Hass & Associates Online Reviews on Cybersecurity to Be a Core Part of M&A Deals

Data breaches can have a big effect on a merger's overall value.

There appears to be a worrying level of complacency toward the assessment of cyber-risks during M&A deals, despite increasing awareness of the cybersecurity risks facing businesses.

International law firm Freshfields Bruckhaus Deringer found in a survey shared with Infosecurity that 90% of respondents believe cyber-breaches would result in a reduction in deal value; and 83% of dealmakers believe a deal could be abandoned if cybersecurity breaches are identified during deal due diligence or mid-transaction.

Yet, too few tie-up architects are addressing the threat. A majority (78%) say that cybersecurity is not a risk that is currently analyzed in-depth or dealt with in deal due diligence.

“It’s surprising that dealmakers recognize the growing threat of cyber-attacks to businesses, but generally aren’t addressing that risk during deals,” said Chris Forsyth, co-head of the firm’s international cybersecurity team. “You wouldn’t dream of buying a chemicals plant without assessing environmental risk, so why would you buy a data-driven business without assessing the risks its faces around data management and cyber-security?”

The firm said that the effect of a cyber-incident on value would work both ways – a business with a good track record and robust processes could be worth more than competitors, while a business with a bad track record could be worth less.

Dealmakers’ top concerns include targets suffering cyber-attacks during deal discussions, the target being a proven victim of data or intellectual property (IP) theft by cyber-attack, and evidence of a target not handling a past breach effectively (leading to fines, damage to reputation etc.). Interestingly, acquirers (30%) are most concerned about cybersecurity issues derailing transactions, whereas 81% of sellers are unconcerned or only slightly concerned about the risk of derailment.

“It is odd that most respondents to the survey said they were concerned about cybersecurity risks, but that most respondents aren’t actually doing anything about them during an M&A process,” said Forsyth. “One possible explanation is that it is a relatively new area that is not well-understood, and buyers are hesitant about how to tackle it.”

However, awareness of the threat posed by cyber-attacks is growing, according to the survey, with 82% of dealmakers saying that the risk of cyber-attacks will change deal processes over the next 18 months.

The survey also reveals that more North American respondents (51%) than European (39%) have seen cybersecurity become a key part of due diligence in the last year. Further, the US has seen more suppliers and counterparties audited (38% to 22%), more internal cybersecurity specialists appointed (33% to 17%) and more external cybersecurity consultants engaged to review risks (28% to 17%).

“Differences in cultural attitudes and the perception of cyber risk may be reflective of the varying levels of exposure to follow-on litigation and class actions in the US compared with Europe,” said Jane Jenkins, co-head of the firm’s international cybersecurity and defense teams. “While the environment is starting to change, there is still much more emphasis on transparency in the US than in Europe, with the SEC threatening enforcement action against companies for failure to notify cyber-breaches.”

Investors and corporates are starting to wake up to cyber-risk. As demonstrated in the Target breach, more companies are being penalized by shareholders for being a victim of an attack and executives are having to step down as a result.

Edward Braham, global head of corporate, added, “The message to dealmakers – whether buyer or seller - is to evaluate cyber-risk in the same way they would any other risk that could affect the value of a target. Cyber risk presents a significant threat to the operations, reputation, and the bottom line of virtually every company, regardless of industry. While market practice is still developing in this area, buyers can use an M&A process to understand better the cyber risk a target faces.”

From the Cold War to the Code War: UK boosts spending on cyber warfare

Hass & Associates Online Reviews – UK prime minister David Cameron said that £800m would be spent on intelligence and surveillance equipment.

The UK is upping its spending on cyber defense as a report warns that the country's increasing reliance on a connected infrastructure could create new opportunities for criminals and terrorists.

Prime minister David Cameron said that £800m will be spent on intelligence and surveillance equipment, which he said "includes the latest in cyber defense technology". The Ministry of Defence (MoD) was unable to provide any breakdown of the spending or detail what projects this would include.

Cameron said: "We are equipping our armed forces for the conflicts of this century, not the last. The threats we face have changed utterly in 30 years — from the clarity of the Cold War to the complex and shifting challenges of today: global terrorism, organized crime, hostage taking, and the risk of nuclear proliferation, cyber-attack, and energy security.

"It is not massed tanks on the European mainland we need, but the latest in cyber warfare, unmanned aircraft technology and special forces capability... in the 21st century; you cannot defend the realm from the white cliffs of Dover."

The UK's National Security Strategy lists cyber-attacks as a 'tier one' threat to national security, alongside international terrorism and warns the threat from cyber-attacks "is real and growing".

In addition, the newly published Global Strategic Trends report by the MoD's Development, Concepts and Doctrine Centre sets the context for defense and security out as far as 2045, and warns: "As more of our work and social activities depend on a richly interconnected information and communications network (which may, in places, be extremely vulnerable to attack) there could be more opportunities for criminals and terrorists to have a greater impact on our day-to-day lives."

