What I think is amazing about all of the massive data breaches we hear about is that we know most are not reported. In other words, for every email, customer record, or financial theft in the news, there likely are hundreds that remain in the shadows.
This problem is huge and yet another incident came to light last week. A clever Lithuanian individual was able to pull a whopping US$100 million from a bunch of unnamed Internet companies using a combination of phishing tactics and fake vendors spread across a multitude of companies.
It apparently wasn’t a state-level or even organized crime-level attack, which should make you wonder how many billions hostile states and actual criminal organizations are stealing from you daily. You and I are the victims, because this activity raises costs that we pay.
The good news is that companies that no longer wish to be targets can take advantage of three broadly used technologies to stop this activity: blockchain, Inky and Varonis.
I’ll explain and then close with my product of the week: the Lenovo X1 Carbon, which may be the best business laptop currently in market.
The Lithuanian attack brought back memories of one of my most embarrassing moments during my stint running an audit team. Shortly after we completed the audit, someone else discovered that an employee in an area we’d audited had embezzled thousands from the company, and I felt personally responsible for missing it.
My boss pointed out that my team had caught the control exposure that made the theft possible, and that it simply had not shown up in our sample of vendors. Still, I was embarrassed personally and always have felt I could have done better.
When these things hit, they affect everyone up line from them. They can be incredibly hard to catch, but I think it is well worth making the effort. Being connected to something like this can follow your career, even if you had no way of catching or stopping it.
Blockchain to the Rescue
The best solution for combating false vendors likely is blockchain technology, which is why IBM has been so successful with financial institutions implementing it broadly. Developed around the digital currency bitcoin, it is a way to ensure transactions without financial institutions. It provides a robust multilevel transaction assurance process that is incredibly difficult to break.
This doesn’t mean a state or very powerful criminal organization couldn’t breach it — with enough resources, anything is possible. Short of that, however, it represents the most robust and secure trust system currently in market.
If the victim companies in the Lithuanian breach had used blockchain, the attacker likely would have chosen other firms to attack.
Everledger currently uses blockchain to ensure diamond transactions and eliminate conflict diamonds, which fund some of the most brutal wars and nastiest crimes in the world. It may be the strongest weapon currently available to eliminate this kind of crime.
The use of blockchain is evolving to ensure art and other high-value transactions as well, in both the personal and public markets.
Email Security Guard
When there is a unique exposure, a unique company often steps up to address it. Phishing, particularly spearphishing, is at the heart of many data breaches.
One of the biggest I personally ran into was a case of a criminal organization that was able to capture critical identity information of each of a targeted company’s execs over the course of a year. It then used that data to convince all of the company’s employees to send in their own financial ID credentials in order to commit identity theft at massive scale.
I see cases like this all the time now — sad stories of people who believe they got a request from their boss, CFO, or even CEO for confidential information. A duped individual supplies it, and then finds out it was a fake note and he or she is now at the heart of an IP theft case as the one who breached policy. Careers often don’t survive mistakes like this.
Inky is a relatively new email service that focuses on identity validation. Every employee has a unique key, and if the email doesn’t have that key it isn’t from that employee. You immediately can see that the email that seemed to come from the CEO didn’t. Rather than becoming a key portion of the problem and possibly ending your career, you can flag the email to security and be part of the solution.
At some point, I expect every email system will have some kind of identity validation built into it, but right not the only one I know that does is Inky.
Who’s Minding Access?
From the DNC email breach to this latest one, the problem in part has been that there was no in-depth monitoring of systems or access. When there is a breach, there is an unusual event taking place — but if you have no invasive way to monitor activity and aggressively limit access, you simply don’t have the capability to catch a breach when it occurs.
At some point during this latest breach, new vendors were being added at an unusual rate. The system should have flagged that as an anomaly, even though different purchasing agents likely were adding them. Such a flag could have resulted in identification of a breach in progress, before the millions were lost. That is why tools like Varonis, which can monitor access and alert system administrators of anomalies are a critical part of the tool kit that successful CSOs use to make sure their firms aren’t breached.
There are tools to prevent the kinds of financial and intellectual property breaches that have damaged companies and elections. At some point, boards need to start asking if these tools are in place to make sure the firms they oversee aren’t being negligent with regard to information and financial security.
As customers, we may want to start checking to see if the firms we trust to manage our own finances are well secured, because identity theft is a really nasty problem to fix — as is getting back money that was pulled from our bank accounts illicitly.
Until then, just be aware there are tools that can make both our companies and ourselves far safer. More of us may want to be pointing these out so that we’re not included in the next set of victims.
Rob Enderle’s Product of the Week
The best laptop for me may not be the best laptop for you, but I’ll bet the Lenovo X1 Carbon comes close. There are four things that stand out for a notebook used for work: light carry weight, because I already put too much crap in my backpack; good keyboard/touchpad; damage resistant, because I don’t want something that looks older than I do; and really good battery life, because I don’t want to fight or look for plugs on planes or in conferences.
The Lenovo X1 Carbon currently does the best job of hitting all those points. It weighs slightly less than two and a half pounds and is just a little more than half an inch thick, which puts it close to large tablet territory. Along with many others who have used it, I think it has the best keyboard currently in any laptop. The ThinkPad black coating has proven to be one of the most durable for decades. Finally, its battery has lasted around 16 hours in tests, which means it is working when you need it to work.
There are few laptops from anyone, let alone in this weight class, that do anywhere near as well. By the way, another nice thing that is suddenly showing up in a number of laptops is a USB-C charging port, so if you need a charger and there is anyone else with a USB-C laptop charger, you aren’t screwed. I actually think a USB-C port should be a requirement for every laptop going forward, so we aren’t forced out of our offices by a growing pile of useless chargers that don’t fit our laptops.
Granted, it isn’t a 2-in-1, but given how few of us use 2-in-1s in tablet mode? I really don’t think many would miss that feature. In addition, it doesn’t have a touchscreen, which can get a tad annoying if you are used to using one. The one real downside for me is the lack of a GPU, so I can’t play good games on it.
However, if you add a GPU you’ll gain weight and lose battery life — which even for me sometimes isn’t a good tradeoff. (I find I’m mostly gaming on a desktop machine at home these days, anyway.)
At just under $1,152, the Lenovo X1 Carbon is no cheap date. (Note: Personally, I’d buy up to the $1,300 version with the fingerprint scanner — they have really improved over the years — but it currently is sold out.) If you want what is likely the best workhorse laptop for school or business, there is to my knowledge none better, which is why the Lenovo X1 Carbon is my product of the week.