MY TAKE: Why the SEC’s reporting guidance, Yahoo’s $80M payout will shake up board rooms

By Byron V. Acohido

The most encouraging thing about the U.S. Securities and Exchange Commission formally issuing cybersecurity reporting “guidance” for public companies last month was, ironically, commissioner Kara Stein’s disappointment that her colleagues did not go much further.

Related video: Howard Schmidt’s 2015 observations on board involvement

Stein said she would have liked to have seen the commission do a lot more than rehash staff-written best-practices suggestions that have been lying around since 2011. Her assertive stance resonated just a few days later, when Yahoo agreed to settle a milestone securities case for a cool $80 million.

Data thieves stole personal records for 1 billion individuals from Yahoo. So now the portal giant will pay a legal settlement that’s more than four times the $18.5 million payout Target had to cough up for losing data for 41 million customers.

Yahoo’s poor practices — neglecting to encrypt and sufficiently protect data; failing to detect and disclose the breach in a timely manner; bulling ahead with the sale to Verizon — resulted in exponentially more victims than Target.

More crucially, unlike the Target case, the Yahoo case was pressed by plaintiffs’ attorneys representing consumers in a securities-related lawsuit. (Attorneys general from 47 states sued Target.) And the private attorneys hit the jackpot. In addition to the $80 million for injured consumers, the plaintiffs’ attorneys have asked the court to order Yahoo to pay $20 million in legal fees, and up to $750,000 as reimbursement for other work expenses.

Buck stops with board

Together, the SEC’s freshly minted advice and the Yahoo settlement shine a bright light on D&O liability. It’s now crystal clear that board directors and senior executives can be held accountable for any major data breach that occurs on their watch. …more

NEWS WRAP-UP: Russian bots conduct social media blitz to discredit Trump-Russia probe

By Byron V. Acohido

Week ending Jan. 26, 2017. The use of Russian bots and trolls in social media propaganda blitzes continues. Counterterrorism expert Malcolm Nance minced no words in lambasting the latest deployment of Russian botnets to influence American politics.

Related article: Trump is top bait used in spam campaigns

Nance appeared on the Stephanie Miller radio show to decry as ‘treasonous’ the bold move by House Republicans to spread word of — but no details from — a top secret memo purportedly discrediting the FBI’s Trump-Russia investigation.

This move was accompanied by the unleashing of Russian bots and trolls to hype the #Releasethememo campaign on Twitter and other social media platforms. This appeared to be an attempt to add validity to the memo in question — by suggesting a cover-up.

Lest we forget, Russian botnets fueled wildly conflicting polling results during the 2016 presidential race, and fabricated 6.1 million Twitter followers for then-candidate Trump. This week’s blitz represents another level of finesse.

Insurance halo effect

Here’s more evidence that the insurance industry is aggressively seeking to nurture the anticipated $20 billion-plus market for cyber liability insurance policies. Insurance carriers and underwriters need to figure out how to triangulate complex cyber risks — not as easy as setting actuarial tables for fires or earthquakes. …more

MY TAKE: Rising hacks on energy plants suggest ongoing global cyber war has commenced

By Byron V. Acohido

We all fret over the smorgasbord of cultural and geopolitical controversies complicating our daily lives. That being the case, not enough public attention is being paid to the increasingly plausible scenario of an ongoing global cyber war.

I say this because in recent months there has been a series of public disclosures about progressively more sophisticated hacks into power plants and other critical infrastructure. These intrusions clearly are nation-state sponsored, as they require significant resources to orchestrate, and there is no clear financial motivation behind them.

Related podcast: How Russia’s election meddling relates to plant hacks

And one more important thing: each of the power plant hacks we know about to date seems to be mainly about testing weak points, probing for footholds and generally maneuvering to get the strategic upper hand against a rival nation-state.

The ‘Triton’ hack is a case in point, disclosed on Dec. 14 by security vendor FireEye, a global security company with an extensive threat intelligence team (obtained via its acquisition of Mandiant) and a long history of tracking nation-state cyber groups.

Hackers caused an operational outage at a critical infrastructure site by deploying a new form of sophisticated malware. They were able to stealthily — for a while at least — take control of the plant’s Schneider Electric Triconex Safety Instrumented System (SIS). Such systems are used to automatically shut down industrial processes when operating parameters approach a dangerous state. …more

MY TAKE: Why ‘Meltdown’ and ‘Spectre’ portend a banner year for malicious hackers

So you think 2017 was a bad year for cyber exposures? It is clear to me that we are about to commence an extended run of cyber incursions of unprecedented scale and sophistication.

