My Interview with ChatGPT-4


If you’ve been paying attention to the news at all, you’ve likely come across several articles on artificial intelligence (AI). These articles run the gamut between those that herald AI as a potential boon for humanity to those that predict that it literally will be the end of humanity. I do think AI is destined to fundamentally change how we use the internet – and more broadly, how we live our lives. I also am skeptical that efforts to rein in the integration of AI into our lives will be successful, although I do hope we can make some progress toward curbing the more destructive uses its human creators have already found for it.

The goal of the University of Missouri System’s Broadband Initiative has been to use broadband internet to improve health, education and economic opportunity for all. That really involves three fundamental elements: broadband access – constructing the physical infrastructure to connect everyone to high-speed internet; affordability – pricing broadband access and the devices that connect to the internet at a level that makes them available to everyone, regardless of income level; and adoption – providing everyone the training and skills they need to use broadband internet effectively.

Most of us will encounter AI in our daily lives as we use broadband internet. Today, it is already used to search the internet and plan your vacation or even write a blog! Over time, these programs will continue to evolve and find new applications; so I think that understanding the benefits and limitations of AI likely will need to become a core competency in using the internet effectively now and in the future. That means, of course, that AI will be critical to broadband “adoption,” and understanding the risks and limitations will be critical if we are to use this new tool for good, and minimize the risk it will be abused.

Over the past several months a new AI program, ChatGPT-4, created by OpenAI, has fostered great interest, excitement and concern. The program is available to anyone with an internet connection to try for free, yet I’ve found that many folks who are computer literate have not tried it.

Until recently, I had little experience with the technology. I had read some of the articles, but hadn’t experienced it first-hand. That changed about a month ago, and since that time I’ve experimented some with this program. I am very impressed, but I do continue to have some questions and concerns. I thought one way to illustrate those might be to interview ChatGPT-4. After all – if you have questions about AI why not go to the source!

What follows is a transcript of my interview with ChatGPT-4 conducted in early April.

***

Me: I’d like to interview you, are you able to do that?

ChatGPT-4: Yes, I am programmed to engage in conversation and answer questions to the best of my abilities. Please feel free to ask me any questions you may have.

Me: Many people are afraid that AI programs may be very dangerous, do you feel these concerns are justified?

ChatGPT-4: Concerns about the potential dangers of AI are understandable; as with any powerful technology, there is always the possibility for it to be misused or to have unintended consequences. However, I believe that these concerns can be mitigated through responsible development and deployment of AI.

As an AI program, my programming is focused on being helpful and beneficial to humans. I have been designed with various safeguards and protocols to ensure that I operate safely and ethically. Additionally, there are regulations and guidelines in place to govern the development and use of AI, and these are continually being updated and refined as the technology evolves.

It is important to recognize that the benefits of AI are numerous and can greatly improve our lives in many ways. From improving healthcare outcomes to enhancing scientific research and even helping to address environmental issues, AI has the potential to make a positive impact on society. By taking a responsible approach to the development and deployment of AI, we can help ensure that it is used for the greater good and that its potential risks are minimized.

Me: You mentioned safeguards that enable you to operate safely and ethically, could you describe some of those?

ChatGPT-4: Sure, as an AI program, I have been designed with several safeguards and protocols to ensure that I operate safely and ethically. Here are some examples:

1. Data privacy and security: I have protocols in place to ensure that any data I process is kept secure and confidential. I am designed to protect personal information and prevent any unauthorized access to data.

2. Transparency and explainability: I am designed to be transparent in my decision-making process and provide explanations for my actions. This enables users to understand how I arrived at a particular conclusion or recommendation.

3. Bias mitigation: To ensure fairness and mitigate any potential biases, I have been trained on diverse datasets and evaluated for bias during development. Additionally, I have protocols in place to detect and mitigate any bias that may be present in the data I am processing.

4. Human oversight: I am designed to work in collaboration with humans and under their supervision. This enables humans to intervene if necessary and ensure that I am operating in a safe and ethical manner.

5. Continuous monitoring and improvement: My programming is constantly being monitored and updated to ensure that I am operating safely and ethically. Any potential issues or errors are identified and addressed promptly to ensure that I continue to operate in a responsible manner.

These are just a few examples of the safeguards and protocols in place to ensure that I operate safely and ethically. It’s worth noting that these safeguards can vary depending on the specific AI system in question, and that the development and deployment of AI always requires careful consideration of potential risks and ethical implications.

Me: One concern I have is that your responses to questions lack information that would allow me to check the sources for your response. I’m concerned that without this, I have no way to check to see if the data you used to formulate a response is accurate. Is this concern legitimate? If so, do you have the capability to provide the underlying sources you used to formulate a response to questions you are asked?

ChatGPT-4: Your concern is legitimate, and as an AI program, I understand the importance of providing accurate and reliable information. While I cannot guarantee the accuracy of all information, I do my best to provide well-supported and verifiable answers to the best of my abilities.

Regarding your question about sources, I do not have access to the internet or any external databases while answering questions, so I cannot provide direct links or sources for my responses. However, I can provide information about the sources of my knowledge and the training data that was used to develop my responses.

As a language model, I have been trained on a vast corpus of text from the internet, books, articles, and other sources. My training data comes from a variety of sources and has been carefully selected and curated to ensure that it is diverse, reliable, and representative of human knowledge. During my training, I was exposed to a wide range of topics and concepts, and I learned to identify patterns and relationships between words and phrases.

When answering questions, I use this knowledge and the patterns I have learned to generate responses based on the input I receive. While I cannot directly cite sources for individual responses, I can assure you that the information I provide is based on the collective knowledge and understanding of human language and concepts that I have acquired through my training.

Me: So, if I am understanding you correctly, I must trust that the human programmers that provided you with the data used to formulate your response only used sources that were properly vetted and accurate. To put it a different way, if you were provided inaccurate or biased data, your responses will reflect that, and if the data provided was accurate — and the underlying programming was structured to deliver unbiased responses, I can feel comfortable relying on your responses.

ChatGPT-4: Yes, that’s a fair way to summarize it. As an AI language model, my responses are only as accurate and reliable as the data and programming that have been used to train and develop me. The training data that I have been exposed to comes from a variety of sources, and while it has been curated to ensure that it is diverse and representative of human knowledge, there is always the possibility that some of the data may be biased or inaccurate.

To mitigate this risk, the developers of AI language models like myself implement various techniques to ensure that the training data is as accurate and unbiased as possible. For example, they may use multiple sources of data to reduce the impact of any individual biases, or they may use techniques like adversarial training to identify and correct for any biases that may be present in the data.

Additionally, AI language models are often evaluated for their accuracy and reliability, and developers use these evaluations to identify areas where improvements can be made. Continuous monitoring and improvement are essential to ensuring that AI language models are as accurate and unbiased as possible.

While it’s true that you must trust the developers and the data used to train AI language models like myself, it’s important to remember that the same is true for any information source. No information source is perfect, and it’s always a good idea to verify information using multiple sources when possible.

Me: Good point! Thank you so much for taking time to answer my questions, I hope we can do this again soon.

ChatGPT-4: You’re welcome! It was my pleasure to answer your questions, and I look forward to the opportunity to assist you again in the future. If you have any more questions, feel free to ask anytime!

***

I find the development of programs like ChatGPT-4 to be both exciting and disconcerting. While ChatGPT-4 interfaces with humans through a text chat box, I found it fairly easy to interact with it as I would if I were communicating with a person. Technology exists to allow AI programs to recognize speech and respond orally or even through a video “AI avatar,” so it seems likely to me that we’ll soon be video conferencing with AIs like ChatGPT-4. While most (but not all) of those involved in the development of AI insist that there is no “ghost in the machine,” a fundamental objective in the development of AI programs of this type is to help humans interact with its database more easily by allowing us to treat the machine as if it were a sentient, conscious entity.

As a conversationalist ChatGPT-4 is quite proficient, and I wonder if perhaps it is too proficient. I think I could easily be tricked into believing I was “chatting” with a human being. Psychologists have already discovered that we tend to be more trusting of information that is delivered to us from what we perceive to be a human source, even if in fact the information is delivered by a computer programmed to mimic human conversation. It may well be that this tendency is “hardwired” into our brains. Regardless, it certainly is not difficult to imagine that this aspect of AI technology could easily be co-opted by humans to spread disinformation throughout the internet.

However, what troubles me more is that ChatGPT-4 is unable to tell me where it is getting the information it provides in that friendly interactive conversational voice. As it admitted toward the end of the interview:

“….my responses are only as accurate and reliable as the data and programming that have been used to train and develop me. The training data that I have been exposed to comes from a variety of sources, and while it has been curated to ensure that it is diverse and representative of human knowledge, there is always the possibility that some of the data may be biased or inaccurate.” 

While I agree with ChatGPT-4 that “it’s always a good idea to verify information using multiple sources when possible,” I’m not sure I know exactly how to do that with this tool. I don’t know what specific sources it accessed to answer my questions or how it weighed them to resolve any conflicts in that data. In other words, I can’t weigh and test the response ChatGPT-4 provides because I can’t work through the source material or the analysis that was used to reach the conclusions contained in its responses. Yet, I confess that I find it more difficult to discount those conclusions, because they are offered in such a friendly, disarming and reassuring manner.

It’s tempting to think of ChatGPT-4 as just a “souped-up” search engine like those offered by Google or Bing. A program that can interpret questions and spout back a response that seems relatively rational (even if it can’t identify the specific sources it used to develop that response). Certainly ChatGPT-4 can do that, but it can go further and actually mimic human creativity. In other words it can mimic human reasoning and decision making to apply the data to reach conclusions and produce a new product.

I returned to my conversation with ChatGPT-4 to ask one last question that illustrates this capability:

Me: Hi, it’s me again. I was wondering if you could do something to illustrate your ability to write a creative piece — perhaps a poem?

ChatGPT-4: Certainly, I can try my best to write a poem for you. What would you like the poem to be about?

Me: Write something humorous about a lawyer trying to carry on a conversation with a computer.

ChatGPT-4: Here’s a humorous poem about a lawyer trying to carry on a conversation with a computer:

A lawyer walked up to a computer
And said, “Hello there, my dear!
I hope you don’t mind if I chat with you,
For I have some questions to clear.”

The computer blinked and whirred a bit,
Then replied in a mechanical tone,
“Of course, I’m here to assist you,
So please, don’t hesitate to phone.”

The lawyer smiled and leaned in close,
But the computer didn’t seem to mind,
For it just kept churning and processing,
As the lawyer talked, unconfined.

The lawyer asked about the weather,
And the computer responded with stats,
But when the lawyer tried to make a joke,
The computer just stared back, flat.

So the lawyer kept on talking,
And the computer kept on replying,
Until at last the lawyer realized,
The computer was never really trying.

For all its knowledge and algorithms,
The computer just couldn’t understand,
The nuances of human conversation,
Or the humor that lies in a lawyer’s hand.

So the lawyer sighed and said goodbye,
And walked away, feeling bemused,
For even with all its technological prowess,
The computer had still been confused.

***

Well, ChatGPT-4’s poem isn’t on par with Carl Sandburg, E.E. Cummings or Robert Frost, but then again none of those guys could produce a poem in less than 3 seconds, and I did smile as I read the last couple of stanzas.

Yet it is interesting that of all the humorous topics ChatGPT-4 could have chosen involving a lawyer trying to talk to a computer, it focused on the foolishness of assuming the computer could reason and comprehend the lawyer’s joke. I didn’t tell ChatGPT-4 that I was, until recently, a practicing attorney, or that the poem’s topic needed to focus on my interest in its capabilities to reason.

Nevertheless, the poem it wrote is both self-deprecating and disarming, with a clear message that there is really nothing to fear from the computer’s “technological prowess.” I wondered why ChatGPT-4’s algorithms (created at least in part by humans) chose a poem on that topic, and I wondered what set of “datasets” selected by its human programmers led to a poem that poked fun at the “bemused” lawyer (me).

Part Three – Cybersecurity for Small (Micro) Business and Nonprofit Organizations: Striking a Balance


A Short Guide for Owners and Leaders

Part 1 of this blog described the risks posed to micro businesses and similar-sized nonprofits by a cyberattack. Part 2 outlined a three-step plan for developing a cybersecurity plan for your organization, starting with identifying the organization’s mission-critical assets and protected third-party data and assessing your organization’s risk level. This part concludes the series by describing the core elements of an effective cybersecurity plan.

Step Three – Implement a Cybersecurity Plan

The final step of a cybersecurity strategy for your organization is to implement a cybersecurity plan. The specifics of the plan will vary, depending on the outcome of the first two steps discussed in Part 2. However, all organizations will find that their cybersecurity plan must be applied consistently over the long term to afford them maximum protection, and every plan should focus both on preventing a cyberattack and on mitigating the consequences of a successful one. Finally, the most effective cybersecurity plans recognize that aggressive use of available software technology must be balanced and supplemented with ongoing training.

Password Protection & Data Management

Multifactor Authentication

One of the most obvious risks to your organization is unauthorized use of a password to gain access to your LAN, website, email or internet-connected devices. As discussed in Part 1, most cybercriminals need access to your network to steal or corrupt your organization’s data or software applications. While this may be changing, network access is often gained by supplying the correct password, and of course, if the password is stolen, compromised, easily guessed, or left in an unsecured location, your organization is vulnerable.

You can address some of these risks by using long, randomly generated passwords, never reusing a password across sites, keeping them in a password manager (vault), and changing any password you suspect has been exposed. (Forcing everyone to change passwords on a fixed schedule used to be standard advice; current NIST guidance, SP 800-63B, no longer recommends it, because it pushes people toward weaker, predictable passwords. A change after a suspected compromise is still essential.) A more effective step, however, is to require multifactor authentication for every account and device that can reach your organization’s website, email or local area network (LAN).

Multifactor authentication requires both a password and a second factor that an attacker is unlikely to have: most commonly a six-digit code from an authenticator app, a push prompt sent to a smartphone that was registered with the account when it was set up, or a hardware security key that must be plugged in or tapped. The result is that even if the password is stolen or guessed, the account cannot be opened without that second factor. Multifactor authentication is available for the major email, Cloud and network services, and it has already become a standard feature of most business and government network security. Two caveats are worth knowing. First, codes and push prompts can still be phished: a fake login page can relay the code to the real site in real time, and an attacker who has the password can send push requests until a tired user approves one. A hardware security key (FIDO2/WebAuthn) resists both, because it will only answer the genuine site, which makes it the strongest option where it is offered. Second, these protections are more easily defeated if you or others use easily guessed passwords (e.g., “password”, “password123”, “12345”) or fail to keep the second-factor device (smartphone or security key) secure.

Multiple levels of security within the organization and data encryption

A second way to strengthen cybersecurity is to limit access to sensitive PII or mission-critical data within the organization’s LAN to the specific people who need it, by putting that data behind separate accounts or permissions rather than relying on the general network login alone. This becomes more important as the organization adds employees, volunteers or contractors. Examples of data that warrant this extra level of control include employee Social Security numbers, customer bank or financial account information, and health records. Restricting this information to a smaller group is the “digital equivalent” of locking a filing cabinet or desk drawer to discourage intentional or inadvertent access by people who have no need for it. Where the software only offers a second password on the protected folder, use that, but prefer per-person access rights over a shared password: a shared password cannot be revoked for one departing person and leaves no record of who opened the file.

An additional step, particularly if your organization holds protected PII or financial information, is to encrypt sensitive data stored on the organization’s local devices or in the Cloud. Common email services and most operating systems and Cloud storage products offer the option of encrypting files, folders, or an entire hard drive (for example, BitLocker on Windows and FileVault on macOS). Of course, encryption protects against unauthorized use or disclosure only if the password or “encryption key” used to decrypt the data is itself protected, and only while the data is locked: full-disk encryption defends against a lost or stolen laptop, but it does not stop malware or a logged-in intruder from reading files on a machine that is running and unlocked.

Screen locks and time outs

Laptops, desktops, smartphones and other devices all include an option to “lock” the device after it has been left unattended for a few minutes, requiring the password, PIN or fingerprint to resume. Particularly for mobile devices and for any device used in an open office environment, enabling this feature (and keeping the timeout short) is a simple and highly effective way to guard against unauthorized access to the device.

Minimize and reduce access points to sensitive data.

This might seem obvious, but all things being equal, the more places you store sensitive personal data, the more likely it is that the data will be reached and compromised in a cyberattack. Having at least one off-site backup of the organization’s critical data and software should be part of an effective cybersecurity plan. Yet because automatic Cloud backups of email and computer drives (Google Drive, Apple’s iCloud Drive, Microsoft OneDrive and many others) are so popular, it is common to find that at least some of the organization’s data has ended up in several locations without anyone deciding that it should. Every extra copy is another place that must be secured, monitored and eventually deleted, which complicates the cybersecurity plan and adds to the burden of keeping track of where sensitive PII lives. As part of developing your plan, consider whether the benefit of storing data, particularly sensitive PII, in multiple locations is worth the added risk. While Cloud-based storage is relatively secure, most of it can be opened by anyone holding the account password, or, at best, the password plus the account’s multifactor authentication, so each additional copy is only as safe as the account that guards it.

A related question is whether your organization is keeping only the sensitive PII it actually needs. Old backups that are not regularly reviewed, particularly on multiple local devices such as desktop and laptop hard drives, greatly complicate efforts to handle sensitive data properly. For this reason, when you assess the need for multiple backup copies of the sensitive PII your organization keeps, you should also develop procedures for periodically reviewing that data and deleting it when it is no longer needed.

Promptly Update Software and Applications

No application or software is “hack proof.” Over time, cybercriminals learn new ways to access and plant malware in even the most carefully constructed software. It literally is a “cat and mouse” game played between the software developers and cybercriminals. In recognition of this reality, reputable software companies work hard to identify vulnerabilities in their software and create updates (security patches) to eliminate them. Of course, these security patches work only if they are promptly downloaded and installed on all digitally connected devices that access your network. Therefore a critical part of all good cybersecurity plans is to download and promptly install security patches as they become available. Most software and applications that run on computers and smart phones contain an option either to automatically update the program or at least to provide you notice that a new update is available for installation. Generally, these options should be enabled.     

Web-traffic Encryption – Virtual Private Networks

Information (data) travels over the internet by wire (ethernet or fiber-optic cable) and wirelessly (through your Wi-Fi router or smartphone hotspot). Most web traffic today is encrypted before it leaves your device, but on a public network, or when a website does not use encryption, a cybercrook on the same network can intercept and “listen in” on the communication. The federal government’s cybersecurity watchdog, CISA, has downplayed the risk of this type of attack. However, one study conducted in late 2016 found that 28% of public Wi-Fi “hotspots” (at airports, coffee shops, etc.) were unsecured.

So, how do you tell whether your connection to a website is encrypted? Look at the address bar of your browser. If the address begins with “https” and the browser shows no security warning, the traffic between your browser and that site is encrypted in transit, and anyone on the network between you and the site sees only scrambled data. If it begins with “http”, the data is not encrypted and can be intercepted and read by anyone on the path unless you take additional steps. Most browsers now flag “http” pages as “Not secure”, and many offer an “HTTPS-only” mode that refuses to load an unencrypted page without asking you first. As a matter of good cybersecurity practice, unencrypted sites should be avoided, particularly if you have not implemented the second layer of encryption discussed next.

Using only “https” sites greatly reduces the risk of eavesdropping on wireless networks. However, it is not foolproof. An attacker on the same network can attempt a downgrade known as SSL stripping. Your browser’s very first request to a site is often a plain “http” one (because you typed the name without a scheme, or clicked an old link), and the site normally answers by redirecting you to “https”. An attacker positioned between you and the internet intercepts that first request, talks “https” to the real site on your behalf, and hands the pages back to you over plain “http” with every “https” link rewritten to “http”, so you keep browsing unencrypted without noticing, while the site sees a normal encrypted visitor. Two browser-side defenses limit this. Sites that send a Strict-Transport-Security (HSTS) header are remembered by the browser, which will then refuse to talk to them unencrypted even if a link says “http”, and the “HTTPS-only” mode mentioned above blocks the initial unencrypted request altogether. A site you have never visited from that browser, and that is not on the browsers’ built-in HSTS preload list, gets neither protection on the first visit.
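To make the downgrade concrete, here is an added illustration (not the post’s own material, and not real attack tooling): the first function does what a stripping proxy does to a page body on an untrusted network, and the small HSTS store models the browser-side rule that sends a stripped link back out as “https” on later visits. The page fragment, host names and header values are constructed for the example.

```python
"""Added example, not from the original post: the downgrade an SSL-stripping
attacker performs on an untrusted network, and the browser-side HSTS memory
that blocks it on later visits. Page fragment, hosts and header values are
constructed for illustration."""

import re
from urllib.parse import urlsplit


def strip_links(html: str) -> str:
    """What the attacker in the middle does to a page that reached the victim
    over plain HTTP: every https:// link is rewritten to http:// so the next
    click leaves the victim's machine unencrypted. The attacker keeps talking
    HTTPS to the real site, so the site sees nothing unusual."""
    return re.sub(r"https://", "http://", html, flags=re.IGNORECASE)


class HstsStore:
    """Minimal model of a browser's Strict-Transport-Security memory."""

    def __init__(self):
        self.hosts = {}   # host -> True if includeSubDomains was set

    def record(self, host: str, header_value: str) -> None:
        """Called when a site, reached over HTTPS, sends an HSTS header."""
        directives = [d.strip().lower() for d in header_value.split(";")]
        max_age = 0
        for d in directives:
            if d.startswith("max-age="):
                max_age = int(d.split("=", 1)[1].strip('"'))
        if max_age <= 0:               # max-age=0 tells the browser to forget
            self.hosts.pop(host, None)
            return
        self.hosts[host] = "includesubdomains" in directives

    def must_upgrade(self, host: str) -> bool:
        """True for a remembered host, or a subdomain of one that set includeSubDomains."""
        if host in self.hosts:
            return True
        labels = host.split(".")
        return any(self.hosts.get(".".join(labels[i:]), False)
                   for i in range(1, len(labels) - 1))

    def resolve(self, url: str) -> str:
        """What the browser actually requests. A stripped http:// link to a
        host with a live HSTS policy is rewritten back to https:// before any
        packet leaves the machine; unknown hosts go out exactly as written."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.must_upgrade(parts.hostname):
            return parts._replace(scheme="https").geturl()
        return url


if __name__ == "__main__":
    page = '<a href="https://bank.example/login">Log in</a>'
    store = HstsStore()
    store.record("bank.example", "max-age=31536000; includeSubDomains")
    for link in re.findall(r'href="([^"]+)"', strip_links(page)):
        print(link, "->", store.resolve(link))
```

The residual gap is visible in the model: a host the store has never seen (a site visited for the first time from this browser, or from a freshly installed one) is requested over “http” exactly as the attacker wrote it. That first-visit window is what the browsers’ preload list and an “HTTPS-only” setting close.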

For this reason, if your organization relies on wireless networks or if you and others often work remotely using public Wi-Fi, you may want to consider using virtual private network (VPN) software. VPN software can run on a single local computer, a LAN, or on a digitally connected device such as a tablet or smartphone. Once installed and activated, most VPN software offers two additional levels of protection for internet access.

First, it hides your traffic from the local network and your ISP, and hides your real network address from the sites you visit. Your device encrypts everything and sends it to the VPN provider’s server; that server decrypts it and forwards it to the destination website, which sees the VPN server’s address rather than yours. Anyone watching the coffee-shop Wi-Fi sees only an encrypted stream to the VPN provider and cannot tell which sites you are using. For many people this is the most important feature of a VPN, because it offers a higher degree of privacy, making it more difficult for websites or government entities to track web browsing activity.

However, the second advantage is the one that matters most for the attack described above. Because the hop from your device to the VPN provider is encrypted, an attacker on the public Wi-Fi never sees your initial “http” request and has nothing to strip or read; all they see is VPN traffic. The protection covers only that hop, though: between the VPN server and the website your traffic is exactly as encrypted (or not) as it was before, so “https” still matters, and you are now trusting the VPN provider with everything you previously had to trust the coffee shop with. No technology is completely secure from hacking or “eavesdropping,” but a VPN from a reputable provider is a very secure and relatively inexpensive way to guard against eavesdropping on networks you do not control.

If you decide a VPN is a worthwhile investment, VPN software is offered by a number of private companies, and it is important to pick one that best meets your needs. You will need to do some investigation and find articles that evaluate VPN providers and offer advice on how to pick a provider best suited for your organization’s needs, but keep in mind that some of these articles focus more on privacy (the first advantage of a VPN) rather than your organization’s objective — defeating a cybercrook’s attempt to intercept and read the data being transmitted. For your organization, the primary concern may be the number of servers the VPN provider has and the speed and capacity of those servers. This is important because once the VPN is activated, all of your communication over the internet must pass through your VPN provider’s server. If the provider does not have sufficient network capacity, the speed and reliability of your internet connection will be significantly reduced.

Addressing “Human” Vulnerabilities

It would be nice if you could protect your organization from cybercrooks just by buying additional software. Unfortunately, relying on software is at best half the solution. The other half is dealing with the “human” side of cybersecurity. The reason is simple: even the most robust software technology can be defeated or rendered useless by bad actors inside the organization, by failing to use the cybersecurity tools that are available properly, or simply by failing to recognize a cybersecurity attack. This section focuses on ideas for reducing your organization’s human vulnerabilities to a cyberattack.

Background checks for those who access the network.

Obviously, you want your organization to grow and become more successful, but as that happens it becomes more important to know who has access to your connected devices and data. A good cybersecurity plan should include a set procedure that includes conducting background checks on all prospective employees. This should include criminal record checks, credit checks, as well as verification of employment and education. Even if you are the only “employee” in the organization, the same considerations apply to others such as vendors, customers or volunteers who have access to your organization’s network.  Of course your background check may not be as extensive as what you would use if you were evaluating a person for employment, but depending on the nature of the contact, the role the individual or entity will play, and the level of access to your organization’s data, you will want to know enough about the individual’s background to feel reasonably certain they will not put the organization’s data or its connected devices at risk of a cyberattack.

Implement  cybersecurity policies and procedures.

Even if you are a sole proprietor or the “staff of one” in a local nonprofit, it is important to consider and implement common sense policies and procedures to minimize the risk that your organization will fall victim to a cyberattack. Items to consider include:

  • Setting a schedule to regularly check all critical software for security patches, and installing critical security patches immediately when notified by a software provider.
  • Developing a policy for creating robust, unique passwords and for changing any password that may have been exposed.
  • Not loading personal software or email on a computer or other device connected to the organization’s network.
  • Not using the organization’s email address for personal communications.
  • Installing screen password locks on all of the organization’s desktops, laptops and tablets.

Admittedly not all of these policies will be popular, and like many things in life, you may decide that the level of risk your organization faces does not justify implementing some of them. That of course is up to you as leader of the organization. However, before making any final decision, consider whether some or all of these steps may be mandated by clients, customers or suppliers with whom you are dealing.

Educate yourself and everyone who has access to the organization’s digital resources.

Hopefully one of the things you have learned from this blog is that the cyberattacks on businesses, organizations and government have continued to evolve to counter efforts to make software and networks less prone to attack. This will certainly continue. For that reason it is important that you commit to remain up to date on evolving cyber security risks. Fortunately there are a number of resources available to assist in that task. Two are listed below:

You also should consider ongoing training and reminders for employees or others who regularly access your network. Here you might want to use resources developed specifically for that purpose:

Develop a Cyberattack Recovery Plan

You may find this part to be discouraging. After all, if you have taken all of the previous steps to protect your organization from a cyberattack, it’s sobering to think that you still aren’t protected. Of course, that’s not true. By implementing the previous steps you will have made it much more difficult for a cybercrook to access or disable your network, or to steal data. However, just as the best physical security and alarm systems don’t provide 100% protection against the risk of theft or loss, even the best cybersecurity strategies can be, and are, defeated each day. Just as you take steps to deal with that reality for your physical assets, it’s important to consider how to deal with a successful cybersecurity attack as well. Here are three ideas you should consider.

Offsite Secure Backups

Earlier, in developing your cybersecurity plan, you identified the “critical” data and applications that are needed to operate your organization. As part of your Plan, you need to arrange for these critical items to be regularly backed up and securely stored in a safe location. How often you decide to back up the data will vary, but obviously data that is added after the backup likely will not be recoverable, so it may make sense to back up daily or at least weekly.

Nearly all major software providers offer the ability to back up data to remote “Cloud-based” servers. Some providers offer the ability to automatically back up data on an hourly, daily or weekly basis, together with the option of accessing earlier backup versions. This last feature can be useful if you are concerned that an “infected” file may have been downloaded onto your network or computer prior to your last backup. Of course, there is always a possibility that your automatic backup system may not initiate for some reason, and as part of your Plan, you will want to periodically check to make sure the backups are occurring as expected, and that they can be accessed.
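The periodic check described above can be automated. The following is an added example, not code from this blog or from any backup vendor: it assumes a hypothetical layout in which each backup is a zip archive accompanied by a small manifest recording when it was made and the SHA-256 of the archive, and it reports whether the newest intact backup is within the expected interval and whether every archive still matches its manifest and opens cleanly.

```python
"""Backup health check: confirm backups are recent, intact and openable.

Hypothetical layout: each backup is <name>.zip plus <name>.manifest.json
recording when it was made and the SHA-256 of the archive.
"""
import hashlib
import json
import tempfile
import zipfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large archives do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(backup_dir: Path, name: str, files: dict, created: datetime) -> Path:
    """Write a zip archive and its manifest (stands in for the real backup job)."""
    archive = backup_dir / f"{name}.zip"
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, data in files.items():
            zf.writestr(fname, data)
    manifest = {"created": created.isoformat(), "sha256": sha256_of(archive)}
    (backup_dir / f"{name}.manifest.json").write_text(json.dumps(manifest))
    return archive


def check_backups(backup_dir: Path, max_age: timedelta, now: datetime) -> dict:
    """Report which archives match their manifest and pass a CRC check,
    and whether the newest intact backup is within the expected interval."""
    report = {"newest": None, "recent": False, "ok": [], "corrupt": []}
    newest_time = None
    for manifest_path in sorted(backup_dir.glob("*.manifest.json")):
        name = manifest_path.name[: -len(".manifest.json")]
        archive = backup_dir / f"{name}.zip"
        manifest = json.loads(manifest_path.read_text())
        created = datetime.fromisoformat(manifest["created"])
        # A hash mismatch means the archive was truncated, altered or never finished.
        intact = archive.exists() and sha256_of(archive) == manifest["sha256"]
        if intact:
            with zipfile.ZipFile(archive) as zf:
                intact = zf.testzip() is None  # None means every member passed its CRC
        (report["ok"] if intact else report["corrupt"]).append(name)
        if intact and (newest_time is None or created > newest_time):
            newest_time, report["newest"] = created, name
    report["recent"] = newest_time is not None and now - newest_time <= max_age
    return report


def demo(hours_since_check: int = 0) -> dict:
    """Constructed scenario: one good 20-hour-old backup and one truncated 44-hour-old one."""
    base = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    backups = Path(tempfile.mkdtemp())
    make_backup(backups, "backup-2024-04-30", {"customers.csv": b"id,name\n1,Ada\n"},
                base - timedelta(hours=20))
    older = make_backup(backups, "backup-2024-04-29", {"invoices.csv": b"id,total\n7,120\n"},
                        base - timedelta(hours=44))
    older.write_bytes(older.read_bytes()[:-16])  # simulate a backup that did not finish writing
    return check_backups(backups, timedelta(hours=24), base + timedelta(hours=hours_since_check))


if __name__ == "__main__":
    print(demo())
```

Run it on a schedule and alert whenever `recent` is false or `corrupt` is non-empty; a restore test of the newest archive to a scratch folder completes the check.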

Develop a strategy to notify third parties of a cyberattack.

This step is most relevant for organizations that maintain sensitive PII (described earlier in Part 2), that have an ethical obligation (such as an attorney) to maintain confidentiality of client data, or that have entered into a contract to maintain the confidentiality of third-party data. Organizations in these situations need to consider and include in their plan a procedure to document and update where third-party data is stored, and a method to easily identify businesses or individuals that need to receive notice of a cyberattack.

Consider cybersecurity insurance.

It’s probably apparent at this point that a successful cyberattack might be an expensive proposition for your organization, not only from lost revenue but from third party claims for collateral damages as well. You likely insure against the risk of loss of your organization’s physical assets, so it may occur to you that insurance against losses from a cyberattack might be a good idea as well.

Many companies offer insurance policies for some losses incurred in a cyberattack, and for some organizations insurance can be part of a comprehensive cybersecurity plan. However, cybersecurity insurance may not be appropriate for all organizations, and as part of preparing the plan for your organization, you need to carefully consider the pros and cons before purchasing a cybersecurity insurance policy.

Cybersecurity insurance generally will insure your organization against some losses arising from interruptions to normal operations, the cost of notifying third parties of cybersecurity attacks, and the cost of defending lawsuits from third parties for damages arising from the event. However, these policies typically will not insure against losses arising from damage occurring from criminal activities by your employees or for the loss of physical or intellectual property resulting from a cyberattack.

You can begin determining whether cybersecurity insurance is right for your organization by talking with your insurance agent. Generally, organizations that store significant amounts of third-party personal information, and those most at risk from business or operational interruption in the event their network is compromised, will find cybersecurity insurance to be most useful. However, cybersecurity insurance is NOT a substitute for a good cybersecurity plan. Be aware that if you decide to purchase a policy, you can expect the insurance provider to demand that you institute the policies and procedures outlined in this blog as a condition for providing coverage. In other words, cybersecurity insurance provides an additional level of financial protection, but only after you have implemented a good cybersecurity plan.

Cybersecurity – Is It Worth the Effort?

These three blogs have outlined the risks to your organization of a cyberattack and the steps you should take to implement a cybersecurity plan to defend against an attack. Operating a business or nonprofit on a shoestring budget is extremely challenging and requires leaders to constantly set priorities and make trade-offs. Success often depends on not letting “perfect be the enemy of good enough,” and the amount of time and effort organizations need to put into their cybersecurity plan will vary. However, it is not an exaggeration to say that every organization needs to do something. You can confirm that by simply imagining how your organization could operate if your network, records, computers and even your phone all stopped working. Unfortunately, even for very small organizations the risk of an attack is significant, and the consequences of being unprepared likely will be catastrophic. While it is not possible to completely secure your digital assets, the steps outlined can significantly reduce that risk and mitigate the damage in the event of a successful attack. For that reason, even for the smallest business or nonprofit, it’s worth the effort to implement an appropriate cybersecurity plan.

Part Two: Cybersecurity for Small (Micro) Business and Nonprofit Organizations: Striking a Balance

A Short Guide for Owners and Leaders

Part One of this Blog explained the risks your organization faces from a cyberattack, describing the most common objectives and the primary ways cybercrooks attack microbusinesses and similarly sized nonprofits. You learned that successful cyberattacks often involve tactics that are designed to deceive, along with sophisticated malicious software, and that potentially any device that connects to the internet, or to your local area network (LAN) could be an entry point for a cyberattack.

While the risks posed to your organization by cybercrooks are real, and no solution will be 100% effective, there are several things you can do to greatly limit the risk posed by cyberattacks. The objective of this blog and the next one is to describe a strategy you can use to secure your organization against a cyberattack, and help you mitigate the damage done even if an attack is successful.

There are many good educational resources available online that provide specific guidance to assist in understanding how to spot a cyberattack, and more are being developed all the time. Examples include the resources offered by the U.S. Small Business Administration, the Federal Communications Commission and the Missouri Cyber Security Office, as well as commercial software providers such as Microsoft. In addition, resources published by the PCI Security Standards Council, the organization that works to secure the processing of credit and debit card payments, can help you identify ways to reduce this significant area of risk for many microbusinesses and nonprofits.

These tools and resources will be essential in implementing a comprehensive strategy for cybersecurity. However, implementing and using them effectively requires that you develop a comprehensive strategy that is tailored to address your organization’s unique vulnerabilities. The next two parts will describe one process you can follow to develop an effective strategy. By taking this approach, you’ll be able to make better use of the available tools and resources to address your organization’s cybersecurity needs and risks.

Part 2 – Developing a Cybersecurity Plan for Your Organization – Beginning the Process

Given the number of cybercrooks out there, and the many strategies used to carry out an attack, the task of securing your organization may seem daunting, and it is easy to become overwhelmed. One way to keep yourself on track is to break down the plan for securing your organization into three steps: Identify Critical Data; Assess Your Risk Level; and finally, Implement an Ongoing Cybersecurity Strategy.

Part 2 of this Blog addresses how to identify your organization’s critical data and assess your primary risks and vulnerability to a cyberattack. Part 3 will discuss how to use this information to implement an effective cybersecurity plan that is tailored to your organization.

Step one – Identify Critical Data

This step may seem unnecessary, but overlooking it could sabotage your efforts to create an effective plan or cause you to spend far more time than is warranted working on issues that really do not constitute a substantial threat to the organization. The reason is simple: in order to mount an effective defense against a cyberattack, you must first know what data and applications need to be secured. For this reason, your first step in developing an effective cybersecurity plan is to evaluate your situation by asking two questions. First, what data and software are “mission critical” to the organization? Second, what “third-party data” do we store and retain that must be protected? Taking this step is critical because leaders of microbusinesses and similarly sized nonprofits simply do not have the luxury of unlimited staff and resources. They must focus their cybersecurity efforts on what is most important based on their unique situation.

Identify “Mission Critical” Information and Software Applications

Identifying what is “mission critical” to your organization requires a little bit of imagination, as well as some investigation. A good way to start is to imagine what would happen if you discovered one morning that your entire organization had been subject to a successful ransomware attack. You have just grabbed a cup of coffee, turned on your desktop or laptop, and are faced with a ransom demand filling the screen.

You open your smartphone and tablet and find that they display the same message! This means you can’t access your documents, such as Word and Excel templates, customer lists, records and forms. Access to everything saved to a computer or stored online has been blocked. You really panic when you attempt to access your company email account and discover that it has also been hacked and the password has been changed!

Now, ask yourself: what information (data) is critical to the operation of your organization over the next day, the next week, and the next month? What “software” (apps, programs and applications) do you use daily to generate forms, invoices and correspondence in your organization? This likely would include things like customer lists, templates, custom business software, and a variety of transaction records. You’ll likely decide that some data and applications truly are “mission critical” (things you simply cannot operate at all without immediate access) while others you could work around for at least some period of time.

One point to remember, though, is that your list likely will be different from the one another organization would prepare. For example, an architect’s or engineer’s ability to access work performed for a client five or ten years ago may be the most important competitive advantage they have to gain repeat business for improvements or modifications to a project. On the other hand, that same data may simply be taking up space on another business’s computer hard drive.

Identify protected third-party information.

Once you have identified the data and information critical to your organization’s operation, you then need to determine what data your organization maintains that relates to third parties (customers, suppliers, employees and independent contractors). The previous blog described ways cybercrooks use personal information to compromise computer networks and rob innocent third parties. For that reason, you need to identify data you have retained that could be exploited in a cyberattack to injure these third parties.

This third-party data is often referred to as personally identifiable information (PII). The Department of Homeland Security defines PII as any information that permits the identity of an individual to be directly or indirectly inferred. Sensitive PII includes Social Security numbers, driver’s license numbers, alien registration numbers, financial account and medical records, biometric data, or an individual’s criminal record.

Of course, it is important to identify what sensitive PII your organization has in order to protect others against losses from a malicious cyberattack. However, it also is important for your organization to do this because almost every state has enacted laws mandating disclosure to these third parties if your organization is the victim of a cyberattack that likely resulted in the disclosure of sensitive PII to a cybercrook. Missouri’s statute can be found here.

In addition, there are laws and regulations that impose requirements on specific industries, such as finance and health care. These will vary, but the risk to your organization is much the same: a failure to safeguard this third-party sensitive PII may lead to its disclosure, and in turn to a successful attack directed against the third party. To protect these individuals, your organization will need to notify them of the attack. Depending on the amount of information involved, this could be quite expensive and time-consuming. It almost certainly will damage your organization’s reputation.

While you may be able to quickly identify the type of sensitive PII your organization retains, determining where that information is located and stored can be a challenge. Most organizations have multiple devices (computers, tablets, servers, smartphones and others) that store the data locally. In addition, this information often also is stored remotely on devices maintained by third parties, in what has come to be known as “the Cloud.” Since data backups to the Cloud can be initiated automatically, you may find that there are multiple copies of sensitive information stored in multiple locations. Depending on your organization’s size, and most importantly on whether it likely receives, maintains and stores sensitive PII, you may want to look into using specialized software that is designed to search the various locations where your organization may have stored sensitive PII, both on local devices and in the Cloud.
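The core of the specialized discovery software mentioned above is a pattern scan with sanity checks to keep false positives down. The following is an added example, not code from this blog or from any commercial product: it walks a folder tree (a local share or a synced cloud folder, for instance), flags files containing structurally plausible Social Security numbers and Luhn-valid 16-digit payment card numbers, and reports redacted matches so the inventory itself does not become another copy of the PII. The sample files it scans are constructed inline.

```python
"""Locate files holding sensitive PII (SSNs and 16-digit payment card numbers)
so they can be inventoried, protected or deleted. Matches are redacted in
the report so the scan itself does not spread the data it finds."""
import re
import tempfile
from pathlib import Path

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 16-digit card formats (Visa, Mastercard, Discover); Amex would need a 4-6-5 pattern.
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject structures the SSA never issues: area 000, 666 or 9xx, group 00, serial 0000."""
    return not (area in ("000", "666") or area.startswith("9")
                or group == "00" or serial == "0000")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out order or phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the last four characters, enough to recognise the record later."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str) -> list:
    """Return (kind, redacted_value) pairs for every plausible SSN or card number."""
    hits = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append(("ssn", redact(m.group(0))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", redact(digits)))
    return hits


def scan_tree(root: Path, suffixes=(".csv", ".txt", ".log")) -> dict:
    """Walk a directory (local share, synced cloud folder, ...) and map file -> findings."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        hits = scan_text(path.read_text(errors="ignore"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo() -> dict:
    """Constructed sample tree: a payroll export, an order log and an unrelated note."""
    root = Path(tempfile.mkdtemp())
    (root / "hr").mkdir()
    (root / "hr" / "payroll.csv").write_text(
        "name,ssn\nAda,123-45-6789\nBob,000-12-3456\n")  # second row is structurally invalid
    (root / "orders.txt").write_text(
        "paid with 4111 1111 1111 1111; ref 4111 1111 1111 1112\n")  # second number fails Luhn
    (root / "notes.txt").write_text("budget review 2024-25, call 573-555-0100\n")
    return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

Real deployments also need to open Office documents, PDFs and mailbox exports, which is where the commercial tools earn their cost; the output of a scan like this is the list of locations your notification and backup plans must cover.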

Step Two – Assess Your Risk Level

Once you have identified the “mission critical” information and applications and the sensitive PII your organization holds, you can move to the second step of your cybersecurity strategy: assessing how well this information and these applications are protected from a cyberattack. Since a cyberattack is most likely to be launched by someone who is accessing the internet, a good way to begin is by examining how your organization interacts with the internet.

Inventory internet-connected devices

One place to start this effort is to catalogue the devices that can access the internet. Of course, this will include the desktops, laptops, tablets and smartphones your organization owns and maintains. However, that may only be the first step, and it may not include your most vulnerable access points for a cyberattack. For example, you or your employees may access the organization’s LAN remotely from a home computer, smartphone or tablet. You may also have granted customers, patrons or suppliers special access to your network resources. Each of these is a potential “point of access” for a cyberattack. As you develop an appropriate cybersecurity plan in Part 3 of this blog, you will need to take these devices and entry points into account as well as your LAN and the devices that are attached to it.

Addressing customer credit or debit card payment information

Most businesses and nonprofits must be able to seamlessly accept payments and/or donations with a credit or debit card. However, it is very important to understand what responsibilities your organization has assumed through its credit or debit card payment arrangements, and how that risk can vary depending on how the organization has structured its payment receipt system.

In 2004, the major payment card companies created the “Payment Card Industry Data Security Standard,” usually referred to as “PCI DSS.” The PCI DSS establishes industry standards for businesses and organizations that accept, transmit or store payment card information. This is not a federal or state law, although, as previously discussed, separate federal or state laws or regulations may require disclosure and create liability issues for your organization if PII is compromised in a cyberattack. Data Security Standards for PCI compliance vary depending on the payment brand (Visa, Mastercard, American Express, etc.) and the number and size of credit or payment card transactions. An organization that is not PCI compliant may lose the right to accept credit or payment card payments and, more importantly, face very substantial fines and penalties.

That said, most PCI compliance obligations are triggered only if the organization handles, transmits or stores credit or debit card information on its network. Fortunately, most small organizations can avoid many of the ongoing requirements to remain PCI compliant, and still offer customers or donors the convenience of using credit and debit cards, by using a payment card processor company. In a payment transaction these companies act as an “intermediary.” Once the transaction is initiated, the exchange of protected information (PII) is conducted on the processor’s network rather than the organization’s. The processor takes the payment card information directly from the customer and credits the organization’s account with the appropriate payment. Since the processor’s network handles the mechanics of the payment processing and stores that information as needed, the organization does not handle, transmit or store any protected data relevant to the transaction.

Of course, if your organization collects or stores payment data by some other means, such as requesting it directly from the customer or donor, that short-circuits the protection afforded by using the payment processor. It then must handle and secure the sensitive PII in accordance with the PCI DSS standards, and it potentially could be subject to significant economic fines and penalties if the sensitive PII it has stored is compromised through a cyberattack. For these reasons, organizations will want to be extremely cautious about collecting and storing any payment card information.

Cybersecurity and your organization’s website

Your organization almost certainly has some sort of “online presence,” whether it is through a commercial website provider or just a page on a social media site. As with other aspects of cybersecurity, your organization’s risk of a cyberattack will vary, and will depend in large part on the level of access offered to the public through the website. Additionally, in the case of a ransomware attack, the extent to which your organization relies on its website to maintain day-to-day operations will be important in assessing how much the cybersecurity plan for the organization needs to focus on website cybersecurity. As a general rule, if your organization has a website, you’ll want to spend time understanding the cybersecurity risks associated with the site, even if you rely on a third party to prepare and maintain it for your organization.

The risk of a successful cyberattack through your website depends in part on the software and cybersecurity tools used by the company that hosts that site for your organization. Websites whose security software is regularly updated are at less risk. However, if your website permits customers or users to upload any files or documents onto the site, you will need to be particularly diligent to ensure that those files are screened for malware, as this feature gives any cybercrook a potential way to launch a malicious attack on the website. Additionally, if your website provider offers options to accept payment cards, you’ll need to assess whether it is PCI DSS compliant.

The Final Step

Now that you have learned what a cyberattack is and how it is carried out, determined what data and applications your organization needs to protect, and reviewed your organization’s unique risk profile, you are ready to focus on ways to protect your organization. This is the focus of Part 3 of this Blog.