Why Your Survey Won’t See the Light of the Media Day

I wrote this piece with Greg Matusky, the head of the Gregory FCA agency.

As a marketer of a security firm, you know that surveys can serve as high-impact marketing tools when shared with clients, used to power top-of-the-funnel lead gen campaigns, punch up sales literature, incorporated into white papers, and create great content for any number of channels.

But when it comes to gaining media attention for your survey, well, that can be a struggle. The media is inundated with corporate-funded surveys and often turn a jaundiced eye to them precisely because of their inbred biases.

Gaining exposure in the media or by having the results “go viral” on social media requires you to create surveys that deliver results that withstand media scrutiny. But these surveys also must meet the definition of what is new, what is newsworthy, and what is interesting to an audience eager to better understand the changing world of cybersecurity. Above all, you need to put away your marketer’s hat and assume a reporter’s perspective in order to create results welcomed, not ignored by the media. Here’s what you need to know.

Man Bites Dog. Findings should be unexpected, counter-intuitive, unusual, or all three.

Having a survey that repeats common wisdom is a sure way for reporters to instantly hit the delete key.

This Barracuda survey found that 74 percent of respondents stated that security concerns restrict their organization’s migration to the public cloud and have prevented widespread cloud adoption. So tell me something new! The results might have been news back in 2000, but not now.  A great survey breaks new ground. It adds to the common knowledge and doesn’t just repeat it. Push your organization to formulate questions that produce the unexpected, counter-intuitive findings that media love.

Bigger is Better!

Sample sizes need to be big enough to impress – and be meaningful. Sample sizes of a few hundred participants, based on some non-random selection, such as people filling out a SurveyMonkey form, isn’t going to cut it. You can’t fool the media. They want statistical validity and the credibility that comes from large sample sizes.

Want a prime example? Consider Kaspersky Lab and B2B International release of a survey that drew on 5,000 companies of all sizes from 30 countries. Now that carries heft, and indeed, the results were cited in several places, including that the average cost of a data breach for enterprise businesses in North America is $1.3M. Another survey from Bitdefender interviewed 1,050 IT professionals in several countries to find out their cloud security purchase decisions. Both of these surveys are keepers.

Compare those surveys to a Beyond Trust study of nearly 500 IT professionals and concluded the “5 Deadly Sins” within organizations that ultimately increase the risks of a data breach. Yes, that will be conclusive – not. You are cherry picking the results here for sure.

But sample size isn’t enough. Take for instance a recent survey conducted by One Identity. It asked 900 IT security professionals for their thoughts. Seems like a promising sample size. But the results talk about inadequate IT processes around user access by disgruntled former employees and other nefarious actors — providing a widespread opportunity to steal usernames and passwords, risking the infiltration of their entire IT network. That brings us to our next point.

Blind them with science!

Make sure you ask the right evidence-based questions. Many surveys focus on “soft” assessments, such as “Do you believe your cybersecurity is better/worse this year when compared to last year?” Can anyone really answer that question with hard facts? Probably not. To win media coverage, show the reporters the evidence behind the questions, or ask for specific information that can be based on more than just a “feeling.” As an example of what not to do: “Most organizations are worried that the technical skills gap will leave them exposed to security vulnerabilities,” which is from a Tripwire survey.

Here is another result from that same Tripwire survey that doesn’t really have any solid data behind it: “Seventy-nine percent believe the need for technical skills among security staff has increased over the past two years.” Where did they get their beliefs from?

And then there is this survey from ABI Research, which finds that 40% of respondents believe that data security is the leading barrier to adopting innovative technologies. Again, how did the participants rank their beliefs and come up with this conclusion? This survey says nothing.

Consider the source of the discontent.

Sometimes having surveys come from surprising places, such as academic researchers, is a sexy way to interest media. Third parties make the findings more newsworthy and citable. Here is a report about the relative security of swiping patterns versus a six-digit PIN code that was done for the US Naval Academy. They surveyed more than a thousand people to find out that “shoulder surfers” (busybodies who look over our shoulders at crowded places) can remember the swipe patterns better than the numeric PINs. It also provides an unexpected result too. Could your organization team with a similarly credible third party to tell its story?

The best surveys use data that isn’t easily available.

