cybercrime - Blog - Global Risk Community2024-03-29T10:00:39Zhttps://globalriskcommunity.com/profiles/blogs/feed/tag/cybercrimeInterview with Greg Edwards, CEO at Cryprostopperhttps://globalriskcommunity.com/profiles/blogs/interview-with-greg-edwards-ceo-at-cryprostopper2021-02-17T11:10:00.000Z2021-02-17T11:10:00.000ZBoris Agranovichhttps://globalriskcommunity.com/members/BorisAgranovich<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/8563792689?profile=RESIZE_400x&width=400"></div><div><p><span style="font-size:12pt;">This is a transcription of our interview with Greg Edwards, CEO at Cryprostopper.</span></p>
<p><span style="font-size:12pt;">You can watch the full <a href="https://globalriskcommunity.com/video/interview-with-greg-edwards-ceo-at-cryprostopper" target="_blank">video interview here</a>. Make sure to subscribe to our <a href="https://globalriskcommunity.libsyn.com/" target="_blank">Risk Management Show</a> via <a href="https://podcasts.apple.com/nl/podcast/risk-management-show/id1523098985" target="_blank">iTunes</a>, <a href="https://open.spotify.com/show/1IynksT6tH80Nw9LTyI7bt" target="_blank">Spotify</a> or other major podcast apps. Just search using the keyword "Risk Management Show" inside your favorite app so that when interviews will start rolling in, you receive your notifications or podcast will download straight to your phone.</span></p>
<p><span style="font-size:12pt;"><strong>Boris:</strong> Hello ladies and gentlemen and welcome to our interview with Greg Edwards.</span></p>
<p><span style="font-size:12pt;"><strong>Greg is a CEO at Cryprostopper which provides ransomware protection by automatically detecting and stopping actively running ransomware attacks.</strong> </span></p>
<p><span style="font-size:12pt;">They are the world’s first digital security product to offer 100% ransomware protection. In addition, Greg also owns an MSP IT business that has been helping businesses recover from the land hurricane named Derechio that hit Cedar Rapids, Iowa, where he lives. </span></p>
<p><span style="font-size:12pt;">Greg, Thank you for coming to our interview today.</span></p>
<p><span style="font-size:12pt;"><strong>Greg: </strong>Thanks for having me Boris</span></p>
<p><span style="font-size:12pt;"><strong>Boris:</strong> With your background. I believe that we will have a really thoughtful conversation about cybersecurity, ransomwere and emerging threats. From fears of a Cyberspace based New Cold War between Global Powers to emerging fraud threats, to financial services, small businesses, consumers, the issue of the cyber security is likely to loom large over all technology discussions in 2021.</span></p>
<p><span style="font-size:12pt;">Greg, can you tell us a short story about your unique path in the cyber field and what you and your colleagues at Cryprostopper have been up to recently?</span></p>
<p><span style="font-size:12pt;"><strong>Greg: </strong>Absolutely. I previously owned an offsite backup and disaster recovery company and starting in 2012, we started seeing ransomware attacks, hitting our offsite backup clients, and actually between 2012 and 2015, 20% of our offsite backup clients needed a full on recoveries because of Ransomware. <strong>So I saw that escalation and that all really started because of the availability of Bitcoin which became available in 2012.</strong></span><br /> <br /> <span style="font-size:12pt;"><strong> And if you look at the rise of Ransomware in cyber crime in general, it really all started to escalate at that point when the attackers could get paid completely anonymously.</strong> So with CryptoStopper, essentially what I was seeing is that antivirus was not able to stop it and it actually 77% of companies that are hit by Ransomware have up-to-date antivirus and is still today. And so what we created is a tool that detects and stops Ransomware after it's already running and does it in less than a second.</span><br /> <br /> <span style="font-size:12pt;"><strong> We use what's called deception technology to deploy Bait files</strong> throughout a network, and then monitor those Bait files and then take automated action to kill the Ransomware once it's running. So that's the background story, how Cryprostopper was started. It was really out of an absolute need that there wasn't another product in the marketplace that was doing that.</span><br /> <br /> <span style="font-size:12pt;"><strong> Boris: </strong>Interesting. This is actually a very special year, a year of a major disruption, mainly related to the global pandemic. And then we also have seen many cyber related incidents. Could you perhaps tell us your thoughts on what has gotten us to this point, that every CEO fierce Ransomware?</span><br /> <br /> <span style="font-size:12pt;"><strong> Greg: </strong>It really all goes back to that availability of cryptocurrency. So the fact that these attackers can now make millions of dollars from their attacks. Actually Garmin here in the U S was hit this past summer of 2020 and paid a $10 million ransom.<strong> So in the average ransom paid is now over $338,000.</strong></span><br /> <br /> <span style="font-size:12pt;"> What’s driven this is the ability to make millions and millions of dollars is actually more profitable now than drug trafficking. So a lot of the cyber criminals are former organized crime that used to be involved and more likely are still involved in the drug trafficking, but have now added Cyber cybercrime to their list of businesses activities.</span><br /> <br /> <span style="font-size:12pt;"><strong> Boris: </strong>On your website you stated that you guarantee a hundred percent protection. How can you guarantee to protect the companies against ransomware?</span><br /> <br /> <span style="font-size:12pt;"><strong> Greg: </strong>Our tool, every time it's deployed is completely random in installation of those deception technology files. So the attackers can't thumb print what we're doing. Each installation is unique, just like now almost all malware is unique, and that's why it's getting past so many of the antivirus solutions. We designed our solution to be unique to each installation so that the attackers can't thumbprint it and determine how we're doing what we do.</span><br /> <br /> <span style="font-size:12pt;"><strong> Boris: </strong>I remember the times when all software was on the premises, and one of the selling points of companys offering us a cloud solution was a promise of security and a reliable backup service. Now the same companies that moved their software to the cloud hear that they have to buy additional software to make them even more secure in the cloud and even on top of that, they have to buy some add ons for additional layers of protection. What is your opinion on this is why is that?