Posts

15 Data Security Tips to Protect Your Small Business

Thanks to SmallBusinessComputing.com and Jennifer Schiff for this article!

In August 2010, the Privacy Rights Clearinghouse published its latest Chronology of Data Breaches, which showed that since 2005 more than a half-billion sensitive records have been breached. Of those breached records — which contained such sensitive data as customer credit card or social security numbers — approximately one-fifth came from retailers, merchants and other types of non-financial, non-insurance-related businesses, the majority of which were small to midsized.

An equally scary statistic: approximately 80 percent of small businesses that experience a data breach go bankrupt or suffer severe financial losses within two years of a security breach, according to John Sileo, a professional identity theft consultant and speaker, who knows firsthand about the havoc a security breach can wreak on a small business.

What can a small business owner do to protect her business from a security breach? Small Business Computing spoke with two security and privacy experts and consulted the leading security and privacy sites to find out. The good news: protecting your business from a data security threat is easier than you think. It’s also much cheaper than the physical, financial and emotional cost of repairing one.

Click Here to Continue Reading……

John Sileo speaks professionally about social media exposure, identity theft and cyber crime for the Department of Defense, Fortune 1000 companies and any organization that wants to protect the profitability of their private information. Contact him directly on 800.258.8076 or visit his financial speaker’s website.

Identity Theft's Latest Victim? Your Business.

,

Latest Identity Theft Trend is Stealing Your Business’s Identity to Falsify Accounts

In the past two weeks, I have been contacted separately by two local business owners to share how their business identity has been stolen and used to set up accounts with various companies on which thousands of dollars are charged and they (the actual owners) are left to pay the bills. There are no identity theft statistics on this type of crime, but I am certain that it is just coming onto the trend radar. In further proof that this is becoming a major problem for corporations, the Denver Post ran an article this morning titled “Corporate ID Thieves Mining the Store“.

Here’s how this incredibly easy form of business identity theft works:

  1. A thief scours the internet for your company information (Facebook is usually a good place to start, as is your local Secretary of State’s website). They are particularly interested in bids for government contracts, as they often contain a sample of your letterhead as well as your pertinent business information. If they can obtain the Federal ID# of your businesses, they have even more ammo to defraud you.
  2. Business name in hand, the thief logs on to your local Secretary of State’s website (the agency generally responsible for registering corporations and maintaining databases on corporations) and pays a small fee ($10) to alter the name of a corporate officer or the address of a company’s registered agent on public records. I would imagine that they generally register an identity stolen from another individual in order to cover their tracks further. In most states, there is no password to protect your official business filings from unauthorized users and changes. In Colorado, according to the Denver Post article mentioned above, officials say that “putting password protection on corporate data — where only a business owner or representative can make changes — is prohibitively expensive.”

    “In other words, the State of Colorado provides less protection for your corporate data than the average online dating service.”

  3. Now that the imposter is a “corporate officer” of your business with full authority to act on behalf of your corporation, the thief applies for a credit account in your business’s name, generally at a large national retailer (Home Depot, Lowes, AT&T, Sprint and Verizon see to be the top choices). If necessary, they use your poached letterhead to facilitate the process of setting up the account.
  4. The retailer, before extending credit, verifies with Dun & Bradstreet that you are in fact an official officer of the corporation. And where does Dun & Bradstreet get its information about your business? From the Secretary of State’s office, the very source of your illegally modified information. In other words, all parties in the process are relying upon falsified source data that remains unprotected on government websites.
  5. Using the newly established business account with terms (i.e., the thief doesn’t have to pay for what they buy, it is invoiced to the company for payment at a later date), the thief makes large purchase of equipment of services, often worth tens of thousands of dollars.
  6. Equipment in hand, the thief leaves the store never to be seen again. Your business, of course, receives the bill, and begins the arduous, time consuming and expensive process of proving that you never made the purchase, a difficult task given that the account was established by what the retailer considers to be a legitimate officer of your corporation.

Far fetched? Not at all. The problem is compounded by the fact that sales associates at many national retailers receive incentive bonuses for every sale they make. Why wouldn’t they push the sale of 50 mobile phones through the system when they receive a large commission to do so. It’s much easier than selling one handset at a time.

