
Higher Education Features Cyber Security Expert John Sileo

Universities perfect learning environment for data security

Higher-education organizations are among the highest-risk groups for identity theft and data breach. Because students are relative “beginners” when it comes to personal finances, because university environments are predicated on trust and credibility, and because of the recent progress towards a mobile-centric, social-networking-dominated campus, higher education’s digital footprint is constantly exposed to manipulation.


“The most engaging speaker I’ve ever heard – period.” – Debbie Bumpous, NSU Chief Information Technology Officer, speaking about John Sileo

“John Sileo was the secret sauce in launching our cyber security awareness program” – University of Massachusetts Director of IT

Universities are 357X more likely to be affected by data breach than the average organization. High-profile cases, some of which ended in class action lawsuits against the breached university, include the University of Nebraska (650,000 breached records at an estimated cost of $92 million), UCLA, Auburn, Delaware, and Texas. Data theft is bad for students, time consuming for the administration and a public relations nightmare for the university. John Sileo knows their pain firsthand, as he is generally the person contacted by universities after they have been breached.

Video: watch John help a university prevent data theft before it happens

Universities Have a Distinct Advantage in the Fight for Data Privacy

There is genuinely optimistic news amidst the gloom and doom. Because of their teaching facilities, their communication channels and their understanding of pedagogy, universities small and large are uniquely equipped to train campus-wide on the simple steps to keep private data secure before it is breached. But it takes the right speaker to introduce security in such a way that it connects with a mixed audience: student and faculty, young and wise, technologically oriented and digitally challenged.

John Sileo sets the standard for presentations that get students, faculty and administrators to emotionally connect to the critical nature of privacy, security and identity protection. Using his own personal story of identity theft, John interacts with your audience to gain “buy in” to the increasing importance of securing identity in a mobile-driven, social-media-dominated world.

“If the presentation is boring or overly technical, the campus won’t listen, won’t learn. John is anything but boring…”

Video: Hear what university leaders have to say about John’s ability to make it personal

John has spoken extensively for other universities to increase awareness of privacy, security and identity. Unfortunately, he’s usually brought in AFTER THE BREACH and asked to sign confidentiality agreements that don’t allow him to disclose his work with the university. And if there is someone who respects his clients’ right to privacy and confidentiality when requested, John is it. We can say that John has worked with top-ranked universities in California, Colorado, Connecticut, Massachusetts, Maryland, South Dakota, Nebraska, Florida, New York, Pennsylvania, Washington D.C., Utah, Wyoming and Virginia. We hope that your university/fraternity/organization chooses to proactively address the problem like those public references listed below:

Listen to what Universities have to say about John’s presentations

“Your presentation had the audience engaged from the first moment you started speaking. Data security is so often such a dry topic that it can be very challenging to get our users to listen to anything we have to say (let alone to show up). Your personal stories were both heart wrenching and thought provoking, and they provided an important backdrop for the lessons you were teaching. And you did all of this with humility, and a wonderful sense of humor, that captured the audience’s attention. When people were leaving the event, many told me it was the best presentation they had ever seen and it was unanimous that it was time well spent.”

— Donna Volpe Strouse, Information Security Officer, Wellesley College

“John’s presentation was excellent. He has a unique and skilled way of connecting with the audience and relating personal security to university security initiatives.”

“Felt like a knowledgeable friend grabbed me by the shoulders, slowed me down and saved me from getting into trouble.”

“Engaging and entertaining delivery of what is typically a dry topic – it makes the message stick.”

“Compelling, persuasive, intelligent, common sense and passionate presentation that opens your eyes. Funny too!”

— Various CIO Coordinators and Attendees at the Six University of Massachusetts Campuses

“The most engaging speaker I’ve ever heard – period. As part of a campus-wide cyber-security awareness program, Northern State University hosted John Sileo on our campus. John’s presentation was the culmination of a month-long awareness campaign for faculty, staff and students and part of the National Cyber-Security Awareness Month. The presentation itself was of the highest caliber. John personally catered the content of his presentation to our unique and diverse audience members. John is an incredibly motivational presenter that can speak directly to any audience, of any age. Throughout his presentation, he actively engaged members of the audience, capturing and holding their attention. This engagement brought a personal touch to the presentation and underscored the importance of his message. I would highly recommend John Sileo as a presenter or guest speaker. His expertise, friendliness, and professionalism are exemplary.”

— Debbi Bumpous, Chief Information Technology Officer, Northern State University

The Delta Gamma Foundation is the heart of the Delta Gamma Fraternity… One of the most successful programs we offer our collegiate and alumnae members is our Lectureship in Values and Ethics. Now present on 15 campuses throughout the United States (with 4 more Delta Gamma chapters in the process of completing their lectureship), our lectureship series has featured such nationally acclaimed speakers as Colin Powell, Queen Noor, Maya Angelou, Barbara Bush, Gerald Ford, Jeff Probst and many more.

On June 18, 2010, at our 64th biennial Convention in Denver, CO, the Delta Gamma Foundation sponsored our Convention Lectureship in Values and Ethics. This lectureship is very special because it is presented to the entire Convention body. Our guest speaker was John D. Sileo who spoke on identity theft prevention… John captivated an audience of 900 ranging in age from 19 to 90, telling his personal story of identity theft and educating all of us to intellectually understand the importance of one’s privacy. John is a story teller who tells a compelling story with humor, intrigue and ongoing audience interaction. The presentation was outstanding.

Delta Gamma continues to receive positive feedback on John’s presentation and performance. On behalf of the Delta Gamma Foundation, we would strongly recommend John for any audience of any age. His story needs to be told and shared.

— Roxanne LaMuth, Delta Gamma Foundation


John Sileo is the real deal. He speaks because he has something to say, but also because he is interested in his audience! If you host speakers, do yourself a favor and hire John… he will remind you of all that is good about offering a speaker to an audience.

— Loree MacNeill, Chadron State College

WordPress a new target in latest online data security threat

Do you manage a blog or company site powered by WordPress? If so, your online data security may be in jeopardy.

Any popular site for hosting content is a natural magnet for the devious intentions of hackers. WordPress is free and easy to use, and its popularity has made it a victim of security breaches before.

In the most recent case, the culprit seems to be a botnet – a collection of internet-connected programs communicating with other similar programs in order to perform tasks. This botnet preys on the careless and naive by targeting any site whose login username is “admin” or another default-sounding name, and by guessing passwords. It goes to show that when it comes to crafting your digital identity, applying even the basic computer habits taught to kids in elementary school these days can help protect your rights and information.

I know, I know: it’s hard to imagine that people still fail to use such basic safeguards as strong user names and passwords. Believe it or not, failure to do this has allowed hackers to compromise thousands of accounts and computers. And once your site is hacked, it stays hacked: it joins the botnet and is used to aid future attacks. Though there are ways to deal with breaches after the damage is done, the best method is still to take preventative measures to safeguard your online data security beforehand.

Solving WordPress Online Data Security Threat

In some cases, the site can be your friend on this. WordPress founder Matt Mullenweg addressed this in his blog. He offered these basic pieces of advice:

  • If you still use “admin” as a username on your blog, change it
  • Use a strong password
  • If you’re on WP.com, turn on two-factor authentication
  • Make sure you’re up-to-date on the latest version of WordPress

Taking some simple steps and remembering the basics will help ensure that you’re not the next target when hackers set their sights on a service you use.
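As an added illustration (not code from the original post, nor anything shipped by WordPress), the following Python script shows how a site owner could spot the kind of password-guessing described above in ordinary web server access logs: it counts failed POSTs to /wp-login.php per source address inside a sliding time window and reports addresses that exceed a threshold. The log lines, IP addresses, threshold and window length are constructed assumptions. The status-code logic relies on stock WordPress answering a failed login with an HTTP 200 (the form is redrawn with an error) and a successful one with a 302 redirect.

```python
"""Detect WordPress login brute-forcing from web server access logs (added example).

Flags source IPs that make more than THRESHOLD failed POSTs to /wp-login.php
within WINDOW seconds. The log lines below are constructed samples in the
common "combined" access-log format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines: one legitimate login (302 on success) and one
# address hammering the login form (200 = form redrawn after a failed guess).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2013:08:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:08:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Apr/2013:08:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "-"
198.51.100.23 - - [10/Apr/2013:08:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "-"
198.51.100.23 - - [10/Apr/2013:08:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "-"
198.51.100.23 - - [10/Apr/2013:08:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "-"
198.51.100.23 - - [10/Apr/2013:08:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "-"
198.51.100.23 - - [10/Apr/2013:08:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "-"
198.51.100.23 - - [10/Apr/2013:08:45:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    path = m.group("path").split("?")[0]          # ignore any query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def find_bruteforce_sources(log_text, threshold=5, window_seconds=60):
    """Return {ip: peak failed attempts seen in any window} for IPs over the threshold.

    Only POST requests to /wp-login.php that came back with 200 are counted;
    a 302 means the login succeeded and is not a failed guess.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failed POSTs still inside the window
    peak = defaultdict(int)       # ip -> largest window count observed
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != "/wp-login.php" or status != 200:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # expire old attempts
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


if __name__ == "__main__":
    for ip, count in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed wp-login.php POSTs within 60s")
```

Run against a real log, the same function is the basis for a block rule or an alert; the 302-versus-200 distinction is what keeps an administrator’s own successful logins from being counted.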

John Sileo is an online data security expert and keynote speaker on identity theft, reputation protection and digital privacy. His clients have included the Department of Defense, Pfizer, and Homeland Security. See his recent media appearances on 60 Minutes, Anderson Cooper and Fox Business.

User Distrust at Heart of Facebook Troubles


Satisfaction with social-networking powerhouse Facebook has slumped, according to the latest survey from the American Customer Satisfaction Index — hitting a new record-low score in the social media category that placed it in the five lowest-scoring companies out of more than 230 surveyed. There are several immediate factors that undermine user trust:

  • Inconsistency. Facebook’s user interface changes constantly (think Timeline) and this inconsistency leaves users feeling like they don’t know what to expect next from the social media site. Consistency builds trust, but Mark Zuckerberg doesn’t seem to have much vision for consistency.
  • Lack of Transparency. The average user has very little comfort with or knowledge about how Facebook is collecting, analyzing, using and selling their personal data. While Facebook has a range of privacy and security settings, most users still don’t comprehend the enormity of the information that Facebook collects on them. This lack of transparency leaves users with a bad taste in their mouth, like they are being cleverly deceived for the sake of profit.

Facebook is staring down some potentially unnerving obstacles when it comes to key areas of monetization and growth: public distrust and display ad apathy.

Look at these highly revealing statistics:

  • 59% of Facebook users said that they had little to no trust in Facebook to keep their information private according to a recent AP-CNBC poll.
  • Despite these ongoing concerns, the number of users continues to increase. Facebook has grown to 900+ million monthly active users worldwide. This paradox (that Facebook continues to add users even though most of us don’t trust them), suggests a level of reliance bordering on addiction.
  • 54% of Facebook users say they would not trust the platform for financial transactions such as purchasing goods or services.
  • 83% of Facebook users say they never, or rarely ever, click ads or other sponsored content when they use the site.

Facebook is facing a crisis of trust. For now, they are masking it well and continuing to grow – unless, that is, you judge their success by revenue rather than by users.

John Sileo is an award-winning author and data security speaker on social media over exposure. He is CEO of The Sileo Group, which advises organizations on privacy strategy, data security and fraud prevention. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation or watch him on Anderson Cooper, 60 Minutes or Fox Business. 1.800.258.8076.

7 Data Theft Hotspots for Meeting Professionals


Everybody wants your data, especially when you are in the business of meetings. Your data doesn’t just have a high face value (e.g., the attendee data, including credit card numbers, that you collect and store in your online registration system), it also has a high resale value.

Here is how the theft is most often committed in your industry:

  • Competitors hire one of your employees and they leave with a thumb drive full of confidential files, including client lists, personally identifying information on talent and employees, financial performance data, etc.
  • Social engineers (con artists) mine your employees’ Facebook profiles to gain a heightened level of trust, which allows them to manipulate your human assets.
  • Cyber criminals hack your lax computer network or sniff the unprotected wireless connections you and your employees use while traveling (Starbucks, hotels, airports).
  • Mobile Computing Thieves target your digital devices (Laptop, smartphone, tablet) and other weak points while on the road.
  • Opportunistic Vendors (Cleaning services, painters, landlords) quietly collect data assets from your desks, filing cabinets, trash cans and dumpsters when you aren’t even in the office.

Research is screaming at us—more than 80% of businesses surveyed have already experienced at least one breach (average recovery cost according to the Ponemon Institute: $7.2 million) and have no idea of how to stop a repeat performance.

A Quick and Dirty Way to Calculate Your Risk as a Meeting Professional

Here is a quick ROI formula for your risk: take the number of attendees, employees and executives for whom you store any one of the following pieces of sensitive identity – name, address, email, credit card number, SSN, TIN, phone number – and multiply that by $240 (the industry average per record of lost data). So, if you have identifying information on 1,000 individuals, your out-of-pocket expenses (breach recovery, notification, lawsuits, etc.) are estimated at $240,000, even if you don’t lose a single SSN or TIN. That is not a guess; those are real numbers.

As agencies that already stretch every resource to the limit just to stay in the game, you need to do more with less. I can’t possibly give you all of the answers to protecting your bureau or management company in a simple article, but I’d like to share 7 Data Theft Hotspots that you should address first.

  1. Start with the humans. One of the costliest data security mistakes I see departments make is thinking that this is a problem for large businesses only. It is a big problem for large businesses, but data theft is far more damaging to governmental organizations because of the increased regulation and legal scrutiny. Strategy: Give your people the tools to protect themselves personally from identity theft. In addition to showing them that you care (a good employee retention strategy), you are developing a privacy language that can be applied at work without spending all kinds of money on a security risk assessment. Once they understand opting out, encryption and identity monitoring from a personal standpoint, it’s a short leap to apply that to your attendee databases and intellectual property. You can do this in very simple, inexpensive ways. While this doesn’t necessarily train them on the specific tools to protect your bureau’s intellectual capital and customer data, it does increase their awareness of data theft and shows them that their self-interest is involved (i.e., their job depends on it). To get them started on protecting themselves, you are welcome to use this free Identity Theft Prevention Checklist.
  2. Immunize against social engineering. The root cause of most data loss in professional services companies like yours is not technology; it’s a human being who makes a costly miscalculation out of fear, obligation, confusion, bribery or a sense of urgency. Social engineering is the craft of manipulating information out of you or your staff by pushing buttons that elicit automatic responses. Data thieves push these buttons for highly profitable ends, including spear-phishing, social networking fraud, unauthorized building access, and computer hacking. Strategy: Immunize your employees against social engineering. First, when asked for information, they should immediately apply a healthy dose of professional skepticism (Hogwash!). Train them to automatically assume that the requestor is a spy of some sort. Second, teach them to take control of the situation. If they didn’t initiate the transfer of information (e.g., the credit card company called you, not vice versa), have them stop and think before they share. Finally, during this moment of hesitation, empower them to ask a series of aggressive questions aimed at exposing fraud. This is the key – getting them to be curious in the face of a request for sensitive information. These are some of the materials that I went through in an abbreviated fashion during IASB, but you can communicate them just as well as I can.
  3. Stop broadcasting your digital data. There are two main sources of wireless data leakage in the meeting professional’s world: the weakly encrypted wireless router in your office and the unprotected wireless connection you use to access the Internet in an airport, hotel or café. Both connections are constantly sniffed for unencrypted data being sent from your computer to the web. Strategy: Stop trying to keep your computer and network security in-house and inexpensive – it is part of the cost of owning all of that processing power. Have a security professional configure the wireless router in your office to use WPA2 encryption or better. If possible, implement MAC address filtering and hide your SSID. Don’t try to do this yourself. Instead, just hand a qualified technician this paragraph and continue to do what you do best (booking me!) while she earns your wisely spent dollars. While she’s there, have her do a security audit of your network, including firewall penetration testing, password strength, user-level access permissions, etc.
Another major source of data theft (especially in the meetings industry) is Wi-Fi hotspot usage. Most free hotspots do little to protect the data that you transmit over the wireless network. In fact, many home and company wireless networks are not set up to provide a secure connection to the Internet and are therefore no safer than those you access for free in cafés, airports and hotels. Just say no to free Wi-Fi hotspots, on your phone and your laptop. The most common form of exploitation associated with hotspots is the “man-in-the-middle” attack, where a spy intercepts the transmission between your wireless network card and the café’s wireless router or modem. Using a legal, free and simple-to-use tool like Firesheep, a thief (or competitor, law enforcement, etc.) can sit next to you in a café and “sniff” your connections.
Luckily, your smartphone can provide a proactive way to protect your connection to the Internet when surfing wirelessly. Strategy: Tethering connects your computer to the Internet through a smartphone (or Internet-enabled cell phone). It increases security because the mobile transmission between your phone and the cell tower is encrypted (scrambled) and hard to intercept. Therefore, when you use your smartphone to surf the web, you are accessing a protected connection that probably can’t be sniffed. The connection might be slightly slower than a traditional Wi-Fi hotspot, but it is also much safer. Simply call your wireless provider and ask whether your smartphone has tethering capabilities. You shouldn’t have to pay more than about $15 per month to put this solution into effect. Remember to do it for all company smartphones as well.
  4. Eliminate the inside spy. Chances are you don’t always perform a very serious background check before hiring a new employee. That is short-sighted, as most of the worst data theft ends up being an “inside job” where a dishonest employee siphons information out the back door when no one is looking. Many employees who are dishonest now were also dishonest in the past, which is why they no longer work for their former employer. Strategy: Invest in a comprehensive background check before you hire rather than spending many times that amount cleaning up after a thief steals valuable data assets. Follow up on the prospect’s references and ask for some that aren’t on the application. Investigating someone’s background will give you the knowledge necessary to let your gut-level instinct go to work and will discourage dishonest applicants from going further in the process. Finally, make sure that the prospect you are employing knows that you are going to these lengths to check them out. Most people who are trying to gain employment in order to defraud you are scared away when they know you are investigating them.
  5. Don’t let your mobile data walk away. In the most trusted research studies, 36-50% of all major data breaches originate with the loss of a laptop or mobile computing device (smartphone, etc.). Mobility, then, is a double-edged sword; but it’s a sword that we’re probably not going to give up easily in the high-travel world of the bureau and meetings industry. Strategy: Use the security professional mentioned above to implement strong passwords, whole-disk encryption and remote data wiping capabilities. Set your screen saver to engage after 5 minutes of inactivity and check the box that requires you to enter your password on resume. This will help keep unwanted users out of your system. Finally, lock this goldmine of data down when you aren’t using it. Either carry the computer on your person in a backpack, store it in the hotel room safe, or lock it in an office or fire safe when not using it. Physical security is the most overlooked, most effective form of protection, and for people who travel as much as you do, it’s a major risk.
  6. Spend a day in your dumpster. You have probably already purchased at least one shredder to destroy sensitive documents before they are thrown out. The problem tends to be that no one in the business uses it consistently. Strategy: Take a day to pretend that you are your fiercest competitor and sort through all of the trash going out your door for sensitive documents. Do you find old W9s, invoices, credit card receipts, bank statements, customer lists, trade secrets, employee records or otherwise compromising information? It’s not uncommon to find these sources of data theft, and parading them before your staff is a great way to drive the importance of privacy home. If your employees know that you conduct occasional “dumpster audits” to see what company intelligence they are unsafely throwing away, they will think twice about failing to shred the next document. Also, check to make sure that these same documents are locked in a filing cabinet, safe or password-protected electronic format.
  7. Anticipate the clouds. Cloud computing (storing your data on other people’s servers) is quickly becoming a major threat to the security of organizational data. Whether an employee is posting sensitive attendee info on their Facebook page (which Facebook has the right to distribute as it sees fit) or you are storing meetings data in a poorly protected, non-compliant server farm, you will ultimately be held responsible when that data is breached. Strategy: Spend a few minutes evaluating your business’s use of cloud computing by asking these questions: Do you understand the cloud service provider’s privacy policy (e.g., that the government reserves the right to subpoena your Gmail messages for use in a court of law)? Do you agree to transfer ownership or control of rights in any way when you accept the provider’s terms of service (which you do every time you log into the service)? What happens if the cloud provider (Salesforce.com, Google Apps) goes out of business or is bought out? Is your data stored locally, or in another country that would be interested in stealing your secrets (China, Iran, Russia)? Are you violating any compliance laws by hosting customer data on servers that you don’t own and, ultimately, don’t control?

This is a very quick overview of some of the risks that I see as most pressing for meeting professionals. Here’s the good news… your espionage and data theft countermeasures don’t need to be sophisticated or expensive to be effective. Targeting the hotspots above is a savvy, incremental way to keep spies out of your agency. But it won’t start working until you do.

John Sileo speaks professionally on identity theft, social media exposure and online reputation and is the award-winning author of the newly released Privacy Means Profit. His clients include the Department of Defense, the FDIC, FTC, Pfizer and the Federal Reserve Bank. Learn more about bringing him in to motivate your organization to better protect information assets and develop information leaders.


13 Data Security Tips for Meeting Professionals – SGMP


I just finished delivering a keynote speech for the Society of Government Meeting Professionals (SGMP) at their annual convention on identity theft and protecting data in the meetings industry. Data security is a top concern in this industry because it is probably one of the most highly-targeted groups for identity theft, social media fraud, data breach and social engineering. Here’s why:

  1. Meeting professionals collect, store and transmit massive amounts of private data on attendees
  2. Data theft risk skyrockets when travel is involved, which is a frequent occurrence for meeting planners and professionals
  3. Meeting professionals are busy nearly 24 hours a day once they are onsite for the conference or meeting, meaning that they are highly distracted
  4. A single data breach of attendee data can put the organization responsible for the event out of business due to excessive costs and tight compliance regulations
  5. Conferences are generally collections of highly professional, highly valuable attendees who travel with laptops, sensitive intellectual property, smartphones, unsecured WiFi connections, etc.

Meeting professionals have enormous responsibilities throughout every stage of the planning process. Identity thieves target conferences because of the sheer quantity and value of data circulating around these events. Protecting sensitive attendee data before, during and after the event has become not only a nicety, but a necessity. Data stolen during the planning, execution or clean-up phases of your event can hamstring your organization with financial liabilities and a public relations nightmare. Start by taking these steps:

Meeting Security Before the Event

  • Secure Your Online Reservation System. If you are going to use online registration, invest in a system that delivers not only efficiency, but security. It is your legal, financial and ethical responsibility to protect your attendees’ personal information. Don’t try to do it all yourself. Hire a reputable technology provider to ensure that your data is protected behind firewalls, encryption, passwords, updated operating systems, security software and safe wireless.
  • Educate Attendees. Before they ever begin their travels, attendees should read through a quick 2-minute tip sheet on how to protect themselves while going to a conference. Simply making them aware of some of the risks that exist traveling (laptop theft, unprotected WiFi, smartphone hijacking, etc.) will cause them to pay greater attention on-site.
  • Minimize Data Collection. Collect only the data that you absolutely need and destroy it as soon as you are finished. Once you have processed credit cards, purge that information from your system. The quicker that you properly dispose of sensitive data, the lower your risk and liability.
  • Minimize Physical Files. Take as few physical files (attendee lists, etc.) with you to the event as possible, as these are easily misplaced when you are traveling and distracted. The more that you can keep behind a password-protected, encrypted computer, the better.

Meeting Security Traveling to the Event

  • Protect Your Laptop. Almost 50% of serious corporate data theft occurs because a laptop computer is stolen. In addition to the standard forms of protection (passwords, encryption, anti-virus, etc.), carry as little data on your laptop as possible. And never leave the laptop unattended unless it is locked in your hotel room safe. Identity thieves target business travelers because they are generally rushed, distracted and carrying valuable data.
  • Think Twice about Free Wi-Fi. It is very convenient (and dangerous) to use a free wireless connection to the Internet provided by an airport, café or hotel. Unfortunately, it is nearly impossible to tell whether you are on a safe network or one that lets thieves pirate your information. Unless you are absolutely sure about the security in place, refrain from sending any sensitive material over a wireless connection that your IT department hasn’t configured or approved.

Meeting Security Onsite

  • Educate Attendees. Make frequent announcements at the start of each segment of your programming to remind attendees that they should not leave purses, laptops or files unattended. In addition, warn them to take care of their belongings in pre-conference material and encourage them to leave as much sensitive data at home or in the office as possible.
  • Room Monitors. Have room monitors that check badges as attendees are entering the room and that monitor purses and laptops that are left in the room during breaks (even if you warn people, some will still leave items). Make sure that you announce that room monitors are watching so that you let any would-be opportunists know that someone is watching. Just this one piece of information should discourage theft.
  • Control Digital Access. Make sure that only authorized users can access your onsite registration system. Don’t leave laptops or registration lists unattended, as they are a goldmine of sensitive data. Make sure you are using a VPN and a secure wireless connection to connect back to your office or database server. Disable USB storage so that data cannot be easily copied onto a thumb drive when you aren’t looking.
  • Provide Secure WiFi for Attendees. Set up secure WiFi (requiring a password) for your staff and attendees so that they are not broadcasting their private information over an unprotected network (which they are doing any time they use a free hotspot without a password). Make sure that your onsite contact understands your security needs and concerns. That is part of the service they are providing.
  • Control Physical Access. Use a system of photo ID badges and room monitors to make sure that only authorized attendees have access to highly sensitive areas. You don’t want your biggest competitor to gain access to the meeting where you reveal next year’s strategy.
  • Shred Unneeded Documents. If you no longer need registration information on an attendee, shred it immediately. Every hotel or conference center should have shredders onsite that you are able to utilize. If they don’t, you might ask yourself how well they are protecting your data.

Meeting Security After the Event

  • Destroy the Evidence. When the conference or meeting is over, shred any remaining physical documents you no longer need. Purge digital files from your systems, especially those containing credit card or Social Security numbers. The less you keep on hand, the lower your chances of theft.
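The data-minimization habits in the “Minimize Data Collection” item above and in this “Destroy the Evidence” step (collect only the fields you need, purge the card number the moment payment is processed, destroy records once the event is behind you) can be built into the registration system itself rather than left to memory. The following Python module is an added example, not the post’s own material or any particular registration product; the field names, the 30-day retention period and the sample record are constructed assumptions, and the `charge` callable stands in for whatever payment-processor call a real system makes.

```python
"""Data minimization for attendee registration records (added example).

Three habits made mechanical: keep only the fields the registration needs,
hold the full card number only until the charge goes through, and purge
records once the retention period after the event ends. Field names, the
retention period and the sample data are assumptions, not from any product.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, List, Optional, Union

# Fields the registration actually needs; anything else on the form is dropped at intake.
ALLOWED_FIELDS = {"name", "email", "event_date", "card_number"}
RETENTION_DAYS = 30  # assumed policy: records are destroyed 30 days after the event


@dataclass
class Registration:
    name: str
    email: str
    event_date: date
    card_number: Optional[str] = None  # full card number, held only until payment is settled
    card_last4: Optional[str] = None   # all that remains afterwards, enough for reconciliation
    paid: bool = False


def intake(form: dict) -> Registration:
    """Build a record from submitted form data, discarding fields that were never needed."""
    kept = {k: v for k, v in form.items() if k in ALLOWED_FIELDS}
    return Registration(
        name=kept["name"],
        email=kept["email"],
        event_date=date.fromisoformat(kept["event_date"]),
        card_number=kept.get("card_number"),
    )


def settle_payment(reg: Registration, charge: Callable[[str], None]) -> None:
    """Run the charge, then drop the full card number from the record."""
    if reg.card_number is None:
        raise ValueError("no card on record")
    charge(reg.card_number)            # hypothetical payment-processor call
    reg.card_last4 = reg.card_number[-4:]
    reg.card_number = None             # the full number is no longer stored anywhere
    reg.paid = True


def purge_expired(records: List[Registration], today: Union[date, str]) -> List[Registration]:
    """Return only records still inside the retention window; the rest are destroyed."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    cutoff = today - timedelta(days=RETENTION_DAYS)
    return [r for r in records if r.event_date >= cutoff]


def audit_card_numbers(records: List[Registration]) -> List[str]:
    """Names of records still holding a full card number (should be empty once settled)."""
    return [r.name for r in records if r.card_number is not None]


if __name__ == "__main__":
    # Constructed sample submission, including a field the form never needed.
    form = {"name": "Attendee One", "email": "a1@example.com", "event_date": "2013-05-01",
            "card_number": "4111111111111111", "mothers_maiden_name": "Smith"}
    reg = intake(form)
    settle_payment(reg, lambda pan: None)   # stand-in for the processor call
    print(reg)                              # card_number=None, card_last4='1111'
    print(purge_expired([reg], "2013-06-10"))  # [] once retention has lapsed
```

Running `audit_card_numbers` over the live store on a schedule is the digital equivalent of the “dumpster audit” earlier on the page: any name it returns is a card number that should no longer exist.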

Above all, don’t forget to educate your staff and attendees on the risks of data theft while attending a conference. Higher levels of awareness drastically reduce the incidence of attendee identity theft and corporate espionage.

John Sileo is the award-winning author of Privacy Means Profit and America’s leading speaker on identity theft prevention, social media exposure, online reputation management and information leadership. Learn more about his keynote speeches on a variety of topics or call directly on 1.800.258.8076.