Information Protection – Tip 2

90% of all passwords are vulnerable
it takes 5 minutes to go from hackable to uncrackable… (Look I know these sound like the fundamentals but you’d be surprised at what I see people do).
In fact, over a long enough timeline every password's security drops to zero.
(Thank you for allowing me to shamelessly plagiarize this first paragraph)
Surprisingly, you would think those who were brought up in the age of always having a computer nearby, the Millennials, would consider this as old hat as the advice to use condoms or not smoke (both of which many choose to ignore anyway), but the statistics show otherwise. Only 41% of them and their neighbors the Gen X’ers have ever changed their passwords, or only when prompted.
And 55% use the same password for everything.
I could write a book on good credential hygiene, but the site for Password Day 2014 has several excellent suggestions.
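The two habits the tip is about, picking passwords that are not trivially guessable and not reusing one password everywhere, are easy to check for yourself. The script below is an added example, not part of the original post: it estimates the guessing work a password demands from its length and visible character classes, converts that into an (upper-bound) crack time at an assumed guessing rate, and flags any password that appears under more than one site. The vault contents and the guessing rate are constructed assumptions for illustration.

```python
import math
import string

# Constructed sample vault (NOT real credentials): site -> password.
SAMPLE_VAULT = {
    "bank": "Summer2014",
    "amazon": "Summer2014",
    "email": "Summer2014!",
    "forum": "correct horse battery staple",
}

# Assumed offline guessing rate for an attacker who has obtained a hash dump
# and uses fast hashing hardware. Illustrative figure, an assumption of this
# example, not a number from the post.
GUESSES_PER_SECOND = 1e10

SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the alphabet the password visibly draws from."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += 33  # ASCII punctuation plus the space character
    return size


def entropy_bits(password: str) -> float:
    """Upper-bound entropy, assuming every character was chosen uniformly.

    This is an optimistic bound: a dictionary word plus a year such as
    'Summer2014' is far weaker in practice, because guessing tools try
    such patterns first. Treat the result as 'no better than this'.
    """
    size = charset_size(password)
    if size == 0:
        return 0.0
    return len(password) * math.log2(size)


def years_to_crack(password: str) -> float:
    """Expected years to search half the keyspace at GUESSES_PER_SECOND."""
    expected_guesses = (2 ** entropy_bits(password)) / 2
    return expected_guesses / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def find_reuse(vault: dict) -> dict:
    """Return {password: [sites]} for every password used on more than one site."""
    seen = {}
    for site, pw in vault.items():
        seen.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in seen.items() if len(sites) > 1}


def strength_report(vault: dict, min_bits: float = 60.0) -> dict:
    """Per-site verdict: entropy bound, crack-time bound, and whether it is reused."""
    reused = {pw for pw in find_reuse(vault)}
    report = {}
    for site, pw in vault.items():
        bits = entropy_bits(pw)
        report[site] = {
            "bits": round(bits, 1),
            "years_upper_bound": years_to_crack(pw),
            "too_short": bits < min_bits,
            "reused": pw in reused,
        }
    return report


if __name__ == "__main__":
    for site, verdict in strength_report(SAMPLE_VAULT).items():
        flags = [k for k in ("too_short", "reused") if verdict[k]]
        print(f"{site:8} {verdict['bits']:6.1f} bits "
              f"<= {verdict['years_upper_bound']:.2e} years "
              f"{'FLAG: ' + ', '.join(flags) if flags else 'ok'}")
```

The report deliberately reports an upper bound: a password can only be as strong as its length and alphabet allow, and a human-chosen one is usually much weaker. The reuse check is the more important of the two for the point made above, since a single breached site exposes every account sharing that password regardless of how long it is.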

Information Protection – Tip 1

Let’s start with the basics… It’s called phishing for a reason…
95 percent of all successful attacks started with an attempt to get you to click on a link you shouldn’t…
Seriously people; would you knowingly drive to a questionable part of town… in the middle of the night… with your doors unlocked… your windows rolled down…  your wallet, purse or whatever sitting open on the front seat… cash and credit cards out in plain sight and easy reach…
AND THEN give all of your personal information including driver’s license number, social security number, passport and banking information to the first STRANGER you meet?
THAT’S exactly what you’re doing when you venture to those questionable websites (if you really need a lesson on the ones to which I refer, dust me privately and I’ll be happy to give you my opinion), or click the link in the email guiding you to a heretofore unknown inheritance from the long-lost relative you didn’t know you had.
Here’s my first tip… DON’T
Patient: “Doctor, Doctor! It hurts when I do this…”
Doctor: “Well, don’t do that!”

Information Protection and Privacy

This past Wednesday was National Data Privacy Day, created by Congress in 2009 to help raise awareness of the need to protect personal information and data.

While it seems laughable that the same government that espouses the need to protect our data is the body behind the Edward Snowden-esque allegations of widespread data infiltration of its own citizens, I think there is a point here worth noting…

At the risk of stating the obvious: protecting your information and identity, whether online or otherwise, IS important.

But it is also YOUR data, and therefore YOUR responsibility. Which is good, because we are largely on our own. Being on our own is, in a lot of ways, freeing; we aren’t going to delude ourselves that something is happening when it’s not. (What do you mean I’m denied medical coverage?! That’s why I pay for insurance!)

Having spent a considerable amount of time in the EU, one of the things I noticed is that they take protection and privacy seriously: the EU’s Data Protection Directive requires substantial disclosure of the use of collected personal information and levies heavy fines on those commercial enterprises that violate the directive.

The U.S. has no commensurate directive or legislation. So it becomes our responsibility to ensure our own protection.

I mentioned around Christmas time that I would be sending out ‘bite sized’ tips on protecting your information. Some of them are so obvious they seem ludicrous to even mention, but having been in my position for as long as I have (and with two Masters degrees in information security), I find that 99% of protecting your information is about good personal practices (when was the last time you changed your passwords, and do you use the same or similar passwords for your banking information as you do for Amazon?).

I rest my case.
Net Neutrality and Internet Sovereignty: a Match Made in Censorship

If you don’t think net neutrality and Internet sovereignty are related, you had better think again.

The Republicans in Congress are fiercely fighting the request by the Obama administration to classify broadband Internet providers as a utility, making them, and the Internet, subject to much stricter regulation.

At the heart of the net neutrality debate is, ostensibly, whether or not the Internet should be considered a utility and therefore subjected to utility provider regulation similar to that of electric or telephone service.

Meanwhile in China, Internet Czar Lu Wei and President Xi Jinping are arguing the state’s right to manage and govern the information running across its sovereign territory. The Internet, Wei argues, is part of the national infrastructure like roads and power, and it is the state’s responsibility to ensure infrastructure stability.

Both prescribe controlling information flow across the Internet, albeit each country takes a slightly different approach. While China is more overt in controlling information, by classifying and categorizing information protocols, the opponents of net neutrality arrive at very much the same place.

The tragedy of the Charlie Hebdo shootings simply underscores the stakes involved in the freedom of information debate.

We are quickly facing a world where the information we’ve taken for granted may not be as easily accessible.

Are You Really Private?

From the Snowden leaks last year, to all of the ‘cyber breaches’ and losses of personal information from large retailers in the last couple of years, we as a global village are finding out that keeping things to ourselves is not as easy as it once was.

All of the social media platforms compound the difficulty of keeping our private information private, and we all struggle with the increasing importance of doing so.

In a world where EVERYTHING is ‘out there forever’ as soon as it’s set into the wild, and where almost everything is subject to discovery in our increasingly litigious society, I see an increase in the number of secure messaging apps aiming to help keep conversations private; for example:

Sicher, Silent Circle, CyberDust, Signal, et al. all use end-to-end encryption and data destruction to provide a means for groups of people to communicate with each other securely and privately.

Even WhatsApp, the popular text messaging replacement application, is starting to use end-to-end encryption.

But I’ve noticed another trend unique to these secure applications: while they have provided a means of ‘hiding from prying eyes’, they have fostered a new sort of social media platform.

For example, one of my favorite new apps is CyberDust (available on iOS, Android, and Windows Phone). CyberDust not only provides secure person-to-person messaging, because everything runs over an encrypted channel and the messages self-destruct after a short period of time AND are NEVER stored on their servers or any endpoint; CyberDust also provides a sort of ‘Twitter-like’ platform where a person can ‘Blast’ a message to a group of subscribed followers.

I’ve been using CyberDust to sort of ‘pre-publish’ posts, as a platform that allows me to get something ‘out there’ quickly without a lot of editing, and in a somewhat longer format than the Twitter limit of 140 characters.

I find this feature incredibly useful, because I can send raw unedited posts to my followers without worrying too much about the editorial content, grammar, and so forth; and since I save my posts to Evernote, I can come back at a more convenient time, clean them up and post them on LinkedIn or my blog (
But I’ve noticed, as I’ve used CyberDust, something more disturbing occurring: many of the people I follow, some of them professionals, are posting pictures and comments I believe they would think twice about posting if the platform they were using was as open as Facebook or Twitter.

Let me say before I continue that I’m neither a Pollyanna nor prudish about this subject, and I am in NO WAY making a judgment about anyone I follow; I publish a number of posts that are all raw, unedited, and sometimes incendiary.

What I am saying is this: even with a platform that leaves no physical or virtual evidence of pictures, posts or comments, when we intentionally broadcast a message to a group of people, do we not leave with our audience, followers and listeners a residual impression of who we are, whether or not evidence exists?

This subject goes beyond privacy issues and quickly becomes an issue of reputation management. The fact of the matter is, regardless of whether or not the platform is secure and encrypted, I am sending a post out to the public, i.e. more than one person with whom I have no personal relationship other than that they follow me, rather than to one or two people with whom I have a relationship and where the conventional social contract of confidentiality is the norm.

I believe in the right to personal expression and exercise said personal expression frequently; I am also acutely aware of the consequences of my actions, and of the things I publish or portray.

My point is that this message becomes a cautionary tale to everyone (most of all myself) that we leave a lasting impression of who we are and what we’re about with the people around us, even if the evidence self-destructs after 30 seconds.

“Three people can keep a secret, if two of them are dead.” – Benjamin Franklin

Telling The Hero’s Tale

Haiku Deck (and Nancy Duarte’s book, Resonate) has changed the way I present content when speaking; I hope to see them at SXSW 2014 – Unlocking Inspiration for Visual Storytelling.

Does SOX Change Company Culture?

This afternoon I read an interesting question on Quora (…

Is there a documented case where a company believes its culture was materially changed because of restrictions imposed by Sarbanes-Oxley?

Theoretically, and this might sound a bit Pollyanna, anything that's done as part of an internal control environment should be done because it's the right thing to do for the business (public or private), and not because of a regulatory requirement like SOX. So if your organizational culture is one of business and process excellence, then your organizational culture won't materially change because of an implementation of internal controls. If your organization doesn't have the mindset of process management, then your organization is in for a harsh awakening.

For example, you stop at a red traffic light in a busy intersection because it's a good idea and you don't want an accident, not because the law tells you to.

In the same vein, we have a segregation of responsibilities between the person who can approve a payment to a supplier, and the person who writes the check because it's a good idea and we don't want to have someone paying themselves and defrauding the company (exaggerated for effect), not because SOX tells us to.

We control and document programming changes in an IT environment because it's a good idea, not because SOX tells us to.

What burdens an organization with a mindset of business excellence when it comes to regulatory compliance isn't the process change or cultural shift; it's the sheer weight of the audit function, and the potentially overwhelming documentation required to support the audit function (but that's a tale for a different day).

Interestingly enough, Grant Thornton did a survey in January 2013 of corporate general counsels for their clients; the survey, on the largest threats to organizational growth, showed the overwhelming response from the GCs to be… regulatory compliance. Go figure.

You can find the survey here.