Data such as server logs or actual threat data that show particular trends is useful and notable. Many security vendors now report on data from their own networks, using their monitoring tools that track what is actually being observed “out in the wild.” There is no belief system required: This is cold, hard data. The king of these kinds of surveys is the Verizon Data Breach Investigations Report, which has been coming out for the past decade. This report examines the actual attacks and isn’t asking for anyone’s opinion or feelings. It is encyclopedic, comprehensive, thoughtful, and analytical. Because it has been around for so long, the analysts can pull together trends from its historical records. And, at least until Verizon was itself breached, the data came from a solid brand too.

As you can see, there are some surveys that are worthwhile. The best ones take time and cost money to pull off properly. But they are worth it in terms of great media coverage.

Read More
How to protect your emails using Inky Phish Fence

Inky Phish Fence is an anti-phishing platform available for many email systems and can detect and defend against many types of suspicious emails and phishing attacks. It comes as an add-in for Outlook for Exchange/Office 365 accounts. It is also available for G Suite and Gmail as a Chrome extension. Enterprise users would most likely use a purely server-side gateway version where the checks are performed automatically and the warnings get inserted into the actual email. The consumer add-ins are free, the corporate version starts at a few dollars per month per user with quantity discounts available.

I tested the product in November 2017.

 
Read More
SecurityIntelligence blog: The history of ATM-based malware

I haven’t used a bank ATM for years, thanks to the fact that I usually don’t carry cash (and when I need it, my lovely wife normally has some handy). I still remember one time when I was in Canada and stuck my card in one of the cash machines, and was amazed that Canadian money was dispensed. I was amazed at how the machine “knew” what I needed, until I realized that it was only loaded with that currency.

Well, duh. Many of you might not realize that underneath that banking apparatus is a computer with the normal assortment of peripherals and devices that can be found on your desktop. The criminals certainly have figured this out, and have gotten better at targeting ATMs with all sorts of techniques.

Back as recently as three years ago, most ATM attacks were on the physical equipment itself: either by placing skimming devices over the card reading slot to capture your debit card data or by forcing entry into the innards of the ATM and planting special devices inside the box. Those days are just a fond memory now, as the bad guys have gotten better at defeating various security mechanisms.

For many years, almost all of the world’s ATMs ran on Windows XP. Banks have been upgrading, but there are still a lot of XP machines out there and you can bet that the criminals know exactly which ones are where.

But there is a lot happening in new ATM exploits, and my post for IBM’s Security Intelligence blog on the history of ATM malware hacking talks about these developments. In fact, ATM malware is now just as sophisticated and sneaky as the kind that infects your average Windows PC, and ATM malware authors are getting better at emptying their cash drawers. For example, malware authors are using various methods to hide their code, making it harder to find by defensive software tools. Or they are taking a page from the “fileless” malware playbook, whereby the malware uses legit OS code so it looks benign.

There is also a rise in network-based attacks which exploit lax banking networking topologies (segmentation seems to be a new technology for many of them), or rely on insiders that either were willing or had compromised accounts. Some of these network-based attacks are quite clever: a hacker can command a specific ATM unit to reboot and thereby gain control of the machine and have it spit out cash to an accomplice who is waiting at the particular machine.

Sadly, there are no signs of this changing anytime soon and ATM malware has certainly become mainstream.

Read More
Life imitating art

One of my favorite sci-fi books was Card’s Ender’s Game series, which chronicle smart kids who play video games and end up controlling an interstellar war. There is a lot more to the books and well worth your time if you haven’t read any of them, and even the movie was decent. The same basic plot point was part of a movie called The Last Starfighter made many years ago. Now the Pentagon has taken a cue from the idea and is writing its own video game called Operation Overmatch, according to this piece in DEFENSE ONE. The game, which is still in its early development stages, will help train soldiers in warfighting tactics and methods. It includes six types of armored vehicles playable across four different urban levels. When you think about this, it makes a lot of sense, given that many of their recruits are probably FPS fans. The article talks about some of the issues involved in designing a realistic simulation that teaches critical thinking and decision-making skills that could have life and death consequences.

That isn’t the only item in the news this past week that got me thinking about the notion of life imitating art. A group of Brazilian researchers has compiled an open-source blockchain-related database of discretionary expenditures and reimbursement by members of their Parliament. The project is called Serenata de Amor, which means love serenade. Brazil passed a mandatory financial disclosure law just a few years ago in an attempt at making their government more transparent and accountable. Like in the States and elsewhere, public servants have accounts that they can get reimbursed for their business expenses, but sometimes this “slush fund” can be abused. The most infamous case of this happened more than 20 years ago in Sweden when a public official was found to be buying groceries on her government credit card account and was dubbed The Toblerone affair. These Brazilian coders got together to try to stop this abuse.

