Tag Archive for: Sileo

I Left My Credit Card @ The Restaurant, Now What?! – Privacy Project Episode #8

So I’m out to dinner with a professional speaker whose name I’ll drop so that you’ll be impressed. Larry Winget. Larry is the Pitbull of Personal Development and he’ll probably kill me for not putting a trademark after that title, because he owns it. If you have somebody in your life (kid, employee, boss) that doesn’t take responsibility for the life they lead and the work they’re supposed to do, Larry’s your man. Google his name and find out, or go to LarryWinget.com.

But back to my story. I treated Larry to dinner in Phoenix because I owe him a thousand meals for the coaching he gives me and we’re leaving the table when his wife (who is much nicer than Larry) asks if I’ve taken my credit card out of the folder. Nope. God I hate when that happens! Small oversight for someone who lives and breathes security and privacy. I left my card in the folder, on the table and was fully prepared to leave the restaurant!

Anyway, this brings up a good point. Now matter how much you know, no matter how hard you work at protecting your identity,sometimes you will slip up and be your own worst enemy. There are just simply times when identity is out of our control. But you don’t have to stress about it. A quick response solves a lost credit card without much pain. Take a look at the video for steps on what to do if you lose or misplace your card.

SCAM ALERT: Target Texting Scam

SCAM ALERT! There is a Target texting scam going around. The text looks similar to the one in the picture to the left, and generally says you’ve won a $1,000 gift card if you simply click on the link and collect the money. When you click on the link, it takes you to a Target-looking site that a criminal has set up to collect your private information. The information is then used to steal your identity. In other cases, clicking on the link installs a small piece of malware that takes control of your phone and forwards your private information to the criminals.

 

Where do the criminals get my mobile phone number to text me in the first place?

  1. They purchase it off of black-market sites on the internet
  2. You give your mobile number away to enter contests, vote on reality shows, etc.
  3. You post it on your Facebook profile for everyone to see
  4. Data hijackers hack into databases containing millions of mobile numbers
  5. Most likely, the thieves simply use a computer to automatically generate a text to every potential mobile phone number possible (a computer can make about a million guesses a second).
What can I do to protect myself and my phone?
  • If you receive a text from any number you don’t know, don’t open it, forward it or respond to it
  • Instead, immediately delete the text (or email)
  • If you accidentally click on the link, never fill out a form giving more of your information
  • Place yourself on the national DO NOT CALL list.
  • Stop sharing your mobile phone number except in crucial situations and with trusted contacts
  • Remember when you text to vote or to receive more information, enter sweepstakes or take surveys via text, they are harvesting your phone number.
  • Resist the urge to post your mobile number on your Facebook wall or profile

John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust. He is CEO of The Sileo Group, which helps organizations protect their mission-critical privacy. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation  or watch him on Anderson Cooper, 60 Minutes or Fox Business.

7 Security Secrets of Social Networking

On the surface, social networking is like a worldwide cocktail party—full of new friends, fascinating places and tasty apps. Resisting the urge to drink from the endless fountain of information is nearly impossible because everyone else is doing it—connecting is often advantageous for professional reasons, it’s trendy and, unchecked, it can be dangerous.

Beneath the surface of the social networking cocktail party lives a painful data-exposure hangover for the average business. Sites like Facebook and Twitter are now the preferred tool for malware delivery, phishing, and “friends-in-distress” scams while more business oriented sites, like LinkedIn, allow for easy corporate espionage and the manipulation of your employees.

To avoid the cocktail party altogether is both impractical and naïve—the benefits of social networking outweigh the dangers—but applying discretion and wisdom to your social strategy makes for smart business. Follow these 7 Security Secrets of Social Networking to begin locking down your sensitive data.

