Tag Archive for: John Sileo

Whose Device – Yours, Mine or Ours?

Carrying multiple personal devices is a pain and, yet, the fear of giving away critical company data is a nightmare.

For most of us, being connected equals being productive. However, this simple equation becomes complex when one has to juggle personal devices with those issued by our employers. Paramount in an employer’s mind is the protection of the company’s critical and confidential business data but they don’t want to alienate employees by being too restrictive on using their personal smartphones and tablets.

Recent research has found that nearly three out of four adults don’t protect their smartphones with security software and these same people often use their devices to access social media and websites that attract cybercrooks. Poorly-secured  devices can be easily accessed by hackers who are becoming evermore sophisticated and ferocious.

This device conundrum ties directly to corporate IT culture and the question of allowing employees to use personal devices to conduct business. The solution ranges anywhere from an outright ban (which employees often ignore) to fully embracing an employee’s choice, while building corporate safeguards to block spam and corrupt application downloading. Some companies permit it with tight controls such as having the ability to wipe the gadgets clean of all information in the case of loss. Of course that means all personal data will be wiped along with business data but studies show employee satisfaction (ergo productivity) is tied to exercising personal preference of devices.

Security and legal teams wrestle with this dilemma constantly in the mobil world of today and there’s no clear cut answer. Protecting a company and its clients’ data is essential; but also, productivity, efficiency, organization and responsiveness are but a few benefits of giving employees their choice of gadget.

Arming those same employees with the safety measures to secure their devices from fraudulent activities is where IT departments can manage risk. Building a parallel strategy that serves both corporate IT and the end-user is not only necessary, it is beneficial to the bottom-line.

John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply performance by building a culture of deep trust. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation or watch him on Anderson Cooper60 Minutes or Fox Business1.800.258.8076.

 

 

 

 

 

 

 

 

 

 

Video: How a Credit Freeze Stops Identity Theft

A Simple Credit Freeze will Lock Down Your Credit

Freezing your credit is the number one way to protect against financial identity theft. If everyone in the country locked down their credit, identity thieves would quickly be out of business. At least, a major part of their business. Take 30 minutes and lower your chances of identity theft drastically (see the online Freeze links at the bottom of this post).

To go directly to placing a security freeze on your 3 bureau accounts, page down to the bottom section.

Every time you establish new credit (e.g., open up a new credit card, store account or bank account, finance a car or home loan, etc.), an entry is created in your credit file which is maintained by companies like Experian, Equifax and TransUnion (listed below). The trouble is, with your name, address and social security number, an identity thief can pretend to be you and can establish credit (i.e., spend your net worth) in your name.

A freeze is simply an agreement you make with the three main credit reporting bureaus (Experian, Equifax and TransUnion – listed below) that they won’t allow new accounts (credit card, banking, brokerage, loans, rental agreements, etc.) to be attached to your name/social security number unless you contact the credit bureau, give them a password and allow them to unfreeze or thaw your account for a short period of time. Yes, freezing your credit takes a bit of time (maybe an hour of work), can be a little inconvenient when you want to set up a new account (that said, let’s face it, businesses want to make it as easy as possible to unfreeze your credit because they benefit when you set up new accounts and spend more money) and it can cost a few dollars (generally about $10 to unfreeze, a small price compared to the recovery costs of identity theft). And it is worth it! It’s like putting locks on your doors.

Since all states don’t allow you, by law, to freeze your credit, the three credit reporting bureaus have begun to offer credit freezes on a national basis. This is a major step forward in the prevention of identity theft, even if they are offering it for profit reasons (they make money every time you freeze/unfreeze your credit). If your state does not currently offer credit freezes by law, you can now apply with each credit reporting bureau individually. Regardless of where you live, freeze your credit today.A credit freeze doesn’t affect your existing credit – it doesn’t freeze credit cards, bank accounts or loans you already have. It only freezes access to your account unless someone has a password to get in. It’s like having a PIN number on your ATM card. It also doesn’t lower (or raise) your credit score.

Equifax Credit Freeze
P.O. Box 105788 Atlanta, Georgia 30348
Toll-Free: 1.800.685.1111

TransUnion Credit Freeze
Fraud Victim Assistance Department P.O. Box 6790 Fullerton, CA 92834
Toll-Free: 1.888.909.8872

Experian Credit Freeze
P.O. Box 9554 Allen, TX 75013
Toll-Free: 1.888.397.3742

John Sileo is an award-winning author and highly- entertaining keynote speaker on the dark art of deception (cybersecurity, identity theft, data privacy, social engineering). He is CEO of The Sileo Group and his clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. 303.777.3221

Child Identity Theft (Part II)

If you missed the first part of this series, please visit Child Identity Theft  (Part I).

Child Identity theft is the fastest growing sector of the identity theft “industry,” and the numbers are staggering. Although it’s difficult to estimate exactly how many children lose their identities since the crime can go undetected for years, the FTC states that 5% of identity theft cases target children, which translates into 500,000 kidnapped child identities per year, and growing. The Carnegie Mellon CyLab Report states that in 54% of the cases, the child was under the age of 14.

