7 Steps to Secure Profitable Business Data (Part I)

Everybody wants your data. Why? Because it’s profitable, it’s relatively easy to access and the resulting crime is almost impossible to trace. Take, for example, Sony PlayStation Network, Citigroup, Epsilon, RSA, Lockheed and several other businesses that have watched helplessly in the past months as more than 100 million customer records have been breached, ringing up billions in recovery costs and reputation damage. You have so much to lose.

To scammers, your employees’ Facebook profiles are like a user’s manual about how to manipulate their trust and steal your intellectual property. To competitors, your business is one poorly secured smartphone from handing over the recipe to your secret sauce. And to the data spies sitting near you at Starbucks, you are one unencrypted wireless connection away from wishing you had taken the steps in this two-part article.

Every business is under assault by forces that want access to customer databases, employee records, intellectual property, and ultimately, your bottom line. Research is screaming at us—more than 80% of businesses surveyed have already experienced at least one breach and have no idea of how to stop a repeat performance. Combine this with the average cost to repair data loss, a stunning $7.2 million per incident (both statistics according to the Ponemon Institute), and you have a profit-driven mandate to change the way you protect information inside of your organization. “But the risk inside of my business,” you say, “would be no where near that costly.” Let’s do the math.

A Quick and Dirty Way to Calculate Your Business’s Data Risk

Here is a quick ROI formula for your risk: Add up the total number of customer, employee and vendor database records you collect that contain any of the following pieces of information – name, address, email, credit card number, SSN, Tax ID Number, phone number, address, PIN – and multiply that number by $250 (a conservative average of the per record cost of lost data). So, if you have identifying information on 10,000 individuals, your out-of-pocket expenses (breach recovery, notification, lawsuits, etc.) are estimated at $2.5 million even if you don’t lose a SSN or TIN. And that cost doesn’t necessarily factor in the public relations and stock value damage done when you make headlines in the papers.

In an economy where you already stretch every resource to the limit, you need to do more with less. Certain solutions have a higher return on investment. Start with these 7 Steps to Secure Profitable Business Data.

  1. Start with the humans. One of the costliest data security mistakes I see companies make is to only approach data privacy from the perspective of the company. But this ignores a crucial reality: All privacy is personal. In other words, no one in your organization will care about data security, privacy policies, intellectual property protection or data breach until they understand what it has to do with them.Strategy: Give your people the tools to protect themselves personally from identity theft. In addition to showing them that you care (a good employee retention strategy), you are developing a privacy language and framework that can be easily adapted to business. Once your people understand opting out, encryption and identity monitoring from a personal standpoint, it’s a short leap to apply that to your customer databases, physical documents and intellectual property. Start with the personal and expand into the professional. It’s like allowing people to put on their own oxygen masks before taking responsibility for those next to them. For an example of how the Department of Homeland Security applied this strategy, take a look at the short video.
  2. Immunize against social engineering. The root cause of most data loss is not technology; it’s a human being who makes a costly miscalculation out of fear, obligation, confusion, bribery or sense of urgency. Social engineering is the craft of manipulating information out of humans by pushing buttons that elicit automatic responses. Data thieves push these buttons for highly profitable ends, including spear-phishing, social networking fraud, unauthorized building access, and computer hacking.Strategy: Immunize your workforce against social engineering. First, when asked for information, they should immediately apply a healthy dose of professional skepticism. Train them to automatically assume that the requestor is a spy of some sort. Second, teach them to take control of the situation. If they didn’t initiate the transfer of information (e.g., someone official approaches them for login credentials), have them stop and think before they share. Finally, during this moment of hesitation, empower them to ask a series of aggressive questions aimed at exposing fraud. When we do this type of training, whether it is for the Department of Defense, a Fortune 50 or a small business, the techniques are the same. You have to make a game out of it, make it interesting, interactive and fun. That’s how people learn. For an example of fraud training in action, visit www.Sileo.com/fun-fraud.

You will notice that the first 2 Steps have nothing to do with technology or what you might traditionally associate with data security. They have everything to do with human behavior. Failing to begin with human factor, with core motivations and risky habits, will almost certainly guarantee that your privacy initiatives will fail. You can’t simply force a regime of privacy on your company. You need to build a coalition; you need to instill a culture of privacy, one security brick at a time.

Once you have acknowledged the supreme importance of obtaining buy-in from your employees and training them as people first, data handlers second, then you can move on to the next 5 Steps to Secure Profitable Business Data.

John Sileo, the award-winning author of Privacy Means Profit, delivers keynote speeches on identity theft, data security, social media exposure and weapons of influence. His clients include the Department of Defense, Pfizer, Homeland Security, Blue Cross, the FDIC and hundreds of corporations, organizations and associations of all sizes. Learn more at www.ThinkLikeASpy.com.

7 Data Theft Hotspots for Meeting Professionals

Everybody wants your data, especially when you are in the business of meetings. Your data doesn’t just have a high face value (e.g., the attendee data, including credit card numbers that you collect and store in your online registration system), it also has a high resale value .

Here is how the theft is most often committed in your industry:

  • Competitors hire one of your employees and they leave with a thumb drive full of confidential files, including client lists, personally identifying information on talent and employees, financial performance data, etc.
  • Social engineers (con artists) mine your employee’s Facebook profiles to gain a heightened level of trust which allows them to manipulate your human assets
  • Cyber criminals hack your lax computer network or sniff the unprotected wireless connections you and your employees use while traveling (Starbucks, hotels, airports).
  • Mobile Computing Thieves target your digital devices (Laptop, smartphone, tablet) and other weak points while on the road.
  • Opportunistic Vendors (Cleaning services, painters, landlords) quietly collect data assets from your desks, filing cabinets, trash cans and dumpsters when you aren’t even in the office.

