IoT is being leveraged to monitor and protect species that are integral to our global ecosystems, from rhinos to dairy cows to honeybees.
People often don’t understand the implications of their own actions on the security of their information, which can have a devastating effect on businesses.
Let’s face it, everyone wants your data. Marketers want it so they can sell you stuff. Foreign governments want it so they can monitor or target you. Criminals want it so they can steal for profit. Indeed, the brokering of personal data is a multi-billion-dollar industry.
And thanks to the proliferation of social media platforms, bad actors don’t have to work too terribly hard; people will willingly give up personal information in exchange for entertainment.
Case in point: Quizzes were all the rage on Facebook for years. Which superhero do you most resemble? What does your favorite color say about your personality? Who is your perfect mate?, and so on. Meanwhile, you won’t get your results without granting the quiz tool access to your friends, photos, timeline, email address and any other personal information housed in your Facebook profile.
Make no mistake, that’s a lot of information to share with a quiz tool created by a company most people are blissfully ignorant about.
Data Collection Galore
Turns out that many of the platforms that hosted these tools were founded by or acting on behalf of data collection companies that are paid to aggregate as much information about consumers as possible, from as many sources as possible, and sell it to third parties. They analyze your likes, comments, and online activity and begin to profile your preferences based on your online behavior.
You may be asking, “Who are these third parties?” Well, they vary from enterprises looking to sell you their goods, foreign and domestic governments, political parties, and more. Remember the Cambridge Analytica scandal? While doing work for the Donald Trump Campaign, Cambridge Analytica improperly obtained access to more than 50 million user profiles on Facebook. The scandal raised public debate about the integrity and ethics of using back-door methods to unknowingly target voters in the United States.
However, data collection companies are not the only organizations that use quizzes and entertainment- focused tools to quietly gather personal information. Hackers do it too. Facebook recently filed a lawsuit against two Ukrainian developers, Andrey Gorbachov and Gleb Sluchevsky, for allegedly creating quizzes that asked consumers questions like, “Do you have royal blood,” or “What does your eye color say about you?” in exchange for access to users’ private account data, including friends, photos, name, age, location, birthday, and more.
Consumer Trust — Unwarranted?
But it’s not just Facebook that has compromised user data. Any number of mobile apps may also be doing the same thing. Why? Because bad actors are like water; they seek the path of least resistance. And in this case, that path is leveraging seemingly innocent entertainment apps that live in trusted Apple and Android app stores.
Now, instead of giving away their Facebook profile data, consumers could be granting apps access to all the data they keep in their phone, including their digital wallet, contacts, photos, browsing history, and a wealth of Personally Identifiable Information (PII) — all in exchange for a glance at how they might look in 40 years.
That’s where FaceApp comes in. If you’ve logged into social media recently, you’ve likely seen many of your friends sharing pics via FaceApp, a facial recognition software (based on the same technology used by law enforcement) that encourages users to upload a photo and see what they might look like in 40 years.
Sounds fun, right? Well, on the surface perhaps. But FaceApp’s privacy policies and Terms of Service are extremely vague, giving the app and the company that created it rights to collect your photos and use as they see fit.
As the app grew in popularity, privacy advocates began warning people that a Russian-owned company was collecting their data. Reminiscent of Cambridge Analytica, this news sent shockwaves through the American political system, leading U.S. Senate Minority Leader Chuck Schumer to request an FBI investigation into the app. The senator expressed his concern via twitter that personal data from U.S. citizens would be shared with “a hostile foreign power.” (Unsurprisingly, the FaceApp CEO denied sharing data with the Russian government or storing it on Russian servers).
Which is all to say…how much of consumers’ trust in apps is warranted? Geoffrey Fowler at the Washington Post tested his iPhone to see exactly how much data from apps was passed on to third parties about him and the results were frightening. His experiment found 54,000 hidden data tracking apps within one week!
