Should CEOs Lose Pay For Cybersecurity Failures?

Given all the cybersecurity failures we’ve witnessed thus far, could it be any more clear that our legal and governance incentives and mechanisms for preventing and dealing with cybersecurity attacks are not properly aligned? Here’s the latest data point: The CEO of TalkTalk was paid almost £2 million on top of her base pay of £550,000 in 2015, a year which included TalkTalk’s latest cyber attack and the resulting loss of 95,000 subscribers.

I came across this news over at the CFO Network group on LinkedIn, where Conor Marken recently posted a link to an article entitled Fine Firms For Cyber Security Failures. The article reports that in the UK, members of parliament recently considered whether companies should be fined if they fail to guard against cyber attacks. This comes as they discuss last year’s TalkTalk hack. Here’s the best line:

The committee also recommended that CEOs’ pay should be linked to effective cyber security;

Great sentiment, but who knows if that would really work? Linking CEO pay to other performance factors hasn’t turned out as well as we hoped. Harvard Business Review was sour on the whole idea as early as 1999. And here’s their latest take on it: Stop Paying Executives for Performance.

I’m not sure what the big fix is for the fact that many of the same qualities of the Internet that let Amazon dominate are the same ones that are fueling the rise of online criminals (bullies): low cost, global reach, mostly automated, and largely anonymous. However, it is clear that the legal and governance incentives and mechanisms are not properly aligned.

So, what should we do?

Proof Cybersecurity Is A Management Problem

Back on March 28th, I talked about the $54 million Business Email Compromise (BEC, or CEO Fraud) at FACC, an Austrian supplier of spare parts to Boeing and Airbus. As bad as it was, it’s gotten worse: In addition to the CFO, CEO Walter Stephan has been fired after 17 years in that job.

Here’s the rough timeline leading up to this point:

  1. FACC disclosed the Business Email Compromise (BEC) in January 2016
  2. US$56 million stolen; about US$11 million recovered
  3. CFO fired in February 2016
  4. Net loss of about US$22 million announced for 2015, a direct result of the BEC
  5. An immediate 17 percent drop in its share price following the net loss announcement
  6. May 2016, CEO fired, after 17 years with FACC

One way to put this all into perspective is to know that BEC losses globally from October 2013 through February 2016 are $2.3 billion and climbing!

Another way to put this into perspective is to realize that relatively little in the way of technology was compromised to steal all that money. And, while there are some technological things we can do to reduce risk, the best defense is trained finance people following strong processes, working in a culture where it’s OK to respectfully question unusual emails.

In my view, cybersecurity is no longer a technology problem. It’s a management problem. And executives need to lead the way by committing their organizations to cyber resilience.

Do you know a better way?

Wi-Fi Security During Business Trips & Conferences

Although it’s often easy to use public Wi-Fi when you’re traveling, it’s also easy for someone to eavesdrop on your Internet sessions, even with Wi-Fi encryption enabled.

For example, the free network management tool Wireshark has a built-in function that automatically decrypts network traffic as long as you input the Wi-Fi password, which is typically posted on a sign for everyone to see.

Why do people want to view Wi-Fi traffic? The motivations are similar to why people attack computers in general: to steal money or steal secrets (e.g., passwords, social security numbers, pending business deals) that can be sold for money. Others with political agendas also steal data to further their cause.

Wherever you are, avoid public Wi-Fi in favor of a portable hotspot. Often, you can activate one on your mobile phone if you have that feature from your carrier. If you have no other choice and must be online, turn on a virtual private network (VPN) as soon as you can after connecting to someone else’s Wi-Fi. If your company doesn’t have a VPN, you can get one yourself, often for free, from a provider such as the highly rated CyberGhost VPN.

Final thought: Just because Starbucks, or some other trusted brand, offers free Wi-Fi doesn’t mean their Wi-Fi is as trustworthy as their paid products and services. Data thieves count on this confusion in the minds of consumers to steal data from everywhere they can!

Two Daily Actions To Contain Data Breach Costs

A single data breach can cost your company a lot of money. How much? Based on the NetDiligence 2015 Cyber Claims Study of actual insurance claims data, we know the average cost of a large company data breach is US$4.8 million.

Want to minimize the cost? Quickly identify the data breach.

How do I know that’s the best way? And, how do you do it quickly?

Here’s the first answer: Check out this data in the IBM/Ponemon 2015 Cost of Data Breach Study. This graph from page 22 of their report shows the relationship between the mean time to identify a data breach and total average cost:

(Figure: graph of mean time to identify a data breach versus total average cost, from page 22 of the IBM/Ponemon report)

That’s a very clear connection, don’t you think?

OK, so how can you quickly detect a data breach without spending a ton of CapEx for a fancy intrusion detection system and then a ton of OpEx to run the thing?

Here’s how: Have your server administration teams run these two daily checks:

  1. Discover whenever someone becomes a privileged user by verifying all new accounts that have been added to any administrator or root groups
  2. Identify data being staged for exfiltration by noticing when large amounts of data suddenly show up in unusual places

With both these checks, the large majority of the work can be automated. The way to do it is to use existing server management tools to compare and highlight the major differences between today’s and yesterday’s snapshot of (1) all your admin/root group members and (2) the percentage of free server disk space.

The manual work is tracking down why those changes happened and making sure there’s a legitimate business reason. This will take some sleuthing at first to know who to call and what constitutes normal changes. But within a month you will settle into a productive routine.
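Here is what the automated part of those two daily checks can look like, as an added example that is not code from the original post. It assumes yesterday’s and today’s snapshots were saved in the formats printed by two standard tools, `getent group` for group membership and `df -P` for filesystem usage; the list of privileged groups and the 15-point free-space threshold are assumptions to tune per environment, and the four sample snapshots are constructed, not from real hosts.

```python
"""Daily privileged-group and disk-space snapshot comparison (added example).

Assumes snapshots in `getent group` and `df -P` output formats.
Sample snapshots at the bottom are constructed for illustration.
"""
from __future__ import annotations

# Assumed list of groups whose new members count as "someone became privileged".
PRIVILEGED_GROUPS = {"root", "wheel", "sudo", "adm", "admin"}

# Assumed threshold: losing more than this many percentage points of free
# space in one day is "large amounts of data suddenly showing up".
FREE_SPACE_DROP_THRESHOLD_PCT = 15.0


def parse_getent_group(text: str) -> dict[str, set[str]]:
    """Parse `getent group` output (name:password:gid:members) into {group: members}."""
    groups: dict[str, set[str]] = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4:
            continue
        groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups


def parse_df(text: str) -> dict[str, float]:
    """Parse `df -P` output into {mount point: percent free}."""
    free: dict[str, float] = {}
    for line in text.strip().splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) < 6:
            continue
        # Columns: Filesystem 1024-blocks Used Available Capacity Mounted-on
        used_pct = float(fields[4].rstrip("%"))
        free[fields[5]] = 100.0 - used_pct
    return free


def new_privileged_members(yesterday: str, today: str) -> dict[str, set[str]]:
    """Check 1: accounts added to any privileged group since yesterday."""
    before = parse_getent_group(yesterday)
    after = parse_getent_group(today)
    added: dict[str, set[str]] = {}
    for group in PRIVILEGED_GROUPS & set(after):
        diff = after[group] - before.get(group, set())
        if diff:
            added[group] = diff
    return added


def unusual_free_space_drops(yesterday: str, today: str,
                             threshold_pct: float = FREE_SPACE_DROP_THRESHOLD_PCT) -> dict[str, float]:
    """Check 2: mount points whose free space fell by more than the threshold.

    Returns {mount: percentage points lost}. A mount point that did not exist
    yesterday is skipped here; it deserves its own manual review.
    """
    before = parse_df(yesterday)
    after = parse_df(today)
    drops: dict[str, float] = {}
    for mount, free_today in after.items():
        if mount in before and before[mount] - free_today > threshold_pct:
            drops[mount] = round(before[mount] - free_today, 1)
    return drops


# ---- Constructed sample snapshots (not real hosts) ----
GROUPS_YESTERDAY = """\
root:x:0:
wheel:x:10:alice
sudo:x:27:alice,bob
developers:x:1001:bob,carol
"""
GROUPS_TODAY = """\
root:x:0:
wheel:x:10:alice,svc-backup
sudo:x:27:alice,bob
developers:x:1001:bob,carol,dave
"""
DF_YESTERDAY = """\
Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda1         51200000 20480000  30720000      40% /
/dev/sdb1        204800000 40960000 163840000      20% /data
"""
DF_TODAY = """\
Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda1         51200000 21504000  29696000      42% /
/dev/sdb1        204800000 92160000 112640000      45% /data
"""

if __name__ == "__main__":
    # These two results are the items a human then has to chase down.
    print("New privileged members:", new_privileged_members(GROUPS_YESTERDAY, GROUPS_TODAY))
    print("Unusual free-space drops:", unusual_free_space_drops(DF_YESTERDAY, DF_TODAY))
```

Run against the constructed snapshots, the first check reports `svc-backup` joining `wheel` while ignoring `dave` joining the non-privileged `developers` group, and the second check reports `/data` losing 25 points of free space in a day while the 2-point change on `/` stays below the threshold. Those two items are exactly the short list the post says someone must then phone about.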

What other simple techniques have you used to detect data breaches?

How Much Should You Pay For Cyber Insurance?

The cyber insurance market is booming. It seems like everyone wants to get a policy to transfer risk. And why not? Insurance is a useful risk management tool in so many other situations: general liability, property damage, errors and omissions, etc. The question on everyone’s mind is: How much for a cyber policy?

How big is the market getting? According to David Bradford, co-founder and chief strategy officer at Advisens, an advisor to the insurance industry:

The market for cyber insurance in 2015 was $2.5 billion. For 2020 it’s estimated anywhere between $5 billion and $10 billion. By comparison, workers’ compensation insurance is a $55 billion market.

Bradford says this is roughly what you can expect to pay for a year of coverage:

  • For companies with less than $500 million in revenue, policies with limits of between $1 million and $5 million cost between $2,000 and $5,000.
  • For companies with more than $500 million in revenue, for a policy with limits of $5 million to $20 million, premiums will range from $100,000 to $500,000.

There’s a big caveat, though: Even though about 60 companies are writing cyber insurance policies today, in my experience many are making it up as they go along. Terms, conditions, coverages, exclusions, and risk assessments are all over the place. Unlike a commercial fire policy, there’s almost no standardization.

Insurance companies aren’t even in agreement about what factors indicate a decreased risk of a policy holder filing a claim. And that can translate to higher (or lower) premiums than required to cover the risks. At this point, it’s reasonable to wonder if your claim will be paid at all. The litigation over cyber coverages is just getting started.

If you want to go forward with buying a policy, get yourself a reliable broker and get ready to do some serious comparative shopping. Buyer beware!

77 Percent of Businesses Have No Cyberattack Response Capability

Did you know that leaning into your cyber risks can be a source of competitive advantage? Here’s a stunning data point that makes my case.

The NTT Group (Japanese AT&T) recently released their 4th annual Global Threat Intelligence Report (GTIR). Similar to the recently released Verizon Data Breach Incident Report, the NTT report…

…analyzes attacks, threats and trends from the previous year, pulling information from 24 security operations centers, seven R&D centers, 3.5 trillion logs, 6.2 billion attacks and nearly 8,000 security clients across six continents.

Here’s one of their most striking findings for 2015:

Trend data over the last 3 years illustrates on average only 23 percent of organizations are capable of responding effectively to a cyber incident. 77 percent have no capability to respond to critical incidents and often purchase incident response support services after an incident has occurred.

You can find this supporting chart on page 47:

(Figure: supporting chart from page 47 of the NTT GTIR)

My initial reaction is that executives are planning for cyber attacks as they do for 100-year floods: We’ll deal with it, if it ever happens.

Given the frequency and severity of the attacks documented in the rest of the report, and all over the news media, that’s not lined up at all with the reality of today’s cyber risks!

But back to the opportunity for competitive advantage: What if your fiercest competitor was a member of the 77% and was cyber-attacked? They could expect to bleed cash and be distracted for months. Now what if you were one of the 23% able to effectively respond to a major cybersecurity incident? How would that boost digital trust with your customers and partners? How much reputation would you save by having your experts get out in front of the story? And, how much more quickly could you get back to working on what’s most important to your business?

By the way, if you want a glimpse at data breach response done very well, check out this critique of Anthem BlueCross BlueShield’s 2015 data breach. If you want to see a poorly done example, here’s a critique of TalkTalk’s slow, awkward response.

Which one would you rather be?

Lean Into Your Cyber Risks To Thrive In The New Normal

How do you lean in? By pursuing cyber resilience through measurement, smart prioritization of future spending, and continuous improvement. Let’s quickly step through the plan right now, at a high level…

The rest of my blog post for today appears over at my good friend Mike Hamilton’s Critical Informatics web site.

Mike and I were chief information security officers (CISO) at about the same time a few years ago. He was at the City of Seattle while I was a couple of miles away at PEMCO Insurance.

Like me, Mike and his team provide cybersecurity consulting services. But what makes his team different is their network security managed service, called Critical Insight. I’ve learned how they serve their customers with it and I wish I had it when I was CISO. Check it out! (After you read my post for today, of course.)

Anyway, here’s the link to my weekly post. You’ll find plenty of insights and actionable tips on how to thrive in The New Normal.

Why You Should Pay Ransom For Your Data

A few weeks ago I talked about why paying ransom to get your data or computers back online was a bad idea: Like any bully, once they succeed in getting your money it will embolden them to demand more and from more people.

But it turns out that at least one venerable American institution thinks you should pay: The Federal Bureau of Investigation.

Yep, the FBI says you should pay up. They are, in fact, on record (October 22, 2015) telling people to pay the ransom:

Joseph Bonavolonta, the Assistant Special Agent who oversees the FBI’s CYBER and Counterintelligence Program in Boston, spoke at the 2015 Cyber Security Summit and advised that companies infected with ransomware may want to give in to the criminal’s demands.

After my post went online, I heard from a colleague who told me:

I was presenting in an Infragard briefing at the FBI office, and they basically told everyone there was nothing they could do if it happened, that they were pretty much on their own. There is also no telling what the ransomware left behind for another go-round, or continued surveillance while it held the system captive. Merely breathing a sigh of relief and thinking you are in the clear is a really bad idea.

Although it’s still the right thing to do, I know that not paying the ransom is difficult, even if you have good backups. It’s not as fast as just paying because it takes a lot of time to restore and you’ll still lose some data. And, whether you pay or not, there’s a good chance you will get hit again with a new strain of ransomware, so why fight it?

I wonder what the dominant type of backlash will be as more US citizens wake up to the fact that law enforcement can’t help them prevent or recover from these new cyber crimes? Anger? Fear? Vigilantism?

What do you think is most likely?

Banking Malware Generates $800K Per Campaign

What motivates online criminals? Money, of course. Based on recent research by cyber intelligence firm buguroo, you can make a lot of money spreading malicious code around the Internet. The crooks who distribute the banking Trojan Dridex make about US$800,000 for every 16,000 stolen credentials. Based on the number of campaigns they are able to conduct, they’re stealing over US$50 million per year.

Here’s how their illicit business works:

(Figure: diagram of how the Dridex operators’ business works)

Credit: buguroo

What exactly is Dridex? Webopedia explains:

Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.

Wondering what it looks like to be a target of a Dridex infestation?

Dridex operates by first arriving on a user’s computer as a malicious spam e-mail with a Microsoft Word document attached to the message. If the user opens the document, a macro embedded in the document surreptitiously triggers a download of the Dridex banking malware, enabling it to first steal banking credentials and then attempt to generate fraudulent financial transactions.

Here’s a screen shot of an infected email:

(Figure: screen shot of a Dridex spam email with the Word attachment)

Credit: buguroo

Would you open this attachment and enable the macros? Would your CFO? We know plenty of people are opening it, otherwise the criminals would switch to another line of attack.

Your best defense is to train your people to be skeptical of unexpected emails. Pick up the phone and verify, or ask a co-worker to give it a second look. You could also strip such attachments from inbound email, but that might cause too much trouble for your business.
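A middle ground between stripping every Word attachment and stripping none is to strip only the ones that actually carry macros, since that is the part of the attachment the Dridex lure depends on. The check below is an added example, not code from the original post or from buguroo. It relies on two facts about Office files: modern OOXML documents (.docx, .docm, .xlsm and so on) are ZIP archives in which a VBA project is stored as a part named `vbaProject.bin`, and legacy binary documents (.doc, .xls) start with the OLE2 magic bytes and cannot be classified this cheaply. The classification labels, the strip policy and the in-memory sample attachments are all constructed for this example.

```python
"""Flag inbound Office attachments that carry VBA macros (added example).

Assumptions: OOXML files expose macros as a vbaProject.bin part; legacy OLE2
files are sent for manual review rather than parsed here. Sample attachments
are built in memory and contain no real macro code.
"""
import io
import zipfile

# First 8 bytes of every legacy binary Office file (OLE2 compound document).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(data: bytes) -> str:
    """Return one of 'macros', 'no-macros', 'legacy-office', 'not-office'."""
    if data.startswith(OLE2_MAGIC):
        # Macro streams in .doc/.xls live inside the OLE container; parsing
        # that is out of scope here, so route the file to manual review.
        return "legacy-office"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Every OOXML package carries this manifest; other ZIPs do not.
        if "[Content_Types].xml" not in names:
            return "not-office"
        for name in names:
            # word/vbaProject.bin, xl/vbaProject.bin, ppt/vbaProject.bin, ...
            if name.lower().endswith("vbaproject.bin"):
                return "macros"
    return "no-macros"


def should_strip(data: bytes) -> bool:
    """Assumed gateway policy: strip macro-bearing and unclassifiable legacy files,
    let macro-free OOXML and non-Office attachments through."""
    return classify_attachment(data) in {"macros", "legacy-office"}


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like package for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            # Placeholder bytes standing in for a real VBA project part.
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("plain .docx", build_ooxml(False)),
        ("macro .docm", build_ooxml(True)),
        ("legacy .doc", OLE2_MAGIC + b"\x00" * 64),
        ("text file", b"quarterly numbers attached"),
    ]
    for label, blob in samples:
        action = "strip" if should_strip(blob) else "deliver"
        print(f"{label:12} {classify_attachment(blob):14} {action}")
```

The point of the `legacy-office` branch is the caveat a gateway owner needs: a check that only understands the ZIP-based format would silently wave through the older binary format, so anything it cannot classify is held rather than delivered. Whether to hold, strip or deliver is the business decision the post is talking about; the classification is the automatable part.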

What are you doing to protect yourself? To detect Dridex infestations?

Boeing Supplier Lost $54 Million to CEO Fraud

Did you know that Business Email Compromise (BEC), also known as CEO Fraud, is still a threat? And, it’s not just the stolen money that causes executive headaches. It can damage your stock price and reputation with major customers. And, in the case of FACC, it cost the CFO, Minfen Gu, her job.

Here’s what Computer Weekly said about the fraud, announced on January 19th:

A $54m cyber fraud against Austria’s FACC has sent the aircraft supplier’s share price reeling. The company’s share price fell nearly 17% in response to news of the company’s loss, which is one of the greatest losses to date caused by cyber fraud, according to Bloomberg. The loss reported by the supplier to companies such as Boeing and Airbus is way above the average cost of the worst breaches in the UK of between $1.9m and $4.4m, reported by PricewaterhouseCoopers (PWC) in 2015.

So, how do you prevent these attacks from succeeding?

In my experience, most companies are overspending on technology to prevent data and money theft while downplaying the people, process, and management aspects. As with FACC, the recent theft of W-2 information from Moneytree was successful mostly because of weak internal processes and poorly trained people. And there’s a lot you can do in these areas for little or no added expense.

Training people to detect and resist attempts to trick them into sending money (or sensitive data) to criminals is a top action everyone should be taking right now. A good approach is to combine a strong internal communications campaign with a software-as-a-service anti-phishing testing service, such as PhishMe or one of its competitors. Expect to pay about $20 per user, per year.

On that note, organizations need to make sure their management team fully supports their cybersecurity program, especially first line supervisors. Why? When people hear about their responsibility to prevent cyber crime, their first question will be “is this for real?” and then they will wonder “how will this affect me?” Their supervisor will either encourage people to join the program, or kill it, depending on how they answer.

Finally, people have to feel safe to respectfully challenge any suspicious requests. Otherwise, they will be stuck between the fear of being fired for not immediately complying with the request and the fear of making a big mistake.

What else would you do to protect your organization from CEO Fraud?