The identity thief is not always a stranger. In many cases, it’s a relative with bad credit who takes advantage of a child’s pristine credit. Conveniently, these family members generally have access to the information necessary to maximize the fraud with little attention. This seems absurd, but imagine a parent who is strapped for cash, has a bad credit score and needs to buy groceries. In this case, short-term thinking blinds the relative or friend to long-term consequences. In other instances, the child’s future is not taken into consideration at all.

Frankly, it doesn’t take much to get the crime underway; all a criminal needs is the child’s name and Social Security number. These pieces of personal information are exposed in a variety of ways:

  • When registering for daycare, schools and recreational sports
  • On medical, dental and hospital records
  • When joining organizations like the Girl Scouts, Boy Scouts, etc.
  • When the above information is permanently stored and accessed by volunteers or employees
  • When one of the above organizations is breached by a hacker or malicious software
  • When an adult befriends your child on a social networking site (MySpace, Facebook) and eventually socially engineers private information out of them

The Three Basic Types of Child Identity Theft

  1. Financial identity theft occurs when the name and Social Security number is used to establish new lines of credit.
  2. Criminal identity theft happens when the criminal uses the child’s identity to obtain a driver’s license or substitutes the child’s identity if caught in a criminal act.
  3. Identity cloning entails using a child’s identity (via information collection or a black market ‘purchase’ of personal information) for medical, financial, criminal and governmental purposes. The most common form of cloned identity theft is committed on behalf of undocumented workers looking for an identity that will keep them working in this country.

For parents, cleaning up the disaster of identity theft for their children is costly and incredibly time consuming. Getting a new Social Security number is almost impossible, and rarely the best option.

Taking steps right now to protect your child from this horrible crime is one of the greatest investments you will ever make in their financial and emotional future.

Protecting Your Children

Acting now on behalf of your child will protect them from consequences common to child victims:

  • Starting adulthood with a credit rating low enough to scare away the hungriest of loan sharks
  • Being denied a first loan, credit card or apartment rental because of a crime committed 10-15 years earlier (the passage of time makes this crime very hard to clear up)
  • Being denied access to college or a new job
  • Having a warrant out for her arrest for crimes that she didn’t commit

In the same way that you can’t protect your children from every bruise and scrape, you can’t entirely remove the risk of identity theft. You can, however, prevent or soften the fall if it does happen. Take these steps first:

  1. Watch for mail in your child’s name. This is a potential sign that credit has been established using their identity. The most common types of mail that signal identity theft are financial (pre-approved credit cards, etc.).
  2. Consider ordering a free credit report for your child. If you suspect foul play, write to the three credit reporting bureaus (Equifax, Experian and TransUnion) to see if your child has a credit profile (no profile, no chance that it is being used illegally). If they do have an active credit profile, you will need to resolve this with the specific credit bureau. Please note that requesting your child’s credit report repeatedly can actually establish a credit profile in their name. For a more convenient option, use an identity monitoring service for you and your family that alerts you when credit is established in any of your names.
  3. Stop giving out your child’s personal information. Until you are confident that it is absolutely necessary to receive the services desired, withhold their personal information. More than 80% of organizations that ask for your child’s Social Security number don’t actually need it to establish services. If you must give it, ask them how they will use it, how long they will keep it and how it will be protected while they have it.
  4. Protect your child’s identity documents. Birth certificates, passports, bank account information, wills and trusts involving children should all be locked securely in a fire-safe or bank’s safety deposit box. Physical document theft is one of the most prevalent ways kid’s identities are stolen.
  5. If you find evidence of fraudulent activity, contact the police, the source of the fraud and all three credit bureaus. Filing a police report helps to establish your child’s innocence in an official way.Have the credit bureaus FREEZE your child’s credit for maximum protection. Keep detailed records of all correspondence between yourself, the police, the merchant and the credit bureaus. It will come in handy should you ever find yourself in court, as I did.
  6. Educate your children on the importance of protecting their personal information. Teach them about the value of their personal information: their name, address, phone numbers, email address, Social Security Number and any passwords and PIN numbers. Reinforce that they own their private information and that it should not be shared with friends, over the internet or with anyone whom they don’t know or trust.Education is absolutely the best financial gift you will ever give to them.

In the case of child identity theft, an ounce of prevention is worth a lifetime of financial security. Don’t let the center of your universe become just another statistic. Because you love and protect your children as much as I do, start this process immediately.

John Sileo lost almost a half-million dollars, his business and his reputation to identity theft. Since then, he’s become America’s leading keynote speaker on identity theft, social media exposure and weapons of manipulation. His clients include the Department of Defense, Pfizer and Homeland Security. To learn more, visit ThinkLikeASpy.com.

iPad Vampires: 7 Simple Security Settings to Stop Data Suckers

Information is the currency and lifeblood of the modern economy and, unlike the industrial revolution, data doesn’t shut down at dinnertime. As a result, the trend is towards hyper-mobile computing – smartphones and tablets – that connect us to the Internet and a limitless transfusion of information 24-7. It is an addiction that employers encourage because it inevitably means that we are working after hours (scanning emails in bed rather than catching up with our spouse).

