New Articles

Commerce, Currency, and Credit —and What’s Next

commerce

Commerce, Currency, and Credit —and What’s Next

The notions of commerce, currency, and credit are nothing new. For centuries, we’ve found ways to barter, borrow, and repay one another through the exchange of goods, services, or credit. Exchange aside, every form of currency has an assigned value agreed upon by the individuals or organizations participating in the transaction.

Need a house or a plot of land? Everything had a price. Back then, we offered what we had…like goats, cows, or crops. In modern times and with the development of currency, we have turned to coins, paper, plastic, and other forms of credit to define the values of our exchanges.

If we begin to think about the evolution of commerce in the context of innovation, we simultaneously begin to wonder, ‘What’s next?’

As the COO of a fast-moving fintech company, I look to innovation to answer this fundamental question. It will always be top-of-mind for me, in order to ensure that our business is at the forefront of innovation when it comes to contemplating the many ways Americans — particularly those in the small business community — think about and gain access to commerce, currency, and credit.

Today, small businesses are faced with an unfavorable choice when considering taking on additional capital: curb their instinct to innovate and grow, or encumber themselves with debt. While the growth of small businesses will help our economy thrive, we can’t increase our ability to provide funding to small businesses by maintaining the status quo. So how do we inject businesses with funds, without ultimately harming that growth and innovation?  I suggest several ways: decrease our industry’s approval time and simplify the process; provide customized offers and understand the uniqueness of each business through the implementation of artificial intelligence and advanced technology, and restore the innate integrity and trust from the nascent days of commerce.

Here are three topline factors that will drive commerce, currency, and credit — and what’s next:

Convenience

If we look at the transition in the consumer payments industry as a leading indicator, we think about the emergence of fast-pay apps like Zelle, Venmo, or Apple Pay, one thing is clear: convenience is king. Even if it costs the consumer a dollar or two, it beats the basic, but now outdated steps of writing a check, (purchasing and) putting a stamp on the envelope, putting it in the mail, and making sure the mail person gets it on time. Certainly, checks have a role to play in the exchange of money — and perhaps always will — but fast cash apps represent the shift.

If we examine the ways that small businesses have historically gained access to capital, what were once nothing more than hard-copy applications followed up by mountains of paperwork issued by traditional banks that required waiting weeks or even months to hear of an approval, is rapidly evolving into what is now a full-fledged industry dedicated to providing capital in mere days or even hours  —with companies in industries ranging from online retailers to credit card processors, and more, working to deliver working capital in the near speed it takes to complete an ATM transaction. Just as odd as dropping a goat off today to pay for a good or service would seem, so too will be the long timeframe to secure small business capital via a long arduous process.  We are quickly moving to a couple of button clicks on your cell phone and capital will be delivered into your business account.

Channels

When discussing my philosophy about our business, three words colleagues often hear me use are “channel of choice.” They refer to finding our customers by identifying who they are, where they are, and what is their preferred method of communication; and of course, delivering superior user experience.

Which “channel of choice” will appeal to the busy mom-and-pop shop owner who calls us from her landline in search of new ways to gain access to capital for a new storefront facade; or to the construction company that does most of its business and banking online and prefers to be reached via the web; or, to the 20-something app developer who likes to do his business with a simple click on his phone?

Our success is contingent upon creating an appropriate environment and successful strategy for each of our customers, all of whom have varying degrees of means and preferences to interact with us.  While mobile interactions will continue the trend to dominate in preference, there will likely always be a need to handle interactions with just a simple phone call.  And delivering an intentional experience with all of those channels in mind will become the new normal

Caution

Over the past few years, the vulnerability of data, privacy, and information security systems has been exposed. As we move into a more digital environment where every piece of data is at your finger times, it’s incumbent upon us in the alternative financial services industry to evaluate the ways we protect the vast information we hold in similar ways customers expected traditional banks to hold and secure their deposits. The phrase “data is the new currency” is quickly becoming reality and expectations of security from those who provide us that information will be just as high as dropping of a deposit to your local bank. As mountains of information continue to become available, it will become a focus for all to consider how we store that information just as a bank locks up its currency in a vault.

_____________________________________________________________________

Herk Christie is the Chief Operating Officer of Expansion Capital Group, a business dedicated to serving American small businesses, by providing access to capital and other resources, so they can grow and achieve their definition of success. Since its inception, ECG has provided approximately $400 million in capital to over 12,000 small businesses nationwide.

cybersecurity

A Cybersecurity and Artificial Intelligence Forecast for 2020

As a cybersecurity and artificial intelligence innovator, we are often asked about our predictions for the year to come. AI, in all its flavors, is a hot technology and it is being applied in many fascinating and powerful ways. Our focus, of course, is on using deep learning to advance the standards in malware detection (and we see a lot of good happening in that regard) so we bring a unique perspective to these two areas.

And not to brag, but when the question came up last year we provided a modest forecast that turned out to be fairly accurate. Here’s a quick recap:

-We said that AI would be a key component to the delivery and management of 5G wireless services, which is in-line with what the industry is now saying about its roll-out.

