Tag Archive for: Protection

Deconstructing DeepSeek: AI, Censorship, and State Control

In recent weeks, the launch of DeepSeek—a new AI chatbot developed in China—has sparked concerns about its potential role in spreading state-backed disinformation. While it’s marketed as a tool for curiosity and assistance, a closer look suggests it may be more aligned with the Chinese Communist Party’s (CCP) official narrative than users might expect.

Unpacking DeepSeek’s Responses

Researchers analyzing DeepSeek have found that it frequently echoes CCP propaganda. Here are just a few documented examples:

  1. Twisting Quotes: DeepSeek reportedly misrepresented statements made by former U.S. President Jimmy Carter, making them appear more favorable to China’s stance on Taiwan.
  2. Selective Praise: When asked about Xinjiang’s policies, the chatbot claimed they have received “widespread recognition”—a stark contrast to reports from international human rights organizations detailing serious abuses.
  3. Dodging Sensitive Topics: Ask DeepSeek about Xi Jinping or major historical events like the Tiananmen Square protests, and it evades the question faster than a cat avoiding a bath.

Like OpenAI’s ChatGPT, DeepSeek relies on large language models to generate responses. However, unlike its counterparts, this AI seems to be following a playbook designed to reinforce CCP-approved narratives rather than provide an objective perspective.

Why This Matters

As more people rely on AI for information, it’s crucial to recognize the biases baked into these tools—especially when they’re backed by governments with strong authoritarian leanings. If AI is being used as a mechanism for state control, it raises serious ethical and societal concerns.

How to Stay One Step Ahead

If you’re using AI chatbots like DeepSeek, here are some ways to safeguard yourself against potential misinformation:

  • Fact-Check Everything: Don’t take chatbot responses at face value. Cross-reference claims with reputable sources.
  • Spot the Red Flags: If an AI avoids answering certain questions or downplays controversial topics, that’s a strong indication of censorship.
  • Think Critically: Approach AI-generated content with a healthy dose of skepticism. Just because it sounds polished doesn’t mean it’s true.

By staying vigilant, you can better navigate the intersection of AI and state-controlled narratives—ensuring you’re informed rather than manipulated.

Need to educate your team on the latest AI-related vulnerabilities? Let’s talk: https://sileo.com/contact-us/

Is That QR Code Safe? What You Need to Know About the Cyberthreat Quishing

 

In our fast-paced, tech-driven world, QR codes have become second nature. We scan them to check out restaurant menus, access Wi-Fi networks, or join virtual events. But beneath their convenience lies a potential cyber threat that’s catching many off guard: Quishing.

Quishing—short for QR code phishing—is a sneaky variant of the classic phishing scam. Picture this: you’re at a cozy café, scanning a QR code to browse the menu. It feels harmless, even mundane. But hidden within that innocent-looking grid could be a link to a malicious website, ready to steal your personal information or unleash malware onto your device.

How Quishing Works

Cybercriminals embed harmful links into QR codes and strategically place them in unsuspecting locations:

  • Public bulletin boards
  • Flyers
  • Transport hubs
  • Online ads
  • Even restaurant tables

These codes often redirect you to phishing sites that mimic legitimate websites. Once you’re there, you might unknowingly hand over sensitive information like passwords, credit card details, or even trigger malware downloads.

Spotting Suspicious QR Codes

Knowing how to recognize potential threats is key to staying safe. Watch out for these red flags:

  1. Unknown Origin: If a QR code appears in an unexpected location or looks unprofessional, think twice before scanning it.
  2. Too-Good-To-Be-True Offers: Scammers often lure victims with promises of amazing deals or exclusive gifts.
  3. Requests for Personal Information: If a scanned code leads you to a page asking for sensitive details right away, it’s a major red flag.

Protect Yourself from Quishing

A few proactive measures can go a long way in keeping you safe:

  1. Verify the Source: Only scan QR codes from trusted entities, such as well-known brands or official communications.
  2. Use Secure QR Scanners: Many modern smartphones come with built-in security features to detect malicious links. Take advantage of these tools.
  3. Close Suspicious Websites: If a scanned QR code leads to a dubious website, close it immediately. Avoid clicking on any links.
  4. Keep Software Updated: Regularly update your device’s operating system and apps to ensure they’re equipped with the latest security patches.

