Cybersecurity Archives | Page 2 of 3 | Auto Remarketing

PODCAST: National Cyber Security Alliance on trends in automotive


Lisa Plaggemier, interim executive director of the National Cyber Security Alliance (NCSA), has an affinity for the automotive industry since her professional career includes time at Ford and CDK Global.

Plaggemier appeared on this episode of the Auto Remarketing Podcast to discuss the recent data breach sustained by Mercedes-Benz as well as other concerns about how dealerships and finance companies can remain secure.

To listen to the episode, click on the link available below, or visit the Auto Remarketing Podcast page.

Download and subscribe to the Auto Remarketing Podcast on iTunes or on Google Play.

3 suggestions for handling cybercrime from 3 New York Fed economists


A trio of economists from the Federal Reserve Bank of New York recently updated their in-depth examination of cybercrime, built around what they consider the most damaging cyberattack in history, and offered three suggestions that could benefit finance companies and other firms that do much of their business online.

Matteo Crosignani, Marco Macchiavelli and André Silva of the New York Fed based their conclusions on NotPetya, malware released on June 27, 2017 that targeted Ukrainian organizations as part of an effort by Russian military intelligence to cripple critical Ukrainian infrastructure. It spread well beyond those targets and caused an estimated $10 billion in damages.

When compiling their suggestions in the report titled “Pirates without Borders: The Propagation of Cyberattacks through Firms' Supply Chains,” the economists also pointed to other cyberattacks this year, notably the ransomware attack on Colonial Pipeline.

To wrap up the 44-page report that can be downloaded here, Crosignani, Macchiavelli and Silva wrote: “First, our results show the crucial need for better cybersecurity. This includes more compartmentalization of the network infrastructure, more scrutiny on the cybersecurity of third-party suppliers, and at least one backup facility that is offline at any time.

“Second, firms need to improve their risk management and contingency planning with the goal of continuing activities in the event that any one of their suppliers is unable to provide goods and services. The resilience of a supply chain rests on having multiple options for each intermediate good or service, so that no single supplier is irreplaceable,” they continued.

“Third, the intelligence community should establish credible deterrence for cyber-aggressions of the magnitude of NotPetya, so that state-sponsored hackers at least have an incentive to put in place controls to make sure that the attack does not spread beyond its intended reach,” they went on to say.

In an accompanying blog post on Liberty Street Economics, Crosignani, Macchiavelli and Silva mentioned the critical part banks can play in handling cyberattacks.

“We also point out the role of bank credit in enabling affected customers to absorb the shock. Importantly, in this specific event, banks were not hit by the NotPetya cyberattack and could provide credit to firms,” they said. “A potentially more devastating scenario could have occurred had banks been hit as well, potentially making them unwilling or unable to provide additional credit.”

Seventh Knight rolls out ransomware prevention tool powered by IBM


Perhaps what happened to Colonial Pipeline has you thinking about what a sudden ransomware attack on your finance company would do to your originations and collections.

To help companies of all kinds, Seventh Knight recently developed an embedded solution built on IBM’s MaaS360 technology.

The provider of unique ransomware protection solutions to Fortune 500 companies and the defense industry has a solution that can help clients secure their enterprise networks from ransomware and zero-day attacks, while also providing protection to clients of any size through its MSSP reseller program and direct sales initiative.

Seventh Knight also offers AppMoat360, a unified endpoint management (UEM) security service that provides control and security over the growing number of mobile and IoT devices and over most Microsoft Windows environments, including Windows 10, 7 and XP, virtualized desktops and Server variants, coverage the firm explained is critical to clients running a mix of modern and legacy systems. (Windows XP and Windows 7 no longer receive security updates from Microsoft, so a control layered on top of them compensates for missing patches rather than replacing them.)

AppMoat360 combines Seventh Knight’s unique, patented AppMoat software with technology from the IBM Unified Endpoint Management solution IBM MaaS360 with Watson.

“Having IBM as an embedded solutions partner is an important addition to Seventh Knight’s strategy to provide the highest quality products and services that specifically address Ransomware and Zero-Day threats to our clients,” Seventh Knight chief executive officer Luke Koestler said in a news release.

In a separate example, Seventh Knight shared highlights from an incident report involving what the firm called a “major North American Manufacturing enterprise” that uses AppMoat and immediately stopped a probable malware intrusion.

“The enterprise wishes to remain anonymous because once an entity is attacked in force, the bad actors typically return again and again,” Seventh Knight said.

Seventh Knight recapped that it received an AppMoat alert about an unknown program running on one of the manufacturer’s machines, described in the incident report as a server.

“The server that initiated the alert manages communications with segmented production equipment systems and is not normally accessed by any user. The alerting server generates an encrypted tunnel between the general business network and mission crucial production equipment. If compromised it could have severely crippled operations,” Seventh Knight said.

“The bottom line: Because this enterprise added AppMoat as its final lock on the security door, this malware is not now secretly resident inside its systems, doing or preparing to do major financial, and possibly physical, damage to all its processes,” Seventh Knight went on to say.

For more information, visit https://seventhknight.com/.

FTC seeking array of info about ‘dark patterns’


“Dark patterns” evidently are not just what might appear below your eyes after a long day followed by a restless night.

The Federal Trade Commission is seeking comment on topics related to the use of digital “dark patterns,” a range of potentially deceptive or unfair user interface designs used on websites and mobile apps. The regulator is looking for this material to enhance discussions during the agency’s workshop scheduled for April 29.

The FTC is seeking comment on several topics that will be in focus at the event titled, Bringing Dark Patterns to Light: An FTC Workshop, including:

• The definition of dark patterns

• The prevalence of dark patterns in the marketplace

• The use of artificial intelligence and machine learning to design and deliver dark patterns

• The effectiveness of dark patterns at influencing consumer choice, decision-making, or behavior

• The harms dark patterns pose to consumers or competition

• Ways to prevent, mitigate, and remediate the harmful effects of dark patterns.

While the workshop is on tap for the end of the month, firms and their experts have until May 29 to share information. The FTC said it is particularly interested in data, studies, research and other empirical evidence addressing these issues. Officials elaborated on what they are seeking here, including:

1. Defining Dark Patterns

What is a dark pattern? Is there an accepted definition of the term? What features do dark patterns have in common, and how do they differ? How do dark patterns differ from other types of persuasive technology and techniques (e.g., design features known as “nudges”)? How do dark patterns differ from analogous sales and advertising tactics in the brick-and-mortar context? Are they different in scale, in kind, or both?

2. Prevalence of Dark Patterns

How prevalent are dark patterns in the marketplace? Are there particular industries, subsets of industries, or stages of companies (e.g., startups) where dark patterns in general or specific dark patterns are especially prevalent or, conversely, where participants are unlikely to use dark patterns? Are dark patterns more prevalent on certain platforms or mediums (e.g., mobile apps, video games, social media platforms)?

3. Factors Affecting Dark Pattern Adoption

What factors influence a company or organization’s decision to employ dark patterns? What role has A/B and other user experience testing played in the development and spread of dark patterns? How have “growth hacking” and related strategies contributed to dark patterns? Why do many companies employ the same or similar dark patterns?

4. Dark Patterns and Machine Learning

How are artificial intelligence and machine learning affecting dark patterns? Is there empirical evidence of companies using artificial intelligence or machine learning to personalize and serve dark patterns to individual consumers or specific groups of consumers?

5. Effectiveness of Dark Patterns

How effective are dark patterns at influencing consumer choice, decision-making, or behavior? Are some dark patterns more effective than others? Which ones are most effective? What makes them more effective?

6. Harms of Dark Patterns

What harms do dark patterns pose to consumers or competition? For example, do certain dark patterns lead consumers to purchase products or services that they might not otherwise have purchased, pay for products or services without knowing or intending to, provide personal information, waste time, spend more on a particular product or service, remain enrolled in a service they might otherwise cancel, or develop harmful usage habits? Are any groups of consumers more likely than others to be affected by dark patterns (e.g., young children, teens, older adults, persons with low income)? Do dark patterns have a disproportionate impact on consumers of color or other historically disadvantaged groups? Do dark patterns have any pro-consumer or pro-competition benefits? What are they?

7. Consumer Perception of Dark Patterns

How able are consumers to detect dark patterns? Are consumers able to detect some dark patterns better than others? Even when consumers detect a dark pattern, are they likely to understand how it is influencing their behavior? Do any disclosures made in connection with dark patterns help consumers detect and avoid them?

8. Market Constraints and Self-Regulation

Do market forces (e.g., competition and reputational concerns) sufficiently prevent companies from using harmful dark patterns? How responsive are companies to the potential reputational effect of being labeled as having used a dark pattern by organizations such as DarkPatterns.org? What self-regulatory measures are companies and other stakeholders taking to mitigate the harms of dark patterns? Are there any industry standards regarding the use of dark patterns? How is compliance with any such standards monitored and enforced?

9. Solutions

What would effective prevention, mitigation, and remediation of the harmful effects of dark patterns look like? What role can industry play in preventing, mitigating, and remediating the harmful effects of dark patterns? What types of dark patterns or use cases of dark patterns should the FTC and other government regulators focus on when bringing enforcement actions and engaging in other initiatives to combat dark patterns that are deceptive or unfair, or violate the law in other ways? Given that consumers may be unaware of dark patterns’ effects on their behavior and decisions and therefore less likely to complain, what can the FTC and other regulators do to identify and combat deceptive, unfair, or otherwise unlawful dark patterns?

Submissions on any of these topics can be made via this website.

Shred-it report details depth of data-breach rise among large firms & small businesses


Shred-it discovered noticeable jumps since 2017 in both corporate executives and small-business owners reporting that they experienced a data breach.

Shred-it, the information security service provided by Stericycle, announced the findings with the release of the 10th anniversary edition of its Data Protection Report, which outlines data security risks threatening U.S. enterprises and small businesses.

According to the report, nearly half of C-suite executives — 43% to be exact — and 12% of small business owners have experienced a data breach. Shred-it indicated those readings represent a 21% rise from 2017 among those executives and a 7% climb for those small business owners.

While companies are getting better at protecting their customers’ personal and sensitive information, Shred-it determined their focus on security training and protocols has declined in the last year. The firm cautioned that this decline could pose issues for businesses, as 83% of consumers say they prefer to do business with companies who prioritize protecting their physical and digital data.

Formerly known as The Security Tracker: State of the Industry Report, the findings are based on a survey conducted by Ipsos, shedding light on trends in data protection practices and the risks American businesses, organizations and consumers face related to keeping their data secure.

Shred-it said the findings reinforce the need for business owners to have data protection policies in place as threats to data security, both physical (including paper documents, laptop computers or external hard drives) and digital (including malware, ransomware and phishing scams), have outpaced efforts and investments to combat them.

Shred-it also noted that its report — which was completed prior to the COVID-19 pandemic starting — showed that more focus is needed around information security in the home, where executives and small business owners feel the risk of a data breach is higher.

While advancements in technology have allowed businesses to move their information to the cloud, Shred-it discovered only 7% of top executives and 18% of small-business owners operate in a paperless environment.

“Businesses still consume vast amounts of paper, dispelling the myth of offices going digital and signaling a need for oversight of physical information and data security,” Shred-it said.

Both top executives and small-business owners indicated external threats from vendors or contractors and physical loss or theft of sensitive information are the top information security threats facing their business, according to the report.

Yet, Shred-it said the number of organizations with a known and understood policy for storing and disposing of confidential paper documents adhered to by all employees has declined 13% for those companies with top executives and 11% for those small-business owners.

In addition, the report mentioned 49% of small-business owners have no policy in place for disposing of confidential information on end-of-life electronic devices.

While the work-from-home trend has risen over the years, the COVID-19 pandemic abruptly launched employees into work-from-home status, many without supporting policies.

According to the report, the majority of top executives (77%) and small-business owners (53%) had employees who regularly or periodically work off-site. Despite this trend, just 53% of top executives and 41% of small-business owners have remote work policies in place that are strictly adhered to by employees working remotely.

“As we adjust to our new normal in the workplace, or at home, it’s crucial that policies are adapted to align with these changes and protect sensitive information,” said Cindy Miller, president and chief executive officer for Stericycle, the provider of Shred-it information security services.

“As information security threats grow, it’s more important than ever that we help businesses and communities protect valuable documents and data from the risks of an information breach,” Miller continued in a news release.

When it comes to training, 24% of top executives and 54% of small-business owners reported having no regular employee training on information security procedures or policies, according to the report.

Additionally, Shred-it mentioned the number of organizations that regularly train employees on how to identify common cyber-attack tactics, such as phishing, ransomware or other malicious software, declined 6% for top executives and 7% for small-business owners.

“As a society, we are facing new information security challenges every day, from the rise of remote working to increased consumer concern,” said Michael Borromeo, vice president of data protection for Stericycle.

“To protect businesses now and for the long haul, it’s instrumental that leaders reevaluate information security training and protocols to adjust to our changing world and maintain consumer trust,” Borromeo went on to say.

To learn how organizations can better protect their business against data breaches and receive additional survey findings, download Shred-it’s 2020 Data Protection Report by going to this website.

Former Toyota EVP joins board of Cyber Security Cloud


A former executive vice president of Toyota recently was invited to join the board of Cyber Security Cloud (CSC), which provides web application security services worldwide using leading cyber threat intelligence and artificial intelligence.

CSC said it added Yoshio Ishizaka to its board of directors to further improve its services and contribute to the information revolution. With his appointment, CSC plans “to work harder than ever” to strengthen its governance and provide its customers with services that help create a secure cyberspace, not only in Japan but also around the world.

After serving as president of Toyota Motor Sales USA, Ishizaka was appointed as executive vice president of Toyota Motor Corp. in 2001. He led the overseas development of Toyota, including the launch of Lexus.

After serving as an adviser to the Toyota board and as a senior adviser at Roland Berger since 2008, he was awarded the Blue Ribbon Medal of Honor in 2011. He is also the author of The Toyota Way in Sales and Marketing.

CSC pointed out that the number of cyber-attacks has risen in recent years and that the threat to enterprises has become a serious issue with direct implications for business risk. Against this backdrop, CSC aims to provide web application security services that leverage world-leading cyber threat intelligence and AI technology.

“It is a great pleasure to welcome Mr. Yoshio Ishizaka, a leading figure in the global automotive industry, to join our team as an outside director of our company,” Cyber Security Cloud president and chief executive officer Hikaru Ohno said in a news release.

“We are confident that he will be able to provide us with useful advice on our products and global business expansion based on his management skills and knowledge of overseas operations cultivated at Toyota Motor Corporation,” Ohno continued. “In addition, Mr. Ishizaka's appointment will further strengthen the company’s governance and enable it to provide even higher quality services as a listed company.”

Ishizaka offered his perspective on why he joined CSC’s board.

“I am pleased to be appointed as an outside director of Cyber Security Cloud. As IoT, 5G and the Internet become indispensable in our lives, we are also becoming more and more familiar with the dangers of the Internet,” Ishizaka said.

“In response to the increasing cyber-attacks around the world in recent years, I decided to take up this position because I strongly empathize with the Cyber Security Cloud's philosophy of creating a secure cyberspace that people around the world can use safely,” he continued.

“In the future, I would like to make use of the experience I have gained at Toyota to contribute to the further growth of Cyber Security Cloud, which was listed on the stock exchange on March 26, and to the preservation of an Internet environment that customers can use with peace of mind,” Ishizaka went on to say.

FIS aids efforts in updating cyber-risk guidebook


FIS played a role in compiling critical guidance to help financial services companies handle cyber-risk oversight.

Chief risk officer Greg Montana co-authored the incident response section of the seventh edition of the Director’s Handbook on Cyber-Risk Oversight recently released by the Internet Security Alliance (ISA) and the National Association of Corporate Directors (NACD).

The guidebook, available on four continents and in five languages, provides comprehensive guidance and tools to help boards enhance their oversight of cyber risks, including management of insider threats, mergers and acquisition due diligence and supply chain risk management.

The incident response section of the toolkit outlines steps that boards should take to ensure their organizations have an effective program in place for monitoring and quickly responding to cyber-related incidents and events. Montana, a board member of the ISA, co-authored the section with General Electric chief information security officer Nasrin Rezai.

“In today’s interconnected, always-on global marketplace, all organizations, large and small, need to be prepared to respond quickly to cyber events and incidents that could have a material impact on their operations and reputation,” Montana said in a news release.

“The Director’s Handbook on Cyber-Risk Oversight is a practical guidebook for board members to ensure they have the information and tools they need to provide effective cyber-risk oversight,” Montana continued. “I am honored to have had the opportunity to co-author the Incident Response section with Nasrin Rezai of GE.”

The ISA-NACD Director’s Handbook on Cyber-Risk Oversight, which was developed in collaboration with the U.S. Department of Homeland Security and the U.S. Justice Department, is applicable to board members of public and private companies as well as non-profit organizations.

NACD members can download a copy of the handbook by going to this website.

3 primary findings from LexisNexis Risk Solutions Cybercrime Report


On Wednesday, LexisNexis Risk Solutions highlighted three primary findings from its Cybercrime Report covering activities from July through December of last year.

The company indicated the findings crystalize how fraud has increasingly become borderless on a global scale. As the report analysis showed, LexisNexis Risk Solutions said cybercrime is a well-organized, global endeavor powered by networks of fraud.

While consumers enjoy access to goods and services from all over the world, LexisNexis Risk Solutions explained fraudsters are able to harness stolen identity data to launch corresponding cross-border fraud attacks.

This global, networked pattern of cybercrime is further reflected in mobile attack rate growth, which is heavily influenced by a global bot attack targeting mobile app registrations.

Fraudsters are migrating attacks to exploit the mobile channel: Of the 19 billion transactions recorded by the LexisNexis Digital Identity Network in this six-month period, for the first time, mobile attacks outpaced desktop attacks, with a 56% growth in the mobile attack rate year-over-year.

Experts elaborated about those key findings from the LexisNexis Risk Solutions Cybercrime Report, including:

Global networked fraud

LexisNexis Risk Solutions acknowledged the threat of networked cybercrime grows daily. Experts said fraudsters are working in hyperconnected, global networks, targeting businesses across country borders and industries.

In just one month, the report indicated 73,000 devices associated with a fraudulent event at one organization were later recorded at another organization within the Digital Identity Network.

Experts indicated all of the fraud networks identified in the recorded period involved organizations from more than one region and more than one industry. They explained this development confirms the global nature of networked fraud and illustrates how cybercriminals launder the proceeds of their crimes throughout the digital economy for maximum financial gain.

Globally connected bot attacks target new account creations

Over the period examined, LexisNexis Risk Solutions pointed out bot volumes saw strong growth from key regions, as fraudsters use automation to maximize success.

Experts conceded bot volumes can be very volatile given that one bot attack can represent millions of individual attacks. Analyzing regional growth can provide an alternative view of attack growth targeting specific industries and regions.

The Digital Identity Network recorded strong growth in bot attacks from Canada, Germany, France, India and Brazil. Furthering the notion of fraud without borders, LexisNexis Risk Solutions noted bots from Canada, France and Germany all targeted the same group of organizations, which were mainly in financial services and media.

Growing mobile attack rate

While attack rates targeting desktop transactions (2.7%) and mobile transactions (2.5%) are almost identical, LexisNexis Risk Solutions noted the mobile attack rate grew 56% while the desktop attack rate fell 23%, confirming the growing shift toward mobile fraud.

Within the mobile space, experts explained there are also nuanced differences between browser and app attacks.

Mobile browser transactions are attacked at a higher rate — 4.2% compared with 1.9% for apps — but the report mentioned mobile app transactions realized a greater growth in attack rate, up 171% compared with a steadier growth rate of 14% for browsers.

LexisNexis Risk Solutions emphasized that sharing information about known fraudsters across industries and geographies is more important than ever. The company explained that businesses can combat networked fraud by utilizing solutions like networks and consortia to share intelligence related to cybercrime.
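The mechanics behind these findings, as an added illustration that is not LexisNexis code, data or methodology: a small consortium view over constructed transaction events, in Python. It flags devices tied to a confirmed fraud event at one organization that later appear at another (the pattern behind the 73,000-device figure), computes the per-channel attack rate (attacked transactions divided by all transactions on that channel) and detects registration bursts of the kind a bot campaign produces. The organization names, device IDs, channels, timestamps and thresholds are all assumptions made for the example.

```python
"""Consortium view of device-level fraud signals across organizations.
Constructed events and names; not LexisNexis code, data or methodology."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: int          # seconds on a shared clock (constructed)
    org: str        # organization that saw the transaction
    device: str     # device identifier as reported to the consortium
    channel: str    # "desktop", "mobile_browser" or "mobile_app"
    kind: str       # "login", "registration" or "payment"
    fraud: bool     # confirmed fraudulent by the organization that saw it


# Constructed sample: three member organizations, a few devices, one bot burst.
EVENTS = [
    Event(100, "LenderA", "dev-1", "desktop", "payment", True),
    Event(200, "RetailerB", "dev-1", "mobile_browser", "registration", False),
    Event(300, "StreamingC", "dev-1", "mobile_app", "login", False),
    Event(50, "RetailerB", "dev-2", "desktop", "login", False),
    Event(150, "RetailerB", "dev-2", "desktop", "payment", True),
    Event(400, "LenderA", "dev-2", "mobile_app", "registration", False),
    Event(120, "LenderA", "dev-3", "desktop", "login", False),
    Event(80, "RetailerB", "dev-4", "mobile_browser", "login", False),  # seen before its fraud
    Event(500, "LenderA", "dev-4", "desktop", "payment", True),
    Event(2000, "StreamingC", "dev-5", "mobile_app", "registration", False),
    Event(2600, "StreamingC", "dev-6", "mobile_app", "registration", False),
] + [Event(1000 + i, "StreamingC", f"bot-{i}", "mobile_app", "registration", True)
     for i in range(6)]


def cross_org_reuse(events):
    """Devices tied to a confirmed fraud at one organization and later seen at a
    different one. Returns {device: (org_where_fraud_was_first_seen, set_of_later_orgs)}."""
    ordered = sorted(events, key=lambda e: e.t)
    first_fraud = {}  # device -> (time, org) of the earliest confirmed fraud
    for e in ordered:
        if e.fraud and e.device not in first_fraud:
            first_fraud[e.device] = (e.t, e.org)
    later = defaultdict(set)
    for e in ordered:
        hit = first_fraud.get(e.device)
        if hit and e.t > hit[0] and e.org != hit[1]:  # only appearances after the fraud count
            later[e.device].add(e.org)
    return {d: (first_fraud[d][1], orgs) for d, orgs in later.items()}


def attack_rate_by_channel(events):
    """Share of transactions on each channel that were attacks."""
    total, attacks = defaultdict(int), defaultdict(int)
    for e in events:
        total[e.channel] += 1
        attacks[e.channel] += int(e.fraud)
    return {c: attacks[c] / total[c] for c in total}


def registration_bursts(events, window, threshold):
    """Per organization, the densest `window`-second run of registrations, reported
    when it holds at least `threshold` events (the signature of an automated campaign)."""
    by_org = defaultdict(list)
    for e in events:
        if e.kind == "registration":
            by_org[e.org].append(e.t)
    bursts = {}
    for org, times in by_org.items():
        times.sort()
        best_start, best_count, j = None, 0, 0
        for i, start in enumerate(times):       # sliding window over sorted times
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i > best_count:
                best_start, best_count = start, j - i
        if best_count >= threshold:
            bursts[org] = (best_start, best_count)
    return bursts


if __name__ == "__main__":
    print("devices reused across organizations:", cross_org_reuse(EVENTS))
    print("attack rate by channel:", attack_rate_by_channel(EVENTS))
    print("registration bursts:", registration_bursts(EVENTS, window=10, threshold=5))
```

Note that `cross_org_reuse` only counts appearances after the first confirmed fraud: a device seen at RetailerB before it was later flagged at LenderA (dev-4 in the sample) is not a reuse hit, because the consortium had no signal on it at that time. Any single organization sees only its own rows of this table; the cross-organization matches are the part that exists only in the shared view.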

“The ability to harness intelligence related to devices, location, identity and behavior to combat fraud is critical, given the globally connected fraud that permeates the global digital economy,” said Rebekah Moody, director of fraud and identity at LexisNexis Risk Solutions.

“Today, fraudsters are able to attack with unprecedented ease and speed and it is not enough for businesses to focus their fraud mitigation efforts on individual attacks,” Moody continued in a news release. “To mitigate the hyperconnected nature of global cybercrime, businesses need access to a shared view of risk that can operate across channels, across industries and across country borders.

“The layering of next-generation fraud defenses creates the opportunity to slow the onslaught of cybercrime,” Moody went on to say. “With tools like behavioral biometrics, consortium-based data sharing, bot data management and risk intelligence signals, LexisNexis Risk Solutions has developed the necessary innovations to help organizations stay ahead of fraudsters.

“Now more than ever, it is necessary for businesses to implement these advanced global solutions that can truly prevent the evolving nature of fraud,” she added.

To download a copy of the LexisNexis Risk Solutions Cybercrime Report, July through December 2019, go to this website.

New York Fed considers ramifications of significant cyberattack on payment system


A trio of experts at the New York Federal Reserve constructed a variety of scenarios connected with how banks and payment networks would be impacted if a widespread cyberattack happened.

Thomas Eisenbach, Anna Kovner and Michael Junho Lee released their findings in a 37-page report this week, detailing how the response could vary depending on the size of the institution.

The trio explained that it modeled how a cyberattack may be amplified through the U.S. financial system, focusing on the wholesale payments network. They estimated that the impairment of any of the five most active U.S. banks will result in significant spillovers to other banks, with 38% of the network affected on average.

“The impact varies and can be larger on particular days and in geographies with concentrated banking markets,” they said in the report.

When banks respond to uncertainty by hoarding liquidity, Eisenbach, Kovner and Lee found the potential impact in forgone payment activity is “dramatic,” reaching more than 2.5 times daily gross domestic product.

In a reverse stress test, the report authors said interruptions originating from banks with less than $10 billion in assets are sufficient to impair a significant amount of the system.

Additional risk emerges from third-party providers, according to Eisenbach, Kovner and Lee.

“Our analysis demonstrates how cyberattacks on a single large bank, a group of smaller banks or a common service provider can be transmitted through the payments system,” they wrote. “A cyberattack on any of the most active U.S. banks that impairs any of those banks’ ability to send payments would likely be amplified to affect the liquidity of many other banks in the system.

“The extent of the amplification would be even greater if banks respond strategically, which they are likely to do if there is uncertainty about the attack,” they continued. “The impact on geographies with concentrated banks may be even larger.

“We also identify other ways that the system may become impaired that highlight the importance of all banks in the network, not just the largest banks,” the authors added. “First, if a number of small or midsize banks are connected through a shared vulnerability, such as a significant service provider, this would likely result in the transmission of a shock throughout the network.

“Similarly, banks with a relatively small amount of assets but large payment flows also have the potential to impair the system,” they went on to say.
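To make the amplification mechanism concrete, here is an added toy simulation in Python. It is not the New York Fed's model, code or data; the banks, payment flows, liquidity buffers and the impairment rule are constructed assumptions. An attacked bank stops sending payments but still receives them; any bank whose lost inflows exceed its buffer stops sending too, and with strategic hoarding switched on a bank stops sending as a precaution once it has lost half its buffer. The loop runs to a fixed point and reports the share of other banks affected and the value of forgone payments; a reverse stress test then checks which of the small-buffer banks can impair others on their own.

```python
"""Toy simulation of a cyberattack on one bank propagating through a wholesale
payments network. Constructed example: banks, flows, buffers and the impairment
rule are assumptions, not the New York Fed's model or data."""
from dataclasses import dataclass

# FLOWS[sender][receiver] = value the sender normally pays the receiver per day
FLOWS = {
    "A": {"B": 40, "C": 15, "D": 10, "F": 20},   # large bank
    "B": {"A": 35, "C": 10, "E": 4, "F": 15},    # large bank
    "C": {"A": 12, "B": 8, "D": 6},              # mid-size bank
    "D": {"A": 8, "C": 5, "E": 3},               # mid-size bank
    "E": {"B": 3, "D": 3},                       # small bank, small flows
    "F": {"A": 22, "B": 14, "C": 9, "D": 20},    # small bank, large flows
}
# BUFFERS[bank] = inflows a bank can lose in a day and still keep paying
BUFFERS = {"A": 60, "B": 60, "C": 30, "D": 18, "E": 5, "F": 6}
HOARD_FRACTION = 0.5  # under uncertainty, stop sending once this share of the buffer is gone


@dataclass(frozen=True)
class Outcome:
    attacked: frozenset
    stopped: frozenset        # every bank not sending at the fixed point
    affected: frozenset       # stopped banks other than the attacked ones
    fraction_affected: float  # affected / banks that were not attacked
    forgone_payments: int     # value of payments that never go out
    rounds: int


def lost_inflows(flows, bank, stopped):
    """Payments `bank` expected today from banks that have stopped sending."""
    return sum(flows[s].get(bank, 0) for s in stopped)


def simulate(flows, buffers, attacked, hoarding=False):
    """Propagate the shock until no further bank stops sending."""
    stopped = set(attacked)
    rounds = 0
    while True:
        rounds += 1
        newly = set()
        for bank in flows:
            if bank in stopped:
                continue
            lost = lost_inflows(flows, bank, stopped)
            forced = lost > buffers[bank]                                   # cannot pay
            cautious = hoarding and lost > HOARD_FRACTION * buffers[bank]   # chooses not to
            if forced or cautious:
                newly.add(bank)
        if not newly:
            break
        stopped |= newly
    affected = frozenset(stopped - set(attacked))
    others = len(flows) - len(attacked)
    fraction = len(affected) / others if others else 0.0
    forgone = sum(sum(flows[b].values()) for b in stopped)
    return Outcome(frozenset(attacked), frozenset(stopped), affected, fraction, forgone, rounds)


def reverse_stress_test(flows, buffers, max_buffer):
    """Which banks with a buffer at or below `max_buffer` (a stand-in for 'small
    assets') can impair at least one other bank on their own? {bank: affected}"""
    result = {}
    for bank in flows:
        if buffers[bank] <= max_buffer:
            out = simulate(flows, buffers, {bank})
            if out.affected:
                result[bank] = out.affected
    return result


if __name__ == "__main__":
    for hoarding in (False, True):
        out = simulate(FLOWS, BUFFERS, {"A"}, hoarding=hoarding)
        print(f"attack on A, hoarding={hoarding}: affected={sorted(out.affected)} "
              f"fraction={out.fraction_affected:.2f} forgone={out.forgone_payments}")
    print("small banks that impair others on their own:",
          reverse_stress_test(FLOWS, BUFFERS, max_buffer=18))
```

Passing several banks in `attacked` models a group hit through a shared service provider. With these constructed numbers an attack on A first stops F (small buffer, large inflow from A) and then D, which depends on F; turning hoarding on takes the whole network down in three rounds, which is the amplification from strategic responses the authors describe, and the reverse stress test singles out F, a bank with a small buffer but large payment flows.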


3 findings from Synopsys and Ponemon study on security practices and challenges


A recent survey commissioned by Synopsys further reinforced the challenges the financial services industry faces in maintaining its cybersecurity and in dealing with fraud and the compromise of consumer data.

Based on a survey of global financial services organizations conducted by Ponemon Institute, Synopsys’ report highlighted the industry’s security posture and its ability to address security-related issues.

The study found that more than half of the surveyed organizations have experienced theft of sensitive customer data or system failure and downtime because of insecure software or technology.

The report titled, The State of Software Security in the Financial Services Industry, also noted that many organizations are struggling to manage cybersecurity risk in their supply chain and are failing to assess their software for security vulnerabilities before release.

“While the financial services industry is relatively mature in terms of their software security posture, organizations are grappling with a rapidly evolving technology landscape and facing increasingly sophisticated adversaries,” said Drew Kilbourne, managing director of security consulting for the Synopsys Software Integrity Group. “There is no single right approach to software security, but this study clearly shows that there is a significant need for improvement in supply chain risk management.

“There is also an opportunity for many organizations to expand the scope of their software security programs to cover all their business-critical applications and shift their efforts further left in the software development life cycle (SDLC),” Kilbourne continued.

Synopsys commissioned Ponemon Institute, a leading IT security research organization, to examine current software security practices and risks in the financial services industry (FSI). Ponemon surveyed more than 400 IT security practitioners in various sectors of the financial services industry, including banking, insurance, mortgage lending/processing, and brokerage firms.

The respondents’ roles included development, installation, and implementation of applications for the financial services industry.

Other key findings from the study included:

—The majority of FSI organizations are ineffective at preventing cyberattacks.

More than half of respondents have experienced system failure or downtime (56%) or theft of sensitive customer data (51%) due to insecure software or technology. The study showed that more organizations are effective in detecting (56%) and containing (53%) cyberattacks than in preventing attacks (31%).

—Many FSI organizations are struggling to manage cybersecurity risk in their supply chain.

Nearly three-quarters (74%) of respondents were concerned or very concerned about the security posture of third-party software and systems. Despite this concern, only 43% of respondents said their organizations impose cybersecurity requirements on third parties involved in developing financial software and systems. Furthermore, only 43% of respondents said they have a formal process for inventorying and managing the open source code in their software portfolios.

—FSI organizations are failing to assess their software for security vulnerabilities before release.

While most organizations follow a secure software development life cycle (SDLC) process, respondents reported that their organizations test, on average, only 34% of all financial software and technology developed or in use by their organization for cybersecurity vulnerabilities. For the software and technology that is tested for vulnerabilities, only 48% of respondents reported that security testing occurs in the pre-release phases of the SDLC, such as the requirements and design phase or the development and testing phase.

To download a free copy of the report, go to this website.

Kilbourne and Larry Ponemon of the Ponemon Institute also are hosting a free webinar to discuss the report in more detail. The event is set for Sept. 12 at 1 p.m. ET. Registration for the session can be completed here.
