Why Is Cybersecurity Awareness Training Important?

 

Why is cybersecurity awareness training important? Just as ships rely on lighthouses to steer clear of dangerous rocks, organizations need cybersecurity awareness training to protect their digital assets. By illuminating threats lurking in the dark, awareness training equips employees with the knowledge they need.

As a lighthouse provides illumination for navigation, trainings light the way for employees, executives and boards alike to make informed decisions about cyber defense and identify potential risks. Let’s take a closer look at why cybersecurity awareness training makes all the difference.

7 Sources of Light That Cybersecurity Awareness Training Provides

Cyber Threats Equips employees with the tools to identify, avoid, and stop cyber threats, from malware to ransomware, hackers to fraudsters.
Social Engineering Enables employees to recognize the suspicious, manipulative and malicious behavior of bad actors and respond appropriately.
Sensitive Data Educates employees about the importance of protecting sensitive data and adopting data security best practices as well as the stakes of failing to do so.
Insider Threats Sends a strong message to any potential malicious insiders that the organization is watching, thereby reducing the likelihood and impact of insider threats.
Compliance Ensures employees and executives are aware of their obligations and responsibilities under cybersecurity regulations and standards.
Incident Response Enables employees to respond promptly and appropriately to security incidents to minimize and contain damage.
Human Error Drastically reduces the 60%+ chance that a breach is due to unwitting human error rather than intentionally malicious behavior.

Protection against cyber threats: Cybersecurity awareness training is important because it helps employees understand the various types of cyber threats, such as phishing attacks, malware infections, ransomware, zero-day exploits and social engineering. By educating employees about what may be lurking at sea, they are better equipped to identify and avoid risks, reducing the chances of falling victim to cyber-attacks and identity theft of customer information.

Defense against social engineering attacks: Social engineering attacks involve manipulating individuals to gain unauthorized access to systems or sensitive information. Cybersecurity training raises awareness about standard social engineering techniques, such as pretexting, baiting, or impersonation. This knowledge enables employees to recognize suspicious behavior and respond appropriately, minimizing the chances of falling prey to such attacks.

Protection of sensitive information: Organizations handle a significant amount of sensitive data, including personal, financial, and proprietary information. Cybersecurity awareness training emphasizes the importance of protecting this information and educates employees on best practices such as strong password management, data encryption, secure file sharing, and data classification. Implementing these best practices reduces the risk of data breaches and unauthorized access.

Mitigation of insider threats: Insider threats can be unintentional or malicious, where employees inadvertently or intentionally compromise security. Cybersecurity training helps create a security culture within organizations, promoting responsible behavior and ensuring employees understand their roles and responsibilities in safeguarding sensitive information. It also sends a strong signal that the organization is mindful of insider threats, and is watching closely. By increasing awareness, organizations can reduce the likelihood of insider incidents and their potential impact.

Compliance with regulations and standards: Many industries are subject to specific cybersecurity regulations and standards, such as the General Data Protection Regulation, the Health Insurance Portability and Accountability Act, and the Payment Card Industry Data Security Standard. Cybersecurity awareness training ensures that employees know their obligations and responsibilities under these regulations, reducing the risk of non-compliance and associated penalties.

Incident response and reporting: In a cybersecurity incident, employees who have received cybersecurity training are more likely to respond promptly and appropriately. They will know how to report incidents, whom to contact, and how to limit the damage. This quick response can significantly reduce the impact of a cyber-attack and help in the recovery process.

Minimizing human error: Human error is a primary driver behind a massive number of successful cyber attacks. There is no malicious intent in these cases, just a lack of knowledge and proper training. This is one of the easiest, least expensive types of light an organization can shine on their data security.

Practical skills such as recognizing phishing attempts, creating strong passwords, and identifying malicious websites act as a lighthouse, allowing employees to steer clear of danger and make informed choices. Training programs enable them to protect sensitive information and contribute to a safer online environment.

Best Cybersecurity Awareness Training 

The best cybersecurity awareness training can vary depending on an organization’s needs and goals. However, an effective cybersecurity awareness training program includes the following elements:

  • Comprehensive coverage: Training should cover a wide range of cybersecurity topics, including password security, phishing attacks, social engineering, malware prevention, safe browsing practices, and data protection. That’s why lighthouses are more effective than, say, a flashlight haphazardly duck taped to a pole. Range matters.
  • Engaging content: The training should be exciting and interactive to keep participants interested and motivated. This can include videos, quizzes, real-life scenarios, and gamification elements.
  • Regular updates: Cybersecurity threats and best practices evolve rapidly, so the training program should be up-to-date to reflect the latest trends and vulnerabilities. Training programs must regularly update their content to ensure participants have the latest knowledge and techniques to recognize and counter emerging threats.
  • Customization: The training should be tailored to the specific needs and roles of the participants. Different departments may have varying cybersecurity risks and responsibilities, so the training should address these differences.
  • Ongoing reinforcement: Like the beacon on a lighthouse, cybersecurity awareness is not a one-time event but an ongoing, constantly evolving process. The training program should incorporate regular, bite-sized reminders, newsletters, and follow-up sessions to reinforce key concepts and ensure participants retain the knowledge over time.

To help you navigate the turbulent digital seas, award-winning main-stage speaker John Sileo offers comprehensive cybersecurity awareness training that is engaging, cutting-edge, and customized for your needs and goals. With a humorous live-hacking demonstration and powerful lessons learned from losing his business to cybercrime, he connects with your employees and drives home security awareness training that sticks.

John Sileo is an award-winning cybersecurity keynote speaker who has entertained and informed audiences for two decades. He is proud to have spoken at the Pentagon and Amazon, written four books on cybersecurity, and been inducted into the National Speakers Hall of Fame. He has appeared on 60 Minutes, NBC, ABC, Fox, CNN, Rachael Ray, and Anderson Cooper. John’s work has been quoted and published in The Wall Street Journal, The Washington Post, USA Today, and Kiplinger’s.

Looking for a customized speech to make your next event unforgettable? Call 303.777.3221 or fill out our CONTACT FORM to connect with Sue, our business manager extraordinaire. She’ll work with you to brainstorm ideas and explore how John can tailor his speech to fit your needs perfectly.

