Tag Archive for: John Sileo

A.I. Deepfake Posing as the CFO Scams $25 Million: How to Protect Your Organization from the Exploding Deepfake AI Cyber Scam

Deepfakes use Artificial Intelligence (A.I) to create fake, hyper-realistic audio and video that is generally used to manipulate the viewer’s perception of reality. In most deepfakes, the legitimate person’s face or body has been digitally altered to appear to be someone else’s. Well known deepfakes have been created using movie stars and even poorly produced videos of world leaders.

Removing the malicious part of the definition, deepfakes have been used in the film industry for quite some time to de-age actors (think Luke Skywalker in The Mandalorian) or resurrect deceased actors for roles or voiceovers (think Carey Fisher in Rogue One – okay, can you tell I’m a Star Wars geek?). Cybercriminals have latched on to the technology, using AI-generated deepfakes in conjunction with business email compromise (also known as whaling and CEO fraud) to scam organizations out of massive amounts of money.

Just recently, a finance worker at an international firm was tricked into wrongly paying out $25 million to cybercriminals using deepfake technology to pose as the company’s Chief Financial Officer during a video conference. And it wasn’t just one deepfake! The fraudsters generated deepfakes of several other members of the staff, removing any red flags that it wasn’t a legitimate virtual meeting. As a subordinate, would you refuse a request from your boss that is made face-to-face (albeit virtually)? You might be savvy enough, but most employees aren’t willing to risk upsetting their boss.

The days of just sending suspicious emails to spam is no longer adequate. Our Spidey Sense (the B.S. Reflex I talk about in my keynotes) must be attuned to more than business email and phone compromise. We have entered the age of Business Communication Compromise, which encompasses email, video conferences, phone calls, FaceTime, texts, Slack, WhatsApp, Instagram, Snap and all other forms of communication. It takes a rewiring of the brain; TO NOT BELIEVE WHAT YOU SEE. AI is so effective and believable that workers may even feel like they are being silly or paranoid for questioning a video’s validity. But I’m sure as the employee who lost their organization $25M can attest, it’s way less expensive to be safe than sorry.

The solution to not falling prey to deepfake scams is similar to the tools used to detect and deter any type of social engineering or human manipulation. Empowering your employees, executives and customers with a sophisticated but simple reflex is the most powerful way to avoid huge losses to fraud. When you build such a fraud reflex, people will be less likely to ignore their gut feeling when something is “off.” And that moment of pause, that willingness to verify before sharing information or sending money, is like gold. These are the skills that I emphasize and flesh out in my newly-crafted keynote speech, Savvy Cybersecurity in a World of Weaponized A.I.

Get in touch if you’d like to learn more about how I will customize a keynote for your organization to prepare your people for the whole new world of AI cybercrime. Email contact@sileo.com or call 303.777.3221.

Cybersecurity Habits Meet Neuroscience

Bad Cybersecurity Habits

Hack your cybersecurity habits to avoid being hacked! The human element of cybersecurity is the most overlooked and underused tool for data protection. People are our strongest line of defense. In other words, your employees are your greatest asset in the fight against cybercrime, but only if you train them to be. By fortifying data at its source –us– we have a much better shot at preventing cyber disasters in our businesses.

Drawing inspiration from the book “Atomic Habits” by James Clear, we can apply his principles to reinforce best cybersecurity practices. Just as small, incremental changes lead to significant long-term results in personal growth, cultivating atomic cybersecurity habits can fortify our digital defenses. In this article, we will explore how the concepts of “Atomic Habits” can be seamlessly integrated with cybersecurity practices, empowering individuals to navigate the online world with confidence and security.

Let me hack your brain to make security simple. 

Healthy Cybersecurity Habits 

  1. Strong and Unique Passwords: Use strong, complex passwords. Avoid reusing passwords. Use a password manager to generate and store passwords.
  2. Two-Factor Authentication (2FA): Enable 2FA whenever possible. 
  3. Regular Software Updates: Keep your operating system, antivirus software, web browsers, and other applications up to date. Updates often include important security patches that address vulnerabilities.
  4. Secure Wi-Fi: Use a strong, unique password for your home Wi-Fi network. Enable encryption (WPA2 or WPA3). Avoid using public Wi-Fi networks for sensitive activities unless you are using a reliable VPN (Virtual Private Network).
  5. Phishing Awareness: Be cautious of suspicious emails, messages, or calls. Verify the legitimacy of requests and avoid providing personal information unless you are certain of the source.
  6. Regular Backups (Daily): Backup your important files and data regularly to an external hard drive, cloud storage, or other secure location.
  7. Privacy Settings: Review and adjust privacy settings on your devices, apps, and social media accounts. Limit the amount of personal information you share. Consider what permissions an app truly needs (spoiler alert: not much).
  8. Secure Web Browsing: Use secure websites (HTTPS) when providing sensitive information. Look for the padlock icon in the address bar. Be cautious of clicking on suspicious links. Avoid downloading files from untrusted sources.
  9. Device Protection: Use reputable antivirus or security software on all your devices and keep them updated. Enable device lock screens or biometric authentication (fingerprint or facial recognition). 

How to Hack your Habits

ATOMIC HABIT CYBERSECURITY APPLICATION
Use the two-minute rule: identify a small, actionable step you can take that only takes two minutes. Do it immediately.
  • Change one password.
  • Put. A. Password. On. Your. Lock. Screen. 
  • Enable two-factor authentication for one account
  • Grab your phone. Settings >> privacy >> location. Turn off location services for apps that absolutely don’t need your whereabouts. 
  • Delete 2-3 apps you do not use.
  • Unsubscribe from a few junk mailing lists
Make habits obvious: Create clear cues and reminders to engage in the healthy habit. 
  • Create a regular and recurring phone reminder to update software or add another financial site to your two-step login list. Make cybersecurity a visible part of your daily routine.
“Habit stack” for better integrations. 

Link new habits to existing ones to help them become more automatic and ingrained. 

