Phishing: Understanding Your Cyber Adversaries

Nearly two years ago, an infamous incident occurred where stolen pictures of celebrities flooded the internet. Originally, it was thought that this was due to an iCloud vulnerability that allowed a brute force attack. But it now turns out it was because of a simple social engineering phishing hack.

Phishing usually involves sending mass emails that masquerade as legitimate communications, coming from a trustworthy source like a big bank or credit card company. The phisher seeks to trick the recipient into clicking on a link or opening an attachment that downloads malware onto the victim’s computer. The malware can then be used for criminal activity including theft of sensitive data or money. While phishers may send thousands of emails, all they need are a few or even one individual to fall for their trick to get into the IT system. It’s easy to forget that security threats aren’t always the work of sophisticated technology geniuses with malevolent intent. As in the case of the celebrity photos, the method was relatively simple. However, it still caused reputational damage.

Cyber attacks don’t appear out of nowhere. At the beginning and right through development and attack, humans are involved. Recently, we profiled half a dozen types of attackers. We call them the “Unusual Suspects.” An attack might start with the Professional working in the digital shadows seeking to make the most money possible from the damage they cause. Then you’ve got the Mules and Getaways who are on the front line, and will be the first to get caught when the law comes knocking. There are also Activists and Nation State Actors who are looking to change the world or steal information on behalf of their country’s government. And then there’s the Insider leaking sensitive information accidentally or on purpose with malicious intent.

bae - the usual suspects

These are all just some of personas BAE Systems recently identified as key threats to businesses and without them, cybercrime can’t exist.

Wising up to phishing attacks

In the IT space, one of the most common ways cyber criminals target employees of a company is through phishing. In the aforementioned celebrity photos case, court documents said Ryan Collins, 36, of Pennsylvania, hacked more than 100 people. According to reports in the press he used email names like ‘e-mail.protection318@icloud.com’ and asked for password details.

With these credentials, the hacker was able to go through email accounts looking for photos and videos, managing to get into around 50 iCloud accounts and 72 Gmail accounts mostly belonging to celebrities. It’s quite easy to imagine the damage hackers could cause if they got hold of corporate emails – think of the damage the 2014 Sony hack inflicted.

You can’t patch a human

Employees will always be a weak spot, and clever social engineering is leading to more examples of how this weakness can be exploited. The effects can be devastating. For example: a company that collects credit card data from its customers is at risk of a major data breach from a single employee clicking on an email leading to a website laced with malware. The financial and/or reputational damage and the related fines or compensation claims that result could be significant.

At its core, combating social engineering is a human problem that requires human solutions. In certain cases victims may violate policies, but it may often be the case that the rules or training were not clear enough for the employee to know they were doing something that could have serious consequences. And because humans are behind social engineering attacks, they are capable of evolving, matching the way the business world is using technology.

To mitigate against social engineering attacks, there needs to be security awareness and culture from top to bottom. This might mean ongoing training for employees to understand the threats, as well as the right policies and procedures in place. This helps employees understand the risk from social engineering and what role they have in preventing it. Remember, this all has to be done in tandem with putting the right technology in place.

Defeating the Unusual Suspects

Defending against cyber threats is all well and good, but what about catching these Unusual Suspects? This is difficult, because they use sophisticated tactics to escape detection–they are located all over the world, and use secure software to escape detection and remain anonymous, often routing communications through multiple countries to avoid being caught.

Fortunately this is a case where human fallibility is a good thing–criminals will make mistakes and leave digital finger prints that sophisticated analytics and forensic analysis can pick up. Finally don’t underestimate the power of human ingenuity–thanks to the efforts of security professionals, we’re finally getting to a point where the investigation of online crime is being slowly demystified and defenses put in place to mitigate the threat.

Legal Woes Highlight Dangers of the Food Industry Supply Chain

chipotle

A spate of recent cases offers a clear warning for the food industry about the legal and reputational perils of not getting more serious about supply chain control.

On Monday, the U.S. Supreme Court declined to consider an appeal from Nestle, Archer Daniel Midlands Co. and Cargill Inc., allowing a slave and child labor lawsuit to proceed against the three food industry giants.

