FORMER WHITE HOUSE CIO THERESA PAYTON: ‘THERE ARE GRAVE CONCERNS ABOUT ELECTION INTERFERENCE’

Theresa Payton, CEO of Fortalice Solutions, is one of the most influential experts on cybersecurity and IT strategy in the United States. She is an authority on Internet security, data breaches and fraud mitigation.

She served as the first female chief information officer at the White House, overseeing IT operations for President George W. Bush and his staff.

With the U.S. midterm elections fast approaching, both Payton’s observations about the current cybersecurity threat level and her advice about shoring up the nation’s defenses carry special weight.

In this exclusive interview, she also shares her views on social networking, privacy, and the changing playing field for women who aspire to leadership roles in technology.

TechNewsWorld: What is the chief cyberthreat to the upcoming midterm elections?

Theresa Payton: My biggest worry and concern is that citizens will not trust election results and that the election process will lose legitimacy. We know that the Department of Homeland Security, working with state election officials, has raced against the clock to secure voting systems. Our U.S. intelligence agencies have repeatedly been on the record stating there is no evidence that cybercriminals modified or deleted any votes in 2016.

The next area of concern is for the communications, contacts, and digital campaigns of candidates being broken into and doxed. While the news focuses on securing the votes and the voter databases of the midterm elections, there is not a lot of attention on whether or not campaigns take threats targeting their campaigns seriously. Nothing would hit closer to home for a candidate than if their election was hacked and they lost — or won.

“Cyber” is certainly a buzzword, but it’s not a word without meaning. With the onslaught of breaches, candidates should be laser-focused on cybersecurity.

TNW: What should federal officials do to shore up election security? What should state and local governments do? Where does the buck stop?

Payton: It’s crucial that elected officials on the left and right not politicize an issue in the short term that will have grave long-term consequences for national security.

Defensively, we need to harden our election infrastructure at the local level. This is the responsibility of the Department of Homeland Security.

DHS needs to continue to work at the local level with state election officials, but also to provide much more robust cybersecurity capabilities for protection and detection at the campaign level.

We also need to be sure that the intelligence and homeland security community is effectively sharing information and tools, techniques and tactics.

TNW: How serious are concerns that election interference might be caused by tampering with back-end election systems? What can federal agencies do to address the problems of outdated voting equipment, inadequate election-verification procedures, and other potential vulnerabilities? Is there an argument to be made for some level of mandatory federal oversight of state and local voter systems?

Payton: There are grave concerns about election interference and the race to secure them, globally, is under way. The idea that voter databases could be seeded with falsified data or modified has been around for decades, but the technical know-how and motive has caught up with that idea. Election officials in a race towards automation and efficiency may have helped criminals along, but it’s not too late if we act now.

Today, there are entire countries totally relying on electronic voting: Brazil, since 2000, has employed electronic voting machines, and in 2010 had 135 million electronic voters. India had 380 million electronic voters for its Parliament election in 2004.

It is easy to see why electronic voting is the wave of the future and how the United States could model its own voting system after these countries. It’s faster, cheaper and more accessible for those with disabilities. Also, would you miss the experience of, or the reporting of, the every-election-day headline of “Long Lines at the Polls Today”? Probably not. That is certainly less painful than a recount though.

We are headed towards electronic voting as the sole system we use despite these facts:

  • “The U.S. intelligence community developed substantial evidence that state websites or voter registration systems in seven states were compromised by Russian-backed covert operatives prior to the 2016 election — but never told the states involved, according to multiple U.S. officials,” NBC News reported earlier this year.
  • Russia hacked the Democratic National Committee’s emails with the intention to “interfere with the U.S. election process,” according to the director of national intelligence, James R. Clapper Jr., and the Department of Homeland Security.
  • As far as we know, despite the scans and alarm bells, no outside entity has changed any records in the registration database.
  • Scams such as “text your vote” were more prevalent than ever, and will increase as electronic voting becomes more widespread.

