Tag Archive for: data security

Cybersecurity Alert: UnitedHealth’s Billion Dollar Data Breach

One in three Americans recently had their healthcare data hacked from UnitedHealth – TWICE. The stolen data likely includes medical and dental records, insurance details, Social Security numbers, email addresses and patient payment information.

UnitedHealth Group’s subsidiary, Change Healthcare (which processes an estimated 50% of all health insurance transactions in the U.S.), fell victim to a ransomware attack that thrust the U.S. healthcare system into chaos as pharmacies, doctor’s offices, hospitals and other medical facilities were forced to move some operations to pen and paper.

Behind the scenes, UnitedHealth Group chose to pay the BlackCat ransomware gang (aka ALPHV) an estimated $22 million in blackmail ransom to restore system functionality and minimize any further leakage of patient data.

Problem (expensively) solved, right? Not even close. After UnitedHealth paid the initial ransom, the company (or quite possibly BlackCat itself being hacked by hackers) reportedly experienced a second attack at the hands of RansomHub, which allegedly stole 4TB of related information, including financial data and healthcare data on active-duty U.S. military personnel.

To take the breach and ransom to an entirely new level, RansomHub is now blackmailing individual companies who have worked with Change Healthcare to keep their portion of the breached data from being exposed publicly. For many small providers, the ransom is far beyond what they can afford, threatening the viability of their business. Some of the larger individual providers being blackmailed are CVS Caremark, MetLife, Davis Vision, Health Net, and Teachers Health Trust.

As of today, even with millions of dollars collected by the hackers, all systems are not up and running.

There are three critical business lessons to take from the UnitedHealth breach:

  1. Ransom payments do not equal the cost of breach. The ransom amount companies pay is a fraction of the total cost of breach. In UnitedHealth’s case, they paid a first ransom of $22 million, but only months into the breach have reported more than $872 million in losses. Operational downtime, stock depreciation, reputational damage, systems disinfection, customer identity monitoring, class action lawsuits, and legal fees will move the needle well beyond $1 billion within the fiscal quarter. Risk instruments like cyber liability insurance can balance the losses, but prevention is far more cost-effective.
  2. There is no honor among thieves. Even when organizations pay the ransom demanded, (and in the rare case that they get their data back fully intact), there is no guarantee that the cybercriminals won’t subsequently expose samples of the data to extort a second ransom. In this case of Double-Dip Ransomware (as I call it), a dispute among partnering ransomware gangs meant that multiple crime rings possessed the same patient data, leaving UnitedHealth open to multiple cases of extortion. Paying the ransom instead of having preventative recovery tools places a larger target on your back for future attacks. If you haven’t implemented AND tested a 3-2-1 data backup plan and a Ransomware Response Plan, do so immediately.
  1. The Human Hypothesis on the Source of Breach. There has been no disclosure to date on exactly how the hackers got into Choice Health’s systems, but my highly educated guess (from seeing so many similar breaches) is that an employee of, or third-party vendor to, UnitedHealth was socially engineered (scammed) to share access into one of their business IT systems. The company will generally report this human oversight and poor training as “compromised credentials” which tries to make it look like a technological failure rather than a human decision. From there, the hackers “island hopped” laterally to increasingly critical servers on the network. It’s likely that the cyber criminals are still inside of key systems, hiding behind sophisticated invisibility cloaks.

The solution here is to make sure that the heroes in your organization, the human employees who are your first and best line of defense, are properly trained on how to detect and repeal the latest social engineering attacks. Over 90% of all successful attacks we see are due to a human decision that leads to malicious access.

All organizations and leadership teams must ensure your Security Awareness Training addresses all the changes that artificial intelligence brings to the cyberthreat sphere. To ignore the alarm bells set off by UnitedHealth Group’s disastrous breach is to risk your organization falling ill to a similar fate.

Anyone in your organization can be the unfortunate catalyst that triggers a disastrous data breach similar to UnitedHealth’s. My latest keynote, Savvy Cybersecurity in a World of Weaponized A.I., teaches the root cause of successful social engineering scams and necessary technological preparation for ransomware attacks. REACH OUT TO MY TEAM TODAY to discuss this vital topic at your next meeting or event.

