Posts

Sileo Identity Theft Prevention & Online Privacy Checklist

CheckmarkIdentity theft prevention is not a one-time solution. You must accumulate layers of privacy and security over time. The following identity theft prevention tips are among those I cover in one of my keynote speeches.

  1. Review your Free Credit Report 3X per year at www.AnnualCreditReport.com.
  2. Opt-Out of financial junk mail.
  3. Stop Marketing Phone Calls at www.DoNotCall.gov.
  4. Freeze Your Credit. State-by-state instructions at www.Sileo.com/2.
  5. If you don’t want to use a credit freeze, place Fraud Alerts on your 3 credit files.
  6. Use sophisticated Identity Monitoring software to detect theft before it’s disastrous.
  7. Stop Sharing Identity (SSN, address, phone, credit card #s) unless necessary.
  8. Protect Your Wallet or Purse. Watch this video.
  9. Protect Your Computer and Online Identity. Privacy Means Profit
  10. Protect your Laptop. Visit www.Sileo.com/laptop-anti-theft for details.
  11. Bank Online: online bank statements, account alerts and bill-pay.
  12. Buy a Shredder (or 2) & shred everything with identity you don’t need.
  13. Minimize Social Networking Exposure. Privacy Means Profit
  14. Lock down your Social Networking Profiles www.Sileo.com/facebook-safety.
  15. Realize that approximately 50% of the worst ID theft crimes are committed by Acquaintances & Friends.
  16. Set up two-factor authentication with your bank.
  17. Stop Clicking on Links in emails and social networking posts that you don’t recognize as legitimate.
  18. Avoid emails/faxes/letters/calls/people promising Something for Nothing.
  19. Know that protecting Other People’s Privacy is part of your responsibility.
  20. For more tools, purchase a copy of John’s Latest Book on Information Survival, Privacy Means Profit.
  21. Subscribe to The Sileo Report eNewsletter and follow John’s Blog.
  22. Consider bringing John Sileo to speak to your organization on identity theft, cyber crime, social engineering, social media exposure and other topics of information exposure.

7 Security Secrets of Social Networking

On the surface, social networking is like a worldwide cocktail party—full of new friends, fascinating places and tasty apps. Resisting the urge to drink from the endless fountain of information is nearly impossible because everyone else is doing it—connecting is often advantageous for professional reasons, it’s trendy and, unchecked, it can be dangerous.

Beneath the surface of the social networking cocktail party lives a painful data-exposure hangover for the average business. Sites like Facebook and Twitter are now the preferred tool for malware delivery, phishing, and “friends-in-distress” scams while more business oriented sites, like LinkedIn, allow for easy corporate espionage and the manipulation of your employees.

To avoid the cocktail party altogether is both impractical and naïve—the benefits of social networking outweigh the dangers—but applying discretion and wisdom to your social strategy makes for smart business. Follow these 7 Security Secrets of Social Networking to begin locking down your sensitive data.

