Archive for September 2018
Cyber Security Chicago: Colin McKinty of BAE Systems
(Special thanks to Colin McKinty of BAE Systems for his time and insights; please be sure to read our previous Cyber Security Chicago installments with David Juniper, Marcin Kleczynski, Sandra Fathi and Joe Rogalski)
One of the best strategies that nonprofits and social enterprise organizations can implement in taking cybersecurity measures is determining their overall value. Determining that value can be complicated, yet the increasing impact on cybercrime on organizations requires a greater investment of time and effort. Our coverage of Cyber Security Chicago closes with a conversation with Colin McKinty of BAE Systems about how organizations assess risk…and the steps that mission-driven organizations can take to reduce those risks.
Cyber threats to organizations have evolved over the years, and their complexity and intricacy often make it difficult to determine an appropriate defense. Initially, cyberattacks were opportunistic and driven by individuals at the moment. Over time, cyber attacks were more planned and driven either by individuals and small groups and evolved into organized efforts by teams for hire. Eventually, hackers and funded campaigns lead to very tailored cyberattacks with a specific focus and goal. (The Bangladeshi bank heist is a great recent example of cybercrime).
In talking with Colin McKinty, one key lesson for nonprofits and mission-driven organizations is to examine the people and processes within their organization as well as the technology. Although there are numerous software packages and other tools that can protect an organization’s network against attack, securing and hiring the right people can also be critical. (Not just in the sense of avoiding the obvious glitches like sharing passwords, but also ensuring that the right person is using the right tool; it can be often easier to justify a technology spend than a spend to invest in people and processes).
Colin McKinty of BAE Systems
But as stated at the beginning of this post, Colin McKinty asserted that every organization needs to start crafting its cybersecurity strategy with an awareness of its value. For nonprofits and mission-driven organizations, their value is found in the tools, resources, and individuals needed to fulfill its mission. Those resources can include their intellectual property, their data and customer records, and internal infrastructure. (An example would be manufacturing – internally, a manufacturer needs raw materials, special tools, and other items that would be considered valuable and capable of being attacked).
As stated in our previous Cyber Security Chicago posts, a risk assessment determining the potential risks and capacity to handle them is required. Analysis of these factors can drive decision making and determine whether or not an organization can live with that risk…or develop processes to handle them. (Establishing a “business case” for handling cybersecurity risks can have an influence on higher-level executives).
One area of focus for organizations when handling cybersecurity is building on the foundations of security. Although there may be internal excitement about dealing with cyber attacks through technology, often the policies and processes of an organization get overlooked. Email can serve as a great foundational example since that serves as a conduit for many kinds of cyber attacks (including spearphishing). Examining user protocol, the technology already in place, and organizational policies can lead to greater opportunities to enhance internal security. In addition, people can often serve as advocates for greater security, especially focusing on building stronger internal resources to handle both changes in technology and process.
But most importantly, given the increasing emphasis on cybersecurity, is the idea of building a community of cybersecurity advocates. Nonprofits, social enterprise, and other mission-driven organizations have community-building as part of their approach and should be liaising with other like-minded organizations around cybersecurity. With greater efforts to build networks around data, network, and other forms of cybersecurity, this allows security to become a common language between organizations.
With greater efforts to build a community around cybersecurity (including Cyber Security Chicago), the importance of securing data and other critical information in the digital age cannot be overestimated. This is a trend that is continuing to grow…and I’m glad to have been able to cover these issues for the blog.
Thoughts? Please join the conversation on our Facebook page or in the comments below. If you have more direct questions, please use my contact form to send an e-mail.
And as always, thanks for reading!
Cyber Security Chicago: Joe Rogalski of eSentire
(Special thanks to Joe Rogalski of eSentire for his time and insights; please be sure to read our previous Cyber Security Chicago installments with David Juniper, Marcin Kleczynski, and Sandra Fathi)
When a data breach or other form of cyber attack occurs, many organizations (including nonprofits and social enterprise) have difficulty moving from detecting a threat to responding before those threats disrupt a business. But minimizing that time can be critical and as my conversation with Joe Rogalski of eSentire reveals, there are many strategies that nonprofits and social enterprise organizations can execute to minimize those threads that go beyond mere prevention
To paraphrase Joe Rogalski’s statements in his Cyber Security Chicago presentation around Minimizing The Detection to Recovery Time Frame, “Prevention is futile unless it’s tied to detection and response capability.”
