Cybersecurity In 2017: Don’t Be Afraid, Be Aware!

Chris Johnston

In today’s climate, it’s necessary for both small businesses and large global enterprises to have comprehensive cybersecurity plans. In this blog, I’d like to discuss how vulnerable small businesses can be to modern cyber threats, and share how global enterprises are largely unprepared for the EU General Data Protection Regulation (only 14 months away).

A 2017 small-business cybersecurity story

I was sure that it was a “bum dial” when the name “Simon R” appeared on my phone close to midnight last Monday. Simon’s son plays football on the same team as my son but, although we share a Whatsapp group, he’d never actually called me before so I was sure it was a mistake. Unfortunately, it wasn’t!

“Hi, sorry it’s so late. I’m just not sure whether you can help me, but I didn’t know who else to call and I’m not sure what to do. My company has been hacked!”

Before this call, we had previously chatted at football matches a few times, and we had been to some of the same parties, but almost all of our shallow knowledge of each other came virtually, through social media. So with that limited information (and a fair amount of misunderstanding), Simon identified me as an appropriate person to contact for advice on his cyber breach.

When a small company gets hit with an encrypting ransomware attack

It wasn’t good news. His company was the victim of an encrypting ransomware attack. The three machines in his office had had all their files encrypted, and on initial investigation, all that could be found was a small text file indicating that the attackers would like to be paid in the Bitcoin digital currency. Simon was a designer, not a computer expert, and unfortunately, he had completely underestimated how reliant his business was on the computers in his office. He had not considered a cyberattack as a significant risk at all. After all, he just used the computer for e-mails and research … right?

Unfortunately not. All his business accounts were on those computers: all his employees’ human resources information and salary detail, and all e-mails from clients (many of whom had sent ideas and designs with confidential information that he needed to work on). Gradually, he started to realize the enormity of his situation.

The value—and difficulties—of backups

I explained that under no circumstances should he pay any ransom and that I would find a “real” cybersecurity expert to speak to him about the possibilities of decryption. However, I warned that decryption may not be possible, and he may need to just accept the situation and restore everything from backups. The silence at the other end of the line spoke volumes.

Computer backups had not been seen as a major priority for his company. When his backup tapes were full, someone was required to walk all the way across the office to agree to the “overwrite” prompt on the screen. Nobody had ever really been given responsibility for this task, and soon it simply stopped being done. The most recently available backup was 11 months old!

A week later, the situation is still not resolved, but is being managed. He has now engaged a computer management firm that will, in future, provide all network and application support, manage security and backups, and provide training to his team on an ongoing basis. He has had to accept the loss of tens of thousands of pounds and, more importantly, suffered significant reputational damage. For a small company fighting for a larger share in a busy market, Simon and his team were completely blindsided by this.

“I just don’t understand why someone would target me,” Simon said. “Surely there are more lucrative targets.”

The risks for small businesses

That, I think, is the biggest misunderstanding amongst many small business owners. The idea that someone would target them seems so unlikely that cybersecurity is a minor concern. The fact is that his company was not targeted, but simply received a mass spam phishing e-mail that someone in his office opened. That was the door opener. So he was not the victim of a targeted attack, but had simply not prepared to defend against random, hopeful, low-complexity, high-volume attacks.

According to Symantec, cyberattacks against small businesses increased from 18% in 2011 to 43% in 2015. Attackers are realizing that there is money to be made from smaller companies whose executives put little thought into their own protection. The most important things are usually the simple things—a cybersecurity policy, education of employees, and, of course, strong passwords.

The truth about passwords

Using the very limited information I thought I knew about Simon, I asked if I could try to guess his password. As a Facebook friend, I knew that he had just turned 52, had a wife called Sara, three young boys, and a dog called Sonic. I knew that he went on a skiing holiday once a year, had parents who lived in Spain, and that he voted differently from me in the last election. He was a fan of U.S. basketball, Spanish football, and cricket, and had a frustrating tendency to misspell the words “their” and “there.” He often played something called “Boom Beach” on his iPhone and repeatedly shared “People are Awesome” YouTube clips. As a LinkedIn contact, I knew that he grew up in Cardiff and went to University in Leeds, started his career in recruitment consulting, and for the last 12 years ran a small, 8-person design company in north London.

Within two minutes of my guessing, he admitted that I had mentioned an approximation of his, his wife’s, and his corporate domain passwords. Honestly, he’s not alone—for 20 years, security consultants have continued to highlight the importance of complex passwords, yet it still seems that this message is not getting through.

Common passwords and public information—two password don’ts

You can easily download a list of the 10,000 most common passwords from this site to try a “brute-force” attack, but you probably wouldn’t need that many. The figures are shocking:

  • 1.6% of users have a password from the top 10 passwords
  • 10% of users have a password from the top 100
  • 30% of users have a password from the top 10,000

Also, using personal, yet relatively public information is vulnerable due to social media. Almost everyone today has a Facebook page, a Twitter account, and various other forms of social media. People post their birthdays and their kids’ birthdays online. They give anyone who cares to look a glimpse at the most common dates and people in their lives – not a terrible thing, but it should make you wary of using that same information to safeguard vital systems and data.
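The two "don'ts" above can be enforced when a password is set or changed. The following sketch is an added example, not part of the original article: it rejects a candidate password that matches a common-password list or is built around facts from the owner's public profile. The function names, the short stand-in list, and the birth year are constructed for illustration; the names and places are the ones mentioned in the story.

```python
import re
import unicodedata

# Constructed stand-in for a real common-password list; in practice,
# load the full list from a file.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123",
    "letmein", "football", "monkey", "dragon", "iloveyou",
}

# Facts visible on social media, as in the story above.
# The birth year is a constructed value.
PROFILE_TOKENS = ["Sara", "Sonic", "Cardiff", "Leeds", "1965"]

# Undo the usual character swaps so "P@ssw0rd" is compared as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Very short tokens match too many innocent passwords, so skip them.
MIN_TOKEN_LEN = 4


def variants(password):
    """Return the forms of a password worth comparing against the lists."""
    p = unicodedata.normalize("NFKC", password).lower()
    # Strip leading/trailing digits and symbols: "sonic2017!" -> "sonic".
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", p)
    forms = {p, core, p.translate(LEET), core.translate(LEET)}
    forms.discard("")  # an all-digit password has an empty core
    return forms


def screen_password(password, personal_tokens, common=COMMON_PASSWORDS):
    """Return a list of rejection reasons; an empty list means no match."""
    forms = variants(password)
    reasons = []
    if forms & common:
        reasons.append("common-password")
    tokens = sorted({t.lower() for t in personal_tokens
                     if len(t) >= MIN_TOKEN_LEN})
    for token in tokens:
        if any(token in form for form in forms):
            reasons.append("personal-info:" + token)
    return reasons


if __name__ == "__main__":
    for candidate in ["Password1", "P@ssw0rd!", "S0nic2017!",
                      "Sara&Cardiff65", "vellum-quorum-trapeze-91"]:
        print(candidate, "->", screen_password(candidate, PROFILE_TOKENS) or "ok")
```

An empty result only means the password avoided these two mistakes; it says nothing about its length or randomness.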

This was a painful learning experience for Simon: the realization that even the smallest companies must consider cybersecurity as a major business risk. How could he have missed something so big?

“I’m so embarrassed,” he said. “I’m sure that if I ran a much bigger company, this would have been a much higher priority for me.”

I didn’t say anything because unfortunately, I think that he’s completely wrong. Even large companies don’t prioritize cybersecurity correctly. Right now, we have the perfect example of how cybersecurity continues to be underappreciated by the majority of global companies.

The underprepared global company and the EU General Data Protection Regulation

A small number of companies are rushing to prepare for the biggest overhaul of data protection regulations ever: the EU General Data Protection Regulation (GDPR). It is only 14 months away, with massive fines promised and huge hurdles to overcome. Yet although a few companies are desperately seeking answers, figures suggest that the majority of companies are still totally unaware of what it entails or its myriad implications.

Perhaps some companies still persist with the myth that this is an IT issue and not a C-suite problem. A recent global survey by Dell makes worrying reading and to conclude, I’d just like to point out some of the findings.

  • More than 60% of respondents say they are aware something is going on with GDPR, but they know little or nothing about it.
  • Only 4% of respondents outside of Europe said they are very knowledgeable about the details of GDPR, while just 6% of those in Europe said they are very familiar with the requirements.
  • Fewer than 1 in 3 companies feel they are prepared for GDPR today.
  • Nearly 70% of respondents say their organization is definitely not or don’t know if their organization is prepared for GDPR today, and only 3% of these have a plan for readiness.
  • Less than half of respondents say they feel confident they’ll be ready when GDPR kicks off in 2018, while only 9% expect to be fully prepared in time.

This article, GRC Tuesdays: Cybersecurity In 2017—Don’t Be Afraid, Be Aware!, originally appeared on the SAP BusinessObjects Analytics blog and has been republished with permission.



About Chris Johnston

Chris Johnston is currently SAP’s Vice President of GRC Sales in EMEA. He has almost 20 years GRC experience and was one of the first people to be certified as a GRC Professional by OCEG. He is a firm believer in the strategic upside of the appropriate implementation of ‘governance, risk management and compliance’ technologies as one of the core drivers towards true enterprise performance. Prior to joining SAP, he worked in network security, as an ethical hacker, as a ‘Big 4’ auditor, and as one of the first European employees at Virsa Systems, creators of the Access Control product now sold by SAP.

Cybercrimes Now Force Rethinking Public Safety And Security

Mohammed Karzoun

Public safety and security is a conceptual dynamic that hinges on the perception of the community related to the well-being of the people. At its core is the way individuals perceive and identify with threats and how authorities respond to those threats. This contemporary paradigm has the potential to create a safer world by effectively utilizing cutting-edge technology and advances.

Public safety agencies are operating in a fast-changing world. Evolving citizen expectations for safety and trust, new threats and patterns of crime, and increasing pressure to improve operational efficiency are driving a re-imagining of public policy. Should public safety leadership focus on fighting crime efficiently? Or should it focus on gaining public trust? Forward-thinking public safety leaders realize that to build legitimacy they must improve crime prevention and public trust. Police technology and digital applications offer public safety leaders ways to do both.

Criminals are becoming smarter, more technologically advanced – even collaborating in what’s called “Crime as a Service.” New patterns of crime are surfacing, such as organized crime, terrorism, drug production and distribution, human trafficking, and cybercrime. Public safety agencies need to work hand-in-hand with citizens to be steps ahead of the criminals.

The difficulty arises when considering the diversity of communities, often conveying contradictory priorities, demands, and concerns. This results in a complex policing model, where each facet has to be covered adequately and differently. Digital policing needs to encompass transformative solutions that are as much about citizens feeling secure and protected as apprehending offenders.

Cybercrime investigations adapt to the changing archetype

The increasingly sophisticated criminality of cybercriminals ensures that modern communities are facing an ever-changing and evolving threat to public safety, in the form of terrorism, conflicts, and the malicious use of technology. The continuously increasing frequency, scale, and severity of cyberattacks must be fought on the same turf.

Embracing the power of real-time analytics and situational awareness, wrong-doers can be identified based on the cornucopia of data generated daily and in real time.

  • Solutions can be found by using this data to identify and subsequently eliminate threats. By integrating various databases from different agencies and cross-referencing information for possible criminal activities, government can effectively derive meaning and take action against these crimes, often preemptively.
  • Cybercrime investigation management needs to take a holistic approach, from beginning to end. To ensure human resource capability and competence, investments must be made into front-line empowerment with skills such as investigative case management.
  • Incident response time is an important factor when garnering community support, and all incidents, internal and external events, and emergencies must receive a prompt response. Situational awareness is essential, supporting officers’ ability to sense, analyze, predict, and act with immediate effect.
  • Cybercrime units are at the forefront of forensic investigation and must be trained to comply with correct and legally binding methods for evidence collection. The benefits of a functional, successful cybercrime investigative unit will have far-reaching consequences, in that it can process cases faster, improving the ends of justice.

Digital government can protect our children

Society must do all it can to protect our children from those who exploit technology to create misery, loss, and ruin. Digital and real-time technology should be used to detect, deny, deter, and disrupt predators.

Governments can use technologies to develop strategies, programs, and policies to protect children and achieve predictive real-time situational awareness with effective operational models.

Social media analysis, especially in contemporary society, is a valuable platform for providing leads and investigative trails against child predators. Sentiment analysis – determining emotional responses and feelings based on text or words – is also invaluable in the investigative procedure, as it can facilitate behavior prediction and insights into criminal activities.

The future of public safety

Digital policing epitomizes the future of public safety, providing heightened awareness, better risk mitigation, improved situational awareness, and enhanced threat anticipation. All will lower the crime rate and effectively reduce the impact of emergencies and disasters.

Technology can improve preparedness, which is demonstrated by increased operational capacity, better adaptability and agility, reduced response time, and, consequently, reduced risks and threats.

Real-time solutions and technologies can support public security agencies by connecting local, vital information – such as traffic, police cases, crimes, disasters, social media, and public events – and making them available in real-time so law enforcement can sense, analyze, predict, and respond effectively and efficiently to prevent crime and protect citizens. Efficient security response and technology capabilities result in improved trust and respect for authorities.

Superior incident resolution, better detection rates, and reduced time to justice all positively affect the community, and digital policing embodies this ethos.

Cybercrime is a bottom-line concern. See The Future of Cybersecurity: Trust as Competitive Advantage.


About Mohammed Karzoun

Mohammed Karzoun is the Industry Leader for Public Sector at SAP. He manages government, smart cities, healthcare, public security, defense, higher education, and postal services sectors across the United Arab Emirates and Oman. With 20 years of experience in primarily public sector transformation, Mohammed has been engaged with multiple government entities to help drive their strategies and digital transformation initiatives.

Digitalist Flash Briefing: IT And HR Work Together To Keep Employee Data Safe

Peter Johnson

Today, we’re taking a look at the collaboration between IT and HR and their mission to ensure employee data safety.

Tune in Monday through Friday for more Digitalist Flash Briefings on disruptive technologies and trends on your favorite device or app.

  • Amazon Echo or Dot: Enable the “Digitalist” flash briefing skill, and ask Alexa to “play my flash briefings” on every business day.
  • Alexa on a mobile device:
    • Download the Amazon Alexa app: Select Skills, and search “Digitalist”. Then, select Digitalist, and click on the Enable button.
    • Download the Amazon app: Click on the microphone icon and say “Play my flash briefing.”

Find and listen to previous Flash Briefings on Digitalistmag.com.


About Peter Johnson

Peter Johnson is a Senior Director of Marketing Strategy and Thought Leadership at SAP, responsible for developing easy-to-understand corporate-level and cross-solution messaging. Peter has proven experience leading innovative programs to accelerate and scale Go-To-Market activities, and drive operational efficiencies at industry-leading solution providers and global manufacturers respectively.

Diving Deep Into Digital Experiences

Kai Goerlich

 

  • Google Cardboard VR goggles cost US$8
  • By 2019, immersive solutions will be adopted in 20% of enterprise businesses
  • By 2025, the market for immersive hardware and software technology could be $182 billion
  • In 2017, Lowe’s launched Holoroom How To VR DIY clinics

From Dipping a Toe to Fully Immersed

The first wave of virtual reality (VR) and augmented reality (AR) is here, using smartphones, glasses, and goggles to place us in the middle of 360-degree digital environments or overlay digital artifacts on the physical world. Prototypes, pilot projects, and first movers have already emerged:

  • Guiding warehouse pickers, cargo loaders, and truck drivers with AR
  • Overlaying constantly updated blueprints, measurements, and other construction data on building sites in real time with AR
  • Building 3D machine prototypes in VR for virtual testing and maintenance planning
  • Exhibiting new appliances and fixtures in a VR mockup of the customer’s home
  • Teaching medicine with AR tools that overlay diagnostics and instructions on patients’ bodies

A Vast Sea of Possibilities

Immersive technologies leapt forward in spring 2017 with the introduction of three new products:

  • Nvidia’s Project Holodeck, which generates shared photorealistic VR environments
  • A cloud-based platform for industrial AR from Lenovo New Vision AR and Wikitude
  • A workspace and headset from Meta that lets users use their hands to interact with AR artifacts

The Truly Digital Workplace

New immersive experiences won’t simply be new tools for existing tasks. They promise to create entirely new ways of working.

VR avatars that look and sound like their owners will soon be able to meet in realistic virtual meeting spaces without requiring users to leave their desks or even their homes. With enough computing power and a smart-enough AI, we could soon let VR avatars act as our proxies while we’re doing other things—and (theoretically) do it well enough that no one can tell the difference.

We’ll need a way to signal when an avatar is being human driven in real time, when it’s on autopilot, and when it’s owned by a bot.


What Is Immersion?

A completely immersive experience that’s indistinguishable from real life is impossible given the current constraints on power, throughput, and battery life.

To make current digital experiences more convincing, we’ll need interactive sensors in objects and materials, more powerful infrastructure to create realistic images, and smarter interfaces to interpret and interact with data.

When everything around us is intelligent and interactive, every environment could have an AR overlay or VR presence, with use cases ranging from gaming to firefighting.

We could see a backlash touting the superiority of the unmediated physical world—but multisensory immersive experiences that we can navigate in 360-degree space will change what we consider “real.”


Download the executive brief Diving Deep Into Digital Experiences.


Read the full article Swimming in the Immersive Digital Experience.


About Kai Goerlich

Kai Goerlich is the Chief Futurist at SAP Innovation Center network. His specialties include Competitive Intelligence, Market Intelligence, Corporate Foresight, Trends, Futuring and ideation. Share your thoughts with Kai on Twitter @KaiGoe.


Jenny Dearborn: Soft Skills Will Be Essential for Future Careers

Jenny Dearborn

The Japanese culture has always shown a special reverence for its elderly. That’s why, in 1963, the government began a tradition of giving a silver dish, called a sakazuki, to each citizen who reached the age of 100 by Keiro no Hi (Respect for the Elders Day), which is celebrated on the third Monday of each September.

That first year, there were 153 recipients, according to The Japan Times. By 2016, the number had swelled to more than 65,000, and the dishes cost the already cash-strapped government more than US$2 million, Business Insider reports. Despite the country’s continued devotion to its seniors, the article continues, the government felt obliged to downgrade the finish of the dishes to silver plating to save money.

What tends to get lost in discussions about automation taking over jobs and Millennials taking over the workplace is the impact of increased longevity. In the future, people will need to be in the workforce much longer than they are today. Half of the people born in Japan today, for example, are predicted to live to 107, making their ancestors seem fragile, according to Lynda Gratton and Andrew Scott, professors at the London Business School and authors of The 100-Year Life: Living and Working in an Age of Longevity.

The End of the Three-Stage Career

Assuming that advances in healthcare continue, future generations in wealthier societies could be looking at careers lasting 65 or more years, rather than at the roughly 40 years for today’s 70-year-olds, write Gratton and Scott. The three-stage model of employment that dominates the global economy today—education, work, and retirement—will be blown out of the water.

It will be replaced by a new model in which people continually learn new skills and shed old ones. Consider that today’s most in-demand occupations and specialties did not exist 10 years ago, according to The Future of Jobs, a report from the World Economic Forum.

And the pace of change is only going to accelerate. Sixty-five percent of children entering primary school today will ultimately end up working in jobs that don’t yet exist, the report notes.

Our current educational systems are not equipped to cope with this degree of change. For example, roughly half of the subject knowledge acquired during the first year of a four-year technical degree, such as computer science, is outdated by the time students graduate, the report continues.

Skills That Transcend the Job Market

Instead of treating post-secondary education as a jumping-off point for a specific career path, we may see a switch to a shorter school career that focuses more on skills that transcend a constantly shifting job market. Today, some of these skills, such as complex problem solving and critical thinking, are taught mostly in the context of broader disciplines, such as math or the humanities.

Other competencies that will become critically important in the future are currently treated as if they come naturally or over time with maturity or experience. We receive little, if any, formal training, for example, in creativity and innovation, empathy, emotional intelligence, cross-cultural awareness, persuasion, active listening, and acceptance of change. (No wonder the self-help marketplace continues to thrive!)


These skills, which today are heaped together under the dismissive “soft” rubric, are going to harden up to become indispensable. They will become more important, thanks to artificial intelligence and machine learning, which will usher in an era of infinite information, rendering the concept of an expert in most of today’s job disciplines a quaint relic. As our ability to know more than those around us decreases, our need to be able to collaborate well (with both humans and machines) will help define our success in the future.

Individuals and organizations alike will have to learn how to become more flexible and ready to give up set-in-stone ideas about how businesses and careers are supposed to operate. Given the rapid advances in knowledge and attendant skills that the future will bring, we must be willing to say, repeatedly, that whatever we’ve learned to that point doesn’t apply anymore.

Careers will become more like life itself: a series of unpredictable, fluid experiences rather than a tightly scripted narrative. We need to think about the way forward and be more willing to accept change at the individual and organizational levels.

Rethink Employee Training

One way that organizations can help employees manage this shift is by rethinking training. Today, overworked and overwhelmed employees devote just 1% of their workweek to learning, according to a study by consultancy Bersin by Deloitte. Meanwhile, top business leaders such as Bill Gates and Nike founder Phil Knight spend about five hours a week reading, thinking, and experimenting, according to an article in Inc. magazine.

If organizations are to avoid high turnover costs in a world where the need for new skills is shifting constantly, they must give employees more time for learning and make training courses more relevant to the future needs of organizations and individuals, not just to their current needs.

The amount of learning required will vary by role. That’s why at SAP we’re creating learning personas for specific roles in the company and determining how many hours will be required for each. We’re also dividing up training hours into distinct topics:

  • Law: 10%. This is training required by law, such as training to prevent sexual harassment in the workplace.

  • Company: 20%. Company training includes internal policies and systems.

  • Business: 30%. Employees learn skills required for their current roles in their business units.

  • Future: 40%. This is internal, external, and employee-driven training to close critical skill gaps for jobs of the future.

In the future, we will always need to learn, grow, read, seek out knowledge and truth, and better ourselves with new skills. With the support of employers and educators, we will transform our hardwired fear of change into excitement for change.

We must be able to say to ourselves, “I’m excited to learn something new that I never thought I could do or that never seemed possible before.”