  1. On social networks, possession is ten-tenths of the law.When you put your business’s information on a social network, you have forfeited your exclusive right to that information. Unlike a physical asset, information can be simultaneously recreated, stored and accessed by unlimited users at any one time, allowing it to flow like water through your fingers. Additionally, there are very few laws governing the ownership of information once it leaves your office (e.g., goes into the cloud), leaving you no legal precedence for winning back your privacy. On a personal level, for example, when you populate your Facebook profile with a birthdate, it is sold to advertisers along with your demographics, “Likes” and a map of your friend network. Similarly, in the business world, the minute you establish a Facebook page and begin to attract “fans” or a Twitter page for followers, you’ve just centralized and publicized your customer list for competitors. Solution: Create a strategic plan before you expose your intellectual property. Prior to going live with a corporate social networking profile or sharing your next post, think through how much sensitive information you are sharing, and with whom. Unlike a traditional website, social networks connect human beings, some of whom want to map your organizational structure, track your marketing initiatives, hire your star employees, breach your systems, poach your fan list or steal sensitive intellectual capital. It is imperative that you: 1. Create a strategic social networking plan that 2. Defines what information can and should be shared by executives and employees on Facebook, Twitter, LinkedIn, etc. 3. Consider using social media to attract new prospects rather than creating a following of existing (and poachable) clients. 4. Populate your profile with only publicly available, marketing-based data. 5. Keep personal comments for personal pages, as they have no place at work. 6. Don’t rely on a policy to communicate your intentions and requirements surrounding social media. The most successful companies build a culture of privacy through an interactive process that allows the entire team to co-create a solution.
  2. Lack of education, not technology, is the greatest source of risk. It’s easy to blame our data privacy woes on technology. At the heart of every security failure (technological or otherwise), is a poor human decision, generally due to a lack of awareness. For instance, an employee, not a machine, decides to spend their lunch break using their work computer to post on personal social networking sites. In many cases, they do so because the business has not established guidelines for these scenarios, nor have they educated them on the risks. For example, most employees don’t understand that more than 30% of all malware is delivered to corporate computers via social spam through personalsocial networking use conducted on work computers. Solution: Educate your team as individuals first, employees second. The most effective way to change a human being is to appeal to them emotionally, not intellectually. Most of us are more emotionally connected to our personal lives than to our jobs. Consequently, by motivating your employees to protect their own social networking profiles first (and their kids’), you are not only lowering the malware and fraud that they introduce into your computers through lunchtime surfing, you are also giving them the framework and language to protect the company’s social networking efforts. Be sure to: 1. Break the training down into bite-sized, single topic morsels that won’t overwhelm or discourage employees. 2. Allow employees to spend a few moments applying the fixes you’ve just given them. 3. Once they’ve made the changes personally, reconvene and discuss what it all has to do with your organization’s social networking strategy. They will return to the learning table with emotional buy-in and awareness. Strategies Three and Five (below) are examples of this bite-sized, personal to professional adaptation process.
  3. Most social networking risks are old scams with new twists.During a lunch break at work, you receive a Facebook post that seems like it’s from a friend. It’s impossible not to click, enticing you with captions like, “check out what our old high school friend does for a living now!” Seemingly harmless, you click on a video, a coupon, or a link to win a FREE iPad and presto, you’ve just infected your computer with malware that allows cyber thieves full access into your company network. You’ve been tricked by a repackaged version of the virus-delivering-spam-emails of five years ago. Spam has officially moved into the world of social media (thus, social spam), and is now responsible for 30% of all viruses, spyware and botnets that infect our computers. Solution: Discuss social spam self defense at your next team meeting. It’s amazing how quickly people detect social spam once they’ve been warned! After all, they’ve seen it all before disguised in other forms. In addition to giving employees visual examples of social spam, click-jacking and like-jacking, make sure that they are equipped with the following knowledge: 1. If an offer in a social networking post is too enticing, too good to be true, too bad to be real or just doesn’t feel right, don’t click! 2. If you do click and aren’t taken directly to the site you expected, make sure you never click a second time, as this gives cyber thieves the ability to download malware onto your system. 3. Deny social media account takeover by using strong alphanumeric passwords that are different for every site and that you change frequently. 4. Account takeover is easy for criminals, which means that not all “friends” are who they say they are. If you suspect foul play, call your contact and verify their post. 5. Make sure that you protect your business with the latest cyber security and anti-theft prevention tools available. I will discuss these in the next strategy.
  4. Cyber thieves follow the path of least resistance by looking for open doors. Data thieves aren’t interested in delivering malware to just anybusiness (using social networking as their primary delivery device); they specifically target organizations that have done the least to protect their computers, networks, mobile devices, Wi-Fi and Internet connection. Why burgle a house with deadbolts and an alarm when you can attack the home down the street that left the front door wide open? In business, the “open door” usually comes in the form of poor computer security. Solution: Create a Path of Strategically Elevated Resistance. Thieves get discouraged (and move on to other victims) when you put roadblocks in their way. Keeping your network security up-to-date is the smartest way to quickly and effectively elevate your defenses against cybercrime. Follow these simple steps: 1. Hire a professional to conduct a security assessment on your network; the investment will pay for itself hundreds of times over. During the assessment and follow-up process, make sure that the IT professional: 2. Installs a security suite like McAfee on every computer, including mobile devices that travel, 3. Sets up your operating system and critical software for automatic security updates, 4. Enables and configures a firewall to block incoming cyber criminals, and 5. Configures your Wi-Fi network with WPA2+ encryption. To cover all of your bases, make sure that 6. You are prepared for a breach if it does happen. Deluxe, in partnership with EZShield, provides state-of-the-art identity protection and recovery services for businesses. It’s like health insurance for your information assets.
  5. Data criminals systematically exploit our defaults. Another way to create a path of strategically elevated resistance is to take away the “broadcast” nature of social networking exploited by thieves and competitors. Instead of inviting everyone to your cocktail party, only allow people you know and trust. When users set up a new social networking profile, the tendency is to accept the “default” account settings. For example, when you establish a Facebook account, by default, your name, birthdate, photo, hometown, friend list and every post you makeare available to more than one billion people. Solution: Change your defaults! It only takes minutes to modify every Privacy and Security setting offered by a social network. On a personal level, 1. Consider limiting who can view your hometown, friend list, family, religious affiliation and interests to Friends Only or even Only Me and 2. Disallow Google to index and share your profile on its search engine. Businesses will want to 3. Leave the indexing feature On to maximize search engine traffic. 4. Post updates to categories of friends (friend groups), not to the entire world. This isn’t only safer personally, it also makes for more targeted and appreciated customer service. 5. Make sure to update your defaults regularly, as social networking sites tend to make frequent changes. Many businesses with Facebook Fan Pages, for example, have not updated their profile in accordance with Timeline, meaning that their page is outdated and unprofessional.
  6. Social engineers mine social networks to build trust and exert influence. The greatest social networking threat inside of your organization isn’t malware or information scraping. Your greatest risk comes from a data spy’s ability to get to know youand your co-workers through your online footprint. Social engineering is the art of manipulating data out of you using emotional triggers such as similarity, likeability, fear of offending, authority, etc. A social engineer’s greatest tool of deception is to gain your trust, which is easy once they know your likes, friends and updates that you publish daily. After a month or so of cultivating what appears to be a legitimate relationship, social engineers begin to manipulate you for information. Solution: Verify, then trust. In the information economy, where data is quite literally currency, you must verify someone’s intentions and credibility before you begin to trust them. Here’s how: 1. Don’t befriend strangers; your ego wins, but you lose. 2. Before you accept a second-hand friend, verify that your existing network actually knows and trusts that person. Too many users accept friends indiscriminately, so you need to investigate their credibility before you hit the Accept button. 3. Don’t believe everything you read on social networking sites. In fact, don’t believe anything of substance until you verify it with reputable, primary sources like a national newspaper, ethical blogger or noted expert. 4. Never send money to a friend in need, download an entertaining app or give away sensitive information via social networking unless you know beyond a shadow of a doubt that the request is legitimate and that your communication is private and secure.
  7. In social networking, there are no secrets. The title of this paper was intentional – people want exclusive access to knowledge that others don’t have. We all want to know the secret, and I used that human desire in a gentle form of social engineering to get you to read the article. But in social networking, there are no secrets. The instant you hit the post button, your information becomes public, permanent and exploitable. It’s public because you have little control over how it is forwarded, accessed by others or subpoenaed by law enforcement. In the blink of an eye, your information is backed up, re-tweeted and shared with strangers. Digital DNA has no half-life; it never disappears. And as you’ve seen above, it can be used against you. Solution: Don’t just read, act! Reading is not enough; you must act on what you have read: 1. Revisit the information you over-share on your social networking profiles and remove it. 2. Modify your account privacy and security defaults so that you share only with the people you trust. 3. Educate your team from a personal perspective first and then apply it to your organization’s needs. 4. Strategically elevate your defenses by securing your computer network with software like McAfee, and recovery services like EZShield. 5. Research advanced fraud and social engineering tactics to protect yourself and your company.

