Tag Archive for: data security

13 Data Security Tips for Meeting Professionals – SGMP

I just finished delivering a keynote speech for the Society of Government Meeting Professionals (SGMP) at their annual convention on identity theft and protecting data in the meetings industry. Data security is a top concern in this industry because it is probably one of the most highly-targeted groups for identity theft, social media fraud, data breach and social engineering. Here’s why:

  1. Meeting professionals collect, store and transmit massive amounts of private data on attendees
  2. Data theft risk skyrockets when travel is involved, which is a frequent occurrence for meeting planners and professionals
  3. Meeting professionals are busy nearly 24 hours a day once they are onsite for the conference or meeting, meaning that they are highly distracted
  4. A single data breach of attendee data can put the organization responsible for the event out of business due to excessive costs and tight compliance regulations
  5. Conferences are generally collections of highly professional, highly valuable attendees who travel with laptops, sensitive intellectual property, smartphones, unsecured WiFi connections, etc.

Meeting professionals have enormous responsibilities throughout every stage of the planning process. Identity thieves target conferences because of the sheer quantity and value of data circulating around these events. Protecting sensitive attendee data before, during and after the event has become not only a nicety, but a necessity. Data stolen during the planning, execution or clean-up phases of your event can hamstring your organization with financial liabilities and a public relations nightmare. Start by taking these steps:

Meeting Security Before the Event

  • Secure Your Online Reservation System. If you are going to use online registration, invest in a system that delivers not only efficiency, but security. It is your legal, financial and ethical responsibility to protect your attendees’ personal information. Don’t try to do it all yourself. Hire a reputable technology provider to ensure that your data is protected behind firewalls, encryption, passwords, updated operating systems, security software and safe wireless.
  • Educate Attendees. Before they ever begin their travels, attendees should read through a quick 2-minute tip sheet on how to protect themselves while going to a conference. Simply making them aware of some of the risks that exist traveling (laptop theft, unprotected WiFi, smartphone hijacking, etc.) will cause them to pay greater attention on-site.
  • Minimize Data Collection. Collect only the data that you absolutely need and destroy it as soon as you are finished. Once you have processed credit cards, purge that information from your system. The quicker that you properly dispose of sensitive data, the lower your risk and liability.
  • Minimize Physical Files. Take as few physical files with you to the event (attendee lists, etc.) as these are easily misplaced when traveling and distracted. The more that you can keep behind a password protected, encrypted computer, the better.

Meeting Security Traveling to the Event

  • Protect Your Laptop. Almost 50% of serious corporate data theft occurs because a laptop computer is stolen. In addition to the standard forms of protection (passwords, encryption, anti-virus, etc.), carry as little data on your laptop as possible. And never leave the laptop unattended unless it is locked in your hotel room safe. Identity thieves target business travelers because they are generally rushed, distracted and carrying valuable data.
  • Think Twice about Free Wi-Fi. It is very convenient (and dangerous) to use a free wireless connection to the Internet provided by an airport, café or hotel. Unfortunately, it is nearly impossible to distinguish if you are on a safe network or one that allows thieves to pirate your information. Unless you are absolutely sure about the security in place, refrain from sending any sensitive material over a wireless connection that your IT department hasn’t configured or approved.

Meeting Security Onsite

  • Educate Attendees. Make frequent announcements at the start of each segment of your programming to remind attendees that they should not leave purses, laptops or files unattended. In addition, warn them to take care of their belongings in pre-conference material and encourage them to leave as much sensitive data at home or in the office as possible.
  • Room Monitors. Have room monitors that check badges as attendees are entering the room and that monitor purses and laptops that are left in the room during breaks (even if you warn people, some will still leave items). Make sure that you announce that room monitors are watching so that you let any would-be opportunists know that someone is watching. Just this one piece of information should discourage theft.
  • Control Digital Access. Make sure that only authorized users can access your onsite registration system. Don’t leave laptops or registration lists unattended, as they are a goldmine of sensitive data. Make sure you are using a VPN and secure wireless connection to connect back to your office or database server. Deactivate your USB drives so that data cannot be easily copied onto a USB thumb drive when you aren’t looking.
  • Provide Secure WiFi for Attendees. Setup secure WiFi (requiring a password) for your staff and attendees so that they are not broadcasting their private information over an unprotected network (which they are doing anytime they use a free hotspot without a password). Make sure that your contact onsite understands your security needs and concerns. That is part of the service they are providing.
  • Control Physical Access. Use a system of photo ID badges and room monitors to make sure that only authorized attendees have access to highly sensitive areas. You don’t want your biggest competitor to gain access to the meeting where you reveal next year’s strategy.
  • Shred Unneeded Documents. If you no longer need registration information on an attendee, shred it immediately. Every hotel or conference center should have shredders onsite that you are able to utilize. If they don’t, you might ask yourself how well they are protecting your data.

