Posts

15 Data Security Tips to Protect Your Small Business

Thanks to SmallBusinessComputing.com and Jennifer Schiff for this article!

In August 2010, the Privacy Rights Clearinghouse published its latest Chronology of Data Breaches, which showed that since 2005 more than a half-billion sensitive records have been breached. Of those breached records — which contained such sensitive data as customer credit card or social security numbers — approximately one-fifth came from retailers, merchants and other types of non-financial, non-insurance-related businesses, the majority of which were small to midsized.

An equally scary statistic: approximately 80 percent of small businesses that experience a data breach go bankrupt or suffer severe financial losses within two years of a security breach, according to John Sileo, a professional identity theft consultant and speaker, who knows firsthand about the havoc a security breach can wreak on a small business.

What can a small business owner do to protect her business from a security breach? Small Business Computing spoke with two security and privacy experts and consulted the leading security and privacy sites to find out. The good news: protecting your business from a data security threat is easier than you think. It’s also much cheaper than the physical, financial and emotional cost of repairing one.

Click Here to Continue Reading……

John Sileo speaks professionally about social media exposure, identity theft and cyber crime for the Department of Defense, Fortune 1000 companies and any organization that wants to protect the profitability of their private information. Contact him directly on 800.258.8076 or visit his financial speaker’s website.

Identity Theft's Latest Victim? Your Business.

Latest Identity Theft Trend is Stealing Your Business’s Identity to Falsify Accounts

In the past two weeks, I have been contacted separately by two local business owners to share how their business identity has been stolen and used to set up accounts with various companies on which thousands of dollars are charged and they (the actual owners) are left to pay the bills. There are no identity theft statistics on this type of crime, but I am certain that it is just coming onto the trend radar. In further proof that this is becoming a major problem for corporations, the Denver Post ran an article this morning titled “Corporate ID Thieves Mining the Store“.

Here’s how this incredibly easy form of business identity theft works:

  1. A thief scours the internet for your company information (Facebook is usually a good place to start, as is your local Secretary of State’s website). They are particularly interested in bids for government contracts, as they often contain a sample of your letterhead as well as your pertinent business information. If they can obtain the Federal ID# of your businesses, they have even more ammo to defraud you.
  2. Business name in hand, the thief logs on to your local Secretary of State’s website (the agency generally responsible for registering corporations and maintaining databases on corporations) and pays a small fee ($10) to alter the name of a corporate officer or the address of a company’s registered agent on public records. I would imagine that they generally register an identity stolen from another individual in order to cover their tracks further. In most states, there is no password to protect your official business filings from unauthorized users and changes. In Colorado, according to the Denver Post article mentioned above, officials say that “putting password protection on corporate data — where only a business owner or representative can make changes — is prohibitively expensive.”

    “In other words, the State of Colorado provides less protection for your corporate data than the average online dating service.”

  3. Now that the imposter is a “corporate officer” of your business with full authority to act on behalf of your corporation, the thief applies for a credit account in your business’s name, generally at a large national retailer (Home Depot, Lowes, AT&T, Sprint and Verizon see to be the top choices). If necessary, they use your poached letterhead to facilitate the process of setting up the account.
  4. The retailer, before extending credit, verifies with Dun & Bradstreet that you are in fact an official officer of the corporation. And where does Dun & Bradstreet get its information about your business? From the Secretary of State’s office, the very source of your illegally modified information. In other words, all parties in the process are relying upon falsified source data that remains unprotected on government websites.
  5. Using the newly established business account with terms (i.e., the thief doesn’t have to pay for what they buy, it is invoiced to the company for payment at a later date), the thief makes large purchase of equipment of services, often worth tens of thousands of dollars.
  6. Equipment in hand, the thief leaves the store never to be seen again. Your business, of course, receives the bill, and begins the arduous, time consuming and expensive process of proving that you never made the purchase, a difficult task given that the account was established by what the retailer considers to be a legitimate officer of your corporation.

Far fetched? Not at all. The problem is compounded by the fact that sales associates at many national retailers receive incentive bonuses for every sale they make. Why wouldn’t they push the sale of 50 mobile phones through the system when they receive a large commission to do so. It’s much easier than selling one handset at a time.

Both actual cases I worked with involved phone companies, and each business owner has struggled desperately to prove that they did not make the purchase and do not owe on the account. In one of the cases, the business in question already had an account established with the phone company – same company name, address, phone number, etc. – and the phone company failed to ask any questions as to why they would want a second account. In many of the cases, the thieves use the same stolen business identity over and over again in different cities (rarely do they even shop in your actual city), causing the owner untold hours of time repairing their damaged Dun & Bradstreet ratings, fighting with collection agencies and sitting on hold trying to explain to large corporations that don’t have any incentive to believe what you are saying.

In a spiraling economy, taking your eye off the ball can mean you lose the game. In the meantime, you can take these steps to being affecting change and protecting your valuable business data:

  1. Contact your local Secretary of State’s Office and encourage them to resolve the issue as quickly as possible. You just might be the first person to let them know that this problem exists. At minimum, ask them to begin protecting your corporate data with a password that only the verified and legitimate corporate officers of your corporation can access.
  2. Review your corporate filing with the Secretary of State’s Office regularly to make sure that there is no altered or false information in their database. If there is, contact them immediately.
  3. While in your corporations’ listing on the Secretary of State’s website, make sure that you set up any security measures they have provided. For example, if they have email alerts anytime your profile changes, make sure you take them up on it and have a current email address in the profile. This will send you an alert anytime someone changes your file.
  4. Monitor your Dun & Bradstreet account regularly to make sure that no liens or encumbrances have been placed on your credit profile. If there is incorrect or unrecognizable data on your report, contact D&B’s fraud department immediately at 1.800.234.3867.
  5. Set up a Google Alert for your corporation’s official name, TIN and any DBAs to monitor unexpected internet activity on behalf of your organization.
  6. If you are a contract-based vendor, include a clause in your contract prohibiting the publication of your TIN/EIN/SSN in any electronic or internet form without your prior written consent.
  7. Protect your TIN, letterhead and company information as if it were currency, because it is.

