Gladys Kravitz is Sniffing FREE WiFi Hotspots for Your Secrets

The free WiFi hotspot ritual is habitual. You head to your favorite café to get some work done “away from the office”. Justifying your $4 cup of 50 cent coffee with a Starbucks-approved rationalization (“I work so much more efficiently at my 3rd spot!”), you flip open your laptop, link to the free WiFi and get down to business. The caffeine primes your creativity, the  bustling noise provides a canvass backdrop for your artful work and the hyper-convenient Internet access makes it easy for someone else (think organized criminal) to intercept everything you send through the air.

At the table next to you, drinking a free glass of water (these guys are too smart to pay that price for a cuppa joe), sits a hacker running a piece of software that sniffs the data you send over the free (unprotected) WiFi. They watch your private data like Gladys Kravitz stalking the very bewitching and often nose-wriggling Samantha. When you log in to your webmail account, they record your username (usually your email address) and password. Since you use the same password for many different websites, they run an automated computer program that attempts to log into every bank in the world using that username and password. When it fails, the program automatically increments your email password in every way possible until it eventually cracks your banking code.

By the time you head for a latte refill, you can no longer afford it. (This is one effective way to break the Starbucks habit). Most of us have been well trained to unthinkingly connect to the FREE WiFi hotspot at cafés, airports and hotels. Wireless technology is both useful and powerful, but operating it without protection is like skydiving with a parachute that you never deploy (it’s a fun ride while it lasts…). If you connect to any WiFi hotspot without first having to log in with a unique username and password, there is nothing that masks your data as it travels through the air. (Watch the 9News Investigation Video with Jeremy Jojola for a sample).

How to use a free WiFi hotspot without crash landing

Like our previously mentioned skydiver, you want not only to put on your parachute before you jump, but to pull the cord before you taste dirt. Here are some simple steps you can take, along with a “How To” video, before you jump on your next free WiFi hotspot:

  1. HTTPS Surfing. If you absolutely must use the free WiFi hotspot, only exchange information over websites with encrypted connections. What’s an encrypted connection and how can you tell? Watch this short video to learn how to tell if you are on a safe, https internet connection. If you are, all of the data that goes between your device and the WiFi hotspot (and eventually onto the Internet), is scrambled and protected by a passcode (the encryption part) that makes it much harder to intercept. Banks (see video), Gmail and even Facebook (see video) offer HTTPS connections. Sometimes all you have to do on a website is to change your security defaults! If your connection is regular old http (no “s” at the end), just know that your data can be free for all to see (if they have the right tools).
  2. Tethering. Also known as a personal WiFi hotspot, tethering is the act of using your smartphone’s encrypted cellular connection to the Internet to surf securely from your mobile device. Tethering works for laptops, tablets and iPods and is relatively simple and inexpensive to use. To tether your computing device to your smartphone, simply contact your mobile provider (Verizon, AT&T, Sprint, T-Mobile, etc.) and let them know that you want to be able to connect your computing device to your smartphone (you want to tether). They will let you know that it costs about $15 per month (well worth the protection), will turn it on and will walk you through setting up both your smartphone and device so that they communicate with the Internet in a well-protected manner. Note: Many tablets, like the iPad, now come with cellular data access built into the device. So, for example, if you have an iPad with Wireless + Cellular capability, you can almost always connect via your cellular connection (just like your phone connects) and never even have to utilize free WiFi (though it’s still safe to use the secure Wifi in your home and office). You can do the same thing by accessing the Internet via your smartphone that is NOT connected to WiFi. Cellular surfing can be a bit slower, but it is considerably more private.
  3. VPN Software. Using a VPN (or virtual private network software), is a safer way to surf on free WiFi. Think of it like this: it takes the same protections you get when using an https connection and applies them to all of the URLs you visit. VPNs are standard gear for business users, but individuals need them just as much as corporations. One of the more popular VPNs for consumer use is Hotspot Shield VPN (this is not an educated endorsement of the product, just an example). The good part about a VPN is that it protects your data transmissions over the internet at all times, not just when using free WiFi.