The disclosures are searchable and the code has been written in English to facilitate international collaboration. Here is a post on Medium that describes the project and how people can contribute.

What does this have to do with life imitating art, you ask? If you have read the book or seen the movie called The Circle, you immediately recognize one of the major plot points about transparency in government. Instead of a blockchain database, people wear body cameras that stream their activities 24×7 and develop their own online audiences that watch their every move. If a Congressperson is continually broadcasting their daily meetings, there are no longer any backroom deals.

Sci-fi is always ahead of reality in some interesting ways. A noted example was the first geosynchronous satellites, which were thought of by Arthur Clarke back in 1945, 20 years before they actually became a reality. But it does seem lately things are getting more interesting.

Read More
Book review: The Selfie Generation

Alicia Eler once worked for me as a reporter, so count me as a big fan of her writing. Her first book, called The Selfie Generation, shows why she is great at defining the cultural phenomenon of the selfie. As someone who has taken thousands of selfies, she is an expert on the genre. Early on in the book she says that anyone can create their own brand just by posting selfies, and the selfie has brought together both the consumer and his or her social identity. The idea is that we can shape our own narratives based on how we want to be seen by others.

Do selfies encourage antisocial behavior? Perhaps, but the best photographers aren’t necessarily social beings. She captures the ethos from selfie photographers she has known around the world, such as @Wrongeye, Mark Tilsen and Desiree Salomone, who asks, “Is it an act of self-compassion to censor your expression in the present in favor of preserving your emotional stability in the future?”

Are teens taking selfies an example of the downfall of society? No, as Eler says, “teens were doing a lot of the same things back then, but without the help of social media to document it all.”

She contrasts selfies with the Facebook Memories feature, which automatically documents your past, whether you want to remember those moments or not. She recommends that Facebook include an option to enable this feature, for those memories that we would rather forget.

Eler says, “Nowadays, to not tell one’s own life story through pictures on social media seems not only old-fashioned, but almost questionable—as if to say ‘yes, I do have something to hide,’ or that one is paranoid about being seen or discoverable online.”

Eler mentions several forms of selfies-as-art. For example, there is the Yolocaust project, to shame those visitors to the various Holocaust memorials around the world who were taking selfies and make them understand the larger context. And the “killfie,” where someone taking a picture either inadvertently or otherwise dies.

This is an important book, and I am glad I had an opportunity to work with her early in her career.

Read More
HPE Enterprise.nxt blog: CEO cybersecurity 101: Improve your executives’ security hygiene

Chances are, your CEO doesn’t have the best data security hygiene. And too often that’s the case among other executives as well. Everyone’s current favorite, Equifax, had execs using poor password choices that failed to follow best security practices, among other bad practices.

Although they may not all make headlines, companies with poor security habits are (unfortunately) plentiful. The 2017 Verizon Data Breach Investigations Report found 81 percent of hacking-related breaches use either stolen or weak passwords. In other words, the breaches resulted from easily compromised identities.

You can read my story on HPE’s blog here about some suggestions on how to improve security posture in the C-suite and bring our execs up to par. They should be leading by example in this area.

Read More
FIR B2B #83: Making better B2B podcasts

I have been producing various podcasts for more than a decade. I got interested in them back in the day when I had a long commute and listened to Adam Curry’s Daily Source Code and Mark Nemcoff’s PCH podcasts. After a long hiatus, podcasts are again on the rise, and you might be interested in reading this piece about the three fundamental moments that have contributed to podcasts’ recent resurgence.

As you know, many of my podcasts were done with my partner in crime Paul Gillin. We took some time on a recent episode of our show FIR B2B to look at what corporate marketers should do to make better podcasts.

First, you need to think about podcasts as one part of your overall online media and brand-building effort, and not just a one-off. You want to build an audience over time and complement what you are doing with blogs, social media, and other content.