Both actual cases I worked with involved phone companies, and each business owner has struggled desperately to prove that they did not make the purchase and do not owe on the account. In one of the cases, the business in question already had an account established with the phone company – same company name, address, phone number, etc. – and the phone company failed to ask any questions as to why they would want a second account. In many of the cases, the thieves use the same stolen business identity over and over again in different cities (rarely do they even shop in your actual city), causing the owner untold hours of time repairing their damaged Dun & Bradstreet ratings, fighting with collection agencies and sitting on hold trying to explain to large corporations that don’t have any incentive to believe what you are saying.

In a spiraling economy, taking your eye off the ball can mean you lose the game. In the meantime, you can take these steps to being affecting change and protecting your valuable business data:

  1. Contact your local Secretary of State’s Office and encourage them to resolve the issue as quickly as possible. You just might be the first person to let them know that this problem exists. At minimum, ask them to begin protecting your corporate data with a password that only the verified and legitimate corporate officers of your corporation can access.
  2. Review your corporate filing with the Secretary of State’s Office regularly to make sure that there is no altered or false information in their database. If there is, contact them immediately.
  3. While in your corporations’ listing on the Secretary of State’s website, make sure that you set up any security measures they have provided. For example, if they have email alerts anytime your profile changes, make sure you take them up on it and have a current email address in the profile. This will send you an alert anytime someone changes your file.
  4. Monitor your Dun & Bradstreet account regularly to make sure that no liens or encumbrances have been placed on your credit profile. If there is incorrect or unrecognizable data on your report, contact D&B’s fraud department immediately at 1.800.234.3867.
  5. Set up a Google Alert for your corporation’s official name, TIN and any DBAs to monitor unexpected internet activity on behalf of your organization.
  6. If you are a contract-based vendor, include a clause in your contract prohibiting the publication of your TIN/EIN/SSN in any electronic or internet form without your prior written consent.
  7. Protect your TIN, letterhead and company information as if it were currency, because it is.

Check back over the next few days for information on how to recover from this crime if you are a victim.

John Sileo speaks professionally to organizations that wish to avoid the costs associated with identity theft, data breach, social media exposure and insider theft. His satisfied clients include the Department of Defense, Blue Cross Blue Shield, the FDIC, Pfizer and hundreds of corporations of all sizes. Learn more about his entertaining and effective presentations on identity theft, data breach and fraud training or contact him directly on 800.258.8076.

Business Identity Theft Radio Interview, Part II

,

John recently did a second radio interview on business identity theft for New Construction Strategies hosted by Ted Garrison. The construction industry, like most industries, battles with data theft on a daily basis. Insider theft, cyber crimes, social networking exposure – these are just a few of the areas that businesses need to defend against in the information economy. Listen to the interview to learn more.

“Privacy Means Profit” John Sileo with Ted Garrison

Data breach, identify theft, and corporate espionage can cause huge damage if you don’t stop them upfront because the impact goes right to your bottom line.  “We spend thousands of dollars on our computers but we don’t necessarily put the money into protecting the data that is on them,” reports identity theft expert John Sileo. Listen Sileo explain how this can destroy your company and how to prevent this disaster.

LISTEN NOW

Business Identity Theft Radio Interview, Part I

,

John recently did a radio interview on business identity theft for New Construction Strategies hosted by Ted Garrison. The construction industry, like most industries, battles with data theft on a daily basis. Insider theft, cyber crimes, social networking exposure – these are just a few of the areas that businesses need to defend against in the information economy. Listen to the interview to learn more.

“DODGING THE HIT FROM IDENTITY THEFT: WHY YOU SHOULD CARE”
John Sileo with Ted Garrison

Data breach, identify theft, and corporate espionage can cause huge damage if you don’t stop them upfront because the impact goes right to your bottom line. Listen to John Sileo, author of Stolen Lives, describe the horrors of not protecting yourself as well as what you must do to protect yourself.

LISTEN NOW


FTC Red Flags Rule: Is Your Business Ready?

