‘Data Breach’ Articles

Dec 28 2009

Fraud Training: Interrogate the Enemy

1:28 pm

During your fraud training exercises, fostering an attitude of curiosity (or in the corporate world, a culture of curiosity) is the most powerful critical thinking skill in your arsenal of tools to protect sensitive information. Employees who can think critically and ask the right questions regarding data privacy make up the fabric that supports a Culture of Privacy. Interrogation is the art of questioning someone thoroughly and assertively to verify intentions, identities and facts.

Questions: Who’s in Control? Can I Verify? What are my Options? What are the Benefits?

When spies need information, they ask for it. They “socially engineer” or con their victims with a variety of tools.

The primary tool for evaluating risk once your reflexes have been triggered (Hogwash) is to interrogate the person or institution asking for your information. Interrogation is not meant to be about forceful or physical questioning. I define interrogation as clear, aggressive questioning used to establish whom you can trust, how far you can trust them, and with what information.

Sticking with the language of espionage, an Enemy is anyone or anything (including a computer, fax machine, email, letter, etc.) requesting your information, information of someone you know, or information about your organization. It is not designed to make you confrontational or warlike – that is taking the metaphor too far. Once you have established a trusted relationship, you are no longer in enemy territory.


Dec 17 2009

Practice the Privacy Reflex

2:41 pm

The Privacy Reflex
When I am training corporate executives, managers and employees to detect fraud and social engineering (manipulative information-gathering techniques), I take them through what it feels like to be conned. In other words, I actually socially engineer them several times throughout the presentation so that they begin to reflexively sense when more fraud is coming. There is no substitute for experiencing this first hand.

The Trigger—Requests for Identity
Spies are trained to instantly react when anyone asks for information of any kind, whether it is theirs or someone else’s. The trigger, or what causes you to be on high alert, is actually very simple—it is the appearance of your identity in any form (wallet, credit card, tax form, passport, driver’s license, etc.). Anytime someone requests or has access to any of the names, numbers or attributes that make up your identity, or to the paper, plastic, digital or human data where your identity lives, the trigger should trip and sound an alarm in your head.

When your identity is being requested in any way, slow down and ask yourself: Is the risk of giving this piece of identity away in this specific situation worth the benefit?


Oct 14 2009

Employee Background Checks Prevent Data Breach

11:45 am

Great employees are hard to find, but without the right employee background screening process, deceitful candidates are even harder to spot. Hiring dishonest employees puts your sensitive and confidential business information at risk and could cost you millions if stolen or damaged.

According to The Ponemon Institute, an independent research foundation, the average cost of a data breach to a victim corporation is $6.3 million. In 2008, the lowest reported cost of a data breach was $613,000, while the highest was just under $32 million. Given that the average cost per stolen record is $202, one missing laptop with 2,500 customer or employee records on it would come with a data breach recovery bill of half a million dollars. And that doesn’t factor in the loss of stock value, brand damage or customer defection that results from having your breach in the news.

Insider theft, where one of your employees facilitates the breach, is a common source of this crime. And your risk doesn’t go away when your employees do. Over 60% of employees keep sensitive data after they have been terminated, and nearly 80% of them stated that they knew it was against company policy. This includes everything from email lists and customer information to financial business information.


Oct 12 2009

Data Breach Protection: Laptop Theft Best Practices

12:28 pm

Laptop theft and mobile data theft (tape backups, iPhones, BlackBerries, USB drives) account for nearly half of the cases of serious corporate data breach and workplace identity theft. Your corporation’s data breach protection will be significantly improved by educating your staff on the following mobile data best practices:

Before you save sensitive data to any mobile device, it is your responsibility to:

  • Determine if your organization allows you to remove the data in question from the office in the first place. Are you allowed to save that database, Excel file, Word document, customer list, employee record, intellectual capital, etc. on your laptop, thumb drive or other mobile device?
  • Decide if it is absolutely necessary to remove it from the more highly-controlled and secure environment of the office. In many of the major cases of reported data breach, the data stored on the mobile device did not actually need to be there in the first place.
  • Verify that you have been authorized by your supervisor to place a copy on your device. When in doubt, check with your manager, supervisor or privacy officer to determine the correct course of action.
  • Exhaust all other lower-risk alternatives for accessing the data. In many cases, it is possible to utilize a secure remote access connection to access the data so that it never leaves the company premises. You lower your personal liability when you access the data through centralized, highly secure methods.

