all. This leads to bad habits – writing them down on sticky notes, sharing them with colleagues, or reusing the same password over and over. These bad habits can put your organization’s data at risk.
Many nonprofits are turning to password management services such as Dashlane, LastPass, and Sticky Password. These tools allow you to use just one long, complex password behind which you can store all your passwords. Most tools can be configured to automatically enter the right password whenever you go to an account website or open an application.
Some people worry that putting all your passwords in one place is too risky because one hack opens the door to all your data. That’s a valid concern, but chances are that the encrypted system used to manage your passwords and the value-added services you get from a password manager will make you more secure than whatever you’re doing currently.
If you’re interested in implementing a password manager at your organization, here are a few of the features you should look for.
- Enterprise Control. One of the biggest benefits of a password manager is the ability to manage every password user at your organization. Look for a service that allows you to turn off access for people who have left your organization and select the users who should and should not have access to specific accounts. A good system will allow you to maintain this admin-level control without giving you direct access to any password content.
- Audits and Changing. Many password managers can guide users to choose stronger passwords. Some will audit your passwords and suggest ways to strengthen them. Many also allow you to schedule password changing and even automate password changes.
- Two-Factor Authentication. A good password management vendor will understand your concern that one password in the wild can lead to dozens more roaming passwords. Two-factor authentication, a method that requires you to verify your identity in a second way, adds an extra layer of security to make it more difficult for a thief to get into the system.
- Multiple Devices. Chances are your staffers want to use various operating systems and mobile devices. Look for a password manager that is compatible with PCs, Macs, and all the various mobile devices out there.
Source: The Nonprofit Times
What would you do if your nonprofit had over 500 W2 tax forms stolen electronically and put up for sale on the dark web?
This nightmare happened to one unnamed nonprofit, and their solution was to contact the National Cybersecurity Center, a nonprofit founded in 2016 by Colorado Governor John Hickenlooper. The NCC’s mission is to provide collaborative cybersecurity services and training. Their goals are to provide education, training, and response services. According to CEO Ed Rios, almost 90 percent of the attacks reported to the center have been mitigated.
What happened to those W2s? The NCC determined that the records were obtained via an email scam. To help with prevention, the NCC offered training to the nonprofit on identifying and avoiding such attacks in the future.
Rios stated that approximately 75 percent of attacks result from user error. Commonly known as PICNIC: Problem In Chair, Not In Computer, this term is popular with IT help desk employees to describe the non-IT workforce’s propensity to click first and ask questions later.
There are three pillars of the NCC’s work:
- The Rapid Response Center is a dedicated facility with experts, vendors, and partners to serve as a trusted resource during a time of security breaches. Their plan is to be the “one-stop shop” when immediate assistance is needed to solve an attack. The RRC is reached via 877-90-CYBER. Currently only available during business hours, the plan is to offer 24/7 assistance in the future.
- The Cyber Institute takes a think-tank approach to exploring emerging tactics and trends, encryption, and protocols available to better protect our electronic assets. Examples include cyber law, cyber budgeting, cyber communications, and other activities that a small or medium nonprofit or business needs to understand, both now and as technology evolves.
- The Cyber Research, Education and Training Center partners with K-12 and higher education to drive research and development and to provide cyber workforce preparation and education.
Statistics reveal that a single breach can cost up to $9 million for complete resolution, says Rios. Referring to the management level, he said, “50 percent don’t really know enough to even have a discussion.”
Regarding the cybersecurity workforce shortages, Rios further explained that cybersecurity skills can often be taught at the “tactical level” as opposed to the formal education perspective with degrees in computer science. As nonprofits face an increase in cybersecurity and other online threats, it behooves them to be aware of the dangers and the resources available to mitigate them.
Source: The Nonprofit Quarterly
Author: Jeanne Allen
For nonprofits, reputation — theirs and their private-sector partners’ — is everything. Managing it has become a key strategic goal.
When an organization’s mission and message are about “doing good” — helping those in need or tackling an important social or environmental problem — it may be hard to imagine any reputational risk associated with their enterprise. Isn’t reputational risk management something that only private-sector, for-profit corporations need to be concerned with?
Although it might come as a surprise, the reality is that nonprofits — whether they’re development organizations, charitable bodies, or advocacy groups — have started to build fully-fledged reputational risk management systems similar to those employed in the private sector. Why? Because they meet challenges to their missions very similar to those faced by private-sector companies. First and foremost, they want to avoid a relationship with a controversial donor that might jeopardize their reputation.
Reputation as an Asset
A friend who advises the nonprofit sector recently explained it like this: “Companies have products and services. Even if a company is criticized, selling products and services will continue to generate revenues. Nonprofits, on the other hand, depend on donations that are primarily given on the basis of the organization being an honorable and effective one. Put simply, their reputation is really all they have.”