, ,

FTC Red Flags Rule Goes into Effect June 1st, 2010

The FTC  will begin enforcing the Red Flag Rule on June 1st, which states that certain businesses and creditors must help fight identity theft as well as create an identity theft prevention plan. This applies to a very broad class of businesses: those defined as “financial institutions” and those that extend any type of credit to their customers.

In other words, if you don’t receive cash the moment you deliver your product or service to your customer, your business most likely falls under the umbrella of the Red Flags Rule. If you do any billing after the fact (i.e., accounts receivable), you are considered a creditor, and therefore in the group of companies governed by Red Flags.

This includes:

  • Any Business that Extends Credit
  • All Banks
  • Most Brokerage Firms
  • Credit Card Companies
  • Mortgage Lenders
  • Non Traditional lenders (utilities, dealerships, health care providers)

Building an Identity Theft Prevention Plan

According to the FTC, the identity theft prevention plan consists of four main parts:

  1. Identification: The plan needs to provide a process to identify patterns, activities or transactions (i.e. red flags, hence the name) that appear to be leading to identity theft.
  2. Detection: The plan needs to specifically call out processes and procedures that will be used to detect the previously defined red flags.
  3. Response: The plan needs to include a process of responding to red flags as they are detected.
  4. Revision: The plan should specify the process the organization will use to periodically update sections 1-3 as the threat landscape changes

The plan must cover how your organization will ensure that any company to which you are outsourcing to will be compliant. Every organization’s senior employees or board of directors must approve the initial plan and train the appropriate employees.

The FTC has also identified five main categories that an organization’s Red Flags might fall under. They are:

  1. Alerts, notifications, or warnings from a consumer reporting agency.
  2. Suspicious documents.
  3. Suspicious personally identifying information (PII).
  4. Suspicious activity relating to a covered account.
  5. Notices from customers, victims of identity theft, law enforcement authorities, or other entities about possible identity theft in connection with covered accounts.

As with any new plan or program there will be bumps in the road. The FTC won’t be actively auditing organizations, but it will be investigating on the basis of reported issues, and the costs of being found non-compliant can be staggering.  Since most older and more mature organizations already have an Identity Theft Prevention Program in place, it won’t be a huge change. We have already begun to see a connection between the Red Flags Rule and a decrease in the ease with which identities are stolen out of businesses. Hopefully, this trend will continue.

In the meantime, you should get started on designing and implementing your identity theft prevention plan. For help understanding the process and other privacy issues that your and your business face, attend the Privacy Survival Boot Camp for Small Businesses hosted by John Sileo, America’s Top Identity Theft Expert.

_______________________________________________________________________

Bulletproof Your Business Against Data Breach, Identity Theft, and Corporate Espionage

Join John September 17th in Denver, Colorado for his Privacy Survival Boot Camp for Businesses. You will walk away with the Privacy Best Practices Kit:

  • John Sileo’s latest book, Privacy Means Profit
  • A Sample Privacy Policy to guide you through creating your own
  • Guidelines for establishing Social Networking Best Practices
  • A Mobile Data Protection Checklist for your laptop, smart phone, etc.
  • An Action List for Implementing Red Flags Rule compliance

Seats are going fast so don’t miss this opportunity to learn first-hand how to immediately protect your profits!


Uncovering Business Identity Theft

,

While the majority of identity theft schemes prey upon individuals, small-businesses and organizations are increasingly becoming targets. Business identity theft is a serious threat, but it mostly flies under the radar simply because companies are embarrassed to discuss.

Although most companies are protected by copyright, patent and trademark laws, smaller companies lack the higher IT security measures that large companies have. According to recent studies by Javelin Strategy & Research this makes them 25% more likely to be victims of business identity theft over larger businesses.  Not only do small businesses and business owners typically have larger lines of credit open than an individual, but they are unlikely to detect the fraud for six to eight months making them a prime target.

Business Identity has not been completely defined yet, but it definitely has been stolen. California has become the leader in offering identity rights to organizations and in 2006 they expanded the definition of ‘person’ in identity theft laws to include associations, organizations, partnerships, businesses, trusts, companies, and corporations. These types of amended laws have proved to deter business identity theft and provide greater assistance to those companies that have been hit.

