Top 3 Actions Every Middle Market Executive Must Take on Cyber Incident Response

Over the last several weeks, as summer wrapped up and our kids went back to school, I’ve been talking with a great bunch of middle market executives in the greater Seattle area. These folks fit the profile of our potential customers: They’re cyber risk managers. But, rather than selling to them, I’ve been doing research to learn more about their cybersecurity needs.

Credit: Horseshoe Bay Resort

Some subjects come up a lot, like cyber-insurance. And the large number of ransomware attacks. And emails trying to get someone in finance to move a ton of cash on short notice to a dark corner of our planet.

Every now and again I hear about a really meaty issue, like whether to turn on full or partial encryption for production databases. Yet some things I expect (hope?) will come up just don’t.

Like cyber incident response. (Although, a couple executives have mentioned Yahoo’s all-time record-breaking 500 million user account compromise.)

So, I’ve taken it upon myself to answer the question never asked: “Kip, what are the top 3 things I should do at my level to prepare for the big cybersecurity breach I hope will never come?”

Glad you asked!

  1. Believe it or not, early detection of a data breach saves you money. The longer it takes to discover a breach, the more it costs to deal with. (Just ask Yahoo, who’s in the middle of being acquired.) So your first step is to ask your management team: “How good are we at detecting data breaches?” If anyone answers “Great!” ask them to walk you through how they do it. Right now, very few of us are great at it. But this will give you some idea of where you are.
  2. Cybersecurity breaches are packed with a lot of potential liability issues. To reduce your risk, all types of non-routine cybersecurity events that involve people outside your organization should be discussed under attorney/client privilege. So your next step is to have a conversation with an outside attorney who specializes in cybersecurity and ask them for guidance.
  3. Unfortunately, most companies find out they’ve suffered a data breach from law enforcement, the news media, or a customer. Ouch! The only thing worse than battling a data breach is when someone else fires the starting gun! Maybe that’s why Yahoo sat on their 2014 data breach for two years before telling anyone about it. So your last step is to ask your head of public relations if they’re ready right now to manage a data breach that spins out of control before you’ve even had a chance to understand what happened.

What’s on your top 3 list?

Moving To Quarterly Posting Schedule

When I started my blog over a year ago, my goal was to publish something helpful to cyber risk leaders every week on Monday morning.

A quick review of my log shows I’ve done a very good job of hitting that goal!

Posting weekly made a lot of sense to me. Until recently, when I started taking my act to the next level in terms of sales, marketing, and delivery of my company’s main product, the Cybersecurity Executive Toolkit.

When I started my blog, I didn’t yet know how I was going to focus my company, Cyber Risk Opportunities. Who would we help? Specifically how would we help them? In what ways would we be distinctly different from our competitors? How will we earn enough money to become (and remain) a viable business? I had just started working to answer these and other foundational questions.

After a year of hard work, countless conversations, and doing real work with my customers, I now have solid answers. You can get a quick summary of how I’m helping cyber risk managers by watching the 3-minute video over at my company’s website. That’s where I’ll keep all the information about our products and services.

Meanwhile, here on my blog, you’ll get a longer, more thoughtful post about cyber risk management once per quarter. I’ll publish on the first working Monday of every January, April, July, and October. I’ll put my shorter, more frequent thoughts out on Twitter and LinkedIn. And maybe something extra here when I think it makes sense.

Hope you enjoy the rest of your summer! Me? I gotta find some cyber risk leaders to help…

Three More No-Capex Ways to Detect Network Intruders

I previously outlined three strategies for detecting intruders on your network without the need for a large capital expense for specialized systems. In fact, you don’t even need a managed service provider.

Now, as promised, here are three more ways:

  1. Using time stamps and the geolocation of the source IP addresses, look for simple irregularities in log-ins and access patterns. The most obvious would be an account that is logging in from two countries so close together in time that it’s unlikely they are both legitimate. You can access geolocation data for free or low cost.
  2. When the HTML response sizes leaving your network are much larger than usual, that’s a sign you’ve probably been the victim of a SQL injection attack.
  3. Finally, watch for outbound web traffic where 30 or 40 browser windows are opening all at once. This kind of behavior is more likely a sign of an automated session rather than a human one.
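The first tip above, as an added example that is not the post’s own code: an “impossible travel” check that walks constructed login log lines, looks up each source IP in a small constructed geolocation table (standing in for a free GeoIP database) and flags consecutive logins by the same account whose implied travel speed is physically implausible.

```python
# Added example: flag logins whose implied travel speed between two locations is impossible.
# The GEO table and LOG lines are constructed; swap in a real GeoIP lookup and your auth log.
import math
from datetime import datetime

# Constructed GeoIP table: source IP -> (country, latitude, longitude).
GEO = {
    "203.0.113.10": ("US", 47.61, -122.33),   # Seattle
    "203.0.113.11": ("US", 47.45, -122.30),   # SeaTac, a short drive away
    "198.51.100.7": ("RO", 44.43, 26.10),     # Bucharest
}

# Constructed login log lines: ISO timestamp, account, source IP.
LOG = """\
2016-09-12T08:02:11Z alice 203.0.113.10
2016-09-12T08:40:05Z alice 203.0.113.11
2016-09-12T09:15:42Z alice 198.51.100.7
2016-09-12T10:00:00Z bob 198.51.100.7
"""

MAX_SPEED_KMH = 900.0  # roughly airliner speed; anything faster cannot be one person

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def parse_log(text):
    """Parse 'timestamp user ip' lines and sort them by time."""
    events = []
    for line in text.splitlines():
        ts, user, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip))
    return sorted(events)

def impossible_travel(text, geo=GEO, max_kmh=MAX_SPEED_KMH):
    """Return (user, previous_ip, current_ip, speed_kmh) for each pair of consecutive
    logins by one account that would require travelling faster than max_kmh.
    IPs missing from the geolocation table are skipped rather than guessed."""
    alerts, last = [], {}  # last: user -> (time, ip) of the previous geolocated login
    for ts, user, ip in parse_log(text):
        if ip not in geo:
            continue
        if user in last:
            t0, ip0 = last[user]
            km = haversine_km(geo[ip0][1], geo[ip0][2], geo[ip][1], geo[ip][2])
            hours = (ts - t0).total_seconds() / 3600
            if hours > 0:
                speed = km / hours
            else:
                speed = float("inf") if km > 0 else 0.0  # same second, different place
            if speed > max_kmh:
                alerts.append((user, ip0, ip, round(speed)))
        last[user] = (ts, ip)
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(LOG):
        print("ALERT impossible travel:", alert)
```

Expect false positives from VPN exits, mobile carriers and shared egress; the point is to surface the handful of accounts worth a phone call each morning.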

Will you have false positives? Yes. But you’ll also understand what’s considered normal on your network much better than you do today.

Do you have any low-cost, yet automated, strategies for network intrusion detection?

Three No-Capex Ways to Detect Network Intruders

Organizations can do a good job of detecting intruders who have infested their data network without buying and operating an expensive commercial network intrusion detection system. You don’t even have to hire an outside managed network security provider. Check out these three powerful strategies for dealing with this cyber risk:


  1. The first strategy is possibly the most powerful: Use your existing administrative tools to produce a daily report that shows all membership changes to all administrative groups for the past 24 hours. Then assign someone to validate every change. This will tell you if someone tries to “sneak in” through a privilege escalation.
  2. One sign that an attacker is “bedding down” in your network to conduct long-term surveillance is the unexpected patching of systems. Why? An attacker doesn’t want another attacker breaking in and messing up his inside access to your data network! So watch your vulnerability scans for systems that no longer need a patch you never pushed.
  3. To detect the staging of data for exfiltration, monitor your critical databases for sudden, unexplained swells in read activity. In addition, monitor all filesystems for large quantities of data suddenly or gradually appearing in the wrong places.
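The first strategy above, as an added example that is not the post’s own code: two constructed snapshots of administrative group membership taken 24 hours apart are diffed, and every change is tagged against a constructed list of approved change tickets so the reviewer assigned to validate the report sees the unexplained changes first. Group names and members are made up; the snapshots would come from your own directory tooling.

```python
# Added example: daily report of administrative group membership changes,
# each cross-checked against approved change tickets. All data here is constructed.
from datetime import date

# Constructed snapshots: admin group -> set of members, taken 24 hours apart.
YESTERDAY = {
    "Domain Admins": {"kip", "svc-backup"},
    "Enterprise Admins": {"kip"},
    "Server Operators": {"dana", "lee"},
}
TODAY = {
    "Domain Admins": {"kip", "svc-backup", "mallory"},
    "Enterprise Admins": {"kip"},
    "Server Operators": {"dana"},
}

# Constructed change tickets approved for this window: (group, member, action).
APPROVED = {
    ("Server Operators", "lee", "removed"),   # lee left the ops team
}

def membership_changes(before, after):
    """Yield (group, member, action) for every membership difference, including
    groups that appear in only one snapshot (a brand-new admin group is itself a change)."""
    for group in sorted(set(before) | set(after)):
        old, new = before.get(group, set()), after.get(group, set())
        for member in sorted(new - old):
            yield (group, member, "added")
        for member in sorted(old - new):
            yield (group, member, "removed")

def daily_report(before, after, approved):
    """Return every change tagged 'approved' or 'UNAPPROVED'. A human still validates
    each line; the tag only orders the work so unexplained changes get looked at first."""
    report = []
    for change in membership_changes(before, after):
        status = "approved" if change in approved else "UNAPPROVED"
        report.append((*change, status))
    return sorted(report, key=lambda row: row[3] != "UNAPPROVED")

def unapproved(before, after, approved):
    """Only the changes with no matching ticket: the privilege-escalation candidates."""
    return [row for row in daily_report(before, after, approved) if row[3] == "UNAPPROVED"]

if __name__ == "__main__":
    print(f"Admin group membership changes for {date.today()}:")
    for group, member, action, status in daily_report(YESTERDAY, TODAY, APPROVED):
        print(f"  [{status}] {member} {action} in {group}")
```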

With each of these tips, I’m sure you’ll get a few false positives. And, you’ll have to climb a learning curve that keeps changing as the activity of your organization transforms over time. A new product launch will cause permanent changes in what’s considered “normal” on your network.

These are just the first three on my list. Next week I’ll give you three more. See you then!

Should CEOs Lose Pay For Cybersecurity Failures?

Given all the cybersecurity failures we’ve witnessed thus far, could it be any more clear that our legal and governance incentives and mechanisms for preventing and dealing with cybersecurity attacks are not properly aligned? Here’s the latest data point: The CEO of TalkTalk was paid almost £2 million on top of her base pay of £550,000 in 2015, a year that included TalkTalk’s latest cyber attack and the resulting loss of 95,000 subscribers.


I came across this news over at the CFO Network group on LinkedIn where Conor Marken recently posted a link to an article entitled Fine Firms For Cyber Security Failures. The article reports that in the UK, members of parliament recently considered whether companies should be fined if they fail to guard against cyber attacks. This comes as they discuss last year’s TalkTalk hack. Here’s the best line:

The committee also recommended that CEOs’ pay should be linked to effective cyber security;

Great sentiment, but who knows if that would really work? Linking CEO pay to other performance factors hasn’t turned out as well as we hoped. Harvard Business Review was sour on the whole idea as early as 1999. And here’s their latest take on it: Stop Paying Executives for Performance.

I’m not sure what the big fix is for the fact that many of the same qualities of the Internet that let Amazon dominate are the ones fueling the rise of online criminals (bullies): Low-cost, global reach, mostly automated, and largely anonymous. However, it is clear that the legal and governance incentives and mechanisms are not properly aligned.

So, what should we do?

Proof Cybersecurity Is A Management Problem

Back on March 28th, I talked about the $54 million Business Email Compromise (BEC, or CEO Fraud) at FACC, an Austrian supplier of spare parts to Boeing and Airbus. As bad as it was, it’s gotten worse: In addition to the CFO, CEO Walter Stephan has been fired after 17 years in that job.


Here’s the rough timeline leading up to this point:

  1. FACC disclosed the Business Email Compromise (BEC) in January 2016
  2. US$56 million stolen; about US$11 million recovered
  3. CFO fired in February 2016
  4. Net loss of about US$22 million announced for 2015, a direct result of the BEC
  5. An immediate 17 percent drop in its share price following the net loss announcement
  6. May 2016, CEO fired, after 17 years with FACC

One way to put this all into perspective is to know that BEC losses globally from October 2013 through February 2016 are $2.3 billion and climbing!

Another way to put this into perspective is to realize that relatively little in the way of technology was compromised to steal all that money. And, while there are some technological things we can do to reduce risk, the best defense comes from trained finance people following strong processes in a culture where it’s OK to respectfully question unusual emails.

In my view, cybersecurity is no longer a technology problem. It’s a management problem. And executives need to lead the way by committing their organizations to cyber resilience.

Do you know a better way?

Wi-Fi Security During Business Trips & Conferences

Although it’s often easy to use public Wi-Fi when you’re traveling, it’s also easy for someone to eavesdrop on your Internet sessions, even with Wi-Fi encryption enabled.


For example, the free network management tool Wireshark has a built-in function that automatically decrypts network traffic as long as you input the Wi-Fi password, which is typically posted on a sign for everyone to see.

Why do people want to view Wi-Fi traffic? The motivations are similar to why people attack computers in general: To steal money or steal secrets (e.g., passwords, social security numbers, pending business deals) that can be sold for money. Others with political agendas also steal data to further their cause.

Wherever you are, avoid public Wi-Fi in favor of a portable hot spot. Often, you can activate one on your mobile phone if you have that feature from your carrier. If you have no other choices and must be online, turn on a virtual private network (VPN) as soon as you can after connecting to someone else’s Wi-Fi. If your company doesn’t have a VPN, you can get one yourself, often for free, from a provider such as the highly rated CyberGhost VPN.

Final thought: Just because Starbucks, or some other trusted brand, offers free Wi-Fi doesn’t mean their Wi-Fi is as trustworthy as their paid products and services. Data thieves count on this confusion in the minds of consumers to steal data from everywhere they can!

International Use of NIST Cybersecurity Framework

A customer of mine recently wondered how much the NIST Cybersecurity Framework was being used internationally. This is important because they have offices in other countries and wanted to know how favorably those offices would respond to using the Framework to guide their own cybersecurity program.

So, I did some research. My goal was to find out how many non-US organizations are using the Framework, or planning to do so. I used open sources available via Google search.

I wasn’t able to find any data on the rate of adoption by non-US organizations.

I found two reliable data sources on Framework adoption in general. Here are their conclusions:

  • The rate of adoption in the US was 30% as of end of 2015 (Gartner)
  • By the end of 2016, CSF adoption in the US is expected to be 43% (Dimensional Research, n=300).
  • By 2020, more than 50% of US organizations will use it (Gartner)
  • As compared with ISO 27001 and SANS Top 20, the Framework is the most likely security framework to be adopted by US organizations over the next year (Dimensional Research, n=300).

However, I did see a few case studies where large, US-based organizations (e.g., Intel) were using the Framework on an international basis. There is a Japanese translation of it and Italy has issued their own based on the NIST Framework.

Although not backed by any research, I also found indications that the Framework will soon become a requirement for all US federal government agencies. And I saw unsupported assertions that the Framework is being used by foreign organizations but no names were mentioned.

Here’s my advice if you are in a situation where you need to have some good PR on the Framework: Tell them you’re using ISO 27001. And this is easy and true because the NIST Cybersecurity Framework is 76% mapped to ISO 27001.

The remaining 24% of the non-ISO mapped subcategories are still easy to justify (RC.CO-1: Public relations are managed) and you probably already do many of them (PR.IP-12: A vulnerability management plan is developed and implemented).

Anyone have additional data to help better understand international adoption of the Framework?

4 Reasons Why Cybersecurity Depends On Relationships

Ever wonder why cybersecurity is so hard for people to get right? And, why are cybersecurity leaders failing to convince people to work more securely? We can learn some great lessons by studying the spread of medical and other technologies and then apply those lessons to cybersecurity technologies we know make a difference, such as password managers.

For example, anesthesia (specifically, chloroform) was in world-wide use less than a year from its introduction in 1846. In contrast, antiseptics, which were promoted in the 1860s, took over twenty years to become established in most operating rooms. Why the difference?


Dr. Atul Gawande: “We yearn for frictionless, technological solutions. But people talking to people is still the way that norms and standards change.”

Here’s why: The spread of all new ideas about what’s good and how things should be is dependent on people talking to each other. Everett Rogers, who is best known for introducing the term early adopter, tells us that “Every change requires effort, and the decision to make that effort is a social process.” In other words, new ideas are spread and adopted primarily through relationships.

I’ve learned this lesson the hard way. Only after wasting $30,000 of my budget and a good chunk of political capital trying to implement a new, homegrown cybersecurity tool did I realize my lack of the right relationships had doomed me almost from the start. Based on what I learned from my failure, I take a drastically different approach to introducing change these days. My approach is more relationship-driven, which is what you should do as well, so that your change efforts will be more successful.

Back to anesthesia versus antiseptics. The New Yorker published an article by Atul Gawande: Slow Ideas. You may remember one of his well-received books, The Checklist Manifesto. (Save yourself some time and money: read the article upon which the book was based.)

Slow Ideas describes and promotes Atul’s Better Birth project. It’s an experimental approach to reducing the rate of death among mothers and babies during and shortly after childbirth in poorer countries. And, along the way, Atul also answers the question about anesthesia versus antiseptics.

It’s a fascinating story that’s well worth reading on its own merits. But it also provides keen insight on the struggle to create new norms, which any cybersecurity leader looking to promote change should appreciate.

From reading Dr. Gawande’s article, I’ve identified four reasons why you should lead all your change efforts by first using your relationships:

  1. Technology alone won’t get the job done. Dr. Gawande describes seeing unused incubators pushed into dark corners, broken due to lack of spare parts or switched off due to a lack of electricity. As technologically advanced as the units were, dropping them off in underdeveloped countries and then making no arrangements for integrating them into local life speaks to the lack of relationships.
  2. Requests, incentives, and penalties only work up to a point. Merely requesting a change will win over a certain percentage of the audience, but probably not as many as you wanted. Studying the tax code of any country will reveal incentives are hard to get right. People have a way of maximizing incentives for themselves, often to the detriment of the stated goals, and in ways the authors never imagined.
  3. Research has shown relationships are the most effective way to bring about change. We can introduce a new idea to people. But, people follow the lead of other people they know and trust when they decide whether to take it up. Everett Rogers wrote: “Every change requires effort, and the decision to make that effort is a social process.”
  4. Real-world experiences. In his article, Dr. Gawande tells a story about how drug makers persuade stubborn doctors to prescribe new medicines: “Evidence is not remotely enough, however strong a case you may have. You must also apply ‘the rule of seven touches.’ Personally ‘touch’ the doctors seven times, and they will come to know you; if they know you, they might trust you; and, if they trust you, they will change. Human interaction is the key force in overcoming resistance and speeding change.”

I encourage you to read the article for yourself. It’s persuasive and very inspirational. And, you’ll find out why anesthesia got into the operating room faster than antiseptics.

Have I convinced you that relationships are the best method for improving cybersecurity? If not, why not? Do you know a better way?