Travel Phishing: If It Seems Fishy, It Might Actually Be Phishy

travel-phishing

It is summertime which means that the beach is calling. Unfortunately, so are travel phishing scammers. 

The change in season brings an influx of travel-based scams and unfortunately, our eagerness to book the next vacation is making us more vulnerable to fraud. 

If there is one thing we know about humans, it is that we love bargains. Especially when it is masked as an all-inclusive buffet + wine tasting + ocean-view deal. 

But booking with caution now will save you a lot of stress later. That way, you won’t be mid-margarita when your bank calls to inform you that your identity was stolen and your child’s college fund just bought a lifetime supply of steak and an alarming amount of inflatable pool flamingos. (Or in my ID theft case, an expensive house in Boca Raton.)

In this article we dive into the hottest scams and how to keep cool this season… 

 How Travel Phishing Scams Trick Us

Email Spoofing Scammers are experts at making emails look genuine by mimicking the logos and formatting of real companies. So double check those emails from travel agencies, airlines, and hotel booking websites.
Social Media Lures This includes fake promotions and contests, influencer impersonation, and malicious downloads disguised as links to exclusive deals or apps.
Vendor Compromise Attacks Scammers may attack travel agencies, booking platforms, or tour operators to gain unauthorized access to sensitive customer information.
HR Department Impersonations and Credential-Harvesting Scams Hackers gather personal info through these conversations to later sell this data to the dark web.
Chat GPT AI is making phishing attempts more convincing and therefore harder to detect.
Urgency and Fear Tactics By putting pressure on victims to take immediate action (“limited time only!”) scammers hope to bypass your critical thinking.
Social Engineering By impersonating customer service representatives or travel agents, hackers may be using emotional and psychological manipulation tactics to request money and/or information.

What You Can Do About Travel Cyberattacks

  1. Be skeptical of unsolicited promotions, contests, or giveaways. Trust your instinct. If it seems fishy, it’s likely phishing.
  2. Stay informed about common travel phishing scams.
  3. Double check website URLS. Make sure it is spelled properly, HTTPS encryption, and trust indicators like padlock symbols.
  4. Enable two factor authentication to travel related accounts. This adds an extra layer of security by sending a code to your mobile device.
  5. Verify account authenticity. Check for verification badges and signs of legitimacy on social media accounts. Cross-check by doing independent research.
  6. Be careful where you click. Web-based threats are getting harder to detect. Take a few extra minutes to research the company before clicking on any links.
  7. Be selective about who you share your personal information with. AI chatbots will steal valuable credentials if you are too quick to trust them.
  8. Don’t use free public wifi or charging stations. Why? Because if something is convenient to you, it likely is convenient to hackers as well. So go ahead and pack that extra battery pack and buy the larger data plan.

So next time you might see a bargain and think “this is too good to be true”, it likely is. Sorry. However, there is hope! Cautious booking means carefree vacationing. By remaining vigilant, staying informed, verifying authenticity, and adopting secure practices, you can navigate the travel landscape confidently, ensuring that your vacations remain moments of joy rather than becoming tales of travel phishing woe. 

Safe travels!

John Sileo is an award-winning cybersecurity keynote speaker who has entertained and informed audiences for two decades. He is proud to have spoken at the Pentagon and Amazon, written four books on cybersecurity, and been inducted into the National Speakers Hall of Fame. He has appeared on 60 Minutes, NBC, ABC, Fox, CNN, Rachael Ray, and Anderson Cooper. John’s work has been quoted and published in The Wall Street Journal, The Washington Post, USA Today, and Kiplinger’s. John’s greatest joy is spending time in the mountains with his amazing wife and adventurous daughters. 

Looking for a customized speech to make your next event unforgettable? Call 303.777.3221 or fill out our CONTACT FORM to connect with Sue, our business manager extraordinaire. She’ll work with you to brainstorm ideas and explore how John can tailor his speech to fit your needs perfectly.

John Sileo Cybersecurity Expert Top Tips

I get asked at almost every keynote speech how the audience members can protect themselves, their families and their wealth personally. So I put together a series of videos to take you through some of the first steps. I hope this gets you started, and that I am lucky enough to meet you in person at a future speech!

Freeze Your Credit

A freeze is simply an agreement you make with the three main credit reporting bureaus (Experian, Equifax and TransUnion – listed below) that they won’t allow new accounts (credit card, banking, brokerage, loans, rental agreements, etc.) to be attached to your name/social security number unless you contact the credit bureau, give them a password and allow them to unfreeze or thaw your account for a short period of time.

Equifax Credit Freeze
P.O. Box 105788 Atlanta, Georgia 30348
Toll-Free: 1.800.685.1111

TransUnion Credit Freeze
Fraud Victim Assistance Department P.O. Box 6790 Fullerton, CA 92834
Toll-Free: 1.888.909.8872

Experian Credit Freeze
P.O. Box 9554 Allen, TX 75013
Toll-Free: 1.888.397.3742

Two-Step Logins

There are three basic ways to find out whether or not your provider makes two-step logins available:

  • Call them directly and ask them how to set it up. I especially like this method when working with financial institutions, as you want to make sure that you set it up correctly and they should be more than happy to help (as it protects them, too).
  • Visit the provider’s website (e.g. Amazon.com) and type in the words “two-factor authentication” or “multi-factor authentication” or “security tokens”.
  • Google the name of the website (e.g., Schwab.com) along with the words “two-factor authentication” or “multi-factor authentication” or “security tokens”.
  • Visit this helpful listing (https://twofactorauth.org/) to see if your desired website appears on the list of two-factor providers.

Online Backups (for Ransomware)

You need to have an offsite backup like in the cloud or elsewhere that is well-protected that happens daily on your data. That way, if ransomware is installed on your system, you have a copy from which to restore your good data. You have the ransomware cleaned off before it enacts and you’re back up and running. Make sure it:

  1. Is updated whenever a change is made or a new file is added.
  2. Is stored somewhere different than your computer.
  3. Actually works when you try to restore a file.

My personal recommendation and the one I use is iDrive online backup (iDrive.com).  I recommend buying twice the hard disk space of the data you need to back up.

Personal VPNs

A Virtual Private Network (VPN) extends access to a private network across a public network, so a user can send and receive data across a public network as if their personal device was directly connected to the private network. In layman’s terms, it’s like having a private tunnel between your device and your destination. If you haven’t already, research the term “VPN Reviews” to get the latest research and then install a VPN on every device to cyber secure your virtual office and smartphone.