Better yet, utilize all three solutions and find yourself 100% safer than the Frappuccino lover over at the next table. Mobile computing will increase your productivity, your connectivity and your flexibility. But to do it without a bit of security preparation is to court digital suicide.

John Sileo not only uses free WiFi hotspots (wisely), he is an internationally recognized keynote speaker on how to keep your employees from making poor data security decisions regarding identity, privacy and reputation protection. His happy clients included the Department of Defense, Pfizer, Visa, and Homeland Security. See his recent media appearances on 60 Minutes, Anderson Cooper and Fox Business.  Tyler Tobin, the CEO and Chief Hacker for Tobin & Associates LLC, is a world renowned Professional White Hat Hacker. His firm specializes in performing compliance, GLBA and full-blown security assessments. His customer base is both regional and global. Assessments include social engineering, external and internal vulnerability and penetration testing and compliance examinations (SEC, SOX, SSAE and GLBA).

Do you have the right cyber security training to take a joke?

What does cyber security training have to do with jokes, you ask? Well, you’re sitting at work when someone sends you an email that promises funny pictures, a joke or a viral video. You go ahead and click, forgetting everything you learned in your company’s cyber awareness sessions …but your company may be tricking you into training.

For many, the negative outcomes of ineffective cyber security remain invisible until they hit close to home. A large number of breaches to security occur not just because of the efforts of hackers, but also because of the naïve practices of employees. Anyone can compromise their workplace’s security unintentionally if they aren’t careful. Fortunately, one company named PhishMe is using this as an opportunity to call us out on our bad habits.

This business basically sends fake spam emails to your employees in order to teach them a better approach to privacy (and reveal how easy it is to give up your info). One such campaign, reported in the Wall Street Journal, involved a promise of cute cat photos. You might be thinking “Oh, come on. I wouldn’t fall for that!” But the potential is out there, and it only takes one careless second. And PhishMe has seen the behaviors of millions corrected because of its services. It’s just one of a few companies taking part in an effort to help corporations step up their game by using the methods of hackers against us as a sort of practice ground.

Anticipating the activities of hackers can be as difficult as accurately predicting the weather, but there are measures that companies can take to help bulk up their capabilities. Consider the advantages of proper cyber security training before you – or someone you work with – falls for one of these for real.    

John Sileo is a cyber security training expert and keynote speaker on reputation, privacy and cyber data protection. His clients included the Department of Defense, Pfizer, and Homeland Security. See his recent media appearances on 60 Minutes, Anderson Cooper and Fox Business. 

SCAM ALERT: Target Texting Scam

SCAM ALERT! There is a Target texting scam going around. The text looks similar to the one in the picture to the left, and generally says you’ve won a $1,000 gift card if you simply click on the link and collect the money. When you click on the link, it takes you to a Target-looking site that a criminal has set up to collect your private information. The information is then used to steal your identity. In other cases, clicking on the link installs a small piece of malware that takes control of your phone and forwards your private information to the criminals.

 

Where do the criminals get my mobile phone number to text me in the first place?

  1. They purchase it off of black-market sites on the internet
  2. You give your mobile number away to enter contests, vote on reality shows, etc.
  3. You post it on your Facebook profile for everyone to see
  4. Data hijackers hack into databases containing millions of mobile numbers
  5. Most likely, the thieves simply use a computer to automatically generate a text to every potential mobile phone number possible (a computer can make about a million guesses a second).
What can I do to protect myself and my phone?
  • If you receive a text from any number you don’t know, don’t open it, forward it or respond to it
  • Instead, immediately delete the text (or email)
  • If you accidentally click on the link, never fill out a form giving more of your information
  • Place yourself on the national DO NOT CALL list.
  • Stop sharing your mobile phone number except in crucial situations and with trusted contacts
  • Remember when you text to vote or to receive more information, enter sweepstakes or take surveys via text, they are harvesting your phone number.
  • Resist the urge to post your mobile number on your Facebook wall or profile

John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust. He is CEO of The Sileo Group, which helps organizations protect their mission-critical privacy. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation  or watch him on Anderson Cooper, 60 Minutes or Fox Business.