Here’s an example of the harm that comes from an attack on a nonprofit’s reputation. In 2011, the World Wildlife Fund (WWF) was criticized for its partnerships with industry in a German documentary with the audacious title, Der Pakt mit dem Panda — Was uns der WWF verschweigt. This roughly translates as “The Pact with the Panda: What WWF isn’t telling us,” but it was recast in English as The Silence of the Pandas, a reference to the thriller The Silence of the Lambs, insinuating that WWF was involved in an awful crime. The title alone was damaging in either language because it cast WWF as manipulative and dishonest; the film’s content itself, which according to WWF contained a number of significant factual errors, was even more so.
In its press release addressing the issue, WWF was able to prove that most of the claims made in the documentary were unfounded. However — and this is again similar to the situation of private-sector companies — dealing with the controversies absorbed valuable time and money. WWF Germany also lost members and donations. The drama of a message often overshadows a rational, point-by-point refutation; WWF may have had the last word, but it didn’t necessarily reach the ears of donors (or potential donors).
Furthermore, the Internet is an unforgiving archive of allegations, regardless of whether they are true or false. The undesirable effects not only last over time, but also spread across borders. Incidents that occur in a specific region can affect other countries’ offices and the organization’s headquarters as well. WWF Switzerland, for example, felt the ripple effects of the controversies in Germany.
Managing Risk in Corporate Partnerships
Completely avoiding partnerships with private-sector companies would be an effective way of mitigating the corresponding reputational risks. Some nonprofit organizations do exactly that. Think of Greenpeace, an organization active on the very front line of corporate criticism. The last thing it wants is to be accused of taking money from controversial companies or supporting “greenwashing” by partnering with them.
But this strategy comes at a price. First, private-sector companies are an important source of revenue. Donations from private individuals have not grown for many years, but there is still an untapped potential among corporates. “Although only 5% of donations come from companies, the volume of corporate income among Swiss nonprofits grew by 7% last year. However, the more funding nonprofits receive from companies, the more tough questions they will have to answer. The best way for them to avoid controversies is to agree with the partner on a truly transformational agenda. The positive impact of the partnership should be the primary reason to engage with the private sector,” says Michael Arnold, head of corporate partnerships at WWF Switzerland.
Second, as highlighted by Arnold, private-sector companies can play an important role in projects themselves. They have much-needed knowledge and resources. Many subject matter experts at nonprofit organizations believe that it will not be possible to solve today’s challenges without the involvement of the private sector. From the opposite perspective, private-sector companies are more often seeking partnerships with nonprofit organizations as part of their corporate responsibility and sustainability strategies.
With this in mind, donor organizations have also started to think about how they can manage the corresponding reputational issues. Jean-Christophe Favre, in charge of private-sector partnerships at the Swiss Agency for Development and Cooperation (SDC), says that the SDC needed a system “that allowed them to have a good enough understanding of the potential partner so that they could feel comfortable about the partnership.
Not having a reputational-risk framework and clear criteria also made it very difficult to discuss partnerships in a productive manner and to ensure institutional coherence. Every office would make decisions differently. And, in the worst case, SDC would not be able to explain how the partnership was assessed and why SDC came to the conclusion that this partnership was beneficial to SDC’s mission.”
Christian Görg, responsible for the reputational risk process used to assess private-sector partnerships at Germany’s largest development organization GIZ, has had similar experiences: “At GIZ, we wanted to avoid inconsistent decisions in different areas of the organization. The most important benefit of our reputational risk process is that we think about ways to mitigate risk from day one. The process sharpens our senses and makes sure that we don’t enter into partnerships hastily.”
Looking at potential partners, nonprofit organizations need to be able to answer the same questions as private-sector companies in the same situation: with which companies do you want to work? Or, in other words: with which companies is it better not to have a business relationship — and if you embark on a partnership anyway, what should be your terms?
While businesspeople tend to see reputational risk management as an obstacle to business, it is an enabler of business in the world of nonprofits. Understanding the issues a potential partner is exposed to and identifying risk-mitigating measures are essential to doing business. This enables nonprofit organizations to frame the discussion, to evaluate risks and options, and to overcome internal concerns.
Author: Olivier Jaeggi
In the era of 24-hour news coverage, and in the aftermath of highly publicized catastrophic events including hurricanes, earthquakes and terrorist attacks, insurance policyholders have very little patience for a protracted claims process.
At the risk of alienating customers, especially younger policyholders who grew up in a digital age, the insurance industry must adapt to keep up with the speed of business and increased expectations regarding how companies administer claims.
Consumer expectations aside, there’s also pressure from internal stakeholders who expect up-to-date evaluations of risk and more efficient business practices that drive down costs and create competitive advantages.
So, how can insurance companies redesign their business models, particularly the claims administration process?