Free Credit Reports

Go to annualcreditreport.com to see your three credit reports from the three credit reporting bureaus.  Periodically request a report from one of the bureaus and cycle through each of them every three months or so.

Identity Monitoring

Ask four questions as you research your options:

  1. Does the service have a simple dashboard and a mobile app that graphically alert you to the highest risk items?
  2. Does it include robust recovery services? (How long does it take to reach a live human being in the restoration department?)
  3. Does the service monitor your credit profile with all three credit reporting bureaus?
  4. Do you have faith this company be in business three years from now?

Password Managers

A password manager is a software application that helps a user store and organize passwords. Password managers store passwords encrypted, requiring the user to create a master password; a single, ideally very strong password that grants the user access to their entire password database.

Research Password Management services such as Dashlane, LastPass, or the one I personally use, 1Password. Google the term “Password Manager Reviews” and look for articles in a magazine you trust to find the one right for you.

Junk Mail

To opt out of pre-approved credit offers with the three main credit reporting bureaus, call 888-5-OPT-OUT (888-567-8688) or visit www.OptOutPreScreen.com.

Phone Scams

If you receive a call that triggers your scam alert reflex, HANG UP!  If you receive a call from someone supposedly from a financial institution, utility company or a government agency and they ask for personal information like your Social Security number, HANG UP! Or if someone calls from “Apple” or “Microsoft” promising to help with a computer issue, HANG UP!  You get the idea.  If you think it is a legitimate call, tell them you will call them back from a published number.  If they start making excuses, HANG UP!!!

Google Maps

  1. Go to www.google.com/maps
  2. Locate your house by typing its address into the search box and pressing Enter.
  3. Click on the small picture of your house that says Street View.
  4. Adjust Google Maps Street View by clicking the left and right arrows on the Street View image until you see your house.
  5. Click the Report a Problem link at the bottom-right corner of the Street View image or, depending on the device you are using, click on the three dots in the upper right-hand corner.
  6.  It will take you to a page to Report Inappropriate Street View.  Here you can ask to have any number of things blurred, including the picture of your house.
  7.  You will need to provide your email address and submit a CAPTCHA.

Smart Speakers

Ask yourself how comfortable you are having a corporation like Amazon or Google eventually hearing, analyzing and sharing your private conversations. Many people will say they don’t care, and this really is their choice. We are all allowed to make our own choices when it comes to privacy. But the vitally important distinction here is that you make a choice, an educated, informed choice, and intentionally invite Alexa or Google into your private conversations.

Account Alerts

To monitor accounts quickly and conveniently, sign up for automatic account alerts when any transaction occurs on your account. If you spend even a dollar at a store, you receive an email or text notifying you of the purchase.

  1. Go to the bank or credit card company website.
  2. Search for “Account Alerts” in their search window.
  3. Set up your alerts for a dollar threshold that makes sense for you.

Internet of Things

  1. Understand your exposure.  What do you currently connect to the internet?
  2. Make a list of the devices you have that connect to apps on your smart device.
  3. At a minimum, make sure you have CHANGED THE DEFAULT PASSWORD!!!
  4. Also consider disabling location services, muting any microphones and blocking any webcams.
  5. Finally, update the firmware regularly.

Tax Return Scams

If you suspect tax fraud, call 877-438-4338 or go to consumer.ftc.gov to alert them.  (They will not EVER call you or reach out via text or email!)

If you had a fraudulent deposit made directly to a bank account, contact your bank’s automated clearing house department to have it returned.  And close that bank account and open a new one while you are at it!

Safe Online Shopping Habits – Episodes 1, 2 & 3

  1. Stick to websites you know and trust. Beware of imposter websites that have a URL nearly identical to the one you mean to use.
  2. Always look for the lock icon in the browser and and “https” in the URL.
  3. Use long strong passwords.
  4. Never shop with a debit card online. It’s even better to use a dedicated credit card just for online purchases.
  5. Set up automatic account alerts on your bank account.
  6. Request a new credit card number once a year (after the busy shopping season).
  7. Set up two-factor authentication on your bank, credit card and retail accounts.
  8. Use a Personal Virtual Private Network (VPN).
  9. Download the apps for your favorite retail sites onto your smart devices and shop directly from them using your cellular connection.  This will assure you are not on a fraudulent site, you are protected by at least two passwords and your internet connection is encrypted.

Phishing Scams

  1. Mistrust every link in an email unless you know who it is coming from and you were expecting that link.
  2. If you’re suspicious about a link in an email, type the URL directly into the address bar of your browser to make sure it takes you to the legitimate website.
  3. Use the hover technique to see if you’re going to the real site or the site of the cyber criminals.

John Sileo, cybersecurity expert and identity theft speaker, has appeared for the Pentagon, Amazon and on shows like 60 Minutes and Anderson Cooper. Contact us for more details on 303.777.3221 or using our contact form.

Overturning Roe v. Wade Privacy Implications

Roe v. Wade privacy concerns

After the supreme court overturned Roe vs. Wade on June 24th, 2022, politics and privacy were turned upside down overnight. Politics aside, there are serious privacy implications as a result of the decision to end women’s constitutional right to abortion. Tech companies are at the forefront of making critical privacy decisions that could have legal, social, and political consequences no matter which way they sway. Abortion data is just another type of data to be collected and protected. And you should be aware of the implications, regardless of where your opinions fall on the issue.

How heavy should the data protection burden be for organizations? How do company and consumer protection relate to one another? How will privacy policies change and if they do, what does that say about political agendas? Does the overturning of Roe v Wade mean that tech companies will be more politicized based on their agreement to share or withhold private user data? These questions are surfacing in the face of this historic change. Abortion data privacy (and privacy in general) is going to look increasingly different in the near future. So, I’m here to wonder with you as we adjust to the new cybersecurity implications.

What we know is that data mining is nothing new. Nor is a desire for privacy. The political sphere may look different, but our privacy protecting habits shouldn’t. If anything–in the wake of geopolitical tensions and tense party lines–now is a great time to know who knows what about your data and what you can do to minimize data collection.

But first, what are the risks? Who are the stakeholders? And what do we do next?