Three plaintiffs who claim they were trafficked from Mali as child slaves and forced to work harvesting and cultivating beans in Cote d’Ivoire, and allege that the companies aided, abetted or failed to prevent the torture, forced labor and arbitrary detention they suffered.

According to Reuters:

The plaintiffs, who were originally from Mali, contend the companies aided and abetted human rights violations through their active involvement in purchasing cocoa from Ivory Coast. While aware of the child slavery problem, the companies offered financial and technical assistance to local farmers in a bid to guarantee the cheapest source of cocoa, the plaintiffs said.

The defendants knew about the child slavery problems in the region and offered both financial and technical farming assistance to support the agriculture methods in place, the plaintiffs claim. What’s more, they say, the defendants could have used their leverage in the cocoa market to stop or limit the alleged child labor practices and failed to do so.

According to the Wall Street Journal:

Mark Theodore, a partner at Proskauer Rose, said that the ruling reinforces to companies that they need to be socially responsible employers. And while there is no way to ever completely prevent such risks, he said the ruling is a reminder to companies that they “should be monitoring and also maybe doing a little bit of introspective thinking about their own practices to avoid these things, or prevent them from happening, or to put themselves in legally defensible position if they can’t prevent them.”

In September, the Justice Department finalized a landmark conviction of the former head of the Peanut Corporation of America, who was sentenced to 28 years in prison for knowingly shipping salmonella-tainted products that sickened 714 people and killed nine. That may be the department’s first step in a new approach to taking food industry product safety more seriously, and more aggressively pursuing wrongdoing on a criminal level. The Justice Department has now opened formal investigations into the e. coli outbreak at Chipotle and the listeria outbreak at Blue Bell Creameries, both of which sickened hundreds of consumers.

The department has already signaled a broad intention to focus more efforts on individual law-breakers in corporate crimes. Now, the government appears to be showing the food industry that things are changing in terms of corporate responsibility and food safety, according to Andrew Lankler, partner at Baker Botts. Lankler told the Wall Street Journal that the Department of Justice is signaling that whatever standard the food industry thought it needed to meet for food safety, the bar is higher. “The department is going to step up enforcement in areas where they can prove they sold tainted product,” he said.

And the trouble at Chipotle shows little sign of abating. The CDC is still investigating multiple outbreaks, and the chain has now been served a subpoena as part of a criminal probe by the U.S. Attorney’s Office and the Food and Drug Administration’s Office of Criminal Investigations regarding an isolated norovirus incident in August.

A fourth lawsuit was recently filed by a customer who claims he was sickened by the same strain of e. coli linked to Chipotle, but this case dates back to July, meaning far more people may have been affected in the outbreaks. At least nine suits have been filed by customers, and Bill Marler, a food and safety litigator in Seattle, claims more are coming from the 75 Chipotle-related clients he represents.

At this week’s ICR conference this week, CEO Steve Ells said he is hopeful that the CDC will soon declare the restaurant’s e. coli outbreak over, adding, “we know that Chipotle is as safe as it’s ever been before.”

To that end, Chipotle announced today that it will close all of its stores on Feb. 8 to have a corporation-wide meeting with all staff regarding food safety.

But customers remain extremely wary. Indeed, while it may be an e. coli cliché, it would not at all be a stretch to say public opinion about the brand remains in the toilet, with YouGov’s BrandIndex score for the company seeing a drop equal to that of GM during its crisis.

yougov poll chipotle

To combat that, the company also announced plans to launch a sizable new marketing campaign to win back customers, using direct mail and traditional advertising to attempt to win back consumer confidence. As Fortune reported, executives said the campaign will attempt to provide a “detailed story of what happened” to explain to customers why they are now safe, and that it will not focus overtly on food safety, but will have “an undertone” of humility.

Chipotle’s stock dropped nearly 42% in the wake of the outbreaks, and according to an SEC filing, sales at stores open more than a year were down 30% last month. Ells and his team admitted they could not guess how much the fallout will impact 2016 financial results, but expect it will be a “messy” year. Costs are expected to go up from the marketing campaign and new food safety measures, including processing more food through centralized kitchens in an attempt to better control the conditions of ingredients.

