Posts

User Distrust at Heart of Facebook Troubles

, ,

Satisfaction with social-networking powerhouse Facebook has slumped, according to the latest survey from the American Customer Satisfaction Index — hitting a new record-low score in the social media category that placed it in the five lowest-scoring companies out of more than 230 surveyed. There are several immediate factors that undermine user trust:

  • Inconsistency. Facebook’s user interface changes constantly (think Timeline) and this inconsistency leaves users feeling like they don’t know what to expect next from the social media site. Consistency builds trust, but Mark Zuckerberg doesn’t seem to have much vision for consistency.
  • Lack of Transparency. The average user has very little comfort with or knowledge about how Facebook is collecting, analyzing, using and selling their personal data. While Facebook has a range of privacy and security settings, most users still don’t comprehend the enormity of the information that Facebook collects on them. This lack of transparency leaves users with a bad taste in their mouth, like they are being cleverly deceived for the sake of profit.

Facebook is staring down some potentially unnerving obstacles when it comes to key areas of monetization and growth: public distrust and display ad apathy.

Look at these highly revealing statistics:

  • 59% of Facebook users said that they had little to no trust in Facebook to keep their information private according to a recent AP-CNBC poll.
  • Despite these ongoing concerns, the number of users continues to increase. Facebook has grown to 900+ million monthly active users worldwide. This paradox (that Facebook continues to add users even though most of us don’t trust them), suggests a level of reliance bordering on addiction.
  • 54% of Facebook users declare that they don’t trust Facebook using the platform for financial transactions like purchasing goods or services.
  • 83% of Facebook users say they never, or rarely ever, click ads or other sponsored content when they use the site.

Facebook is facing a crisis of trust. For now, they are masking it well and continuing to grow, unless that is, if you judge their success by revenue rather than users.

John Sileo is an award-winning author and data security speaker on social media over exposure. He is CEO of The Sileo Group, which advises organizations on privacy strategy, data security and fraud prevention. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation or watch him on Anderson Cooper, 60 Minutes or Fox Business. 1.800.258.8076.

Yahoo Hacker Wake-up Call WILL FAIL (Data Breach)

, ,

Yahoo BreachA hacking group known as D33Ds Company leaked about 453,000 hacked email addresses and passwords of Yahoo Voices users in order to send a “wake up call” about poor data security practices at Yahoo. The information posted online was NOT restricted to YahooMail login credentials, but included Gmail, Hotmail, Aol and Yahoo user information. In the past few weeks, there have been similar breaches at LinkedIn, eHarmony, Formspring, Nvidia, and AndroidForum. Whazzzup?

Corporations are clearly ignoring warnings that are now commonplace from privacy and security experts: protect your customer data or lose stock value, subscribers and ultimately, your brand reputation.

The average business will NOT take responsibility for preventing a similar breach of their data until AFTER THEY GET HIT. Which is why 95% of companies will hit the snooze button on the wake-up call.

Here is a short list of the mistakes made by Yahoo (and lessons learned) that your company should implement (unfortunately, only 5% of forwarding-thinking companies will do something about):

  • The credentials file (which contained the usernames and passwords for Yahoo sites as well as Microsoft, Google and others) was stored in both an encrypted (good) and unencrypted (bad), text format. Translation: Yahoo started to take steps to protect themselves but didn’t finish the job of applying a secret code to the sensitive parts. Lesson: Intention isn’t good enough in business, you must have follow-through and accountability built into your culture of privacy. 
  • Yahoo didn’t adequately protect against one of the most damaging and common types of attacks (known as a SQL injection attack), which suggests that they didn’t have all of their operating system and security software up to date. Lesson: New year, same old story. For years, businesses have been skipping the simplest of anti-hack fixes – update your software.
  • Yahoo failed to require their users to implement strong passwords (hey, that’s our fault as users, too – we have a responsibility to use strong passwords). In this case, it would have done nothing to protect the end users, but in most cases it does. Lesson: Force strong passwords on your users. They’ll get over the pain and will thank you when they don’t get breached. 
  • Yahoo didn’t salt the passwords as part of their protection. Lesson: Don’t even ask what salting is, just have your tech team implement it as part of your encryption.
  • Yahoo was counting on a third-party to provide security software for their assets. Remember, no one cares about your data like you do, and that doesn’t mean you shouldn’t get the right help when you need it. Lesson: If you use a third party, make sure that you perform the correct due diligence when choosing the vendor and implement proper oversight to make sure they’re doing their job.