The good news is our government took this very seriously. Prior to the midterm elections, the Department of Homeland Security offered state election officials “cyber hygiene scans” to remotely search for vulnerabilities in election systems. They also conducted threat briefings and onsite reviews, as well as released a memo of “best practices” — guidance on how best to secure their voter databases.

Some have called for more federal oversight and moving towards a more restrictive security model, but the states own the voting process. Providing year-round briefings from DHS, FBI, CIA, and NSA would prove to be very helpful over time.

Also, we have to remember elections are decentralized. Sometimes there is security in obscurity. Each state in our country, plus the District of Columbia, runs its own election operations, including voter databases. A hostile nation state could not feasibly wipe out each system with one wave of their magic wand.

How we vote, though, is just one way our elections could be compromised. Another concern going forward must be disruption of Internet traffic, as we saw occur just days before the last presidential election cycle on Oct. 21st, 2016, when the Mirai botnet crippled part of the Internet for hours.

A massive Distributed Denial of Service (DDoS) attack hit a host server causing major disruptions to some of the most highly visited websites in the United States. The attack was in two waves, first on the East Coast and then on the West Coast.

As our country votes on Election Day in different time zones, and polling stations close at different times, the similarity is chilling.

However, we need everyone to turn out to vote. The focus on bolstering our election security defenses is reassuring. What we know is the warning signs are there. As we move towards the future, and focus on creating and protecting a new system to collect our votes, we need to protect the one we already have.

Two things you can be sure of after this year’s election: Eventually, every vote you cast in a United States election will be electronic, and one of those elections will be hacked. No doubt about it. But the recount in 2016 in Wisconsin reminds us all why we need a backup.

TNW: What are some ways candidates and campaigns can shore up their cybersecurity without draining their war chests? What are some of the practices they should implement in the very early days? A campaign that’s very secure ultimately might lose due to lack of visibility. How can campaigns strike the right balance?

Payton: Never before have campaigns collected so much essential information that would be lucrative to so many cybercriminals. Credit card numbers, bank account information, addresses, online identities. The assets go on and on, and cybercriminals are just like bank robbers in the old days: They follow the money.

That is why in today’s day and age, if you are on a campaign, whether it be state, national or local, you need to be as vigilant about protecting data as any business. Otherwise, you will lose your customers — also known as constituents and voters.

Anyone on a tight budget can follow these guidelines to protect their campaign assets:

  1. Make it as hard as possible on cybercriminals by separating donor information details onto a completely separate domain name with separate user IDs and passwords from the campaign. For example, your campaign domain might be VoteSallySue.com, but donor details would be stored at MustProtectDetails.com.
  2. Using that same practice, run all of your internal communications on a domain name that’s not the campaign name — i.e., email addresses should not be [email protected] but rather [email protected]. Increase the level of protection for internal messages by using encrypted messaging platforms for internal communications, such as Signal or Threema.
  3. Also, be sure to encrypt all of your campaign’s donor data. We have yet to hear a report of a campaign’s donor data being hacked and used for identity theft, but we will — of that I am sure. It would be too lucrative not to try. Once it is hacked, it will be hard to restore confidence in your operation. Just ask any major retailer, bank or organization who has recently been hacked, and they will tell you. I don’t even need to use their names, you know the headlines.
  4. Train technology and campaign staff to spot spearphishing emails and scams. Oh, sure, you think everyone knows not to “click on that link,” but recent studies illustrate doing just that is the No. 1 cause of breaches among employees.
  5. Another safeguard that raises the bar in terms of security is implementing two-factor authentication wherever feasible. When you use a platform that employs two-factor authentication, don’t you feel safer? Possibly annoyed, as well, but certainly reassured that the extra step has been taken to secure your data. Don’t you want the electorate to feel the same way?
  6. Finally, post a privacy policy that’s easy to read, easy to find, and you’ll find voters have more confidence in just your agenda.