Four days into 2018 and the world must deal with the disclosure of an all-new class of vulnerability built into the processors of virtually every computing device in active use.

Researchers today announced two distinct hardware flaws – dubbed ‘Meltdown’ and ‘Spectre.’ The good news is that Meltdown and Spectre were discovered by the good guys, who responsibly disclosed the weaknesses to the culpable parties. Prior to today’s disclosure, substantive effort was put into preparing workarounds and patches.

Now the race is on to protect as many devices and …more

PODCAST: The case for rethinking security — starting with smarter management of privileged access logons

By Byron V. Acohido

Two cybersecurity trend lines have moved unremittingly up the same curve over the past two decades — and that’s not a good thing.

Year-in and year-out, organizations have steadily increased spending to defend their networks — and they continue to do so, with no end in sight. Research firm MarketsandMarkets estimates that the global cybersecurity market size will grow from $137.85 billion in 2017 to $231.94 billion by 2022, a compound annual growth rate of 11.0%.

Related podcast: Much stronger security can come from simple ‘Identity Access Management’ improvements

At the same time, the damage and disruption caused by malicious hackers has also continued to rise, with no end in sight. One recent measure of this comes from a survey of senior officials at 120 large enterprises, conducted by research firm Forrester and sponsored by Centrify, a leading supplier of identity and access management (IAM) technologies.

C-level executives disclosed to Forrester that two thirds of their companies had been breached multiple times — a startling five times on average over the past two years. What’s more, respondents indicated these break-ins occurred evenly all across the network, at endpoints, servers, databases and in software-as-a-service systems. …more

GUEST ESSAY: What ‘Fight Club’ taught me about protecting my online personas

By Thomas Yohannan

Dissociative identity disorder, AKA multiple personality disorder, is a human condition in which the victim’s personality becomes fragmented into two or more distinctive states.

DID has long been a rich topic for Hollywood screen writers. The movie Fight Club, in which Edward Norton and Brad Pitt portray polar opposite personalities of the main protagonist, is a classic example.

Related podcast: Phil Lieberman calls for resetting the C-suite mindset

DID sufferers subvert themselves in self-contained sets of memories, behaviors, attitudes, even perceived age. This is done so that the victim can insulate certain fragile areas of his or her psyche, and thus is able to function with a sense of security in otherwise threatening environments, psychologically speaking.

It may not be a bad idea …more

MY TAKE: Why Uber’s flouting of disclosure laws should ignite security regulations

Think it was a mere coincidence that Uber disclosed its catastrophic data breach late in the afternoon on the Tuesday before Thanksgiving?

Fat chance. Uber’s new CEO Dara Khosrowshahi almost certainly calculated the diminished notoriety to be gained by announcing the hack on the eve of the year’s most distraction-packed, four-day weekend.

Related article: The implications of Deloitte breach on heels of SEC, Equifax hacks

Uber discovered it had been breached 14 months ago, in October 2016. The ride-hailing pioneer has admitted losing personal information for 57 million customers (myself included) and 600,000 drivers.

(UPDATE. 6 am, Nov. 29, 2017. Uber has clarified that it lost personal information for about 50 million passengers and 7 million drivers, some 600,000 of them U.S. drivers. That includes losing the driver’s license numbers for all 7 million drivers. On that basis, Washington Attorney General Bob Ferguson has filed a multimillion-dollar lawsuit against Uber. Under Washington’s data loss disclosure law, companies must notify victims of any loss of driver’s license numbers. “Washington law is clear, when a data breach puts people at risk, businesses must inform them,” Ferguson said, in announcing what he billed as a multimillion-dollar lawsuit. “Uber’s conduct has been truly stunning. There is no excuse for keeping this information from consumers.”)

A lot of water has gone under the bridge in 14 months. Uber officials could not have missed the fireworks surrounding high-profile breach disclosures by Equifax, the U.S. Securities and Exchange Commission, Deloitte, Yahoo, fast food chain Sonic and international law firm Appleby.

As those organizations bit the bullet, Uber took these steps behind closed doors:

• Paid the hackers $100,000 to delete the data and stay silent about the theft

• Head-hunted, recruited and hired a new CEO, namely Khosrowshahi

• Tossed its chief security officer, Joe Sullivan, and his deputy, under the bus …more