December 17, 2016: With the constant drumbeat of headlines about the Russians attempting to influence the US Election via electronic espionage, or just plain hacking, we’re all more attuned to the risks associated with our convenient communication methods. Yahoo added this past week a few more beats to that message. Closer to home, in the past month I’ve had two email intrusions in the biomedical company I’m working with.
Nothing we have in our email accounts is as interesting as John Podesta’s, and neither of the attacks appears to have caused any immediate damage other than some loss of time and a degree of aggravation. All data related to the software that operates our business is highly secure and HIPAA compliant, and we keep no financial data on our customers. We’re as buttoned up as we can be where it really matters.
The email attacks were very cleverly designed spoofs. It was almost as if someone were watching over my shoulder and capturing my very tone of voice and that of others in the company. One tried to extract a wire transfer prior to my seeing the invoice, but the amount was large enough that we all figured out we were being impersonated before we let any funds get away. The second one sprang from an expected DocuSign from a trusted party, with links that checked out, and it replicated and forwarded itself to some address lists.
One does feel violated in these types of situations, as you often read. It’s like having a burglar roaming around your home when you’re away and stealing your prized possessions. I personally didn’t expose anything that could trigger a financial transaction from one of my accounts. Perhaps someone got my Social Security number off a document, but I’ve long since figured that was out there on the Dark Web anyway. Here it is: 678-34-0976. (Just kidding. I’m not the LifeLock guy.)
Heck, I even have a Bleacher Report account, which I had long since forgotten, and I had to change its password this morning per instructions from Yahoo, its owner.
Suffice it to say that we have gone to two-factor sign-ins on email and will be even more vigilant about sending around links or opening them, even among our internal working groups. I will insert no links in TechDrawl, as has been my custom, for some time to come. The hackers are just getting too clever and too good. I am under no delusion that this problem will go away or that I won’t be a victim again, no matter how deep are the layers of vigilance.
It has always been my policy that anything put in an email might become public information through hacking. It’s certainly discoverable in legal actions. You may remember the old adage that, if you can’t say something nice about somebody, you should say nothing. In communications media that may long outlast our mortal lives, that’s doubly true.
There’s enough inherent danger in any startup without having these cyber security distractions. At this time of year, most of us are evaluating where we are against plan and thinking ahead to 2017. What are we going to do differently, and better? Where did we have failings in the year now closing? One can’t help but muse about all that as the calendar turns.
The AngelSpan team here in Austin invented and owns the “transparency” space in the startup world. Nothing focuses management and comforts investors better than full and timely reporting of the good news and the bad. The end of a quarter, and especially a year, is a time when all of your stakeholders expect to hear from you. When you actually need them to do something for you, like invest more dollars or approve a transaction, they’ll be much more accommodating if they’ve been kept in the loop all along the way. Most startup investors look for psychic income in addition to a dollar return. They want the thrill of the experience and the great feelings that derive from helping create something of consequence. If you keep them informed, you’ll provide that extra bonus that attracted them to startup investing in the first place.
Joe Milam, the founder of AngelSpan, has talked to me in depth about his philosophy of how transparency de-risks a startup portfolio. I completely buy that concept and applaud his efforts in that direction. You may not be able to control how your customers behave or when they make the decisions you want, but you can easily control the information you disseminate and can reap the benefits from that action. There aren’t many other givens in startup life that you can so easily accomplish and that are so routinely expected and welcomed by your better investors.
With those thoughts, I will close by wishing you all the Happiest of Holidays.
And, for me, I’ll spend the rest of the afternoon for my next essay researching my fake news sources – primarily all the fake Twitter accounts I follow. At least in those the brilliance that might have been directed at hacking is going to an entertaining purpose; most are better characterizations than the real accounts of the target personalities, living or dead.
<Poster of Burglars Wanted from the Nova Scotia Archives via Wikimedia Commons, no copyright restrictions.>