-Our bet was behind the emergence of AI-as-a-Service. It’s comforting to know that Microsoft CEO Satya Nadella agrees, and sees a $77 billion market by 2025, according to Motley Fool.

-Last year we predicted the emergence of more sophisticated learning techniques, advancing the capabilities and efficacy of machine learning and deep learning algorithms, and that has been happening.

-We’ll even take credit for our prediction that AI in all its forms would see greater commercialization and consumerization, even though that one was probably self-evident in hindsight. Development and improvement in products like smart assistants, smartphones, autonomous vehicles, medical devices and more will continue apace now that AI is mainstream.

So what can we expect for 2020? We’re going to keep our forecast in the realm of cybersecurity and AI this year, looking at both the threat landscape and the emergence of innovative defenses. Here are five trends we see developing in the new year.

Cybercrime will focus on ransomware and cryptojacking

The focus of the global hacker community will shift to emphasize ransomware and cryptojacking. Ransomware has proven to be a lucrative source of income for hackers, and as associated malware and delivery techniques become more effective, that is only going to embolden them. Most hackers launch attacks from locations beyond the reach of U.S. authorities, and they collect payments in the form of cryptocurrency to minimize the risk factor of their illicit endeavors. And as cryptocurrency becomes more mainstream, we foresee a sharp increase in attacks intended to hijack computing resources to power the computations necessary to “mine” coins. What we’re seeing in Blue Hexagon Labs research is that cryptojacking attacks appear to have an inverse relationship to ransomware attacks. This is likely driven by hacker motivations; as the value of cryptocurrency increases, it may be more lucrative (and easier) to focus on cryptojacking than ransomware.

Malware-as-a-Service becomes increasingly sophisticated

Criminal hackers are innovators and entrepreneurial (even if they are evil, self-centered, and destructive innovators and entrepreneurs). As such, they are keen on minimizing cost and risk, and one way they are doing that is by productizing their tools and skills. As a result, Malware-as-a-Service hacking groups are now selling kits and automated services on dark web marketplaces. In March of this year, we wrote about Gandcrab ransomware-as-a-service. We will see these services increase in sophistication in the coming year–for example, the ability to select customizations such as the type of obfuscation or evasion techniques, and the way the malware is delivered. This will make it easier for anyone to get in on the malware game, creating a force multiplier effect that will increase the number of threats enterprises will face in the years to come.

First malware using AI-Models to evade sandboxes will be born in 2020

Malware developers already use a variety of techniques to evade sandboxes. A recent article explained that “Cerber ransomware runs 28 processes to check if it is really running in a target environment, refusing to detonate if it finds debuggers installed to detect malware, the presence of virtual machines (a basic “tell” for traditional sandboxes), or loaded modules, file paths, etc., known to be used by different traditional sandboxing vendors.”

In 2020, we believe that new malware–using AI-models to evade sandboxes–will be born. This has already been investigated in academia. Instead of using rules to determine whether the “features” and “processes” indicate the sample is in a sandbox, malware authors will instead use AI, effectively creating malware that can more accurately analyze its environment to determine if it is running in a sandbox, making it more effective at evasion. As a result of these malware author innovations and existing limitations, the sandbox will become ineffective as a means to detect unknown malware.  Correspondingly, cybersecurity defenders’ adoption of AI-powered malware defenses will increase.

The rollout of 5G networks will bring new attack vectors

The infrastructure needed to roll out and manage new 5G networks requires a more complex, software-defined architecture than older communication networks. This new architecture means services will operate within a more complex environment with a broader attack surface that requires more security diligence on the part of the service providers. In addition, the advent of 5G networks will enable more endpoint devices that will require security at the network edge. Hackers, in particular, nation-state threat actors, will work hard to find and exploit weaknesses in this architecture to intercept traffic, disrupt services, and deliver payloads to endpoints and networks.

Privacy regulations drive more spending in cybersecurity

The European Union’s General Data Protection Regulation (GDPR) has inspired a number of privacy regulations, including the new California Consumer Privacy Act (CCPA). In the CCPA, California has created a combined privacy and breach disclosure law that goes into effect on January 1, 2020. The office of the California attorney general recommends NIST (800-53 or CSF) or ISO 27001 as their standards for implementation, and uses CIS Controls for security program guidance. That means an emphasis on malware detection and prevention, and with data breach violations reaching hundreds of millions of dollars in the EU and U.S., we predict CCPA and the recent history of enforcement will drive a significant increase in cybersecurity spending.

Even though the overall theme of these predictions suggests increasing threats and risks to the enterprise, we do see cause for optimism. Our experience with the application of deep learning to meet the challenges of threat detection and prevention give us hope that, as our efforts and those of other innovators continue and build momentum, we are confident that 2020 will be regarded as the year our industry finally turned the tide against hackers.

cybersecurity

Winter 2019 U.S.- China Cybersecurity Update

It is difficult to accurately speculate on the progress of U.S.-China trade negotiations, as media reports on the status of key policy proposals seemingly differ each day depending on the transparency and messaging agenda of the sources involved. However, what has been certain during the winter of 2019 is that major updates to U.S. and Chinese cybersecurity regulations are in the process of being implemented, and these developments stand to set key precedents for the intersection of applicable foreign investment and cybersecurity regulations in the U.S. and China.  