  1. On social networks, possession is ten-tenths of the law.When you put your business’s information on a social network, you have forfeited your exclusive right to that information. Unlike a physical asset, information can be simultaneously recreated, stored and accessed by unlimited users at any one time, allowing it to flow like water through your fingers. Additionally, there are very few laws governing the ownership of information once it leaves your office (e.g., goes into the cloud), leaving you no legal precedence for winning back your privacy. On a personal level, for example, when you populate your Facebook profile with a birthdate, it is sold to advertisers along with your demographics, “Likes” and a map of your friend network. Similarly, in the business world, the minute you establish a Facebook page and begin to attract “fans” or a Twitter page for followers, you’ve just centralized and publicized your customer list for competitors. Solution: Create a strategic plan before you expose your intellectual property. Prior to going live with a corporate social networking profile or sharing your next post, think through how much sensitive information you are sharing, and with whom. Unlike a traditional website, social networks connect human beings, some of whom want to map your organizational structure, track your marketing initiatives, hire your star employees, breach your systems, poach your fan list or steal sensitive intellectual capital. It is imperative that you: 1. Create a strategic social networking plan that 2. Defines what information can and should be shared by executives and employees on Facebook, Twitter, LinkedIn, etc. 3. Consider using social media to attract new prospects rather than creating a following of existing (and poachable) clients. 4. Populate your profile with only publicly available, marketing-based data. 5. Keep personal comments for personal pages, as they have no place at work. 6. Don’t rely on a policy to communicate your intentions and requirements surrounding social media. The most successful companies build a culture of privacy through an interactive process that allows the entire team to co-create a solution.
  2. Lack of education, not technology, is the greatest source of risk. It’s easy to blame our data privacy woes on technology. At the heart of every security failure (technological or otherwise), is a poor human decision, generally due to a lack of awareness. For instance, an employee, not a machine, decides to spend their lunch break using their work computer to post on personal social networking sites. In many cases, they do so because the business has not established guidelines for these scenarios, nor have they educated them on the risks. For example, most employees don’t understand that more than 30% of all malware is delivered to corporate computers via social spam through personalsocial networking use conducted on work computers. Solution: Educate your team as individuals first, employees second. The most effective way to change a human being is to appeal to them emotionally, not intellectually. Most of us are more emotionally connected to our personal lives than to our jobs. Consequently, by motivating your employees to protect their own social networking profiles first (and their kids’), you are not only lowering the malware and fraud that they introduce into your computers through lunchtime surfing, you are also giving them the framework and language to protect the company’s social networking efforts. Be sure to: 1. Break the training down into bite-sized, single topic morsels that won’t overwhelm or discourage employees. 2. Allow employees to spend a few moments applying the fixes you’ve just given them. 3. Once they’ve made the changes personally, reconvene and discuss what it all has to do with your organization’s social networking strategy. They will return to the learning table with emotional buy-in and awareness. Strategies Three and Five (below) are examples of this bite-sized, personal to professional adaptation process.
  3. Most social networking risks are old scams with new twists.During a lunch break at work, you receive a Facebook post that seems like it’s from a friend. It’s impossible not to click, enticing you with captions like, “check out what our old high school friend does for a living now!” Seemingly harmless, you click on a video, a coupon, or a link to win a FREE iPad and presto, you’ve just infected your computer with malware that allows cyber thieves full access into your company network. You’ve been tricked by a repackaged version of the virus-delivering-spam-emails of five years ago. Spam has officially moved into the world of social media (thus, social spam), and is now responsible for 30% of all viruses, spyware and botnets that infect our computers. Solution: Discuss social spam self defense at your next team meeting. It’s amazing how quickly people detect social spam once they’ve been warned! After all, they’ve seen it all before disguised in other forms. In addition to giving employees visual examples of social spam, click-jacking and like-jacking, make sure that they are equipped with the following knowledge: 1. If an offer in a social networking post is too enticing, too good to be true, too bad to be real or just doesn’t feel right, don’t click! 2. If you do click and aren’t taken directly to the site you expected, make sure you never click a second time, as this gives cyber thieves the ability to download malware onto your system. 3. Deny social media account takeover by using strong alphanumeric passwords that are different for every site and that you change frequently. 4. Account takeover is easy for criminals, which means that not all “friends” are who they say they are. If you suspect foul play, call your contact and verify their post. 5. Make sure that you protect your business with the latest cyber security and anti-theft prevention tools available. I will discuss these in the next strategy.