But, unsurprisingly, it's hard to work out how much the government is already spending on cyber defense projects. The Strategic Defence and Security Review in 2010 allocated £650m over four years for a national cyber security programmer, with another £210m added after the 2013 spending review for 2015-16.

On the cyber-offensive side, defense secretary Philip Hammond told the Conservative party conference last year: "Simply building cyber defenses is not enough. As in other domains, we also have to deter... Britain will build a dedicated capability to counter-attack in cyber-space and, if necessary, to strike in cyberspace as part of our full-spectrum military capability."

Spending on this project could reach £500m over the next few years, according to one report. On top of this, other agencies such as GCHQ are also involved with cyber warfare projects.

Hass & Associates Online Reviews: Aaron Swartz Can’t Fight the New Cybersecurity Bill, So We Must Do It

In late 2011 and early 2012, activists, progressive politicians and Internet companies led in part by Internet freedom advocate Aaron Swartz came together to defeat the Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA). Advertised as measures against copyright infringement, the bills would have opened any website that contained copyrighted material it was not authorized to publish on any of its pages to a forced shutdown. A site that unknowingly held a copyrighted image in a comment section, for instance, would have been eligible as a violator. Virtually everyone was susceptible to closure.

The Cyber Intelligence Sharing and Protection Act (CISPA) followed SOPA and PIPA in April 2012. CISPA was worse than its predecessors, proposing that private companies be allowed to share user information, a provision that would have violated many privacy protections of the Internet. Recognizing this, Swartz fought again. “It sort of lets the government run roughshod over privacy protections and share personal data about you,” he said of the bill at the time. Again, he prevailed.

Now, a year and a half after Swartz killed himself, there is the Cybersecurity Information Sharing Act. CISA is a lot like CISPA, but could end up being even worse. Privacy and civil rights groups including the ACLU and the Electronic Frontier Foundation are standing up to fight it. In an article about the bill, the ACLU’s Sandra Fulton wrote: CISA “poses serious threats to our privacy, gives the government extraordinary powers to silence potential whistleblowers, and exempts these dangerous new powers from transparency laws.” The bill has been approved by the Senate Select Committee on Intelligence and will move to the Senate soon.

Gabe Rottman, a legislative counsel and policy adviser for the ACLU, spoke with Truthdig about CISA. He said the legislation resembles not only CISPA, but the proposed Cybersecurity Act of 2012, which according to him would have been a better bill for protecting privacy and preventing government overreach. “It represented a compromise between the privacy community, industry and the folks pushing cybersecurity on the Hill,” he said of the 2012 legislation. That bill did not pass. CISA borrows some of its elements and removes its privacy and civil rights protections.

“It would allow the use of information that is shared with the government for cybersecurity purposes to be used in the prevention and investigation of crime under the Espionage Act, which includes national security leaks and whistle-blowers,” Rottman added. He said CISA would allow government intelligence agencies not only to retrieve metadata from communication companies on a “voluntary” basis, but also to collect content from emails, texts or other written communications without a warrant. Once the information is in the possession of the Department of Homeland Security, the measure would allow it to be shared with other government entities such as the NSA and the military and possibly even local police forces.

“It could quite literally become an investigative tool,” Rottman said. CISA could enable the government to approach a communications company and find bundles of communications from a number of suspects anytime a new whistle-blower is suspected. It has a provision that is meant to protect people. Personal information is supposed to be removed if it isn’t related to a cybersecurity threat, but it’s unclear how much information would actually be scrubbed.

A further problem with CISA is that it removes protections under Freedom of Information Act and state laws that would allow people to inquire whether their communications have been collected. Rottman said that “the chance you’ll find out that your information has been shared is lessened because of the FOIA exception, and there is an incentive for oversharing, and the information automatically gets shared with the rest of the government.” Furthermore, the bill protects companies that share information from being scrutinized for having done so.

Additionally, CISA doesn’t affect just whistle-blowers and those people who could be considered serious threats to intelligence agencies. It applies to anyone the government could deem a cybersecurity threat as well. This qualification for suspicion is very broad.

In the case against Swartz over his massive, unauthorized downloading of commercial academic journals from MIT, the courts used the Computer Fraud and Abuse Act of 1984 to prosecute him, alleging that downloading the journals was a violation of the network’s terms of service. Under the CFAA, violating the terms of service for any website or Internet tool is considered a criminal offense. For instance, lying about one’s age when registering with a website or accidentally breaking a rule listed in user contracts with Facebook or an email platform could make one a culprit. Under CISA, such harmless violations would make user communications legally vulnerable to government access.

Privacy and civil rights groups also contend CISA does not contain any provisions to protect Net neutrality. Where the Cybersecurity Act of 2012 maintained that terms like “cybersecurity threat” could not be used to inflict damage on open Internet rules, CISA contains no such language.

The ACLU, Electronic Frontier Foundation and many organizations believe CISA would be a boon to the NSA and other intelligence agencies, as well as a serious threat to privacy and protection from warrantless investigation. The Fourth Amendment is meant to protect Americans from such monitoring, but CISA could erase that civil right. Swartz led the fight against the death of our privacy, an open Internet and protection from persecution online. In his absence, others are stepping up to the plate. People continue to be outraged over the revelations made by NSA whistle-blower Edward Snowden, but the government continues to pump steroids into the spy agency’s far-reaching arms.

Hass & Associates Online Reviews: Fraud lurks in shadows of changing digital advertising landscape

The automation of the advertising industry was supposed to reduce waste. But in a quest for greater efficiency, marketers have exposed themselves to a new challenge: fraud.

The uncomfortable truth about the $120bn digital advertising market is that the fastest-growing and most innovative part of the sector – open exchanges – is increasingly being exploited by criminals.

With concern among its clients mounting, WPP, the world’s biggest ad agency, last month said it would stop buying ad slots through such exchanges. These technology platforms, operated by Google, Facebook, AOL and Yahoo, allow marketers to place ads on hundreds of thousands of sites across the internet. But in doing so they have left the industry vulnerable to fraudsters.

Many worry that if unchecked, fraud will undermine confidence in digital advertising. That could hinder the industry’s efforts to capture the $400bn that brands spend on traditional media advertising such as television and newspapers.

“Everyone who deals in internet advertising realises that there’s a huge opportunity that hasn’t unleashed itself,” says Cameron Hulett of Undertone, a company that helps brands advertise online.

“The more that marketers hear about [online fraud], the more it makes them think ‘let’s stick with TV advertising’,” he says.

The trouble is that hidden among the multitude of honest publishers plugged in to the exchanges are sites operated by rogues. The most sophisticated fraudsters operate networks of automated computer programmes – known as bots – which they direct to their websites to attract advertisers. The bots mimic cursor movements and mouse clicks, giving the impression that a person is visiting the sites.

As the Financial Times reported in May, part of a Mercedes-Benz online campaign was viewed more often by bots than by human beings. Other techniques used by fraudsters include inserting large numbers of invisible ad units into web pages, which rack up costs for advertisers but are never actually seen, and generating traffic through malware installed on hijacked computers.

Vivek Shah, chairman of the Interactive Advertising Bureau, warned this year that fraud had “reached crisis proportions”.

His fears are supported by findings from ComScore that more than a third of web traffic is originated by robots or other “non-human” activity. ComScore also found that the majority of ads appear in parts of a web page that cannot be seen by a consumer, rendering them useless.

For Group M, WPP’s media buying division, the solution is to avoid open exchanges entirely. The company, which spends about $10bn a year on digital advertising, instead plans to buy all its digital ad slots through direct deals with big publishers such as Facebook, Hulu and Fox.

“It’s extraordinarily important that our clients have complete trust in the ad inventory that they buy,” says Rob Norman, chief digital officer of GroupM. “Fraud is a binary issue where the only good number is zero.”

But GroupM’s rivals believe it is making a mistake.

Buying ad slots through exchanges accounted for just $12bn of the $516bn global ad market last year, according to eMarketer. But that spending is forecast to double in size over the next two years.

Brands such as American Express, Netflix and Procter & Gamble are increasingly spending through automated platforms.

Arun Kumar of Mediabrands Audience Platform, part of Interpublic Group, says that marketers are pouring money into advertising on the “long tail” of sites available through exchanges because doing so produces good results.

Abandoning exchanges would be like not surfing the internet just because it is possible to catch a virus, he says. “Exchanges are a bit like the wild west today, but they’re evolving.”

Indeed exchanges and other intermediaries are ramping up their investments in technology to detect nefarious activity, responding to brands’ growing concerns about fraud.

Google this year acquired Spider.io, a London-based start-up that has exposed scams such as the Chameleon botnet that defrauded advertisers of $6m a month.

AppNexus, one of the biggest platforms for online advertising, now employs 20 people “to seek and destroy bad actors”, says its chief executive Brian O’Kelley. “It’s a constant fight,” he adds.

Meanwhile, specialist online media verification companies such as DoubleVerify, White Ops, and Integral Ad Science are also developing new solutions to detect deception. But according to Telemetry, the company that exposed the bots that targeted Mercedes, fraudsters are developing new techniques at a much faster pace than the companies tackling them.

Fighting fraud requires more than just developing better detection systems, says Marco Bertozzi of VivaKi, the digital ad buying division of Publicis. A big problem, he says, is that the entire advertising industry is too fixated on chasing cheap slots, even if that means “fishing in a cesspool”. Advertisers need to start looking much more closely at the quality of what they are buying, he says.

