ICT PULSE: Cyber threats and security in the Caribbean 2018 update – Interview with Niel Harper

ICT Pulse:  Niel, thank you again for taking the time to share your insights with us. To start, give us a quick recap of what have been the most prevalent types of incidents in Barbados and/or in the wider Caribbean region over the past year or so?

Niel Harper:  Over the past year, there has been a substantive increase in ransomware attacks in Barbados and across the Caribbean. This is pretty much in line with the global trend, where we saw massive ransomware attacks such as NotPetya and WannaCry that impacted over 500,000 organizations and resulted in damages and losses in excess of USD$400 million. Barbados and the rest of the Caribbean were not spared from the wrath of these attacks.

ICTP:  Has the threat landscape changed over the past year? Are there any particular areas of concern that you have for Caribbean organizations, or the region as a whole?

NH:  Yes, most definitely the threat landscape has changed over the last year. Firstly, there has been a shift towards attacks on the underlying Internet infrastructure. Hence, Caribbean service providers need to implement protections in their networks to address core routing and DNS security, among others. Additionally, we are seeing hackers using social media platforms as an attack vector, and such attacks are routinely compromising mobile phones. Last but perhaps most significant, state-sponsored threat actors have become more and more active. We are seeing increasing attacks against critical infrastructure and supply chains. For example, cyberwar actors will seek to attack targets that result in maximum disruption, economic upheaval, and even public safety issues (e.g. airports, public transit, power grids, nuclear facilities, smart cities, etc.). There will be continued attacks targeting democratic processes such as electronic voting machines, online voter registration, party or politician websites, and other such platforms. Sadly, Caribbean (and global) enterprises will get caught up in state-led or state-sponsored attacks, and with far-reaching economic impacts.

ICTP:  Over the past year, ransomware incidents still appeared to be occurring across the region. Are they still as huge a threat?

NH:  As stated in my earlier comment, ransomware is most definitely still a threat, and there are a couple of reasons for this. For one, there are numerous techniques available to hackers for initiating ransomware attacks such as spam, phishing, rootkits on legitimate websites, traffic redirection, and others. Ransomware also remains a lucrative business for hackers. There’s also no shortage of targets for ransomware attackers, specifically when you consider that many healthcare providers, government agencies and educational institutions simply don’t have the resources to adequately respond to cyber threats.

ICTP:  Bitcoin (cryptocurrencies) and blockchain are concepts of which mass consumers are becoming increasingly aware. Are you excited or concerned about these technologies?

NH:  I am both excited and concerned about blockchain and cryptocurrencies. Blockchain provides numerous options and possibilities for changing how we work, communicate and do business. As adoption of both technologies skyrockets across the globe and throughout the Caribbean, I expect that there will be a corresponding increase in attacks. More specifically, these attacks will be mostly focused on cryptocurrency marketplaces and end user applications such as crypto wallets and crypto trading apps. Early in 2018, Japanese crypto exchange Coincheck was hacked and lost USD$500 million in assets due to poor security mechanisms in their hot wallets. We’re also seeing crypto mining malware which essentially compromises PCs and laptops and uses their resources to mine cryptocurrencies. A consequence of these attacks will be increased regulation of cryptocurrencies by governments, and there is the potential for this to stifle innovation and the network benefits of blockchain technologies.

ICTP:  Towards the end of 2017, we became aware of some new threats: Meltdown and Spectre, which seem to be shaking the computing and tech industry to its core. In layman’s terms, can you briefly give us a sense of what Meltdown and Spectre are about, what harm they do, and what steps (if any) we can take to better protect ourselves?

NH:  Meltdown and Spectre exploit critical vulnerabilities in system processors. These hardware-based vulnerabilities allow programs to steal data that is being processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to obtain data stored in the memory of other running programs. Desktops, laptops, and cloud platforms are affected. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995. There are patches against Meltdown for Linux, Windows, and OS X. There is also work being done to harden software against future Spectre exploits, as well as to patch software after exploitation through Spectre. Details for these solutions can be found on most all the security-focused web sites.

ICTP:  After all of what we have discussed so far, are there still new and emerging threats of which we should be more aware?

NH:  Yes, I think everyone should be aware of threats associated with the Internet of Things (IoT), connected vehicles, weaponization of AI, and cyber-physical attacks. For example, AI can make spearphishing attacks cheaper, faster and more effective, and also help attackers to design malware that is stealthier and harder to discover using traditional endpoint protection tools. Another example is that researchers – and hackers – are uncovering more vulnerabilities in the onboard systems of older airplanes, trains, ships, and other transport modes that render them vulnerable. I expect to see more attacks involving ransomware that hijacks these vital systems and threatens chaotic results if owners don’t pay to regain control.

ICTP:  Finally, what are the top three (3) things businesses should be doing this year, 2018, to improve their network/IT security?

NH:  One of the most important countermeasures against cyber threats is greater awareness. Governments need to engage various national stakeholder groups in developing awareness programs. Such programs should incorporate information on common attack techniques/vectors, recommendations on how to put better protection measures in place (including data protection), and best practices for improved online hygiene. Businesses are key stakeholders, and they should see themselves as playing an important role in building awareness both internally to their organizations and on the broader national scale.

All businesses need to develop cybersecurity strategies, including in key areas such as risk assessment, vulnerability management, legal & regulatory compliance, and capacity building. They need to have the right people, process and technology in place to combat cyber threats. For SMEs who have challenges with resources, there are security companies like mine who are willing to work with them to develop flexible, cost-effective solutions for cybersecurity.

As it relates to improving users’ control of their data and increasing accountability for data handlers, it is likely that legislation will be needed because corporations have not yet proven to be good data stewards. Hence, legislative instruments like the EU’s General Data Protection Regulations (GDPR) are likely to be replicated across national jurisdictions. More specifically, the roles and responsibilities of those handling data should be clarified, penalties for misuse and abuse should be outlined, and mechanisms should be put in place to reward adequate data protection and implementation of security best practices. I would advise all Caribbean nations to look at implementing data protection legislation in the very near future.

The original interview can be found on the ICT Pulse website at: https://bit.ly/2JzAFce

What is a virtual CISO? When and why should you hire one?

Chief information security officers (CISOs) are increasingly in-demand, and the very good ones are expensive and difficult to lock down. As more and more organizations who are without CISOs suffer breaches, how should they go about bringing such talent into their businesses?

Could an on-demand virtual CISO (vCISO) be the appropriate solution for them? A vCISO is essentially a security practitioner who provides their advice and insights to an organization on an outsourced and ongoing basis, usually part-time and remotely.

But why would a business engage a vCISO when they can hire a full-time CISO? The answer to this is not a simple one. Firstly, a vCISO is not a good fit for all organizations. Secondly, highly-regarded, experienced CISOs are not easily found, generally stay in a role for 2-3 years, and most importantly, come with a salary that is prohibitive for small to medium enterprises (SMEs).

vCISOs usually cost around 40% – 60% of what you would pay a full-time CISO, and their services can be delivered on-demand. Their benefits usually far exceed their costs. Virtual CISOs are highly experienced, knowledgeable, don’t have learning curve challenges, can integrate easily into a business, and won’t see the need to tiptoe or play nice when it comes to corporate politics. With this approach, it is strictly about outcomes, and a top-tier vCISO will provide critical board and executive engagement, metrics, and high-level reporting.

While different vCISOs come with varying skillsets, most should be able to deal with a plethora of activities from strategic to tactical. They can develop your information risk assessment methodology. They can create a robust framework of policies, procedures, standards, and guidelines. They can help your organization come to terms with GDPR, PCI-DSS and other compliance issues. They can address outsourced vendor risks, for example around cloud computing and IoT services. They can also assist with recruitment and establishing a high-performance team, devising the security vision and strategy, leading the RFP process for security solutions, refining incident response processes, and implementing COBIT 5.0 and ISO/IEC 27000. They might also support the coaching and training needs of newly hired CISOs and conduct awareness training and reporting to the Board of Directors.

Virtual CISOs are best suited to startups and growing companies, and are an ideal way to bolster a management team that is already in place or to serve as a short-term solution. The best vCISOs must be good communicators – vertically and horizontally, and especially at the board level. They must be able to work with companies across diverse industries and with varying risk profiles and backgrounds. They must be capable of communicating clearly what business risks companies are exposed to as it relates to cybersecurity. An effective vCISO must also be adaptable and quickly learn about the unique business environment their customer operates in. And once these things are known, the vCISO needs to bring their knowledge and skills to bear in terms of aligning the cybersecurity strategy with the business’ strategic objectives.

As they generally operate without budgets or responsibility for implementation, it is best if vCISOs are viewed as advisors and not as auditors or change managers. Cybersecurity is largely a business of relationship management, and traditional CISOs must win the hearts and minds of the executives and organizational leaders if they’re to move the enterprise forward. vCISOs don’t necessarily need to do this, as they are not visible and likely won’t be around for the long-term.

vCISO Services are included in the service portfolio of my company Octave Consulting Group.

Why Bitcoin Will Not Solve the Caribbean’s Financial Inclusion Woes

What is Bitcoin? Is it electronic money?

There’s a deluge of hype around Bitcoin and blockchain technologies right now, and policymakers and regulators in the Caribbean are doing their best to wrap their heads around the advantages and disadvantages of this virtual currency. Similar questions are being contemplated in the ICTs for development (ICT4D) community, taking into account that electronic money (e-money) platforms such as Safaricom’s M-PESA have essentially solved the financial inclusion quandary for millions of people in Kenya. The service has now even expanded to Eastern Europe, Afghanistan, and India.

Besides sharing the characteristic of being digital, how do Bitcoin and e-money compare, especially with regards to reaching individuals who have previously been unable to access traditional financial services? Presently, there appear to be more differences than similarities between the two, and it’s critical not to confuse virtual currency with e-money.

Blockchain, in brief, is a record of digital events, distributed across multiple participants. It can only be updated by consensus between participants in the system, and when new data is entered, it can never be erased. The blockchain contains a true and verifiable record of each and every transaction ever made in the system. Launched in 2009, Bitcoin is a virtual, private currency that uses blockchain as an underlying, immutable public ledger. Bitcoins are ‘mined’ using distributed processing power across a global network of volunteer software enthusiasts. The supply mechanism is designed to grow slowly and has an upper limit of 21 million units as determined by a built-in algorithm. There is no central authority that controls blockchain or Bitcoin. There are no central banks that can be politically manipulated; and no way to inflate the value of a national currency by simply printing more money. Economic libertarians are ecstatic at the very thought of this. However, competing virtual currencies can be created that could have the net effect of devaluing the original.

Contrastingly, e-money is not a separate currency and is overseen by the same national regulatory authority that governs the printing of fiat money – as is the case with M-PESA and the Central Bank of Kenya. It’s an extension of a national currency like Jamaican dollars or Netherlands Antillean guilders for use over digital networks to reduce the costs associated with handling physical cash. More specifically, it’s a one-to-one electronic store of value pegged to the cash receipt of the equivalent amount. To mitigate against risks like money laundering, terrorist financing, consumer protection, etc., the cash against which e-money is issued most often has to be deposited with fully regulated financial institutions.

The issue of financial exclusion

The issue of financial exclusion can be summarized into two categories: unbanked and underbanked. Unbanked individuals do not have an account at a regulated financial institution, while underbanked individuals have accounts, but frequently use alternative or unregulated financial services.

Before elaborating on the key factors behind financial exclusion, it is important to detail the effects of being unbanked to illustrate the severity of the problem. Unbanked individuals are faced with a heavy economic burden when conducting even the most basic financial transactions. For example, cashing a check can cost the average person with full-time employment as much as USD$20,000 over his/her lifetime. Retailers, which several people use for check cashing, charge non-trivial fees. For example, charges can be as high as USD$5 for cashing a check. Other alternative financial services providers employ even more extortionary fee structures. Western Union, as an example, charges as much as USD$42 to send a USD$500 remittance to Barbados. ‘Underground’ alternative financial service providers levy as much as USD$10 on every USD$100 transferred. All in all, fees for conducting basic transactions can accrue large costs. And given that the majority of unbanked households are low- and medium-income families, this significantly reduces the monies available for daily consumption.

There are numerous interwoven reasons, both from the customer and supplier end, which contribute to the overall dilemma of financial exclusion. Fundamentally, the decision on whether or not to open a bank account can often be attributed to the volatility and quantity of the individual’s earnings. This means the more volatile a person’s income is, the higher the chance they are unbanked. Simply put, there are large numbers of Caribbean nationals who do not have enough money to maintain a bank account. As the majority of banks require a mandatory minimum deposit to open an account, as well as an average balance to avoid monthly service fees, an inadequate and/or inconsistent flow of income automatically serves as a barrier to using banking services for low-income earners who live paycheck to paycheck. Initially, this may seem paradoxical as alternative financial services are very expensive, yet they are primarily used by low-income individuals. Nonetheless, it must be acknowledged that alternative financial services do not have strict requirements for maintaining a consistent account balance, and consequently are easier to access up front. The high costs of alternative financial services accumulate due to prolonged usage, or at the conclusion of a lending agreement, whereby the interest rates are regularly double or triple those offered by traditional banks. Basically, the cost of regular bank accounts is known in advance of setting up an account, whereas the true cost of alternative financial services emerges over time. This is a major reason that alternative financial services are more appealing to low-income households.

Another reason for unbanked individuals is attitudinal and behavioral; they really do not trust banks. A large percentage of them believe that banks are not in any way interested in serving their needs. This sentiment may not be all that unfounded, as a number of the banks across the Caribbean region have been reducing the teller services that unbanked individuals are familiar with and prefer, forcing more (non-technical) customers to online channels, or even more abhorrent (at least in the eyes of the common man), looking to divest their retail operations in favor of corporate banking and wealth management business units. Even though the commercial reasons may be legitimate, these types of actions are not improving the already unfavorable views of traditional banks.

However, it must be emphasized that the reasons for being unbanked are not restricted to consumers. The actions, or rather inaction, of private sector commercial banks play just as large a role in the issue. The prior discussion of low-income households being unable to obtain bank accounts due to the high minimum balances highlights the unavailability of inexpensive banking options for this specific market segment. The commonly held belief is that banks lose too much money in servicing accounts for low-income individuals to make them a valuable market. Actually, one can forcefully contend that banks are pricing their products intentionally to keep these customers away. For example, as of June 2017, CIBC FirstCaribbean charges a $15 monthly service fee (in addition to various other transactional fees) and offers to waive the fee for customers who can maintain an average balance of $1,000. These types of pricing structures and expectations are difficult for poor people to meet.

Why Bitcoin isn’t a financial inclusion panacea

Bitcoin currently has no formal strategy or roadmap to guarantee, for instance, that even at its current rate of adoption, it can replace the variety of fiat currencies across the region. Investment is key to solving these types of problems. However, in quantitative terms, investment in the Internet at its nascent stages was several orders of magnitude greater by comparison.

There is a lot of controversy around attempts to regulate Bitcoin. It is not very clear to what social and economic areas and most importantly, to what extent the state or agencies will be admitted into the development process to design compliance into the system. One theoretical problem lies in the fact that blockchain’s main strengths (security, legitimacy, privacy, safety and availability) are patterned off a set of algorithms — math, cryptography and distributed computing.

Renowned writer and amateur cryptographer Edgar Allan Poe once stated “… it may be roundly asserted that human ingenuity cannot concoct a cipher which human ingenuity cannot resolve… Thus, what is encrypted by one person, can always be decrypted by another.” Similar thought processes have led many security experts to claim that Bitcoin is one major hack away from total failure (can anyone say ‘quantum computing’?). My concerns about Bitcoin’s future, and more importantly its status as a solution for financial inclusion, are nowhere close to being so ominous or skeptical. In the sections that follow, I will fully outline why I think Bitcoin has a long way to go before it solves the financial inclusion dilemma in the Caribbean region.

To obtain Bitcoin, you must already be “economically included” — both in terms of Internet and financial access. Let’s be very honest here; the average unbanked or underbanked individual is not mildly interested in the highly technical and costly process of mining Bitcoin. In terms of investing in Bitcoin, individuals participate based on trust in the private currency and at their own risk (speculative investment is usually not the realm of low- to medium-income earners). The exchange rate of Bitcoin to US dollars has fluctuated wildly in its short existence. Once you have discretionary income available and use debit or credit cards to purchase Bitcoins on a cryptocurrency exchange such as Coinbase or BitStamp, Bitcoin has two characteristics of traditional money: when you buy products or services at participating merchants, transactions are largely anonymous and irrevocable. Again, free market advocates love this, but it garners unnecessary attention from tax agencies and law enforcement.

Anonymity is a deliberate choice for the unbanked. Simply put, the unbanked live in a cash-driven economy. They prefer to remain anonymous for a bevy of reasons: immigration status, tax purposes, fear, or general mistrust of banks. One of the ways to remedy this is to overhaul the burdensome regulations linked to closed networks like Western Union and MoneyGram to permit the unbanked to utilize completely anonymous platforms. Onerous rules are stymying advancements in digital movement of money because they were developed for a bygone era. For the cloud over the industry to disappear, efforts need to be made to vanquish the idea that anonymous money sending is only for terrorists and criminals. Allowing $100 in cash to move anonymously helps a poor farmer a lot more than it does an ISIS jihadist. The belief of libertarians that money will become totally anonymous, absent of any oversight or intervention by government and regulators, is illusory. The ultimate objective is to deploy technology that empowers individuals, but in tandem we need common institutions like the judiciary and regulators that protect consumers and the integrity of the currency that drives the economy. At the end of the day, millions of people aren’t going to discard the existing financial system in favor of Bitcoin on faith alone.

Predatory businesses are convenient where the unbanked live. Rural areas like Trelawny, Jamaica or Mayaro, Trinidad are home to large swathes of unbanked households. Traditional banks don’t see a viable business case for locating a branch or satellite office in such districts. This means that check cashing and money changing businesses that charge exorbitant rates are the only real means of conducting transactions. New concepts like human ATMs are popping up in locations such as Hong Kong where low-income individuals can send money home, and where several minor Bitcoin remittance players have been successful. However, like rural areas in the Caribbean, these are small markets that are in no way appealing to large banks or major investors. Kenya’s M-PESA succeeded because it leveraged an existing network of agents and vendors. Bitcoin does not preclude the need for extensive networks of agents in remote locations who can provide physical cash to those seeking remittances in a local currency. There are also questions about the viability of Bitcoin in countries with poor technology infrastructure (i.e. poor cellular coverage or lack of broadband Internet in rural areas).

Traditional banks need to come to the table. Traditional banks in the Caribbean have shown little to no interest in embracing Bitcoin or distributed ledger technologies. They see it as a threat to their monopoly over transaction-based services, instead of as an opportunity to revolutionize their operations. Globally, mobile banking is overtaking branch-centered activity more and more – for example, in Norway, 91% of the population use online banking channels. The explosion of fintech companies that are ‘unbundling’ traditional banking functions, added to the maturity of the first generation of Internet banking solutions, is hastening this trend. Consequently, the amalgamation of omni-channel banking, fintech platforms, and open APIs is obscuring the lines between traditional and alternative finance. New banking institutions such as Skandiabanken are making strides towards accepting Bitcoin and its altcoins as trustworthy assets. If this trend is sustained, expect cryptocurrencies to become more firmly implanted in the evolving fintech landscape. Legislators will then be under tremendous pressure to develop comprehensive proposals for regulating a new asset class. It will also have the net effect of encouraging the development of the next generation of cryptocurrency-based services.

Bitcoin may be better off as a back-office solution. The transparency and auditability features of distributed ledger technologies like Bitcoin could address a number of different challenges in the financial services industry. It could address the de-risking issues that are seriously impacting the Caribbean region. It could reduce compliance expenses, given that banks and other financial institutions need such personnel to ensure that regulatory requirements are being met or to respond to regulator audits. It serves up the potential of instantaneous movement and settlement of funds, which is appealing to merchants with regards to working capital requirements, given they presently have to wait 2-3 days for each payment. As it pertains to customer service costs, fraud reduction decreases the number of incoming calls, and improved auditability lends to faster responses to customer queries. For instance, utilizing Bitcoin at the core of a payment gateway that integrates with existing core banking applications to facilitate international wire transfers would result in significant cost savings (it would also eliminate the need for correspondent banks and provide real competition for the monolith that is SWIFT). Combining these savings with others would allow financial institutions to better service lower income customers. Akin to the underlying protocols behind email, Bitcoin can drive common services, and users will never have to interface with it.

Smaller countries do not have Bitcoin liquidity. Many fintech startups have failed because emerging economies – especially small island developing states (SIDS) – have serious challenges with Bitcoin liquidity. For example, there are some realistic obstacles that weaken Bitcoin’s efficacy as an apparatus for remittances. Remittances demand that a liquid market exists between Bitcoin and the receiving nation’s currency. Liquid currency markets tend to be strongest in countries with robust market institutions and entrenched local intermediaries. Countries that depend on remittances usually don’t have such institutions for their national currency, far less a totally new virtual currency. This is why the leading mobile money players are focusing on airtime top-ups, bill payment, and peer-to-peer (P2P) transfers. These are alternative forms of value that can surface in countries lacking adequate infrastructure or access to cryptocurrencies and immediately help the poorest. Many of these applications can run on feature phones and use basic SMS technology to enable movement of digital value. It will take a long time before the really poor become familiar with Bitcoin, and even longer for them to actually care about it. Conversely, it ought to be the shining star in the constellation of financial inclusion, and fintech should be engaging in the heavy lifting to develop policies today that will positively impact everyone, not just the wealthy.

Financial inclusion is more than remittances. If I got a dollar for every Bitcoin enthusiast who waxes poetic about ‘Bitcoin’, ‘financial inclusion’ and ‘remittances’, I would be a wealthy man. The truth of the matter is that financial inclusion is a complex issue, difficult to evaluate due to the diverse viewpoints that have to be considered to understand and quantify it. While there is no de facto definition of financial inclusion, there are three elements that are most important: access, use, and quality of financial services. Moreover, besides remittances, financial inclusion also includes micro-credit, micro-insurance, cooperatives, peer-to-peer lending, rural/agricultural credit, mobile money, mobile vouchers, and a number of other alternative financial services. Financial inclusion is multi-faceted, and Bitcoin has yet to distinguish itself in any of the aforementioned categories. What it does is position itself as a potential alternative payments system, but it has yet to effectively demonstrate how it will deliver financial inclusion tangibly and comprehensively.

From the architecture and engineering perspectives, Bitcoin is not a ‘finished product.’ The cost of Bitcoin transactions depends on network demand and capacity at a given time. While the number of transactions employing Bitcoin has gradually risen in the last couple of years, the processing capacity of the network (that is, the volume of transactions that can be processed per second) has remained static. In layman’s terms: If transaction volumes continue on this steady trajectory without a corresponding increase in processing capacity, transaction fees will quite possibly surpass those of traditional banking services. Additionally, wait times for transactions to be completely processed have become increasingly unreliable. Contributing to these performance issues are the built-in limits on the number of transactions that can be processed at a given time. Bitcoin was not built to successfully scale, due to all of its transactions and smart contracts existing on a single public blockchain, rather than on state channels. State channels are a two-way transaction channel between users or between machines. The problem of how to increase the processing capacity of the network, while simultaneously preserving its critical decentralized features, is one that needs a near-term resolution. These early ‘teething problems’ emphasize some of the important architecture and engineering decisions that have to be made before Bitcoin can be viewed as a reliable platform for the world’s poorest.

The Caribbean region has serious online trust issues. Trust is a social, economic and political binding instrument. When trust is absent, all kinds of societal afflictions unfold – including paralyzing risk-aversion. In 2016, OAS and IDB published a report titled, ‘Cybersecurity: Are We Ready in Latin America and the Caribbean?’ Researchers conducted assessments of 13 Caribbean nations, including Bahamas, Barbados, Jamaica, and Trinidad & Tobago. The methodological framework covered ‘Culture & Society’, and one of the key findings that emerged was the extremely low levels of online trust in the region. More specifically, very high percentages of the populations in the countries surveyed did not trust the Internet as a whole. When you drill down into the data, the findings are even more alarming: Caribbean people do not trust that their online activities aren’t being monitored, they do not trust their service providers, they do not trust social networks, they do not trust their search engine provider, they do not trust companies to keep their personal data safe and secure, and most relevant — they do not trust online and mobile banking platforms. Culture is extremely difficult to change; it comprises an interlocking set of goals, roles, processes, values, practices, attitudes and assumptions. It is essentially the DNA of a country. Tossing all other issues aside, getting the residents of Caribbean nations to trust in Bitcoin may be the hardest obstacle to overcome.

Conclusion

History has shown that two factors affect how a foundational technology and its commercial applications evolve. The first is novelty – the extent to which any technological use case is new to a market or to the world at-large. The more novel it is, the more effort needs to be expended on ensuring that consumers understand what problems it realistically solves. The second is complexity, characterized by the amount of ecosystem coordination required – the quantity and diversity of actors and stakeholders that must collaborate to create value with the technology. For example, a social network with a single member is useless; its value increases only when your friends, family, colleagues, etc. have signed up. Other users of the application must be ‘converted’ to generate value for all involved. The same holds true for distributed ledger technologies like Bitcoin. And, as the scale and impact of such applications increase, large scale uptake will necessitate major social, legal, and political change.

Virtual currencies must be perceived as simple, instinctive, and easy to use even in the most functionally and financially illiterate parts of the world. Talking heads often promote financial literacy and educational programs as the lynchpin in transitioning poor people to technology-based money. But the most effective adoptions happen when people learn by imitation. So, to truly demonstrate its value, Bitcoin must become ubiquitous. People should observe its use by rich and poor alike, and in developed and developing countries, in really similar ways. No one offered Internet literacy classes or programs when the technology was introduced 30 or so years ago, but Internet usage skyrocketed as the costs fell sufficiently low. Now more people use the Internet than any other technology ever known to man. Along the same vein, Bitcoin is likely to grow when middle-class consumers start using it regularly, even when transacting with the poor. My fear is that Bitcoin and its value chain are not up to the task.

Bitcoin is a commercial application or use case, but blockchain is the foundational technology (like TCP/IP which is at the core of the Internet). And similar to the Internet in the late 1990s, we have no clue how the blockchain will evolve, but I am certain that it will. Much like the Internet, blockchain must also be permitted to grow without restrictions. This will require awareness, competency, and recognition that the core technology and the applications that run on it are not the same. TCP/IP enables several financial applications that are regulated, but TCP/IP is not regulated as a financial instrument. Blockchain should be treated similarly. While the most popular and pervasive use case for blockchain today is Bitcoin, this will not be the case in a couple of years. Had Internet regulation been heavy-handed in the initial stages, humanity would have been deprived of many innovations that have become embedded in our daily existence. Blockchain is no different. Disruptive technologies seldom fit neatly into the confining spaces of regulatory oversight, but inflexible regulatory frameworks have continually stifled innovation. Chances are that innovations in distributed ledger technologies will outpace legislation. Let’s not retard their progress.

The State of Cybersecurity 2017 – Simplicity 2.0 Podcast

“Cybersecurity is a constant challenge for businesses. Niel Harper, Managing Director of Octave Consulting Group, shares tips to protect your company’s infrastructure from security threats, and offers ways to stay a step ahead of malware, hacking, and other attacks.”

I recently sat down with the Economist Group and Laserfiche (Simplicity 2.0 Podcast) to discuss the management of cybersecurity risks. These types of interviews tend to get very abstract, so I purposely wanted to touch on topics that would resonate with both corporations and end users.

The podcast in its entirety can be found here.

6 Tips for Protecting Against Ransomware

The Internet Society has been closely monitoring the ransomware cyber-attacks that have been occurring over the last couple of days. The malware, which has gone by multiple names, including WannaCry, WannaDecryptor, and WannaCrypt, exploits a flaw in Microsoft Windows that was first reportedly discovered by the National Security Agency (NSA). A group of hackers leaked the code for exploiting this vulnerability earlier this year, and a fix or patch was available as far back as March 2017. Since Friday, 200,000 computers in 150 countries have been compromised using this exploit. The numbers are expected to grow exponentially as people settle back into their work routines and regular use of computer systems this week. As part of our continuing work in online trust and security, there are some key takeaways from this incident that we want to leave with our community.

Firstly, we want to highlight the extremely negative effects which government stockpiling of vulnerabilities and zero day attacks has on the overall security of the Internet. With over 60 countries known to be developing growing arsenals of cyber weapons, and with many of these exploits leaking into the public domain, the potential for widespread damage is a massive cause for concern. The impact is not only economic in terms of financial loss, but social in terms of how it impacts end user trust, and most importantly human in terms of loss of life (especially given that ransomware attacks have been focusing on hospitals). And with critical infrastructure like power plants, dams, and transportation systems being targeted in nation state cyber offensives, the threat to human life increases exponentially.

Secondly, it would appear that some hospitals are easy targets for ransomware attackers. Their systems house data that is critical to patient care and management, and many of these institutions don’t have the IT resources to support critical process areas like vulnerability management, patch management, business continuity management, etc. In general, hospitals are also now adapting to digital realities and a number of them are playing catchup with regards to cyber readiness. However, the aforementioned challenges are not unique to hospitals, and are faced by many small and medium enterprises (SMEs), and in several instances, large corporations. Individual users are also targeted based on their generally poor Internet hygiene or lack of security awareness.

We want to take this opportunity to emphasize the importance of good online security practices when accessing the Internet. So here are 6 basic tips for protecting against ransomware:

1. Employ strong, multi-layered endpoint security – Using endpoint security that can protect web browsing, control outbound traffic, protect system settings, proactively stop phishing attacks and continuously monitor for anomalous system behavior will allow for better protection of servers, laptops, tablets, and mobile devices.

2. Maintain regular backups of your critical data – Backups can help you to protect your data from more than just ransomware. Other risk events such as malware, theft, fire, flood or accidental deletion can all render your data unavailable. Be certain to encrypt your backed-up data so it can be effectively restored. Backups should also be stored at an offsite location isolated from the local network.

3. Do not open unsolicited emails or messages from unknown senders – Many ransomware variants are distributed through phishing attacks or email attachments. Increased mindfulness when handling ‘suspect’ emails can be effective in combating ransomware.

4. Patch your systems regularly – Patching your systems for vulnerabilities reduces the opportunities for hackers to infect you with ransomware. The fact that a patch was available for the WannaCrypt vulnerability since March highlights the somewhat lax attitude by organizations and individuals to keeping their system patches up to date. That being said, patch management is a complex activity and can impact the availability of key systems. Hence, thorough testing must be conducted to avoid unplanned downtime.

5. Disable macros if possible – Many forms of ransomware are distributed in Microsoft Office documents that attempt to trick users into enabling macros. There are a number of tools available that can limit the functionality of macros by preventing them from being enabled on files downloaded from the Internet.

6. Be aware and vigilant – For individuals, don’t assume that only techies need to know about all the recent malware and trends in online attacks. Subscribe to mailing lists that provide information on common vulnerabilities and exposures. In the case of organizations, developing an information security awareness program is an integral part of improving overall security posture.
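To make tip 5 concrete, here is an added example (not part of the original article or any Internet Society tooling) of how a mail or file gateway could decide when macros should be blocked: Windows records a file's origin in a `Zone.Identifier` stream, and macro-enabled Office Open XML files carry a `vbaProject.bin` part. The function names, verdict strings and sample data are assumptions constructed for illustration.

```python
import io
import zipfile

# Windows URL security zones that Office treats as untrusted origins.
UNTRUSTED_ZONES = {3: "Internet", 4: "Restricted Sites"}
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls/.ppt container


def parse_zone_id(stream_text):
    """Return the ZoneId from a Zone.Identifier stream's text, or None."""
    in_section = False
    for raw in (stream_text or "").splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and line.lower().startswith("zoneid="):
            value = line.split("=", 1)[1].strip()
            return int(value) if value.isdigit() else None
    return None


def macro_capability(data):
    """Classify file bytes: 'vba', 'legacy-ole', 'no-macros' or 'not-office'."""
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"  # may hold macros; full OLE parsing is out of scope
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "not-office"
    if "[content_types].xml" not in names:
        return "not-office"
    if any(n.endswith("vbaproject.bin") for n in names):
        return "vba"
    return "no-macros"


def triage(data, zone_stream_text):
    """Macro policy verdict: 'block-macros', 'review' or 'no-action'."""
    kind = macro_capability(data)
    if kind in ("no-macros", "not-office"):
        return "no-action"
    if parse_zone_id(zone_stream_text) in UNTRUSTED_ZONES:
        return "block-macros"
    # Macro-capable but unmarked: the origin is unknown, so a person decides.
    return "review"


def build_sample(with_macro):
    """Constructed OOXML-like archive for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


INTERNET_MARK = "[ZoneTransfer]\r\nZoneId=3\r\n"  # constructed sample stream

if __name__ == "__main__":
    for label, data, mark in [
        ("macro file, downloaded", build_sample(True), INTERNET_MARK),
        ("macro file, no mark", build_sample(True), None),
        ("plain document, downloaded", build_sample(False), INTERNET_MARK),
    ]:
        print(f"{label}: {triage(data, mark)}")
```

Legacy binary formats are treated conservatively as macro-capable here because confirming a VBA project inside them requires a full OLE parser.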

Finally, we want to touch on the important work being done by the Online Trust Alliance (OTA), the Internet Society’s newest initiative. The OTA’s mission is to enhance online trust, user empowerment and innovation through convening multi-stakeholder initiatives, developing and promoting best practices, ethical privacy practices and data stewardship. With regards to preventing ransomware attacks, OTA has developed a number of industry best practices that address key threat areas such as email authentication and incident response. These are as follows:

Email Authentication: https://otalliance.org/resources/email-security

Domain-based Message Authentication, Reporting & Conformance (DMARC): https://otalliance.org/dmarc

Cyber Incident & Breach Response: https://otalliance.org/resources/cyber-incident-breach-response

Additional OTA best practices, resources and guidance to help enhance online safety, data security, privacy and brand protection can be found here.

The Spam Toolkit developed by the Internet Society also provides some guidance on addressing online threats.

The Internet Society is committed to the enhancement of online trust, and our work along this vein spans multiple areas. Our goal is to continue to provide our individual members, organizational members, chapters, partners, and other constituents with timely and relevant information and resources that equip and empower them to act.

My original blog article was published on the Internet Society website at: http://bit.ly/2qMuQ4U

8 Reasons Why Cybersecurity Strategy and Business Operations are Inseparable

In modern society, there is one fact that is unquestionable: The hyper-connectivity of the digital economy is inescapable. A financial institution without an online presence or omni-channel strategy will cease to be competitive. Universities (for-profit or non-profit) must develop and continuously evolve their online learning capabilities if they are to stay relevant. Online retailers are quickly outpacing and rendering their ‘brick-and-mortar’ counterparts irrelevant. Travel agents have been largely relegated to dinosaur status in this era of online travel search aggregators and booking portals. A payments ecosystem mostly dominated by major card networks and processors now includes closed loop systems such as Apple Pay, Google Wallet and others. When we add the Internet of Things (IoT), robotics and artificial intelligence (AI) to the mix, the networked society has become a monolith that we simply cannot ignore.

What is most concerning about the ubiquity of technology is the multitude of cyber threats which organizations and individuals have to contend with. While the risks to individuals are relatively high as it relates to invasion of privacy, identity theft and financial loss, cyber-attacks can have a particularly critical impact on businesses. Depending on market and jurisdictional realities, the consequences can include heavy regulatory penalties, plummeting stock prices, lawsuits or mass layoffs. The effect on a company’s bottom line can be catastrophic.

But how are corporations responding to this ever-evolving threat landscape? The resulting strategies fall mostly into the following categories. There are the large organizations which employ the ‘3 lines of defense’ approach where an IT department owns and manages cyber risks, the operational risk and/or compliance departments specialize in risk management (including cyber), and the internal audit function provides independent assurance that cyber risks are being effectively managed. This approach is resource intensive and demands highly specialized (and costly) personnel. There are the generally under-staffed companies that limp along from day-to-day reacting to cyber-attack after cyber-attack, many of them not even aware that their systems and networks have been compromised. And finally, there are the SMEs that basically stick their heads in the sand and pretend that their operation is too small or insignificant to be the target of cyber criminals.

More often than not, business leaders across the board fail to recognize that cybersecurity is no longer the domain of the IT organization. Cybersecurity strategy is now business strategy, and the response to cyber threats is the responsibility of every individual that works for or runs a company. And here are 8 key reasons why this is undeniably the case:

  1. Corporate governance – A 2016 survey by Goldsmiths that included responses from 1,530 non-executive directors and C-level executives in the United States, United Kingdom, Germany, Japan and Nordic countries showed that 90% of respondents admitted to not being able to read a cybersecurity report and were not prepared to respond to a major attack. Even more worrisome was the fact that over 40% of executives did not feel that cybersecurity or protection of customer data was their responsibility. Let that sink in for a moment. This is why ensuring that cybersecurity is a running topic at executive and board level meetings is imperative for organizations. Even more, greater ownership should be ascribed to all levels of personnel for cyber risks. Cybersecurity culture is a collective effort that starts at the top and works its way down through the organization.
  2. Regulatory and legal compliance – Certain industries like banking, healthcare and energy are subjected to heavy regulatory burdens. And many of these regulations include requirements pertaining to privacy, data protection, and network security. In the US there are HIPAA, Gramm-Leach-Bliley, and FISMA. The EU has the NIS Directive and the GDPR. To address cross-border data flows between the EU and the US, there is Privacy Shield. To comply with this multitude of regulations, deep cyber and risk management capabilities must be embedded across organizations. Failure to do so can affect a company’s ability to stay in business. Period.
  3. Competitive advantage – Developing robust and effective internal controls to safeguard against cyber-attacks can equate to market leadership, brand strengthening, and product / service differentiation. For example, as more businesses look to AI, IoT and robotics to streamline processes and improve business performance, ensuring that these technologies are secure can increase revenues and drive bottom-line performance. In this respect, shareholders must not only expect cyber excellence, they should demand it.
  4. Financial management – There is clearly a direct correlation between cyber-related risk events (e.g. reputation damage, business disruption, fines, etc.) and financial loss. The severity and impact of such risks can be mitigated by integrating business strategy with cybersecurity strategy. The importance here is even more pronounced given the global economic downturn and depressed profits being experienced by several businesses.
  5. Public safety – An increasing number of companies are delivering products/services in the areas of smart grids, smart cities, automated public transit, power installations, autonomous vehicles, etc. Possessing core expertise in the alignment of cybersecurity and business operations will set these organizations apart in their respective market environments in terms of public safety. There are also distinct national security implications when we think of these technologies in the context of potential threats to human life.
  6. Business development – In 2004, the global cybersecurity market was valued at $3.5 billion. In 2017, it is now estimated to be worth $120 billion. But this value is primarily based on the number of products and services delivered. And while there is huge growth potential within the existing paradigm, there is a massive economic opportunity in fostering a commercial ecosystem built on online trust. Take for example the growing popularity of global trust audit and scoring offerings. Increasingly, more and more organizations are developing solutions to combat the proliferation of fake news. As it relates to IoT, consortiums are being formed to fill the security gaps in product design (i.e. existing markets can be strengthened through collaboration and coordination). And these are just a few examples of the emergent market for Trust-as-a-Service (TaaS).
  7. Corporate social responsibility – There are numerous benefits to CSR programs, ranging from enhancing brand loyalty to securing and retaining investors to attracting/retaining engaged and productive employees. So along that vein, social responsibility investment in cyber-related areas such as child online protection, secure coding for women, hackathons and cybersecurity research is a savvy approach to cementing market position. As a result, companies can promote good security as a selling point for their products and services, create a pipeline for the best cybersecurity talent, and leverage their cyber-specific supply chains to build consumer trust.
  8. Mergers & acquisitions – Businesses must recognize the importance of cybersecurity due diligence in the M&A process. Due to a low standard for due diligence, several corporations find out about major cyber incidents only after an acquisition deal has gone through. In actuality, serious cybersecurity issues around compliance, data breaches, poor security architecture or the absence of incident response processes should be uncovered before finalizing a transaction. In the case of Verizon’s acquisition of Yahoo!, the final offer was cut by almost $400 million due to revelations about cybersecurity incidents. A 2016 survey by the NYSE indicated that over 50% of respondents regarded major security vulnerabilities as a ‘show stopper’ for a merger or acquisition.

Considering that end users are generally regarded as the weakest points in cyber defenses, logic dictates that cybersecurity should begin with the individual. Every single employee must be engaged and involved in defending the organization from online threats. It is they who most often access enterprise applications, networks and devices, and will undoubtedly serve as the first line of protection against hackers. Executives and board members are targeted due to their access to key digital assets; and because of the traditional fortification of the network perimeter, line workers are the focus of threat agents seeking to gain entry into the network or escalate their privileges to access sensitive information. Indeed, both executives and employees represent vectors to the same ultimate objective – the compromise of internal systems and access to critical data. Hence, development of an effective cybersecurity strategy must involve tight coupling of security practices with business operations to bolster an organization’s overall security posture. The most damaging misstep organizations can make – and often do – is relegating this function to an understaffed and underfunded IT department.