Roe v. Wade Privacy Risks – Abortion Data Ripe for Exposure

  1. Text messages
  2. Location tracking
  3. Web searches
  4. Health apps (fertility/period tracking apps)
  5. Health centers: Sexual/reproductive histories, test results, ultrasound photos, consultation information

Who Stands to Cash In on Pregnancy & Abortion Data

  1. Third party data brokers looking to mine fertility, pregnancy and abortion data for the sake of profit
  2. Companies looking to sell you goods and services based on your stage of life
  3. Anti-abortion activist groups who want to target pro-life messages to both political sides

How the Ruling Could Alter Privacy

  1. Privacy legislation. The American Data Privacy and Protection Act being drafted by the US House does not have specific provisions related to abortion. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law requiring the protection of sensitive patient health data. However, The Privacy Rule permits the use and disclosure of patient information without disclosure or permission when required by law, for judicial and administrative proceedings, and for essential law or government functions. (Learn more about what is permitted here.)
  2. App anonymization, deletion, and encryption. Anonymization means either erasing or encrypting your Personally Identifiable Information (PII) so that stored data cannot be traced back to the user. Encryption means that companies cannot hand over data if they get subpoenaed by the government. End-to-end encryption means that your login data and period-tracking data will be completely anonymized so that no one but the user can view it. Certain period-tracking apps like Clue, Natural Cycles, and Flo offer data deletion upon request. None of these items has been made into law and are open for interpretation.
  3. Geofence warrants. A geofence warrant is a warrant that officials can issue to gather information without having a particular suspect in mind. They differ from traditional court orders as they only require a location and period time (not a suspect) to conduct a sweeping search of a database. After Roe v Wade was overturned, we anticipate the issuing of subpoenas for search histories. This is nothing new. Law enforcement agencies often require Google to provide data needed for investigations without alerting the individual that their data is being shared. This has direct impact on abortion and health data privacy.
  4. Data mining and advertisement. Privacy laws and abortion laws are still separate. But not as separate as you think. The surveillance advertising industry already exploits search and social media platforms. Now with legal implications and enforcement, we wonder if state prosecutors will be permitted to order media outlets to identify and prosecute women seeking abortions. Where do we draw the line?
  5. Dark Web traffic. There will be an increase in Dark Web Traffic as women search for abortion pills that may become outlawed in their state.

Ways to increase data protection

Companies should stand up for privacy no matter what. Here are a few reminders on minimizing data exposure or exploitation.

  1. As an organization, it is a best practice to collect and use as little private information as possible. This will keep you from being such an attractive hacking target.
  2. Use minimal data collection search engines (duckduckgo, firefox, brave)
  3. Utilize a private browsing window like Incognito (Chrome)
  4. Communicate sensitive information over encrypted messaging services (Signal)
  5. Browse the internet on a virtual private network (VPN) like Proton VPN that masks your computer or phone’s IP address
  6. Install browser extensions that enhance privacy
  7. Disable advertising identifiers in your phone and browser
  8. Enable location services only when necessary and only when the app is in use.
  9. Bulletproof your culture of security by investing in engaging security awareness training.

We are more vulnerable to the surveillance economy than ever before. Changes to the political sphere are impacting virtually every aspect of our digital and physical lives, whether we know it or not. Now is a great time to take stock of our own blind spots and be intentional about how we protect our personal data.

Hackers Hot for Hotspots: Protect Your Remote Workforce


Your remote workforce is only as strong as its weakest link — which, believe it or not, may be a public WiFi hotspot. Insecure networks have been at the forefront of a recent spike in business-impacting cyber attacks, namely among organizations that have deployed a remote workforce who accessed malicious WiFi networks or hacker-enabled hotspots.

Have we become so dependent on the ubiquity and convenience of connectivity that remote employees will connect to any nearby network, so long as it looks legit? The answer is yes, and it’s the reason why 80% of security and business leaders said their organizations were more exposed to risk as a result of remote work.

Though remote work enables employees to work from anywhere, these harmful hotspots are everywhere, and many employees are simply none the wiser to the risks. The vulnerability of the remote workforce to these cyber attacks can no longer be ignored. Learn how to protect your remote workforce (and organization) from the harmful effects of network-induced cybercrime.

The Remote Workforce is Here to Stay

If 2020 was the year of remote work, 2021 was the year of the remote workforce — and recent data suggests it’s not going anywhere any time soon. While 70% of full-time workers were forced to switch to remote work in 2020, 69% still voluntarily worked remotely throughout 2021. Today, a whopping 81% would prefer a hybrid or remote working style indefinitely, even post-pandemic. 

Plus, it’s not just employees who favor a permanently remote workforce. According to the 2021 State of Remote Work, 26% of employers have voluntarily chosen to maintain a fully remote workforce and 20% have opted for a hybrid work model. Not to mention, approximately 40% of employers have either reduced or closed their physical office spaces. 

All signs point to an ongoing remote workforce. But if employers weren’t prepared for their teams to work from home in 2020, are they actually prepared now? Or will the risk of cybercrime dampen the otherwise fantastic benefits of remote work? Recent statistics suggest there’s still work to be done to protect both employees and organizations. 

But Are Remote Workers Safe from Cyber Crime? 

Are you familiar with the phrase, “One bad apple spoils the barrel?” Well, that’s a pretty accurate way to view public WiFi and free hotspots in relation to remote work. Though employees have the freedom and autonomy to dial in from anywhere in the world, they almost always require an internet connection to access company servers or internal databases. 

98% of remote workers use a personal device for work daily, yet 71% of security leaders lack high or complete visibility into remote employee home networks — which could explain why 67% of cyber-attacks directly targeted remote workers. From the local café to a hotel across the globe, it’s far too easy for employees to unintentionally connect to an unsecured network. 

A recent study, Cybersecurity in the New World of Work, found that 74% of organizations attribute recent business-impacting cyberattacks to vulnerabilities in technology put in place during the pandemic, namely migrating business-critical functions to the cloud. Two-thirds of security leaders plan to increase cybersecurity investments over the next two years, but what about right now?

So, Is Public WiFi a Trap Door for Hackers?