Research is screaming at us—more than 80% of businesses surveyed have already experienced at least one breach (average recovery cost according to the Ponemon Institute: $7.2 million) and have no idea of how to stop a repeat performance.

A Quick and Dirty Way to Calculate Your Risk as a Meeting Professional

Here is a quick ROI formula for your risk: Multiply the number of attendees, employees and executives for whom you store any one of the following pieces of sensitive identity – name, address, email, credit card number, SSN, TIN, phone number – and multiply that by $240 (the industry average per record of lost data). So, if you have identifying information on 1,000 individuals, your out-of-pocket expenses (breach recovery, notification, lawsuits, etc.) are estimated at $240,000 even if you don’t lose a SSN or TIN. That is not a guess, those are real numbers.

As agencies who already stretch every resource to the limit just to stay in the game, you need to do more with less. I can’t possibly give you all of the answers to protecting your bureau or management company in a simple article, but I’d like to share 7 Data Theft Hotspots that you should address first.

  1. Start with the humans. One of the costliest data security mistakes I see departments make is thinking that this is a problem for large businesses only. It is a big problem for large businesses, but data theft is far more damaging to governmental organizations because of the increased regulation and legal scrutiny. Strategy: Give your people the tools to protect themselves personally from identity theft. In addition to showing them that you care (a good employee retention strategy), you are developing a privacy language that can be applied at work without spending all kinds of money on a security risk assessment. Once they understand opting out, encryption and identity monitoring from a personal standpoint, it’s a short leap to apply that to your attendee databases and intellectual property. You can do this in very simple, inexpensive ways. While this doesn’t necessarily train them on the specific tools to protect your bureau’s intellectual capital and customer data, it does increase their awareness of data theft and shows them that their self-interest is involved (i.e., their job depends on it). To get them started on protecting themselves, you are welcome to use this free Identity Theft Prevention Checklist.
  2. Immunize against social engineering. The root cause of most data loss in professional services companies like yours is not technology; it’s a human being who makes a costly miscalculation out of fear, obligation, confusion, bribery or sense of urgency. Social engineering is the craft of manipulating information out of you or your staff by pushing buttons that elicit automatic responses. Data thieves push these buttons for highly profitable ends, including spear-phishing, social networking fraud, unauthorized building access, and computer hacking. Strategy: Immunize your employees against social engineering. First, when asked for information, they should immediately apply a healthy dose of professional skepticism (Hogwash J). Train them to automatically assume that the requestor is a spy of some sort. Second, teach them to take control of the situation. If they didn’t initiate the transfer of information (e.g., the credit card company called you, not vice versa), have them stop and think before they share. Finally, during this moment of hesitation, empower them to ask a series of aggressive questions aimed at exposing fraud. This is the key – getting them to be curious in the face of a request for sensitive information. These are some of the materials that I went through in an abbreviated fashion during IASB, but you can communicate them just as well as I can.
  3. Stop broadcasting your digital data. There are two main sources of wireless data leakage in the meeting professionals world: the weakly encrypted wireless router in your office and the unprotected wireless connection you use to access the Internet in an airport, hotel or café. Both connections are constantly sniffed for unencrypted data being sent from your computer to the web. Strategy: Stop trying to keep your computer and network security in house and inexpensive – it is part of the costs of owning all of that processing power. Have a security professional configure the wireless router in your office to utilize WPA-2 encryption or better. If possible, implement MAC-specific addressing and mask your SSID. Don’t try to do this yourself. Instead, just hand a qualified technician this paragraph and continue to do what you do best (booking me J) while she earns your wisely spent dollars. While she’s there, have him do a security audit of your network, including firewall penetration, password strength, user-level access permissions, etc.Another major source of data theft (especially in the meetings industry) is Wi-Fi hotspot usage. Most Free hotspots do little to protect the data that you transmit over the wireless network. In fact, many home and company wireless networks are not set up to provide a secure connection to the internet and are, therefore, no safer than those you access for free in cafés, airports and hotels. Just say no to using free Wi-Fi hotspots, on your phone and your laptop. The most common form of exploitation associated with hotspots are “man-in-the-middle” attacks where a spy intercepts the transmission between your wireless network card and the cafés wireless router or modem. Using a legal, free and simple-to-use tool like Firesheep, a thief (or competitor/law enforcement, etc.) can sit next to you in a café and “sniff” your connections. Luckily, your Smartphone can provide a proactive way to help you protect your connection to the Internet when surfing wirelessly. Strategy: Tethering connects your computer to the Internet using a Smartphone (or Internet-enabled cell phone). It increases security because the mobile transmission between your cell phone and the cell tower is encrypted (scrambled) and hard to intercept. Therefore, when you use your Smartphone to surf the web, you are accessing a protected connection that probably can’t be sniffed. The connection might be slightly slower than a traditional Wi-Fi hotspot, but it is also much safer. Simply call your wireless provider and ask them if your Smartphone has tethering capabilities. You shouldn’t have to pay more than about $15 per month to put this solution into affect. Remember to do it for all company Smartphones as well.
  4. Eliminate the inside spy. Chances are you don’t always perform a very serious background check before hiring a new employee. That is short sighted, as most of the worst data theft ends up being an “inside job” where a dishonest employee siphons information out the back door when no one is looking. Many employees who are dishonest now were also dishonest in the past, which is why they no longer work for their former employer. Strategy: Invest in a comprehensive background check before you hire rather than wasting multiples cleaning up after a thief steals valuable data assets. Follow up on the prospect’s references and ask for some that aren’t on the application. Investigating someone’s background will give you the knowledge necessary to let your gut-level instinct go to work and will discourage dishonest applicants from going further in the process. Finally, make sure that the prospect you are employing knows that you are going to these lengths to check them out. Most people who are trying to gain employment in order to defraud you are scared away when they know you are investigating them.
  5. Don’t let your mobile data walk away. In the most trusted research studies, 36-50% of all major data breach originates with the loss of a laptop or mobile computing device (smart phone, etc.). Mobility, consequently, is a double-edged sword; but it’s a sword that we’re probably not going to give up easily in the high-travel world of the bureau and meetings industry. Strategy: Utilize the security professional mentioned above to implement strong passwords, whole disk encryption and remote data wiping capabilities. Set your screen saver to engage after 5 minutes of inactivity and check the box that requires you to enter your password upon re-entry. This will help keep unwanted users out of your system. Finally, lock this goldmine of data down when you aren’t using it. Either carry the computer on your person in a backpack, store it in the hotel room safe, or lock it in an office or fire safe when not using it. Physical security is the most overlooked, most effective form of protection and for people who travel as much as you do, it’s a major risk.
  6. Spend a day in your dumpster. You have probably already purchased at least one shredder to destroy sensitive documents before they are thrown out. The problem tends to be that no one in the business uses it consistently. Strategy: Take a day to pretend that you are your fiercest competitor and sort through all of the trash going out your door for sensitive documents. Do you find old W9s, invoices, credit card receipts, bank statements, customer lists, trade secrets, employee records or otherwise compromising information? It’s not uncommon to find these sources of data theft, and parading them before your staff is a great way to drive the importance of privacy home. If your employees know that you conduct occasional “dumpster audits” to see what company intelligence they are unsafely throwing away, they will think twice about failing to shred the next document. Also, check to make sure that these same documents are locked in a filing cabinet, safe or password-protected electronic format.
  7. Anticipate the clouds. Cloud computing (when you store your data on other people’s servers), is quickly becoming a major threat to the security of organizational data. Whether an employee is posting sensitive attendee info on their Facebook page (which Facebook has the right to distribute as they see fit) or you are storing meetings data in a poorly protected, non-compliant server farm, you will ultimately be held responsible when that data is breached. Strategy: Spend a few minutes evaluating your business’s use of cloud computing by asking these questions: Do you understand the cloud service provider’s privacy policy (e.g. that the government reserves the right to subpoena your Gmails for use in a court of law)? Do you agree to transfer ownership or control of rights in any way when you accept the provider’s terms of service (which you do every time you log into the service)? What happens if the cloud provider (Salesforce.com, Google Apps) goes out of business or is bought out? Is your data stored locally, or in another country that would be interested in stealing your secrets (China, Iran, Russia)? Are you violating any compliance laws by hosting customer data on servers that you don’t own, and ultimately, don’t control?

