For Lawyers and Law Firms

In my most recent piece for New York Law Journal, I discuss in detail how lawyers and law firms can mitigate cyber risk with the right cybersecurity controls.

The first step, “We need to recognize there is no ‘one size fits all’ solution.”

Read the full piece here: For Lawyers and Law Firms

Cybersecurity and Due Care for Law Firms

In my article for New York Law Journal, I explore how law firms can get more involved in their cybersecurity initiatives as well as how to care for themselves, their clients, and their employees.

Read the full article here: Cybersecurity and Due Care for Law Firms

When Bad Hacks Happen to Good Real Estate People

Have you ever wondered how a doctor feels when delivering a bad diagnosis to a friend or family member? When a real estate friend reached out to me with a case of a nasty laptop hack, I knew the situation was bad. Theirs wasn’t a life or death case, but a real estate agent’s professional life depends on information technology, and experiencing a bad hack can have a colossal negative impact on their financial well-being. Read more about when bad hacks happen to good real estate people in my latest article in the New York Real Estate Journal here.

When Bad Hacks Happen to Good Insurance People

We all read about the terrible hacks that happen to big corporations or large insurance companies. Unfortunately, many of us are lulled into a false sense of security, assuming that those sorts of security failures would never happen to us. This is far from the case. Even good insurance people face times when their systems have been hacked – often by some form of malware – and they have to move forward as best they can in an effort to protect themselves and their clients.

Read more in my latest article for Insurance Advocate Magazine.

Under Attack: When Bad Hacks Happen to Good Advisors

Colossal computer hacks don’t just happen to big companies with huge data banks with information “worth” accessing. They happen to you and me, to individuals and enterprises alike. Even the best insurance advisors encounter cyber attacks, and they can be injurious to both their professional and personal lives. So, what do you do? The process won’t be easy, but there are steps you can take to right the situation.

You can read more about how to prevent bad hacks as well as what to do when they happen in my latest article for Insurance News Net here.

Clear and Present Danger

On December 13th the New York Times published a feature article titled “The Perfect Weapon: How Russian Cyberpower Invaded the U.S.” In it Eric Lipton, David Sanger and Scott Shane do an excellent job in framing in detail the recent state-sponsored cyber attack against United States interests. But, the story doesn’t end there.

Russia is not alone in excelling at cyber warfare. Many nation-states see this as the new arms race. They believe, rightly so, that this is a race they can win. North Korea, Iran, and China have demonstrated their capabilities time and again. So have the United States and Israel. There is little doubt that practically every country is actively participating in the development, management, and deployment of cyber warfare infrastructure, building massive defensive and offensive capabilities. Moreover, they are “in it to win it,” and they think they can.

What has made Russia’s cyber attack particularly egregious is not that it is the first, but that it is a blatant, “in your face,” show of power, ridiculing the last superpower standing. What makes it particularly deadly is that it is coupled with Russia’s deep scholarship in propaganda. I have read recent interviews with officials downplaying and demeaning Russian propaganda as “par for the course,” and “things we’ve seen before from the Russians.” If so, then we have not learned, and that has cost us dearly. We have been badly defeated and ridiculed by what we all thought was a vanquished enemy of a cold war gone dead. In my view, news of the enemy’s demise is premature, and the cold war is very far from over.

On April 4th 1949, with the memories of the second world war brutally fresh, an alliance was formed between the United States, Canada, and several European countries. The North Atlantic Treaty Organization (NATO) was formed. Article 1 of the treaty reads: “The Parties undertake, as set forth in the Charter of the United Nations, to settle any international dispute in which they may be involved by peaceful means in such a manner that international peace and security and justice are not endangered, and to refrain in their international relations from the threat or use of force in any manner inconsistent with the purposes of the United Nations.”

Many more treaties followed, and the world’s doomsday clock reflected the threat: 7 minutes to midnight in 1947. 3 minutes in 1949, after the first USSR nuclear test. 17 minutes — the lowest value — in 1991. Now, it is back to 3 minutes to midnight.

The lowest value, 17 minutes to midnight, was reached when the world thought the cold war to be over, and the United States and Russia were engaged in nuclear arms reduction. Since 2015 it is back to 3 minutes as “Unchecked climate change, global nuclear weapons modernizations, and outsized nuclear weapons arsenals pose extraordinary and undeniable threats to the continued existence of humanity,” and world leaders fail to act.

