Cyber security tips for working from home #COVID19

C.I.A. is even more important now with #COVID19 – C.I.A., or confidentiality, integrity, and availability of data, is even more important now that we are in the era of the novel coronavirus pandemic (known as #COVID19). As companies send their workers home to work for undetermined amounts of time during the pandemic, the issue of data security becomes even more critical.

Both organisations and individuals will need to be vigilant. Since workers are dispersed far and wide, rather than ensconced safely in the office and connecting directly to the corporate networks, everyone will need to step up their security consciousness and their security operations.

Organisations are about to run a real life test of their business continuity plans. Many will fail. Here are some things to watch out for.

For organisations

Here are a few tips, this is not an exhaustive list:

  • Ensure all machines have properly configured firewalls as well as anti-malware and intrusion prevention.
  • Check your Virtual Private Network and other remote access channels, ensure that they are up-to-date and access systems are fully patched (there have been a number of recent VPN exploits).
  • Test the capacity of remote access solutions. I suspect that many will need to increase capacity because most organisations did not plan on every single person in the company working offsite.
  • Review business continuity plans and ensure that the cyber security team is in the room.
  • Review your incident response plans and update them to accommodate the dispersed workforce and the increased risk.
  • Ensure that staff know where to find help if they need it, and have multiple channels in case of an incident.
  • Ensure that system monitoring is ready for detection and alerts of abnormal activity.
  • Implement multi-factor authentication for staff (this should ideally be done during normal business and not during a crisis).
  • Ensure that your cyber security posture is maintained. The temptation is to relax controls in response to a crisis, but make sure that any relaxation of controls is risk assessed and mitigating controls are applied.
  • Ensure that staff know how to connect with the cyber security team via different channels.

For individuals

  • Individuals will need to take care and ensure that they do not disclose any personal or corporate financial information in response to emails and text messages – even ones that seem to come from colleagues. Phishing attacks relating to COVID19 are already happening.
  • It is also important to use trusted sources, such as government or medical websites, for current and fact-based information about COVID19. I often recommend the ABC podcast called Coronacast, hosted by Dr Norman Swan, for calm fact-based information about COVID19.
  • Further, it is critical to use trusted wifi or home broadband connections with a VPN (if your company provides one; if it does not, it would be prudent to buy one yourself). DO NOT USE PUBLIC WIFI unless you have no other choice, and then only with the protection of a VPN.
  • Be ready to report any concerns about cyber security, or suspicious emails and text messages, to your cyber team.
  • Individuals should also ensure that their anti-virus and anti-malware solutions are up to date, and turn on the firewall software on their devices.


Image: JohnManuel / CC BY-SA (https://creativecommons.org/licenses/by-sa/3.0)

Ransomware is coming to get us. Prepare. Beware.

There are increasing numbers of ransomware attacks on municipalities and governmental organisations in the US, with headlines like this. And Australia will not be immune to these attacks.

Towns Across Texas Hit in Coordinated Ransomware Attack

The state government and cybersecurity groups have mobilized to respond to a mass ransomware attack that simultaneously hit 23 different towns statewide.

https://www.darkreading.com/attacks-breaches/towns-across-texas-hit-in-coordinated-ransomware-attack/d/d-id/1335567

As Lawrence Abrams noted in Bleeping Computer: “Now that ransomware developers know that they can earn monstrous payouts from local cities and insurance policies, we see a new government agency, school district, or large company getting hit with a ransomware attack every day. For example, this week the Governor of Louisiana declared a state of emergency for the wave of attacks targeting school districts in the state.”

The insurance companies are paying out on these ransomware attacks. But in the very near future insurance companies are going to demand to see evidence of measures taken by the organisation to prevent such ransomware attacks. Based on the ease with which so many cities in the US were penetrated by advanced persistent threats (APTs) they will be entirely right to do so. A good example is the recent Baltimore ransomware attack which will cost the city over $18 million.