This is a very quick overview of some of the risks that I see as most pressing for meeting professionals. Here’s the good news… your espionage and data theft countermeasures don’t need to be sophisticated or expensive to be effective. Targeting the hotspots above is a savvy, incremental way to keep spies out of your agency. But it won’t start working until you do.

John Sileo speaks professionally on identity theft, social media exposure and online reputation and is the award-winning author of the newly released Privacy Means Profit. His clients include the Department of Defense, the FDIC, FTC, Pfizer and the Federal Reserve Bank. Learn more about bringing him in to motivate your organization to better protect information assets and develop information leaders.

 

13 Data Security Tips for Meeting Professionals – SGMP

I just finished delivering a keynote speech for the Society of Government Meeting Professionals (SGMP) at their annual convention on identity theft and protecting data in the meetings industry. Data security is a top concern in this industry because it is probably one of the most highly-targeted groups for identity theft, social media fraud, data breach and social engineering. Here’s why:

  1. Meeting professionals collect, store and transmit massive amounts of private data on attendees
  2. Data theft risk skyrockets when travel is involved, which is a frequent occurrence for meeting planners and professionals
  3. Meeting professionals are busy nearly 24 hours a day once they are onsite for the conference or meeting, meaning that they are highly distracted
  4. A single data breach of attendee data can put the organization responsible for the event out of business due to excessive costs and tight compliance regulations
  5. Conferences are generally collections of highly professional, highly valuable attendees who travel with laptops, sensitive intellectual property, smartphones, unsecured WiFi connections, etc.

Meeting professionals have enormous responsibilities throughout every stage of the planning process. Identity thieves target conferences because of the sheer quantity and value of data circulating around these events. Protecting sensitive attendee data before, during and after the event has become not only a nicety, but a necessity. Data stolen during the planning, execution or clean-up phases of your event can hamstring your organization with financial liabilities and a public relations nightmare. Start by taking these steps:

Meeting Security Before the Event

  • Secure Your Online Reservation System. If you are going to use online registration, invest in a system that delivers not only efficiency, but security. It is your legal, financial and ethical responsibility to protect your attendees’ personal information. Don’t try to do it all yourself. Hire a reputable technology provider to ensure that your data is protected behind firewalls, encryption, passwords, updated operating systems, security software and safe wireless.
  • Educate Attendees. Before they ever begin their travels, attendees should read through a quick 2-minute tip sheet on how to protect themselves while going to a conference. Simply making them aware of some of the risks that exist traveling (laptop theft, unprotected WiFi, smartphone hijacking, etc.) will cause them to pay greater attention on-site.
  • Minimize Data Collection. Collect only the data that you absolutely need and destroy it as soon as you are finished. Once you have processed credit cards, purge that information from your system. The quicker that you properly dispose of sensitive data, the lower your risk and liability.
  • Minimize Physical Files. Take as few physical files with you to the event (attendee lists, etc.) as these are easily misplaced when traveling and distracted. The more that you can keep behind a password protected, encrypted computer, the better.