  4. Cyber thieves follow the path of least resistance by looking for open doors. Data thieves aren’t interested in delivering malware to just anybusiness (using social networking as their primary delivery device); they specifically target organizations that have done the least to protect their computers, networks, mobile devices, Wi-Fi and Internet connection. Why burgle a house with deadbolts and an alarm when you can attack the home down the street that left the front door wide open? In business, the “open door” usually comes in the form of poor computer security. Solution: Create a Path of Strategically Elevated Resistance. Thieves get discouraged (and move on to other victims) when you put roadblocks in their way. Keeping your network security up-to-date is the smartest way to quickly and effectively elevate your defenses against cybercrime. Follow these simple steps: 1. Hire a professional to conduct a security assessment on your network; the investment will pay for itself hundreds of times over. During the assessment and follow-up process, make sure that the IT professional: 2. Installs a security suite like McAfee on every computer, including mobile devices that travel, 3. Sets up your operating system and critical software for automatic security updates, 4. Enables and configures a firewall to block incoming cyber criminals, and 5. Configures your Wi-Fi network with WPA2+ encryption. To cover all of your bases, make sure that 6. You are prepared for a breach if it does happen. Deluxe, in partnership with EZShield, provides state-of-the-art identity protection and recovery services for businesses. It’s like health insurance for your information assets.
  5. Data criminals systematically exploit our defaults. Another way to create a path of strategically elevated resistance is to take away the “broadcast” nature of social networking exploited by thieves and competitors. Instead of inviting everyone to your cocktail party, only allow people you know and trust. When users set up a new social networking profile, the tendency is to accept the “default” account settings. For example, when you establish a Facebook account, by default, your name, birthdate, photo, hometown, friend list and every post you makeare available to more than one billion people. Solution: Change your defaults! It only takes minutes to modify every Privacy and Security setting offered by a social network. On a personal level, 1. Consider limiting who can view your hometown, friend list, family, religious affiliation and interests to Friends Only or even Only Me and 2. Disallow Google to index and share your profile on its search engine. Businesses will want to 3. Leave the indexing feature On to maximize search engine traffic. 4. Post updates to categories of friends (friend groups), not to the entire world. This isn’t only safer personally, it also makes for more targeted and appreciated customer service. 5. Make sure to update your defaults regularly, as social networking sites tend to make frequent changes. Many businesses with Facebook Fan Pages, for example, have not updated their profile in accordance with Timeline, meaning that their page is outdated and unprofessional.
  6. Social engineers mine social networks to build trust and exert influence. The greatest social networking threat inside of your organization isn’t malware or information scraping. Your greatest risk comes from a data spy’s ability to get to know youand your co-workers through your online footprint. Social engineering is the art of manipulating data out of you using emotional triggers such as similarity, likeability, fear of offending, authority, etc. A social engineer’s greatest tool of deception is to gain your trust, which is easy once they know your likes, friends and updates that you publish daily. After a month or so of cultivating what appears to be a legitimate relationship, social engineers begin to manipulate you for information. Solution: Verify, then trust. In the information economy, where data is quite literally currency, you must verify someone’s intentions and credibility before you begin to trust them. Here’s how: 1. Don’t befriend strangers; your ego wins, but you lose. 2. Before you accept a second-hand friend, verify that your existing network actually knows and trusts that person. Too many users accept friends indiscriminately, so you need to investigate their credibility before you hit the Accept button. 3. Don’t believe everything you read on social networking sites. In fact, don’t believe anything of substance until you verify it with reputable, primary sources like a national newspaper, ethical blogger or noted expert. 4. Never send money to a friend in need, download an entertaining app or give away sensitive information via social networking unless you know beyond a shadow of a doubt that the request is legitimate and that your communication is private and secure.
  7. In social networking, there are no secrets. The title of this paper was intentional – people want exclusive access to knowledge that others don’t have. We all want to know the secret, and I used that human desire in a gentle form of social engineering to get you to read the article. But in social networking, there are no secrets. The instant you hit the post button, your information becomes public, permanent and exploitable. It’s public because you have little control over how it is forwarded, accessed by others or subpoenaed by law enforcement. In the blink of an eye, your information is backed up, re-tweeted and shared with strangers. Digital DNA has no half-life; it never disappears. And as you’ve seen above, it can be used against you. Solution: Don’t just read, act! Reading is not enough; you must act on what you have read: 1. Revisit the information you over-share on your social networking profiles and remove it. 2. Modify your account privacy and security defaults so that you share only with the people you trust. 3. Educate your team from a personal perspective first and then apply it to your organization’s needs. 4. Strategically elevate your defenses by securing your computer network with software like McAfee, and recovery services like EZShield. 5. Research advanced fraud and social engineering tactics to protect yourself and your company.