  1. If you are a patient of UnitedHealth, Change Healthcare, OptumRx or any of their subsidiaries, take the following steps immediately:
  2. Visit the Cyberattack Support Website that UnitedHealth Group established for affected customers.
  3. Make sure that you have a Credit Freeze on your Social Security Number.
  4. If you are an OptumRX customer, call them directly (1-800-356-3477) to make sure that your prescriptions haven’t been affected and that they will ship on time.
  5. Monitor all of your health and financial accounts closely for any changes or transactions. Create automatic account alerts to make this easier.

 

John Sileo is a privacy keynote speaker, award-winning author and media personality as seen all over TV. He keynotes conferences virtually and in person around the world. John is the CEO of The Sileo Group, a business think tank based in Colorado.

Data Breach Expert John Sileo on Fox & Friends – Target Data Breach

Data Breach Expert John Sileo goes on Fox & Friends to discuss the 110 million records breached at Target.

Clean Up Your Online Profile with Fox and Friends

5 Disastrous Decisions that Destroy Small Business – and How to Avoid Them

Interactive Webinar, Sponsored by Deluxe Corporation, Featuring Privacy Expert John Sileo

ST. PAUL, Minn., Oct 04, 2012 (BUSINESS WIRE) — Cyber criminals sabotaged John Sileo’s business – and nearly landed him in jail. Now he’s determined to help small business owners prevent the disastrous mistakes that loom ever-larger in the age of identity theft, mobile computing and social media.

Sileo will share his story – and the lessons he learned – in an hour-long interactive webinar on Tuesday, Oct. 9 at 2 p.m. EST. Titled “5 Disastrous Decisions that Destroy Small Business,” the webinar is sponsored by Deluxe Corporation and designed to provide business owners with simple, actionable tools to help protect their operations and enhance their efficiencies.

To register for the 2 p.m. EST webinar, go to www.deluxe.com/highsecurity.

Sileo is the award-winning author of “Privacy Means Profit,” and has appeared on “60 Minutes” and “Fox and Friends.” He launched his career as a privacy consultant after thieves stole his identity and used it to embezzle nearly a half million dollars from his clients. The security breach destroyed his business and triggered a two-year legal morass.

Now, Sileo is America’s leading professional speaker on identity theft and information control. During the Deluxe’s interactive webinar, he will be joined by Susan Haider, executive director, high security product management, Deluxe Corp.

He will share insights gleaned from years of experience, including details on:

  • How Sileo’s business was destroyed by poor decision-making.
  • Mistakes other small business owners have made and how to avoid them.
  • Concrete, actionable steps you can take to minimize your risk now.Human, physical and digital threats to your business security.
  • Targeting skills you can use to design your plan of attack.We

Following the presentation, participants can get personalized advice from Sileo and Haider during a Q&A session. Participants also will receive a free copy of “Are Tax-time Identity Thieves Targeting Your Small Business? 5 Defense Strategies,” a white paper written by Sileo.

 

About John Sileo John Sileo is an award-winning author and privacy speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. His clients include the Department of Defense, Pfizer, the FDIC and Homeland Security. Watch him on Anderson Cooper, 60 Minutes or Fox Business.

His satisfied clients include the Department of Defense, Blue Cross, Homeland Security, the FDIC, Pfizer, the Federal Trade Commission and corporations, organizations and associations of all sizes.

About Deluxe Corporation Deluxe is a growth engine for small businesses and financial institutions. Over four million small business customers access Deluxe’s wide range of products and services including customized checks and forms as well as website development and hosting, search engine marketing, logo design and business networking. For financial institutions, Deluxe offers industry-leading programs in checks, customer acquisition, regulatory compliance, fraud prevention and profitability. Deluxe is also a leading printer of checks and accessories sold directly to consumers. For more information, visit us at www.deluxe.com , https://www.facebook.com/deluxecorp or https://twitter.com/deluxecorp .

SCAM ALERT: Target Texting Scam

SCAM ALERT! There is a Target texting scam going around. The text looks similar to the one in the picture to the left, and generally says you’ve won a $1,000 gift card if you simply click on the link and collect the money. When you click on the link, it takes you to a Target-looking site that a criminal has set up to collect your private information. The information is then used to steal your identity. In other cases, clicking on the link installs a small piece of malware that takes control of your phone and forwards your private information to the criminals.

 

Where do the criminals get my mobile phone number to text me in the first place?