Most commonly criminals assume the name of a business, rent out office space in the same building and order everything from corporate credit cards to hundreds of computers and equipment. In one instance the culprit billed a law firm for $70,000 in purchased equipment, hired a moving truck and disappeared from the building before the fraud was ever detected.  This has been not only costly, but timely. If businesses had the same protection as individuals this would have been quickly resolved and the victims would have moved on. Credit card companies have also followed suit and began to remove the distinction between business identity theft and individual identity theft.

The lack of publicity on this type of Identity theft is solely due to a lack of reporting by companies. Businesses are required by federal law to notify consumers who’s personal information has been hijacked, but not if their businesses identity has been stolen. In order to save face, most business owners would rather not own up to such a breach to avoid looking like the pawn in a criminals scheme. Without incentives and assistance to a company who has experienced this type of transgression there is little reason for them to come forward.

Until businesses and their owners come forward to help uncover business identity theft there will be less laws in place to deter criminals and small businesses will remain vulnerable.

For more information on this issue check out BusinessWeek.

John Sileo provides identity theft training to human resource departments and organizations around the country. His clients include the Department of Defense, Pfizer and the FDIC. To learn more about having him speak at your next meeting or conference, contact him by email or on 800.258.8076.



Biometric Identity Theft: Stolen Fingerprints

,

Identity Theft is a huge and growing problem. According to the recent 2009 Identity Theft Fraud report by Javelin Strategy & Research, victims increased 22% in 2008 to 9.9 million. When businesses are involved, the companies face billions of dollars in theft, millions of dollars in fines and, perhaps most important, the loss of customer trust.

The large impact that identity theft has on individuals lives and corporations’ bottom lines has made inexpensive biometrics look attractive for authenticating employees, customers, citizens, students and any other people we want to recognize. The most recent debate is on whether the pros outweigh the cons. (To see some of the materials that influenced this article, please visit George Tillmann’s excellent article in Computerworld).

fingerprintBiometrics uses physical characteristics, such as fingerprints, DNA, or retinal patterns to positively verify individuals. These biological identifiers are electronically converted to a string of ones and zeros and stored on file in the authenticator database.

[intlink id=”899″ type=”post”]Biometric Statistics[/intlink]

The downside or weakness of biometrics is that the risk of data breach remains relatively the same. Just as a credit card number can be stolen, the numbers that make up your biometrics and are stored in a database can be stolen.  It may take longer for thieves to understand how to use these new pieces of information, but they will eventually be used.

Ultimately, this could be more dangerous than having your ATM PIN, credit card number, or Social Security Number stolen, and it will take longer to clear up.  In a worst-case-scenario, someone inside of the biometric database company could attach their fingerprint to your record — and suddenly they are you. The reverse is also true, where they put your fingerprint in their profile so that if they are convicted of a crime, the proof of criminality is attached to your finger.

What will stop thieves from electronically sending your stolen fingerprints to your bank to confirm that you really do want to clean out your bank account through an ATM in Islamabad? Fingerprints, when stored in a database, are nothing more than long strings of numbers. What will you do when your digitized fingerprints wind up on a government No-Fly list? If you think it takes forever to board a plane now, wait until every law enforcement agency in the free world has your fingerprints on file as a suspected thief or, worse, a terrorist.

The reality is that biometrics could be a great alternative to securing one’s identity – and they are quickly becoming a part of every day identification.  But we can’t go forward into the new world of biometrics thinking that it solves all of our problems. Like the “security codes” on the back of our credit cards, like the two forms of authentication required for most banks, like wireless encryption standards – thieves eventually find work-arounds. And so too will they work around biometrics. If we implement biometrics without doing our due diligence on protecting the identity, we are doomed to repeat history — and our thumbprint will become just another Social Security Number.

John Sileo became America’s leading Identity Theft Speaker & Expert after he lost his business and more than $300,000 to identity theft and data breach. His clients include the Department of Defense, Pfizer and the FDIC. Contact John directly on 800.258.8076.

Follow John on: Twitter, YouTube, Facebook.