While security leaders scramble to implement better network practices for remote workers, this remote-work expert will let you in on a secret: Using free public WiFi is like licking the grade-school water fountain while you’re taking a drink. Sure, you get what you need out of the deal, but you open yourself up to a lot of nastiness… like, next-level gross. The same can be said for public WiFi. 

Though a public, insecure internet connection allows remote employees to access whatever they need for work, it also provides cybercriminals with access to business-sensitive or customer-centric data. A hacker can examine every piece of information a worker enters on the network, from important emails to security credentials for your corporate network.

Unfortunately, many people consider tethering their laptop to their phone as too technical or lack the appropriate data plan, so they default to a local hotspot. These hotspots are often unencrypted and require no login or password — that’s like open season for hackers! And with slim chances of tracking a cybercrime to the hotspot (or hacker) in question, they continue to be a blind problem. 

Why Public WiFi Makes a Hacker’s Job a Breeze

We as a society have become so dependent on connectivity, whether for remote work or pleasure, that the average person will connect to a random nearby network as long as it is named in a manner consistent with their place on the map. Near a café? FreeCafeWiFi it is! But why is it so easy for cybercriminals to create these malicious networks in the first place? 

First and foremost, it’s because you don’t have to hack a public network, you just have to imitate one. With an average iPhone, anyone can set up an “evil twin” WiFi network at the nearest café, airport, or hotel, and sniff any unsecured traffic that passes through. Most people don’t know the difference between the various WiFi or tethering symbols on their phone, so they’re in the dark about the inherent risks.

With slightly more sophisticated equipment and the right software, a true “evil twin” can be set up in a matter of seconds. In fact, when I’m in the field as a cybersecurity speaker, I often rename my iPhone to the name of the hotel or conference center hosting the event, like !SECUREMarriotWiFi. This naming convention makes the hotspot rise to the top of the list, and I regularly have attendees joining my hotspot to collect their email, log in to work, and more.

It’s that easy, friends. And it’s not always criminals doing the involuntary data grab: Retailers have been known to offer free WiFi with the specific purpose of learning more about their customers, meaning even “legitimate WiFi” can be a risk. The average café or retailer doesn’t actually care about the safety of your data, they are just keeping expenses low and connections convenient. 

Cybersecurity Expert Tips to Protect Your Remote Workforce 

Would you trust and inject a vaccine someone handed you at your favorite Starbucks? Don’t delude yourself. Working on free WiFi with sensitive material will never be as safe as using a secure hotspot or WiFi connection you own. If your remote workforce is spread across the city, state, or country, there’s no way they can all access a company-backed Internet connection.

So, you must do the next-best thing — educate your team on how to safely work remotely. Here are five tips, as told by a cybersecurity expert who has seen behind the curtain, to improve your Wi-Fi safety and protect your business. 

1. Connect (Work Remotely) via Cellular Data 

When remote employees are working on something sensitive or confidential (read: internal data), it’s best to connect to the internet via cellular data connection whenever possible. Connection from a smartphone to a personal device is encrypted and far more secure than any free WiFi.

If they don’t have a dedicated hotspot, tether a smartphone to a laptop and use that to communicate instead. In many cases, an available 5G network is faster than what the free WiFi will be. 

2. Utilize a Virtual Private Network (VPN)

A Virtual Private Network (VPN) extends access to a private network across a public network, so a user can send and receive data across a public network as if their personal device was directly connected to the private network. In layman’s terms, it’s like having a private tunnel between your device and your destination. If you haven’t already, install a VPN on every worker’s device to cyber secure your virtual office

For the remote workforce, a VPN is an excellent method to add security to employee communication, especially when leveraging an insecure connection like public WiFi. Even if a hacker accesses an employee’s device, the data will be strongly encrypted and is more likely to be discarded than run through a lengthy decryption process. 

3. Always Use HTTPS 

Take a look at your browser bar. Right now, the current web address should begin with https:// — that’s on purpose. HTTPS (Hypertext Transfer Protocol Secure) is an extension used for secure communication over a computer network. The majority of trustworthy sites will leverage HTTPS to encrypt communication, especially those that require log-in credentials. 

Entering those credentials in an unencrypted manner could open the door to a hacker, who can then repurpose those details to access your corporate or client network. So, be sure to personally enable (and encourage employees to enable) the “Always Use HTTPS” option of frequently-visited sites. Alternatively, install a web extension like HTTPS Everywhere for Chrome, Firefox, and Opera to essentially force each website you visit to connect using HTTPS. 

4. Safeguard All Settings

The settings on a personal device are the difference between leaving the backdoor wide open for cybercriminals or dead-bolting that door shut. When your remote workforce connects to the internet at a public place, be sure their settings have been optimized to prevent a cyber attack as much as possible. 

For one, turn off sharing from the system preferences or Control Panel. It’s unlikely your team has anything to share with the other patrons of a café, save the hacker lurking in the corner. Secondly, turn off Auto Connect for WiFi networks and log out of the WiFi when you leave, as many of today’s devices will automatically connect to the closest available network, without regard for safety.

5. Verify Legitimacy Whenever Possible 

Lastly, if you or your remote workforce ever find the dire need to use public WiFi, make sure to verify with the business that any WiFi hotspot you join is the legitimate one — not the “evil twin” — and make sure it requires a password to join. Confirm details such as the connection’s name and IP address before connecting any personal devices to the business’s network. 

Stay Protected with a Cybersecurity Overhaul 

Even a remote workforce that takes every possible precaution against third-party networks can encounter a cybercriminal. That’s just a risk of doing business in this increasingly digital age. As cybercriminals continue to evolve, cybersecurity best practices will also progress; and it’s up to business leaders to continue to upgrade their security practices to remain protected.

Don’t let the threat of cybercrime impact the longevity or productivity of the remote workforce. Take action today by empowering your remote workforce with the tools they need to remain safe, even when dialing in from halfway around the globe. Now is the time to invest in a cybersecurity crash course, if not for the safety of your business, for the protection of your employees and customers. 

Face Computers: Privacy Violation by Pupil Dilation? 

Smartwatches, holograms, self-driving vehicles — we may have just rung in the year 2022, but here on Earth, we’ve started to live (blindly) like the Jetsons in 2062. The latest technological advancement coming out of Orbit City, err, Silicon Valley is the face computer, wearable tech that will plunge users into the notorious “metaverse.” 

