Is It Time to Educate CEOs about Threats from Cybercrime?
July 13, 2010
Many senior executives still don’t get it about cybercrime. There is plenty of evidence that cybercriminal activity is flourishing. But a USA Today report on new research indicates that many CEOs remain unaware of the dangers their firms face when it comes to Internet security.
Eighty-one percent of information-technology professionals believe that their companies’ senior managers still do not comprehend the need to take proactive steps to ward off security threats.
That’s according to a study of nearly 591 IT pros, conducted by the Ponemon Institute for NetWitness. It did not only cover opinions about CEOs; the same concerns were raised about a lack of understanding within government agencies.
In addition to the 81 percent concerning senior executives, the study reports other red flags:
- 83 percent indicated their organization has been a recent target of advanced threats
- 41 percent said they were frequently attacked
So, it’s time to check with go-to security expert Dr. Stan Stahl. Is it really possible that senior executives don’t fully comprehend IT security dangers?
“Our experience confirms the validity of these statistics,” says Dr. Stahl. “The cybercrime problem is only going to get worse as more and more small and medium size businesses fall victim to online bank fraud.”
Dr. Stahl, who commented on the findings in his blog, is a widely known pioneer and consultant in security and the prevention of identity theft. He is the expert on Federal Trade Commission rules under the Gramm Leach Bliley Act governing the handling of non-public personal information by financial institutions. He is also president of the Los Angeles chapter of the Information Systems Security Association, a nonprofit, international organization of information-security professionals and practitioners.
“The biggest challenge we see is helping the men and women who have to dedicate resources (people or money) understand (1) why they need to improve the security of their information systems, (2) the basic steps involved in improving systems security, and (3) the ancillary competitive benefits they can get from improved information systems security management,” he writes.
Indeed, the study also indicates 44 percent of attacks result in the theft of confidential information, and 45 percent of the cyber strikes result specifically in the “theft of intellectual property.”
“It’s to meet this challenge that we in the Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) have embarked on an aggressive Community Outreach Program,” writes Dr. Stahl. “Our objective is nothing less than to raise information security awareness.”
Of course, the association has local chapters in multiple cities; see www.issa.org.
Yes, it’s disappointing to know that senior executives are still in the dark. But IT pros can solve this problem. Here’s more: How CIOs Can Get More Respect in the C-Suite.
From the Coach’s Corner, this site’s Tech section contains many Biz Coach columns on cybersecurity with solutions from Dr. Stahl. (Note: I’m very familiar with Dr. Stahl’s expertise as we’re both members of Consultants West, www.consultantswest.com.)
For more on Dr. Stahl: http://www.citadel-information.com/index.php ; and blog.citadel-information.com.
Resources links: Ponemon Institute, www.ponemon.org; and NetWitness, www.netwitness.com.
Antivirus Company Names Most-Perilous Internet Cities
Updated March 23, 2010
In cyber-crime, Seattle has earned a distinction it’d rather not have – the No. 1 riskiest online city. That’s according to Norton from Symantec. The antivirus company teamed up with the research firm Sperling’s BestPlaces to determine the locales they deem the most susceptible to Internet crime.
Maybe they are and maybe they’re not. A leading cyber-security expert, Dr. Stan Stahl, questions the data.
“While some of the factors used in assessing ‘risk’ would seem to be appropriate, my bottom line was expressed best by G.K. Chesterton: ‘It’s not that they don’t know the answer. It’s that they don’t even know the question’,” says Dr. Stahl, a noted Internet security expert in Los Angeles (www.citadel-information.com).
A Norton press release states its list of cities was developed as a result of the cyber-attack data compiled by Norton and other factors. The top five: Seattle, Boston, Washington, D.C., San Francisco, and Raleigh.
Norton’s data criteria fall into these six categories:
1. The cyber-crimes data from Symantec Security Response:
- Number of malicious attacks
- Number of potential malware infections
- Number of spam zombies
- Number of bot infected computers
- Level of Internet access
2. Expenditures on computer hardware and software
3. Wireless hotspots
4. Broadband connectivity
5. Internet usage
6. Online purchases
Missing from this list, Dr. Stahl says, are things that would serve to mitigate risk, such as:
- Number of information systems security professionals in the city
- Average number of information security professionals per 1,000 computers and per company
- Percentage of computers that connect to hotspots using a VPN (virtual private network)
- Percentage of companies that are ISO 27001 certified (ISO is the International Organization for Standardization)
- Number of CISSPs (Certified Information Systems Security Professionals), CISMs (Certified Information Security Managers), etc.