If you don’t hand this article to your techies and ask them to prevent the same from happening to you, you will have missed the wake-up call just like everyone else.

John Sileo is an award-winning author and keynote speaker on data security, breach and online privacy. He is CEO of The Sileo Group, which helps raise the PrivacyIQ of organizations of all sizes. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentations or watch him on Anderson Cooper, 60 Minutes or Fox Business.

SCAM ALERT: Target Texting Scam

, , ,

SCAM ALERT! There is a Target texting scam going around. The text looks similar to the one in the picture to the left, and generally says you’ve won a $1,000 gift card if you simply click on the link and collect the money. When you click on the link, it takes you to a Target-looking site that a criminal has set up to collect your private information. The information is then used to steal your identity. In other cases, clicking on the link installs a small piece of malware that takes control of your phone and forwards your private information to the criminals.

Where do the criminals get my mobile phone number to text me in the first place?

  1. They purchase it off of black-market sites on the internet
  2. You give your mobile number away to enter contests, vote on reality shows, etc.
  3. You post it on your Facebook profile for everyone to see
  4. Data hijackers hack into databases containing millions of mobile numbers
  5. Most likely, the thieves simply use a computer to automatically generate a text to every potential mobile phone number possible (a computer can make about a million guesses a second).
What can I do to protect myself and my phone?
  • If you receive a text from any number you don’t know, don’t open it, forward it or respond to it
  • Instead, immediately delete the text (or email)
  • If you accidentally click on the link, never fill out a form giving more of your information
  • Place yourself on the national DO NOT CALL list.
  • Stop sharing your mobile phone number except in crucial situations and with trusted contacts
  • Remember when you text to vote or to receive more information, enter sweepstakes or take surveys via text, they are harvesting your phone number.
  • Resist the urge to post your mobile number on your Facebook wall or profile

John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust. He is CEO of The Sileo Group, which helps organizations protect their mission-critical privacy. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation  or watch him on Anderson Cooper, 60 Minutes or Fox Business.

Gadgets Attract Thieves at Starbucks – Privacy Project Episode #01

, , , ,

On this episode of Privacy Project, John confronts a coffee drinker about leaving their laptop totally alone as they talked outside on the phone at Starbucks.

America’s top Privacy & Identity Theft Speaker John Sileo has appeared on 60 Minutes, Anderson Cooper, Fox & in front of audiences including the Department of Defense, Pfizer, Homeland Security and hundreds of corporations and associations of all sizes. His high-content, humorous, audience-interactive style delivers all of the expertise with lots of entertainment. Come ready to laugh and learn about this mission-critical, bottom-line enhancing topic.

John Sileo is an award-winning author and keynote speaker on the dark art of deception (identity theft, fraud training, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply performance by building a culture of deep trust.

Zappos Breach: 5 (Foot)Steps for the CEO, 6 for Victims

, ,

Let’s say you ordered winter boots for your spouse on Zappos.com (now part of Amazon), which has world-class customer service. You don’t really even shop the competition because someplace in your brain you already trust Zappos to deliver as they always have. Your unquestioned confidence in Zappos is worth a fortune.

