Hacking People: Why Your Biggest Vulnerability Isn’t In Your IT Department

By Clinton Henry

Last week, Chris stopped off at his local coffee shop to have a chai before heading off to a trade show to deliver a keynote speech. As he sat at his usual spot near the counter, a heated discussion ensued next to him regarding the third quarter of 2017. In the middle of the morning’s caffeinated hustle and bustle, a marketing meeting was in progress.

He knew it was a marketing meeting because the three employees left the screens on their computers open to “Marketing Plans.” Much to his amazement, they abandoned the table and were apparently in line—as well as online. They left two smartphones and a couple of memory sticks out in the open, plain as a Pumpkin Spiced Latte.

While reasonable predictions aren’t always correct, there’s a strong possibility that eventually the company will experience a breach. Moreover, it’s highly unlikely that anyone within the business or IT has taken a serious look at how its users operate to protect it from this sort of vulnerability.

The biggest risk for any organization being hacked is neither the firewall nor the server. It is another problem altogether: social engineering. Social engineering is when employees inadvertently (or out of malice) give cyber thieves sensitive corporate or client information. The problem with most businesses and IT departments is that while they may be eager to invest in cybersecurity measures for their organization, they often neglect investing in shielding the most common attack surface motivated hackers use to gain access: employees.

Let’s review some of the socially engineered pitfalls that occur all too often:

Public Wi-Fi: Public Wi-Fi is to your computer network as Kryptonite is to Superman or garlic is to a vampire. Unless you are sending out information that is encrypted via a secured site, never conduct any business from an unsecured Wi-Fi hotspot.

Public Places: In the space of two seconds, it would have been possible for a thief to take screen shots of the third quarter plan with a smartphone or to swipe the smartphones and stick drives or even one of the laptops. Any document, especially any document with links to your organization, is all a cyber thief needs to get going. Never leave documents unattended.

Ever hear of visual trespass? It is the practice of someone in any public space looking over your shoulder viewing your computer screen. Here’s an apt example: Alison, the head of tax and audit for a publicly traded company, was traveling and noticed a stranger was trying to observe her computer screen in an airport while she was working on her corporation’s soon-to-be-public 10-K filing. While the stranger may have been rude (and not a cyber thief), the person working on those financials was misguided and careless.

Moreover, public conversations that should be held in private can undo a company quite easily. Recently, the same Chris from earlier was in O’Hare airport while a gentleman next to him was on the phone with a colleague who needed access to a file. The helpful companion, within earshot of Chris, decided it was a good idea to give his coworker his personal password so he could access the file. If Chris was an opportunist, he could have simply made conversation with the unsuspecting traveler later and traded business cards, giving Chris his username and company along with his password. The businessman would have been none the wiser.

Phishing: Remember those emails we once received from Nigeria, Lithuania, or Romania that named us as the heirs to great fortunes? All they needed to secure the millions owed to us was a credit card number. People fell for it in droves. Then there were fake job postings that asked us for background information. The postings looked legitimate and we fell for that too. We gave them what they asked for.

Phishing has not gone away. It has become so sophisticated that we believe it comes from our bosses, a supplier, or a nonprofit we might support. The links in the email typically lead to malware that can infect the entire network and grab important files. Don’t fall for it. When in doubt, always verify. An interesting fact: Millennials are more prone to falling for phishing than older employees. Over-familiarity with and blind trust of technology can be a dangerous thing.

Vindictiveness: Remember that angry employee who was terminated? What precautions were taken to make sure that he or she was immediately shut out from the network? Terminated employees can sometimes be vindictive. Have a plan and protect your data so the recently fired sales executive can’t walk to your competitor with your latest leads or biggest accounts.

Vendors: Your computer network is only as good as who has access to that network. Many cyber thieves have successfully snuck in through a back door by going through the networks of your vendors. This is a potentially huge problem for any organization having a continuous relationship with suppliers. If your network is secure but your vendors have cyber security that is more like Swiss cheese, it can potentially create a huge vulnerability in your network.

Remember that while most internal IT organizations often seek funding for the latest network security equipment or software to beef up cybersecurity, they often neglect to engage their users to harden the organization from social engineering attacks that are commonly used to compromise a company. Neglecting to offer sufficient training for their users leaves the organization vulnerable to a hacker using a company’s own employees against it.

Clinton Henry is one of the world’s leading cyber security and identity theft experts. Known for his engaging keynotes and insightful perspective on business and personal cyber security, Clinton has amassed a loyal following of business and IT executives who look to him for guidance on how to protect their corporate profits and reputation from attack or compromise.


