Security Management

<h3>December 2017 Legal Report</h3>
<p>https://sm.asisonline.org/Pages/December-2017-Legal-Report.aspx</p>
<h4>Judicial Decisions</h4>
<p><strong>FITNESS FOR DUTY.</strong> A nuclear power plant did not discriminate against a security guard when it fired him for failing a fitness-for-duty examination, because he was not able to perform the essential functions of his job, a U.S. court of appeals ruled.</p>
<p>Pennsylvania Power and Light (PPL) Susquehanna operates a nuclear power plant and is required to comply with regulations issued by the Nuclear Regulatory Commission (NRC).</p>
<p>One of those regulations is to implement a fitness-for-duty program to ensure that "individuals are not under the influence of any substance, legal or illegal, or mentally or physically impaired from any cause, which in any way adversely affects their ability to safely and competently perform their duties," according to court documents. "If an employee's fitness is 'questionable,' the employer 'shall take immediate action to prevent the individual from' continuing to perform his duties."</p>
<p>Another regulation PPL must comply with is maintaining an access authorization program to monitor employees who have access to sensitive areas of the plant. Before employees can be granted unrestricted access, they must undergo a psychological assessment to evaluate the "possible adverse impact of any noted psychological characteristics" on their "trustworthiness and reliability," court documents said.</p>
<p>After employees are granted unrestricted access, they are subject to constant monitoring as part of a behavioral observation program PPL must have to identify aberrant behaviors. If employees are reported for suspicious behavior, PPL must reassess them and terminate them if their "trustworthiness or reliability is questionable."</p>
<p>Daryle McNelis was hired as a PPL nuclear security officer in 2009. This role gave him unrestricted access to the plant and made him responsible for protecting its vital areas and preventing "radical sabotage." He was authorized to carry a firearm.</p>
<p>In April 2012, however, McNelis began experiencing personal and mental health problems. He became paranoid about surveillance, believing household items were listening devices, and told his wife he would kill the people following him. McNelis also had problems with alcohol, and coworkers began to suspect he was using recreational drugs—something he had previously admitted to, court documents said.</p>
<p>While this was going on, McNelis's wife moved out of their home with their children. At the same time, local police received an anonymous call warning that McNelis might attempt to come to his children's school to retrieve them, that he might be under the influence, and that he might be armed, causing the school to go into lockdown.</p>
<p>After the incident, McNelis went to a psychiatric facility for treatment, where an evaluation noted he suffered from "paranoid thoughts, sleeplessness, and questionable auditory hallucinations," court documents said. He spent three days there and was later discharged with instructions to discontinue or reduce his use of alcohol.</p>
<p>A coworker of McNelis who was aware of the situation became concerned and reported him to a supervisor. McNelis's unrestricted access was placed on hold, pending a medical clearance. He then met with a third-party psychologist, underwent testing as required by PPL policies and NRC regulations, and was found not fit for duty "pending receipt and review of a report from the facility where he receives an alcohol assessment and possibly treatment," according to court documents.</p>
<p>PPL then revoked McNelis's unescorted access authorization and fired him. McNelis filed an internal appeal, which was denied, and then filed suit against PPL, alleging discrimination under the Americans with Disabilities Act (ADA) on the basis of alcoholism, mental illness, and illegal drug use.</p>
<p>His case reached the U.S. Court of Appeals for the Third Circuit, which ruled in PPL's favor because McNelis could not perform the essential functions of his job—maintaining an unescorted security clearance—and so was not protected under the ADA.</p>
<p>"Although we are the first court of appeals to address the interplay between the ADA and these NRC regulations, our opinion is supported by a broad consensus among district courts that nuclear power plant employees who have lost security clearance or have been deemed not fit for duty are not qualified employees under the ADA," the court wrote. (McNelis v. Pennsylvania Power & Light Company, U.S. Court of Appeals for the Third Circuit, No. 16-3883, 2017)</p>
<h4>Regulations</h4>
<h5>United States</h5>
<p><strong>EQUIPMENT.</strong> U.S. President Donald Trump issued an executive order to restore a controversial program that allows local police departments to obtain military weapons and supplies.</p>
<p>The program, the U.S. Department of Defense's 1033 program, takes military-grade equipment that has already been purchased and repurposes it for use by local law enforcement. The program allowed police, sheriff, and tribal law enforcement departments to apply for equipment, including rifles, armored vehicles, and body armor, that could be used by their officers.</p>
<p>Former U.S. President Barack Obama curbed the use of the program in 2015 after criticism about police militarization and the response to protests following the shooting of Michael Brown by a police officer in Ferguson, Missouri. Obama issued an executive order to prohibit the 1033 program from being used to transfer grenade launchers, high-caliber rifles, and armored vehicles to local law enforcement.</p>
<p>Trump's executive order revokes Obama's actions in full and restores the program to its original status. U.S. Attorney General Jeff Sessions said in a speech to the National Fraternal Order of Police that he supported Trump's actions.</p>
<p>"The executive order the president will sign today will ensure that you can get the lifesaving gear that you need to do your job and send a strong message that we will not allow criminal activity, violence, and lawlessness to become the new normal," Sessions said on the day the order was signed. "And we will save taxpayer money in the meantime."</p>
<p><strong>SOFTWARE.</strong> Acting U.S. Secretary of Homeland Security Elaine Duke issued a binding operational directive requiring the U.S. government to discontinue use of Kaspersky Lab products.</p>
<p>The directive called on departments and agencies to identify any Kaspersky products on their information systems within 30 days, develop plans to remove and discontinue using those products within 60 days, and then, unless directed otherwise, implement those plans by discontinuing use of the products and removing them from their systems.</p>
<p>"This action is based on the information security risks presented by the use of Kaspersky products on federal information systems," the U.S. Department of Homeland Security (DHS) said in a statement. "Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems."</p>
<p>DHS said it was especially concerned about ties between Kaspersky executives and Russian intelligence and government agencies. The department also expressed concern, in the statement, about Russian intelligence agencies' ability to request or compel assistance from Kaspersky to intercept communications transiting Russian networks.</p>
<p>"The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security," DHS said.</p>
