Insights For Success

Strategy, Innovation, Leadership and Security


Companies buying bitcoin to prepare for cyber extortion

General | Edward Kiledjian

In an uncertain world where kidnapping for ransom is an all too common occurrence, many hostage negotiators use a no-concession policy. They justify this position by explaining that paying a ransom makes it more likely that the perpetrators will try it again, and oftentimes the ransom is used to fund illegal or terrorist organizations.

Although I have seen very little empirical evidence to prove that this no-concession approach is more desirable than paying the ransom, this mentality was carried into the digital age when cyber-ransoms, cyber-extortion and crypto-malware became prevalent.

More and more companies, though, have started to take a different approach and are now prepared to pay a ransom in exchange for saving their networks, devices and information. To meet these demands quickly, some companies have started to store bitcoin as a risk mitigation strategy.

Why this change of heart? Much of the most popular, well-written malware was actually designed to ensure victims could recover their data once the ransom was paid. This attention to detail and solid "customer service" by the bad guys means victims are now relatively certain that they will be saved if they pay the ransom.

Sure, paying the ransom means funding organized crime and will likely fuel the next wave of crypto-malware, but companies have a duty to protect their organization (rather than take the moral high ground).

This change in mindset is so pronounced that traditional physical K&R (kidnap and ransom) negotiation experts have started to test the cyber-extortion and cyber-ransomware negotiation space.

True, verifiable numbers are hard to find, but firms like Recorded Future (a cyber-intelligence company) have stated that they believe the cyber-ransom market has now reached the $1B mark. Kaspersky says a company is cyber-attacked every 40 seconds.

Obviously, crypto-malware can be counteracted by proper, regular offline backups, but many companies don't start a robust recovery program until it's too late. They either pay the ransom or lose their data. It's that plain and simple.

Right now the advantage is with the attacker. Corporate information security groups have to bat 100% to keep the company safe. This is expensive, time consuming and not always achievable. The attacker just needs to infect 1 machine on the network and can then propagate and move laterally from there.

Companies have started to jump on the ransomware protection bandwagon. An EDR and "next-generation AV" company called Cybereason offers a free product called RansomFree. They claim it protects against 99% of ransomware by monitoring how applications interact with files on your computer. Did I mention RansomFree is free? I haven't used their product and thus can't recommend it, but it does seem useful and could really help the average consumer avoid being victimized.

It is clear that this malware is written by extremely skilled and determined threat actors. This isn't code written in somebody's basement, but rather the product of a professional extortion company with developers, quality assurance and even customer support to ensure a paying "customer" is taken care of.

So the question is: will your company prepare by buying and storing bitcoin? If so, how much should you store? That is the new question.

9 most important questions to determine if a project is worthwhile

General | Edward Kiledjian

George H. Heilmeier was a DARPA director and developed 9 questions to help the agency determine the worthiness of projects submitted to it for funding. These 9 powerful questions are referred to as the "Heilmeier Catechism" and have become a core operating paradigm for DARPA (Defense Advanced Research Projects Agency) and IARPA (Intelligence Advanced Research Projects Activity).

These questions are so powerful that they are used in the business world day in and day out. I first learned about them while having lunch with a VC in San Francisco. He explained that many of his peers also use these questions when determining the funding worthiness of a proposal.

There have been variations on the questions, but I recommend sticking with the original 9:

  1. What are you trying to do? Articulate your objectives using absolutely no jargon. What is the problem? Why is it hard?
  2. How is it done today, and what are the limits of current practice?
  3. What's new in your approach and why do you think it will be successful?
  4. Who cares?
  5. If you're successful, what difference will it make? What impact will success have? How will it be measured?
  6. What are the risks and the payoffs?
  7. How much will it cost?
  8. How long will it take?
  9. What are the midterm and final "exams" to check for success? How will progress be measured?

This is a variation on the journalist's who, what, where, when, why and how strategy. Obviously, answering these questions will not change the world or guarantee the success of a project. They will, however, greatly reduce the risks you take by ensuring the key concepts are thought of and understood.

Every project manager should be performing a pre-mortem

Management | Edward Kiledjian

As a business leader, I have participated in and managed hundreds of post-mortem reviews for projects and deals. It is a sound strategy for identifying the elements that failed or that could be optimized.

Those who cannot remember the past are condemned to repeat it.
— George Santayana

But what if you could gain all of the benefits of this activity before the initiative fails, thus potentially saving it? A pre-mortem (or premortem) is essentially a role-playing exercise in which participants assume the project has already failed and then determine why it failed and how the failure could have been prevented.

Why this works

Issues rarely "just happen". There are usually warning signals that show up before any failure. Typically these are:

  • You know you are not undertaking the required maintenance, which will likely lead to failure (project monitoring, follow-ups, etc.)
  • You can "feel" the project deviating from its core purpose
  • You start noticing "out of the ordinary" or unexpected results

An ounce of prevention is worth a pound of cure

Instead of retrospectively looking at why the project failed, why not take the time to foresee what could go wrong and fix it?

The best way is to invite a core group of knowledgeable experts, ask them to imagine the project failing, and then lead the group to identify possible preventative measures. It sounds easy because it is.

The Pre-Mortem Process

Step 1 - Doom and Gloom

Lock your key people in a room and ask them to imagine every possible way the project could fail. Big or small, each should be written down individually on a sheet of paper. Remind the team that no failure is too big or too small. Every issue should start with "what if":

  • What if the supplier doesn't deliver the part?
  • What if the supplier goes out of business?
  • What if the price of the part shoots up significantly?
  • What if...
  • What if...
  • What if...

As a moderator, your role is to ensure everyone spends this time thinking about problems and not solutions. No judgement and no filtering: we don't want participants making risk judgements at this stage to eliminate possible failures.

Step 2 - Prioritization

Share all of the failure possibilities with the participants and narrow the list down to the top 10, top 20 or whatever other number you are comfortable with. For most projects, I typically like top 10 lists. For more critical or larger projects, I may go to a top 25 list.

When reviewing the list (collectively), remind the participants that there are really 3 things to consider in this step:

  1. Choose failures whose realization would have a severe and catastrophic impact on the project.
  2. Choose failures that are likely to happen. There could be some debate, but the threat of a comet hitting your datacenter can probably be crossed off the list.
  3. Choose failures that are within your span of control. Some failures are outside of your control and cannot be mitigated by you. Chuck those out.

Step 3 - Solutioning

Give me six hours to chop down a tree and I will spend the first four sharpening the axe.
— Abraham Lincoln

If the first 2 steps were done properly and diligently, then this last step should be fairly easy and straightforward. Assign the final problems to owners, and each owner must:

  • Come up with a plan to prevent the failure from occurring
  • Come up with a backup plan in case prevention doesn't work

The final step is to ensure every action item is given an owner and a due date. These should be tracked as part of the master project plan and reported on weekly.