  1. They purchase it off of black-market sites on the internet
  2. You give your mobile number away to enter contests, vote on reality shows, etc.
  3. You post it on your Facebook profile for everyone to see
  4. Data hijackers hack into databases containing millions of mobile numbers
  5. Most likely, the thieves simply use a computer to automatically generate a text to every potential mobile phone number possible (a computer can make about a million guesses a second).
What can I do to protect myself and my phone?
  • If you receive a text from any number you don’t know, don’t open it, forward it or respond to it
  • Instead, immediately delete the text (or email)
  • If you accidentally click on the link, never fill out a form giving more of your information
  • Place yourself on the national DO NOT CALL list.
  • Stop sharing your mobile phone number except in crucial situations and with trusted contacts
  • Remember when you text to vote or to receive more information, enter sweepstakes or take surveys via text, they are harvesting your phone number.
  • Resist the urge to post your mobile number on your Facebook wall or profile

John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust. He is CEO of The Sileo Group, which helps organizations protect their mission-critical privacy. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation  or watch him on Anderson Cooper, 60 Minutes or Fox Business.

“Clickjacking” and “Likejacking” – Be Aware!

None of us wants to be part of a scam that allows links to be forwarded as if from a friend, invading their privacy and endangering their sensitive  information. It’s not always easy to avoid bad sites but by just being aware of the problem, you can become more adept. The following article is a summary of an original post By Rob Spiegel, E-Commerce Times.

In its on-going effort to mitigate spam activity, Facebook filed a lawsuit against a company that allegedly ran a “likejacking” operation. “We’re hopeful that this kind of pressure will deter large scale spammers and scammers,” said Facebook spokesperson Andrew Noyes. The state of Washington is also applying pressure, having mounted a similar lawsuit against the same company. Both suits were filed citing violation of the CAN-SPAM Act, which prohibits the sending of misleading electronic communications.  Facebook and Washington state filed federal lawsuits on Thursday against Adscend Media for “clickjacking,” a form of spamming that fools users into visiting advertising sites and divulging personal information.


“Likejacking” is similar; victims are tricked into using Facebook’s Like button to spread spam. Users believe links to spam sites are being sent to them by friends, and the advertiser collects money from clients for every user misdirected. A prominent example is the indictment in California of self-proclaimed “spam king” Sanford Wallace in August, Noyes said. “Two years ago, Facebook sued him, and a U.S. court ordered him to pay a (US)$711 million judgment. Now he faces serious jail time for this illegal conduct.” Facebook also secured a $360.5 million judgment against spammer Philip Porembski, said Noyes, which “followed an $873 million spam judgment in 2008 against Adam Guerbuez and Atlantis Blue Capital for sending sleazy messages to our users.” The Guerbuez judgment was the largest award ever under the CAN-SPAM Act, he noted.

Clickjacking is a programming technique that employs a seemingly innocent button to trick users into visiting sites unintentionally. Likejacking is a similar technique that utilizes Facebook’s Like button. The technique is also referred to as “UI redressing.” Clickjacking is “quite well understood,” Roger Kay, founder and principal of Endpoint Technologies, told the E-Commerce Times. “It is used by both legit and illegit programs.” Both clickjacking and likejacking are designed to trick users.

“When someone browsing clicks on a site, the site can execute arbitrary code in the browser,” said Kay. “It can set a cookie, say, for Amazon (Nasdaq: AMZN), or do more nefarious things, like inject malware designed to call other malware later.” Clickjacking has been prevalent for years, and likejacking has become similarly entrenched. Many users of Facebook have likely experienced it in the form of a product-related message that seemed to be from a friend. “The use of the technique is widespread,” said Kay. “Consumers need to use better judgment about which links they click on.”

Links can be forwarded as if from friends, and some come-ons are pitched just right to get around the user’s suspicions he noted.”If you’re the target of a spear phish, then the attack is tailored to you,” said Kay. “So, avoiding bad sites becomes a kind of ninja art everyone must learn.”

 

John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply performance by building a culture of deep trust. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation or watch him on Anderson Cooper60 Minutes or Fox Business1.800.258.8076.

Whose Device – Yours, Mine or Ours?

Carrying multiple personal devices is a pain and, yet, the fear of giving away critical company data is a nightmare.

For most of us, being connected equals being productive. However, this simple equation becomes complex when one has to juggle personal devices with those issued by our employers. Paramount in an employer’s mind is the protection of the company’s critical and confidential business data but they don’t want to alienate employees by being too restrictive on using their personal smartphones and tablets.