TNW: How well — or poorly — have Facebook, Twitter, Google and other tech companies addressed the problems that surfaced in 2016?

Payton: I was encouraged to hear that with less than three weeks to go for the U.S. mid-terms, Facebook has stood up a war room to combat social media community manipulation as the world heads into elections this fall and winter.

They have also said they have war-gamed a number of scenarios to ensure their team is better prepared for elections around the globe. Much is at stake, so the fact that Facebook also integrated the apps they have acquired — such as WhatsApp and Instagram — into the mix of the war room is a great idea.

If I were to give them advice, I would suggest that another great step to take would be to create a way to physically embed representatives from law enforcement, other social media companies — including Twitter, Linkedin and Google — and to allow election officials around the globe to have a “red phone” access to the war room.

TNW: What are some of the most pressing cybersecurity problems facing social networks, apart from their use as political tools?

Payton: The ability to change their business and moderator models, in real time, to morph quickly to shut down fake personas, fake ads, and fake messaging promoting political espionage, even if it means higher expenses and loss of revenue. Social media companies have made a lot of progress since the 2016 presidential elections and claims of global-wide election meddling, but the criminals have changed tactics and it’s harder to spot them.

On the heels of the August 2018 news that Microsoft seized six domains that Russian Internet trolls planned to use for political espionage phishing attacks around the same time that Facebook deactivated 652 fake accounts and pages tied to misinformation campaigns, Alex Stamos, the former Facebook security chief, posted an essay in Lawfare, and stated that it was “too late to protect the 2018 elections.”

TNW: What role should the government play in protecting citizens’ privacy online?

Payton: As the Internet evolves, laws and regulations must change more rapidly to reflect societal issues and problems created by new types of behavior taking place online. Never before has the world had access to statements, pictures, video and criticism by millions of individuals who are not public figures.

The Internet provides us with places to document our lives, thoughts and preferences online, and then holds that material for an indefinite period of time — long after we might have outgrown our own postings.

It also provides places where we can criticize our bosses, local building contractors, or polluters.

This digital diary of our lives leaves tattered pages of our past that we may forget about because we cannot see them, but they could be collected, collated, and used to judge us or discriminate against us without due process. The government needs to think ahead and determine which laws need to be enacted to protect our right to opt in and out of privacy features and to own our digital lives and footprints.

TNW: What is your opinion of Europe’s “right to be forgotten” law? Do you think a similar law would make sense in the United States?

Payton: The European Union’s “right to be forgotten” sets an interesting precedent, not just for its member countries but for citizens around the world. It is too early to know what the long-term impacts of the EU’s decision to enforce a “right to be forgotten” with technology companies will be. However, it’s a safe bet the law will evolve and not disappear.

There are concerns that giving individuals or organizations more control of their Internet identity, under a “right to be forgotten” clause, could lead to [censorship] of the Internet. Free-speech advocates around the globe are concerned that the lack of court precedent and the gray areas of the EU law could lead to pressure for all tech companies to remove results across the globe, delinking news stories and other information upon an individual’s request.

A quick history lesson of how this law came about: A Spanish citizen filed a complaint with Spain’s Data Protection Agency and indicated that Google Spain and Google Inc. had violated his privacy rights by posting an auction notice that his home was repossessed. The matter was resolved years earlier but since “delete is never really delete” and “the Internet never forgets,” the personal data about his financial matters haunted his reputation online.

He requested that Google Spain and Google Inc. be required to remove the old news so it would not show up in search engine results. The Spanish court system reviewed the case and referred it to the European Union’s Court of Justice.

Here is an excerpt of what the May 2014 ruling of the EU Court said:

“On the ‘Right to be Forgotten’: Individuals have the right — under certain conditions — to ask search engines to remove links with personal information about them. This applies where the information is inaccurate, inadequate, irrelevant or excessive for the purposes of the data processing… . A case-by-case assessment is needed considering the type of information in question, its sensitivity for the individual’s private life and the interest of the public in having access to that information. The role the person requesting the deletion plays in public life might also be relevant.”