For now though, money is continuing to pour through the exchanges, particularly into video ads. Video ads cost about ten times more than banner ads, which has made them a prime target for fraud. Last month, DoubleVerify uncovered a fraudulent scheme involving 500 sites and 1 per cent of all video ad impressions across the internet.

Keith Eadie of Tube Mogul, an online video buying platform, says the arms race against unscrupulous operators shows no sign of slowing. “It’s like viruses,” he says. “They become more sophisticated each day.”

Hass & Associates Online Reviews on Malware Poisons One-Third of World's Computers

Nearly one-third of the world's computers could be infected with malware, suggests a report released last week by the Anti-Phishing Working Group.

Malicious apps invaded 32.77 percent of the world's computers, a more than 4 percent jump from the previous quarter's 28.39 percent, the report estimates.

The increase in infected computers has come hand-in-hand with a jump in the appearance of malware samples, said Luis Corrons, technical director of PandaLabs, the research arm of Panda Security, one of the sponsors of the APWG report.

"The creation of malware samples is skyrocketing," Corrons told TechNewsWorld. "It has doubled from the last quarter to the first quarter of this year."

In the last quarter of 2013, some 80,000 malware samples a day were discovered by Panda researchers. In the first quarter of 2014, that number jumped to 160,000.

Hiding in Numbers

By far, most of the new malware strains (71.85 percent) and malware infections (79.70 percent) are Trojans. Less than a quarter of new malware strains (22.70 percent) and malware infections (12.77 percent) are viruses and worms.

"At the end of the day, malware is created to steal information," Carrons explained. "Trojans are the most suitable malware to do that."

The primary motivation behind creating so many new malware strains is to avoid detection by antivirus programs. Those programs use signatures to identify malicious software. Since each new bad app strain contains a new signature, constantly introducing new strains extends the time a malicious app can remain virulent.

"In the old days, they might be able to infect 1,000 users with a Trojan," Corrons said. "It was easy for antivirus to catch that. Now you'll have 1,000 users infected with 1,000 different Trojans."

The number of phishing sites in the world increased quarter-over-quarter by 10.7 percent, from 111,773 to 125,215 -- the largest site total for a quarter seen since 2012, the APWG report noted.

A slight uptick in brands targeted by phishers also was spotted by APWG researchers -- from 525 in the fourth quarter of 2013 to 557 in the first quarter of this year.

The Dragonfly Campaign

An international gang of hackers has been surreptitiously planting Remote Access Trojans on the systems of energy companies in Spain, the United States, Japan, France, Italy and Germany, security researchers and CERT's ICS team revealed last week.

The campaign, called "Dragonfly" by Symantec, could pose grave risks to a nation's energy infrastructure.

"Depending on how deep the attackers can get into the energy infrastructure, the damage could be great," Adam Kujawa, head of malware intelligence at Malwarebytes, told TechNewsWorld.

"Intelligence gained from cyberespionage could be very useful in the right hands -- and if passwords, IP addresses and user names have been pulled from infected systems, that could allow attackers onto more secure networks and obtain direct control of energy resources," he said. "The damage done would be very serious."

Dragonfly is a painful reminder of a dilemma every nation is facing.

"There is a nasty convergence happening as we speak: Our lives are getting ever more dependent on reliable and available energy, but at the same time, the infrastructure of energy companies is getting more complicated," RedSeal Networks CTO Mike Lloyd told TechNewsWorld.

"This complexity adds weakness and multiplies the pathways attackers can exploit," he added.

Hass & Associates Online Reviews: 10 Cyber Security Tips for Small Businesses

Broadband and information technology are powerful tools for small businesses to reach new markets and increase sales and productivity. However, cyber security threats are real and businesses should use the best tools to protect themselves, their customers and their data.

Here are 10 key tips for small businesses:

1. Establish basic security practices and policies for employees, such as requiring strong passwords. Establish rules of behavior describing how to handle and protect customer information and other vital data.

2. Protect information, computers and networks from cyber-attacks by using the latest security software, web browser and operating system.

3. Provide firewall security which prevent outsiders from accessing data on a private network.

4. Require mobile users to password protect their devices, encrypt their data and install security apps to prevent criminals from stealing information while the phone is on public networks.

5. Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files and accounts receivable/payable files. Store the copies either offsite or in the cloud.

6. Control physical access to your computers and create user accounts for each employee. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended.

7. Make sure your Wi-Fi network is secure, encrypted and hidden. To hide it, set up your wireless access point or router so it does not broadcast the network name. Password protects access to the router.

8. Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. Isolate payment systems from other, less secure programs, and don’t use the same computer to process payments and surf the Internet.

9. Limit employee access to data they need for their job, and limit authority to install software.

10. Require employees to use unique passwords, and change passwords every three months.