  • Before you start browsing the internet each day, make it a habit to check for secure connections (HTTPS) or verify the legitimacy of websites. 
  • At the same time, check to make sure that your backup is working properly.
  • Monthly family/business meetings? Add a 5 min technology check-in to the schedule (updates, passwords, issues). 
Environmental design can make 

  1. desired behaviors more convenient (make good habits EASY to do)
  2. undesirable behaviors more difficult (make bad habits HARD to do)
  • Enabling fingerprint recognition on your password keeper will make it more appealing to log into.
  • Invest in a larger cellular data plan so that you aren’t tempted to join insecure free WiFi hotpsots.
Track habits to maintain motivation and measure progress.
  • Keep a log of actions such as updating software, conducting regular backups, or practicing safe browsing.
Make habits satisfying: immediate rewards increase the likelihood of habit formation. 
  • After completing any of the above, or even a thorough scan of your device for malware, reward yourself with a short break or engage in an enjoyable activity. 
Build an identity of the person who embodies desired habits. 

You are more likely to put effort into something that relates to who you are (identity) rather than what you do (behavior)

  • Embrace the identity of a proactive and security-conscious individual. Visualize yourself as someone who prioritizes protecting their digital assets. By identifying as a cyber-conscious person, you’ll be more likely to adopt and maintain good cybersecurity habits

Cybersecurity often feels like an endless journey. This is why celebrating progress is crucial to maintaining hope and momentum. By embracing the principles of “Atomic Habits,” we can forge a path towards a more secure digital future. And we can do so without burning ourselves out or becoming digital nomads (I know how tempting it may seem…). What matters is that we show ourselves some grace as we build better cyber health. 

The power lies within our daily actions—the consistent implementation of small, atomic cybersecurity habits that reinforce our protection. Just as Clear’s book teaches us to focus on the process rather than the outcome, let us concentrate on the journey of developing healthy cybersecurity habits, one smart step at a time. 

 

___________________________

 


John Sileo is an award-winning keynote speaker who educates audiences on how cybersecurity has evolved and how they can remains ahead of trends in cybercrime. He is proud to have spoken at the Pentagon and Amazon, written four books on cybersecurity, and been inducted into the National Speakers Hall of Fame. He has appeared on 60 Minutes, NBC, ABC, Fox, CNN, Rachael Ray, and Anderson Cooper. John’s work has been quoted and published in The Wall Street Journal, The Washington Post, USA Today, and Kiplinger’s.

Looking for a customized speech to make your next event unforgettable? Call 303.777.3221 or fill out our contact form to connect with Sue, our business manager extraordinaire. She’ll work with you to brainstorm ideas and explore how John can tailor his speech to fit your needs perfectly.

John Sileo Cybersecurity Expert Top Tips

I get asked at almost every keynote speech how the audience members can protect themselves, their families and their wealth personally. So I put together a series of videos to take you through some of the first steps. I hope this gets you started, and that I am lucky enough to meet you in person at a future speech!

Freeze Your Credit

A freeze is simply an agreement you make with the three main credit reporting bureaus (Experian, Equifax and TransUnion – listed below) that they won’t allow new accounts (credit card, banking, brokerage, loans, rental agreements, etc.) to be attached to your name/social security number unless you contact the credit bureau, give them a password and allow them to unfreeze or thaw your account for a short period of time.

Equifax Credit Freeze
P.O. Box 105788 Atlanta, Georgia 30348
Toll-Free: 1.800.685.1111

TransUnion Credit Freeze
Fraud Victim Assistance Department P.O. Box 6790 Fullerton, CA 92834
Toll-Free: 1.888.909.8872

Experian Credit Freeze
P.O. Box 9554 Allen, TX 75013
Toll-Free: 1.888.397.3742

Two-Step Logins

There are three basic ways to find out whether or not your provider makes two-step logins available:

  • Call them directly and ask them how to set it up. I especially like this method when working with financial institutions, as you want to make sure that you set it up correctly and they should be more than happy to help (as it protects them, too).
  • Visit the provider’s website (e.g. Amazon.com) and type in the words “two-factor authentication” or “multi-factor authentication” or “security tokens”.
  • Google the name of the website (e.g., Schwab.com) along with the words “two-factor authentication” or “multi-factor authentication” or “security tokens”.
  • Visit this helpful listing (https://twofactorauth.org/) to see if your desired website appears on the list of two-factor providers.

Online Backups (for Ransomware)

You need to have an offsite backup like in the cloud or elsewhere that is well-protected that happens daily on your data. That way, if ransomware is installed on your system, you have a copy from which to restore your good data. You have the ransomware cleaned off before it enacts and you’re back up and running. Make sure it:

  1. Is updated whenever a change is made or a new file is added.
  2. Is stored somewhere different than your computer.
  3. Actually works when you try to restore a file.

My personal recommendation and the one I use is iDrive online backup (iDrive.com).  I recommend buying twice the hard disk space of the data you need to back up.

Personal VPNs

A Virtual Private Network (VPN) extends access to a private network across a public network, so a user can send and receive data across a public network as if their personal device was directly connected to the private network. In layman’s terms, it’s like having a private tunnel between your device and your destination. If you haven’t already, research the term “VPN Reviews” to get the latest research and then install a VPN on every device to cyber secure your virtual office and smartphone.

Free Credit Reports

Go to annualcreditreport.com to see your three credit reports from the three credit reporting bureaus.  Periodically request a report from one of the bureaus and cycle through each of them every three months or so.

Identity Monitoring

Ask four questions as you research your options:

  1. Does the service have a simple dashboard and a mobile app that graphically alert you to the highest risk items?
  2. Does it include robust recovery services? (How long does it take to reach a live human being in the restoration department?)
  3. Does the service monitor your credit profile with all three credit reporting bureaus?
  4. Do you have faith this company be in business three years from now?

Password Managers

A password manager is a software application that helps a user store and organize passwords. Password managers store passwords encrypted, requiring the user to create a master password; a single, ideally very strong password that grants the user access to their entire password database.