Building on our previous two articles regarding U.S. economic espionage concerns and updated U.S. foreign investment restrictions, this article will provide an overview of notable cybersecurity legislative and investigative developments that will likely dictate the near future of critical facets of U.S.-China relations in the 21st century, including (1) the implementation of China’s revised cybersecurity legislation known as the Multi-Level Protection Scheme (“MLPS 2.0”); (2) the Committee on Foreign Investment in the United States (“CFIUS”) reported investigation into the popular social media app TikTok; and (3) the race to implement 5G infrastructure and ongoing speculation regarding Huawei’s licensing status.

1. Implementation of China’s Multi-Level Protection Scheme (MLPS 2.0)

In 2017, China implemented comprehensive cybersecurity legislation commonly referred to as China’s Cybersecurity Law (“CCL”) in efforts to consolidate authority over and standardize regulation of the internet and cyberspace. The CCL includes strict prohibitions on how companies, particularly U.S. and other foreign companies, can store data and interact online.  For example, the CCL requires that network operators in China cooperate with and provide support to government agencies in support of safeguarding national security, and additional provisions have been passed in recent years under the CCL that provide broad authorizations for law enforcement agencies to inspect and monitor internet service providers and computer network data centers. Foreign companies and human rights organizations have criticized the CCL as regressive legislation that fosters state censorship and surveillance and lacks sufficient privacy protections.

Article 21 of the CCL codified China’s requirements for network operators to implement a cybersecurity “multi-level protection system” that includes mandates to implement and adopt certain technical measures and security protocols to monitor and record network activity. Article 37 imposes certain data localization requirements and requires “critical information infrastructure” operators to store personal information and important data gathered or produced within the mainland territory of China.

On December 1, 2019, MLPS 2.0 will take effect, and will impact how U.S. companies and other foreign companies can do business online and store electronic data in China. A draft of the new regulations was first released in June 2018, and the revised MLPS 2.0 incorporates three information security technology standards that in effect will broaden the Chinese government’s authority, particularly that of the Ministry of Public Security, to proactively supervise, manage, and enforce cybersecurity regulations and restrictions on companies operating in China.

The expanded monitoring and enforcement authorities that MLPS 2.0 provides the Chinese government has provoked increasing privacy concerns for foreign firms, particularly those handling sensitive data. The regulations provide stringent mandates on how foreign companies must secure their networks, utilize local sever systems, and cooperate with government authorities. As the new law enters into effect on December 1, 2019, it will be critical for U.S. companies operating in China to understand how the new laws will impact their operations. Companies that store and utilize sensitive personal data, U.S.-regulated technology or technological data, or proprietary intellectual property and trade secrets will have to ensure compliance with both U.S. and Chinese regulations governing privacy, export controls, and cybersecurity regulations. 

2. CFIUS Takes on TikTok

We previously provided an overview of the updated CFIUS regulations concerning foreign investment restrictions scheduled to take effect in the U.S. in February 2020. However, that does not mean that CFIUS, the inter-agency committee tasked with the authority to review, modify and reject certain types of foreign investment that could adversely impact U.S. national security, is dormant in terms of its current investigations. In fact, on November 1, 2019, Reuters reported that CFIUS has launched a national security review of the popular social media and video-streaming app TikTok, related to the acquisition of social media app Musical.ly (since rebranded as “TikTok”) by Beijing ByteDance Technology Co. in 2017 for $1 billion. TikTok earlier this year said that approximately 60% of its 26.5 million monthly active users are located in the United States.

U.S. lawmakers first raised national security concerns related to the TikTok platform, particularly its Chinese parent company’s collection of user data and purported censorship of user content.  For example, Senators Chuck Schumer and Tom Cotton sent a bi-partisan letter to the Acting Director of National Intelligence in October voicing concerns over TikTok’s data collection practices, highlighting Chinese laws that “compel Chinese companies to support and cooperate with intelligence work controlled by the Chinese Communist Party.” While it is unclear what the outcome of this particular review will be, it puts a spotlight on the types of industries and practices that CFIUS is currently scrutinizing and provides a useful case study for what types of mitigating measures we may see imposed by the Committee down the road.

The updated CFIUS regulations set to take effect in February 2020 expressly expand the jurisdiction of CFIUS to include reviews of non-controlling foreign investments in companies that store and have access to sensitive personal data of U.S. citizens. But the CFIUS review into TikTok is only the latest investigation by the Committee into burgeoning technology apps that store sensitive personal data. CFIUS has previously targeted the proposed acquisition by the Chinese Kunlun Group of the U.S. dating application “Grindr” for data privacy concerns regarding its individual users, and similarly forced the Chinese digital healthcare company iCarbonX to divest from it its investment in the U.S. healthcare startup “PatientsLikeMe.” 