Every company I’ve consulted to that has experienced a data breach wishes that they could “go back in time”. Why? Because recovery is often 10-100 times more expensive than prevention, and because data breach causes customer flight, bad press and depreciated value. Companies that prepare for the coming onslaught of social networking fraud will escape relatively unaffected. Businesses that are unprepared will suffer extensively. According to the Ponemon Institute, the average cost to a business of any size that experiences a data breach is $7.2 million, which explains why so many small businesses go bankrupt after a data loss event, as they are unable to pay the recovery costs. That gives you 7.2 million reasons pay attention.

John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply performance by building a culture of deep trust. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation or watch him on Anderson Cooper, 60 Minutes or Fox Business. 1.800.258.8076.

Use a Credit Freeze to Stop Financial Identity Theft and Secure Your Wealth


Freezing your credit is the number one way to protect against financial identity theft. If everyone in the country applied for a Credit Freeze, identity thieves would quickly be out of business. At least, a major part of their business. Take 30 minutes and lower your chances of identity theft drastically (see the online Freeze links at the bottom of this post).

To go directly to placing a security freeze on your 3 bureau accounts, page down to the bottom section.

Every time you establish new credit (e.g., open up a new credit card, store account or bank account, finance a car or home loan, etc.), an entry is created in your credit file which is maintained by companies like Experian, Equifax and TransUnion (listed below). The trouble is, with your name, address and social security number, an identity thief can pretend to be you and can establish credit (i.e., spend your net worth) in your name.

A credit freeze is simply an agreement you make with the three main credit reporting bureaus (Experian, Equifax and TransUnion – listed below) that they won’t allow new accounts (credit card, banking, brokerage, loans, rental agreements, etc.) to be attached to your name/social security number unless you contact the credit bureau, give them a password and allow them to unfreeze or thaw your account for a short period of time. Yes, freezing your credit takes a bit of time (maybe an hour of work), can be a little inconvenient when you want to set up a new account (that said, let’s face it, businesses want to make it as easy as possible to unfreeze your credit because they benefit when you set up new accounts and spend more money) and it can cost a few dollars (generally about $10 to unfreeze, a small price compared to the recovery costs of identity theft). And it is worth it! It’s like putting locks on your doors.

Since all states don’t allow you, by law, to freeze your credit, the three credit reporting bureaus have begun to offer credit freezes on a national basis. This is a major step forward in the prevention of identity theft, even if they are offering it for profit reasons (they make money every time you freeze/unfreeze your credit). If your state does not currently offer credit freezes by law, you can now apply with each credit reporting bureau individually. Regardless of where you live, freeze your credit today.A credit freeze doesn’t affect your existing credit – it doesn’t freeze credit cards, bank accounts or loans you already have. It only freezes access to your account unless someone has a password to get in. It’s like having a PIN number on your ATM card. It also doesn’t lower (or raise) your credit score.

Equifax Credit Freeze
P.O. Box 105788 Atlanta, Georgia 30348credit-freeze
Toll-Free: 1.800.685.1111

TransUnion Credit Freeze
Fraud Victim Assistance Department P.O. Box 6790 Fullerton, CA 92834
Toll-Free: 1.888.909.8872

Experian Credit Freeze
P.O. Box 9554 Allen, TX 75013
Toll-Free: 1.888.397.3742

John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply performance by building a culture of deep trust. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation (he shares how he lost $300,000, 2 years and his business to data breach) or watch him on Anderson Cooper, 60 Minutes or Fox Business. 1.800.258.8076.