9 Surefire Steps to Lockdown Your Cyber Security

By Clinton Henry

“Dear Client.” That’s how the letter usually begins.

The next few sentences are a little trickier; there is really no good way for someone to hear that their data has been stolen. Unfortunately, getting this letter is becoming an all too common occurrence in business. Businesses lose more than $100 billion a year to cyber-attacks and fraud globally.

While a security breach might be one of the last things on your mind, the most recent Travelers Risk Index report shows that it’s a top concern for your clients, customers, and contractors – “Personal Privacy Loss and Identity Theft” went from barely ranking on their survey a few years ago to being number two, right behind “Financial Security.”

The expectation of cyber security has to be met with the same fervor and drive that you strive to meet all your other clients’ expectations.

1) Engage and Educate Employees: It’s important that you create a culture of security within your organization because security is everyone’s responsibility. If you don’t have buy-in from all your team members, you’re exposing your business to unnecessary risk. The majority of attackers gain access to networks via social engineering and the manipulation of a user within an organization, not via command line “hacking” from a dark, Cheetos-filled basement somewhere, as the movies often portray. Why would someone spend days trying to crack your accountant’s password when they can simply call your IT desk pretending to be your accountant and ask him to reset it to something new?

2) Anti-Virus: Having an up to date anti-virus deployed on all of your desktops and servers is vital. An unprotected computer is an easy target for a motivated attacker. Don’t make it easy on them – pay for anti-virus and make sure it’s regularly updated by your IT staff.

3) Password Management: It’s important that you and your employees leverage strong, complicated passwords that aren’t easy to guess. There are now hacking applications you can plug into a computer that will run through the most common 10,000 passwords used in about four minutes, trying each of them. You’d be surprised how many folks with access to critical data have the password of “password,” or if they are feeling clever, “password1” (Did this just guess your password? Go change it!).

4) Secure Your Networks: Without getting too technical, just know that having a firewall between your corporate network and the Internet is very important. If you don’t, there is very little stopping someone from freely accessing your data.

5) Secure Your Cloud: No matter what cloud provider or service you use, make sure you do your due diligence on their security practices. If they can’t easily and quickly tell you how your data is secured, odds are it isn’t. Also, for any accounts used to access your firm’s data, make sure you have strong passwords and only access it via a computer you own or trust. If you access your cloud on an infected machine, a hacker could potentially learn your password and use it later on without your knowledge.

6) Protect Banking Information: Make sure that all financial data, accounts, and records are kept secure and segregated from the rest of your business’ general shared drives. If financial transactions are conducted electronically, ensure they are done over an encrypted connection and that your employees never email account numbers, credit card information, or sensitive financial documents.

7) Backups: One of the most common types of breaches now being seen is the “ransomware” attack. Instead of “stealing” data from your organization, these attackers find your critical data and then encrypt it (digitally locking you out of it), making it so only the person with the digital “key” can unlock and access that data. The hackers then offer the victim access to the “key” for a very large fee. If you’re hit with one of these attacks you have two options: pay the fee or restore the locked data from a recent backup. This is why backups are so important. Recently a very large hospital, a police department, and a public school (along with literally thousands of other victims) have been forced to pay tens of thousands of dollars to get their data back. Making sure your data is backed up and stored separately from your main repository can help protect you from attacks such as these.

8) Physical Security: This one is self-explanatory but you’d be surprised how much client data is left lying around the office. Ensure your partners, trusted employees, and finance team lock away any sensitive documents when they aren’t working with them.

9) Mobile Devices: While they are a convenience and increase productivity of the staff, mobile devices mean that your clients’ sensitive data can potentially walk out your firm’s door without you ever knowing it. Make sure that all mobile devices used to access corporate data have passwords (your email server can force this requirement), and if you have employees that use laptops you should look at having the hard drives for those machines encrypted. Most modern operating systems have encryption built in (you just have to enable the feature), and it’s foolish not to leverage it. If an employee accidentally leaves a laptop on a plane or in the back of a taxi, you’ll be guaranteed that all data on it is secure and protected.

Your business, your brand, and your bottom line depend on the trust you develop with your clients. Handling the items listed above will go a long way in protecting all three.

Clinton Henry is one of the world’s leading cyber security and identity theft experts. Known for his engaging keynotes and insightful perspective on business and personal cyber security, Clinton has amassed a loyal following of business and IT executives who look to him for guidance on how to protect their corporate profits and reputation from attack or compromise.


The Product Pivot: The Gift That Keeps On Ticking

By Steve Blue

Whether you know it or not, your business is a time bomb. The seconds are counting down until it explodes into a million pieces, littering the marketplace like a war-zone.

