Cyber Security

HIGHLIGHTS

'Cybersecurity Awareness Month' Offers Free Resources for Businesses

Whole Foods Discloses Data Breach

Twitter's Disclosure of Russian Activity Sparks Criticism From Lawmakers

Editor’s News Picks: Equifax Scammers Emerge, Post-Breach Payday, Ransomware Rises, Cisco Layoffs


Commentary & Analysis

‘Cybersecurity Awareness Month’ Offers Free Resources for Businesses

By Kate Fazzini

October is “National Cybersecurity Awareness Month” in the U.S.

It would probably be hard to argue that businesses are not already “aware” of many of their cyberrisks, of course. But rather than a single awareness-raising exercise, the month provides real, ample and free awareness materials, training sessions and other educational items that won’t create another line item on your cybersecurity budget.

“It’s really about reducing risk--educating employees can reduce the risk of a phishing campaign or a password issue that compromises your business. It doesn’t take an enormous budget to bring your risk profile down on this front,” said Robert Silvers, a partner in the cybersecurity practice at Paul Hastings LLP. Mr. Silvers formerly served as assistant secretary of homeland security for cyber policy with DHS, where he helped develop some of the materials.

DHS’s “Stop.Think.Connect.” campaign “toolkit” includes a planned timeline for rolling out a security awareness campaign, as well as sample blog posts, emails, newsletters, talking points and a plan for “sustained involvement” of employees in the campaign. The campaign also offers a variety of themed posters and mailers for small businesses to large businesses and a range of different industries.

The initiative, which began in 2004, is this year poised for more attention than ever amid ongoing headlines about suspected government hacking, ransomware crime sprees and other cyberattacks that have forced enterprises and individuals alike to take steps to protect themselves online.

Mr. Silvers said companies can take the free materials and, for an even more effective message, add some of their own: “You can make it even more vivid for people by showing them the real spoofed emails and phishing attempts that have been sent to the company. This can be a little bit of a wake-up call to the workforce, that some of these emails are very good and very detailed. I always find that specific examples are better.”

A number of universities, companies and government agencies also offer free help for businesses during October.

The University of Maryland’s University College is marking the month by sponsoring a series of free Facebook Live talks by cybersecurity experts. Valorie King, program chair of the university’s cybersecurity management and policy program, will discuss “What Managers and Leaders Need to Understand About Cybersecurity” on October 12. Cybersecurity Technology program chair Mansur Hasib will discuss the “Difference Between Security and Cybersecurity” on October 28.

SANS Security Awareness, a division of security training organization SANS Institute, has outlined a full month of free activities, posters, cybersecurity lunch-and-learn sessions and webinars aimed at businesses. Developed in conjunction with DHS and the National Cyber Security Alliance, the SANS line-up also includes a security awareness test, and a few advanced sessions including a “hacking challenge” which can teach participants some basic hacking skills.

Phishing defense company PhishMe Inc. uses the month as an opportunity to promote its free tools for small businesses, including “PhishMe Free,” which allows small businesses with up to 500 employees to launch up to 12 fake phishing attacks to their employees per year. When an employee “fails” the phishing simulation, he or she can be routed to a phishing training module, and the business can also see metrics of how many employees were susceptible to the simulated attack, and track progress over time. PhishMe also posted free phishing awareness infographics, office posters and presentations.

Mr. Silvers also recommends taking a more tailored approach to certain issues that are on the rise--notably, he says, business email compromise scams, which trick businesses into paying phony invoices or wiring money to criminals. “You can train your accounts payable team on this, and it’s at epidemic levels with emails that are very high quality and could fool anyone. You want to train your team that initiates wires as well for indicators of this type of fraud,” he said, pointing to the Federal Bureau of Investigation’s free educational materials on business email compromise.

The board and C-suite can also get involved, said Mr. Silvers. If they are not conducting “tabletop” exercises yet, this involvement can just start with a conversation: “Take any prominent headline attack to make it a little more tangible. This can prompt some good questions along the lines of ‘What about our company’?”

As for which prominent headline attacks, boards should find no shortage of recent examples.

(Kate Fazzini writes about cybersecurity for WSJ Pro. She has held roles in cybersecurity at Promontory Financial Group and JPMorgan Chase, and is an adjunct professor at the University of Maryland, teaching cybersecurity for business and government. Write to Kate at kate.fazzini@wsj.com.)