<p>This is only the fourth binding operational directive DHS has issued, and the first issued publicly.</p>
<h4>Legislation</h4>
<h5>United States</h5>
<p><strong>EMERGENCY AID.</strong> U.S. President Donald Trump signed legislation into law to grant additional aid to victims of Hurricanes Irma and Jose returning to the United States from abroad.</p>
<p>The law (P.L. 115-57) amends the Social Security Act to increase the amount available for temporary assistance from $1 million to $25 million; that assistance includes money payments, temporary lodging, transportation, and other goods and services necessary for the health and welfare of U.S. citizens and their dependents returning from a foreign country without available resources.</p>
<p>U.S. Representative Dave Reichert (R-WA) sponsored the legislation, which was passed by both chambers of Congress and signed into law within a three-day period.</p>
<p>"Hurricane season has left countless Americans stranded and in need of medical care or other assistance," Reichert said in a statement. "This includes American individuals and families living outside our borders who are struggling to rebuild after the destruction of Hurricane Irma and are preparing for the potential impact of Hurricane Jose."</p>
<p><strong>CALIFORNIA.</strong> California legislators failed to pass legislation that would have restored broadband privacy rules issued by the Obama administration and discontinued under the Trump administration.</p>
<p>The California Broadband Privacy Act (A.B. 375) mirrored the Federal Communications Commission (FCC) broadband privacy rule and would have prohibited Internet service providers from reselling or using consumer data without consumer consent. The bill would also have prohibited providers from charging consumers more for service if they chose not to provide private information.</p>
<p>Assemblyman Ed Chau introduced the measure, which was shelved in the state Senate following opposition from tech firms, including Google.</p>
<h4>Elsewhere in the Courts</h4>
<p><strong>Software.</strong> Lenovo agreed to implement a comprehensive software security program for its laptops for the next 20 years to settle charges brought by the Federal Trade Commission (FTC) and 32 U.S. state attorneys general. They alleged that, to deliver advertising, Lenovo preloaded software on laptops that compromised security protections without notifying consumers. Under the settlement, Lenovo is prohibited from misrepresenting any software features on its laptops, is subject to third-party audits, and must get consumers' affirmative consent before preinstalling a similar type of software. (In the Matter of Lenovo, FTC, No. 152 3134, 2017)</p>
<p><strong>Monitoring.</strong> A company violated an employee's right to privacy when it fired him after monitoring and accessing his electronic communications, the European Court of Human Rights ruled. The court found that the employer violated the former employee's rights because it did not give him prior notice that his communications might be monitored—or of the degree to which they could be monitored—while at work. The court also found that the Romanian authorities, to whom the employee appealed, "failed to strike a fair balance between the interests at stake," according to a press release. (Barbulescu v. Romania, European Court of Human Rights Grand Chamber, No. 61496/08, 2017)</p>
<p><strong>Data Breach.</strong> Yahoo! must face litigation brought on behalf of more than 1 billion users who claim their personal information was compromised in three data breaches between 2013 and 2016. In her ruling, U.S. District Judge Lucy Koh wrote that the plaintiffs had standing to sue under breach of contract and unfair competition claims. "All plaintiffs have alleged a risk of future identity theft, in addition to loss of value of their personal identification information," Koh wrote. (In Re: Yahoo Inc. Customer Data Security Breach Litigation, U.S. District Court for the Northern District of California, No. 16-md-02752, 2017)</p>
<h3>Call for Help</h3>
<p>https://sm.asisonline.org/Pages/Call-for-Help.aspx</p>
<p>With more than 420,000 annual visits from patients from four states, Seattle Children's Hospital serves the largest region of any children's hospital in the United States.</p>
<p>The organization, made up of a research arm, a foundation, and the hospital, strives to provide robust security while making its stakeholders feel welcome and cared for.</p>
<p>"As a security team, our goal is really to ensure the mission of our hospital, which is to treat patients and find cures for diseases," says Dylan Hayes, CPP, manager of the physical security program at Seattle Children's. "We do that by interfacing with our families and our patients…we're a customer-service oriented team."</p>
<p>A security officer staffs the emergency department around the clock, and officers also operate a security operations center for the entire hospital that is open from 6:00 a.m. to 10:00 p.m.</p>
<p>Visitor management is important to Seattle Children's, and the security team screens everyone who walks through the door to ensure that they have a purpose for their visit. Visitor identification is processed by a database that checks for sexual offenses and other criminal records.</p>
<p>"We have security teams at five different entrances during the day that greet people as they come in, find out where they are going, give them directions, and make sure that they are badged to do so," Hayes says. In addition to the daily pass, family members and loved ones who make frequent patient visits are given weekly passes.</p>
<p>Seattle Children's trains its employees on active shooter protocols and has lockdown procedures in place in the event of an emergency.</p>
<p>"Our entrances are actually equipped to scan a badge that will lock that specific entrance, or a different badge can lock down all the entrances at the hospital," he says. "We're using a lot of security technologies these days to improve our business operations."</p>
<p>One of those technologies is a call tower intercom model from Vingtor-Stentofon by Zenitel, which allows anyone in distress to contact the hospital's security desk with the push of a button. In addition to contacting the security desk via a speakerphone, pressing the button activates a flashing light on the top of the tower.</p>
<p>The hospital uses call tower boxes from Talkaphone and Code Blue, which used to work over a standard telephone line. The Zenitel system works over an IP network and integrates with the organization's access control system, OnGuard by Lenel.</p>
<p>Seattle Children's originally installed the towers in 2012, and it upgraded to a newer model of the intercom technology, called Turbine Intercoms, in May 2017. There are approximately 55 towers located around the hospital grounds, mainly situated in parking lots and other outside public areas.</p>
<p>"We've upgraded about a third of our phones and we're in the process of upgrading the rest of them," Hayes says, noting that the Turbine model provides a clearer connection from the tower to the emergency operator. "With the older equipment the clarity is not there—you can't make out what's going on," he says. "The Turbine stations really allow for clear communication when you're in critical situations."</p>
<p>As far as incident types, "anything goes with these towers," Hayes says. When security receives a call, it assesses the situation and decides how to respond, usually either deploying a security officer or contacting law enforcement. Hayes adds that it is rare that police have to get involved.</p>