“Clickjacking” and “Likejacking” – Be Aware!

None of us wants to be part of a scam that allows links to be forwarded as if from a friend, invading their privacy and endangering their sensitive  information. It’s not always easy to avoid bad sites but by just being aware of the problem, you can become more adept. The following article is a summary of an original post By Rob Spiegel, E-Commerce Times.

In its on-going effort to mitigate spam activity, Facebook filed a lawsuit against a company that allegedly ran a “likejacking” operation. “We’re hopeful that this kind of pressure will deter large scale spammers and scammers,” said Facebook spokesperson Andrew Noyes. The state of Washington is also applying pressure, having mounted a similar lawsuit against the same company. Both suits were filed citing violation of the CAN-SPAM Act, which prohibits the sending of misleading electronic communications.  Facebook and Washington state filed federal lawsuits on Thursday against Adscend Media for “clickjacking,” a form of spamming that fools users into visiting advertising sites and divulging personal information.


“Likejacking” is similar; victims are tricked into using Facebook’s Like button to spread spam. Users believe links to spam sites are being sent to them by friends, and the advertiser collects money from clients for every user misdirected. A prominent example is the indictment in California of self-proclaimed “spam king” Sanford Wallace in August, Noyes said. “Two years ago, Facebook sued him, and a U.S. court ordered him to pay a (US)$711 million judgment. Now he faces serious jail time for this illegal conduct.” Facebook also secured a $360.5 million judgment against spammer Philip Porembski, said Noyes, which “followed an $873 million spam judgment in 2008 against Adam Guerbuez and Atlantis Blue Capital for sending sleazy messages to our users.” The Guerbuez judgment was the largest award ever under the CAN-SPAM Act, he noted.

Clickjacking is a programming technique that employs a seemingly innocent button to trick users into visiting sites unintentionally. Likejacking is a similar technique that utilizes Facebook’s Like button. The technique is also referred to as “UI redressing.” Clickjacking is “quite well understood,” Roger Kay, founder and principal of Endpoint Technologies, told the E-Commerce Times. “It is used by both legit and illegit programs.” Both clickjacking and likejacking are designed to trick users.

“When someone browsing clicks on a site, the site can execute arbitrary code in the browser,” said Kay. “It can set a cookie, say, for Amazon (Nasdaq: AMZN), or do more nefarious things, like inject malware designed to call other malware later.” Clickjacking has been prevalent for years, and likejacking has become similarly entrenched. Many users of Facebook have likely experienced it in the form of a product-related message that seemed to be from a friend. “The use of the technique is widespread,” said Kay. “Consumers need to use better judgment about which links they click on.”

Links can be forwarded as if from friends, and some come-ons are pitched just right to get around the user’s suspicions he noted.”If you’re the target of a spear phish, then the attack is tailored to you,” said Kay. “So, avoiding bad sites becomes a kind of ninja art everyone must learn.”

 

John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply performance by building a culture of deep trust. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation or watch him on Anderson Cooper60 Minutes or Fox Business1.800.258.8076.

Whose Device – Yours, Mine or Ours?

Carrying multiple personal devices is a pain and, yet, the fear of giving away critical company data is a nightmare.

For most of us, being connected equals being productive. However, this simple equation becomes complex when one has to juggle personal devices with those issued by our employers. Paramount in an employer’s mind is the protection of the company’s critical and confidential business data but they don’t want to alienate employees by being too restrictive on using their personal smartphones and tablets.

Recent research has found that nearly three out of four adults don’t protect their smartphones with security software and these same people often use their devices to access social media and websites that attract cybercrooks. Poorly-secured  devices can be easily accessed by hackers who are becoming evermore sophisticated and ferocious.