These recent cases ultimately show that CFIUS is increasingly focused on the protection of the sensitive personal data of U.S. citizens in emerging technological applications, particularly when Chinese investment is involved.  All U.S. companies considering foreign investment will have to take heed of the current and soon-to-be updated CFIUS regulations and increase their due diligence efforts, particularly where Chinese investment is concerned.

3. 5G Supremacy: Timeline on Huawei Restrictions and Licensing Still Unclear

Finally, a critical ongoing area of U.S.-China cybersecurity relations is the debate over the role that China’s telecommunications leader Huawei will have in developing and implementing global 5G technology and data networks. Huawei was placed on the U.S. Department of Commerce “Entity List” over national security concerns in May 2019, which restricts U.S. companies from doing business with it, and a licensing regime was put into place for U.S. companies that seek to engage with Huawei and certain of its subsidiaries. While no such licenses have been issued to date, U.S. Secretary of Commerce Wilbur Ross recently indicated that at least some of the 260 license applications their office has received will be granted and issued shortly.  

U.S. critics believe that allowing Huawei to take the lead on 5G and similar data network equipment will potentially give the Chinese government the ability to collect data of the users of Huawei products. However, Huawei is a global leader in 5G technology, and despite pressure from the U.S. government, countries like Germany, Hungary, and Norway have decided against banning Huawei from their 5G networks. The inherent difficulties and concerns in having the global leader in 5G technology also be closely connected to the Chinese government is an issue that every country seeking to develop 5G infrastructure will have to address, and will likely be a focal point in the U.S.-China trade war as well as in global cybersecurity relations for years to come. 

If you have any questions about U.S.-China trade relations as it relates to CFIUS, cybersecurity regulatory compliance, or U.S.-imposed licensing restrictions, please contact a member of Baker Donelson’s Global Business Team below.

____________________________________________________________________
Joe D. Whitley is a shareholder at Baker Donelson and chairs the Firm’s Government Enforcement and Investigations Group. He can be reached at jwhitley@bakerdonelson.com. 

Alan Enslen is a shareholder with Baker Donelson and leads the International Trade and National Security Practice and is a member of the Global Business Team. He can be reached at aenslen@bakerdonelson.com. 

Julius Bodie is an associate with Baker Donelson who assists U.S. and foreign companies across multiple industries with international trade regulatory issues. He can be reached at jbodie@bakerdonelson.com. 

Frank Xue is an associate with Baker Donelson who assists Chinese clients with matters in the U.S. related to foreign direct investments, mergers and acquisitions, and private equity/venture capital. He can be reached at fxue@bakerdonelson.com. 

_______________________________________________________________________

1. CCL Translation: “Cyber-security Law of the People’s Republic of China,” Dezan Shira and Associates. https://www.dezshira.com/library/legal/cyber-security-law-china-8013.html.

2. CCL Article 9; see also Laney Zhang, China: New Regulation on Police Cybersecurity Supervision and Inspection Powers Issued, Library of Congress (November 13, 2018) (discussing Measures of Internet Security Supervision and Inspection by the Public Security Organs, (Sept. 15, 2018, effective Nov. 1, 2018)) https://www.loc.gov/law/foreign-news/article/china-new-regulation-on-police-cybersecurity-supervision-and-inspection-powers-issued/.

3. See, e.g., China: Abusive Cybersecurity Law Set to be Passed, Human Rights Watch (November 6, 2016) https://www.hrw.org/news/2016/11/06/china-abusive-cybersecurity-law-set-be-passed; China adopts cyber security law in face of overseas opposition, Reuters (November 6, 2016) https://www.reuters.com/article/us-china-parliament-cyber-idUSKBN132049.

4. Draft Cybersecurity Classified Protection Regulations, China Ministry of Public Security (June 27, 2018) http://www.mps.gov.cn/n2254536/n4904355/c6159136/content.html?from=timeline&isappinstalled=0.

5. See, e.g. Simone McCarthy, Will China’s revised cybersecurity rules put foreign firms at risk of losing their secrets?, South China Morning Post (October 13, 2019) https://www.scmp.com/news/china/diplomacy/article/3032649/will-chinas-revised-cybersecurity-law-put-foreign-firms-risk.

6. Greg Roumeliotis, Yingzhi Yang, Echo Wang, Alexandra Alper, Exclusive: U.S. opens national security investigation into TikTok, Reuters (November 1, 2019) https://www.reuters.com/article/us-tiktok-cfius-exclusive/exclusive-u-s-opens-national-security-investigation-into-tiktok-sources-idUSKBN1XB4IL.

7. Reuters,  How TikTok, Caught in U.S. Regulatory Crossfire, Rose to Global Video Stardom, The New York Times (November 4, 2019) https://www.nytimes.com/reuters/2019/11/04/business/04reuters-tiktok-cfius-factbox.html.