In the work we do to change the culture of privacy inside of organizations, we have discovered a dilemma: iPads are not as secure as other forms of computing and are leaking significant amounts of organizational data to corporate spies, data thieves and even competing economies (China, for example, which would dearly love to pirate the recipe for your secret sauce). Do corporations, then, sacrifice security for the sake of efficiency, privacy for the powerful touch screens that offer a jugular of sensitive information?

Of course not! That’d be like driving a race car minus seat belts and air bags.

iPads provide a competitive advantage, and like generations of tools before it (the cotton gin, the PC), individuals and organizations alike will be forced to learn how to operate this equipment safely or risk the bite of intellectual property vampires. Here are 7 Simple Security Settings to help you lock down your iPad much like you would your laptop.

7 Simple Security Settings for Your iPad

  1. Turn On Passcode Lock. Your iPad is just as powerful as your laptop or desktop, so stop treating it like a glorified book. Your iPad is only encrypted when you enable the passcode feature. (Settings/General)
  2. Turn Simple Passcode to Off. Why use only an easy to crack 4-digit passcode when you can implement a full-fledged alphanumeric password? If you can tap out short emails, why not spend 5 seconds on a proper password.
  3. Require Passcode Immediately. It is slightly inconvenient and considerably more secure to have your iPad automatically lock up into passcode mode anytime you leave it alone for a few minutes.
  4. Set Auto Lock to 2 Minutes. Why give the table thief at your favorite café more time to modify your settings to his advantage (to keep it from locking) as he walks out the door with your bank logins, emails and kid pictures.
  5. Turn Erase Data after 10 Tries to On. Even the most sophisticated passcode-cracking software can’t get it done in 10 tries or less. This setting wipes out your data after too many failed attempts. Just make sure your kids don’t accidentally wipe out your iPad (forcing you to restore from your latest iTunes backup).
  6. Use a Password Manager. Your passwords are only as affective as your ability to use them wisely (they need to be long and different for every site). Keeping your passwords in an unencrypted keychain or document is a recipe for complete financial disaster. Download a reputable password-protection app like 1Password to manage and protect any sensitive passwords, credit card numbers, software licenses, etc. Not only is it safe, it’s incredibly convenient and efficient.
  7. Avoid Untrustworthy Apps. Not all applications are friendly. Despite Apple’s well-designed vetting process, there are still malicious apps that slip through the cracks to siphon data out of your device. If the app hasn’t been around for a while and if you haven’t read about it in a reputable journal (Macworld, Wall Street Journal, New York Times, etc.), don’t load it onto your system. Don’t jail-break your iPad to download apps outside of iTunes. Short-term gain equals long-term risk.

Believe it or not, these simple steps begin to give you a level of security that will discourage casual data vampires. After implementing the Simple 7, move on to 5 Sophisticated Security Settings for iPads for even more robust data defense.

John Sileo lost almost a half-million dollars, his business and his reputation to identity theft. Since then, he’s become America’s leading keynote speaker on identity theft, social media exposure and weapons of manipulation. He helps organizations build successful cultures of privacy. His clients include the Department of Defense, Pfizer and Homeland Security. To learn more, visit ThinkLikeASpy.com or contact him directly on 1.800.258.8076.

College Identity Theft Speaker

I’ve got a neighbor who’s going back to college this week and reminds me that this is by far the highest risk group for identify theft and it’s for a couple of reasons.  When these kids are going off to college, it’s the first time they are getting true financial independence, which might never have been trained to handle.  They have access to credit cards, to new bank accounts, and they’re managing it themselves.  That’s a huge red flag that there’s going to be trouble.  Number two, they’re going into an environment where their stuff is not particularly protected.  They’re in a dorm room, they’ve got roommates that may need extra cash; they know they can take advantage of them.  So it’s kind of a high risk environment.  The third reason is because they do so much online.  There’s so much social media interaction and that’s where ton of information is stolen. So you need to take some of these steps that are in this blog post.  Help your students take them.  It will help them out not just this year in college but helping them build their financial future going forward.  Your identity is pretty much everything in terms of your net worth. You got to take care of it now.

John speaks professionally about social media privacy and identity theft to college students.

College Students Destroy Financial Future with Poor Choices

College is the perfect period of life to begin sound financial practices including protecting privacy. Not only are college students vulnerable, but they are impressionable and well positioned to learn strong habits that will last them a lifetime. As students launch into independence, we, as parents, hope to give them the best tools possible to insure a bright future. One of the most vital tools is to establish healthy habits that will guard their financial and personal identities for the rest of their lives. People ages 18 -24 are the least able to spot identity theft according to the BBB. That age group needed more than four months to realize someone had damaged their credit history or used their identity. By taking a few precautions, a young adult can avoid the crushing job of trying to recover from having given away the keys to their financial future, which is especially overwhelming while navigating life away from home for the first time.