The company darkened its outlook for Q4 results, and As Wells Fargo Securities wrote in a recent research note, “We expect CMG to point to a hard-fought and long-tailed [same-store sales] recovery across 2016, and to stress that there is still much work to be done in assessing the sizeable costs associated with the company’s supply chain overhaul.”

For more about food safety crises and product recall, check out the following articles from Risk Management:

Feeding an Appetite for Trust, A Q&A with Center for Food Integrity CEO Charlie Arnot

Food Safety Updates Stalled by Funding

Maximizing Coverage for a Product Recall

Chipotle Food-Borne Illness Outbreaks Highlight Supply Chain, Reputation Risks

For the past month, Chipotle Mexican Grill has been mired in a food safety crisis. An e. coli outbreak linked to Chipotle has sickened at least 52 people in nine states. In a seemingly unrelated outbreak, 120 people in Boston – most of them students at Boston College – also fell ill after contracting norovirus from eating at the quick-service chain.

While food safety and product recall concerns are always a major liability for industry players, the spate of infections poses even more of a threat to Chipotle as the company has built its reputation on the foundation of a healthy, responsible supply chain, boasting its use of fresh produce, meat raised without antibiotics, and a network of hundreds of small, independent farmers. As Bloomberg put it, the company’s biggest strength is suddenly its biggest weakness. Given the chain’s 1,900 locations and the rate at which it has expanded (about 200 new locations every year), its supply chain is already under significant pressure. When an audit found unacceptable practices earlier this year, the company suspended a primary pork supplier, pulling carnitas from the menu at about a third of its restaurants nationwide. The company pointed to its decisive action as proof of its commitment to sustainable agriculture, but many analysts said it highlighted the company’s inherent vulnerability to supply chain issues.

“You can never eliminate all risk, regardless of the size of suppliers, but the program we have put in place since the incident began is designed to eliminate or mitigate risk to a level near zero,” Chris Arnold, the company’s director of communications, told Bloomberg.

Now, as the number and geographical spread of E. coli cases grows, the company has closed dozens of restaurants for what it promises will be thorough investigation and cleaning. Steve Ells, the company’s co-chief executive, went on the “Today” show to publicly apologize and vow that reforms currently being put into place would turn Chipotle into a leader in food safety. “The procedures we’re putting in place today are so above industry norms that we are going to be the safest place to eat,” he said.

But consumers are not so sure, leading sales to fall 16% in November, and its stock price has dropped almost 30% since the outbreak was first detected, the Washington Post reports. Analysts and the company itself have said they expect the outbreak to continue to cause a drop in sales. Take a look at how the ongoing crisis has impacted the company’s stock:

chipotle stock e coli

These doubts may have long-term impacts on Chipotle and may even extend to other food industry stakeholders.

“Fast-food companies are 100 percent reliant on their food supply to send them something that is pathogen-free, but the supply chain is still extremely reluctant to test every [food] product it provides,” food safety consultant Mansour Samadpour told the Washington Post. “Many companies are starting to do it, but the reluctance is real and it’s problematic — and that’s getting in the way of food safety.”

“I worry that [consumers] look at food safety from the organic, non-GMO, sustainability, animal welfare standpoint,” Bill Marler, a lawyer specializing in food-borne illness, told the Post. “And a lot of people in that space, in that agricultural movement, tend to believe that because they do those things their food is automatically safer than food that’s served at McDonald’s or Jack in the Box or Walmart. But that’s just not the case.”

For more about food safety crises and product recall, check out the following articles from Risk Management:
Feeding an Appetite for Trust, A Q&A with Center for Food Integrity CEO Charlie Arnot
Food Safety Updates Stalled by Funding
Maximizing Coverage for a Product Recall

Balancing Risk and Compassion: Life Sciences Companies Face New Risks from Expanded Access

Pharmaceutical companies operate with a singular objective: bring drugs to market. This is how they profit, how they ensure that their products help the most people, and how they maintain the resources to continue innovating.

The lifecycle of drug development can be complex and onerous, despite improvements to the regulatory approval process over the past several years. Now, a trend sweeping the industry is forcing many pharmaceutical companies to decide under which circumstances they’re willing to divert resources from their mission of helping the masses.