</span><br /> <br /> <span style="font-size:12pt;"><strong> Greg: <em>The biggest thing is the layered security and proper configuration</em></strong>. So I agree with you that years and years ago, when we were disconnected and didn't have the internet, and I I've been in the business long enough to remember those days and remember when everything was disconnected and just on individual networks. The Risk, wasn't nearly what it is today. So now that everything is connected and required to be connected because you really can't operate a business without internet connectivity today that's, what caused that.</span><br /> <br /> <span style="font-size:12pt;"> And the configuration is the big issue and then adding that layered Security. <em><strong>So I absolutely believe that to secure all of the infrastructure within a business, you've got to have that layered security, and you've got to have a proper configuration.</strong></em></span><br /> <br /> <span style="font-size:12pt;"><strong> Boris:</strong> I believe that nowadays many customers have been doing their cybersecurity with large vendors. Could you please elaborate more on that, what is your best type of customer and what is the unique selling point of your solution.</span></p>
<p><br /> <span style="font-size:12pt;"><strong> Greg:</strong> We actually focus on managed service providers that provide their service to small businesses. So small and medium-sized businesses are the end users of our product, but we distribute that through managed service providers. So those managed service providers, they essentially act as the IT company or the IT department for those SMB clients. Companies that are between 25 and 300 employees, which is the bulk of businesses across the world, and these managed service providers become that IT department and then they are tasked with creating that layer Security that gets installed and Cryprostopper is a part of that layered security.</span></p>
<p><br /> <span style="font-size:12pt;"><strong> Boris:</strong> Maybe without dropping the names, it would be interesting to know what you or your team have recently achieved that you are really proud of, how does it work in real life?</span><br /> <br /> <span style="font-size:12pt;"><strong> Greg: </strong>Well, a couple of things, just the fact that we stop Ransomware on a very consistent basis. We just had a law firm that we stopped a ransomware attack, and that would have devastated and shut down the company. And that's something that really, it's almost a non event now. So it isn't that big of a deal because nothing really happens. And that's what we want is boring Ransomware. So between that, and some of the advancements that we've made with our software are the biggest, things that I'm proud of right now. </span><br /> <br /> <span style="font-size:12pt;"><strong> Boris:</strong> I would love to hear your personal opinion. What is a commonly held belief as it relates to cybersecurity and especially Ransomware in particular that you are strongly or even passionately disagree with?</span><br /> <br /> <span style="font-size:12pt;"><strong> Greg: </strong>So <strong>there’s no one silver bullet to stop Ransomware.</strong> I know that even owning Cryprostopper and owning a product that stops Ransomware, it still takes a full layer of defense because there are other problems, other cybersecurity crimes that can happen and devastate businesses too. So it's the fact that every business needs a fully layered security solution, and it needs to understand what that is.</span><br /> <br /> <span style="font-size:12pt;"> So CEOs and boards need to educate themselves and understand what their IT department or what their managed services business is doing for them. They don't need to become cybersecurity experts, but they need to make sure that they understand that what's being done and what that layered security on their network looks like.</span><br /> <br /> <span style="font-size:12pt;"><strong> Boris: </strong>For example, if we take a life of a risk manager. If there is one thing that risk managers should start doing right now that they are not doing currently, what would it be?</span><br /> <br /> <span style="font-size:12pt;"><strong> Greg: </strong>I'm making the assumption that they're all doing this, but really looking at the individual business units within the company and where are those business units driving their revenue from, and how is technology affecting that. So if any one piece of the technology is taken down, whether it be by Ransomware or some other attack, or the data is breached, and exfiltrated, what is that risk to the business?</span><br /> <br /> <span style="font-size:12pt;"> And I think that today, cybersecurity is a certainly a more prevalent risk than any other kind of disaster. It is certainly became more prevalent in my offsite, backup and disaster recovery companies that I previously own. We were doing more recoveries because of cyber attack then because of natural disasters, hardware failures and employee mishaps. Ransomware and cyber crime was more prevalent than all other things combined.</span><br /> <br /> <span style="font-size:12pt;"><strong> Boris:</strong> I would like to ask the same question, but another way around. What should risk managers stop doing right now that they are doing currently?</span></p>
<p><br /> <span style="font-size:12pt;"><strong> Greg: </strong>I think just looking at insurance as fixing the problem, because that does not fix the problem of cyber crime. It helps to mitigate it, but it doesn't fix the problem.</span><br /> <br /> <span style="font-size:12pt;"><strong> Boris:</strong> Because there were a lot of a cybersecurity insurance that you can buy but what will you really get?</span></p>