Every company I’ve consulted to that has experienced a data breach wishes that they could “go back in time”. Why? Because recovery is often 10-100 times more expensive than prevention, and because data breach causes customer flight, bad press and depreciated value. Companies that prepare for the coming onslaught of social networking fraud will escape relatively unaffected. Businesses that are unprepared will suffer extensively. According to the Ponemon Institute, the average cost to a business of any size that experiences a data breach is $7.2 million, which explains why so many small businesses go bankrupt after a data loss event, as they are unable to pay the recovery costs. That gives you 7.2 million reasons pay attention.

John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply performance by building a culture of deep trust. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation or watch him on Anderson Cooper, 60 Minutes or Fox Business. 1.800.258.8076.

Anderson Cooper Targets ID Theft in New Year's Resolution

Anderson Cooper’s 1st show of the year brought a panel of experts to discuss New Year’s resolutions, why we make them and how we can better keep them. Identity theft expert John Sileo closed out the show with 3 Tips for Avoiding Scams in the new year. Click on the video to the left to view the segment. Anderson and John discuss smartphone stupidity, passwords and social networking privacy.
Identity Theft Expert John Sileo Appears on the Anderson Cooper New Year’s Resolution Special.

John Sileo is an award-winning author and speaks internationally on the dark art of deception (identity theft, data privacy, social media manipulation) and it’s polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply results and increase performance by building a culture of deep trust. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his keynote or media appearances on Anderson Cooper, 60 Minutes or Fox Business. Contact him on 800.258.8076.

Top Tips to Stop Travel Identity Theft – Sileo on Fox Business

Identity theft increases a great deal when you are on the road. Start protecting yourself with these Top 5 Identity Theft Tips while traveling:
  1. Travel Data Light. If you don’t have to take it with you, increase your safety and leave it at home. This includes checkbooks, debit cards, excess credit cards, Social Security cards and any excess digital gadgets. Simplicity is Security!
  2. Guard Your Devices. Smartphones and tablets are as powerful as laptops. Turn on the auto-lock passcode to keep others out of your information.
  3. Surf Protected. Stop using the free WiFi hotspots in cafes, airports and hotels, as they are constantly sniffed by cyber criminals. Instead, setup tethering between your mobile phone and tablet or laptop so that you are surfing safely.
  4. Privacy Please! Instead of leaving loads of data unprotected in your hotel room (a major source of theft), hang your privacy sign on the door and let house cleaning know that you do not want to be disturbed. Lowering traffic lowers risk.
  5. Mind the Lions at the Watering Hole. Take a minute to watch the video to the left to understand how increasing your awareness in airports, hotels, conferences and restaurants can save you tons of time and money.
Remember, protecting identity on the road isn’t just about you, it’s also about the data you handle in your business every day. It’s one thing to put your own identity at risk, it’s an entirely different affair to jeopardize the security of customer data, employee records or intellectual capital owned by the organization that pays you.
John Sileo is an author and recognized keynote speaker on how identity theft prevention bolsters your bottom line. Learn more about how he can inspire your organization to care about data security, social media privacy, identity management and trust leadership. Contact him directly on 800.258.8076. 

iPad Vampires: 7 Simple Security Settings to Stop Data Suckers

Information is the currency and lifeblood of the modern economy and, unlike the industrial revolution, data doesn’t shut down at dinnertime. As a result, the trend is towards hyper-mobile computing – smartphones and tablets – that connect us to the Internet and a limitless transfusion of information 24-7. It is an addiction that employers encourage because it inevitably means that we are working after hours (scanning emails in bed rather than catching up with our spouse).

In the work we do to change the culture of privacy inside of organizations, we have discovered a dilemma: iPads are not as secure as other forms of computing and are leaking significant amounts of organizational data to corporate spies, data thieves and even competing economies (China, for example, which would dearly love to pirate the recipe for your secret sauce). Do corporations, then, sacrifice security for the sake of efficiency, privacy for the powerful touch screens that offer a jugular of sensitive information?

Of course not! That’d be like driving a race car minus seat belts and air bags.

iPads provide a competitive advantage, and like generations of tools before it (the cotton gin, the PC), individuals and organizations alike will be forced to learn how to operate this equipment safely or risk the bite of intellectual property vampires. Here are 7 Simple Security Settings to help you lock down your iPad much like you would your laptop.

7 Simple Security Settings for Your iPad

  1. Turn On Passcode Lock. Your iPad is just as powerful as your laptop or desktop, so stop treating it like a glorified book. Your iPad is only encrypted when you enable the passcode feature. (Settings/General)
  2. Turn Simple Passcode to Off. Why use only an easy to crack 4-digit passcode when you can implement a full-fledged alphanumeric password? If you can tap out short emails, why not spend 5 seconds on a proper password.
  3. Require Passcode Immediately. It is slightly inconvenient and considerably more secure to have your iPad automatically lock up into passcode mode anytime you leave it alone for a few minutes.
  4. Set Auto Lock to 2 Minutes. Why give the table thief at your favorite café more time to modify your settings to his advantage (to keep it from locking) as he walks out the door with your bank logins, emails and kid pictures.
  5. Turn Erase Data after 10 Tries to On. Even the most sophisticated passcode-cracking software can’t get it done in 10 tries or less. This setting wipes out your data after too many failed attempts. Just make sure your kids don’t accidentally wipe out your iPad (forcing you to restore from your latest iTunes backup).
  6. Use a Password Manager. Your passwords are only as affective as your ability to use them wisely (they need to be long and different for every site). Keeping your passwords in an unencrypted keychain or document is a recipe for complete financial disaster. Download a reputable password-protection app like 1Password to manage and protect any sensitive passwords, credit card numbers, software licenses, etc. Not only is it safe, it’s incredibly convenient and efficient.
  7. Avoid Untrustworthy Apps. Not all applications are friendly. Despite Apple’s well-designed vetting process, there are still malicious apps that slip through the cracks to siphon data out of your device. If the app hasn’t been around for a while and if you haven’t read about it in a reputable journal (Macworld, Wall Street Journal, New York Times, etc.), don’t load it onto your system. Don’t jail-break your iPad to download apps outside of iTunes. Short-term gain equals long-term risk.