Recent research has found that nearly three out of four adults don’t protect their smartphones with security software and these same people often use their devices to access social media and websites that attract cybercrooks. Poorly-secured  devices can be easily accessed by hackers who are becoming evermore sophisticated and ferocious.

This device conundrum ties directly to corporate IT culture and the question of allowing employees to use personal devices to conduct business. The solution ranges anywhere from an outright ban (which employees often ignore) to fully embracing an employee’s choice, while building corporate safeguards to block spam and corrupt application downloading. Some companies permit it with tight controls such as having the ability to wipe the gadgets clean of all information in the case of loss. Of course that means all personal data will be wiped along with business data but studies show employee satisfaction (ergo productivity) is tied to exercising personal preference of devices.

Security and legal teams wrestle with this dilemma constantly in the mobil world of today and there’s no clear cut answer. Protecting a company and its clients’ data is essential; but also, productivity, efficiency, organization and responsiveness are but a few benefits of giving employees their choice of gadget.

Arming those same employees with the safety measures to secure their devices from fraudulent activities is where IT departments can manage risk. Building a parallel strategy that serves both corporate IT and the end-user is not only necessary, it is beneficial to the bottom-line.

John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply performance by building a culture of deep trust. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation or watch him on Anderson Cooper60 Minutes or Fox Business1.800.258.8076.

 

 

 

 

 

 

 

 

 

 

7 Steps to Secure Profitable Business Data (Part II)

In the first part of this article series, we discussed why it is so important to protect your business data, including the first two steps in the protection process. Once you have resolved the underlying human issues behind data theft, the remaining five steps will help you begin protecting the technological weaknesses common to many businesses.

  1. Start with the humans.
  2. Immunize against social engineering.
  3. Stop broadcasting your digital data. There are two main sources of wireless data leakage: the weakly encrypted wireless router in your office and the unprotected wireless connection you use to access the Internet in an airport, hotel or café. Both connections are constantly sniffed for unencrypted data being sent from your computer to the web.Strategy: Have a security professional configure the wireless router in your office to utilize WPA-2 encryption or better. If possible, implement MAC-specific addressing and mask your SSID. Don’t try to do this yourself. Instead, invest your money in proportion to the value of the asset you are protecting and hire a professional. While the technician is there, have him do a thorough security audit of your network. You will never be sorry for investing the additional money in cyber security.To protect your data while surfing on the road, set up wireless tethering with your mobile phone provider (Verizon, Sprint, AT&T, T-Mobile) and stop using other people’s free or fee hot spots. Using a simple program called Firesheep, data criminals can “sniff” the data you send across these free connections. Unlike most hot-spot transmissions, your mobile phone communications are encrypted and will give you Internet access from anywhere you can make a call.
  4. Eliminate the inside spy. Most businesses don’t perform a serious background check before hiring a new employee. That is short sighted, as much of the worst data theft ends up being an “inside job” where a dishonest employee siphons information out the back door when no one is looking. In the consulting work we have done with breached companies, we have discovered the number one predictor of future theft by an employee – past theft. Most employees who are dishonest now were also dishonest in the past, which is why they no longer work for their former employer.Strategy: Invest in a comprehensive background check before you hire rather than wasting multiples cleaning up after a thief steals valuable data assets. Follow up on the prospect’s references and ask for some that aren’t on the application. Investigating someone’s background will give you the knowledge necessary to let your gut-level instinct go to work. More importantly, letting your prospective hire know in advance that you will be performing a comprehensive background check will discourage dishonest applicants from going further in the process (watch the video for further details). I personally recommend CSIdentity’s SAFE product, which is a technologically superior service to other background screen services.
  5. Don’t let your mobile data walk away. In the most trusted research studies, 36-50% of all major data breach originates with the loss of a laptop or mobile computing device (smart phone, etc.). Mobility, consequently, is a double-edged sword (convenience and confidentiality); but it’s a sword that we’re probably not going to give up easily.Strategy: Utilize the security professional mentioned above to implement strong passwords, whole disk encryption and remote data-wiping capabilities. Set your screen saver to engage after 5 minutes of inactivity and check the box that requires you to enter your password upon re-entry. This will help keep unwanted users out of your system. Finally, lock this goldmine of data down when you aren’t using it. Either carry the computer on your person (making sure not to set it down in airports, cafes, conferences, etc.), store it in the hotel room safe, or lock it in an office or private room when not using it. Physical security is the most overlooked, most effective form of protection.
  6. Spend a day in your dumpster. You have probably already purchased at least one shredder to destroy sensitive documents before they are thrown out. The problem tends to be that no one in the business uses it consistently.Strategy: Take a day to pretend that you are your fiercest competitor and sort through all of the trash going out your door for sensitive documents. Do you find old invoices, credit card receipts, bank statements, customer lists, trade secrets, employee records or otherwise compromising information? It’s not uncommon to find these sources of data theft, and parading them before your staff is a great way to drive the importance of privacy home. If your employees know that you conduct occasional “dumpster audits” to see what company intelligence they are unsafely throwing away, they will think twice about failing to shred the next document. In addition to properly disposing of new documents, make sure that you hire a reputable on-site shredding company to dispose of the banker’s boxes full of document archives you house in a back room somewhere within your offices.
  7. Anticipate the clouds. Cloud computing (when you store your data on other people’s servers), is quickly becoming a major threat to the security of organizational data. Whether an employee is posting sensitive corporate info on their Facebook page (which Facebook has the right to distribute as they see fit) or you are storing customer data in a poorly protected, noncompliant server farm, you will ultimately be held responsible when that data is breached.Strategy: Spend a few minutes evaluating your business’s use of cloud computing by asking these questions: Do you understand the cloud service provider’s privacy policy (e.g. that the government reserves the right to subpoena your Gmails for use in a court of law)? Do you agree to transfer ownership or control of rights in any way when you accept the provider’s terms of service (which you do every time you log into the service)? What happens if the cloud provider (Salesforce.com, Google Apps) goes out of business or is bought out? Is your data stored locally, or in another country that would be interested in stealing your secrets (China, Iran, Russia)? Are you violating any compliance laws by hosting customer data on servers that you don’t own, and ultimately, don’t control? If you are bound by HIPAA, SOX, GLB, Red Flags or other forms of legislation, you might be pushing the edges of compliance.