<p>"People report their cars have been damaged, or we've had reports of fires in the garage," he says. "There are so many great uses of those towers, it's just open-ended."</p>
<p>The integration with Lenel allows any cameras in the area to pan, tilt, and zoom toward the call tower's location, allowing security to view the scene live via monitors. Lenel also displays a map in the alarm monitoring screen that shows which tower was activated and where the incident occurred.</p>
<p>Hayes says he welcomes the opportunity to improve business operations via security technology, and he was delighted when the hospital's emergency department wanted to collaborate with security by responding to any medical incidents reported from the call towers.</p>
<p>"If somebody pushes one of those buttons, our plan is to send out a security person with a respiratory therapist and an emergency department nurse if they need medical care," Hayes says.</p>
<p>Recently, for example, a woman fell down a flight of stairs and was injured. "The emergency call station was activated and a hospital response team, including security, responded," Hayes explains. Security brought a wheelchair and assisted the woman to the emergency room for follow-up care.</p>
<p>"When our emergency operations team comes to us and says, 'We want to use your technology to better serve our people,' that's a great thing to hear," he notes. "We do have an expectation to provide care because we are a hospital."</p>
<p>Another benefit of the Vingtor-Stentofon network is the ability to push prerecorded audio messages over the security team's two-way radios, alerting officers to alarms such as panic buttons or door-forced-open alerts.</p>
<p>"When we're out in the field, we don't have that ability to do extensive alarm monitoring, and we didn't have a way to quickly get a message to our security team in an automated fashion," he says. "So, we set up Stentofon to be configured with our Motorola MOTOTRBO radio system."</p>
<p>Because alarm locations are preset in Lenel, the prerecorded message that goes out indicates the type of alert and where it occurred. The responding officer then alerts the rest of the team that the situation is being handled.</p>
<p>"We could have alerts go to a pager, but then there's a two-minute delay," he says. "If we have it go to the radio, then it's instantaneous."</p>
<p>Hayes adds that the many uses of the call towers, along with the radio and alarm integration, have all helped improve the security team's ability to respond to incidents rapidly and effectively.</p>
<p>"Having that crystal-clear communication is so important to be able to deploy the right emergency response team," he says.</p>
<p>For more information: Kelly Lake, EndingBadAudio@Zenitel.com, https://www.zenitel.com, 800.654.3140</p>
<h3>Leading While Female</h3>
<p>https://sm.asisonline.org/Pages/Leading-While-Female.aspx</p>
<p>Team leaders are usually managers and occupy a position of leadership in their respective companies. But even though women have made significant gains in obtaining leadership positions in the U.S. workforce, a gender imbalance remains: women represent only 4.8 percent of CEOs in Fortune 500 companies. Women have faced challenges in this area that men generally have not.</p>
<p>In the field of corporate security—traditionally a male-oriented industry—women have made some progress in advancing to leadership levels. Still, there are considerably more men than women in the field of security, and fewer female role models or mentors. This is disconcerting for women when they look to other successful women for support, guidance, and sponsorship in advancing their careers.</p>
<p>A study I conducted for my doctorate in organizational leadership management at the University of Phoenix explored this issue. The study's intent was to identify themes in the stories of women leaders in the corporate security field, to better understand the factors that compelled them to enter the field, and the challenges, obstacles, opportunities, and enablers they encountered in reaching the ranks of leadership. The sample included 16 female corporate security leaders who had attained positions of leadership in the field of corporate security. The women were selected from a cross-section of industries so we could draw on different areas of business for insights.</p>
<h4>STUDY RESULTS</h4>
<p>In the study, four major themes emerged from participants' descriptions of their experiences as security leaders: opportunities to succeed, gender diversity as a differentiator, breaking through in a male-oriented industry, and the importance of relationships and mentorships.</p>
<p><strong>Opportunity to succeed.</strong> The most overarching theme to emerge was that, when given an opportunity and pursuing it, women were able to demonstrate their value and worth to their organizations.</p>
<p>Some participants pursued security as a natural progression from law enforcement or the military; others entered the field right after college. Once in the field, opportunities to try new roles, to do more by learning new skills, to step out of a comfort zone, or to take on a new project in a familiar role helped these women expand their knowledge, experience base, and leadership skills.</p>
<p>In many circumstances, these women took on opportunities when they were not sure they could succeed at them. They recognized that their performance was not going to be perfect, but that they would learn. They learned to be curious, ask questions, listen more, and speak less.</p>
<p><strong>Gender diversity.</strong> Although these women felt a disconnect at times from their male counterparts, being a woman in a male-oriented field was a differentiating factor in their role and sometimes helped them be successful.</p>
<p>For example, women were able to bring to bear skills and talents that were different from those of their male counterparts, which demonstrated the benefits of gender diversity in the security field as well as in organizations. One participant said: "I feel that women can be efficient in investigations and people matters. Women are good conversationalists and developers of relationships and descend into all aspects of the job. These skills are highly valued by our leadership."</p>
<p>From another: "We deliver messages differently and passionately. By nature, we are very good listeners and come with solutions to fixing problems."</p>
<p><strong>A male-oriented industry.</strong> Female security professionals' feelings of belonging influenced decisions that were made throughout their journey. Study participants felt that they had to consistently demonstrate their skills and talents to continually prove themselves and fit in, in a way that was different from their male counterparts. Still, each one of the participants expressed a high level of satisfaction with a rewarding career in the security industry. None of the participants felt that the challenges were so great that they would have to give up; instead, they felt empowered to do more.</p>
<p><strong>Relationships and mentorships.</strong> All participants expressed the importance of relationships and mentorships, experiences that gave them a major boost in pursuing their security careers. Identifying the right mentors was absolutely influential in shaping their security careers. An interesting finding was that almost all participants had male mentors who were advocates of career growth for women in security.</p>
<h4>RECOMMENDATIONS</h4>