Real-World Quishing Scams

Quishing isn’t just theoretical—it’s happening now. Here are two notable examples:

  • Public Transport Scam: In one major city, scammers replaced QR codes on transport kiosks with their own malicious codes. Commuters who scanned them were directed to phishing sites that stole credit card information.
  • Concert Fraud: Fake posters for a popular concert included QR codes leading fans to a bogus ticketing site. Attendees paid for tickets that never arrived, losing both money and trust.

Stay One Step Ahead

In this digital age, vigilance is your best defense. If a QR code seems suspicious or makes you hesitate, trust your gut. By learning to spot the signs of quishing and practicing safe scanning habits, you can outsmart cybercriminals and keep your personal information secure.

So the next time you’re tempted to scan a QR code, ask yourself: Is it worth the risk? A little caution today can save you a world of trouble tomorrow.

PS: In addition to freely scanning any QR code that pops up, make sure you’re not committing these Bad Cybersecurity Habits:  https://sileo.com/bad-cybersecurity-habits/.

Cybersecurity Alert: UnitedHealth’s Billion Dollar Data Breach

One in three Americans recently had their healthcare data hacked from UnitedHealth – TWICE. The stolen data likely includes medical and dental records, insurance details, Social Security numbers, email addresses and patient payment information.

UnitedHealth Group’s subsidiary, Change Healthcare (which processes an estimated 50% of all health insurance transactions in the U.S.), fell victim to a ransomware attack that thrust the U.S. healthcare system into chaos as pharmacies, doctor’s offices, hospitals and other medical facilities were forced to move some operations to pen and paper.

Behind the scenes, UnitedHealth Group chose to pay the BlackCat ransomware gang (aka ALPHV) an estimated $22 million in blackmail ransom to restore system functionality and minimize any further leakage of patient data.

Problem (expensively) solved, right? Not even close. After UnitedHealth paid the initial ransom, the company (or quite possibly BlackCat itself being hacked by hackers) reportedly experienced a second attack at the hands of RansomHub, which allegedly stole 4TB of related information, including financial data and healthcare data on active-duty U.S. military personnel.

To take the breach and ransom to an entirely new level, RansomHub is now blackmailing individual companies who have worked with Change Healthcare to keep their portion of the breached data from being exposed publicly. For many small providers, the ransom is far beyond what they can afford, threatening the viability of their business. Some of the larger individual providers being blackmailed are CVS Caremark, MetLife, Davis Vision, Health Net, and Teachers Health Trust.

As of today, even with millions of dollars collected by the hackers, all systems are not up and running.

There are three critical business lessons to take from the UnitedHealth breach:

  1. Ransom payments do not equal the cost of breach. The ransom amount companies pay is a fraction of the total cost of breach. In UnitedHealth’s case, they paid a first ransom of $22 million, but only months into the breach have reported more than $872 million in losses. Operational downtime, stock depreciation, reputational damage, systems disinfection, customer identity monitoring, class action lawsuits, and legal fees will move the needle well beyond $1 billion within the fiscal quarter. Risk instruments like cyber liability insurance can balance the losses, but prevention is far more cost-effective.
  2. There is no honor among thieves. Even when organizations pay the ransom demanded, (and in the rare case that they get their data back fully intact), there is no guarantee that the cybercriminals won’t subsequently expose samples of the data to extort a second ransom. In this case of Double-Dip Ransomware (as I call it), a dispute among partnering ransomware gangs meant that multiple crime rings possessed the same patient data, leaving UnitedHealth open to multiple cases of extortion. Paying the ransom instead of having preventative recovery tools places a larger target on your back for future attacks. If you haven’t implemented AND tested a 3-2-1 data backup plan and a Ransomware Response Plan, do so immediately.
  1. The Human Hypothesis on the Source of Breach. There has been no disclosure to date on exactly how the hackers got into Choice Health’s systems, but my highly educated guess (from seeing so many similar breaches) is that an employee of, or third-party vendor to, UnitedHealth was socially engineered (scammed) to share access into one of their business IT systems. The company will generally report this human oversight and poor training as “compromised credentials” which tries to make it look like a technological failure rather than a human decision. From there, the hackers “island hopped” laterally to increasingly critical servers on the network. It’s likely that the cyber criminals are still inside of key systems, hiding behind sophisticated invisibility cloaks.