By taking these simple steps, you will begin starving data thieves of the information they literally take to the bank. This is a cost-effective, incremental process of making your business a less attractive target. But it doesn’t start working until you do.

John Sileo, the award-winning author of Privacy Means Profit, delivers keynote speeches on identity theft, data security, social media exposure and weapons of influence. His clients include the Department of Defense, Pfizer, Homeland Security, Blue Cross, the FDIC and hundreds of corporations, organizations and associations of all sizes. Learn more at www.ThinkLikeASpy.com.

7 Steps to Secure Profitable Business Data (Part I)

Everybody wants your data. Why? Because it’s profitable, it’s relatively easy to access and the resulting crime is almost impossible to trace. Take, for example, Sony PlayStation Network, Citigroup, Epsilon, RSA, Lockheed and several other businesses that have watched helplessly in the past months as more than 100 million customer records have been breached, ringing up billions in recovery costs and reputation damage. You have so much to lose.

To scammers, your employees’ Facebook profiles are like a user’s manual about how to manipulate their trust and steal your intellectual property. To competitors, your business is one poorly secured smartphone from handing over the recipe to your secret sauce. And to the data spies sitting near you at Starbucks, you are one unencrypted wireless connection away from wishing you had taken the steps in this two-part article.

Every business is under assault by forces that want access to customer databases, employee records, intellectual property, and ultimately, your bottom line. Research is screaming at us—more than 80% of businesses surveyed have already experienced at least one breach and have no idea of how to stop a repeat performance. Combine this with the average cost to repair data loss, a stunning $7.2 million per incident (both statistics according to the Ponemon Institute), and you have a profit-driven mandate to change the way you protect information inside of your organization. “But the risk inside of my business,” you say, “would be no where near that costly.” Let’s do the math.

A Quick and Dirty Way to Calculate Your Business’s Data Risk

Here is a quick ROI formula for your risk: Add up the total number of customer, employee and vendor database records you collect that contain any of the following pieces of information – name, address, email, credit card number, SSN, Tax ID Number, phone number, address, PIN – and multiply that number by $250 (a conservative average of the per record cost of lost data). So, if you have identifying information on 10,000 individuals, your out-of-pocket expenses (breach recovery, notification, lawsuits, etc.) are estimated at $2.5 million even if you don’t lose a SSN or TIN. And that cost doesn’t necessarily factor in the public relations and stock value damage done when you make headlines in the papers.