Just saying the word metaverse makes me throw up a little in my mouth. Though similar technology has been in the works for quite some time, rumor has it that Apple may be launching an augmented reality headset (face computer) sometime soon. And where Apple goes, hundreds of millions of followers go. I am one of them. So, what does this mean for you and me? 

Is it time to embrace the next gen digital lifestyle à la the Jetsons? Well, you might want to pause before strapping into a newfound face supercomputer and diving headfirst into the metaverse. Here’s what the rise of face computers may mean for your privacy, and how we should begin to implement boundaries that protect both our data and our security… before it’s too late. 

Pitfalls of Not Prioritizing Privacy 

As a society, we often become distracted by all of the fancy bells and whistles advertised by emerging technology and software programs. We watch a two-minute highlight reel of the ‘latest thing,’ whether it’s a new smartphone or social media network, and hop right in — reserving the hard-hitting questions for later.

Historically, that’s never worked out well. When we embrace new technology first and lay the ground rules for it second, we essentially open ourselves to inherent privacy risks. Don’t believe me? Think about Facebook and Instagram, which are both continuously under fire for predatory practices surrounding user data, yet 1.93 billion people use the platforms every day regardless. 

When privacy and security concerns take a backseat, the decisions surrounding new technology are ultimately driven by the technology companies themselves — much like we see with Meta, the Facebook parent company. Even when we do engage with the company, like by deactivating our accounts or signing public petitions, we don’t engage with the same robust financial backing of the organization, and consequently the deep pockets of Big Tech completely drown out our voice. 

Want the government to step in? Well, Congress has passed a few cybersecurity bills; however, the majority focus on emerging malware risks and other data breaches helmed by cybercriminals… not face computers. And as we can see with the media frenzy surrounding the Facebook whistleblower trial, Congress is not currently in a place where they will legislate in a bipartisan way on solutions. 

Potential Implications of a Face Computer 

So, what is the worst thing that could happen if we all strapped into a new face supercomputer with little to no restrictions? Picture it as having an Alexa device that doesn’t just listen to your every conversation, but also tracks your autonomic responses, like pupil dilation, respiratory rate and pulse. Then, your device sells that data to the third-party highest bidder for incredibly targeted advertising, which is then inevitably breached by Russian or Chinese state-sponsored hackers who are paid to gather every detail about every American they can. 

Does your heart rate speed up when you look at the Tesla website? They’ve learned what’s on your gift wishlist. Does your favorite politician make your pupils dilate? Get ready for an onslaught of political advertisements. From a privacy and security lens, these face supercomputers operate more like a biometric movie like the Matrix than they do a helpful media device. 

Prepare for Marketing in the Metaverse 

Face computers are poised to be the entryway into the highly prophesied metaverse. A metaverse is a fully-functioning virtual universe that allows real users to create, sell, own, and invest using personalized digital avatars. These virtual universes are always active and adhere to real-world timing, so the more users are involved, the more the metaverse will expand and evolve.

If you have a child or are partial to ‘sandbox style’ games, like Grand Theft Auto or Roblox, you’re already familiar with a type of metaverse. As virtual and augmented reality technologies become more popular, metaverses are penetrating the internet, with the folks at Meta predicting that the worldwide web will eventually transition into the ‘worldwide metaverse.’ 

As you could predict, advertisers are already hard at work infiltrating various metaverses. For instance, Bidstack, a video game ad tech company, has begun placing company ads on virtual billboards across games like Roblox and Fortnite. Even navigation platforms like Waze have gotten in on the action, delivering ads for brick-and-mortar businesses based on the route a driver takes. 

How to Prepare Now, So We Don’t Suffer Later

None of the above information is meant to intimidate you. In fact, it’s quite the opposite. In the cybersecurity industry, knowledge is power. The more we know and prepare for the introduction of face computers, the more we can implement ground rules that protect our right to privacy. I’m not in any way categorically rejecting the advent of face computers; I’m saying that we need to put limits on how our personal biometric data is collected, analyzed and sold. 

We should not delay educating ourselves and others about the potential impacts of this technology. Here’s how we can prepare for face supercomputers on an individual, company, and societal level.

1. Start with Background Education 

Threat trends are consistently evolving. From ransomware to the Internet of Things, most people are unaware of how privacy and security concerns shift with each type of technology introduced. When it comes to the latest data security threats, you can’t possibly do everything — but you must do the right things, starting with self-education. 

Consider educating your people with a cybersecurity crash course that provides a high-level, non-technical path through the complicated web of technological threats, human decision-making, network security, cloud computing, and more. The right cybersecurity keynote speaker for your event can help navigate emerging mobile technology with strategies grounded in fact, so you can feel more in control moving forward. 

2. Impose Company-Wide Policy 

Though face computers aren’t necessarily ‘workplace technology,’ it’s not a stretch to assume that these devices will soon make their way to boardrooms and break rooms alike. Mark Zuckerberg has already introduced the idea of virtual team meetings on the metaverse, and with remote work still going strong, a face supercomputer can help bridge the gap between dispersed teams.

However, as we learned with the recent shift to remote work, thousands of employees on one remote server can spell disaster for many organizations — and dozens of employees all using face computers to dive into the metaverse can provide a backdoor for cybercriminals. Now is the time to implement a company-wide policy for these types of technologies; start by Bulletproofing Your Business Against Breach  with a cybersecurity keynote speaker who has experienced the devastation of cybercrime. 

3. Make Your Powerful Voice Heard 

Much like we can’t stop the current technological evolution, we cannot prevent the introduction of face computer technology. In truth, that might be a good thing — there are dozens of incredibly valuable uses for this technology that range from public health to even climate control. However, we should encourage societal input to implement boundaries for our privacy. 

Now is the time to remember how much power we as consumers truly have. Society plays a massive role in the political power held by tech giants. We can help shape the media and other politically-relevant information that surrounds emerging technologies by continuing to educate ourselves and speaking amongst others to ensure consumers understand the full concept of face computers and not just the bells and whistles. 

Seek Peace of Mind with a Cybersecurity Keynote Speaker 

If all of this talk about supercomputers and virtual universes makes you feel like you’re living in a Matrix movie, you’re definitely not alone. Though we might not be ‘Jetson level’ futuristic, our society is slowly (but surely) getting there. To ease this latest technological transition, reach out to a trusted cybersecurity keynote speaker for peace of mind and protection. 