The solution here is to make sure that the heroes in your organization, the human employees who are your first and best line of defense, are properly trained on how to detect and repeal the latest social engineering attacks. Over 90% of all successful attacks we see are due to a human decision that leads to malicious access.

All organizations and leadership teams must ensure your Security Awareness Training addresses all the changes that artificial intelligence brings to the cyberthreat sphere. To ignore the alarm bells set off by UnitedHealth Group’s disastrous breach is to risk your organization falling ill to a similar fate.

Anyone in your organization can be the unfortunate catalyst that triggers a disastrous data breach similar to UnitedHealth’s. My latest keynote, Savvy Cybersecurity in a World of Weaponized A.I., teaches the root cause of successful social engineering scams and necessary technological preparation for ransomware attacks. REACH OUT TO MY TEAM TODAY to discuss this vital topic at your next meeting or event.

  1. If you are a patient of UnitedHealth, Change Healthcare, OptumRx or any of their subsidiaries, take the following steps immediately:
  2. Visit the Cyberattack Support Website that UnitedHealth Group established for affected customers.
  3. Make sure that you have a Credit Freeze on your Social Security Number.
  4. If you are an OptumRX customer, call them directly (1-800-356-3477) to make sure that your prescriptions haven’t been affected and that they will ship on time.
  5. Monitor all of your health and financial accounts closely for any changes or transactions. Create automatic account alerts to make this easier.

 

John Sileo is a privacy keynote speaker, award-winning author and media personality as seen all over TV. He keynotes conferences virtually and in person around the world. John is the CEO of The Sileo Group, a business think tank based in Colorado.

Sileo Identity Theft Prevention & Online Privacy Checklist

Identity theft prevention is not a one-time solution. You must accumulate layers of privacy and security over time. The following identity theft prevention tips are among those I cover in one of my keynote speeches.

  1. Review your Free Credit Report 3X per year at www.AnnualCreditReport.com.
  2. Opt-Out of financial junk mail.
  3. Stop Marketing Phone Calls at www.DoNotCall.gov.
  4. Freeze Your Credit. State-by-state instructions at www.Sileo.com/2.
  5. If you don’t want to use a credit freeze, place Fraud Alerts on your 3 credit files.
  6. Use sophisticated Identity Monitoring software to detect theft before it’s disastrous.
  7. Stop Sharing Identity (SSN, address, phone, credit card #s) unless necessary.
  8. Protect Your Wallet or Purse. Watch this video.
  9. Protect Your Computer and Online Identity. Privacy Means Profit
  10. Protect your Laptop. Visit www.Sileo.com/laptop-anti-theft for details.
  11. Bank Online: online bank statements, account alerts and bill-pay.
  12. Buy a Shredder (or 2) & shred everything with identity you don’t need.
  13. Minimize Social Networking Exposure. Privacy Means Profit
  14. Lock down your Social Networking Profiles www.Sileo.com/facebook-safety.
  15. Realize that approximately 50% of the worst ID theft crimes are committed by Acquaintances & Friends.
  16. Set up two-factor authentication with your bank.
  17. Stop Clicking on Links in emails and social networking posts that you don’t recognize as legitimate.
  18. Avoid emails/faxes/letters/calls/people promising Something for Nothing.
  19. Know that protecting Other People’s Privacy is part of your responsibility.
  20. For more tools, purchase a copy of John’s Latest Book on Information Survival, Privacy Means Profit.
  21. Subscribe to The Sileo Report eNewsletter and follow John’s Blog.
  22. Consider bringing John Sileo to speak to your organization on identity theft, cyber crime, social engineering, social media exposure and other topics of information exposure.

iPad Vampires: 7 Simple Security Settings to Stop Data Suckers

Information is the currency and lifeblood of the modern economy and, unlike the industrial revolution, data doesn’t shut down at dinnertime. As a result, the trend is towards hyper-mobile computing – smartphones and tablets – that connect us to the Internet and a limitless transfusion of information 24-7. It is an addiction that employers encourage because it inevitably means that we are working after hours (scanning emails in bed rather than catching up with our spouse).