Identity thieves don’t care a whit if the student has a dime – they just want a clean financial record in order to commit crimes using their credit and future buying power. Unfortunately, thieves are often someone the student trusts: a friend, dorm mate, co-worker, or someone who poses as a sanctioned person on campus.  Identity thieves may use personal information to open credit card accounts, access financial accounts, rent an apartment or even commit larger cases of fraud, implicating the student. Here are some tips to get you and your student started down the road to protecting their financial future:

  • Have all sensitive mail sent to parents’ homes only. School mailboxes are not secure and are easily accessed in a dorm or apartment.
  • Store Social Security cards, passports, bank statements, credit card statements and other important documents in a small fire safe in their dorm.
  • As soon as you are done with any documents that have financial information (financial account statements, medical bills,  insurance forms, charge receipts, university tuition payments), shred the documents rather than putting them in the trash in order to foil dumpster divers.
  • Set up account alerts with your credit card companies and banks to notify you via email whenever a transaction occurs. Because it is fresh in your mind, it takes only a few seconds to verify the transaction unlike weeks later when you try to recall each transaction while paying your bill or reconciling your bank statement.
  • Always check credit card bills and bank statements and question unknown purchases. The sooner you catch a breach, the less likely you’ll have complicated financial ramifications.
  • Limit the applications you load on your smartphone or tablet. Many of these apps siphon data off of your device back to unwanted companies and individuals.
  • Never loan a credit or debit card to anyone, even your best friend. Don’t co-sign a loan for a friend as you will be responsible for missed payments.
  • Date of birth is one of the key pieces of information that many companies use to confirm identity. Refrain from sharing your correct date of birth on Facebook or any place online. Friends who you want to know your birthday should learn that from you personally. Even putting only the month and day is risky as it’s pretty easy to ascertain the year based on your profile.
  • Use long passwords with a mix of letters, numbers and characters (e.g., &63DB4x%gX); According to Gibson Research, a password that is 10 characters is vastly harder to crack than one containing nine characters. If you need help remembering them, use a password protection program.
  • Update antivirus and spyware software on personal computers. Identity thieves rely on special programs, transferred to personal laptops and computers from numerous websites, to duplicate people’s passwords, user ID’s and bank account information.
  • Check credit reports for free three times a year at www.AnnualCreditReport.com. Request a report from a different credit union every four months and you’ve got the year covered.
  • Get off mailing lists for pre-approved credit offers, which are a goldmine for identity thieves. To opt out of financial junk mail, call 888-5-OPTOUT or visit www.OptOutPreScreen.com to remove your name from national lists. Be prepared to provide your Social Security number (in this case, that is a risk worth taking).
  • Never click on links sent in unsolicited emails or postings on social media. In addition to installing malware on your computer, many of them are phishing schemes that trick you into entering your Social Security number, user name or account passwords.
  • Never give out financial or account information to unsolicited callers, even if they say they are from your bank (you are not in control of the call when it’s incoming).
  • Do not share phone numbers or list your residence hall names and/or floor number designations online – or anyplace. Identity thieves frequently show up on campus pretending to represent a legitimate company, possibly using the school’s logo or colors on the credit card. Once the scammers get students’ personal information, they can then use it themselves or sell it for a profit.

Heartily impress upon your students (and yourself!) to guard identity with a vengeance and save untold time and money attempting recovery. Doing so might be the most profitable education they receive.

How Secure is Your Gmail, Hotmail, YahooMail?

I just finished an interview with Esquire magazine about the security of webmail applications like Gmail, Windows Live Hotmail and YahooMail. Rebecca Joy, who interviewed me on behalf of Esquire, wanted to know in the wake of the Rupert Murdoch phone-hacking scandal, how secure our photos and messages are when we choose to use free webmail programs.

The simple answer? Not very secure. Just ask Vanessa Hudgens (nude photos), Sarah Palin (complete takeover of her email account) and the scores of celebrities and power figures who have been victimized by email hacking.

Think of using webmail (or any web-based software, including Facebook, Twitter, Google Docs, etc.) as checking into a hotel room. Unlike a house, where you have tighter control over your possessions, the same is not true of a hotel. While you definitely own the items you bring into a hotel room (laptop, smartphone, wallet, passport, client files), you don’t have nearly as much control as to how they are accessed (maids, managers, social engineers who know how to gain access to your room). In short, by using webmail to communicate, you are exchanging convenience for control.

Here are the five most common ways you lose control:

  1. The password on your email account is easy to guess (less than 13 characters, fail to use alpha-numeric-symbol-upper-lower-case, don’t change it often) and someone easily hacks into your webmail account, giving them access to your mail, photos, contacts, etc.
  2. Someone inside of the webmail company is given a huge incentive to leak your private information (tabloids that want access to a celebrity’s photos and are willing to pay hundreds of thousands for it).
  3. You populate your password reminder questions (What high school did you go to?) with the correct answers instead of using an answer that is not easily found on your Facebook, LinkedIn or Classmates.com profile.
  4. You fail to log out of your webmail while on a public computer (hotel business center, school, library, acquaintances house), allowing them to log back in to your email account using the autosaved username and password (which by default tends to stay on a system for up to two weeks).
  5. You continue to deny the fact that when you store your information in places that you don’t own, you have very little actual control.