This device conundrum ties directly to corporate IT culture and the question of allowing employees to use personal devices to conduct business. The solution ranges anywhere from an outright ban (which employees often ignore) to fully embracing an employee’s choice, while building corporate safeguards to block spam and corrupt application downloading. Some companies permit it with tight controls such as having the ability to wipe the gadgets clean of all information in the case of loss. Of course that means all personal data will be wiped along with business data but studies show employee satisfaction (ergo productivity) is tied to exercising personal preference of devices.

Security and legal teams wrestle with this dilemma constantly in the mobil world of today and there’s no clear cut answer. Protecting a company and its clients’ data is essential; but also, productivity, efficiency, organization and responsiveness are but a few benefits of giving employees their choice of gadget.

Arming those same employees with the safety measures to secure their devices from fraudulent activities is where IT departments can manage risk. Building a parallel strategy that serves both corporate IT and the end-user is not only necessary, it is beneficial to the bottom-line.

John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply performance by building a culture of deep trust. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation or watch him on Anderson Cooper60 Minutes or Fox Business1.800.258.8076.

 

 

 

 

 

 

 

 

 

 

4 Critical Steps to Mobile Security (iPhones, iPads, Laptops)

Is your favorite gadget burning your bottom line?

No, I’m not referring to the unproductive hours you spend on Angry Birds. I’m talking about mobile security.

Why is Mobile Security So Vital?

Think about the most indispensable gadget you use for work – the one without which you cannot survive. I’m taking a calculated guess here, but I bet your list doesn’t include a photocopier, fax or even a desktop computer. Business people have become highly dependent on digital devices that keep them connected, efficient, flexible and independent no matter where they are. In other words, we are addicted to our mobile gadgets: iPhones, Droids, BlackBerrys, iPads, tablets, laptops and the corresponding Wi-Fi connections that link us to the business world.

To stay nimble and ahead of the game, we must be able to respond to any request (a call, email, social media post, text message), research anything (a client’s background, solutions to a problem) and stay current on what’s happening in our field of influence (breaking news, tweets) even when we are out of the office.

But the same gadgets that give us a distinct competitive advantage, if left unprotected, can give data thieves and unethical competitors a huge and unfair criminal advantage. The net result of organizational data theft can be devastating to your job security, your bottom line, and your long-term reputation. The solution, of course, is to proactively protect your mobile office, whether it’s digital, physical or both. Mobile security is not optional.

Data Thieves Target Mobile Offices

What is a mobile office? If you own any of the gadgets listed above and use them even in minor ways for work (checking email, surfing, social media), you have a mobile office. Smartphones and tablets are more powerful than the desktops of just three years ago. Laptops are the bull’s eye for data thieves, though their attention is quickly moving to smaller, easier-to-steal gadgets. If you work out of your car, travel for your company or have a home office in addition to your regular workplace, you are a mobile worker.

Ignoring the call to protect these devices is no different than operating your office computer without virus protection, passwords, security patches or even the most basic physical protection.  If you do nothing about the risk, you will get stung, and in the process, may lose your job, your profits and potentially even your company. The threat isn’t idle – I lost my business because I refused to acknowledge the power of information and the importance of protecting it like gold.

To protect yourself and your company from becoming victims of mobile data theft, start with the 4 Critical Steps to Defend Your Mobile Gadgets:

  1. Make sure that employees aren’t installing data hijacking apps (like the Chess app that was pulled from the Android Marketplace because it was siphoning bank account logins off of users’ smartphones) on their smartphones and tablets thinking that they are harmless games.
  2. Implement basic mobile security on all mobile devices, including: secure passwords, remote tracking and wiping, auto-lock, auto-wipe and call-in account protection.
  3. Only utilize protected Wi-Fi connections to access the web. Free hotspots are constantly monitored by data sniffers looking to piggyback into your corporate website.
  4. Don’t ignore non-digital data theft risks like client files left in cars, hotel rooms and off-site offices. The tendency to over-focus on digital threats leaves your physical flank (documents, files, paper trash, etc.) exposed.