In the work we do to change the culture of privacy inside of organizations, we have discovered a dilemma: iPads are not as secure as other forms of computing and are leaking significant amounts of organizational data to corporate spies, data thieves and even competing economies (China, for example, which would dearly love to pirate the recipe for your secret sauce). Do corporations, then, sacrifice security for the sake of efficiency, privacy for the powerful touch screens that offer a jugular of sensitive information?

Of course not! That’d be like driving a race car minus seat belts and air bags.

iPads provide a competitive advantage, and like generations of tools before it (the cotton gin, the PC), individuals and organizations alike will be forced to learn how to operate this equipment safely or risk the bite of intellectual property vampires. Here are 7 Simple Security Settings to help you lock down your iPad much like you would your laptop.

7 Simple Security Settings for Your iPad

  1. Turn On Passcode Lock. Your iPad is just as powerful as your laptop or desktop, so stop treating it like a glorified book. Your iPad is only encrypted when you enable the passcode feature. (Settings/General)
  2. Turn Simple Passcode to Off. Why use only an easy to crack 4-digit passcode when you can implement a full-fledged alphanumeric password? If you can tap out short emails, why not spend 5 seconds on a proper password.
  3. Require Passcode Immediately. It is slightly inconvenient and considerably more secure to have your iPad automatically lock up into passcode mode anytime you leave it alone for a few minutes.
  4. Set Auto Lock to 2 Minutes. Why give the table thief at your favorite café more time to modify your settings to his advantage (to keep it from locking) as he walks out the door with your bank logins, emails and kid pictures.
  5. Turn Erase Data after 10 Tries to On. Even the most sophisticated passcode-cracking software can’t get it done in 10 tries or less. This setting wipes out your data after too many failed attempts. Just make sure your kids don’t accidentally wipe out your iPad (forcing you to restore from your latest iTunes backup).
  6. Use a Password Manager. Your passwords are only as affective as your ability to use them wisely (they need to be long and different for every site). Keeping your passwords in an unencrypted keychain or document is a recipe for complete financial disaster. Download a reputable password-protection app like 1Password to manage and protect any sensitive passwords, credit card numbers, software licenses, etc. Not only is it safe, it’s incredibly convenient and efficient.
  7. Avoid Untrustworthy Apps. Not all applications are friendly. Despite Apple’s well-designed vetting process, there are still malicious apps that slip through the cracks to siphon data out of your device. If the app hasn’t been around for a while and if you haven’t read about it in a reputable journal (Macworld, Wall Street Journal, New York Times, etc.), don’t load it onto your system. Don’t jail-break your iPad to download apps outside of iTunes. Short-term gain equals long-term risk.

Believe it or not, these simple steps begin to give you a level of security that will discourage casual data vampires. After implementing the Simple 7, move on to 5 Sophisticated Security Settings for iPads for even more robust data defense.

John Sileo lost almost a half-million dollars, his business and his reputation to identity theft. Since then, he’s become America’s leading keynote speaker on identity theft, social media exposure and weapons of manipulation. He helps organizations build successful cultures of privacy. His clients include the Department of Defense, Pfizer and Homeland Security. To learn more, visit ThinkLikeASpy.com or contact him directly on 1.800.258.8076.

College Students Destroy Financial Future with Poor Choices

College is the perfect period of life to begin sound financial practices including protecting privacy. Not only are college students vulnerable, but they are impressionable and well positioned to learn strong habits that will last them a lifetime. As students launch into independence, we, as parents, hope to give them the best tools possible to insure a bright future. One of the most vital tools is to establish healthy habits that will guard their financial and personal identities for the rest of their lives. People ages 18 -24 are the least able to spot identity theft according to the BBB. That age group needed more than four months to realize someone had damaged their credit history or used their identity. By taking a few precautions, a young adult can avoid the crushing job of trying to recover from having given away the keys to their financial future, which is especially overwhelming while navigating life away from home for the first time.

