8 Effective Third-Party Risk Management Tactics

In this increasingly complex security landscape, with threat actors and vendors changing their tools rapidly, managing third-party risk is difficult and ambiguous, and knowing how to prioritize mitigation spend is harder still.

Fig 1. Risk, Stock Image, 2019.

The key to any vendor risk management program or framework is measurement, repeatability, and learning from what was repeated as the business and its risks change. These are the eight best practices you can follow to assess your vendors’ security processes and their willingness to understand your risks and jointly mitigate them.

1) Identify All Your Vendors / Business Associates:

Many companies miss this easy step. Where applicable, use your access-control groups (RBAC roles, Windows groups or the like) as a source of truth for which vendor accounts exist and what they can reach. Creating a repeatable, written compliance process for identifying vendors and updating the list as vendors move in and out of the company is worthwhile.

2) Ensure Your Vendors Perform Regular Security Assessments:

Risk assessments should be conducted at a defined cadence (weekly, monthly, or quarterly, depending on the vendor’s risk tier) and reviewed and updated in response to changes in technology and the operating environment.

At a minimum, security risk assessments should include:

a) Evaluation of the likelihood and potential impact of risks to in-scope assets.

b) Measures instituted to protect against those risks.

c) Documentation of the security measures taken.

Vendors must also regularly review the findings of their risk assessments to determine the likelihood and impact of the risks they identify, and remediate any deficiencies.

Fig. 2. Stock Image, Third-Party Risk Mgmt Inputs, 2019.

3) Make Sure Vendors Have Written Information Security Policies / Procedures:

a) Written security policies and procedures should clearly outline the steps and tasks needed for each control to deliver its expected outcome.

b) Without a reference point, policies and procedures become open to individual interpretation, leading to misalignment and mistakes. Verify not only that vendors have these written policies, but that they align with your organization’s standards. Ask peers in your industry for a benchmark.

4) Prioritize Vendors Based on Risk – Use Evidence and Input from Others – NOT Speculation:

a) Critical Risk: Vendors who are critical to your operation, and whose failure or inability to deliver contracted services could result in your organization’s failure.

b) High Risk: Vendors (1) who have access to customer data and have a high risk of information loss; and / or (2) upon whom your organization is highly dependent operationally.

c) Medium Risk: Vendors (1) whose access to customer information is limited; and / or (2) whose loss of services would be disruptive to your organization.

d) Low Risk: Vendors who do not have access to customer data and whose loss of services would not be disruptive to your organization.

5) Verify That Vendors Encrypt Data in All Applicable Places – At Rest, In Transit, etc:

a) Encryption, a process that protects data by making it unreadable without the key, is one of the easiest methods of protecting data against theft.

b) When a vendor tells you their data is encrypted, trust but verify. Delve deeper and ask for details about the different at-rest and in-transit scenarios, such as whether backups are encrypted and what type of backup is used. Ask what type of encryption it is (the algorithm, key length, and where it is applied, for example TLS in transit and volume, database or field-level encryption at rest) and request an architecture diagram. Most people get lost when you ask this question.

c) It’s also imperative that the keys used to encrypt the data are very well protected. Understanding how encryption keys are protected is as vital as the encryption itself. Are they stored on the same server as the data they protect? Is multi-factor authentication needed to get access to them? Is access to the key time-limited and logged?
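
The key-separation questions in 5c are easier to evaluate when you know what a good answer looks like in code. The following envelope-encryption example is added here and is not code from the original article or from any vendor: a per-record data-encryption key (DEK) encrypts the record, and only a wrapped copy of that DEK, encrypted under a separately held key-encryption key (KEK), is stored next to the ciphertext. The KEK would normally live in an HSM or cloud KMS; here it is a 32-byte key generated in memory, and the record ID is used as associated data so an envelope cannot be swapped onto a different record. The record, record ID and key material are constructed sample inputs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what gets persisted beside the data: the ciphertext and the
// data-encryption key (DEK) wrapped under the key-encryption key (KEK).
// The KEK itself is deliberately absent, so a copy of the database alone
// cannot be decrypted.
type Envelope struct {
	WrappedDEK []byte // DEK encrypted with AES-256-GCM under the KEK
	DEKNonce   []byte
	Ciphertext []byte // record encrypted with AES-256-GCM under the DEK
	DataNonce  []byte
}

// NewKey returns a random 32-byte AES-256 key; used for the KEK and for each DEK.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// gcmSeal encrypts plaintext with AES-GCM under key and binds aad to the result.
func gcmSeal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; it fails if key, nonce, aad or ciphertext is wrong.
func gcmOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// Encrypt generates a fresh DEK for this record, encrypts the record with it,
// wraps the DEK under the KEK, and returns only the wrapped form. The record
// ID is associated data, so an envelope cannot be moved to a different record.
func Encrypt(kek, record []byte, recordID string) (*Envelope, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	aad := []byte(recordID)
	dataNonce, ct, err := gcmSeal(dek, record, aad)
	if err != nil {
		return nil, err
	}
	dekNonce, wrapped, err := gcmSeal(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, DEKNonce: dekNonce, Ciphertext: ct, DataNonce: dataNonce}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the record. Without the
// KEK, or with the wrong record ID, the first step fails and nothing is revealed.
func Decrypt(kek []byte, env *Envelope, recordID string) ([]byte, error) {
	aad := []byte(recordID)
	dek, err := gcmOpen(kek, env.DEKNonce, env.WrappedDEK, aad)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK, wrong record, or tampered envelope")
	}
	return gcmOpen(dek, env.DataNonce, env.Ciphertext, aad)
}

func main() {
	kek, _ := NewKey() // in production the KEK lives in an HSM or KMS, never on the data server
	record := []byte("MRN 0001: constructed sample patient record") // constructed input
	env, err := Encrypt(kek, record, "record-0001")
	if err != nil {
		panic(err)
	}
	got, err := Decrypt(kek, env, "record-0001")
	fmt.Println(bytes.Equal(got, record), err) // true <nil>
	wrongKEK, _ := NewKey()
	_, err = Decrypt(wrongKEK, env, "record-0001")
	fmt.Println(err) // cannot unwrap data key: ...
}
```

When a vendor answers the question in 5c, this is the shape to look for: the stored artifact holds the wrapped DEK but never the KEK, rotating the KEK only means re-wrapping DEKs rather than re-encrypting all data, and access to the KEK is the single point where MFA, time limits and logging can be enforced.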

6) Ensure Vendors Have A Disaster Recovery Program:

In order to be compliant with the HIPAA Security Rule and related rules, vendors must have a detailed disaster recovery program that includes analysis on how a natural disaster—fire, flood or even a rodent chewing through cables—could affect systems containing ePHI. The plan should also include policies and procedures for operating after a disaster, delineating employees’ roles and responsibilities. Finally, the plan should clearly outline the plan for restoring the data.

7) Ensure Access Is Based on Legitimate Business Needs:

Fig 3. Stock Image, RBAC Flow, 2019.

It’s best to follow the principle of least privilege (POLP), the practice of limiting users’ access rights to the minimum permissions they need to perform their work. Under POLP, users are granted permission to read, write, or execute only the files or resources they need to do their jobs, in other words the least privilege necessary. RBAC, mentioned above, is the usual way to implement this at scale: permissions attach to roles, and users (including vendor accounts) are assigned to roles rather than granted rights individually.

8) Vet All New Vendors with Due Diligence:

a) Get references.

b) Use a standard checklist.

c) Perform a risk analysis and determine whether the vendor will be ranked Critical, High, Medium or Low.

d) Document the result and report it to senior management.


Watch Out for Coronavirus (COVID-19) Scams and Malware

The coronavirus disease (COVID-19) is being used as a lure in a variety of malicious campaigns including email spam, ransomware, BEC (business email compromise), malware, drive-by downloads, and even fraudulent domains. Referencing current events in attacks is nothing new; threat actors often use current events and popular personalities in their social engineering.

Fig. 1. Nate Benson (WGRZ), 03/16/20.


As the number of those infected continues to increase, campaigns that use the disease as a lure are likely to also increase because people tend to get excited about trending information and they click without double-checking, especially when their defenses are down in this emotional and media-hyped context. Let facts and science rule the day, not speculation and sensationalized news media. As we seek recovery and healing, the last thing we need is the double whammy of being hacked, scammed, or the victim of ransomware. Don’t let that be you, always double-check.

Here are some detailed internet hygiene and scam avoidance tips (compiled from the FTC, Trend Micro, and Symantec):

  1. Don’t click on links from sources you don’t know. They could download malware onto your computer or device.
  2. Trend Micro identified the following malicious files as of 03/16/20, and more are likely coming. Five of them were .exe (executable) files, which carry very high risk.

Fig. 2. Trend Micro Identified Malicious COVID-19 Files (Trend Micro, 03/16/20).

  3. Watch for emails claiming to be from the Centers for Disease Control and Prevention (CDC) or from experts saying that they have information about the virus.
  4. For the most up-to-date information about the coronavirus, visit the Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO) directly, rather than following a link in an email.
  5. Symantec identified the following fake example:

Fig. 3. Fake CDC Alert Phishing Example (Steve Symanovich, Symantec, 03/17/2020).

  6. Ignore online offers for vaccinations. As of this writing (March 2020) there are no vaccines, pills, potions, lotions, lozenges or other prescription or over-the-counter products available to treat or cure coronavirus disease (COVID-19), online or in stores.
  7. Report any suspected product scams to the FTC (the reporting link is at the bottom of the linked FTC page).
  8. Do your homework when it comes to donations, whether through charities or crowdfunding sites. Don’t let anyone rush you into making a donation. If someone wants donations in cash, by gift card, or by wiring money, don’t do it.
  9. Beware of online requests for personal information. A coronavirus-themed email that seeks personal information like your Social Security number or login information is a phishing scam. Legitimate government agencies won’t ask for that information.
  10. Never respond to an email by giving out your personal data.
  11. Check the email address or link. You can inspect a link by hovering your mouse over the URL to see where it actually leads. But keep in mind that phishers create links that closely resemble legitimate addresses, for example by placing a trusted name in a subdomain of a domain they control. Avoid HTTP-only sites and look for HTTPS, but know that HTTPS only means the connection is encrypted, not that the site is legitimate; phishing sites use HTTPS too. The Trend Micro URL checker is a good start, but it won’t catch every bad site.
  12. Watch for spelling and grammatical mistakes. If an email includes spelling, punctuation, and grammar errors, it’s likely a sign you’ve received a phishing email.
  13. Look for generic greetings. Phishing emails are unlikely to use your name. Greetings like “Dear sir or madam” signal an email is not legitimate.
  14. When in doubt, don’t open it: block the sender and delete the message.
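
The hover check in the tips above is worth turning into an explicit procedure. The following Go example is added here and is not taken from the original post or from Trend Micro, Symantec or the FTC: it parses a link the way a careful reader would and flags the tricks the tips describe, a trusted name used as a subdomain or hyphenated label on a domain the phisher controls, a `user@host` prefix that makes the real host easy to miss, a punycode (`xn--`) host, and plain HTTP. The list of trusted domains (cdc.gov, who.int) and the sample links, which use reserved `.example` names and the 203.0.113.0/24 documentation range, are constructed for the example. Note that the HTTPS-only lookalike is still flagged: encryption says nothing about who is on the other end.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// trusted lists the domains a coronavirus lure typically impersonates (constructed for this example).
var trusted = []string{"cdc.gov", "who.int"}

// LinkReport records what a careful hover-check notices about one link.
type LinkReport struct {
	Host          string
	Unparseable   bool   // no usable host at all
	PlainHTTP     bool   // http:// with no transport encryption
	Lookalike     bool   // uses a trusted name but is not under that domain
	UserInfoTrick bool   // https://trusted.gov@attacker-host/ : the text before @ is not the host
	Punycode      bool   // xn-- label, so the displayed name may use look-alike characters
	Note          string // human-readable summary of the flags
}

// Suspicious reports whether any red flag was raised.
func (r LinkReport) Suspicious() bool {
	return r.Unparseable || r.PlainHTTP || r.Lookalike || r.UserInfoTrick || r.Punycode
}

// underDomain is true when host is domain itself or a subdomain of it.
func underDomain(host, domain string) bool {
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// InspectLink parses raw and applies the checks; it never fetches the URL.
func InspectLink(raw string) LinkReport {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil || u.Hostname() == "" {
		return LinkReport{Unparseable: true, Note: "no usable host, treat as suspicious"}
	}
	host := strings.ToLower(u.Hostname())
	r := LinkReport{Host: host}
	r.PlainHTTP = strings.EqualFold(u.Scheme, "http")
	r.UserInfoTrick = u.User != nil
	r.Punycode = strings.Contains(host, "xn--")

	// Split on "." and "-" so that cdc.gov.evil.example and cdc-gov-alerts.example
	// both expose the label "cdc" even though neither is under cdc.gov.
	labels := strings.FieldsFunc(host, func(c rune) bool { return c == '.' || c == '-' })

	var notes []string
	for _, d := range trusted {
		if underDomain(host, d) {
			notes = append(notes, "host is within "+d)
			continue
		}
		brand := strings.SplitN(d, ".", 2)[0] // "cdc" from "cdc.gov"
		for _, l := range labels {
			if l == brand {
				r.Lookalike = true
				notes = append(notes, "uses the name "+brand+" but is not under "+d)
				break
			}
		}
	}
	if r.UserInfoTrick {
		notes = append(notes, "text before @ is a username, the real host is "+host)
	}
	if r.Punycode {
		notes = append(notes, "punycode host, check for look-alike characters")
	}
	if r.PlainHTTP {
		notes = append(notes, "plain HTTP, no transport encryption")
	}
	r.Note = strings.Join(notes, "; ")
	return r
}

func main() {
	samples := []string{ // constructed sample links, using reserved .example names
		"https://www.cdc.gov/coronavirus/2019-ncov/",
		"http://cdc.gov.covid19-alert.example/update.exe",
		"https://cdc-gov-alerts.example/login",
		"https://www.cdc.gov@203.0.113.5/verify",
		"https://xn--who-2cb.example/donate",
	}
	for _, s := range samples {
		r := InspectLink(s)
		fmt.Printf("suspicious=%-5v %-48s %s\n", r.Suspicious(), s, r.Note)
	}
}
```

The checks deliberately work on the parsed host only: the display text of a link, the sender name, and anything before `@` are all attacker-controlled, so the hover check should compare the real host against the domains the message claims to represent.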

Lastly, with so many people working from home amid the pandemic, our next podcast will cover IAM and vendor risk management, along with the related work-from-home network security considerations, coming around April/May 2020. Follow our podcast for updates.

Wishing you, your family, and the greater community — strength, healing, innovation, and fast recovery. Together we can get through this.

Charles Schwab, Chase, Wells Fargo, and others Use New Voice IAM Biometrics Technology

Over the last two years, many financial firms have introduced voice identity and access management (IAM) services that use voice biometrics to identify you by your unique voice. Each customer interaction then starts with biometric authentication, which the vendors say improves the customer experience.


Fig. 1. Voice Biometric Authentication Graphic, Source: Si-Gal/Getty Images, 2020.

Charles Schwab describes it this way (2020):

  • Whether you want to use our automated phone service or speak with one of our financial professionals, our voice ID service is one of the fastest and most convenient ways to securely identify yourself over the phone.
  • We know that you have a lot of passwords and pins to remember. Voice ID helps reduce the hassle of answering security questions when we can verify you by the sound of your voice.
  • When you call us, you will simply be prompted to say the passphrase “At Schwab, my voice is my password” to be securely verified. No more personal questions. No more PINs.

According to leading voice technology vendor Nuance (2020):

  • Biometric authentication delivers simpler, stronger customer authentication.
  • It reduces the average handling time (AHT) by 37 seconds.
  • Just like your fingerprint, your voiceprint is uniquely yours.

To make this work, the technology stores a digital representation of your voice, a voiceprint, built by a proprietary algorithm from more than 100 physical and behavioral characteristics such as pitch, accent, and the shape of your mouth and vocal tract as you speak with a customer service representative. Your voice ID only works with the system you enrolled your voice in.

Using this service requires collecting data to confirm that you are you. Melissa Looker of Fast Company describes how Chase does this as follows (2019):

  • But Chase isn’t just amassing data on its customers. It’s also collecting intel on known fraudsters for so-called “voice biometric blacklists,” which keep tabs on identity thieves and credit card scammers and prevent them from accessing bank information or requesting new credit cards.
  • Of course, it’s not just JPMorgan Chase & Co. using the technology. According to the Associated Press, Wells Fargo, Barclays, and U.S. Bank all use some form of Voice ID (IAM). In 2017, Pindrop, a company that offers sound-based fraud detection tools to call centers, told Fast Company it worked with eight of the top 10 U.S. banks and two of the top 5 insurers to detect phone scams.

Although voice IAM is a good start, I think more research is needed to validate the long-term viability of this form of authentication. What if a fraudster has a recording of your voice, or can mimic your voice pattern with a computer? Also, many people’s voices sound alike. According to a 2017 BBC report, voice biometric authentication was passed by a twin brother when they tested it, and the technology has improved little since then (Dan Simmons).

3 Key Points From “Unsecurity” By Evan Francen

National author, speaker, consultant, and entrepreneur Evan Francen got into information security long before it was cool and buzzing in the media, and long before every so-called IT consultancy started chasing the money. In fact, he and I both dislike the money chasers. He and his growing consultancy, FRSecure, are for-profit, but they don’t do it for the money.

Like a patriot who delays college to join the army amid a dire national conflict, Francen offers a fact-based call to arms to fix the broken cybersecurity industry in his 2019 book “Unsecurity”. Having known him and his company for a few years, and having read the book and many others on this subject, I think this content is worth sharing because too few people write or talk about how to actually make this industry better. Here are my three unbiased key points from his book.

1)    We’re Not Speaking the Same Language:

Francen opens his book with a lengthy chapter on how poor communication between cybersecurity stakeholders exacerbates trouble and risk. You can’t see or measure what isn’t communicated well. It starts because there are five main stakeholder groups who don’t share the same vocabulary and have conflicting priorities.

  1. IT: Speaks in data tables and code jargon.
  2. Cyber: Speaks in risk metrics and security controls.
  3. Business: Speaks in voice of the customer and profits.
  4. Compliance: Speaks in evidence collection and legal and regulatory frameworks.
  5. Vendor: Speaks in sales and marketing terms.

Ideally, all these stakeholders work together, but the group is only as strong as its weakest link. To improve communication and collaboration, all must agree on the same general security framework, the one best suited to the company and industry, perhaps the NIST CSF with its implied definitions, or perhaps ISACA’s COBIT. Once you pick the framework, you need to train, communicate, and measure against it and only it, using its definitions.

Changing frameworks in the middle of the process is like changing keys in the middle of a classical piece at a concert: don’t do it. That’s not to say that once communication and risk management get better you can’t have some hybrid framework variation, like at a jazz concert. You can, but you need proof of the basic items first.

Later in the chapter, Francen describes the communication problem of too many translations: too many people passing a message along and giving it their own spin. That is how what was merely a minor IT problem ticket turns into a full-blown data breach. Or people get tied up arguing over NIST, ISSA, ISACA, and OWASP jargon, all the while nothing gets fixed and people get mad at each other yet fail to understand one another. Knowing one or two buzzwords from an ISACA conference or paper, yet failing to understand how they map to NIST or the like, does not help. You should have a framework mapping sheet for this.

The bigger solution is more training and vetting of who is authorized to communicate on key projects. Good communication and project management are separate from cybersecurity, though they are a critical dependency. Organizations should pre-draft communication plans with roles and scope listed out, and then run tabletops to solidify them. Having an on-site Toastmasters group is also a good idea. I don’t care if you’re a cyber or IT genius; if you can’t communicate well, that’s a problem that needs to be fixed. I will take the person with much better communication skills, because they can likely learn what they don’t know better than the other.

2)    Overengineered Foundations:

In chapter two, Francen addresses “Bad Foundations”. He gives many analogies, including building a house without a blueprint. However, I’m most interested in what he says on page 76:

  • “Problem #4 Overengineered Foundation – too much control is as bad as too little control, and in some cases, it’s even worse than no control at all.”

What he is saying is that an organization can get so busy with spreadsheet assessments that bear little relation to the real world, and with redundant evidence gathering, that its head is in the sand for so long that it fails to connect the dots that other things are going awry, and thus it gets compromised. Keep in mind that IT and security staff are already overworked; they already have many conflicting dials and charts to read, amid false alarms. Bogging them down in needless busywork must be weighed against real-world security tasks like patch management, change management, and moving IAM to multi-factor authentication.

If you or your organization have an issue figuring this out, then, as Francen outlines, you need to simplify your risk management to a real-world foundational goal that even the company secretary can understand. It may be as simple as requiring long, complex passwords, badge entry time logs for everyone, encrypting data that is not public, or other basics. You must do these things and document that they have been done, one at a time, ingraining a culture of preventive security rather than reactive security.

3)    Cultivate Transparency and Incentives:

In chapter five, “The Blame Game”, Francen describes how IT and business stakeholders often fail to take responsibility for security failings. This is heavily influenced by undue bias, lack of diversity, and lack of fact-based thinking within the IT and business silos at many mid-sized and large organizations. I know this is a hard pill to swallow, but it’s so true. The IT and business leaders approving the bills for the vendors doing the security assessments, tool implementations, and consulting should not be under pressure to get a favorable finding in an unrealistic timeframe. They should only be obligated to give timely, truthful, risk-prudent advice. Yet that same advice, if not delivered with kid gloves, can get a vendor booted from the client, fabricating a negative vendor event. It reminds me of accounting fraud before Sarbanes-Oxley.

The reason is that risk assessors are creating evidence of security violations that the client does not agree with or like, and thus creating legal risk for the client, albeit well justified and of the client’s own making. From Francen’s viewpoint, a comprehensive, honest assessment also gives the client a way to defend itself and limit liability by disclosing and remediating the vulnerabilities in a timely manner and under the advisement of a neutral third party. Moreover, you get instructions on how to avoid them in the future, saving money and brand reputation.

Overall, transparency can save you. Customers, regulators, and risk assessors view you more positively because of it. That’s not to say there are not things that will remain private, because there are many: trade secrets, confidential data, and the like. My take on Francen’s discussion of the trade-offs between transparency and incentives in “The Blame Game” is that it is no longer acceptable to delay or cover up a real security event, not that it ever was. Even weak arguments that deliberately miscategorize security events as smaller than they are will catch up with you and kick your butt, or get you sued. Now is the time to be proactive. Build your incident response team ahead of time. It should include competent business risk consultants, cyber consultants, IT consultants, a communication lead, and a privacy attorney.

Lastly, if we as an industry are going to get better, we are going to have to pick up books, computers, pens, and megaphones. And this book is a must-read! You can’t be passive and maintain your expert status; it expires the second you do nothing and get poisoned by your own bias and ego. Keep learning and sharing!

The Six Most Impactful Cyber and Business Tech Trends of 2019 and What it Means for 2020.

By Mamady Konneh, MSST, and Jeremy Swenson, MBA, MSST.

Minneapolis, MN — Every year we like to review and comment on the most impactful security technology and business happenings of the prior year, those likely to significantly affect the coming year in unique ways. Although incomplete, these are six trends worth addressing, in order of importance.

Fig 1. (Cyber Trend Mashup Overlay, + Stock Image, 2019).

1) The Media Disinformation War Continues Embracing Artificial Intelligence:

With the advancement of communications technologies, the growth of large social media networks, and the “appification” of everything, users have morphed beyond merely consuming information into distributors and sometimes contributors. This increases the ease and reach of disinformation.

Disinformation is defined as incorrect information intended to mislead or disrupt, especially propaganda issued by a government organization to a rival power or the media. For example, governments creating digital hate mobs to smear key activists or journalists, suppress dissent, undermine political opponents, spread lies and control public opinion (Shelly Banjo, Bloomberg, 05/23/2019). Today’s disinformation war is largely digital via platforms like Facebook, Twitter, iTunes, WhatsApp, Yelp, and Instagram (Fig. 2). Yet even state-sponsored and private news organizations are increasingly the weapon of choice — creating a false sense of validity. Undeniably, the battlefield is wherever a large number of followers are.

We all know that false news spreads faster than real news most of the time, largely because it is sensationalized. Since disinformation draws in viewers, which drives clicks and ad revenue, it is a money-making machine. If you can control what is trending in the news and/or social media, that affects how many people will believe it, which in turn affects how many people will act on that belief, good or bad. This is exacerbated when combined with human bias or irrational emotion.

Bots and botnets are often behind the spread of disinformation, complicating efforts to trace its source and to stop it. Further complicating matters is the amount of app-to-app permission chaining. For example, the CNN and Twitter apps have permission to post to Facebook, Facebook has permission to post to WordPress, and WordPress posts to Reddit, or any combination like this. Not only does this make it hard to identify the chain of custody and the source, it also weakens privacy and security because of the many delegated permissions involved.

Fig 2. News, Social Media, and Puppet Master of Disinformation (Right, Chandrajit Banerjee, Left Marc Creighton, 2019).

Disinformation campaigns attempted to influence the 2016 U.S. presidential and 2018 congressional elections (Fig. 2). The effects are not fully known to this day, yet there is some undeniable impact, with debates on both sides. Taken together with outdated electoral policies and poor public-private partnerships, this supports the conclusion that disinformation capabilities are on the rise leading up to the 2020 U.S. presidential election. In fact, according to one report, the number of countries engaged in organized disinformation increased from 48 in 2018 to 70 in 2019, roughly a 46% rise in one year, and 150% over the two years since the 28 counted in 2017 (Samantha Bradshaw and Philip N. Howard, Oxford Internet Institute, 09/04/19). This is not about politics; it is about truth, appropriate technology, security improvements, and better public-private partnerships.

Fig. 3. Purported Russian Disinformation Flow (Samuel Morales, 11/08/19).


Moving on, large technology companies are increasingly under scrutiny to secure their platforms from disinformation campaigns. One recent example: “Twitter announced that it had removed more than 88,000 accounts that it said were engaged in ‘platform manipulation’ originating in Saudi Arabia” (Aaron Holmes, Business Insider, 12/20/19). Since platforms like this have so much activity to monitor, many such campaigns go unaddressed. Yet let us not forget the free speech rights of users and the many claims that certain tech companies overreach in their content screening to the level of undue bias. Resolving these two extremes is indeed a work in progress.

Another example, which used AI (artificial intelligence) to enable disinformation, is as follows: “On December 20, 2019, Facebook took action against a network of over 900 pages, groups, and accounts on its own platform and on Instagram that were associated with ‘The Beauty of Life’ (TheBL), reportedly an offshoot of the Epoch Media Group (EMG). These assets were removed for engaging in large-scale coordinated inauthentic behavior (CIB)” (Ben Nimmo, C. Shawn Eib, L. Tamora, et al.; Graphika & the Atlantic Council’s Digital Forensics Research Lab, 12/2019). Many of these profiles were created with AI-generated fake profile photos. The group amassed about 55 million followers, so its disinformation efforts largely worked.

Considering these disinformation events this past year, we think small and mid-size companies are likely the next target of disinformation campaigns. Such campaigns may aim to steal their customers, tarnish their reputation, or combine disinformation with advanced malware or other cyber fraud. They may be a direct target or a pass-through medium. Small businesses are not immune from these risks even if never targeted before. While a large company could sustain several disinformation attacks, a small company could easily be run out of business by just one.

Imagine fraudulent Yelp reviews from a dental competitor who hires a non-U.S. hacking group to have a bot army post 1,000 negative reviews on Yelp. Now the victim has a mess to clean up. Being a dental office, they are not tech experts, so they have to hire a tech consultancy. Yet even then, the full damage can never be undone. The stress and cost could drive them to shut down. Then there is the question of who pays for it, which raises the question of cyber insurance: do you have the correct coverage, and is there any way your claim can be denied?

Overall, disinformation is a double-edged sword: if one country uses disinformation against another, the target is very tempted to respond in kind. When the public sees this state-originated disinformation, they and their NGO (non-governmental organization) groups respond, whether they believe it or not, of course with different responses. The same scenario could apply in a company-to-company context.

Disinformation is indeed a vicious cycle that encourages lies, ignorance, all the while damaging the value of what journalism means. In 2020 we as journalists, thought leaders, consultants and citizens must not be afraid to confront these fallacies and hidden distortions for future generations — a quality based truthful pen is a powerful sword!

2) Ransomware Doubles Attacking More Government Entities:

Ransomware heavily hit hospitals, businesses, and universities in 2019, but local governments were the top target. It struck at least 103 local U.S. government agencies, mostly at the city and county level (Emsisoft Malware Lab, 12/12/19). Barracuda Networks reached a similar conclusion, finding that two-thirds of all known 2019 ransomware attacks in the U.S. targeted governments (Alfred Ng, CNET, 12/05/19). These attacks mostly originate from phishing emails; the attackers then implant malicious code in the target’s network and encrypt its files, making them inaccessible. The victims are for the most part not federal offices like the FBI, NSA, DOD, or the FAA, which have bigger budgets and better defenses.

In August 2019, twenty-three Texas cities were struck by a large coordinated ransomware attack, which overwhelmed them so badly that they were forced to seek state assistance (Kate Fazzini, CNBC, 08/20/19). Also in 2019, seven Florida cities were struck in similar attacks: River City, Riviera Beach, Lake City, Key Biscayne, Stuart, Naples, and recently Pensacola (Rachael L. Thomas, Naples Daily News, 08/20/19 & CISOMAG, 12/27/19). Moreover, the city of Baltimore, Maryland sustained two ransomware attacks in 14 months (Kate Fazzini, CNBC, 08/20/19). Fig. 4 shows the defaced City of New Orleans website, which left citizens without some services and information.

Fig. 4. City of New Orleans Website Down (NOLA.gov, City of New Orleans, 12/23/19).


Foolish as it may sound, local governments are more frequently opting to pay the ransom rather than rebuild their systems. After seeing Atlanta spend $2.6 million in 2018 to restore its systems rather than pay the $52,000 ransom (Lily Hay Newman, Wired, 04/23/18), many officials have decided that it’s cheaper to pay the hackers. One researcher confirmed this as follows: ‘“These government organizations are not always well-equipped on cybersecurity concerns, which makes them easy targets,” said Kevin Latimore, enterprise malware removal specialist for security software provider Malwarebytes. “Not only do they have the potential to pay, but they are a soft target”’ (Alfred Ng, CNET, 12/05/19). More examples include Lake City, Florida, which paid hackers $426,000 in Bitcoin, and Riviera Beach, Florida, which paid $600,000 in Bitcoin in 2019. Much of this will be covered by their cyber insurance, but it complicates future payouts, making denials and premium increases more likely (Scottie Andrew and Saeed Ahmed, CNN, 06/27/19).

For the coming year, this means local governments need to harden their networks, better train their staff, and hire private-sector talent. If they have paid a ransom once, they should expect and prepare for another attack soon, yet this should not rush the onboarding of new vendor tools, as vendors still need to be risk assessed. They should also outsource key IT tasks when they cannot meet the required service or security level themselves. Lastly, paying a ransom is not a long-term solution: it increases the likelihood of another attack, and there is no guarantee the attackers have not also copied your data.

3) Insurance Companies Paying Ransoms Are Likely Encouraging More Attacks for Profits:

When organizations have cyber insurance, they are more likely to pay ransom demands. This results in ransomware being more profitable than it would otherwise be and thus incentivizes more well-funded attacks (Emsisoft Malware Lab, 12/12/19). Yet if insurance companies did better due diligence reviewing prospect customer cyber risk processes, tools, SOC reports and the like — there would likely be less grounds for claims denials and fewer simple claims like ransomware, etc. In some cases, the customer is incented to prove their cyber due diligence to justify a favorable risk rating and lower insurance premiums. However, the rigor of this due diligence is inconsistently applied in favor of sizeable companies where more dollars and complex risk exists. Yet can you imagine being a large insurance company asking a government entity for any documentation like this… it might be difficult. Even small county governments often have many unhelpful bureaucrats who are overconfident thus choking the needed risk management process. Private companies have the same issue, but they have less bureaucratic insulation. Overall, better public-private partnerships are needed.

This year we confirmed that cyber liability insurance risk assessment is still a contradictory mess. The carriers are profit-driven and often confuse customers about what a policy means, especially small and medium-sized businesses that are not tech-focused. The risk assessment standards are immature, not organization-specific, and outdated relative to current technology. If ransomware incentivizes cyber insurance, then what about the likely situation where an organization gets hit with ransomware, the carrier pays it less the deductible, and then the attackers demand a second payment? Carriers, adjusters, risk assessors, and even companies have not thought this through well enough. Most likely the carrier will deny the second payment demand, often in tandem with costly litigation.

Whatever the size of your organization, you should undergo strict security reviews in the insurance underwriting process. If the carrier asks little or nothing about your technology or security, you might as well not pay for the coverage, because it is weak at best. Whatever risk diligence is completed in underwriting the coverage, you should not publicly disclose that you have such coverage, because cyber extortionists could then view you as a target. Cyber insurance should not be considered an alternative to an adequately funded and resourced security program; rather, it is a failsafe. Our related article from this summer, 10 Things IT Executives Must Know About Cyber Insurance!, clarifies some of these complexities.

Fig. 5. Cyber Security Spending Greatly Outpaces Cyber Insurance Spending, (Gartner, Munich Re, Microsoft, Marsh, 2019)


Lastly, we observed that cyber insurance spending did not grow as fast as cybersecurity spending from 2018 to 2019, and for 2019 to 2020 there is an estimated $116 billion difference (Fig. 5). This trend is generally good, because you cannot insure away what you have not built securely in the first place. In physical security terms, it would be like a bank that often leaves its doors and windows wide open wanting robbery insurance while effectively inviting robbery. Of course, this is far more complicated in cyberspace, and insurance companies and risk assessors are moderately speculative at best. We anticipate more partnerships with tech-savvy insurance brokers in 2020, more cyber insurance training, and perhaps new FinTech insurance startups that can reduce risk and drive efficiencies while legislators and large companies catch up.

4) Mobile Ecosystem Security Considerations Multiply:

Since the release of the first iPhone in 2007, the appification of everything has become the norm. Since computing power and memory on smartphones nearly double about every two years (Gordon Moore’s Law, 1958), the information security risk on these devices grows more complicated and multiplies with each new app installed.

Here are some recent top metrics from one independent blog study (Ian Blair, BuildFire, 2019):

  1. There are 2.8 million apps available for download on the Google Play Store — More apps equals more risk exposure.
  2. The Apple App Store has 2.2 million apps available for download.
  3. Mobile apps are expected to generate $189 billion in revenue by 2020.
  4. 49% of people open an app 11+ times each day.
  5. 21% of Millennials open an app 50+ times per day.
  6. 57% of all digital media usage comes from mobile apps.
  7. The average smartphone owner uses 30 apps each month — Touching many or all of the mobile ecosystem components in Fig. 6. — Thereby increasing complexity.

Fig 6. Mobile Ecosystem Components (Rohit Kumar, 2019).

The Apple App Store has a closed API (application programming interface) and thus fewer apps, unlike the Google Play Store, which has an open API and more apps. Thus, in prior years Apple’s App Store was regularly perceived as more secure than Google’s Play Store. However, in the fall of 2019, a reported 18 malicious apps were able to bypass Apple’s vetting system. Wired described it as follows: “It started small. Wandera’s security software flagged some unusual activity on a client’s iPhone. A lone speedometer app had made unexpected contact with a so-called command and control server, which had previously been identified as issuing orders to ad fraud malware in a separate Android campaign. In other words, the app had gone rogue” (Brian Barrett, Wired, 10/25/19).

Although the new iPhone 11 has no CPU power increase over the prior version, the new Samsung Galaxy S 11 includes a CPU that raises the bar in some ways for both phones. The new CPU is the Qualcomm Snapdragon 865 and will ship with the new Galaxy S 11 in 2020. This CPU is 5G-enabled while older chips are not. It also supports up to 8K HD video, an ultra-high resolution that translates into very large files (Jessica Dolcourt, CNET, 12/19/19). This enables better video chat, HD gaming, and professional-level photo capabilities.

Additionally, the Snapdragon 865’s two-finger biometric unlocking feature has been improved for the Galaxy S 11, thereby challenging the new iPhone 11. The CPU’s 3D Sonic Max fingerprint reader is large enough to register two fingers, as one commentator detailed: “This means it’s faster to unlock, and more secure when matching up more unique data points in the form of the ridges, valleys, and pores unique to your fingers. On phones, you might get the option to set up one or two-finger unlocking, or perhaps choose to use dual-finger authentication for mobile payments only, or select apps like your banking app” (Jessica Dolcourt, CNET, 12/19/19).

Faster CPUs in the mobile ecosystem mean there is more room for malvertising, rootkits, viruses, and other exploits to hide. Combined with the increasing number of apps users download and the permissions they grant them, this complexity increases privacy and security risk. There is a very fine line between a hacked system and consented-to app permissions, yet most users have few details on what this means or even how many apps they have on their mobile devices.

For 2020, we see education and awareness around the review and removal of non-essential mobile apps as a top priority, especially for mobile devices used separately or jointly for work purposes. This begs the questions: 1) what is the best BYOD (bring your own device) policy, and 2) what is good containerization to separate company apps from personal-use apps? This requires better understanding of geolocation, QR code scanning, in-text ads, micropayments, Bluetooth, geofencing, readers, and HTML5. It thus goes without saying that we feel more holes will be exposed in BYOD tools and policy as they gain more adoption in 2020.

5) Cloud Adoption Raises Privacy and Compliance Concerns:

Cloud computing grew in 2019 and is expected to keep growing in the coming years. Many industries are opting for cloud computing because it is less costly than on-premises and the service quality is generally better. This especially applies to small and medium businesses that often lack the technology resources to build their own infrastructure. According to one study, “83% of enterprise workloads will be in the cloud by 2020” (LogicMonitor, 2019). As a result, many industries are increasing their investment in cloud computing, and costs are likely to go down as cloud providers improve; the services are being democratized via niche cloud service tool startups. At present, “50% of enterprises spend on average $1.2 million on cloud services annually” (LogicMonitor, 2019).

Although cloud computing might seem cheaper than on-premises solutions, it has downsides when it comes to security and privacy. Moving to the cloud means accepting the risk of having your data in someone else’s warehouse. Of course, the service level agreement and vendor risk assessment compliance documents will address most of this, but not comprehensively, because cloud vendors are selective about what they disclose to customers in their annual or quarterly vendor risk review; they are protecting their own privacy and the privacy of their many other clients where shared infrastructure is involved. If you want complete privacy and control, build your own cloud, but accept the higher cost.

Fig. 7. Public Cloud Challenges Influencers Survey (LogicMonitor, 2019).

The above survey by the vendor LogicMonitor confirmed that security, governance and compliance, and privacy were the top challenges in 2019. We think these challenges will hold steady in 2020, while costs will likely decrease for basic use cases. If organizations continue to struggle to find cloud-trained employees, vendor lock-in will worsen, which is bad from a failover perspective. We think organizations should spend more on cloud-trained staff. They should also make sure they select more than two or three cloud providers, all separate from one another. This helps staff get cross-trained on different cloud platforms and add-ons, but it also mitigates risk and makes vendors bid more competitively.

6) Supply Chain Cyber Security Threats Increase:

All organizations depend on other entities for goods and services: manufacturers, distributors, marketers, attorneys, drivers, resellers, software providers, accountants, and more. The flow of this from start to finish is called the supply chain, and vendor management is the biggest part of it. As a result, it becomes challenging for organizations to identify and assess the security of every vendor they do business with. In fact, “at least 59% of organizations have suffered from cyberattacks through third-party companies” (Olivia Scott, Supply Chain Brain, 10/09/19). Depending on the vendor and the connection point there may be more or fewer steps. More steps increase complexity and often decrease transparency, which in turn often increases risk.

Every aspect of the supply chain has an internet-connected component, from UPS package scanners to invoice creation, inventory management, quality control, and more. Vendors who say or suggest they are not internet-connected are usually wrong, because they have overlooked something such as utility applications, HVAC applications, coffee machine apps, navigation apps, payment processing apps, or their own 3rd parties that have access to customer data via the vendor.

People often need clarification on what a 4th party vendor is: the vendors that your 3rd party vendor contracts with to meet your needs. With a 4th party vendor, you will have less insight into their infrastructure and processes, if any. Most likely any risk documentation you get from them will come via your 3rd party vendor. A lot of misinformation and hidden risk lives here. Vendor managers need good communication skills and business tact to deal with this.

In the context of cybersecurity, the supply chain poses a growing threat because most of the parts of our computers and smartphones, including the software used to run these machines, are made in other parts of the world. For example, iPhone chips are made by Taiwan Semiconductor Manufacturing Company (TSMC), which works with other vendors for even the smallest of components in a highly complex supply chain, acting as both manufacturer and assembler. If there is a security hole in one of the iPhone components, the customer, Apple, may not be the first to know, because TSMC or its 3rd and 4th party vendors may not know about it or may not disclose it. This negatively impacts Apple and iPhone users.

Observing this paradox, security pioneer Bruce Schneier stated, “the computers and smartphones you use are not built in the United States. Their chips aren’t made in the United States. The engineers who design and program them come from over a hundred countries. Thousands of people have the opportunity, acting alone, to slip a backdoor into the final product” (Bruce Schneier, New York Times, 09/25/19). Thus the supply chain path needs to be scrutinized for security compliance regularly, especially in the context of large-scale hardware manufacturing for data-centric products like smartphones, cars, computers, and medical devices — few devices are not data-centric these days.

In sum, the supply chain is here to stay, because organizations need to collaborate with one another to conduct their business efficiently. According to the Ponemon Institute, 3rd party misuse was the second-biggest security threat in 2019 (Olivia Scott, Supply Chain Brain, 10/09/19). Yet we need a reminder that the supply chain is no longer merely transportation and inventory management, even for a goods and services company like a small construction company with no website. We need to rethink the supply chain as more digital and more data-centric than we did in prior years. It is part of core business operations.

Thus, supply chain security should be a top priority for organizations in 2020, with a focus on 3rd party risk ranking and 4th party identification. Lastly, big entities like governments and corporate conglomerates, which interact with many different internal organizations, would be well advised to treat their own internal procurement process as an “external supply chain” in order to improve training and internal defenses; they are often their own worst enemy.
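As an added worked example for the 4th party definition above and for the 3rd party risk ranking recommended here (this is not the authors’ method or any particular framework’s scoring), the following Python models a constructed vendor inventory in which each 3rd party lists its own subcontractors. It walks that graph to identify 4th (and deeper) parties, flags downstream vendors from whom no security assessment was received, and ranks the directly contracted vendors by a score that inherits half of the worst downstream score, reflecting the reduced visibility described above. The vendor names, attribute scales and weights are assumptions.

```python
"""Identify 4th-party vendors from a vendor dependency graph and rank 3rd parties
by a risk score that inherits exposure from their subcontractors."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Vendor:
    name: str
    data_access: int   # 0 = no access of ours ... 3 = regulated or customer data
    criticality: int   # 0 = easily replaced ... 3 = business-critical
    assessed: bool     # True if we hold a current security assessment (SOC report etc.)
    subcontractors: list = field(default_factory=list)  # vendors this vendor relies on


# Constructed inventory (hypothetical names). Only the vendors in DIRECT are
# contracted by us; everything reachable below them is a 4th party or deeper.
VENDORS = {
    "payroll-saas":  Vendor("payroll-saas", 3, 3, True, ["cloud-host-a", "email-relay-b"]),
    "hvac-monitor":  Vendor("hvac-monitor", 0, 1, False, ["iot-backend-c"]),
    "legal-firm":    Vendor("legal-firm", 2, 2, True, []),
    "cloud-host-a":  Vendor("cloud-host-a", 3, 3, True, []),
    "email-relay-b": Vendor("email-relay-b", 2, 2, False, ["cloud-host-a"]),
    "iot-backend-c": Vendor("iot-backend-c", 1, 1, False, []),
}
DIRECT = {"payroll-saas", "hvac-monitor", "legal-firm"}


def downstream(name, vendors):
    """All vendors reachable through `name`'s subcontractor chain (breadth-first, cycle-safe)."""
    seen, queue = set(), deque(vendors[name].subcontractors)
    while queue:
        sub = queue.popleft()
        if sub in seen:
            continue
        seen.add(sub)
        queue.extend(vendors[sub].subcontractors)
    return seen


def fourth_parties(direct, vendors):
    """Map each directly contracted vendor to the set of 4th (and deeper) parties behind it."""
    return {name: downstream(name, vendors) for name in direct}


def inherent_score(v):
    """Exposure from the vendor itself: data access x criticality, plus 2 if unassessed."""
    return v.data_access * v.criticality + (2 if not v.assessed else 0)


def risk_score(name, vendors, _visiting=frozenset()):
    """Inherent score plus half of the worst subcontractor score (assumed 0.5 discount)."""
    v = vendors[name]
    score = inherent_score(v)
    if name in _visiting:          # cycle guard: do not inherit back into ourselves
        return score
    visiting = _visiting | {name}
    sub_scores = [risk_score(s, vendors, visiting) for s in v.subcontractors]
    if sub_scores:
        score += 0.5 * max(sub_scores)
    return score


def rank_vendors(direct, vendors):
    """Directly contracted vendors ordered from highest to lowest inherited risk."""
    return sorted(((n, risk_score(n, vendors)) for n in direct), key=lambda x: (-x[1], x[0]))


def unassessed_downstream(direct, vendors):
    """Downstream vendors for which no assessment exists: the 'hidden risk' to chase via the 3rd party."""
    return {n: {s for s in downstream(n, vendors) if not vendors[s].assessed} for n in direct}


if __name__ == "__main__":
    for name, score in rank_vendors(DIRECT, VENDORS):
        print(f"{name:14} risk={score:5.2f} 4th parties={sorted(fourth_parties(DIRECT, VENDORS)[name])}")
    print("unassessed downstream:", unassessed_downstream(DIRECT, VENDORS))
```

In this constructed inventory the payroll provider ranks first even though its own assessment is in hand, because an unassessed email relay sits beneath it with access to the same data. That is the practical point of 4th party identification: the remediation request goes to the 3rd party, but the ranking has to account for what it cannot show you.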

About the Authors:
Mamady Konneh and Jeremy Swenson 2020
Mamady Konneh (left) is a senior information security professional, speaker and mentor with 10+ years of relevant experience in security, risk management, and project management in the healthcare, finance, and retail industries. He is a dynamic team player who leads by taking initiatives in developing efficient risk mitigation and situational awareness tactics. He is proficient at assessing the needs of the business and providing the tools to resolve challenges by enhancing the business process. He holds an MSST (Master of Science in Security Technologies) degree from the U of MN where he researched global I.D. card best practices for the country of Guinea.

Jeremy Swenson (right) is a senior IT consultant, writer, and speaker in business analysis, project management, cyber-security, process improvement, leadership, music, and abstract thinking. He has been employed by or consulted at many banks, insurance companies, retailers, healthcare orgs, governments, and so on over 14 years. He has an MBA from St Mary’s University of MN and an MSST (Master of Science in Security Technologies) degree from the U of MN.

Cybersecurity Firm Imperva Discloses Data Breach

Imperva, formerly Incapsula, disclosed on 08/27/19 a data breach impacting many of its customers. The company focuses on cyber-security, DDoS mitigation, and consulting, heavily via its cloud web application firewall (WAF).

Fig. 1. Imperva, 2019.

The breach was discovered on 08/20/19 via a third party. Unfortunately, the exposure goes back to 09/15/17, which means they were compromised, at least in part, for more than two full years! Clearly, this is evidence of poor internal controls. The exposed data includes customer email addresses and hashed and salted passwords, and, for a subset of the affected accounts, API keys and customer-provided SSL certificates.

Don’t count on cyber security and software firms to be more secure than any other type of company. This breach is likely to negatively impact sales and product design, and it will trigger a few investigations and at least one lawsuit. Additionally, the insurance claim question is a loaded one and is dependent on how much due diligence the company did before the breach.

To learn more about how to stop data breaches like these at your organization, consider attending the Cyber Security Summit this fall.

  • The Ninth Annual Cyber Security Summit, “Pushing the Cyber Security Envelope,” takes place Oct. 28-30, 2019, at the Minneapolis Convention Center in Minneapolis, Minn.
  • The Summit has given awards to top leaders in industry, government and academia since 2015. However, for 2019 the awards program was expanded to include a wider array of visionaries.
  • New this year: Women in Cyber, PLUS 16 Tech Sessions, along with Healthcare & Med Device Cyber Security. Check out this Star Tribune piece from Summit co-chair Catharine Trebnick and colleague Kyle Bauser on this very important topic.
  • To stay up to date on the Summit and top cyber security issues, follow the Cyber Security Summit on social media: Twitter, Facebook, LinkedIn, YouTube. Follow the hashtag #cybersummitMN for the latest conversations on this top matter.

As Summit co-founder Eileen Manning stresses in a well-circulated cover story for Upsize Magazine, cyber security is fundamental for small businesses that work with larger companies, which require it – not to mention for pure survival.

Data breaches like the one at Imperva are likely to increase, so interested parties should come together to learn, debate, and flesh out solutions for a more secure future!

10 Things IT Executives Must Know About Cyber Insurance!

Most organizations view IT as a cost center that generates business data, which is increasingly used to make business decisions. As a result, these assets need to be vigorously protected from both internal and external threats. Cyber liability insurance is an undeniable but imperfect way to protect these assets.

  1. Cyber Liability Insurance Defined:
    • Cyber liability or data breach liability insurance is designed to reduce the risk of civil litigation and other penalties after a hack or data breach occurs. It helps cover the costs of public relations, identity protection solutions, forensic investigation, legal work, and more depending on the coverage you select.
      • Business interruption is the most common type of loss from a cyber incident.
    • You want data breach coverage in place because fast action is required to help restore the public’s confidence if your business is victimized by a hack or data breach.
      • Note: each carrier and industry will define it uniquely.

  2. Executives and Managers Have a Heightened Duty to Protect Systems and Data – No Exceptions:
    • Boardrooms are concerned with comprehensive information security, data protection, brand reputation, broad management liability and compliance.
    • Senior executives realize that the decisions they make impact shareholders and stakeholders; and that they can be held responsible for a hack or breach.
    • It is essential that IT teams provide the board with real-time compliance and information security status, so they can assess the current cyber risk profile (changes often) to make well-reasoned fact-based decisions.
    • One of the risk transfer decisions is how much cyber insurance to have, then selecting the correct endorsements and exclusions based on the industry, other insurance coverages, prior events, and the like.
    • Observing this complexity, IT and business executives need to understand cyber insurance and what role they play in defining cyber coverage. IT involvement is a critical aspect of the organization’s overall cyber risk management strategy for digital and even physical assets.

  3. Your Assets, Risks, and Needed Coverages Must be Detailed and Ongoing:
    • What are your company’s greatest assets – including in hidden areas?
      • Have you had any bad events, business or technology related?
        • Were they documented and reported?
        • They could impact current coverage and future coverage.
      • What concerns keep you up at night, or consume more than their share of your attention in the day?
    • What are your key processes? 
      • Do you have any procedures that are not tied to computers?
      • What is the 15% of your business that is not central to the operation, but is crucial because it distinguishes your company from others and opens the door for more clients to new markets? 
    • Are your backup systems in place and ready to be activated at a moment’s notice?
    • Do your insurance coverages, business or technology related, match your risks and cover your assets?

  4. General Liability Coverage Won’t Cover Data Breaches and Hacks:
    • Cyber insurance is almost always excluded from general liability policies unless you pay extra for and specifically define your cyber coverage needs.
    • Keep in mind most general business liability insurance policies and terms were drafted before hacking was invented so they are by default behind the technology. Most often general liability business insurance covers bodily injuries and property damage resulting from your products, services or operations.
      • Many business owners overstate the risk of a workplace slip and fall injury and fail to adequately quantify cyber risk at all because it is a newer digital risk and you can’t see or touch it.

  5. Cyber Liability Insurance Typically Covers Both First-Party and Third-Party Losses:
    • First-party losses include the breach response costs a company would incur to notify and communicate with the people impacted by a breach, conducting forensic analysis, hiring legal counsel and a crisis management team.
    • First-party cyber coverage may also pay for the loss or restoration of digital or network assets, trade secrets, intellectual property and business interruption expenses.
    • First-party coverages are often subject to a deductible.
      Fig. 1. Hartford Cyber Liability Coverages, Terms, and Exclusions Generally.
    • Cyber extortion (Ransomware) is another first-party coverage that pays the costs to terminate incidents in which criminals hold (or threaten to hold) a company’s network hostage in exchange for a ransom.
    • Many policies cover income you lose and extra expenses you incur to avoid or minimize a shutdown of your business after your computer system fails due to a covered peril. The perils covered may be the same as those covered under Damage to Electronic Data. The loss of income and extra expense coverages afforded under a cyber liability policy differ from those provided under your commercial property policy.
    • Network security liability insurance covers lawsuits against you due to a data breach or to the inability of others to access data on your computer system. Coverage may apply if the data breach or inability to access your system is due to a denial of service attack, a virus, malware or unauthorized access and use of your system by a hacker or rogue employee. Policies may cover lawsuits alleging that you failed to adequately protect data belonging to customers, clients, employees or other parties.
    • Network privacy liability insurance covers lawsuits based on allegations that you failed to properly protect sensitive data stored on your computer system. The data may belong to customers, clients and other parties. Some policies cover liability arising from the release of private data (such as social security numbers) belonging to your employees.
    • Electronic media liability insurance covers lawsuits against you for acts like libel, slander, defamation, copyright infringement, invasion of privacy or domain name infringement.

  6. Providing Timely Notice of Claim Is Key:
    • Claims-made coverage responds when a “claim,” as defined in the policy, is first made against an insured, irrespective of when the underlying incident occurred. Discovery-triggered coverage responds when the insured develops a reasonable belief that a first-party loss potentially covered by the policy may have occurred, even if the nature and extent of the loss are unknown (Jeanne Deni and Andrew Moss, 2019).
    • Notice is generally required as soon as practicable after a claim is made or loss discovered, and policies may require that notice be received during the policy period. In addition to timely notice, some cyber policies may require a sworn proof of loss statement within 90 to 180 days after discovery of certain first-party losses.
      • It is thus critical that company personnel in a position to detect potentially covered claims or losses have a working understanding of the scope of coverage and how it is triggered so that information is promptly communicated to management responsible for notifying the company’s insurance carriers. Notice should also be given to any excess insurers at the same time as the primary. (Jeanne Deni and Andrew Moss, 2019).

  7. Pre-Select Breach/Hack Counsel and Vendors:
    • Normally cyber insurance policies require underwriter approval of the use of breach/hack vendors. (FSSCC, Cyber Insurance Buying Guide, 2016).
    • Pre-selection is critical because the last thing an organization should be worried about is whether their insurance provider will approve their selected breach counsel and forensics firm. It also helps you document your incident response plan (Financial Services Sector Coordinating Council, Cyber Insurance Buying Guide, 2016).

      Fig 2. You Should Be Scared If you Have Not Planned For This, Stock, 2019.
  8. Prepare for Likely Coverage Exclusions/Sub-limits:
    • Portable Electronic Device Exclusion
      • If the device leading to a cyber breach is portable, many policies could exclude coverage completely for any resulting loss (Financial Services Sector Coordinating Council, Cyber Insurance Buying Guide, 2016).
    • Intentional Acts Exclusion
      • What is intentional and by whom is highly confusing, and what about mere negligence viewed as intentional – easy denial case for the carrier.
      • A crime or fidelity policy generally covers first-party loss to the Insured even where such loss is caused by the Insured, while liability policies generally provide for damages or losses the Insured causes to a third party (Financial Services Sector Coordinating Council, Cyber Insurance Buying Guide, 2016). Most cyber insurance policies do not adequately provide for both first-party and third-party loss. For example, liability policies typically exclude coverage for damages or losses intentionally caused by an Insured. Thus, if an employee accidentally caused a cyber breach, the resulting loss would be covered (either under a general liability or umbrella policy that does not exclude cyber perils or under a stand-alone cyber policy). However, if a different employee caused the exact same cyber breach intentionally, the resulting loss would be denied under a general liability policy if this exclusion is present (Financial Services Sector Coordinating Council, Cyber Insurance Buying Guide, 2016).
    • Nation/State, Terrorism, Cyber Terrorism Exclusions/Acts of God
      • Acts of God exclusions can result in coverage being precluded simply based on who or what caused the breach to occur. For example, if a terrorist attack resulted in an explosion at an organization’s facility or a tornado caused massive damage to an organization’s power source, the resulting losses may not be covered under a standard cyber policy. Fundamentally, companies expect cyber insurance to cover their losses whenever a cyber breach happens, regardless of who caused it or why.
    • Negligent Computer Security Exclusion
      • Some policies exclude coverage if data is unencrypted or if the Insured has failed to appropriately install software updates or security patches.
    • Data on unencrypted devices or BYOD
      • Some policies do not cover devices that are unencrypted or non-company-owned devices.
    • Territorial limits
      • Some coverage is limited only to incidents that occur in the United States and an organization may need additional coverage depending on where data is stored.
    • Sub-limits
      • Many policies also have sub-limits that may apply for things like breach notification costs, forensic expenses, credit monitoring costs, business or Post-Breach Services. Some insurers are starting to partner with cybersecurity specialists to assist customers who experience a cyber breach with forensic investigations, proactive incident response strategies, and training as they realize the benefit both to the customer and themselves in responding as quickly and efficiently as possible to a cyber breach to keep resulting costs, claims, and damages as low as possible.

  9. Insurance Companies Tend to Deny Cyber Liability Issuance or Claims Coverage When One or More of These Items Are Present:
    • Inadequate cybersecurity testing procedures and audits.
      • It should be independent and auditable.
    • Inefficient processes to stay current on new releases and patches.
      • Patch management should be based on a qualitative and quantitative method.
    • Inadequate cyber incident response plans.
      • It must be detailed, written, up to date, and it must have been practiced.
    • Inadequate backup processes and recovery procedures.
      • This assumes you have a data classification scheme and network segmentation.
      • This requires that you have tested the speed of your back up.
    • Inadequate policies concerning the security of vendors and business partners.
      • How you measured their risk and criticality to your business
        • Then put mitigating controls in place or cut the vendor.
    • Poor-quality security software and employee training.
      • Training on phishing, social engineering, and acceptable use of company data and technology.
    • Lack of adherence to a published security standard.
      • Your policies and procedures should generally conform to the standard that most closely fits your industry and company.
        • COBIT 5, NIST CSF, ISO 27001, etc.

  10. Evaluating Cyber Liability Carriers:
    • The way to compare carriers is via their A.M. Best rating, time in business, market share, S&P credit rating, industries excluded from coverage, premium cost, and amount of premium written.
    • You can also ask a broker for their assessment since they get feedback from many clients, etc.
    • Also, consider the country of legal jurisdiction.
    • Here are two carrier examples below.
    1. Chubb Insurance of Switzerland (Cynthia Harvey, eSecurity Planet.com, 11/09/18)
      • The world’s largest publicly traded property and casualty insurance company and the largest commercial insurance provider in the United States.
      • The company launched its first “cyber risk” product in 1998.
      • Direct premiums written: $316.3 million
      • Market share: 17.0 percent
      • S&P rating: AA
      • A.M. Best rating: A++ (Superior)
      • Most risk classes eligible for at least $10 million in limits; maximum capacity of $100 million available through Chubb’s Global Cyber Facility.
      • Cyber Insurance product descriptions
        • Enterprise Risk Management (ERM) product is for large organizations in a wide array of industries.
        • DigiTech ERM offers enhanced protection tailored to the needs of technology companies, consultants and systems integrators, data processors and software developers. Integrity+ offers separate policies for claims made by customers, vendors, suppliers and other third parties.
        • ForeFront Portfolio 3.0 is tailored for private companies and includes crime insurance, kidnap ransom and extortion insurance, workplace violence expense insurance, and several other kinds of insurance, in addition to cyber insurance.
    2. Beazley Insurance of London (Cynthia Harvey, eSecurity Planet.com, 11/09/18)
      • This insurance company offers marine, political, accident and contingency, property, reinsurance (insurance for insurers) and specialty products, which includes its cyber insurance business.
      • Founded in 1986, it is headquartered in London and does business in the U.S., Europe, Canada, Latin America and Asia. In 2018, it won multiple awards including Launch of the Year for Beazley Smart Tracker, Risk Carrier of the Year, Innovative Initiative for Weather Guard, Insurance CEO of the Year and Insurer of the Year.
      • Direct premiums written: $95.0 million
      • Market share: 5.1 percent
      • S&P rating: A+ (Strong)
      • A.M. Best rating: A (Excellent)
      • Limits: Up to $15 million with BBR, but additional coverage is available through BBR Boost.
      • Beazley has been providing cyber insurance since 2009.
      • Product description
        • Beazley calls its cyber insurance Beazley Breach Response (BBR). The company claims that it offers 360-degree protection against all cyber risks. That protection includes BBR Services, a business unit dedicated to helping organizations manage their response to incidents. It includes forensics experts, specialized lawyers and public relations professionals who can help organizations address breaches. Through a partnership with Lodestone Security, it also offers pre-breach services.

Lastly, we will be doing a cyber liability podcast to talk through these items in detail soon. See our podcast here.

By Greg Coon, Tim Olish, and Jeremy Swenson (Lead Writer & Editor).

© Abstract Forward Consulting, LLC. 2019. All rights reserved. Contact us here.

Disclaimer: This article does not represent the views of former or current employers and / or clients. Non-public information will not be disclosed. Information obtained in this article may be materially out of date at or after the time of the publication. This article is not legal, accounting, audit, health, technical, or financial advice.

Five Unique Tech Trends in 2018 and Implications For 2019

By Jeremy Swenson, MBA, MSST and Angish Mebratu, MBA.

Every year we like to review and comment on the most impactful technology and business concepts from the prior year, those that are likely to significantly impact the coming year. Although incomplete, these are five areas worth addressing.

5. 5G Expansion Will Spur Business Innovation

Fig. 1. 1G to 5G Growth, Stock, 2018.

2018 was the year 5G moved from hype to reality, and it will become more widespread as the communications supply chain adopts it in 2019. 5G is the next iteration of mobile connectivity, and it aims to be much faster and more reliable than 4G, 3G, etc. Impressively, data speeds with 5G are 10 to 100 times faster than 4G. The benefits of this include enabling smart IoT-connected cities, seamless 8K video streaming, improved virtual reality gaming, self-driving cars that communicate with each other without disruption (thereby enhancing safety and reliability), and improved virtual reality glasses (HoloLens, Google Glass, etc.) that provide a new way of looking at the world around us.

As emerging technologies such as artificial intelligence (AI), blockchain, the Internet of Things (IoT), and edge computing — the practice of processing data near the edge of the network where the data is being generated, rather than in a centralized data-processing repository — take hold everywhere, 5G can offer the advancements necessary to truly take advantage of them. These technologies require 5G's bolstered data transfer speeds, interoperability, and improved reliability. Homes will get smarter, hospitals will be able to provide more intelligent care, the Internet of Things will go into hyperdrive — the implications of 5G are massive. Most importantly, 5G has much lower latency, thereby enabling futuristic real-time application experimentation.

“There’s no doubt that much of the recent 5G activity has been focused on investments from service providers and equipment manufacturers,” said Nick Lippis, co-founder and co-chairman of the Open Networking User Group. “However, more IT leaders are starting to make plans for 5G, which includes determining its impact on their data center architecture, procurement strategies and the solutions they’ll roll out” (Kym Gilhooly, BizTech, 11/08/18).

AT&T is one of the leaders in 5G distribution, and as of 12/27/18 they have service up and running in these 12 cities: Atlanta, Charlotte, Dallas, Houston, Indianapolis, Jacksonville, Louisville, Oklahoma City, New Orleans, Raleigh, San Antonio and Waco (CNN Wire, 12/27/18). Verizon has a similar initiative in an earlier phase in some cities. Google has Google Fiber in some cities, but there is a lot of debate about whether it is better or worse than 5G – time will tell. More data and faster speeds drive more connected devices, which need security, data protection, and privacy — failure to protect them aggressively creates too much risk at high cost.

Fig. 2. Likely 5G Use Cases in 2020, Stock, 2018.

4. Browser/Device Fingerprinting Growth Will Spur Better PET (Privacy Enhancing Technologies)

Browser fingerprinting is a method by which websites gather bits of information about your visit, including your time zone, set of installed fonts, language preferences, some plug-in information, etc. (Bill Budington, Bennett Cyphers, Alan Toner, and Jeremy Gillula, Electronic Frontier Foundation, 12/22/18). These data elements are then combined to form a unique fingerprint that identifies your browser, and potentially more. The next step is to identify your specific device, and then you individually.

Fig. 3. Browser Finger Printing Data, Stock, 2018.

Device fingerprinting overcomes some of the inefficiencies of other means of customer tracking. Most notably, this includes cookies installed in web browsers, which businesses have long used to monitor user behavior when we visit their websites (Bernard Marr, Forbes, 06/23/17). Employers do this at a much more invasive level, but the pay is the tradeoff. Yet when employees use their own mobile device for work-related things, protection of their personal data is best achieved via data containerization tools like AirWatch and Centrify. Even on these devices, the problem is that cookies can be deleted whenever we want. It’s relatively easy for us to stop specific sites, services or companies from using them to track us — depending on how technical we are. “Device fingerprinting doesn’t have this limitation as it doesn’t rely on storing data locally on our machines, instead, it simply monitors data transmitted and received as devices connect with each other” (Bernard Marr, Forbes, 06/23/17).

This type of data exploitation, even with the user’s consent, allows for more complexity and thus higher malware or SPAM/advertising risk. Antivirus makers are challenged to stay ahead of these exploits. The GDPR (General Data Protection Regulation) unequivocally states that this kind of personal data collection and user tracking is not permitted to override the “fundamental rights and freedoms of the data subject, including privacy” and is, we believe, not permitted by the new European regulation (Bill Budington, Bennett Cyphers, Alan Toner, and Jeremy Gillula, Electronic Frontier Foundation, 12/22/18). The high courts will validate this over time.

Further complicating the matter are the terms of service on data-centric technology platforms such as Facebook, Twitter, LinkedIn, WordPress, Instagram, Amazon, etc. Their business models require considerable data sharing with third- and fourth-party business entities, who gather elements of specific user data and then combine them with other browser and device fingerprinting data elements, thus completing the dataset. All the while the data subject and interconnected entities are mostly clueless. This further complicates compliance and erodes privacy, but is great for marketers — many people appreciate that Amazon correctly suggests what they often desire. Yet that is not always a good thing, because this starts to precondition a person or a culture to norms at the expense of originality. In the past we saw tobacco companies do this unethically by targeting young people, and there are more examples — think for yourself.

This begs the question of who owns these datasets and at what point in their assembly, where they are stored, how they are protected, and to what extent informed consumers can opt out if practicable — observing that there will be some incidental data collection that has business protection. This paradox spurs competition and the growth of privacy enhancing technologies (PETs). Existing PETs include communication anonymizers, shared bogus online accounts, obfuscation tools, two- or three-factor authentication, VPNs (virtual private networks), I.P. address rotation, enhanced privacy ID (EPID), and digital signature algorithms (encryption) which support anonymity in that each user has a unique public verification key and a unique private signature key. Often these PETs are more useful when used with a fake account or server (honeynet). This attempts to divert and frustrate a potential intruder while giving the defender valuable intelligence.

Fig. 4. VPN Data Flow Diagram, Stock, 2018.

Opera, Tor and Firefox are leading secure browsers, but there is an opportunity for better security and privacy plugins for the Chrome (Google) browser, while VPN (Virtual Private Network) technologies should be used at the same time for added privacy. These technologies are designed to limit tracking and correlation of users’ interactions with third-party entities. Limited disclosure (LD) often uses cryptographic techniques (CT) that allow users to retrieve only data that is vetted by providers, so that the data transmitted to the third party is trusted and verified.

3. Artificial Intelligence Will Grow on The SMB (Small and Medium Business) and Individual Market

In the past, artificial intelligence (AI) has been primarily the plaything of big tech companies like Amazon, Baidu, Microsoft, Oracle, Google, and some well-funded cybersecurity startups like Cylance. Yet for many other companies and sectors of the economy, these AI systems have been too expensive and too difficult to roll out effectively. Heck, even machine learning and big data analytics systems can be cost- and time-prohibitive for some sectors of the economy, and certainly for the individual market in prior years. However, we feel the democratization of cloud-based AI and machine learning tools will make AI tools more accessible to the SMB and individual market.

Fig. 5. Open Source TensorFlow Math AI, Google, 2018.

At present, Amazon dominates cloud AI with its AWS (Amazon Web Services) subsidiary. Google is challenging that with TensorFlow, an open-source AI library that can be used to build other machine-learning software. TensorFlow was the machine learning behind Gmail's suggested smart replies. Recently Google announced Cloud AutoML, a suite of pre-trained systems that could make AI easier to use (Kyle Wiggers, Venture Beat, 07/28/18). Additionally, “Google announced Contact Center AI, a machine learning-powered customer representative built with Google’s Dialogflow package that interacts with callers over the phone. Contact Center AI, when deployed, fields incoming calls and uses sophisticated natural language processing to suggest solutions to common problems. If the virtual agent can’t solve the caller’s issue, it hands him or her off to a human agent — a feature Google labels “agent assist” — and presents the agent with information relevant to the call at hand” (Kyle Wiggers, Venture Beat, 07/28/18).

The above contact center AI and chatbots can both be applied successfully to personal use cases such as medical triaging, travel assistance, self-harm prevention, translation, training, and improved personal service. Cloud platforms and AI construction tools like the open source TensorFlow will enable SMBs to optimize insurance prices, model designs, diagnose and treat eye conditions, build intelligent contact center personas and chatbots, and much more as technology evolves in 2019.

2. Useful Big Data Will Make or Break Organizational Competitiveness

Developed economies increasingly use big data-intensive technologies for everything from healthcare decisioning to geolocation to power consumption, and soon the rest of the world will too. From traffic patterns to music downloads to web service application histories and medical data, it is all stored and analyzed to enable technology and services. Big data use has increased the demand for information management companies such as Oracle, Software AG, IBM, Microsoft, Salesforce, SAP, HP, and Dell-EMC — who themselves have spent billions on software tools and buying startups to fill their own considerable big data analytics gaps.

Fig. 6. Big Data Venn Diagram, Stock, 2018.

For an organization to be competitive and to ensure its future survival, a “must have big data goal” should be established to handle the complexity of the ever-increasing massive volume of both structured (rows and tables) and unstructured (images and blobs) data. In most enterprise organizations, the volume of data is too big, or it moves too fast, or it exceeds current processing capacity. Moreover, the explosive growth of Internet of Things (IoT) devices provides new data, APIs, plugins/tools, and thus complexity and ambiguity.

We know there are open source tools that will likely improve reliability in big data, AI, service, and security contexts in 2019. For example, Apache Hadoop is well-known for its capabilities for huge-scale data processing. Its open source big data framework can run on-prem or in the cloud and has very low hardware requirements (Vladimir Fedak, Towards Data Science, 08/29/18). Apache Cassandra is another big data tool, born out of Facebook around 2010. It can process structured data sets distributed across a huge number of nodes across the world. It works well under heavy workloads due to its architecture without single points of failure and boasts unique capabilities no other NoSQL or relational database has. Additionally, it features great linear scalability, simplicity of operations due to the simple query language used, constant replication across nodes, and more (Vladimir Fedak, Towards Data Science, 08/29/18).

For 2019, organizations should consider big data a mainstream quality business practice. They should utilize and research new tools and models to improve their big data use and applications — creating a center of excellence without being married to buzzwords or overly weak certifications that all too often squash disruptive solutioning. Lastly, these centers of excellence need to be dominated not by the traditional IT director overlords, but rather by the real people between the cracks who know more and have more creative ideas than these directors, who often build cliques of yes-men around themselves and who are often not the most qualified — great ideas and real leaders defy title.

1. Election Disinformation and Weak U.S. Polling Systems Harms Business and Must Be Fixed

The intersection of U.S. politics and media can at times be nasty, petty, selfish, or worse: outright lies and dirty smear campaigns run by shadow proxies who skirt campaign finance laws by being either a non-political policy advocacy group or, worse yet, a foreign-sponsored clandestine intelligence agency of an enemy of the nation whose only role is to disrupt U.S. elections, perhaps Russia-, North Korea-, or even China-affiliated groups.

Innovations in big data and social media, browser proxies and fiber optic cable, and 5G, in conjunction with the antiquated and insecure U.S. polling system, make election news and security complicated, fragile and highly important. At present, there are few people and technology companies that can help resolve this dilemma. For a state-sponsored hacker group, altering a U.S. election is the ultimate power play.

Respect for all parties is a must and disinformation of any type should not be tolerated. Universities, think tanks, startups, government, and large companies need to put time and money into experimenting as to how we can reduce disinformation and better secure the polling systems. The first step is public awareness and education on checking purported news sources, especially those from digital media. The second step is more frequent enforcement of slander laws and policies. Lastly, we should hold technology companies to high media ethics standards and should write to their leaders when they violate them. 

As for securing the polling systems, multi-factor authentication should be used, and voting should be done digitally via secure encrypted keys. If Amazon can securely track the world’s purchases of millions of products with way more data and complexity, and with service a moon shot better than your local state DMV (driver and motor vehicle) office, then the paper ballot and OCR (Optical Character Recognition) scanners need to go. There are many Android and iOS applications that are more secure, faster, and easier to use than the current U.S. polling system, and they are doing more complex things with more data that is changing at an exponentially faster rate. They were also made for less money. Shame on the U.S. OCR election system.

Business should not be afraid to talk about this, because, like a poisonous malware, it will spread and be used to easily run businesses out of business – often due to greed and/or petty personal differences. Examples of this include hundreds or thousands of fraudulent negative Yelp reviews, driving a competitor’s search rankings down or to a malicious site, redirecting their 1-800 number to a travel scam hotline, spreading false rumors, cyber-squatting, and more. Let 2019 be the year we stand to innovate via disruptive technologies for a more ethical economy.

About the Authors:

Fig. 7. Swenson and Mebratu.

Jeremy Swenson, MBA, MSST & Angish Mebratu, MBA met in graduate business school, where they collaborated on global business projects concerning leadership, team dynamics, and strategic innovation. They also worked together at Optum / UHG. Mr. Swenson is a seasoned (14 years) IT consultant, writer, and speaker in business analysis, project management, cyber-security, process improvement, leadership, music, and abstract thinking. Over 15 years Mr. Mebratu has worked with various Fortune 500 companies including Accenture and Thomson Reuters, and he is currently principal quality engineer/manager at UnitedHealthcare. He is also an expert in software quality assurance, cybersecurity technologies, and design and architecture of technology frames.

Nine Third Party Risk Management Tactics That Work Well!

In this increasingly complex security landscape with threat actors and vendors changing their tools rapidly, managing third-party risk is very difficult, ambiguous, and it’s even more difficult to know how to prioritize mitigation spend. Thus, it’s not surprising that a 2017 Ponemon Institute vendor risk management survey across many industries concluded that 17% of the participants were not at all effectively managing these security risks (Maureen McKinney, 2018).

Fig. 1. Third Party Risk Mgmt Inputs.

The key to any vendor risk management program or framework is measurement, repeatability, and learning or improving from what was repeated as the business and risks change. These are the nine best practices you can follow to help assess your vendors’ security processes and their willingness to understand your risks and collectively mitigate both of them.

1)    Identify All Your Vendors / Business Associates:
Many companies miss this easy step. Use RBAC (role-based access controls) when applicable – windows groups or the like. Creating a repeatable, written, compliance process for identifying them and making updates to the list as vendors move in and out of the company is worthwhile.

2)    Ensure Your Vendors Perform Regular Security Assessments:
Risk assessments should be conducted on a weekly, monthly, or quarterly basis and reviewed and updated in response to changes in technology and the operating environment.

At a minimum, security risk assessments should include:

a)  Evaluate the likelihood and potential impact of risks to in-scope assets.

b)  Institute measures to protect against those risks.

c)  Documentation of the security measures taken.

Vendors must also regularly review the findings of risk assessments to determine the likelihood and impact of the risk that they identify, as well as remediate any deficiencies.

3)    Make Sure Vendors Have Written Information Security Policies / Procedures:
a)  Written security policies and procedures should clearly outline the steps and tasks needed to ensure compliance delivers the expected outcomes.

b)  Without a reference point, policies and procedures can become open to individual interpretation, leading to misalignment and mistakes. Verify not only that companies have these written policies, but that they align with your organization’s standards. Ask other peers in your industry for a benchmark.

4)    Verify That Vendors Encrypt Data in All Applicable Places – At Rest, In Transit, etc:
a)  Encryption, a process that protects data by making it unreadable without the use of a key or password, is one of the easiest methods of protecting data against theft.

b)  When a vendor tells you their data is encrypted, trust but verify. Delve deeper and ask for details about different in-transit scenarios, such as encryption of backup and what type of backup. Ask them about what type of encryption it is and get an infographic. Most people get lost when you ask this question.

c)  It’s also imperative that the keys used to encrypt the data are very well-protected. Understanding how encryption keys are protected is as vital as encryption itself. Are they stored on the same server? Is multi-factor authentication needed to get access to them? Is there a time limit on how long they can have access to the key?

5)    Ensure Vendors Have A Disaster Recovery Program:
In order to be compliant with the HIPAA Security Rule and related rules, vendors must have a detailed disaster recovery program that includes analysis on how a natural disaster—fire, flood or even a rodent chewing through cables—could affect systems containing ePHI. The plan should also include policies and procedures for operating after a disaster, delineating employees’ roles and responsibilities. Finally, the plan should clearly outline the plan for restoring the data.

6)    Prioritize Vendors Based on Risk – Use Evidence and Input from Others – NOT Speculation:
a)  Critical Risk: Vendors who are critical to your operation, and whose failure or inability to deliver contracted services could result in your organization’s failure.

b)  High Risk: Vendors (1) who have access to customer data and have a high risk of information loss; and / or (2) upon whom your organization is highly dependent operationally.

c)  Medium Risk: Vendors (1) whose access to customer information is limited; and / or (2) whose loss of services would be disruptive to your organization.

d)  Low Risk: Vendors who do not have access to customer data and whose loss of services would not be disruptive to your organization.

7)    Ensure Access Is Based on Legitimate Business Needs:
It’s best to follow the principle of least privilege (POLP), which is the practice of limiting access rights for users to the bare minimum permissions they need to perform their work. Under POLP, users are granted permission to read, write, or execute only the files or resources they need to do their jobs. In other words, the least amount of privilege necessary. RBAC is worth mentioning here again.

Fig 2. RBAC Flow: Role Based Access Control In Action.

8)    Vet All New Vendors with Due Diligence:
a)  Getting references.

b)  Using a standard checklist.

c)  Performing a risk analysis and determining if the vendor will be ranked Critical, High, Medium or Low.

d)  Document and report to senior management.

9)    Ensure All Contracts Are Reviewed with Legal and Risk Counsel:
a)  Requirements to keep system and data secure per best practices and industry standards.

b)  Requirements to provide you access to audit documents.

c)  Confidentiality and privacy requirements – GDPR, CA, and NY privacy rules.

d)  Requirements to notify you of security breaches, incidents, and vulnerabilities. Quantify what these terms mean, as there is a lot of ambiguity depending on the industry and use case. Identify who decides whether something is an event or an incident.

e)  Requirements to undergo independent penetration tests and vulnerability assessments (scans).

Contact us here to learn more.

Eight Tips to Detect Crypto Mining Scams

Whether it’s Power Mining Pool today or Bitconnect yesterday, the crypto space is festering with parasitic scams and opportunistic swindlers. The conditions are ripe for them and there’s money to be made.

Fig. 1. BTCProMiner Free Scam research, 2018.

Among the dangers, Bitcoin mining scams are a tough one to identify and parting the good from the nasty can be tricky. Mining scams are wrapped up in an already technically demanding task of Bitcoin mining. They are billed as a consumer-friendly method for building exposure to Bitcoin mining, and when run like this, they really do provide value for investors looking to diversify.

Legit Bitcoin cloud mining pools are too often buried in search results and outranked by throngs of fly-by-night operations. Finding the legit pools can be a tall order and require sifting through Reddit posts and Bitcointalk forum entries. With that said, there are legit mining operations out there. As always, do your own research and stay skeptical as we settle and develop this wild frontier. For now, let’s take a look at what a crypto mining scam looks like to hopefully better prepare us to identify the key red flags.

What’s a Cloud Mining Pool?

A cloud mining pool is the most hands-off version of crypto mining you can get. They allow a participant to rent or lease hashing power not directly owned by themselves. The rented hashing power is then pooled and paid out proportionally to the members (after fees and operational costs).

A traditional mining pool instead requires participants to supply their own hashing power and pool it with other miners. The participant owns and operates their own hardware and contributes to the pool’s overall hashing power. The critical difference between a cloud mining pool and a traditional mining pool is the ownership of the hardware.

Cloud mining: you don’t own the hardware (hashing power).
Traditional mining: you own hardware (hashing power).

Why pool at all? In short, block rewards become more difficult to obtain as the overall hashing power of a particular blockchain increases. Take Bitcoin as an example. There was a time in Bitcoin mining when a standard CPU could mine whole blocks itself. Gone are those days. Bitcoin mining is now big business with plenty of stakeholders leveraging their resources into the security of the blockchain. Miners with serious hashing power make it improbable for small miners to reasonably expect block rewards. Their hashing power is just not enough to compete.

The solution: gather together all these smaller players and pool their hashing power. Miners in a pool no longer compete for blocks of their own, instead, they work together and proportionally share the booty.

What’s a Ponzi Scheme?

It’s theft, let’s just clear that up. If you’re in a Ponzi scheme you are either being robbed or doing the robbing yourself. A typical Ponzi scheme involves enticing participants to invest their money into a fund or investment strategy that has seemingly guaranteed returns. In reality, and with variation, the returns are not gained by real-world trading or superior business acumen. Instead, new investments into the fund are distributed among existing investors and represented as market returns.

Fig 2. General Ponzi Scheme Principles, 2018.
Ponzi schemes require a constant flow of new investment to keep the machine moving. Once things fall apart or new investment slows, the scheme is often revealed for what it is. In the world of crypto Ponzi schemes, a collapsing Ponzi scheme is followed by a hasty exit scam.

Case in point: “A New York federal court has ordered cryptocurrency hedge fund Gelfman Blueprint, Inc. (GBI) and its CEO Nicholas Gelfman to pay over $2.5 million for operating a fraudulent Ponzi scheme, according to an official announcement published Oct. 18. GBI is a New York-based corporation and denominated Bitcoin (BTC) hedge fund incorporated in 2014. As stated on the company’s website, by 2015 it had 85 customers and 2,367 BTC under management. The order is the continuation of the initial anti-fraud enforcement action filed by the U.S. Commodity Futures Trading Commission (CFTC) against GBI in September 2017. The CFTC charged GBI for allegedly running a Ponzi scheme from 2014 to 2016, telling investors that it had developed a computer algorithm called “Jigsaw” which allowed for substantial returns through a commodity fund. In reality, the entire scheme was a fraud” (, Cointelegraph.com, 10/19/18).

Keep in mind that Ponzi schemes thrive in times of economic expansion and speculative bubbles. Capturing collective optimism is pivotal to its success. Bitconnect is a choice example of the market fervor getting the best of investors.

Identifying the Red Flags of a Cloud Mining Ponzi Scheme

Firstly, the duck test. If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck. The duck test isn’t scientific by any standard but can be used to leverage your gut feeling to identify early warning signs. Ponzi schemes, whether in Wall Street, Main Street or Bitcoin mining pools, all share very common characteristics. If the opportunity you’re looking at is checking off the same boxes that previous Ponzi schemes had, it’s probably a duck.

Let’s take a look at some criteria or common characteristics of Bitcoin cloud mining Ponzi schemes.

**Much appreciation to Puppet on the BitcoinTalk forum for their work on this template to review Bitcoin cloud mining operations. Until this type of vetting is part of the investor process, crowd-sourced community led investigation is paramount.**

Red flags of a cloud mining Ponzi scheme (adapted from Puppet’s Criteria)

  1. No public mining address / Users unable to select own pools
    When you rent hashing power from a cloud miner, you are only renting hashing power. This means that the pool you contribute to should be your own choice. The cloud mining operator you rent from may also have a pool for convenience but should not require you to use it. There is no reason for a mining pool to hide their public mining address, it just doesn’t make sense.
  2. No endorsement from hardware/ASIC provider
    With the overwhelming majority of cloud mining operations being Ponzi schemes, the industry virtually requires a shout-out from the hardware provider to assure customers that there really are miners buzzing away on their behalf. If your cloud mining company can’t prove they own their hardware (without raising more questions), then you should reconsider.
  3. No pictures or recordings of their hardware or datacenter
    It is common practice for miners to be tight-lipped about where their data centers are located. So, don’t expect to get robust images or recordings that dox the facility or owners. However, some evidence should exist, and beyond their location, the pictures or video shouldn’t look to be hiding anything.
  4. No limits on how much hashing power you can lease
    Cloud mining providers will have a limited inventory of hashing power on hand at any time. Furthermore, expanding an operation’s inventory takes time and can be limited by the market supply of ASICs and other factors. It’s questionable for a cloud miner not to share their inventory supply with their customers. Most concerning, offenders will promise you instant and limitless scalability.
  5. Referral payouts schemes
    Often, mining Ponzi schemes will also feature a form of multi-level marketing to encourage members to bring on new investments. Members are incentivized to grow their own teams, and each new member they bring in increases their rewards.
  6. Anonymous operators
    If the owners are anonymous, move on. There is little to no reason to be an anonymous operator of a cloud mining service. If they provide identification, double-check it, ask around, and do some due diligence. Is the owner hidden behind private registration? Has the domain been registered for less than six months? (You can find this information by searching for the platform’s URL registration details on a site like WHOis.net.) The more information you can find about the people/company behind a website, the better.
  7. No clear path for divesting
    There should be well-defined methods for withdrawing funds or closing rental contracts.
  8. Guaranteed profits
    Quack, quack, quack!

If any of these red flags are present in a cloud mining business, then take a moment and consider why.

Power Mining Pool: A Case Study for Cloud Mining Ponzi Schemes

Power Mining Pool was a typical Bitcoin mining pool Ponzi scheme and even included a multi-level marketing (MLM) styled referral system. Looking back, it is a lot easier now to see the red flags that were present then. Hindsight is twenty-twenty. When a company expects you to send it money but refuses to disclose any information about itself, you’re almost certainly being scammed. A WHOIS lookup shows that the PowerMiningPool.com domain was registered on June 27, and the mining pool website launched online on September 4, 2017.

BitCoin Mining Scam

Red Flag #1 Power Mining Pool didn’t have a public mining address and didn’t allow for mining outside their own pool.

Red Flag #2 No endorsement or sign of approval from hardware suppliers. Nothing to be found on Reddit, Telegram, BitcoinTalk, and so on.

Red Flag #3 A serious lack of informative images. An archive of the Power Mining Pool shows a website riddled with stock images and vague copywriting. In addition to the generic images, there is a video that provides no additional insight into the company.

Red Flag #4 No limits to how much you can invest. Power Mining Pool sold hashing power in the form of shares, which any investor could purchase without limit. Shares would not only be your claim to the guaranteed returns but also provide you with more ability to climb the ranks of the MLM reward system.

Red Flag #5 From Associate to President Millionaire, members could climb the ranks by both acquiring new shares in the pool and successfully referring new members. At each new rank in membership, you received bonuses and higher returns. For you to move up in ranks, however, your referrals also needed to move up. Not only do you need to bring in new successful members, but your referrals do too. Sound familiar?

Red Flag #6 The founders of Power Mining Pool are brothers and live in central Europe. And that’s all the information available. Searching their names, Andrew and Mike Conti, is about as helpful as the caricatures of themselves on their about page. Additionally, a WHOIS search of the company’s domain shows the admin contacts hidden behind a domain name privacy service.

Red Flag #7 After the cease and desist, Power Mining Pool has up and left with members’ principal investments. Initially, there were accounts of members receiving their daily mining profits as promised. However, it’s common for early adopters of Ponzi schemes to see earnings while their principal investments are siphoned off.

Red Flag #8 “Every share you purchase will earn you €70.” That’s a promise plucked directly from the former subpage subtly titled “opportunities”. Each share costs members €50, which means Power Mining Pool is guaranteeing a 40 percent return.
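To turn the eight criteria above into a repeatable due-diligence check rather than a gut feeling, here is an added example (not code from the article or from any vendor) that scores a vetting profile against them. The field names, the 183-day rendering of “less than six months”, and the constructed profile values (taken from the case study figures: domain registered June 27, site observed September 4, 2017, €50 shares promising €70) are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

SIX_MONTHS_DAYS = 183  # assumed rendering of the article's "less than six months"

@dataclass
class CloudMinerProfile:  # what you gathered while vetting an offer (field names are assumptions)
    name: str
    public_mining_address: bool        # criterion 1
    user_chooses_pool: bool            # criterion 1
    hardware_endorsement: bool         # criterion 2
    hardware_evidence: bool            # criterion 3
    hashpower_limit_disclosed: bool    # criterion 4
    referral_program: bool             # criterion 5
    operators_identified: bool         # criterion 6
    whois_privacy: bool                # criterion 6
    domain_registered: date            # criterion 6 (WHOIS creation date)
    observed_on: date                  # criterion 6 (date of your check)
    withdrawal_terms_documented: bool  # criterion 7
    share_price: Optional[float] = None                # criterion 8
    promised_payout_per_share: Optional[float] = None  # criterion 8

def domain_age_days(p: CloudMinerProfile) -> int:
    return (p.observed_on - p.domain_registered).days

def promised_return_pct(p: CloudMinerProfile) -> Optional[float]:
    """Return implied by a 'guaranteed' payout, as a percentage of share price (None if no promise)."""
    if p.share_price is None or p.promised_payout_per_share is None or p.share_price <= 0:
        return None
    return (p.promised_payout_per_share - p.share_price) / p.share_price * 100

def red_flags(p: CloudMinerProfile) -> List[str]:
    ret = promised_return_pct(p)  # each criterion that fires contributes one entry
    checks = [
        (not (p.public_mining_address and p.user_chooses_pool), "1 no public mining address / pool not selectable"),
        (not p.hardware_endorsement, "2 no endorsement from hardware/ASIC provider"),
        (not p.hardware_evidence, "3 no pictures or recordings of hardware or datacenter"),
        (not p.hashpower_limit_disclosed, "4 no limit on leasable hashing power"),
        (p.referral_program, "5 referral payout scheme"),
        (not p.operators_identified or p.whois_privacy or domain_age_days(p) < SIX_MONTHS_DAYS,
         "6 anonymous operators / private or recently registered domain"),
        (not p.withdrawal_terms_documented, "7 no clear path for divesting"),
        (ret is not None, f"8 guaranteed profit ({ret:.0f}% per share)" if ret is not None else ""),
    ]
    return [label for hit, label in checks if hit]

# Constructed profile from the facts the article reports about Power Mining Pool.
POWER_MINING_POOL = CloudMinerProfile(
    name="Power Mining Pool", public_mining_address=False, user_chooses_pool=False,
    hardware_endorsement=False, hardware_evidence=False, hashpower_limit_disclosed=False,
    referral_program=True, operators_identified=False, whois_privacy=True,
    domain_registered=date(2017, 6, 27), observed_on=date(2017, 9, 4),
    withdrawal_terms_documented=False, share_price=50.0, promised_payout_per_share=70.0)
```

Running `red_flags(POWER_MINING_POOL)` yields all eight entries, with the domain only 69 days old at launch and the “€70 per €50 share” promise reported as a 40% guaranteed return.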

Power Mining Pool is only one example of a Bitcoin cloud mining service riddled with red flags and warning signs. In fact, there are breadcrumbs of evidence linking Power Mining Pool to other operational Bitcoin cloud mining scams. Battling these schemes is a game of whack-a-mole: closing down one just creates three more.

Conclusion

The code is what makes a cryptocurrency work, and most legitimate cryptocurrency teams make their code ‘open source’. This means it is published openly, so anyone can read it, edit it, and check that it is what the founders say it is. Of course, just because you can’t read the code yourself doesn’t mean not being able to see it is OK. If a cryptocurrency team is keeping its code secret, it should set off alarm bells. Unless they have validated I.P., what are they trying to hide? Even then, they would have long legal paperwork and patent documents they could show.

Just because red flags are present doesn’t always mean you have identified a scam. They are early warning signs and alarms telling us to look a little deeper, investigate further, and remain skeptical. Questions and suspicions are not inherently dangerous themselves, but ignoring them is. Power Mining Pool was peppered with reasons to raise concern and seek clarity. The answers provided to these questions should support unique technological offerings and business savvy, and all of this should be logically connected. If operators don’t directly answer most of these questions, see if they have other commonalities with known crypto scams, as it may be another example in a long line of Bitcoin cloud mining Ponzi schemes. BitClub Network, HashOcean, Coinmultiplier Club, MinersLab, and Bitcoin Cloud Services are just a handful of other examples. Unscrupulous operators are swindling and cheating people out of their money. If you see reasons to be concerned, then share them with the community, ask the operators for clarity, and be cautious. Don’t keep it a secret.

Editor Jeremy Swenson
Writer Marshall Taylor