8. See, e.g. Senator Marco Rubio Letter to Secretary of Treasury Steven Mnuchin https://www.rubio.senate.gov/public/_cache/files/9ba023e4-2f4b-404a-a8c0 e87ea784f440/FCEFFE1F54F3899795B4E5F1F1804630.20191009-letter-to-secretary-mnuchin-re-tiktok.pdf

9. Senators Charles E. Schumer and Tom Cotton Senate Letter (October 23, 2019) https://www.democrats.senate.gov/imo/media/doc/10232019%20TikTok%20Letter%20-%20FINAL%20PDF.pdf.

10. See, e.g., Christiana Farr and Ari Levy, The Trump administration is forcing this health start-up that took Chinese money into a fire sale, CNBC (April 4,  2019) https://www.cnbc.com/2019/04/04/cfius-forces-patientslikeme-into-fire-sale-booting-chinese-investor.html; Echo Wang, China’s Kunlun Tech agrees to U.S. demand to sell Grindr gay dating app, Reuters (May 13, 2019) https://www.reuters.com/article/us-grindr-m-a-beijingkunlun/chinas-kunlun-tech-agrees-to-u-s-demand-to-sell-grindr-gay-dating-app-idUSKCN1SJ28N.

11. Huawei Entity List and Temporary General License Frequently Asked Questions, Department of Commerce (September 18, 2019) https://www.bis.doc.gov/index.php/documents/pdfs/2447-huawei-entity-listing-faqs/file

12. Philip Heijmans and Haslinda Amin, Ross Optimistic on China Deal, Trump Wants It Signed in U.S., Bloomberg (November 3, 2019) https://www.bloomberg.com/news/articles/2019-11-03/ross-optimistic-on-china-trade-deal-says-huawei-licenses-coming?srnd=premium.

13. See, e.g., Associated Press, Hungary Says Huawei to Help Build Its 5G Wireless Network, New York Times (November 5, 2019) https://www.nytimes.com/aponline/2019/11/05/business/bc-eu-hungary-huawei.html; Chloe Taylor, Germany set to allow Huawei into 5G networks, defying pressure from the US, CNBC (October 16, 2019) https://www.cnbc.com/2019/10/16/germany-to-allow-huawei-into-5g-networks-defying-pressure-from-the-us.html.

C-TPAT

C-TPAT DRIVES SUPPLY CHAIN SECURITY AND TRADE COMPLIANCE

In today’s ever-chaining business environment, organizations are faced with ongoing security challenges. It’s crucial for shippers to understand any potential risks to their supply chains and establish security plans to avoid disruption. One significant way for shippers to proactively protect their operations is by becoming a member of the Customs-Trade Partnership Against Terrorism (C-TPAT) program.

Established in 2001, as a direct result of the September 11 terror attacks, the C-TPAT program is part of the U.S. Customs and Border Protection’s (CBP) multi-layered cargo enforcement strategy. Through this voluntary program, the CBP works with the importers, shippers, carriers, brokers and logistics providers to implement best practices for ensuring a safe, secure and expeditious supply chain. Today, there are more than 11,400 certified C-TPAT partners in the program, and these companies account for more than 52 percent of the products imported into the U.S.

C-TPAT Member Benefits

In addition to promoting supply chain security, participating in the C-TPAT program can yield significant benefits for shippers and transportation providers, including:

Fewer customs inspections – C-TPAT certification offers companies the opportunity to decrease customs inspections and documentation reviews. According to the CBP, C-TPAT members are 3.5 times less likely to incur a security or compliance examination. 

Faster border crossings – Members have access to special Free and Secure Trade (FAST) lanes at border crossings, and can move to the front of the line during inspections. This can significantly expedite border crossings at many Canada/Mexico land border ports.

Quick response time – Following a national emergency, companies participating in the C-TPAT program are eligible to resume business first. 

Enhanced reputation – Participating in a national security program reflects a company’s ongoing commitment to safety. Some companies will only do business with importers that are C-TPAT certified–giving members a competitive edge. 

Cost avoidance – By decreasing potential supply chain disruptions, C-TPAT members can avoid costs associated with delayed shipments. Additionally, organizations penalized in any way is eligible to receive up to a 50 percent reduction on the imposed fine. 

Joining C-TPAT

While almost every organization that is involved in the import and export business can enroll in the C-TPAT program, eligibility requirements vary by business type. But to achieve certification, all companies are required to:

-Conduct a risk assessment

-Implement a supply chain security management system that complies with C-TPAT requirements

-Submit a detailed application

 -Meet with CBP representatives to verify security measures

In addition to obtaining their own certification, organizations can support the C-TPAT program by working with third-party logistics (3PL) providers that are also C-TPAT certified. C-TPAT-certified 3PLs act as an additional layer of protection against supply chain attacks, because they operate as an extension of the company’s established security procedures, essentially building a stronger company brand. 

A 3PL with active participation in the Mexican and Canadian markets also brings a portfolio of carriers and companies that are approved by C-TPAT, or that comply with minimum requirements for C-TPAT partners, essentially giving shippers a competitive advantage. 