And it’s not just you. Every company is on a going-out-of-business curve unless it constantly reinvents itself. Examples abound of businesses that clung wistfully to their old products and decried anything new. Kodak failed to reinvent itself even though it clearly saw the move toward digital film. Netflix assassinated Blockbuster. Uber is destroying the entire taxi business. And what is the taxi industry’s response? Cling to the old model and ask the government to protect it. These are all examples of companies that chose to cling to the tried-and-true but destined-to-fail old ways. All because of a failure to execute what is called “the product pivot.”

The product pivot is shedding the old skin of dying product lines and weathered technology and reinventing new ones to fit the times and the changing market conditions. It’s taking an old-line company and transforming it to a digital dynamo.

If you haven’t solidly positioned your company for the digital world, you soon will. Or you’ll soon be joining Kodak. Beware: the transition from not digital to digital is as tricky and perilous as careening off an icy highway. It’s a high wire juggling act that requires the CEO’s constant attention to make mid-course corrections along the way. Many mid-course corrections.

But imagine this. You have picked a new technology with high margins. It has a solid market need and very little competition. You’ve retained a killer product development company that delivers the product to you on time and on budget. What a dream! But then it fails miserably. In fact, it never gets off the ground. Why? Your “new idea assassins” killed it.

Launching a new technology is never about the technology. That’s easy. Launching a new technology is all about the organization. That’s the hard part. Arguably, in the case of Kodak or Blockbuster, the impossible part. Kodak and Blockbuster had, or certainly could have procured, the technology, but the organization refused to use it. Their “new idea assassins” killed it before it even got started. And the CEOs never even knew what happened.

Choosing the technology or product will be simple, compared to the organizational challenges you will face. Choosing the technology is just an exercise in good old-fashioned product marketing and development. But, do not underestimate the resistance you will encounter when you start your product pivot. Spend all your time and attention on how the organization is reacting to the change. Here are seven things you should do:

  1. Do an Organization Checkup: How ready is it to accept a new technology? In large organizations, conduct an online survey to determine the comfort level of your employees with the technology you have chosen.
  2. Address Concerns Directly: The most important issue will be to deal with employees’ fears about what the new technology will mean to them. When people don’t understand something, they will resist it and sabotage it. People will naturally be fearful that the new technology will displace them. Make a commitment that this won’t happen. Put a plan in place to train people on the new technology, and communicate it widely.
  3. Communication is the Key: Remember the Cs of effective communication: Clear, convincing, and compelling. Clearly communicate the importance of the new technology. Paint a convincing picture of what will happen to the company if it is not successful in the endeavor. That means lost jobs so don’t sugar coat it. At the same time talk about the compelling and exciting future everyone will have if it is successful.
  4. Make it Clear This is Not an Optional Transformation: Anyone who doesn’t support it can’t stay. It’s just that simple. And then you need to back that up with personnel changes, including termination if necessary. Don’t hesitate to make these changes because employees who are against it will find nefarious ways to scuttle it. And you won’t even know it until it is too late.
  5. Stay Close to the Project: Don’t delegate it. If you delegate it, you will soon discover it is stuck in the mud and no one knows why. Hold the team accountable to commit to action plans and dates. And question them intensely when they miss them. Expect missed commitments; after all, it is all new to the organization. Just be sure the misses aren’t because of resistance. When you do discover the reason for the misses you will find they were caused by a lack of talent (which you can fix with new hires), a lack of resources (which you should also fix), or a lack of a clear product development plan.
  6. Celebrate Small Successes: Recognize, reward, and promote the people who are making it happen. These people are your new technology heroes.
  7. Don’t Forget to Pay Attention to the Rest of the Business: You still have to maintain the old while you are creating the new. Don’t let the people in the old products feel like they are not important. You need them to keep performing well.

A product pivot is essential to ensure the prosperity of the company. The challenge of a product pivot is never in deciding what product to develop or the technology in developing it. The challenge is always organizational. Remember that the organization is likely to be against it because it represents a threat. Stay close to the project and communicate constantly with the employees affected. And always remember to mind the store in the meantime.

Steve Blue is president and CEO of Miller Ingenuity and author of American Manufacturing 2.0: What Went Wrong and How to Make It Right. As a nationally recognized business transformation expert and speaker, Steve has been featured in Forbes, Entrepreneur, and The Wall Street Journal. He is founder and contributor to American City Business Journal’s “League of Extraordinary CEOs” series. To learn more about Steve Blue, please visit www.milleringenuity.com.