However, many organisations are not ready to operate in this kind of world. In the olden days criminals robbed banks because that was where the money was kept. Nowadays the criminals have turned to ransomware because enterprises are the soft target.

Insurers will be under pressure as payouts increase, as was recently noted in the article Ransomware attackers set sights on middle market firms:

“A year and a half ago, the maximum amount we paid was about $7,500, but in many cases, we weren’t paying the ransom because we had the back-ups available to restore the data,” commented Horn. “Now we’re seeing ransomware demands regularly in the seven figures, more like $1 million, $2 million, and a few weeks ago we saw one for almost $4 million.”

Do not expect the insurers to continue to take all of the risk. Get organised; otherwise organisations will see premiums rocket. This means that every organisation will need to be able to substantiate its preparations to prevent or address ransomware attacks.

The US government has issued guidance on Steps to Safeguard Against Ransomware Attacks.

The Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing & Analysis Center (MS-ISAC), National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO) have released a Joint Ransomware Statement with recommendations for state and local governments to build resilience against ransomware.

The steps that they include are simple:

  1. Back up systems—now (and daily). Immediately and regularly back up all critical agency and system configuration information on a separate device and store the backups offline, verifying their integrity and restoration process. If recovering after an attack, restore a stronger system than the one lost, fully patched and updated to the latest version.
  2. Reinforce basic cybersecurity awareness and education. Ransomware attacks often require the human element to succeed. Refresh employee training on recognizing cyber threats, phishing, and suspicious links—the most common vectors for ransomware attacks. Remind employees of how to report incidents to appropriate IT staff in a timely manner, which should include out-of-band communication paths.
  3. Revisit and refine cyber incident response plans. Have a clear plan to address attacks when they occur, including when internal capabilities are overwhelmed. Make sure response plans include how to request assistance from external cyber first responders, such as state agencies, CISA, and MS-ISAC, in the event of an attack.


Featured image: Motormille2 [CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0)]

IWD 2019: the possibility of balance

For 2019 the International Women’s Day theme is “Balance for Better” and, with Ribit’s focus on ESTEAM students and accelerating innovation in industry, I am sharing my “own personal story and experience as an employee and employer, how you jump started your career, leapfrogged your competition into great jobs to advance your career, along with what you look for in a student to hire”.

How I got started in tech

I had no plans for a career in technology, I studied arts at university and originally wanted to be an historian. Then, many years ago, I was standing in the kitchen at work chatting with the CEO and happened to mention that there was a problem with the computer system in the office.

[Pro-tip: never casually mention problems to a CEO unless you are prepared to help fix them]

She mentioned that we needed an IT manager and, since I sounded like I knew about that ‘stuff’, asked if I wanted the job. My ‘prudent’ response (having no experience at all for this job) was “yes”. And that is the true story of how my career in IT started.

Since then I have studied various technical subjects and have done many different jobs in tech and have enjoyed a fascinating career.

How I progressed my career

In the early days I did not even realise that I had a career until a mentor asked what I was doing about my career. At once I realised that it was up to me: I was going to have to drive my career because nobody else was going to do it for me. I started to think about myself as a product, and started to look at the skills and qualifications required to progress my career. I started to seek out new opportunities and to learn new technologies. Knowing stuff is important, and knowing how to apply it is even more important.

Ability to execute is critical

Many people have great ideas, but few have the ability to execute on them. This, together with enthusiasm, is probably the key thing I look for in a new team member. The ability to execute is all about delivery: it means not taking things at their face value, following through and delivering without excuses. It also means closing the loop on things, and ensuring that the item is delivered with the best possible result.

Decisions are made by those who turn up

This is one of the most important lessons to learn. If you are not at the table then you will not be participating in the decision making. Participation is important, especially when it is accompanied by enthusiasm and an ability to execute.

This is the second thing I look for in new team members – folks who turn up and are reliable.

Balance?

I must confess that I am very unbalanced by some people’s standards. I work a lot, study, have startup interests, and have family and friends. That is balanced for me. You need to find what is balanced for you. Don’t let anyone else decide for you.