College Students Destroy Financial Future with Poor Choices

, ,

College is the perfect period of life to begin sound financial practices including protecting privacy. Not only are college students vulnerable, but they are impressionable and well positioned to learn strong habits that will last them a lifetime. As students launch into independence, we, as parents, hope to give them the best tools possible to insure a bright future. One of the most vital tools is to establish healthy habits that will guard their financial and personal identities for the rest of their lives. People ages 18 -24 are the least able to spot identity theft according to the BBB. That age group needed more than four months to realize someone had damaged their credit history or used their identity. By taking a few precautions, a young adult can avoid the crushing job of trying to recover from having given away the keys to their financial future, which is especially overwhelming while navigating life away from home for the first time.

Identity thieves don’t care a whit if the student has a dime – they just want a clean financial record in order to commit crimes using their credit and future buying power. Unfortunately, thieves are often someone the student trusts: a friend, dorm mate, co-worker, or someone who poses as a sanctioned person on campus.  Identity thieves may use personal information to open credit card accounts, access financial accounts, rent an apartment or even commit larger cases of fraud, implicating the student. Here are some tips to get you and your student started down the road to protecting their financial future:

  • Have all sensitive mail sent to parents’ homes only. School mailboxes are not secure and are easily accessed in a dorm or apartment.
  • Store Social Security cards, passports, bank statements, credit card statements and other important documents in a small fire safe in their dorm.
  • As soon as you are done with any documents that have financial information (financial account statements, medical bills,  insurance forms, charge receipts, university tuition payments), shred the documents rather than putting them in the trash in order to foil dumpster divers.
  • Set up account alerts with your credit card companies and banks to notify you via email whenever a transaction occurs. Because it is fresh in your mind, it takes only a few seconds to verify the transaction unlike weeks later when you try to recall each transaction while paying your bill or reconciling your bank statement.
  • Always check credit card bills and bank statements and question unknown purchases. The sooner you catch a breach, the less likely you’ll have complicated financial ramifications.
  • Limit the applications you load on your smartphone or tablet. Many of these apps siphon data off of your device back to unwanted companies and individuals.
  • Never loan a credit or debit card to anyone, even your best friend. Don’t co-sign a loan for a friend as you will be responsible for missed payments.
  • Date of birth is one of the key pieces of information that many companies use to confirm identity. Refrain from sharing your correct date of birth on Facebook or any place online. Friends who you want to know your birthday should learn that from you personally. Even putting only the month and day is risky as it’s pretty easy to ascertain the year based on your profile.
  • Use long passwords with a mix of letters, numbers and characters (e.g., &63DB4x%gX); According to Gibson Research, a password that is 10 characters is vastly harder to crack than one containing nine characters. If you need help remembering them, use a password protection program.
  • Update antivirus and spyware software on personal computers. Identity thieves rely on special programs, transferred to personal laptops and computers from numerous websites, to duplicate people’s passwords, user ID’s and bank account information.
  • Check credit reports for free three times a year at www.AnnualCreditReport.com. Request a report from a different credit union every four months and you’ve got the year covered.
  • Get off mailing lists for pre-approved credit offers, which are a goldmine for identity thieves. To opt out of financial junk mail, call 888-5-OPTOUT or visit www.OptOutPreScreen.com to remove your name from national lists. Be prepared to provide your Social Security number (in this case, that is a risk worth taking).
  • Never click on links sent in unsolicited emails or postings on social media. In addition to installing malware on your computer, many of them are phishing schemes that trick you into entering your Social Security number, user name or account passwords.
  • Never give out financial or account information to unsolicited callers, even if they say they are from your bank (you are not in control of the call when it’s incoming).
  • Do not share phone numbers or list your residence hall names and/or floor number designations online – or anyplace. Identity thieves frequently show up on campus pretending to represent a legitimate company, possibly using the school’s logo or colors on the credit card. Once the scammers get students’ personal information, they can then use it themselves or sell it for a profit.

Heartily impress upon your students (and yourself!) to guard identity with a vengeance and save untold time and money attempting recovery. Doing so might be the most profitable education they receive.

7 Steps to Secure Profitable Business Data (Part II)

, , , ,

In the first part of this article series, we discussed why it is so important to protect your business data, including the first two steps in the protection process. Once you have resolved the underlying human issues behind data theft, the remaining five steps will help you begin protecting the technological weaknesses common to many businesses.