Identity thieves don’t care a whit if the student has a dime – they just want a clean financial record in order to commit crimes using their credit and future buying power. Unfortunately, thieves are often someone the student trusts: a friend, dorm mate, co-worker, or someone who poses as a sanctioned person on campus.  Identity thieves may use personal information to open credit card accounts, access financial accounts, rent an apartment or even commit larger cases of fraud, implicating the student. Here are some tips to get you and your student started down the road to protecting their financial future:

  • Have all sensitive mail sent to parents’ homes only. School mailboxes are not secure and are easily accessed in a dorm or apartment.
  • Store Social Security cards, passports, bank statements, credit card statements and other important documents in a small fire safe in their dorm.
  • As soon as you are done with any documents that have financial information (financial account statements, medical bills,  insurance forms, charge receipts, university tuition payments), shred the documents rather than putting them in the trash in order to foil dumpster divers.
  • Set up account alerts with your credit card companies and banks to notify you via email whenever a transaction occurs. Because it is fresh in your mind, it takes only a few seconds to verify the transaction unlike weeks later when you try to recall each transaction while paying your bill or reconciling your bank statement.
  • Always check credit card bills and bank statements and question unknown purchases. The sooner you catch a breach, the less likely you’ll have complicated financial ramifications.
  • Limit the applications you load on your smartphone or tablet. Many of these apps siphon data off of your device back to unwanted companies and individuals.
  • Never loan a credit or debit card to anyone, even your best friend. Don’t co-sign a loan for a friend as you will be responsible for missed payments.
  • Date of birth is one of the key pieces of information that many companies use to confirm identity. Refrain from sharing your correct date of birth on Facebook or any place online. Friends who you want to know your birthday should learn that from you personally. Even putting only the month and day is risky as it’s pretty easy to ascertain the year based on your profile.
  • Use long passwords with a mix of letters, numbers and characters (e.g., &63DB4x%gX); According to Gibson Research, a password that is 10 characters is vastly harder to crack than one containing nine characters. If you need help remembering them, use a password protection program.
  • Update antivirus and spyware software on personal computers. Identity thieves rely on special programs, transferred to personal laptops and computers from numerous websites, to duplicate people’s passwords, user ID’s and bank account information.
  • Check credit reports for free three times a year at www.AnnualCreditReport.com. Request a report from a different credit union every four months and you’ve got the year covered.
  • Get off mailing lists for pre-approved credit offers, which are a goldmine for identity thieves. To opt out of financial junk mail, call 888-5-OPTOUT or visit www.OptOutPreScreen.com to remove your name from national lists. Be prepared to provide your Social Security number (in this case, that is a risk worth taking).
  • Never click on links sent in unsolicited emails or postings on social media. In addition to installing malware on your computer, many of them are phishing schemes that trick you into entering your Social Security number, user name or account passwords.
  • Never give out financial or account information to unsolicited callers, even if they say they are from your bank (you are not in control of the call when it’s incoming).
  • Do not share phone numbers or list your residence hall names and/or floor number designations online – or anyplace. Identity thieves frequently show up on campus pretending to represent a legitimate company, possibly using the school’s logo or colors on the credit card. Once the scammers get students’ personal information, they can then use it themselves or sell it for a profit.

Heartily impress upon your students (and yourself!) to guard identity with a vengeance and save untold time and money attempting recovery. Doing so might be the most profitable education they receive.

7 Steps to Secure Profitable Business Data (Part II)

In the first part of this article series, we discussed why it is so important to protect your business data, including the first two steps in the protection process. Once you have resolved the underlying human issues behind data theft, the remaining five steps will help you begin protecting the technological weaknesses common to many businesses.