<p>The following recommendations are organized around the four emergent themes of the findings. For many of these recommendations, the ideal time for implementation is when young women leave academia to pursue a career opportunity in either public or private security. The path for growth for these young people should be better outlined to address organizational culture, inclusion, career development, and perceptions of equity surrounding issues of pay.</p>
<p><strong>Leadership programs.</strong> Organizations should institute a leadership development program that sets out succession planning goals and career paths for young professionals. Additionally, they should align young professionals with a coach and mentor. Young women who will be the future leaders in these fields will need a better system for identifying role models and advocates.</p>
<p><strong>Dedication to diversity.</strong> Organizations usually reap strategic and financial benefits from gender-balanced leadership. Given this, organizations should cultivate women right out of college and continue to do so throughout their careers. Management must recognize the importance of including women and minorities in key leadership positions and maintaining a diverse leadership slate of qualified candidates.</p>
<p><strong>Retention strategies.</strong> Organizations should build a retention strategy into their recruitment process that includes identifying key talent, including female employees, early in their careers and then following them through their career progression. Organizations should consider that promoting a woman to a key leadership role sends a message to the rest of the firm and to the security industry at large that women can fill roles that were once predominantly filled by men.</p>
<p><strong>Mentoring programs.</strong> Organizations should adopt a mentoring program to create an environment in which new talent can navigate a large organization. At the very least, each new employee should be assigned a relationship partner upon joining the firm, and that person can help the employee find her way during the first year or two of starting a new role.</p>
<p>Female leaders should never give up, no matter their perceptions of the odds. This was confirmed by the recurring stories about the challenges and opportunities that helped to shape these women who became leaders in the security field. And leaders interested in furthering their careers should invest in developing others. It is through the act of giving back that the true learning of leadership takes place.</p>
<p><em>Rose Littlejohn is managing director of business services at PricewaterhouseCoopers.</em></p>
<h3>A New Social World</h3>
<p>https://sm.asisonline.org/Pages/A-New-Social-World.aspx</p>
<p>While a senior executive was on a business trip to Europe, someone took intimate photographs of the businessman and posted them on Twitter and Reddit. In the photos, the married executive is not clothed, and he is not alone.</p>
<p>Within hours, the tweets started. They included the company's name. The executive reached out to the security department for help, because the company's new quarterly earnings were set to be announced within days. There was also a merger under discussion. Who does security call first—IT or legal?</p>
<p>Fortunately, that case never came out in the news because the security team kept it under wraps internally and had the Twitter posts removed.</p>
<p>But the potential crisis raises several questions: What legal responsibility did the organization have to the employee, if any? What rights did the employee have? Were any of these spelled out in a company social media policy?</p>
<p>The adoption phase of social media is over. Now the scary part is beginning—the rapid development of new innovations in social media to keep users engaged. Social media is a communications tool of convenience. This makes it potentially detrimental to companies.</p>
<p>In 2016, public consumers were nearly twice as likely to recall a company's social media campaign as to recall a print advertisement. That's good news for social media, but bad news for any organization experiencing a crisis there.</p>
<p>Lululemon and the NFL are just two organizations that had to invest significant resources to manage social media-fueled scandals in recent years.</p>
<p>After Lululemon company founder Chip Wilson told Bloomberg TV that "some women's bodies just actually don't work" with Lululemon pants, social media outrage from customers led him to step down.</p>
<p>To protest the way NFL Commissioner Roger Goodell handled former running back Ray Rice's domestic abuse scandal, an activist group hired an airplane to fly a banner over the stadium with the hashtag "#GoodellMustGo" printed on it. The hashtag was widely shared on social media, and more than 50,000 people signed an online petition demanding that the NFL change its policies—which it later did.</p>
<p>Workplace sexual harassment accusations are increasingly being made on blogs and other digital publishing platforms, then amplified on Facebook, Twitter, and Snapchat. A blog post and an iPhone video recently sparked such a massive crisis at Uber that its biggest investors insisted that Uber's cofounder and CEO Travis Kalanick resign, which he did.</p>
<p>"Social media is a part of everyone's life, and while using social media, the line between one's personal and work activities can sometimes be blurred," says Nancy L. Gunzenhauser, an associate in the employment, labor, and workforce management practice in the New York office of Epstein Becker & Green. "Social media allows employees to network, support their employer's recruiting, and build a company brand.</p>
<p>"A strong social media policy will set parameters to help employees use social media effectively while protecting the company's confidential information and the reputation of its products and services."</p>
<p>Accessibility to social media at work may lead to various forms of workplace misconduct, says Scott L. Vernick, a partner at Fox Rothschild LLP who specializes in technology. For instance, employees could use social media to violate privacy laws (such as the U.S. Computer Fraud and Abuse Act), disclose trade secrets, open the company to Title VII exposure, violate labor laws, authorize deceptive endorsements, or violate workplace policies.</p>
<p>To reduce the risk of employer liability, Vernick recommends that organizations create clear employee guidelines and policies that set forth the parameters of proper social media use.</p>
<p>For instance, employers should consider whether employees should be allowed to use social media at all, and if so, when. If employees are allowed to use social media at work, employers should consider what limitations to impose on posts.</p>
<p>"An effective social media policy will be updated regularly, enforced uniformly, and will clearly state what is expected of employees and what the consequences will be for any violation of that policy," says Christine Rafin, a partner in the law firm of Kent, Beatty & Gordon, LLP, who specializes in technology-related legal issues.</p>
<p>Additionally, employers should define what conduct is prohibited on social media—such as offensive, demeaning, defamatory, discriminatory, harassing, abusive, inappropriate, or illegal remarks, as well as personal gripes.</p>
<p>And employers should create limitations on the use of company names in postings or identities, such as limiting the use and mention of competitors, employees, or clients in postings, as well as prohibiting the unauthorized dissemination of company material.</p>