  1. Start with the humans.
  2. Immunize against social engineering.
  3. Stop broadcasting your digital data. There are two main sources of wireless data leakage: the weakly encrypted wireless router in your office and the unprotected wireless connection you use to access the Internet in an airport, hotel or café. Both connections are constantly sniffed for unencrypted data being sent from your computer to the web.Strategy: Have a security professional configure the wireless router in your office to utilize WPA-2 encryption or better. If possible, implement MAC-specific addressing and mask your SSID. Don’t try to do this yourself. Instead, invest your money in proportion to the value of the asset you are protecting and hire a professional. While the technician is there, have him do a thorough security audit of your network. You will never be sorry for investing the additional money in cyber security.To protect your data while surfing on the road, set up wireless tethering with your mobile phone provider (Verizon, Sprint, AT&T, T-Mobile) and stop using other people’s free or fee hot spots. Using a simple program called Firesheep, data criminals can “sniff” the data you send across these free connections. Unlike most hot-spot transmissions, your mobile phone communications are encrypted and will give you Internet access from anywhere you can make a call.
  4. Eliminate the inside spy. Most businesses don’t perform a serious background check before hiring a new employee. That is short sighted, as much of the worst data theft ends up being an “inside job” where a dishonest employee siphons information out the back door when no one is looking. In the consulting work we have done with breached companies, we have discovered the number one predictor of future theft by an employee – past theft. Most employees who are dishonest now were also dishonest in the past, which is why they no longer work for their former employer.Strategy: Invest in a comprehensive background check before you hire rather than wasting multiples cleaning up after a thief steals valuable data assets. Follow up on the prospect’s references and ask for some that aren’t on the application. Investigating someone’s background will give you the knowledge necessary to let your gut-level instinct go to work. More importantly, letting your prospective hire know in advance that you will be performing a comprehensive background check will discourage dishonest applicants from going further in the process (watch the video for further details). I personally recommend CSIdentity’s SAFE product, which is a technologically superior service to other background screen services.
  5. Don’t let your mobile data walk away. In the most trusted research studies, 36-50% of all major data breach originates with the loss of a laptop or mobile computing device (smart phone, etc.). Mobility, consequently, is a double-edged sword (convenience and confidentiality); but it’s a sword that we’re probably not going to give up easily.Strategy: Utilize the security professional mentioned above to implement strong passwords, whole disk encryption and remote data-wiping capabilities. Set your screen saver to engage after 5 minutes of inactivity and check the box that requires you to enter your password upon re-entry. This will help keep unwanted users out of your system. Finally, lock this goldmine of data down when you aren’t using it. Either carry the computer on your person (making sure not to set it down in airports, cafes, conferences, etc.), store it in the hotel room safe, or lock it in an office or private room when not using it. Physical security is the most overlooked, most effective form of protection.
  6. Spend a day in your dumpster. You have probably already purchased at least one shredder to destroy sensitive documents before they are thrown out. The problem tends to be that no one in the business uses it consistently.Strategy: Take a day to pretend that you are your fiercest competitor and sort through all of the trash going out your door for sensitive documents. Do you find old invoices, credit card receipts, bank statements, customer lists, trade secrets, employee records or otherwise compromising information? It’s not uncommon to find these sources of data theft, and parading them before your staff is a great way to drive the importance of privacy home. If your employees know that you conduct occasional “dumpster audits” to see what company intelligence they are unsafely throwing away, they will think twice about failing to shred the next document. In addition to properly disposing of new documents, make sure that you hire a reputable on-site shredding company to dispose of the banker’s boxes full of document archives you house in a back room somewhere within your offices.
  7. Anticipate the clouds. Cloud computing (when you store your data on other people’s servers), is quickly becoming a major threat to the security of organizational data. Whether an employee is posting sensitive corporate info on their Facebook page (which Facebook has the right to distribute as they see fit) or you are storing customer data in a poorly protected, noncompliant server farm, you will ultimately be held responsible when that data is breached.Strategy: Spend a few minutes evaluating your business’s use of cloud computing by asking these questions: Do you understand the cloud service provider’s privacy policy (e.g. that the government reserves the right to subpoena your Gmails for use in a court of law)? Do you agree to transfer ownership or control of rights in any way when you accept the provider’s terms of service (which you do every time you log into the service)? What happens if the cloud provider (Salesforce.com, Google Apps) goes out of business or is bought out? Is your data stored locally, or in another country that would be interested in stealing your secrets (China, Iran, Russia)? Are you violating any compliance laws by hosting customer data on servers that you don’t own, and ultimately, don’t control? If you are bound by HIPAA, SOX, GLB, Red Flags or other forms of legislation, you might be pushing the edges of compliance.

By taking these simple steps, you will begin starving data thieves of the information they literally take to the bank. This is a cost-effective, incremental process of making your business a less attractive target. But it doesn’t start working until you do.

John Sileo, the award-winning author of Privacy Means Profit, delivers keynote speeches on identity theft, data security, social media exposure and weapons of influence. His clients include the Department of Defense, Pfizer, Homeland Security, Blue Cross, the FDIC and hundreds of corporations, organizations and associations of all sizes. Learn more at www.ThinkLikeASpy.com.

 

7 Steps to Secure Profitable Business Data (Part I)

, , , , ,

Everybody wants your data. Why? Because it’s profitable, it’s relatively easy to access and the resulting crime is almost impossible to trace. Take, for example, Sony PlayStation Network, Citigroup, Epsilon, RSA, Lockheed and several other businesses that have watched helplessly in the past months as more than 100 million customer records have been breached, ringing up billions in recovery costs and reputation damage. You have so much to lose.

To scammers, your employees’ Facebook profiles are like a user’s manual about how to manipulate their trust and steal your intellectual property. To competitors, your business is one poorly secured smartphone from handing over the recipe to your secret sauce. And to the data spies sitting near you at Starbucks, you are one unencrypted wireless connection away from wishing you had taken the steps in this two-part article.

Every business is under assault by forces that want access to customer databases, employee records, intellectual property, and ultimately, your bottom line. Research is screaming at us—more than 80% of businesses surveyed have already experienced at least one breach and have no idea of how to stop a repeat performance. Combine this with the average cost to repair data loss, a stunning $7.2 million per incident (both statistics according to the Ponemon Institute), and you have a profit-driven mandate to change the way you protect information inside of your organization. “But the risk inside of my business,” you say, “would be no where near that costly.” Let’s do the math.