In the U.S., implementing a federal law might be tempting, but the challenge is that the ability to comply with the law will be complex and expensive. This could mean that the next startup will be crushed under compliance and therefore innovation and startups will die before they can get launched.

However, we do need a central place of advocacy and a form of a consumer privacy bill of rights. We have remedies to address issues but it’s a complex web of laws that apply to the Internet. Technology changes society faster than the law can react, so U.S. laws relating to the Internet will always lag behind.

We have a Better Business Bureau to help us with bad business experiences. We have the FTC and FCC to assist us with commerce and communications. Individuals need an advocacy group to appeal to, and for assistance in navigating online defamation, reputational risk, and an opportunity to scrub their online persona.

TNW: What is your attitude toward social networking? What’s your advice to others regarding the trustworthiness of social networks?

Payton: Social networking can offer us amazing ways to stay in touch with colleagues, friends and loved ones. It’s a personal decision as to how involved you are online, how many platforms you interact with, and how much of your life that you digitally record or transact online.

If you want to be on social media but don’t want to broadcast everything about you, I tell my clients to turn off location tracking — or geolocation tools — in social media. That way you aren’t “checking in” places. Cybercriminals use these check-ins to develop your pattern of life and to track your circle of trust. If a cybercriminal has these two patterns, it makes it easier for them to hack your accounts.

Register for an online service that will give you a phone number, such as Google Voice or Talkatone. Provide that number on social media and forward it to your real cellphone. Avoid personality surveys and other surveys — they are often very fun to do, but the information posted often gives digital clues to what you may use for your password.

Always turn on two-factor authentication for your accounts, and tie your social media accounts to an email address dedicated to social media. Turn on alerts to notify you if there is a login that is outside your normal login patterns.

The amount of personal information you choose to share is up to you — and everyone has to find that limit of what is too much — but at the very least, never give out personally identifiable information like your address, DOB, financial information, etc.

TNW: As the first woman to serve in the role of CIO at the White House, under President George W. Bush, how did you feel about becoming an instant role model for girls and young women interested in tech careers?

Payton: It’s an honor to think about the opportunity to give back and to help along anyone that wants to pursue this career path, especially young women. Candidly, we need everyone to fight the good fight. My heart breaks when I see computer and engineering classes with very few women in them.

We did not reach out to the women early enough, and when I talk to young women in high school and college about considering cybersecurity as a career, many of them tell me that since they have had no prior exposure they are worried about failing, and that it’s “too late now to experiment.” To which I tell them that it’s always a great time to experiment and learn new things!

Prior to taking on the role at the White House, I had been very active in women in technology groups and was passionately recruiting young women to consider technology careers. At the time I was offered the role and accepted, I candidly didn’t have an immediate aha moment about being a role model for women because of that specific job. I was most focused on making sure the mission was a success. I see it now and it’s an honor to be able to be a role model and I strive to live up to that expectation.

The cybersecurity industry can do more to help women understand the crucial role that cybersecurity professionals play that make a difference in our everyday lives. Unfortunately, hackers, both ethical and unethical, are often depicted as men wearing hoodies over their faces, making it difficult for women to picture themselves in that role as a realistic career choice, because they don’t think they have anything in common with hackers.

Studies show that women want to work in professions that help people — where they are making a difference. When you stop a hacker from stealing someone’s identity, you’ve made a difference in someone’s life or business. At the end of the day, the victims of hackers are people, and women can make a tremendous difference in this field. This is something the industry as a whole needs to do a better job of showing women.

TNW: You’re now the CEO of a company in the private sector. Can you tell us a little about what Fortalice Solutions does, its mission, and your priorities in guiding it?