So, what does this mean for our privacy? When people unknowingly sign away the right to their data for all time in exchange for a few minutes of entertainment, is the fight for consumer privacy rights already being lost?
There seems to be a continuous drip, drip, drip of cyber breaches on a daily basis. For example, last month 12 million patients may have had information exposed in a data breach from Quest Diagnostics, the world’s largest blood-testing company.
The only thing we know for sure is that tomorrow some other enterprise will be next. However, what’s new is the rising threat of state-sponsored cyber attacks on enterprises. Per the White House, cyber attacks cost the US economy between $50 million and $100 million in 2016 — the last year quantified. It’s likely significantly more today.
States Are Leading Players in the Cyber Game
Enterprises need to understand that 22 countries around the world are currently suspected of state-sponsored programs for governmental cyber attacks. And lest you believe that these are all focused on stealing nuclear codes, half of all targets for these attacks are private enterprises, NOT governmental agencies.
World governments are actively investing in building and operating cyber espionage teams to both protect their national interests as well as collect IP for their domestic industries. With this information, they are acquiring expertise, malicious botnets and cyber attack tools to further advance their craft.
Enterprises in developed nations around the world need to understand the high stakes and the need for increased protection. If a company competes based on its Intellectual property in a global marketplace, then it may be a mark for government cyber attacks.
Some nations are more direct about the domestic industries they are interested in building and are tipping their hands as to what intellectual property they are interested in acquiring from specific industries. China for example, has a position paper, “Made in China 2025“, which lays out specific industries in which it has a strategic interest in building domestic expertise.
The plan lays out a very aggressive goal of producing 70% of the content in the following industries with Chinese enterprises: IT, robotics, green energy and EVs, aerospace, ocean engineering, railroads, power, materials, medicine and med tech and agriculture engineering. These plans require domestic industries in developing countries to acquire massive amounts of new intellectual property in order to meet this 70% local content threshold.
Enterprises Don’t Have the Expertise to Fight Government Agents
In this environment, where 20-plus countries are aggressively building cyber attack organizations and pouring millions of dollars into ever more sophisticated attack technology, who is the best, most expert person to protect these businesses?
Before we answer that, let’s understand the current cyber employment context. Per an international security non-profit (ISC2), there were three million unfilled cybersecurity jobs globally in 2018. There continues to be a global STEM shortage. Job boards are bursting with open positions for IT security specialists.
Given the cybersecurity work shortage, it is neither advisable or practical for every Fortune 1000 business to try to match the security defense capabilities of nationally funded cyber attackers. Enterprises cannot spend enough money individually to have the state of the art automated defenses or hire enough security engineers to fight cyber attacks in real time.
We cannot and should not expect the Fortune 1000 to replicate the people and investment of nationally funded cyber groups to protect their most important intellectual property.
In fact, we are seeing tremendous new innovations like the UK government initiative, Cyber Skills Immediate Impact Fund that promotes neurodiversity to help close the security skills gap. This is a tremendous new initiative that taps into groups like people on the autism spectrum for their puzzle-solving prowess to improve cybersecurity through their different and valuable coding abilities. However, initiatives like this alone will take years to provide the additional security engineering talent needed today.
Service and Cloud Providers Could Be the Expert Defenders
Cloud and service providers are another story. Many of them already have Security Operations Centers (SOC)s manned 24×7 to protect themselves and their customers. Many have real-time defenses and have implemented SDN control planes with automated policy. These systems identify an attack in one part of the network and mitigate the attack, while simultaneously updating all other endpoints with the attack characteristics. They are already staffed with top security engineering talent.
Managed security solutions for virtually all enterprises need to ultimately be the answer. Cloud and service provider SOCs are the only private organization capable of protecting businesses and their most valuable intellectual property. Enterprises can never invest enough individually to have the latest tools and talent to fight the most complex real-time cyber attacks. However, the cloud and service providers have the scale to invest at the necessary level to protect from the most nefarious state-sponsored actor.