Believe it or not, these simple steps begin to give you a level of security that will discourage casual data vampires. After implementing the Simple 7, move on to 5 Sophisticated Security Settings for iPads for even more robust data defense.

John Sileo lost almost a half-million dollars, his business and his reputation to identity theft. Since then, he’s become America’s leading keynote speaker on identity theft, social media exposure and weapons of manipulation. He helps organizations build successful cultures of privacy. His clients include the Department of Defense, Pfizer and Homeland Security. To learn more, visit ThinkLikeASpy.com or contact him directly on 1.800.258.8076.

How Secure is Your Gmail, Hotmail, YahooMail?

I just finished an interview with Esquire magazine about the security of webmail applications like Gmail, Windows Live Hotmail and YahooMail. Rebecca Joy, who interviewed me on behalf of Esquire, wanted to know in the wake of the Rupert Murdoch phone-hacking scandal, how secure our photos and messages are when we choose to use free webmail programs.

The simple answer? Not very secure. Just ask Vanessa Hudgens (nude photos), Sarah Palin (complete takeover of her email account) and the scores of celebrities and power figures who have been victimized by email hacking.

Think of using webmail (or any web-based software, including Facebook, Twitter, Google Docs, etc.) as checking into a hotel room. Unlike a house, where you have tighter control over your possessions, the same is not true of a hotel. While you definitely own the items you bring into a hotel room (laptop, smartphone, wallet, passport, client files), you don’t have nearly as much control as to how they are accessed (maids, managers, social engineers who know how to gain access to your room). In short, by using webmail to communicate, you are exchanging convenience for control.

Here are the five most common ways you lose control:

  1. The password on your email account is easy to guess (less than 13 characters, fail to use alpha-numeric-symbol-upper-lower-case, don’t change it often) and someone easily hacks into your webmail account, giving them access to your mail, photos, contacts, etc.
  2. Someone inside of the webmail company is given a huge incentive to leak your private information (tabloids that want access to a celebrity’s photos and are willing to pay hundreds of thousands for it).
  3. You populate your password reminder questions (What high school did you go to?) with the correct answers instead of using an answer that is not easily found on your Facebook, LinkedIn or Classmates.com profile.
  4. You fail to log out of your webmail while on a public computer (hotel business center, school, library, acquaintances house), allowing them to log back in to your email account using the autosaved username and password (which by default tends to stay on a system for up to two weeks).
  5. You continue to deny the fact that when you store your information in places that you don’t own, you have very little actual control.

If you are sending sensitive information of any sort (text, photos, identity, videos or otherwise), don’t use webmail or social networking to send it. Use a mail program that resides on your own computer and encrypt the sensitive contents using a program like PGP. That gives you a much stronger form of protection than ignorantly exposing your information for all to see.

John Sileo is the award winning author of Privacy Means Profit and a professional speaker on data security, privacy, identity theft and social networking exposure.

 

Identity Theft Expert John Sileo on 60 Minutes


Achilles, an ancient Greek superhero — half human, half god — was in the business of war. His only human quality (and therefore his only exploitable weakness) was his heel, which when pierced by a Trojan arrow brought Achilles to the ground, defeated. From this Greek myth, the Achilles’ Heel has come to symbolize a
deadly weakness in spite of overall strength; a weakness that can potentially lead to downfall. As I formulated my thoughts in regard to New Zealand, I realized that the same weaknesses are almost universal — applying equally well to nations, corporations and individuals.During a recent 60 Minutes interview, I was asked off camera to name the Achilles’ heel of an entire country’s data security perspective; what exactly were the country’s greatest weaknesses. The country happened to be New Zealand, a forward-thinking nation smart enough to take preventative steps to avoid the identity theft problems we face in the States. The question was revealing, as was the metaphor they applied to the discussion.