  1. Start with the humans.
  2. Immunize against social engineering.
  3. Stop broadcasting your digital data. There are two main sources of wireless data leakage: the weakly encrypted wireless router in your office and the unprotected wireless connection you use to access the Internet in an airport, hotel or café. Both connections are constantly sniffed for unencrypted data being sent from your computer to the web.Strategy: Have a security professional configure the wireless router in your office to utilize WPA-2 encryption or better. If possible, implement MAC-specific addressing and mask your SSID. Don’t try to do this yourself. Instead, invest your money in proportion to the value of the asset you are protecting and hire a professional. While the technician is there, have him do a thorough security audit of your network. You will never be sorry for investing the additional money in cyber security.To protect your data while surfing on the road, set up wireless tethering with your mobile phone provider (Verizon, Sprint, AT&T, T-Mobile) and stop using other people’s free or fee hot spots. Using a simple program called Firesheep, data criminals can “sniff” the data you send across these free connections. Unlike most hot-spot transmissions, your mobile phone communications are encrypted and will give you Internet access from anywhere you can make a call.
  4. Eliminate the inside spy. Most businesses don’t perform a serious background check before hiring a new employee. That is short sighted, as much of the worst data theft ends up being an “inside job” where a dishonest employee siphons information out the back door when no one is looking. In the consulting work we have done with breached companies, we have discovered the number one predictor of future theft by an employee – past theft. Most employees who are dishonest now were also dishonest in the past, which is why they no longer work for their former employer.Strategy: Invest in a comprehensive background check before you hire rather than wasting multiples cleaning up after a thief steals valuable data assets. Follow up on the prospect’s references and ask for some that aren’t on the application. Investigating someone’s background will give you the knowledge necessary to let your gut-level instinct go to work. More importantly, letting your prospective hire know in advance that you will be performing a comprehensive background check will discourage dishonest applicants from going further in the process (watch the video for further details). I personally recommend CSIdentity’s SAFE product, which is a technologically superior service to other background screen services.
  5. Don’t let your mobile data walk away. In the most trusted research studies, 36-50% of all major data breach originates with the loss of a laptop or mobile computing device (smart phone, etc.). Mobility, consequently, is a double-edged sword (convenience and confidentiality); but it’s a sword that we’re probably not going to give up easily.Strategy: Utilize the security professional mentioned above to implement strong passwords, whole disk encryption and remote data-wiping capabilities. Set your screen saver to engage after 5 minutes of inactivity and check the box that requires you to enter your password upon re-entry. This will help keep unwanted users out of your system. Finally, lock this goldmine of data down when you aren’t using it. Either carry the computer on your person (making sure not to set it down in airports, cafes, conferences, etc.), store it in the hotel room safe, or lock it in an office or private room when not using it. Physical security is the most overlooked, most effective form of protection.
  6. Spend a day in your dumpster. You have probably already purchased at least one shredder to destroy sensitive documents before they are thrown out. The problem tends to be that no one in the business uses it consistently.Strategy: Take a day to pretend that you are your fiercest competitor and sort through all of the trash going out your door for sensitive documents. Do you find old invoices, credit card receipts, bank statements, customer lists, trade secrets, employee records or otherwise compromising information? It’s not uncommon to find these sources of data theft, and parading them before your staff is a great way to drive the importance of privacy home. If your employees know that you conduct occasional “dumpster audits” to see what company intelligence they are unsafely throwing away, they will think twice about failing to shred the next document. In addition to properly disposing of new documents, make sure that you hire a reputable on-site shredding company to dispose of the banker’s boxes full of document archives you house in a back room somewhere within your offices.
  7. Anticipate the clouds. Cloud computing (when you store your data on other people’s servers), is quickly becoming a major threat to the security of organizational data. Whether an employee is posting sensitive corporate info on their Facebook page (which Facebook has the right to distribute as they see fit) or you are storing customer data in a poorly protected, noncompliant server farm, you will ultimately be held responsible when that data is breached.Strategy: Spend a few minutes evaluating your business’s use of cloud computing by asking these questions: Do you understand the cloud service provider’s privacy policy (e.g. that the government reserves the right to subpoena your Gmails for use in a court of law)? Do you agree to transfer ownership or control of rights in any way when you accept the provider’s terms of service (which you do every time you log into the service)? What happens if the cloud provider (Salesforce.com, Google Apps) goes out of business or is bought out? Is your data stored locally, or in another country that would be interested in stealing your secrets (China, Iran, Russia)? Are you violating any compliance laws by hosting customer data on servers that you don’t own, and ultimately, don’t control? If you are bound by HIPAA, SOX, GLB, Red Flags or other forms of legislation, you might be pushing the edges of compliance.