- Percentage of businesses/homes with professionally managed firewalls
“By itself, expenditures may mean little or nothing since one large supercomputer can cost the same as zillions of PCs and actually lower risk,” explains Dr. Stahl. “There’s also the question of what ‘risk’ means when applied to a city, as opposed to an individual or an organization.”
So it’s a question of what he calls “meaningful mathematics”: everything is relative.
“My risk goes up or down as the total number of bot infected or spam zombie computers goes up or down; it doesn’t really matter if they happen to be in my own town or somewhere else [more or less true, but not quite since a bot net or spam zombie in Africa poses less of a risk than a bot net in America],” he adds. “In this situation, my risk is my risk; it doesn’t meaningfully transfer to my city.”
Norton’s list of the alleged most-vulnerable cities:
1. Seattle
2. Boston
3. Washington, D.C.
4. San Francisco
5. Raleigh
6. Atlanta
7. Minneapolis
8. Denver
9. Austin
10. Portland
11. Honolulu
12. Charlotte
13. Las Vegas
14. San Diego
15. Colorado Springs
16. Sacramento
17. Pittsburgh
18. Oakland
19. Nashville-Davidson
20. San Jose
21. Columbus
22. Dallas
23. Kansas City
24. New York
25. Indianapolis
26. Albuquerque
27. Miami
28. Omaha
29. Virginia Beach
30. Los Angeles
31. Cincinnati
32. Houston
33. St. Louis
34. Phoenix
35. Chicago
36. Baltimore
37. Oklahoma City
38. Philadelphia
39. Jacksonville
40. Tulsa
41. San Antonio
42. Milwaukee
43. Cleveland
44. Tucson
45. Long Beach
46. Fort Worth
47. Fresno
48. Memphis
49. El Paso
50. Detroit
Again, based on the expertise of Dr. Stahl, if you live in one of the listed cities, you don’t necessarily have to worry. My thanks to him – he’s been very gracious with his analysis for many years.
From the Coach’s Corner, here are recent Biz Coach columns featuring his expert opinions:
- How to Protect Yourself from the Internet Crime Wave
- Strategic Planning: List of Informative Web Sites
- Web Security Checklist and Warning about Mobile Banking
- 5 Safety Measures to Thwart Mounting Social-Network Attacks
His security blog: http://citadelonsecurity.blogspot.com/
How to Protect Yourself from the Internet Crime Wave
For Citibank customers and millions of other consumers who enjoy the convenience of online banking, a headline was alarming.
The Wall Street Journal headline: “FBI Probes Hack at Citibank – Russian Cyber Gang Suspected of Stealing Tens of Millions; Bank Denies Breach.”
The article on December 22, 2009 was the last we’ve seen about the Citibank situation. The reported multimillion-dollar loss – a public relations nightmare for Citibank – has been hushed up.
Many online security experts say online fraud is skyrocketing and there are FBI warnings about online fraud and related scams.
Such cybersecurity experts also cite another alarming trend – increasing sophistication in the methods used by cybercriminals.
About three weeks after the Citibank report, online-banking warnings were issued by the American Bankers Association and FBI (“Cybercrooks stalk small businesses that bank online”). The warnings followed a wave of cybercrime afflicting small businesses, public-sector agencies, churches, schools, and other non-profits.
Cybercrime methods
Many crooks are using what are called “banking Trojans.” Here’s a typical case: “New Trojan Intercepts Online Banking Information – PC World.”
A cybersecurity expert, Dr. Stan Stahl, recently described a plot line from another cybercrime incident that is applicable to the banking scams.
“The plot line isn’t with Citibank but related to the recent web attack on Twitter that redirected users to the ‘Iranian Cyber Army.’ This same type of attack – stealing the UserID/password of Twitter DNS administrator and then changing the DNS to point to the Iranian Cyber Army – could be used to create a ‘cybercriminal-in-the-middle’ attack against an eCommerce site,” he said.