Joe Rogalski of eSentire
As part of the service they offer to midsized clients, eSentire provides monitoring, detection, and response to cyber attacks on various organizations, including a small number of nonprofits and professional associations. Actively watching and monitoring networks, eSentire looks for events and endpoints that lay outside the norm. (Joe Rogalski referred to a “dirty dozen” of potential cyber attack incidents which include malware attacks, lost or stolen devices, and internal & external data extrusion) According to Joe Rogalski, many cyber attacks happen in the context of a “perfect storm” of conditions…
…And these conditions can result in disrupting an organization’s business processes. Upon experiencing a cyber attack, an organization’s response moves from shock and denial to depression and anger. Then arises a period of “blamestorming” and scapegoating, which is then followed by administrative issues like insurance claims and litigation. With more organizations being the target of cyber attacks (an estimated five to seven cyber attacks occur every day), it is imperative that organizations adopt consistent policies and procedures to ensure a relatively smooth response after such an attack.
The other reason for adopting a consistent response policy is that cyber attacks can have a negative financial impact on an organization. A compromised user account, for example, can result in a $750 loss on a company. Compromise an organization’s business system, and that impact rises to $25,000. An all-out data breach on a mid-sized company can result in a $122,000 loss. (You can find impact data on specific fields as well as general information via eSentire’s Resource page). Businesses could experience a total loss of approximately $500,000 as a result of a coordinated cyberattack. But as stated previously, prevention alone will not suffice.
But how can organizations minimize the risk, and ensure a relatively smooth transition from detection to response? During our conversation, Joe Rogalski outlined some basic principles and strategies that any organization can adopt:
- Executives must understand the importance of privacy and cybersecurity in their organization, as organizational leadership plays a key role in driving these policies (and may potentially be liable when a breach occurs);
- Conducting regular risk assessments and tabletop scenarios to determine and articulate what strategies are needed (and what will occur through inaction);
- Software patch management is also critical, as keeping software and network tools updated can often assist organizations in recovery from data breaches; and
- For nonprofits and social enterprise organizations, data breaches and other cyber attacks can not only have an adverse impact on their financial status but also on their reputation as well.
We will conclude our coverage of Cyber Security Chicago with a more global discussion of cybersecurity issues with Colin McKinty of BAE Systems. Please feel free to join the conversation on our Facebook page or in the section below. If you want to e-mail me directly, please use my contact form.
And see you tomorrow!
Cyber Security Chicago: Sandra Fathi of Affect
(Special thanks to Sandra Fathi of Affect for her time and insights, as well as Cyber Security Chicago for their assistance. Please check out yesterday’s interview with Marcin Kleczynski and our preview of Cyber Security Chicago with David Juniper)
When a cyber attack strikes any private or public organization, several key strategies need to be in place: securing data, modifying internal procedures, and crisis communication. Whether your organization is a nonprofit dealing with a breach of donor information or a private company handling sensitive financial information, you need to have an overall strategy. Late yesterday afternoon, Sandra Fathi of Affect discussed Managing a Hack: Orchestrating Incident Response to Preserve Brand Reputation for Cyber Security Chicago. We were able to talk with Ms. Fathi around communication issues, and we’re providing a preview of her talk.
As Ms. Fathi explained in our discussion, other types of crises (such as hurricanes, politics, and negligence) often have clear patterns of progression. Communicating these issues takes strong coordination, collaboration, and a clear sense of the issue. However, crisis communication for cybersecurity issues involves dealing with multiple unknown issues like the source of the breach, the hacker involved, or what is being done with the hacked data. However, data breaches are such a regular occurrence that most people are receiving one to two notices a month informing them of a data breach and there is less of a negative perception than a few years ago. Consumers tend to have a higher level of forgiveness, understanding, and a willingness to move on.
