Sharks are in the water for our data! Are you worried?

Earlier this year, I attended a Security Summit here in Seattle. There was a statistic cited that placed Cyber Security and Privacy Policy in the top three concerns for CEOs in America. PwC cited this statistic in its recent 2019 CEO Survey (2). Also, only 38% of the CEOs surveyed felt comfortable with their respective Cyber Security posture.

I know when I formed my first Security Program Office in the early 2000s, I never observed security and/or privacy on the list of my peers and top leaders of the organizations. However, today security has become top of mind. Many leaders are now worried about their respective jobs as well as their companies’ reputation.

Unfortunately, at Ascension, we have leaders calling us after such a breach or security incident has happened. It is difficult to watch CxOs asking themselves, “What happened? Why did I get targeted?” Assessment is the first step to preventing this situation.

Feel free to comment: “Are you worried about CyberSecurity?”

Please do not give company or personal specifics, unless you wish to call me.

Have a great day! Paul Scott

Citations:

(2) PricewaterhouseCoopers (2019). US CEO agenda 2019. Retrieved from https://www.pwc.com/us/en/library/ceo-agenda/ceo-survey.html

Seattle employee at the center of major Data Breach

Copy of Complaint Header filed July 27, 2019

This morning over a cup of coffee, I was gazing at the front page of my Wall Street Journal, casually scanning the stories. Something caught my eye: the Wall Street Journal stated that a Seattleite is at the center of a major Data Breach. Here from Seattle, a former Amazon employee has been arrested in connection with the Capital One Breach affecting 106 Million Card Applicants. Wow!

Estimating the cost to the company at the typical rate of at least $100 to $150 per user, it is easy to estimate that the initial cost to Capital One will be well over $100M, and most likely upward of $200M, once you factor in all the internal remediation and legal costs that are never recovered by any company.

CyberSecurity seems like an impossible task. I will grant you that it is not an easy task; but I will say that focus and diligence are our best tactic so far. We cannot hide our faces in the sand anymore. We must confront these issues and do our best to protect both our companies’ information as well as our customers’ data. I believe we should all ponder how to become more secure and act accordingly in an expeditious fashion. This wordgram may help you ponder and reflect on this issue.

At Ascension, we are working to ensure that we and our clients are protecting both corporate and individual data. Again, I think we need to ask ourselves, are we doing enough to protect customer and/or business information? Ponder this question and feel free to comment. Thank you.

CyberSecurity – The next 9/11?

We see many new clients that have to deal with cybersecurity breaches and/or issues of non-compliance with security standards. Today, I was reading about CEOs’ concerns that cybersecurity may be the “biggest threat to the world’s economy.” I believe they are correct. CNBC article: Cybersecurity is the biggest threat to the world economy over the next decade, CEOs say

Unfortunately, many firms still have not realized the benefits of CyberSecurity Standards. These standards are not a foolproof remedy for breaches; however, they are the best defense companies have to protect themselves. To summarize, companies need to consider standards and procedures for:

  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management Strategy
  • Supply Chain Risk Management
  • Identity Management, Authentication and Access Control
  • Awareness and Training
  • Data Security
  • Information Protection Processes and Procedures
  • Maintenance
  • Protective Technology
  • Anomalies and Events
  • Security Continuous Monitoring
  • Detection Processes
  • Response & Analysis
  • Mitigation
  • Improvements
  • Recovery Planning
  • Improvements
  • Communications

Paul Scott, CEO Ascension

Infrastructure

Now that the 2018 elections are over (well except Florida), leaders in both political parties are looking for legislation they can pass to show their constituents positive accomplishments.  Setting aside rancor between Democrats and Republicans, the two topics where both sides agree something can and must be done are infrastructure and the opioid crisis.  Improving our nation’s infrastructure is sorely needed.  The American Society of Civil Engineers (ASCE) 2017 Report Card gives the United States an overall grade of D+.  Repairing transportation, water systems, and schools should be at the top of the list, but upgrading our infrastructure is also an investment in the future.  The Dwight D. Eisenhower National System of Interstate and Defense Highways (AKA Interstate Highway System) is the most famous example of this type of infrastructure investment project.

What type of project can we invest our infrastructure dollars to improve connectivity in the United States, like the Interstate Highway System?

The program that immediately comes to mind is Connected Cities (AKA Smart Cities).  The parallels between the Interstate Highway System and Connected Cities are obvious, which makes this an ideal infrastructure project.  The Interstate Highway System brought together a disparate and inefficient road system and built an interconnected network.  This is exactly the same goal as Connected Cities, bringing together disparate and inefficient networks to function together.  The highway system also brought people together by facilitating travel across the country, which is the purpose of Connected Cities, to connect people.

How can Connected Cities infrastructure projects improve safety, commerce, and quality of life?

Another parallel between the two projects is public safety and security.  The Interstate Highway System was also designed as a Strategic Highway Network to facilitate troop mobility to air and sea ports.  Connected Cities contribute to public safety and security by providing early warning for disasters.  The California Department of Forestry and Fire Protection determined that at least 17 of the 21 recent major fires in Northern California were caused by power lines, poles and other equipment.  (CAL FIRE)  One of the features of Connected Cities is placing sensors on light fixtures to detect fires and seismic activity, which would immediately alert firefighters and enable them to suppress forest fires much more quickly and easily.

Connected Cities can also make everyday life easier by tying networks together.  Before the Interstate Highway System, navigating roads in the United States was difficult; every state had a different numbering system.  Today, navigating through the various municipal and state government networks is very difficult.  You must have different accounts and logins for the DMV, voter registration, taxes, etc.  The concept of Information City, which is part of Connected Cities, will develop technology and communications to bring together social, economic, and government networks.

We are at a precipice for emerging transportation technology, which means municipalities will soon have to develop revolutionary solutions to control traffic.  Autonomous automobiles are on the horizon and the proliferation of drones makes this a three-dimensional problem.  Connected Cities will have a great advantage by integrating sensors to control traffic and communicate with autonomous vehicles.

The United States will have to address our infrastructure challenges.  This is a great opportunity to not only repair our roads and bridges, but also make fundamental improvements on public safety, commerce, and quality of life for the future.  Ascension Technology Group is a leader in technology solutions for municipalities to help their citizens navigate through a complex network of services.  The fundamental concept of Connected Cities is knowledge-based urban development.  Now is the time to integrate infrastructure investments with the development of Smart Cities.


California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) was passed on June 28, 2018.  The CCPA grants consumers the right to request that businesses disclose the personal information they collect about consumers, its sources, and the purposes for which it is collected.  It also enables consumers to learn what information is shared with and sold to third parties.  The California legislature passed the bill in a relatively short period of time, largely because of an impending resolution that would have placed the issue on the ballot in the upcoming election on November 6, 2018.  The CCPA is often compared to the European Union’s General Data Protection Regulation (GDPR), which took effect earlier this year.  One major difference between the two laws is that the GDPR has an opt-in clause, while the CCPA has an opt-out clause, which means companies doing business in the EU must give citizens the option of allowing personal information to be collected, whereas citizens in California must request that businesses delete personal information.  Regardless of the differences, these privacy laws are going to profoundly impact the way businesses handle information about consumers.

The clock is now ticking for the CCPA as the law takes effect on January 1, 2020.  One of the lessons learned from the GDPR is that once the ball drops on New Year’s Eve 2020, there will be advocates waiting to pounce on businesses that do not comply with the CCPA.  The European Center for Digital Rights filed lawsuits against Google and Facebook (as well as Facebook subsidiaries WhatsApp and Instagram) on the first day the GDPR became law.  The potential fines could total €7 billion.  (NOYB)  Although the California law does not place a fine on businesses based on a percentage of total annual global revenue (like the GDPR), it can fine a company up to $750 per incident, so a company with millions of customers could potentially face fines in the hundreds of millions of dollars.

The CCPA requires businesses to establish at least two communications methods (most likely website and telephone) for consumers to contact the company to request what personal information the company has about them and how to opt out.  Interestingly, the law does not require a consumer to establish an account with the company before opting out.  Therefore, even if a business does not have an account with a consumer, it is still responsible for protecting the privacy of citizens who are not customers.  So, if a consumer signs on to a company website to shop but never buys anything, and the company collects personal information, the company must comply with the CCPA.

The CCPA does give businesses some leeway in collecting personal information.  After all, companies must collect personal information to conduct business transactions and maintain security.  Businesses still have a need to collect consumer information for marketing and research.  The CCPA allows businesses to collect and retain consumer data by pseudonymizing or de-identifying personal information.  In other words, privacy is maintained because the consumers’ data is not identifiable to a specific person.  However, pseudonymization and de-identification must be a one-way process.  This is a very important point: companies cannot have the ability to collect information, put it into an anonymizing database and then be able to reconstruct the personal information.
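To make the one-way requirement concrete, here is an added example (not code from the original post or from Ascension) contrasting a reversible token table, which can reconstruct the personal information, with a keyed one-way hash that cannot. The records, the secret key and the choice of HMAC-SHA256 are assumptions for illustration; the CCPA itself does not prescribe a method.

```python
import hashlib
import hmac
import secrets

# Constructed sample consumer records (not real people).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "zip": "94016", "purchases": 3},
    {"email": "bob@example.com", "zip": "98101", "purchases": 1},
    {"email": "Alice@Example.com", "zip": "94016", "purchases": 2},
]


class ReversiblePseudonymizer:
    """The pattern the post warns against: tokens live in a lookup table,
    so anyone holding the table can rebuild the personal information."""

    def __init__(self):
        self._pii_to_token = {}
        self._token_to_pii = {}

    def tokenize(self, email):
        key = email.strip().lower()
        if key not in self._pii_to_token:
            token = secrets.token_hex(8)
            self._pii_to_token[key] = token
            self._token_to_pii[token] = key
        return self._pii_to_token[key]

    def reidentify(self, token):
        # This reverse path is exactly what must not exist under the CCPA.
        return self._token_to_pii[token]


class OneWayPseudonymizer:
    """Keyed hash (HMAC-SHA256, an assumed choice). The same email always
    yields the same token, so analytics can still count repeat consumers,
    but nothing turns a token back into an email. Keep the key out of the
    analytics environment: a key holder can re-derive tokens from known
    emails, though never the reverse."""

    def __init__(self, key: bytes):
        self._key = key

    def tokenize(self, email):
        normalized = email.strip().lower().encode("utf-8")
        return hmac.new(self._key, normalized, hashlib.sha256).hexdigest()


def deidentify(records, pseudonymizer):
    """Replace the direct identifier with a token and coarsen ZIP to three
    digits, returning rows that are safe to hand to the analytics store."""
    return [
        {
            "token": pseudonymizer.tokenize(rec["email"]),
            "zip3": rec["zip"][:3],
            "purchases": rec["purchases"],
        }
        for rec in records
    ]


def purchases_per_consumer(deidentified):
    """Analytics that still works on pseudonymized rows."""
    totals = {}
    for rec in deidentified:
        totals[rec["token"]] = totals.get(rec["token"], 0) + rec["purchases"]
    return totals


def has_direct_identifiers(rows):
    """Export guard: no row may still carry the email field."""
    return any("email" in row for row in rows)
```

Run `deidentify(SAMPLE_RECORDS, OneWayPseudonymizer(key))` and note that the class has no reidentify method at all, whereas `ReversiblePseudonymizer.reidentify` returns the original email from its token.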

The CCPA presents new challenges for businesses to protect personal information.  This law of course does not stop at the California border; it impacts commerce across the United States.  Ascension Technical Group has experience in maintaining privacy and security for businesses and consumers and we would like to help your company prepare for the new privacy law standards that are long overdue.


"The appearance of U.S. Department of Defense (DoD) visual information does not imply or constitute DoD endorsement."

Change Management in Rapidly Changing Business Cycles

One of the toughest jobs I had in the military was the Chief of Current Intelligence Operations at U.S. Central Command (CENTCOM).  I was responsible for managing all intelligence forces in the CENTCOM area of responsibility (AOR), but specifically I orchestrated deployments of tens of thousands of intelligence personnel to Afghanistan, Iraq, and the Horn of Africa between 2006 and 2010.  This was a period of heavy insurgency and piracy activity in the AOR.  President Bush and Congress authorized surge operations in the region to defeat the Taliban, al Qaeda, and Somali pirate threats, which meant a rapid increase in requirements for intelligence forces throughout the region.  I distinctly remember the initial reaction from leaders on the ground: give us more troops.  However, they did not define the capabilities they needed.  There are of course a finite number of intelligence airmen, marines, sailors, and soldiers in the military, and CENTCOM already had the bulk of intelligence resources since 9/11.  Moreover, counterinsurgency operations were fluctuating in Iraq and Afghanistan, which meant commanders on the ground in Operations Iraqi Freedom (Iraq) and Enduring Freedom (Afghanistan), as well as Navy commanders in Operation Ocean Shield (Somalia), were arguing for the same resources.  The challenge was to find practical means to source requirements during a period of immense and rapid expansion, with competing internal requirements.

Perhaps the most practical solution we devised was to use unit sourcing to fill requirements.  Instead of trying to provide scores of individual teams, we could provide a battalion- or brigade-size unit to satisfy the commanders’ needs.  Even though an intelligence battalion is much larger, it was a win-win-win solution because ground commanders had a unit they could command and control, the battalion/brigade commanders could much more easily prepare their units for deployment, and the force providers could write orders for whole units, instead of trying to fill hundreds of four- or five-soldier teams.

In times of rapid expansion, business leaders are faced with similar dilemmas.  They face tough decisions about where to expand their business operations while trying to balance internal competing opportunities.  One solution may be to outsource a requirement to another company that already has the full capability to get the job done. This is very similar to our methodology at CENTCOM of trying to find a unit sourcing solution.  There are several advantages to this approach, such as rapidly standing up a new capability, reducing the internal disruption, and having the ability to set limits on the time commitment to a new project.  However, the cost may of course be higher.

Another big dilemma in change management during rapidly changing business cycles is balancing competing requirements.  We all want to hire strong leaders who have a desire to succeed.  When business owners have competing, passionate leaders, who believe their own project is the key to success for the company, it is very difficult to choose one course of action over another, especially when emotions run high, which invariably they will.  This may seem counterintuitive, but while we were trying to satisfy competing requirements at CENTCOM we resisted the strong push to set priorities between the competing commands in Iraq and Afghanistan.  We did not do this for two reasons.  First, we knew if we set priorities the force providers would not source all our requirements and might only provide troops for 70-80% of our needs.  Second and more importantly, if we set priorities for one command over another, we would lose the neutral decision-making authority to evaluate requirements.  Leadership in business is usually all about setting priorities, but sometimes you must let the competing parties fight it out and allow the team that makes the best argument to win the case.  In these situations, the role of business leaders must be to ensure a level playing field.

At Ascension, we can be your trusted, independent advisors to help you make tough change management decisions.  We can help set up the ground rules to have a fair and impartial decision-making process.

‘Caveat Emptor – Buyer Beware’ 50 Million accounts exposed…

As I began to read numerous news feeds and reports regarding Facebook’s apparent hack of over 50 million user accounts, I remembered an insightful debate in my graduate Business Law class, years ago.  I vaguely recall my law professor contemptuously pontificating that Caveat Emptor should be applied to all business, not just between buyer and seller; rather, “everyone should be skeptical” in all manner of business.

With that memory prominent in my thoughts, I became very concerned regarding the clear use of Facebook content by social engineers to profile subjects: you and me.  Over 50 million pseudo-psychological blueprints of our behaviors (likes, “un”-likes, visual photography and many more artifacts) are directly tied to us.  A mother, child, father, friend: pick your own labels; most all apply to this situation.

Then a second question began to surface, which led me down the road of how Facebook’s authentication system works.  Could it be fully breached?  Does anyone really know how many third-party applications use the Facebook authentication system for access?  I know of many... but how many?  Let’s just say, a lot!

Where does this road end?  I’m not a big Facebook user; however, I use it to keep up with a few friends.  We all know that a majority of users, over the years, have shared and accumulated a considerable amount of personal information and actual behaviors on Facebook.

This specific situation may have a significant impact on businesses, because these users, these persons, are employees: employees with access to the crown jewels of our businesses.

I think my professor was correct: “Omnis Cave – Everyone beware.”*

Please feel free to comment and/or contact me to discuss.

Paul Scott

 

*Google Latin translator.

Scaling Cybersecurity for Smaller Organizations

When hackers successfully breach large organizations, such as the U.S. Office of Personnel Management or Sony Pictures, and steal massive amounts of data, it quickly becomes front page news.  Therefore, multinational companies spend millions of dollars and hire thousands of security professionals to protect their networks and information.  However, it is a common misperception to believe the threat is greater to larger businesses because cybercriminals can get more information from these sources.  In fact, almost 60 percent of all cyber-attacks are directed against small businesses, according to Verizon’s 2018 Data Breach Investigations Report.  Hostile cyber actors, whether they are criminal organizations, insider threats, or industrial espionage agents, look for what they perceive to be softer targets.  Small businesses have limited resources to devote to network security.  So, how can a medium to small company or organization protect its intellectual property?

Well, the simple answer to that question is risk management, but of course that is easier said than done.  There are several risk management formulas to calculate risk, such as:

Threat x Vulnerability = Risk

Probability x Loss = Risk

(Threat + Vulnerability) – Mitigation = Calculated Risk

Throughout my 37-year Army career, I have used many variations of these models and each methodology can be effective.  However, almost universally, the risk management strategy gets bogged down because the right people or stakeholders are not involved in the assessment process.  Typically, a single staff officer would write the risk management strategy for the entire organization or enterprise.  Vice versa, in some situations everyone would try to play a part in the process to protect their own interests, without adhering to the bigger picture.  Therefore, decision makers would not have trust in the risk management process or strategy.

At Ascension Technical Group we can help your organization develop a tailored and cost-effective risk mitigation strategy to help protect your intellectual property.  More importantly, we can also help establish and implement lasting risk mitigation processes, which will enable your company to adapt to both changes in your business and counter emerging cyber threats.

Verizon Research Report, 2018 Data Breach Investigations Report, accessed September 12, 2018. 

"The appearance of U.S. Department of Defense (DoD) visual information does not imply or constitute DoD endorsement."

All I Really Needed to Know (about Project Management) I Learned in Ranger School

Agile, Scrum, PMP, Lean Six Sigma, Gantt Charts, PERT Diagrams, TQM, and MDMP are a few of the project management techniques I have learned and used in the Army.  Each of them has helped me solve a myriad of complex and challenging problems.  Nevertheless, I learned more about preparing and completing a mission (project) during Ranger School than any other time in the Army.

Leadership.  The first line in the Ranger Handbook states, “Leadership is the most important element of combat power.”  If you ask any soldier who has completed Ranger School, they will tell you fundamentally, it’s about leadership.  Similarly, the first and most important interpersonal skill required for a successful project manager is leadership, according to the Project Management Institute.

Troop Leading Procedures.  Time is unequivocally the most important commodity in Ranger School.  There was so much training and activity jammed into the 60-day Ranger School that I do not recall getting more than four hours of sleep in a single day; usually we were lucky to get two hours, and sometimes we went 48 hours straight without sleep.  Therefore, effective time management is essential, and Ranger School teaches troop leading procedures to help leaders prepare their unit to accomplish a mission.  Time management is a principal component of project management.  Defining activities and developing the schedule are key project management tasks.  Above all, the project manager must tightly control the schedule, much like the patrol leader must control the troop leading procedures.

Battle Drills.  In Ranger School we learned battle drills to react to commonly established situations.  The lesson here is that project managers can use common Knowledge Areas that are used on most projects most of the time.  Project management uses well-established processes to help project managers complete their projects.  While there are several types of process groups, it is important to select the appropriate processes required to meet the project objectives.

Ascension has the experience to help improve your organization’s project management procedures.