A Quick and Dirty Way to Calculate Your Business’s Data Risk

Here is a quick ROI formula for your risk: Add up the total number of customer, employee and vendor database records you collect that contain any of the following pieces of information – name, address, email, credit card number, SSN, Tax ID Number, phone number, address, PIN – and multiply that number by $250 (a conservative average of the per record cost of lost data). So, if you have identifying information on 10,000 individuals, your out-of-pocket expenses (breach recovery, notification, lawsuits, etc.) are estimated at $2.5 million even if you don’t lose a SSN or TIN. And that cost doesn’t necessarily factor in the public relations and stock value damage done when you make headlines in the papers.

In an economy where you already stretch every resource to the limit, you need to do more with less. Certain solutions have a higher return on investment. Start with these 7 Steps to Secure Profitable Business Data.

  1. Start with the humans. One of the costliest data security mistakes I see companies make is to only approach data privacy from the perspective of the company. But this ignores a crucial reality: All privacy is personal. In other words, no one in your organization will care about data security, privacy policies, intellectual property protection or data breach until they understand what it has to do with them.Strategy: Give your people the tools to protect themselves personally from identity theft. In addition to showing them that you care (a good employee retention strategy), you are developing a privacy language and framework that can be easily adapted to business. Once your people understand opting out, encryption and identity monitoring from a personal standpoint, it’s a short leap to apply that to your customer databases, physical documents and intellectual property. Start with the personal and expand into the professional. It’s like allowing people to put on their own oxygen masks before taking responsibility for those next to them. For an example of how the Department of Homeland Security applied this strategy, take a look at the short video.
  2. Immunize against social engineering. The root cause of most data loss is not technology; it’s a human being who makes a costly miscalculation out of fear, obligation, confusion, bribery or sense of urgency. Social engineering is the craft of manipulating information out of humans by pushing buttons that elicit automatic responses. Data thieves push these buttons for highly profitable ends, including spear-phishing, social networking fraud, unauthorized building access, and computer hacking.Strategy: Immunize your workforce against social engineering. First, when asked for information, they should immediately apply a healthy dose of professional skepticism. Train them to automatically assume that the requestor is a spy of some sort. Second, teach them to take control of the situation. If they didn’t initiate the transfer of information (e.g., someone official approaches them for login credentials), have them stop and think before they share. Finally, during this moment of hesitation, empower them to ask a series of aggressive questions aimed at exposing fraud. When we do this type of training, whether it is for the Department of Defense, a Fortune 50 or a small business, the techniques are the same. You have to make a game out of it, make it interesting, interactive and fun. That’s how people learn. For an example of fraud training in action, visit www.Sileo.com/fun-fraud.

You will notice that the first 2 Steps have nothing to do with technology or what you might traditionally associate with data security. They have everything to do with human behavior. Failing to begin with human factor, with core motivations and risky habits, will almost certainly guarantee that your privacy initiatives will fail. You can’t simply force a regime of privacy on your company. You need to build a coalition; you need to instill a culture of privacy, one security brick at a time.

Once you have acknowledged the supreme importance of obtaining buy-in from your employees and training them as people first, data handlers second, then you can move on to the next 5 Steps to Secure Profitable Business Data.

John Sileo, the award-winning author of Privacy Means Profit, delivers keynote speeches on identity theft, data security, social media exposure and weapons of influence. His clients include the Department of Defense, Pfizer, Homeland Security, Blue Cross, the FDIC and hundreds of corporations, organizations and associations of all sizes. Learn more at www.ThinkLikeASpy.com.

Celebrity Identity Theft – Fraud from the Inside

This morning, I delivered a fraud training speech in Beverly Hills. As you can imagine, the famous and the wealthy tend to suffer more than the average person from information overexposure and fraud. They are, after all, public figures, worth a great deal, and the focus of over-zealous fans and media. The rich and famous are the perfect storm for information abuse, and we have much to learn from the way they protect their privacy. Dishonest people want to be them, at least long enough to drain their sizable resources, and their family and friends aren’t often far behind. Identity theft and other types of fraud, unfortunately, allow this fantasy to become a reality in the hands of a clever impostor.

The rich and famous are the perfect storm for information abuse, and we have much to learn from the way the protect their privacy.

Oddly, many cases of celebrity identity theft or privacy exposure I come across are committed by acquaintances of the star. It’s the brother-in-law of the franchise quarterback who feels like they deserve a cut of the action. It’s the movie star’s house guest who justifies pilfering financial assets using virtual methods (electronic bank transfers, credit card theft, investment fraud, medical insurance fraud, data resale). Or it’s the medical facility treating an ailing actress that sells information to the paparazzi. But no one, including the most self-absorbed celebrity or athlete, deserves to lose their privacy, their data or their wealth at the hands of a thief. Wealth and status do not exempt the famous from the violative consequences of these crimes.