Leveraging the wisdom of crowds
With these challenges in mind, innovative insurance companies increasingly see a reason to incorporate alternative data sources as an element of their insurance contracts. Given the prevalence of smartphones and the general public’s willingness to use their social media accounts to share events as they happen, real-time social media posts are often the fastest indications of a breaking event. In fact, governments, news agencies, and businesses commonly rely on social media to keep track of breaking news stories.
The real-time nature of social media dovetails with the need for insurance companies to pick up the pace when processing claims. When analyzed correctly, social media data can inform a parametric insurance contract, triggering the payment of a predetermined amount when conditions exceed certain metrics, such as the wind speed associated with a hurricane or the tremors accompanying an earthquake. In addition to natural disasters, alerts derived from social media could justify payouts of a parametric insurance policy covering a man-made event, such as a terrorist attack.
In short, when a significant incident impacts policyholders, a parametric contract that relies on social media alerts can generate a payment. And there’s an added bonus: After an event, the real-time information from social media becomes historical information that helps underwriters assess future policy risks.
A front-row seat to insured events as they unfold
As the recent hurricane in Puerto Rico or the 2017 terror attack at the Parsons Green Underground station in London demonstrate, a spike in the volume of real-time social media posts is a leading indicator of breaking news. In the simplest terms, social media posts emanating from Puerto Rico or from the vicinity of the Parsons Green station provided compelling evidence of an incident. Over time, as the volume of posts grows, the evidence of a covered event becomes incontrovertible.
Nonetheless, insurance companies don’t need to wait until there is a vast number of social media posts to initiate the claims process. With the right tools in place to mine social media, insurance companies can be alerted to an event before the volume of posts surges exponentially.
Whether an insurance company relies on the first post to act or decides to wait until the volume of social media posts mushrooms, the corroborative nature of social media, including the analysis of geolocated posts, offers an up-to-date portrayal of events.
While incorporating alternative data as part of parametric insurance contracts may face organizational resistance, making use of social media data benefits those covered by policies, as well as the insurers themselves — removing the burden of assessing a loss solely off insurance adjusters and shortening the time needed to assess a loss and issue a payment. Customers who are helped quickly are also less likely to complain about service and may support the insurance company publicly, contributing to brand strength.
The rush to leverage social media alerts
Up until recently, the insurance industry has resisted the pressure to jump on the technology bandwagon. However, in the midst of unrelenting changes in consumer expectations, and the proliferation of online insurance upstarts determined to disrupt the industry, many insurance companies are in the process of overhauling their business models and embracing the latest technology.
In particular, the claims process is ripe for change. While the industry’s staid approach to claims used to suffice, today’s policyholders no longer deem it acceptable for insurance companies to take months to evaluate and pay out claims. In order to attract and retain customers, while reducing claims processing costs and creating competitive advantages over less refined competitors, insurance companies must build business models that allow for a faster, more agile response. That means looking beyond the traditional tools and approaches for a nimble solution with the potential to support the accelerated payouts policyholders expect.
Using alerts derived from social media provides claims processors with real-time, actionable alerts, including images and video that offer third-party evidence of an event and the extent of the damage, and consequently, the ability to expedite and automate policy payments. Insurance companies that tap into social media data to speed the claims process may impress policyholders by avoiding typical operational challenges and may help the strength of public brand perception.
The competitive landscape of shifting business models may propel many insurance companies to use social media data as an indispensable linchpin in their revamped claims administration process.
Source: Property Casualty 360
Author: Dillon Twombly
Employees must do their part to ensure they get enough rest to perform their work duties, experts say.
Fatigue is “not always the employer’s responsibility,” said Bill Spiers, Charlotte, North Carolina-based vice president, unit manager and risk control strategies practice leader for Lockton Cos. L.L.C.
Wellness initiatives have been catching on to that way of thinking, helping to explain to employees the importance of sleep because much of the fatigue can be caused by factors outside of work, he said.
“The interesting thing is fatigue really hits that bridge between wellness and safety that companies have been struggling (to link) for many years,” said David L. Barry, Kansas City, Missouri-based national director of casualty risk control and senior vice president in the risk control and claims advocacy practice for Willis Towers Watson P.L.C.
Fatigue awareness needs to be a part of employer culture, said Emily Whitcomb, senior program manager for the Itasca, Illinois-based National Safety Council. “You want to make sure your employees understand fatigue is a hazard… push them to prioritize seven hours of sleep.”
Other issues such as employee mental health and diet and exercise also come into play when it comes to adequate rest, said Mr. Spiers.
“We are not robots — we are human beings,” he said. “With human beings, you have physical and mental things” occurring outside of work, he said. “You can’t just isolate one thing.”
“A lot of times it’s just having a good conversation” with employees, said Mr. Barry.