Survey: Average ransomware payment is $1 million; average incident costs $170,000

This is the second study Ponemon Institute has conducted on the devastating impact ransomware attacks have on small to large-sized enterprises. The first study was completed in 2017, and as revealed in this research, little progress has been made in mitigating the consequences of these threats. In this year’s research, the percentage of companies experiencing an attack increased from 51 percent in the 2017 study to 80 percent. Yet, 57 percent of respondents believe their companies are too small to be the target of ransomware. This has remained unchanged since 2017.

Ponemon Institute surveyed 659 IT and IT security professionals in small to large-sized companies in the United States. All respondents have responsibility for containing ransomware infections within their organization. This study was sponsored by CBI and Check Point and conducted independently by Ponemon Institute.

The cost per incident will continue to increase, and the types of attacks will continue to evolve. What’s most striking is that the vast majority of organizations are not doing enough to evaluate the security of their third parties. These findings should be a wakeup call and motivate organizations to evolve their ransomware mitigation playbooks.

The following findings describe the costs and consequences of a ransomware attack.

  • Of the 80 percent of companies that experienced one or more ransomware attacks, 53 percent of respondents say the ransom was paid and averaged over $1 million. The preferred methods of payment are bitcoin and virtual currencies.
  • If companies didn’t pay a ransom, it was because they had a full and accurate backup. However, respondents also believe a full and accurate backup is not enough when experiencing a ransomware attack.
  • Companies that paid the ransom did so because they could not afford the downtime and had a cyber insurance policy that covered the financial consequences of a ransomware attack. Only 50 percent of respondents say the cybercriminals provided a decryption key after payment.
  • Companies suffered financial consequences such as having to shut down for a period of time, losing customers, and eliminating jobs.
  • According to the research, an average of 14 staff members each spent 190 hours to contain and remediate their companies’ largest ransomware incident. Based on an average hourly rate of $63.50, the average cost to assign staff to deal with the incident was approximately $170,000.
  • The highest total costs resulting from a ransomware attack are from legal and regulatory actions, followed by the cost resulting from the company’s response to information misuse or theft.
  • Cybercriminals were most likely to use phishing/social engineering and insecure websites to deliver ransomware. The most frequently compromised devices are desktops and laptops; however, since 2017, mobile devices have increasingly been targeted.
  • Compromised devices infected other devices in the network. Very often, data was exfiltrated from the device.
  • As in the previous study, companies are reluctant to report the incident to law enforcement because of concerns about negative publicity and the potential loss of customers.

Following are the key takeaways from this research.

IoT risk awareness is rising and ransomware prevention is increasingly prioritized. Awareness of IoT risks has risen from 58 percent of respondents in 2017 to 67 percent of respondents in this year’s research. Prevention of ransomware is becoming more of a priority, increasing from 46 percent to 53 percent. Respondents say their organizations are slightly less likely than in 2017 to pay the ransom if attacked.

There is a lack of confidence in security controls. Companies spend an average of $6 million annually on staff and technologies meant to prevent, detect, contain and resolve ransomware attacks. However, there is only a slight improvement in confidence about security controls that prevent ransomware attacks.

Companies are increasingly relying upon third parties to deal with the prevention and consequences of a ransomware attack. Since 2017, the engagement of third parties to reduce the risk increased significantly from 58 percent of respondents to 69 percent of respondents. To remediate the incident, the use of the expertise of third parties has increased from 59 percent of respondents to 70 percent of respondents.

Despite the seriousness of ransomware, the ability to respond is low. As reported, the increase in ransomware attacks has been significant since 2017. However, the ability to respond to such attacks is very low. Companies must assess their staff, technologies, and policies to increase overall readiness.

The severity of ransomware infections has increased over the past 12 months. Sixty-one percent of respondents say the severity of ransomware infections has significantly increased (25 percent) or increased (36 percent) since last year. In 2017, 57 percent of respondents said the severity of ransomware infections increased significantly (18 percent) or increased (39 percent) over the past 12 months.

Companies have been receiving more ransomware alerts since 2017. As defined in this research, a ransomware alert is a notice that your system may be targeted or susceptible to a ransomware attack. These alerts are communicated via threat intelligence and law enforcement.

The number of weekly alerts has increased from 25 weekly alerts in 2017 to 34 in this year’s study. In 2017, 46 percent of these alerts were considered reliable. In this year, 51 percent are considered reliable. In a typical month, an average of 6 percent of attempted attacks trigger an alert through one or more security controls but remain undetected.

A full and accurate backup is not considered enough by 55 percent of respondents. As discussed previously, only 32 percent of respondents are confident in their security controls, indicating the need to use more effective technologies to prevent ransomware attacks.

More companies need to conduct security assessments as part of their ransomware readiness strategy. Only about half (51 percent) of respondents say their organizations regularly conduct assessments to test their ransomware prevention and recovery practices.

In some cases, cyber insurance providers are decreasing their coverage for ransomware attacks. Most companies (64 percent of respondents) do not have cyber insurance policies that cover ransomware. Of the 36 percent of respondents who say their policies cover such attacks, 40 percent say the cyber insurance provider modified its ransomware protection resulting in decreased coverage. The average annual premium for a cyber insurance policy is $17,100.

Employees are still considered the weakest link in preventing ransomware attacks. Despite employee security training awareness programs that address social engineering, spear phishing and ransomware attacks, only 30 percent of respondents are very confident (12 percent) or confident (18 percent) in their employees’ ability to detect social engineering lures that could result in a ransomware attack.

Despite the risk, only half of training programs fully cover social engineering, spear phishing and ransomware. Sixty-one percent of respondents say their companies conduct continuous employee security awareness training. Of these respondents, 92 percent say the training covers social engineering, spear phishing and ransomware attacks fully (50 percent) or partially (42 percent).

In addition to insider risks, companies face ransomware threats from their suppliers and third parties. Seventy-five percent of respondents say they are very concerned about the risks the supply chain poses to their company as they relate to ransomware. Only 33 percent of respondents say third parties have the necessary privacy and security practices in place to reduce the risk of a data breach involving their companies’ sensitive and confidential information.

To reduce the risk of ransomware attacks, companies need to assess the security and privacy practices of their supply chain and third parties. As discussed, 75 percent of respondents are concerned about the ransomware risks posed by third parties. However, only 36 percent of respondents say their organizations evaluate third parties’ security and privacy practices. Only slightly more than half (53 percent) of respondents say their organizations conduct an assessment of the third party’s security and privacy practices. Currently, organizations mainly rely upon a review of written policies and procedures, according to 64 percent of respondents.

Download and read the report’s full findings here. 

New podcast: Defending democracy (and us) from Big Tech

Bob Sullivan

As war rages in Ukraine, big technology companies are struggling to keep up. Thousands of small decisions are being made at breakneck speed. Think, for just a moment, about the overwhelming task of sifting through propaganda-spewing social media accounts. Make yourself a tech exec right now.  What’s free speech? What’s harassment? What’s incitement to violence? Where should we disable our service?

What if….my product makes the war worse?

These are life-altering decisions — not as real as pulling a trigger or launching a bomb, but not too far behind.  I don’t envy those fighting the disinformation war right now. It’s no secret I am a frequent Big Tech critic, but it appears to me Facebook, Twitter, Google, Microsoft, etc, are all doing the best they can under the most difficult circumstances.

Makes it hard not to wonder why these firms couldn’t have been fighting disinformation this hard all along.  (In fairness, as I see the world rise up in a global effort to care for refugees, for justice, for freedom, and against war, I think we should probably all be asking ourselves that question.)

All good intentions aside, there’s a really big question to ask, one which will be with us even after the current crisis passes: Who made Facebook, Google, and Twitter judge and jury over the digital universe? You might agree entirely with every decision these firms are making right now. But one day, you won’t.  Then what?

Whether or not you realize it, Big Tech companies are running our lives in ways unimaginable just a few years ago. They tell us what to read, where to eat, what lawnmower to buy….and in many cases what mate to marry, even what cancer treatment to get.  And at each decision, they take a cut. Tech titans have amassed incredible wealth doing this — so much money that executives are dabbling in space travel the way earlier titans bought luxury cars.

It’s one thing to be rich.  But it’s another to usurp the functions of a democratic society. Big Tech has done that, and right now, there isn’t much we can do about it. Facebook broke the law, signed a consent decree, violated the consent decree, was fined $5 billion, and….well, not much changed.  After Frances Haugen’s whistleblower testimony, Facebook  — far from humbled — started nudging more pro-Facebook content onto users’ walls. That’s power.

More important, it’s unchecked power. The notion of checks and balances is built into the fabric of our society – of any free society. But right now, Big Tech is judge and jury in so many critical situations. When you search Twitter for news on Ukraine, or search for a vacuum cleaner on Amazon, or Google prostate cancer, who knows why you see what you see? If your Facebook post is pulled down for a “violation,” do you really expect you’ll get a decent explanation?

These are fundamental, existential questions in a democracy.  They might have seemed academic, even a week or so ago, but our time makes it clear: Big Tech is wielding almost limitless power on our lives. Unaccountable for these decisions. That’s unhealthy.  It has to change.

That is the idea behind “platform accountability.” What can be done to create a force equal to Big Tech firms, so these companies and their leaders must answer to some kind of higher power.  Yes, we’ve seen hearings in Congress.  To date, they’ve been little more than reality TV shows.   To be really accountable, Big Tech has to run into Big Limits.

I’ve been a visiting scholar at Duke University for a couple of years, looking into these issues. As part of that work, I am helping set up a platform accountability project at the Sanford School of Public Policy. Students and faculty there are engaged in long-term research projects examining structures that might prop up some Big Limits around Big Tech. My first contribution to this effort is a documentary podcast I’ve been working on for many months called “Protecting Democracy (and us) from Big Tech.” Episode 1 dropped this week: It’s called Too Big to Sue. I hope you’ll give it a try. I feel really passionately about the need for people to pick their heads up and realize all the ways, large and subtle, that technology companies are changing our lives, changing the way we relate to each other. Maybe it’s more good than bad. Maybe it’s mostly good. But a handful of super-rich executives hiding behind keyboards and rocket ships shouldn’t be making those decisions for us. We need to be involved. We need to have real power.

I normally release podcasts at Duke as the host of Debugger — but the school has an ongoing podcast called Ways and Means, and this series is a co-production with their team. You can find out more about the entire podcast project at Duke’s Ways and Means page here.

This is a link to the Too Big to Sue episode page.


Making Security Possible and Achieving a Risk-oriented Security Posture

Improving an organization’s security posture can be a daunting task. Conducted by Ponemon Institute and sponsored by ReliaQuest, the research reveals that security leaders are committed to being risk-oriented and strategic but lack the fundamentals needed to achieve this objective.

More than 1,000 security leaders were surveyed in the United States (632) and United Kingdom (391) who are familiar with their organizations’ security operations and strategy. Participants in this research are knowledgeable about their organizations’ efforts in attaining a risk-oriented security posture. Most respondents are involved in implementing solutions (61 percent) followed by evaluating solutions (48 percent). This report presents the consolidated US and UK research findings.

Senior leadership and the board of directors are ill-informed about security risks facing their organization. Only 37 percent of respondents say they are tracking the right security metrics to be able to communicate risks easily and accurately to the business executives and board. As a result, only 31 percent of respondents say senior leadership and the board are tracking cybersecurity risk as a business risk.

Respondents are committed to a stronger risk-based security posture. Priorities for respondents are the ability to migrate applications to the cloud securely, implement an integration strategy to drive holistic visibility across security tools and develop metrics to align security and lines of business with the organizations’ business goals.

The following findings reveal why organizations are at risk and indicate the opportunities for improvement.

Risk management programs are not properly assessed and measured. Fifty-eight percent of respondents say their organizations lack a risk management strategy and decision-making structure. Another 58 percent of respondents say the number one reason they are vulnerable to a data breach is that their organizations lack a well-defined security and risk management program. Only 29 percent of respondents say the risk management program is assessed by lines of business and aggregated and reported across the entire organization.

There is a lack of visibility throughout the enterprise. Fifty-eight percent of respondents say it is difficult to protect business-critical assets because of the lack of visibility and blind spots in coverage. Sixty percent of respondents say their organizations lack integrated visibility into cloud and on-premises solutions. This is considered a significant obstacle to having effective threat detection and investigation practices.

Security teams find it difficult to achieve efficiencies in the detection, investigation and response to security incidents because of the numerous tools and technologies used. According to the research, there are too few people responsible for too many tools and technologies used for threat detection: 46 percent of respondents say one staff member could be responsible for between 4 and 10 tools, and 11 percent say one staff member could be responsible for more than 10 tools. As a result, it can take an average of 18 hours, or more than two working days, to detect, investigate and respond to a security incident.

Metrics used are not able to reveal the risk and support a risk-based management program. Sixty-four percent of respondents say there is a lack of standardized metrics to measure progress in the risk management program. Only 36 percent of respondents say their organizations measure visibility across the IT environment, including on-premises and cloud.

Confidence in the security of the cloud is low. Less than one-third of respondents say they are confident in knowing all cloud computing applications, platforms or infrastructure services in use today. Sixty-two percent of respondents say coverage gaps and lack of visibility make it very difficult and complex to secure data and applications in a multi-cloud and hybrid environment.

Fifty-one percent of respondents say misconfigurations in cloud implementations make organizations vulnerable to a data breach. Only 19 percent of respondents say their organizations measure the lack of integration due to disparity of cloud environments.

To read the executive brief of this report, visit Reliaquest.com  

Cookie pop-ups, and the data behind them, ruled illegal

Bob Sullivan

Hate pop-ups that interrupt your web browsing — and probably come with consequences you don’t fully understand? Well, there’s hope.

When Europe passed its ambitious law designed to protect consumer privacy, known as GDPR, many Internet users noticed only one impact — annoying pop-ups jammed with mini-privacy policies. To any level-headed person, the small windows were an annoyance clearly designed to get in your way – and get a check in a box so companies could continue tracking your online travels. Consent spam, they have come to be called. Most users clicked “agree” to get on with their day, effectively granting thousands of companies the ability to trade in intimate details of their digital lives.

A ruling by European regulators this week holds out the promise that consent spam and GDPR pop-ups will soon be gone. And so too could be the gigantic databases of user information collected using this method, including those of giants like Microsoft and Google.

When GDPR – Europe’s General Data Protection Regulation — took effect, advertisers had to come up with a way to get user consent for data collection. The industry came up with something called the “Transparency & Consent Framework (TCF),” managed by the online advertising industry’s trade body, known as IAB Europe.  In order to prevent a massive disruption in the background magic which matches ad buyers to users several billions of times per day — a system known as real-time bidding — IAB Europe invented the system we now know as consent spam.

The pop-ups were a source of user frustration, but more critically, much sarcasm.  U.S. critics have been fond of saying GDPR made life even worse for Netizens, adding annoyance while hardly protecting their privacy.

That’s why this week’s ruling is significant to policy-makers and users alike.

Johnny Ryan, a fellow at the Irish Council for Civil Liberties and a principal complainant in the case, wrote on Twitter that the “popups were not a symptom of the law, but of the tracking industry attempt to undermine the law.” EU regulators now agree with him.

Belgium’s Data Protection Authority ruled this week that the pop-ups violated the spirit and the letter of the GDPR — Europe’s General Data Protection Regulation. The authority found: The consent spam fails to provide real transparency about what happens to user data; fails to ensure the data is kept secure and confidential; and fails to properly request consent.

In a statement, the ICCL said that the popups support “a system posing great risks to the fundamental rights and freedoms of the data subjects, in particular in view of the large scale of personal data involved, the profiling activities, the prediction of behavior, and the ensuing surveillance of data subjects.”

IAB Europe was fined and ordered to come up with a plan to fix its system within two months. Perhaps more important: data collected through the system must now be deleted.

When I interviewed Ryan for a podcast recently, he called real-time bidding the largest data breach of all time.  The legal finding could be very expensive for Big Tech: The ICCL says that it means “All data collected through the TCF must now be deleted by the more than 1,000 companies that pay IAB Europe to use the TCF. This includes Google’s, Amazon’s and Microsoft’s online advertising businesses.”

“This has been a long battle”, Ryan said. “Today’s decision frees hundreds of millions of Europeans from consent spam, and the deeper hazard that their most intimate online activities will be passed around by thousands of companies”.

Indeed, privacy rulings take a long time.  The consent framework was originally found to be in violation of the GDPR back in October 2020.

IAB Europe has 30 days to appeal this latest ruling, which was supported by 27 other European privacy commissioners.

“We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry,” the IAB said. “We are considering all options with respect to a legal challenge.”

Just when might consumers start seeing fewer popups in their clickstreams? Or when might they learn their personal information, collected improperly, has been deleted? That remains to be seen. Chris Olson, CEO and founder of The Media Trust, wasn’t terribly optimistic that change would come quickly. For starters, he’s worried the role of pop-ups might even expand as publishers try to lawyer their way into compliance with this ruling. Also, much of the data that has been declared illegally collected has already been passed on over and over, making it impractical to delete from the larger data collection ecosystem.

Here’s what he told me:

“With the Belgian Court’s judgment against the IAB TCF, what was once a matter of debate is now beyond dispute: the concept of CMPs does not meet the standards or spirit demanded by emerging data privacy legislation. In the long run, however, this ruling may prove to be a pyrrhic victory. First of all, users will not see consent pop-ups disappearing any time soon. The IAB has six months to revise its framework, and when it is finished, pop-ups may become even more unwieldy in the struggle to provide users with ‘sufficiently specific’ information.

“Second – while we expect big players to minimally comply with the TCF’s data deletion orders – in many cases it will be impossible to distinguish data that was gathered illegally from data that was obtained by legitimate means, and not always by accident. In all likelihood, much of the data collected under the TCF before this week will remain on the books, integrated into customer profiles, CRM and marketing tools, etc. More concerning, advertisers and publishers won’t be able to control any data gathered by digital third parties without their permission.

“Today, the biggest risk to users’ data privacy does not come from advertisers who are struggling – however unsuccessfully – to comply with GDPR: it comes from unregulated vendors who neither seek consent, nor respect it. Until now, third parties have been an afterthought in most data privacy legislation, if they are even mentioned at all. Going forward, they must become a key part of the push to assure consumers of digital safety and trust.”

Meanwhile, for more: Ryan’s Twitter thread makes the ruling easy to digest

If you are more ambitious, you can read the full decision here.


The Importance of Securing Embedded and Connected Devices in the Supply Chain

Click to register for Larry’s webinar about supply chain security on Wednesday, Feb. 9, 2022 at 2 p.m. ET.

The Kaseya supply chain compromise has demonstrated the threats to supply chains that ransomware groups pose. The supply chain compromise of SolarWinds Orion network management due to the SUNBURST malware has also underscored how vulnerable supply chains are to attacks. According to participants in this research, these compromises and the increase in supply chain and IoT attacks require organizations to rethink supply chain and product security processes.

Sponsored by Finite State, Ponemon Institute surveyed 632 IT and IT security practitioners in the U.S. who are familiar with their organizations’ approach to securing embedded and connected devices and have complete or partial responsibility for setting and/or implementing their supply chain security strategies. The research targets device and connected device manufacturers in highly regulated industries.


Larry Ponemon will present findings from the study at a webinar on Wednesday, February 9, 2022, at 2 p.m. ET. Also presenting: Rich Nass, Executive Vice-President, Brand Director, Embedded Franchise, OpenSystems Media. Register for the webinar at this link.

Seventy-three percent of respondents say their organizations are very committed (40 percent) or committed (33 percent) to achieving a secure supply chain. Twenty-seven percent of respondents say their organizations are only somewhat committed.

While respondents are aware and very concerned about the threats to their organizations’ supply chain based on recent compromises, only 39 percent of respondents say there is a direct risk assessment of the security of the supplied hardware and/or software, such as penetration testing, vulnerability scanning, requests for Software Bills of Materials and requests for security reports. Further, only 43 percent of respondents say their organizations conduct a risk assessment of the security development lifecycle for third-party vendors.

The following findings reveal why organizations are not making supply chain security as important as it should be.

  • Product security is not a priority. Only 41 percent of respondents say their organizations make it a priority, despite the finding that 76 percent of respondents say the security of an IoT device is very important.
  • Executives and boards of directors are not involved as they should be in their organizations’ product security practices. Only 27 percent of respondents say the leadership requires assurances that product security is being assessed, managed and monitored appropriately.
  • Product security processes and programs are not reviewed frequently. Only 24 percent of respondents say such a review occurs frequently to address evolving supply chain risks. 
  • Lack of resources and in-house expertise are obstacles to achieving a strong security posture. When asked what is preventing the development of secure IoT/embedded products, 62 percent of respondents say it is a lack of resources and 60 percent of respondents say it is a lack of in-house expertise. 
  • Organizations need more resources to improve product security. Fifty percent of respondents say their organizations are not increasing investments for product security. As mentioned above, the number one obstacle to improved product security is the lack of resources.
  • Organizations find it difficult to manage supply chain risks. Sixty percent of respondents say their organizations find it difficult to rapidly respond to new vulnerability disclosures that may affect their devices.
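The last finding above is where an SBOM earns its keep: when a new vulnerability is disclosed, a manufacturer holding a CycloneDX bill of materials for each firmware image can answer "which of our devices ship the affected component?" without rebuilding or re-scanning anything. The Python below is an added example, not code from the Ponemon/Finite State report or from Finite State's products. The SBOM, the component names and versions, and the advisory identifier EXAMPLE-ADV-0001 are all constructed for illustration; the version-range check is the simplified "introduced / fixed" form, and nested components (CycloneDX allows a component to carry its own components list) are walked so a library bundled inside an application is not missed.

```python
"""Cross-check a CycloneDX SBOM against a vulnerability advisory.

Added example (not from the report): given a new disclosure, list the
components in a firmware SBOM that fall inside the affected version range.
The SBOM and advisory below are constructed; names and versions are hypothetical.
"""
import json

# Constructed CycloneDX 1.4-style SBOM for a hypothetical firmware image.
# busybox carries a nested component to exercise the recursive walk.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.2.3",
     "purl": "pkg:generic/libfoo@1.2.3"},
    {"type": "library", "name": "libfoo", "version": "2.0.1",
     "purl": "pkg:generic/libfoo@2.0.1"},
    {"type": "library", "name": "zlib", "version": "1.2.11",
     "purl": "pkg:generic/zlib@1.2.11"},
    {"type": "application", "name": "busybox", "version": "1.31.0",
     "purl": "pkg:generic/busybox@1.31.0",
     "components": [
       {"type": "library", "name": "libfoo", "version": "1.1.0",
        "purl": "pkg:generic/libfoo@1.1.0"}
     ]},
    {"type": "library", "name": "libfoo",
     "purl": "pkg:generic/libfoo"}
  ]
}
"""

# Constructed advisory: affected range is [introduced, fixed).
ADVISORY = {
    "id": "EXAMPLE-ADV-0001",   # hypothetical identifier
    "component": "libfoo",
    "introduced": "1.0.0",
    "fixed": "1.2.5",
}


def parse_version(version):
    """Turn '1.2.11' into (1, 2, 11) so tuples compare in version order.
    A trailing non-numeric suffix ('1.2.11a') is dropped from that fragment."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def iter_components(components):
    """Yield every component, descending into nested component lists."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def check_sbom(sbom_json, advisory):
    """Return (affected, unknown): components inside the advisory's range,
    and matching components whose version is missing and need manual review."""
    doc = json.loads(sbom_json)
    affected, unknown = [], []
    for comp in iter_components(doc.get("components", [])):
        if comp.get("name") != advisory["component"]:
            continue
        version = comp.get("version")
        if version is None:
            # No version recorded: cannot clear it, so flag rather than ignore.
            unknown.append(comp.get("purl", comp["name"]))
        elif version_affected(version, advisory["introduced"], advisory["fixed"]):
            affected.append(comp.get("purl", f"{comp['name']}@{version}"))
    return affected, unknown


if __name__ == "__main__":
    hits, review = check_sbom(SBOM_JSON, ADVISORY)
    for purl in hits:
        print(f"{ADVISORY['id']}: {purl} affected")
    for purl in review:
        print(f"{ADVISORY['id']}: {purl} has no version, needs review")
```

Two caveats for real use: match on the package URL type and namespace rather than on bare name, since the same name can exist in several ecosystems, and treat a component with no recorded version as unresolved rather than clean, as the code does, because an SBOM that omits versions cannot answer the question the advisory asks.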

To read the full report, The Importance of Securing Connected and Embedded Devices In the Supply Chain, visit Finite State’s website.

 

‘The distraction is more important than the lie’ – and wow, are we distracted

Bob Sullivan

I’ve been thinking a lot about distraction lately.  We are all living lives of grand distractions these days, with one eye over our shoulder keeping track of Covid and its consequences.  The constant drumbeat of cases and science and conspiracy and bickering never ends.  If you are lucky enough that so far Covid has been just a distraction — and not something worse for you or your family — perhaps you managed to keep it together through nearly two years of remote everything. But right now, as our gas tank for pandemic tolerance is nearing empty, Omicron has arisen, seemingly to finish us off.  Sure, try to focus on that big work project, or the book you are reading, or on getting healthy, or getting your finances in order, or even the conversation you are having with a loved one, with everything else going on.

This is not a new problem.

I’ve been interested in distraction for a long time — since at least the 1990s, when a computer science researcher at Xerox Parc named Mark Weiser turned me onto the issue. I do believe it is the crisis of our time. Attention is our most precious commodity and it is under relentless attack right now. I tried to write a book about the problem about 10 years ago, but I couldn’t get publishers to focus on it. (Really!) I did write an op-ed for The New York Times called “Brain, Interrupted,” which is still among the most popular pieces I’ve written.

The digital age is the age of interruptions. Gadgets surround us, constantly beeping and blinking and popping up to get in our way, bringing whatever we might be doing to a screeching halt. Billions of dollars in research have been spent hacking your brain, and mine, to learn just how to steal your attention — and ultimately sell it to someone for a price. Think about it: if we live in the attention economy, then grabbing someone’s focus without their consent is theft.  The phrase is “pay attention,” after all. A new book called Stolen Focus: Why You Can’t Pay Attention by Johann Hari makes this argument, too, and cites some of my earlier research.

The cost is very real. About 10 years ago, when writing our book The Plateau Effect, I helped plan a distraction study at Carnegie Mellon University. You can read the details in my op-ed, but basically, students who received text messages during tests performed about 20% worse.  Other studies show that people who are interrupted for even just a few moments at work can languish for 20 or 30 minutes before regaining focus on whatever it was they were doing.

Constant task-switching robs our brains and hearts of the satisfying feeling that “stick-to-it-ive-ness” brings, the dopamine hit we get for setting a goal and completing a task. It robs us of intimacy, too. Try talking to someone who glances at their smartphone every 15 seconds, and you understand how every dancer in history has felt when they catch their partner looking around the club for someone more attractive.

Today I want to mention another cost of distraction, however. Crime.

If you grew up anywhere near New York City in the 1970s and 80s, you know who Crazy Eddie is (His prices are INNNNNSAAAAAANE!). The ubiquitous electronics store with the never-ending TV ads succeeded for one reason: Crazy Eddie was a cheater.  He eventually was convicted of tax fraud and went to jail. His brother, Sam Antar, former company chief financial officer and also convicted of fraud, later became a forensic accountant. He also gives a mighty fine speech about how white-collar criminals commit crimes. They create diversions.  “The distraction is more important than the lie,” he says over and over. He’s right.

You’ve seen it on TV, if you haven’t seen it yourself in person — pickpockets often bump into their victims to cause a distraction, then use that moment to steal a wallet or purse. That’s the simple version. Antar, speaking on the Bloomberg Odd Lots podcast a couple of years ago, explains how such distractions can work at scale. I won’t steal his material; it’s well worth the 10-minute watch on YouTube. But Eddie’s real talent wasn’t lying about sales taxes. It was distracting the auditors when they came every year.

Distractions have been a key tool for ripoff artists throughout history. Car dealers sneak fees into loans while chatting about cupholders.  Real estate agents gloss over the cost of flood insurance while they describe how great the big garage will be for loading and unloading the kids’ car seats. Websites nudge you into trial subscriptions with a single click, then require a 30-minute call to cancel. (The FTC is finally taking on that one!) It’s up to consumers to refocus, constantly, on the bottom line, and on what matters. That’s a fair fight, I guess, or at least it can be. It’s a fight made much harder by endless fine print, dark patterns on websites, automated payments, and other gadget-driven intrusions.

But now, digital distractions are only half the problem. Covid has made so much of our lives a daily battle.  Did I forget my mask? Are we out of toilet paper? Should I book that vacation? That dental appointment?  Why is that person ignoring the guidelines / taking the guidelines too seriously?

We are all living lives of constant distraction. And that makes us all vulnerable. Charlatans smell this kind of distraction and go in for the kill. Early in the pandemic, we saw criminals steal billions of dollars from unemployment benefits programs.  TV characters and politicians are using this moment to incite hatred and distrust, to consolidate power, and most of all, to make money.  Whatever TV channel you watch, I challenge you to spend an hour or two paying more attention to the advertisements than the “content” and ask yourself how you feel supporting those products.

I wish I had a silver bullet or even some good-enough words of advice for this dark time. All I know is this: attention is indeed the most valuable commodity in the world. That’s what I learned from Mark Weiser at Xerox Parc when I wrote about it decades ago. Attention is like time; we just can’t make any more of it. We have what we have, and we decide how to use it.  At this time of crippling distractions, try to take things a little more slowly. Find some extra time to make big financial decisions if you can. Be gentle with yourself and with others as they try to find their focus.  And from my perch as a consumer reporter, beware people and things that interrupt you from doing what’s really important.


The state of workforce passwordless authentication

Enterprises continue to feel threatened in the pandemic, with many feeling targeted. This, along with remote work and the associated loss of productivity from password problems, is driving increased adoption of passwordless technologies. Going forward, organizations are extremely bullish on adopting passwordless authentication.

The purpose of this research is to understand the state of workforce passwordless authentication, and the motivations and results when organizations transition to passwordless authentication. Based on the experiences of organizations represented in this research, passwordless authentication can help remediate many concerns about cybersecurity posture caused by password and traditional MFA authentication approaches, sustained cyber threats and the pandemic shift to greater remote work.

Organizations that have adopted passwordless authentication say the main motivation was to improve the end-user experience and operational efficiency. The growing remote workforce also influenced these organizations’ decision to adopt passwordless authentication.

A key takeaway regarding economic efficiencies is that the use of passwordless authentication can reduce the financial consequences of attacks involving employees’ passwords and help desk costs due to password problems or resets by an average of $1,871,780 over a two-year period.

With sponsorship from Secret Double Octopus, Ponemon Institute surveyed 663 IT and IT security professionals in the United States. All respondents are familiar with their organizations’ approach to employee authentication and have some level of involvement in managing and making decisions about their organizations’ IT security strategy.

The following findings reveal the state of workforce passwordless authentication, its drivers and benefits: 

  • Phishing attacks are pervasive. Phishing is the number one password-based attack according to 63 percent of respondents. An average of only 44 percent of all phishing emails are detected. 
  • The shift to a remote workforce during the pandemic is driving the adoption of passwordless authentication. Fifty-five percent of respondents say their organizations use passwordless authentication for at least some use cases. Of these 55 percent of respondents, 79 percent say a growing remote workforce influenced passwordless adoption. 
  • Remote working negatively affects employees’ and help desk productivity. Another reason to adopt passwordless authentication is that 75 percent of respondents say password authentication issues caused by remote working have increased employee downtime. Seventy-four percent of respondents say it has decreased the productivity and increased the stress of the help desk team. 
  • Organizations stand to save significant costs in both breach-related financial expenses and productivity with passwordless authentication. 
  • Adoption of passwordless authentication is gaining traction. Forty-five percent of respondents say their organizations exclusively use conventional passwords. However, of these respondents, 66 percent of respondents expect to adopt passwordless authentication in the next six months (33 percent), within the next year (21 percent) and within the next two years (12 percent).

Part 2. Key Findings

In this section, we provide a deeper analysis of the research findings. The complete audited findings are presented in the Appendix of this report. The findings are organized according to the following topics.

  • Concern and vulnerability run high with respect to password-related cyber threats
  • Remote work shifts are driving passwordless authentication adoption amidst security and productivity challenges
  • Passwordless authentication cost savings totaled an average of $1.9M over 2 years per organization
  • Opportunity and optimism remain high around passwordless authentication

Concern and Vulnerability Run High with Respect to Password-related Cyber Threats

The most prevalent password-based attacks are phishing. Some 63 percent of respondents say their organizations had attempted or successful phishing attacks in the past two years. However, according to the research, cybersecurity teams can detect an average of only 44 percent of phishing emails. Seventy-one percent of respondents say phishing emails and employees’ misuse of passwords are increasing the risk of a targeted and successful attack.

Organizations also experienced ransomware (57 percent of respondents) and credential stuffing or dictionary attacks (57 percent of respondents).

Remote Work Shifts Are Driving Passwordless Authentication Adoption Amidst Security and Productivity Challenges

The remote workforce is decreasing organizations’ security posture. According to 60 percent of respondents, a remote workforce reduces the security of the cloud infrastructure, makes connections to the domain less secure (56 percent) and increases the attack surface (49 percent).

The help desk is not immune from password authentication problems created by remote working. Some 74 percent of respondents say remote working has significantly decreased the productivity and increased the stress of help desk workers (40 percent) or decreased their productivity and increased their stress (34 percent).

Passwordless Authentication Cost Savings Totaled an Average of $1.9M Over Two Years

Passwordless authentication significantly reduces the economic loss due to attacks involving employees’ passwords. Organizations with conventional authentication methods averaged $5.6 million in total economic loss from attacks involving employees’ passwords over the past two years vs. $4.2 million in organizations with passwordless authentication. Respondents were asked to include IT costs, downtime, lost business, damaged reputation, fines and legal fees, stolen proprietary data and ransoms paid in the total cost.

Opportunity and Optimism Remain High around Passwordless Authentication

In this section, only organizations that have adopted passwordless authentication are represented. In the context of this research, authentication is defined as the process of verifying the user’s identity by asking for a secret (e.g., password), possession of an item (e.g., USB dongle) or an inherent attribute (biometrics). Passwordless authentication is any authentication method that does not require users to know their password.

Most organizations are still dependent upon traditional passwords at some level. However, 55 percent of respondents say their organizations use passwordless authentication for most or all use cases (11 percent), some use cases (19 percent) or only for specific use cases (25 percent).

Almost half of respondents rate the user experience and security of passwordless authentication far higher than conventional passwords. Respondents were asked to rate the quality of the user experience using passwordless authentication and conventional passwords on a scale from 1 = low quality to 10 = high quality. They also rated the security from 1 = low security to 10 = high security. Figure 15 shows the 7+ responses on the 10-point scale.

We found that 47 percent of respondents rate the quality of the user’s experience with passwordless authentication as high. However, only 26 percent of respondents rate the quality of conventional passwords as high.

To read the rest of this study and view the accompanying charts, visit DoubleOctopus.com

Facebook accused of enabling fraud, claims ‘immunity’ in court filing

Bob Sullivan

When we talk about Facebook’s bad behavior, it’s easy to get bogged down in the details. Don’t. We should focus more on the outright fraud enabled by its platforms.

There’s been near constant talk about Facebook’s misbehavior lately, reaching a new crescendo after whistleblower Frances Haugen told Congress the firm knowingly makes software that hurts kids.  But as Haugen herself pointed out this week, regulators risk talking themselves into circles as they get bogged down in the details about how to react to Facebook’s various transgressions.  Debate on Section 230 could easily last into the next century, I think. And Facebook’s role in the 2016 election? Well, that’s destined to fill up talk radio show hours with never-ending prattle.

That’s why I wish there were much more focus on the outright fraud that Facebook enables. The case there is much more clear, as the pillowcase-couch above suggests.

Facebook’s advertising platform got some of the attention it deserves this week after a story by Donie O’Sullivan at CNN showed the social media giant has taken payment for anti-vaxx ads, including a set that compared the U.S. vaccine program to the Holocaust. Facebook has publicly taken the stance that it has not contributed to anti-vaccine sentiment in the U.S., but anti-vaxxers have contributed to Facebook’s bottom line, the report found. Unsavory? Sure. Illegal? Probably not.

Look deeper into Facebook ads, and you’ll find far more dubious activity.  Earlier this year, I reported on a lawsuit filed in California that alleges Facebook has earned billions of dollars from advertisements it knows, or should know, are fraudulent. The social media giant makes it easy for criminals to target consumers who are not only likely to click on certain kinds of ads, but also likely to follow through with purchases, the case claims.  The firm is “actively soliciting, encouraging, and assisting scammers,” the suit claims.

Many of these highly-targeted ads on Facebook and Instagram promise consumers great deals on novelty products that seem specifically-tailored for them. Instead, credit card payments go to firms — many based in China — that never send the item or send something worth only pennies.  Criminals are using Facebook’s algorithms to micro-target victims, or as I like to say, to hack people. And steal their money.

The lawsuit seeks class-action status, and contains only allegations. But a Better Business Bureau report published this week by Steve Baker adds to the evidence that Facebook’s empire is built with the help of fraud, much of it originating in China.

BBB solicits complaints from Internet users through its Scam Tracker, and said on Thursday that the largest target of these complaints — 40% of the total — involve victims of online ads found on Instagram and Facebook. While deceptive ads theoretically violate Facebook’s terms of service, the firm doesn’t seem to care much.

“Consumers tell BBB that Facebook and Instagram are often not helpful in addressing violations of their own policies when consumers receive nothing at all, counterfeit goods, or items that were inferior to what was advertised and purchased,” BBB wrote. “These encounters often take place after seeing enticing social media ads placed by operations in China.”

Many of the crimes are blatant and obnoxious. A Canadian anti-fraud official told the BBB that he has seen “accounts of people buying a cordless drill online but only receiving a screwdriver from China.”

The accusations in the lawsuit, and the BBB report, are not new. Buzzfeed News reported one year ago that internal Facebook research found 30% of ads placed in China violate the site’s terms of service.  The story also quotes a Facebook employee saying the company intentionally looks the other way, fearful that a crackdown might slow the flow of dollars from China.

Facebook told Buzzfeed for that story that it invests heavily in keeping deceptive and low quality ads off its site — given the scale of its ad business, that is no doubt true. But it also seems obvious the firm still isn’t investing nearly enough to fight fraud.  Last month I wrote about a disturbing example of criminals forcing victims to make “hostage-style” videos endorsing scams in a desperate attempt to regain control of their social media accounts. If Facebook hired enough people to assist consumers who were in trouble, there’d be no such desperation.

Another key piece of the puzzle revealed by the BBB study: Facebook and Instagram play a key role in connecting scammers to victims who weren’t even shopping online. BBB found that victims who were not actively looking for a product, but lost money in the transaction, began with Facebook or Instagram 70% of the time.

And all this fraud causes collateral damage, too. Many small businesses see their photos and product descriptions copied by criminals and used for deceptive ads.  Often, consumers blame the small businesses when they discover the crime. One art dealer in Dallas says he’s spent hours per week fighting this kind of copyright theft, and Facebook was quite unhelpful.

“Facebook will not take down these obviously related ads, but instead forces him to challenge the ads one at a time,” the report says.

And victim consumers who report fraud in an effort to prevent future crimes told BBB they often don’t get results. One purchased a table based on a clever video that popped up on his Facebook feed. When he received nothing, he said he contacted Facebook dozens of times about this fraud, and “they responded that the video did not violate their policies. The ad remained running for several months,” the BBB report says.

Fraud trend stories like this are always tricky: For years, credit card processors would respond to every story about online fraud by saying the actual fraud rate at e-commerce sites was very small, far less than one percent. That was cold comfort to victims, and it was also hard for external observers and policy-makers to evaluate. How much fraud is too much? At what rate should additional safeguards — safeguards that would add friction and probably impact revenue — be required? Has fraud on Facebook reached that point? I cannot say. I can say the Department of Homeland Security has warned that “e-commerce business models have a variety of new actors that aid, abet, or assist the transactions, including payment processors, social media websites, and online marketplaces.”

And I can say that Facebook simply doesn’t answer the phone when there’s an ongoing crime on its platform. Their online process for dealing with a serious consumer problem, such as an account takeover or a fraudulent ad, is severely lacking. Users should be able to get immediate help with issues like that. You’ll often hear defenders of the firm say that kind of support doesn’t scale. To that, I’d say that means their business doesn’t scale. If they can’t operate without enabling fraud, and can’t quickly help victims, their business model is fatally flawed.

The BBB tells me that Facebook did not take the opportunity to respond to its report. Facebook did not respond to my request for comment, either.  It did respond to the California lawsuit, however. With this straightforward defense: We are immune!

“The Court should dismiss all of Plaintiffs’ claims with prejudice because the Communications Decency Act, 47 U.S.C. § 230 (“Section 230”), shields interactive computer service providers such as Facebook from liability arising from content created by third parties,” the motion for dismissal says. “Plaintiffs have not—and could not—allege any facts that take their claims outside a plain and straightforward application of that statutory immunity.”

Section 230 reform is a multi-tentacled beast and my own opinions on what to do about it are still evolving. But I interviewed a law professor recently who told me that blanket immunity always causes problems, and this example makes it pretty clear. Facebook is saying it’s not responsible for fraud it enables by matching criminals with victims because it has been granted immunity by Congress. That kind of license for bad behavior sounds chilling to me. And the next time a Facebook spokesperson says the firm cares about fraud, remember this defense.

The 2021 State of Industrial Cybersecurity: The Risks Created by the Cultural Divide between the IT & OT Teams

A primary challenge to improving the security of organizations’ Industrial Control System (ICS) and Operational Technology (OT) environments, as revealed in this research, is the need to overcome the cultural and technical differences between OT and IT teams. Ideally, organizations should work toward establishing a unified IT and OT approach to addressing the threats and closing the gaps in security that leave organizations vulnerable to cyber attackers. Sponsored by Dragos, Ponemon Institute surveyed 603 IT, IT security and OT security practitioners at the C-level, managerial and director level in the United States. All are familiar with cybersecurity initiatives and ICS and OT security practices within their organizations.

In the context of this research, OT represents the programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). Examples include industrial control systems (ICS), building management systems, safety control systems, and physical access control mechanisms.

ICS encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system components such as programmable logic controllers (PLC) often found in the industrial sectors and critical infrastructures. An ICS consists of combinations of control components that act together to achieve an industrial objective.

The cultural divide between IT and OT teams affects the ability to secure both the IT and the ICS/OT environment. Because of the lack of alignment between an organization’s cybersecurity policies and procedures with OT and ICS security objectives, only 35 percent of respondents say their IT and OT teams have a unified security strategy that secures both the IT and OT environments, despite the need for different controls and priorities. Only 39 percent of respondents say IT and OT teams work cohesively to achieve a mature security posture in both the IT and OT environments.

The risks created by the cultural divide between the IT & OT Teams 

  • Fifty percent of respondents are optimistic about the future of their ICS/OT cybersecurity program. However, only 21 percent of respondents say their ICS/OT program activities have achieved full maturity and emerging threats drive priority actions. A fully mature program also means C-level executives and the board of directors are regularly informed about the efficiency, effectiveness, and security of the program. Twenty-nine percent of respondents say their organizations are in the late-middle stage which means C-level support, adequate budget, risk assessment and a cross-functional team of IT and OT SMEs work together cohesively. 
  • As the frequency and severity of attacks increase, organizations are struggling to keep ahead of these threats. Sixty-three percent of respondents say their organizations had an ICS/OT cybersecurity incident in the past two years. 
  • For the first time, this research calculates the cost of one cybersecurity incident in the ICS/OT environment. The average cost per cybersecurity incident in this research is $2,989,550 (the calculation is shown in Table 1 of this report). An average of 316 days is spent to detect, investigate and remediate the cybersecurity incident. Based on the use of a threat hunting and incident response team that averages six IT and IT security personnel, it costs an average of $963,168 to detect, investigate and remediate the incident. The fixed costs, including the replacement of equipment, downtime, legal and regulatory fines, total $2,026,382. This equals the average total cost of $2,989,550. 
  • The majority of respondents say senior management lacks an understanding of the cyber risks in the ICS/OT environments. As a result, not enough resources are allocated to defend the ICS/OT environments. Paradoxically, according to 56 percent of respondents, the primary blocker for investing in ICS/OT cybersecurity is that ICS/OT cybersecurity is managed by the engineering department, which does not have security expertise, followed by 53 percent of respondents who say ICS/OT security is managed by an IT department without engineering expertise. 
  • The Director/Manager of IT and the VP of Engineering are the functions most respondents in this study report to. However, by far the VP of Engineering is most accountable for the security of the ICS/OT program. Only 12 percent of respondents say the CISO is most accountable for the security of the ICS/OT program. Further, only 35 percent of respondents say someone responsible for ICS and OT cybersecurity reports IT and cybersecurity initiatives to the board of directors. Of these respondents, 41 percent say such reporting takes place only when a security incident occurs.
  • Only 38 percent of respondents say the security safeguards in place to protect the ICS and OT environments are covered during board meetings and only 36 percent of respondents say the effectiveness and efficiency of security programs and measures are presented.
  • Cultural and technical differences must be overcome to have OT and IT teams work cohesively. The challenges often are not caused by a competition for budget dollars and new security projects (only 32 percent of respondents). Rather, it is the cultural and technical differences between traditional IT-specific best practices and what is possible in OT environments, such as patch management and unique requirements of industrial automation equipment vendors that cause conflicts between these two functions (50 percent and 44 percent of respondents, respectively).
  • Only 46 percent of respondents say their organizations are effective in gathering intelligence about threats to the ICS/OT environment and 45 percent of respondents say their organizations are effective in discovering and maintaining an inventory of all devices attached anywhere on the OT network throughout the asset lifecycle.

To read the full report, visit Dragos.com. 

She donated to help a friend get a kidney; then, she was forced to make a ‘hostage’ video

Bob Sullivan

A California woman who thought she was helping an old friend pay for a kidney transplant has been caught up in an Instagram hacking scheme with a nightmarish twist —  criminals drained her bank account via Zelle and then forced her to make a hostage-style video endorsing a get-rich-quick scheme in an attempt to get some of it back.

I found her “hostage” video online; it was posted by an Instagram account containing hundreds of similar videos endorsing a scheme promising 1,000 percent returns on investments. Many of the videos seem to be coerced.

Makaylah Lervold wrote to me on Friday desperately seeking help getting a refund after her bank account was hacked and criminals sent themselves about $3,000 of her money. The hack followed a chain of events that began with an old friend reaching out over Instagram messages saying he’d finally found a kidney donor match after a four-year search.  Lervold had met the sick friend several years ago at work, but hadn’t stayed in touch, though she was aware that he was indeed seeking a transplant.  His search was public; I’ve been able to confirm it through local news coverage.  Lervold said she messaged with the writer, whom she now knows was an imposter, and agreed to take a phone call from a hospital representative who would provide instructions on how to contribute.

She sent $1,000 to the caller’s account via Zelle, thinking it was a donation. Instead, the money was sent to a criminal’s account. The caller gleaned enough information — she asked for Lervold’s authentication codes — that the criminal or someone else was able to transfer nearly $3,000 more out of Lervold’s account through a series of additional Zelle transactions.  Lervold provided a screenshot of those transactions to me. Then, using stolen credentials, someone hacked into Lervold’s Instagram account and locked her out. The criminal subsequently threatened Lervold with more financial crimes unless she produced a video endorsing an investment scheme.

“Hi everyone. It’s Makaylah,” she says in the video. “I’m just here. I want to let you know about a huge opportunity. I just invested $1,500 with [name removed] and she turned my $1,500 investment into $15,000. Don’t miss out on this opportunity. I’m so grateful. Thank you [name removed]. Hit her up. She will invest your money. And turn it into a huge profit. You won’t regret it.”

Other videos on the “investment” Instagram account page contain similar messages. The account has more than 1,500 followers and has made 1,700 posts, dating back well into last year.

Posing as an old acquaintance, I contacted the hijacked account that originally belonged to Lervold’s sick friend, offering congratulations for finding a kidney match. The response came quickly: “Thank you so much sweetheart and I was about to ask you if you’d be interested in making some extra money.” Then later in our exchange, the imposter wrote, “Can you help me out $300 until tomorrow morning. I was short on a bill…I’m actually at the hospital.”

That victim declined to respond to a request for an interview.

Joseph Cox at Motherboard reported last week on a victim who was also forced to make a hostage-style video after being coerced into a bogus bitcoin investment. It’s unclear if these incidents are related, but my concern is the compelling tactic of forced video endorsement.

Lervold said the experience was terrifying.

“I’m so distraught…it was really scary,” she said. “They drained all the money that I had saved for my wedding in June. It’s devastating. … They forced me to make a video just like the last video they posted on my friend’s hacked account. … They said if I didn’t do it they would completely drain my account. It was the scariest situation I have ever been in.”

Worse yet, when she contacted me, the criminals were using Lervold’s hijacked account in an attempt to scam her friends, she said.

“Now they are trying to scam my friends and inviting people from my Instagram to our wedding and are asking for money,” Lervold said.

She provided me with screen grabs of a dialog between a friend and the hacker in which the criminal offers to invite the friend to the wedding…then tries to convince the friend to send in money for the investment scheme.

“Did you see my ad? I actually made $15k from the investment. I posted it,” the message from the criminal, posting as Lervold, says. “Was wondering if you’d like to tap in.”

Last week, I reported that there was a large increase in consumers reporting that their Instagram accounts had been attacked by hackers. This complex scheme…involving trusted friend relationships, and hopping from one hijacked account to another, armed with intimate knowledge of each hacked victim…shows why hacked Instagram attacks can fetch nearly $50 on the digital black market.

Lervold said she reported that her Instagram account had been hacked to Facebook late last week; she has not yet heard back from the company. On Facebook, she can be seen pleading for friends to unfollow her Instagram account and asking them to report it as fraudulent so they would not be deceived by her video.

Monday afternoon I reported her account to Facebook’s media relations department, along with the account hosting the hostage videos. Facebook has not yet returned my request for comment, but by Tuesday morning, Lervold’s account and the account hosting the hostage videos were both taken offline.

“Apparently each scam is different,” Lervold said. “They were messaging me already knowing I was (the kidney patient’s) friend. Which is why they knew I would donate. Other people they have used this investment scam saying they can turn a certain amount of money and turn it into a huge profit. Like the videos. You can turn $1,000 into $10,000. They took over my account and are asking people for money to help with my wedding. They must have read personal messages and are using that to get to my Instagram friends…they read back years in my messages.”

Eva Velasquez, CEO of the Identity Theft Resource Center, said her agency has been tracking the large increase in Instagram scams.  She said she was very concerned about the hostage video trend.

“It’s a new twist on ransoms,” she said. “Instead of asking for money, they are asking for videos.”

Her message to the public: Don’t make coerced videos. Paying the “ransom” doesn’t work.

“Do not make these videos endorsing something to get your money back or your account back because it’s not going to happen, you’re not getting it back,” she warned. “Just walk away from the account.” Work through the social media companies to get account access restored, she said, admittedly an “arduous process.”

She warned that victims would suffer even deeper emotional consequences than those who send money to criminals — because their accounts and their words can be used to scam friends.

“When you add a layer that you were an instrument of victimization involving people you know and love, who are part of your personal network, that just adds another layer of emotional grief,” she said.

Velasquez also reminded users never to share authentication credentials — including two-factor text message codes — with anyone.

I’ve decided that those SMS codes should no longer be used; it’s time that users switch to an authentication app for two-factor needs.  There are too many stories about criminals accessing text messages through hacking or coercion.