Whole Foods Discloses Data Breach

By Imani Moise

[Photo caption] Whole Foods said card-payment information of customers who drank and dined in its taprooms and full-service restaurants has been hacked. (Chris O'Meara/Associated Press)

In the latest data breach involving consumer data, Whole Foods Market said card-payment information of customers who drank and dined in its taprooms and full-service restaurants has been hacked.

The grocery-store chain, now part of Amazon.com Inc., said its restaurants and taprooms use a separate checkout system and that information of its grocery shoppers wasn’t affected. Amazon transactions were also not accessed in the breach, Whole Foods said in a statement on its website.

The company said it has hired a cybersecurity firm to help it investigate the hack and contacted law enforcement.

“While most Whole Foods Market stores do not have these taprooms and restaurants, Whole Foods Market encourages its customers to closely monitor their payment card statements and report any unauthorized charges to the issuing bank,” the company said.

A Whole Foods spokeswoman declined to comment beyond what it stated in the release.

The sit-down restaurants and wine bars are concentrated in the company’s urban locations.

Whole Foods’s announcement comes after fast-food chain Sonic Corp. said earlier this week its credit-card processor notified the company about a possible hack of customer-payment data.

Credit-reporting company Equifax Inc. is continuing to deal with the fallout from a data breach, announcing Sept. 7 that names, addresses, birthdays and Social Security numbers of potentially 143 million Americans had been accessed by hackers. Also earlier this month, Charter Communications Inc.’s Time Warner Cable acknowledged that personal records of millions of subscribers were left unprotected on a server.

All but two states have laws detailing how quickly companies must report data breaches, but the laws have been largely ineffective in getting companies to be forthcoming with information. Some U.S. lawmakers are pushing for federal regulation that would simplify the rules and require companies to report breaches within 30 days.

Write to Imani Moise at imani.moise@wsj.com

Twitter’s Disclosure of Russian Activity Sparks Criticism From Lawmakers

By Georgia Wells, Byron Tau and Robert McMillan

[Photo caption] Twitter said it suspended some of the 201 accounts it found were linked to Russian-backed Facebook pages. (Chris Ratcliffe/Bloomberg News)

Twitter Inc. on Thursday offered its first public information on Russian use of its platform during the U.S. presidential election, but its limited disclosure only fueled criticism from lawmakers who are pushing for greater transparency from internet companies over how their platforms are manipulated.

In presentations to congressional investigators and a post on its site, Twitter said it found 201 accounts on its service linked to Russian actors that Facebook Inc. recently identified as having run ads meant to sow political and social division. In addition, Twitter said the Russian-backed news site RT, which a U.S. intelligence report said aimed to meddle in the election, bought $274,100 of ads on Twitter last year. That compared with $152,000 that Facebook said Russian actors spent on its site.

But Twitter’s comments left unclear the extent of the problem, including how many accounts attempted to spread misinformation or violated Twitter’s rules, and how users interacted with those tweets.

Twitter in its statement identified only accounts that corresponded to the roughly 450 Russian-linked accounts that Facebook had identified as purchasing $150,000 in ads to provoke political tension.

Twitter said it found 22 accounts with corresponding Facebook accounts that Facebook said had Russian links, and another 179 with ties to those accounts. The company said it suspended some of those accounts for violating its rules. It also suspended bots that spread misleading information about voting, such as ones that said Americans could “text-to-vote.”

Mark Warner, a Virginia Democrat and the vice chairman of the Senate Intelligence Committee, said the meeting with Twitter was “deeply disappointing” and added the company had not done enough to examine the extent of Russian activity on its platform.

Mr. Warner, who has long pushed for a deeper examination of Russian activity in online communities, criticized Twitter for only analyzing accounts derivative of Facebook accounts. That showed “an enormous lack of understanding from the Twitter team of how serious this issue is, the threat it poses to the democratic institutions and again begs many more questions than they offer,” he said.

A Twitter spokeswoman declined to comment directly on Mr. Warner’s remarks.

Congressional leaders, probing how Russians sought to manipulate public opinion during the election on Twitter, Facebook and Alphabet Inc.’s Google, have called on the companies to disclose their findings in public and private meetings. Twitter met with the House and Senate Intelligence Committees behind closed doors Thursday for several hours for the first time on the topic of foreign interference. Both panels are conducting probes of Russian activity during the election. Russia has denied interfering in the election.

