Friday, November 29, 2024

Customer Retention After A Security Breach: 3 Golden Tips

 


I have written many times about the need for Incident Response (IR), Disaster Recovery (DR), and Business Continuity (BC) Plans.  A lot of confusion still exists among these three, so here is a brief differentiator between them:

IR:  This is a plan that has been created to immediately put out the fires from a threat variant that has just been discovered and is actively causing harm to the business.

DR:  This is a plan to restore the mission-critical operations after a business has been hit by the threat variant.

BC:  This is a plan that details how the business will come back to a sense of normalcy over the long term, after it has been impacted by a security breach.

Many CISOs did not fully realize the importance of these plans until the COVID-19 pandemic hit.  But of course, back then nobody ever predicted that we would have a 99% remote workforce.  So, you might be wondering why I am mentioning all of this.  Well, think about it.  The common theme here is not only containing a security breach but dealing with its aftereffects.

And one of the greatest impacts of all of this will be felt by your customer.  Unless they are extremely loyal to you, the chances are that they will stop doing business with you and go to your competitor.  To a business owner this of course does not seem fair, but to the customer, their valuable PII datasets have been stolen, and of course they will go somewhere else where they feel that their data will be protected better.

To this extent, the only thing businesses do other than notifying customers about the security breach is to offer free credit monitoring for a period of up to one year.  Whenever I wrote about this, I always wondered: can’t more be done?  Well, this morning, I came across an article that addresses this very issue.  Here are some of its thoughts:

1)     Go beyond the norm:

By this, I mean that a business should do more than simply Penetration Testing, Vulnerability Scanning, and Threat Hunting.  While these are great exercises, another vehicle that should be explored is the use of Bug Bounty programs.  With this, you are holding a contest and inviting people to find the gaps and vulnerabilities in your applications, whether they are hardware or software based.  Whoever finds them and offers the best solution for remediation is then awarded a cash prize.  But there is one caveat here:  you must be careful about whom you invite.  For instance, some of the worst of the breed can apply, especially Black Hat hackers.  This kind of program can prove to be beneficial, as it takes the bias out of finding those gaps and weaknesses.

2)     Quick reporting:

If a business has been impacted by a security breach, it is their fiduciary responsibility to alert not only their customers but other relevant key stakeholders as well.  But this must be done quickly, within hours, not days or weeks.  The problem here is that many businesses now resort to social media to let people know what has happened.  But given this era of disinformation, it is hard to know what is real and what is not.  Another option would be to place immediate phone calls and text messages, but with Robocalls and Phishing-based SMS messages, once again it is hard to discern reality.  In this regard, the best option would be to send a letter out via snail mail.  Or, the business could hire a PR team and let them professionally handle notifying the customers and key stakeholders.

3)     Offer more tools:

The business should also offer something more, like a free license to a Password Manager.  But of course, much more must be done here; for example, the IT Security team will need to train the customers in how to effectively use it to secure their passwords.  To me, this sends a powerful message that despite what happened, you are trying to make amends with them.  The author of the article even mentioned giving a small financial compensation, such as $200.00 or so.  But to me, this serves no purpose whatsoever.  First, this amount is paltry compared to what the real damage will be if their PII datasets have indeed been heisted, and second, paying people off can in the end seem pretty offensive.

My Thoughts on This:

It has been cited that security breaches have spiked up as much as 78% since 2023 (SOURCE:  We Can Do Better Than Free Credit Monitoring After a Breach).  Therefore, doing more to help the customer after the fact is going to be of paramount importance.  As the old proverb goes: “It can take months to get a new customer, but only seconds to lose one”. 

Probably the best way to avoid this scenario is to make sure not only that you and your IT Security team have those plans in place (as reviewed in the beginning), but that they are rehearsed on a regular schedule and updated with the lessons learned from each practice run.

Thursday, November 28, 2024

In The Face Of National Division, We Must Be United For Cybersecurity

 


I have always held one philosophy when writing my blogs:  I never try to get political, and with Cyber, it can very easily get that way.  But over the last couple of weeks, as I watch the live newsfeeds from CBS, NBC, and ABC, not just me but everybody around the world is hearing about the deep cuts that the next administration wants to make, and yes, although I don’t think it is all going to happen, just hearing about it is scary.

Yes, our Federal Government is extremely bureaucratic and slow to get things done, and in some ways, I applaud the efforts that are being thought of.  But going to extremes and threatening people is not the way to go about it.  We need to be a United States that can come together and heal our divisions.  In my lifetime, I have never seen anything like this; nobody has.

But one thing that has not been mentioned at all (and this is good news) is that there has been no talk about slashing Cybersecurity budgets.  Although there is no centralized department for this, there are a lot of agencies scattered here and there.

Some typical examples of these include the National Security Agency (NSA), the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA).  They are all devoted in some way to Cybersecurity and to making sure that threat intel is available to the public to keep us all informed.

One typical example of this is what is known as the National Vulnerability Database (NVD).  This was started back in 1999 by NIST.  While there are other threat intel tools out there, an incredibly unique feature of this one is that it has a huge repository of known IT software and hardware vulnerabilities, and even the signature profiles of known Cyberattackers.

While the average American may not care too much about this, it is an extremely valuable source of information for those people that participate in Penetration Testing, Threat Hunting, and doing Threat Research.

The NVD originally started out as a research project of sorts, and it grew quite a bit over time until February of this year, when NIST suddenly cut off the funding for it.  There was no warning for this, and of course, it upset the workflows of a lot of people in Cybersecurity.  Because of this, the Federal Government found some financing in its ever-complex budget, which brought the NVD back to life.

My Thoughts on This:

To begin with, the NVD was always underfunded by NIST.  Now, while there may be some areas of the Federal Government in which certain things can be let go, Cybersecurity is not one of them.  We need to fund agencies like NIST so that they can keep up with the valuable work they do in Cybersecurity.  Of course, Cybersecurity is always an underfunded initiative, especially in the private sector.

The common mentality here is that if a business has not been hit, it will never be hit.  This is far from the truth, because in the end, it will become a self-fulfilling prophecy.  Yes, money is needed to support Cybersecurity-related efforts and projects in order to keep the hackers at bay, but as a consultant, I often tell people this one simple fact of life:  the cost of recovering from a security breach will far outweigh the cost of deploying the right tools and technologies.

This is especially true for small businesses.  They have the same kind of thinking I just described, and if they do not take a proactive stance, the costs of recovery will make them go bankrupt.  Because of this, all the years of sweat, blood, and tears that they put into growing their business will totally evaporate in a very short period of time.

We are all prone to becoming a victim of a threat variant; nobody is ever 100% immune from it.  But the key is to take a proactive stance now to mitigate the risk of this happening to you personally, or even to your business.

This quote nicely sums this up: “The misalignment between policy objectives and funding is a recurring issue that compromises the effectiveness of national cybersecurity efforts.”

(SOURCE:  Presidential Transition Task Force).

While I hope and pray that all divisions in the United States will heal, until that does happen, we must now and forever stand united as a Great Nation when it comes to staying one step ahead of the Cyberattacker.


Sunday, November 17, 2024

8 Golden Ways To Combat The Cyber Risks Of Open Source Platforms

 


Back in the day, when I was a graduate student at BGSU, I also worked full time for the university in their computer services department.  While my job primarily involved advising faculty, staff, and students about which IBM or Apple computer they should buy, I also dealt a lot with the hardware side as well.  But the one thing that I was lacking was a knowledge of software.

But that problem was soon more or less solved when I met a fellow worker there.  He became one of my best friends until his untimely death.  His name was Dr. Morgan Deters, one of the sharpest and most intelligent people I have ever known.

He introduced me to what is known as Open-Source Software, especially in the way of Linux.  Although I did not get all of what he was saying (after all, he was a computer scientist), I did get that OSS has certain benefits over the Closed Source Platforms, such as Windows.

For example, I learned that it was free to use and distribute, and licensing was not an issue.  Also, you could collaborate with other people around the world in case you needed help with the coding.  Well, fast forward from back then, 1999, to the present, which is almost 2025.  Today, we are seeing the explosion of OSS being used everywhere, especially when it comes to creating mobile apps and web-based applications.

But because of this, security has been very much lacking.  Probably the best example of this is the use of APIs.  You may be wondering what an API is, but to keep things simple, it is the bridge between the backend (such as the database) and the front end (which is the Graphical User Interface [GUI]).

If one were to try to develop this kind of code on their own, it would take a long time to accomplish.  So the idea of the API is to have some baseline source code in it, so that the software developer can tweak it to their own requirements.  The primary benefit of this is that of time savings, especially when a project must be delivered to a customer.

But because of the Cyber Threat Landscape of today, software developers are under the gun to make their source code as secure as possible.  Even so, this is not done on a regular basis, either because they simply do not understand what Cybersecurity is all about, or because they just do not care.

Well, if you lead a team of software developers, here are some tips that you can employ to make sure that security is of topmost priority:

1)     Effective Communications:

No matter how large or small your team might be, instill an environment where open communication is fostered.  Let your software developers talk freely with one another about the separate modules that they are working on.  By taking this effort, you will also be eliminating the silos that software developers can feel comfortable working in.

2)     Have Documentation:

Even though software developers hate writing (at least from the ones I know of), keeping detailed notes as to how the source code is being developed, and most importantly tested is of paramount importance.  That way, if an issue ever develops, you will have a record that you can fall back on.  In a worst-case scenario, you can always hire a technical writer who has experience in APIs to collaborate with your team to create this documentation.

3)     Have Ownership:

By this, I mean hold each software developer both accountable and responsible for each source code module that they create.  In this regard, make sure that they are checking off the list of security items that they need to be testing for, and audit all of this.  If they fail to comply, then you need to ask them some serious questions as to why items were ignored.

4)     Be Proactive:

Although this can be a very subjective term depending on how you define it, when it comes to your software development team and using OSS, you must instill a sense amongst them that security is of topmost importance.  But as I have alluded to before, they simply may not understand just how important Cybersecurity is.  One of the best ways to resolve this is to hold training sessions to teach them about it.  Here are some topics to include:

•  Understanding the differences between a weakness, a vulnerability, and an exploit.

•  Explaining what a threat variant is, and the amount of damage it can cause, especially from a monetary standpoint.

•  Teaching about the tools that they can use to find the holes in their source code, such as Penetration Testing and Threat Hunting.

•  Also teaching them about the oldest threat variants and how they are still being used today, such as Phishing, SQL Injection Attacks, Trojan Horses, etc.

•  Explaining to your team the Cyber Risks that each kind of programming language brings to the table.

My Thoughts on This:

Some other, more technical ways in which you can make your software development team maintain a strong level of “Cyber Hygiene” as they use their OSS platforms and create the source code include:

•  Implement a DevSecOps Team:  This is an acronym that stands for “Development, Security, and Operations”.  You are taking members from each of these respective areas to make sure that the source code and APIs are as secure as possible before final delivery to the customer.  One of the greatest benefits of taking this kind of approach is that there will be more sets of eyes looking at the modules to make sure that the software development team is fully complying with the security requirements.

•  Teach your software developers how the customer will use the final product, and the risks the customer faces if a security breach occurs because of a flaw in the application that they have developed.  This is also called “Contextual Awareness”, and it can go a long way in conveying the huge risks that a threat variant can carry.

•  Consider using Generative AI as another means to check the security of the source code.  While this should not be relied on in its entirety, it can help with the automation of the more routine and mundane tasks that the software development team may face.

One of the major weaknesses in source code as it is being developed is that “Backdoors” are often left behind by the software developer.  This is a point of entry for the developer to get in and run the needed Quality Assurance (QA) checks.  Many times, these are forgotten about, and this leaves an extremely easy spot for the Cyberattacker to sneak into and stay in covertly for extended periods of time.  These also need to be checked for.
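One practical way to check for those leftover QA entry points is a lightweight static scan that runs in CI and fails the build on any hit. The script below is an added example written for this post, not code from the original article; the patterns and the sample module it scans are constructed for illustration (the rule names, the `SAMPLE_MODULE` contents and the route/credential shapes are all hypothetical), and a real review would tune the patterns to the code base and its frameworks.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    text: str


# Hypothetical patterns for leftover QA/debug entry points (constructed for
# this example; tune to your own code base and frameworks).
RULES = {
    # credential literal assigned in code (the (?!=) excludes comparisons like ==)
    "hardcoded-credential": re.compile(
        r"(?i)(password|passwd|secret|api_key|token)\s*=(?!=)\s*['\"][^'\"]{4,}['\"]"),
    # login check that succeeds for a magic QA/test user name
    "magic-value-login": re.compile(
        r"(?i)(user(name)?|login)\s*==\s*['\"](qa|test|debug|backdoor)\w*['\"]"),
    # one-line conditional that short-circuits auth when a debug/test flag is set
    "debug-auth-bypass": re.compile(
        r"(?i)\bif\b.*\b(debug|qa|test)\w*\b.*\breturn\s+True\b"),
    # HTTP route that exposes a debug/QA handler
    "debug-endpoint": re.compile(
        r"(?i)@\w+\.route\(\s*['\"][^'\"]*(debug|qa|admin_backdoor)[^'\"]*['\"]"),
}


def scan_source(path: str, text: str) -> list[Finding]:
    """Return every line of `text` that matches one of RULES, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, line.strip()))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule; a CI gate can fail on any non-zero count."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample module (not real project code) showing the kinds of
# leftovers the post describes.
SAMPLE_MODULE = '''\
import os

QA_PASSWORD = "letmein-qa-2024"   # left in place for the QA run

def authenticate(username, password):
    if username == "qa_admin":    # skips the real check during QA
        return True
    if os.environ.get("DEBUG") and password == "x": return True
    return check_db(username, password)

@app.route("/internal/debug_dump")
def debug_dump():
    return dump_all_tables()
'''


if __name__ == "__main__":
    hits = scan_source("sample.py", SAMPLE_MODULE)
    for f in hits:
        print(f"{f.path}:{f.line} [{f.rule}] {f.text}")
    print(summarize(hits))
```

Run against the constructed module, the scan reports four lines: the hard-coded QA password, the magic user name, the debug-flag bypass, and the debug route. Pattern matching like this is only a first pass (it will miss anything obfuscated and will produce some false positives), so the findings belong in the code review checklist from tip 3 rather than being treated as a complete answer.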

Sunday, November 10, 2024

Beware Of That IoT Device You Are Going To Give As A Gift!!!

 


As we fast track now into Thanksgiving and the Holidays, gift giving is going to be the norm yet once again.  To me, I think it should be plain and simple, and luckily for me, most of my close friends are happy with getting a nice gift card to their favorite restaurant. 

But for many other people, and especially families with kids, electronic items seem to be the premier choice for gifts.

While this may be nice, there is one thing you need to take into serious consideration.  And that is the Cybersecurity built into the electronic item that you are giving.  A long time ago this was an unheard-of thought, but nowadays, you must be careful.

One such instance in which you need to pay incredibly careful attention to is when you give a gift that falls under the realm of the “Internet of Things”, also known as “IoT” for short.  While some of us have a general concept of what it is, here is a technical definition of it for those who may not have heard of it:

“The Internet of Things (IoT) refers to a network of physical devices, vehicles, appliances, and other physical objects that are embedded with sensors, software, and network connectivity, allowing them to collect and share data.”

(SOURCE:  What is the Internet of Things (IoT)? | IBM)

Although the definition primarily refers to physical devices, it can also refer to virtual ones as well.  Probably one of the best examples of the IoT is what is called the “Smart Home”.  In this setup, all of your appliances (or just some of them) are interconnected.

So, when you get up in the morning, and want to start brewing that first cup of coffee, you can simply tell your digital assistant to do it, and it will start.

But despite these neat advantages, IoT devices, at least those used in the home environment, pose a number of Cyber risks, which are as follows:

•  If you have multiple IoT devices all connected, you are simply creating a large surface for the Cyberattacker to covertly penetrate.  Once they are in one device, they can quite easily move into the others as well, causing havoc in your home.

•  The network communications that IoT devices use are not encrypted.  They primarily use RFID transmissions, which can easily be hacked into with a simple network sniffer.

•  Any information or data that you have on your IoT devices is saved in plaintext.  Meaning, if you have your password stored on one of them, that is exactly how it will appear to the Cyberattacker after they get into it – your password will be in plain English.

•  Many of the vendors that manufacture IoT devices for the home typically do not take Cybersecurity into consideration in the design.  For instance, they often tell customers that simply relying on the default security settings is enough – which is a blatant lie.

•  Customers of IoT devices can easily fall prey to a scam – such as buying a fake product on Amazon or eBay.

But the good news here is that governments, including here in the United States, are stepping up to the plate in creating and enacting legislation intended to help protect consumers.  Some examples are as follows:

•  The passing of the Cyber Resilience Act by the European Union (EU).

•  The passing of the Cybersecurity Bill 2024 by Australia.

My Thoughts on This:

If you still decide to purchase an IoT device as a gift, consider these safety tips:

•  Make sure of the authenticity of the device you are buying.  Although it is quite tempting to get a cheaper one from Amazon or eBay, remember the adage that “you get what you pay for”.

•  If you decide to make this purchase online, make sure you do it on the ecommerce store of a reputable vendor.

•  Go through the Google reviews for those IoT devices you are interested in buying.

•  If possible, contact the vendor directly to see what kind of Cyber safeguards they have put into the device.  If you do not feel comfortable with what they are telling you, then that should be a huge red flag to avoid getting it altogether.

•  Once you have made that purchase, make sure to tell the person to whom you are giving it as a gift not to use the default settings, but rather to set the security to the highest thresholds possible.

•  Also, remind them of the need to download the relevant software patches, upgrades, and even firmware onto the device as they come out.

•  Remind them not to store personal data on the device.  If a Cyberattacker can get hold of it, it will be sold on the Dark Web or, worse yet, even be used in an extortion attack.

Just remember that in the end, trust your gut.  If something does not feel right, look for another IoT device that you are more comfortable with giving away as a gift. 

Cybersecurity, as it relates to the IoT, is not just confined to the home – it also has a strong bearing on the Critical Infrastructure as well.  But this will be examined in a future blog.

Sunday, November 3, 2024

The Next Great Cyber Threat In 2025: Interconnectivity

 


It is hard to believe that there are now only two months left in this year.  But as we approach December, this is the time that many Cybersecurity pundits start to predict what they think the big threat variants will be for 2025.

I usually hold off on making my predictions, until closer to the New Year.  But in this blog, I will give you a blatant hint as to what I think of the big issues will be for next year: the level of interconnectivity that exists in the world today.

One of the side effects of this is what are known as “Supply Chain Attacks”.  I have written about this before, but to refresh your memory, it can be technically defined as follows:

A supply chain attack uses third-party tools or services — collectively referred to as a ‘supply chain’ — to infiltrate a target’s system or network. These attacks are sometimes called “value-chain attacks” or “third-party attacks.”

(SOURCE:  What is a supply chain attack? | Cloudflare)

And as the definition points out, it is typically a mechanism used by a third-party supplier that is in turn used by the Cyberattacker to infect thousands of endpoints.  The best examples of these are the SolarWinds and CrowdStrike incidents.

They obviously have many customers, and of course they cannot update each one of their systems individually; it would simply take way too long.

So instead, both companies have created specialized platforms through which updates can be sent to all the customers in just one shot.  SolarWinds calls theirs “Orion”, and CrowdStrike calls theirs “Falcon”.

While this is an efficient process, the problem here is that if there is just one weakness in them, the Cyberattacker can easily insert a malicious payload through that point of entry, and from there it will be deployed all over the world in just a matter of minutes.

Yes, this is a very scary situation.  But it is also important to put things in perspective.  Of course, both companies should have kept checking their respective platforms.  The truth of the matter is, both situations simply illustrate just how fragile the infrastructure of the world has become.

And this is all due to the elevated level of connectivity that everything has with everything else.  But as we advance further in technology, especially with Generative AI, this level of connectivity is only going to expand and, in a manner of speaking, get worse.

The bottom line is that this is simply increasing the attack surface.  This can be easily compared with the defense perimeter a company has.  For instance, if they have too many network security devices from many different vendors, then of course their level of attack surface will be that much more proliferated.

So now you may very well be asking, how can you avoid this situation happening to your business?  Well, the bottom line is that we are all at risk of being impacted by a security breach.  The key takeaway here is how to mitigate or reduce that level of risk.  Here are some tips for you:

1)     Conduct a Risk Assessment:

Let us use the example I just set up.  If you know that you have too many network security tools, take inventory of exactly what you have.  From there, create a visualization of where they are all located.  If they are scattered all over the place, then try to consolidate them and place them strategically, where they are needed.  For instance, instead of using ten firewalls, try to condense that down to five or fewer.  Another key point to remember here is to try to procure any future security tools through just one or two vendors at most.

2)     Test the patches:

If your business relies upon someone like SolarWinds or CrowdStrike, do not have their updates deployed automatically into your production environment!!!  Instead, get the patches and test them in a sandbox-like environment first, to make sure that they will work with the systems that you already have in place.  This will also give you some extra time in case the vendor notices that there is a flaw in the updates they have sent over to you.  This will help you avoid what is known as a “Zero Day Attack”.
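The gate described in this tip has three parts: check that the update you received is the one the vendor actually published, hold it in a sandbox for a soak period so a vendor recall can still catch it, and promote it only after a test run against your own systems passes. The class below is an added example written for this post, not SolarWinds, CrowdStrike or any vendor's code; the update format, the `fake_smoke_test` stand-in for a sandbox install check, and the SHA-256 digest check against a vendor-published value are all constructed assumptions.

```python
import hashlib
from datetime import datetime, timedelta
from typing import Callable


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class StagedRollout:
    """Gate vendor updates: verify, stage in a sandbox, soak, then promote.

    `smoke_test` is a hypothetical callable that installs the update in the
    sandbox and returns True only if the existing systems still work with it.
    """

    def __init__(self, smoke_test: Callable[[bytes], bool],
                 soak: timedelta = timedelta(hours=24)):
        self.smoke_test = smoke_test
        self.soak = soak
        self.sandbox: dict[str, tuple[bytes, datetime]] = {}
        self.production: dict[str, bytes] = {}

    def receive(self, name: str, data: bytes, expected_sha256: str, now: datetime) -> str:
        """Accept an update into the sandbox only if its digest matches the one
        the vendor published out of band (assumed here: e.g. on an advisory page)."""
        if sha256_hex(data) != expected_sha256:
            return "rejected: digest mismatch"
        self.sandbox[name] = (data, now)
        return "staged"

    def recall(self, name: str) -> str:
        """Vendor pulled the update after release: drop it before it reaches production."""
        if self.sandbox.pop(name, None) is None:
            return "nothing to recall"
        return "recalled"

    def promote(self, name: str, now: datetime) -> str:
        """Move a staged update to production only after the soak period has
        elapsed and the sandbox smoke test passes."""
        entry = self.sandbox.get(name)
        if entry is None:
            return "error: not staged"
        data, staged_at = entry
        if now - staged_at < self.soak:
            return "held: soak period not elapsed"
        if not self.smoke_test(data):
            del self.sandbox[name]
            return "held: smoke test failed"
        self.production[name] = data
        del self.sandbox[name]
        return "promoted"


# Constructed stand-in for the sandbox install check: our made-up update
# format is acceptable only if it starts with a header the agent recognises.
def fake_smoke_test(data: bytes) -> bool:
    return data.startswith(b"AGENT-UPDATE v")


def demo() -> list[str]:
    """Walk two constructed updates through the gate; returns the decisions in order."""
    t0 = datetime(2024, 11, 3, 9, 0)
    good = b"AGENT-UPDATE v7.1\n...constructed payload..."
    bad = b"GARBAGE\n"
    gate = StagedRollout(fake_smoke_test)
    return [
        gate.receive("sensor-7.1", good, "0" * 64, t0),           # digest does not match
        gate.receive("sensor-7.1", good, sha256_hex(good), t0),   # digest matches
        gate.promote("sensor-7.1", t0 + timedelta(hours=2)),      # too early
        gate.promote("sensor-7.1", t0 + timedelta(hours=25)),     # soaked and passes
        gate.receive("sensor-7.2", bad, sha256_hex(bad), t0),     # digest matches...
        gate.promote("sensor-7.2", t0 + timedelta(days=2)),       # ...but breaks the sandbox
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Note that the digest check only proves you got what the vendor published; it says nothing about whether that update is safe, which is exactly why the soak period and the sandbox test remain in the path. In a real deployment the soak window and the promotion decision would also be recorded somewhere auditable, so that a later incident review can see when each update entered production.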

3)     Deploy the Zero Trust Framework:

This is a methodology where you segment your entire IT/Network Infrastructure into different “zones”, with each one of them making use of Multifactor Authentication (MFA).  The basic idea of this is that if the Cyberattacker breaks through one line of defense, the odds of them going deeper becomes statistically zero.
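The reason segmentation blunts lateral movement is that every zone boundary makes its own decision: a valid session in one zone carries no trust into the next, and each entry is re-checked for role, device posture, and a fresh MFA result. The policy evaluator below is an added example for this post, not a real Zero Trust product or any vendor's policy language; the zones, roles, identities and the order of checks are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    identity: str
    target_zone: str      # the zone the requested resource lives in
    mfa_fresh: bool       # MFA completed for this hop, not just at initial login
    device_compliant: bool


# Constructed policy (not a real deployment): each zone lists the roles
# permitted inside it; anything not listed is denied by default.
ZONE_POLICY = {
    "workstations": {"employee", "admin"},
    "app-tier": {"admin", "service"},
    "database": {"dba"},
}

# Constructed identity directory mapping users/services to roles.
ROLES = {
    "alice": {"employee"},
    "bob": {"admin"},
    "carol": {"dba"},
    "svc-web": {"service"},
}


def evaluate(req: AccessRequest) -> str:
    """Decide one zone entry. Default deny; every hop is checked independently."""
    permitted = ZONE_POLICY.get(req.target_zone)
    if permitted is None:
        return "deny: unknown zone"
    if not ROLES.get(req.identity, set()) & permitted:
        return "deny: role not permitted in target zone"
    if not req.device_compliant:
        return "deny: device posture check failed"
    if not req.mfa_fresh:
        return "deny: MFA required at zone boundary"
    return "allow"


def walk_through_zones() -> list[str]:
    """Constructed sequence of hops, showing that each boundary can stop a
    request on its own even when an earlier hop was legitimate."""
    hops = [
        # admin with a valid session but no fresh MFA for this hop
        AccessRequest("bob", "app-tier", mfa_fresh=False, device_compliant=True),
        # same admin, fresh MFA, but admins are not a database role here
        AccessRequest("bob", "database", mfa_fresh=True, device_compliant=True),
        # the DBA, fresh MFA, but from a device that fails its posture check
        AccessRequest("carol", "database", mfa_fresh=True, device_compliant=False),
        # the DBA from a compliant device with fresh MFA
        AccessRequest("carol", "database", mfa_fresh=True, device_compliant=True),
        # a service identity asking for a zone the policy does not define
        AccessRequest("svc-web", "backup-vault", mfa_fresh=True, device_compliant=True),
    ]
    return [evaluate(h) for h in hops]


if __name__ == "__main__":
    for hop, decision in zip(range(1, 6), walk_through_zones()):
        print(f"hop {hop}: {decision}")
```

The order of the checks matters operationally: an unknown zone or an unpermitted role is rejected before any MFA prompt is sent, so a foothold cannot generate a flood of push notifications against a user who was never going to be allowed in. In a real environment the `ROLES` lookup would be your identity provider and `device_compliant` would come from an endpoint management or EDR agent.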

4)     Have the IR Plan:

This is an acronym that stands for “Incident Response”.  Having this kind of plan in place, and regularly practicing it is of utmost importance.  This kind of document will allow you and your IT Security team to respond to and contain a security breach quickly.

5)     Use EDR solutions:

This is also an acronym that stands for “Endpoint Detection and Response”.  These are solutions that are typically deployed on the devices that your employees use to conduct their daily job tasks, whether they are remote or hybrid.  They can be used to monitor and contain any threat variants that are incoming into these devices.

So, there you have it, my first prediction of what the Cyber Threat Landscape could look like in 2025.  Stay tuned for more of them.

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written many blog...