Payton: Fortalice Solutions is a team of cybercrime fighters. We hunt bad people from behind a keyboard to protect what matters most to nations, business and people. We combine the sharpest minds in cybersecurity with active intelligence operations to secure everything from government and corporate data and intellectual property, to individuals’ privacy and security.

At Fortalice, our strengths lie in studying the adversary and outmaneuvering them with our human-first, technology-second approaches.

TNW: How have attitudes toward women in powerful positions changed — for better or worse — in recent years?

Payton: Although thankfully this is beginning to change, I am typically the only woman in the room — and that was common in banking as well as technology. I had to learn how to stand up for myself and ensure my voice was heard. I’ve had more than my fair share of times when my technical acumen has been discounted because I’m female.

I’ve learned that grace and tact go a long way, and I’m very, very proud to say that my company is nearly dead-equal male/female. We even started an organization called “Help A Sister Up” — you can find us on LinkedIn — that’s dedicated to advancing women in technology and serving as a rallying point for them and their male advocates. We post job openings, interesting articles, avenues for discussion. Please join us!

TNW: What’s your advice to girls and women entering technological fields about whether to seek employment in the private or the public sector? What are some of the pros and cons, particularly from the standpoint of gender equality?

Payton: An April 2013 survey of Women in Technology found that 45 percent of respondents noted a “lack of female role models or [the encouragement to pursue a degree in a technology-related field].”

It’s been proven that professional mentorship and development dramatically increase participation in any given field, so the lack of women in cybersecurity is really a compounding problem — we don’t have enough women in cyber because there aren’t enough women role models in cyber.

While connecting with other women has had its challenges, there are wonderful women in cyber today. Look at Linda Hudson — currently the chairman and CEO of The Cardea Group and former president and CEO of BAE Systems Inc. — shattering the glass ceiling for women behind her. Also, up-and-comer Keren Elazari, a global speaker on cybersecurity and ethical hacker out of Israel.

I’ve been very lucky to work with wonderful, inspiring women in cyber, but I recognize that my exposure might be more than women starting their career. This brings me to my next point: I recommend all cyber practitioners, and especially women, take advantage of all the amazing free tools out there from RSA, TED talks, and even YouTube.

You can watch speeches from veteran cybersecurity professionals about their careers, hear their advice on how to succeed, and learn new skills to keep you competitive in the workplace. Consider free online courses in cybersecurity or popular programming languages like Python. Ask your colleagues to show you their favorite geek gadget or ethical hack.

There are some excellent security frameworks and guidance available for free online, such as the NIST framework, CIS Critical Security Controls, SSAE 16, and discussions on GDPR. Leverage social media to hear what’s on the minds of security experts. You must be a constant student of your profession in this field.

The Ultimate Beginners Guide to GDPR Compliance in 2019

What is GDPR?

By now you’ve probably all heard the term GDPR. Up until 25th May 2018 the guidelines surrounding personal information, in relation to privacy, were a bit wishy-washy. The Data Protection Directive (1995) did provide some basic guidelines but it simply wasn’t good enough.

We’ve always taken a keen interest in GDPR, as many VPNs have had to make serious changes to the way they operate, including some of the major players like Avast and NordVPN.

The monitoring and sharing of information is now covered under the General Data Protection Regulation (GDPR). This aims to ensure that information is handled responsibly, by any company that deals with personal information and privacy.

According to the ICO, GDPR sets out seven key principles. These are:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

The principles outlined aren’t rules as such, but rather an outline of the fundamentals that should be followed when building good data protection practice. If individuals or companies fail to comply with the principles, they could be fined up to €20 million, or 4% of their total worldwide annual turnover (whichever is higher).

What was before GDPR?

GDPR applies throughout Europe, with each country retaining its own degree of control over certain aspects of the regulation. The U.K. has implemented the Data Protection Act (2018), which replaces the 1998 Data Protection Act.

The new act was passed through the House of Commons and House of Lords shortly before GDPR came into force.

