Tag Archives: internet

What is My Playbook if I Have a Cybersecurity Incident?

By Bryce Austin

“I have been investigating a large number of failed logins on your server. Due to the volume of failed attempts, it does appear that the attempts are coming from an outside source. My company recommends that you reach out to a Security Firm to have your network investigated for a possible breach.”

He couldn’t believe what he was reading. A local cybersecurity professional was forwarded the email above from his new client’s outsourced computer management company. The owner of the business was concerned, and for good reason. They had only brought him onboard as their part-time cybersecurity advisor the month before, and the vendor that manages their network had kicked this ball squarely into his court. He had to figure out what to do—fast.

The priorities were simple:

  • Alert his client’s executive team about the situation.
  • Determine if this is or is not a real hacking attempt.
  • If it is a real hacking attempt, determine how it is occurring.
  • Assess if the hack was successful in any way. Was any damage done? Was any data accessed?
  • If the hack was unsuccessful, terminate the hacker’s access immediately.
  • If the hack was successful, start making calls to his client’s CEO, their cybersecurity insurance carrier, a third-party company that specializes in breach remediation, and his client’s attorney.
  • Follow-up with root-cause analysis and recommend preventive measures.

It took over ten hours to determine the extent of the issue. Cybercriminals had breached a single server, and a malicious program was running on that server. It was trying various dictionary words as passwords against common “administrator” level accounts. He breathed a tiny sigh of relief to see that it had only started several hours earlier and appeared to be moving ahead at full steam, which meant that the bad guys had most likely not yet been successful at cracking an administrator-level password.
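The two questions that consumed most of those ten hours, where the failed logins are really coming from and whether the attacker has succeeded yet, can be answered from the authentication log in minutes if someone has a script ready before the incident. The following is an added example, not code from the article or from the firms it describes. It parses constructed sshd-style auth-log lines (not real data), groups them by source address, flags a brute-force burst, and reports any accepted login from the same source after the burst, which is the signal that a password was cracked. The "internal" flag assumes RFC1918 addressing, which the article does not specify; the thresholds are illustrative.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Linux sshd/auth.log format, written for this example.
# The first source is an internal host hammering admin accounts (as in the article),
# the second is a user who mistyped once and then used a key, the third is noise.
SAMPLE_LOG = """\
Mar  4 02:10:01 fileserver sshd[4121]: Failed password for root from 10.20.30.40 port 51022 ssh2
Mar  4 02:10:02 fileserver sshd[4121]: Failed password for root from 10.20.30.40 port 51023 ssh2
Mar  4 02:10:03 fileserver sshd[4122]: Failed password for administrator from 10.20.30.40 port 51024 ssh2
Mar  4 02:10:04 fileserver sshd[4123]: Failed password for administrator from 10.20.30.40 port 51025 ssh2
Mar  4 02:10:05 fileserver sshd[4124]: Failed password for admin from 10.20.30.40 port 51026 ssh2
Mar  4 02:10:06 fileserver sshd[4125]: Failed password for admin from 10.20.30.40 port 51027 ssh2
Mar  4 02:10:07 fileserver sshd[4126]: Accepted password for administrator from 10.20.30.40 port 51028 ssh2
Mar  4 02:12:30 fileserver sshd[4140]: Failed password for alice from 203.0.113.7 port 40011 ssh2
Mar  4 02:12:41 fileserver sshd[4141]: Accepted publickey for alice from 203.0.113.7 port 40012 ssh2
Mar  4 02:13:00 fileserver sshd[4150]: Failed password for invalid user test from 198.51.100.9 port 6001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Assumption for this example: "internal" means RFC1918 address space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_auth_log(text):
    """Return (timestamp, result, user, ip) tuples in log order; skips unrelated lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; only ordering and deltas matter here
        ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def max_in_window(times, window_seconds):
    """Largest number of sorted timestamps falling inside any window of the given length."""
    best, start = 0, 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage_sources(events, min_failures=5, window_seconds=60):
    """Per source IP: is it internal, how many failures, which accounts, is it a
    brute-force burst, and did any login succeed from that source after the burst began."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        failures = sorted((e for e in evs if e[1] == "Failed"), key=lambda e: e[0])
        burst = max_in_window([e[0] for e in failures], window_seconds) >= min_failures
        cracked = []
        if burst:
            first_fail = failures[0][0]
            cracked = sorted({e[2] for e in evs if e[1] == "Accepted" and e[0] >= first_fail})
        findings[ip] = {
            "internal": is_internal(ip),
            "failed": len(failures),
            "accounts": sorted({e[2] for e in failures}),
            "brute_force": burst,
            "possibly_cracked": cracked,
        }
    return findings


if __name__ == "__main__":
    for ip, f in triage_sources(parse_auth_log(SAMPLE_LOG)).items():
        print(ip, f)
```

Run against the sample, the internal host is flagged as a brute-force source with "administrator" listed under possibly_cracked, which is the finding that would have moved this incident from "contain and rotate" to "call the insurer and the breach-remediation firm". The lone failure followed by a key login is correctly left alone. Real logs will have other message shapes (PAM, Windows event 4625, VPN concentrators); the grouping and the "success after burst" check are the part worth keeping.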

The cybercriminals gained access into that server via a combination of a phishing email and a bad firewall configuration. Thankfully, forensics found no evidence of further intrusion.

His blood pressure began to return to a more reasonable level.

The example above is real, and while it represents the best possible outcome of a cybersecurity incident, it was used here to make a number of points. This client didn’t have a playbook on what to do when a cybersecurity incident is suspected, so they had to make it up as they went. Doing so took extra time and might have led them to miss obvious steps.

  • The company did not have documents outlining how to bring operations back online if the hack had been successful, nor did they have procedures to follow if it was determined that any sensitive data had been stolen.
  • Their IT services vendor wasn’t well trained in how to get to the bottom of the technical issues quickly, which lengthened the incident by hours.
  • The client didn’t have a list of whom to call if a cybersecurity incident was suspected, which made the phone number to their cybersecurity advisor the only number they thought to use. What if he was unavailable when this took place?

In a nutshell, they didn’t have their act together, and it showed.

After an incident occurs, your company will be judged on the following criteria:

  • Before the incident, did your company take all actions to prevent the incident that one would expect of a prudent organization?
  • Did your company respond to the incident using procedures that one would expect of a prudent organization?
  • Are there any ways that the media could portray your actions around steps 1 and 2 to make your company appear to be culpable or incompetent? If so, expect that they will. It attracts more readers to their publication.

A robust playbook that includes the CEO, Chief Legal Counsel, and all other senior leaders will do immeasurable good in your ability to respond to an incident.

An incident response playbook needs several key elements to be effective. It must:

  • Identify who in your organization has the authority to declare a cybersecurity incident. Who can initiate the playbook?
  • Spell out how much money that person can authorize to be spent to have an incident investigated or remediated.
  • Have a list of the types of scenarios that it is designed to cover. Examples include the loss of sensitive data, a ransomware attack, the loss of a critical system, law enforcement contacting your organization about a warrant or subpoena, and the loss of the use of one or more of your sites, whether because of a natural disaster or for other reasons (such as a crime taking place in the building and the police barring your employees from entering the premises).
  • Have a call tree that includes which people or groups to call when an incident takes place.
  • Define the people or groups responsible for making the decision on when to bring in law enforcement.
  • List the people authorized to speak to the media about a cybersecurity incident, and what those who are not authorized to speak to the media should say if they are approached by a reporter.
  • List all of your critical systems, the location of the data in those critical systems, and the location of the backups of the data for those systems.
  • Outline your general incident-response process. While every scenario is different, this process normally follows these steps: preparation, detection/analysis, containment, eradication, recovery, incident closure/root-cause analysis, and preventative measures.
  • Be reviewed on a frequent basis. These plans get stale quickly, and need to be reviewed whenever a significant change in your organization takes place.

If the above points are reviewed as a group, an interesting trend emerges. Most of them are non-technical; the majority are operational and financial in nature. Many incident response plans get this wrong. If your technology team owns your incident response plan, they are making business and financial decisions that should be made by CEOs, COOs, CFOs, and legal counsel.

Above all, your incident response plan needs to be tested. Unless you have rehearsed an incident response procedure, you’re only able to guess if it will work. This is too important to be left to guesses.

The takeaway messages from this article are easy to list:

  • Your company needs an incident response playbook.
  • The incident response playbook should be owned by a non-technical member of your executive team.
  • Your company needs to periodically test your incident response capabilities.
  • Your company needs to update the playbook from lessons learned as a result of tests, whenever significant changes occur to the operational or technical aspects of the company, or when merger/acquisition activity occurs.

Questions to explore this topic further with your company’s leaders:

  • How do we test our incident response playbook?
  • How often do we test it?
  • What did we learn from our last test?

Bryce Austin is the CEO of TCE Strategy, an internationally-recognized speaker on emerging technology and cybersecurity issues, and author of Secure Enough? 20 Questions on Cybersecurity for Business Owners and Executives. With over ten years of experience as a Chief Information Officer and Chief Information Security Officer, Bryce actively advises companies across a wide variety of industries on effective methods to mitigate cyber threats. For more information on Bryce Austin, please visit www.BryceAustin.com.

How to Establish a Real “Worldwide” Web Presence

By Anne Connor

It’s a well-known fact that people prefer to shop in their native language. Naturally, they feel more comfortable when they completely understand what they’re reading. The same goes for searching. It’s highly unlikely that potential consumers in foreign markets will find their way to your website using English-language searches, which means you need to incorporate keywords in your target languages for the best Search Engine Optimization. SEO is complex in your own language—and it’s constantly changing—for example, while Google is the top search engine in many international markets, Yahoo is number one in Japan and Yandex is the most popular in Russia.

Unique URLs

Consider investing in local domains so you have unique URLs for each market and language in which your website is translated. A local domain will give you higher search rankings in that country; while unique URLs ensure that search engines can identify the different versions of your site to rank them for the right audience. Basically, you’ll be running multiple versions of your site, which makes it easier for users to switch between languages and have completely local experiences.

“House” page?

In today’s age of automation, it’s easy to assume that there are plugins available to instantly translate your web presence. Maybe you’ve seen the “Translate this page” links when searching on Google. But remember there’s no such thing as a free lunch. These “machine translation” tools will only give potential customers the gist of what your website says, which simply won’t do if you’re trying to dress your site to impress.

When a small U.S. auto repair parts company had its site content professionally translated into Spanish for Mexico, its website developer created those new pages, but he used the platform’s embedded plugin to automatically translate the navigation and menus. That program rendered “Home,” used in a link to the website’s homepage, as “Casa,” which just means “house” in Spanish, and turned other menu terms into ridiculously incomprehensible phrases. An employee caught it and had the developer disable the plugin before the pages went live. It’s doubtful anyone would have read the beautifully translated Spanish copy after being put off by the unwieldy automatic translations. The whole costly exercise would have been a waste of time.

Video content

Videos are becoming an increasingly productive part of online content marketing, and that’s true in most foreign markets as well. After all, YouTube is the second largest search engine after Google. So, if your site offers YouTube video content, make sure you make your videos global. Use international SEO practices to research and identify key words in every end-user language. Have high-quality subtitles produced for your target markets, and consider transcribing and translating the full text for each video. Avoid crowd-sourced or auto-translated subtitles, such as YouTube’s auto-caption feature. They not only often produce poor translations that will make a bad impression; they don’t get indexed by Google or YouTube. To take your videos to the next level, hire voiceover experts to dub them into your target languages.

Dates and currencies

Even for English-speaking countries, localization includes converting dates and currencies, and you’ll save yourself a lot of headaches by ensuring this little detail doesn’t go overlooked. Most countries outside the United States use the Day/Month/Year format instead of the Month/Day/Year format, so write out the month in dates rather than using numeric formats such as “4/3,” which could be read as “March 4th.” Consider the potential sales losses if a misleading product release date drives customers to competitors who got the date right.

You can gain a step on some of your competitors by accepting foreign currencies, offering local payment methods, and displaying product prices in local currencies. Credit cards and PayPal are not ubiquitous around the world. For instance, iDeal is popular in the Netherlands and, in some countries, cash on delivery is still in use. Some sites even offer instant conversion, which could offer you an additional competitive edge in our increasingly global and mobile world. Whatever you do, remember to account for all fees charged by your financial institution or other payment portal.

Localization, Localization, Localization

In addition to translation into other languages, localization involves tailoring your brand voice to the local market and accounting for country-to-country differences. For instance, if you’re a women’s fashion e-tailer based in the U.S., your “fall line” would become your “autumn line” in the UK, and you’d need to change descriptions like “pullover sweater” to “jumper.”

The world may be getting smaller as the internet gets bigger, but to create a real worldwide web presence, you need to reach people at the local level. Make sure you tap the right professionals—localization specialists, native translators/language consultants, and international SEO experts—to optimize international demand for your business line. If you follow some of these best practices, you’ll be well on your way to reaching new consumers around the globe and sending your sales through the stratosphere!

Anne Connor holds a BBA in Business Law from Temple University’s Fox School of Business and is an active member of the American Translators Association. The American Translators Association represents over 10,000 translators and interpreters across 103 countries. Along with advancing the translation and interpreting professions, ATA promotes the education and development of language services providers and consumers alike. For more information on ATA or translation and interpreting professionals, please visit www.atanet.org.

Your Company’s Future May Be Online

By Peter DeHaan

I have long been a proponent of the necessity for companies to have websites. In fact, I view a website as a veritable requirement for success in today’s market.

Organizations lacking a website are quickly viewed as second-rate providers and not worth the consideration of first-rate prospects. With the current concerns over attracting new customers, now is the time for site-less companies to embrace the Internet as a means of marketing and validation.

I know there are still organizations out there that have not yet fully embraced the internet revolution. Sadly, I hear from them on a somewhat regular basis. In addition, a few business owners and managers still say they don’t have an email address. Lastly are those who do not have a website or who state that “it’s not up yet.”

How can these companies serve customers, market to prospects, and stay in business? If you are one of these organizations, take action today to embrace the Internet before it is too late, with your business paying the price.

Website Basics

Although it can cost thousands of dollars to have a whiz-bang, high-tech, professional-looking Website designed, there are less costly options. After all, we don’t all drive a Mercedes-Benz—sometimes a Chevy will do. You can make an inexpensive website yourself for under $100. The goal is for it to not look cheap. Most hosting companies offer do-it-yourself website templates that you—yes, you—can customize to provide a basic, yet professional-looking site. However, there are a few beginner mistakes that you will want to avoid:

  • Stay away from line art graphics or any artwork that looks like it was homemade.
  • If you need to resize a graphic, be sure to keep it proportional. Otherwise, it will distort, either being stretched or squished.
  • Take time to proofread the text, verify spelling, use correct grammar, and employ commonly accepted punctuation. Have others double- and triple-check your work.
  • Don’t go crazy with different fonts. Use one or two at the most.
  • Avoid uppercase text; people will feel like you’re screaming at them. (The one possible exception might be listing your company name at the top of the page.)
  • You might be tempted to insert a page counter or some other nifty gadget. Resist that urge. Just because those features are available doesn’t mean you should use them.
  • Although not available with predesigned Website templates, you might think you need to have a flashy animation on your home page. Don’t go there; the only ones who will be impressed will be you and the person who designs it. Everyone else will be irritated, and the search companies will dismiss you.
  • Don’t piggyback off someone else’s domain name; get your own. This can be inexpensively obtained from your hosting company. While you’re at it, set up an email account using that domain name. Post that email address on your Website. If need be, you can have this new address forwarded to an existing email account.

Search Engine Optimization

Now that you have a functioning website (which avoids all the beginner errors), you want people to find it. Aside from telling everyone you meet and listing it on every piece of literature and stationery that you have, you need search engines to notice and appreciate your website. This is Search Engine Optimization (SEO).

Although this is more of an art form than an exact science (since the search engine companies closely guard their methodologies), here’s some generally agreed upon SEO basics:

  • Each page of your site needs a title tag, and each page’s title should be different.
  • Each page also needs a description tag; again each one should be different from the other pages.
  • Add reasonable and accurate keywords. Although most experts say Google ignores them, some search engines will use them, so it’s a good idea. Again, they should not be the same for each page.
  • Although some people still value reciprocal linking (that is, “I’ll link to your site if you link to mine”), the conventional wisdom is that in most cases this no longer helps and may actually hurt your visibility with the search engines.
  • Most of the companies that guarantee you top search engine placement for a fee, fail to deliver or can’t do so for the long-term. There are experts who can do this, but they are in a minority and their skill is often hard to substantiate.

Search Engine Marketing

If you want people finding your site and contacting you, the next step to consider might be Search Engine Marketing (SEM). This is when you sign up with Internet advertising companies such as Google, Yahoo, or a host of others. Basically, you tell them how much you are willing to pay each time a person clicks on your ad, and they place your ad on Websites where potential prospects frequent. If you go this route, proceed slowly and carefully until you have a good understanding of how this works. I have heard stories of novices spending hundreds of dollars in a couple of hours with not much to show for it. A key thing to remember is that just because they clicked on a link that points to your Website does not mean they will become a customer—or even contact you.

Given the current concerns over the economy and finding new business, organizations need to do everything they can to help them succeed. The Internet is a cost-effective and increasingly popular method. It doesn’t matter if you are a beginner in this area, have experience, or are a veteran, there are always more opportunities waiting in the rapidly growing realm of cyberspace.

Peter DeHaan is a commercial freelance writer who provides content marketing services and does ghostwriting.

What’s Your Copyright IQ?

By Andrew A. Gonzalez, Esq.

In the old days, the Power of the Press was a luxury reserved for those with a press. Today, anyone with a desktop computer and an internet connection can become an electronic publisher. Before the internet, any entrepreneur not only had to know the nuts and bolts of marketing, but they had to be aware of complex legal issues such as libel and copyright infringement. An unintentional mistake and you could be sued out of existence. Professionals understood that the Power of the Press carried with it great responsibility and legal risk.

If you are a website designer or business owner, it is time to wake up to laws that have always applied to intellectual property in the real world. How much do you really know about copyright law? A copyright is a form of protection for original works of authorship fixed in a tangible medium of expression. Here are some dangerous myths about copyright law.

MYTH: If it doesn’t have a copyright notice, it’s not copyrighted.
FALSE. In the USA, almost everything created after April 1989 is copyrighted and protected whether it has a notice or not. The default you should assume for other people’s works is that they are copyrighted and may not be copied unless you know otherwise.

MYTH: It is okay to copy as long as you give proper credit to the author/artist.
FALSE. If you copy an original writing, graphic, song, or other work without permission, you are guilty of copyright infringement. The Digital Millennium Copyright Act [DMCA] restricts access to or distribution of copyrighted material. Violators may be subject to civil and criminal penalties.

MYTH: I goofed and used someone’s graphic on my web page without realizing that it is copyrighted, but I cannot be sued as long as it was an honest mistake.
FALSE. Ignorance of the law is no excuse. Copyright law does not care about your “intent,” only that you have infringed the work of another.

MYTH: It is okay to use less than 10 percent of someone’s work.
FALSE. Although it may be permissible to use limited portions of a work for limited purposes, there is no rule permitting a certain percentage of the work to be reproduced, distributed, performed or translated.

MYTH: The work doesn’t show a copyright notice, so it is in the public domain and content can be used freely.
FALSE. A work has automatic copyright protection the moment it exists in tangible form. While it is good practice to insert a copyright notice, it is not mandatory.

MYTH: If I don’t charge for it, it’s not a copyright violation.
FALSE. It is a violation even if you give it away—and there can be serious damages if you diminish commercial value of the property.

MYTH: It doesn’t hurt anybody and it’s free advertising.
FALSE. It is up to the owner to decide if they want the free ads or not.

MYTH: I paid someone to create something for me so I own the copyright.
FALSE. If the content creator is on staff, and the work is created during their employment as part of their job, usually the employer owns the copyright. If, on the other hand, the content creator is an independent contractor, then the contractor may own the copyright unless there is something in writing transferring copyright to you.

MYTH: I copyrighted the name of my brand.
FALSE. Copyright protects original works of authorship, but a trademark protects words, phrases, symbols and logos that identify the source of the goods or services.

MYTH: I can mail myself a copy of my work to protect it [commonly known as “the poor man’s copyright”].
FALSE. There is no provision in copyright law granting any such protection, and it is not a substitute for registration.

MYTH: If I am caught infringing, I will just stop.
FALSE. The penalties for copyright infringement can be severe, and the technology for catching offenders gets better all the time. The penalties for copyright infringement include both criminal and civil penalties.

The purpose of copyright law is to provide a commercial framework to ensure that artistic, intellectual or other works of value are fairly rewarded. The development of technology in general and the internet in particular has dramatically increased the ease with which works are violated. In this environment, a number of misconceptions have become common currency. This article is intended as an introduction to copyright laws and is provided in good faith to gain a general understanding of the topic.

Andrew A. Gonzalez, Esq. is an experienced attorney with over twenty-five years in practice. He focuses attention on business and intellectual property matters. He provides sophisticated services to commercial and individual clients who need to effectively compete in a business environment. For more information, call 914-220-5474 or email gonzalez@golawny.com.

Hacking People: Why Your Biggest Vulnerability Isn’t In Your IT Department

By Clinton Henry

Last week, Chris stopped off at his local coffee shop to have a chai before heading off to a trade show to deliver a keynote speech. As he sat at his usual spot near the counter, a heated discussion ensued next to him regarding the third quarter of 2017. In the middle of the morning’s caffeinated hustle and bustle, a marketing meeting was in progress.

He knew it was a marketing meeting because the three employees left the screens on their computers open to “Marketing Plans.” Much to his amazement, they abandoned the table and were apparently in line—as well as online. They left two smartphones and a couple of memory sticks out in the open, plain as a Pumpkin Spiced Latte.

While reasonable predictions aren’t always correct, there’s a strong possibility that eventually the company will experience a breach. Moreover, it’s highly unlikely that anyone within the business or IT has taken a serious look at how its users operate to protect it from this sort of vulnerability.

The biggest risk for any organization being hacked is neither the firewall nor the server. It is another problem altogether: social engineering. Social engineering is when employees inadvertently (or out of malice) give cyber thieves sensitive corporate or client information. The problem with most businesses and IT departments is that while they may be eager to invest in cybersecurity measures for their organization, they often neglect investing in shielding the most common attack surface motivated hackers use to gain access: employees.

Let’s review some of the socially engineered pitfalls that occur all too often:

Public Wi-Fi: Public Wi-Fi is to your computer network as Kryptonite is to Superman or garlic is to a vampire. Unless you are sending out information that is encrypted via a secured site, never conduct any business from an unsecured Wi-Fi hotspot.

Public Places: In the space of two seconds, it would have been possible for a thief to take screen shots of the third quarter plan with a smartphone or to swipe the smartphones and stick drives or even one of the laptops. Any document, especially any document with links to your organization, is all a cyber thief needs to get going. Never leave documents unattended.

Ever hear of visual trespass? It is the practice of someone in any public space looking over your shoulder viewing your computer screen. Here’s an apt example: Alison, the head of tax and audit for a publicly traded company, was traveling and noticed a stranger was trying to observe her computer screen in an airport while she was working on her corporation’s soon-to-be-public 10-K filing. While the stranger may have been rude (and not a cyber thief), the person working on those financials was misguided and careless.

Moreover, public conversations that should be held in private can undo a company quite easily. Recently, the same Chris from earlier was in O’Hare airport while a gentleman next to him was on the phone with a colleague who needed access to a file. The helpful companion, within earshot of Chris, decided it was a good idea to give his coworker his personal password so he could access the file. If Chris was an opportunist, he could have simply made conversation with the unsuspecting traveler later and traded business cards, giving Chris his username and company along with his password. The businessman would have been none the wiser.

Phishing: Remember those emails we once received from Nigeria, Lithuania, or Romania that named us as the heirs to great fortunes? All they needed to secure the millions owed to us was a credit card number. People fell for it in droves. Then there were fake job postings that asked us for background information. The postings looked legitimate and we fell for that too. We gave them what they asked for.

Phishing has not gone away. It has become so sophisticated that we believe it comes from our bosses, a supplier, or a nonprofit we might support. The links in the email are typically malware that can infect the entire network and grab important files. Don’t fall for it. When in doubt, always verify. An interesting fact: Millennials are more prone to falling for phishing than older employees. Over-familiarity with and blind trust of technology can be a dangerous thing.

Vindictiveness: Remember that angry employee who was terminated? What precautions were taken to make sure that he or she was immediately shut out from the network? Terminated employees can sometimes be vindictive. Have a plan and protect your data so the recently fired sales executive can’t walk to your competitor with your latest leads or biggest accounts.

Vendors: Your computer network is only as good as who has access to that network. Many cyber thieves have successfully snuck in through a back door by going through the networks of your vendors. This is a potentially huge problem for any organization having a continuous relationship with suppliers. If your network is secure but your vendors have cyber security that is more like Swiss cheese, it can potentially create a huge vulnerability in your network.

Remember that while most internal IT organizations often seek funding for the latest network security equipment or software to beef up cybersecurity, they often neglect to engage their users to harden the organization from social engineering attacks that are commonly used to compromise a company. Neglecting to offer sufficient training for their users leaves the organization vulnerable to a hacker using a company’s own employees against it.

Clinton Henry is one of the world’s leading cyber security and identity theft experts. Known for his engaging keynotes and insightful perspective on business and personal cyber security, Clinton has amassed a loyal following of business and IT executives who look to him for guidance on how to protect their corporate profits and reputation from attack or compromise.