As the COVID-19 pandemic has forced much of the global workforce to work from home, many have suddenly started to work full-time outside the protections of corporate security programs. Just as we have all become experts in social distancing and hand washing, we need to be equally vigorous about our “cyber-hygiene”. As we all pull together to “flatten the curve”, many high net worth individuals and small businesses need to quickly get up the learning curve to become more cyber-secure. This article is an interview with cybersecurity expert and policy advisor Megan Stifel (Executive Director, Americas at the Global Cyber Alliance – the “GCA”) about how to do exactly that and the direction of cybersecurity policy around the globe.
1. Understanding the Global Cyber Alliance
● What is the mission of the Global Cyber Alliance and why was it established?
MEGAN: The short answer is we are a global not-for-profit organization dedicated to eradicating cyber risk. We do this by uniting global communities, scaling cybersecurity solutions, and measuring the impact.
● Are there other organizations or government bodies out there with a similar mandate and how would you differentiate yourselves?
MEGAN: There are a number of cybersecurity not-for-profits, and a significant number of not-for-profits that work on cybersecurity in addition to their other activities. Few of them are dedicated to closing the gap created by misaligned market incentives that reward “first-to-market” rather than “secure-to-market” products and services.
In many cases not-for-profit work focuses on addressing policy weaknesses and the service gaps these weaknesses create. Our focus is on cyber hygiene, getting users to implement available solutions that have been identified by experts but are suffering from low uptake. We work to help users implement effective solutions and measure that impact.
● How and why did the City of London Police and the NY District Attorney pick GCA?
MEGAN: I might turn it around, to say they helped found GCA. The City of London and the City of Manhattan are two of the world’s financial capitals. The District Attorney of New York County (Manhattan), Cyrus Vance, recognized it’s far better to prevent a crime than to prosecute it, and contributed a significant amount of funding to establish GCA with the goal of preventing cybercrime broadly by enhancing cyber hygiene.
● How did you, Megan, end up in this field and what are some highlights of your experience that make you an expert in the field?
MEGAN: I transitioned from being primarily an operational attorney focused on counterterrorism within the National Security Division at the Department of Justice to a policy attorney just as then-President George W. Bush issued an executive order directing the government’s efforts to address cybersecurity. My work at the intersection of technology and law, primarily in the context of counterterrorism investigations, well positioned me to understand much of the legal framework for online investigations, as well as the scale and scope of the internet, as a force for good and evil.
Working within the government, including at the White House, to advance policies and laws to unleash the power of the internet for good has been the highlight of my professional career. I had the benefit of working with the committed civil servants who work on these issues across the Executive Branch and internationally in partner governments and institutions, as well as with industry.
2. Risk to High Net Worth (HNW) Individuals
● How real is the risk of identity theft and/or other cybercrime to high net worth individuals?
MEGAN: A 2017 report found that ⅓ of surveyed family offices and family businesses had experienced a network or account intrusion, often unnecessarily and incorrectly referred to as a cyber-attack. At that time, family offices were failing to see these intrusions as a threat to their reputation, despite the fact that information compromised from the incident can result in blackmail, extortion and smear campaigns, to name but a few of the possible consequences.
Above I said many account “intrusions” are often unnecessarily and incorrectly called “cyber-attacks” because most of the time a data breach or network intrusion results from the failure to undertake known best practices, like patching software and using two-factor authentication (discussed below). Rather than describing these types of incidents as “attacks”, which has led to a high degree of distrust with everyday online activities, those covering these issues need to be more careful in their language. A true “attack” in this space does happen, such as when computers and other connected devices become overtaken (as a result of poor cyber hygiene) and become part of a group of similarly compromised devices known as a botnet. A well-known attack of this nature is known as the Mirai botnet, which, in 2016, limited Internet connectivity on the East Coast of the United States for several hours.
● Are high net worth individuals particularly susceptible to cyber-attack relative to business or governments for example?
MEGAN: Those who fail to practice good hygiene are at risk from malicious cyber activity. High net worth individuals are at higher risk for certain types of this activity, such as efforts to gain access to bank accounts, which criminals may have identified them as the owners of through social media posts and link analysis, or through the compromise of accounts where such information has been stored, e.g., a non-profit or payment processor that itself failed to implement good hygiene.
● What are potential risks to my personal cyber security?
MEGAN: Re-used passwords, using products with out-of-date software, clicking on links from unknown sources, and over-sharing on social media are at the top of my list.
● What are common scams/breaches and how can I avoid falling victim to them?
MEGAN: Social engineering, the practice of eliciting information from people to advance a criminal activity, often opens the door to a person becoming the victim of malicious cyber activity. One method of social engineering is phishing. Phishing is the practice of crafting emails to appear as if they have been sent from a legitimate organization or known individual. These emails often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user then may be asked to provide personal information, such as account usernames and passwords, that can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code.
The U.S. Department of Homeland Security (DHS), among others, has issued guidance to help consumers avoid falling victim to these tactics. The guidance includes being suspicious of unsolicited phone calls and emails, and not sharing personal information over email, or until after checking the security of a website by looking for the lockbox or addresses with an S after http, e.g., https://www.ballastrock.com/.
An additional best practice is to call an organization purportedly behind a communication to verify they are in fact the sender; the phone number should be one identified outside the suspicious communication. Criminal groups are very crafty and can register domain names and phone numbers that they then use in their phishing emails.
