It’s time to take hacking personally, John Sileo says.
Whether you’re a victim because Equifax lost your entire credit profile, or because Russians hacked your data from Facebook, the way to start securing your life and your business against cybercrime is to take it personally.
Sileo knows this from bitter experience.
Sixteen years ago Rosemary, a woman in Florida, bought a house in his name and drained his family’s accounts. She then defaulted on the mortgage and declared bankruptcy — also in his name.
Sileo, who had just bought his own home in Denver and settled in with his wife and daughters, was blissfully unaware a stranger had stolen his identity until it was much too late.
“I found out when I walked into my bank on Broadway one morning. Not only had our life savings vanished, but I was physically escorted out of that bank by security for crimes Rosemary had committed in my name,” he recalled.
“Rosemary owned me. She banked as me, she bought as me and she stole as me. In that moment, standing there embarrassed in the bank … I started to take all of this a little bit more personally.
“But here was my mistake: I never took what I learned personally and applied it professionally.”
One hellish year later, right when Sileo believed the FBI had made a breakthrough in his tangled case, a special agent appeared at his door with a subpoena — and the news that Sileo was facing up to a decade in prison for electronically embezzling $298,000 out of his software customers’ accounts.
But it wasn’t the woman in Florida who’d put Sileo on the hook as a felon. This time, it was his best friend.
“It was Doug. A man I loved like a brother stole and used my banking login credentials to embezzle from our software clients,” Sileo said, “and used my identity to cover his cyber crimes. Doug manipulated my trust to fund some really sick habits — and then he cut the rope, letting me take the fall.”
Doug’s crimes cost Sileo his $2 million software company, the family business he’d taken over from his parents, and three years of his life as he fought to stay out of prison and clear his name.
“I’m not sure I can express the anger that I felt,” he said, “having lost so much money, so much time, and to be betrayed like that by a best friend.”
Sileo spoke at the 2018 Cyber Symposium, flanked by towering screens lit with “Hope for the Future,” the symposium’s theme. Listening to his story unravel, along with his life, it’s difficult at first to see where hope comes in.
But Sileo, now the CEO of data security think tank The Sileo Group, says there is hope — and it lies in helping people to see cybercrime as personal, not abstract. Hope lies in helping people to understand that cyber defenses are about protecting real things that are precious to real people. Hope lies in teaching everyone to have an emotional response to hacking as they would to burglary or theft, and to avoid it just as diligently.
“I share my story in detail because I have learned from experience what brain scientists in this topic learn over and over again through research: That knowledge alone, our awareness of these threats alone, does not create enough change. But our emotions do — our personal connection to how this is relevant and relates to our lives,” Sileo said.
People will change their behavior “when they start to understand that ultimately it is their fireflies that we are all protecting,” he added, using the nickname for his daughters. “In other words, when they begin to take it personally. …
“My message is simple: In business, in work, as in life, you have to proactively protect what you value most. You need to define whatever data that is inside your entity, your organization, and protect it as if it were your own. Because the alternative is for us, as individuals, to continue to be hacked and threatened.”
Sileo presented the “Hacker’s Black List” to help businesses focus on the most critical threats and take concrete steps to protect their data and their customers’ data.
1. Phishing
An email gateway with spam filters will catch most phishing emails, and segmenting user workstations from your critical assets limits how far malware can spread once someone clicks, but that’s not enough.
“What we find over and over is that the people who get that 1-in-100 final phishing email that makes it through haven’t been trained to say, ‘BS, slow down, I’m not sure this is real, I should not click on that link, I should flag it,’” Sileo said.
The problem isn’t that people don’t know about cybersecurity threats, he said. It’s that they don’t know how to put that awareness into action; they don’t know how to make skepticism a reflex.
“If you can get your people to have a ‘BS’ reflex [it also stands for ‘Be Skeptical,’ he says] which is what’s missing in 90 percent of the hacks we see, the entire calculus of security changes.”
2. Whaling
Whaling is a cyberattack that targets a CEO, CFO or other senior executive. A form of business email compromise (BEC), these attacks hinge on normal, innocent-looking emails that appear to come from a colleague but hide a malicious link or attachment that installs malware.
In the wire transfer fraud version of whaling, hackers skillfully pose as a CEO or CFO asking a colleague to urgently authorize a large payment. The money goes to an unknown account, Sileo says, and the cybercriminal can retire.
Again, what’s missing is suspicion, skepticism, and the ability to hit pause to figure out what’s real and what’s a trap.
3. Ransomware
“The problem that we see is not that you don’t have the data backup system,” Sileo said. “The problem that we see is it’s never been live tested. You’re not able to restore the data to get rid of the ransomware to start all over again. … You’ve got the backup; it just doesn’t work. You haven’t done … a live scenario of putting it back on the system. That’s where it fails. Once again, it’s the human element, not the technological element.”
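The live restore test Sileo describes, as an added example that is not code from the talk or from The Sileo Group: it builds a constructed sample tree, archives it with a SHA-256 manifest stored apart from the archive, restores into a scratch directory and compares every file, then repeats the drill against a tampered manifest entry and a deliberately truncated archive so the failure modes are visible. All names here (build_sample, make_backup, restore_drill, backup.tar.gz) are this example’s own.

```python
"""Live restore drill for a backup, as a runnable check (added example).

A backup that has never been restored is only a hope. This script backs up a
constructed sample tree into a tar.gz archive, keeps a SHA-256 manifest of
every file separately from the archive, restores the archive into a scratch
directory and compares each restored file against the manifest. It then
repeats the drill with a tampered manifest entry and with a truncated copy of
the archive to show what a failed drill looks like.
"""
import hashlib
import os
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_sample(root: Path) -> Path:
    """Constructed sample data standing in for a small business's files."""
    src = root / "live"
    (src / "customers").mkdir(parents=True)
    (src / "customers" / "accounts.csv").write_text("id,name\n1,Acme\n2,Globex\n")
    (src / "config.ini").write_text("[db]\nhost=localhost\n")
    (src / "blob.bin").write_bytes(os.urandom(200_000))
    return src


def make_backup(src: Path, archive: Path) -> dict:
    """Archive every file under src and return {relative path: sha256}.
    Keep the manifest somewhere the archive is not: if ransomware encrypts
    or a disk fault corrupts the archive, the manifest still says what a
    correct restore must produce."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    return manifest


def restore_drill(archive: Path, manifest: dict) -> list:
    """Restore into a fresh directory (never over live data) and compare every
    file against the manifest. Returns a list of problems; empty means the
    backup is usable."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                if hasattr(tarfile, "data_filter"):
                    # Python 3.12+ (and backports): refuse absolute paths,
                    # '..' components and links that escape the target dir.
                    tar.extractall(scratch, filter="data")
                else:
                    tar.extractall(scratch)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"content mismatch: {rel}")
    return problems


def demo() -> dict:
    """Run the drill against a good archive, a tampered manifest entry and a
    truncated archive. Returns the problem list from each run."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = build_sample(root)
        archive = root / "backup.tar.gz"
        manifest = make_backup(src, archive)
        good = restore_drill(archive, manifest)

        # A restored file whose content differs from what was backed up
        # (simulated here by altering the recorded hash) is reported by name.
        tampered = dict(manifest)
        tampered["config.ini"] = "0" * 64
        mismatch = restore_drill(archive, tampered)

        # Damaged medium: chop the archive in half. The drill must fail loudly
        # rather than quietly restoring nothing.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        truncated = restore_drill(archive, manifest)
    return {"good": good, "mismatch": mismatch, "truncated": truncated}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'PASS' if not problems else problems}")
```

The drill restores into a throwaway directory on purpose: a restore test that overwrites live data can itself cause the outage it is meant to prevent. Schedule it and treat a non-empty problem list as an incident, not a warning.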
4. Weak passwords
Bad password habits can be solved by password managers or password lockers (Dashlane and LastPass are prominent examples). However, Sileo says, “the average institution has not implemented password management; they’re still forcing their people to change it constantly, so they put it back to their pet’s name, their kids’ birthdates, their date of graduation” — and right back into the hands of hackers.
5. Hotspot sniffers
“They’re the people that sit in hotels like this, conferences, airports, cafés, and they ‘sniff’ your Wi-Fi connection” waiting for people to connect to the Wi-Fi hotspot they’ve set up, Sileo said. “You think that because it’s free Wi-Fi that it is the hotspot that is free; but it is your data that is free.”
Once you connect to one of these bogus hotspots, the operator sits between you and the internet: emails, passwords and private information sent over unencrypted connections can be monitored, and stolen, with simple software, and even where a connection is encrypted, the hostnames you visit remain visible.
6. Blockchain security
Blockchain is “a very promising security movement,” Sileo said, “but I have to tell you that there are issues with it.”
The problem: Not all blockchain applications are built with integrity.
“A lot of it is just a slow database that somebody is selling by calling it ‘distributed ledger technology,’” Sileo said. “The key thing is you have to look at who the architect of the chain is. … You have to take a look at who built the blockchain and how it is secured.”
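To make Sileo’s point concrete, an added example that is not from the talk: a minimal hash chain in which each record commits to the hash of the one before it. Editing a record breaks every later link and is detected; but if one operator holds the whole chain, that operator can edit a record and recompute every following link, and the chain verifies again. Only an independent witness holding the chain head catches it, which is the practical meaning of asking who built the chain and how it is secured. Names such as block_hash, rewrite_history and the ledger entries are this example’s own constructions.

```python
"""Hash chain vs. plain table: what 'distributed ledger' does and does not buy you.

Added example. Each record commits to the hash of the record before it, so
editing any record breaks every later link and verify() reports it. The catch:
if a single operator holds the whole chain, that operator can change a record
and recompute every following link, and verify() is satisfied again. Tamper
evidence only survives when independent parties hold copies (or at least the
chain head) and check them.
"""
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64


def block_hash(index: int, prev_hash: str, payload: dict) -> str:
    # Canonical JSON so identical content always produces the same hash.
    material = json.dumps({"i": index, "prev": prev_hash, "data": payload},
                          sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(material).hexdigest()


def append(chain: list, payload: dict) -> dict:
    prev = chain[-1]["hash"] if chain else GENESIS
    block = {"index": len(chain), "prev": prev, "data": payload}
    block["hash"] = block_hash(block["index"], prev, payload)
    chain.append(block)
    return block


def verify(chain: list) -> Optional[int]:
    """Index of the first block whose link or hash is wrong, or None if intact."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev"] != prev:
            return i
        if block["hash"] != block_hash(i, prev, block["data"]):
            return i
        prev = block["hash"]
    return None


def head(chain: list) -> str:
    """The chain tip; this is what an independent witness records and compares."""
    return chain[-1]["hash"] if chain else GENESIS


def rewrite_history(chain: list, index: int, payload: dict) -> None:
    """What a sole operator can do: change a record and re-link what follows."""
    chain[index]["data"] = payload
    prev = chain[index - 1]["hash"] if index else GENESIS
    for block in chain[index:]:
        block["prev"] = prev
        block["hash"] = block_hash(block["index"], prev, block["data"])
        prev = block["hash"]


def demo() -> dict:
    chain = []
    # Constructed ledger entries (account, amount) standing in for real records.
    for entry in ({"acct": "1001", "amount": 250},
                  {"acct": "1002", "amount": -75},
                  {"acct": "1001", "amount": 40}):
        append(chain, entry)
    witness_head = head(chain)          # copied out by an independent party
    intact = verify(chain)              # None: chain is consistent

    chain[1]["data"]["amount"] = -750   # quiet edit of one record
    detected = verify(chain)            # 1: hash of block 1 no longer matches

    rewrite_history(chain, 1, {"acct": "1002", "amount": -750})
    after_rewrite = verify(chain)       # None: operator re-linked everything
    witness_agrees = head(chain) == witness_head   # False: the witness catches it
    return {"intact": intact, "detected": detected,
            "after_rewrite": after_rewrite, "witness_agrees": witness_agrees}


if __name__ == "__main__":
    print(demo())
```

The hashing is the easy part; what turns it into a security property is the number of parties who can refuse a rewritten chain. A ledger that one vendor operates and nobody else validates is, as the talk puts it, a slow database with a hash column.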
7. Disinformation campaigns
“This is the No. 1 threat that I see coming up …” Sileo said. “And part of the problem is we don’t have great answers. This is something to pay attention to, particularly for government officials, because it is coming to the business world and it is coming to the governmental world and there are not great solutions yet, other than being prepared with a disinformation breach plan.”