Impact on businesses

Whether you’re an individual, organisation or company, you may be classed as a ‘controller’ or ‘processor’ of personal data. The Information Commissioner’s Office (ICO) outlines exactly what the difference is between controllers and processors.

Businesses who monitor or obtain personal information on a large scale should employ a Data Protection Officer (DPO). The officer’s role should ensure that the company in question complies with GDPR. Any questions or queries regarding data protection should be directed to them.

GDPR applies to businesses that process personal data of EU citizens. This is the case even for businesses with fewer than 250 employees. Any breach which could impact the rights of data subjects should be reported to the Information Commissioner’s Office (ICO).

If possible, a breach should be logged and reported within a 24-hour period, or 72 hours at the most. Details of the breach and how it is going to be contained and resolved must be outlined to the ICO.

GDPR will give individuals control on how businesses use their data. This also applies to businesses that already have your data. For example, individuals will have the ‘right to be forgotten’. So, if you’re a customer and no longer want a business to hold your personal data, you have a legal right to retract your data.

Helpful checklist for small businesses

GDPR is undoubtedly confusing, and understandably quite stressful! I thought it would be pertinent to put together a checklist for UK small businesses so you know what to expect, and what’s expected of you.

Your small business GDPR checklist should consider past and present employees, suppliers, and customers. It should also consider anyone’s data that you’re processing, collecting, storing, or recording, and using by any means.

1| Understand your data

You will need to understand and demonstrate your understanding of the types of personal data you and/or your business holds. For example, names, addresses, IP addresses, bank details, etc. This also includes sensitive data like religious views and health details. You’ll need to demonstrate that you understand where they come from and how you will be using such data.

2| Think about consent

Does your business require consent to process personal data? Some marketing techniques require consent, which makes things much more difficult under GDPR. Consent must be extremely clear and specific, so unless you 100% know what you’re doing it may be worth avoiding the need to rely on consent unless it’s crucial to your business model.

3| Consider security measures

Your security measures and policies that are in place must be updated to be GDPR compliant. What’s more, if you don’t have any in place already, you should get them pretty quickly! Although there are more specific demands regarding security, as a broad precaution, you could use encryption.

4| Subject access rights

Individuals have the right to access their personal data. You’ll need to ensure that your business is ready to provide this information within a short timeframe if necessary. Individuals may wish to obtain their personal data in order to rectify any issues, simply to have it, or they may wish to erase it altogether. All requests carry a timeframe of one month.

5| Train employees

Employees within your business should be trained in handling personal data. They will need to understand what constitutes personal data, as well as the processes for identifying any data breaches. Employees should be aware of who your Data Protection Officer (DPO) is, and of any team or individuals responsible for data protection compliance.

6| Supply chain

All suppliers and contractors within your business need to be GDPR compliant. This is to ensure that they are not going to cause any breaches and pass any penalties or fines onto you. You will need to make sure that your contracts with your suppliers are updated too, so make sure you obtain a copy of this.

7| Fair processing

As part of GDPR, you must now be able to explain to individuals what you’re using their personal data for. This shouldn’t be a difficult task or one to worry about if you’re using their data fairly and correctly.

8| Data Protection Officer

It’s time to decide whether you need to employ a DPO or not. Small businesses are likely to be exempt, but larger businesses may not. It’s worth checking out to make sure you’re not in breach of any GDPR rules.

Defining consent

As an individual, you may be familiar with pre-ticked boxes when signing up for online accounts, purchasing products, registering for newsletters etc. These boxes were often pre-ticked and somewhat hidden, giving companies access to your personal data. Now, gone are the days of being bombarded by unwanted marketing emails and random phone calls.

Consent has been redefined under the new GDPR rules. Gone are the days of small print and hidden messages where individuals ‘accidentally’ or involuntarily sign up to marketing emails, texts, etc. Policies must be made abundantly clear now and be presented in such a manner.