For nearly two decades, I have spoken to organizations including the Pentagon, Homeland Security, Pfizer, Charles Schwab, Visa, and the Federal Reserve Bank about how to safeguard their organizations from cybercrime. If you want to gear up for the latest evolution of smart headgear, contact The Sileo Group today to schedule your next cybersecurity keynote. 

New iPhone Setting Stops Apps & Ads from Stalking You (App Tracking Transparency)

Apple App Tracking Transparency is Finally Here!

With the release of iOS 14.5, Apple has given us the most powerful privacy tool for users in many years – it’s called App Tracking Transparency (ATT). The update also includes a lot of features that have Apple product users very excited, like new Siri voices and being able to open your iPhone with Face ID even when wearing a mask—IF AND ONLY IF you have an Apple watch.

But as a privacy advocate, the element that matters the most to me is the App Tracking Transparency (ATT) feature. This means that apps like Facebook, Instagram and Google will no longer be able to track or gather your surfing habits on other apps or websites without getting your permission. For example, if you worked out on the Peloton app this morning, Facebook can buy that information and advertise exercise clothing to you based on your exercise type, size, weight, etc.

This is a serious blow to Facebook and other “free” services that depend on gathering your intimate personal and behavioral data to sell to their advertising clients. Of course, these services have never actually been free, as we have always been paying by giving them our information.

Specifically, the update changes the Identifier for Advertisers (IDFA), which is a unique random number assigned to each iPhone and allows advertisers and developers to track user behavior on that device. This includes not only app usage but also web browsing behavior that is often used to target advertisements to your psychographic profile. Apple says this change will provide transparency and give users an easier way to choose if their data is tracked.

Needless to say, Facebook, Google, and other big tech firms are not happy with the change. Facebook was so upset they placed a full-page ad in The New York Times in December claiming that the change would negatively affect small businesses who will see a drop of over 60% in sales. Facebook was unable to substantiate that claim, but their claim that it will force developers to enable in-app purchases or force subscriptions to make up for lost revenue is most likely true.

What will this look like for you as a consumer?

Basically, whenever you open any app that wants to access the IDFA, you will see a pop-up notification that asks for permission to track you across apps and websites by other companies and you’ll be able to opt in to allow tracking or not by choosing between “Allow Tracking” or “Ask App Not To Track.” Opting into data collection rather than having to opt out finally catches up with data privacy regulations such as the EU’s GDPR. It will be required by all software makers within a few months of the release.

So it comes down to a question of are you willing to pay for the extras provided by apps in order to have a little bit more privacy?

John Sileo is a privacy keynote speaker, award-winning author and media personality as seen all over TV. He keynotes conferences virtually and in person around the world. John is the CEO of The Sileo Group, a business think tank based in Colorado.

Is WhatsApp Privacy a Big Fat Facebook Lie? What You Need to Know.

WhatsApp privacy policy

WhatsApp Privacy: Facebook’s New “Data Use” Policy

I have been getting a ton of questions on the privacy of your personal data that is sent through WhatsApp. Is Facebook, who owns WhatsApp, sharing everything you write, including all of your contacts, messages and behaviors? It’s not quite that simple, but neither is Facebook.

Facebook announced a new WhatsApp privacy policy recently which created A LOT of confusion and user backlash. The changes caused such an uproar that they ultimately have decided to delay release of the new WhatsApp privacy agreement from Feb. 8 to May 15 while they sort themselves out. So let me give you a head start!

Behind all of this, WhatsApp is trying to break into the world of messaging for businesses (to compete with Slack and other programs). That way, when you communicate with a business, Facebook will see what you’re saying and use that information for advertising purposes.

Your Data That Can Be Accessed By Facebook

Facebook contends that your private messages will remain encrypted end-to-end, including to them, but Facebook & WhatsApp will have access to everything they’ve had access to since 2014:

  • Phone numbers being used
  • How often the app is opened
  • The operating system and resolution of the device screen
  • An estimation of your location at time of usage based on your internet connection

Purportedly, Facebook won’t keep records on whom people are contacting in WhatsApp, and WhatsApp contacts aren’t shared with Facebook. Given Facebook’s miserable history with our personal privacy, I don’t actually believe that they will limit information sharing to the degree that they promise. I think that this is one of those cases where they will secretly violate our privacy until it is discovered and then ask forgiveness and lean on the fact that we have no legislation protecting us as consumers. But please be aware that if you utilize Facebook, you are already sharing a massive amount of information about yourself and your contacts. WhatsApp may just add another piece of data into your profile.Watch The Social Dilemma on Netflix if you’d like to learn more about how you are being used to power their profits.

Highly Private Messaging Alternatives to WhatsApp

So, while it is mostly a “cosmetic change” to the WhatsApp privacy policy, if you are uncomfortable using it, you may want to consider the following:

    • There are alternative messaging apps, including Signal and Telegram, both of which have seen huge new user sign-ups since the announcement. I personally use Apple Messages (daily communications) and Signal (highly confidential communications).
    • WhatsApp says it clearly labels conversations with businesses that use Facebook’s hosting services. Be on the lookout for those.
    • The feature that allows your shopping activity to be used to display related ads on Facebook and Instagram is optional and when you use it, WhatsApp “will tell you in the app how your data is being shared with Facebook.” Monitor it and opt out.
    • If you don’t want Facebook to target you with more ads based on your WhatsApp communication with businesses, just don’t use that feature.
    • Trust the WhatsApp messaging app as much as you trust Facebook, because ultimately, they are the same company.

John Sileo is a cybersecurity expert, privacy advocate, award-winning author and media personality as seen on 60 Minutes, Anderson Cooper and Fox & Friends. He keynotes conferences virtually and in person around the world. John is the CEO of The Sileo Group, a business think tank based in Colorado

Telemedicine: Are Virtual Doctor Visits a Cyber & Privacy Risk?

The Trump administration has relaxed privacy requirements for telemedicine, or virtual doctor visits: medical staff treating patients over the phone and using video apps such as FaceTime, Zoom, Skype and Google Hangouts. The move raises the chances that hackers will be able to access patient’s highly sensitive medical data, using it, for example, to blackmail the patient into paying a ransom to keep the personal health information (PHI) private.