For starters, let’s assume your business is strong, maybe even profitable in these tough economic times. In the spirit of Sun Tzu and The Art of War, you’ve dug in your forces, preparing for a lengthy battle: you’ve reduced costs, maximized your workforce, and focused on your most profitable strategies. As your competitors suffocate under market pressure, you breathe stronger as a result of the exercise. But like Achilles, your survival through adversity blinds you and even conditions you to ignore pending threats. You begin to think that your overall strength translates into an absence of weaknesses; and in general, you might be right. But Achilles didn’t die because of his overall strength, which was significant; he died because he ignored critical details. What details are you and your company ignoring?

Information, like Achilles himself, is power. And maintaining control and ownership of your information is quite possibly the most threatening Achilles’ heel any data-reliant business faces. Companies that don’t actively take control of their data are prime targets for identity theft, social engineering, data breach, corporate espionage, and social media exploitation. Regardless of your title, you have a great deal to learn from Achilles’ mistakes, and a significant opportunity to protect your own corporate heel.

Achilles 3 Fatal Mistakes and How to Avoid Them

Admit Your Vulnerabilities. Achilles forgot that he was human, failing to take inventory of his weakness in spite of superior strength. Though his faults were limited — a small tendon at the base of his foot — his failure to protect himself in the right spots proved fatal. When protecting data, it is imperative to understand that your greatest vulnerabilities lie with the people inside of your company. No matter how secure your computer systems, no matter how much physical security you deploy, humans will always be your weakest link. The more technological security you implement, the quicker data thieves will be to attempt to socially engineer those inside your company (or pose as an insider) to capture your data. Admitting vulnerabilities doesn’t have to be a public, embarrassing act. It can be as simple as a quiet conversation with yourself and key players about where your business is ignoring risk.

The three greatest human vulnerabilities tend to be: 1. Unawareness of the risks posed by data loss, 2. Lack of emotional connection to the importance of data privacy (personally in professionally) and it’s affect on profitability, and 3. Misunderstanding that in a world where information is power, it’s no longer about whom you trust, but how you trust. These symptoms suggest that your privacy training has either been non-existent or dry, overly technical, policy related and lacking a strong “what’s-in-it-for-me” link between the individuals in your organization and the data they protect every day.

If this is true inside of your business, rethink your training from this perspective: Your audience members (employees) are individuals with their own identity concerns, not just assets of the company who can be forced to follow a privacy policy that they don’t even pretend to understand. By tapping into their personal vulnerabilities regarding private information (protecting their own Social Security Number, etc.), you can develop a framework and a language for training them to protect sensitive corporate information. Like in martial arts, where you channel your opponent’s energy to your favor, use your employee’s humanness to your advantage. Pinpoint these vulnerabilities and shine the light of education on them.

Fight Prevention Paralysis. One of the most unfortunate and destructive character traits among humans is our hesitation to prevent problems. It is human nature to invest time to prevent tragedy only after we’ve experienced the pain that results from inaction. We hop on the treadmill and order from the healthy menu only after our heart screams for attention. We install a home security system only after we’ve been robbed. Pain motivates action, but the damage is usually done. You can bet that had he the chance to do it all over again, Achilles would slap a piece of armor around his heel (just like TJMAXX would encrypt their wireless networks and AT&T would secure their iPad data).

Prevention doesn’t get the proper attention because its connection to the bottom line is initially harder to see. You are, in essence, eliminating a cost to your business that doesn’t yet exist (the costs of a future data breach: restoring and monitoring customer credit, brand damage, stock depreciation, legal costs, etc.). This seems counterintuitive when you could be eliminating costs that already exist. But here is the flaw in that method of thinking: the cost of prevention is a tiny fraction of the cost of recovery. When you prevent disaster, you get a huge return on your investment (should a breach ever occur). Statistics say that a breach will occur inside of your organization, which means that by failing to invest in prevention you are consciously denying your organization a highly profitable investment. Why would you insure your business against low percentage risks (fire), but turn the other way when confronted with a risk that has already affected 80% of businesses (data breach) and has an almost guaranteed double digit ROI? It is your responsibility to demonstrate how the numbers work; spend small amounts of money preventing, or vast sums of time and money recovering.