Meeting Security Traveling to the Event

  • Protect Your Laptop. Almost 50% of serious corporate data theft occurs because a laptop computer is stolen. In addition to the standard forms of protection (passwords, encryption, anti-virus, etc.), carry as little data on your laptop as possible. And never leave the laptop unattended unless it is locked in your hotel room safe. Identity thieves target business travelers because they are generally rushed, distracted and carrying valuable data.
  • Think Twice about Free Wi-Fi. It is very convenient (and dangerous) to use a free wireless connection to the Internet provided by an airport, café or hotel. Unfortunately, it is nearly impossible to distinguish if you are on a safe network or one that allows thieves to pirate your information. Unless you are absolutely sure about the security in place, refrain from sending any sensitive material over a wireless connection that your IT department hasn’t configured or approved.

Meeting Security Onsite

  • Educate Attendees. Make frequent announcements at the start of each segment of your programming to remind attendees that they should not leave purses, laptops or files unattended. In addition, warn them to take care of their belongings in pre-conference material and encourage them to leave as much sensitive data at home or in the office as possible.
  • Room Monitors. Have room monitors that check badges as attendees are entering the room and that monitor purses and laptops that are left in the room during breaks (even if you warn people, some will still leave items). Make sure that you announce that room monitors are watching so that you let any would-be opportunists know that someone is watching. Just this one piece of information should discourage theft.
  • Control Digital Access. Make sure that only authorized users can access your onsite registration system. Don’t leave laptops or registration lists unattended, as they are a goldmine of sensitive data. Make sure you are using a VPN and secure wireless connection to connect back to your office or database server. Deactivate your USB drives so that data cannot be easily copied onto a USB thumb drive when you aren’t looking.
  • Provide Secure WiFi for Attendees. Setup secure WiFi (requiring a password) for your staff and attendees so that they are not broadcasting their private information over an unprotected network (which they are doing anytime they use a free hotspot without a password). Make sure that your contact onsite understands your security needs and concerns. That is part of the service they are providing.
  • Control Physical Access. Use a system of photo ID badges and room monitors to make sure that only authorized attendees have access to highly sensitive areas. You don’t want your biggest competitor to gain access to the meeting where you reveal next year’s strategy.
  • Shred Unneeded Documents. If you no longer need registration information on an attendee, shred it immediately. Every hotel or conference center should have shredders onsite that you are able to utilize. If they don’t, you might ask yourself how well they are protecting your data.

Meeting Security After the Event

  • Destroy the Evidence. When the conference or meeting is over, shred any remaining physical documents you no longer need. Purge digital files from your systems, especially those containing credit card or Social Security numbers. The less you keep on hand, the lower your changes of theft.

Above all, don’t forget to educate your staff and attendees on the risks of data theft while attending a conference. Higher levels of awareness drastically reduce the incidents of attendee identity theft and corporate espionage.

John Sileo is the award-winning author of Privacy Means Profit and America’s leading speaker on identity theft prevention, social media exposure, online reputation management and information leadership. Learn more about his keynote speeches on a variety of topics or call directly on 1.800.258.8076.

 

How to Hide Yourself on Facebook (Hide on Facebook)

While delivering an internet privacy keynote presentation for a large organization that was very interested in best practices for business, I was asked a very interesting question:

Can I use Facebook to log in to other sites and to keep track of friends without allowing the social network to share my information the other direction?

In reality, it’s difficult to just up and quit Facebook completely, but it’s not that difficult to hide on Facebook. Many users want to mine the social network like the proverbial fly on the wall. They want to watch what is going on in other people’s lives without them seeing or commenting on what is going on in yours. You might use your Facebook login credentials to centralize access to other sites (e.g., log in to Twitter with your Facebook credentials). Or you may want to keep it open so that your username isn’t made available to someone else. So how do you drop off of the Facebook radar without completely closing your account? The steps below are the closest approximation we’ve come up with to going underground.

  1. First go to Facebook.com and log in.  Click the padlock symbol containing your “Privacy Shortcuts” in the top-right corner.  You will see three main options, plus a chance to “See More Settings”.
  2. Start with “Who Can See My Stuff?”, which has three subcategories.  Depending on how much you want to hide, you can select Friends or Only Me or even customize it to very specific groups.  Change by clicking on the tab next to your current setting.  This section also allows you to review old posts and things you’re tagged in and to see how others view your timeline based on the privileges you’ve set. The more items you restrict to Only Me, the less visible you become to the outside world. Please realize that Facebook reserves the right to publish certain items about you no matter how tightly you restrict your settings. Visit their Data Use Policy for details.
  3. The second category is “Who can contact me?”  You can choose basic filtering (which Facebook recommends, but won’t keep your profile very private) or strict filtering.  Here is where you also select who can send you friend requests (everyone or friends of friends).
  4. The final category is “How do I stop someone from bothering me?”  (This is the infamous “unfriend” section.)  This gives you an option to put in a specific name or email address.  This will prevent them from writing to you or from seeing anything you post.
  5. When you click on “See more settings”, you will notice some duplicate sections.  The important area here is the last one, “Who can look me up?”  It allows you to choose who can contact you with your email or phone number as well as allowing search engines to link to your timeline.

That should do it to hide on Facebook in most situations.  Remember, this is a social network, so to some degree, you will always be sharing your information with someone. To get even more in depth in creating your privacy settings, click on the arrow pointing down in the top right hand corner of your page and select “Settings”.  From here you can review everything from timelines and tagging to management of apps.  It’s fairly user friendly; just click on a category and then the bolded words or “edit” options and you’ll get a complete explanation of your options with clear-cut directions.

If you really do want to delete your Facebook account completely, here’s how.

Internet Privacy Expert John Sileo Demonstrates Why Most Keynotes Fail: Boredom

[youtube https://www.youtube.com/watch?v=VgwQPhpRPd0&rel=0]

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael RayAnderson Cooper & Fox Business. Contact him directly on 800.258.8076.

How To Control Your Privacy Online

Identity theft is all about control. Who has control over your personal and financial information? Is it you, or the criminal on the other end of your computer using your information to apply for a credit card?  Losing control of your personal information can be all too easy online. But by taking some precautions, you can maintain privacy while safely surfing the internet.