Research Password Management services such as Dashlane, LastPass, or the one I personally use, 1Password. Google the term “Password Manager Reviews” and look for articles in a magazine you trust to find the one right for you.

Junk Mail

To opt out of pre-approved credit offers with the three main credit reporting bureaus, call 888-5-OPT-OUT (888-567-8688) or visit www.OptOutPreScreen.com.

Phone Scams

If you receive a call that triggers your scam alert reflex, HANG UP!  If you receive a call from someone supposedly from a financial institution, utility company or a government agency and they ask for personal information like your Social Security number, HANG UP! Or if someone calls from “Apple” or “Microsoft” promising to help with a computer issue, HANG UP!  You get the idea.  If you think it is a legitimate call, tell them you will call them back from a published number.  If they start making excuses, HANG UP!!!

Google Maps

  1. Go to www.google.com/maps
  2. Locate your house by typing its address into the search box and pressing Enter.
  3. Click on the small picture of your house that says Street View.
  4. Adjust Google Maps Street View by clicking the left and right arrows on the Street View image until you see your house.
  5. Click the Report a Problem link at the bottom-right corner of the Street View image or, depending on the device you are using, click on the three dots in the upper right-hand corner.
  6.  It will take you to a page to Report Inappropriate Street View.  Here you can ask to have any number of things blurred, including the picture of your house.
  7.  You will need to provide your email address and submit a CAPTCHA.

Smart Speakers

Ask yourself how comfortable you are having a corporation like Amazon or Google eventually hearing, analyzing and sharing your private conversations. Many people will say they don’t care, and this really is their choice. We are all allowed to make our own choices when it comes to privacy. But the vitally important distinction here is that you make a choice, an educated, informed choice, and intentionally invite Alexa or Google into your private conversations.

Account Alerts

To monitor accounts quickly and conveniently, sign up for automatic account alerts when any transaction occurs on your account. If you spend even a dollar at a store, you receive an email or text notifying you of the purchase.

  1. Go to the bank or credit card company website.
  2. Search for “Account Alerts” in their search window.
  3. Set up your alerts for a dollar threshold that makes sense for you.

Internet of Things

  1. Understand your exposure.  What do you currently connect to the internet?
  2. Make a list of the devices you have that connect to apps on your smart device.
  3. At a minimum, make sure you have CHANGED THE DEFAULT PASSWORD!!!
  4. Also consider disabling location services, muting any microphones and blocking any webcams.
  5. Finally, update the firmware regularly.

Tax Return Scams

If you suspect tax fraud, call 877-438-4338 or go to consumer.ftc.gov to alert them.  (They will not EVER call you or reach out via text or email!)

If you had a fraudulent deposit made directly to a bank account, contact your bank’s automated clearing house department to have it returned.  And close that bank account and open a new one while you are at it!

Safe Online Shopping Habits – Episodes 1, 2 & 3

  1. Stick to websites you know and trust. Beware of imposter websites that have a URL nearly identical to the one you mean to use.
  2. Always look for the lock icon in the browser and and “https” in the URL.
  3. Use long strong passwords.
  4. Never shop with a debit card online. It’s even better to use a dedicated credit card just for online purchases.
  5. Set up automatic account alerts on your bank account.
  6. Request a new credit card number once a year (after the busy shopping season).
  7. Set up two-factor authentication on your bank, credit card and retail accounts.
  8. Use a Personal Virtual Private Network (VPN).
  9. Download the apps for your favorite retail sites onto your smart devices and shop directly from them using your cellular connection.  This will assure you are not on a fraudulent site, you are protected by at least two passwords and your internet connection is encrypted.

Phishing Scams

  1. Mistrust every link in an email unless you know who it is coming from and you were expecting that link.
  2. If you’re suspicious about a link in an email, type the URL directly into the address bar of your browser to make sure it takes you to the legitimate website.
  3. Use the hover technique to see if you’re going to the real site or the site of the cyber criminals.

John Sileo, cybersecurity expert and identity theft speaker, has appeared for the Pentagon, Amazon and on shows like 60 Minutes and Anderson Cooper. Contact us for more details on 303.777.3221 or using our contact form.

Hackers Hot for Hotspots: Protect Your Remote Workforce


Your remote workforce is only as strong as its weakest link — which, believe it or not, may be a public WiFi hotspot. Insecure networks have been at the forefront of a recent spike in business-impacting cyber attacks, namely among organizations that have deployed a remote workforce who accessed malicious WiFi networks or hacker-enabled hotspots.

Have we become so dependent on the ubiquity and convenience of connectivity that remote employees will connect to any nearby network, so long as it looks legit? The answer is yes, and it’s the reason why 80% of security and business leaders said their organizations were more exposed to risk as a result of remote work.

Though remote work enables employees to work from anywhere, these harmful hotspots are everywhere, and many employees are simply none the wiser to the risks. The vulnerability of the remote workforce to these cyber attacks can no longer be ignored. Learn how to protect your remote workforce (and organization) from the harmful effects of network-induced cybercrime.

The Remote Workforce is Here to Stay

If 2020 was the year of remote work, 2021 was the year of the remote workforce — and recent data suggests it’s not going anywhere any time soon. While 70% of full-time workers were forced to switch to remote work in 2020, 69% still voluntarily worked remotely throughout 2021. Today, a whopping 81% would prefer a hybrid or remote working style indefinitely, even post-pandemic. 

Plus, it’s not just employees who favor a permanently remote workforce. According to the 2021 State of Remote Work, 26% of employers have voluntarily chosen to maintain a fully remote workforce and 20% have opted for a hybrid work model. Not to mention, approximately 40% of employers have either reduced or closed their physical office spaces. 

All signs point to an ongoing remote workforce. But if employers weren’t prepared for their teams to work from home in 2020, are they actually prepared now? Or will the risk of cybercrime dampen the otherwise fantastic benefits of remote work? Recent statistics suggest there’s still work to be done to protect both employees and organizations. 

