
Information Security Speaker: 5 Information Espionage Hotspots Threatening Businesses


You and your business are worth a lot of money, whether your bank accounts show it or not. The goldmine lies in your data, and everyone wants it. Competitors want to hire the employee you just fired for the thumb drive full of confidential files they smuggled out. Data thieves salivate over your Facebook profile, which serves as a “how to” guide for exploiting your trust. Cyber criminals are digitally sniffing the wireless connection you use at Starbucks to make bank transfers and send “confidential” emails.

Every business is under assault by forces that want access to your valuable data: identity records, customer databases, employee files, intellectual property, and ultimately, your net worth. Research is screaming at us—more than 80% of businesses surveyed have already experienced at least one breach (average recovery cost: $6.75 million) and have no idea how to stop a repeat performance. These are clear, profit-driven reasons to care about who controls your data.

Information Espionage Hotspots

Here are 5 Information Espionage Hotspots that your business should address now:

  1. Lousy training. One of the costliest data security mistakes I see companies make is attempting to train employees from the perspective of the company. This ignores a crucial reality: All privacy is personal. In other words, no one in your organization will care about data security until they understand what it has to do with them. Strategy: Give your people the tools to protect themselves personally from identity theft. In addition to showing them that you care (a good employee retention strategy), you are developing a privacy language that can be applied to business. Once they understand opting out, encryption and identity monitoring from a personal standpoint, it’s a short leap to apply that to your customer databases and intellectual property. See the video above for an example of bridging the worlds of personal privacy and corporate data security.
  2. Human weakness. The root cause of most data loss is not technology; it’s a human being who makes a costly miscalculation out of fear, obligation, confusion, greed or a sense of urgency. Social engineering is the craft of extracting information out of you or your staff by pushing buttons that elicit automatic responses. Strategy: Immunize your workforce against social engineering and poor decision making. Fraud training teaches your people how to handle requests for login credentials, passwords, employee and customer data, unauthorized building access and an office full of information whose disappearance will land you on the front page of the newspaper. The latest frontier thieves are exploiting is your employees’ social networks, especially Facebook and LinkedIn. It is imperative that you have a well-thought-out, clearly communicated social networking policy that minimizes the risks of data leakage, reputation damage and trust manipulation.
  3. Wireless surfing. There are two main sources of wireless data leakage: the weakly encrypted wireless router in your office and the unprotected wireless connection you use to access the Internet in an airport, hotel or café. Both connections are constantly sniffed for unprotected data being sent from your computer to the web. Strategy: Have a security professional configure the wireless router in your office. Here is your laundry list of things to ask her to do; she will understand the terminology: use WPA2 encryption or better; implement MAC address filtering and mask your SSID; and while she’s there, have her do a security audit of your network. To protect your connection while surfing on the road, purchase an encrypted high-speed USB modem from one of the major carriers (Verizon, Sprint, AT&T) and STOP using other people’s free/fee hotspots.
  4. Inside spies. Chances are you rarely perform a serious background check before hiring a new employee. That is short-sighted, as most of the worst data theft ends up being an “inside job” where a dishonest employee siphons information out of a “digital door” when no one is looking. Many employees who are dishonest now were also dishonest in the past, which is why they no longer work for their former employer. Strategy: Invest in a comprehensive background check using a product like CSIdentity.com’s SAFE before you hire instead of wasting much more money cleaning up after a thief steals valuable data assets. Follow up on the prospect’s references and ask for some that aren’t on the application. Investigating someone’s background jump-starts your intuition and discourages dishonest applicants from the outset.
  5. Mobile data. In the most trusted research studies, 36-50% of data breaches originate with the loss of a laptop or mobile computing device (smart phone, thumb drive, etc.). Mobility, consequently, is a double-edged sword; but it’s a sword that we’re probably not going to give up easily. Strategy: Utilize the security professional mentioned above to implement strong passwords, whole disk encryption, and remote laptop-tracking and data-wiping capabilities. Set your screen saver to engage after 5 minutes of inactivity and check the box that requires you to enter your password upon re-entry. This will help keep unwanted users out of your system. Finally, lock this goldmine of data down when you aren’t using it.
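Hotspots 3 and 5 above are the two that a business owner can actually verify on a Windows laptop without waiting for the consultant. The following PowerShell script is an added example, not code from the original post or from John Sileo: it lists saved Wi-Fi profiles whose authentication falls short of WPA2, reports whether the system drive is protected by BitLocker (the built-in whole-disk encryption), and checks or enforces the 5-minute, password-on-resume screen lock. It assumes Windows 10 or 11 with the built-in `netsh` tool and the BitLocker PowerShell module, and an elevated session for the BitLocker query; the function names are the example's own.

```powershell
# Added example (not from the original post): audit a Windows laptop against
# hotspot 3 (weak Wi-Fi encryption) and hotspot 5 (disk encryption, screen lock).
# Assumes Windows 10/11, built-in netsh, BitLocker module; run elevated for BitLocker.

# --- Hotspot 3: saved Wi-Fi profiles that do not meet the WPA2-or-better bar ---
function Get-WeakWifiProfiles {
    $weak  = @()
    $names = netsh wlan show profiles |
        Select-String 'All User Profile\s*:\s*(.+)$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }

    foreach ($name in $names) {
        $detail = netsh wlan show profile name="$name"
        # The "Authentication" line can appear twice (two supported modes); take the first.
        $auth = $detail | Select-String 'Authentication\s*:\s*(.+)$' | Select-Object -First 1
        $authValue = if ($auth) { $auth.Matches[0].Groups[1].Value.Trim() } else { 'unknown' }
        # Open, WEP and original WPA are all below the WPA2 minimum the post calls for.
        if ($authValue -match '^(Open|WEP|WPA-Personal|WPA-Enterprise|unknown)$') {
            $weak += [pscustomobject]@{ Profile = $name; Authentication = $authValue }
        }
    }
    return $weak
}

# --- Hotspot 5a: is the system drive actually encrypted? ---
function Get-SystemDriveEncryption {
    try {
        $v = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        return [pscustomobject]@{
            Drive     = $v.MountPoint
            Encrypted = ($v.ProtectionStatus -eq 'On')
            Status    = "$($v.VolumeStatus)"
        }
    } catch {
        # No module or not elevated: report it rather than silently claiming "encrypted".
        return [pscustomobject]@{
            Drive     = $env:SystemDrive
            Encrypted = $false
            Status    = 'BitLocker status unavailable (module missing or not elevated)'
        }
    }
}

# --- Hotspot 5b: screen saver after 5 minutes, password required on resume ---
$desktopKey = 'HKCU:\Control Panel\Desktop'

function Get-ScreenLockStatus {
    $p = Get-ItemProperty -Path $desktopKey
    [pscustomobject]@{
        ScreenSaverActive = ($p.ScreenSaveActive -eq '1')
        TimeoutSeconds    = [int]$p.ScreenSaveTimeOut      # 0 if the value is absent
        PasswordOnResume  = ($p.ScreenSaverIsSecure -eq '1')
        MeetsPolicy       = ($p.ScreenSaveActive -eq '1') -and
                            ([int]$p.ScreenSaveTimeOut -le 300) -and
                            ([int]$p.ScreenSaveTimeOut -gt 0) -and
                            ($p.ScreenSaverIsSecure -eq '1')
    }
}

function Set-ScreenLockPolicy {
    # 300 seconds is the 5 minutes the post recommends; all three values are REG_SZ.
    Set-ItemProperty -Path $desktopKey -Name ScreenSaveActive    -Value '1'
    Set-ItemProperty -Path $desktopKey -Name ScreenSaveTimeOut   -Value '300'
    Set-ItemProperty -Path $desktopKey -Name ScreenSaverIsSecure -Value '1'
    # A screen saver must be selected for the timeout to fire; use the blank one Windows ships.
    Set-ItemProperty -Path $desktopKey -Name 'SCRNSAVE.EXE' -Value "$env:SystemRoot\System32\scrnsave.scr"
}

# --- Report ---
$weakProfiles = Get-WeakWifiProfiles
if ($weakProfiles.Count -eq 0) { 'Wi-Fi: all saved profiles use WPA2 or better.' }
else { 'Wi-Fi: profiles below WPA2:'; $weakProfiles | Format-Table -AutoSize }

Get-SystemDriveEncryption | Format-List

$lock = Get-ScreenLockStatus
$lock | Format-List
if (-not $lock.MeetsPolicy) {
    'Screen lock does not meet the 5-minute/password policy; run Set-ScreenLockPolicy to fix it.'
}
```

Run it once to see the report, then call `Set-ScreenLockPolicy` if the screen lock check fails (the change applies to the current user's profile and takes effect at the next timeout). Note that of the router settings in hotspot 3, WPA2-or-better is the one that actually protects traffic; MAC address filtering and a hidden SSID are easily bypassed by anyone already listening to the airwaves and are not checked here, since they live on the router, not the laptop.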

Your espionage countermeasures don’t need to be sophisticated or expensive to be effective. Targeting the hotspots above is a savvy, incremental way to keep spies out of your profit margins. But it won’t start working until you do.

John Sileo speaks professionally on identity theft, data breach and social networking exposure, and is the author of the newly released Privacy Means Profit. His clients include the Department of Defense, the FDIC, FTC, Pfizer and the Federal Reserve Bank. Learn more about bringing him in to motivate your organization to better protect information assets.

Identity Theft's Latest Victim? Your Business.


Latest Identity Theft Trend is Stealing Your Business’s Identity to Falsify Accounts

In the past two weeks, I have been contacted separately by two local business owners to share how their business identity has been stolen and used to set up accounts with various companies on which thousands of dollars are charged and they (the actual owners) are left to pay the bills. There are no identity theft statistics on this type of crime, but I am certain that it is just coming onto the trend radar. In further proof that this is becoming a major problem for corporations, the Denver Post ran an article this morning titled “Corporate ID Thieves Mining the Store”.

Here’s how this incredibly easy form of business identity theft works:

  1. A thief scours the internet for your company information (Facebook is usually a good place to start, as is your local Secretary of State’s website). They are particularly interested in bids for government contracts, as they often contain a sample of your letterhead as well as your pertinent business information. If they can obtain the Federal ID# of your business, they have even more ammo to defraud you.
  2. Business name in hand, the thief logs on to your local Secretary of State’s website (the agency generally responsible for registering corporations and maintaining databases on corporations) and pays a small fee ($10) to alter the name of a corporate officer or the address of a company’s registered agent on public records. I would imagine that they generally register an identity stolen from another individual in order to cover their tracks further. In most states, there is no password to protect your official business filings from unauthorized users and changes. In Colorado, according to the Denver Post article mentioned above, officials say that “putting password protection on corporate data — where only a business owner or representative can make changes — is prohibitively expensive.”

    “In other words, the State of Colorado provides less protection for your corporate data than the average online dating service.”

  3. Now that the imposter is a “corporate officer” of your business with full authority to act on behalf of your corporation, the thief applies for a credit account in your business’s name, generally at a large national retailer (Home Depot, Lowes, AT&T, Sprint and Verizon seem to be the top choices). If necessary, they use your poached letterhead to facilitate the process of setting up the account.
  4. The retailer, before extending credit, verifies with Dun & Bradstreet that you are in fact an official officer of the corporation. And where does Dun & Bradstreet get its information about your business? From the Secretary of State’s office, the very source of your illegally modified information. In other words, all parties in the process are relying upon falsified source data that remains unprotected on government websites.
  5. Using the newly established business account with terms (i.e., the thief doesn’t have to pay for what they buy; it is invoiced to the company for payment at a later date), the thief makes large purchases of equipment or services, often worth tens of thousands of dollars.
  6. Equipment in hand, the thief leaves the store never to be seen again. Your business, of course, receives the bill, and begins the arduous, time-consuming and expensive process of proving that you never made the purchase, a difficult task given that the account was established by what the retailer considers to be a legitimate officer of your corporation.

Far-fetched? Not at all. The problem is compounded by the fact that sales associates at many national retailers receive incentive bonuses for every sale they make. Why wouldn’t they push the sale of 50 mobile phones through the system when they receive a large commission to do so? It’s much easier than selling one handset at a time.

Both actual cases I worked with involved phone companies, and each business owner has struggled desperately to prove that they did not make the purchase and do not owe on the account. In one of the cases, the business in question already had an account established with the phone company – same company name, address, phone number, etc. – and the phone company failed to ask any questions as to why they would want a second account. In many of the cases, the thieves use the same stolen business identity over and over again in different cities (rarely do they even shop in your actual city), causing the owner untold hours of time repairing their damaged Dun & Bradstreet ratings, fighting with collection agencies and sitting on hold trying to explain to large corporations that don’t have any incentive to believe what you are saying.

In a spiraling economy, taking your eye off the ball can mean you lose the game. In the meantime, you can take these steps to begin effecting change and protecting your valuable business data:

  1. Contact your local Secretary of State’s Office and encourage them to resolve the issue as quickly as possible. You just might be the first person to let them know that this problem exists. At minimum, ask them to begin protecting your corporate data with a password that only the verified and legitimate corporate officers of your corporation can access.
  2. Review your corporate filing with the Secretary of State’s Office regularly to make sure that there is no altered or false information in their database. If there is, contact them immediately.
  3. While in your corporation’s listing on the Secretary of State’s website, make sure that you set up any security measures they have provided. For example, if they offer email alerts whenever your profile changes, take them up on it and keep a current email address in the profile. This will send you an alert any time someone changes your file.
  4. Monitor your Dun & Bradstreet account regularly to make sure that no liens or encumbrances have been placed on your credit profile. If there is incorrect or unrecognizable data on your report, contact D&B’s fraud department immediately at 1.800.234.3867.
  5. Set up a Google Alert for your corporation’s official name, TIN and any DBAs to monitor unexpected internet activity on behalf of your organization.
  6. If you are a contract-based vendor, include a clause in your contract prohibiting the publication of your TIN/EIN/SSN in any electronic or internet form without your prior written consent.
  7. Protect your TIN, letterhead and company information as if it were currency, because it is.

Check back over the next few days for information on how to recover from this crime if you are a victim.

John Sileo speaks professionally to organizations that wish to avoid the costs associated with identity theft, data breach, social media exposure and insider theft. His satisfied clients include the Department of Defense, Blue Cross Blue Shield, the FDIC, Pfizer and hundreds of corporations of all sizes. Learn more about his entertaining and effective presentations on identity theft, data breach and fraud training or contact him directly at 800.258.8076.

The 7 Deadly Sins of Privacy Leadership: How CEOs Enable Data Breach

Technology is not the root cause of identity theft, data breach or cyber crime.

We are.

Too often, technology is our scapegoat, providing a convenient excuse to sit apathetically in our corner offices, unwilling to put our money where our profits are. Unwilling, in this case, to even gaze over at the enormous profit-sucking sound that is mass data theft. The deeper cause of this crisis festers in the boardrooms of corporate America. Like an overflowing river, poor privacy leadership flows inexorably downhill from the CEO, until at last, it undermines the very banks that contain it.

The identity theft and data breach bottom line?