<p><br /> <span style="font-size:12pt;"><strong> Greg: </strong>The thing about a cyber liability insurance is that you really have to understand and look at the policy. So from a risk manager standpoint, they need to understand what the different kinds of cybercrime are that can affect to them. And then what are the most prevalent and what is the cyber liability policy that they're purchasing? What are the individual limits within that policy and making sure that it's broad enough coverage that there aren't going to be exclusions,</span><br /> <br /> <span style="font-size:12pt;"><strong> Boris: </strong>You also have been helping your community at Ceder Rapids, Iowa to recover from the land hurricane Derecho, that happened last summer? Could you please elaborate on this topic?</span><br /> <br /> <span style="font-size:12pt;"><strong> Greg:</strong> From a risk management standpoint, this was something that even my self being in the disaster recovery business was something that I did not look at as a potential risk for our area. We're in Iowa, which is right in the middle of the US. And we don't have hurricanes here. I mean, there's hurricanes along the coast and I've helped, companies prepare for hurricane season what they need to do to be able to relocate and run their business somewhere else, but have never had to do that here in the Midwest and in Iowa.</span><br /> <br /> <span style="font-size:12pt;"> And this land hurricane that hit was called Derecho, basically was hurricane speed winds. So a 110 mile an hour a sustained winds across about a 40 mile swath. And it went to it directly hits Cedar Rapids, Iowa, which is a community that I live in and took power out for 97% of the residents, myself included. And I was without power for six days.</span><br /> <br /> <span style="font-size:12pt;"> And lots of the community was out without power for two weeks. And so the thing that companies had prepared for here was if their building had a fire or some other type of disaster, that they could go and work from home, recover to the cloud, or utilize their cloud services and work from home. Well, that wasn't an option because no one had power. And so for myself, I being in the industry and I was pretty well-prepared and within about two hours had my generator up and running and was back online and was able to work completely cloud based.</span><br /> <br /> <span style="font-size:12pt;"> So it really wasn't a problem for me, but I helped lots of other businesses figure out how they could get their employees back up and running. And really, what it ended up being was lots of people going and working from hotels, which during a pandemic was not the easiest thing either. So it was devastating in the disruption to businesses. So from a risk management standpoint, something that I've re-evaluated and looked at, okay, what happens if an event like that happens again, because there's other things that could take power out for an extended period of time in a large area.</span></p>
<p><span style="font-size:12pt;"><strong>Boris:</strong> As an entrepreneur to entrepreneur, what is the most important lesson that you have learned through your years of entrepreneurship?</span></p>
<p><span style="font-size:12pt;"><strong>Greg: </strong>For me, it's really being transparent and honest with my employees. And that's something that I feel like companies and CEOs have not done in the past as we progress forward and the new generation of employees that are coming on board, they do not respond well to “just do your job”. We have to be as CEOs transparent across the company.</span><br /> <br /> <span style="font-size:12pt;"> And what I mean by that is that as the CEO that I'm available and that all of the other managers in the company are available and transparent and everything that we do.</span></p>
<p><span style="font-size:12pt;"><strong>Boris: </strong>Fantastic. Have I missed some questions that you would like to add to the Interview?</span><br /> <br /> <span style="font-size:12pt;"><strong> Greg: </strong>I think that when really looking at what the biggest risks that I see for business today and what risk managers need to be thinking about is everything that you've thought about in the past, and then add cybercrime to that and understanding what are the most prevalent and most damaging risks to a business, and how does that affect them? <strong>So right now, a business email compromise is the most prevalent with Ransomware being number two.</strong></span><br /> <br /> <span style="font-size:12pt;"> And so really understanding how those first two top things from a risk management standpoint can affect the businesses that you're working with. And what would that devastation within the company look like and how do you mitigate that?</span></p>
<p><span style="font-size:12pt;"><strong>Boris:</strong> Fantastic. Thank you. Greg for talking to you with me today, and I wish you a great success with growing your company and as a private individual with your community that you helped. Perhaps we can come back in a few months and see the progress with your company.</span></p>
<p><span style="font-size:12pt;"><strong>Greg:</strong> Yes, we've actually been making lots and lots of progress from the Derecho as a community. We're pretty well recovered from that. And as a company with Cryprostopper we were seeing explosive growth already in 2021. Thanks for having me on today.</span></p>
<p><span style="font-size:12pt;"> </span></p>
<p><span style="font-size:12pt;"> </span></p>
<p><span style="font-size:12pt;"> </span></p></div>10 Internet Security Myths that Small Businesses Should Be Aware Ofhttps://globalriskcommunity.com/profiles/blogs/10-internet-security-myths-that-small-businesses-should-be-aware2018-05-11T15:18:58.000Z2018-05-11T15:18:58.000ZRobert Sicilianohttps://globalriskcommunity.com/members/RobertSiciliano<div><p>Most small businesses don’t put as much focus on internet security as they probably should. If you are a small business owner or manager, not focusing on internet security could put you in a bad spot. Are you believing the myths about internet security or are you already using best practices? Here’s a few of the most common myths…take a look to see where you truly stand:</p><p><img src="https://activerain.com/image_store/uploads/agents/robertsiciliano/files/cyber-crime.jpg" alt="" width="300" height="300" align="right" /></p><p><strong>Myth – All You Need is a Good Antivirus Program</strong></p><p>Do you have a good antivirus program on your small business network? Do you think that’s enough? Unfortunately, it’s not. Though an antivirus program is great to have, there is a lot more that you have to do. Also, keep in mind that more people than ever are working remotely, and odds are good that they are working on a network that is not secured.</p><p><strong>Myth – If You Have a Good Password, Your Data is Safe</strong></p><p>Yes, a strong password is essential to keeping your information safe, but that alone is not going to do much if a hacker is able to get it somehow. Instead, setting up two-factor authentication is essential. This is much safer. Also make sure that your team doesn’t write their passwords down and keep them close to the computer or worse, use the same passwords across multiple critical accounts.</p><p><strong>Myth – Hackers Only Target Large Businesses, So I Don’t Have to Worry</strong></p><p>Unfortunately, many small business owners believe that hackers won’t target them because they only go after big businesses. This isn’t true, either. No one is immune to the wrath of hackers, and even if you are the only employee, you are a target.