If you are sending sensitive information of any sort (text, photos, identity, videos or otherwise), don’t use webmail or social networking to send it. Use a mail program that resides on your own computer and encrypt the sensitive contents using a program like PGP. That gives you a much stronger form of protection than ignorantly exposing your information for all to see.

John Sileo is the award winning author of Privacy Means Profit and a professional speaker on data security, privacy, identity theft and social networking exposure.

 

7 Steps to Secure Profitable Business Data (Part II)

In the first part of this article series, we discussed why it is so important to protect your business data, including the first two steps in the protection process. Once you have resolved the underlying human issues behind data theft, the remaining five steps will help you begin protecting the technological weaknesses common to many businesses.

  1. Start with the humans.
  2. Immunize against social engineering.
  3. Stop broadcasting your digital data. There are two main sources of wireless data leakage: the weakly encrypted wireless router in your office and the unprotected wireless connection you use to access the Internet in an airport, hotel or café. Both connections are constantly sniffed for unencrypted data being sent from your computer to the web.Strategy: Have a security professional configure the wireless router in your office to utilize WPA-2 encryption or better. If possible, implement MAC-specific addressing and mask your SSID. Don’t try to do this yourself. Instead, invest your money in proportion to the value of the asset you are protecting and hire a professional. While the technician is there, have him do a thorough security audit of your network. You will never be sorry for investing the additional money in cyber security.To protect your data while surfing on the road, set up wireless tethering with your mobile phone provider (Verizon, Sprint, AT&T, T-Mobile) and stop using other people’s free or fee hot spots. Using a simple program called Firesheep, data criminals can “sniff” the data you send across these free connections. Unlike most hot-spot transmissions, your mobile phone communications are encrypted and will give you Internet access from anywhere you can make a call.
  4. Eliminate the inside spy. Most businesses don’t perform a serious background check before hiring a new employee. That is short sighted, as much of the worst data theft ends up being an “inside job” where a dishonest employee siphons information out the back door when no one is looking. In the consulting work we have done with breached companies, we have discovered the number one predictor of future theft by an employee – past theft. Most employees who are dishonest now were also dishonest in the past, which is why they no longer work for their former employer.Strategy: Invest in a comprehensive background check before you hire rather than wasting multiples cleaning up after a thief steals valuable data assets. Follow up on the prospect’s references and ask for some that aren’t on the application. Investigating someone’s background will give you the knowledge necessary to let your gut-level instinct go to work. More importantly, letting your prospective hire know in advance that you will be performing a comprehensive background check will discourage dishonest applicants from going further in the process (watch the video for further details). I personally recommend CSIdentity’s SAFE product, which is a technologically superior service to other background screen services.
  5. Don’t let your mobile data walk away. In the most trusted research studies, 36-50% of all major data breach originates with the loss of a laptop or mobile computing device (smart phone, etc.). Mobility, consequently, is a double-edged sword (convenience and confidentiality); but it’s a sword that we’re probably not going to give up easily.Strategy: Utilize the security professional mentioned above to implement strong passwords, whole disk encryption and remote data-wiping capabilities. Set your screen saver to engage after 5 minutes of inactivity and check the box that requires you to enter your password upon re-entry. This will help keep unwanted users out of your system. Finally, lock this goldmine of data down when you aren’t using it. Either carry the computer on your person (making sure not to set it down in airports, cafes, conferences, etc.), store it in the hotel room safe, or lock it in an office or private room when not using it. Physical security is the most overlooked, most effective form of protection.
  6. Spend a day in your dumpster. You have probably already purchased at least one shredder to destroy sensitive documents before they are thrown out. The problem tends to be that no one in the business uses it consistently.Strategy: Take a day to pretend that you are your fiercest competitor and sort through all of the trash going out your door for sensitive documents. Do you find old invoices, credit card receipts, bank statements, customer lists, trade secrets, employee records or otherwise compromising information? It’s not uncommon to find these sources of data theft, and parading them before your staff is a great way to drive the importance of privacy home. If your employees know that you conduct occasional “dumpster audits” to see what company intelligence they are unsafely throwing away, they will think twice about failing to shred the next document. In addition to properly disposing of new documents, make sure that you hire a reputable on-site shredding company to dispose of the banker’s boxes full of document archives you house in a back room somewhere within your offices.
  7. Anticipate the clouds. Cloud computing (when you store your data on other people’s servers), is quickly becoming a major threat to the security of organizational data. Whether an employee is posting sensitive corporate info on their Facebook page (which Facebook has the right to distribute as they see fit) or you are storing customer data in a poorly protected, noncompliant server farm, you will ultimately be held responsible when that data is breached.Strategy: Spend a few minutes evaluating your business’s use of cloud computing by asking these questions: Do you understand the cloud service provider’s privacy policy (e.g. that the government reserves the right to subpoena your Gmails for use in a court of law)? Do you agree to transfer ownership or control of rights in any way when you accept the provider’s terms of service (which you do every time you log into the service)? What happens if the cloud provider (Salesforce.com, Google Apps) goes out of business or is bought out? Is your data stored locally, or in another country that would be interested in stealing your secrets (China, Iran, Russia)? Are you violating any compliance laws by hosting customer data on servers that you don’t own, and ultimately, don’t control? If you are bound by HIPAA, SOX, GLB, Red Flags or other forms of legislation, you might be pushing the edges of compliance.