Sometimes you will want to focus on an opportunity and that is okay. Other times you will want to make space in your life for other things. The important thing is doing what is right for you at the time.

An important factor in maintaining balance is being yourself. This means being vulnerable, but I think that it is worth it in the long run.

Another important part of balance is being thoughtful and reflective about how you are feeling, how you are performing and how your relationships are going. This kind of regular temperature check means that you can rectify things if you are starting to get off track – because balance is not just about work.

Perhaps the most important thing in maintaining balance is ensuring that you keep up significant relationships – family, friends, partners. This will ensure that you have other parties who can also reflect on your journey together with you.


Critical conversations at work

Managing people is a skill

I’ve been a manager for over twenty years now, managing teams ranging in size from 2 to 263. One thing that I have learned is that if you want to do anything big then you need to work through other people to achieve at scale. And managing through other people to achieve goals is one of the biggest challenges when one shifts from being an individual performer to being a team leader or manager.

The skills of team leadership are not often taught formally to new managers, and they are often learned on the job. One of the scariest things that one is called upon to do as a new manager is to provide negative feedback to a team member. But it is important to know how to build the context around it so that it becomes part of the working relationship and not a surprise to anyone.

Critical conversations

Many problems in workplaces are caused by hesitation in initiating critical conversations. And this does not necessarily mean conversations that are focused on criticism of an individual or their work. It also means conversations that clarify the work to be done, issues and risks relating to the work, and any barriers to getting the work done.

“Know what you want. Clarity is power. And vague goals promote vague results.”
– Robin Sharma.

If teams are not having meaningful conversations with each other on an ongoing basis then, instead of small adjustments in course, it can evolve into enormous delivery and execution issues, and even escalate into an official performance management issue that can result in a job loss. Many times I have seen the performance management issue come as a complete surprise to the individual staff member involved, yet it is rarely a surprise to their team members. This is typically the result of the team leader being afraid to have a critical conversation, and the result of poor ongoing communication between the team leader and the team member.

“Often we go through an entire conversation – or indeed an entire relationship – without ever realizing that each of us is paying attention to different things, that our views are based on different information.”
Douglas Stone, Difficult Conversations: How to Discuss What Matters Most

This means that, as leaders, we need to create an environment where team members (including the team leader) communicate effectively about the work to be done, who needs to do what tasks, when they are needed by, and to what quality standards they need to be done in an objective manner.

Some techniques that I have used to create this kind of environment include the use of specific language. For instance, a team member will often give updates in terms of “I hope to deliver it by Tuesday”. I make it very clear that hope is not a delivery strategy, and often reply:

“We don’t hope. We provide a percentage confidence level that it will be done on time and on budget, so what is your confidence level for this task?”

By shifting the language the team uses to talk about delivery, and relating it to the reality of getting things done, we create an opportunity to discuss issues and barriers to getting the task done.

Performance management

Once this kind of environment is in place, in the normal course of things, there is little reason for the manager to intervene. However, when it becomes evident that a team member is unable to deliver assigned tasks at the required quality standard and to the relevant timeframe, the manager needs to intervene.

As a manager it is important to have ongoing conversations with team members. Performance issues rarely pop up overnight. They develop over longer periods and there are usually warning signs. If critical conversations happen early and often enough then the issues can be addressed and performance can be improved. However, it is necessary to understand why people sometimes do not do what they are supposed to do.

Reasons why employees don’t do what they are supposed to do

The starting point for this is to work out why the person is not performing as required. Former Columbia Graduate School professor Ferdinand Fournies interviewed nearly 25,000 managers, asking them why, in their experience, direct reports did not accomplish their work as assigned. Here are the top reasons Fournies reported:

  1. They don’t know why they should do it.
  2. They don’t know how to do it.
  3. They don’t know what they are supposed to do.
  4. They think your way will never work.
  5. They think their way is better.
  6. They think something else is more important.
  7. There is no positive consequence to them for doing it.
  8. They think they are doing it.
  9. They are rewarded for not doing it.
  10. They are punished for doing what they are supposed to do.
  11. They anticipate a negative consequence for doing it.
  12. There is no negative consequence to them for poor performance.
  13. Obstacles beyond their control.
  14. Their personal limits prevent them from performing.
  15. Personal problems.
  16. No one could do it.