</p><p><strong>Myth – Your IT Person Can Solve All of Your Issues</strong></p><p>Small business owners also believe that if they have a good IT person, they don’t have to worry about cybercrime. This, too, unfortunately, is a myth. Though having a good IT person on your team is a great idea, you still won’t be fully protected. Enlist outside “penetration testers” who are white-hat hackers that seek out vulnerabilities in your networks before the criminals do.</p><p><strong>Myth – Insurance Will Protect You from Cybercrime</strong></p><p>Wrong! While there are actually several insurance companies that offer policies that “protect” businesses from cybercrimes, they don’t proactively protect your networks, but will provide relief in the event you are hacked. But read the fine print. Because if you are severely negligent, then all bets may be off. In fact, it is one of the strongest growing policy types in the industry.</p><p><strong>Myth – Cyber Crimes are Overrated</strong></p><p>Though it would certainly be nice if this was false, it’s simply not. These crimes are very real and could be very dangerous to your company. Your business is always at risk. Reports show as many as 4 billion records were stolen in 2016.</p><p><strong>Myth – My Business is Safe as Long as I Have a Firewall</strong></p><p>This goes along with the antivirus myth. Yes, it’s great to have a good firewall, but it won’t fully protect your company. You should have one, as they do offer a good level of protection, but you need much more to get full protection.</p><p><strong>Myth – Cybercriminals are Always People You Don’t Know</strong></p><p>Unfortunately, this, too, is not true. Even if it is an accident, many instances of cybercrimes can be traced back to someone on your staff. It could be an employee who is angry about something or even an innocent mistake. But, it only takes a single click to open up your network to the bad guys.</p><p><strong>Myth – Millennials are Very Cautious About Internet Security</strong></p><p>We often believe that Millennials are very tech-savvy; even more tech-savvy than the rest of us. Thus, we also believe that they are more cautious when it comes to security. This isn’t true, though. A Millennial is just as likely to put your business at risk than any other employee.</p><p><strong>Myth – My Company Can Combat Cyber Criminals</strong></p><p>You might have a false bravado about your ability to combat cybercrime. The truth is, you are probably far from prepared if you are like the majority.</p><p>These myths run rampant in the business world, so it is very important to make sure that you are fully prepared to handle cybercrime.</p><p><a href="http://robertsiciliano.com/" target="_blank">Robert Siciliano</a> personal security and identity theft expert and speaker is the author of <a href="http://www.amazon.com/Things-Wish-Before-Identity-Stolen/dp/1941308996/ref=as_sl_pc_qf_sp_asin_til?tag=httprobertc02-20&linkCode=w00&linkId=JAZ7MOSJYUIXZMJ3&creativeASIN=1941308996" target="_blank"><em>99 Things You Wish You Knew Before Your Identity Was Stolen</em></a>. See him knock’em dead in this <a href="https://www.youtube.com/watch?v=2m3Ra6ROPeA&index=1&list=PL68455D9C6D4E9101&t=237s" target="_blank">identity theft prevention</a> video.</p></div>Equifax Data Breach: What Businesses Should Be Doinghttps://globalriskcommunity.com/profiles/blogs/equifax-data-breach-what-businesses-should-be-doing2017-09-21T15:19:23.000Z2017-09-21T15:19:23.000ZSteven Minskyhttps://globalriskcommunity.com/members/StevenMinsky<div><p><a href="{{#staticFileLink}}8028264890,original{{/staticFileLink}}"><img width="350" src="{{#staticFileLink}}8028264890,original{{/staticFileLink}}" class="align-right" alt="8028264890?profile=original" /></a>As I watch the Equifax scandal unfold, it becomes clear to me that many are at a loss of what to do, or even how to think about this data breach. The first reaction people have is centered on if they, their friends, or family were personally impacted. Rightfully so. For some advice on what you can do to protect your identity, read my recent blog, <a href="http://www.logicmanager.com/erm-software/2017/09/18/equifax-data-breach-how-to-protect-yourself/?utm_source=GlobalRisk&utm_medium=referral&utm_campaign=Referral%20Traffic">Equifax Data Breach: How to Protect Yourself</a>.</p><p>In addition to the personal reaction, however, I would call on all employers to consider how this breach, and future breaches, could affect their business. Contrary to popular belief, the answer to avoiding the consequences of this breach have nothing to do with technology. The weakest links right now are people, processes, and procedures. First and foremost, your business is comprised of people—people who have access to sensitive information from bank accounts to what gets published on your website—people whose identity is now at risk of being stolen.</p><p>Hackers will always go for the lowest hanging fruit with the most bang for their buck. Finding weaknesses in a corporation’s technology is time consuming. But with the information gained from the Equifax hack, it is now exponentially easier for identity thieves to impersonate those with access to sensitive information and authorize fraudulent actions that could do immense damage to your company, from both a financial and reputational perspective.</p><p>The answer to protecting your company from these damages is actually quite simple, and will cost you absolutely nothing. You have to rewrite your processes, or playbooks if you will, of how you protect your employees and authenticate sensitive activities both internally and through your third-party vendors.</p><p></p><p><span class="font-size-2"><strong style="font-size:1.5em;">Playbook One: Take care of your employees</strong></span></p><p>The first step is to take care of your employees. With 143 million U.S. consumers affected by this hack, the chances are about half of your employee base is affected.</p><p>The sheer awareness of this data breach and its extreme potential consequences are enough to induce a great deal of anxiety in your employees and reduce productivity a great deal. Ultimately, the only way you can ensure that your business is running smoothly, and that your customers are getting the service they deserve, is to alleviate your employees’ anxiety.</p><p>The best way to do this is to educate them on what this breach means for them, and what they can do to protect themselves. Direct them to articles outlining the difference between credit monitoring, fraud alerts, and credit freezes. Give them recommendations on which option is best and the next steps to pursuing that option.