John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply performance by building a culture of deep trust. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation (he shares how he lost $300,000, 2 years and his business to data breach) or watch him on Anderson Cooper, 60 Minutes or Fox Business. 1.800.258.8076.

Anderson Cooper Targets ID Theft in New Year's Resolution

Anderson Cooper’s 1st show of the year brought a panel of experts to discuss New Year’s resolutions, why we make them and how we can better keep them. Identity theft expert John Sileo closed out the show with 3 Tips for Avoiding Scams in the new year. Click on the video to the left to view the segment. Anderson and John discuss smartphone stupidity, passwords and social networking privacy.
Identity Theft Expert John Sileo Appears on the Anderson Cooper New Year’s Resolution Special.

John Sileo is an award-winning author and speaks internationally on the dark art of deception (identity theft, data privacy, social media manipulation) and it’s polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply results and increase performance by building a culture of deep trust. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his keynote or media appearances on Anderson Cooper, 60 Minutes or Fox Business. Contact him on 800.258.8076.

Top Tips to Stop Travel Identity Theft – Sileo on Fox Business

Identity theft increases a great deal when you are on the road. Start protecting yourself with these Top 5 Identity Theft Tips while traveling:
  1. Travel Data Light. If you don’t have to take it with you, increase your safety and leave it at home. This includes checkbooks, debit cards, excess credit cards, Social Security cards and any excess digital gadgets. Simplicity is Security!
  2. Guard Your Devices. Smartphones and tablets are as powerful as laptops. Turn on the auto-lock passcode to keep others out of your information.
  3. Surf Protected. Stop using the free WiFi hotspots in cafes, airports and hotels, as they are constantly sniffed by cyber criminals. Instead, setup tethering between your mobile phone and tablet or laptop so that you are surfing safely.
  4. Privacy Please! Instead of leaving loads of data unprotected in your hotel room (a major source of theft), hang your privacy sign on the door and let house cleaning know that you do not want to be disturbed. Lowering traffic lowers risk.
  5. Mind the Lions at the Watering Hole. Take a minute to watch the video to the left to understand how increasing your awareness in airports, hotels, conferences and restaurants can save you tons of time and money.
Remember, protecting identity on the road isn’t just about you, it’s also about the data you handle in your business every day. It’s one thing to put your own identity at risk, it’s an entirely different affair to jeopardize the security of customer data, employee records or intellectual capital owned by the organization that pays you.
John Sileo is an author and recognized keynote speaker on how identity theft prevention bolsters your bottom line. Learn more about how he can inspire your organization to care about data security, social media privacy, identity management and trust leadership. Contact him directly on 800.258.8076. 

iPad Vampires: 7 Simple Security Settings to Stop Data Suckers

Information is the currency and lifeblood of the modern economy and, unlike the industrial revolution, data doesn’t shut down at dinnertime. As a result, the trend is towards hyper-mobile computing – smartphones and tablets – that connect us to the Internet and a limitless transfusion of information 24-7. It is an addiction that employers encourage because it inevitably means that we are working after hours (scanning emails in bed rather than catching up with our spouse).

In the work we do to change the culture of privacy inside of organizations, we have discovered a dilemma: iPads are not as secure as other forms of computing and are leaking significant amounts of organizational data to corporate spies, data thieves and even competing economies (China, for example, which would dearly love to pirate the recipe for your secret sauce). Do corporations, then, sacrifice security for the sake of efficiency, privacy for the powerful touch screens that offer a jugular of sensitive information?

Of course not! That’d be like driving a race car minus seat belts and air bags.

iPads provide a competitive advantage, and like generations of tools before it (the cotton gin, the PC), individuals and organizations alike will be forced to learn how to operate this equipment safely or risk the bite of intellectual property vampires. Here are 7 Simple Security Settings to help you lock down your iPad much like you would your laptop.