Harden the Riskiest Targets. Once you have admitted to and cataloged your vulnerabilities and allocated the resources to protect them, it is time to focus on those solutions with the greatest return on your investment. A constant problem in business is knowing how to see clearly through information overexposure and pick the right projects. Just think of how much stronger Achilles would have been had he placed armor over his heel (which was human) rather than his chest (which was immortal). There is no financially responsible way to lower your risk to zero, so you have to make the right choices. Most businesses will gain the greatest security by focusing on the following targets first:

  1. Bulletproof Your People. Most fraud is still committed the old fashioned way – by manipulating trusting, unsuspecting people inside of your organization. Train your people for what they are: the first line of defense against fraud. Begin by preventing identity theft among your staff and then bridge this personal knowledge into the world of professional data privacy.
  2. Protect Your Mobile Data. Laptops, smart phones and portable drives are the most common sources of severe data theft. The solution to this very powerful and ubiquitous form of computing is a quilt-work of security including password strengthening, data transport limitations,  access-level privileges, whole disk and wireless encryption, VPN and firewall configuration, physical locking and human decision making (e.g., don’t leave it unattended the next time you get coffee at your corporate conference).
  3. Prevent Insider Theft: Perform thorough background checks, reference verification and personality assessment to weed out dishonest employees before they join your organization. Implement an ongoing “honesty meter” for your employees that ensures they haven’t picked up bad or illegal habits since joining your company.
  4. Classify Your Data. Develop a system of classification that includes public, internal, confidential and top secret levels, along with secure destruction and storage guidelines.
  5. Anticipate the Clouds. Cloud computing (when you store your data on other people’s servers), is quickly becoming a major threat to the security of organizational data. Whether an employee is posting sensitive corporate info on their Facebook page (which Facebook has the right to distribute as they see fit) or you are storing customer data in a poorly protected, non-compliant server farm, you will ultimately be held responsible when that data is breached. You must be aware of who owns that data, today and in the future, when your storage company is bought out or goes bankrupt.

We have much to learn from the foresight of New Zealand; they are an excellent example of how organizations should defend their Achilles’ heel. To begin with, they have begun to acknowledge their vulnerabilities in advance of the problem (in fact, their chief vulnerability is that dangerous form of innocence that comes from having very few data theft issues, so far). In addition, they are taking steps to proactively prevent the expansion of identity theft and data breach in their domain (as evidenced by the corresponding educational story on 60 Minutes). Finally, they are targeting solutions that cost less and deliver more value. I was in New Zealand to instruct them on data security. Ironically, I gained as much knowledge on my area of expertise from them as I believe they did from me.

John Sileo speaks professionally on identity theft, data breach and social networking safety. His clients include the Department of Defense, the FDIC, FTC, Pfizer and the Federal Reserve Bank. Learn more about bringing him in to motivate your organization to better protect information assets.

Geotag, You’re It! Disabling GPS Coordinates

Geotagging allows others to track your location even though you don’t know it.

With the increased use of Internet-enabled mobile devices such as the Blackberry, Droid and iPhone, geotagging has seen a huge increase in popularity. When social media users take a picture or video and upload it to their page, they are probably transmitting far more data than they think. With the ability to quickly add GPS information to media, smartphones make geotagging a simple task.

So What is Geotagging?

Simply, geotagging is where location or geographical information, such as your GPS coordinates, are added and embedded to different types of media (.jpg, .mov files, etc.). Invisible to the naked eye and the casual observer, geotags are part of the meta-data, or underlying data about the data, that accompanies each file. Examples of meta-data include when the file was created or modified, by whom, using what device and software. This data is often loaded on to your computer along with the original file.  Browser plug-ins and certain software programs can reveal the location information to anyone who wants to see it.

Twittervision makes great use of geotagging. Twittervision is a web mashup combining Twitter with Google Maps to create a real time display of tweets across a map (see photo above).  It also has a 3D mode that displays a globe of the Earth which spins to pinpoint arriving messages from Twitter.

So, who would want to know where you are?

While most of the uses are not fully apparent yet, your real-time location can reveal your home address, work address, places you visit often and at what time of day. It can reveal if you go to the doctor, a lawyer, a court date, or any other type of private meeting. Geotags make it very easy for friends, relatives, bosses, spouses, parents, enemies, law enforcement, stalkers, and thieves to know exactly where you are.

Telling everyone on your Facebook status that you are out for the evening can invite burglars; geotagging can do the same without you updating your status in any way.  By taking a picture at the Barry Manilow concert and uploading it to your twitter account, you are broadcasting the fact that you are probably over 40, away from home and, thanks to the geotag, exactly how far away you are.

If you’ve never seen Minority Report with Tom Cruise (where ads are served up to you on giant screens based on biometrics and your current location as you walk through the city ), it’s worth your time. Of course the movie exaggerates reality, that is one of the hallmarks of science fiction. But it does so in order to make you think about the possibilities and future realities. And that is exactly what corporations are doing. Using geotags that you upload into social networks (photos, videos, check-ins), they can see that you enjoy Starbucks and live in a certain neighborhood, so they may purchase a billboard in the area or more likely, target an ad to you on your Facebook wall. Although this can seem harmless, it will eventually raise larger concerns on consumer privacy.