Meeting Security After the Event

  • Destroy the Evidence. When the conference or meeting is over, shred any remaining physical documents you no longer need. Purge digital files from your systems, especially those containing credit card or Social Security numbers. The less you keep on hand, the lower your changes of theft.

Above all, don’t forget to educate your staff and attendees on the risks of data theft while attending a conference. Higher levels of awareness drastically reduce the incidents of attendee identity theft and corporate espionage.

John Sileo is the award-winning author of Privacy Means Profit and America’s leading speaker on identity theft prevention, social media exposure, online reputation management and information leadership. Learn more about his keynote speeches on a variety of topics or call directly on 1.800.258.8076.

 

Dropbox a Crystal Ball of Cloud Computing Pros & Cons

Dropbox is a brilliant cloud based service (i.e., your data stored on someone else’s server) that automatically backs up your files and simultaneously keep the most current version on all of your computing devices (Mac and Windows, laptops, workstations, servers, tablets and smartphones). It is highly efficient for giving you access to everything from everywhere while maintaining an off-site backup copy of every version of every document.

And like anything with that much power, there are risks. Using this type of syncing and backup service without understanding the risks and rewards is like driving a Ducati motorcycle without peering into the crystal ball of accidents that take the lives of bikers every year. If you are going to ride the machine, know your limits.

This week, Dropbox appears to have altered their user agreement (without any notice to its users), making it a FAR LESS SECURE SERVICE. Initially, their privacy policy stated:

… all files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password. Quote from PCWorld

Currently, the privacy policy says that Dropbox can access and view your encrypted data, and it might do so to share information with law enforcement. Why is that important? Because it means that the encryption keys that keep your files private are actually stored on Dropbox’s server, not on your own computer. This puts the keys to your data (and every other Dropbox user) in the hands not only of Dropbox employees and law enforcement, but vulnerable to hackers. When the encryption key is located on your computer, at least the risk is spread over Dropbox’s user’s network.

But there is an even bigger issue that this exposes about the world of cloud computing in general: anytime your data lives on a device that you don’t own, you lose a certain amount of control over what happens to it. Here is just a sampling of factors that can affect the privacy and confidentiality of your cloud-stored data:

  • The cloud service provider changes their Terms of Service (like Dropbox just did) to cover their legal bases, making your data less secure without your even being alerted. This happens almost every week with Facebook, which changes privacy terms constantly. When you log back into your account, you are automatically agreeing to the new Terms of Service (and probably not reading the tens of pages of legal jargon).
  • The provider is bought out by a new company (possibly one overseas) or has its assets liquidated (the most valuable assets are generally information), that has different standards for data security and sharing. You, by default, are now covered by those standards.
  • The security of your data is weak in the first place. Security costs money, and many smaller cloud providers haven’t invested enough in protecting that data, leaving the door wide open for savvy hackers. SalesForce.com might be well protected, but is the free backup service or contact manager that you use?
  • Your data exists in a more public domain than when it is stored on internal, private servers, meaning that it is subject to subpoena without your being notified! In other words, the government and law enforcement has access to it and you will never know they were snooping around. This isn’t a concern for most small businesses, but it is still a cautionary note.

So does this mean we should all shut down our Dropbox, Carbonite, iBackup accounts? No. Does this mean that corporations should not implement the highly scalable, dramatically efficient solutions provided by the cloud? No. It means that both individuals and businesses must educate themselves on the up and down sides of this shift in computing. They can  begin the process by realizing that:

  1. Not all data is created equal and that some types of sensitive data should never be placed in someone else’s control. This is exactly why there are data classification systems (I subscribe to those used by the military and spy agencies: Public, Internal, Confidential and Top Secret).
  2. Not all cloud providers are created equal and you must understand the privacy policy, terms of service and track record of each one individually (just like you would choose a car with a better crash-test rating for your family).
  3. Anything of immense power comes with costs, and those costs must be calculated into the relative ROI of the equation. In other words, the answer here, like most complex things in life, exists in the gray area, not in a black or white, one-size-fits all generalization.

John Sileo writes and speaks on Information Leadership, including identity theft prevention, data breach, social media risk and online reputation. His clients include the Department of Defense, Homeland Security, the Federal Reserve Bank, FDIC, FTC and hundreds of corporations of all sizes. Learn more about his motivational data security events.

iPhone and Droid Want to Be Your Big Brother

Remember the iconic 1984 Super Bowl ad with Apple shattering Big Brother? How times have changed! Now they are Big Brother.

According to recent Wall Street Journal findings, Apple Inc.’s iPhones and Google Inc.’s Android smartphones regularly transmit your locations back to Apple and Google, respectively. This new information only intensifies the privacy concerns that many people already have regarding smartphones. Essentially, they know where you are anytime your phone is on, and can sell that to advertisers in your area (or will be selling it soon enough).