Twitter’s announcement is likely to further heighten tensions between technology companies and regulators for how their platforms are used to spread misinformation and affect the democratic process, in ways that the companies struggle to grasp.

“With hundreds of millions of Tweets globally every day, scaling these efforts continues to be a challenge,” Twitter said in a statement Thursday.

Facebook said earlier this month that it identified 5,200 Russian-backed ads. In July, the company said it had no evidence that Russian entities bought ads targeted at Americans on the platform during the election season.

“I don’t want anyone to use our tools to undermine democracy. That’s not what I stand for,” Facebook Chief Executive Mark Zuckerberg said in a statement last week.

Last week, Facebook said it was sharing more data with other tech companies related to attempts to interfere with elections. “It’s almost certain that any actor trying to misuse Facebook will also be trying to abuse other internet platforms too,” Mr. Zuckerberg said in his statement.

Congressional investigators said Twitter appeared to be having more difficulty in tracking activity on its platform, given that it allows users anonymity and pseudonymity—unlike Facebook, which has a policy requiring that users operate under their legal names. People close to Twitter say the company is months behind Facebook in determining the scope of nefarious bot activity on its social network.

“I think there are challenges for Twitter in its forensic investigation because Twitter users don’t provide the same background information that Facebook users do,” said Rep. Adam Schiff (D., Calif.), the top Democrat on the House Intelligence Committee. “And at the same time, I don’t think we have more than scratched the surface in our understanding of how the Russians may have used that platform.”

The manipulation of Twitter by bots, automated accounts that can be programmed to pump up chosen topics, is widespread, researchers say.

Emilio Ferrara, an assistant research professor in computer science at the University of Southern California, said that bots on Twitter were an important part of the election discussion. “Twenty percent of the tweets that people saw during the one month leading up to the election—those were generated by bots,” he said.

Twitter said in its statement the company estimates that false or spam accounts represent less than 5% of its monthly users.

Following Facebook’s lead last week, Twitter pledged to review its political advertising disclosure policy. Social-media companies aren’t held to the same standards of public disclosure of political ads as other media platforms, such as television and radio.

In addition, Twitter said it plans to toughen its approach to spam and suspicious activity.

“We will continue to strengthen Twitter against attempted manipulation, including malicious automated accounts and spam,” Twitter said.

Write to Georgia Wells at Georgia.Wells@wsj.com, Byron Tau at byron.tau@wsj.com and Robert McMillan at Robert.Mcmillan@wsj.com


Editor's News Picks

Equifax Scammers Emerge: The number of email scams promising to provide “secure” messaging between recipients and firms like Bank of America, TD Bank and others has surged since the Equifax breach, according to new research obtained by the Washington Post. The messages aren’t an indication that those banks have been breached, though the number of attempts could correlate with the near-universal knowledge about the Equifax incident. For scammers, financial uncertainty represents an opportunity.

Post-Breach Payday: Richard Smith, the outgoing chief executive of Equifax, will depart the credit monitoring company with a paycheck worth roughly $90 million, according to Fortune magazine. Mr. Smith was at the helm of the company when a data breach compromised information on 143 million U.S. citizens. While Mr. Smith forfeited his 2017 bonus and retirement package under the separation agreement, he’s still due a substantial salary and unvested stock options.

Ransomware Rises: “Ransomware has eclipsed most other cyberthreats with global campaigns indiscriminately affecting victims across multiple industries in both the public and private sectors.” So states Europol’s 2017 Internet Organized Crime Threat Assessment, which provides guidance on how law enforcement, international governments and users should respond to hacking incidents. That will be no surprise to the countless victims infected by the WannaCry and Petya viruses this year, but there is some positive news in the Europol report, as well: Global police agencies have begun to arrest more suspected cybercriminals behind many of the most common attacks.

Cisco Layoffs: Businesses struggling to identify and recruit qualified security staffers might benefit from a round of scheduled layoffs at Cisco. The technology giant confirmed to CRN.com that it intends to let 310 employees go as part of a larger restructuring plan the company is going through to prepare for the cloud. The majority of cuts will be in software, engineering and other technical positions.