Locking up sensitive documents is one of the most important and underutilized ways to protect company data. Of the individuals surveyed by the Ponemon Institute, 56 percent state that over 50 percent of their company’s sensitive or confidential information is contained within paper documents. Since 49 percent of all breaches involved paper, locking up what cannot be eliminated or destroyed is essential. To get you firmly into the business mind-set of thinking like a spy, start with this simple three-step classification process:
1. Classification: Set up a classification scheme. For example, you might have four levels of access: public, internal, classified, and top secret.
Public documents are the only documents meant to be seen by outsiders (the public). This might include sales and marketing materials, websites, public filings, and the like.
Internal documents are those appropriate for employees of the company to see, but inappropriate for outsiders. These are generally not high-risk documents, still it’s better to keep them confidential, just in case.
Classified documents are a security risk if the wrong people see them, either internally or externally. Only certain employees and executives would have access to these documents (see step 2). Classified documents might include human resource files,customer lists, product development papers, department financials, strategy frameworks, and so on.
Facebook just added a check-in or location-sharing feature, much like the one provided by FourSquare.com. The feature is designed to accomplish three main tasks:
Help people share where they are in a social context
See which friends are near by
Discover nearby places and new places through friends’ profiles
But, by default, it also allows your friends to tag and publicize your location for you. It’s like being tagged in a photo, except the other person gets to share your location instead of your picture (even if you don’t want others to know where you are, and even if you are not there).
Here are some of the rarely discussed ways that Facebook Places will be used (now or in the future) that you might want to think about before checking in:
Facebook will sell (share) your current location and profile to stores in your vicinity so that they can server you hyper-targeted advertising (e.g., here’s a coupon for the store you are about to enter).
Friends who aren’t actually your friends will be able to check you in to questionable Places even when you are not there (the practical jokes for the Check Friends In feature are limitless)
For businesses, shredding is low-hanging fruit (one of the easiest sources of data breach to eliminate). But businesses are so often focused on electronic forms of data breach that they fail to heed the following statistics highlighted in a recent Ponemon Institute study conducted for the Alliance for Secure Business Information:
More than 50 percent of sensitive business data is still stored on paper documents.
Forty-nine percent of data breaches reported in the survey were the result of paper documents.
Sixty percent of businesses admitted that they didn’t provide the proper tools (e.g., shredders) to safely discard documents that were no longer needed.
The average data breach recovery cost according to this survey was $6.3 million.
If you own a business, make sure to destroy sensitive documents prior to discarding them, to decrease your legal liability. Businesses are required to destroy all consumer information before discarding it in the trash. The Fair & Accurate Credit Transaction Act (FACTA) Disposal Rule states that ‘‘any person who maintains or otherwise possesses consumer information for a business purpose’’ must properly destroy the information prior to disposal. FACTA further states that every person and/or business must take ‘‘reasonable measures’’ to protect against unauthorized access to the use of the information in connection with its disposal… Click Here to Continue.
During a recent 60 Minutes interview, I was asked off camera to name the Achilles’ heel of an entire country’s data security perspective; what exactly were the country’s greatest weaknesses. The country happened to be New Zealand, a forward-thinking nation smart enough to take preventative steps to avoid the identity theft problems we face in the States. The question was revealing, as was the metaphor they applied to the discussion.
Achilles, an ancient Greek superhero — half human, half god — was in the business of war. His only human quality (and therefore his only exploitable weakness) was his heel, which when pierced by a Trojan arrow brought Achilles to the ground, defeated. From this Greek myth, the Achilles’ Heel has come to symbolize a deadly weakness in spite of overall strength; a weakness that can potentially lead to downfall. As I formulated my thoughts in regard to New Zealand, I realized that the same weaknesses are almost universal — applying equally well to nations, corporations and individuals.
Laptop anti-theft, or protecting your mobile data, is a MUST for corporations and consumers. Almost half of workplace identity theft takes place because of mobile data. And the average value of the data on your laptop can be worth hundreds of thousands of dollars to a corporate spy or experienced identity thief. At the higher end of the scale, the value of the 26 million Veteran identities on a laptop lost over a year ago was estimated to be worth more than $100 million. Those are the types of computer security risks that can make your business unprofitable. But there are solutions.
Broken Window Theory: By removing graffiti and repairing broken windows in crime hot-spots throughout New York City, the NYPD was able to drastically reduce the entire city’s overall crime rate (not just the quantity of graffiti and broken windows), including thefts, burglaries, muggings and murders. In other words, certain actions that we take (e.g., focusing on crime hot-spots rather than on every type of crime) can have a disproportionately positive effect on achieving our goal (e.g., lower crime rates). Business translation: you get a far higher return on investment for certain well-planned tactical strikes than you do for far more expensive strategic initiatives.