Learning to anticipate fraud and avoid the inside job takes rigorous in-person training like that sponsored by City National Bank this morning, but in the meantime, here are some steps that you (celebrity or otherwise) can take to lower your public profile:

  1. De-list yourself from your local phone company White Pages and directory assistance. Local directory listings are one of the primary sources of all phone, address, and reverse look-up databases. Stop it locally and you will drastically limit your exposure globally. Note that you will probably have to pay your phone company to opt out of directory services.
  2. Remove your house from Google Maps Street View. Why advertise what you are worth to virtual criminals? Make them drive by if they want a look.
  3. Remove your phone number from Google’s Reverse Phone/Address Lookup. This is one of the first tools thieves use to turn your phone number into an address.
  4. Implement the Identity Theft Prevention Checklist I discussed during the speech.
  5. Use cash, which is non-digital, untraceable and anonymous.
  6. Limit your use of Loyalty Discount Cards (like at the grocery store), which track, aggregate and sell your purchasing habits.
  7. Customize your Facebook Privacy Settings.
  8. If you are ultra serious about privacy, consider Deleting Your Facebook Account.
  9. Email me if you would like a copy of my presentation slides. These slides are restricted to members in yesterday’s audience, so please include the name of the room in which the meeting was held.
  10. Sign up for my Privacy Project Newsletter (once a month – privacy and information survival updates).
  11. For further tips and details on protecting your data, your privacy and your profits, read Privacy Means Profit (Wiley, 2010).

John Sileo speaks around the world on identity theft, privacy, social networking exposure, cyber crime, social engineering and other topics of information survival. His clients include the Department of Defense, Blue Cross, FDIC, Pfizer and hundreds of organizations of all sizes. He also coaches select clients on information survival. Contact him directly on 800.258.8076.

Tyler Clementi Doesn't Care About Cyber-Bullying Policies

,

Guest Blogger: Kathleen Keelan, Prevention Consultants, LLC

Tyler ClementiI have a hard time telling the parents of a cyber-bullied student that their school “has a policy.”  I have a hard time explaining to a child that even though they feel like their whole existence is being shattered every day, all day and all night, that their school district really does care about them.    It’s hard to explain to a cyber-bullied student and their parents that the school truly cares that they feel safe.

This I know for sure: the policy is only as good as the people who enforce it.

School officials are scrambling right now due to the “epidemic” of suicides from cyber bullying.  Law enforcement is scrambling right now to define their role in this growing phenomenon.  The National Crime Prevention Council is happy that physical bullying amongst children has declined.  However, the rate of cyber bullying is increasing at an alarming rate.  Right now the NCPS found that among teenagers, more than 43% are victims of cyber bullying.

Do you think that 50% of the kids care about a national law against cyber bullying?  I stood in front of a group of parents last night and tried to explain to them that although there is no program to teach about cyber bullying prevention in their school, there is a policy.  This I know for sure: the policy is only as good as the people who enforce it.  As one mom of a teen who was ruthlessly cyber bullied screamed at the top of her lungs at a school board meeting, “Don’t wave that cyber bullying policy in my face and tell me that is what you are doing to help my son.”

Ellen DeGeneres tearfully proclaimed on her now famous video October 3, 2010 that “Things will get better, and you should be alive to see it.”  We have got to stop hiding behind policies and help assure kids we care that they are alive to see the policies actually help those who are being cyber bullied.

Sileo: Kathleen Keelan is a dear friend of mine and an expert in this subject matter. Kathleen’s point that policy does not automatically guarantee action and even more importantly, that policy is never a replacement for action is one that I deal with every day in the corporate world. Having a policy isn’t good enough. You have to build a culture around that policy that weaves a belief system of action into the very fabric of the organization. Whether we are trying to protect data, our employees or our children, a policy without follow through is but an empty set of words. If you need help with cyber bullying in your school, please contact her on 303-521-5427 or learn more about Prevention Consultants, LLC at their website.

Information Security Speaker: 5 Information Espionage Hotspots Threatening Businesses

, , ,

You and your business are worth a lot of money, whether your bank accounts show it or not. The goldmine lies in your data, and everyone wants it. Competitors want to hire the employee you just fired for the thumb drive full of confidential files they smuggled out. Data thieves salivate over your Facebook profile, which provides as a “how to” guide for exploiting your trust. Cyber criminals are digitally sniffing the wireless connection you use at Starbucks to make bank transfers and send “confidential” emails.

Every business is under assault by forces that want access to your valuable data: identity records, customer databases, employee files, intellectual property, and ultimately, your net worth. Research is screaming at us—more than 80% of businesses surveyed have already experienced at least one breach (average recovery cost: $6.75 million) and have no idea of how to stop a repeat performance. These are clear, profit-driven reasons to care about who controls your data.