Sadly, this is not their only failure. As catastrophically serious both climate change and nuclear arsenals are, and for that there should be no doubt, a third blight has surfaced: Cyber War. Most think that hacking or cyber warfare is a threat, to be sure, but not on the same level as nuclear weapons. Yes, millions of dollars may be lost, political careers ruined, and service interruptions may be inconvenient, but a cyber war is thought to be confined to the virtual world, not the real one. They are deadly wrong.

Acts of cyber warfare may have already claimed lives in Ukraine, when Russian hackers attacked that country’s power grid, leaving almost a quarter million residents without power. Lives may have been lost when the centrifuges in Iran’s nuclear enrichment facility were destroyed by Stuxnet, a suspected U.S. / Israeli cyber weapon. And, of course, there are many victims of cyber-bullying who took their own lives, demonstrating the power of reputational damage, an easily attainable effect of hacking any individual’s life story.

Experts warn of the certainty of real human casualties from cyber warfare. Consider what would happen if the electrical grid was hacked and the country, or regions, went dark for weeks on end. Ted Koppel did in his “Lights Out” book, and the implications are devastating. Consider the ramifications of hacking medical records, devices and facilities, water purification plants, traffic control, or telecommunications. I am sure that you can come up with your own nightmare scenario that leaves thousands, if not hundreds of thousands dead or injured, and our country in chaos.

I also have no doubt that there are brilliant minds working around the clock in our security services that continuously analyze and respond to these threats, as well as advise our leaders.

But, I know from experience, their advice frequently falls on deaf ears.

Just as executives don’t want to hear about risk, be it cyber, technology, or otherwise, neither, I suspect, do government “executives.” Certainly, recent rhetoric on the value of intelligence briefings demonstrates this, as do the inaction and hesitation of the Obama White House in responding to the Russian attack against our political process, and the flaccid reaction of the fourth estate in the face of fake news sites.

We need a concentrated effort on this new front for the survival of humanity. Confidentiality, Integrity, Availability, and Safety — the four pillars of cybersecurity — are now as fundamental to our lives as freedom of expression, movement, assembly and all the rights we have taken for granted as inalienable.

We need our leaders to be educated and alert to the danger that cyber warfare poses. We need our people to be better educated in navigating the information highway, and sensitized to the danger of cyber attacks — think “duck and cover” for the cyber age.

Finally, we need to join with our allies and reinvigorate our frameworks for resolving conflicts peacefully to include cyber warfare. A cyber attack on one country should be considered an attack on us all, with a commensurate and immediate response. And, we need all international organizations to recognize the danger of cyber actor and cyber weapons proliferation and take immediate and decisive action.

It’s a start, when nothing less will do. My Cyber Clock is set to 1 minute to midnight, and the seconds are ticking…

You Probably Can’t ‘Prevent’ Cyberattacks

Is your bank struggling to create a cybersecurity plan thorough enough to meet all of your needs? Every bank is unique, and no off-the-shelf, one-size-fits-all solution will completely solve your cybersecurity woes.

Luckily, by taking a moment to evaluate your bank’s business and pain points, you can set up the right controls that will preemptively ward off cyberattacks and compensate for attacks that have already happened.

My article in American Banker covers this in depth – read it here.

Mitigating Cyber Risks With the Right Security Controls

Understanding that no organization can fully protect itself from cyberattack is the first step to better protecting yourself and your business. Through a careful evaluation of both your enterprise’s current cybersecurity weak spots and your risk appetite, you can implement the right security controls to mitigate the risk of an attack.

To learn more, read my article for Information Management.

The 3 Biggest Mistakes in Cybersecurity

Cybersecurity seems to be an elusive concept for many businesses, big and small. They’ve tried countless solutions and strategic security plans, often without much success. This can be a frustrating process, but you can break the cycle!

By taking the time to understand what difficulties you might encounter, you can proactively set up controls that help to mitigate your risk. In my article for Information Management, I cover the three biggest, most common cybersecurity mistakes that I see repeatedly. Learning about the pitfalls that many face when working to secure their businesses is an excellent first step to take on your journey to a more cyber aware operation.

For the full article, head to Information Management.