Why Employees Don’t Do What They’re Supposed To and What You Can Do About It

It is always one of these types of issues that is at the root of poor performance. In my experience, lack of clarity around tasks and acceptable quality standards has been the most common reason, and it is the easiest to remedy.

Healthy workplace conversations

The list above is a good starting point for conversations about performance. But performance is also a result of the team culture: high performing teams tend to experience a lot less poor performance.

Most of the issues listed by Fournies can be discovered by having meaningful conversations among the team about goals and objectives, and open discussions about roadblocks.

“difficult conversations are almost never about getting the facts right. They are about conflicting perceptions, interpretations, and values.”
Douglas Stone, Difficult Conversations: How to Discuss What Matters Most

Don’t wait until someone is performing poorly; look out for the early indicators of problems and initiate conversations about the issues early. Provide relevant feedback, both positive and negative, in a timely manner – it is much better when the feedback is delivered close to the action.

It is important that it is a conversation too, that is, a dialogue between two human beings – with give and take. So listening as well as speaking is critical. Building a relationship with your team member is important too. If you have taken the time to build a relationship with your team member then the difficult conversation becomes somewhat less difficult.

Some good questions to ask at regular catchups

Here are some questions to prompt the types of conversations we need to have to build healthy and productive workplaces:

  • How are you going?
  • Are there any road blocks you need help with?
  • Is there anything you need me to do?
  • Who are your key stakeholders? What are their issues? How are your relationships with them going?
  • Does that align with the culture we’re building here?
  • Does that align with team/individual KPIs or should you be doing something different?
  • How do you plan to achieve that objective?
  • Are you on track with that?

Resources about difficult conversations

Carmichael, S. G. (2017, May 02). Difficult Conversations: 9 Common Mistakes. Retrieved from https://hbr.org/2010/10/difficult-conversations-9-common-mistakes

Dowling, W. (2014, July 23). 7 Tips for Difficult Conversations. Retrieved from https://hbr.org/2009/03/7-tips-for-difficult-conversat

Fournies, F. F. (2007). Why employees don’t do what they’re supposed to do – and what to do about it. New York: McGraw-Hill.

Patton, B., Stone, D., & Heen, S. (2011). Difficult conversations: How to discuss what matters most. London: Portfolio/Penguin.

Riegel, D. G., Healey, T., Roberts, J., Knight, R., & Whitehurst, J. (2016, June 30). When to Skip a Difficult Conversation. Retrieved from https://hbr.org/2016/03/when-to-skip-a-difficult-conversation

Rowland, D. (2016, April 14). What’s Worse than a Difficult Conversation? Avoiding One. Retrieved from https://hbr.org/2016/04/whats-worse-than-a-difficult-conversation-avoiding-one

Sharma, R. (undated). The Giant Achievement Method [and free worksheet]. Retrieved from https://www.robinsharma.com/article/the-giant-achievement-method-and-free-worksheet

Data is the engine of the fourth industrial revolution

“Data is the new resource and we are in the midst of the fourth industrial revolution that is driven by the internet of things. The old fossil fuelled industrial revolutions are in their dying days and we are seeing the birth of a new era that will reshape everything that we know.”
– Kate Carruthers

Last week at the 2018 Stanford University Women in Data Science Conference at UTS Sydney I spoke on a panel along with Theresa Anderson, Ethel Karskens, Nicole Dyson, Aurelie Jacquet, Joanne Cooper, and Angela Chin.

As first speaker I got to set the scene for the remaining speakers. Here is a summary of my remarks.

My remarks

One thought to start with. I am currently the Chief Data & Analytics Officer at UNSW Sydney, and this job did not exist when I left school, and this job did not exist when I graduated from university. So, do not worry about educating kids for the jobs of the future when we probably cannot even imagine what those jobs will be. We’re at an exciting point now where people can’t be trained for the jobs they’ll have in the future because they don’t exist yet. Of all the things that I have studied, history, philosophy and anthropology have been among the most useful. And they have actually been a good grounding for an unknown future.

Data is the new resource and we are in the midst of the fourth industrial revolution that is driven by the internet of things. The old fossil fuelled industrial revolutions are in their dying days and we are seeing the birth of a new era that will reshape everything that we know. We’ve had industrial revolutions before; this is just the next one.

Data scientists are currently the new high priests, but not for long, as algorithms take over from them. Data engineers are the new coal miners, preparing the data ready for use in new applications which are only now emerging.

This is the next stage of the digital revolution. It includes VR/AR and the internet of things. Everything will change. Things that were impossible will become possible.

Things that will change

Among the things that will change are:

  • Education is on the brink of changes that will make the way we were educated look very different from the modern world. Technologies such as VR and AR will drive change in the place and nature of education, and the role of educators is shifting from chalk and talk to technology and facilitation of discovery.
  • Science and Engineering will bring us new technologies such as quantum computing and CRISPR-Cas9 genome editing technology that will revolutionise everyday life.
  • Medicine is at the start of a new world of genomic medicine powered by data, AI and machine learning.
  • Home life is being reshaped by intelligent devices like Google Home and Alexa, which are changing how we manage our homes.
  • Autonomous vehicles are becoming a reality faster than I had imagined a few years back.
  • Jobs will change – some jobs will go, for example truck drivers, and new jobs will emerge as things like autonomous vehicles become the norm.

All of this is powered by data and enabled by the internet of things.

The people who are educated in data will be well placed in this new economy. Data science and cybersecurity grads will be well placed, and we are already seeing this in the graduate outcomes.

Challenges

We still face big challenges with things such as privacy and identity management. There is still no one ring to rule them all in identity. The threats to privacy and data security are increasing. With biometric data being stored by companies in the cloud, our identities, with our unchangeable features such as voice and fingerprints, are now more at risk than ever.

Also, we face threats such as the increasing corporatisation of our data and the creation of proprietary goods from it. As folks say, if you’re not paying then you are the product.

And this means that old fashioned things like ethics will become increasingly important in both education and in business.

I’m particularly (and increasingly) interested in digital ethics. I think that we will need to develop customary practices that embed ethics into software development. Ideas like privacy by design and security by design will need to become commonplace.

There are huge opportunities offered by this new industrial revolution. There will be winners and losers. And the higher education sector has an important role in both inventing this future and in preparing young people to be a part of it. It is certainly an interesting time to be alive.

Thank you.

Image: By DARPA (Defense Advanced Research Projects Agency (DARPA)) [Public domain], via Wikimedia Commons

Data governance and cybersecurity

The connection between data governance and cybersecurity might not be immediately apparent. But if one considers the ‘5 knows of cyber’, it becomes obvious that cybersecurity is all about data, and data is all about information, and we want information to be secure.

I use the ‘5 knows’ as the foundation of our data governance framework, because it really helps people to understand why data governance is important and how it can help them. And if people can understand the why then they can move towards controlling their data more effectively. And once we move towards managing our data then we can start to manage information.

Cybersecurity is very much a team sport: it is a collaboration between teams – Data & Information Governance, Cybersecurity, Risk Management, IT Operations, and the business units. There is no way any single group can manage security, especially with the emerging threat landscape.

But the fundamentals of data governance are an essential starting point for the collaboration:

  • policies, standards, procedures and guidelines for data governance
  • governance groups to coordinate activities
  • data classification
  • data handling guidelines
  • system classification
  • an information security management system