Here are 5 tips to protect your privacy online:

1. Adjust social-network privacy settings

Facebook has been working to simplify their privacy settings, but they can still be confusing to the average users. Spend about 10 minutes a month making sure that your privacy settings are what they should be and are actually protecting your privacy.

To get there, log in to Facebook, in the top right of your screen it should say “Account” when you scroll over or click on that tab you can see you Privacy Settings. Click here for a step by step process of how to adjust your privacy settings.

Twitter, another popular social network, also lets you lock your account from public view. In settings, there’s a feature called “protect my tweets.” They have had breaches before, so it is always good to take every precaution you can to protect your information.

2. Frequently Change Passwords

It is good to rotate passwords on sites you use often. Especially sites that hold your financial information. Every 6 months or so you should change your passwords just in case someone has access to your online profile. A good way to keep track of these passwords is with a password keeper such as 1password. This way you can store your passwords to all sites in one place and use a master password to gain access.

3. Opt-out of ad tracking

Online ad networks often install a small file on the computers of people who visit certain websites. These so-called cookies can log your surfing habits, allowing advertisers to tailor ads to your interests.

If you are trying to keep some online privacy then you should opt out. In the settings panel of your web browser make sure that disable cookies from third party websites. Most advertising companies use this information to directly target you with ads of products that you use. They know what items you purchase because they see where you go on line and keep a record.

4. Use a secure Internet Connection

Don’t browse private sites and look at personal or financial information while on a public wifi connection. Never shop online at your local coffee shop because you never know who may be spying on you with that very same open internet connection. If you are making an online purchase, looking at your online banking, emailing a personal story or photo, ONLY do so on a secure password protected internet connection.

5. Think before you post

While this may seem like an obvious suggestion, many people don’t do it. Posting that you are at your local watering hole at 3pm on a Thursday after you called in sick could get you in more trouble than you planned on. Uploading an embarrassing photo of yourself may cost you a future job. I know of a company that didn’t hire a candidate for a position because when they checked out her Facebook profile her status was “I just need a job – ANY Job!”. That made her less appealing to hire than other candidates that were less vocal on their pages.

Use your brain. Posts are public, permanent and exploitable.

To learn more and begin to build your own good privacy habits order your copy of my latest book Privacy Means Profit Today!

Wiley & Sons has just announced my latest book, Privacy Means Profit, will be available in stores and online August 9, 2010.  This book builds a bridge between good personal privacy habits (protect your wallet, online banking, trash, etc.) with the skills and motivation to protect workplace data (bulletproof your laptop, server, hiring policies, etc.).

Click Here for More Information

Facebook Reveals the End of Your Privacy | Sileo

The many changes that Facebook has been making recently have users nervous. Nervous because they are lacking the control that they once had over their privacy on the social networking site. While Facebook has never been the mecca of privacy, the recent and swift changes they are making has created more of an issue for users. One by one they are voicing their concerns with the new features and why they feel Facebook is slowly revealing the end of your privacy.

Facebook and privacy issues go hand in hand.

Here are a few of the new features; although they are snazzy, they have many users concerned.

User IDs 

With only your email address on hand, data miners can easily match it with the new user ID that has been issued to you. Basically, the ID provides your name and profile picture no matter how your privacy settings are set. This can also include your hometown, photos, friends, and more depending on how strict your settings are. This gives companies the ability to advertise to you. If you are a young female living in Austin, Texas, there are literally thousands of products that can be marketed to you just using that information alone.

Face Match or Tag Suggestions

When you are uploading photos to Facebook (as shown above), they will make “tag suggestions” of who should be tagged in your photo album. In other words, Facebook has the ability to know what you look like. This feature will be gradually rolled out over the next few weeks. In order to disable your “tagability”, you need to adjust your privacy settings. Just click ‘Customize Settings’ and de-select ‘Suggest photos of me to friends.’ Your name will no longer be suggested in photo tags, though friends can still tag you manually.

Switch Account

In a recent and unintentional Facebook leak, many users reported seeing a switch account tab. This feature gives you the ability to go back and forth between different accounts without having to log in and out. While this is easy for people who are administrators for certain pages, it is a privacy issue for users who want to have many pages in order to play out a scam.

Facebook Privacy Concerns

Facebook was built on the idea that users connect and share personal information with each other. It is up to the users to decide how much and to whom. The more you share, the stronger Facebook becomes and the easier it is to share that information with friends, strangers and advertisers.

While Facebook is consistently rolling out more features, users are having to update their privacy settings.  With so much personal information sharing, the real cost to our privacy is still unknown.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

[youtube https://www.youtube.com/watch?v=VgwQPhpRPd0&rel=0]

Cyber-Bullying and Social Networking Identity Theft

With the meteoric rise in cyber-bullying, parents are desperate to find a way to shield their children. Unfortunately, most parents are far behind their child’s proficiency with technology. Many don’t text, aren’t on Facebook, and are oblivious to the many ways in which kids can taunt each other with technological ease. Although children may be quick and nimble with technology, they lack the maturity to understand its consequences.

A recent article in the New York Times on Digital Bullying (read the MSN version here) addressed these very issues and gave true and heart-wrenching accounts of how parents were left helpless at the hands of their children’s online bullies. “I’m not seeing signs that parents are getting more savvy with technology,” said Russell A. Sabella, former president of the American School Counselor Association. “They’re not taking the time and effort to educate themselves, and as a result, they’ve made it another responsibility for schools.”

Kids have a great deal of anonymity on the internet if they want it, and can easily impersonate another child or steal their identity. This modified form of identity theft (character theft, I tend to call it), allows the bully to hide behind his or her computer with no real consequences for what they are saying. A scathing remark made in passing by one child can haunt another child for the rest of their lives.