Sandra Fathi of Affect
However, many organizations share a common error when dealing with a data breach: a lack of internal communication. If an IT professional finds a hole while monitoring an organization’s network, servers, and data, they may opt to simply “fix” it without communicating that result to other departments. As a result, internal departments may not be aware that a breach has occurred due to the lack of communication. It may also be determined that this incident may not have risen to the level of warranting public disclosure and may result in various organizational departments forgetting a critical communications piece.
(Thankfully, there are now laws in most states about data breach disclosure, but in some cases, what could be a potential breach can potentially be seen as merely fixing a problem. The end result is that an organization may be found to be noncompliant with legal requirements around data breach disclosure).
However, Ms. Fathi outlined some preventative measures for nonprofits, social enterprise, and other mission-driven organizations for handling these types of crises. (Organizations need to act as if data breaches are not a question of if they happen but rather when they happen). There are four “R”s when dealing with cyber attacks:
- Readiness – Preparation and monitoring for data breaches (even with simple tools like social media and Google alerts), but also anticipating potential threats/crises, discussing appropriate actions, and mapping out a crisis plan. As Ms. Fathi assured me, “The better you plan, the faster you respond”;
- Response – Determining how internal communication will work during such a crisis, focusing on what and how;
- Reassurance – Informing customers/clients what had occurred and executing the crisis plan; and
- Recovery
Developing a crisis communication plan around data breaches should be a part of any business function (which includes nonprofits and social enterprise organizations). Ms. Fathi advocated that having a plan in place should not only be part of an organization’s best practices around communications, but it should be updated on a regular basis. This plan is as much internal as it is internal, and organizations should engage their own employees about how to share information with the public and social media, emphasizing that all inquiries need to go through management.
Crisis communications around data breaches are never easy, but thanks to Sandra Fathi’s insights, nonprofits and social enterprise have a greater insight into how to proceed.
Tomorrow’s post will focus on another great speaker from Cyber Security Chicago, and we hope you’ll join us then.
Cyber Security Chicago: Marcin Kleczynski of Malwarebytes
(Special thanks to Cyber Security Chicago for complimentary access to the conference and its attendees. For an overview of Cyber Security Chicago, please check out yesterday’s preview with David Juniper, Director of Events)
As a teenager in his basement in Bensenville, Marcin Klecynski was looking for a way to remove malware from his family’s shared computer. After looking through a variety of message boards with volunteer “superheroes”, he found plenty of antiviral programs but little resources for malware. Teaching himself how to program, he developed software that was initially geared towards consumers, but then also leaned towards enterprise solutions. Those efforts grew into the Chicago-based company Malwarebytes, focusing on half consumer and half enterprise solutions.
Later this morning, Marcin Kleczynski will present at Cyber Security Chicago. His presentation, titled Is the New Cybercriminal Mafia Winning? Recruitment, Retention and the Hire, focuses on a hiring gap around cybersecurity. As the event description states:
“… cybercriminals are taking notice and capitalizing on white hat shortcomings…(and) it’s becoming increasingly hard to hire the right people with the acumen, training and know-how to protect today’s enterprises from security threats”
As Marcin explained to me, there is a scarcity of “white hat” professionals since universities are not graduating enough trained talent. Many larger business organizations are poaching talent from smaller organizations resulting in some security tasks being outsourced. This scarcity of trained professionals is becoming a growing threat and many larger companies (like Amazon) will pay double for such talent. An ethical dilemma also arises: if someone can earn greater income working as a “black hat” professional, why not?
Without “white hat” professionals, data breaches have a negative impact on both the reputation of companies with their customers as well as compromising customer data. Although customers are impacted through possible identity theft, we are trending quickly towards potential infrastructure attacks such as airlines and nuclear power. (To paraphrase Marcin Kleczynski, the first death due to a cybersecurity issue is near). This gap in cybersecurity hiring is more difficult for nonprofits and social enterprise organizations since they are challenged to invest in hiring talent. Smaller businesses have a more difficult challenge in attracting and retaining such talent.
