Paul Ferrillo | August 2nd, 2016
3 Fundamental Takeaways from the DNC Hack

The recent hack of a large political organization in Washington DC has set in motion more mayhem and vitriol than most hacks have in the aggregate. Without focusing at all on politics or affiliations, let's concentrate on lessons learned, i.e. what can your company or organization learn from the Cybersecurity fact pattern that is coming out in the press as I type? Anyone can focus on the bad, but if history repeats itself once again (it always seems to), there are 3 very fundamental lessons that we can learn from the DNC hack:
1. Use peacetime wisely: A very astute man taught me this phrase a long time ago (almost 10 years ago, during a crisis). What does the phrase mean? It means doing your homework before class. It means planning ahead for a potential crisis well before that crisis ever occurs. It means being proactive, not reactive. How do we apply this rule? Well, today, if your organization has any sort of high value information (e.g. the plans to a new high-powered quantum computer chip), your organization will likely be (or already is) the subject of a cyber attack. How are you planning for this certainty? How are you protecting your data? Do you have an incident response plan? Do you have a business continuity plan? Do you have a crisis communications plan? These are just the basics, but they are uniquely important for Cybersecurity. In short, using peacetime wisely is like the Boy Scout motto, “Be Prepared.” Because stuff happens.
2. Conduct Cybersecurity Risk Assessments: What does this mean? As explained in this article, there is a logical way to assess your Cybersecurity risk using a method designed by my friends at the National Institute of Standards and Technology. In summary, the process is pretty simple (I am heavily summarizing): 1) what are my cyber threats and vulnerabilities? (Well, there are people, employees, vendors, nation-state actors, aging computer hardware and software, and hackers for hire, for starters); 2) what am I doing about those threats and vulnerabilities? Am I training my employees not to click on the link? Am I patching my software packages in a timely fashion? Am I following a “least privileged user” policy? Is my Cybersecurity hardware state of the art, or as old as I am?; 3) how likely is it that I might be attacked via a threat or vulnerability? and 4) how bad will the damage be if I am attacked?
Have this discussion internally on these four points. Add numerical values to the risks, threats, likelihood and impact. Do the math. And then focus your efforts on the high value risks and vulnerabilities where the impact is greatest. Maybe you can change your risk profile by adjusting your Cybersecurity posture immediately to fit the identified risks? Most organizations simply don’t spend enough time on Cybersecurity. What time you do have should be spent before the hack occurs. Not after.
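To make the "do the math" step concrete, here is an added example (not from the original post, and not NIST's own worksheet) of a small risk register that scores each threat/vulnerability pair on the four points above, works out inherent and residual risk, and ranks what to fix first. The 1-to-5 scales, the control-effectiveness factor, the threshold and the sample entries are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str            # who or what could cause harm (point 1)
    vulnerability: str     # the weakness they would use (point 1)
    likelihood: int        # 1 (rare) .. 5 (near certain), before controls (point 3)
    impact: int            # 1 (negligible) .. 5 (severe) (point 4)
    control_effect: float = 0.0  # 0.0 (nothing in place) .. 0.9 (strong control) (point 2)

    def inherent(self) -> int:
        # Risk with no controls at all: likelihood x impact
        return self.likelihood * self.impact

    def residual(self) -> float:
        # Controls lower how likely the threat succeeds, not how bad it is if it does
        return round(self.likelihood * (1.0 - self.control_effect) * self.impact, 1)


def validate(risk: Risk) -> None:
    """Reject scores outside the assumed scales so bad input cannot hide in the ranking."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.asset}/{risk.threat}: likelihood and impact must be 1..5")
    if not (0.0 <= risk.control_effect <= 0.9):
        raise ValueError(f"{risk.asset}/{risk.threat}: control_effect must be 0.0..0.9")


def prioritize(register: list[Risk], threshold: float = 8.0) -> list[Risk]:
    """Return the risks at or above the threshold, worst residual first (ties: higher impact first)."""
    for risk in register:
        validate(risk)
    ranked = sorted(register, key=lambda r: (r.residual(), r.impact), reverse=True)
    return [r for r in ranked if r.residual() >= threshold]


def with_control(risk: Risk, control_effect: float) -> Risk:
    """Model adding a control (e.g. phishing training) and see what it does to residual risk."""
    return replace(risk, control_effect=control_effect)


# Constructed sample register for a firm holding the chip plans mentioned above
REGISTER = [
    Risk("chip design files", "nation-state actor", "spear phishing of engineers", 5, 5, 0.2),
    Risk("chip design files", "hacker for hire", "unpatched file server", 4, 5, 0.7),
    Risk("mailboxes", "insider", "no least-privilege policy on mail access", 3, 3, 0.0),
    Risk("public website", "opportunistic scanning", "aging web server software", 4, 2, 0.5),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.residual():>5}  {r.asset:<18} {r.threat:<22} via {r.vulnerability}")
    trained = with_control(REGISTER[0], 0.6)
    print(f"after phishing training: {REGISTER[0].residual()} -> {trained.residual()}")
```

Only the entries at or above the threshold come back, so the output is the short list the discussion above tells you to work from the top down.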
3. It’s Time to Conduct Vulnerability and Compromise Assessments (and listen to the results): Finally, time to call in reinforcements, meaning your Cybersecurity consultants. Have them perform both a “vulnerability” and a “compromise” assessment. Without being highly technical, a vulnerability assessment is very much like a cyber risk assessment, except that a highly trained and skilled cyber ninja (hired by you, of course) tests your systems and your people looking for weaknesses and vulnerabilities that could be exploited. If there are any weaknesses, work with your cyber consultant, prioritize those risks, and start working from the top down as soon as you can. Anything you can do to lower your risk is a positive. And undoubtedly there will be some simple things (like spear phishing training) that can be done for very little cost and could dramatically lower your risk. Listen. And learn. Stuff happens.
Also, a compromise assessment is very, very valuable. It is something which will tell you whether or not you have already been hacked. This one is so important. The sooner you know if you’ve already been hacked, the quicker you can react and try to kick the attacker off your network. The sooner you know, the more you can hopefully lessen the damage of the attack. And hopefully act and react before the FBI or an investigative cyber journalist comes knocking at your door with very bad news.
Use Peacetime Wisely. Stuff Happens.