Information Espionage Hotspots

Here are 5 Information Espionage Hotspots that your business should address now:

  1. Lousy training. One of the costliest data security mistakes I see companies make is attempting to train employees from the perspective of the company. This ignores a crucial reality: All privacy is personal. In other words, no one in your organization will care about data security until they understand what it has to do with them. Strategy: Give your people the tools to protect themselves personally from identity theft. In addition to showing them that you care (a good employee retention strategy), you are developing a privacy language that can be applied to business. Once they understand opting out, encryption and identity monitoring from a personal standpoint, it’s a short leap to apply that to your customer databases and intellectual property. See the video above for an example of bridging the worlds of personal privacy and corporate data security.
  2. Human weakness. The root cause of most data loss is not technology; it’s a human being who makes a costly miscalculation out of fear, obligation, confusion, greed or sense of urgency. Social engineering is the craft of extracting information out of you or your staff by pushing buttons that elicit automatic responses. Strategy: Immunize your workforce against social engineering and poor decision making. Fraud training teaches your people how to handle requests for login credentials, passwords, employee and customer data, unauthorized building access and an office full of information whose disappearance will land you on the front page of the newspaper. The latest frontier that thieves are exploiting are your employees social networks, especially Facebook and LinkedIn. It is imperative that you have a well-thought-out, clearly communicated social networking policy that minimizes the risks of data leakage, reputation damage and trust manipulation. 
  3. Wireless surfing. There are two main sources of wireless data leakage: the weakly encrypted wireless router in your office and the unprotected wireless connection you use to access the Internet in an airport, hotel or café. Both connections are constantly sniffed for unprotected data being sent from your computer to the web. Strategy: Have a security professional configure the wireless router in your office. Here is your laundry list of things to ask her to do. She will understand the terminology: Utilize WPA-2 encryption or better; Implement MAC-specific addressing and mask your SSID; While she’s there, have her do a security audit of your network; To protect your connection while surfing on the road, purchase an encrypted high-speed USB modem from one of the major carriers (Verizon, Sprint, AT&T) and STOP using other people’s free/fee hotspots.
  4. Inside spies. Chances are you rarely perform a serious background check before hiring a new employee. That is short sighted, as most of the worst data theft ends up being an “inside job” where a dishonest employee siphons information out a “digital door” when no one is looking. Many employees who are dishonest now were also dishonest in the past, which is why they no longer work for their former employer. Strategy: Invest in a comprehensive background check using a product like CSIdentity.com’s SAFE before you hire instead of wasting much more money cleaning up after a thief steals valuable data assets. Follow up on the prospect’s references and ask for some that aren’t on the application. Investigating someone’s background jump starts your intuition and discourages dishonest applicants from the outset.
  5. Mobile data. In the most trusted research studies, 36-50% of data breach originates with the loss of a laptop or mobile computing device (smart phone, thumb drive, etc.). Mobility, consequently, is a double-edged sword; but it’s a sword that we’re probably not going to give up easily. Utilize the security professional mentioned above to implement strong passwords, whole disk encryption and remote data wiping capabilities. In addition, physically secure this goldmine of data down when you aren’t using it. Strategy: Utilize the security professional mentioned above to implement strong passwords, whole disk encryption, and remote laptop-tracking and data-wiping capabilities. Set your screen saver to engage after 5 minutes of inactivity and check the box that requires you to enter your password upon re-entry. This will help keep unwanted users out of your system. Finally, lock this goldmine of data down when you aren’t using it.

Your espionage countermeasures don’t need to be sophisticated or expensive to be effective. Targeting the hotspots above is a savvy, incremental way to keep spies out of your profit margins. But it won’t start working until you do.

John Sileo speaks professionally on identity theft, data breach and social networking exposure, and is the author of the newly released Privacy Means Profit. His clients include the Department of Defense, the FDIC, FTC, Pfizer and the Federal Reserve Bank. Learn more about bringing him in to motivate your organization to better protect information assets.

53 Charged in New Jersey Identity Theft Crime Ring

,

According to  as September 16th news release, the U.S. Department of Justice charged 53 individuals in connection with a widespread identity theft and fraud ring in New Jersey.

“The sheer scope of the fraud – and the organization that allegedly committed it – is remarkable,” U.S. Attorney Paul Fishman, was quoted in a news release. “This type of crime puts all of us at risk, not just because of the cost to our financial institutions, but also because of the threat posed by fake identification documents.”

The release goes on to describe the crime ring.

Sang-Hyun Park, a resident of Palisades Park, N.J., was the leader of a criminal organization headquartered in Bergen County, N.J. Park and his co-conspirators (the “Park Criminal Enterprise”) obtained, brokered, and sold identity documents to customers that were used to commit credit card fraud, bank fraud, tax fraud, and other crimes. The 43 defendants charged in connection with the enterprise played various roles as Park’s staff, identity brokers, credit build-up team, and collusive merchants, as well as customers seeking fraudulent services. Members of the Park Criminal Enterprise obtained social security cards, most beginning with the prefix “586,” from various brokers.

Take the necessary steps to defend your identity:

  • Check your free credit report at www.AnnualCreditReport.com to make sure there are no fraudulent accounts. Often times fraud like this can happen and continue for years without the victim even knowing. The sooner you catch it the easier it is to repair your credit history and in some cases your financial future.
  • Opt out of financial junk mail (pre-approved credit cards, etc.) at www.OptOutPreScreen.com. If you eliminate the problem at the source, it can never bite you.
  • Utilize sophisticated identity monitoring services and catch fraudulent activity before it bankrupts you.
  • Learn more about protecting yourself, your family and your business in Privacy Means Profit.

John Sileo became America’s top Identity Theft Speaker after he lost his business and more than $300,000 to identity theft and data breach. His newest Book Privacy Means Profit – Prevent Identity Theft and Secure You and Your Bottom Line, has just been released. His clients include the Department of Defense, the FTC, Pfizer and the FDIC. To learn more about having him speak at your next meeting or conference, contact him by email or on 800.258.8076.