Addressing Evolving Supply Chain Risks


As supply chain risk continues to evolve, so too do the C-TPAT requirements. In May, the CBP announced that it has added Minimum-Security Criteria (MSC) requirements to the C-TPAT guidelines to help further mitigate risks. Some of the areas that were incorporated and updated in the program’s new criteria included:

-Issues related to cyber security

-Protection of the supply chain from agricultural contaminants and pests

-Prevention of money laundering and terrorism financing

-The proper use and management of security technology, such as intrusion alarms and security camera systems

-Members are expected to implement the new criteria throughout the remainder of 2019, and validation of the new MSC will begin in early 2020.

Support Supply Chain Safety

With security risks threatening supply chains around the globe, it is important for companies to support initiatives that aim to tackle and prevent supply chain risks. By obtaining C-the certification, businesses have the unique opportunity to take an active role in supporting national security while improving their own supply chain operations. 

While there are no costs associated with joining the C-TPAT program, companies often have to invest in improving their practices to meet the minimum-security requirements and effectively maintain a compliant program. However, this investment goes a long way in helping companies mitigate risk, avoid supply chain disruptions and drive greater efficiencies for cross-border transport.  

______________________________________________________________

Linda Bravo is the Corporate Customs Broker at Transplace, where Sergio Flores is the Safety and Security Coordinator. Transplace is a 3PL provider offering logistics technology and transportation management services to manufacturers, retailers, chemical and consumer packaged goods companies. Learn more at Transplace.com.

automotive

Automotive Industry Cyber Attacks: Trends and Threats to Watch Out For

A report released from Upstream Security estimates the automotive industry is at risk for losing $24 billion within five years all due to cyber hacks. The company specializes in cloud-based security and took reported cases at a granular level to understand cyber threats and trends to combat in 2019.

The findings were confirmed through a study conducted that analyzes over 170 cyber cases reported between 2010-2018. The study also revealed different ways hackers attack including physical and long-range and wireless strategies.

“With every new service or connected entity, a new attack vector is born” said Oded Yarkoni, Head of Marketing at Upstream Security. “These attacks can be triggered from anywhere placing both drivers and passengers at risk.

“Issues range from safety critical vehicle systems, to data center hacks on back-end servers, to identity theft in car sharing, and even privacy issues. The risk is immense. Just one cyber-hack can cost an automaker $1.1 billion, while we are seeing that the cost for the industry as a whole could reach $24 billion by 2023.”

Key highlights from the report include:

-Back-end application servers are directly involved in 42 percent of automotive cyber security incidents

-Tier 1 suppliers, fleet operation, telematic service providers car sharing companies and public/private transportation providers are experiencing increased threat rates for cyber security issues.

-Multi-layered security tactics such as in-vehicle, automotive cloud security and network security are recommended to reduce risk.

-Fraud and and data privacy are primarily impacted by the two new cyber attack methods.

To read the full report, visit Upstream Security.

Source: Upstream Security

Sepio Systems, Tech Data & SHI Partner for Cybersecurity

Hardware-based attacks are at the center of the tri-partnership recently announced between Sepio Systems, Tech Data, and SHI International Corp.

Tech Data channel partners and SHI customers benefit from the partnership as they are granted the option to bundle Sepio’s solutions addressing issues in cybersecurity. In addition to providing simplified deployment options for Sepio Prime/Sepio Agent security management offerings, specific network threats within uncontrolled peripheral devices and accessories are focal points customers and partners benefit from.

“As part of our continuous effort to ease our customer’s process of complying with the NIST standards and guidelines for securing Information Systems, we are excited to team with Tech Data and SHI,” said Yossi Appleboum, CEO of Sepio Systems Inc.

“Packing Sepio’s deep visibility capabilities into devices and hardware assets together with a granular policy enforcement tool greatly reduces the cyber risk organizations are facing. For the first time, Tech Data customers and partners can deploy a simple and robust software solution that addresses more than 15 controls from the NIST 800-53 Special Publication,” Appleboum concluded.

Sepio Systems currently identifies hidden hardware attacks related to rogue peripherals, invisible network devices, and manipulated firmware. The software-only based solution, Sepio Prime, currently boasts a presence in the U.S., Brazil, Singapore, and Israel.

How To Ditch The Techie Jargon And Improve Your Organization’s Cybersecurity

An office memo that tosses around terms like DRM, botnet, FTP, spear phishing and worm could be a quick, easy read for the head of the IT department.

But for everyone else in the organization it may or may not be one big mass of confusion.

And with that bewilderment comes potential danger, says J. Eduardo Campos, co-founder with his wife, Erica, of Embedded-Knowledge Inc. (www.embedded-knowledge.com) and co-author with her of From Problem Solving to Solution Design: Turning Ideas into Actions.

“There’s a serious gap in communication skills between cybersecurity pros and their general audiences, and it’s essential for the people on the IT side to bridge it,” Campos says. “Increasingly complex security threats demand that cybersecurity professionals use plain language when they are communicating with those less familiar with tech talk.”