</p><p>Another way to alleviate your employees’ anxiety is to encourage them to get identity restoration support, or better yet, offer it to them through the company. Knowing that even if they are victims of identity theft, they’re covered provides a huge sense of relief.</p><p>I have already written this playbook outlining what American consumers should be doing to protect themselves after this breach. Feel free to read the article <a href="http://www.logicmanager.com/erm-software/2017/09/18/equifax-data-breach-how-to-protect-yourself/?utm_source=GlobalRisk&utm_medium=referral&utm_campaign=Referral%20Traffic">here</a>.</p><p>The benefits of writing this playbook are manifold. Your employees will feel safe and secure enough to focus on their work. Taking demonstrable steps to help your employees protect themselves and their families will also improve company culture and inspire your employees to look out for your best interests in return.</p><p></p><h2><strong>Playbook Two: Change Internal Authentication Procedures</strong></h2><p>The next step is to change how sensitive requests and actions are authenticated internally. With a flood of SSNs, birthdates, drivers’ licenses, addresses, and names now on the marker, it’s no longer effective or prudent to authorize these actions based on this information.</p><p>Banks have gotten better at rewriting this playbook. You may have noticed that in recent years, banks have switched from asking you questions found in the public domain, to questions only you would know. For example, asking what your first car was isn’t as effective as asking you what your favorite color is because the former can easily be found by identity criminals, while the latter cannot.</p><p>Although most companies have been gearing up for years for digital hacking prevention, fewer resources have been put into employee identity theft vulnerabilities. The truth is, if verbal authentication is based on information breached by Equifax, any impersonated employee can have their accounts manipulated, addresses changed, and passwords reset and sent, which bypasses all of your existing digital controls of two-factor authentication and other defenses.</p><p>Every company in every industry should be reviewing and changing internal controls to an authorization process that does not involve information that can be found in the public domain, like favorite animal, best friend’s name, first pet’s name, etc.</p><p>For example, if you have sensitive equipment or restricted areas at your facilities, how will you prevent identity thieves from impersonating employees to gain access? How do you know you are not authorizing a breach of your data by an impersonated partner or employee authorizing access for change of password assistance or other activities? Your employees’ information is now likely for sale, and the buyers may not only be interested in direct credit card theft, but business espionage, terrorism, and competitor actions, as well.</p><p></p><h2><strong>Playbook Three: Change Third-Party Authentication Procedures</strong></h2><p>Once you have rewritten your internal authentication processes, you must make sure that all third-party vendors are dealt with similarly. Today, every company is outsourcing one process or another. The fact is, these vendors are dealing with sensitive information and processes that could have an immense impact on your company. As I often say, you can outsource the process, but you can never outsource the risk.</p><p>For example, although most companies process payroll electronically, what is there to prevent a phone call to your payroll provider to make administration changes? What information is used to authenticate payroll distributions if provided verbally? There must be a phone protocol that does not rely on information that can be impersonated.</p><p>Every company has different impersonation/identity theft risks, but there are some universal questions each company should ask of themselves:</p><ul><li>Who are the key control personnel with security clearances and access to sensitive information?</li><li>What would be the impact if their personal identities were compromised by third parties and used in the workplace against the company?</li><li>What information do you depend upon to authenticate verbally with your third-party vendors like datacenters that manage your customer’s sensitive data to issue new ID cards, entrance badges or changing personnel records?</li><li>Have you updated your vendor forms for collecting information and data privacy consents including photographic images?</li><li>How will you conduct due diligence on your key suppliers performing a rewrite of their internal control procedures described above?</li><li>How will you monitor their compliance with your new policies and procedures?</li></ul><p>The Equifax data breach has redefined operational risk and is a point of no return for enterprise risk management, as every corporation will need to develop an ERM program that can help them answer these questions. For more on the business implications of the Equifax data breach, read my blog <a href="http://www.logicmanager.com/erm-software/2017/09/13/equifax-data-breach-point-of-no-return/?utm_source=GlobalRisk&utm_medium=referral&utm_campaign=Referral%20Traffic">Equifax Data Breach: The Point of No Return</a>.</p><p>Fortunately, if all authentication processes internally rely on information not found in the public domain, and if all authentication processes of third parties rely on information not found in the public domain, then all of your bases are covered, and you have dramatically reduced the risk of suffering the consequences of identity impersonation.</p><p></p><h2><strong>Tips for rewriting these playbooks</strong></h2><p>At first glance, rewriting all of your authentication procedures seems a daunting and even impossible task. But in fact, <a href="http://www.logicmanager.com/grc-software/?utm_source=GlobalRisk&utm_medium=referral&utm_campaign=Referral%20Traffic">enterprise risk management</a> at its core is designed to achieve this exact goal in a timely and cost-effective manner.</p><ol><li>The first step is to perform <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-assessment-templates/?utm_source=GlobalRisk&utm_medium=referral&utm_campaign=Referral%20Traffic">risk assessments</a>. Every company is different and there’s no cookie-cutter way to prepare for the risks of a data breach or identity impersonation. The best way to rewrite these playbooks in a way that best supports your company is to perform risk assessments. Risk assessments will tell you which personnel, processes, policies, and technology need to be taken care of first.