Dr. Stahl further explained the cybercriminal is then able to steal a consumer’s sensitive credit-card information and seize control of the victim’s computer.
He is a widely known pioneer in security and the prevention of identity theft. He is the expert on Federal Trade Commission rules under the Gramm Leach Bliley Act governing the handling of non-public personal information by financial institutions. He is also president of the Los Angeles chapter of the Information Systems Security Association, a nonprofit, international organization of information security professionals and practitioners.
“I feel the banks must bear a significant share of the responsibility because they have the knowledge of what’s happening yet, in my experience and based on what I’ve been told by people in law enforcement, they are not working the problem with their customers nor are they supporting law enforcement by sharing what they know,” said Dr. Stahl. “They strike me as wanting to pretend this isn’t a problem.”
It’s true insurance companies reimburse victims of cybercrime. But cybercrime is expensive.
A client once hired Dr. Stahl to investigate a $1 million loss from an online banking theft, and I reported the details in this column, “5 Safety Measures to Thwart Mounting Social-Network Attacks.” He says it resulted in an expensive legal struggle.
“The lawsuit I’m involved in, for example, is between two insurance companies; both will lose dollars regardless of how the suit turns out,” Dr. Stahl explained. “If the insurance companies made bank cooperation with law enforcement a policy requirement, we’d get a lot more cooperation and the insurance companies would have fewer claims to pay.”
He is also assertive in explaining his perspective on the Internet-security issue, Google vs. China.
“There is little in the Google story that the information security community didn’t already know except for the specific vulnerabilities that were exploited,” he said. “What is new – and important – is that now the world knows. For our business, it’s just one more example we can point to of how unsafe the internet is. Plus, because it’s Google, the cybercrime has been deconstructed more thoroughly than usual. Kudos to Google.”
Smartphone dangers
A published report, “BBC News – Cybercriminals revive old scams to target smartphones,” raises the specter of threats against mobile phones.
The BBC smartphone report prompts this question from Dr. Stahl: “How long will it take until this type of malware is used to steal online bank credentials?”
Here are some of his tips to enhance your personal online security:
- Review all privacy and policy information.
- Use unique and hard-to-guess login information.
- Protect your computer.
- Check your account balance regularly.
- Pay using credit cards.
- Do not access your account from public locations.
- Verify email correspondence from your bank.
- If your account is compromised, take swift action.
For your company’s management controls:
- Don’t allow your employees to use your computers in social networking.
- Establish a list of allowable websites.
- Closely monitor your bank account.
- Train employees in social engineering awareness.
- Change the mindset of your managers and employees – if something seems odd, say no and call for Internet security.
- Strengthen your defenses.
(Note: I know Dr. Stahl well as a trusted expert, and I’ve interviewed him on multiple occasions. He and I are members of a roundtable of veteran consultants, Consultants West, www.consultantswest.com.)
Resource links:
- Dr. Stahl’s Web site – www.citadel-information.com.
- His blog – www.citadelonsecurity.blogspot.com
From the Coach’s Corner, here are additional security tips:
- If you’re a cyber victim, contact a noted security expert and authorities (How to Report E-Scams and Hoaxes to the FBI).
- If you want to help the victims in Haiti: “Only donate through the Red Cross or other well-established charity organizations,” said Dr. Stahl. “Ignore all email solicitations. They could be fake and prudence requires that one assume they are. There are lots of known safe groups through which one can contribute; no reason to take a risk here.”
Business 101 Lessons: Google vs. China’s Censors, Cybercriminals
So Google is finally paying attention to a free-enterprise business compass. In other words, the search engine is threatening to withdraw from China over censorship and cybercrime issues. Because China is a huge marketplace, Google and other companies have been tolerant of such problems.
Actually, tolerating an uncontrollable, hostile environment violates principles in best-practices management. So it’s a tardy development, but let’s roll out the welcome mat.
Since President Nixon bridged the diplomatic gap between the U.S. and China in 1972, companies and nations have tolerated and perhaps even encouraged China’s behavior – censorship, violation of human rights, intellectual-property theft, currency manipulation for cheap exports, other discriminatory protectionist policies, and Communist Party activities.
In 2006, I wrote that I was disappointed by the decisions of Internet companies that decided to acquiesce to China’s behavior and environment. It’s one thing to accept it, but another to condone it and build a business model around it.