By taking these simple steps, you will begin starving data thieves of the information they literally take to the bank. This is a cost-effective, incremental process of making your business a less attractive target. But it doesn’t start working until you do.

John Sileo, the award-winning author of Privacy Means Profit, delivers keynote speeches on identity theft, data security, social media exposure and weapons of influence. His clients include the Department of Defense, Pfizer, Homeland Security, Blue Cross, the FDIC and hundreds of corporations, organizations and associations of all sizes. Learn more at www.ThinkLikeASpy.com.

7 Steps to Secure Profitable Business Data (Part I)

Everybody wants your data. Why? Because it’s profitable, it’s relatively easy to access and the resulting crime is almost impossible to trace. Take, for example, Sony PlayStation Network, Citigroup, Epsilon, RSA, Lockheed and several other businesses that have watched helplessly in the past months as more than 100 million customer records have been breached, ringing up billions in recovery costs and reputation damage. You have so much to lose.

To scammers, your employees’ Facebook profiles are like a user’s manual about how to manipulate their trust and steal your intellectual property. To competitors, your business is one poorly secured smartphone from handing over the recipe to your secret sauce. And to the data spies sitting near you at Starbucks, you are one unencrypted wireless connection away from wishing you had taken the steps in this two-part article.

Every business is under assault by forces that want access to customer databases, employee records, intellectual property, and ultimately, your bottom line. Research is screaming at us—more than 80% of businesses surveyed have already experienced at least one breach and have no idea of how to stop a repeat performance. Combine this with the average cost to repair data loss, a stunning $7.2 million per incident (both statistics according to the Ponemon Institute), and you have a profit-driven mandate to change the way you protect information inside of your organization. “But the risk inside of my business,” you say, “would be no where near that costly.” Let’s do the math.

A Quick and Dirty Way to Calculate Your Business’s Data Risk

Here is a quick ROI formula for your risk: Add up the total number of customer, employee and vendor database records you collect that contain any of the following pieces of information – name, address, email, credit card number, SSN, Tax ID Number, phone number, address, PIN – and multiply that number by $250 (a conservative average of the per record cost of lost data). So, if you have identifying information on 10,000 individuals, your out-of-pocket expenses (breach recovery, notification, lawsuits, etc.) are estimated at $2.5 million even if you don’t lose a SSN or TIN. And that cost doesn’t necessarily factor in the public relations and stock value damage done when you make headlines in the papers.

In an economy where you already stretch every resource to the limit, you need to do more with less. Certain solutions have a higher return on investment. Start with these 7 Steps to Secure Profitable Business Data.

  1. Start with the humans. One of the costliest data security mistakes I see companies make is to only approach data privacy from the perspective of the company. But this ignores a crucial reality: All privacy is personal. In other words, no one in your organization will care about data security, privacy policies, intellectual property protection or data breach until they understand what it has to do with them.Strategy: Give your people the tools to protect themselves personally from identity theft. In addition to showing them that you care (a good employee retention strategy), you are developing a privacy language and framework that can be easily adapted to business. Once your people understand opting out, encryption and identity monitoring from a personal standpoint, it’s a short leap to apply that to your customer databases, physical documents and intellectual property. Start with the personal and expand into the professional. It’s like allowing people to put on their own oxygen masks before taking responsibility for those next to them. For an example of how the Department of Homeland Security applied this strategy, take a look at the short video.
  2. Immunize against social engineering. The root cause of most data loss is not technology; it’s a human being who makes a costly miscalculation out of fear, obligation, confusion, bribery or sense of urgency. Social engineering is the craft of manipulating information out of humans by pushing buttons that elicit automatic responses. Data thieves push these buttons for highly profitable ends, including spear-phishing, social networking fraud, unauthorized building access, and computer hacking.Strategy: Immunize your workforce against social engineering. First, when asked for information, they should immediately apply a healthy dose of professional skepticism. Train them to automatically assume that the requestor is a spy of some sort. Second, teach them to take control of the situation. If they didn’t initiate the transfer of information (e.g., someone official approaches them for login credentials), have them stop and think before they share. Finally, during this moment of hesitation, empower them to ask a series of aggressive questions aimed at exposing fraud. When we do this type of training, whether it is for the Department of Defense, a Fortune 50 or a small business, the techniques are the same. You have to make a game out of it, make it interesting, interactive and fun. That’s how people learn. For an example of fraud training in action, visit www.Sileo.com/fun-fraud.

You will notice that the first 2 Steps have nothing to do with technology or what you might traditionally associate with data security. They have everything to do with human behavior. Failing to begin with human factor, with core motivations and risky habits, will almost certainly guarantee that your privacy initiatives will fail. You can’t simply force a regime of privacy on your company. You need to build a coalition; you need to instill a culture of privacy, one security brick at a time.

Once you have acknowledged the supreme importance of obtaining buy-in from your employees and training them as people first, data handlers second, then you can move on to the next 5 Steps to Secure Profitable Business Data.