7 Simple Security Settings for Your iPad

  1. Turn On Passcode Lock. Your iPad is just as powerful as your laptop or desktop, so stop treating it like a glorified book. Your iPad is only encrypted when you enable the passcode feature. (Settings/General)
  2. Turn Simple Passcode to Off. Why use only an easy to crack 4-digit passcode when you can implement a full-fledged alphanumeric password? If you can tap out short emails, why not spend 5 seconds on a proper password.
  3. Require Passcode Immediately. It is slightly inconvenient and considerably more secure to have your iPad automatically lock up into passcode mode anytime you leave it alone for a few minutes.
  4. Set Auto Lock to 2 Minutes. Why give the table thief at your favorite café more time to modify your settings to his advantage (to keep it from locking) as he walks out the door with your bank logins, emails and kid pictures.
  5. Turn Erase Data after 10 Tries to On. Even the most sophisticated passcode-cracking software can’t get it done in 10 tries or less. This setting wipes out your data after too many failed attempts. Just make sure your kids don’t accidentally wipe out your iPad (forcing you to restore from your latest iTunes backup).
  6. Use a Password Manager. Your passwords are only as affective as your ability to use them wisely (they need to be long and different for every site). Keeping your passwords in an unencrypted keychain or document is a recipe for complete financial disaster. Download a reputable password-protection app like 1Password to manage and protect any sensitive passwords, credit card numbers, software licenses, etc. Not only is it safe, it’s incredibly convenient and efficient.
  7. Avoid Untrustworthy Apps. Not all applications are friendly. Despite Apple’s well-designed vetting process, there are still malicious apps that slip through the cracks to siphon data out of your device. If the app hasn’t been around for a while and if you haven’t read about it in a reputable journal (Macworld, Wall Street Journal, New York Times, etc.), don’t load it onto your system. Don’t jail-break your iPad to download apps outside of iTunes. Short-term gain equals long-term risk.

Believe it or not, these simple steps begin to give you a level of security that will discourage casual data vampires. After implementing the Simple 7, move on to 5 Sophisticated Security Settings for iPads for even more robust data defense.

John Sileo lost almost a half-million dollars, his business and his reputation to identity theft. Since then, he’s become America’s leading keynote speaker on identity theft, social media exposure and weapons of manipulation. He helps organizations build successful cultures of privacy. His clients include the Department of Defense, Pfizer and Homeland Security. To learn more, visit ThinkLikeASpy.com or contact him directly on 1.800.258.8076.

7 Steps to Secure Profitable Business Data (Part II)

In the first part of this article series, we discussed why it is so important to protect your business data, including the first two steps in the protection process. Once you have resolved the underlying human issues behind data theft, the remaining five steps will help you begin protecting the technological weaknesses common to many businesses.