We need to fight fire with fire and recognize the Heads of Tier 1 SOCs are the ones who should be protecting the intellectual property of enterprises worldwide. Not 1,000 different IT managers individually.
Service Providers Need to Stay Vigilant
As telco companies are racing to deliver 5G services, security has, in some cases, taken a back seat to speed. The most recent attack on telcos by the Chinese government is only the beginning. While it wasn’t especially intricate, nation state cybercriminals are proving that they are able to exploit the growing vulnerabilities that telcos leave behind as they race to 5G. As we approach the 2020 election, we will see a heightened focus as nation states leverage every vulnerability to their advantage. Telcos must be prepared, or the damage could be astronomical.
A version of this post was originally published on Light Reading.
I’ve long maintained that security can and should be leveraged as a competitive advantage, regardless of industry. But I’d like to expound upon this mantra: it holds particularly true for the financial services industry.
With consumers increasingly relying on web and mobile apps to conduct financial transactions, customer data has emerged as the new “oil” that powers financial institutions; it can be mined to upsell additional services over the long haul.
But if banks want to increase customer lifetime value, they first must protect this treasure trove of data. Why? Because privacy and security are top of mind for consumers.
This isn’t just an educated guess on my part; Radware recently conducted a survey of nearly 1,200 U.S. consumers to better understand how they view financial security, how they’d react if their data was compromised, and what it all means for financial institutions today.
Spoiler alert: Financial institutions stand to lose business if they don’t prioritize security.
The fact is, data breaches and cyberattacks increase customer churn in an age when virtual transparency, relentless competition and frictionless account transitions have made it easy for consumers to switch financial institutions. And make no mistake — they will abandon their banks if their privacy and security are better prioritized elsewhere.
I encourage you to read the full survey results report. And deeply consider how security isn’t an expenditure, but an investment in your customer lifetime value.
Read “Consumer Sentiments: Cybersecurity’s Role in the Future of Financial Institutions” today.
By this point, we know that state-sponsored cyber attacks are a thing. Time and again, we see headlines to this effect, whether it’s election hacking, IP theft, or mega-breaches. For your average consumer, it’s troubling. But for executives at organizations that are targeted, it’s a nightmare.
The accompanying PR headaches, customer churn, and operational and reputation losses are bad enough; but when big companies think they’re protected by cyber insurance only to find out they aren’t, things go from bad to worse.
Are You Really Covered?
Indeed, per the New York Times, “Many insurance companies sell cyber coverage, but the policies are often written narrowly to cover costs related to the loss of customer data, such as helping a company provide credit checks or cover legal bills.” In other words, many organizations think that because they’ve purchased cyber insurance, they are protected and will be reimbursed for any expenses related to suffering and mitigating a cyberattack.
But that’s not necessarily the case. Insurers are increasingly citing a “war exclusion” clause —which “protects insurers from being saddled with costs related to damage from war”— to avoid reimbursing losses associated with cyberattacks.
Huh? How can that be? We’ve seen the US Department of Justice identify APT-10 as a Chinese state-sponsored corporate hacking group, attacking both Hewlett Packard Enterprise and IBM.
In addition, the now infamous NotPetya (for which the U.S. assigned responsibility to Russia in 2018), affected companies are considered collateral damage in cyberwars. This is the nightmare scenario that played out for both Mondelez and Merck in 2017, after both organizations suffered hundreds of millions of dollars’ worth of damages resulting from the NotPetya attack. Unsurprisingly, both Mondelez and Merck are respectively fighting back—in court. But these cases will likely take years (and an astounding amount of legal fees) to resolve. Which begs the question: what are companies to do in the meantime when cyber insurance fails to protect the business?
Protecting Your Business
Well, first thing’s first. Prioritize security, don’t treat it as an add-on or wait until you’ve been hit with an attack to beef it up. Build it into the very fabric of your company’s foundation. As I wrote last year, doing so enables an organization to scale and focus on security innovation, rather than scrambling to mitigate new threats as they evolve. Besides, baking security into your products and/or services can be leveraged as a competitive differentiator (and therefore help produce new revenue streams).