All successful podcasts contain multiple voices and aren’t just a single person talking; those get boring quickly. Use multiple elements, such as listener mail, headlines, short takes, offbeat items and quizzes. Find a theme that can work across multiple episodes. The theme doesn’t have to be “brand promotion,” indeed, podcasts work best if that isn’t your theme. And while you are thinking up a theme, find some royalty-free (what is called podsafe) music intro and outro that you can use to punch it up and make it sound more professional. Amazon is one of many places where you can find low-cost podsafe music.

The optimum length is tough to predict. Some podcasts run out of steam at five minutes, while others can hold your attention for 45 minutes. Factors to consider include the number of topics to cover, the depth of the discussion, the chemistry of the speakers and the attention span of the audience. Ask your listeners for feedback.

As you can see here, show notes add keywords to your posts, which helps to increase search engine traffic. Add ID3 tags to your audio files for the same effect, because search engines can’t read audio.

If you are looking for a good list of hosting providers, check this one out. Really, any hosting provider that allows you to FTP your audio should be fine.

Finally, don’t despair about measurement and metrics. While you can measure downloads, that doesn’t tell you whether someone actually listened to the entire episode. David uses Wistia metrics on his screencast videos to track all sorts of granular activity, but there’s no tool that we know of to measure actual listenership.

You can listen to our episode here:

Read More
Do you need a chief trust officer in your c-suite?

I recently read this blog post which talks about having a chief trust officer as part of your executive team. This is a different kind of title from someone working at a bank that actually involves managing financial instruments with that name, so it is a bit confusing at first. But what the post talks about is someone being in charge of overall data and customer trust relationships.

The author says, “In our internal discussions, security is not the sole realm of the CISO. The concepts of trust, reliability, and security figure into every aspect of our business.“ Informatica moved its CISO from its IT organization to its R&D group and gave him this new title as a way to increase transparency and improve overall security and communications. Certainly the recent events surrounding Equifax and other data breaches have brought these issues to the forefront.

Certainly, having new kinds of staff titles is a growing trendlet. We have chief people officers (which used to be called HR), chief fun officers (now that is a job that I could do), chief curator (this one decides what content to put on a corporate home page), and chief amazement officer or chief troublemaker (who both turn out to be the company’s founder). Certainly, some of these titles are just annoyingly cute, and could be more confusing that clarify any particular corporate role.

But I think the chief trust officer is actually a title worth thinking about, if you dive into understanding why you are giving it to someone.

I spoke to Drummond Reed, who is an actual Chief Trust Officer for the security startup Evernym, about why he calls himself that. “We choose that title very consciously because many companies already have Chief Security Officers, Chief Identity Officers and Chief Privacy Officers.” But at the core of all three subjects is “to build and support trust. So for a company like ours, which is in the business of helping businesses and individuals achieve trust through self-sovereign identity and verifiable digital credentials, it made sense to consolidate them all into a Chief Trust Officer.”

Reed makes an important point: the title can’t be just an empty promise, but carry some actual authority, and has to be at a level that can rise above a technology manager. The chief trust officer has to understand the nature of the business and legal rules and policies that a company will follow to achieve trust with its customers, partners, employees, and other stakeholders. It is more about “elevating the importance of identity, security, and privacy within the context of an enterprise whose business really depends on trust.”

That brings up something else. How many businesses don’t depend on trust? Those that are out of business, it seems. I think it is appropriate to signal not just that someone is in charge of infosec or privacy issues, but covers everything in the trust workflows and lifeblood of the business.

So whether you have trendy titles in your company or not, think about having a chief trust officer. If you are serious about building (or in the case of a post-breach, rebuilding) trust with your customers and staff, it might make sense. And dollars, too.

Read More
Bike fundraising with my sister

I started riding my bike like most suburban teens and took my first long trip with my friend Karl when we were 16, riding 250 miles in five days to the end of Long Island, camping along the way. Since then, I have always been a big bicycling person. After college, I led a couple of biking trips for teens for one of the hosteling groups, and then to get to grad school I rode my bike across Canada for a summer-long course of about 2500 miles. After grad school I was working in DC and led the effort to get bikes on board the subway trains there. So I wasn’t just a rider, but a biking advocate.

In my late 40s, I decided to take up bike charity fundraising, and started doing a series of annual rides. My first ones were to benefit AIDS research and went from NYC to Boston. I later did rides to benefit diabetes, cancer and MS research, and thanks to many of you, was able to be one of the top fundraisers for my rides.