But Are Remote Workers Safe from Cyber Crime? 

Are you familiar with the phrase, “One bad apple spoils the barrel?” Well, that’s a pretty accurate way to view public WiFi and free hotspots in relation to remote work. Though employees have the freedom and autonomy to dial in from anywhere in the world, they almost always require an internet connection to access company servers or internal databases. 

98% of remote workers use a personal device for work daily, yet 71% of security leaders lack high or complete visibility into remote employee home networks — which could explain why 67% of cyber-attacks directly targeted remote workers. From the local café to a hotel across the globe, it’s far too easy for employees to unintentionally connect to an unsecured network. 

A recent study, Cybersecurity in the New World of Work, found that 74% of organizations attribute recent business-impacting cyberattacks to vulnerabilities in technology put in place during the pandemic, namely migrating business-critical functions to the cloud. Two-thirds of security leaders plan to increase cybersecurity investments over the next two years, but what about right now?

So, Is Public WiFi a Trap Door for Hackers?

While security leaders scramble to implement better network practices for remote workers, this remote-work expert will let you in on a secret: Using free public WiFi is like licking the grade-school water fountain while you’re taking a drink. Sure, you get what you need out of the deal, but you open yourself up to a lot of nastiness… like, next-level gross. The same can be said for public WiFi. 

Though a public, insecure internet connection allows remote employees to access whatever they need for work, it also provides cybercriminals with access to business-sensitive or customer-centric data. A hacker can examine every piece of information a worker enters on the network, from important emails to security credentials for your corporate network.

Unfortunately, many people consider tethering their laptop to their phone as too technical or lack the appropriate data plan, so they default to a local hotspot. These hotspots are often unencrypted and require no login or password — that’s like open season for hackers! And with slim chances of tracking a cybercrime to the hotspot (or hacker) in question, they continue to be a blind problem. 

Why Public WiFi Makes a Hacker’s Job a Breeze

We as a society have become so dependent on connectivity, whether for remote work or pleasure, that the average person will connect to a random nearby network as long as it is named in a manner consistent with their place on the map. Near a café? FreeCafeWiFi it is! But why is it so easy for cybercriminals to create these malicious networks in the first place? 

First and foremost, it’s because you don’t have to hack a public network, you just have to imitate one. With an average iPhone, anyone can set up an “evil twin” WiFi network at the nearest café, airport, or hotel, and sniff any unsecured traffic that passes through. Most people don’t know the difference between the various WiFi or tethering symbols on their phone, so they’re in the dark about the inherent risks.

With slightly more sophisticated equipment and the right software, a true “evil twin” can be set up in a matter of seconds. In fact, when I’m in the field as a cybersecurity speaker, I often rename my iPhone to the name of the hotel or conference center hosting the event, like !SECUREMarriotWiFi. This naming convention makes the hotspot rise to the top of the list, and I regularly have attendees joining my hotspot to collect their email, log in to work, and more.

It’s that easy, friends. And it’s not always criminals doing the involuntary data grab: Retailers have been known to offer free WiFi with the specific purpose of learning more about their customers, meaning even “legitimate WiFi” can be a risk. The average café or retailer doesn’t actually care about the safety of your data, they are just keeping expenses low and connections convenient. 

Cybersecurity Expert Tips to Protect Your Remote Workforce 

Would you trust and inject a vaccine someone handed you at your favorite Starbucks? Don’t delude yourself. Working on free WiFi with sensitive material will never be as safe as using a secure hotspot or WiFi connection you own. If your remote workforce is spread across the city, state, or country, there’s no way they can all access a company-backed Internet connection.

So, you must do the next-best thing — educate your team on how to safely work remotely. Here are five tips, as told by a cybersecurity expert who has seen behind the curtain, to improve your Wi-Fi safety and protect your business. 

1. Connect (Work Remotely) via Cellular Data 

When remote employees are working on something sensitive or confidential (read: internal data), it’s best to connect to the internet via cellular data connection whenever possible. Connection from a smartphone to a personal device is encrypted and far more secure than any free WiFi.

If they don’t have a dedicated hotspot, tether a smartphone to a laptop and use that to communicate instead. In many cases, an available 5G network is faster than what the free WiFi will be. 

2. Utilize a Virtual Private Network (VPN)

A Virtual Private Network (VPN) extends access to a private network across a public network, so a user can send and receive data across a public network as if their personal device was directly connected to the private network. In layman’s terms, it’s like having a private tunnel between your device and your destination. If you haven’t already, install a VPN on every worker’s device to cyber secure your virtual office

For the remote workforce, a VPN is an excellent method to add security to employee communication, especially when leveraging an insecure connection like public WiFi. Even if a hacker accesses an employee’s device, the data will be strongly encrypted and is more likely to be discarded than run through a lengthy decryption process. 

3. Always Use HTTPS 

Take a look at your browser bar. Right now, the current web address should begin with https:// — that’s on purpose. HTTPS (Hypertext Transfer Protocol Secure) is an extension used for secure communication over a computer network. The majority of trustworthy sites will leverage HTTPS to encrypt communication, especially those that require log-in credentials. 

Entering those credentials in an unencrypted manner could open the door to a hacker, who can then repurpose those details to access your corporate or client network. So, be sure to personally enable (and encourage employees to enable) the “Always Use HTTPS” option of frequently-visited sites. Alternatively, install a web extension like HTTPS Everywhere for Chrome, Firefox, and Opera to essentially force each website you visit to connect using HTTPS. 

4. Safeguard All Settings

The settings on a personal device are the difference between leaving the backdoor wide open for cybercriminals or dead-bolting that door shut. When your remote workforce connects to the internet at a public place, be sure their settings have been optimized to prevent a cyber attack as much as possible. 