The actual answer here is for the public to put enough pressure on Apple and Google that they stop the practice of tracking our location-based data and no longer collect, store or transmit it in any way without our consent.

You may ask, “don’t all cell phone carriers know where you are due to cell tower usage?” Yes, but Google and Apple are not cell phone carriers, they are software and hardware designers and should have no real reason (other than information control) to be tracking your every move without your knowledge. Google and Apple are not AT&T or Verizon, therefore they should not be recording, synching and transmitting your location like it appears they are.

Both companies are trying to build huge databases that allow them to pinpoint your exact location. So how are they doing it? By recording the cell phone towers and WiFi hotspots that you pass and that your phone utilizes. This data will ultimately be used to help them market location based services to their audience, which is a market that is expected to rise $6 billion in the next 3 years.

The Wall Street Journal found through research by security analyst Samy Kamkar, the HTC Android phone collected its location every few seconds and transmitted the data to Google at least several times an hour. It transmitted the name, location and signal strength of any nearby WiFi networks, as well as a unique phone identifier. This was not as personal of information like what the Street-View cars collected that Google had to shut down some time ago.

So what do we do now? According to the Wall Street Journal, neither Apple or Google commented when contacted about these findings, so it is hard to know the extent of how they are using the data collected. Right now, there really isn’t much you can do to stop GPS tracing of your location without your consent. Of course you could power down your phone, but we are all way too additcted to these handy little digital Swiss Army Knives to do that. You can turn of GPS services, but again, that makes it impossible to use maps and other location-based apps.

The actual answer here is for the public to put enough pressure on Apple and Google that they stop the practice of tracking our location-based data and no longer collect, store or transmit it in any way without our consent.

While this may be the future of privacy, it is better that we are aware of what may come rather than remain in the dark about the possibilities of technology.

John Sileo is the President of The Sileo Group and the award winning author of four books, including his latest workbook, The Smartphone Survival Guide. He speaks around the world on identity theft, online reputation and influence. His clients include the Department of Defense, Pfizer and Homeland Security. Learn more at www.ThinkLikeASpy.com.

Information Offense – How Google Plays

Google recently offered $20,000 to the first person who could hack their web browser, Chrome. Without question, a hacker will crack it and prove that their browser isn’t as mighty as they might think.

So why waste the money?

In that question, ‘why waste the money?’ lies one of the root causes of all data theft inside of organizations. Google’s $20,000 investment is far from a waste of money. Consider:

  1. The average breach inside of an organization costs $6.75 million in recover costs (Ponemon Study). $20,000 up front to define weak points is a minuscule investment.
  2. Chrome is at the center of Google’s strategic initiatives in search, cloud computing, Google Docs, Gmail, displacing Microsoft IE and mobile OS platforms – in other words, it is a very valuable asset, so Google is putting their money where their money is (protecting their profits).
  3. By offering up $20,000 to have it hacked IN ADVANCE of successful malicious attacks (which are certain to come), Google is spending very little to have the entire hacker community beta test the security of their product.

I would bet that there will be tens or hundreds of successful hacks into their browser, all of which will be fixed by the next time they commission a hack.

Anticipating the inevitable attacks and investing in advance to minimize the chances and resulting costs of a breach is a perfect example of Information Offense. Instead of waiting for your data to be compromised (defense), you take far less costly steps up front to deflate the risk. Only the most enlightened leaders I work with inside of corporations understand the value of spending a little bit on security now to reap huge benefits (in the form of avoided losses) down the road.

Too many leaders are so focused on the revenue side of the model (most of them are from a sales background) that they lack the depth of seeing the entire picture – the long-term health and profitability of the company. You know the saying… an ounce of prevention being worth a pound of cure. Just think of the ounce being loose change and the pound being solid gold.

Marshall Goldsmith, the executive coach, nails the behavior behind this phenomenon in his book, What Got You Here Won’t Get You There,

Avoiding mistakes is one of those unseen, unheralded achievements that are not allowed to take up our time and thought. And yet… many times, avoiding a bad deal can affect the bottom line more significantly than scoring a big sale… That’s the funny thing about stopping some behavior. It gets no attention, but it can be as crucial as everything else we do combined.”

Listen to Google and Mr. Goldsmith, and avoid the mistakes before you make them by asking yourself this simple question: How can I refocus my efforts and resources on playing offense rather than defense?

John Sileo’s motivational keynote speeches train organizations to play aggressive information offense before the attack, whether that is identity theft, data breach, cyber crime, social networking exposure or human fraud. Learn more at www.ThinkLikeASpy.com or call him directly on 800.258.8076.