  1. Start with the humans.
  2. Immunize against social engineering.
  3. Stop broadcasting your digital data. There are two main sources of wireless data leakage: the weakly encrypted wireless router in your office and the unprotected wireless connection you use to access the Internet in an airport, hotel or café. Both connections are constantly sniffed for unencrypted data being sent from your computer to the web.Strategy: Have a security professional configure the wireless router in your office to utilize WPA-2 encryption or better. If possible, implement MAC-specific addressing and mask your SSID. Don’t try to do this yourself. Instead, invest your money in proportion to the value of the asset you are protecting and hire a professional. While the technician is there, have him do a thorough security audit of your network. You will never be sorry for investing the additional money in cyber security.To protect your data while surfing on the road, set up wireless tethering with your mobile phone provider (Verizon, Sprint, AT&T, T-Mobile) and stop using other people’s free or fee hot spots. Using a simple program called Firesheep, data criminals can “sniff” the data you send across these free connections. Unlike most hot-spot transmissions, your mobile phone communications are encrypted and will give you Internet access from anywhere you can make a call.
  4. Eliminate the inside spy. Most businesses don’t perform a serious background check before hiring a new employee. That is short sighted, as much of the worst data theft ends up being an “inside job” where a dishonest employee siphons information out the back door when no one is looking. In the consulting work we have done with breached companies, we have discovered the number one predictor of future theft by an employee – past theft. Most employees who are dishonest now were also dishonest in the past, which is why they no longer work for their former employer.Strategy: Invest in a comprehensive background check before you hire rather than wasting multiples cleaning up after a thief steals valuable data assets. Follow up on the prospect’s references and ask for some that aren’t on the application. Investigating someone’s background will give you the knowledge necessary to let your gut-level instinct go to work. More importantly, letting your prospective hire know in advance that you will be performing a comprehensive background check will discourage dishonest applicants from going further in the process (watch the video for further details). I personally recommend CSIdentity’s SAFE product, which is a technologically superior service to other background screen services.
  5. Don’t let your mobile data walk away. In the most trusted research studies, 36-50% of all major data breach originates with the loss of a laptop or mobile computing device (smart phone, etc.). Mobility, consequently, is a double-edged sword (convenience and confidentiality); but it’s a sword that we’re probably not going to give up easily.Strategy: Utilize the security professional mentioned above to implement strong passwords, whole disk encryption and remote data-wiping capabilities. Set your screen saver to engage after 5 minutes of inactivity and check the box that requires you to enter your password upon re-entry. This will help keep unwanted users out of your system. Finally, lock this goldmine of data down when you aren’t using it. Either carry the computer on your person (making sure not to set it down in airports, cafes, conferences, etc.), store it in the hotel room safe, or lock it in an office or private room when not using it. Physical security is the most overlooked, most effective form of protection.
  6. Spend a day in your dumpster. You have probably already purchased at least one shredder to destroy sensitive documents before they are thrown out. The problem tends to be that no one in the business uses it consistently.Strategy: Take a day to pretend that you are your fiercest competitor and sort through all of the trash going out your door for sensitive documents. Do you find old invoices, credit card receipts, bank statements, customer lists, trade secrets, employee records or otherwise compromising information? It’s not uncommon to find these sources of data theft, and parading them before your staff is a great way to drive the importance of privacy home. If your employees know that you conduct occasional “dumpster audits” to see what company intelligence they are unsafely throwing away, they will think twice about failing to shred the next document. In addition to properly disposing of new documents, make sure that you hire a reputable on-site shredding company to dispose of the banker’s boxes full of document archives you house in a back room somewhere within your offices.
  7. Anticipate the clouds. Cloud computing (when you store your data on other people’s servers), is quickly becoming a major threat to the security of organizational data. Whether an employee is posting sensitive corporate info on their Facebook page (which Facebook has the right to distribute as they see fit) or you are storing customer data in a poorly protected, noncompliant server farm, you will ultimately be held responsible when that data is breached.Strategy: Spend a few minutes evaluating your business’s use of cloud computing by asking these questions: Do you understand the cloud service provider’s privacy policy (e.g. that the government reserves the right to subpoena your Gmails for use in a court of law)? Do you agree to transfer ownership or control of rights in any way when you accept the provider’s terms of service (which you do every time you log into the service)? What happens if the cloud provider (Salesforce.com, Google Apps) goes out of business or is bought out? Is your data stored locally, or in another country that would be interested in stealing your secrets (China, Iran, Russia)? Are you violating any compliance laws by hosting customer data on servers that you don’t own, and ultimately, don’t control? If you are bound by HIPAA, SOX, GLB, Red Flags or other forms of legislation, you might be pushing the edges of compliance.

By taking these simple steps, you will begin starving data thieves of the information they literally take to the bank. This is a cost-effective, incremental process of making your business a less attractive target. But it doesn’t start working until you do.

John Sileo, the award-winning author of Privacy Means Profit, delivers keynote speeches on identity theft, data security, social media exposure and weapons of influence. His clients include the Department of Defense, Pfizer, Homeland Security, Blue Cross, the FDIC and hundreds of corporations, organizations and associations of all sizes. Learn more at www.ThinkLikeASpy.com.