Why Open Space Offices Didn’t Have To Happen

By Barbara Hemphill

Estimates of the time executives waste searching for data range from 150 hours to six weeks per year. That means if an executive makes $200,000 per year, the company is spending anywhere from $16,600 to $25,000 per year, per executive, looking for lost information. Not only does it represent a dollar loss, but a time loss as that executive spends 8% to 12.5% of their time just finding what they need to work.

The figures for employees underneath the executives are even more astounding (probably because they’re looking for what their bosses need!). Studies show the average office worker spends anywhere between 25% and 35% of their time every day finding the information they need to do their job.

In a hypothetical organization with 1,000 workers, each drawing salary and benefits that together average $80,000 per year, the organization will spend $6 million on looking for information that should be readily available.

Research also shows that 80% of what we keep we never use, and the more we keep the less we use—because we don’t know we even have it, or we simply can’t find it.

Clutter is postponed decisions.

Prior to personal computers, organizations had a personnel structure that ensured decisions were made about what needed to be kept. Executives had private secretaries. Departments had file clerks. Companies had file rooms, and file rooms had “Mabel” – a records manager who was the keeper of the records retention program for the organization.

The Pile-Up Begins: When computers showed up on everyone’s desks, support staff were deemed no longer necessary. When they left, so did the decision-making mechanism and the clutter began piling up. An administrator in a large Manhattan company shared that her company had ten floors with 1,000 file cabinets on each floor. In addition, there were banker’s boxes full of files, and loose papers piled on desks and file cabinets. An evaluation of the problem quickly demonstrated unnecessary duplication of papers being filed. This same company was spending money to eliminate private offices and add filing cabinets, when the problem could have been avoided by simply eliminating the unnecessary files.

By nature, entrepreneurs and executives are not attuned to the issue of clutter. It seems a minor issue and employees being paid to organize their workspaces is not an efficient use of time and money. As a result, for the past several decades, clutter has been accumulating on desks, in file cabinets, in storage closets, and off-site. One IT manager said she used to look at her boss’s office and wonder how he could manage a company if he couldn’t even manage his own office.

Avoiding the Issue: When a major banking institution moves into its new multi-story building in Manhattan, their employees certainly won’t have any clutter. They also won’t have a door in their office, and most of them won’t have a desk. If they want to have a photo of their family in the office, they’ll have to lock it up every night, since they won’t have the same desk every day.

Company management says the setup will connect people face-to-face, raise energy levels and save money—by fitting more people into one space. People will learn to use headphones and talk more softly to enable privacy.

Other companies are doing the same. While researchers disagree about whether open offices foster communication or encourage distraction, the truth is the entire issue could have been avoided if executives would have started paying attention to the clutter that began accumulating in offices when Bill Gates put computers on everyone’s desk.

What Can We Learn? If companies had paid attention to the paper accumulation decades ago, perhaps today we could still have offices with desks and doors, because there wouldn’t be millions of files stored that no one needs or uses.

While it’s true that open offices solve the problem of paper clutter, the clutter problem has merely been transferred from physical to digital. For decades, companies have spent millions of dollars on software for their employees, but refused to invest in any training on how to organize the millions of files that are created daily. Now our computers and the cloud are filling up with clutter as surely as our desks and file cabinets have in the past.

As the familiar saying goes, “Those who don’t learn from history are condemned to relive it.”

What We Must Do Now: While we can’t undo the past, we can certainly take steps to avoid repeating in the digital world the mistakes we made in the paper world. Here are five steps your organization can take now:

  1. Identify someone in your organization to take ownership for effectively managing information.
  2. Take a serious look in your office to see if there is a clutter problem you are ignoring.
  3. Create a user-friendly records retention program for your organization.
  4. Implement a training program to teach employees how to make decisions about what information they need to keep.
  5. Empower employees to eliminate unnecessary clutter by designating specific times for that purpose.

Barbara Hemphill is the Founder of Productive Environment Institute, in Raleigh, N.C., and author of Less Clutter More Life. As one of the country’s leading organizational experts she has helped many corporations, such as Staples, Hallmark and 3M increase their productivity and efficiency.


Automation Doesn’t Solve Everything

Six Things You Should Know About Machine Translation

By Caitilin Walsh

Taco Bell’s return to Japan in 2015 was widely anticipated, but the company’s launch of its Japanese-language website spawned a media frenzy—not because of the food. With machine-translated menu items that turned “Cheesy Fries” into “Low Quality Fleece” and “Crunchwrap Supreme – Beef” into “Supreme Court Beef,” the company had to rush to take down the site to mitigate the damage to its image.