For one, turn off sharing from the system preferences or Control Panel. It’s unlikely your team has anything to share with the other patrons of a café, save the hacker lurking in the corner. Secondly, turn off Auto Connect for WiFi networks and log out of the WiFi when you leave, as many of today’s devices will automatically connect to the closest available network, without regard for safety.

5. Verify Legitimacy Whenever Possible 

Lastly, if you or your remote workforce ever find the dire need to use public WiFi, make sure to verify with the business that any WiFi hotspot you join is the legitimate one — not the “evil twin” — and make sure it requires a password to join. Confirm details such as the connection’s name and IP address before connecting any personal devices to the business’s network. 

Stay Protected with a Cybersecurity Overhaul 

Even a remote workforce that takes every possible precaution against third-party networks can encounter a cybercriminal. That’s just a risk of doing business in this increasingly digital age. As cybercriminals continue to evolve, cybersecurity best practices will also progress; and it’s up to business leaders to continue to upgrade their security practices to remain protected.

Don’t let the threat of cybercrime impact the longevity or productivity of the remote workforce. Take action today by empowering your remote workforce with the tools they need to remain safe, even when dialing in from halfway around the globe. Now is the time to invest in a cybersecurity crash course, if not for the safety of your business, for the protection of your employees and customers. 

Ransomware Attack: What if this were your Billion $ mistake?

No one has ever heard of your company. Let’s call it, COMPANY X. And you like it that way. In 57 years, you’ve never once shut down your mission-critical operations that fuel the US economy. YOU are an honest, satisfied employee of Company X, and although your security team hounded you with preachy posters in every ELEVATOR to never use the same password twice (because passwords are like dirty underwear), you still did. You used the same totally UNGUESSABLE 10-character password for your work login and hotel loyalty program. Which got breached. You changed the stolen password on the hotel website, but forgot about your work login. And your company doesn’t require two-step logins, even though they bought the technology after a dashing keynote speaker SCARED the crap out of them.

In mid-February, you receive a promotion, and with it, a new login to the system. In spite of a $200 million per year IT budget, your company never decommissions your old login credentials, leaving access as wide open as the BACK DOOR into a college-town liquor store.

On April 27, DARKSIDE, (yes, even hackers have a sense of humor) a ransomware attack ring protected by EMPEROR PUTIN, buys your stolen loyalty credentials for approximately five cents and uses artificial intelligence to insert them on every login page on the Company X website, which they know you work at from your snappy LinkedIn profile. While outdated on the hotel site, your username and password still work for your vacated role at Company X.

By April 29, DarkSide has loaded ransomware onto your computer, which happens to be in the master control room of Company X. Company policy states that any sign of ransomware triggers an automatic shutdown of all operations, which suggests that Company X isn’t clear on how closely their business I.T. systems are tied to their operational or O.T. systems. PARTY FOUL.

And that’s how Colonial Pipeline, supplier of 45% of the East Coast’s fuel supply, shut down all operations for 6 days. 2.5 million barrels of fuel per day, stuck in Texas because of your single password that opened the company to ransomware attack. Ok, I realize this isn’t really your fault, but what if it was? What if you were the one who caused FLORIDIANS to queue at gasless gas stations as if KRISPY KREME and In & Out Burger had just merged?

Colonial chooses to defy the FBI DIRECTIVE to never pay a ransom (research says that doing so just invites the cybercriminals to come back for seconds) and pays DarkSide $4.4M dollars in untraceable bitcoin to get their pipes back in the game. Well, not totally untraceable, as the FBI HELPS Colonial retrieve half of its bitcoin. But don’t expect them to come to your rescue, as you probably don’t supply the East Coast with half of its carbon emissions. Even after the blackmail is complete, fuel doesn’t flow for 6 more days. Which causes Billions in damage to the US economy and Millions in reputational damage to Colonial. Because of a password. From one person.

Here’s what this ransomware attack means for you:

  • Every employee matters: One weak password can bring an organization to its knees
  • Don’t let your company get cocky, because it CAN happen to you.
  • The ransomware get-out-of-jail price tag is now often in the tens of millions.
  • Security is an obsessive, continuous pursuit, so make a long-term game plan.
  • Never forget to deactivate old user accounts.
  • Require two-step logins to minimize the impact of poor passwords.
  • Have a foolproof, off-site, offline backup of your data.
  • None of this works without a healthy underlying culture of security.

If you’re confused about how to prepare for a ransomware attack, consider a leadership crash course in cybersecurity. Because one small cyber mistake, and everyone will know your company.

_____________________________

John Sileo hosts cybersecurity crash courses that target the human element of cybersecurity. His clients include Amazon, the Pentagon and Charles Schwab, but his most fulfilling engagements are for smaller organizations and associations that can affect immediate change. 303.777.3221

 

Is WhatsApp Privacy a Big Fat Facebook Lie? What You Need to Know.

WhatsApp privacy policy

WhatsApp Privacy: Facebook’s New “Data Use” Policy

I have been getting a ton of questions on the privacy of your personal data that is sent through WhatsApp. Is Facebook, who owns WhatsApp, sharing everything you write, including all of your contacts, messages and behaviors? It’s not quite that simple, but neither is Facebook.

Facebook announced a new WhatsApp privacy policy recently which created A LOT of confusion and user backlash. The changes caused such an uproar that they ultimately have decided to delay release of the new WhatsApp privacy agreement from Feb. 8 to May 15 while they sort themselves out. So let me give you a head start!

Behind all of this, WhatsApp is trying to break into the world of messaging for businesses (to compete with Slack and other programs). That way, when you communicate with a business, Facebook will see what you’re saying and use that information for advertising purposes.