In an economy where you already stretch every resource to the limit, you need to do more with less. Certain solutions have a higher return on investment. Start with these 7 Steps to Secure Profitable Business Data.

  1. Start with the humans. One of the costliest data security mistakes I see companies make is to only approach data privacy from the perspective of the company. But this ignores a crucial reality: All privacy is personal. In other words, no one in your organization will care about data security, privacy policies, intellectual property protection or data breach until they understand what it has to do with them.Strategy: Give your people the tools to protect themselves personally from identity theft. In addition to showing them that you care (a good employee retention strategy), you are developing a privacy language and framework that can be easily adapted to business. Once your people understand opting out, encryption and identity monitoring from a personal standpoint, it’s a short leap to apply that to your customer databases, physical documents and intellectual property. Start with the personal and expand into the professional. It’s like allowing people to put on their own oxygen masks before taking responsibility for those next to them. For an example of how the Department of Homeland Security applied this strategy, take a look at the short video.
  2. Immunize against social engineering. The root cause of most data loss is not technology; it’s a human being who makes a costly miscalculation out of fear, obligation, confusion, bribery or sense of urgency. Social engineering is the craft of manipulating information out of humans by pushing buttons that elicit automatic responses. Data thieves push these buttons for highly profitable ends, including spear-phishing, social networking fraud, unauthorized building access, and computer hacking.Strategy: Immunize your workforce against social engineering. First, when asked for information, they should immediately apply a healthy dose of professional skepticism. Train them to automatically assume that the requestor is a spy of some sort. Second, teach them to take control of the situation. If they didn’t initiate the transfer of information (e.g., someone official approaches them for login credentials), have them stop and think before they share. Finally, during this moment of hesitation, empower them to ask a series of aggressive questions aimed at exposing fraud. When we do this type of training, whether it is for the Department of Defense, a Fortune 50 or a small business, the techniques are the same. You have to make a game out of it, make it interesting, interactive and fun. That’s how people learn. For an example of fraud training in action, visit www.Sileo.com/fun-fraud.

You will notice that the first 2 Steps have nothing to do with technology or what you might traditionally associate with data security. They have everything to do with human behavior. Failing to begin with human factor, with core motivations and risky habits, will almost certainly guarantee that your privacy initiatives will fail. You can’t simply force a regime of privacy on your company. You need to build a coalition; you need to instill a culture of privacy, one security brick at a time.

Once you have acknowledged the supreme importance of obtaining buy-in from your employees and training them as people first, data handlers second, then you can move on to the next 5 Steps to Secure Profitable Business Data.

John Sileo, the award-winning author of Privacy Means Profit, delivers keynote speeches on identity theft, data security, social media exposure and weapons of influence. His clients include the Department of Defense, Pfizer, Homeland Security, Blue Cross, the FDIC and hundreds of corporations, organizations and associations of all sizes. Learn more at www.ThinkLikeASpy.com.

7 Data Theft Hotspots for Meeting Professionals

Everybody wants your data, especially when you are in the business of meetings. Your data doesn’t just have a high face value (e.g., the attendee data, including credit card numbers that you collect and store in your online registration system), it also has a high resale value .

Here is how the theft is most often committed in your industry:

  • Competitors hire one of your employees and they leave with a thumb drive full of confidential files, including client lists, personally identifying information on talent and employees, financial performance data, etc.
  • Social engineers (con artists) mine your employee’s Facebook profiles to gain a heightened level of trust which allows them to manipulate your human assets
  • Cyber criminals hack your lax computer network or sniff the unprotected wireless connections you and your employees use while traveling (Starbucks, hotels, airports).
  • Mobile Computing Thieves target your digital devices (Laptop, smartphone, tablet) and other weak points while on the road.
  • Opportunistic Vendors (Cleaning services, painters, landlords) quietly collect data assets from your desks, filing cabinets, trash cans and dumpsters when you aren’t even in the office.

Research is screaming at us—more than 80% of businesses surveyed have already experienced at least one breach (average recovery cost according to the Ponemon Institute: $7.2 million) and have no idea of how to stop a repeat performance.