John Sileo, the award-winning author of Privacy Means Profit, delivers keynote speeches on identity theft, data security, social media exposure and weapons of influence. His clients include the Department of Defense, Pfizer, Homeland Security, Blue Cross, the FDIC and hundreds of corporations, organizations and associations of all sizes. Learn more at www.ThinkLikeASpy.com.

7 Data Theft Hotspots for Meeting Professionals

Everybody wants your data, especially when you are in the business of meetings. Your data doesn’t just have a high face value (e.g., the attendee data, including credit card numbers that you collect and store in your online registration system), it also has a high resale value .

Here is how the theft is most often committed in your industry:

  • Competitors hire one of your employees and they leave with a thumb drive full of confidential files, including client lists, personally identifying information on talent and employees, financial performance data, etc.
  • Social engineers (con artists) mine your employee’s Facebook profiles to gain a heightened level of trust which allows them to manipulate your human assets
  • Cyber criminals hack your lax computer network or sniff the unprotected wireless connections you and your employees use while traveling (Starbucks, hotels, airports).
  • Mobile Computing Thieves target your digital devices (Laptop, smartphone, tablet) and other weak points while on the road.
  • Opportunistic Vendors (Cleaning services, painters, landlords) quietly collect data assets from your desks, filing cabinets, trash cans and dumpsters when you aren’t even in the office.

Research is screaming at us—more than 80% of businesses surveyed have already experienced at least one breach (average recovery cost according to the Ponemon Institute: $7.2 million) and have no idea of how to stop a repeat performance.

A Quick and Dirty Way to Calculate Your Risk as a Meeting Professional

Here is a quick ROI formula for your risk: Multiply the number of attendees, employees and executives for whom you store any one of the following pieces of sensitive identity – name, address, email, credit card number, SSN, TIN, phone number – and multiply that by $240 (the industry average per record of lost data). So, if you have identifying information on 1,000 individuals, your out-of-pocket expenses (breach recovery, notification, lawsuits, etc.) are estimated at $240,000 even if you don’t lose a SSN or TIN. That is not a guess, those are real numbers.

As agencies who already stretch every resource to the limit just to stay in the game, you need to do more with less. I can’t possibly give you all of the answers to protecting your bureau or management company in a simple article, but I’d like to share 7 Data Theft Hotspots that you should address first.