Otherwise, he says, an organization could be vulnerable to hackers even if the staff had been warned about what to look for, simply because the employees didn’t understand the language behind the warning.

After all, cyber threats aren’t just a technology problem – they are a people problem, says Campos, who worked on cyber threats as a former employee of Microsoft.

“People are the weakest link in computer security and many companies don’t promote a company philosophy of ‘computer security is everybody’s business, ” he says.

Campos suggests a few ways to improve communication between those in charge of cybersecurity and everyone else in the organization:

Incorporate this need into the hiring process. When hiring new staff for your IT and cybersecurity team, look for experts who have not only tech skills, but also the skills necessary to comfortably interact socially and clearly communicate in lay terms with all the stakeholders in the organization.

Focus on training. Cybersecurity teams can be trained to become solution designers who can connect the dots, Campos says. They can then capture, clarify, and address all stakeholders’ concerns, helping them to determine and keep their goals aligned. Such cybersecurity pros enable success by listening to everyone involved before sharing their own viewpoints.

Realize this is an ongoing process. It’s important to ensure that the improved communication is sustained over the long haul, and people don’t revert to old ways down the road, Campos says. “You will want to monitor the situation so that you can quickly spot and head off any problems,” he says. “You can create a feedback loop so that the employees are encouraged to let you know how things are working.”

“Data breaches, data ransom plots, and email hacks intimidate us all,” Campos says. “Cybersecurity teams themselves feel hard-pressed enough to prepare themselves for the onslaught of these gremlins, let alone to accomplish the challenging task of communicating to stakeholders about how to mitigate and deal with cybersecurity risks.”

“But for organizations to keep their information and systems safe, that communication needs to be done, and in a way everyone can understand.”

About J. Eduardo Campos

J. Eduardo Campos is co-author with his wife, Erica, of From Problem Solving to Solution Design: Turning Ideas into Actions. Campos spent 13 years at Microsoft, first as a cybersecurity advisor, then leading innovative projects at the highest levels of government in the U.S. and abroad.  His consulting firm, Embedded Knowledge Inc. (www.embedded-knowledge.com), works with organizations and entrepreneurs developing customized business strategies and forming partnerships focused on designing creative solutions to complex problems.

GlobeNet Steps Up Cyber Security with Anti-DDoS Gold Mitigation Service

Following successful implementation of the Silver Anti-DDoS Mitigation Service, GlobeNet announced the launch of the latest version of the offering. The Gold Anti-DDos Mitigation Service will formally address diverse and complex customer demands while combating the significant increase in DDoS attacks – reported to have increased 500 percent since 2017.

The upgraded cyber-security solution’s features include a wide range of capabilities that enable customers to operate with fewer limitations and proactive measures to ensure their success, security, and overall efficiency in protection.

Features such as unlimited clean bandwidth and mitigated attack volume, protection policy flexibility, dynamic detection and neutralization of attacks, early detection of malicious traffic, and more provide clients with the peace of mind knowing the overall risk of downtime is reduced. Ultimately, clients have more options to secure their networks based on their specific needs.

“GlobeNet’s Anti-DDoS Gold and Silver levels provide an effective solution to the growing scale of modern DDoS attacks,” said Eduardo Falzoni, CEO of GlobeNet.

“With this new service, our customers now have the enhanced flexibility to choose the option that will best suit their needs. Both services provide 24/7 network protection without the need for organizations to make costly capital investments in their own anti-DDoS solutions. As a result, we ensure peace of mind for our clients’ mission-critical infrastructure and traffic.”

The Best Weapon Against Cyber Threats Is Not Better Tech – It’s People

When a company’s computers are hacked, management’s first impulses often are to invest in better software, better virus protection packages, better computers or even entire networks.

But they may be putting the emphasis in the wrong place.

“The problem’s root cause is usually not the technology, but people,” says J. Eduardo Campos, co-founder with his wife, Erica, of Embedded-Knowledge Inc. (www.eecampos.com) and co-author with her of From Problem Solving to Solution Design: Turning Ideas into Actions.

Campos, who worked as Chief Information Security Officer (CISO) in large international corporations, says “organizations that take a simplistic approach, assuming “computer hacks are an IT department’s problem” are headed for trouble. “Cybersecurity is everyone’s job,” he cautions.

For lasting results, Campos harnesses the power of solution design techniques to develop cybersecurity systems and protocols, based on the I.D.E.A.S. framework, outlined in his book:

Identify: Get to the root cause of the problem. Step back, take a breath, and assess the situation, so that you will ensure you are treating not just the symptoms.

Design To avoid security breaches, take time to determine the options that can be used to address all the problems related to these issues.

Engage. Confirm that everybody who is impacted by a new cybersecurity program or effort is on board with the changes before they are implemented.

Act. Implement mandatory training for all employees to explain the common ways hackers enter the system, including how phishing works.

Sustain. Design metrics to keep cybersecurity policies in place and implement an easily accessible system for employees to identify and report incidents.

“The company that truly engages all of its employees, suppliers, vendors and other stakeholders to be knowledgeable and aware of basic cybersecurity protocols,” Campos says, “will have a much better chance of countering criminals.”