Check back over the next few days for information on how to recover from this crime if you are a victim.

John Sileo speaks professionally to organizations that wish to avoid the costs associated with identity theft, data breach, social media exposure and insider theft. His satisfied clients include the Department of Defense, Blue Cross Blue Shield, the FDIC, Pfizer and hundreds of corporations of all sizes. Learn more about his entertaining and effective presentations on identity theft, data breach and fraud training or contact him directly on 800.258.8076.

Business Identity Theft Radio Interview, Part II

John recently did a second radio interview on business identity theft for New Construction Strategies hosted by Ted Garrison. The construction industry, like most industries, battles with data theft on a daily basis. Insider theft, cyber crimes, social networking exposure – these are just a few of the areas that businesses need to defend against in the information economy. Listen to the interview to learn more.

“Privacy Means Profit” John Sileo with Ted Garrison

Data breach, identify theft, and corporate espionage can cause huge damage if you don’t stop them upfront because the impact goes right to your bottom line.  “We spend thousands of dollars on our computers but we don’t necessarily put the money into protecting the data that is on them,” reports identity theft expert John Sileo. Listen Sileo explain how this can destroy your company and how to prevent this disaster.

LISTEN NOW

Business Identity Theft Radio Interview, Part I

John recently did a radio interview on business identity theft for New Construction Strategies hosted by Ted Garrison. The construction industry, like most industries, battles with data theft on a daily basis. Insider theft, cyber crimes, social networking exposure – these are just a few of the areas that businesses need to defend against in the information economy. Listen to the interview to learn more.

“DODGING THE HIT FROM IDENTITY THEFT: WHY YOU SHOULD CARE”
John Sileo with Ted Garrison

Data breach, identify theft, and corporate espionage can cause huge damage if you don’t stop them upfront because the impact goes right to your bottom line. Listen to John Sileo, author of Stolen Lives, describe the horrors of not protecting yourself as well as what you must do to protect yourself.

LISTEN NOW


FTC Red Flags Rule: Is Your Business Ready?

FTC Red Flags Rule Goes into Effect June 1st, 2010

The FTC  will begin enforcing the Red Flag Rule on June 1st, which states that certain businesses and creditors must help fight identity theft as well as create an identity theft prevention plan. This applies to a very broad class of businesses: those defined as “financial institutions” and those that extend any type of credit to their customers.

In other words, if you don’t receive cash the moment you deliver your product or service to your customer, your business most likely falls under the umbrella of the Red Flags Rule. If you do any billing after the fact (i.e., accounts receivable), you are considered a creditor, and therefore in the group of companies governed by Red Flags.

This includes:

  • Any Business that Extends Credit
  • All Banks
  • Most Brokerage Firms
  • Credit Card Companies
  • Mortgage Lenders
  • Non Traditional lenders (utilities, dealerships, health care providers)

Building an Identity Theft Prevention Plan

According to the FTC, the identity theft prevention plan consists of four main parts:

  1. Identification: The plan needs to provide a process to identify patterns, activities or transactions (i.e. red flags, hence the name) that appear to be leading to identity theft.
  2. Detection: The plan needs to specifically call out processes and procedures that will be used to detect the previously defined red flags.
  3. Response: The plan needs to include a process of responding to red flags as they are detected.
  4. Revision: The plan should specify the process the organization will use to periodically update sections 1-3 as the threat landscape changes

The plan must cover how your organization will ensure that any company to which you are outsourcing to will be compliant. Every organization’s senior employees or board of directors must approve the initial plan and train the appropriate employees.

The FTC has also identified five main categories that an organization’s Red Flags might fall under. They are:

  1. Alerts, notifications, or warnings from a consumer reporting agency.
  2. Suspicious documents.
  3. Suspicious personally identifying information (PII).
  4. Suspicious activity relating to a covered account.
  5. Notices from customers, victims of identity theft, law enforcement authorities, or other entities about possible identity theft in connection with covered accounts.

As with any new plan or program there will be bumps in the road. The FTC won’t be actively auditing organizations, but it will be investigating on the basis of reported issues, and the costs of being found non-compliant can be staggering.  Since most older and more mature organizations already have an Identity Theft Prevention Program in place, it won’t be a huge change. We have already begun to see a connection between the Red Flags Rule and a decrease in the ease with which identities are stolen out of businesses. Hopefully, this trend will continue.

In the meantime, you should get started on designing and implementing your identity theft prevention plan. For help understanding the process and other privacy issues that your and your business face, attend the Privacy Survival Boot Camp for Small Businesses hosted by John Sileo, America’s Top Identity Theft Expert.

_______________________________________________________________________

Bulletproof Your Business Against Data Breach, Identity Theft, and Corporate Espionage

Join John September 17th in Denver, Colorado for his Privacy Survival Boot Camp for Businesses. You will walk away with the Privacy Best Practices Kit:

  • John Sileo’s latest book, Privacy Means Profit
  • A Sample Privacy Policy to guide you through creating your own
  • Guidelines for establishing Social Networking Best Practices
  • A Mobile Data Protection Checklist for your laptop, smart phone, etc.
  • An Action List for Implementing Red Flags Rule compliance

Seats are going fast so don’t miss this opportunity to learn first-hand how to immediately protect your profits!