Your Data That Can Be Accessed By Facebook

Facebook contends that your private messages will remain encrypted end-to-end, including to them, but Facebook & WhatsApp will have access to everything they’ve had access to since 2014:

  • Phone numbers being used
  • How often the app is opened
  • The operating system and resolution of the device screen
  • An estimation of your location at time of usage based on your internet connection

Purportedly, Facebook won’t keep records on whom people are contacting in WhatsApp, and WhatsApp contacts aren’t shared with Facebook. Given Facebook’s miserable history with our personal privacy, I don’t actually believe that they will limit information sharing to the degree that they promise. I think that this is one of those cases where they will secretly violate our privacy until it is discovered and then ask forgiveness and lean on the fact that we have no legislation protecting us as consumers. But please be aware that if you utilize Facebook, you are already sharing a massive amount of information about yourself and your contacts. WhatsApp may just add another piece of data into your profile.Watch The Social Dilemma on Netflix if you’d like to learn more about how you are being used to power their profits.

Highly Private Messaging Alternatives to WhatsApp

So, while it is mostly a “cosmetic change” to the WhatsApp privacy policy, if you are uncomfortable using it, you may want to consider the following:

    • There are alternative messaging apps, including Signal and Telegram, both of which have seen huge new user sign-ups since the announcement. I personally use Apple Messages (daily communications) and Signal (highly confidential communications).
    • WhatsApp says it clearly labels conversations with businesses that use Facebook’s hosting services. Be on the lookout for those.
    • The feature that allows your shopping activity to be used to display related ads on Facebook and Instagram is optional and when you use it, WhatsApp “will tell you in the app how your data is being shared with Facebook.” Monitor it and opt out.
    • If you don’t want Facebook to target you with more ads based on your WhatsApp communication with businesses, just don’t use that feature.
    • Trust the WhatsApp messaging app as much as you trust Facebook, because ultimately, they are the same company.

John Sileo is a cybersecurity expert, privacy advocate, award-winning author and media personality as seen on 60 Minutes, Anderson Cooper and Fox & Friends. He keynotes conferences virtually and in person around the world. John is the CEO of The Sileo Group, a business think tank based in Colorado

iPhone Security Crash Course: 13 Hacker-proofing Tips

 

iPhone Security In the Mid/Post-Pandemic World

We are no longer just addicted to our iPhones; we are officially in a committed relationship, thanks to the pandemic. We mobile office from them, bank from them, attend doctor’s appointments, kids’ classes and Zoom happy hours from them. And in the midst of all of this critical and effective use, we are dropping our guard when it comes to iPhone security. 

But there is good news! Changing your default privacy and security settings keeps you from being shark bait (because hackers usually go for the easy kill). Even for iPhone users, who often mistakenly believe that all security is taken care of by Apple. Spoiler – it’s not. Smartphone security takes mindful tweaks on your part – even if Apple does a good job of rooting out malicious apps. Here is a short description of what steps I would take first to to defend your phone (other than never losing it). 

Too much reading? Check out the webinar – in less than an hour I’ll walk you through HOW to do it all for less $ than an Apple dongle!


smartphone privacy

iphone Security Webinar: Wednesday, June 24 @ 1pm ET

Cost: $29

Register: Sileo.com/webinar

Course Description: iPhone Security – See Below (Note: Android OS will not be covered)

 


The Lucky 13 –  iPhone Security & Privacy Tweaks   

  1. Prune Your Apps. You have far more apps on your phone than you use regularly. Outdated and extraneous apps are a backdoor into your privacy. Delete those you don’t use often (Apple can help automate this) and reinstall when needed. Before you install a new app, find trusted reviews online to determine the company’s privacy and security record.
  2. Auto-Update Your iOS. Turn on automatic updates for your iOS operating system so that security patches are installed immediately upon release. This protects you from something called zero-day exploits, which I will explain as I demo how to turn this on during the webinar). Safari is part of the operating system, and just as vulnerable to hacking  as on your computer, making these updates even more critical.
  3. Hide Your Location. Your flashlight app (not  the Apple one) may be spying on you.Third-party apps often request access to iPhone features and data they don’t really need, like your location, camera, contacts, and microphone. Turn off location sharing on most apps, and set it to “Only While Using App” on most of the rest. Bring your app-specific location questions to the webinar.
  4. Hide Your Contacts, Photos & Conversations. Many apps have access to your contacts, calendar, photos, Bluetooth, microphone, camera and health data. Customize these settings to only allow access to apps that you trust or that have to have access to work.
  5. Robustify Your iPhone Passcode. Four digits is not enough! Six-digit numeric codes are still vulnerable to cybercriminals. Even if you conveniently unlock your iPhone with a thumbprint or facial recognition, the passcode behind the biometric is what gives it all of its strength! Lengthening codes is a bit confusing, so I will save it for the online demonstration.
  6. Password Manage Your Online Accounts. Mobile password aggregators help you create unique, long and strong passwords for all of your online accounts. The iPhone integrates with many common password managers to make logging in to critical sites faster and safer than the old fashioned way. Happy to make “endorsement-free” product recommendations if you need them.
  7. Double Your Passcodes. When you turn on two-step logins (aka, two-factor authentication), a hacker’s ability to break into your online accounts plummets. Having a passcode you know (the one you memorize to get into your phone) and a passcode you have (from a passcode authenticator app or text message), makes you exponentially safer. Enable this on every cloud service you use, from email to banking, health sites and business logins to social media. And make sure you turn it on for iCloud, which stores a backup of everything on your phone.
  8. Backup Your Phone. Whether you back up to a physical computer or to iCloud, this is the best way to recover from ransomware or a lost, stolen or hacker-scrambled phone.
  9. Stop Brute Force Logins. If you’re worried about your device falling into the wrong hands, you can prevent an attacker from brute-force break-ins using the “erase data” option. This automatically deletes all data on your phone after 10 consecutive failed login attempts. Just don’t ever forget your code, and be careful that your kids don’t erase your data by entering the wrong code too many times!
  10. Shut Down Eavesdropping Advertisers. Many websites use cross-site tracking to monitor your surfing habits so that marketing companies and advertisers can push products and services tailored to your interests. This can be turned off in Safari for iOS. It is also possible to block pop-ups, enable fake website warnings, disable location-based and interest-based ads and switch from Google’s search engine to a more private source like DuckDuckGo.
  11. Enable Location Tracking and Wiping
  12. Secure Your Free Wi-Fi Hotspots (VPN)
  13. Disable Creepy Photograph Tracking

If you are looking for a bit of hand/phone holding, join my webinar, where I will walk you through HOW to implement all 13 iPhone Security Steps.