My point? In the world of workplace identity theft and corporate data breach, laptop computers are the biggest broken window. Not only do laptops account for a disproportionate amount of data theft, but training the organization to properly protect mobile computers has a radiant effect on all other types of identity protection. Good habits in one area breed good habits in others.
Stop the theft of corporate laptops (or personal laptops with corporate data on them) and you have eliminated approximately 50% of the entire data breach problem at a fraction of the security cost.
Laptop theft generally occurs in transit: airports, hotels, cars, commuter trains, conferences, off-site meetings, vacations, coffee shops, etc. Build laptop anti-theft training into your organizational culture of privacy:
Only in California! A Huntington Beach woman used another woman’s identity to pay for breast implants and liposuction. At first glance, it’s a laughable story. But imagine being the woman who has to prove that she wasn’t the augmentation recipient! Remember, with identity theft, you are guilty until you prove yourself innocent. Medical identity theft will take us to new and embarrassing depths in order to prove that we are innocent. It will give new meaning to the phrase “bearing witness”. And it prompts the question of why we don’t have a set of universal rules that govern our personally identifying information?
On a related note, I recently became involved with the Santa Fe Group which published an excellent white paper informally known as the Identity Theft Bill of Rights. Registering for a download of the paper is well worth your time – it does an excellent job of summarizing the identity theft issues that we, as Americans, face in the coming years. It includes discussions about modifying language in HIPAA to protect against medical identity theft crimes similar to and far more serious than the Huntington Beach case.
As our population grows older on the shoulders of the baby boomers, medical identity theft and its cousins will become ever more prevalent and damaging. Help us fight for our identity rights by getting involved. Start by registering for a webinar put on by the Santa Fe Group called:
I am starting to reconsider my opinion that online banking is safer than traditional banking. Primarily because I have been hearing horror stories during some of my identity theft seminars. But now I am seeing it in the mainstream media. Case in point: read this short article in this morning’s USA Today about Hackers Swarming Bank Accounts. I’m open to your opinions, but I feel like the thieves are starting to win. In a YouTube video post I did some time ago about online banking, I suggested that if your computer is well-protected, you are better to bank online.
But lately, it seems like the thieves are a step ahead. What are your thoughts? Have you had any troubles with identity being compromised because of the types of threats discussed in the article?
At the Privacy Project, our success is your nightmare (unless you are my speaking agent).
Business at the Sileo Group and engagements as an identity theft speaker are up 400% compared with the same period last year. I am booked for exactly 4X as many identity theft prevention and privacy leadership speeches in the first quarter of 2009 as I was in 2008; and 2008 brought me more work than I could handle on my own. Some of this is due to an extensive contract with the Department of Defense, but not all of it.
I’m not sharing our success to blow my own horn, though admittedly, it is satisfying to finally share some good news with you after having lost so much to this crime.
I’m sharing because our success gave me cold sweats at 3am this morning.
Why? Because the strength of my business is inversely proportional to the safety of yours. My business is thriving because identity theft is thriving, and that is not my purpose for being in business. I am in the identity theft prevention business to put myself out of a job. When I say it keeps me awake at night, I’m being sincere. At 3am this morning, I spent several hours deciphering the underlying causes responsible for the exploding demand for identity theft speakers… even as the meetings and speaking business has suffered drastically at the hands of the spiraling economy. And then it came to me; I realized that the answer was contained in the question…
I just finished delivering an identity theft speech for the Department of Defense to the Airmen and Women of Eglin Air Force Base in Ft. Walton, Florida. It is the highest honor for me to be able to serve the United States military, who so valiantly and humbly serve every American. Thank you Eglin AFB, and a special thanks to the person who asked me to clarify this question after the speech:
Is LifeLock identity theft monitoring service truly free to military personnel, or is it just for certain personnel?
The Privacy Problem: Thanks to laptops, smart phones, DVDs and a deluge of other data-holding mobile devices, we carry as much sensitive data with us as we keep in our homes and offices. These devices are at a much higher risk of theft when they are in transit.
The Privacy Project: To help you better protect identity-bearing devices while they are being transported and stored in your car (RV, boat, etc.). The solution…
At the Privacy Project, our success is your nightmare (unless you are my speaking agent).
I just finished delivering an identity theft speech for the Department of Defense to the Airmen and Women of Eglin Air Force Base in Ft. Walton, Florida. It is the highest honor for me to be able to serve the United States military, who so valiantly and humbly serve every American. Thank you Eglin AFB, and a special thanks to the person who asked me to clarify this question after the speech:
