A new commercial has hit the airwaves in Israel. It begins with a door swinging open to reveal a beautiful seaside patio with a couple awaiting their dinners as a voiceover says, “How much have we missed going out with friends?” Well, with the Green Pass “a door simply opens in front of you” and we can “return[ ] to life.” This commercial is advertising Israel’s version of a digital vaccine passport.

Although there are still lots of unknowns, many countries and industries are considering vaccine passport programs like Israel’s, including Japan, the United Kingdom and the European Union, as well as airlines and some concert venues, to name a few.

Israel’s vaccine passport was released on February 21. There, vaccinated people can download an app that displays their Green Pass when they are asked to show it. The app can also display proof that someone has recently recovered from COVID-19, which also allows passage. Other proposed “passport systems” offer several ways to show you are not a threat, such as proof of a negative COVID-19 test. Israel hopes the technology will encourage more citizens to get vaccinated.

However, the Green Pass and other passport programs may also raise some big privacy concerns. Orr Dunkelman, a computer science professor at Haifa University, says that the Green Pass displays more information than simply whether the individual has been vaccinated or has recently recovered from COVID-19: it also displays the date of recovery and the date of vaccination. He also says that the pass uses outdated encryption technology that is potentially vulnerable to security breaches and hackers, and that because the app is not open source, no third parties can test whether these concerns are founded.

In the United States, PathCheck Foundation at MIT is working with Ideo on a low-tech solution that may address these privacy concerns before any kind of “passport” is available here. The prototype uses a paper card similar to the one individuals currently receive once they are vaccinated. To avoid fraudulent cards, however, the card being developed by PathCheck Foundation and Ideo would carry multiple forms of verification, such as QR codes that, when scanned (for example at the gate of a concert or a movie theater entrance), display only the individual’s vaccination status, while other entities (such as health care providers) would be able to scan the card and receive more detailed information (e.g., the type of vaccine received, the date, the location where it was administered, etc.). PathCheck Foundation also points out that privacy is especially important to those who are undocumented or who simply don’t trust the government, and that we don’t want to create yet another hackable repository (one that may potentially contain entire state populations).

At this point, it isn’t clear whether the United States will be able to implement a vaccine passport quickly, because we don’t have a universal identity record or a federal medical records system (which Israel does). Whichever option eventually becomes widespread across the country, however, it will need to use a system that maintains certain individual privacy rights while also allowing businesses and venues to reopen safely.

The statistic that cybercriminals have been unleashing 18 million malware-laced phishing emails a day during the pandemic is mind-boggling, and one that executives should pay attention to when prioritizing resources for user education. Math was never my strongest subject, but 18 million malicious emails targeted at all of us on a daily basis is a LOT.

A new study by Google, in collaboration with researchers at Stanford University, analyzed over a billion malicious emails and their targets, which Google had identified and blocked over a period of five months, to learn more about who was being targeted and how the campaigns targeted them. The study found that users in the U.S. were targeted more than any others in the world, followed by the United Kingdom and Japan.

The study found that the most effective phishing campaigns were fast and short-lived, lasting one to three days, and that over 100 million malicious emails were launched in these short windows. It also found that if a user’s email address or personal information had previously been compromised, they were five times more likely to be targeted by a phishing scheme, and that users aged 55 to 64 were 1.64 times more likely to be targeted by cybercriminals than 18- to 24-year-olds.

The statistic is astounding, but the results of the analysis are very informative for businesses. The takeaway is that the number of phishing schemes continues to rise, that user education remains essential to protecting company data against them, and that the education should be tailored to users’ age.

Executives and managers who are in my age group (that is, you didn’t grow up with mobile devices and computers), listen up. According to several studies, you pose a higher security risk to your organization than the up-and-comers you manage.

In a new survey of 2,000 workers aged 16 to 55+ in the U.S. and U.K., OneLogin found that senior managers were twice as likely as their junior counterparts to share a work device with someone outside the organization (42 percent vs. 20 percent); that 19 percent of senior managers share confidential passwords with a family member, compared to 7 percent of junior employees; and that senior managers work from public Wi-Fi networks at double the rate of their junior counterparts (30 percent vs. 15 percent).

There are some logical explanations for this, none of which are comforting or justified. According to OneLogin, part of the explanation is that those of us who did not grow up with technology find it difficult to learn and are intimidated by it. I have no sympathy for those who refuse to learn or who try to get around security measures because they are intimidated. It’s not that hard, and it is vital to the security of your organization.

The second reason is that executives are trying to perform at a high level and think security measures, like multi-factor authentication or logging into a VPN, take too much time. That reason is also rubbish. The entire purpose of implementing security measures is to protect the user and the organization, and figuring out a workaround takes more time and resources than simply following sound security practices. Executives and managers should think first and foremost about the consequences of a security incident caused by them.

Here are some tips for organizations to address this issue:

  • Don’t wait for executives and managers to admit they don’t understand how to implement or use technology. Give them one-on-one training so you are sure they are using the security measures and are comfortable with them.
  • Provide executives and managers with pointed educational sessions on data security so they are aware of the risks they pose to the organization if they do not adhere to data security practices.
  • Be firm when executives and managers ask for workarounds. Instead of allowing the workaround, take the time to show them one-on-one how to use the security measures, and explain in layman’s terms why the measures are so important.
  • Make adherence to security measures part of executives’ and managers’ (for that matter, ALL employees’) performance evaluations. If they don’t follow security measures, that should be documented and considered in compensation and bonus decisions. This will certainly get their attention.
  • Don’t let them get away with it. If they cause an incident, there should be consequences.

As I always say, data security is a team sport. If the captains of our teams aren’t engaged, the plays won’t work and organizations will lose the game.

The GEO Group, Inc. (GEO), a publicly held company located in Boca Raton, Florida, announced on November 3, 2020, that it is beginning to notify individuals following a ransomware attack that “impacted a limited amount of personally identifiable information and protected health information for some inmates and residents contained on certain servers for a small number of facilities including the South Bay Correctional and Rehabilitation Facility in Florida, a youth facility in Marienville, Pennsylvania, and a now closed facility in California. The incident also impacted two corporate servers with employee data.”

According to the statement on its website, the GEO Group is “not aware of any fraud or misuse of information as a result of this incident.”

The ransomware attack was discovered by GEO on August 19, 2020, after which it launched an investigation with cybersecurity firms and law enforcement. According to the website notice, “the company recovered its critical operating data and, based on its assessment and on the information currently known and obtained through the investigation, the Company does not believe the incident will have a material impact on its business, operations or financial results.”

GEO is a publicly traded organization that “is a fully integrated equity real estate investment trust specializing in the design, financing, development and operation of secure facilities, processing centers, and community reentry centers in the United States, Australia, South Africa, and the United Kingdom. GEO is a leading provider of enhanced in-custody rehabilitation, post-release support, electronic monitoring, and community-based programs.” It owns or manages 123 facilities totaling approximately 93,000 beds and employs approximately 23,000 professionals. Its website states that its “diversified services platform provides unique capabilities for the delivery of educational and vocational programs, cognitive behavioral and substance abuse treatment, and faith based services across the entire corrections spectrum.”

Based upon the statement, it appears that GEO is notifying affected inmates, residents and employees of the incident.

The UK National Cyber Security Centre (NCSC) issued an alert on October 16, 2020, to raise awareness “of a new remote code execution vulnerability (CVE-2020-16952)” that affects Microsoft’s on-premises SharePoint Server product. According to the alert, “successful exploitation of this vulnerability would allow an attacker to run arbitrary code and to carry out security actions in the context of the local administrator on affected installations of SharePoint server.”

The NCSC recommends applying security updates promptly as a matter of course, “but in this case the NCSC has previously seen a large number of exploitations of SharePoint vulnerabilities…against UK organisations…NCSC is issuing this alert to ensure that system owners are aware of this vulnerability and to ensure remediation actions are taken.”

According to the alert, the vulnerability affects:

  • Microsoft SharePoint Foundation 2013 Service Pack 1
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019

It is important to note that SharePoint Online, which is part of Office 365, is not affected by the vulnerability; only on-premises SharePoint servers need the update.

The NCSC “strongly advises that organisations refer to the Microsoft guidance…and ensure the necessary updates are installed in affected SharePoint products. It is also important to keep informed of any possible future updates to the guidance…”
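For system owners who want to confirm that the update actually landed, the following PowerShell check is an added example; it is not part of the NCSC alert or Microsoft’s guidance. It reports the farm’s build version and each server’s upgrade state so they can be compared against the patched build number for your SharePoint version. That patched build number is not given on this page and must be taken from Microsoft’s guidance for CVE-2020-16952; the script takes it as the mandatory -MinimumBuild parameter rather than assuming a value. It is meant to be run in the SharePoint Management Shell on a farm server by a farm administrator.

```powershell
<#
  Added example (not from the NCSC alert or Microsoft): report a SharePoint farm's
  build version and per-server upgrade state for comparison against the patched
  build for CVE-2020-16952.
  Assumption: -MinimumBuild is the patched build for your product, copied from
  Microsoft's guidance. No build number is assumed here.
  Run in the SharePoint Management Shell on a farm server as a farm administrator.
  Not applicable to SharePoint Online, which Microsoft patches itself.
#>
param(
    # Patched build number for your SharePoint version, e.g. from Microsoft's
    # CVE-2020-16952 guidance. Mandatory so the script never reports "patched"
    # against a guessed value.
    [Parameter(Mandatory = $true)]
    [version]$MinimumBuild
)

# Load the SharePoint cmdlets if this is a plain PowerShell window rather than
# the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farm = Get-SPFarm
Write-Host ("Farm build version : {0}" -f $farm.BuildVersion)
Write-Host ("Required minimum   : {0}" -f $MinimumBuild)

# System.Version comparison handles all four components (major.minor.build.revision).
if ($farm.BuildVersion -lt $MinimumBuild) {
    Write-Warning "Farm build is below the patched build; the CVE-2020-16952 update appears to be missing or not yet applied to the farm."
} else {
    Write-Host "Farm build meets or exceeds the patched build."
}

# The patch binaries can be installed on a server while the farm itself has not
# been upgraded (PSConfig / Upgrade-SPFarm not run). The fix is not complete until
# every SharePoint server reports NeedsUpgrade = False. Servers with Role "Invalid"
# are non-SharePoint hosts such as the SQL Server and are skipped.
Get-SPServer |
    Where-Object { $_.Role -ne "Invalid" } |
    Select-Object Address, Role, NeedsUpgrade |
    Format-Table -AutoSize
```

Two caveats when reading the output: the farm build version tracks the farm’s upgrade state, so a server where the update was installed but the configuration wizard was not run will still show the old build and NeedsUpgrade = True, and any server in that state remains exposed until the upgrade is completed. Also, run the check on every farm you operate; a passing result on one farm says nothing about the others.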