In a recent case, a young boy was taunted at school by classmates that claimed he was in turn bullying them on Facebook. He quickly became socially withdrawn until his mother looked on Facebook to see that someone with his name and picture was in fact taunting other students online. Except, of course, that it wasn’t him. Some fellow classmates had stolen his Social Networking Identity and set up a false Facebook account as if they were him. The bullies then berated other kids, attracting negative attention to the victim. The victim’s mother found out that it’s not so easy to stop this cycle.

For one thing, Facebook doesn’t make it easy to reclaim one’s identity. In the previous case, the mother had to contact police, who went through a process to subpoena both Facebook and the internet service provide to uncover the bullies’ identities. Only then were they able to shut down the account, but the damage to the victims reputation had already been done.

Some parents prefer to resolve the issue privately, by contacting the bully’s family. Although psychologists do not recommend that approach with schoolyard bullying, with cyber-bullying, a parent’s proof of cruel online exchanges can change that difficult conversation. So what do you say?

Approaching another parent can be awkward. Most parents see their children’s actions as a direct reflection of their ability to raise their child. This means they can easily become defensive and almost submissive of the actions. As quoted in the Times article, experts recommend you follow a script like:

“I need to show you what your son typed to my daughter online. He may have meant it as a joke. But my daughter was really devastated. A lot of kids type things online that they would never dream of saying in person. And it can all be easily misinterpreted.”

In most situations, the reporting parents should be willing to acknowledge that their child may have played a role in the dispute. To ease tension, suggests Dr. Englander, an expert on aggression reduction, offer the cyber-bully’s parent a face-saving explanation (like that it was probably meant as a joke). If they are willing to accept what happened, they are more likely to take action.

Parents need to be mindful that their children might be victims of cyber-bullying, and they need to be just as aware that their kids might be the cyber-bullies. Here are some steps to get you started down the right track with your kids:

  • Have short, frequent coversations over dinner about what it means to be cyber bullied
  • Establish a no-tolerance stance on your child bullying anyone, in person or on line
  • Friend your child and if possible, your child’s friends to keep tabs on the dialogue taking place. Let them know that you are interested and observant by communicating with them using social networking. If you are more fond of the stick approach, post a sticky note on your monitor (like another parent in the article did) that says “Don’t Forget That Mom Sees Everything You Do Online.”
  • Be open and honest with your child. Communicate the real issues of cyber-bullying and how in some cases this leads to very negative consequences, like suicide
  • Encourage your children to talk with you if they have any concerns about their online life
  • For more answers and background on keeping yourself and your kids safe, take a look at the Facebook Safety Survival Guide below.

Facebook Safety Survival Guide
Includes the Parents’ Guide to Online Safety

This Survival Guide is an evolving document that I started writing for my young daughters and my employees, and is an attempt to give you a snapshot of some of the safety and privacy issues as they exist right now.

Social networking, texting, instant messaging, video messaging, blogging – these are all amazing tools that our kids and employees use natively, as part of their everyday lives. In fact, they probably understand social networking better than most adults and executives. But they don’t necessarily have the life experiences to recognize the risks.

I’d like to make their online vigilance and discretion just as native, so that they learn to protect the personal information they put on the web before it becomes a problem. Social networking is immensely powerful and is here for the long run, but we must learn to harness and control it.

Identity Theft Expert John Sileo on 60 Minutes


Achilles, an ancient Greek superhero — half human, half god — was in the business of war. His only human quality (and therefore his only exploitable weakness) was his heel, which when pierced by a Trojan arrow brought Achilles to the ground, defeated. From this Greek myth, the Achilles’ Heel has come to symbolize a deadly weakness in spite of overall strength; a weakness that can potentially lead to downfall. As I formulated my thoughts in regard to New Zealand, I realized that the same weaknesses are almost universal — applying equally well to nations, corporations and individuals.During a recent 60 Minutes interview, I was asked off camera to name the Achilles’ heel of an entire country’s data security perspective; what exactly were the country’s greatest weaknesses. The country happened to be New Zealand, a forward-thinking nation smart enough to take preventative steps to avoid the identity theft problems we face in the States. The question was revealing, as was the metaphor they applied to the discussion.

For starters, let’s assume your business is strong, maybe even profitable in these tough economic times. In the spirit of Sun Tzu and The Art of War, you’ve dug in your forces, preparing for a lengthy battle: you’ve reduced costs, maximized your workforce, and focused on your most profitable strategies. As your competitors suffocate under market pressure, you breathe stronger as a result of the exercise. But like Achilles, your survival through adversity blinds you and even conditions you to ignore pending threats. You begin to think that your overall strength translates into an absence of weaknesses; and in general, you might be right. But Achilles didn’t die because of his overall strength, which was significant; he died because he ignored critical details. What details are you and your company ignoring?

Information, like Achilles himself, is power. And maintaining control and ownership of your information is quite possibly the most threatening Achilles’ heel any data-reliant business faces. Companies that don’t actively take control of their data are prime targets for identity theft, social engineering, data breach, corporate espionage, and social media exploitation. Regardless of your title, you have a great deal to learn from Achilles’ mistakes, and a significant opportunity to protect your own corporate heel.

Achilles 3 Fatal Mistakes and How to Avoid Them

Admit Your Vulnerabilities. Achilles forgot that he was human, failing to take inventory of his weakness in spite of superior strength. Though his faults were limited — a small tendon at the base of his foot — his failure to protect himself in the right spots proved fatal. When protecting data, it is imperative to understand that your greatest vulnerabilities lie with the people inside of your company. No matter how secure your computer systems, no matter how much physical security you deploy, humans will always be your weakest link. The more technological security you implement, the quicker data thieves will be to attempt to socially engineer those inside your company (or pose as an insider) to capture your data. Admitting vulnerabilities doesn’t have to be a public, embarrassing act. It can be as simple as a quiet conversation with yourself and key players about where your business is ignoring risk.