Additionally, there are several other steps to take to help protect your organization against large scale cyberattacks:
- Install comprehensive DDoS and application security protection. Such solutions will optimize business operations, minimize service degradation and help prevent downtime.
- Educate employees. This can’t be emphasized enough; employers should educate their employees about common cyberattack methods (like phishing campaigns), and to be wary of links and downloads from unknown sources. This may sound simplistic, but it’s often overlooked.
- Manage permissions. This holds particularly true for organizations operating in or migrating to a public cloud environment; excessive permissions are the number one threat to your cloud-based data.
- Use multi-factor authentication. Again, this is low-hanging fruit, but it bears repeating. Requiring multi-factor authentication may seem like a pain, but it’s well worth the effort to safeguard your network.
And, as always, let the (security) experts handle the (cybercriminal) experts. Don’t hesitate to engage third-party experts in your quest to provide a secure customer experience.
Humans aren’t the only ones consumed with connected devices these days. Cows have joined our ranks.
Believe it or not, farmers are increasingly relying on IoT devices to keep their cattle connected. No, not so that they can moo-nitor (see what I did there?) Instagram, but to improve efficiency and productivity. For example, in the case of dairy farms, robots feed, milk and monitor cows’ health, collecting data along the way that help farmers adjust techniques and processes to increase milk production, and thereby profitability.
The implications are massive. As the Financial Times pointed out, “Creating a system where a cow’s birth, life, produce and death are not only controlled but entirely predictable could have a dramatic impact on the efficiency of the dairy industry.”
From Dairy Farm to Data Center
So, how do connected cows factor into cybersecurity? By the simple fact that the IoT devices tasked with milking, feeding and monitoring them are turning dairy farms into data centers – which has major security implications. Because let’s face it, farmers know cows, not cybersecurity.
Indeed, the data collected are stored in data centers and/or a cloud environment, which opens farmers up to potentially costly cyberattacks. Think about it: The average U.S. dairy farm is a $1 million operation, and the average cow produces $4,000 in revenue per year. That’s a lot at stake—roughly $19,000 per week, given the average dairy farm’s herd—if a farm is struck by a ransomware attack.
It would literally be better for an individual farm to pay a weekly $2,850 ransom to keep the IoT network up. And if hackers were sophisticated enough to launch an industry-wide attack, the dairy industry would be better off paying $46 million per week in ransom rather than lose revenue.
Admittedly, connected cows aren’t new; IoT devices have been assisting farmers for several years now. And it’s a booming business. Per the FT, “Investment in precision ‘agtech’ systems reached $3.2bn globally in 2016 (including $363m in farm management and sensor technology)…and is set to grow further as dairy farms become a test bed for the wider IoT strategy of big technology companies.”
But what is new is the rollout of 5G networks, which promise faster speeds, low latency and increased flexibility—seemingly ideal for managing IoT devices. But, as we’ve previously discussed, with new benefits come new risks. As network architectures evolve to support 5G, security vulnerabilities will abound if cybersecurity isn’t prioritized and integrated into a 5G deployment from the get-go.
In the new world of 5G, cyberattacks can become much more potent, as a single hacker can easily multiply into an army through botnet deployment. Indeed, 5G opens the door to a complex world of interconnected devices that hackers will be able to exploit via a single point of access in a cloud application to quickly expand an attack radius to other connected devices and applications. Just imagine the impact of a botnet deployment on the dairy industry.
I don’t know about you, but I like my milk and cheeses. Here’s to hoping dairy farmers turn to the experts to properly manage their security before the industry is hit with devastating cyberattacks.
