Strong Plan Can Protect Businesses From Cybersecurity Attacks

In a world ever-increasingly dependent on technology, millions of people have turned to mobile dating apps in an attempt to find that “special someone.” 

Lisa Plaggemier knows there’s another group of people who are using dating apps for a whole other reason. Dating apps, Plaggemier said, have become “incredibly popular” targets for scammers. 

Lisa Plaggemier

And she should know. Plaggemier is the executive director of the 21-year-old nonprofit National Cyber Security Alliance, which promotes online safety and cybersecurity awareness and offers a variety of programming to do just that. 

How prevalent are such scams? Plaggemier spent Valentine’s Day 2023 in a radio studio instead of with her husband so she could educate people about them. 

“It’s a really popular topic … Everybody is using them,” Plaggemier said of dating apps. “And so it’s also a really popular topic for scam artists in China. Dating scams are incredibly, incredibly prevalent, more prevalent than you’d realize.” 

The National Cyber Security Alliance was founded by a group of big-tech, financial services and telecommunications professionals in the wake of 9/11. 

According to Plaggemier, the DHS along with companies like Symantec, Microsoft, AT&T and Cisco decided the best way to educate the public was through a nonprofit fueled by public-private partnerships – funded partly by the businesses and partly by the government to “get the word out.” 

With a grant from DHS’s Cybersecurity and Infrastructure Security Agency, the group started Cybersecurity Awareness Month, which has been observed every October since 2004. 

The education hasn’t stopped since. Plaggemier said the organization runs programs “year-round,” revolving around nearly any topic, from real estate fraud to senior-citizen scams. 

This summer, she said, the NCSA did a campaign on real estate scams (its campaigns are available on the NCSA website and on its social media sites). 

“We talked about all the different ways when you’re buying or selling a house that somebody can try and steal your money,” said Plaggemier, who before joining NCSA was Chief Marketing and Strategy Officer for MediaPRO: Cybersecurity & Privacy Education (before it was acquired by KnowBe4). “And it’s not just somebody sending you that weird-looking email that looks like a title company saying, ‘Oh, we changed our account number.’ There’s more than that. 

“That can happen and people can lose their life savings, their whole down payment,” she added. “We’ve talked to victims that were in their 50s and 60s who lost a down payment, and that’s a substantial down payment because they’ve accumulated all that equity over the years.” 

Among other campaigns the NCSA runs are back-to-school security tips and safe holiday online shopping advice. 

“You name it, if it has to do with consumers’ interaction with security, we’re trying to cover it,” Plaggemier said. 

Take the incident back in August, when news broke of a massive Social Security number breach. The NCSA put up an article cautioning people that “everyone is affected” by such a breach. 

“You should think about that as a consumer … and what you need to do as a result of that, because the news stories never seem to include helpful advice that’s easy to understand,” Plaggemier said. “It’s more about scaring people. So we put out an article right away that just said, ‘Here’s what you need to do. Don’t be afraid, but you might need to do a few things to make sure you’re safe.’ And we got 15,000 clicks in the first couple of hours.” 

Plaggemier moved around early in her career – including working in Germany – and eventually ended up in Austin, Texas, working for DP Dealer Services, which had just acquired a small startup in Austin. 

When news broke in 2015 that a Jeep had been hacked while on the road, Plaggemier said the folks at DP Dealer Services decided that, as a financial services firm, offering thought leadership on security topics was a good idea. 

“It really set the bar for our security program,” she said. “We felt like we had a better security program than our competitors … so the marketing team thought, ‘We should be doing thought leadership on this.’” 

Manufacturers were starting to ask about the company’s security program. Plaggemier, who had begun working with the company’s chief information security officer (CISO), snagged the team a spot at the JD Power Automotive Conference talking about the effect … on the brand. 

When DP got spun off and became CDK, that CISO took Plaggemier with him, which seemed to catch her a little by surprise. 

“He said, ‘I need somebody with your skillset on a security team,’ and I’m like, ‘I don’t understand the details of this stuff. I’ve never written a line of code in my life. I don’t know how to configure a router. Why do you want me?’” she said with a laugh. 

She did a “lot of translation between the technologists and the business people,” and then training and awareness. But she put her own stamp on the training program. 

“I told him … people hate that stuff,” she said. “If my name’s going on it, then we’re going to do something different.”  

Armed with what she said was a “healthy budget,” she developed a program that used “fun” videos and a game-show concept. They filmed 16 two-minute videos and took them on the road. The series has drawn more than 8 million views. 

“It’s called a cubicle series, and it’s part of my reputation of doing crazy stuff in the security world to try and explain these things to people,” Plaggemier said. “We’ve been really excited about it.” 

The problem, as Plaggemier sees it, is a disconnect between the professionals and the general public. People in the security world have “incredible stories to tell, but we’re bad at telling them,” said Plaggemier, who sits on an advisory board for the Secret Service. “You’re missing out on all the intrigue and the human interest and the stuff that can help you understand this, which then can motivate you to make some changes in your own behaviors to better protect yourself. We need to be better at that part.” 