The Wrong Ways to Manage Cyber Security

So, you’re finally convinced that this “cyber security thing” is not going away.  Now what?  Well, there are many ways to go about this:  On the one hand, you can take ownership of the problem and address this clear and present danger to your business, or, on the other hand, you can “lie” to yourself, throw the ball over the technology wall, and assume that everything is taken care of!  You would be in good company.

You see, many executives are tricked into thinking cyber security is a technology problem.  Far from it.  Perhaps it is wishful thinking, or, given the high-tech nature of the risk, an honest misunderstanding of the issue.  It doesn’t matter:  The end result is the same.  Cyber security is not a technology problem.  It is a business problem, and most importantly it is a people problem.

To understand this better, consider for a second the actual role that Information Technology (IT) plays in your world.  The role transcends all the “crucial” and “essential” adjectives that describe your IT.  And, it holds true no matter what your business is, no matter what size company.  This role is the same for everyone, and it is a simple one:  IT generates Value.  It does so in myriad ways depending on the business you are in, from the actual delivery of goods to clients (e.g. software businesses, data businesses, media and technology businesses, etc.) to complementing, enhancing, and realizing the mission and vision of the company (law firms, manufacturing, logistics, healthcare, etc.).

Why is understanding the role of IT as a value creator important?  Because the priorities of the IT function and the priorities of the cyber security function are at odds.  Cyber security is about managing risk.  IT is about creating value.  Think of it this way:  IT is like a banker.  Their goal: Create value for the bank’s shareholders.  Take risks, underwrite those loans, develop creative financial instruments, do whatever it takes to generate value.  Cyber security is like the regulators.  Their concern is with the viability of the institution, the risk to the system, the possibility of failure.  You can easily see, I hope, that you cannot have the regulator (cyber security) report to the banker (IT).

Understanding that you need to segregate these two functions is the first step.  The next pitfall is understanding the real problem that your cyber security function is trying to solve.  Frequently, cyber security is thought of as a checklist exercise:  Get the right firewalls, the right antivirus, establish a set of policies and procedures, and you’re all set.  Do it and forget it.  Nothing could be further from the truth.  To be sure, there are technology elements in deploying the right defense-in-depth strategy for your company, but stopping there is treating a continuously evolving problem with a solution that will probably be obsolete by the time you finish reading this article.  Managing cyber security is managing a chronic condition.  Both the condition and the medicine applied will change and adapt with time.  Remember:  The real problem you’re trying to solve is how to manage cyber security risk.  A risk that continuously changes as threats and technologies change, and – just as importantly – a risk that you mitigate based on your risk appetite, which will also change with market conditions and business priorities.

Which brings us to the real crux of the issue:  People.  In 2016 ISACA published the top three cyber security threats facing organizations in that year.  They were, in order: 52% Social Engineering; 40% Insider Threats; 39% Advanced Persistent Threats.  Excluding the advanced persistent threats typically targeted against large multinationals, governments, military, infrastructure and the like, the other two have one common element:  People.

Social engineering is, essentially, a dangerous con game in which attackers impersonate trusted sources so that they can compromise your data.  “Your data” can mean anything, from your personal financial data, your medical information, and your family’s most private records, to your business data.  Social engineering can also morph into an extortion instrument above and beyond typical ransomware, whereby the attacker encrypts your data and will only release the key after payment.  By compromising your personal information, the attacker may find personal vulnerabilities that they can use to turn you into an insider threat:  A person who willingly or unwillingly commits cyber fraud from within the company.

The good news here is that once you realize that this is a people-centric problem you can shift your focus and give it the proper attention.  You can, for example, institute a robust cyber security awareness program for your people.  Repeated quarterly, semiannually, or annually, as your company size and needs dictate, cyber security awareness training has proven to be one of the most potent controls against cyber crime.  Sensitizing people to the threats and the techniques, and giving them practical, realistic options, results in a safer cyber-workplace and safer employees.  In turn, being aware of employee behavior, access, and personal and professional goals can give you enough advance indication of possible insider threats before they turn into attacks.

The bottom line here is this:  Cyber security is not a technology problem that you can delegate.  It is a business problem affecting you personally and your people.  It requires your engagement along with that of your organization as a whole: Executives, IT, Cyber, Risk, Compliance, and staff.

Nothing less will do, and nothing less should be acceptable to you and your company.  The stakes are simply too high.