But for job seekers or people seeking to transition, there are a great number of resources and approaches. Various certifications, programs, and books can aid those already working in information technology. For those who are looking to enter the field as a potential “white hat”, having IT and engineering skills are important, but communication is also critical. (We’ll talk more about that tomorrow). Potential cybersecurity issues are not only a technical issue but a communication issue, and the ability to communicate and manage change can enhance a professional’s status as a “security organism”.
However, finding the right “white hat” professional is also a challenge for many organizations because they may not know what they need. Many organizations usually react rather than proact, and may not invest in data security until it impacts them directly. In order to determine their needs, Marcin suggested that organizations take on a philosophy of “defensive pessimism”. One of the examples Marcin Kleczynski sited was a large company that took proactive steps in preparing for a data breach which included
- Creating a wide variety of “what if” scenarios that could occur;
- Scoping out the cost and impact of these scenarios on their organizations;
- Running these scenarios and determining how the company would respond; and
- Implementing appropriate changes
Many organizations can take simple measures to avoid breaches even without planning. These include
- Downloading and installing appropriate software patches;
- Regularly using antivirus software;
- Never reusing passwords; and
- Regularly backing up data
Despite the hiring gap, there are various measures which job seekers and organizations can adopt simple cybersecurity measures. One skill, however, has been highlighted for “white hat” IT professionals – communication.
Tomorrow’s Cyber Security Chicago post will focus on how organizations can communicate data security issues more effectively.
Until then, please feel free to leave comments below. You are also more than welcome to join the conversation on our Facebook page. If you wish to contact me directly, please do so via this online form.
And thanks for reading!
Cyber Security Chicago: Preview With David Juniper
Last year, I was fortunate enough to earn complimentary press credentials for Cyber Security Chicago. With its focus on technology and cybersecurity, it was a great opportunity to learn about the field for the blog…and although I could only attend a single day, I wanted to return. Fortunately, I was able to acquire press credentials (as well as access to several presenters which I will be blogging about in the next few days), but one question remained on mind…
Why hold a cybersecurity conference in Chicago?
To get that answer, I spoke with David Juniper, Director of Events at Cyber Security Chicago. Not only did he provide great context for how the conference came to Chicago but provided a slight preview of what attendees can expect.
Examining the technology landscape and increasing news of data breaches, the organizers of Cyber Security Chicago sought out many cities and regions that could most benefit from such a conference. With its growing tech scene, Chicago made an ideal site for one of the conferences (with other cities like Atlanta hosting a similar conference) and providing a more creative alternative than the usual East Coast/West Coast/Las Vegas sites. Rather than focus on an overarching theme, Cyber Security Chicago focuses on a wide variety of topics related to data security and safety. (This year, various topics will focus on protecting businesses, issues around artificial intelligence and blockchain, and how machine learning might impact the future of cybersecurity).
One of the main advantages of attending Cyber Security Chicago is the accessibility of the material. For nonprofit/social enterprise professionals (and volunteers) who are interested and/or work directly with data, the conference provides multiple avenues for understanding. (Thankfully, Cyber Security Chicago was well attended last year, and this year content theaters will be larger to accommodate more attendees.) With a wide variety of presenters and vendors, Cyber Security Chicago provides a unique entry into how organizations can approach cybersecurity.
What’s extremely important, though, is that Cyber Security Chicago wants this to become a premier event for the city. With its numerous amenities and thriving tech scene, Chicago is an ideal site for the conference where Cyber Security Chicago can reach the greatest number of individuals who have a stake in information technology. With its wide array of topics and ease of understanding, Cyber Security Chicago provides an excellent opportunity for professionals to learn more about cybersecurity issues and network with other like-minded individuals.
But don’t worry – there are more highlights to come via this blog.
If you have comments or questions, please feel free to leave them below. You’re more than welcome to join the conversation on our Facebook page.