<p>For example, adidas has a two-page social media policy for employees that includes a variety of requirements.</p>
<p>"Do not comment on work-related legal matters unless you are an official spokesperson, and have the legal approval by the adidas Group or its brands to do so," the policy says. "In addition, talking about revenues, future products, pricing decisions, unannounced financial results, or similar matters will get you, the company, or both, into serious trouble. Stay away from discussing financial topics and predictions of future performance at all costs."</p>
<p>Employers should be clear that violations of prohibited conduct will result in disciplinary action. However, employers must avoid prohibiting protected activity under the U.S. National Labor Relations Act, which allows employees to post or engage in conversations on social media about wages and working conditions.</p>
<p>"Employers should be careful not to craft their policies in a way that may be seen as attempting to chill employee speech entirely," Rafin says. "Policies that prohibit employees from posting statements online that may be harmful to the company's reputation have been held to be overbroad and unlawful by the National Labor Relations Board."</p>
<p>Employers should also be clear that employees have no expectation of privacy in their use of social media or in communications prepared on a company computer, even if those communications are deleted. Employers should also have a program in place to monitor employee use of social media.</p>
<p>"This is not always an easy or inexpensive task, however," Rafin says. "It may impact employee morale and lead some employees to find creative ways to get around the monitoring, including by setting up dummy profiles and enhancing the privacy settings on their posts."</p>
<p>Employers should be mindful, Rafin adds, that several U.S.</p>
states have enacted laws that prohibit employers from requesting employees' usernames and passwords to their personal social media accounts, or requiring employees to log in to those accounts in the employer's presence.</p><p>"Of course, exceptions may apply in certain situations—such as when the employer has reason to believe that the employee violated the law," Rafin says.</p><p>Employees who blog should also be reminded that they need to comply with the terms of use for their sites and refrain from exercising their personal opinions in a way that can be construed to be the company's opinion.</p><p>Whether employees are the cause, source, or target of such issues, understanding and amplifying your organization's social media policy is as essential as having both IT and legal on speed dial.</p><p><em>Don Aviv, CPP, PCI, PSP, is president of global corporate intelligence and security consulting firm Interfor International and vice-chair of the ASIS Security Services Council. Shannon Wilkinson is CEO of online reputation management firm Reputation Communications and a contributor to </em>The Wall Street Journal'<em>s "Crisis of the Week" column. She is an expert presenter on reputation management in The Hetty Group's Coptics: The Optics of Policing in the Digital Age initiative and a member of the ASIS Women in Security Council.</em></p>
An Identity Crisis (Cybersecurity): https://sm.asisonline.org/Pages/An-Identity-Crisis.aspx

<p>It was "A Case of Identity." Mary Sutherland's fiancé, Mr. Hosmer Angel, had disappeared on what was to be their wedding day, and she needed Sherlock Holmes's help to find him.</p>
<p>Angel, however, was a bit of a mystery. Sutherland knew very little about him, just that he worked in an office on Leadenhall Street and sent her letters that were typewritten via a post office box. He also only visited Sutherland in person when her stepfather, James Windibank, was out of town.</p>
<p>Through logical reasoning, and some minor investigatory work, Holmes deduced that Angel was not who he claimed to be. Based on in-person observations in the physical world, Holmes deduced that Angel was Windibank in disguise, and could not marry Sutherland.</p>
<p>The same circumstances surrounded the verification of an individual's identity for most of the 20th century. Most transactions, legal actions, and meetings occurred in the physical world. People saw those they were doing business with, looked at physical copies of their driver's license or passport, and used that to verify their identity.</p>
<p>They could also use an individual's Social Security number—the most common numbering system in the United States—to help ensure that the person was the person they claimed to be, based on all the information associated with that specific number.</p>
<p>And to steal sensitive data that could verify identity in the physical world from millions of people would have required a network of people willing to break into businesses that store that information. Their odds of getting caught would have been high.</p>
<p>But in today's digital world, it's much simpler to carry out a major heist of sensitive information. And the building blocks that are used to create an identity online and verify it are regularly being compromised, making it more difficult than ever before to prove who anyone is online.</p>
<p>The latest example of this is the mega data breach of credit reporting agency Equifax, in which hackers accessed and stole data on 145.5 million people—mostly U.S. citizens, but also individuals from Canada and the United Kingdom.</p>
<p>Along with names and telephone numbers, the hackers gained access to Social Security numbers and the extensive information the agency collects on individuals and uses to verify their identities, such as previous residences, relationship and employment history, and financial histories.</p>
<p>This information is often used to compile a credit report, which can be shared with employers, leasing institutions, and others, to verify an individual's identity as part of a screening process.</p>
<p>"The Equifax hack is highly disturbing not only because of its massive scope, but also because of the specific type of personal data that was stolen," wrote U.S. Representative Ted Lieu (D-CA) in an op-ed for Slate. "Credit reporting agencies are supposed to be one of our lines of defense in data security and privacy protection—and Equifax failed in its core mission."</p>
<p>No one has claimed responsibility for the Equifax breach, and experts expect an increase in fraud using the information that was stolen, especially during the upcoming holiday season.</p>
<p>"We're going to see an uptick in fraud, synthetic IDs, and accounts being compromised—busting out credit cards, taking fraudulent loans across multiple channels of products," according to James Heinzman, senior vice president of financial services solutions for ThetaRay.</p>
<p>In addition to fraudsters, nation-state actors are also likely to acquire the information compromised in the Equifax breach, says Rick Holland, vice president of strategy at cybersecurity firm Digital Shadows.</p>
<p>China, for instance, would find the data very valuable combined with what it allegedly stole in the U.S. Office of Personnel Management (OPM) breach, Holland explains, because it would allow China to create a broader data set on individuals it might already be targeting.</p>
<p>"You could see [China] leveraging and purchasing this sort of data for types of activity that it would conduct, such as social engineering," Holland says. "I would expect nation-states across the board to try to acquire this data, as well as the defenders. I wouldn't be surprised to see the U.S. government try to acquire this data to understand the implications of it from a counterintelligence perspective."</p>
