10:11 am
The following is an excerpt from John’s latest book Privacy Means Profit. To learn more and to purchase the book, visit our website www.ThinkLikeASpy.com.
Locking up sensitive documents is one of the most important and underutilized ways to protect company data. Of the individuals surveyed by the Ponemon Institute, 56 percent state that over 50 percent of their company’s sensitive or confidential information is contained within paper documents. Since 49 percent of all breaches involved paper, locking up what cannot be eliminated or destroyed is essential. To get you firmly into the business mind-set of thinking like a spy, start with this simple three-step classification process:
1. Classification: Set up a classification scheme. For example, you might have four levels of access: public, internal, classified, and top secret.
- Public documents are the only documents meant to be seen by outsiders (the public). This might include sales and marketing materials, websites, public filings, and the like.
- Internal documents are those appropriate for employees of the company to see, but inappropriate for outsiders. These are generally not high-risk documents, still it’s better to keep them confidential, just in case.
- Classified documents are a security risk if the wrong people see them, either internally or externally. Only certain employees and executives would have access to these documents (see step 2). Classified documents might include human resource files, customer lists, product development papers, department financials, strategy frameworks, and so on.
5:23 pm

By Mickey Murphy
Information security. Identity theft. Black hat hackers. This all sounds like three-alarm lingo from some old DC comic book: “Immediately sign over all of your wealth, or I will hack you and steal your identity!” What do these oblique, non-intuitive terms mean? Here is how Wikipedia defines them: Information security — “Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.” Identity theft — “Fraud that involves someone pretending to be someone else in order to steal money or get other benefits.” Black hat hackers (also known as crackers) — “Hackers who specialize in unauthorized penetration” of computer systems, as opposed to white hat hackers who test computer systems for companies to determine their penetrability.
However we characterize them, information security, identity theft and so on represent major challenges today.
A prime example of consumer vulnerability came last year when federal authorities indicted three men on charges of hacking into computer systems at numerous Dave & Buster’s restaurants and stealing credit card information. The federal government accused the men of stealing “Track 2” magnetic stripe data — which includes account numbers, expiration dates and security codes — from customers’ credit cards, and then selling this information to others who used it to make fraudulent purchases.
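To make the “Track 2” reference concrete, here is an added example (not from the article or from the court filings) that parses the ISO/IEC 7813 Track 2 layout and scans a text blob for leaked swipes. Track 2 is PAN, a `=` separator, a four-digit YYMM expiry, a three-digit service code, then discretionary data, optionally wrapped in `;` and `?` sentinels; the “security code” an attacker gets from the stripe is the card-present check value (CVV1/CVC1) in the discretionary field, not the CVV2 printed on the back. The sample log line and the test PAN 4111 1111 1111 1111 are constructed; the regex, field widths and helper names are this example’s own assumptions, not a vendor format spec.

```python
import re
from dataclasses import dataclass

# ISO/IEC 7813 Track 2: ;PAN=YYMMSSS<discretionary>?  (sentinels are often missing in dumps)
TRACK2_RE = re.compile(
    r";?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d{0,20})\??"
)


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str  # issuer data; PVV and CVV1/CVC1 live here


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check on the PAN; a cheap filter against random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Parse one Track 2 string; rejects anything that is not a Luhn-valid PAN."""
    m = TRACK2_RE.fullmatch(raw.strip())
    if m is None:
        raise ValueError("not a Track 2 string")
    if not luhn_ok(m["pan"]):
        raise ValueError("PAN fails Luhn check")
    return Track2(m["pan"], m["exp"], m["svc"], m["disc"])


def mask_pan(pan: str) -> str:
    """Keep the first 6 (BIN) and last 4 digits, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(blob: str) -> list[Track2]:
    """Scan arbitrary text (a POS log, a memory dump) for Luhn-valid Track 2 data."""
    hits = []
    for m in TRACK2_RE.finditer(blob):
        if luhn_ok(m["pan"]):
            hits.append(Track2(m["pan"], m["exp"], m["svc"], m["disc"]))
    return hits


# Constructed sample: a POS debug log that wrote raw swipes to disk. The second
# line looks like Track 2 but its PAN fails Luhn, so the scanner drops it.
SAMPLE_LOG = (
    "2010-05-01 18:02:11 POS3 swipe=;4111111111111111=25121011234567890? auth=OK\n"
    "2010-05-01 18:02:12 POS3 swipe=;1234567890123456=2301101? auth=DECLINED\n"
)

if __name__ == "__main__":
    for t in find_track2(SAMPLE_LOG):
        print(mask_pan(t.pan), "exp", t.expiry_yymm, "svc", t.service_code)
```

A scanner like `find_track2` is the shape of a quick data-leak check: point it at log directories, crash dumps and swap on point-of-sale hosts; any hit means full stripe data is being stored somewhere it should never be.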
3:20 pm
During a recent 60 Minutes interview, I was asked off camera to name the Achilles’ heel of an entire country’s data security perspective; what exactly were the country’s greatest weaknesses. The country happened to be New Zealand, a forward-thinking nation smart enough to take preventative steps to avoid the identity theft problems we face in the States. The question was revealing, as was the metaphor they applied to the discussion.
Achilles, an ancient Greek superhero — half human, half god — was in the business of war. His only human quality (and therefore his only exploitable weakness) was his heel, which when pierced by a Trojan arrow brought Achilles to the ground, defeated. From this Greek myth, the Achilles’ Heel has come to symbolize a deadly weakness in spite of overall strength; a weakness that can potentially lead to downfall. As I formulated my thoughts in regard to New Zealand, I realized that the same weaknesses are almost universal — applying equally well to nations, corporations and individuals.
10:31 am
A few months ago, Google got caught sniffing unencrypted wireless transmissions as its Street View photography vehicles drove around neighborhoods and businesses. It had been “accidentally” listening in on transmissions for more than 3 years – potentially viewing what websites you visit, reading your emails, and browsing the documents you edit and save in the cloud.
Public opinion blames Google, because Google is big and rich and scarily omnipotent in the world of information domination. It’s fashionable to blame Google. What Google did was, to me, unethical, and they should eliminate both the collection practice and their archive of sniffed data.
But the greater responsibility lies with the businesses and homes that plugged in a wireless network and did nothing to protect it. Don’t tell me that you don’t know better. When you beam unencrypted data outside of your building, it’s no different than putting unshredded trash on your curb – YOU NO LONGER OWN IT. In fact, when you take no steps to protect the data that flies out of your airwaves and into the public domain, you really have no claim against someone taking it. It’s like finding a $100 bill on an abandoned sidewalk – you can claim it or the next lucky person will. Tom Bradley of PC World agrees:
12:42 pm
Steve Jobs unveiled Apple’s new iPhone 4 on June 7 in San Francisco. While the new features keep the iPhone at the forefront of technology, they also cause some privacy concerns.
One concern that carries over from previous iPhone models is the Always-on iPhone Apps that track your every move through the GPS navigation system. Back in April, Apple began allowing location-tracking applications to run in the background. So, for example, companies like FourSquare, Yelp, and Facebook can continuously track your location, providing automatic notifications to your friends when you are less than 1/2 mile away from them, if you allow them.
For example, I just had a highly confidential client meeting at the client’s corporate headquarters. To the uninitiated, that means that the company I was visiting is probably having data theft issues (and has brought me in to help). If the media finds out that they are having these issues before the company has had a chance to start the damage control process, their stock will drop far faster than if they have prepared for the news to go public. If Facebook or FourSquare is broadcasting my whereabouts, my followers already know which company is having the problem, their competitors know it (if they are following my GPS broadcasts), and the media sits and waits for me to enter the building. Luckily, I’m not well-known enough for anyone to care, but just in case, I don’t broadcast my whereabouts. Other, far more influential people do so without thinking twice about it, which goes to show that there are ways to utilize all of the cool new technology without letting it control you. With the right knowledge, you can take control of how your information is utilized.
1:38 pm
FTC Red Flags Rule Goes into Effect June 1st, 2010
The FTC will begin enforcing the Red Flags Rule on June 1st. The rule states that certain businesses and creditors must help fight identity theft and must create an identity theft prevention plan. This applies to a very broad class of businesses: those defined as “financial institutions” and those that extend any type of credit to their customers.
In other words, if you don’t receive cash the moment you deliver your product or service to your customer, your business most likely falls under the umbrella of the Red Flags Rule. If you do any billing after the fact (i.e., accounts receivable), you are considered a creditor, and therefore in the group of companies governed by Red Flags.
This includes:
- Any Business that Extends Credit
- All Banks
- Most Brokerage Firms
- Credit Card Companies
- Mortgage Lenders
- Non Traditional lenders (utilities, dealerships, health care providers)
Building an Identity Theft Prevention Plan
According to the FTC, the identity theft prevention plan consists of four main parts:
- Identification: The plan needs to provide a process to identify patterns, activities or transactions (i.e. red flags, hence the name) that appear to be leading to identity theft.
- Detection: The plan needs to specifically call out processes and procedures that will be used to detect the previously defined red flags.
11:57 am
Your business-class photocopier is essentially a computer that can be hacked. It has a hard drive and saves an image of everything you copy. Customer data, invoices, employee records, intellectual capital, personal identity. This is not new information – we’ve been writing about it for years. But the press is finally beginning to pay attention because they have seen for themselves the type of data that can be extracted from corporations by purchasing their used copiers (see the excellent CBS video to the left).
If you’ve attended one of my Privacy Survival Boot Camps or have seen me speak for your organization, you will recognize the spy terminology used below that I use to train on effectively evaluating privacy risks. Here is a brief primer to help you get started on protecting your business from this threat:
Stopping Photo Copier Information Leakage
- Verify whether or not your existing copier has a hard drive. You should contact the business that sold you the copier for details. If you do have a hard drive, ask them if it is password protected and encrypted (unless you paid something extra when you bought it, it is not).
- Ask them how you can take control of the situation. Is there a way to regularly scrub the hard drive (e.g., after each copy job, once the hard drive has finished spooling that job)?
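The reason a used copier gives up its history is that “delete” on most devices only drops the directory entry; the image data stays on the platter until something overwrites it. Here is an added example (not from this post or any copier vendor) showing the difference on a constructed toy disk: a file carver that ignores the file system and simply looks for JPEG start/end markers, a delete that blanks the name but not the data, and a scrub that actually overwrites the images. The disk layout, labels and function names are this example’s own; only the JPEG markers (FF D8 FF and FF D9) are real.

```python
SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker
EOI = b"\xff\xd9"      # JPEG end-of-image marker


def carve_jpegs(image: bytes, max_size: int = 50_000_000) -> list[tuple[int, bytes]]:
    """Return (offset, data) for every SOI..EOI span on the raw image.

    This is file carving: it never consults a directory or allocation table,
    so 'deleted' images are found just like live ones.
    """
    found = []
    pos = 0
    while True:
        start = image.find(SOI, pos)
        if start < 0:
            break
        end = image.find(EOI, start + len(SOI))
        if end < 0:
            break
        end += len(EOI)
        if end - start <= max_size:  # skip implausible spans (a stray SOI with no EOI nearby)
            found.append((start, image[start:end]))
        pos = end
    return found


def fake_jpeg(label: bytes) -> bytes:
    """Constructed stand-in for a scanned page: real markers around a text payload."""
    return SOI + b"\xe0\x00\x10JFIF\x00" + label + EOI


def build_sample_disk() -> bytearray:
    """Constructed 'copier drive': a toy directory table followed by image data."""
    disk = bytearray()
    disk += b"DIR:invoice.jpg,review.jpg;" + b"\x00" * 256
    disk += fake_jpeg(b"INVOICE 4471 ACME CORP TOTAL 12,400.00")
    disk += b"\x00" * 128
    disk += fake_jpeg(b"EMPLOYEE REVIEW J. DOE CONFIDENTIAL")
    disk += b"\x00" * 256
    return disk


def delete_entry(disk: bytearray, name: bytes) -> None:
    """What 'delete' usually does: blank the directory entry, leave the data in place."""
    i = disk.find(name)
    if i >= 0:
        disk[i:i + len(name)] = b"\x00" * len(name)


def scrub(disk: bytearray) -> None:
    """Overwrite every carved image in place; this is what actually removes it."""
    for offset, data in carve_jpegs(bytes(disk)):
        disk[offset:offset + len(data)] = b"\x00" * len(data)


if __name__ == "__main__":
    disk = build_sample_disk()
    delete_entry(disk, b"invoice.jpg")
    for offset, data in carve_jpegs(bytes(disk)):
        print(f"offset {offset}: {len(data)} bytes, still readable after delete")
    scrub(disk)
    print("after scrub:", carve_jpegs(bytes(disk)))
```

Run the same carver against a raw `dd` image of a real copier drive and you get a list of every page that was ever copied and not overwritten; run it again after the vendor’s “scrub” feature to confirm the feature does what the sales sheet says.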
3:58 pm
The number of identity theft victims rose 22% last year! Although it’s important to always protect your identity, tax season makes people more vulnerable to this crime and you should be especially cautious.
A recent article in the New York Times uncovers an H&R Block office in the Bronx that was infiltrated by identity thieves (apparently it was not the only office affected).
Last year, Kevin Johns, a construction worker in the Bronx, did his taxes at the H&R Block store on Riverdale Avenue that he had used for the past 20 years or so. The next day, though, he got a call from the tax preparer: his return was rejected because he had already filed. Or at least, someone had filed in his name. That someone helped himself or herself to an $8,499 refund.
Sharon Hawa, a disaster-relief coordinator with the Red Cross and another longtime customer at the same office, had a similar experience. Ms. Hawa said she went to have her taxes done, only to be told that someone had already e-filed her taxes and collected $6,145.
Both Ms. Hawa and Mr. Johns said they were told by police detectives investigating their cases that at least 20 customers of the branch and possibly many more had been robbed by identity thieves who were very likely H&R Block employees. Both said the fraudulent filers used their previous year’s adjusted gross incomes as proof of identity.
10:57 am

Identity Theft Prevention and Recovery Workbook
Order your copy Today to get our special introductory pricing!
The #1 recommendation to prevent Identity Theft is Education. Know what to look for and the steps to take to fight Identity Theft. If you have been a victim, learn which steps to take and in what order to recover your Identity quickly, accurately and safely!
Identity Theft is on the rise and according to Javelin Strategy & Research there were a staggering 11.1 MILLION Identity Fraud victims in 2009 alone. The cost of this handbook is well worth the price of protecting your most valuable asset, your Identity!
This 20 page Workbook includes:
Part I – Prevention
This 10 phase process of Preventing Identity Theft Includes:
- Protecting your credit.
- Knowing what is in your wallet.
- Securing databases and physical documents.
- Being safe when mobile computing.
- Protecting Online presence.
- Traveling safely.
- Social Engineering awareness.
Part II – Recovering from Identity Theft Basics
This 17 step process to recovering your Identity includes:
- Top 15 ways to detect Identity Theft.
- Contacting banks, creditors and credit reporting agencies
- How to keep an accurate Dossier.
- Credit Freezes, Fraud alerts and credit monitoring services.
8:00 am
Businesses often make fraud training boring! And that’s bad for their bottom line, because no one ends up remembering anything about the subject.
Too often, fraud and social engineering workshops cover just the concepts that define fraud rather than the feelings that signal it’s happening. The key to training your executives, employees and even customers on fraud is to let them experience what it feels like to be conned. In other words, they need to actually be socially engineered (manipulated into giving away their own private information) several times throughout the training so that they begin to reflexively sense fraud as it is happening. Like learning to throw a ball, there is no substitute for doing it for yourself. Fraud detection is similar; it takes actually doing it (or having it done to you) to fully understand the warning signs. Anything less will leave your audience yawning and uneducated.
This social engineering video was recorded at a fraud training I did recently for the Department of Defense, and it demonstrates how fun it can be to train someone on detecting fraud, and how profitable. As silly as it might seem, the skills necessary to detect fraud can be taught in very entertaining and engaging ways. After watching the video, take a minute to understand the basic skills your employees and executives will need to Stop Fraud: