INTERNATIONAL FOUNDATION FOR CULTURAL PROPERTY PROTECTION
Reposted from ZDNet
The vast majority of ransomware attacks targeting the enterprise sector occur outside normal working hours, during the night or over the weekend.
According to a report published today by US cyber-security firm FireEye, 76% of all ransomware infections in the enterprise sector occur outside working hours: 49% at night on weekdays and 27% over the weekend.
The numbers, FireEye said, were compiled from dozens of ransomware incident response investigations from 2017 to 2019.
The reason why attackers are choosing to trigger the ransomware encryption process during the night or weekend is because most companies don't have IT staff working those shifts, and if they do, they are most likely short-handed.
If a ransomware attack does trigger a security alert within the company, there would be nobody to react right away and shut down the network, or the short-handed staff would have a hard time figuring out what is actually happening before the encryption process finishes and the company's network is down and held for ransom.
FireEye says that most of these types of sneaky nighttime/weekend ransomware attacks are usually the result of a prolonged network compromise and intrusion.
The cybersecurity firm says that ransomware gangs breach a company's network, spend their time moving laterally to as many workstations as possible, and then manually install ransomware on all systems and trigger the infection.
The time from initial compromise to the actual ransomware attack -- known as a "dwell time" -- is, on average, three days, according to FireEye.
In all these cases, the ransomware is triggered at the attacker's behest, and not automatically once a network is infected -- which has been the old mode of operation for most ransomware strains.
Today, most ransomware gangs are in full control of their ransomware strains and they very carefully decide when it's the most suitable time to lock down a network.
Microsoft calls these types of incidents "human-operated ransomware attacks." In a report published last week, the OS maker included tips on securing networks and setting up detection rules to spot ransomware gangs during the "dwell time," and before they trigger their final payload and lock down companies.
FireEye said that since 2017, human-operated ransomware attacks have gone up 860%, and incidents now impact all sectors and all geographical locations, and not just North American companies.
In the cases FireEye investigated, the most common infection vectors were:
- Brute-force attacks against workstations with RDP (Remote Desktop Protocol) ports open on the internet
- Spear-phishing against a company's employees, then using one infected host to spread to others
- Drive-by downloads (employees visiting a compromised website and downloading malware-infected files)
Just like Microsoft in its report last week, FireEye is now urging companies to invest in deploying detection rules for spotting attackers during their pre-infection "dwell time."
"If network defenders can detect and remediate the initial compromise quickly, it is possible to avoid the significant damage and cost of a ransomware infection," FireEye said.
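The detection rules both reports call for can be illustrated with a small script that looks for the two patterns described above (RDP password-guessing bursts, and a single account fanning out to many hosts at night or over the weekend) in simplified logon records. This is an added example, not FireEye's or Microsoft's tooling; the log format, the thresholds, the working-hours definition and every log line are constructed for illustration.

```python
"""Detect RDP brute-force bursts and off-hours logon fan-out (constructed example).

Records use a simplified 'ts|event_id|logon_type|user|src_ip|host' line format
loosely modelled on Windows Security events 4624 (logon) and 4625 (failed logon),
where logon type 10 is RemoteInteractive (RDP) and type 3 is Network.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed working hours: Monday to Friday, 08:00 to 17:59 local time.
WORK_START, WORK_END = 8, 18


def is_off_hours(ts: datetime) -> bool:
    """True on weekends and outside working hours on weekdays."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a record."""
    ts, event_id, logon_type, user, src_ip, host = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "logon_type": int(logon_type), "user": user,
            "src_ip": src_ip, "host": host}


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Source IPs with >= threshold failed RDP logons inside any sliding window."""
    fails = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 10:
            fails[e["src_ip"]].append(e["ts"])
    hits = {}
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


def detect_offhours_fanout(events, min_hosts=3, window=timedelta(hours=1)):
    """Accounts that reached >= min_hosts distinct hosts off-hours within a window."""
    by_user = defaultdict(list)
    for e in events:
        if (e["event_id"] == 4624 and e["logon_type"] in (3, 10)
                and is_off_hours(e["ts"])):
            by_user[e["user"]].append((e["ts"], e["host"]))
    hits = {}
    for user, items in by_user.items():
        items.sort()
        best = set()
        for t0, _ in items:
            hosts = {h for t, h in items if t0 <= t <= t0 + window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            hits[user] = sorted(best)
    return hits


def analyze(lines):
    """Run both detections over raw log lines and return their findings."""
    events = [parse_line(l) for l in lines]
    return {"rdp_bruteforce": detect_rdp_bruteforce(events),
            "offhours_fanout": detect_offhours_fanout(events)}


# Constructed sample log. 2020-03-11 is a Wednesday, 2020-03-14 a Saturday.
SAMPLE_LOG = [
    # Benign weekday logons during working hours
    "2020-03-11T10:05:00|4624|10|alice|10.0.0.21|WS-FIN-01",
    "2020-03-11T10:06:30|4624|3|alice|10.0.0.21|FS-01",
    # A few mistyped passwords, below the brute-force threshold
    "2020-03-11T10:07:00|4625|10|bob|198.51.100.9|WS-HR-02",
    "2020-03-11T10:07:20|4625|10|bob|198.51.100.9|WS-HR-02",
    "2020-03-11T10:07:40|4625|10|bob|198.51.100.9|WS-HR-02",
    # Saturday night: one account reaching four hosts in fifteen minutes
    "2020-03-14T23:10:00|4624|10|svc_backup|10.0.0.5|WS-FIN-01",
    "2020-03-14T23:14:00|4624|10|svc_backup|10.0.0.5|WS-HR-02",
    "2020-03-14T23:20:00|4624|10|svc_backup|10.0.0.5|WS-ENG-03",
    "2020-03-14T23:25:00|4624|3|svc_backup|10.0.0.5|FS-01",
]
# Weekday-night burst of twelve failed RDP logons from a single internet source
SAMPLE_LOG += [f"2020-03-11T02:0{m}:{s * 10:02d}|4625|10|administrator|203.0.113.7|WS-FIN-01"
               for m in (0, 1) for s in range(6)]

if __name__ == "__main__":
    for name, findings in analyze(SAMPLE_LOG).items():
        print(name, findings)
```

Thresholds and the working-hours window should be tuned to the environment; service accounts that legitimately fan out at night need an allow-list or a separate baseline.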
Reposted from ArtNet News
It is hard to believe, but it was less than five weeks ago that Madrid’s art museums were thronged with visitors and its international art fair, ARCO, was in full swing. Now, the city’s art institutions are shuttered indefinitely and the fair’s venue has been transformed into a temporary field hospital. The director of Madrid’s Reina Sofía Museum has been working to keep his institution operating remotely in the hopes that it can serve as a beacon to those looking for inspiration. He reports that although some of his staff members are sick, none have died, and that they have kept their jobs thanks in part to Spain’s governmental assistance program. Borja-Villel has led Spain’s national museum of Modern and contemporary art since 2008 and also serves as a leading member of the Institute of Radical Imagination. As experts predict the coronavirus death toll has peaked in hard-hit Spain, the curator and art historian reflects on what the pandemic might mean for society and cultural life in the future.
Nobody could imagine this a month ago. Many of us were complaining about the state of the world in general, about how the health care system had been weakened, about the need to care more for nature, but no one could have imagined the emergency would develop so quickly, and that things would go this badly. There will be a “before” and an “after” this crisis. It will be a paradigm shift, just as everything changed after World War II.
The economic effects are going to be almost like a postwar situation when it is clear that what has happened is that the system failed. Things should not be like they were before. We will need something like a Marshall Plan for society and, of course, for culture—not to rebuild things as they were, but rather to imagine new worlds in which caring for other people and other species should be central.
In the art world, there are many things that need to be reconsidered. Eventually, museums will reopen, but will people be afraid of being close to one another? Will we be able to continue developing large exhibitions that are anti-ecological? Maybe blockbuster exhibitions are over. Maybe we should think more about process and research.
When the Reina Sofía reopens—certainly to begin with—we will have to limit the number of people in the Guernica room. But in addition to managing visitor flow safely, we also need to be careful that we do not turn into a society in which people are not empathetic, in which they are afraid even to touch each other. We cannot let public spaces disappear. There is an element of joy, of learning, and of democracy in being together with other people.
Right now, we are working with l’internationale, a confederation of European museums, to curate a visual manifestation of the balcony singing that has become so popular and uplifting in Italy. We have invited 14 artists initially to participate, but everybody will be included. We are asking them to create an intervention in their window, or on their balcony. They have complete artistic freedom, of course, but we are asking them to reflect on what it means to be on lockdown, and to imagine a better future. It is important to remember that human beings cannot be separated from nature, the importance of joy, and the importance of care.
Fortunately, we have always been big believers in archives, so we have a huge resource that until now we have not been able to fully activate. We also have a radio program, we have videos, we have documents on our website. We are now working to make more of this material available for free. We always imagined that, eventually, we would make it free, so we have already paid for the rights.
At the same time, we are developing new programs online. One is a poignant lecture by the art historian José Emilio Burucúa, which he was supposed to deliver at the museum. He traveled through Paris but was caught there when the lockdown began. When he went back to Argentina, he had to go into quarantine, so we did the lecture through Zoom. It was very emotional. The title was, “Like a Bird, Hope Flies.”
Reposted from Security Management
Mechelle Vinson needed a job. So, she went into the Meritor Savings Bank and met Vice President Sidney Taylor to see if they were hiring. They were, Vinson applied, and she was hired as a teller-trainee under Taylor’s supervision.
During her four years with the bank, Vinson was promoted to teller, head teller, and assistant branch manager. She also endured a pattern of sexual harassment by her supervisor, Taylor.
Shortly after her probationary period at the bank was over, Taylor invited Vinson to dinner and propositioned her for sex. She initially refused but was afraid she would lose her job, so she ultimately said yes.
After that initial incident, Taylor repeatedly demanded sexual favors from Vinson and had sex with her an estimated 40 or 50 times. He also fondled her in front of other employees, exposed himself to her in the women’s restroom, and raped her.
Vinson never reported the harassment to the bank or Taylor’s supervisors because she was afraid of him. But after she was terminated for taking extended leave, Vinson filed suit against the bank claiming she was subject to sexual harassment by her supervisor—a violation of Title VII of the Civil Rights Act of 1964.
Meritor Savings Bank attempted to have the case dismissed, claiming that because Vinson never reported Taylor, the bank could not be held liable for his behavior.
Vinson’s case made its way through the court system before landing at the U.S. Supreme Court. In a landmark ruling, the Court held that sexual harassment is a form of sex discrimination that is prohibited by U.S. federal law. It also held that just because the bank had a procedure to report the harassment—and Vinson chose not to use it—does not mean that the bank was shielded from liability.
“…the bank’s grievance procedure apparently required an employee to complain first to her supervisor, in this case Taylor,” wrote Chief Justice William Rehnquist for the Court. “Since Taylor was the alleged perpetrator, it is not altogether surprising that respondent failed to invoke the procedure and report her grievance to him. [Meritor’s] contention that [Vinson’s] failure should insulate it from liability might be substantially stronger if its procedures were better calculated to encourage victims of harassment to come forward.”
Vinson applied for that job in 1974. Rehnquist wrote his opinion for the Court in 1986. And yet, decades later, sexual harassment in the workplace remains an ongoing problem. In 2018, the most recent year for which data is available, the U.S. Equal Employment Opportunity Commission (EEOC) filed 41 lawsuits alleging sexual harassment occurred—more than a 50 percent increase in suits from 2017.
The EEOC also saw a 13.6 percent increase in the number of sexual harassment charges individuals filed with the commission in 2018, and it recovered nearly $70 million for victims through administrative enforcement and litigation—up from $47.5 million in 2017.
One positive, however, is that after the #MeToo Movement took off in 2017, there is greater awareness and acknowledgment of the existence of sexual harassment in the workplace.
“When #MeToo arrived, the big change was the degree that people are willing to speak up and speak out,” says EEOC Commissioner Victoria A. Lipnic. “There’s now a recognition and focus on culture. That was not the case prior to October 2017. That was something that we in our task force report in 2016 made a big, important point about—that culture more than anything matters.”
Lipnic joined the EEOC nearly 10 years ago when she was appointed by then U.S. President Barack Obama and approved by the U.S. Senate to serve as a commissioner. At the time, Lipnic says she was “appalled” at the number of sexual harassment complaints the EEOC continued to see nearly 30 years after the Vinson case—and so was her fellow commissioner, Chai R. Feldblum.
“I talked to all of our offices around the country, and they said that if the EEOC wanted to, we could have a docket of nothing but harassment cases—and more specifically, nothing but sexual harassment cases,” Lipnic says.
So in 2015, the EEOC created the Select Task Force on the Study of Harassment in the Workplace to examine the extent of harassment, what allows it to flourish, and how to prevent it. What the task force found—through interviews with stakeholders, experts, and victims—was disturbing. Almost one-third of the 90,000 charges the EEOC received in 2015 were allegations of workplace harassment. But despite the nearly 30,000 claims it received, the task force learned that most harassment is never reported.
“The least common response to harassment is to take some formal action—either to report the harassment internally or file a formal legal complaint,” Lipnic and Feldblum explained in a report released in June 2016. “Roughly three out of four individuals who experienced harassment never even talked to a supervisor, manager, or union representative about the harassing conduct.”
Most individuals chose not to report the harassment out of fear of disbelief, skepticism, or inaction on their claim. Instead, most people attempted to avoid their harasser, deny or downplay the situation, or ignore, forget, or endure the behavior.
While sexual harassment affects all people, it predominantly impacts women. The task force found that “anywhere from 25 percent to 85 percent of women report having experienced sexual harassment in the workplace,” according to the report. The percentages vary due to how questions about harassment at work are worded.
For instance, when the term was not defined in the survey, 50 percent of women said they had experienced sexual harassment, and 25 percent of women said they had been sexually harassed in the workplace. When asked if they had experienced one or more sexually based behaviors, such as “unwanted sexual attention or sexual coercion,” 60 percent of women said they had been sexually harassed, either inside or outside the workplace.
And when women do experience sexual harassment at work, they often turn to family members, friends, or colleagues for support, instead of formally reporting it.
Risk factors. To better understand why sexual harassment occurs in the workplace, the task force also looked at environmental risk factors that affect organizations.
It found that harassment is more likely to occur in homogenous workforces, where the workforce has little diversity.
“For example, sexual harassment of women is more likely to occur in workplaces that have primarily male employees, and racial/ethnic harassment is more likely to occur where one race or ethnicity is predominant,” according to the report. “Workers with different demographic backgrounds from the majority of the workforce can feel isolated and may actually be, or appear to be, vulnerable to pressure from others.”
Milk tea restaurant chain Tapioca Express and two of its franchises in San Diego, California, were recently charged with allowing the owner to harass young Filipino female employees, taking advantage of time alone with them to make unwanted sexual advances.
Tapioca agreed to pay $102,500 to settle charges brought by the EEOC that all three companies failed to prevent and correct the harassing behavior.
“We commend the young women for coming forward to shine a light on the harassment to which they were subjected,” said Christopher Green, director of the EEOC’s San Diego Local Office. “Their strength may give courage to other young people or those in the Asian American and Pacific Islander community who may be suffering harassment or discrimination in the workplace to come forward as well.”
However, the task force found that workplaces that are “extremely diverse” are also at risk because workers from different cultural backgrounds may be “less aware of laws and workplace norms,” which can allow harassment to occur.
Another risk factor is workplaces where workers do not conform to workplace norms, such as a male employee acting more feminine in a male-dominated work environment. The task force also found that “coarsened social discourse”—even outside the workplace—can make harassment seem more acceptable.
“For example, after the 9/11 attacks, there was a noted increase in workplace harassment based on religion and national origin,” the report explained. “Thus, events outside a workplace may pose a risk factor that employers need to consider and proactively address, as appropriate.”
Other risk factors include organizations with a high number of young employees who may not understand that their actions are a form of harassment; workplaces with significant power disparities, such as factories with plant managers and assembly line workers, or the military; organizations that rely on customer service and client satisfaction; and workplaces where employees are engaged in monotonous tasks because boredom may lead to bullying or harassment.
Chipotle Mexican Grill, Inc., recently agreed to pay $95,000 to settle EEOC sexual harassment and retaliation charges that stemmed from Austin Melton, a 22-year-old manager at a San Jose Chipotle store at the time, who endured physical and verbal harassment from his female supervisor.
Melton’s supervisor propositioned him and his then-girlfriend for sex, “touched him inappropriately, and posted a ‘scoreboard’ in the main office to track the staff’s sexual activities,” according to the EEOC. “When Melton reported the harassment, he faced further mistreatment including being locked in a walk-in freezer…. After Chipotle failed to adequately address the harassment, Melton quit.”
The position at Chipotle was Melton’s first job after high school, and in an EEOC press release he said he found it hard to speak up about the harassment at work and to report it to the EEOC when no action was taken to stop it.
“Austin was simply trying to do his job, as he worked to support himself and his girlfriend,” said EEOC Trial Attorney James H. Baker. “He faced conditions that no employee should have to accept in exchange for a paycheck.”
The task force also pointed out that isolated workspaces, decentralized workplaces, workplaces that tolerate or encourage alcohol consumption, and workplaces with high value employees are also risk factors for harassment.
“Superstars” are individuals seen as bringing high value to their employer, such as high-earning investment traders, surgeons, professors, or law firm partners who attract lucrative clients, the report explained.
“These workplaces provide opportunities for harassment, since senior management may be reluctant to challenge the behavior of their high value employees,” the report said. “The high value employees, themselves, may believe that the general rules of the workplace do not apply to them. In addition, the behavior of such individuals may go on outside the view of anyone with the authority to stop it.”
For instance, in December 2019 rideshare company Uber entered into a nationwide agreement to strengthen its business culture against sexual harassment and retaliation—and pay $4.4 million to resolve charges brought by the EEOC.
The commission began investigating Uber in 2017 and found reasonable cause to believe it permitted a culture of sexual harassment and retaliation against individuals who complained about the behavior. As part of the settlement, Uber agreed to create a system to identify employees who have been the subject of more than one harassment complaint. The system will also identify managers who do not respond to concerns of sexual harassment in a timely manner.
“In particular, employers should take note of Uber’s commitment to holding management accountable and identifying repeat offenders so that high-performing, superstar harassers are not allowed to continue their behavior,” said EEOC San Francisco District Director William Tamayo in a statement. “The tech industry, among others, has often ignored allegations of sexual harassment when an accused harasser is seen as more valuable to the company than the accuser.”
Prevention. While organizations need to have procedures to report and investigate claims of sexual harassment in the workplace, they can also take steps to proactively prevent the behavior in the first place.
In its research, the task force found that to effectively do this, organizations need to have commitment from leadership to create a diverse, inclusive, and respectful workplace. Not only is this the right thing to do, but it is also financially beneficial to the organization.
“At the tip of the iceberg are direct financial costs associated with harassment complaints,” according to the EEOC report. “Time, energy, and resources are diverted from operation of the business to legal representation, settlements, litigation, court awards, and damages. These are only the most visible and headline-grabbing expenses.”
Other expenses, which cannot always be calculated, include decreased workplace performance and productivity, increased employee turnover, and reputational harm.
The report recommends that leaders create a “sense of urgency” about preventing harassment in the workplace, such as assessing risk factors that can predicate harassment.
“For example, if employees tend to work in isolated workspaces, an employer may want to explore whether it is possible for the work to get done as effectively if individuals worked in teams,” the report explained.
Organizations should also have policies and procedures in place to address harassment, and conduct training so the policies can be followed. This means putting resources—money and time—towards this effort.
“Employees must believe that their leaders are authentic in demanding a workplace free of harassment,” according to the report. “Nothing speaks to that credibility more than what gets paid for in a budget and what gets scheduled on a calendar.”
One organization that is putting these recommendations into practice is Deloitte, which hosts an annual Inclusion Summit to bring together individuals from different backgrounds and experiences to hear from leaders and experts about advancing inclusion within Deloitte itself.
In 2019, Deloitte held a Day of Understanding across its U.S. offices to create a space for candid conversations around diversity, inclusion, and unconscious bias.
Deloitte also made a concentrated effort to diversify its cybersecurity workforce—one-third of which are female, including its recently promoted principal, Deborah Golden, who is the first woman to lead the company’s U.S. cyber practice.
“I’ve been here for 24 years, and we’ve always had some form of women in business, diversity, and inclusion program—and we’re continuing to evolve those programs,” Golden says.
This is not always the case across industry, she adds, but Deloitte made a commitment at the leadership level to create a diverse organization where everyone is welcome.
“Deloitte 100 percent does that,” she says, adding that Deloitte participated in a Pride Ride and other activities in June 2019 to mark LGBT Pride Month. “It’s not only something our executives support—but actively participate in.”
And once leadership makes its commitment to creating a diverse and harassment-free workplace, it then needs to hold those who violate the policies and procedures accountable.
“These accountability systems must ensure that those who engage in harassment are held responsible in a meaningful, appropriate, and proportional manner, and that those whose job it is to prevent or respond to harassment, directly or indirectly, are rewarded for doing that job well, or penalized for failing to do so,” according to the report.
Frontline supervisors have an especially important role because they are often the first to observe behavior at work. They are also often the first people to whom individuals will complain.
“They have to know how to correctly respond—that they don’t just brush it off,” Lipnic says, meaning they need to be trained on how to handle allegations of harassment. And security professionals have a doubly important role to play.
“I’ve spent years on this topic now, and it’s struck me that it’s a coincidence of our legal system that harassment is considered a form of discrimination—that’s just how the law developed,” she explains. “But on a very practical level, it’s a safety issue. And there’s such an opportunity for people who are engaged in the safety of workplaces to gain greater depth on the topic, demonstrate greater engagement, and work on a partnership basis with the leadership of organizations.”
For instance, Lipnic says security professionals can take an active role in conducting climate assessments of their organization so they understand how employees feel about their safety or factors that could encourage harassment.
It is also critical for security officers to have this understanding because they need to have firsthand knowledge of what situations employees find themselves in that impact their safety. This understanding is especially valuable when organizations are planning special events, such as a company party where clients and alcohol might be present—both factors that could increase the risk of sexual harassment. (See “The Intoxication Issue,” Security Management, February 2019)
“Security officers are trained to recognize risk, and if we have learned anything from the #MeToo Movement, I hope that it’s the degree of risk that so many people are in in all kinds of workplace environments,” Lipnic adds.
Reposted from Protocol
Cybersecurity experts fear that the chaos caused by coronavirus provides an opportunity that hackers will take advantage of — and there's already evidence that foreign adversaries, including Russia and China, are launching coronavirus-related cyberattacks.
Companies are increasingly vulnerable to cyber intrusions due to various disruptions caused by the coronavirus outbreak. Many are making sweeping changes to their networks, asking most or all employees to work from home, and may have to deal with critical IT workers getting sick or having to juggle work with taking care of kids. It all adds up to an opportunity that the most sophisticated hackers have been waiting for, said Nico Fischbach, global CTO of cybersecurity firm Forcepoint.
"Nation states play the long game — they have their list of targets and wait for the right moment to get in their systems … This is the perfect time. There's so much noise and so much change," he said.
Those fears were amplified earlier this week after reports of an apparently unsuccessful attempt to compromise the Health and Human Services Department's computer systems. In a Monday press briefing, a reporter asked HHS Secretary Alex Azar if the attack originated from a foreign country like Iran or Russia. Azar said that HHS is investigating the source of the activity, but he didn't want to speculate. Attorney General William Barr told the Associated Press there would be swift and severe action if the attack is linked to a foreign government.
Ben Read, senior manager for cyber espionage analysis at FireEye, said there are already signs that some countries are taking advantage of coronavirus fears. FireEye has been involved in investigating some of the most high-profile nation-state attacks in recent years, including the 2014 attack against Sony that was linked to North Korea and the 2016 attack on the Democratic National Committee that was attributed to Russia.
Since late February, FireEye has observed two Chinese groups targeting entities in Vietnam, the Philippines, Taiwan and Mongolia with phishing attacks that use legitimate statements by political leaders and authentic statistics and advice for people worried about the disease. Malicious files included in the emails carry various payloads that can do things like log a user's keystrokes or provide a backdoor into a device, allowing the hackers to access it at a later time.
FireEye said it also intercepted a similar phishing email sent to Ukrainian entities from an espionage group that supports Russian interests. The content of the email appeared to be copied from a legitimate document. Another phishing attack directed at a South Korean nongovernmental organization was linked to North Korean hackers. That email, sent in late February, included governmental health-related instructions and was titled "Coronavirus Correspondence."
It's impossible to know how successful these and other attacks have been so far, but Read suspects organizations are falling for it. "If something isn't working they would usually change things up, and we've seen these kinds of attempts increase, not decrease, so I assume it's working." He added that other factors, like the fact that "every company you've ever given your email address to is emailing you to tell you what they're doing" makes it more likely that people have their guard down when spotting phishing attempts. "People are very hungry for information right now," he said.
Some organizations might find out that they've been compromised only when an attack is carried out, Fischbach said. "It's very likely that we'll find out six to 12 months from now [that many organizations have been breached]," he said.
One bright note is that the attacks don't seem to be more technologically sophisticated than the ones companies typically deal with, Read said. Standard security procedures, anti-malware tools, and phishing email detection software will still prevent many of these attacks, he said. But additional user education is needed to help identify suspicious emails that carry legitimate coronavirus information. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency recently warned companies of such attacks, and advised them on how to improve their cybersecurity posture during the pandemic.
Although FireEye has identified coronavirus-related attacks from China, Russia and North Korea, it hasn't noticed any linked to Iran, Read said. That could be because Iranian phishing attempts haven't been detected, or because the virus has hobbled the country's hacking apparatus. "There are big questions in my mind that we don't have answers to. How do these outbreaks affect Iranian cyberespionage if the people behind the keyboards are getting sick?" he said. "We're still seeing Chinese activity, but you might see more of an impact in Iran because they have a pretty severe outbreak and fewer resources than the Chinese government."
Reposted from Politico
As the novel coronavirus reshapes virtually every facet of American life, it’s also coloring how aspiring terrorists plot attacks. And that shift has caught the attention of American national security officials.
Law enforcement and intelligence officials are watching the virus’s impact on potential terrorist threats — how it is accelerating the plans of some would-be attackers, while presenting macabre new targets of opportunity to others.
Homegrown violent extremists are a particular worry. In an interview, John Demers, the assistant attorney general for national security at the Justice Department, said the department and the FBI are closely monitoring how the virus is shaping their plans.
“They do get ideas about, ‘How can I try to weaponize this virus?’” he said. “It’s something we’re focused on, together with the FBI — and making sure on the intel side that we’re on top of whatever’s showing up.”
Officials are also tracking the way the pandemic could influence terrorists’ strategies on timing and targets for more conventional attacks, Demers said.
“Are they going to accelerate any of their plans?” he said. “Are they going to see windows of opportunities? Obviously a lot of public places are less crowded, but others, like hospitals, are more crowded. Are they going to see these windows of opportunity to take advantage of?”
International travel has gotten particularly complicated because of the pandemic, with the U.S. closing its borders to a host of countries and airlines slashing their flight schedules as demand plummets. Transportation Security Administration (TSA) data shows it checked one-tenth as many travelers on Thursday as it did a year earlier.
“We still have a few cases of people who want to travel to other countries and engage in terrorist activities,” Demers said. “How is this impacting travel plans? Is it accelerating them or deferring them for folks as flights shut down?”
The questions aren't merely theoretical, according to Demers, who suggested that authorities are already observing terrorists change their behavior as the virus alters transportation patterns.
The Justice Department last week charged a Pakistani doctor with trying to help ISIS. The doctor, who was temporarily working in the U.S., initially planned to get to Syria by flying into Amman, Jordan. But, according to a DOJ press release, his plans changed when Jordan closed its borders because of the pandemic. He then decided to fly to Los Angeles and, from there, travel to Syria on a cargo ship. He was arrested at the Minneapolis-St. Paul International Airport on March 19.
Demers said the virus could also give terrorists new ways to attack.
“There are worries that people could try to weaponize their own illness by trying to infect other people,” he said.
Joshua Geltzer, a terrorism expert who previously worked in the National Security Division and is now at Georgetown Law, concurred that the virus may provoke threats in new ways.
Social distancing might raise the risk of homegrown radicalization, he noted, as isolated people with loads of free time get pulled down disinformation rabbit holes online.
“The idea that that can lead to particularly deranged interpretations of events and generate an extreme response, even violent action — I think that threat gets magnified given the social isolation that we as a country are understandably adopting,” Geltzer said. “I feel like the past month and this virus have taken a dangerous information environment and really ratcheted up how lethal, how directly lethal it can be.”
by Stevan P. Layne, CPP, CIPM, CIPI
All individuals and institutions are experiencing significant impacts from the COVID-19 pandemic (and, most likely, the worst part isn’t over). If we continue to head in the same direction, with closed businesses, rising unemployment, and little or no income, people will inherently become increasingly desperate. Federal, state, and local governments are stepping in to assist where they can, but resources are limited on all fronts. Will assistance efforts put food on the table (and for how long)? It’s important to look at statistics, as well as human nature. When people become desperate, criminal activity increases. Even previously law-abiding citizens may resort to drastic measures to feed their families.
Where outright theft is concerned, over 90 percent of losses from cultural institutions involve someone connected to the institution. These losses, as far as we know, are not generated by desperate people. Internal theft is mostly committed out of greed or opportunity.
Remember, valuable collections are not the only assets that warrant strict protection. Theft can include cash, merchandise, computers, tablets, audio-visual equipment, electronics, supplies, and other expensive assets. Small objects are most easily removed without detection. Large objects are vulnerable as well, if someone has the time and opportunity to make proper arrangements.
What this means to management is that our protection efforts need to be absolute. Perimeters must be impenetrable at every point. Intrusion and access control alarms must be tested regularly and confirmed to be performing as intended. Every member of proprietary and/or contract security staff must be properly screened, hired, trained, and monitored. A responsible member of management who understands the entire security program must be designated to monitor all protection activity and security officer performance.
During current institutional closures, all persons (staff, volunteers, contractors), regardless of rank or position, should be thoroughly screened/identified upon entering or leaving facilities. Every parcel, bag, and container should be professionally searched upon entry and exit to mitigate internal theft.
Video surveillance is a valuable tool, if properly specified, selected, placed, installed, monitored, and tested. While video surveillance and security and fire protection alarms perform a valuable function, technology alone cannot take the place of an alert, well-trained, and properly supervised patrol officer in terms of reliability and effectiveness. With the current, significant decrease in regular staff working within our institutions, proper security inspections, patrols, and physical searches become even more critical.
We are all particularly vulnerable during closures, and disrupted operations. Please stay safe and diligently maintain recommended health practices.
Contact us if you have concerns about your unique facilities or assets. We can help directly, or refer you to someone who can.
Crisis response hinges on two factors: what the organization does and what the organization says. When these halves align, it results in trust and a more positively received and effective response. When they conflict, organizations struggle to recover. In a pandemic, ensuring these elements are carefully calibrated is more essential than ever, says Helio Fred Garcia, a professor of crisis management at New York University and Columbia University. While an organization’s actions during crises depend largely on the circumstances, its communications can rely on a few essential best practices.
Garcia, who is also president of Logos Consulting Group, adds that crisis response around pandemics is inherently different from responding to a natural disaster or a data breach. Natural disasters in particular deeply affect a limited number of people in a specific geographic area. COVID-19, he adds, potentially affects everyone worldwide.
There are six dimensions to the current coronavirus pandemic crisis, Garcia says. It is simultaneously a crisis of public health, business, economics, information and trust, government competence, and society.
“We need to keep all six of these dimensions in mind because this is a moment where people are hungry for understanding what is happening, but also for comfort in their fear,” Garcia says. “Leaders at every level need to find the balance between conveying a sense of urgency and triggering a panic. And that's a very delicate line, especially as people are feeling personally vulnerable—not only on the public health side and in their work, but also in terms of the economy. And any given stakeholder, at any given time, is simultaneously processing all six of these things. And that makes this crisis unusual.”
In addition, this is the pandemic in the social media age, which fundamentally changes the nature of crisis response, Garcia tells Security Management. This means organizations and crisis managers must prepare for the rapid spread of misinformation, panic, and criticism. It also presents opportunities for self-reflection, benchmarking against other organizations’ responses, information gathering, and outreach to people affected by the crisis.
Pivoting classic crisis communications practices to pandemic-appropriate ones requires a shift in perspective: Ask not “what should we do,” but instead “what do reasonable people—from the board to employees to the public—expect us to do?” The coronavirus pandemic also adds another layer to this decision-making process: evaluate what other organizations or similar groups are doing, Garcia says.
One of the most valuable assets an organization has during a crisis is trust, both from internal and external stakeholders and customers. Trust is primarily established based on three factors, Garcia says: promises fulfilled, expectations met, and an organization’s stated values being lived experiences. On the first, be careful what promises the organization makes to the public or to employees; in a rapidly evolving situation, those promises might need to be broken. On the third, he explains, if an organization declares that it has a mission of kindness and charity but acts in an unkind or uncharitable way, people lose trust in that organization.
Regarding meeting expectations, “we need to be deeply attentive to the quickly evolving expectations that reasonable people have,” Garcia adds. In an environment where it’s easier to see what other institutions are doing—whether through social media or news outlets—the public can quickly evaluate new standards of care and judge organizations accordingly. Once large-scale events started to cancel in response to the spread of COVID-19, for example, people expected other events to follow suit.
Organizations can help set expectations by clearly establishing who holds what role during crisis response and whom people should expect to hear from with new directions or updates. Without absolute clarity on who is involved and where to turn for information, the response can be perceived as confusing or even untrustworthy—even if the crisis managers have matters well in hand.
Maintaining trust is significantly easier than regaining it. It is unlikely that organizations—and countries—that lost their stakeholders’ or citizens’ trust will regain it during the coronavirus pandemic, Garcia adds.
In every crisis, Garcia says, stakeholders expect leaders to care; an expression of empathy is a necessary first step to demonstrating a commitment to fulfilling that expectation.
“One of the things that people are looking for is ratification of their feeling of emotional fragility,” he notes. “And when I look at the best statements, whether it's from CEOs or from university presidents or others, one of the things that I find that is most helpful is a statement that begins with an acknowledgment of people's anxieties, fears, or uncertainty and feelings of vulnerability. When they do that first, the communication tends to work reasonably well.”
Even if the message includes an acknowledgment or wish for wellbeing or health later on, people will likely have tuned out or stopped reading by that point, Garcia says. Start with an empathetic statement, then outline the big picture and action items needed to realize it.
The tone for crisis communications must be set at the top, Garcia adds, but communication from the top alone is insufficient. Consider an organization like a series of concentric circles, with the CEO in the center to the customers or employees on the outer ring, he says. The CEO communicates out across the organization, but that message is followed by communication from the next ring, and the next, and the next, radiating outward in persistent, aligned messages that drive action as well as cohesion.
When in doubt, Garcia says, over-communicate.
“Some people won’t have seen or heard the first few messages that you did but will need to hear from you at some point, whether you’re the CEO or the head of security or others,” he says. “The communication needs to be empathetic; it needs to be aligned with the rest of the institution’s communication, at least thematically; and it needs to be clear and avoid euphemism. One of the common missteps is to refer to ‘this unfortunate circumstance,’ as opposed to ‘one of our people has been diagnosed with COVID-19.’ The use of euphemism—which is perceived as an evasion of responsibility by some—has the tendency to confuse, and if we’re already in an information crisis, we need to avoid using communication that would create confusion.”
Garcia notes that “one of the best practices in crisis response is to name the problem with clarity.”
In addition, be mindful of emotions. According to a Kaiser Family Foundation survey conducted in mid-March 2020, four in 10 Americans say their life had been disrupted “a lot” or “some” as a result of the pandemic, and many worried that they or a family member would get sick (62 percent), that retirement or college savings would be negatively affected (51 percent), or that they would be unable to afford testing or treatment for COVID-19 (36 percent). Among workers, especially those in lower income households, 53 percent said they were worried they would lose income due to a workplace closure or reduced hours. These sorts of concerns trigger emotional reactions, which can hamper effective crisis communication.
“People who are emotionally wrought need to be connected with emotionally first,” Garcia says. “You can’t meet emotion with reasoned facts or data. You can only meet emotion with emotion and move people with you.”
The challenge is to be direct and factual after creating an emotionally safe connection. For security professionals, this is especially difficult, since they are often trying to convey the significance of a threat without panicking the CEO.
“That requires a certain degree of artfulness in the communication,” Garcia says. “People in the C-suite are feeling fragile and vulnerable. They know they’re not going to make their numbers this year. They know that they’re going to have to change a whole bunch of operations. They know that their employees are not productive anymore. So there’s a fair amount of institutional anxiety at the top of the institution, and people at the top may be struggling with feelings of powerlessness.”
By meeting those feelings with acknowledgment and empathy, as well as a solutions-focused attitude instead of a hopeless one, good communications can drive crisis response forward.
“Emotions are contagious. Panic is contagious. Fear is contagious. Anger is contagious,” Garcia says. “But comfort is also contagious. Expression of sympathy is also contagious. Expressions of empathy are also contagious. Expressions of kindness are also contagious. And so the challenge is to be direct, factually, after creating an emotionally safe connection.”
Reposted from Dark Reading
Cybercriminals are capitalizing on the spread of COVID-19 with new phishing emails that pretend to offer information about the virus or request money or data from concerned victims.
The FBI Internet Crime Complaint Center (IC3) issued an alert late last week to warn people of fake emails claiming to be from the Centers for Disease Control and Prevention (CDC) or other healthcare organizations, pretending to share information about the virus. Officials advise not to open attachments or click links in these emails, and to be wary of websites and apps that claim to track COVID-19 cases. Criminals are using such websites to infect and lock computers.
Some of these emails ask victims to verify personal data so they can receive an economic stimulus check from the government, the FBI says. It emphasizes that while these checks have been mentioned in the news cycle, government agencies are not sending out unsolicited emails asking for private information. Other phishing campaigns may mention charity contributions, airline carrier refunds, fake cures and vaccines, and fake COVID-19 testing kits, officials note.
People are also urged to be on alert for attackers selling products that aim to prevent or treat COVID-19, as well as counterfeit sanitizing products and personal protective equipment (PPE). More information on PPE can be found via the CDC, FDA, and EPA.
Reposted from the Wall Street Journal
As millions of U.S. workers frantically pivoted to remote work last week, putting new strains on their computer networks, federal officials warned that hackers smelled blood.
But the fallout from coronavirus-related breaches may not become clear for weeks, months or even longer, experts say. The expected delay highlights how confusion from the pandemic has created long-term security risks that could eat up precious resources as the economy hurtles toward a recession.
“Very well-organized criminal organizations or nation-states—they can wait,” said Nicolas Fischbach, chief technology officer of Forcepoint LLC, a cybersecurity firm that specializes in data protection. “They get to more data. They can learn more about the environment.”
Overstretched IT teams might not be able to keep up with updating their networks, experts say, while nonessential businesses that have effectively closed shop could prove to be easy targets. Those challenges come as workers’ use of private devices and services give attackers ample opportunity to avoid employers’ detection tools.
The public and private sectors already have faced an array of threats. The Federal Bureau of Investigation warned of an uptick in phishing scams against businesses. The World Health Organization told Reuters that hackers targeted it with a malicious look-alike website. And the U.K.’s National Crime Agency confirmed to WSJ Pro Cybersecurity that it is investigating an alleged ransomware attack against Hammersmith Medicines Research Ltd., a drug-testing company that has carried out trials for the Ebola vaccine and other treatments.
While some attackers use ransomware for an immediate payout, more sophisticated groups could use the upheaval to penetrate networks and quietly search for bank account numbers, trade secrets or personally identifiable information that is financially or politically valuable, Stephen Breidenbach, a cybersecurity and privacy lawyer at Moritt Hock & Hamroff LLP, said in an email.
“They’ll then start siphoning off those resources as inconspicuously as possible, or wait to hit all the assets in one fell swoop when the company is most vulnerable,” Mr. Breidenbach said, adding that attackers could lie dormant for years. “Some hackers even try to get money from the stock market using nonpublic information they acquire.”
The question is whether companies and governments can also play the long game. Widespread office closures over the past two weeks have overloaded some virtual private networks with remote workers, according to cybersecurity experts. Mr. Fischbach, of Forcepoint, said the most common question clients had last week was how to scale up VPNs to handle the surge in traffic.
Debbie Gordon, chief executive of Cloud Range Cyber LLC, which works with businesses to war-game cyberattacks, said IT teams will continue to be pulled between helping employees maintain productivity and aggressively policing potential breaches. That balancing act—let alone new security investments—might prove difficult for businesses tightening their budgets amid an economic slowdown.
“Their focus might not be on the proactive patching and maintenance of the networks as well,” Ms. Gordon said.
The Cybersecurity and Infrastructure Agency at the Department of Homeland Security has urged public- and private-sector workers to patch their systems, be on the lookout for abnormal activity and ensure machines have properly configured firewalls.
But the added wrinkle is that many remote workers may turn to their own computers, email and file-sharing accounts in a pinch, said Paul Martini, chief executive at iboss Inc., a cloud security firm. Often accessed through the public internet, those private tools increase the surface area for attacks and make successful data breaches more difficult for intrusion-detection tools and cybersecurity teams to see.
“My suspicion is we’re going to see a big uptick in terms of the amount of data on these public, information-sharing sites that shows up on the dark web,” Mr. Martini said.
Reposted from Cyberscoop
Coronavirus-themed scams show no signs of letting up as hackers have tried to breach mobile phone users in Italy and Spain, the two countries with the most deaths from the virus.
Attackers laced mobile apps with malware to try to steal data from, or otherwise compromise, Italian and Spanish residents looking for updates on the pandemic, according to Slovakian antivirus firm ESET. The phony apps posed as legitimate ones offering updates on the spread of the novel coronavirus and how to assess your risk of infection.
“Because of the current situation, many [hacking] campaigns are either migrating to a COVID-19 theme or new campaigns are created with a COVID-19 theme,” said Lukas Stefanko, an Android security specialist at ESET.
The apps were available for download for a couple days, Stefanko said. It is unclear how many people downloaded them. The malicious app targeting Spanish users is no longer available; it is unclear whether the Italian app still is.
It is a reminder of the cruel opportunism with which many cybercriminals approach the crisis. When people turn to their phones for information on the deadly virus, hackers see an opening.
As of this writing, the novel coronavirus had killed 7,503 people in Italy and 4,089 in Spain, according to Johns Hopkins University data. Hospitals have been overwhelmed with patients, forcing health care workers to erect makeshift facilities.
The malicious Android app targeting Spanish users is a banking trojan — code designed to steal financial information — that emerged last year. It was available on a third-party malicious website and not the authorized Google Play store, ESET said.
SoftMining, the Italian company that created the legitimate app for COVID-19 tracking, has warned users that “some hackers are sending counterfeit versions of our app in which they have injected malicious code.”
Stefanko doesn’t know who is behind the attempts to hack these particular users. The two campaigns do not appear to be related, he said.
The malicious activity is part of a broader surge in COVID-19-related fraud and phishing in recent weeks. Some are using attention on the Johns Hopkins COVID-19 map to distribute malware. U.S. Attorney General William Barr has vowed that prosecutors will crack down in response.
It’s not just criminals who are exploiting the crisis. Surveillance-minded hackers from Libya to China are also tailoring their activity to COVID-19 fears.
In response to the increased cyber activity, many security professionals are volunteering their time to protect medical organizations from hacking.
1305 Krameria, Unit H-129, Denver, CO 80220 Local: 303.322.9667
Copyright © 2015 - 2018 International Foundation for Cultural Property Protection. All Rights Reserved