Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action.
This week: Why cybersecurity influences the valuation of a fintech, how cyber attackers are after your cryptocurrency, the steps recommended by NIST to reduce the risk of ransomware, the reward offered by the US government for information about cyber attackers and terrorists, and the ongoing problem of password reuse.
This week’s action: Find out why passwords are like your toothbrush.
>>>> THREE ARTICLES <<<<<
1: Startups and cybersecurity: An oxymoron?
“[Cybersecurity] doesn’t sound very appealing to startup founders. Instead, startup founders want to inspire their employees. They want to help them dream about what their product can do for the world and they want to beat their rivals. They want to rush forward and build now, think later. There is a lot of pressure to deploy software overnight and fix bugs later, but later never comes. [..] Founders need to face the fact that creating a business without including small business cybersecurity in the planning process opens it up to major risk.
When the author states “major risk”, I see three clear risks:
- Complete business failure as a successful attack causes clients to walk away.
- Fewer sales conversions as poor defences causes prospects to walk away.
- A lower valuation if an acquirer comes knocking because of (1) and (2).
We may think that being a startup founder is all about taking risks. But the best entrepreneurs do not take crazy risks. They identify and mitigate the biggest risks that could prevent them from achieving their objectives. And cybersecurity is a big risk, according to 2700 businesses surveyed by Allianz last year.
2: US NIST guidance on reducing the likelihood and impact of a ransomware attack
NIST (National Institute of Standards and Technology, part of the US Department of Commerce) is a valuable source of guidance on cybersecurity. The NIST Cyber Security Framework (NIST CSF) is a key reference for any large organisation seeking to align to an externally-recognised cybersecurity framework.
NIST recently published a “Profile for Ransomware Risk Management”, which focuses on the security defences that can help an organisation reduce the risk (i.e. likelihood and impact) of a ransomware attack.
Their recommendations include:
- Blocking access to malicious or suspicious websites
- Only allowing authorised applications to run on devices
- Limiting the use of privileged accounts (e.g. accounts that have administrator privileges)
- Keeping software patches and anti-virus up-to-date.
- Keeping personal devices away from company networks and personal apps away from company devices.
- And to reduce the impact of an attack, they repeat the 3 B’s stated in my guide to the basics of cybersecurity: Plan B (incident recovery planning); Backups; Buddies (internal and external contacts who can help when you get attacked).
Some of these may require additional technology but each could be a valuable defence. Get in touch if you want my recommendations on specific technology solutions, or if you have any recommendations yourself.
One critical recommendation not given the prominence that I think it deserves? Staff awareness training & testing. In many (most?) attacks, the initial entry point is a staff member being fooled by an email.
3: FBI warns cryptocurrency owners and exchanges of ongoing attacks
“According to the FBI, attackers are using several tactics to steal and launder cryptocurrency, including technical support fraud, SIM swapping (aka SIM hijacking), and taking control of their targets’ cryptocurrency exchange accounts via identity theft or account takeovers .. Cryptocurrency owners are also encouraged to enable multi-factor authentication (MFA) on all their cryptocurrency accounts, deny requests to download and use remote access applications, and always contact exchanges and payment companies via official phone numbers and email addresses.”
Where there’s money, there’s cybercrime. And even in the crypto world, multi-factor authentication (MFA) is a significant security defence.
On the subject of MFA: If you have the choice between a security code sent to your phone as an SMS text message, or one generated by an application on your phone, go with the application option. If a criminal can impersonate you when contacting your network provider, they can take over your phone number (by performing a ‘SIM swap’). They will then receive these SMS security codes to their mobile phone. In other words, if you rely on security codes sent to you as SMS text messages, your security depends on the staff working for your network provider.
> TWO STATISTICS <<<<<
1: $10 million
The U.S. Department of State’s Rewards for Justice (RFJ) program is offering a reward of up to $10 million for “information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure”. To put $10 million in perspective: This is the same amount offered by the RFJ program for information about all-except-one of their eight most wanted individuals in the world.
26% of people in a survey use the same password on their personal email account and their work email account. So, if they get fooled into revealing their personal email account password to a cyber attacker, the attacker could potentially gain immediate access to their work email account. Their employer may not notice as the criminal’s first attempted login will succeed. Two-factor authentication will mitigate this risk (as a password will not be sufficient to gain access). Staff training that educates staff about the dangers of using the same password on two important accounts will also help. Depending on the service you use for email, you may also be able to set up restrictions that make it harder for a cybercriminal to log in to an email account from an unusual location or from an unknown device, or set up alerts so you are at least made aware of the suspicious login.
>>>> ONE ACTION <<<<<
1: Passwords are like toothbrushes. Don’t share them.
For the 26% of people who use the same password across multiple accounts, all of these accounts could be compromised if this one password gets disclosed. In theory, you should never reuse a password – Every account should have a unique password. But at a minimum, focus on your most valuable accounts – Email, banking, and any accounts that provide access to a lot of data or could enable a bad guy to impersonate you. Password managers can help with this, and multi-factor authentication (MFA) can significantly mitigate the risks.