</li><li>While you need to take care of all of your employees, it might be overwhelming to do this all at once. Therefore, you may choose to determine which employees are most critical from a security perspective and what the impact would be if they were to be impersonated, and take care of these employees first.</li><li>The same goes for your authentication processes. It would be overwhelming to rewrite all process, control, and policy combinations at once, so it’s important to determine the processes and controls that would have the most impact on your company if compromised in order to allocate your time and resources effectively.</li><li>Remember to repeat steps 1, 2, and 3 above for your third-party partners and customers. Since there are so many vendors and so many internal and external relationship owners, a risk assessment will quickly identify which vendors are higher risk than others for any process, department or function.</li><li>Document the steps you are taking to protect your company. This way, if a breach occurs, you will be able to prove to regulators that you were aware of the risk and were doing everything you could to mitigate it. In turn, you will be protected from punitive damages and lawsuits due to negligence.</li></ol><p></p><p><b><i>To help get you started, download a copy of our eBook</i></b> <a href="http://www.logicmanager.com/ebook-5-steps-for-better-risk-assessments/?utm_source=GlobalRisk&utm_medium=referral&utm_campaign=Referral%20Traffic"><i>5 Steps for Better Risk Assessments</i></a><b><i>, or download our</i></b> <a href="http://www.logicmanager.com/free-best-practices-risk-assessment-template/?utm_source=GlobalRisk&utm_medium=referral&utm_campaign=Referral%20Traffic"><i>free risk assessment template for excel</i></a><i>.</i></p><p></p></div>How to Make $5 Million a Day in Cybercrimehttps://globalriskcommunity.com/profiles/blogs/how-to-make-5-million-a-day-in-cybercrime2017-02-08T14:05:53.000Z2017-02-08T14:05:53.000ZRobert Sicilianohttps://globalriskcommunity.com/members/RobertSiciliano<div><p>This post isn’t exactly a “how to” but if your current employment isn’t bringing in the bacon, I’m sure your criminal mind can figure it out. In the biggest digital advertising fraud in the history of the U.S., it was recently found that a group of hackers is bringing in from $3 million to $5 million a day from media companies and brands. That’s some scratch!</p><p><img src="http://activerain.com/image_store/uploads/agents/robertsiciliano/files/11D.jpg" alt="" width="300" height="228" align="right" /></p><p>White Ops, an online fraud-prevention firm, uncovered this campaign, which they have called “Methbot,” and the firm found that the campaign is generating more than 300 million video ad impressions each day.</p><p>AFT13, which is a cyber criminal gang, has worked to develop the Methbot browser, which spoofs all of the interactions that are necessary to initiate and carry out these ad transactions.</p><p>The hackers, which are allegedly Russia-based, have registered more than 250,000 distinct URLs and 6,000 domains, all of which impersonate US brand and companies, including Vogue, ESPN, Fox News, Huffington Post, and CBS Sports. They then take these sites and sell fake ad slots.</p><p>The cybercriminals that are behind Methbot are using their servers, which are hosted in Amsterdam and Texas, to give power to almost 600,000 bots. These have fake IP addresses, most of which belong to the US, and this makes it look like the ads are being viewed by visitors in the US. The criminals then get video-ad inventory, which they display on the fake media website that they have created. They get top dollar for this, and they trick the marketplace into believing that this content is being seen by legitimate visitors. In reality, however, these ads are being “viewed” by fake viewers thanks to an automated program that mimics a user watching an ad.</p><p>To make the bots look even more real, the group also uses methods such as fake clicks, mouse movements, and even social network login info. White Ops has also found that this fake army of viewers has amassed about 300 million ad views each day, and it has an average payout of about $13 per every 1000 views. If you multiply this by the compromised IP addresses out there, the money is rolling in.</p><p>White Ops believes that the Methbot empire has created from 200 to 300 million fake video ad impressions each day, which targets about 6,000 publishers. In a 24-hour period, this is generating somewhere between $3 and $5 million in each 24-hour period.</p><p>While the operation has its headquarters in Russia, White Ops can’t say for sure that Methbot has Russian origins. The good guys have been in contact with the FBI, and together, they have been working towards stopping this scam for several weeks.</p><p><a style="color:#bb0000;" href="http://robertsiciliano.com/">Robert Siciliano</a> personal security and <a style="color:#bb0000;" href="http://www.trustedalarm.com/">identity theft</a> expert and speaker is the author of <a style="color:#bb0000;" href="http://www.amazon.com/Things-Wish-Before-Identity-Stolen/dp/1941308996/ref=as_sl_pc_qf_sp_asin_til?tag=httprobertc02-20&linkCode=w00&linkId=JAZ7MOSJYUIXZMJ3&creativeASIN=1941308996"><em>99 Things You Wish You Knew Before Your Identity Was Stolen</em></a>. See him knock’em dead in this <a style="color:#bb0000;" href="http://www.youtube.com/watch?v=p_ikx0_erfU">identity theft prevention</a> video.</p></div>The Impact of Ransomware on Small Businesseshttps://globalriskcommunity.com/profiles/blogs/the-impact-of-ransomware-on-small-businesses2015-09-01T14:32:36.000Z2015-09-01T14:32:36.000ZRobert Sicilianohttps://globalriskcommunity.com/members/RobertSiciliano<div><p>What’s going on this September? <a href="http://bit.ly/1EZvuso">National Preparedness Month</a>. This will be the time to increase your awareness of the safety of your business, family, pets and community. During disasters, communication is key. National Preparedness Month concludes on September 30 with the National PrepareAthon! Day.</p><p><img src="http://activerain.com/image_store/uploads/agents/robertsiciliano/files/celebrate.jpg" alt="" align="right" height="300" width="300" /></p><p>It would be like a science fiction movie: You go to pull up the file detailing the records of your last quarter’s profit and loss statement, and instead you get a flashing notice: “Your computer has been compromised! To see your file, you must pay money!”</p><p>This is called ransomware: a type of malware sent by criminal hackers. Welcome to the world of cybercrime. In fact, ransomware can prevent you from doing <em>anything</em> on your computer.