True North Networks Blog

True North Networks has been serving the Swanzey area since 2002, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Merger mania: Why consolidation in the RIA space is about to explode

The steady increase in merger and acquisition activity in the registered investment advisory space over the past six years might seem impressive to some, but for industry players like Ron Carson, the party is just getting started.

"I used to say, we're at the first pitch of the first inning, regarding consolidation in the RIA space, but now I believe it's more like the game hasn't even started yet," said Mr. Carson, founder and CEO of Carson Group, an $8.4 billion firm that has made mergers and acquisitions a foundation of its growth strategy.

"In seven years or less, you will see a third less firms than we have today in this industry," he said.

Mr. Carson, who says he has 17 acquisition deals in the works, is not alone in his view of a rapidly consolidating financial planning industry. While an aging adviser population looking for an exit strategy is still believed to be one driver of M&A, experts say the desire for economies of scale and the availability of capital from private equity are also major factors. And although the rise and fall of the stock market will continue to affect M&A activity, few believe that it will have any long-lasting effect on the trend toward consolidation.

One reason is because so little consolidation of the industry has taken place.

"Despite the record-level M&A activity, there's still not a lot happening given the size of the industry," said David DeVoe, managing director at the investment bank DeVoe & Co.

In some ways, tracking M&A activity in the RIA space is more art than science, because most of the deals involve privately owned firms, and the data collectors each have their unique criteria for calculating market activity.

But regardless of how the data are measured, the trends illustrate steady M&A growth.

Mr. DeVoe's calculations of RIAs registered with the Securities and Exchange Commission with at least $100 million under management count 97 acquisitions last year out of 5,000 SEC-registered RIAs.

That total is up from 89 in 2017 and 36 deals in 2013, but is still just scratching the surface of pent up deal potential, according to Mr. DeVoe.

Deals are not only becoming more plentiful, they also are getting bigger.

Mr. DeVoe reports that $513 billion in assets under management changed hands last year.

The 10 largest transactions in 2018 constituted $391 billion in AUM, which was nearly 24% more than the $316 billion top 10 total of 2017, and more than five times the $69 billion top 10 total of 2016.

'Flood gates will open'

Despite all of the rosy numbers, Mr. DeVoe said M&A activity is still relatively small.

"We know the demographics for financial advisers are skewed toward the older end, and right now we're not seeing enough deal volume to just clear the retirement dynamic of this industry," Mr. DeVoe said. "We should be seeing 200 to 250 advisers selling their firms annually just for succession, and I think the flood gates will open over the next five-plus years."

The reasons for M&A activity have changed over the years.


"It used to be the vast majority of deals were done because somebody was exiting the industry, but over the past few years we're seeing more deals done to achieve scale and for strategic reasons beyond succession planning," Mr. DeVoe said.

A subdriver of M&A activity is the growing influence of private-equity investors that is fueling deal activity by taking ownership stakes in major consolidator firms like Carson Group, Mercer Advisors, Focus Financial and HighTower Advisors.

"Private equity has helped to accelerate the pace of consolidation, but it didn't create consolidation in the RIA space," said David Barton, vice chairman at Mercer Advisors, a $15 billion, PE-backed firm that made eight acquisitions in each of the past two years and has completed two deals already this year.

"It's a competition issue," he said. "Smaller firms realize the larger firms can offer more services in addition to investment management and financial planning, so for them it's 'build it or join it.'"

While Mr. Carson and Mr. Barton cite the benefits of PE support, the flip side is seen as sometimes short-term and overly aggressive money.

"Private equity in many cases is not patient money," said Tom Haught, founder of Sequoia Financial Group, a $5 billion firm that has made three acquisitions in the past two years without the help of PE money.

Scott Slater, vice president of practice management and consulting at Fidelity Clearing & Custody Solutions, believes the stock market is playing a part keeping a certain amount of M&A activity at bay.

"I don't think there's enough activity yet," he said. "I think a lot of owners still like what they're doing, but there are dynamics that could change. Look at the [independent broker-dealer] world where they are not as valuable as they used to be."

Mr. Slater recalls the peak-valuation period of 2007 leading into the financial crisis and thinks some advisory firm owners could be at risk of riding the seller's market a little too long.

Market volatility

Even though it might be easier to postpone succession planning when the equity markets are strong, Mr. Slater said evidence of the market's influence on deal activity popped up briefly during the 20% market correction at the end of last year.

"I do think we appear to be potentially at a time of peak valuations, and market volatility could drive more discussions," he said. "A good example is during the volatility of last year, more advisers were having more serious conversations about selling."

The main reason the bull market for stocks has driven up RIA valuations and put sellers in the driver's seat is that most advisory firm revenues are based on AUM.

A stock market pullback is seen as a potential disruptor to the pace of M&A activity, even if it's a temporary one.

"I think sellers can and have commanded better deals and better terms, and the stock market cycle has everything to do with it," said Peter Raimondi, an industry veteran who recently founded Dakota Wealth Management, a $700 million firm that has made three acquisitions in its first eight months.

Tables will turn

A down market cycle for stocks, he added, is where the tables will turn in favor of the buyers.

"You have RIAs who have not experienced what it's like to have profits disappear for any period of time," Mr. Raimondi said. "A bear market will shift this to a buyer's market because the RIAs will feel like they have to sell."

Kurt Miscinski, president and chief executive of Cerity Partners, believes a stock market slowdown could slow the pace of M&A activity, but he doesn't believe the larger trend is going away.

Cerity Partners is a $10 billion PE-backed firm that has made seven deals in the past 10 years.

"Acquisitions are a great way to bring together advisers and clients, and develop a geographic presence," he said. "We will continue to make acquisitions."

Good times or bad, a major consolidation driver will continue to be the pursuit of scale, according to Rush Benton, senior director of strategic wealth at Captrust, a $315 billion firm that he describes as "active as hell" in acquisitions.

"The sellers want to benefit from the scale of better technology, better senior management and better back-office support," he said, emphasizing that even succession-plan acquisitions typically involve the seller sticking around for three to five years after the deal is complete.


The Top Dollar Costs for Cybersecurity Breaches and What Independent Financial Advice Firms Should Do

Independent wealth management firms are notorious for talking a good game about cybersecurity while doing frighteningly little to protect sensitive client information. The bottom line is that those poor practices carry hidden risks, threatening the long-term strategic plans of otherwise successful independent broker-dealers and RIAs.

Recent research from multiple sources — including IBM, the Ponemon Institute, and Beacon Strategies — helps fill in the gaps. Taken together, this material shows how wealth management teams vastly underestimate the true cost and consequences of cyber-attacks, that firms and their employees are far too lax on recommended protocols, and that they are in dire need of unified cybersecurity tools with a greater focus on the financial advice industry.


This revelation lays bare the rampant lack of preparedness for cyberattacks in the wealth management industry. It’s no exaggeration to say that many firms and their employees are literally waiting for a data breach to occur.

But the most surprising discovery is that so few of them realize they don’t have to be in that situation. Affordable, effective and efficient solutions do exist for the financial advice space. Of course, like anyone who wants to break a bad habit, the first step is admitting there’s a problem.

Beacon Strategies estimates that 74% of financial advisors already have been the target of cyberattacks, yet a whopping 64% of employees think cybersecurity is not a priority for their firm.

Additionally, leaders at many firms believe that allocating more time and resources to shoring up cybersecurity is unjustified since their firm has not (yet) suffered a data breach. This reveals a dangerous misunderstanding of what’s at stake.


No other industry has been as vulnerable to cyberattacks over the last two years as financial services, according to IBM. And the Ponemon Institute found that the average remediation cost per lost or stolen record in a data breach is $141, factoring in direct expenses such as engaging forensic experts and indirect expenses such as lost customers.

Now consider that a single-advisor practice with five employees may have as many as 400 client records. Basic math suggests that such a practice could lose over $56,000 due to a breach, a seven-advisor RIA with 10 support staff could face over $240,000 in losses and a broker-dealer with hundreds of advisors could lose millions.


A common theme among wealth management firms is lax adherence to protocols. Rules from FINRA, the SEC and assorted state regulators, such as those in New York and Massachusetts, ought to be non-negotiable since those entities have made cybersecurity a top concern.

But far too often overlooked are recommendations by the National Institute of Standards and Technology (NIST), a division of the U.S. Department of Commerce. The NIST voluntary framework entails best practices on how to identify cyber threats, detect gaps, protect against attacks, respond to them and recover when compromised. Although all those areas are important, “protection” is the heart of the framework.

According to NIST, “protection” involves distinct actions to ensure identity management and access control; cybersecurity awareness and training; risk-based strategies for maintaining the confidentiality and availability of information; rigorous processes and procedures; system maintenance; and audit logs.


The average wealth management firm uses more than 75 different software technologies and seven different software agents installed on its endpoints for IT and cybersecurity. That makes it cumbersome and time-consuming to protect sensitive data. Worse still, many of those tools were not designed for advice practices.

The Ponemon Institute says that the faster a data breach is spotted and put under control, the less burdensome its cost will be for firms. Beacon Strategies goes a step further and says that, for broker-dealers and RIAs, the best approach is avoiding unnecessary cyber incidents to begin with, namely by adopting a unified platform designed for independent advisory firms.

While it may be debatable which platform is best for every firm and every advisor, there should be no debate that now is the time to act, for both the sake of your business and the best interests of your clients.


7 Tips for Creating a Better Password

How strong is your password, really? Do you use the same one on a number of accounts? Or refer to your dog Fluffy in all of them? Chances are you could use a change.

About 73 percent of online accounts are guarded by duplicate passwords, according to a 2015 report by TeleSign, an internet security firm, and 54 percent of those surveyed use five or fewer passwords across their online accounts.

Meanwhile, just over 10 percent of consumers use one of the 25 worst passwords of 2016, according to SplashData, a provider of password management applications, which analyzed more than 5 million leaked passwords used by users in North America and Western Europe.

Topping the list of the worst passwords? 123456, password, 12345, 12345678, football and qwerty.

The problem with this is that our passwords are a key component of our lives, and as more of the services we rely on every day move online, the stakes grow ever higher.

It may seem overwhelming, but you can improve your internet security today with these seven tips.

1. Create Strong Passwords

What does that mean? Ideally, a password should be at least 10 to 15 characters and include a mix of lower case and capital letters, numbers and special characters such as @, $, or *. It should also be unrelated to any of your prior passwords.

Struggling to think of something? You can use a password generator (there are a number of free options available), or pick a short sentence or phrase to use as inspiration and replace certain letters with numbers or special characters. For example, you could channel Cookie Monster and go with, “W@nT~C0oK13$.”

2. Avoid Passwords Containing Info Easily Found Online

Part of having a strong password is not using information someone could easily (or even not-so-easily) figure out by checking out your social media accounts. That means if you constantly post about your cat, Fluffy, don’t make your password Fluffy_Lv3r.

Consider the whole extent of the information out there. While H@rRy*P0tt3r is generally a strong password, don’t use it if you are a member of a Harry Potter fan club or post quizzes to your page like “What Hogwarts House Would You be Sorted Into?”

The same goes for those account security questions you are sometimes asked to fill out. If your Facebook includes information on where you went to high school, avoid security questions like, “What was your high school mascot?”

3. Use a Unique Password for Every Website or App

It may be super annoying, but sorry, you’ve got to do it. You need to have a different password for all your different accounts.

You might think a security breach at, say, LinkedIn doesn’t matter—they have your resume, so what? But if you use the same password, or even a similar one, for LinkedIn as you do for your bank account, or Facebook, or any number of other applications, a hacker can soon find a way to wreak havoc in your financial and personal life.

Need help remembering all those passwords? There are a number of options for keeping track. You can download a password manager app, or if you don’t feel comfortable keeping that info in the cloud, you can also just create a document on your computer and encrypt that with a password. If you are more the pen-and-paper type, you can keep a list at home.

“In some scenarios, writing down passwords isn’t a terrible thing (it’s offline) provided you protect what you have written and where you store it,” said Whitney Hewatt, a lead security engineer at FINRA. “Certainly don’t store such things right next to any systems you use making it easy to find such lists.”

4. Avoid Linked Accounts

While we are on the subject, avoid linked accounts. What does that mean? When you are new to a website and it says you can create a new account or link the account to your Facebook or email login, just create the new account instead.

“Sure, linked accounts are convenient,” Hewatt said. “But convenience comes at a cost.”

When you log in using another account, you are usually allowing that website to have some of your data, whether you realize it or not. That may be a privacy concern and may make identity theft easier. But beyond that, allowing one account to have access to others means that if the least secure account is hacked, the rest could also be compromised.

5. Use Multi-Factor Authentication

When possible, use multi-factor authentication, or two-factor authentication, particularly for your email accounts. Many e-mail providers now allow for this, including Gmail, Microsoft Mail and others.

“Protect your email accounts as best you can,” Hewatt said. “Enable this setting to provide an added layer of security where you authenticate and then have to use another validation process, such as a code sent by text or authenticating app to secure the logon process.”

You should do this whenever possible, but your email account is particularly important. Your email address is also where password resets are typically sent, so it’s imperative that you protect your email address in order to protect all other accounts. Not to mention how much other information a hacker could get from your email account: your address, possibly medical information or information on your financial accounts and utility accounts.

6. Beware Where You Enter Your Password

Be aware of possible risks such as using public kiosks and charging stations when logging on to any site or app you use. There may be malware or a virus designed to capture any information you type on the machine.

“You never know who manages these systems or how securely they are configured,” said Hewatt.

The same goes for public Wi-Fi. Public Wi-Fi might be convenient and easy on your wallet as you look to avoid data overage charges from your cellular provider, but steer clear of entering your password into any website from a public network, be it at an airport or your favorite coffee shop, or in a college classroom or hotel room.

“Until better security solutions are created, traffic on open networks can generally be discovered by anyone else on that network,” Hewatt said. “You are better off using cellular communications when possible.”

And never change your password on a public network or a public machine.

7. Take Note When a Data Breach Occurs

If you hear about a possible data breach of a website or app you use, don’t just assume others were affected, but not you. Take steps to determine if your credentials have been stolen.

You can reach out to the company that was hacked, or use test sites to determine if your credentials were stolen. Have I Been Pwned is one option that tracks many of the known data breaches. You can enter a user name or email address to determine if one of your accounts is located on lists which have already been dumped to the internet for public download.

“This may not be your actual password, but a scrambled version of it that is easily deciphered by common tools,” Hewatt said. “If you encounter this, change your password right away.”
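The rules in tips 1, 2 and 7 above can be checked mechanically. The following is an added example (not part of the original article) that scores a candidate password against the article's criteria (length, character classes, personal information even when disguised with symbol-for-letter swaps, similarity to prior passwords) and shows how a Have I Been Pwned "range" lookup works: only the first five characters of the password's SHA-1 hash are sent, and the matching is done locally against the returned list. The `fetch_range` URL is the real Pwned Passwords API; the range response and the hit counts embedded below are constructed sample data.

```python
import hashlib
import string
from dataclasses import dataclass, field
from urllib.request import urlopen

# Minimum length from tip 1 and the symbol-for-letter swaps the article uses
# as examples ("Fluffy_Lv3r", "H@rRy*P0tt3r"), so disguised personal info
# still gets caught by tip 2.
MIN_LENGTH = 10
LEET_MAP = str.maketrans({"@": "a", "0": "o", "3": "e", "1": "l",
                          "$": "s", "!": "i", "5": "s"})


@dataclass
class Verdict:
    ok: bool
    problems: list = field(default_factory=list)


def normalize(password: str) -> str:
    """Lower-case and undo common symbol swaps: 'H@rRy*P0tt3r' -> 'harry*potter'."""
    return password.lower().translate(LEET_MAP)


def check_policy(password: str, personal_terms=(), prior_passwords=()) -> Verdict:
    """Apply the article's password rules; personal_terms are words that are
    public about you (pet names, fandoms), prior_passwords are ones you used before."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lower-case letter": any(c.islower() for c in password),
        "capital letter": any(c.isupper() for c in password),
        "number": any(c.isdigit() for c in password),
        "special character": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"missing a {name}")
    norm = normalize(password)
    for term in personal_terms:
        if term.lower() in norm:
            problems.append(f"contains personal info: {term!r}")
    for old in prior_passwords:
        old_norm = normalize(old)
        if old_norm in norm or norm in old_norm:
            problems.append("related to a prior password")
    return Verdict(ok=not problems, problems=problems)


def hibp_split(password: str):
    """k-anonymity split used by Have I Been Pwned: the 5-character prefix is
    all that is sent; the 35-character suffix is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def times_seen_in_range(password: str, range_response: str) -> int:
    """Parse a 'SUFFIX:COUNT' range response (one hash suffix per line) and
    return how often this password appears in known dumps (0 = not listed)."""
    _, suffix = hibp_split(password)
    for line in range_response.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (network required). Only the hash prefix leaves the machine."""
    with urlopen(f"https://api.pwnedpasswords.com/range/{prefix}", timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample of what a range response for prefix 5BAA6 looks like.
# The second line is the real SHA-1 suffix of "password"; the counts are made up.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
A5E0B7B1C2D3E4F5A6B7C8D9E0F1A2B3C4D:12
"""

if __name__ == "__main__":
    for pw in ("W@nT~C0oK13$", "Fluffy_Lv3r", "H@rRy*P0tt3r"):
        v = check_policy(pw, personal_terms=["Fluffy", "Harry", "Potter"])
        print(pw, "OK" if v.ok else v.problems)
    print("password seen", times_seen_in_range("password", SAMPLE_RANGE_5BAA6), "times")
```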


Crackdown showdown: Serious Cybersecurity Enforcement is Coming in 2019, But Are Advisers Ready?

After spending most of a decade offering guidance and stern warnings, regulators are ready to put enforcement muscle behind cybersecurity rules.

A flurry of activity in 2018 at federal and state levels has many legal and security experts expecting 2019 to be a watershed year for holding firms accountable for clients' digital data. Penalties are coming for advisory firms that don't do enough to prevent a data breach or don't respond to a breach effectively.

The Securities and Exchange Commission is leading the charge. The agency took several actions in 2018 that should alert every adviser that any grace period in adopting data security controls has expired.

"The honeymoon phase is over," said Askari Foy, managing director of ACA Aponix's global regulatory cybersecurity practice and a former SEC associate director. "As they identify issues, they're less likely to be friendly, for lack of a better word. They tend to roll up their sleeves and really dig into the issues, particularly if they smell blood or sense potential harm to investors."

Voya troubles

No alarm rings louder than the SEC's Sept. 26, 2018, announcement that Voya Financial Advisors would pay $1 million to settle charges relating to a 2016 scam that compromised the personal information of thousands of customers. It was the first time the SEC enforced its "identity theft red flags rule," which has been on the books since 2013.

Even though Voya had a cybersecurity policy in place and responded to the breach within a matter of hours, it wasn't good enough for the SEC. The regulator said Voya's cybersecurity policies and procedures were out of date and failed to do enough to ensure they applied to the entire workforce of financial advisers.

This issue of scant policies or ineffective effort is common throughout the industry and it's exactly what the SEC wants to eliminate. For many advisers, cybersecurity is just another compliance procedure — put a policy in place, do some basic training, check off the box and move on to more pressing business issues.

"Firms have cybersecurity policies, they get one from an attorney or compliance firm. The policy looks great, but it doesn't actually reconcile to reality in any way," said Sid Yenamandra, CEO and co-founder of cybersecurity firm Entreda.

For example, the policy may say advisers can only access the firm's network using a secure connection such as a virtual private network, but there are no checks that the policy is actually followed, he said.

Entreda's experts, who have provided data protection software and training services to thousands of advisers, see a lot of lip service paid to cybersecurity.

"People talk about having a good cybersecurity policy, but who is actually implementing it? Our view on this entire issue is we tend to see there is a false sense of security that a lot of firms have," Mr. Yenamandra said.

These firms are more vulnerable to an attack, and this year they also could face stiff fines and censure. Regulators' gloves are off, and they are ready to crack down.

2018 warnings to heed

When the SEC first developed regulations regarding email communications, it gave firms a few years to acclimate to the new rules and get programs in place. As guidance became more detailed and rules more specific over time, that's when sanctions started coming. Regulators are following a similar pattern with cybersecurity, said Kim Peretti, co-chair of law firm Alston & Bird's national security and digital crimes practice and its cybersecurity preparedness and response team.

"Investment advisers and broker-dealers of all sizes may be under scrutiny and should expect more enforcement actions moving forward," she said. "For registered investment advisers and broker-dealers, the primary implication of this focus is that the SEC will continue to expect more mature cybersecurity programs that adapt to the changing threat environment and appropriately manage and communicate risks to investors."

The agency last year named cybersecurity as a priority in its examinations of investment advisers and brokers; asked Congress for an additional $52 million to expand personnel, including four people dedicated to cybersecurity; and issued new guidance on public companies' obligations to disclose cybersecurity risks and incidents, updating its previous guidance issued in 2011.

The SEC published a report last year detailing an investigation of nine undisclosed public companies that fell victim to cyberfraud and collectively lost nearly $100 million. Though no charges were filed, the report served as a stern warning to consider cybersecurity when implementing internal account controls and specified the exact rule — Section 13(b)(2)(B) of the Securities Exchange Act of 1934 — that holds firms accountable.

It isn't just the SEC getting tougher with cybersecurity. In August, the Financial Industry Regulatory Authority Inc. censured and fined a small broker-dealer $50,000 for having inadequate procedures for preventing hackers from transferring money from client accounts. In December, the self-regulatory organization updated its 2015 report on cybersecurity best practices for broker-dealers.

State regulators are making their own rules. Since New York issued rules requiring financial institutions to establish cybersecurity programs, the number of bills and proposals addressing cybersecurity at the state level has continued to grow. According to the National Conference of State Legislatures, 265 bills were introduced in 2018, up from 240 bills in 2017 and 104 in 2016. As of Nov. 6 (the latest data available), 52 of the bills proposed last year became law.

The increased activity provides a window into where regulators are focusing their energy and what future enforcement actions might involve.

For example, the SEC's February guidance on disclosure obligations and subsequent charges against Yahoo — $35 million for failing to disclose a cybersecurity breach — show how seriously the regulator wants firms to report data breaches. According to the New York Times, only 24 public companies (across all industries) reported breaches to the SEC in 2017, but researchers believe more than 4,000 breaches occurred.

The Voya charges reveal another common weakness, specifically for financial advisers. It's not enough to just have a cybersecurity plan in place. Regulators want to see firms continually testing, reviewing and updating cybersecurity policies and procedures to ensure they remain effective as threats evolve.

Business email

Another area of focus, as evidenced by the SEC's investigative report and Finra's updated best practices, is compromised business emails — an increasingly popular attack method in which hackers pose as corporate executives or third-party vendors and use emails to trick other employees.

"There's been an increasing focus on the nexus between cyberintrusion and cyberfraud," Ms. Peretti said.

Preventing harm from phishing scams requires that firms address human susceptibility to such scams in addition to the technology element itself, she said.

Finally, the Voya breach was caused by hackers impersonating an independent adviser and using the custodian's support line to reset passwords and gain access to the system, illustrating the vulnerability from third parties.

Regulators want advisers to have an inventory of everyone who can access their data, including both third-party technology vendors and independent contractors.

Where advisers can improve

The good news is that the financial services industry has done a pretty good job of adapting to new cybersecurity requirements, at least in comparison to other industries like retail, said Robert Cattanach, partner at law firm Dorsey & Whitney.

Where it's most often falling apart is with the smaller registered investment advisers and broker-dealers.

"Modest-sized companies lack the resources to really make good on their paper policies," Mr. Cattanach said. "Someone can gin up the right-sounding IT governance policies and procedures. But it's a whole additional step to make sure they are followed."

At smaller firms, there can be a sense of fatigue and helplessness when it comes to cybersecurity, because even the largest companies get hacked.

"There is this general feeling of, 'Holy cow, how can I, this little RIA out here, protect [against a breach] if these large institutions can't?'" said Wes Stallman, a provider of cloud-based cybersecurity for advisers. "I do think that causes some frustration."

Experts said the adviser mindset should not be fixed on trying to safeguard data 100% because, with attacks always evolving, it's less of a matter of "if" and more of "when" there's a breach.

Regulators understand this, and really just want firms to have checks and balances in place to ensure they are doing the best they can to prevent breaches. More importantly, regulators want firms to have an up-to-date and battle-tested plan for an effective and timely response to a breach.

Finra's December update to its best practices includes a new appendix to help small firms adopt and implement cybersecurity controls. When used alongside Finra's previously released small firm cybersecurity checklist, it should give smaller advisers an effective guide to remaining compliant.

The bigger challenge is how to get all financial advisers to move beyond the lip service and actually realize that cybersecurity is something more important than another compliance chore. The key to that may lie in thinking of cybersecurity as a competitive advantage, Mr. Yenamandra said.

Clients are going to increasingly ask what advisers are doing to protect data, and firms that can give a satisfying answer will build trust with investors.

"Cybersecurity needs to be viewed as not only an operational risk but also a strategic function," he said.


Everything You Need to Know About Router Security to Avoid Getting Hacked by Cybercriminals

The bad news: most people don’t give a second thought to their routers.

This lack of know-how puts a lot of households in a dangerous position. The United States Computer Emergency Readiness Team (US-CERT) has issued an alert about Russian state-supported hackers carrying out attacks against a large number of home routers in the U.S.

Some routers are inherently flawed and can never be fixed. To help beef up your router’s security, here are five tactics for protecting your home network, devices and files from hackers.

First, check your router's admin page

Before you start, make sure you can get into your router's administration console; this is where you manage your router's settings, from password management to firmware updates.

First, make sure your computer is connected (either wired or wirelessly) to your router, open a web browser and type in the router's IP address. The IP address is a set of numbers, and the default depends on your router's manufacturer. The common ones are, or

If you don’t know your router's IP address or password, it’s on the internet

1. Select the best encryption

Criminals love unsecured home Wi-Fi networks. Securing your Wi-Fi network can also shield you from unwelcome connections that may be using your network for illegal activities.

This is why it's important to protect your Wi-Fi network with strong encryption. If you are required to enter a password to connect to your Wi-Fi, you already have some encryption enabled on your router.

There are different types of Wi-Fi encryption, and you have to make sure that it's the most secure one you can employ.

The most widely-used Wi-Fi security protocol right now is still Wi-Fi Protected Access 2 (WPA2) encryption. However, this standard is over a decade old, and it is already susceptible to serious security vulnerabilities like 2017's KRACK attack.

If you're shopping for a new router, look for one that supports the newest security standard called WPA3. These models have just started rolling out. Every router has a different menu layout, but you should be able to find encryption under the "Wireless" or "Security" menu. You'll have a number of encryption options: if you still have an older router, you want to select one that starts with "WPA2." If your router is not WPA3 compatible, then "WPA2-PSK AES" is your best option right now.

However, if you have older Wi-Fi gadgets, you might have to select the hybrid option "WPA2-PSK AES + WPA-PSK TKIP" to get them working.

Never choose Open (no security), or if it is using WEP, change the security setting immediately. An open network will make it easy for someone to steal your Wi-Fi, and the older WEP security is easily hacked.

If the only encryption options your router has are WEP or WPA, tell your router to check for a firmware update. Look in your manual for the instructions.

Don't have your manual anymore? Try ManualsLib or ManualsOnline, which both have hundreds of thousands of manuals, from routers to refrigerators to anything else you might need.

If there's no firmware update or your router updates but you're still stuck with WPA or WEP, it's time to buy a new router. These encryption methods are too unsafe to use, plus it means your router is probably more than 7 years old.
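The router's menu tells you what it is configured for; a scan from a laptop tells you what your network (and your neighbours') actually advertises over the air. The script below is an added example, not code from the original article: it parses the text that `iw dev <interface> scan` prints on Linux and applies the advice above (Open, WEP and WPA/TKIP need fixing or replacing, mixed WPA2/TKIP is a stopgap, WPA2-AES is fine, WPA3 is best). The scan text is constructed for the demonstration rather than captured from a real network.

```python
"""Classify nearby Wi-Fi networks by the protection they advertise.

Added example, not from the original article. Parses the output format of
`iw dev <iface> scan` and grades each network the way the article does.
"""

# Constructed sample in the style of `iw dev wlan0 scan` output.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:01(on wlan0)
    SSID: OpenCafe
    capability: ESS ShortSlotTime (0x0401)
BSS 00:11:22:33:44:02(on wlan0)
    SSID: OldWEP
    capability: ESS Privacy ShortSlotTime (0x0411)
BSS 00:11:22:33:44:03(on wlan0)
    SSID: LegacyWPA
    capability: ESS Privacy ShortSlotTime (0x0411)
    WPA:     * Version: 1
         * Pairwise ciphers: TKIP
         * Authentication suites: PSK
BSS 00:11:22:33:44:04(on wlan0)
    SSID: MixedMode
    capability: ESS Privacy ShortSlotTime (0x0411)
    RSN:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: CCMP TKIP
         * Authentication suites: PSK
    WPA:     * Version: 1
         * Pairwise ciphers: TKIP
         * Authentication suites: PSK
BSS 00:11:22:33:44:05(on wlan0)
    SSID: HomeWPA2
    capability: ESS Privacy ShortSlotTime (0x0411)
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
BSS 00:11:22:33:44:06(on wlan0)
    SSID: NewWPA3
    capability: ESS Privacy ShortSlotTime (0x0411)
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: SAE
"""


def parse_scan(text):
    """Split iw scan output into one dict per BSS (access point)."""
    networks, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("BSS "):
            current = {"bssid": line[4:21].lower(), "ssid": "",
                       "privacy": False, "RSN": {}, "WPA": {}}
            networks.append(current)
            section = None
        elif current is None:
            continue
        elif line.startswith("SSID: "):
            current["ssid"] = line[6:]
        elif line.startswith("capability:"):
            # "Privacy" means encryption of some kind; with no RSN/WPA block that is WEP
            current["privacy"] = "Privacy" in line
        elif line.startswith(("RSN:", "WPA:")):
            section = line[:3]            # RSN = WPA2/WPA3 element, WPA = original WPA
            current[section]["present"] = True
        elif line.startswith("*") and section:
            key, _, value = line[1:].partition(":")
            current[section][key.strip()] = value.split()
    return networks


def classify(net):
    """Return (mode, advice) following the article's recommendations."""
    rsn, wpa = net["RSN"], net["WPA"]
    if not rsn and not wpa:
        return ("WEP", "replace or update the router") if net["privacy"] else ("Open", "enable WPA2/WPA3 now")
    if not rsn:
        return "WPA (TKIP)", "update firmware or replace the router"
    akms = rsn.get("Authentication suites", [])
    pairwise = rsn.get("Pairwise ciphers", [])
    if "SAE" in akms:
        return ("WPA3/WPA2 transition" if "PSK" in akms else "WPA3"), "ok"
    if wpa or "TKIP" in pairwise:
        return "WPA2 mixed (TKIP allowed)", "switch to AES-only once legacy devices are gone"
    return "WPA2-AES", "ok"


def audit(text):
    """Map SSID -> (mode, advice) for every network in the scan text."""
    return {n["ssid"]: classify(n) for n in parse_scan(text)}


if __name__ == "__main__":
    for ssid, (mode, advice) in audit(SAMPLE_SCAN).items():
        print(f"{ssid:12} {mode:28} {advice}")
```

On a real machine, feed it the output of `sudo iw dev wlan0 scan` (interface name assumed); the grades for your own SSID should match what the router's "Wireless" page says, and anything graded Open, WEP or WPA (TKIP) in your list of networks is the kind of target the article warns about.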

2. Pros set up an additional separate network

A great tactic is to put visitor devices on a separate network. You do this by setting up a completely different Wi-Fi router or enabling your router's "Guest Network" option, a popular feature for most routers.

Guest networks are meant for visitors to your home who might need a Wi-Fi internet connection, but you don't want them gaining access to the shared files and devices within your network.

This segregation also works for your smart appliances: put them on the guest network and a compromised smart plug or camera cannot reach your computers directly.

To avoid confusion with your primary network, set up your guest network with a different network name (SSID) and password. Use a strong, unique password on the guest network as well; you still don't want strangers using it, and a guest network with a weak password is a foothold for anyone in range.

Some newer routers offer this segmentation as a built-in option, usually labeled as an IoT network, which puts Internet-of-Things appliances on their own network and shields your computers and other personal gadgets from an attack that starts on a hacked appliance.

With this virtual zoning of your network, your smart appliances and hubs can still communicate with each other while your main computing devices stay isolated in the event of an Internet-of-Things attack. Whichever option you use, look for a setting called client isolation or AP isolation on the guest network; it stops guest devices from talking to each other as well as to your main network.

Also, if you're worried about "wardrivers," people roaming around looking for Wi-Fi networks to attack, you can disable broadcasting of your network's and your guest network's name (SSID). Know that this is a convenience measure rather than real protection: the name still travels in the clear whenever one of your own devices connects, so any wireless scanner can recover it in seconds. Strong encryption, not a hidden name, is what keeps wardrivers out.

3. Use the free parental controls

To shield your kids from inappropriate sites, most routers have built-in content filters, parental controls and time-based restrictions.

To enable these filters, visit your router's administrator page or app again and look for a section called "Parental Controls" or "Access Controls." Here, you can choose what type of sites to disable access to, set the schedule when the filters are in effect and set curfew hours for certain gadgets.

You can even set filters for specific IP and MAC addresses. The downside is the inconvenience; it takes a bit of technical skill to pull this off. The upside is that you end up with a map of all your connected gadgets and their corresponding IPs.

To take this a bit further, turn on MAC (Media Access Control) filtering. With MAC filtering on, you can specify which MAC addresses will be allowed to connect to your network at certain times. Note: MAC addresses can usually be found in the gadget's settings, label or manual. Look for a set of 12 hexadecimal characters written as six pairs (here's an example of what a MAC address looks like: 00:15:96:12:34:56). Treat MAC filtering as a way to keep track of your devices rather than as security: MAC addresses are sent unencrypted over the air and can be copied by anyone in range, and newer phones randomize the address they present to each network, so an allow-list also tends to lock out devices you meant to admit.
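Getting the addresses into the filter is where most people trip up: labels print them with colons, dashes or dots, some gadgets show the 16-digit EUI-64 form instead of the 12-digit MAC, and randomized phone addresses change between networks. The helper below is an added example, not code from the original article; it normalizes the common notations, shows how the 16-digit form relates to the 12-digit one (a fixed FF:FE is inserted in the middle), and flags "locally administered" addresses, the bit that every randomized address has set. The allow-list and observed addresses are constructed for the demonstration.

```python
"""MAC address handling for a router allow-list.

Added example, not from the original article. Normalizes the notations
gadgets print, derives the EUI-64 form, and flags addresses that are not
burned-in vendor addresses (which is what randomized Wi-Fi addresses look like).
"""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(text):
    """Accept 00:15:96:12:34:56, 00-15-96-12-34-56 or 0015.9612.3456; return AA:BB:... form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def eui64_from_mac(mac, modified=False):
    """Insert FF:FE between the vendor half and the device half of a MAC.
    modified=True also flips the universal/local bit, which is the form IPv6
    uses for interface identifiers."""
    octets = normalize_mac(mac).split(":")
    first = int(octets[0], 16)
    if modified:
        first ^= 0x02
    return ":".join([f"{first:02X}"] + octets[1:3] + ["FF", "FE"] + octets[3:])


def is_locally_administered(mac):
    """Bit 0x02 of the first octet set: not a vendor-assigned address.
    Randomized per-network addresses on recent phones always have it set,
    so such an entry in an allow-list will stop matching sooner or later."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def check_allow_list(allow_list, seen):
    """Which observed clients a MAC filter would reject, and which allow-list
    entries look like randomized (unstable) addresses."""
    allowed = {normalize_mac(m) for m in allow_list}
    return {
        "rejected": sorted(normalize_mac(m) for m in seen if normalize_mac(m) not in allowed),
        "unstable_entries": sorted(m for m in allowed if is_locally_administered(m)),
    }


if __name__ == "__main__":
    # Constructed sample: two entries typed from device labels, two clients seen by the router.
    print(check_allow_list(["0015.9612.3456", "da-a1-19-00-00-01"],
                           ["00:15:96:12:34:56", "3C:5A:B4:00:00:09"]))
```

If a phone keeps getting rejected even though you added it, check whether its entry is flagged as unstable; the fix is to turn off address randomization for your home network in the phone's Wi-Fi settings, or to stop relying on the filter.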

4. Turn on the VPN

You have likely heard of a VPN (Virtual Private Network), which is an excellent way to boost your online security and privacy.

With a VPN, your gadget's traffic is tunneled, encrypted, to the VPN provider's server, so websites and services see the VPN server's IP address rather than yours, and your internet service provider sees only an encrypted connection to the VPN. Note where the trust moves: the VPN provider can now see everything your ISP used to see, so pick one you have a reason to trust. A VPN hides your IP address; it does not make you anonymous, since logged-in accounts and browser cookies identify you just as well as before.

VPN services are typically accessed via software installed on each device, but some newer routers can run the VPN client themselves. Instead of protecting each gadget with its own VPN app, your router then tunnels the traffic of every connected device.

Routers with this capability have open source router software support (such as DD-WRT), and they can be configured to use services like OpenVPN.

Currently, there are a variety of open source and OpenVPN capable routers to choose from, but the most popular models are the Linksys AC3200 and the Netgear Nighthawk AC1900.

5. Turn on and test the firewall

One valuable tool that protects your network from attackers is a firewall. Even when someone knows your public IP address, the firewall stops unsolicited inbound connections from reaching the devices behind your router.

Almost every newer router has built-in firewall protections in place. They might be labeled differently, but look for features under your router's advanced settings like NAT filtering, port forwarding, port filtering and services blocking.

With these controls, you decide which incoming and outgoing ports are open. Be careful when tweaking these settings: every port you forward exposes the internal service behind it to the whole internet, and port scanners will find it within hours. Forward only what you need, and remove rules for services you no longer use.

To check whether your router's firewall is doing its job, run a port test from outside your network; several online tools do this by scanning your public IP address and reporting which ports answer. Anything that answers should be something you deliberately exposed.
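What those online tools do is nothing more than attempt a TCP connection to each port and note which ones complete. The script below is an added example, not code from the original article, that performs the same check itself. Run it from a machine on the internet against your public IP address (hypothetical usage; the address is whatever your ISP assigned you) and compare the result with the forwarding rules you set. The `demo()` function only targets 127.0.0.1 with a listener it opens itself, which proves the scanner distinguishes open from closed ports but says nothing about your router.

```python
"""Check which TCP ports answer on a host.

Added example, not from the original article. scan_ports() is the same check
an online port-test service performs; run it from outside your network to
test the router's firewall. demo() exercises it against localhost only.
"""
import socket


def scan_ports(host, ports, timeout=0.5):
    """Return {port: True if a TCP connection completed, False otherwise}."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            results[port] = s.connect_ex((host, port)) == 0   # 0 = connected
    return results


def exposed_services(results, expected_open=()):
    """Ports that answered but are not on the list you meant to forward."""
    return sorted(p for p, is_open in results.items() if is_open and p not in expected_open)


def demo():
    """Open one listener on localhost and confirm the scanner tells it apart
    from a port nothing is listening on."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0 = let the OS pick a free one
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Grab a second free port and release it so we know it is closed.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        results = scan_ports("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return {
        "open_port": open_port,
        "listening_port_open": results[open_port],
        "closed_port_open": results[closed_port],
        "unexpected": exposed_services(results, expected_open=()),
    }


if __name__ == "__main__":
    print(demo())
    # Real use (from outside your network; address is hypothetical):
    # print(exposed_services(scan_ports("203.0.113.10", range(1, 1025)), expected_open={443}))
```

Scanning every port of your own public address from outside is the honest version of "test the firewall"; an empty `unexpected` list is the result you want.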



12 Most Common Phishing Email Subject Lines Cyber Criminals Use to Fool You

The most common subject lines used in phishing emails targeting businesses show how cyber criminals exploit urgency, personalisation and pressure to trick victims into clicking on malicious links, downloading malware or otherwise surrendering confidential or sensitive corporate information.

Cyber criminals are well aware that people respond to dozens if not hundreds of emails a day – and this is reflected in the most common subject lines used when conducting business email compromise attacks.

After analyzing 360,000 phishing emails over a three-month period, researchers at cybersecurity company Barracuda Networks have detailed the most common lines used in phishing attacks – these subject lines are the most common because it's highly likely they're often the most successful bait for reeling in victims.

According to Barracuda's spear phishing report, by far the most common subject line used in attacks is simply 'Request' – accounting for over a third of all the phishing messages analysed. That's followed in popularity with messages containing 'Follow up' or 'Urgent/Important' in the subject line.

The simple trick attackers are using here is to make potential victims think they need to open and respond to the email as a matter of urgency – especially if the message is designed to look as if it comes from one of their colleagues, or their boss. That could nudge the victim into responding quickly, without thinking, especially if it claims to come from a board-level executive.

The top subject lines according to Barracuda analysis are based around the following key phrases:

  1. Request
  2. Follow up
  3. Urgent/Important
  4. Are you available?/Are you at your desk?
  5. Payment Status
  6. Hello
  7. Purchase
  8. Invoice Due
  9. Re:
  10. Direct Deposit
  11. Expenses
  12. Payroll

'Are you at your desk?' uses the trick of familiarity to coax victims into falling for the attack, while subjects suggesting the email is part of a previous conversation serve a similar goal: to get the user to trust the sender.

Many of the most-used subject lines also refer to finance and payments; if the recipient thinks they might lose money if they don't respond, they'll likely jump to it. The same also goes for messages about payments – an employee might think it will look bad if they leave somebody without being paid, especially if the request comes from someone who is their senior.
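Because the bait is so formulaic, the same patterns make a serviceable first-pass filter. The script below is an added example, not code from the original article and not Barracuda's tooling: it scores incoming messages on the subject phrases from the list above, on a display name that matches an executive but an address from outside the company, on a sender domain one or two characters away from the company's, and on a "Re:" subject with no thread headers behind it. The company domain, executive names and messages are constructed for the demonstration.

```python
"""Flag inbound mail that matches the pressure patterns in the subject-line list.

Added example, not from the original article or from Barracuda. The rules
implement the tricks the article describes; thresholds are illustrative.
"""
import re

INTERNAL_DOMAIN = "example.com"                  # assumed company domain
EXECUTIVES = {"pat lee", "chris park"}            # hypothetical people worth impersonating
PRESSURE = ["request", "follow up", "urgent", "important",
            "are you available", "are you at your desk", "hello"]
FINANCE = ["payment status", "purchase", "invoice due",
           "direct deposit", "expenses", "payroll"]
REPLY_PREFIX = re.compile(r"^((re|fw|fwd)\s*:\s*)+")


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_sender(from_header):
    """'Pat Lee <pat@x.example>' -> ('pat lee', 'pat@x.example')."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>', from_header)
    if m:
        return m.group(1).strip().lower(), m.group(2).strip().lower()
    return "", from_header.strip().lower()


def score_message(msg):
    """Return (score, reasons); each rule corresponds to one trick in the article."""
    name, addr = split_sender(msg["from"])
    domain = addr.rpartition("@")[2]
    subject = msg["subject"].strip().lower()
    topic = REPLY_PREFIX.sub("", subject)          # subject without Re:/Fwd: prefixes
    reasons = []
    if any(p in topic for p in PRESSURE):
        reasons.append(("pressure phrase in subject", 1))
    if any(p in topic for p in FINANCE):
        reasons.append(("payment-related subject", 2))
    if name in EXECUTIVES and domain != INTERNAL_DOMAIN:
        reasons.append(("executive display name from an outside address", 3))
    if domain != INTERNAL_DOMAIN and edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        reasons.append(("look-alike sender domain", 3))
    if topic != subject and not (msg.get("in_reply_to") or msg.get("references")):
        reasons.append(("'Re:' subject with no thread headers", 2))
    return sum(points for _, points in reasons), reasons


def flagged(messages, threshold=3):
    """IDs of messages scoring at or above the threshold."""
    return [m["id"] for m in messages if score_message(m)[0] >= threshold]


# Constructed sample messages (headers only).
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "Pat Lee <patlee@webmail.example>", "subject": "Request"},
    {"id": "m2", "from": '"Accounts" <ap@examp1e.com>', "subject": "Invoice Due"},
    {"id": "m3", "from": "Sam <sam@example.com>", "subject": "Re: lunch"},
    {"id": "m4", "from": "Alex <alex@partner.example>", "subject": "Re: Payment Status"},
    {"id": "m5", "from": "Sam <sam@example.com>", "subject": "Re: Direct Deposit",
     "in_reply_to": "<abc123@example.com>"},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["id"], score_message(m))
```

A rule like this belongs in front of a human, not in place of one: it will flag some legitimate invoices, and it cannot see a convincing message that avoids all four patterns. Its value is that the three highest-scoring tricks (executive name from outside, look-alike domain, fake thread) are exactly the ones staff are least likely to notice under time pressure.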

"Increasingly the social element is becoming the key "attack vector" in cybersecurity attacks. In the past, attackers sent ransomware emails, which actually took over the computer and encrypted the files, asking for a ransom," Asaf Cidon, VP for content security at Barracuda Networks told ZDNet.

"But today, they don't even need to send ransomware. They can simply use social manipulation to get the recipient to send a ransom – which is far cheaper, more effective and harder to detect."

To avoid falling victim to phishing attacks, cybersecurity researchers recommend implementing DMARC authentication to stop attackers from sending mail that appears to come from your own domain, along with multi-factor authentication to give users an extra layer of protection. DMARC only blocks anything once its policy is set to quarantine or reject; a monitoring-only policy just reports the spoofed mail after it has been delivered. Those techniques should be combined with user training and the use of security software.
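A DMARC record is a single DNS TXT entry, and whether it protects you comes down to a few tags in it. The checker below is an added example, not code from the original article: it parses a record and reports whether the policy actually causes spoofed mail to be quarantined or rejected, or merely monitored. The records are constructed; for a real domain you would fetch the TXT record at `_dmarc.<your-domain>` (for instance with `dig TXT _dmarc.example.com`) and pass it in.

```python
"""Parse a DMARC record and say whether it actually blocks spoofing.

Added example, not from the original article. Records below are constructed;
for a real domain, look up the TXT record at _dmarc.<domain> and pass it in.
"""


def parse_dmarc(record):
    """'v=DMARC1; p=reject; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'reject', 'rua': 'mailto:x'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return the effective policy and the reasons it might not stop spoofed mail."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "blocks_spoofing": False, "problems": ["missing v=DMARC1 tag"]}
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return {"valid": False, "blocks_spoofing": False, "problems": ["p tag missing or invalid"]}
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    subdomain_policy = tags.get("sp", policy).lower()   # sp defaults to p
    problems = []
    if policy == "none":
        problems.append("p=none only monitors; spoofed mail is still delivered")
    if pct < 100:
        problems.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if subdomain_policy == "none" and policy != "none":
        problems.append("sp=none leaves subdomains unenforced")
    if "rua" not in tags:
        problems.append("no rua= address, so you receive no aggregate reports")
    return {
        "valid": True,
        "policy": policy,
        "subdomain_policy": subdomain_policy,
        "pct": pct,
        "blocks_spoofing": policy in ("quarantine", "reject") and pct == 100,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed records: the usual starting point, a half-way house, and the goal.
    for rec in ["v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]:
        print(rec, "->", assess_dmarc(rec))
```

The usual rollout is to start at `p=none` to collect reports, then move to `quarantine` and finally `reject` once you have confirmed that all your legitimate senders pass SPF or DKIM; the point of the checker is to notice when a domain has stalled at the first step.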



Massachusetts Public Defender System Hit with Ransomware Attack

The Massachusetts Committee for Public Counsel Services (CPCS) is in the process of restoring its systems from backups in the wake of a February ransomware attack. CPCS CIO Daniel Saroff says that the organization’s network was hit with both a Trojan and ransomware. The organization did not pay the ransom. The attack has caused attorneys who work through CPCS’s bar advocate program to miss a payday. A notice on the website as of Monday evening, March 18, says “CPCS’s computer systems have been attacked and are not working properly. We are still representing clients. In addition, there is no evidence that confidential information from clients has been released as a result of these attacks.”

The Massachusetts public defender agency has been unable to access its IT network for weeks, following a cyber attack that forced the shutdown of its email service.

The Committee for Public Counsel Services suffered both a ransomware attack, in which hackers demand money to restore access to data, and a Trojan horse attack in which malicious software is installed on a network, CPCS Chief Information Officer Daniel Saroff told MassLive.

The committee, which employs staff attorneys but also manages the bar advocate program that assigns private lawyers to represent indigent criminal defendants, immediately shut down its servers to prevent further damage, Saroff said.

That has left CPCS unable to pay the bar advocates who handle 80 percent of the public defender caseload in Massachusetts, CPCS told MassLive. CPCS has since cleared the ransomware off its network and is gradually restoring its systems from backup data.

“The comptroller and the courts and executive branch and the legislature have all been extremely supportive of us," CPCS General Counsel Lisa Hewitt said.

CPCS refused to meet the payment demands made by the hackers, both because the committee had backups of its data and because complying with hackers can leave agencies vulnerable to future attacks, Saroff said.

The agency posted a notice on its website on Feb. 28 saying that its email service was down, but at that time did not publicly disclose the hack.

Saroff said that the organization has hired two consulting firms to assist in the recovery and harden its security. CPCS has not identified any data that was stolen, though that remains under investigation.

CPCS has contacted the Massachusetts Attorney General’s Office and the Office of Consumer Affairs and Business Regulation, as is standard protocol following a cyberattack, the committee told MassLive.

CPCS is working with the state comptroller’s office to speed payment to bar advocates, who have so far missed one payday.

“Our office is aware of this and we are reaching out to gather more information," a spokesperson for the Office of Attorney General Maura Healey said in a statement.




Wi-Fi 6: Is It Really That Much Faster?

Wi-Fi is about to get faster. That’s great news: faster internet is constantly in demand, especially as we consume more bandwidth-demanding apps, games, and videos with our laptops and phones.

But the next generation of Wi-Fi, known as Wi-Fi 6, isn’t just a simple speed boost. Its impact will be more nuanced, and we’re likely to see its benefits more and more over time.

This is less of a one-time speed increase and more of a future-facing upgrade designed to make sure our speeds don’t grind to a halt a few years down the road.

Wi-Fi 6 is just starting to arrive this year, and there’s a good chance it’ll be inside your next phone or laptop. Here’s what you should expect once it arrives.


Wi-Fi 6 is the next generation of Wi-Fi. It’ll still do the same basic thing — connect you to the internet — just with a bunch of additional technologies to make that happen more efficiently, speeding up connections in the process.


The short but incomplete answer: 9.6 Gbps. That’s up from 3.5 Gbps on Wi-Fi 5.

The real answer: both of those speeds are theoretical maximums that you’re unlikely to ever reach in real-world Wi-Fi use. And even if you could reach those speeds, it’s not clear that you’d need them. The typical download speed in the US is just 72 Mbps, or less than 1 percent of the theoretical maximum speed.

But the fact that Wi-Fi 6 has a much higher theoretical speed limit than its predecessor is still important. That 9.6 Gbps doesn’t have to go to a single computer. It can be split up across a whole network of devices. That means more potential speed for each device.


Instead of boosting the speed for individual devices, Wi-Fi 6 is all about improving the network when a bunch of devices are connected.

That’s an important goal, and it arrives at an important time: when Wi-Fi 5 came out, the average US household had about five Wi-Fi devices in it. Now, homes have nine Wi-Fi devices on average, and various firms have predicted we’ll hit 50 on average within several years.

Those added devices take a toll on your network. Your router can only communicate with so many devices at once, so the more gadgets demanding Wi-Fi, the more the network overall is going to slow down.

Wi-Fi 6 introduces some new technologies to help mitigate the issues that come with putting dozens of Wi-Fi devices on a single network. It lets routers communicate with more devices at once, lets routers send data to multiple devices in the same broadcast, and lets Wi-Fi devices schedule check-ins with the router. Together, those features should keep connections strong even as more and more devices start demanding data.


Unfortunately, there’s no easy answer here.

At first, Wi-Fi 6 connections aren’t likely to be substantially faster. A single Wi-Fi 6 laptop connected to a Wi-Fi 6 router may only be slightly faster than a single Wi-Fi 5 laptop connected to a Wi-Fi 5 router.

The story starts to change as more and more devices get added onto your network. Where current routers might start to get overwhelmed by requests from a multitude of devices, Wi-Fi 6 routers are designed to more effectively keep all those devices up to date with the data they need.

Each of those devices’ speeds won’t necessarily be faster than what they can reach today on a high-quality network, but they’re more likely to maintain those top speeds even in busier environments. You can imagine this being useful in a home where one person is streaming Netflix, another is playing a game, someone else is video chatting, and a whole bunch of smart gadgets — a door lock, temperature sensors, light switches, and so on — are all checking in at once.

The top speeds of those devices won’t necessarily be boosted, but the speeds you see in typical, daily use likely will get an upgrade.

Exactly how fast that upgrade is, though, will depend on how many devices are on your network and just how demanding those devices are.


You’ll need to buy new devices.

Wi-Fi generations rely on new hardware, not just software updates, so you’ll need to buy new phones, laptops, and so on to get the new version of Wi-Fi.

To be clear: this is not something you’ll want to run out to the store and buy a new laptop just to get. It’s not that game-changing of an update for any one device.

Instead, new devices will start coming with Wi-Fi 6 by default. As you replace your phone, laptop, and game consoles over the next five years, you’ll bring home new ones that include the latest version of Wi-Fi.

There is one thing you will have to make a point of going out and buying, though: a new router. If your router doesn’t support Wi-Fi 6, you won’t see any benefits, no matter how many Wi-Fi 6 devices you bring home. (You could actually see a benefit, though, connecting Wi-Fi 5 gadgets to a Wi-Fi 6 router, because the router may be capable of communicating with more devices at once.)

Again, this isn’t something worth rushing out and buying. But if your home is packed with Wi-Fi-connected smart devices, and things start to get sluggish in a couple years, a Wi-Fi 6 router may be able to meaningfully help.


There are two key technologies speeding up Wi-Fi 6 connections: MU-MIMO and OFDMA.

MU-MIMO, which stands for “multi-user, multiple input, multiple output,” is already in use in modern routers and devices, but Wi-Fi 6 upgrades it.

The technology allows a router to communicate with multiple devices at the same time, rather than broadcasting to one device, and then the next, and the next. Right now, MU-MIMO allows routers to communicate with four devices at a time. Wi-Fi 6 will allow devices to communicate with up to eight.

You can think of adding MU-MIMO connections like adding delivery trucks to a fleet, says Kevin Robinson, marketing leader for the Wi-Fi Alliance, an internationally backed tech-industry group that oversees the implementation of Wi-Fi. “You can send each of those trucks in different directions to different customers,” Robinson says. “Before, you had four trucks to fill with goods and send to four customers. With Wi-Fi 6, you now have eight trucks.”

The other new technology, OFDMA, which stands for “orthogonal frequency division multiple access,” allows one transmission to deliver data to multiple devices at once.

Extending the truck metaphor, Robinson says that OFDMA essentially allows one truck to carry goods to be delivered to multiple locations. “With OFDMA, the network can look at a truck, see ‘I’m only allocating 75 percent of that truck and this other customer is kind of on the way,’” and then fill up that remaining space with a delivery for the second customer, he says.

In practice, this is all used to get more out of every transmission that carries a Wi-Fi signal from a router to your device.


Another new technology in Wi-Fi 6 allows devices to plan out communications with a router, reducing the amount of time they need to keep their antennas powered on to transmit and search for signals. That means less drain on batteries and improved battery life in turn.

This is all possible because of a feature called Target Wake Time, which lets routers schedule check-in times with devices.

It isn’t going to be helpful across the board, though. Your laptop needs constant internet access, so it’s unlikely to make heavy use of this feature (except, perhaps, when it moves into a sleep state).

Instead, this feature is meant more for smaller, already low-power Wi-Fi devices that just need to update their status every now and then. (Think small sensors placed around a home to monitor things like leaks or smart home devices that sit unused most of the day.)


Last year, Wi-Fi started getting its biggest security update in a decade, with a new security protocol called WPA3. WPA3 makes it much harder for attackers to crack a Wi-Fi password by capturing a handshake and guessing offline, because its new handshake (SAE) forces each guess to go through the network, and it adds forward secrecy, so traffic an attacker recorded stays unreadable even if the password is later discovered.

Current devices and routers can support WPA3, but it’s optional. For a Wi-Fi 6 device to receive certification from the Wi-Fi Alliance, WPA3 is required, so most Wi-Fi 6 devices are likely to include the stronger security once the certification program launches.


Devices supporting Wi-Fi 6 are just starting to trickle out. You can already buy Wi-Fi 6 routers, but so far, they’re expensive high-end devices. A handful of laptops include the new generation of Wi-Fi, too, but it’s not widespread just yet.

Wi-Fi 6 will start arriving on high-end phones this year, though. Qualcomm’s latest flagship processor, the Snapdragon 855, includes support for Wi-Fi 6, and it’s destined for the next wave of top-of-the-line phones. The Snapdragon 855’s inclusion doesn’t guarantee that a phone will have Wi-Fi 6, but it’s a good sign: Samsung’s Galaxy S10 is one of the first phones with the new processor, and it supports the newest generation of Wi-Fi.

The inclusion of Wi-Fi 6 is likely to become even more common next year. The Wi-Fi Alliance will launch its Wi-Fi 6 certification program this fall, which guarantees compatibility across Wi-Fi devices. Devices don’t need to pass that certification, but its launch will signify that the industry is ready for Wi-Fi 6’s arrival.



What It Means When Microsoft Stops Supporting Your Version of Windows

Microsoft only supports each version of Windows for so long. For example, Windows 7 is currently in “extended support” until January 14, 2020, after which Microsoft will no longer support it. Here’s what that means.

No More Security Updates

When Microsoft stops supporting a version of Windows, Microsoft stops issuing security updates for that operating system. For example, Windows Vista and Windows XP no longer receive security updates, even if substantial security holes are found in them.

On January 14, 2020, the same will be true for Windows 7. Even if people discover huge security holes that affect Windows 7, Microsoft won’t issue you security updates. You’re on your own.

Sure, you can run antivirus tools and other security software to try protecting yourself, but antivirus is never perfect. Running software with the latest security updates is important, too. Antivirus is just one layer of defense. And even security programs will gradually drop support for older versions of Windows.

Microsoft will keep making security updates for Windows 7, even though you can’t get them. Large organizations can pay for Extended Security Updates (the program Microsoft announced for Windows 7; earlier it offered similar “custom support” contracts) to keep getting security updates for a period while they transition to a new operating system. Microsoft ratchets up the price each year to encourage those organizations actually to move to a new version of Windows. The same thing happened with Windows XP.

Software Companies Stop Supporting It Too

When Microsoft ends support for an operating system, that’s also a signal to other software and hardware companies. They’ll stop supporting that older version of Windows with their own software and hardware, too.

This doesn’t always happen immediately, but it does eventually. For example, Windows XP support ended on April 8, 2014. But Chrome didn’t stop supporting Windows XP until April 2016, two years later. Mozilla Firefox stopped supporting Windows XP in June 2018. Steam will officially drop support for Windows XP and Windows Vista on January 1, 2019.

It may take a few years—as it did with Windows XP—but third-party software will gradually drop support for Windows 7 after the end of support date.

Software companies dropped support for Windows Vista more quickly, as it was much less popular than Windows XP.

New Hardware May Not Work

New hardware components and peripherals will stop working on your system, too. These need hardware drivers, and manufacturers might not create those hardware drivers for your old, out-of-date operating system.

The latest Intel CPU platforms don’t even support Windows 7 and 8.1 right now, although those operating systems are technically still in “extended support” today. It’s already beginning, and Microsoft is still supporting Windows 7!

Sure, you can keep using your old operating system with your current software and hardware, but you have no guarantees of future updates or compatibility.

When Will Microsoft End Support

Technically speaking, there are multiple types of “support.”

Normal consumer versions of Windows 10—that is, Windows 10 Home and Windows 10 Pro—receive feature updates every six months. Those updates are then “serviced” for 18 months. That means they’ll receive security updates for eighteen months, but you can always get more security updates by updating to the next release. Windows 10 automatically installs these new releases, anyway.

But, if you’re still using Windows 10’s Creators Update for some reason, Microsoft stopped supporting it on October 9, 2018, because it was released on April 5, 2017.

Businesses using Enterprise and Education editions have the option of using some of these updates for longer. In Windows 10 parlance, they’re “serviced” for longer. Organizations using Windows 10 LTSB have even longer support periods.

Things are a bit different with older versions of Windows. Windows 7 left “mainstream support” on January 13, 2015. This means that Microsoft stopped non-security updates. In extended support, Windows 7 is just receiving security updates. Those will stop on January 14, 2020. (Note that Windows 7 only receives security updates if you’ve installed Service Pack 1.)

Windows 8.1 left mainstream support on January 9, 2018, and will leave extended support on January 10, 2023.

You Should Upgrade Rather Than Using an Unsupported Windows

We don’t recommend using a release of Windows that’s no longer supported by Microsoft. It’s just not secure.

We recommend upgrading to a newer version of Windows. Don’t like Windows 10? Well, then consider switching to Linux, trying out a Chromebook, or buying a Mac.

By the way, while Windows 7 only has until January 14, 2020, you can still upgrade from Windows 7 or 8 to Windows 10 for free.




SEC fines Voya $1M for Cybersecurity Failures

Almost eight years after the Identity Theft Red Flags rule went into effect, the SEC announced its first enforcement of the law.

The Des Moines, Iowa-based broker-dealer and investment advisor Voya Financial Advisors will pay $1 million to settle charges that it failed to adopt procedures that protected customer records and address weaknesses in its cybersecurity policy after cyber intruders gained access to the personal information of several thousand customers.

Over the course of six days in April 2016, cyber thieves impersonated Voya Financial Advisors contractors on the firm’s technical support line and requested that representatives’ passwords be reset for access to the proprietary web portal Voya used to share customer information with contractors.


The SEC order states that two of the phone numbers the impersonators used had already been identified by the company as linked to prior attempts to impersonate Voya Financial Advisor contractors. Nonetheless, Voya Financial’s support staff still reset their passwords and even provided the representative’s username.

While the affected contractors contacted the firm to report the suspicious account changes, the steps Voya took to end the intrusions did not work and the fraudsters were able to impersonate more contractors, the SEC order states.

Using the reset passwords, the thieves were able to access personal details for 5,600 of Voya’s 13 million customers. They then created new customer profiles using the information they’d gleaned from posing as contractors and even gained access to account documents for three clients. No customer lost money as a result of the attack, according to the SEC order and Voya Financial.

“Voya promptly addressed and reported the incident when it occurred two years ago, and we notified the individuals who were involved,” said Joe Loparco, Voya Financial’s vice president of communications in an emailed statement. “No personal information was downloaded from our systems, and there was no evidence of financial harm.”

The SEC’s order found that Voya Financial Advisors’ inability to end the intruders’ access comes from problems within its cybersecurity procedures, some of which had already been highlighted during previous fraudulent activity attempts. The firm’s cybersecurity procedures were also not applied to the systems used by its independent contractors, which comprise the largest portion of Voya’s workforce, the SEC order notes.

“Customers entrust both their money and their personal information to their brokers and investment advisers,” said Stephanie Avakian, co-director of the SEC Enforcement Division in a statement. “[Voya] failed in its obligations when its deficiencies made it vulnerable to cyber intruders accessing the confidential information of thousands of its customers.”

Voya Financial Advisors agreed to be censured and pay the $1 million penalty, but admitted no wrongdoing. It will, however, hire an independent consultant to review its procedures for compliance with the Safeguards Rule and Identity Theft Red Flags Rule.

Loparco added that Voya Financial Advisors has since improved its cybersecurity procedures to prevent a similar situation from reoccurring.
“This case is a reminder to brokers and investment advisors that cybersecurity procedures must be reasonably designed to fit their specific business models,” said Robert Cohen, chief of the SEC enforcement division’s cyber unit. “They also must review and update the procedures regularly to respond to changes in the risks they face.”

Businesses would do well to heed Cohen’s advice and evaluate their own cybersecurity policies and make improvements as experts in the cybersecurity space feel the SEC will be increasing their enforcement of these rules.

“We think the SEC is just scratching the surface,” said Sid Yenamandra, co-founder and CEO of Entreda, a cyber security firm that works with wealth management practices and brokerages. “In this particular case, Voya just happened to be the company that was flagged. But this could happen to any organization.”



What is the Difference Between Sync and Backup?

To Sync or Backup, That is the Question

Syncing and backing up files are often used as interchangeable solutions for protecting data, but there are critical differentiators between the two options, especially when it comes to data restoration, that all business owners should understand.

Let’s explore the differences between syncing and backing up data.

File Backup

Backup refers to copying data from one location to another. For example, duplicating information from your laptop to an external hard drive, the cloud, another computer or a flash drive.

Backing up files tends to be the most traditional and reliable way a business can both protect their digital assets and ensure business continuity.

The benefits of backing up files include:

  • It can be automatic, so users can rest assured their information is safe, without doing anything
  • Users don’t need technical acumen, like setting up specific folders or dropping into the command line to take action
  • Backup that occurs multiple times a day provides snapshots of your data, which allows you to access multiple versions of your content
  • With cloud-managed backup services, you don’t need on-premise infrastructure and can check-in on backup status anytime, anywhere

Backup is also useful for anyone who stores copious amounts of videos. Syncing often works with public cloud-based services, which have storage limits. To save space, most people opt to store videos locally, then back them up for security.

Syncing Files

To sync data means that two or more locations are kept holding the same, most recent version of each file. The most common example in business is the use of syncing and sharing services like:

  • Dropbox
  • Box
  • Google Drive
  • OneDrive
  • Evernote

These services allow data to be stored in an approved data repository, then accessed remotely by anyone with permission via PCs, laptops, tablets or smartphones.

While syncing can be an incredibly powerful option for accessing and collaborating on work, it’s often most effective with an additional backup system in place.

This is true for a number of reasons, the first being that synced files can easily be misplaced as syncing directories between machines can get confusing. And even when you pay the premium to help improve search power, like selective syncing products, the setup can be overly technical.

Secondly, syncing to one of these services doesn’t make your content immune to ransomware.

For example, if ransomware runs on your laptop while a cloud sync client like OneDrive is connected, the malware encrypts the files on the laptop and the sync client then does exactly what it is built to do: it uploads the encrypted versions, overwriting the good copies in the cloud, and pushes them down to every other device that syncs the same folder. The cloud service itself is not running the malware; it is simply mirroring the latest state of your files, which is now unusable.

In the event of data loss or a ransomware attack, restoration of the data, site structure, and permissions can be a long, and sometimes manual process — unless your data has been backed up.
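The following Python script is an added illustration of the point above; it is not code from the original post or from any sync or backup vendor. It models a sync client as a mirror (the destination always equals the source) and a backup job as a series of dated snapshots, then runs a constructed stand-in for ransomware over the local folder. The folder layout, file names, contents and snapshot labels are all invented for the demo, and the XOR used to wreck the files is a placeholder for encryption, not real cryptography.

```python
"""Added example (not from the original post): a tiny model of a sync mirror
next to a versioned snapshot backup, then a simulated ransomware run that
overwrites a file with ciphertext. All paths, names and contents are
constructed for the demo."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sync_to_mirror(src: Path, mirror: Path) -> None:
    """Mirror semantics: the destination always matches the source. Whatever
    the latest local content is (including ciphertext left by ransomware)
    is what the cloud copy ends up holding."""
    if mirror.exists():
        shutil.rmtree(mirror)
    shutil.copytree(src, mirror)


def snapshot_backup(src: Path, store: Path, label: str) -> dict:
    """Snapshot semantics: each run writes a new copy of every file under
    store/<label>/ and records a SHA-256 per file so a restore can pick any
    earlier version. Returns the snapshot's manifest."""
    manifest = {}
    dest = store / label
    for path in src.rglob("*"):
        if path.is_file():
            rel = path.relative_to(src)
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)
            manifest[str(rel)] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def fake_ransomware(src: Path, key: int = 0x5A) -> None:
    """Constructed stand-in for ransomware: XOR every byte of every file and
    drop a note. XOR is NOT encryption; it is only here so the demo visibly
    destroys the plaintext."""
    for path in src.rglob("*"):
        if path.is_file():
            path.write_bytes(bytes(b ^ key for b in path.read_bytes()))
    (src / "READ_ME.txt").write_text("your files are encrypted")


def restore_from_snapshot(store: Path, label: str, rel: str) -> bytes:
    """Pull one file back out of a named snapshot."""
    return (store / label / rel).read_bytes()


def run_demo() -> dict:
    """Morning backup, sync, infection, sync again, afternoon backup; then
    report which copies still match the original file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        laptop, mirror, store = root / "laptop", root / "cloud_sync", root / "backup"
        laptop.mkdir()
        (laptop / "q1_report.docx").write_bytes(b"Q1 revenue: 1.2M")  # constructed content
        original = (laptop / "q1_report.docx").read_bytes()

        snapshot_backup(laptop, store, "0900")  # morning backup run
        sync_to_mirror(laptop, mirror)          # sync client mirrors the laptop

        fake_ransomware(laptop)                 # infection on the endpoint
        sync_to_mirror(laptop, mirror)          # sync faithfully pushes the ciphertext
        snapshot_backup(laptop, store, "1300")  # afternoon backup captures the bad state too

        return {
            "mirror_matches_original": (mirror / "q1_report.docx").read_bytes() == original,
            "mirror_has_ransom_note": (mirror / "READ_ME.txt").exists(),
            "latest_snapshot_matches_original":
                restore_from_snapshot(store, "1300", "q1_report.docx") == original,
            "earlier_snapshot_matches_original":
                restore_from_snapshot(store, "0900", "q1_report.docx") == original,
        }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

Running it shows the mirror holding only ciphertext plus the ransom note, the afternoon snapshot equally useless, and the morning snapshot still intact, which is why snapshot frequency and retention matter as much as having a backup at all. Real sync services often keep some version history, which softens this, but getting it back still means pulling each version over the internet, the point the recovery section below makes.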

Sync vs. Backup: Data Recovery

When it comes to recovering data, there are marked differences between sync and share services and backup recovery.

When it comes to sync and share, most often you can only recover data over the internet. That means if you need access to several gigabytes of data, not only can the process be time-consuming, but it’s also not a reliable method of recovery, as there may be errors if the internet connectivity drops or files fail to transfer.

Additionally, if you’re on the hook to pay for storage or egress of the data, recovering information can be expensive with public cloud or sync and share services.

Backing up data should make it easier for organizations to:

  • Recover lost files and folders
  • Locate emails, contacts, files, and folders through robust search capabilities
  • Leverage larger, or unlimited, storage capabilities to cost-effectively recover mass data

The Bottom Line

While syncing and backup strategies can work well in unison, a backup solution will always reign supreme.  

In fact, industry experts recommend keeping a total of three copies of your backed-up data, each stored in a different way.

From drive failures to malicious attacks on your information, you can never be too careful. And, without backing up your critical data, it may be impossible to access or recover your information in the event of accidental or malicious activity that impacts your organization.

Final takeaway: Whatever your plan is, for business continuity’s sake, make sure you act now. Without a plan in place, your data is at risk.


Continue reading

How to Stop the Cycle of Technology Stage Fright

Everyone has been there.

The annual industry conferences.  A time to soak it all in.  The educational sessions, the community camaraderie, the inspiring keynote speeches.  The coliseum of tech vendors, where the rows of system demos and salespeople seem endless.

Let the vicious cycle begin: tech window shopping followed by foggy uncertainty.  By the time attendees get home, they are often more confused than when they arrived. The bling of the event wears off and the real questions bubble to the surface.

“How will we implement all this software?”

“Will the tech integrate with what we already have in place?”

“Will the price be worth the pain?”

This is the beginning of Technology Stage Fright.

“Let’s keep an eye on those tech companies and revisit in 6 months”

“Not sure we really need the tech – we are OK…right?”

“The cost & the hassle isn’t worth it”

Rinse & repeat.


How can firms stop the cycle of tech stage fright?


New technology WILL impact your business!

  • Business Growth & Your Team:  Staff will have less capacity to service business growth as they convert or implement technology.  Tech projects can be tough.  Prepare your teams,  assess their workloads and adjust accordingly.  Remember –  the goal will bring value in the long term.
  • Internal Processes:  New tech often upsets current processes.  Be flexible and consider updating your internal processes to match your tech & integrations.  You might be surprised by the efficiencies you uncover!


Conversion, Implementation & Training takes time!

  • Timeline: Create a timeline that accounts for hiccups & real-life implementation hurdles.  Consider the different roles & users that will be using the new tech and map out realistic expectations for staff to learn & adapt.
  • Usage vs. Adoption: Remember tech usage IS NOT tech adoption.  The goal is adoption – baking your firm’s repeatable processes into your tech & integration landscape.
  • Prioritize: Identify & track your milestones, goals, pain points, needs & wants.


Use the industry as your resource.

  • Ask vendors for referrals, reach out to Custodians or colleagues and ask about their research & experiences.


Continue reading

Georgia County Paid $400K to Ransomware Hackers

Just days after informing residents that its computer systems were severely crippled by a ransomware attack, the government of Jackson County, Georgia, paid hackers $400,000 to regain access to its files.

The payment, one of the largest recent sums to pay off a ransomware scheme, was first reported by the Athens Banner-Herald.

County officials said last week that a ransomware attack locked agencies out of nearly all their systems, forcing many, including the sheriff’s office, to resort to carrying out operations on paper.

“We are doing our bookings the way we used to do it before computers,” Sheriff Janis Mangum told StateScoop.

The Banner-Herald reported that County Manager Kevin Poe made the decision to pay the ransom after speaking with cybersecurity consultants, who advised him that rebuilding networks from scratch — as other ransomware victims, like Atlanta, have done — could be a long and costly process for the 60,000-person county.

“We had to make a determination on whether to pay,” Poe told the Banner-Herald. “We could have literally been down months and months and spent as much or more money trying to get our system rebuilt.”

After paying, the hackers sent a decryption key that allowed county workers back into their computer systems.  The county is also working with the FBI, which tells ransomware victims not to pay up.

Poe also said the ransomware that took down Jackson County’s systems has been identified as Ryuk, a strain that demands far higher payments than most others. Research published last month by McAfee and Coveware found that the hackers behind Ryuk typically ask for 100 bitcoin, equal to about $384,000 as of this writing. Ryuk is now believed to have originated in Eastern Europe or Russia, contradicting earlier reports of origin in North Korea.


Continue reading

2018 Data Breaches

2018 saw some of the biggest data breaches yet, with Marriott, Under Armour and Facebook suffering breaches that affected 500 million, 150 million and 100 million people respectively.

It was also the year of the GDPR (General Data Protection Regulation), which changed the way organisations handle customers’ personal data and introduced hefty fines for non-compliance.

However, the Regulation didn’t seem to reduce the scale of the problem: approximately 2.3 billion records were exposed in data breaches last year, compared to 826 million in 2017.

See the ‘List of data breaches and cyber attacks’ blog posts and the accompanying infographic for a summary of the reported data breaches of 2018.


Continue reading

Will 2019 Be the Year of Blockbuster Cybersecurity Enforcement by the SEC?

After years of admonishing financial institutions and public companies to take cybersecurity more seriously, the U.S. Securities and Exchange Commission (SEC) appears ready to back up its words with investigations and penalties. Starting with Jay Clayton’s confirmation as SEC Chair in 2017, the agency has enhanced its efforts to protect investors and markets from increasingly dangerous and costly cyber threats. Indeed, the SEC’s conduct over the past two years—including creating a dedicated Cyber Unit in its Enforcement Division and bringing several first-of-their-kind cybersecurity enforcement actions—foretells that the agency is prepared to take an even more aggressive approach in addressing cybersecurity issues among the entities it supervises. As a result, firms that have yet to dedicate sustained attention to their cyber threats and risks may find that the SEC is far more willing to use a stick rather than a carrot to obtain compliance.

The SEC’s Focus On Cybersecurity

Since his confirmation as SEC Chair in 2017, Clayton has made cybersecurity one of the SEC’s main priorities. In 2017, Clayton formed the cybersecurity working group, an initiative to coordinate information sharing, risk monitoring, and incident response throughout the SEC. In discussing the working group, Clayton defined the SEC’s cyber focus as “identifying and managing cybersecurity risks and ensuring that market participants—including issuers, intermediaries, investors and government authorities—are actively engaged in this effort and are appropriately informing investors and other market participants of these risks.” See SEC Public Statement, Statement on Cybersecurity (Sept. 20, 2017). In September 2017, the SEC also announced the creation of a Cyber Unit. The Cyber Unit was formed to consolidate the expertise of the SEC’s Division of Enforcement and enhance its ability to identify and investigate a wide range of cyber-related threats, including (1) market manipulation schemes involving false information communicated electronically; (2) hacking to obtain material nonpublic information; (3) fraud involving blockchain technology and “initial coin offerings”; (4) hacking into retail brokerage accounts; and (5) cyber threats to trading platforms and market infrastructure. In commenting on the Cyber Unit’s launch, Stephanie Avakian, co-director of the SEC’s Enforcement Division, identified cyber-related threats as “among the greatest risks facing investors and the securities industry.” SEC Press Release 2017-176, SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors (Sept. 25, 2017). Since its creation, the Cyber Unit has wasted little time in bringing cases. According to the Enforcement Division’s 2018 Annual Report, during 2018, the SEC brought 20 stand-alone cases related to cybersecurity and has 225 cyber-related investigations that it deems “ongoing.” See SEC Annual Report, Division of Enforcement (Nov. 2, 2018).

In several cases, the enforcement actions were first-of-their-kind, as discussed below. The SEC’s focus on cybersecurity also appears to be driven by its own experience with cybersecurity issues. The same month that the SEC announced the creation of its Cyber Unit, the SEC announced that it, too, had experienced data breaches. In an extended Statement on Cybersecurity that likely is also intended to serve as a model for public companies in discussing their own material cybersecurity risks and incidents, Clayton announced a number of cybersecurity risks and data incidents affecting the SEC, the most significant of which involved hackers gaining access to the SEC’s EDGAR filing database in 2016 to steal unreleased corporate filings that potentially contained material nonpublic information. See SEC Public Statement, Statement on Cybersecurity (Sept. 20, 2017).

By Joseph Facciponti and Katherine McGrail. Outside Counsel column, Volume 261, No. 38, Wednesday, February 27, 2019. Joseph Facciponti and Katherine McGrail are partners at Murphy & McGonigle, P.C., a financial services law firm. Mr. Facciponti is a former cybercrime prosecutor at the U.S. Attorney’s Office for the Southern District of New York. Ms. McGrail counsels financial institutions on compliance with industry regulations and serves as the firm’s chief diversity and inclusion officer.

Cyber Disclosure Guidance

One of the centerpieces of the SEC’s enhanced cybersecurity strategy is in encouraging public companies and issuers to be transparent with the investing public about their material cyber risks and incidents. In September 2017, Clayton said that he is “not comfortable that the American investing public understands the substantial risks that we face systemically for cyber issues, and I’d like to see better disclosure around that.” C. Germaine, Clayton Says No Shift in Enforcement Priorities at SEC, Law360 (Sept. 6, 2017). Perhaps exemplifying the SEC’s concerns, that same month, credit reporting agency Equifax disclosed that an unknown attacker had stolen personally identifiable information of approximately 145 million consumers. K. Coen, Populist Pitchforks Come Out: Insider Trading and Equifax, Law360 (Nov. 6, 2017). Equifax faced immediate public criticism over the timeliness and adequacy of its disclosure, which came approximately six weeks after it discovered the breach. Further, questions were raised about potential insider trading by four Equifax executives, including the Chief Financial Officer, all of whom collectively sold $1.8 million of Equifax shares between the time the breach was discovered and when it was disclosed to the public. Id. An internal review ultimately cleared those executives of any wrongdoing.

In February 2018, and consistent with the SEC’s focus on disclosure—and perhaps in response to the Equifax breach—the SEC published revised guidance regarding public company disclosures about material cyber risks and incidents (2018 Guidance). See SEC Release Nos. 33-10459 & 34-82746, Commission Statement and Guidance on Public Company Cybersecurity Disclosures (Feb. 26, 2018). The 2018 Guidance consolidated and built upon the SEC’s prior guidance on disclosure obligations relating to cybersecurity, particularly the Division of Corporation Finance’s guidance from 2011. Among other things, the 2018 Guidance addresses topics such as: (1) the criteria for determining whether a cyber risk or incident is “material”; (2) how promptly companies must disclose material cyber incidents; (3) the level of specificity required when disclosing material cyber risks; and (4) the need to adopt policies and procedures to prevent insider trading on as-yet undisclosed cyber incidents.

Disclosure-Related Enforcement Actions

At the time the 2018 Guidance was released, it was still unclear whether the SEC would bring an enforcement action against an issuer that failed to disclose material cyber risks or incidents to the investing public. Previously, Stephanie Avakian said that she could “absolutely” envision a situation in which the SEC would bring an enforcement action for inadequate cyber disclosures. J. Hoover, SEC Suits Over Cyber Reporting Could Be on the Horizon, Law360 (April 20, 2017).

That uncertainty was resolved in April 2018, when the SEC announced its first-ever enforcement action against a public company for failing to disclose a breach. The enforcement action involved Yahoo, which the SEC alleged had misled shareholders by not disclosing in its public filings for nearly two years a data breach that affected hundreds of millions of its internet email subscribers. See SEC Press Release 2018-71, Altaba, Formerly Known as Yahoo!, Charged with Failing to Disclose Massive Cybersecurity Breach; Agrees to Pay $35 Million (April 24, 2018). The Yahoo breach only came to light as a result of merger discussions with Verizon, which sought to purchase the company. According to the SEC, Yahoo’s senior management and legal staff allegedly “did not properly assess the scope, business impact, or legal implications of the breach, including how and where the breach should have been disclosed in [its] public filings or whether the breach rendered, or would render, any statements made by [it] in its public filings misleading.” The SEC further noted that the company’s disclosures in its public filings were misleading to the extent they omitted known trends or uncertainties presented by the data breach. In addition, the SEC alleged the risk factor disclosures in the company’s public filings were misleading in that they claimed the company only faced the risk of potential future data breaches without disclosing that a data breach had in fact already occurred. The SEC noted that while immediate disclosure (such as in a Form 8-K) is not always necessary in the event of a data breach, the breach should have been disclosed in the company’s regular periodic reports. The company ultimately agreed to pay a $35 million fine.
In the case of Yahoo, the failure to disclose the breach had a clear effect on the company’s shareholders, who saw Verizon reduce its purchase price for Yahoo by $350 million after the breach was disclosed. In announcing the Yahoo enforcement action, Steven Peikin, co-director of Enforcement, observed that “[w]e do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.” Id. It remains to be seen whether the SEC will take any actions with respect to Equifax for its six-week delay in disclosure of its 2017 breach. 



Continue reading

The Overlooked Security Threat of Sign-In Kiosks

Daniel Crowley has a long list of software platforms, computers, and internet-of-things devices that he suspects he could hack. As research director of IBM’s offensive security group X-Force Red, Crowley's job is to follow his intuition about where digital security risks and threats may be lurking and expose them so they can be fixed. But so many types of computing devices are vulnerable in so many ways, he can’t chase down every lead himself. So he does what any self-respecting research director would do: He hires interns, two of whom have found a slew of bugs in software platforms that offices rely on every day.

On Monday, IBM is publishing findings on vulnerabilities in five “visitor management systems,” the digital sign-in portals that often greet you at businesses and facilities. Companies buy visitor management software packs and set them up on PCs or mobile devices like tablets. But X-Force interns Hannah Robbins and Scott Brink found flaws—now mostly patched—in all five mainstream systems they looked at from the visitor management companies Jolly Technologies, HID Global, Threshold Security, Envoy, and The Receptionist. If you had signed in on one of these systems, an attacker could've potentially nabbed your data or impersonated you in the system.

“There’s this moment of surprise when you start assessing real products, real devices, real software and see just how bad certain things are,” Crowley says. “These systems would leak information or not properly authenticate a person, or would allow an attacker to break out of the kiosk environment and control the underlying systems to plant malware or access data.”

The systems X-Force Red analyzed don’t integrate directly with systems that print access badges, which would have been an even greater security concern. Still, the researchers found vulnerabilities that endangered sensitive data and created security exposures.

The very nature of visitor management systems is partly to blame. Unlike the remote access attacks most organizations anticipate and attempt to block, a hacker could easily approach a visitor management system with a tool like a USB stick set up to automatically exfiltrate data or install remote-access malware. Even without an accessible USB port, attackers could use other techniques, like Windows keyboard shortcuts, to quickly gain control. And while faster is always better for an attack, it would be relatively easy to stand at a sign-in kiosk for a few minutes without attracting any suspicion.

Among the mobile products the researchers looked at, The Receptionist had a bug that could potentially expose users’ contact data to an attacker. Envoy Passport exposed system access tokens that could be used to both read data and write, or input, data.

"IBM X-Force Red discovered two vulnerabilities, but customer and visitor data was never at risk," Envoy wrote in a statement. "Worst case, these issues could cause inaccurate data to be added to the systems we use to monitor how our software is performing." The Receptionist did not provide comment by deadline.

Among the PC software packs, EasyLobby Solo by HID Global had access issues that could allow an attacker to take control of the system and potentially steal Social Security numbers. And eVisitorPass by Threshold Security had similar access issues and guessable default administrator credentials.


Continue reading

Common Attack Hackers - Think Like a Hacker Presentation

Please join Contextual Security and True North Networks, leaders in compliance and security services, for an upcoming seminar that will focus on the most commonly used attack vectors deployed externally and internally by Contextual’s assessment team. Relevant examples will include host-based attacks, network exploits, password attacks, and phishing examples. The presentation will include time for questions from attendees and will provide real-world attack planning and execution strategy from the perspective of a penetration tester.


Event Details:

Date: Thursday April 11th

Time: 11:30am-1:30pm

Venue: Pappadeaux's Seafood Kitchen, 18349 Dallas Parkway, Dallas, TX 75287


Register TODAY

Lunch is provided; Space is limited


Slade Griffin is the Director of Critical Infrastructure Security at Contextual Security Solutions where he leads the cybersecurity services practice. A very dynamic presenter often speaking at security conferences, he has over 14 years of experience in the security industry specializing in assessments, forensic analysis, and incident response.



Continue reading

Insurance Industry Battles Back Against Fiduciary Standard

The three leading insurance and agent associations are working in tandem to support a state “standard of care” proposal for agents that rejects fiduciary responsibility for agents and advisors. At stake, they say: middle-class investors.

By avoiding a fiduciary standard, more insurance companies and agents will be able to continue to offer “small and moderate balance savers and typical buy-and-hold investors who rely on commission-based advice for their retirement needs,” the American Council of Life Insurers, the Association of Advanced Life Underwriting and the National Association of Insurance and Financial Advisors said in a joint statement supporting the National Association of Insurance Commissioners’ (NAIC)’s “Suitability in Annuity Transactions Model Regulation.”

The NAIC’s draft model—years in the making and still a proposal—would require an agent to act with reasonable diligence, care, skill and prudence on behalf of clients and to disclose conflicts of interest as well as cash and non-cash compensation. The proposal relies heavily on consumers’ ability to decipher myriad legal disclosures.

“We support rules requiring all financial professionals, when making a recommendation, to act in the consumer’s best interest—with care, skill, prudence, and diligence—based on the consumer’s financial needs and objectives. Financial professionals also support requirements to avoid or reasonably manage conflicts of interest through increased transparency,” the three insurance associations said in their joint statement.

Industry groups have much at stake when it comes to controlling variable annuities regulation. Total annuity sales hit $59.5 billion for the second quarter of 2018, after the insurance and securities lobbies successfully overturned the Department of Labor’s fiduciary rule in court, according to the Limra Secure Retirement Institute. Sales had not been as high since early 2015, just before the DOL rule was being put in place.

“Experience with the Department of Labor’s now appropriately vacated investment advice fiduciary regulation showed that when faced with a fiduciary standard, many financial firms moved to a fee-for-service-only model, eliminating choice and access for small and moderate balance savers and typical buy-and-hold investors who rely on commission-based advice for their retirement needs,” the groups said in their joint statement.

“As a product that is designed as a long-term retirement solution, most annuities are sold on a commission basis. According to a LIMRA survey, if the Labor Department’s fiduciary regulation had remained in-force, 54 percent of advisors might have dropped or turned away small investors, resulting in as many as four million middle-class households losing access to information they need to ensure a secure retirement,” the group continued.

According to the latest available data, the median annual household income of annuity owners is $64,000. Eighty percent have total annual incomes below $100,000 and 35 percent have household incomes less than $50,000.

Will the NAIC’s proposed model be eclipsed by initiatives in states such as Maryland, which has introduced legislation that would apply a fiduciary standard to all agents and brokers? If successful, such a state standard could force VA issuers and agents to eliminate commissions altogether and sell only no-load variable annuities or at least more standardized, low-load products.

Even without the NAIC model—which would need to be approved by all 50 state legislatures—the domino effect of individual state fiduciary bills, as well as Securities and Exchange Commission and Finra initiatives, is sure to add a sober note to insurer and agent practices nationwide.

Federal regulators are using enforcement, tougher proposals and investor alerts to crack down on high-commission variable annuity sales, including “replacement” sales that generate high commissions and replacement penalty fees.

The insurance industry is battling back. In a self-published op-ed, ACLI President and CEO Susan K. Neely came out swinging against the Maryland fiduciary standard for brokers and agents.

“The problem comes with the fact that the bill in Maryland would make every financial professional who sells an annuity a 'fiduciary' of the customer. This would end commission-based sales because fiduciaries are generally not allowed to represent both the buyer and seller in the same transaction,” Neely said.

"If financial firms are forced to move to a model where the only way a consumer can get financial advice is if that consumer pays a fee to a financial professional year after year out of their own pocket, then lower- and middle-income consumers—everyday Americans—are far less likely to be able to consider all their options for their own retirement needs. It’s also unfair to consumers who don’t want a fee-based arrangement where the annual charges can become costly over time,” she added.


Continue reading

Microsoft touts coming Dynamics 365 Services and Apps for iOS, Android, HoloLens

Microsoft is readying new Dynamics 365 AI- and mixed-reality-centric services and applications for remote assistance, customized bots and more.

Microsoft is readying more new Dynamics 365 applications which officials are touting as AI- and mixed-reality-infused. At the "Microsoft Business Forward" conference in Paris on February 21, company officials outlined plans for several new business applications that are in the pipeline. Microsoft already has been building up its portfolio of Dynamics 365 AI and mixed-reality applications. The next wave of these kinds of applications will coincide with the April 2019 release of Dynamics 365, which Microsoft will be rolling out to customers from April to September 2019.

On the coming-soon Dynamics 365 app list:

Dynamics 365 Remote Assist for mobile devices. Microsoft has been touting its Remote Assist application for the HoloLens for a while now. Coming in a preview for Android first, Remote Assist for Mobile will allow users to work with an Android mobile device in conjunction with the HoloLens (or not) to collaborate remotely and troubleshoot issues. This app will be integrated with Dynamics 365 for Field Service. I asked Microsoft if/when there would be a Dynamics 365 Remote Assist app for iOS devices and was told by a spokesperson that Microsoft would evaluate this based on customer feedback.

Dynamics 365 Product Visualize. Microsoft officials foreshadowed plans for this application last year at Build. Coming first to iOS devices in preview form, the Product Visualize app is meant to help sellers showcase and customize products in their actual environments in industries like manufacturing, healthcare and automotive. This app will be integrated with Dynamics 365 for Sales and Microsoft Teams. I asked officials when and if Product Visualize would also be available for Android devices and was told by a spokesperson that Microsoft would evaluate this based on customer feedback.

Dynamics 365 Virtual Agent for Customer Service. This is a new cloud service for creating custom virtual assistants. The public preview of the Virtual Agent is slated to hit in April. At CES this year, Microsoft officials talked up a Microsoft solution accelerator -- a collection of templates and best practices -- designed to help users build their own custom virtual agents based on Microsoft's technology.

Dynamics 365 Fraud Protection. Fraud Protection is another new cloud service for e-commerce merchants, which is meant to help cut back on fraud loss; increase bank acceptance rates; and improve customers' online shopping experience. A public preview is coming in April 2019.

Dynamics 365 Customer Insights. This is another Dynamics 365 app designed to provide customer information. It's different from the previously announced Dynamics 365 AI for Customer Service Insights and Dynamics 365 AI for Market Insights. It's more focused on helping users retain customers and build loyalty through insights from their data.

Last year, Microsoft officially designated Remote Assist and Layout, two HoloLens applications developed by Microsoft for business users, part of its Dynamics 365 October release. During its Build 2018 developer conference, officials also said Microsoft was building two other new augmented/mixed reality apps for HoloLens: one for training and dev and another for product-focused collaboration. The Product Visualize app is the latter; the training and dev app has yet to be unveiled.

Microsoft recently published the release notes for its Dynamics 365 April 2019 release, which will begin rolling out to customers on April 5.

Continue reading

Automation Is Key To Thwarting Cloud Security Threats, New Oracle-KPMG Research Shows

Phishing attacks, unpatched systems, and unauthorized cloud applications are creating unrelenting risk for enterprise security teams. Automation of threat monitoring and patching of software vulnerabilities is often the best way, and increasingly the only effective way, to tackle those challenges.

That’s one of the key conclusions from a research project jointly conducted by Oracle and KPMG. The Oracle and KPMG Cloud Threat Report 2019, released in February, examines many threats facing organizations. The data comes from 450 cybersecurity and IT professionals from private- and public-sector organizations in the United States, Canada, United Kingdom, Australia, and Singapore.

Key findings from the Oracle and KPMG study include:

• 23% of respondents say their organizations don’t have the resources to manually patch all their systems. This calls out the need for automation in rolling out patches.

• 50% say that use of unsanctioned cloud applications resulted in unauthorized access to data; 48% say that unauthorized access introduced malware, and 47% say that data was lost. This points to the need to set policies to limit the use of unapproved cloud applications—and perhaps to introduce technology to automatically detect or block such uses.

• 92% are concerned that individuals, departments, or lines of business within the organization are violating security policies when it comes to the use of cloud applications. This may mean using unsanctioned cloud applications, or using sanctioned cloud applications in a way that isn’t sanctioned.

• 69% of organizations stated that they are aware of a moderate or significant amount of unapproved cloud applications, with another 15% stating they are aware of a few such apps in use. The appeal of cloud applications is tremendous, and employees aren’t going to let security policies or approval processes slow their adoption of them.

The big picture conclusion: It’s more important than ever that businesses use automation tools, in addition to human security analysts, to protect the business. The study also showed that it’s essential for CISOs to become more aware of the uses of cloud computing within their organizations, and that all parties in the business—including IT teams—need a better understanding of the shared security model for cloud computing.

Phishing Attacks Are Top Risk

The single most common cyberattack vector: phishing emails, either generic ones that flood employees’ inboxes or personally targeted “spearphishing” messages aimed at, say, a CFO or IT technician. In the Oracle-KPMG study, 27% of organizations were attacked in the past year with phishing emails carrying malicious attachments or links.

The next most common attack vectors: malware that moved laterally through the organization and infected a server (cited by 23% of respondents); misuse of privileged accounts by an employee (19%); and “zero day” exploits that exploited previously unknown vulnerabilities in operating systems or applications (18%).

When employees open a phishing email and click on a link, or open an attachment, many bad things can happen, but one of the nastiest is when the hacker installs malware or sends the employee to a faked-up web page to steal login credentials.
“Email is the number-one attack vector,” says Greg Jensen, senior director of cloud security at Oracle and coauthor of the Oracle and KPMG Cloud Threat Report 2019. “Employees have these human tendencies where they are drawn to look at an email, like moths to a flame. If it says ‘important’ or if it appears to originate from a known executive, I'm going to click it.” The same applies to a message formatted to look as if it comes from a trusted partner and asking for information.

As the report explains, these techniques, and other more sophisticated phishing attacks, can let the attacker gain access to cloud infrastructure services, or software-as-a-service. For example, perhaps the phished employee is a software developer, cloud administrator, or application release engineer. Armed with that employee’s credentials, “hackers can access cloud infrastructure management consoles, provision new services such as compute instances, and begin to move laterally across the affected company’s cloud infrastructure,” the report says.

The best way to stop phishing is to prevent the malicious message from getting to the recipient. Security software can help in this regard, such as by using advanced email security solutions that use artificial intelligence and machine learning to inspect email content—including addresses, message text, links, and attachments—to detect malware, links to malicious web sites, and business email compromises. So can machine-learning powered monitoring software that looks for out-of-the-ordinary behavior. If your US-based CFO logs onto your procurement system from the Ukraine in the middle of the night, your system can flag that as an anomaly that might point to a stolen credential.
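The anomaly the paragraph describes (a user's login arriving from a country never seen for that user, or at an hour outside their normal pattern) can be checked with a small per-user baseline. The following is an added illustration, not code from the Oracle/KPMG report or the blog; the log events, user names, systems and the 06:00–20:59 working-hours window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events: (ISO timestamp, user, source country, system).
# Timestamps are assumed to be in the user's local time zone.
EVENTS = [
    ("2019-03-04T09:12:00", "cfo", "US", "procurement"),
    ("2019-03-05T10:40:00", "cfo", "US", "procurement"),
    ("2019-03-06T14:05:00", "cfo", "US", "erp"),
    ("2019-03-07T08:55:00", "cfo", "US", "procurement"),
    ("2019-03-08T02:47:00", "cfo", "UA", "procurement"),  # new country, middle of the night
    ("2019-03-08T11:03:00", "analyst", "CA", "erp"),      # first login ever: no baseline yet
]

WORK_HOURS = range(6, 21)  # assumed normal window, 06:00 to 20:59 local time


def find_anomalies(events, min_history=3):
    """Walk events in time order and compare each login with the user's prior history.

    A login is flagged when the source country has never been seen for that user
    (only once at least `min_history` earlier logins exist, so a brand-new account
    is not flagged on its first day) and/or when it falls outside WORK_HOURS.
    Two matching conditions escalate the alert to 'high'.
    Returns a list of (timestamp, user, system, severity, reasons).
    """
    countries_seen = defaultdict(set)
    login_count = defaultdict(int)
    alerts = []
    for ts, user, country, system in sorted(events):
        reasons = []
        hour = datetime.fromisoformat(ts).hour
        if login_count[user] >= min_history and country not in countries_seen[user]:
            reasons.append(f"new country {country}; baseline {sorted(countries_seen[user])}")
        if hour not in WORK_HOURS:
            reasons.append(f"off-hours login at {hour:02d}:00")
        if reasons:
            severity = "high" if len(reasons) > 1 else "medium"
            alerts.append((ts, user, system, severity, reasons))
        # Update the baseline only after the comparison, so an event cannot vouch for itself.
        countries_seen[user].add(country)
        login_count[user] += 1
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(EVENTS):
        print(alert)
```

A real deployment would key the baseline on longer histories and ASN or device data as well, but the ordering rule (compare first, then learn) is what keeps the stolen-credential login from teaching the model that the new country is normal.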

Not Knowing the Shared Security Model

In an organization’s data center, the IT and security teams are responsible for all aspects of security. In the cloud, however, there’s a shared responsibility security model (SRSM) that includes both the cloud service provider and the enterprise customer.

Unfortunately, sometimes business units that implement cloud applications and infrastructure aren’t aware that the enterprise shares responsibility for securing those cloud applications, such as vetting the vendor, monitoring security alerts, patching the portions of the cloud they are responsible for, and ensuring that user authentication is strong and synchronized with existing on-premises credentials-management systems. This leads to situations where the CISO team isn’t involved with vendor selection, third-party security audits, and other activities that normally take place when onboarding a cloud service provider.

The shared responsibility security model for any particular cloud service explains the division of labor between the cloud service provider and the customer. For example, says the report, while some cloud service providers offer specific cloud security options such as data masking, it may be the responsibility of the customer to determine whether it’s appropriate to apply and manage those controls. Ultimately, it is the cloud service consumer’s responsibility to ensure their organization is protected.

“Organizations are being compromised because someone signed up for an unsanctioned cloud service, and they falsely believe that the cloud service provider will address all of the security requirements,” says KPMG risk-management consultant and report coauthor Brian Jensen (no relation to Oracle’s Jensen).

Automation Can Make a Difference

The number of alerts and incidents coming into a typical enterprise security team is too much to handle—and when alerts of anomalous end-user behavior are included (as they should be), the problem is likely to grow quickly.

A typical large enterprise deals with 3.3 billion events per month, “yet only 31 of those events are actually real security events or threats,” KPMG’s Jensen says. “That's truly a needle in a haystack—or worse.”

An enterprise can’t hire its way out of this mess, because it’s not feasible to find, recruit, hire, train, and retain so many security analysts. “The challenge will not be addressed with manpower alone; what is needed is intelligent automation and trained, skilled staff to architect a scalable solution that addresses the unique cloud risk use cases,” KPMG’s Jensen says.

Another looming risk comes from unpatched systems. When vulnerabilities are found in operating systems, applications, or device firmware (such as in Internet of Things implementations), it can take too long for IT staff, working with the security team, to install and test the required patches or configuration changes.

The answer is to let software do the tedious, repetitive grunt-work while human IT and security analysts focus on solving more difficult problems. Patching vulnerable hardware or software is among the most high-impact steps a cybersecurity team can take. Automated patching is used by 43% of organizations, the report finds, with 50% of larger organizations (1,000 or more employees) using it. A further 46% of all organizations plan to implement automated patching over the next 12 to 24 months.

The research shows a clear strategic intent to leverage automation for database patching. About one-quarter (24%) of respondents have fully or mostly automated patching of their database servers, and another 18% have somewhat automated their database patching. The report also details clear differentiators between the levels of automation organizations have adopted over the years and the forms of automation that are truly impactful.

The Imperative for Cloud Security

How can organizations protect the increasing number of business-critical cloud services? Make sure that employees are trained to recognize various forms of social engineering attacks, such as phishing—and because the hackers keep getting trickier, realize that training isn’t enough. So, it’s important to implement solutions that block phishing and spearphishing emails from reaching employees, and to continually monitor systems for signs of out-of-the-ordinary behavior that might signal an email compromise.

Organizations also need to enforce policies against using third-party cloud services without the full engagement and approval of IT and/or the security teams. Everyone needs to understand the specific shared responsibility security model for each cloud service, and, as much as possible, use automation to handle tedious, repetitive tasks such as triaging security alerts and applying patches and fixes to address vulnerabilities.

The 2019 threat report offers additional research information, as well as prescriptive ideas for addressing these and other enterprise security challenges as you transition to the business-critical cloud.