Translating your materials professionally is a smart business move. Translation may be required for your market, it makes people more likely to buy your product or service, and support costs go down as people can access information in their own language. But where to begin?

Sure, professional translators will get you exactly what you want, but you’ve probably heard some buzz about machine translation (MT) and are wondering if it might save you money and time. Before you take the plunge, here are some things you should know about MT.

There’s no such thing as a free lunch: Free online translators are very popular—Google alone serves up more than a billion translations a day. It’s important, though, to understand what you get when you use any free machine translation service:

  • They can only give you an idea of what the foreign text says. Since they have to translate everything from love letters to shopping catalogs, they are designed to generalize rather than specialize. They don’t “know” what your text is about, so they “guess.” Often they guess right. Sometimes they don’t.
  • MT systems leverage big data, and are programmed to give preference to the most popular words and phrases. Predictably, problems emerge: in some language combinations “US President” was translated as “Bush” well into the Obama administration.
  • They store and use your data to learn. That’s fine for a public webpage for your family trip, but not for your company’s confidential material.

Free translators are fine for the casual user, but their reliance on statistics, errors from incorrect data and lack of confidentiality make them unsuitable for serious business translation.

The machine can only do so much: Most serious MT users invest in training proprietary machine translation engines for specific kinds of text. If trained well, the resulting output should get words right, though it might not sound particularly elegant or even be grammatically correct. For some kinds of texts this might be acceptable, but for most it isn’t.

It won’t work for all texts and languages: Machine translation almost always involves translators or editors to refine the output. Even MT vendors agree it would be counter-productive to use MT for creative materials such as marketing copy or literature, and that it’s best used for drafting large sets of documentation or short-lived or otherwise untranslated materials.

It’s also important to note that machine translation does not handle all languages equally well. Languages with a similar structure may produce fairly good results, but if they differ greatly or there isn’t enough data, it might be more costly or impossible to develop a solution—making it more cost-effective to use a professional translator.

In short, there is no easy formula that can be applied to all text types and languages. Most companies that use machine translation agree that there is a lot of work involved in finding out whether it makes sense for their text types and language combinations.

Machine translation is an ongoing process: Long before the first word is ever translated, consultants, outside vendors, or in-house specialists need to determine an appropriate approach. You will need to budget for an ongoing process of:

  • Establishing why you want to use machine translation in the first place (as opposed to professional translators)
  • Determining which types of text and languages you want to translate using MT or professionals
  • Evaluating what data and expertise you have available or need to acquire in order to configure and customize your machine translation solution
  • Assessing how your professional translators and editors can support the process
  • Training your machine translation solution with new materials you produce
  • Fine-tuning your process and re-evaluating your approach as technology continues to evolve

You may not save time or money: Your machine translation process will change as your technical team and your translators and editors get better at working with MT.

Costs will likely shift. Once you’ve settled on an approach, your higher initial investment in systems and training costs might level off to a lower but ongoing constant—like any other IT investment. Engineering costs could be relatively stable, but translation and editing costs might eventually drop as systems improve and translators and editors refine their strategies.

You may have noticed frequent use of the words “likely” and “might” above. That’s because there are many variables that can affect machine translation cost and time savings. Those same variables might also prevent the desired savings or make it actually more costly than professional translation.

Machine translation uses humans; human translators use MT: MT and translation professionals interact: An editor may correct machine translation output and—depending on the system—simultaneously “teach” the system so the same error does not occur the next time.

In a more integrated process, professionals use machine translation to support their work in combination with their high-end software. By interweaving several tools, translators often achieve a significant productivity and quality boost.

There is a time and a place for every technology: If qualified consultants determine that the cost and time of introducing machine translation would help you, you will still need professional translators and editors on your side to help you on this journey.

On the other hand, if the effort to introduce machine translation into your process is too costly or risky, you can benefit from professional translators who already use sophisticated translation technology to streamline their work and translate your materials with high and consistent quality.

At the end of the day, accurate information is key as you decide whether to invest in automating your translation processes. Consulting with experts will help you make a wise decision that gets your message across clearly and effectively without tarnishing your image.

Caitilin Walsh is the past President of the American Translators Association. She has also worked at Bellevue College in Washington for 20 years, training the next generation of translators and interpreters. The American Translators Association represents over 10,000 translators and interpreters across 91 countries. Along with advancing the translation and interpreting professions, ATA promotes the education and development of language services providers and consumers alike. For more information on ATA or translation and interpreting professionals, please visit www.atanet.org.