</p><p>Where does this ransomware come from? Have you clicked a link inside an e-mail lately? Maybe the e-mail’s subject line really grabbed your attention, something like: “Your FedEx shipment has been delayed” or “Your Account Needs Updating.”</p><p>Maybe you opened an attachment that you weren’t expecting. Maybe you were lured to a website (“Dash Cam Records Cyclist Cut in Half by Car”) that downloaded the virus. Other common ways crooks trick you into downloading ransomware include:</p><ul><li>Hackers impersonate law enforcement; claim you downloaded illegal material; demand a fine for your “violation.”</li><li>You receive a message that your Windows installation requires activation because it’s counterfeit.</li><li>Or, the message says your security software isn’t working.</li></ul><p><strong>What should you do?</strong></p><ul><li>Never pay the ransom, even if you’re rich. Paying up doesn’t guarantee you’ll regain access. Are you kidding?</li><li>Double check that all of the newly encrypted (and utterly useless) files are backed up, wipe your disk drive and restore the data.</li><li>Wait a minute—your files weren’t backed up?</li></ul><p><strong>An ounce of prevention is worth a pound of hacking.</strong></p><ul><li>Don’t open links or attachments you’re not expecting! This includes from senders you know or companies you patronize.</li><li>Install an extension on your browser that detects malicious websites.</li><li>Use a firewall and security software and keep it updated.</li><li>Regularly back up data, every day ideally.</li></ul><p>Needless to say, ransomware attacks occur to businesses. Small companies are particularly vulnerable because they lack the funds to implement strong security. Attacks on businesses usually originate overseas and are more sophisticated than attacks on the common Internet user at home or at the coffee house.</p><p>And just like the common user, the business should never pay the ransom, because this will only prolong the situation.</p><ul><li>Make the criminal think you’re going to pay. Tell them you need time to prepare the fee.</li><li>Build your defense by gathering all the correspondence.</li><li>Present this to your webhosting provider, not the police.</li><li>The webhoster will get to work on this.</li><li>If the loss is extensive, present the correspondence to the FBI.</li><li>If the attack is in virus form, you’re finished.</li></ul><p>The prevention tactics above apply to businesses and really, everyone. Employees should be rigorously trained in how “phishing” e-mails work and other tricks that cyber thieves use. To learn more about preparing your small business against viruses like ransomware, download Carbonite’s <em>e-book</em>, “<a href="http://bit.ly/1EZvuso">5 Things Small Businesses Need to Know about Disaster Recovery</a>.”</p><p>#1 Best Selling Author Robert Siciliano CSP, CEO of IDTheftSecurity.com is a United States Coast Guard Auxiliary Flotilla Staff Officer of the U.S. Department of Homeland Security whose motto is Semper Paratus (Always Ready). He is a four time Boston Marathoner, Private Investigator and is fiercely committed to informing, educating, and empowering people so they can be protected from violence and crime in the physical and virtual worlds. As a Certified Speaking Professional his “tell it like it is” style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders. <a href="http://robertsiciliano.com/blog/2010/01/01/disclosures-term-conditions/">Disclosures</a>.</p></div>3 Ways Criminals influence to stealhttps://globalriskcommunity.com/profiles/blogs/3-ways-criminals-influence-to-steal2015-05-22T13:43:53.000Z2015-05-22T13:43:53.000ZRobert Sicilianohttps://globalriskcommunity.com/members/RobertSiciliano<div><p>Criminals use six basic principles of Influence to steal. In this post we will discuss the first 3. The ability to influence boils down to science. By applying some science, anyone can learn to be more influential. It’s easy to influence sheep and cattle. It’s a bit more complicated to influence people. But many people can be influenced as easy as a cow. Criminals understand this the same way sales people do. The derivative of “confidence” is con. All influence in some way is designed to gain your confidence and in some cases to trick you. That’s where “confidence trick” comes from. Robert Cialdini is a psychologist who studied influence for nearly 30 years, condensing his findings into six principles. I’ll bet every crime syndicate out there read his books.</p><p><img src="http://activerain.trulia.com/image_store/uploads/agents/robertsiciliano/files/3S.jpg" alt="" align="right" height="203" width="375" /></p><p><strong>Reciprocation</strong></p><ul><li>Do something nice for a person and they will feel obligated to return the favor. This concept is seen in doctors who promote a particular drug—the pharmaceutical company has just given him free notepads, pens and a coffee mug.</li><li>Want your children to show you respect? Show <em>them</em> respect. They’ll feel obligated to treat you the same. Mostly.</li><li>Scammers use this by offering something free in an emailed link. You might have to reciprocate and give up an email address or simply click a link. Clicking on the link installs a virus. You get a call from a colleague in tech support. They say “I need your password to fix this server” and “I’ll be there for you someday when you need help”. We want to help, we want to return the favor.</li></ul><p><strong>Social Proof</strong></p><ul><li>This is the “It’s okay if everyone else does it” approach. People have a tendency to check out what other people are doing when they’re not sure what course to take. Stand on a street corner in a busy city and look up at a skyscraper, then watch the crowed gather to see what you are looking at.</li><li>Why does the new treadmill user at the gym hold onto the rails while walking? Because they see everyone else in the gym doing it. What made you decide to buy that kitchen gadget? Because the TV ad said, “They’re going fast, everyone’s buying it, so order now!”</li><li>This concept also applies to emergency situations, such as people lined up at a third story window of a burning building, afraid to jump—until one person leaps. Suddenly, everyone else leaps.</li><li>Scammers will use social proof to trick you in a Ponzi investment scheme. If all kinds of people you trust are making the same investment, then why wouldn’t you?</li></ul><p><strong>Commitment and Consistency</strong></p><ul><li>Get someone to verbally or in writing commit to something, and this will increase the chances they’ll follow through. They are committed. Signing a contract means you are committed. Anything that comes out of that contract is your responsibility.