<p>Those implications could be widespread because the information compromised in the Equifax breach is not ephemeral—Social Security numbers and personal histories do not change—creating a serious problem with how identity is constructed and verified online.</p>
<p>Because of this, Lee Munson, a security researcher and blogger with Comparitech and senior associate, information security training and awareness at Re:Sources UK, says he now thinks there is no way for a victim of identity theft to 100 percent prove they are who they are over the Internet.</p>
<p>"The ironic thing for me is that one of the first bits of advice you give to identity theft victims is to go get copies of their credit report from people like Equifax," Munson says. "Now you've got to ask, 'Can you trust them?'"</p>
<p>Victims have "the option of sending emails, copying documents and sending copies of their Social Security numbers and passports, but those could easily be faked," he explains. Victims can also go to their local police department to get documents saying they're a victim of identity theft, but this places the onus on victims to prove their identity after it's already been stolen.</p>
<p>Instead, organizations might need to rethink what kind of data they collect on people to uniquely identify them and consider no longer using Social Security numbers as identifiers. Almost every legal U.S. resident has one issued on a card from the Social Security Administration that is then shared with financial institutions, employers, healthcare providers, and more to connect the resident's documents with that number.</p>
<p>"Which in retrospect seems like the worst idea ever," says Lance Cottrell, chief scientist of Ntrepid. "Here's this piece of paper. It's got a number printed on it. You're going to give it to everyone, and yet, keeping it secret is the key to security. It's an inherently paradoxical approach to things."</p>
<p>Instead of using Social Security numbers and other static information, Cottrell says he thinks we'll begin to see a push for greater use of biometrics to identify individuals. Prior to the Equifax breach, Apple debuted new facial recognition technology that iPhone users will soon be able to take advantage of to unlock their devices.</p>
<p>"Things like the iPhone are showing how a lot of this is going to move," Cottrell says. "The biometrics and the secure enclaves in these locked down physical devices are allowing for authentication."</p>
<p>Biometrics are not a silver-bullet solution, however. Apple has announced that its facial recognition technology is only 98 percent accurate.</p>
<p>"That means one in 50 people in the population could unlock your phone," Munson says. "And previous facial recognition systems that are more mature have been tricked by high-resolution digital photographs. Even though it's theoretically sound, in practice it may still not prove that the person on the other end of that device is who they say they are."</p>
<p>Despite a possible increase in the use of biometrics, however, Cottrell says that the United States is not ready for what some call smart IDs—a form of identification card that contains biometric data, such as a DNA sample, to identify the carrier.</p>
<p>He also thinks it's likely that for some interactions with government agencies or businesses online, there will be a renewed emphasis on using notaries. For instance, to interact with a business online a person would physically have to go to a notary, show ID, and get a document notarized that will then be sent to the business to verify the individual's identity.</p>
<p>"Not that you can't fake physical documents, but it doesn't scale," Cottrell says. "It's a lot more work. It needs to be done in person in the United States. And one of the characteristics of Internet-based attacks is that they can be launched outside your jurisdiction at scale."</p>
<p>And focusing on scale is what's important because limiting the number of people that can be compromised per attack helps keep fraud at a manageable rate so it can be identified and mitigated, much like the Sherlock Holmes case.</p>
<p>"The goal doesn't need to be eliminating fraud and eliminating these kinds of crimes; it's making sure that the fraud rates are manageable," he explains. "I think, unfortunately, the Equifax breach may be pivoting things towards fraud and attacks that can be launched at scale, and that's a problem."</p>
Held Hostage (Cybersecurity): https://sm.asisonline.org/Pages/Held-Hostage-.aspx

<p>Most ransomware demands lean towards the lower end of the scale to encourage victims to pay. But that was not the case when cyber criminals targeted South Korean Web-hosting company Nayana and demanded an initial ransom payment of roughly $4.4 million.</p>
<p>The attackers had leveraged a variant of Erebus ransomware that exploits a flaw in the Linux operating system, which Nayana used, according to a blog post by security firm Trend Micro. After assessing the ransomware, Nayana was able to negotiate with the attackers to lower the ransom to decrypt its files to approximately $1 million—still an astronomical amount in the world of ransomware payments.</p>
<p>"It was a huge sum of money; you normally get $200 to $2,000 per machine being asked for," says Michael Marriott, a research analyst at Digital Shadows. "The chief actor really targeted its approach to this organization."</p>
<p>And this is a trend that organizations can expect moving forward as ransomware continues to be the most prevalent form of malware spreading across the globe—because people continue to pay ransoms.</p>
<p>Organizations make their own decisions based on what makes sense for them, Marriott explains. "In the Nayana case, it really makes you think, if threat actors see that, they're going to be quite spurred on to target specific organizations."</p>
<p>Ransomware, sometimes called cryptoware, is the process of encrypting a user's files and then demanding payment to decrypt them. It is not new to the scene and gained widespread awareness following a string of highly visible campaigns in early 2017 with the WannaCry and NotPetya ransomware attacks.</p>
<p>In fact, EUROPOL considers ransomware to be the "most prominent malware threat," surpassing data stealing malware and banking Trojans, according to its 2016 Internet Organised Crime Threat Assessment.</p>
<p>"Whereas each variant has its own unique properties, many are adopting similar anonymization strategies, such as using Tor or I2P for communication, and business models offering free test file decryptions to demonstrate their intentions," the assessment said. "While most traditional and 'commercially available' data stealing malware targets desktop Windows users, there are many more applicable targets for ransomware, from individual users' devices, to networks within industry, healthcare, or even government."</p>
<h4>Ransomware Basics</h4>
<p>On an average day in 2016, more than 4,000 ransomware attacks occurred—a 300 percent increase over the approximately 1,000 attacks per day in 2015, according to a U.S. government interagency report issued early in 2017.</p>
<p>The report, Protecting Your Networks from Ransomware, was crafted by several government agencies—including the U.S. National Security Agency (NSA), the U.S. Department of Homeland Security (DHS), the FBI, and the CIA—to inform CIOs and CISOs at critical infrastructure entities about ransomware and how to best respond to it.</p>