AT&T and Verizon are committed to an aggressive, multi-city roll out plan in a race to be the first carrier to implement national 5G deployment. We see this competition play out almost daily in the news: AT&T’s “5G E” is slower than Verizon 4G, Verizon declares 5G war on AT&T, Verizon inks a deal with the NFL to bring 5G to stadiums, and so forth. And yet, despite this newsworthy competition between telecom giants, we still have a limited understanding of the benefits and risks of 5G.
There are the obvious benefits – faster service, for one – and risks, like insufficient security infrastructure. But what about other, less considered factors that can impact 5G (both positively and negatively), such as net neutrality and wearable devices? How do they play into the risks and rewards of this communications (r)evolution?
Currently, net neutrality in the U.S. is embroiled in partisan politics and it’s unclear whether these regulations will be reinstated. But operating under the current status, in which net neutrality rules are suspended, service providers stand to profit from 5G.
As we’ve previously discussed, 5G allows for service providers to “slice” portions of a spectrum as a customizable service for specific types of devices and different customer segments—and without net neutrality, carriers can conceivably charge premium rates for higher quality of service. In other words, service providers could profit by charging select industries that require large bandwidth and low latency – like healthcare and manufacturing, for example – higher premiums.
This premium service/premium revenue model represents a significant ROI for carriers on their 5G infrastructure investment. Not only does slicing provide flexibility for multi-service deployment, it enables the realization of diverse applications on that physical resource, which helps recoup cost for the capital investment.
However, because implementation will be patchy, with initial focus on high-density, urban areas (versus rural populations), the so-called digital divide may very well deepen, not just for consumers but for rural industries like healthcare and agriculture as well.
IoT devices have outpaced the human population for the first time in history. And 5G will undoubtedly fan the flames of interest in wearable devices, due to its projected speed and availability of data.
While these devices can certainly make life easier, and even potentially healthier (think about the ECG app on the Apple Watch!), they also carry enormous risk. Why? Because they’re hackable – and they contain a treasure trove of sensitive data, like your location, health stats, and more. And the risk doesn’t only impact the individual wearing an IoT device; enterprises are likewise at risk when their employees wear devices at work and transmit data over office WiFi.
With the ever-changing nature of internet regulations and the explosion of wearable devices, security must be top-of-mind for service providers. Not only is security advantageous to end users, but for the carriers as well; best-of-breed security opens the possibility for capturing new revenue streams.
No matter the complexity of securing 5G networks, there are solutions. For example, service providers should consider differentiated security mechanisms, offering security as a service to vertical industries, and segregating virtual network slices to safeguard their networks. And of course, let the (security) experts help the (carrier) experts.
Much of the buzz surrounding this year’s Mobile World Congress has focused on “cool” tech innovations. There are self-driving cars, IoT-enhanced bee hives, smart textiles that monitor your health, realistic human chatbots, AI robots, and so forth. But, one piece of news that has flown relatively under the radar is the pending collaboration between carriers for 5G implementation.
A Team Effort
As Bloomberg reported, carriers from Vodafone Group Plc, Telecom Italia SpA and Telefonica SA are willing to call “a partial truce” to help each other build 5G infrastructure in an attempt “to avoid duplication and make scarce resources go further.”
Sounds great (who doesn’t love a solid team effort?!)…except for one thing: the pesky issue of competing for revenue streams in an industry fraught with financial challenges. As the Bloomberg article pointed out, “by creating more interdependent and overlapping networks, the risk is that each will find it harder to differentiate their offering.”
While this is certainly a valid concern, there is an obvious solution: If carriers are looking for differentiation in a collaborative environment, they need to leverage security as a competitive advantage.
Security as a Selling Point
As MWC19 is showing us in no uncertain terms, IoT devices—from diabetic smart socks to dairy milking monitors—are the way of the future. And they will largely be powered by 5G networks, beginning as early as this year.
Which is all to say, although carriers are nervous about setting themselves apart while they work in partnership to build 5G infrastructure, there’s a huge opportunity to differentiate themselves by claiming ownership of IoT device security.