This relaxation in privacy regulations about telemedicine is necessary, as treating coronavirus patients in quick, safe, virtual ways is a more critical short-term priority than protecting the data. That may sound contradictory coming out of the keyboard of a cybersecurity expert, and that exposes a misconception about how security works.

Security is not about eliminating all risk, because there is no such thing. Security is about prioritizing risk and controlling the most important operations first. Diagnosing and treating patients affected by Covid-19 is a higher priority than keeping every last transmission private.

Put simply, the life of a patient is more important than the patient’s data. With that in mind, protecting the data during transmission and when recordings are stored on the medical practice’s servers is still important.

  • Doctors should utilize audio/video services that provide full encryption between the patient and the medical office during all telemedicine visits
  • If the doctor’s office keeps a copy of the recording, it should be stored and backed up only on encrypted servers
  • Not all employees of the doctor’s office should have the same level of access to telemedicine recordings; all patient data should be protected with user-level access
  • Employees of the doctor’s office should be trained to repel social engineering attacks (mostly by phone and phishing email) to gain access to telemedicine recordings

Telemedicine and virtual doctor visits is just one way that the government is willing to accept increased risks during the pandemic. Many federal employees are also now working remotely, accessing sensitive data, often on personal computers that haven’t been properly protected by cybersecurity experts. This poses an even greater problem than putting patient data at risk, because nearly every government (and corporate) employee is working remotely for the foreseeable future. I will address those concerns in an upcoming post.

In the meantime, stay safe in all ways possible.


About Cybersecurity Keynote Speaker John Sileo

John Sileo is the founder and CEO of The Sileo Group, a privacy and cybersecurity think tank, in Lakewood, Colorado, and an award-winning author, keynote speaker, and expert on technology, surveillance economy, cybersecurity and tech/life balance.

Private Eyes Are Watching You: What it Means to Live (and Be Watched) in the Surveillance Economy

What it is the Surveillance Economy

How do you feel about the fact that Facebook knows your weight, your height, your blood pressure, the dates of your menstrual cycle, when you have sex and maybe even whether you got pregnant? Even when you’re not on Facebook, the company is still tracking you as you move across the internet. It knows what shape you’re in from the exercise patterns on your fitness device, when you open your Ring doorbell app and which articles you check out on YouTube — or more salacious sites. 

Welcome to the surveillance economy — where our personal data and online activity are not only tracked but sold and used to manipulate us. As Shoshana Zuboff, who coined the term surveillance capitalism, recently wrote, “Surveillance capitalism begins by unilaterally staking a claim to private human experience as free raw material for translation into behavioral data. Our lives are rendered as data flows.” In other words, in the vast world of internet commerce, we are the producers and our digital exhaust is the product. 

It didn’t have to be this way. Back when the internet was in its infancy, the government could have regulated the tech companies but instead trusted them to regulate themselves. Over two decades later, we’re just learning about the massive amounts of personal data these tech giants have amassed, but it’s too late to put the genie back in the bottle. 

The game is rigged. We can’t live and compete and communicate without the technology, yet we forfeit all our rights to privacy if we take part. It’s a false choice. In fact, it’s no choice at all. You may delete Facebook and shop at the local mall instead of Amazon, but your TV, fridge, car and even your bed may still be sharing your private data. 

As for self-regulation, companies may pay lip service to a public that is increasingly fed up with the intrusiveness, but big tech and corporate America continue to quietly mine our data. And they have no incentive to reveal how much they’re learning about us. In fact, the more they share the knowledge, the lower their profits go. 

This is one of those distasteful situations where legislation and regulation are the only effective ways to balance the power. Because as individuals, we can’t compete with the knowledge and wallet of Google, Facebook and Amazon. David versus Goliath situations like this were the genesis of government in the first place. But in 2020, can we rely on the government to protect us? 

Unlikely. At least for now. For starters, federal government agencies and local law enforcement use the same technology (including facial recognition software) for collecting data and to track our every move. And unfortunately, those who make up the government are generally among the new knowledge class whose 401Ks directly benefit by keeping quiet while the tech giants grow. Plus, there are some real benefits to ethical uses of the technology (think tracking terrorists), making regulation a difficult beast to tackle. But it’s well worth tackling anyway, just as we’ve done with nuclear submarines and airline safety.

In a recent Pew study, 62% of Americans said it was impossible to go through daily life without companies collecting data about them, and 81% said the risks of companies collecting data outweigh the benefits. The same number said they have little or no control over the data companies collect. 

At some stage, consumers will get fed up and want to take back control from the surveillance economy, and the pendulum will swing, as it already has in Europe, where citizens have a toolbox full of privacy tools to prevent internet tracking, including the right to be forgotten by businesses. Europe’s General Data Protection Rule (GDPR) is a clear reminder that consumers do retain the power, but only if they choose to. It’s not inevitable that our every move and personal data are sold to the highest bidder. We’ve happily signed on, logged in and digitized our way to this point. 

When consumers (that means you) are outraged enough, the government will be forced to step in. Unfortunately, at that point, the regulation is likely to be overly restrictive, and both sides will wish we’d come to some compromise before we wrecked the system. 

In the meantime, you have three basic choices: 

  1. Decrease your digital exhaust by eliminating or limiting the number of social media sites, devices and apps you use. (I know, I know. Not likely.)
  2. Change your privacy and security defaults on each device, app and website that collects your personal information. (More likely. But it takes a time investment and doesn’t fully solve privacy leakage.)
  3. Give in. Some people are willing to bet that a loss of privacy will never come back to haunt them. That’s exactly the level of complacency big tech companies have instilled in us using neuroscience for the past decade.  

Loss of privacy is a slippery slope, and it’s important to take the issue seriously before things get worse. Left unchecked, the private eyes watching your every move could go from tracking your exercise habits and sex life (as if that’s not creepy enough) to meddling with your ability to get health insurance or a mortgage. And suddenly it won’t seem so harmless anymore.


About Cybersecurity Keynote Speaker John Sileo

John Sileo is the founder and CEO of The Sileo Group, a privacy and cybersecurity think tank, in Lakewood, Colorado, and an award-winning author, keynote speaker, and expert on technology, surveillance economy, cybersecurity and tech/life balance.