Rules around pre-existing personal data are a little different. You may not require consent for this, but there must be a legal basis that’s compliant with the Data Protection Act (DPA). The main thing here is to remember that these legislations apply to businesses and consumers!

GDPR statistics 2018

  • Around 59% of UK businesses know the implications that GDPR will have on them.
  • On average, 73% felt that they were prepared when it came to documents and print management.
  • Only 6% of UK businesses made GDPR a priority. This is compared to 30% in France.
  • CNIL (French data protection regulator) reported a 50% increase in the number of complaints since GDPR came into force on 25th May.

Right of Access

Right of access (or subject access) allows an individual the right to obtain their own personal data. Right of access gives individuals the ability to understand how their data is being used and why their data is being used in such a way. This ensures that their data is being used in a lawful manner.

Individuals have the right to obtain certain information from companies, which includes:

  • a copy of an individual’s personal data
  • confirmation that an individual’s personal data is being processed
  • supplementary information (mainly corresponds to information provided in a privacy notice)

An individual is entitled to their own personal data, but not to information about other people. Where a record is about the requester and someone else at the same time, the controller has to weigh the requester’s right against the other person’s: it can disclose the mixed record if the third party consents or if it is reasonable to do so without consent, and otherwise it should redact the third party’s details rather than refuse the whole request.

As an individual, it’s worth checking first that the information you’re requesting is actually defined as personal data, so the request isn’t refused on that ground.

Am I a Data Controller or Data Processor?

GDPR applies to data controllers and data processors, but what does this actually mean? ‘Processing’ covers any operation performed on personal data: collecting, recording, storing, sharing, deleting and so on. A data processor is an organisation that carries out such operations on someone else’s behalf, while a data controller is the one that decides why and how the data is processed. A controller usually handles data itself as well, but in GDPR terms it is the decision about the purpose and means of processing that makes it a controller.

Data Processors

As a data processor, GDPR imposes legal obligations on you:

  • Process personal data only on the documented instructions of the controller, under a written contract.
  • Keep and maintain an up-to-date record of processing activities. This includes the details of the processing and the data subject categories. Categories refer to customers, employees, suppliers and the like, and the types of processing: transferring, receiving, disclosing etc.
  • Keep and maintain details of transfers to countries outside the European Economic Area (EEA), and of the safeguards relied on for them.
  • Implement and maintain appropriate security measures, e.g. encryption, and notify the controller without undue delay when you become aware of a breach.

If a data processor is responsible for a data breach, it now carries far more legal liability than under the old DPA, which placed no direct statutory obligations on processors at all. Individuals can make a claim for compensation directly against the data processor, so it’s imperative that you understand your responsibilities as one.

Data Controllers

As a data controller you process data too, so the record-keeping and security requirements above apply to you as well. On top of that, GDPR places the obligation on you and your business to choose processors that can meet its standards and to ensure that your contracts with them contain the required terms, so a processor’s shortcomings are your compliance problem as well as theirs.


Bezos Selfie Controversy Triggers Alarm For Billionaires Worldwide


Even the world’s richest person couldn’t stop a nude selfie leak.

When Jeff Bezos alleged in a blog post Thursday that he was the victim of blackmail attempts by the publisher of the National Enquirer, he underscored risks particular to billionaires in the digital age.

“The perception among very affluent people is often ‘I have this level of wealth, I’m untouchable,’” said Mark Johnson, chief executive officer of Sovereign Intelligence, a McLean, Virginia-based risk analytics firm. “But the systems they have in place for protecting their personal identifiable information are very weak.”

Ask any family office about its biggest fears and cybersecurity is near the top. Personal protection no longer involves just bodyguards and a top-notch alarm system. The internet age has seen a massive shift in people storing their most sensitive and personal data online, where it’s vulnerable to hacking and intrusion.

‘Absolute Disconnect’

Ultra-wealthy individuals are particularly susceptible because so much of their data is often centralized through family offices, which typically lack the robust firewalls and encryption capabilities of banks and large corporations.