My sister Carrie’s experience though with riding was completely different. She didn’t touch a bike until after she turned 55. “I figured I survived breast cancer, I might as well tackle a bike.” So she taught herself to ride, got a pretty new bike and signed up for the 24 Baltimore ride and started a team with me and another couple. Carrie and I had done several multi-day breast cancer walking events over the years in different cities. We try to find an event that has some meaning to us, challenging and exciting. One year we did one of the Avon walks in Philadelphia: it was so cold and rainy that we had to be evacuated from our campground to a local high school, where we spent the night sleeping on the floor. At least it was warm and dry.

When we signed up for the 24 ride, I didn’t realize that it would be such a benefit for helping Carrie learn how to be a better bike rider. She had limited experience using gears, for example, and tackling hills. Since she got her bike, she has fallen several times and cracked a few ribs. I am amazed that after these experiences she would want to get anywhere near a bike. But that is the kind of person she is.

This photo of us then represents something very unusual: both of us on bikes, going through the “finish” line on one of our laps. After doing so many of these events with and without her, it is the first time we have been together on two wheels.

The structure of the 24 ride is doing a tight 2+ mile loop over and over again. While it can get tedious, it turned out to be just the right thing for a beginner such as Carrie. This is because she got to try out her gearing and her climbing strategy over the series of laps. Many of the other riders saw that she was a newbie and gave her lots of encouragement, and it was fun to be on my bike with her throughout the day. No, we didn’t go all 24 hours, but we still did more than 25 miles around the course.

I was very proud of her prowess, and how much she enjoyed the event. And glad that we got to do this together too.

Read More
Interview with Yassir Abousselham, Okta CSO

I spoke to Yassir Abousselham, the CSO for Okta, an identity management cloud security vendor. Before joining Okta this past summer, he worked for SoFi, a fintech company where he built the company’s information security and privacy program. He also held leadership positions at Google, where he built both the corporate security for finance and legal departments and the payments infrastructure security programs, as well as at Ernst & Young, where he held a variety of technical and consultancy roles during his 11-year tenure.

When first started at E&Y, he worked for an entertainment company that hired them to examine their security issues. He found a misconfigured web server that enabled them to enter their network and compromise systems within the first 30 minutes of testing. This got him started in finding security gaps and when he first realized that security is only as good as your weakest link. “The larger the environment and more IT infrastructure, the harder it is to maintain these systems.” Luckily they weren’t billing by the hour for that engagement! He went on to produce a very comprehensive look at the company’s security profile, which is what they needed to avoid situations like what he initially found.

“The worse case is when companies do what I call check mark compliance assessments,” he said, referring to when companies are just implementing security and not really looking closely at what they are doing. “On the other hand, there are a few companies who do take the time to find the right expertise to actually improve their security posture.”

“To be effective, you have to design many security layers and use multiple tools to protect against any threats these days. And you know, the tools and the exploits do change over time. A few years ago, no one heard about ransomware for example.” He recommends looking at security tools that can help automate various processes, to ensure that they are done properly, such as automated patching and automated application testing.

Although he has been at Okta only a few months, they have yet to experience any ransomware attack. “The first line of defense is educating our employees. No matter how much you do, there is always going to be one user that will open an phished attachment. Hackers will go through great lengths to socially engineer those users.” Okta employs a core security team that has multiple functions, and works closely with other departments that are closer to the actual products to keep things secure. They also make use of their own mobile management tool to secure their employees’ mobile devices. “We allow BYOD but before you can connect to our network, your device has to pass a series of checks, such as not being rooted and having a PIN lock enabled and running the most updated OS version,” he said.

How does securing the Google infrastructure compare to Okta? “They have a much more complex environment, for sure.” That’s an understatement.

Working for an identity vendor like Okta, “I was surprised that single sign-on or SSO is not more universally deployed,” he said. “Many people see the value of SSO but sometimes take more time to actually get to the point where they actually use this technology. Nevertheless, SSO and multi-factor authentication are really becoming must-have technologies these days, just like having a firewall was back 20 years ago. It makes sense from a security standpoint and it makes sense from an economics standpoint too. You have to automate access controls and harden passwords, as well as be able to monitor how accounts are being used and be able to witness account compromises.” He compares not having SSO to putting a telnet server on the public Internet back in the day. “It is only a matter of time before your company will be compromised. Passwords aren’t enough to protect access these days.”

 

Like what you are reading?

Subscribe to Inside Security!



Read More
1 2 3 196