Five Things Small to Medium Businesses Can Do To Mitigate Cyber Risk

Small to medium businesses should evaluate their operational resilience and cyber-security practices quarterly. A good start is the US-CERT’s Cyber Resilience Review (CRR), which helps organizations assess enterprise programs and practices across 10 domains including risk management, incident management, service continuity, and more (SBA, 2018).

They can also use the Cyber Security Evaluation Tool (CSET), a free, customizable, multi-framework cyber-security assessment tool created by DHS. A 2017 report published by Keeper Security and the Ponemon Institute found that more than 50% of small and medium businesses had been breached in the past 12 months, but only 14% of them rated their ability to defend against cyber-threats as “highly effective” (Keeper / Ponemon, 2017). Here are five steps you can take to shield your small business from cyber-attacks:

1) Train Staff Often

Most cyber-attacks take the form of phishing and spear phishing, in which attackers target individuals rather than computer systems, typically with the help of good social engineering (IT Governance Blog, 2017). Therefore, employees need to be educated to scale back what they share on social media and to opt out of data harvesting when they can. Training needs to be ongoing today because the threat landscape and technology change so fast. For example, ransomware was not a serious attack vector 6 years ago, but it is front and center today. Additionally, crypto-currency mining networks are an exploit vector that is arguably less than 2 years old and growing rapidly. Lastly, training more often improves the company's security culture, and that is directly related to keeping its business reputation and core customer base. Here are a few more training necessities:

  1. Follow cyber security best practices and conduct audits on a regular basis – based on your selected one or two frameworks (COBIT 5, ISO 2700, etc.)
  2. Use games, contests and prizes to teach cyber safety – leadership must do this as well.
  3. Notify and educate staff of any current cyber-attacks – have a newsletter.
  4. Teach them how to handle and protect sensitive data – do lunch and learns.

2) Secure Wireless Networks

Wireless networks can be easily exploited by cyber attackers, unknowing guests, and even angry customers. Your network is not like a coffee shop community room but rather it’s like a bank vault with many segmented areas – map the segments and know their rank order value. To harden your wireless network, avoid WEP (Wired Equivalent Privacy) encryption (which can be cracked in minutes) and use only WPA2, which uses AES-based encryption and provides better security than WPA.

Fig 1. (WPA2 Selection Screen Clip).

If you have a Wi-Fi network, secure access to the router with a password and hide the network so that it does not broadcast its name. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Additionally, for protection against brute-force attacks, protect your network with a complex passphrase of at least 25 characters that mixes upper- and lower-case letters, numerals, and symbols. Use a firewall and encryption to safeguard your internet connection.
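As an added illustration (not code from the original article), here is a small Python audit of hostapd access-point configs against the settings above: WEP, WPA/WPA2 mixed mode and TKIP are flagged, the passphrase is held to the 25-character mixed-character rule, and a broadcast SSID is reported. The three configs and the finding codes are constructed for this example.

```python
"""Audit a hostapd.conf for the weak wireless settings discussed above.

Added example, not code from the original article. The three configs below are
constructed samples, not real deployments; the finding codes are my own naming.
"""
MIN_PASSPHRASE_LEN = 25  # minimum length recommended in the article

# Constructed sample: legacy WEP access point, no WPA at all, SSID broadcast.
WEAK_CONF = """\
interface=wlan0
ssid=ShopFloor
channel=6
wep_default_key=0
wep_key0=ABCDEF0123
"""

# Constructed sample: WPA/WPA2 mixed mode, TKIP still allowed, short passphrase.
MIXED_CONF = """\
interface=wlan0
ssid=ShopFloor
channel=6
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=shopfloor2018
"""

# Constructed sample: WPA2 only, AES-CCMP only, hidden SSID, 25+ character passphrase.
HARDENED_CONF = """\
interface=wlan0
ssid=ShopFloor
channel=6
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Loading-Dock7 Blue Forklift Badge!
"""


def parse_hostapd(text):
    """Parse key=value lines into a dict, ignoring comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def passphrase_is_strong(passphrase):
    """Apply the article's rule: 25+ characters with upper, lower, digit and symbol."""
    has_lower = any(c.islower() for c in passphrase)
    has_upper = any(c.isupper() for c in passphrase)
    has_digit = any(c.isdigit() for c in passphrase)
    has_symbol = any(not c.isalnum() and not c.isspace() for c in passphrase)
    return (len(passphrase) >= MIN_PASSPHRASE_LEN
            and has_lower and has_upper and has_digit and has_symbol)


def audit(text):
    """Return a list of finding codes for one hostapd.conf (empty list = clean)."""
    conf = parse_hostapd(text)
    findings = []
    # Any wep_key0..3 line means WEP is configured.
    if any(key.startswith("wep_key") for key in conf):
        findings.append("wep-enabled")
    # hostapd: wpa=0 none, 1 = WPA only, 2 = WPA2 (RSN) only, 3 = WPA+WPA2 mixed mode.
    wpa = conf.get("wpa", "0")
    if wpa != "2":
        findings.append("wpa2-not-enforced")
    if wpa != "0":
        # Require CCMP (AES) as the only pairwise cipher; TKIP or an unset cipher fails.
        ciphers = (set(conf.get("rsn_pairwise", "").split())
                   | set(conf.get("wpa_pairwise", "").split()))
        if ciphers != {"CCMP"}:
            findings.append("ccmp-not-enforced")
        if not passphrase_is_strong(conf.get("wpa_passphrase", "")):
            findings.append("weak-passphrase")
    # The article recommends hiding the SSID; 0 means the network name is broadcast.
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("ssid-broadcast")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("mixed", MIXED_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or 'no findings'}")
```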

3) Control Access / IAM and Audit Access Often

Administrative access to your systems should only be granted on a need-to-know basis (the least-privilege principle). The correct job roles should be in the correct Windows access groups. Keep sensitive data, such as payroll, out of the hands of anyone who doesn’t need it to do their job (marketing, for example). Remove unused, stale, or unnecessary IAM users and credentials. Also, consider decommissioning old systems for risk reduction and cost savings, with the appropriate project analysis done. Use strong passwords, especially for single sign-on interfaces, and add two-factor authentication. Organizations should audit their IAM user activity to see which users haven’t logged into AWS for at least 90 days and revoke their permissions. Monitor user activity in all cloud services (including IAM user activity) to identify abnormal activity indicative of threats arising from a compromised account or a malicious/negligent internal employee, corroborated with event logs and related intelligence.
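The 90-day IAM review described above, as an added Python example that is not the article's own code: it parses an AWS IAM credential report (the CSV that `get_credential_report` returns) and lists users with no sign-in or access-key use in 90 days, plus console users without MFA. The report content is a constructed sample with a subset of the real columns, and the account id and usernames are made up.

```python
"""Find AWS IAM users idle for 90+ days, and console users without MFA.

Added example, not code from the original article. It works on the CSV that AWS
returns for an IAM credential report; SAMPLE_REPORT below is constructed sample
data in that format (a subset of the real columns), not a real account.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)  # threshold named in the article
SAMPLE_NOW = datetime(2018, 7, 1, tzinfo=timezone.utc)  # "today" for the sample run

# Constructed sample report: made-up account id 111122223333 and usernames.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2016-01-10T12:00:00+00:00,not_supported,2018-06-01T08:00:00+00:00,true,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2017-03-02T09:00:00+00:00,true,2018-06-20T14:22:00+00:00,true,true,2018-06-21T10:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2017-03-02T09:00:00+00:00,true,2018-01-05T11:00:00+00:00,false,false,N/A,false,N/A
svc-backup,arn:aws:iam::111122223333:user/svc-backup,2017-08-15T09:00:00+00:00,false,no_information,false,true,2018-06-25T03:00:00+00:00,false,N/A
carol,arn:aws:iam::111122223333:user/carol,2018-05-30T09:00:00+00:00,true,no_information,false,true,N/A,false,N/A
"""

ACTIVITY_COLUMNS = ("password_last_used",
                    "access_key_1_last_used_date",
                    "access_key_2_last_used_date")


def parse_time(value):
    """Return an aware datetime, or None for N/A, no_information and not_supported."""
    if not value or not value[0].isdigit():
        return None
    return datetime.fromisoformat(value)


def last_activity(row):
    """Most recent sign-in or key use; falls back to creation time if never used."""
    stamps = [parse_time(row[col]) for col in ACTIVITY_COLUMNS if col in row]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else parse_time(row["user_creation_time"])


def stale_users(report_csv, now, threshold=STALE_AFTER):
    """Usernames whose last activity is older than the threshold (root excluded)."""
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # root is not an IAM user; review it separately
        if now - last_activity(row) >= threshold:
            stale.append(row["user"])
    return sorted(stale)


def users_without_mfa(report_csv):
    """Console (password-enabled) users with no MFA device, which the article calls for."""
    return sorted(row["user"] for row in csv.DictReader(io.StringIO(report_csv))
                  if row["password_enabled"] == "true" and row["mfa_active"] != "true")


def fetch_credential_report():
    """Download the live report with boto3 (needs AWS credentials; not used by the sample run)."""
    import time
    import boto3  # imported here so the offline sample runs without boto3 installed
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)  # AWS builds the report asynchronously
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    print("idle 90+ days:", stale_users(SAMPLE_REPORT, SAMPLE_NOW))
    print("console users without MFA:", users_without_mfa(SAMPLE_REPORT))
```

Replace `SAMPLE_REPORT` with the output of `fetch_credential_report()` and `SAMPLE_NOW` with the current time to run it against a live account.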

4) Back up and Secure Your Systems and Data but Don’t Over Retain

Ransomware, or viruses used by hackers to encrypt an organization’s computer files and hold them until a ransom is paid, has emerged as a serious and growing threat to businesses worldwide, according to the FBI (FBI CISO Report 2018). Whether data is stored in the cloud, on-premises, or in a hybrid data center, businesses should back up all files to hard drives stored in a safe place outside the reach of cyberthieves. Here are some key data backup points:

  1. Limit access to sensitive data to only a few authorized employees.
  2. Encrypt all your sensitive data – do not over-classify.
  3. Back up your data periodically and store it in an offsite location.
  4. Protect all devices with access to your data – third party vendor implications.
  5. If you accept credit card transactions, secure each point of sale.

5) Create a Guidebook for Mobile Security

While mobile devices allow for work anywhere, anytime, they create significant security challenges. The FCC suggests requiring users to password-protect their devices, encrypt data, and install security apps to prevent criminals from stealing information while the phone is on public networks (FCC, Feb 2018). Plus, set reporting procedures for lost or stolen mobile devices. Draft a BYOD policy that separates personal vs. corporate data and covers the below points.

  1. Ensure your equipment has the latest security software and run anti-virus/malware scans regularly. If you don’t have anti-virus software installed, buy and install it.
  2. Install all software updates as soon as they are available, including all web browsers.
  3. Have the latest operating systems on your devices with access to regular updates.
  4. Make sure your internet connection is protected with firewall security.
  5. Make sure your Wi-Fi network is encrypted, hidden, as well as password protected.

For more information reach out to Abstract Forward Consulting here.

Abstract Forward Consulting Now Open For Business!


In 2016 Mr. Swenson decided to go back to graduate school to pursue a second master's degree in Security Technologies at the University of MN’s renowned Technological Leadership Institute, to position himself to launch a technology leadership consulting firm. This degree was completed in 2017 and positions Swenson as a creative and security-savvy Sr. consultant to CIOs, CTOs, CEOs, and other business line leaders. His capstone was on “pre-cursor detection of data exfiltration” and included input from many of the region's CIOs, CISOs, CEOs, and state government leaders. His capstone advisor was technology and security pioneer Brian Isle of Adventium Labs.

Over 14 years, Mr. Swenson had the honor and privilege of consulting at 10 organizations in 7 industries on progressively complex and difficult problems in I.T. including: security, proj. mgmt., business analysis, data archival and governance, audit, web application launch and decommission, strategy, information security, data loss prevention, communication, and even board of directors governance. From governments, banks, insurance companies, minority-owned small businesses, marketing companies, technology companies, and healthcare companies, he has a wealth of abstract experience backed up by the knowledge from his 4 degrees and validated by his 40,000 followers (from LinkedIn, Twitter, and his blog). Impressively, the results are double-digit risk reductions, huge vetted process improvements, and $25+ million on average or more in savings per project!

As the desire for his contract consulting work has increased, he has continued to write and speak on how to achieve such great results. Often, he has been called upon to explain his process and style to organizations and people. While most accept it and get on board fast, some aren’t ready, mostly because they are stuck in the past and are afraid to admit their own errors due to confirmation bias. Two great technology leaders, Steve Jobs (Apple) and Carly Fiorina (HP) often described how doing things differently would have its detractors. Yet that is exactly why there is a need for Abstract Forward Consulting.

With the wind at our backs, we will press on because the world requires better results and we have higher standards (if you want to know more reach out below). With a heart to serve many organizations and people, we have synergized a hybrid blend of this process and experience to form a new consulting firm, one that puts abstract thinking first to reduce risk, improve security, and enhance business technology.

Proudly announcing: Abstract Forward Consulting, LLC.

Company Mission Statement: We use abstract thinking on security, risk, and technology problems to move business forward!

Company Vision: To be the premier provider of technology and security consulting services while making the world a better and safer place.

Main service offerings for I.T. and business leaders:

1) Management Consulting

2) Cyber Security Consulting

3) Risk Management Consulting

4) Data Governance Consulting

5) Enterprise Collaboration Tools Consulting

6) Process Improvement Consulting

If you want to have a free exploratory conversation on how we can help your organization please contact us here or inbox me. As our business grows, we will announce more people and tactics to build a tidal wave to make your organization the best it can be!

Thanks to the community for your support!

Founder and CEO: Abstract Forward Consulting, LLC.

Jeremy Swenson, MBA MSST (Master of Science In Security Technologies)

The Danger of Thinking Title Makes You A Leader (expanded)


Leadership is about enabling the potential in others and getting out of the way so their dreams can enable something bigger. Having people paid to report to you does not mean you are a leader but more likely a manager, which is a very respectable and worthwhile career path, but it is not leadership. It is not even close to leadership! When people choose to follow you without money or title, that is leadership. In this context, the title is derived from results and action first. As a leader, you are responsible for incubating synergies to get three out of two. Leadership is about influence, not title. Title is a mostly meaningless word that constantly changes in today's amorphous corporate culture.

Title without great external influence is not title at all. How can you move someone’s cheese when you can’t even move your community? Leadership STARTS at the community level and its nuclear power resides there. Community-based leadership has overthrown a lot of ruthless dictators, leading scammers, and corporate bullies. Real leaders understand the value of academic inquiry (formal or informal), history, change, and that these things together are the precursor to innovation. They also understand that innovation is a team thing and they don’t seek to steal the spotlight.

Former H.P. CEO and Presidential candidate Carly Fiorina said it best this way: “leadership is about changing the order of things”. Changing the order of things is dangerous because it has many unknowns and it ruffles the feathers of those presently holding power. If you are truly a leader or aspire to be one, get ready to be attacked multiple times. All TRUE leaders are different and DO NOT FIT IN with most people or the status quo, and they are bullied, harassed and attacked, and that is the life they know. They can lead in times of great stress and controversy while the vast majority of people in the world could never even get close, and would break like a generic toothpick at the sign of light criticism.

Carly Fiorina On Management Vs. Leadership – Stanford Univ. 2007.

Although a lot of executives say or believe they are leaders, their actions contradict that. All too often, they can’t handle the criticism that comes with true leadership and they are very often afraid of change, or of people with abstract cultural personas. In many parts of their personal lives, they could not even pass the simplest leadership test of helping someone less fortunate than them when nobody else will in a disaster situation. Very often they insulate themselves with simple-minded yes-sayers, fire people who question them, and are more often concerned with the superficial status that comes with being wined and dined by vendors that serve their vertical. Types like these are fools masquerading as leaders, but there are plenty of them.

The real life of a leader is lonely and some think you’re crazy. The people (mostly fools) who think you’re crazy don’t understand diversity, the evolution of culture, or true creativity, and they most likely could never connect the dots to realize any type of noteworthy synergy. Yet they often hype up all kinds of useless nonsense to promote their fallacious status:

1) You can’t argue with me, I am a Director, therefore I am right. Truth: Delusional.
2) I am a VP, therefore, my ideas are innovative. Truth: No one credible declares innovation.
3) I am a 27-year-old director and won’t make time for you because I am in a leader development program. Truth: Leader development programs have next to no track record and teach corporate conformity. A leader development program would not have helped Bill Gates, Martin Luther King Jr., or Mark Zuckerberg.

With great respect for everyone, in my experience, the people making these types of arguments are the biggest fools of all and they are usually one trick ponies – good at one or two things only and for a short period of time. If you fall for them you have been scammed.

Examples of true leaders include Billy Corgan (alternative rock music pioneer), The Wright Brothers (building and flying the first airplane) William Kunstler (landmark civil rights attorney), John McAfee (anti-virus pioneer), and Steve Jobs (computer pioneer). These people were all criticized in their early years and pushed many people away from their inner circle. Although this criticism and isolation may have broken some people it did not break them.

Most often, real leaders don’t fit in with most people and unless they get fame or money they are ostracized. So many in our society are overly focused on fame, media hype, and money. Yet real leaders are not distracted by these immoral fallacies, for they have nothing to do with life satisfaction, moral progress, or any type of synergy. Real leaders undeniably inspire movements and better people and processes, and with their vision and advocacy, society, business, and/or technology gets to heights never dreamed possible. Very few people see this at the time, though many are happy to jump on the bandwagon decades after it's validated as cool by the masses.

Martin Luther King Jr. was one such leader and he paid the ultimate price but inspired a civil rights revolution that redefined America – William Kunstler defended him. Philosopher and teacher Socrates was unjustly condemned to death for questioning the current status quo of Athenian politics and society and for teaching students to do the same thing for a better world. Today his ideologies and approach have proven to be the foundation for much of Western philosophy and education. His name is associated with the Socratic Method, which means questioning everything. It is the hallmark of how law schools teach students throughout most of the world and it is a methodology that has proven to save the lives of thousands.

Yet some corporate leaders do not like to be questioned by even the most validated intellectuals. Case in point: when credible writer and analyst Bethany McLean was questioning Enron CEO Jeff Skilling in 2001 about Enron’s public financials, he blew her off and created a smoke screen to cover up large-scale fraud. It’s no surprise that Enron is now defunct, Skilling is in prison, and McLean has been proven as the real leader. Having met her, having read her works, and having corresponded with her, I know she is everything that makes up a great leader. Great leaders have no problem taking questions from validated individuals of all walks and ranks because they have nothing to hide (including insecurities) and they can use the dialogue to advance their innovative mission. In the data-centric democracy of the United States, business and technology fads come and go, and now is about the new – false leadership will be short lived.

Socrates Condemned to Death Speech – 399 B.C.

I will take the person with the best ideas and passionate followers over someone who gloats about how prior titles prove anything. Titles by themselves and even with experience do not prove much at all. In the evolving and constantly changing landscape of technology, titles, for the most part, do not matter. Results, creativity, and inspirational empathetic leadership are what matter – emphasis added!!

If you focus too much on title, the guy or girl with the right idea will run you out of business and you and your whole team will be left with little money and no title. Please think long and hard about this if you are claiming to be a leader. You don’t want to be like Kodak and fail to see that digital cameras are the future, and you don’t want to be the leader who failed to see a data breach. You don’t want to be an overconfident leader who self-declares your morality over subordinate objections but who years and perhaps decades later is deemed greatly immoral. You don’t want to be that executive whose peers support you only because they are paid to but really don’t respect you, and are not at all inspired by you. This happens a lot, and this faulty leadership under good governance will be short lived.

Lastly, to that person who gloats about their V.P., Director, SVP title, or the like, ask them how many people would follow them passionately without money in times of great challenge while others criticize them. Likely, they will be confused, because most leaders are below the surface working to make the world a better place while the above fakers seek status and “yes” cliques. They know nothing about leadership or moral courage. To think that titles are a rite of passage to leadership is one of the most dangerous fallacies in society to date. It has caused wars to be lost, inspired political violence, caused elections to be lost and technologies to be missed, and it is a solvable irony for a society as advanced and gifted as the human race. What are you doing to be your own best leader for the greater good of others? I assure you it has nothing to do with title.

If you want to talk more about these and related concepts, please contact me here.

Why Would Salesforce Pay Billions More for LinkedIn?

In June Microsoft agreed to buy LinkedIn for $26.2 billion in the largest acquisition of its time, betting the professional social network can recharge the company’s software offerings despite recent difficulties.
Microsoft never had a good social media platform, and its search and web analytics still can’t shake a stick at Google’s. Although Microsoft has done well with the Surface, Office 365, and business software tools like SharePoint, OneDrive/Cloud, and Azure, it has struggled with its Nokia phones running on Windows, wasting money. LinkedIn is fiercely respected among recruiters and job seekers, and had great income streams in prior quarters. Yet they have scaled back what they offer to free members, removed their events feature years ago, and have made many user and cosmetic changes that have forced some people to use LinkedIn only as a tool to promote their own sites, which they can directly control and monetize, thus driving LinkedIn's revenue and market appeal down.

Buying LinkedIn cost Microsoft $196 per share, a 50% premium over the price before the sale was announced. This is a win for LinkedIn shareholders, and is likely a win for Microsoft in the long run. Once Microsoft integrates its systems with LinkedIn it will have a giant CRM like Salesforce.com or Oracle. This CRM will be used to tastefully listen and market Microsoft subscription solutions to LinkedIn users, among related items. Yet even if that effort backfires it does not matter, because LinkedIn by itself produces good income. Some user experience tweaks would help, for example bringing back the events feature, which would let them see what interests and products can be inferred from event registrations. Facebook presently does a good job at this. Even if a person does not go to the event they have still indicated interest by registering, and that is valuable data, especially when cross-referenced with other LinkedIn data. The key is data mining, analytics, cloud services, and tastefully cross marketing and selling these and yet unknown services.

Observing the above, it’s no surprise that Salesforce was one of the early bidders to buy LinkedIn, but it is a surprise that they lost out since they, like Oracle, have such a nasty track record of successful acquisitions. Recently, in a securities filing, LinkedIn disclosed an email from Salesforce CEO Marc Benioff in which he says that Salesforce would have increased its bid and restructured its offer had it been given an opportunity by LinkedIn.

“Reflecting on the additional proposals it made after LinkedIn and Microsoft agreed to exclusivity, the email indicated that Party A would have bid much higher and made changes to the stock/cash components of its offers, but it was acting without communications from LinkedIn,” the filing says. “The Transactions Committee also considered the contractual provisions contained in the definitive merger agreement with Microsoft, including those relating to discussions with third parties, and determined not to respond.” (Salesforce’s Benioff says he would have paid more than $26B for LinkedIn).

Yet after carefully reviewing how it handled the bidding process to make sure it wasn’t legally exposed, LinkedIn’s deal team decided not to respond to the email. Although the Benioff email didn’t say how much more he would have offered, many news sources are speculating $4.2 to $4.7 billion more than Microsoft. Let’s hope both companies continue to compete to make the industry better.

By Jeremy Swenson

Infrastructure-As-A-Service Shifts To The More Economical and Flexible OpenStack Platform

OpenStack was founded by Rackspace Hosting and NASA in 2011. Since then it has become a global collaboration of developers and cloud computing technologists creating a universal, open source, Python-based cloud computing IaaS (infrastructure-as-a-service) platform for public and private clouds. OpenStack aims to deliver solutions for all types of clouds by being easy to implement, massively scalable, and by having lots of features – all managed through a dashboard that gives administrators control while empowering users to provision resources through a web interface (Fig. 1).

Fig. 1. OpenStack System Flow

Over the last three years OpenStack has been deployed at about 10% of the Fortune 100 and has become a niche play mostly for public cloud providers. Today these companies see a range of growing use cases, from running simple web servers to using hundreds of cores for high-throughput computing. Other benefits include more secure servers, segregated environment infrastructure for research and deployment-based projects, and outsourcing of infrastructure to reduce risk and cost. Cloud services like Google Compute Engine, Amazon Web Services (AWS), and Microsoft Azure are proprietary platforms that lock users into their platform, whereas OpenStack does not.

Fig. 2 (OpenStack Kilo Demo).

OpenStack just had its 13th major release with the 14th due late this year. They have over 10,000 community members and over 1,000 active code contributors. Customers can expect new enhancements in major releases every six months for the foreseeable future. AT&T recently committed to 500,000 OpenStack nodes between now and 2020. Volkswagen has committed to deploy the world’s largest OpenStack network. Verizon, Walmart, and NASA use it; while Intel has been a power user and collaborator for some time (Fig. 3.).

Fig 3. Intel OpenStack-Summit-Session, Nov 2013
Locally, Target has three OpenStack clusters and 120 server nodes in total. It’s likely to grow to 360 nodes this year. FICO has eradicated all but a few VMware (virtual machine) servers. Thomson-Reuters is in the process of deploying 500 servers of OpenStack. Digital River has said “no” to their VMware ELA (enterprise license agreement) and will replace 600 VMware servers and all of their Cisco switching with OpenStack and software-defined networking in the next 24 months, with an estimated $6,000,000 in software savings. Best Buy and 3M also have active OpenStack deployments in progress. OpenStack is the fastest growing open source project on the planet and is likely to inspire new competitors. With this track record many pundits and users project very high adoption in the Fortune 100 within the next five years.

Why implement OpenStack? It saves and makes companies money by the wheelbarrow full, through lower software, hardware, and operational labor costs and faster time to market, with more innovation through automation. It also provides risk reduction via virtual segregation, and offers an unlocked platform unlike most of the establishment competition, as noted above. But companies need help. They need to understand the costs and the risks involved in a deployment.

To learn more about how your company can innovate and save with OpenStack reach out to Storm Enterprises, a noteworthy and growing MN based implementation consultancy for this and related technologies.

Four PMBOK Inspired Tips For Success On Complicated Projects

1) Stakeholder Management: Attain clear support from the executive stakeholders from the beginning of the project and schedule regular check-in meetings with them ahead of time, as they tend to be very busy and are often pulled in many directions. Set the tone that their participation is needed and that they will need to approve change requests, which is not uncommon. You should also use clever people skills and empathetic listening skills as you interview the many high-level stakeholders in the early part of the project, so as to defuse conflict, get consensus on disagreements about scope, business goals, and order, and find out who will be the thorn in your side, as the sooner you know that the better. Also, accept that stakeholders will be different and may not even directly work for your company, which is OK, as those tend to offer specialized expertise and are often very creative.

2) Communications Management: It’s common to have one or two stakeholders who are difficult, protesting the project through their actions, or who are otherwise egotistical and/or just plain difficult to deal with. As a project manager, project consultant, or business analyst, it is your responsibility to deal with these people and situations. One way to do this is to understand the communication styles of all project stakeholders early on in the project and document this. Strength Finders, DISC, and many other communication style tests can help with this, or you could consult a person who has a lot of international travel experience – they are often helpful in understanding group communication dynamics. You should also know when to be direct, indirect, and/or silent in your communications. Communication is mostly about listening and perception, and as project manager you are not the direct boss of the project team members, so your ability to drive tasks is heavily based on your communication and motivational skills – so ask all team members what you can do to clear their roads, either yourself or in partnership with other stakeholders. This reduces surprise road blocks down the road and encourages silent people to speak up.

3) Quality Management: Having worked on many complex projects in highly regulated industries over the last 5 years, I have noticed a shift towards agile methodologies vs. waterfall. From my perspective this is really about quality and timely flexibility. Aligning the project tasks in small pieces allows you to test the results independently and faster, and if the results are bad that’s a good thing, because it’s just one piece of the project and you can learn from it, getting an early warning. Yet to get better quality out of an error you need to have documented what went into the error from beginning to end, and you need intelligent consensus. On SDLC projects there will be many small errors which then raise questions about other systems and how they relate to the business rules. Yet with good process flows, screen shots, and JAD sessions with key people, you can ensure that these errors are nothing more than normal bumps in the road. Every project has its bumps, but the real test is having above-average quality on budget and on time at the project's end, thus creating a reusable plan others can learn from and be inspired by.

4) Risk Management: In this new era where almost everything is in the cloud and hackers are targeting large and mid-sized companies to steal and sell their data, every risk analysis document/plan should take into consideration data security, customer privacy, and access controls for the project team, and there should be an independent audit plan, often out of scope of the project and done by a different group for checks and balances. No project has no data, so data is always a part of a project, sometimes more and sometimes less. Question number one is who should have access to the data and at what point? In today’s environment you should embrace a need-to-know policy and document it to reduce risks. You should also imagine a worst-case scenario, be prepared for it, and run this by the executive project sponsors and/or risk officer if your company has one.

Another common risk is project delay. Have you analyzed how a one- or two-month delay would affect your critical path and logical task order? For some projects it may not matter and for others it may cost your project millions more. It may harm another dept. or a related project; thus, in your project risk document you should list the longest delay your project could handle and the dependencies of that delay. Delays on projects, especially SDLC projects, do happen and are not necessarily bad, and they can be dealt with, but your project team needs to be ready for it, and the sooner they know the better.

If you want to hire me to speak at your next event or consult for your company on these and related topics concerning project risk, process improvement, project management, and related areas please contact me.