Webinar: iPhone Security Crash Course: 13 Ways to Keep Hackers & Advertisers Out

Every website you visit, location you frequent and app you use on your iPhone can be tracked, hacked and abused. By default, your smartphone is open to cellular providers, digital advertisers and cybercriminals. Until, of course, you proactively take steps to minimize how your private data is being captured, shared and sold. 

In this iPhone-specific workshop, John will perform a live demonstration of 13 critical iphone security and privacy settings. Bring your iPhone to the webinar, as you will be actively changing settings during the presentation. 

Smartphone Privacy & iPhone Security Tools Covered Will Include:

  1. App pruning and vetting
  2. Operating system patches and automatic updates
  3. Limiting location tracking performed by Apps
  4. Keeping hackers out of contacts, photos and voice recordings
  5. Hack-proof passwords (almost)
  6. Implementing a password manager
  7. Turning on two-step logins on vital online accounts
  8. How to back up your phone in case of loss or ransomware
  9. Eliminating brute-force logins
  10. Disabling advertising tracking and sharing
  11. Enabling location tracking and wiping in case of loss
  12. Installing and utilizing a VPN to protect Wi-Fi usage
  13. How to disable creepy photo location tracking
    If time permits:
  14. Evaluating of the Pros/Cons of biometric passwords (fingerprints and facial recognition)
  15. A discussion on the security of Apple Pay and Wallet options
  16. Banking and investing vulnerabilities on you smartphone

By the end of this webinar, your iPhone will be 99% more secure than the average smartphone user. Time for Q&A with John will be provided at the end of the demonstration.

Is Document Shredding Still a Thing in This Digital Age?

Document shredding seems to have fallen out of favor. I recently received some questions from a client wondering if, in the age of remote massive database breaches by pajama-clad hackers, we should still shred our sensitive documents.  If it is so easy to access it digitally, then why would anyone go through the arduous, dirty work of old-fashioned dumpster diving?

In case you have the same questions, here are my thoughts:

Is Identity theft via paper still an issue in this digital age?

Without even a moment’s hesitation – YES IT IS! It no longer gets the press it used to and dumpster diving, physical file theft and the like never account for the sheer volume of identities stolen (it’s more profitable and efficient to hack a million IDs at a time from Facebook or Equifax), but they are still part of the criminal toolkit, especially for local criminals (who don’t have hacking experience) and especially for organized criminals that need small bits of information from a target before they socially engineer them to hand over the keys to the kingdom (e.g., gaining their trust to manipulate them out of their user login credentials at work based on information from physical documents, embarrassing trash, etc.).

Do people still need to shred all of their paper documents? 

The initial answer is no, because that information is already out there in volumes. The wiser answer, from a habituation perspective, is yes. In 30 seconds a day (if your shredder is convenient), you can shred everything with personal information on it? That way, when it does have something more valuable (account number, last four of your SSN or any of those small bread crumbs that lead to greater levels of trust and access), you have already established a good habit. When users are advised to just shred X or Y, instead of everything personal, they eventually forget or give up because the volume is too low.

Are cross-cut document shredders enough or should we use higher-security micro-cut shredders?

For the average person who doesn’t work in a defense-related, finance-related or health-related job (you get the idea), I think that a simple confetti shredder is plenty sufficient. There is technology out there to recreate documents, but that isn’t really the concern of your average reader. If they have security clearance or deal with highly sensitive information from work in their home, then yes, the higher end are better.

The Achilles heel of shredding is that people don’t take care of them (empty them, oil them, etc.) and they break like a car with no oil, so that is part of the deal – you have to maintain them. I still have a shredder in my home office and several at work. We put all of the documents in a bin next to the shredder and shred them a couple of times per week before the trash goes out. That makes it a bit more efficient.

In other words, how paranoid should we still be about shredding documents?

Paranoid is a touch too strong. Just be smart. Think about unshredded documents as the reconnaissance tools that cyber criminals use to commit larger crimes. If I find your bank statement unshredded in the trash, I can now call you, pretend to be the bank using a caller ID spoofing app, recite the last four digits of your account and get the information I need acting as the bank to close out your account on the very next call. And from a corporate perspective, it’s even more valuable data.

So what are the basic reasons behind document shredding?

  • Prevent identity theft
  • Protect your customers and your employees
  • It’s the law (under the Data Protection Act)
  • It saves space
  • It’s “green”! Shredded paper makes recycling much easier

What documents should you shred?

  • Medical records and bills (keep for at least a year after payment in case of disputes)
  • Old tax returns: after three years of returns you are allowed to throw them away, as long as you aren’t committing fraud – otherwise you can be held liable indefinitely
  • Old photo IDs
  • Bank, investment, medical or insurance statements (or anything else that contains vital identity or account numbers)
  • Credit card offers and expired credit and debit cards
  • Canceled or voided checks
  • Pay stubs
  • Copies of sales receipts
  • Convenience checks (Blank checks your credit card company sends to borrow against your credit line)
  • Junk mail that contains personally identifying information (watch for barcodes)
  • Mail related to your children or their school

Remember, shredding isn’t only for large companies.  As someone who personally was a victim of dumpster diving, trust me and take the extra four seconds to shred that piece of trash; it may save you years of time spent trying to recover from financial devastation.

About Cyber Security Keynote Speaker John Sileo

John Sileo loves his role as an “energizer” for cyber security at conferences, corporate trainings, and industry events. He specializes in making security fun so that it sticks. His clients include the Pentagon, Schwab and many organizations so small (and security conscious) that you won’t have even heard of them. John has been featured on 60 Minutes, recently cooked meatballs with Rachel Ray and got started in cyber security when he lost everything, including his $2 million software business, to cybercrime. Call if you would like to bring John to speak to your members – 303.777.3221.