Expanded Access, or “Compassionate Use,” refers to the use of an experimental drug not yet approved by the FDA to treat a critically ill patient outside of a clinical trial. The FDA received more than 1,800 requests for access to experimental drugs last year and, over the last five years, it has approved 99% of these requests.

But ultimately, once requests are approved by the FDA, it’s up to manufacturers to provide the drug to these patients, many of whom are children, and many of whom have just months left to live.

Companies are then faced with a choice: to provide an unapproved drug to individual patients, which can delay the process of making the drug widely available, or to deny the request and risk backlash from the public, who see only a dying patient and the pharmaceutical company that could save them. In several cases, the latter has fueled social media campaigns demonizing companies for withholding potentially life-saving medicines.

How a company handles expanded access requests can affect its reputation and financial stability. Pharmaceutical executives often operate under a microscope, where patient outcomes are the key to keeping investors on board. As expanded access patients often do not qualify for clinical trials, they may be higher-risk candidates, so reporting their results to the FDA could potentially prolong approvals and market availability. On the other hand, a company that denies an expanded access request can face significant reputational damage and even legal action if investors believe that management decisions hindered the company’s progress.

Small and mid-size life science firms in particular may fear that they don’t have the resources to navigate expanded access cases. But requests for experimental drugs are on the rise: the FDA saw a 92% year-over-year increase in requests in 2014. Companies need to prepare their approach and policies before they find themselves in the throes of a difficult decision with pressures mounting from both sides. Here are four ways they can set themselves up to make informed decisions about balancing risk with compassion:

Monitor the Regulatory Environment

Over the last year, the FDA has been working to simplify the process for physicians requesting access to experimental drugs on behalf of patients. In February 2015, the agency streamlined the application form, which now requires physicians to submit just eight types of information, as compared with 26 types in the previous form.

The FDA has also been working with life sciences companies to find alternative solutions to expanded access when needed, such as designing expedited open-label trials for these patients.

Additionally, as of August 2015, 24 states have introduced right-to-try bills, which allow physicians to request experimental drugs without going through the FDA’s application process.

With both federal and state governing bodies paving the way for easier access to experimental drugs, the decision to provide these drugs falls squarely on the shoulders of corporate leadership at pharmaceutical companies. These firms also ought to keep in mind the need to prioritize building and maintaining relationships with the FDA, which can be key in developing a creative solution.

Update Your Crisis Management Plan

Crisis management plans are sometimes written in broad strokes. In preparing for expanded access cases, risk managers need to bring together leadership from various departments—senior management, investor relations, finance, human resources, etc.—to weigh in on the specific risks associated with experimental drugs. Many firms will seek outside counsel to guide the process.

At a basic level, a crisis plan should map out vulnerabilities across all risk areas. For example, companies need to consider the process for securing their facilities, fielding press inquiries, addressing social media backlash, managing investor concerns and navigating potential lawsuits.

Most importantly, companies need to develop the principles that will guide decisions in crisis situations. Rather than scrambling for direction in the heat of public scrutiny, companies should establish a clearly-stated policy and set of guidelines for participation in expanded access programs. This will serve as the foundation of a response if an issue arises. Management must then be prepared to defend that position to all stakeholders, including employees, investors, patients, physicians and potentially press.

Evaluate and Re-evaluate Your Insurance Policies

Organizations need to consider which financial risks they can transfer to their insurance policies. Not everything will be insurable, but a strong policy can provide protection if an expanded access case threatens a company’s financial stability.

This starts with a comprehensive review of a company’s insurance portfolio with the issue of expanded access in mind. Oftentimes, risk managers revisit their policy language through the lens of a specific issue and realize that their expectations for coverage don’t accommodate current events. This can be the case with expanded access.

When reviewing their policies, companies need to understand the intent of the language relevant to expanded access and work with their broker to make sure the coverages are as granular as possible.

Lead the Way

This year, Johnson & Johnson created a Compassionate-Use Advisory Committee composed of doctors, bioethicists and consumer advocates to evaluate expanded access requests and make recommendations to the company’s clinicians. While many have hailed this as a creative solution for maintaining ethical standards, smaller companies with fewer resources cannot as easily take such an approach. These firms have an opportunity to set the standard for managing expanded access cases by developing thoughtful policies, collaborating with regulators and academics and, of course, addressing risks to business from the onset.