The three greatest human vulnerabilities tend to be: 1. Unawareness of the risks posed by data loss, 2. Lack of emotional connection to the importance of data privacy (personally in professionally) and it’s affect on profitability, and 3. Misunderstanding that in a world where information is power, it’s no longer about whom you trust, but how you trust. These symptoms suggest that your privacy training has either been non-existent or dry, overly technical, policy related and lacking a strong “what’s-in-it-for-me” link between the individuals in your organization and the data they protect every day.

If this is true inside of your business, rethink your training from this perspective: Your audience members (employees) are individuals with their own identity concerns, not just assets of the company who can be forced to follow a privacy policy that they don’t even pretend to understand. By tapping into their personal vulnerabilities regarding private information (protecting their own Social Security Number, etc.), you can develop a framework and a language for training them to protect sensitive corporate information. Like in martial arts, where you channel your opponent’s energy to your favor, use your employee’s humanness to your advantage. Pinpoint these vulnerabilities and shine the light of education on them.

Fight Prevention Paralysis. One of the most unfortunate and destructive character traits among humans is our hesitation to prevent problems. It is human nature to invest time to prevent tragedy only after we’ve experienced the pain that results from inaction. We hop on the treadmill and order from the healthy menu only after our heart screams for attention. We install a home security system only after we’ve been robbed. Pain motivates action, but the damage is usually done. You can bet that had he the chance to do it all over again, Achilles would slap a piece of armor around his heel (just like TJMAXX would encrypt their wireless networks and AT&T would secure their iPad data).

Prevention doesn’t get the proper attention because its connection to the bottom line is initially harder to see. You are, in essence, eliminating a cost to your business that doesn’t yet exist (the costs of a future data breach: restoring and monitoring customer credit, brand damage, stock depreciation, legal costs, etc.). This seems counterintuitive when you could be eliminating costs that already exist. But here is the flaw in that method of thinking: the cost of prevention is a tiny fraction of the cost of recovery. When you prevent disaster, you get a huge return on your investment (should a breach ever occur). Statistics say that a breach will occur inside of your organization, which means that by failing to invest in prevention you are consciously denying your organization a highly profitable investment. Why would you insure your business against low percentage risks (fire), but turn the other way when confronted with a risk that has already affected 80% of businesses (data breach) and has an almost guaranteed double digit ROI? It is your responsibility to demonstrate how the numbers work; spend small amounts of money preventing, or vast sums of time and money recovering.

Harden the Riskiest Targets. Once you have admitted to and cataloged your vulnerabilities and allocated the resources to protect them, it is time to focus on those solutions with the greatest return on your investment. A constant problem in business is knowing how to see clearly through information overexposure and pick the right projects. Just think of how much stronger Achilles would have been had he placed armor over his heel (which was human) rather than his chest (which was immortal). There is no financially responsible way to lower your risk to zero, so you have to make the right choices. Most businesses will gain the greatest security by focusing on the following targets first:

  1. Bulletproof Your People. Most fraud is still committed the old fashioned way – by manipulating trusting, unsuspecting people inside of your organization. Train your people for what they are: the first line of defense against fraud. Begin by preventing identity theft among your staff and then bridge this personal knowledge into the world of professional data privacy.
  2. Protect Your Mobile Data. Laptops, smart phones and portable drives are the most common sources of severe data theft. The solution to this very powerful and ubiquitous form of computing is a quilt-work of security including password strengthening, data transport limitations,  access-level privileges, whole disk and wireless encryption, VPN and firewall configuration, physical locking and human decision making (e.g., don’t leave it unattended the next time you get coffee at your corporate conference).
  3. Prevent Insider Theft: Perform thorough background checks, reference verification and personality assessment to weed out dishonest employees before they join your organization. Implement an ongoing “honesty meter” for your employees that ensures they haven’t picked up bad or illegal habits since joining your company.
  4. Classify Your Data. Develop a system of classification that includes public, internal, confidential and top secret levels, along with secure destruction and storage guidelines.
  5. Anticipate the Clouds. Cloud computing (when you store your data on other people’s servers), is quickly becoming a major threat to the security of organizational data. Whether an employee is posting sensitive corporate info on their Facebook page (which Facebook has the right to distribute as they see fit) or you are storing customer data in a poorly protected, non-compliant server farm, you will ultimately be held responsible when that data is breached. You must be aware of who owns that data, today and in the future, when your storage company is bought out or goes bankrupt.

We have much to learn from the foresight of New Zealand; they are an excellent example of how organizations should defend their Achilles’ heel. To begin with, they have begun to acknowledge their vulnerabilities in advance of the problem (in fact, their chief vulnerability is that dangerous form of innocence that comes from having very few data theft issues, so far). In addition, they are taking steps to proactively prevent the expansion of identity theft and data breach in their domain (as evidenced by the corresponding educational story on 60 Minutes). Finally, they are targeting solutions that cost less and deliver more value. I was in New Zealand to instruct them on data security. Ironically, I gained as much knowledge on my area of expertise from them as I believe they did from me.

John Sileo speaks professionally on identity theft, data breach and social networking safety. His clients include the Department of Defense, the FDIC, FTC, Pfizer and the Federal Reserve Bank. Learn more about bringing him in to motivate your organization to better protect information assets.

Google Maps Street View: Removing Your House

https://vimeo.com/248003552′ format=’16-9′ width=’16’ height=’9′ av_uid=’av-2aeoki’

According to Google CEO Eric Schmidt, if you are looking for more privacy, then you should move.