<p>"Since 2012 when...ransomware variants first emerged, ransomware variants have become more sophisticated and destructive," the interagency report said. "Some variants encrypt not just the files on the infected device, but also the contents of shared or networked drives, externally attached storage media devices, and cloud storage services that are mapped to infected computers."</p>
<p>Ransomware authors also continue to improve ransomware by using Tor—a free software for anonymous communication—and Bitcoin to collect ransom payments. In March when the report was released, the top five ransomware variants targeting U.S. companies and individuals were CryptoWall, CTB-Locker, TeslaCrypt, MSIL/Samas, and Locky.</p>
<p>CryptoWall, for instance, was the first ransomware that accepted ransom payments only in Bitcoin, with ransoms ranging from $200 to $10,000.</p>
<p>"Following the takedown of the CryptoLocker botnet, CryptoWall has become the most successful ransomware variant with victims all over the world," the report said. "Between April 2014 and June 2015, [the Internet Computer Crime Center] received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million."</p>
<p>While these were the top ransomware variants at the time the report was compiled, new variants are being created on a regular basis.</p>
<p>One of those is the WannaCry ransomware, which spread across the globe by leveraging a vulnerability allegedly discovered and used by the NSA to infiltrate targets. The vulnerability, called EternalBlue, exploited a component within Microsoft Windows, says Eldon Sprickerhoff, founder and chief security strategist at cybersecurity firm eSentire.</p>
<p>A group of hackers, dubbed the Shadow Brokers, claimed that it stole EternalBlue from the NSA and leaked it online in the spring of 2017. In response, Sprickerhoff says Microsoft issued a "megapatch to close up the hole."</p>
<p>But not everyone who should have patched did, and in May 2017 hackers exploited that vulnerability on unpatched systems to spread WannaCry ransomware across the globe to infect approximately 200,000 computers.</p>
<p>"I call it Amazonian evolution," Sprickerhoff says. "There's nothing that is propagating and evolving as quickly as the ransomware category. There's no chance this will stop. We're seeing, I think, the biggest threat from a malware perspective."</p>
<p>While ransomware is a threat to all businesses, it hits small and medium-sized businesses especially hard. In its second annual survey, cybersecurity firm Malwarebytes Labs surveyed 1,054 small to medium-sized businesses in Australia, France, Germany, Singapore, the United Kingdom, and the United States about their experiences with ransomware.</p>
<p>"Among small to mid-sized organizations that have experienced a successful infiltration of the corporate network by ransomware, 22 percent reported that they had to cease business operations immediately, and 15 percent lost revenue," the survey said. "In a similar study conducted last year among businesses of all sizes, only 19 percent of enterprises had to cease operations immediately."</p>
<p>It's not the ransom, however, that is so devastating for smaller organizations—it's the downtime. Malwarebytes found that most ransoms were $1,000 or less, but that "for roughly one in six impacted organizations, a ransomware infection caused 25 or more hours of downtime, with some organizations reporting that it caused systems to be down for more than 100 hours," the survey explained. Nine percent of those surveyed reported only up to one hour of downtime.</p>
<p>Adam Kujawa, director of malware intelligence for Malwarebytes, says that ceasing their operations has a major impact on small to medium-sized businesses, and that downtime can make recovering from a ransomware attack more expensive for them.</p>
<p>"Larger enterprises should have some kind of redundancy, so downtime isn't a huge factor," he explains. "But when you think about big organizations that deal with millions of customers, they plan for things like power outages, natural disasters; they should have something in place to make sure their operations don't completely shut down because there's bad weather in the area."</p>
<p>But many smaller businesses don't have the resources—financial or staff—to put such contingency plans in place. Small to medium-sized businesses "don't have the resources to protect themselves as well as large organizations do, or to recover from an attack," Kujawa adds.</p>
<p>"A small business that deals with health records or financial information could not only lose face with customers but could also end up dealing with government penalties for allowing their data to be stolen, as the result of a ransomware attack."</p>
<h4>The Hackers</h4>
<p>Ransomware was first used in 1989. In 2016 Symantec detected a 36 percent increase from 2015 in ransomware infections with the number of new ransomware families uncovered more than tripling to 101, according to its Internet Security Threat Report.</p>
<p>"Attackers are demanding more and more from victims with the average ransom demand in 2016 rising to $1,077, up from $249 a year earlier," the report said. "Attackers have honed a business model that usually involves malware hidden in innocuous emails, unbreakable encryption, and anonymous ransom payment involving cryptocurrencies. The success of this business model has seen a growing number of attackers jump on the bandwagon."</p>
<p>However, that doesn't mean that all attackers are created equal, Marriott says.</p>
<p>"A lot of it comes down to people's level of skill," he explains. Open source ransomware is widely available and doesn't cost anything "and you might see people releasing a variant based off that and they've tweaked a few things, but it's largely based on stuff that's already out there so it's not massively innovative."</p>
<p>Then you have the attackers who use the ransomware-as-a-service model. These attackers can't create their own infrastructure to support the ransomware and collect ransom payments.</p>
<p>"It's not quite as simple as getting ransomware into a computer and then you make money," Marriott says. Instead, attackers need to have the ransomware, somewhere to host their payment site that's resilient to attacks, and a way to cash out the money after a ransom is paid.</p>
<p>Attackers using ransomware as a service pay someone else to set this infrastructure up for them, to make it a more affordable criminal enterprise. And the service models have drastically improved over the past few years to make them more attractive and easier to use.</p>
<p>"You've got pre-filled fields, so you can say, 'I want this message. I want to charge this amount of money,' and the more advanced ransomware as a service will even let you specify where you want to send it," Marriott says. "You can see which targets you've hit, your successes, and your payouts all in one savvy dashboard, with customer support."</p>
<p>The elite ransomware attackers, such as those behind the Serba or Spora ransomware variants, have their own infrastructure. These attackers operate their own campaigns and sell their versions of ransomware as a service to other attackers.</p>
<p>"It's not just your traditional ransomware," Marriott says. "You're also making it available as ransomware as a service, and you've got a nice user interface, customer support. It's very appealing to people because it's all in one place, and it's backed by a team that is constantly developing and improving the variants to get ahead of the people who are creating decryption keys."</p>