In this fast paced electronic world, more and more people are using smartphones and therefore we can expect an increased use of geotags in the future. The problem with geotagging is that since it is not visible to the naked eye, most people don’t even realize they are sharing their location data. So what if you don’t want to transmit your location data?

Keeping location data private can be difficult, but here are some places to start:

  • Understand that anytime you take a picture, video or post an update from a networked device (somehow connected to the internet), your location is probably being appended to the file, even though it is hidden from you. As with all things technological, there are advantages and disadvantages to all features. Location based services also allow you to use handy tools like maps; give you Big Brother-like power in tracking your kids’ whereabouts, and allow thieves to burgle you when no one is home using tools like Foursquare and Facebook Places.
  • Disable geotagging application by application on your iPhone 4. In your phone, go to Settings, General, Location Services. Here you can set which applications can access your GPS coordinates, or disable the feature entirely (which could cause you problems using maps, restaurant finders, etc.)
  • Disable geotagging for photos on your BlackBerry. Go into picture-taking mode (HomeScreen, click the Camera icon), press the Menu button and choose “Options”. Set the “Geotagging” setting to “Disabled”. Finally, save the updated settings.
  • Disable geotagging for photos on your Droid. Start the Camera app (this is the menu on the left side of the camera application; it slides out from left to right). Select “Store Location” and make sure it is set to “Off”.
  • Although Facebook does remove geotags from uploaded photos, other social networking sites do not. Look into your privacy settings and turn off location sharing. As mentioned above, you can generally turn this feature off in your camera or phone as well.
  • Take particular care if you are uploading photos to a website where strangers will see them — such as Craigslist or Ebay.
  • Consider installing a plug-in on your browser to reveal location data – such as Exif Viewer for Firefox or Opanda IExif for Internet Explorer, so you can see geotagged data for yourself.
  • Take the time to stay informed about geotagging and other types of new technologies. By knowing what is out there, you can ensure the next photo or piece of media you upload won’t share your location with the World Wide Web.

John Sileo speaks professionally about social media exposure, identity theft and cyber crime for the Department of Defense, Fortune 1000 companies and any organization that wants to protect the profitability of their private information. Contact him directly on 800.258.8076 or visit his speaker’s website at www.ThinkLikeASpy.com.

Identity Theft for Businesses: Mobile Data Breach

Mobile Data Theft

Technology is the focal point of data breach and workplace identity theft because corporations create, transmit, and store so many pieces of information digitally that it becomes a highly attractive target. This book is not intended to address the complex maze that larger organizations face in protecting their technological and digital assets. Rather, the purpose of this book is to begin to familiarize business employees, executives, and vendors with the various security issues facing them.
The task, then, is to develop a capable team (internal and external) to address these issues. In my experience, the following technology-related issues pose the greatest data-loss threats inside organizations:

  • Laptop Theft: According to the Ponemon Institute, 36 percent of reported breaches are due to a lost or stolen laptop.
  • Mobile Data Theft: Thumb drives, CDs, DVDs, tape backups, smart phones
  • Malware: Software that infects corporate systems, allowing criminals inside these networks
  • Hacking: Breaking into your computer system from the outside, using networks, wireless connections, remote access, and your Internet pipeline
  • Wireless Theft: Wireless connections to the Internet in airports, hotels, cafes, and conferences
  • Insider Theft: When someone in the IT department (or elsewhere) decides to make extra money by selling your data

According to the Ponemon Institute, ‘‘Thirty-six percent of all cases in this year’s study involved lost or stolen laptop computers or other mobile data-bearing devices. Data breaches concerning lost, missing, or stolen laptop computers are more expensive than other incidents. Specifically, in this year’s study, the per-victim cost for a data breach involving a lost or stolen laptop was just under $225, over $30 more than if a laptop or mobile device was not involved.’’ Continue Reading….

The post above is an excerpt from John’s latest book Privacy Means Profit. To learn more and to purchase the book, visit our website www.ThinkLikeASpy.com.

Privacy Means Profit

Prevent Identity Theft and Secure You and Your Bottom Line

This book builds a bridge between good personal privacy habits (protect your wallet, online banking, trash, etc.) with the skills and motivation to protect workplace data (bulletproof your laptop, server, hiring policies, etc.).

In Privacy Means Profit, John Sileo demonstrates how to keep data theft from destroying your bottom line, both personally and professionally. In addition to sharing his gripping tale of losing $300,000 and his business to data breach, John writes about the risks posed by social media, travel theft, workplace identity theft, and how to keep it from happening to you and your business.