His callous remark came during a discussion on Google Maps Street View cars, which were found to be illegally collecting e-mails, passwords and surfing habits while photographing your neighborhood. Appearing on CNN’s Parker Spitzer a week ago, Schmidt made a bold statement that was eventually edited out of the broadcast. He said that said individuals who did not want the Street View cars to snap photos of their homes should “just move.” Schmidt then told The Hollywood Reporter, “As you can see from the unedited interview, my comments were made during a fairly long back and forth on privacy. I clearly misspoke. If you are worried about Street View and want your house removed please contact Google and we will remove it.” You can have your house removed from Google Maps Street View. Here’s how (see video):

  1. Go to www.google.com/maps
  2. Locate your house by typing its address into the search box and pressing Enter.
  3. Click on the small picture of your house that says Street View.
  4. Adjust Google Maps Street View by clicking the left and right arrows on the Street View image until you see your house.
  5. Click the Report a Problem link at the bottom-right corner of the Street View image or, depending on the device you are using, clic k on the three dots in the upper right-hand corner.
  6.  It will take you to a page to Report Inappropriate Street View.  Here you can ask to have any number of things blurred, including the picture of your house.
  7.  You will need to provide your email address and submit a CAPTCHA.

An investigation into Google’s accidental practice of collecting identity information has been opened in France, Germany,  Spain, as well as in the U.S. Google claims that it will delete the sensitive information as soon as possible, but in the meantime, victims remain helpless. John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076. [youtube https://www.youtube.com/watch?v=VgwQPhpRPd0&rel=0]

Geotag, You’re It! Disabling GPS Coordinates

Geotagging allows others to track your location even though you don’t know it.

With the increased use of Internet-enabled mobile devices such as the Blackberry, Droid and iPhone, geotagging has seen a huge increase in popularity. When social media users take a picture or video and upload it to their page, they are probably transmitting far more data than they think. With the ability to quickly add GPS information to media, smartphones make geotagging a simple task.

So What is Geotagging?

Simply, geotagging is where location or geographical information, such as your GPS coordinates, are added and embedded to different types of media (.jpg, .mov files, etc.). Invisible to the naked eye and the casual observer, geotags are part of the meta-data, or underlying data about the data, that accompanies each file. Examples of meta-data include when the file was created or modified, by whom, using what device and software. This data is often loaded on to your computer along with the original file.  Browser plug-ins and certain software programs can reveal the location information to anyone who wants to see it.

Twittervision makes great use of geotagging. Twittervision is a web mashup combining Twitter with Google Maps to create a real time display of tweets across a map (see photo above).  It also has a 3D mode that displays a globe of the Earth which spins to pinpoint arriving messages from Twitter.

So, who would want to know where you are?

While most of the uses are not fully apparent yet, your real-time location can reveal your home address, work address, places you visit often and at what time of day. It can reveal if you go to the doctor, a lawyer, a court date, or any other type of private meeting. Geotags make it very easy for friends, relatives, bosses, spouses, parents, enemies, law enforcement, stalkers, and thieves to know exactly where you are.

Telling everyone on your Facebook status that you are out for the evening can invite burglars; geotagging can do the same without you updating your status in any way.  By taking a picture at the Barry Manilow concert and uploading it to your twitter account, you are broadcasting the fact that you are probably over 40, away from home and, thanks to the geotag, exactly how far away you are.

If you’ve never seen Minority Report with Tom Cruise (where ads are served up to you on giant screens based on biometrics and your current location as you walk through the city ), it’s worth your time. Of course the movie exaggerates reality, that is one of the hallmarks of science fiction. But it does so in order to make you think about the possibilities and future realities. And that is exactly what corporations are doing. Using geotags that you upload into social networks (photos, videos, check-ins), they can see that you enjoy Starbucks and live in a certain neighborhood, so they may purchase a billboard in the area or more likely, target an ad to you on your Facebook wall. Although this can seem harmless, it will eventually raise larger concerns on consumer privacy.

In this fast paced electronic world, more and more people are using smartphones and therefore we can expect an increased use of geotags in the future. The problem with geotagging is that since it is not visible to the naked eye, most people don’t even realize they are sharing their location data. So what if you don’t want to transmit your location data?

Keeping location data private can be difficult, but here are some places to start:

  • Understand that anytime you take a picture, video or post an update from a networked device (somehow connected to the internet), your location is probably being appended to the file, even though it is hidden from you. As with all things technological, there are advantages and disadvantages to all features. Location based services also allow you to use handy tools like maps; give you Big Brother-like power in tracking your kids’ whereabouts, and allow thieves to burgle you when no one is home using tools like Foursquare and Facebook Places.
  • Disable geotagging application by application on your iPhone 4. In your phone, go to Settings, General, Location Services. Here you can set which applications can access your GPS coordinates, or disable the feature entirely (which could cause you problems using maps, restaurant finders, etc.)
  • Disable geotagging for photos on your BlackBerry. Go into picture-taking mode (HomeScreen, click the Camera icon), press the Menu button and choose “Options”. Set the “Geotagging” setting to “Disabled”. Finally, save the updated settings.
  • Disable geotagging for photos on your Droid. Start the Camera app (this is the menu on the left side of the camera application; it slides out from left to right). Select “Store Location” and make sure it is set to “Off”.
  • Although Facebook does remove geotags from uploaded photos, other social networking sites do not. Look into your privacy settings and turn off location sharing. As mentioned above, you can generally turn this feature off in your camera or phone as well.
  • Take particular care if you are uploading photos to a website where strangers will see them — such as Craigslist or Ebay.
  • Consider installing a plug-in on your browser to reveal location data – such as Exif Viewer for Firefox or Opanda IExif for Internet Explorer, so you can see geotagged data for yourself.
  • Take the time to stay informed about geotagging and other types of new technologies. By knowing what is out there, you can ensure the next photo or piece of media you upload won’t share your location with the World Wide Web.

John Sileo speaks professionally about social media exposure, identity theft and cyber crime for the Department of Defense, Fortune 1000 companies and any organization that wants to protect the profitability of their private information. Contact him directly on 800.258.8076 or visit his speaker’s website at www.ThinkLikeASpy.com.