
Thoughts From My Inbox

September 30th, 2022

Skyscrapers, Backups, and Checking Boxes

My mom always used to ask me why I couldn’t remember my schoolwork as well as I could remember baseball statistics (maybe because my schoolwork wasn’t on the back of all the baseball cards I collected?). And my son used to like to tell me that [fill in the blank] percent of statistics were made up. Regardless, I like statistics (not the kind I had to study in college), whether they be baseball, cyber security, or otherwise.


The image below is a great example as to why you always have to verify your sources, or at least question them. One of the articles I have this week states that a ransomware infiltration “probably wasn’t due to employee error.”  Which reminded me of the Stanford U. stat I saw last week stating that 88% of data breaches were due to human error.  So, either the ransomware attack in question wasn’t deemed a data breach, or the speaker of that opinion is trying to cover for somebody.  Anyhow, I reran the search that gave me that 88% number, and on the same search results page had four different numbers, claiming that anywhere from 52-95% of breaches are due to human error.  Just a reminder that samples vary quite a bit and that you should consider the number you’re repeating.


Something About…


$35M Morgan Stanley Fine

Morgan Stanley recently ‘agreed’ to pay a $35M fine as imposed by the SEC for not properly destroying hardware devices containing personally identifiable information (PII). What does that mean?  Lots of used disk drives loaded with Morgan Stanley client data were sold online even though they weren’t properly wiped clean.  There’s no mention of it in the article, but I would imagine that if you’re a Morgan Stanley client, it might be worth asking your rep for a little more information.  Meantime, if you were curious, all the drives that we send out for recycling are wiped and we are presented a certificate, including serial numbers of the hardware in question.


Skyscrapers

Over the years and across our travels as a family, we’ve been to the tops of The Eiffel Tower, Empire State Building, CN Tower, whatever the John Hancock Building is now called, the London Eye, and numerous others.  And with every one, my wife Nancy says “a tall building looking over a city is the same as any other tall building looking over a city.”  So, this article jumped out at me as it describes all of the different things you can now do atop those buildings, aside from just having a looksee.


Proper Backups

We used to tell people that as long as they had good data backups that are easily recoverable, there’d never be a need to pay a ransom.  Now that criminals are not only encrypting data (to collect a ransom) but selling it online (double extortion), that theory doesn’t always hold true.  If your data hasn’t been stolen (or if you don’t care what happens to it), then a good backup still prevents you from paying a ransom.

We still agree with the FBI in that you should never pay a ransom.  It doesn’t guarantee recovery of your data, and only perpetuates the crime.  And, as a Colorado community just proved, good backups go a long way in helping to make your decision.

Paying Yourself

I’ve never used Zelle for electronic payments and since Bank of America (which owns Zelle) doesn’t have much physical presence in Cleveland, I’ve never banked with them. The news of a recent Zelle scam came through my inbox this week, however, and since it’s such a popular tool, I figured I’d share it.  There’s a new scam in which Zelle users are being convinced that they need to transfer money to their own accounts to stop scammers from taking that money.  The problem is, the money is being transferred right to the scammers.  Zelle has gone so far as to set up a website with information on how to avoid being scammed, and I wonder if that might be due in part to the class action suit filed against BofA, claiming that the bank knew the Zelle platform was open to scams of this sort.

Data Destruction

There’s a new type of ransomware that’s starting to rear its ugly head.  Instead of the old standby where a hacker encrypts your data and requires payment for a decryption key (which still doesn’t guarantee return of all of your data), this new one actually employs data destruction to coerce you into making a payment.  Once the hackers gain access to your network, they extract your data onto their servers and destroy it on yours.  In theory, your only hope is to pay them to give your data back.  Unless, of course, you have proper backups that are easily recoverable (see above).

All of the backups that we manage are disconnected from the internal domain, for starters.  On top of that, they all go to our datacenter.  So, even if a hacker were to steal your data (they’d have to get past Sophos, first), we would still just recover your data from our data center.  There’s a lot to be said for having good backups that are tested and verified on a regular basis!

Venture Capital Opportunity

Looking to raise some VC funding or sell your business?  Then you might want to get into cyber security.  Cyber security firms have received more than $12B in investments so far this year, and while that’s down from $24B last year, it’s still a pretty sizable market.  And if you’re questioning the need for cyber, Google just completed a $5.4B acquisition of an incident response provider, while Thoma Bravo (which owns our security solutions provider, Sophos) just finalized a $6.9B deal on an identity management company.  Lots of need for cyber security and lots of money being thrown around…

Checking The Boxes

I asked one of my cyber insurance connections on Wednesday for a sample checklist that insurance carriers use for underwriting cyber policies.  (We work with our clients on a regular basis to make sure that they have all measures in place for the purpose of placing or renewing coverage.)  The list I received was two pages long with 13 sections and a total of 68 bullet points.  The section on multi-factor authentication included seven bullet points covering items such as remote access, Microsoft 365, data backups, remote desktop protocol (RDP) and more.

Why do I bring this up?  Because Travelers Insurance recently sued to have a policy rescinded when it was determined that the customer had lied about their use of multi-factor authentication.  Travelers was on the hook for $1M due to a ransomware loss until the discrepancy was discovered.  My point is that the checklists for insurance are getting longer and longer, and we’ve come across plenty of companies who just check the boxes, not knowing (not caring?) whether they actually have all the proper measures in place.

One last thing to mention before we roll into the weekend.  Ashton is one of the sponsors of this year’s Wine, Women, and Shoes event to benefit Ronald McDonald House Charities of Northeast Ohio.  This is our first year involved with the event, and it sounds like a great afternoon. If you’re interested in attending or sponsoring, you can do so here.  And also on the topic of RMHC, we have a couple of Ashton team members and a handful of clients participating in tomorrow’s Pulling for Kids event, which is a day of sporting clays.  We did this one last year, and (pardon the pun) it was a blast!


I’m spending the weekend in Happy Valley, PA.  No, I haven’t changed my college football allegiance… this is an annual get-together with old (literally) college buddies. Trout fishing on the Little Juniata River and Penn State/Northwestern football.  Hopefully I’ll have some good stories for you next week.


Have a great weekend!


Abbey