Johnson, a former case officer with the Naval Criminal Investigative Service, said he’s worked with clients with more than $40 billion in assets who had a “Secret Service-type physical security — probably even better — and yet there was an absolute disconnect between that physical security and the digital protection.”

It’s unclear how the tabloid obtained Bezos’s texts. The Amazon.com Inc. founder, who has a net worth of $133.9 billion, said in his blog post that he’d authorized security chief Gavin de Becker “to proceed with whatever budget he needed” to get to the bottom of the leak.

Security experts say potential entry points for a digital invasion are numerous.

‘Legacy Risks’

“We all have devices we carry and they each have their own point of vulnerability,” said Kris Coleman, founder of intelligence-services firm Red Five Security.

Banking information, identity data, even health information and travel schedules can expose someone to a breach. Those in billionaires’ inner circles pose a particular risk because of the information they have access to and could share, either maliciously or inadvertently.

“Private, affluent families need to consider themselves targets that are on par with nation states,” Coleman said.

Coleman and Johnson are both members of RANE, a network of risk-management professionals from banks, law firms, family offices and corporations.

The wealthy aren’t just at risk of losing money through hacks. Their brands, reputations — or, in family office parlance, “legacy” — also can be damaged. On Tuesday, news website Splinter published a trove of racist emails sent and received by TD Ameritrade Holding Corp. founder Joe Ricketts that included anti-Muslim slurs and conspiracy theories. Ricketts, whose family owns the Chicago Cubs, issued a statement on his personal website, apologizing for remarks “that don’t reflect my value system.”

Protecting Zuckerberg

Providing security services to the growing ranks of the super-rich is an expanding field. Federal agents and military personnel, including former Navy SEALs, Secret Service and Mossad agents, SWAT team operators and Scotland Yard detectives, have found second careers protecting billionaires, where they can earn double what they did working for the government.

Facebook Inc. spent $7.3 million in 2017 on personal security for CEO Mark Zuckerberg, an expense the company defended as necessary considering his “position and importance.” Last year, the firm said it would give him an additional $10 million annually to beef up his security. Its executive protection program is run by an ex-Secret Service agent, according to her LinkedIn profile.

Amazon spent $1.6 million last year on security for Bezos, according to regulatory filings. His Bezos Family Foundation also has taken physical precautions. For example, the foundation’s mailing address is a post office box in a nondescript strip mall in the Seattle area.

De Becker, a best-selling author, made his name as a security consultant to Hollywood celebrities and co-created MOSAIC, an assessment tool that was originally used to analyze threats against Supreme Court justices and members of Congress. He describes himself on the firm’s website as “the nation’s leading expert on the protection of public figures.”

Red Five’s Coleman didn’t express shock that Bezos’s racy text messages were vulnerable.

“My message to affluent families: don’t assume you’re OK,” Coleman said. “Because most of them aren’t.”


Keep an eye out around the house with the Netgear Arlo 6-camera security system on sale for one day only


This is the largest Arlo camera package and includes all you need to get set up.

Home security is super important, and something you should take seriously. Arlo’s security cameras are a very popular option, and right now you can pick up a 6-pack for just $359.99 at Woot, which is 28% less than the list price and beats the next best price of $405 at Amazon right now.

These cameras can be used both indoors and outdoors, which makes them extremely versatile. The kit is the original Arlo series, not the Pro, but it has been updated to work with Amazon’s Alexa. The base station it comes with allows you to add more cameras, including more advanced versions like the Arlo Pro 2 if you want. The Arlo camera is 100% wire-free and has a fast-charging battery. It has two-way audio thanks to a built-in mic and speaker. You can also use Arlo Smart to add features like customized alerts, zone detection, and the ability to contact emergency services right away.

Unlike many Woot deals, this is for a brand new product and includes a one-year warranty with the purchase. Shipping is free for Amazon Prime members.