By taking these simple steps, you will begin starving data thieves of the information they literally take to the bank. This is a cost-effective, incremental process of making your business a less attractive target. But it doesn’t start working until you do.

John Sileo, the award-winning author of Privacy Means Profit, delivers keynote speeches on identity theft, data security, social media exposure and weapons of influence. His clients include the Department of Defense, Pfizer, Homeland Security, Blue Cross, the FDIC and hundreds of corporations, organizations and associations of all sizes. Learn more at www.ThinkLikeASpy.com.

7 Steps to Secure Profitable Business Data (Part I)

Everybody wants your data. Why? Because it’s profitable, it’s relatively easy to access and the resulting crime is almost impossible to trace. Take, for example, Sony PlayStation Network, Citigroup, Epsilon, RSA, Lockheed and several other businesses that have watched helplessly in the past months as more than 100 million customer records have been breached, ringing up billions in recovery costs and reputation damage. You have so much to lose.

To scammers, your employees’ Facebook profiles are like a user’s manual about how to manipulate their trust and steal your intellectual property. To competitors, your business is one poorly secured smartphone from handing over the recipe to your secret sauce. And to the data spies sitting near you at Starbucks, you are one unencrypted wireless connection away from wishing you had taken the steps in this two-part article.

Every business is under assault by forces that want access to customer databases, employee records, intellectual property, and ultimately, your bottom line. Research is screaming at us—more than 80% of businesses surveyed have already experienced at least one breach and have no idea of how to stop a repeat performance. Combine this with the average cost to repair data loss, a stunning $7.2 million per incident (both statistics according to the Ponemon Institute), and you have a profit-driven mandate to change the way you protect information inside of your organization. “But the risk inside of my business,” you say, “would be no where near that costly.” Let’s do the math.

A Quick and Dirty Way to Calculate Your Business’s Data Risk

Here is a quick ROI formula for your risk: Add up the total number of customer, employee and vendor database records you collect that contain any of the following pieces of information – name, address, email, credit card number, SSN, Tax ID Number, phone number, address, PIN – and multiply that number by $250 (a conservative average of the per record cost of lost data). So, if you have identifying information on 10,000 individuals, your out-of-pocket expenses (breach recovery, notification, lawsuits, etc.) are estimated at $2.5 million even if you don’t lose a SSN or TIN. And that cost doesn’t necessarily factor in the public relations and stock value damage done when you make headlines in the papers.

In an economy where you already stretch every resource to the limit, you need to do more with less. Certain solutions have a higher return on investment. Start with these 7 Steps to Secure Profitable Business Data.

  1. Start with the humans. One of the costliest data security mistakes I see companies make is to only approach data privacy from the perspective of the company. But this ignores a crucial reality: All privacy is personal. In other words, no one in your organization will care about data security, privacy policies, intellectual property protection or data breach until they understand what it has to do with them.Strategy: Give your people the tools to protect themselves personally from identity theft. In addition to showing them that you care (a good employee retention strategy), you are developing a privacy language and framework that can be easily adapted to business. Once your people understand opting out, encryption and identity monitoring from a personal standpoint, it’s a short leap to apply that to your customer databases, physical documents and intellectual property. Start with the personal and expand into the professional. It’s like allowing people to put on their own oxygen masks before taking responsibility for those next to them. For an example of how the Department of Homeland Security applied this strategy, take a look at the short video.
  2. Immunize against social engineering. The root cause of most data loss is not technology; it’s a human being who makes a costly miscalculation out of fear, obligation, confusion, bribery or sense of urgency. Social engineering is the craft of manipulating information out of humans by pushing buttons that elicit automatic responses. Data thieves push these buttons for highly profitable ends, including spear-phishing, social networking fraud, unauthorized building access, and computer hacking.Strategy: Immunize your workforce against social engineering. First, when asked for information, they should immediately apply a healthy dose of professional skepticism. Train them to automatically assume that the requestor is a spy of some sort. Second, teach them to take control of the situation. If they didn’t initiate the transfer of information (e.g., someone official approaches them for login credentials), have them stop and think before they share. Finally, during this moment of hesitation, empower them to ask a series of aggressive questions aimed at exposing fraud. When we do this type of training, whether it is for the Department of Defense, a Fortune 50 or a small business, the techniques are the same. You have to make a game out of it, make it interesting, interactive and fun. That’s how people learn. For an example of fraud training in action, visit www.Sileo.com/fun-fraud.