Please join us tomorrow for our focus on one of the presenters at Cyber Security Chicago.
Meet Your Neighbor: WITS Chicago
(Special thanks to Brenda Langstraat of WITS Chicago for her time and insight)
At a time when immediacy and brevity of digital and social media drive our discourse, literacy can be easily dismissed…but the volunteers and staff of WITS Chicago work hard to promote a love of reading – and literacy – in Chicago youth. I had the opportunity to speak at length with Brenda Langstraat, CEO of WITS Chicago, to discuss their work and how they are making a positive impact on the city.
Founded 27 years ago, WITS Chicago partners with Chicago Public Schools to connect with students to foster a love of reading and learning. With an extremely large volunteer corps over 1500 literacy mentors, WITS Chicago merged with a school literacy development professional development program for teachers four years ago. As a result, WITS Chicago has a unique model that not only encourages one-on-one reading in youth but also fosters the idea of teachers as “microcosm librarians” in their classroom. Working in 90 schools, WITS Chicago has the largest imprint in the CPS system. Teachers are not only free to develop best practices but also mentor each other and transform the classroom into an ideal place to drive literate activities.
Brenda Langstraat
CEO of WITS Chicago
(Since WITS Chicago is privately funded, they are relatively immune to budget cuts since they do not charge for their services)
Located in the Literacenter in the West Loop, WITS Chicago runs two primary programs: a year-long program focusing on kindergarten through eighth grade (focusing on reading) and a summer program focused on pre-kindergarten youth (focused on classroom readiness). Most WITS Chicago mentors come from the corporate sector, with 70 corporations providing both financial and volunteer support for WITS Chicago’s efforts. Whether heading to school during class to work with third graders or seeing fourth through eighth graders during afterschool programs, corporate volunteers become civic-minded to the point where their employers “adopt” schools (much like Chicago Charity Challenge participants “adopt” nonprofits). Combined with the search for financial resources, WITS Chicago maintains a consistent effort to foster literacy and reading skills in Chicago Public School students.
But what makes WITS Chicago unique is its philosophy, which Ms. Langstraat summarized in a single phrase:
“Literacy leads to equity”
As Ms. Langstraat emphasized throughout our conversation, becoming literate is a community activity since books act as a kind of social/emotional capital. “Being literate,” Ms. Langstraat explained, “is not to be in isolation“. With increasing questions about libraries being relevant in the digital age, WITS Chicago promotes the idea that literacy – like digital excellence – is a human right that has increasing relevance in modern times. Literacy helps individuals process information more efficiently and allows them to understand and perceive their usefulness. Through their mission, WITS Chicago works to strengthen literacy skills in Chicago’s youth.
And WITS Chicago is not alone in that idea – their work with Chicago Public Schools (especially with CEO Janice K. Jackson) shows a strong commitment to fostering community ties and bolstering the idea that literacy is not just a social issue, but also a public safety and public health issue. (After all, literacy allows people to develop and understand empathy and a greater connection to the outside world). Like Chicago’s public libraries, schools are anchor institutions which provide a great number of opportunities to build and strengthen communities in our neighborhoods. (Ms. Langstraat cited Commissioner & Chief Brian Bannon’s innovative approach which sees the library system as a community hub, as well as CPL’s reputation as the best library system in the nation and the third best in the world). As a member of the Chicago Literacy Alliance, WITS Chicago engages in its philosophy of literacy fostering community.
WITS Chicago is more than just an organization or an institution; it is a movement of educators, volunteers, and other concerned individuals supporting communities by collaborating towards fostering and providing the skills that Chicago area students need. On November 3rd, WITS Chicago will hold its annual Blackboard Affair fundraiser from 5:30 to 11:30 pm at Revel Fulton Market to fund its efforts.
When it comes to promoting literacy, WITS Chicago is seeing huge returns on investment…and if you wish to donate your time or other resources, reach out. They’re doing good work.
Comments? Questions? Please feel free to leave them below. Join the conversation on our Facebook page.
And as always, thanks for reading.
One Cause At a Time - Archive 