 

About J. Eduardo and Erica Campos

Eduardo Campos and Erica W. Campos are co-authors of From Problem Solving to Solution Design: Turning Ideas into Actions. They have a combined tenure of over fifty years solving complex problems for global organizations. J. Eduardo is an expert in strategic, human-centric solution design with a background in cybersecurity and business development. He has worked on four continents, tackling intercultural and multinational problems, and spent the last 13 years at Microsoft, first as a cybersecurity advisor, then leading innovative projects at the highest levels of government in the U.S. and abroad. His consulting firm, Embedded-Knowledge Inc. (www.http://www.eecampos.com), works with organizations and entrepreneurs to develop customized business strategies and to form partnerships focused on designing creative solutions to complex problems.

 

5 Key Considerations for your Cyber Security Strategy

Cyber security. Not only do all organizations need it, but most organizations need to improve it. As hackers and all other manner of cyber criminals get increasingly crafty, the average cyber security team is struggling to keep pace. As it turns out, the road to hell is paved with well-intentioned but somewhat unfocused cyber security efforts.


Therefore, developing a cyber security strategy is a good foundational step for obtaining the level of cyber security necessary to protect your business, employees, customers and reputation. And taking attention of these five key considerations is a good foundational step for developing a cyber security strategy.

Set out clear objectives

All organizations need cyber security, but what works for one organization could be a disaster for another. This is not the place to attempt to implement a one size fits all approach. To begin to understand what your cyber security objectives should be, you need a solid understanding of the threat landscape as well as where your organization and critical business operations fit into it. Does your organization need to better protect customer data? Become fully compliant with new regulations? Incorporate a cyber security mindset across all aspects of business operations and functions? Become more resilient to attacks? Before a strategy can begin to take shape, you need to know what you’re working towards.

Identify your assets to establish cyber security priorities

The first part of this step is putting together a comprehensive list of the organization’s most important databases, networks, applications and any other assets. What are they? Where are they? What is currently protecting them? What are they connected to?

The second part of this step involves completing a nerve-wracking exercise, but it’s something that needs to be done over and over again if you’re going to have a solid cyber security strategy: assess your organization from the attacker point of view. Of all those assets in the list, what are most attractive to potential attackers? What could inflict the most damage to your organization if it were compromised? What would interrupt the largest number of business processes? Look at this from every possible angle, from the profit-driven hacker to the attackers hired by underhanded competitors to politically-motivated hacktivists – which of your assets are the biggest targets? These are your cyber security priorities.

Determine where you’re vulnerable

This is where you once again need to get proactive. Hacking simulation, penetration testing and other offensive-minded approaches are necessary to find your organization’s weak spots and vulnerabilities as well as figure out exactly how deep someone could get into your networks, systems and databases if they made it in. This serves to help you:
1) Shore up those vulnerabilities as much as possible and…
2) Put in place monitoring measures that help detect and respond to suspicious activity as quickly as possible – a managed security operation center (SOC) might be the best option for organizations that don’t have a robust in-house SOC. 

Make sure you have the right technology and personnel in place

As much as you might hope differently, it isn’t enough to simply invest in the best cyber security technology. Think of it like having an F-35 in your driveway. It’s a marvel of technology, but what good is it going to do if you don’t have a pilot to operate it? What your organization needs is a combination of the right technology, processes and the people who have the skills to orchestrate it.


To get the right cyber security team in place you need to consider your organization’s objectives as well as priorities and vulnerabilities. The team you need could include security engineers and architects, analysts, incident responders, ethical hackers, pen testers, forensic experts, auditors and a chief information security officer, to name a few possible positions, and all these employees need to be able to operate at a high enough level to deal with the threats your organization is facing. If it isn’t possible to staff an in-house team at the level your organization requires, it may once again be time to consider a managed cyber security solution.


Whether you’ve got an in-house team or a managed solution, you then need to ensure you’re working with the right vendors to arm your team with the technology they need to keep your assets protected, otherwise you’ll have the stealth fighter pilot but no F-35.

Assess the overall organization’s cybersecurity awareness

You can have the right cyber security people combined with the highest rated technology and the ideal offensive-minded approach to cyber security for a top-notch security operation center, but it won’t matter if your overall organization is not educated on cyber security threats.


From malware, spear phishing attacks to weak passwords and mishandled credentials, the current cyber security landscape is rife with attackers who know that organizational cyber security awareness and education is lacking and know exactly how to capitalize. From top to bottom, your employees need to be educated on the threats that exist, trained on what they must do to protect your organization, and the potential consequences to the organization if they don’t.


Getting ahead

No one said developing and following a cyber security strategy would be easy, but when done well, it’s one of the most worthwhile investments of time, effort and money an organization can and should make.
The threats aren’t going to let up and in fact will only grow in size, scale and sophistication. With a proactive cyber security strategy, you can stay one step ahead of even the most talented attackers, and one step ahead is the only place you want your organization to be.

Source: CyberHat