As I recently wrote, IoT devices are especially vulnerable because of manufacturers’ priority to maintain low costs, rather than spending more on additional security features. If mobile service providers create a secure environment, they can establish a competitive advantage and reap financial rewards.
Indeed, best-of-breed security opens the possibility for capturing new revenue streams; mobile IoT businesses will pay an additional service premium for the peace of mind that their devices will be secure and can maintain 100% availability. And if a competing carrier suffers a data breach, for example, you can expect their customer attrition to become your win.
My words of advice: Collaborate. But do so while holding an ace—security—in your back pocket.
If you’re looking to find a date in 2019, you’re in luck. Dozens of apps and sites exist for this sole purpose – Bumble, Tinder, OKCupid, Match, to name a few. Your next partner could be just a swipe away! But that’s not all; your personal data is likewise a swipe or click away from falling into the hands of cyber criminals (or other creeps).
Online dating, while certainly more popular and acceptable now than it was a decade ago, can be risky. There are top-of-mind risks—does s/he look like their photo? Could this person be a predator?—as well as less prominent (albeit equally important) concerns surrounding data privacy. What, if anything, do your dating apps and sites do to protect your personal data? How hackable are these apps, is there an API where 3rd parties (or hackers) can access your information, and what does that mean for your safety?
Privacy? What Privacy?
A cursory glance at popular dating apps’ privacy policies aren’t exactly comforting. For example, Tinder states, “you should not expect that your personal information, chats, or other communications will always remain secure.” Bumble isn’t much better (“We cannot guarantee the security of your personal data while it is being transmitted to our site and any transmission is at your own risk”) and neither is OKCupid (“As with all technology companies, although we take steps to secure your information, we do not promise, and you should not expect, that your personal information will always remain secure”).
Granted, these are just a few examples, but they paint a concerning picture. These apps and sites house massive amounts of sensitive data—names, locations, birth dates, email addresses, personal interests, and even health statuses—and don’t accept liability for security breaches.
If you’re thinking, “these types of hacks or lapses in privacy aren’t common, there’s no need to panic,” you’re sadly mistaken.
The fact is, dating sites and apps have a history of being hacked. In 2015, Ashley Madison, a site for “affairs and discreet married dating,” was notoriously hacked and nearly 37 million customers’ private data was published by hackers.
The following year, BeautifulPeople.com was hacked and the responsible cyber criminals sold the data of 1.1 million users, including personal habits, weight, height, eye color, job, education and more, online. Then there’s the AdultFriendFinder hack, Tinder profile scraping, Jack’d data exposure, and now the very shady practice of data brokers selling online data profiles by the millions.
In other words, between the apparent lack of protection and cyber criminals vying to get a hold of such personal data—whether to sell it for profit, publicly embarrass users, steal identities or build a profile on individuals for compromise—the opportunity and motivation to hack dating apps are high.
Dating is hard enough as it is, without the threat of data breaches. So how can you best protect yourself?
First thing’s first: Before you sign up for an app, conduct your due diligence. Does your app use SSL-encrypted data transfers? Does it share your data with third parties? Does it authorize through Facebook (which lacks a certificate verification)? Does the company accept any liability to protect your data?
Once you’ve joined a dating app or site, beware of what personal information you share. Oversharing details (education level, job, social media handles, contact information, religion, hobbies, information about your kids, etc.), especially when combined with geo-matching, allows creepy would-be daters to build a playbook on how to target or blackmail you. And if that data is breached and sold or otherwise publicly released, your reputation and safety could be at risk.
Likewise, switch up your profile photos. Because so many apps are connected via Facebook, using the same picture across social platforms lets potential criminals connect the dots and identify you, even if you use an anonymous handle.
Finally, you should use a VPN and ensure your mobile device is up-to-date with security features so that you mitigate cyber risks while you’re swiping left or right.
It’s always better to be safe and secure than sorry.