Oct 07 2009

Workplace Identity Theft: Shredding Best Practices

8:01 am

Workplace identity theft isn’t caused by paper documents because we have gone paperless, right? Rubbish. Paper rubbish, in fact.

You and I both know that we use as much paper as ever. We sign up for electronic statements and then print and file them, along with important emails, financial documents, etc. Paper documents are more plentiful than ever, and they pose a significant risk of workplace identity theft and data breach.

According to a recent study* conducted by the Alliance for Secure Business Information (ASBI):

  • 80% of large organizations surveyed indicated that they had experienced one or more data breaches over the previous 12 months.
  • 49% of those breaches involved the loss or theft of paper documents.
  • The average breach recovery cost $6.3 million!

In other words, most businesses have already been breached and half of the time it was because of paper documents!

Fact: Every day, businesses manage highly confidential information (customer data, employee records, intellectual property), leaving themselves, their employees and customers vulnerable to an extremely costly data breach.

But what many fail to realize is that paper documents pose just as much of a risk to an organization as electronic documents.

Shredding is the most concrete form of identity theft prevention and the only way to help ensure that all confidential information included on paper documents remains just that…confidential.


May 08 2009

Data Breach Speaker: Organized Crime + Vendor Error

9:09 am

Here’s a statistic that’ll get your attention! 285 million records were compromised in 2008, according to a new data breach study from Verizon Business. The report claims that organized crime is responsible for a large increase in the number of breached corporate electronic records.

The report’s breakdown of industries affected by data breach shows that Financial Services was the major gainer in 2008. That industry doubled its percentage of data breaches to 30%, while Retail is still the most affected industry (barely) at 31%. The shift toward data breaches in Financial Services will affect all of us more drastically.

According to the study, which Verizon Business compiled using data from the 90 confirmed corporate network breaches it recorded last year, roughly 93% of all records breached came from the financial sector. The company also says that nine out of every 10 of these breaches involved “groups identified by law enforcement as engaged in organized crime.” Verizon says that the 285 million electronic records breached last year were more than the total number of records breached in the past four years combined. The reason for the sharp increase is that attacks on financial firms’ networks have become more sophisticated and successful, the company says. Although only 17% of the attacks studied by Verizon constituted “highly sophisticated” data breaches, these attacks were responsible for 95% of all records breached. Verizon says that cybercriminals are targeting financial service companies’ networks to get customers’ personal identification number (PIN) information in order to withdraw cash directly from their accounts. Cybercriminals are also selling PIN information on the black market, the company says. Read the full report on data breach. (Scroll down when you see “285”.)


Feb 20 2009

Workplace Identity Theft Economies of Scale

1:26 pm

Identity theft speaker John Sileo on why identity theft is moving into the workplace.

It feels as if there has been a directional shift in the past year regarding the source of data theft. From the stories I hear after every identity theft speech I deliver, the crimes of data theft, identity theft and intellectual property theft are becoming more organized and moving much more into the realm of workplace identity theft and corporate data theft (i.e., it’s happening at work even more than in our homes). The information being stolen is still often consumer-based, but it is being compromised more often at the business level.

I think one factor contributing to this shift into the working environment has been the decline in the value of identity information. The average social security number or bank account number is worth far less on the black data market than it was even a year ago. This means that in order to make large sums of money, the thieves need to increase volume.

Instead of stealing identities one at a time, they are going for mass-data thefts, like the one that hit Heartland Payment Systems a few weeks ago. Naturally, these large thefts tend to involve more technology breach (stolen laptops, sniffed networks, botnets, malware, hacked servers, etc.) because that is where high concentrations of data live. Just like the rest of business, it’s all about economies of scale!


Aug 14 2008

Largest Identity Theft Ring Charged

8:34 am

Are you one of the 200,000,000+ Americans (almost 66% of the US population) who had their identity stolen from TJ Maxx, Marshalls, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 or DSW?

If so, you need to know that 11 people, including a Secret Service informant,