One mistake businesses make, she said, is thinking the company’s security is “an IT thing.”  

“They kind of bubble ’em together in their heads and they feel like, well, I have an IT guy who does that stuff,” she said. “The reality is anybody working in security at a large organization will tell you that most of the problems are created by your IT because they don’t understand enough about security and they don’t ask the security team.  

“And so it’s things like misconfigurations of tools, it’s things like identity and access management, like basic IT hygiene,” she added. “Doing the basics well in IT is probably the biggest thing you can do to be more secure.” 

One of the most effective safeguards to arrive in the cybersecurity world has been multifactor authentication (MFA), something she recently talked about in a presentation to the Consumer Financial Protection Bureau. 

She said many businesses are using “really bad, weak, reused and recycled” passwords.  

“The best defense against that is MFA,” Plaggemier said. “If somebody has your password or they’ve hacked it, they can’t get into your account. That’s important for businesses, too.”  

How important is it? Salesforce, a San Francisco-based cloud software company that provides customer relationship management software and applications focused on sales, customer service, marketing automation, e-commerce, analytics, artificial intelligence, and application development, has mandated MFA for nearly all of its customers. 

“That was a huge thing to do,” Plaggemier said. “They’re a very visible company. They’re ubiquitous. Everybody’s using a Salesforce product.” 

The NCSA thought it was such a significant move, they posted an article to their website “about why they did it, how they did it, how they overcame the obstacles to do it … we thought we would talk about companies doing the right thing.” 

One of those “right” things, at least in Plaggemier’s mind, is establishing a chief information security officer. The key, she said, is to make sure the CISO is working for the right person. 

In too many companies, the CISO reports to the chief information officer, who is “all about supporting the business and delivery and keeping all the trains running on time and doing everything the business asks you to do,” but too often doesn’t have any kind of security background. 

Some CISOs report to the legal department; still others report to the chief financial officer. 

“I have seen situations where a CISO was asked to work for a CIO who had zero security expertise,” Plaggemier said. “I just think that, in this day and age and depending on what you’ve judged the risk to your company to be, there’s a really good case to be made for CISOs reporting directly to the CEO.” 

Companies would also do well to put a battery of strong cybersecurity policies in place. Chad Paalman, the founder and CEO of NuWave Technology Partners, a technology consulting firm, calls it practicing “cyber resiliency,” and likens it to the way residents in Florida are resilient in the face of the annual hurricane season. 

Florida residents know that, statistically speaking, they’re probably going to get hit by a hurricane. People aren’t naive enough, Paalman said, to think they’ll never get hit, so they think about how to build a structure that is hurricane resistant, but “they know there’s nothing they can do to completely protect themselves.” 

“I coach business leaders to have that same mindset when it comes to cybersecurity,” he said. “There’s no amount of money, no number of tools you can put in place to protect yourself completely from a cybersecurity event.” 

Paalman urges business leaders to work with their IT team – whether it’s an internal team or outside the organization – to “pick a framework and use it to put cybersecurity best practices” in place. 

According to Paalman, they’re going to need it. 

“This is the single biggest threat all organizations face today,” Paalman said. “If you know statistically it’s the most probable catastrophic thing that’s going to happen, why don’t you have … those plans in place and test those plans. 

“Put all the cybersecurity best practices in place that your budget will allow and at the same time have a plan in place, so that if you have a cybersecurity event you can recover and continue to operate your business,” he added. “My biggest message is, be cyber resilient, have a plan in place, test your plan and continue to make investments in bettering your security at the same time.” 

Policies provide a set of oversights and controls that identify how the IT and business teams go about their day-to-day operations. 

Paul Kennedy, senior manager for technology solutions for Rehmann, a professional advisory firm that provides accounting and assurance, business solutions and outsourcing, specialized consulting, and wealth management services, pointed out in an article posted to the company’s website, that organizations definitely benefit from what he called “thoughtful, comprehensive policies.” 

Policies, Kennedy wrote, should include, among other things: 
• Governance strategy and cybersecurity program (cybersecurity policy) – Guide your cybersecurity program by identifying leadership, how much risk you will accept and the key areas of your cybersecurity program. 
• Data management and protection strategy – Identify the assets that matter to your organization and the security in place for each, including who should have access, backups and other key safeguards. 
• Risk assessment – Identify which assets are most critical so you can prioritize where to deploy protections. 
• Incident response plan – Make sure you have a plan for how the organization responds when you are attacked. 
• Business continuity plan – Build alternative processes that identify how you will continue to provide key business functions and continue to serve customers during a disaster or cybersecurity incident. 
• Disaster recovery plan – Have a plan in place for how you will restore your business to normal operations when responding to a disaster or cybersecurity attack. 
• Vendor management – Know how your relationships with key third parties impact your organization so you can make sure you have well defined and appropriate contract management processes and security service level agreements.