Local Government Cyber Security: Our Next Big Threat

Security Awareness Programs Like Mushy Overnight Oats?

To diagnose your under-performing cyber security awareness programs, all you need to do is look at my breakfast today. My daughter introduced me to overnight oats. “It’s the perfect breakfast, Dad – full of energy, takes no time at all, packed with simple, healthy ingredients like oatmeal, almond milk and peanut butter”, she said. “That’s what I need!”, I said, “All of the power with none of the fuss”. So I took her recipe and promptly ignored it. I added cottage cheese, chia and some lemon – because if it was already good, I was going to  make it even better.

What I got was curdled mush that crawled out of the bowl like John Cusack’s dinner in Better off Dead. The theory of overnight oats was brilliant. It was my execution that made me gag.

Many security awareness programs choke on their own ingredients because, like my overnight oats, they don’t follow a recipe when they plan the program. The have no overarching security “end” in mind at the beginning, to paraphrase Stephen Covey. Empowering the human element of cyber security is the cultural ingredient that many organizations overlook. Think about tweaking your recipe a bit to make it more than palatable.

A Recipe for Effective Security Awareness Programs

One byproduct of serving as the opening keynote speaker for hundreds of security awareness programs around the world (in addition to the bottomless pit of mileage points I’ve earned), is that I have dined amidst training programs, OVER and OVER again, that leave me hungering for more substance and lots more flavor. Here is my simple recipe for a filling, enjoyable and effective Security Awareness Program:

Ingredients (For a Culture of Security that Cooks):

  • (1-3) C-Level Executive(s) who “Believe” (Ownership)
  • (1) Cross-Functional Business Case w/ Compelling ROI (Strategy)
  • High-Engagement Content Rooted in Personal Security (Methodology)
  • (6-12) Regular, Engaging Follow-on “Snacks” (Sustenance)
  • (1) Feedback Dashboard to Measure “Diner” Response (Metrics)

Ownership. Failing to have a highly-communicative Chief Executive leading your initiative is like expecting a 3-Star Michelin rating from a fast-food cook. You must have high-level “buy-in” for your program to work. I’m not talking about the CISO, CRO, CIO or CTO here – that would just be preaching to the choir. The missing cook in awareness programs tends to be a security “believer” from the executive team. Successful security awareness programs are clearly led, repeatedly broadcast and constantly emphasized from the top of the organization, all with an attitude of authenticity and immediacy. Whether served up by your CEO at an annual gathering or by your Board of Directors to kick off National Cyber Security Awareness Month, your security champion must become an evangelist for defending your data.

Strategy. Don’t expect to randomly add security ingredients to the bowl and blindly hope they mix well together. You’ll just end up with curdled oatmeal. Approach your program strategically, and devise a recipe to protect your intellectual property, critical data and return on information assets. You are competing for resources, so build a compelling business case that demonstrates the organization’s ROI in business terms, not buried in techno-babble. What did it cost your competitor when ransomware froze their operation for a week? How much would the training have cost to avoid the CEO whaling scheme that lost a similar-sized company $47 million? What do the owners of  compliance, HR and I.T. have to add to the meal? The most successful security awareness programs have a budget, a staff (however small) and cross-departmental support. Involve the business team and other stakeholders up front to leverage their expertise before rollout.

Methodology. Here is a litmus test for the potential effectiveness of your security awareness program: Does it begin by focusing on the critical information assets and devices inside of your organization? If so, it’s probably doomed. Why? Because your employees are human beings and they want to know how this affects them personally before they willingly invest time to protect the corporate coffers. Excellent security awareness kicks off by making data protection personal – by building ownership before education. From there, the training must be engaging (dare I say fun!?) and interactive (live social-engineering) so that your audience members pay attention and apply what they learn. Death-By-PowerPoint slides will permanently put behavioral change to sleep. Highly-effective programs build a foundational security reflex (proactive skepticism), and are interesting enough to compete against cute puppy videos, smartphone farm games and our undying desire for a conference-room cat nap.

Sustenance. Best practice security awareness training, like a five-course meal, doesn’t end with the appetizer. Yes, kickoff is best achieved with a high-energy, personally relevant, in-person presentation that communicates the emotional and financial consequences of data loss. But that is only the beginning of the meal. From there, your team needs consistent, entertaining follow-up education to keep the fire alive. For example, we have found short, funny, casual video tips on the latest cyber threats to be highly effective. And lunch workshops on protecting personal devices. And incentive programs for safe behavior. And so on. Culture matures by feeding it consistently.

Measurement.If you don’t measure your progress (and actually demonstrate some), no one will fund next year’s dining budget. What are your Security Awareness Training KPIs, your key metrics? How did successful phishing attacks decline as a byproduct of your program? Has user awareness of threats, policy and solutions increased? How many employees showed up for the Cyber Security Awareness Month keynote and fair? How department-specific are your training modules – or does one size fit all? When you can show quantitative progress, you will have the backing to continue building your qualitative culture of security.

And now, back to the meal. In spite of the lemon juice that further curdled the cottage cheese and ruined my oats, I was still hungry, so I ended up choking them down, vowing to listen to my daughter next time. And I hope you will listen to me this time: Approach your security awareness program like you are planning a feast for guests who matter a great deal to you. Because your uneducated employees, unprotected customer data, and invaluable intellectual capital are exactly what cybercriminals are eating for breakfast.

What are the greatest gaps you see in Security Awareness Programs? Please share your brilliance below.


John Sileo loves his role as a keynote “energizer” for Cyber Security Awareness Programs. He specializes in making security fun, so that it sticks. His clients include the Pentagon, Schwab and some organizations so small (and security conscious) that you won’t have even heard of them. John has been featured on 60 Minutes, recently cooked meatballs with Rachel Ray and got started in cyber security when he lost everything, including his $2 million software business, to cybercrime.