Reporting suspected phishing emails helps reduce a user’s risk of being targeted again, and helps others avoid becoming the victim of phishing. DHS has additional information on the reporting process here.
● If I think I’m being hacked/scammed what should I do first and who should I contact?
MEGAN: In part it depends on the information leading someone to think this is the case: if the credit card company calls or sends email, or in most cases uses all means of communication possible (email, text message, phone call), one of the primary parties has been advised. Financial institutions should also be advised of suspected criminal activity on an account. The account credentials (username and password) of the compromised account should be changed and the account closely monitored to ensure no further criminal activity occurs.
One tactic to prevent accounts being opened as a result of identity theft is to freeze one’s credit. The Federal Trade Commission has information on credit freezing here.
● Are losses in my bank/securities accounts due to cyber theft largely covered by my bank/credit card?
MEGAN: Credit card losses generally are, but it will depend on the fine print and the manner in which data or funds were compromised. It is an important question to ask of existing and future institutions offering accounts.
● Should I buy explicit cybersecurity insurance?
MEGAN: This also depends on a variety of factors including the individual or organization’s risk profile, which the insurance organization can assist in evaluating. But insurance is not a Band-Aid for poor hygiene. In fact, if organizations lack adequate security, they will find their premiums are higher. Some underwriters will offer cyber insurance to individuals, but it is always important to read the limits of coverage as some malicious activity may not be covered.
● What are some simple steps that I could take to reduce my cyber risk?
MEGAN: While GCA’s Cybersecurity Toolkit is labeled a toolkit for small business, the actions it guides users through are not unique to small businesses; they apply to individuals and large institutions as well. They include:
○ Use two factor or multi-factor authentication for accounts that involve sensitive actions, e.g., email, banking, bill-paying, social media
○ Don’t recycle passwords; use a password manager to develop and maintain complex passwords
○ Use a protective domain name service to prevent you from going to malicious websites
○ Use antivirus services
○ Keep devices up to date - regularly check for and install software updates when they are available
○ Regularly back up your data
○ Securely destroy information on a device before donating or recycling it
● What are periodic cyber security “health check-ups” that I should perform to make sure I’m covered?
○ Look to ensure your phone and computers are up to date
○ Check that passwords have not been compromised
○ Change passwords once an account has been compromised (someone other than the intended user has accessed it, which you might learn through the use of two-factor authentication)
● What are the most overlooked cyber security defense mechanisms or habits?
MEGAN: Two factor or multi-factor authentication requires a criminal to know not only your username and password, but also information sent to you at the time you’re trying to access an account, and when properly configured sent to you or generated for you by a means other than the device or app you’re trying to access. One recent Microsoft study found that MFA stopped 99% of account compromise attacks - where someone takes over an email or other communications account.
3. Cybersecurity Policy
● Many have now seen the work of the vigilante white-hat hacker “Jim Browning”. Do you know of any government efforts to attack/prosecute international hackers?
MEGAN: At the national level, the Department of Justice works with investigators at the FBI, Secret Service, state and local level, and internationally to investigate and prosecute cybercrime - crimes committed online or that involve the internet in effecting a criminal act. Indeed, I worked in both sections of DOJ that lead these efforts, which are not unique to the United States, but instead have been evolving internationally for decades. An existing multilateral instrument (aka Treaty), the Budapest Convention, governs how countries interact to facilitate the investigation of cyber-crimes.
● I believe you have a lot of policy experience in this field, what are some of the large national policy changes that you see coming in the field over the years to come?
MEGAN: In the financial sector, regulations exist that have established a baseline set of cybersecurity capabilities organizations must have. Breaches of personal data and large networks still occur, e.g., Equifax, but more often than not the headlines involve organizations outside this sector. It is the unregulated or lightly regulated sectors where attacks often happen or begin. Over the years calls have grown for minimum security requirements across all major economic sectors. These calls have been put down, quite rightly many would say, in favor of risk-informed approaches developed with the use of government-supported tools such as the Cybersecurity Framework. Rather than having the government establish a one-size-fits-all approach and requiring it by regulation, in the United States industry has championed the use of this Framework in its own risk management, including with suppliers and key partners.
At the individual and small business level, and even at the large enterprise level, it’s critical to ensure the basics are being used, and the core elements of the Framework can help with that: identify, defend, detect, respond, recover. These functions also form the central elements of GCA’s Toolkits.
So, although additional regulation establishing minimum security requirements for organizations has largely been avoided, there is a growing call for regulation of internet connected devices, also referred to as IoT or Internet of Things, discussed below.
● How might cyber security attacks change over the years to come?
MEGAN: As more devices connect to the internet, every company has to become a technology company. There’s currently a skills gap in individuals trained to appropriately build and protect devices and networks from vulnerabilities. Industry has responded to this imbalance with voluntary measures to better secure products but only time will tell if this approach adequately protects consumers or if regulations become the next step, which would also likely involve some form of liability and limitations thereto for conforming products.
● What policy change has the GCA championed/pioneered?
MEGAN: GCA champions the basics, like email hygiene. A capability exists, called DMARC, that reduces the risk of phishing and business email compromise. These are two leading attack methods that have led to financial losses in personal and corporate accounts, often via the diversion of payroll funds. DMARC is not a 100% solution to this risk, but together with other capabilities can significantly reduce it. Due in large part to GCA’s efforts, in late 2018 a government-wide directive required the use of this capability by all civilian U.S. government departments and agencies. The UK and the Netherlands have similar requirements.