A Quick and Dirty Way to Calculate Your Risk as a Meeting Professional

Here is a quick ROI formula for your risk: Multiply the number of attendees, employees and executives for whom you store any one of the following pieces of sensitive identity – name, address, email, credit card number, SSN, TIN, phone number – and multiply that by $240 (the industry average per record of lost data). So, if you have identifying information on 1,000 individuals, your out-of-pocket expenses (breach recovery, notification, lawsuits, etc.) are estimated at $240,000 even if you don’t lose a SSN or TIN. That is not a guess, those are real numbers.

As agencies who already stretch every resource to the limit just to stay in the game, you need to do more with less. I can’t possibly give you all of the answers to protecting your bureau or management company in a simple article, but I’d like to share 7 Data Theft Hotspots that you should address first.

  1. Start with the humans. One of the costliest data security mistakes I see departments make is thinking that this is a problem for large businesses only. It is a big problem for large businesses, but data theft is far more damaging to governmental organizations because of the increased regulation and legal scrutiny. Strategy: Give your people the tools to protect themselves personally from identity theft. In addition to showing them that you care (a good employee retention strategy), you are developing a privacy language that can be applied at work without spending all kinds of money on a security risk assessment. Once they understand opting out, encryption and identity monitoring from a personal standpoint, it’s a short leap to apply that to your attendee databases and intellectual property. You can do this in very simple, inexpensive ways. While this doesn’t necessarily train them on the specific tools to protect your bureau’s intellectual capital and customer data, it does increase their awareness of data theft and shows them that their self-interest is involved (i.e., their job depends on it). To get them started on protecting themselves, you are welcome to use this free Identity Theft Prevention Checklist.
  2. Immunize against social engineering. The root cause of most data loss in professional services companies like yours is not technology; it’s a human being who makes a costly miscalculation out of fear, obligation, confusion, bribery or sense of urgency. Social engineering is the craft of manipulating information out of you or your staff by pushing buttons that elicit automatic responses. Data thieves push these buttons for highly profitable ends, including spear-phishing, social networking fraud, unauthorized building access, and computer hacking. Strategy: Immunize your employees against social engineering. First, when asked for information, they should immediately apply a healthy dose of professional skepticism (Hogwash J). Train them to automatically assume that the requestor is a spy of some sort. Second, teach them to take control of the situation. If they didn’t initiate the transfer of information (e.g., the credit card company called you, not vice versa), have them stop and think before they share. Finally, during this moment of hesitation, empower them to ask a series of aggressive questions aimed at exposing fraud. This is the key – getting them to be curious in the face of a request for sensitive information. These are some of the materials that I went through in an abbreviated fashion during IASB, but you can communicate them just as well as I can.
  3. Stop broadcasting your digital data. There are two main sources of wireless data leakage in the meeting professionals world: the weakly encrypted wireless router in your office and the unprotected wireless connection you use to access the Internet in an airport, hotel or café. Both connections are constantly sniffed for unencrypted data being sent from your computer to the web. Strategy: Stop trying to keep your computer and network security in house and inexpensive – it is part of the costs of owning all of that processing power. Have a security professional configure the wireless router in your office to utilize WPA-2 encryption or better. If possible, implement MAC-specific addressing and mask your SSID. Don’t try to do this yourself. Instead, just hand a qualified technician this paragraph and continue to do what you do best (booking me J) while she earns your wisely spent dollars. While she’s there, have him do a security audit of your network, including firewall penetration, password strength, user-level access permissions, etc.Another major source of data theft (especially in the meetings industry) is Wi-Fi hotspot usage. Most Free hotspots do little to protect the data that you transmit over the wireless network. In fact, many home and company wireless networks are not set up to provide a secure connection to the internet and are, therefore, no safer than those you access for free in cafés, airports and hotels. Just say no to using free Wi-Fi hotspots, on your phone and your laptop. The most common form of exploitation associated with hotspots are “man-in-the-middle” attacks where a spy intercepts the transmission between your wireless network card and the cafés wireless router or modem. Using a legal, free and simple-to-use tool like Firesheep, a thief (or competitor/law enforcement, etc.) can sit next to you in a café and “sniff” your connections. Luckily, your Smartphone can provide a proactive way to help you protect your connection to the Internet when surfing wirelessly. Strategy: Tethering connects your computer to the Internet using a Smartphone (or Internet-enabled cell phone). It increases security because the mobile transmission between your cell phone and the cell tower is encrypted (scrambled) and hard to intercept. Therefore, when you use your Smartphone to surf the web, you are accessing a protected connection that probably can’t be sniffed. The connection might be slightly slower than a traditional Wi-Fi hotspot, but it is also much safer. Simply call your wireless provider and ask them if your Smartphone has tethering capabilities. You shouldn’t have to pay more than about $15 per month to put this solution into affect. Remember to do it for all company Smartphones as well.