<p>These attackers are also agile at incorporating new exploits as they are released to target new victims and generate more revenue.</p>
<p>"What makes a really good ransomware variant is how quickly you have ways to deploy it," Marriott explains. "If you can have it all in one, not only will it be a type of encryption that's very hard to break but you've got a large array of people to send spam emails to, exploit kits you can use to get into networks, and all those things will make it a more successful variant."</p>
<h4>Motivations</h4>
<p>Cyber criminals who use ransomware can turn a profit, which is a major incentive to use the malware on targets. Some hackers are also using ransomware as another method to monetize data that's being breached for a separate purpose.</p>
<p>One example of this was a banking Trojan called GameoverZeus. Its primary purpose was to find financial information on a victim's computer to gain access to his or her bank accounts. If the Trojan didn't find that information, however, it would install CryptoLocker to encrypt the victim's computer files and then demand a ransom for them.</p>
<p>The hackers took the approach of "can I make money this way? If not, let's just encrypt stuff and see what happens, we can maybe get a bit of money out of it," Marriott explains. "Criminals want to make money from data, and it's not necessarily siloed into one tactic. They'll take different tactics to monetize that data."</p>
<p>There are also cyber criminals who aren't interested in making money, but in sowing disruption. For instance, RamScam and Hitler-Ransomware just encrypt files and then delete them.</p>
<p>"They're basically encrypting people's files just for the fun of it," Marriott says. "They didn't want any money. They were just people who were a bit bored and wanted to cause a bit of mayhem."</p>
<p>Politics can also motivate; some cyber criminals encrypted files of Israel-based firms and organizations, demanding a free Palestinian state in return for file access.</p>
<p>"It was not a particularly sophisticated variant, as I understand, but it's interesting that it's not always about the money—just disruption is also a valid motivation for cyber criminals or malicious actors," Marriott says.</p>
<p>And while financially motivated ransomware campaigns will continue to operate at the forefront, Marriott says that it is feasible that ransomware will be used as a disruption or hacktivism method in the future.</p>
<p>One possible recent example of this might be the NotPetya ransomware campaign, which did not generate high profits for the cyber criminals behind it and appeared to target numerous Ukrainian organizations.</p>
<p>"One theory and hypothesis was that because it was heavily Ukrainian in the targeting and the timing was around the Ukrainian independence holiday…it lent itself towards the conclusion that it could have been a nation-state that wasn't particularly fond of Ukrainian independence," Marriott says.</p>
<p>But because no one has claimed responsibility for the ransomware attack, there's no guarantee that it was politically motivated.</p>
<p>"There are so many kinds of smoke and mirrors using ransomware and propagation worldwide to distract people," Marriott says. "NotPetya could be that, but at the same time, it could just be cyber criminals that aren't very good—that make mistakes."</p>
<h4>Response</h4>
<p>None of the experts <em>Security Management</em> spoke to expect ransomware to go away any time in the near future, and EUROPOL says ransomware is likely to morph into new variants used to target mobile devices, as well as computer files.</p>
<p>"Now firmly established as a daily desktop malware threat, the profile of ransomware as a threat on mobile devices will grow as developers hone their skills in attacking those operating systems and platforms," the EUROPOL report said. "Given the scale of mobile device ownership (with many more mobile devices than people) there is no shortage of fertile ground for the proliferation of ransomware."</p>
<p>EUROPOL also predicts that ransomware is likely to spread to other smart devices, including smart televisions.</p>
<p>"Following the pattern of data stealing malware, cryptoware campaigns will likely become less scattergun and more targeted on victims of greater potential worth," according to the EUROPOL report.</p>
<p>In an attempt to make it more difficult for attackers to infiltrate systems and spread ransomware, international law enforcement has focused on raising awareness about the threat and encouraging companies to adopt proactive defense measures.</p>
<p>For instance, the U.S. interagency report recommends a series of preventive measures for organizations to take—including implementing awareness and training programs for employees, enabling strong spam filters to prevent phishing emails from reaching users, scanning all incoming and outgoing email, managing privileged accounts, configuring firewalls to block known malicious IP addresses, and patching operating systems.</p>
<p>Regularly patching systems is critically important, as shown with the WannaCry ransomware attack, but it is something many organizations continue to struggle with, Sprickerhoff says.</p>
<p>"It's a sad sort of situation—it isn't sexy. Nobody brags about how awesome their patch rigor is," he adds. "It's not very interesting, but it is so necessary."</p>
<p>One reason that companies struggle with staying up to date on patching is that it's impossible to be proactive. A company's IT team has to wait for a vendor, such as Microsoft, to release a patch to fix a vulnerability in its system. The team then has to test the patch to ensure that it doesn't disable other features in the system, and then it has to be installed.</p>
<p>"And it's a monthly occurrence where Microsoft has Patch Tuesday," Sprickerhoff says. "They release some big patch bundle and you have to do it all over again, every month. Rinse, repeat. And so a lot of people say 'I'm going to do it once a quarter unless things are really crazy and I feel like I need to do this.'"</p>
<p>In addition to taking preventative cybersecurity measures, organizations should also have a response plan in place in case they are infected with ransomware. And while experts don't recommend paying the ransom to get data back, if an organization is going to pay, Kujawa says it should negotiate with the hackers for a better rate.</p>
<p>"With ransomware, you're dealing directly with the victim," he explains. "The payment goes straight to you; there's no middle man. The problem, for the criminals, is that if they don't get paid by the victim, they're not getting paid at all. There's no guarantee of value for the criminals, so it's in their best interest to make sure that people can pay."</p>
<p>One example of this was when Hollywood Presbyterian Medical Center in California paid a ransom to get some of its data back after being hit by a ransomware attack. The original ransom amount was more than $1 million, but the hospital needed just one endpoint decrypted.</p>
<p>The hospital negotiated with the criminals and was able to decrypt the information it needed for just $17,000 to get operations back up and running.</p>
<p>"At the end of the day, criminals want to ransom stuff to you," Kujawa says. "You can say, 'No, you're not getting any money,' and then they're left out to dry. If you say, 'We'll give you a little bit of money,' they may be a little more interested in following along because at least they're getting something."</p>