</li><li>People want to do things by the book, they want to be civilized and play by the rules. This plays off of social proof to conform like others.</li><li>Scammers recognize most people are committed to “doing the right thing”, or being appropriate. So if you get a call or an email saying there is an issue with your account, you want to do the right thing and fix it. Getting things right may mean giving your data to a criminal.</li></ul><p>Don’t be cattle. Don’t act like sheep. Most of the world functions based on the honor system. As long as everyone is honest, everything works seamlessly. The honor system is designed with the mindset that we are all sheep and there are no wolves. We know there are plenty of wolves. Don’t be sheep.</p><p>Robert Siciliano is an Identity Theft Expert to <a href="http://hotspotshield.com">Hotspot Shield</a>. He is the author of <a href="http://www.amazon.com/Things-Wish-Before-Identity-Stolen/dp/1941308996/ref=as_sl_pc_qf_sp_asin_til?tag=httprobertc02-20&linkCode=w00&linkId=JAZ7MOSJYUIXZMJ3&creativeASIN=1941308996"><em>99 Things You Wish You Knew Before Your Identity Was Stolen</em></a> See him discussing internet and wireless security on <a href="http://www.youtube.com/watch?v=Ynj5SgZEIyY&feature=share&list=UUxPUhCstuAW8GJR826pamYA">Good Morning America</a>. <a href="http://ow.ly/1bdMH">Disclosures</a>.</p></div>What is a Remote Administration Tool (RAT)?https://globalriskcommunity.com/profiles/blogs/what-is-a-remote-administration-tool-rat2015-02-21T14:09:43.000Z2015-02-21T14:09:43.000ZRobert Sicilianohttps://globalriskcommunity.com/members/RobertSiciliano<div><p>Ever felt like your computer was possessed? Or that you aren’t the only one using your tablet? I think I smell a rat. Literally, a RAT.</p><p><img src="http://activerain.trulia.com/image_store/uploads/agents/robertsiciliano/files/14D_new.jpg" alt="" align="right" height="233" width="350" /></p><p>A RAT or remote administration tool, is software that gives a person full control a tech device, remotely. The RAT gives the user access to your system, just as if they had physical access to your device. With this access, the person can access your files, use your camera, and even turn on/off your device.</p><p>RATs can be used legitimately. For example, when you have a technical problem on your work computer, sometimes your corporate IT guys will use a RAT to access your computer and fix the issue.</p><p>Unfortunately, usually the people who use RATs are hackers (or rats) trying to do harm to your device or gain access to your information for malicious purposes. These type of RATs are also called remote access <a href="http://blogs.mcafee.com/consumer/trojan-horse"> </a> as they are often downloaded invisibly without your knowledge, with a legitimate program you requested—such as a game.</p><p>Once the RAT is installed on your device, the hacker can wreak havoc. They could steal your sensitive information, block your keyboard so you can’t type, install other <a href="http://blogs.mcafee.com/consumer/malware">malware</a>, and even render your devices useless. They could also</p><p>A well-designed RAT will allow the hacker the ability to do anything that they could do with physical access to the device. So remember, just like you don’t want your home infested by rats, you also don’t want a RAT on your device. Here are some tips on how you can avoid a RAT.</p><ul><li><strong>Be careful what links you click and what you download.</strong> Often times RATs are installed unknowingly by you after you’ve opened an email attachment or visited an software in the background.</li><li><strong>Beware of </strong><a href="https://blogs.mcafee.com/consumer/back-to-college-means-p2p-file-sharing"><strong>P2P file-sharing</strong></a>. Not only is a lot the content in these files pirated, criminals love to sneak in a few malware surprises in there too.</li><li><strong>Use comprehensive security software on all your devices</strong>. Make sure you install a security suite like <a href="http://home.mcafee.com/root/campaign.aspx?cid=132126">McAfee LiveSafe™</a> service, which protects your data and identity on all your PCs, Macs, tablets and smartphones.</li></ul><p>Keep your devices RAT free!</p><p><a href="https://blogs.mcafee.com/author/robert-siciliano"><em>Robert Siciliano</em></a><em> is an Online Security Expert to </em><a href="http://home.mcafee.com/"><em>McAfee</em></a><em>. He is the author of </em><a href="http://www.amazon.com/Robert-L.-Siciliano/e/B0035CH602/ref=ntt_athr_dp_pel_1"><em>99 Things You Wish You Knew Before Your Mobile was Hacked!</em></a><em> </em><a href="http://robertsiciliano.com/blog/2010/01/01/disclosures-term-conditions/"><em>Disclosures.</em></a></p></div>Moble Betting News: Mobile Crime & Fraud Riskshttps://globalriskcommunity.com/profiles/blogs/moble-betting-news-mobile-crime-amp-fraud-risks2011-09-09T14:56:43.000Z2011-09-09T14:56:43.000ZJacques LeDiscohttps://globalriskcommunity.com/members/JacquesLeDisco<div><div>According to a 2011 McAfee report on second quarter threats, there were 12 million unique samples of malware for the first half of the year, up 22 percent over 2010, making 2011 the busiest six months in malware history.</div><div>As smartphones are used increasingly for mobile payments, and mobile betting, mobile crime exposes mobile operators to business risks from unauthorized account access, fraud, and financial crime.</div><div>“Smartphones are an attractive target for criminals as “there is a lot of money involved, it is an easy job, and it is low risk.” <br />- Eugene Kaspersky, Founder of Kaspersky</div><div><span style="text-decoration:underline;">Features</span><br /><strong>38 Mobile Phone Crime and Fraud Risks</strong><br />38 Cybercrime and Theft Risks<br />38 Mobile Phone Theft Crime Wave<br />39 Recycled Mobile Data Risk<br />39 Mobile Network Vulnerability<br />40 Subscriber Data Risk<br />40 Prepaid Mobile Phone Risks<br />41 Mobile Authentication<br />42 Cyber Attacks<br />42 Mobile Cybercrime Risks<br />44 App Store Risk<br />44 iOS Vulnerability<br />45 Android Vulnerability<br />45 Mobile Security Measures</div><div><span style="text-decoration:underline;">Metrics</span><br />48 Mobile Security App Download Survey-August 2011</div><div>Available to subscribers, or as a single-issue purchase ($99).</div><div>Jacques LeDisco<br />Mobile Betting News<br /><a href="mailto:blackjax777@gmail.comhttp://www.amazon.com/dp/B005J044TO">blackjax777@gmail.com</a></div><a href="mailto:blackjax777@gmail.comhttp://www.amazon.com/dp/B005J044TO"></a><div><a href="http://www.amazon.com/dp/B005J044TO">http://www.amazon.com/dp/B005J044TO</a></div></div>