My reasons:
- Values matter
- The free-enterprise system works best
- Economic and political freedoms are connected – lose one and you lose the other
Business Leadership
To be a business leader, it’s important to know who you are…what your roots are…plan strategically…and always try to do the right thing – even if your decisions and actions are unpopular.
Actually, this principle applies to all facets of life and even sports. And I love writing sports metaphors for business topics.
For example, many Seattle Seahawks’ fans were delighted with the selection of Pete Carroll as coach, especially after his initial press conference upon being hired away from the University of Southern California. That was when he explained why he was previously unsuccessful in the NFL. By any standard, he was dominant in his tenure at USC.
Before coaching at USC, his pro football teams – the New York Jets and New England Patriots – were mediocre. It was refreshing when he admitted in Seattle that he didn’t know himself or who he was in his earlier pro jobs.
In referring to his new team he made this comment: “When we start this thing off, they’re going to know where I’m coming from, because I know where I’m coming from.”
One of his Seattle predecessors, Cleveland Browns executive Mike Holmgren, had success as coach of the Seahawks and Green Bay Packers. But he was unsuccessful his first four years in Seattle because he was both coach and general manager. It was only after the management responsibilities were taken from him that he coached the team to the Super Bowl in 2005. During that time, I speculated that his lack of success stemmed from the Peter Principle. In essence, people rise to their level of incompetence.
Few people are equipped to handle both responsibilities. Even if they have all the technical and management skills, their attention to detail, energy and efficiency will plummet.
So possibly, the Google brain trust needed to learn about themselves and the downsides from conducting business while abandoning their values.
Socrates was right
Ancient Greek philosopher Socrates is known for his aphorism: “Know thyself.” And it’s right out of my human resources training materials.
For individuals, a complete self-assessment of strengths and weaknesses is the key to success. Once an employee knows who she or he is, then it’s possible to effectively set goals. Then, execution comes into play.
For success in business, an analysis of strengths, weaknesses, opportunities and threats will pave the way for writing a productive strategic plan and a business plan. And again, it’s important to execute.
Google’s courage will help other businesses to fully realize the problems associated with forgoing their values in order to do business in China. Certainly, it will be a catalyst for discussion.
Google believes its security was violated by hackers based in China. But there is probably another motivation.
The search giant, unlike companies such as General Motors, has relatively little to lose. China is a profit source for GM. Depending on your preferred source of information, Google’s search market share in China ranges from less than 20 percent to 35 percent. But it isn’t enjoying bountiful profits because e-commerce is not as big in China as in the rest of the world.
Here is Google’s explanation of its new perspective.
Let’s hope others are paying attention.
From the Coach’s Corner, what is your profit forecast this year?
Here is a top-10 checklist for profits:
- Review and fine-tune your business plan. Be sure to discern your competitive landscape and benchmark your main competitors.
- Bring on the A team – both in staff and advisors. Recruitment and training will remain important, and seek the best mentors and professionals for inspiration to help you sustain growth.
- Remember Pareto’s Principle – the 80/20 rule – that applies to you and your business in a variety of ways. It means, for example, that 80 percent of your revenue comes from 20 percent of your customers. So evaluate how you spend your time and resources.
- Enhance your staying power by concentrating on your most profitable customers while identifying new revenue sources.
- In prospecting and marketing, select and target the right customers.
- Add sizzle by improving your niche performance. Uniqueness will count even more this year.
- Watch your cash flow and your firm’s overall budget each week.
- Focus on quality in your business processes – make it your No. 1 job.
- Innovate – plan for more marketplace changes and evolving consumer preferences.
- Practice the art of mental toughness. Remember when it’s appropriate to ignore the opinions of others, and to persevere in your dreams against seemingly insurmountable odds. I’m still marveling at the success of my mother, who is in her eighties. She was diagnosed with macular degeneration, which meant she couldn’t read the newspaper. A couple of years ago, she had life-threatening complications from back surgery. A few weeks later, she was back in intensive care and doctors warned she wouldn’t walk again. Well, guess what? She’s walking, passed her driver’s test, and once again insists on preparing full-course meals, especially at family gatherings. Mmm, delicious! Go mom!