You will notice that the first 2 Steps have nothing to do with technology or what you might traditionally associate with data security. They have everything to do with human behavior. Failing to begin with human factor, with core motivations and risky habits, will almost certainly guarantee that your privacy initiatives will fail. You can’t simply force a regime of privacy on your company. You need to build a coalition; you need to instill a culture of privacy, one security brick at a time.

Once you have acknowledged the supreme importance of obtaining buy-in from your employees and training them as people first, data handlers second, then you can move on to the next 5 Steps to Secure Profitable Business Data.

John Sileo, the award-winning author of Privacy Means Profit, delivers keynote speeches on identity theft, data security, social media exposure and weapons of influence. His clients include the Department of Defense, Pfizer, Homeland Security, Blue Cross, the FDIC and hundreds of corporations, organizations and associations of all sizes. Learn more at www.ThinkLikeASpy.com.

Online Privacy: 5 Good Habits

People will do something—including changing their behavior—only if it can be demonstrated that doing so is in their own best interests as defined by their own values.
—Marshall Goldsmith, What Got You Here Won’t Get You There

People don’t change bad habits until they have a compelling reason. Too often that compelling reason is the result of a habit’s negative outcome; but the promise of positive rewards resulting from the establishment of good habits can be a strong motivator. In the workplace, aligning responsible information stewardship with personal and professional gain can set the stage for good privacy habits.

Here are 5 steps you can take towards perfecting your own Privacy Habits:

  1. Tighten up online passwords. Use a password management software like 1Password, Dashlane, LastPass or Keeper to create, protect and share long, strong, alpha-numeric-symbol passwords.
  2. Use Two-Step Logins. Watch this video about two-factor authentication for one of the best tools to protect your online accounts.
  3. Secure your Facebook. Tighten up the privacy settings and make your profile only available to your friends. We do a lot of posts on Facebook Privacy Settings because they have a tendency to change frequently. Watch the site and subscribe to our newsletter to stay current on how to protect yourself and your profile on Facebook.
  4. Opt-Out. Take the time to call 1-888-567-8688 or visit www.OptOutPreScreen.com
    to stop financial junk mail from ending up at your house and inevitably – your trash. Those mailers give thieves an easy way to set up credit card accounts in your name without your consent. They spend money on the card and default on the balance, leaving you with the mess of proving that you didn’t make the purchases.
  5. Order your free credit report. By law, you are entitled to one free report from each agency once a year. The easiest way to get a report is to visit www.annualcreditreport.com or call 1-877-322-8228. Make sure that you request your free annual credit report from one credit agency only, as you can order the other two reports throughout the remainder of the year. By spreading the reports out over time, you will be monitoring your files consistently and frequently.

 

Identity Theft Prevention in a Hotel

I just finished giving an identity theft prevention and data privacy speech for Pfizer and one of the questions I received was how to protect your laptop, passports, client files, etc. when you leave them behind in your hotel room. I’ve blogged on this before, but thought that I would post a quick video reminder on protecting your identity in a hotel room. We are at such a greater risk of identity theft when we are traveling that it is worth taking a second look at your habits.

For more tips of this type, please visit my YouTube Identity Theft Expert Video Channel at www.YouTube.com/JohnSileo. It is relatively new, but my office is working diligently to add content every week. Some people like to read, some like to watch, so I will continue to add blogs of both types. Travel wisely this summer.

John Sileo
Motivational Identity Theft Speaker