  4. Eliminate the inside spy. Chances are you don’t always perform a very serious background check before hiring a new employee. That is short sighted, as most of the worst data theft ends up being an “inside job” where a dishonest employee siphons information out the back door when no one is looking. Many employees who are dishonest now were also dishonest in the past, which is why they no longer work for their former employer. Strategy: Invest in a comprehensive background check before you hire rather than wasting multiples cleaning up after a thief steals valuable data assets. Follow up on the prospect’s references and ask for some that aren’t on the application. Investigating someone’s background will give you the knowledge necessary to let your gut-level instinct go to work and will discourage dishonest applicants from going further in the process. Finally, make sure that the prospect you are employing knows that you are going to these lengths to check them out. Most people who are trying to gain employment in order to defraud you are scared away when they know you are investigating them.
  5. Don’t let your mobile data walk away. In the most trusted research studies, 36-50% of all major data breach originates with the loss of a laptop or mobile computing device (smart phone, etc.). Mobility, consequently, is a double-edged sword; but it’s a sword that we’re probably not going to give up easily in the high-travel world of the bureau and meetings industry. Strategy: Utilize the security professional mentioned above to implement strong passwords, whole disk encryption and remote data wiping capabilities. Set your screen saver to engage after 5 minutes of inactivity and check the box that requires you to enter your password upon re-entry. This will help keep unwanted users out of your system. Finally, lock this goldmine of data down when you aren’t using it. Either carry the computer on your person in a backpack, store it in the hotel room safe, or lock it in an office or fire safe when not using it. Physical security is the most overlooked, most effective form of protection and for people who travel as much as you do, it’s a major risk.
  6. Spend a day in your dumpster. You have probably already purchased at least one shredder to destroy sensitive documents before they are thrown out. The problem tends to be that no one in the business uses it consistently. Strategy: Take a day to pretend that you are your fiercest competitor and sort through all of the trash going out your door for sensitive documents. Do you find old W9s, invoices, credit card receipts, bank statements, customer lists, trade secrets, employee records or otherwise compromising information? It’s not uncommon to find these sources of data theft, and parading them before your staff is a great way to drive the importance of privacy home. If your employees know that you conduct occasional “dumpster audits” to see what company intelligence they are unsafely throwing away, they will think twice about failing to shred the next document. Also, check to make sure that these same documents are locked in a filing cabinet, safe or password-protected electronic format.
  7. Anticipate the clouds. Cloud computing (when you store your data on other people’s servers), is quickly becoming a major threat to the security of organizational data. Whether an employee is posting sensitive attendee info on their Facebook page (which Facebook has the right to distribute as they see fit) or you are storing meetings data in a poorly protected, non-compliant server farm, you will ultimately be held responsible when that data is breached. Strategy: Spend a few minutes evaluating your business’s use of cloud computing by asking these questions: Do you understand the cloud service provider’s privacy policy (e.g. that the government reserves the right to subpoena your Gmails for use in a court of law)? Do you agree to transfer ownership or control of rights in any way when you accept the provider’s terms of service (which you do every time you log into the service)? What happens if the cloud provider (Salesforce.com, Google Apps) goes out of business or is bought out? Is your data stored locally, or in another country that would be interested in stealing your secrets (China, Iran, Russia)? Are you violating any compliance laws by hosting customer data on servers that you don’t own, and ultimately, don’t control?

This is a very quick overview of some of the risks that I see as most pressing for meeting professionals. Here’s the good news… your espionage and data theft countermeasures don’t need to be sophisticated or expensive to be effective. Targeting the hotspots above is a savvy, incremental way to keep spies out of your agency. But it won’t start working until you do.

John Sileo speaks professionally on identity theft, social media exposure and online reputation and is the award-winning author of the newly released Privacy Means Profit. His clients include the Department of Defense, the FDIC, FTC, Pfizer and the Federal Reserve Bank. Learn more about bringing him in to motivate your organization to better protect information assets and develop information leaders.