  1. Start with the humans. One of the costliest data security mistakes I see departments make is thinking that this is a problem for large businesses only. It is a big problem for large businesses, but data theft is far more damaging to governmental organizations because of the increased regulation and legal scrutiny. Strategy: Give your people the tools to protect themselves personally from identity theft. In addition to showing them that you care (a good employee retention strategy), you are developing a privacy language that can be applied at work without spending all kinds of money on a security risk assessment. Once they understand opting out, encryption and identity monitoring from a personal standpoint, it’s a short leap to apply that to your attendee databases and intellectual property. You can do this in very simple, inexpensive ways. While this doesn’t necessarily train them on the specific tools to protect your bureau’s intellectual capital and customer data, it does increase their awareness of data theft and shows them that their self-interest is involved (i.e., their job depends on it). To get them started on protecting themselves, you are welcome to use this free Identity Theft Prevention Checklist.
  2. Immunize against social engineering. The root cause of most data loss in professional services companies like yours is not technology; it’s a human being who makes a costly miscalculation out of fear, obligation, confusion, bribery or sense of urgency. Social engineering is the craft of manipulating information out of you or your staff by pushing buttons that elicit automatic responses. Data thieves push these buttons for highly profitable ends, including spear-phishing, social networking fraud, unauthorized building access, and computer hacking. Strategy: Immunize your employees against social engineering. First, when asked for information, they should immediately apply a healthy dose of professional skepticism (Hogwash J). Train them to automatically assume that the requestor is a spy of some sort. Second, teach them to take control of the situation. If they didn’t initiate the transfer of information (e.g., the credit card company called you, not vice versa), have them stop and think before they share. Finally, during this moment of hesitation, empower them to ask a series of aggressive questions aimed at exposing fraud. This is the key – getting them to be curious in the face of a request for sensitive information. These are some of the materials that I went through in an abbreviated fashion during IASB, but you can communicate them just as well as I can.
  3. Stop broadcasting your digital data. There are two main sources of wireless data leakage in the meeting professionals world: the weakly encrypted wireless router in your office and the unprotected wireless connection you use to access the Internet in an airport, hotel or café. Both connections are constantly sniffed for unencrypted data being sent from your computer to the web. Strategy: Stop trying to keep your computer and network security in house and inexpensive – it is part of the costs of owning all of that processing power. Have a security professional configure the wireless router in your office to utilize WPA-2 encryption or better. If possible, implement MAC-specific addressing and mask your SSID. Don’t try to do this yourself. Instead, just hand a qualified technician this paragraph and continue to do what you do best (booking me J) while she earns your wisely spent dollars. While she’s there, have him do a security audit of your network, including firewall penetration, password strength, user-level access permissions, etc.Another major source of data theft (especially in the meetings industry) is Wi-Fi hotspot usage. Most Free hotspots do little to protect the data that you transmit over the wireless network. In fact, many home and company wireless networks are not set up to provide a secure connection to the internet and are, therefore, no safer than those you access for free in cafés, airports and hotels. Just say no to using free Wi-Fi hotspots, on your phone and your laptop. The most common form of exploitation associated with hotspots are “man-in-the-middle” attacks where a spy intercepts the transmission between your wireless network card and the cafés wireless router or modem. Using a legal, free and simple-to-use tool like Firesheep, a thief (or competitor/law enforcement, etc.) can sit next to you in a café and “sniff” your connections. Luckily, your Smartphone can provide a proactive way to help you protect your connection to the Internet when surfing wirelessly. Strategy: Tethering connects your computer to the Internet using a Smartphone (or Internet-enabled cell phone). It increases security because the mobile transmission between your cell phone and the cell tower is encrypted (scrambled) and hard to intercept. Therefore, when you use your Smartphone to surf the web, you are accessing a protected connection that probably can’t be sniffed. The connection might be slightly slower than a traditional Wi-Fi hotspot, but it is also much safer. Simply call your wireless provider and ask them if your Smartphone has tethering capabilities. You shouldn’t have to pay more than about $15 per month to put this solution into affect. Remember to do it for all company Smartphones as well.
  4. Eliminate the inside spy. Chances are you don’t always perform a very serious background check before hiring a new employee. That is short sighted, as most of the worst data theft ends up being an “inside job” where a dishonest employee siphons information out the back door when no one is looking. Many employees who are dishonest now were also dishonest in the past, which is why they no longer work for their former employer. Strategy: Invest in a comprehensive background check before you hire rather than wasting multiples cleaning up after a thief steals valuable data assets. Follow up on the prospect’s references and ask for some that aren’t on the application. Investigating someone’s background will give you the knowledge necessary to let your gut-level instinct go to work and will discourage dishonest applicants from going further in the process. Finally, make sure that the prospect you are employing knows that you are going to these lengths to check them out. Most people who are trying to gain employment in order to defraud you are scared away when they know you are investigating them.
  5. Don’t let your mobile data walk away. In the most trusted research studies, 36-50% of all major data breach originates with the loss of a laptop or mobile computing device (smart phone, etc.). Mobility, consequently, is a double-edged sword; but it’s a sword that we’re probably not going to give up easily in the high-travel world of the bureau and meetings industry. Strategy: Utilize the security professional mentioned above to implement strong passwords, whole disk encryption and remote data wiping capabilities. Set your screen saver to engage after 5 minutes of inactivity and check the box that requires you to enter your password upon re-entry. This will help keep unwanted users out of your system. Finally, lock this goldmine of data down when you aren’t using it. Either carry the computer on your person in a backpack, store it in the hotel room safe, or lock it in an office or fire safe when not using it. Physical security is the most overlooked, most effective form of protection and for people who travel as much as you do, it’s a major risk.
  6. Spend a day in your dumpster. You have probably already purchased at least one shredder to destroy sensitive documents before they are thrown out. The problem tends to be that no one in the business uses it consistently. Strategy: Take a day to pretend that you are your fiercest competitor and sort through all of the trash going out your door for sensitive documents. Do you find old W9s, invoices, credit card receipts, bank statements, customer lists, trade secrets, employee records or otherwise compromising information? It’s not uncommon to find these sources of data theft, and parading them before your staff is a great way to drive the importance of privacy home. If your employees know that you conduct occasional “dumpster audits” to see what company intelligence they are unsafely throwing away, they will think twice about failing to shred the next document. Also, check to make sure that these same documents are locked in a filing cabinet, safe or password-protected electronic format.
  7. Anticipate the clouds. Cloud computing (when you store your data on other people’s servers), is quickly becoming a major threat to the security of organizational data. Whether an employee is posting sensitive attendee info on their Facebook page (which Facebook has the right to distribute as they see fit) or you are storing meetings data in a poorly protected, non-compliant server farm, you will ultimately be held responsible when that data is breached. Strategy: Spend a few minutes evaluating your business’s use of cloud computing by asking these questions: Do you understand the cloud service provider’s privacy policy (e.g. that the government reserves the right to subpoena your Gmails for use in a court of law)? Do you agree to transfer ownership or control of rights in any way when you accept the provider’s terms of service (which you do every time you log into the service)? What happens if the cloud provider (Salesforce.com, Google Apps) goes out of business or is bought out? Is your data stored locally, or in another country that would be interested in stealing your secrets (China, Iran, Russia)? Are you violating any compliance laws by hosting customer data on servers that you don’t own, and ultimately, don’t control?

This is a very quick overview of some of the risks that I see as most pressing for meeting professionals. Here’s the good news… your espionage and data theft countermeasures don’t need to be sophisticated or expensive to be effective. Targeting the hotspots above is a savvy, incremental way to keep spies out of your agency. But it won’t start working until you do.

John Sileo speaks professionally on identity theft, social media exposure and online reputation and is the award-winning author of the newly released Privacy Means Profit. His clients include the Department of Defense, the FDIC, FTC, Pfizer and the Federal Reserve Bank. Learn more about bringing him in to motivate your organization to better protect information assets and develop information leaders.