And then hackers break in to a server in Kentucky this past weekend and steal private information on 24 million Zappos customers, including (if you are a customer) your name, email address, physical address, phone number, the last four digits of your credit card number and an encrypted version (thank goodness) of your password. Consequently, your junk email folder is overflowing (your email has been illicitly sold to marketing companies), you receive the doom-and-gloom breach notification from Zappos (just like I did), and suddenly, you don’t have quite the same confidence in this best-in-practice business any more. Your shaken confidence in Zappos costs them a fortune. For the foreseeable future, you will pause before using their website again.

“We’ve spent over 12 years building our reputation, brand, and trust with our customers,” Zappos CEO Tony Hsieh said in a note to employees Sunday. “It’s painful to see us take so many steps back due to a single incident.”

In a smart move, Zappos reset the passwords for all affected accounts and notified victims on how to create a new one. But their efforts to recover customer trust are just beginning. Here are 5 Core Concepts of Trust that Zappos leadership should weave into their breach recovery process:

  1. Ownership. Leadership at the company should take complete responsibility for the loss of data and not make excuses as to how it was someone else’s fault (remember the BP oil spill finger pointing?). The last thing victims need is to become more victimized by a corporate spin cycle that further erodes trust. Authentically respecting their customer base (which they do), even when it costs a few extra dollars to maintain, is a sound investment strategy.
  2. Transparency.  Zappos customers have the right to know exactly what was stolen and how it might be used. They deserve to know what the company knows and what law enforcement knows. Sharing their failure (as opposed to covering it up in any way, which they don’t seem to be doing) is a painful process with high short-term costs, but it is the first step in taking responsibility.
  3. Expectation.  Zappos needs to set customer and marketplace expectations early and often about how they will make it better. Forcing users to change passwords does little to ease fears that it will happen again. What tangible steps will they take to repay customers for the trouble they have caused and what measures will they implement to better protect users in the future?
  4. Delivery. Zappos must deliver on the expectations they set with the victims, with the media and with the marketplace. False promises (pretending to implement better security but underfunding the budget) are cheap Band-Aids but only further infect the inflicted wounds when nothing actually changes. To regain trust, Zappos must set impressive expectations and deliver on them flawlessly
  5. Competence. Zappos is not in the business of recovering from identity theft or data breach. They need to aid their legal department by bringing in breach mitigation and recovery experts. Saving a few dollars up front keeping the efforts in house will raise downstream recovery by multiples.

In the meantime, if you are a victim of the Zappos’ breach, begin with these steps:

  • Immediately change your password according to Zappos emailed instructions.
  • Use an alpha-numeric-upper-lower-case password that has nothing to do with your personal life and can’t be found in a social networking profile or dictionary
  • If you use the same password on other sites (webmail, financial), change those as well
  • Implement identity theft monitoring services.
  • Monitor your credit profile for suspicious activity at AnnualCreditReport.com
  • Don’t click the links in that email. Zappos is sending every one of its affected customers a warning e-mail. However, more often than not such “official” e-mails are from hackers (for example, “We’ve had a security problem. Please change your password.”). These fraudulent e-mails can be virtually indistinguishable from legitimate communications, including identical graphics, logos, and authentic looking return e-mail addresses. Instead of clicking, type the URL (in this case Zappos.com) directly into your address bar. If there’s an important notice on your account, you’ll find it there.

John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and it’s polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply performance by building a culture of deep trust. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation (he shares how he lost $300,000, 2 years and his business to data breach) or watch him on Anderson Cooper, 60 Minutes or Fox Business. 1.800.258.8076.

 

Using an iPad to Your Competitive (and Secure) Advantage

If you received an iPad for the holidays (or already have one), you own the most powerful productivity tool invented in the last 20 years – it’s like command central for your life and work. I use the iPad as a step-by-step, centralized way to keep tabs on everything related to my business. Over a cup of coffee, I consume highly-relevant information (no Angry Birds at this point in the day) in a low-stress way simply by clicking through my iPad apps in a consciously prioritized order. I’m not actually taking action on anything at this point, just getting an overview of the appointments, current events, and communications that will make me more effective. That way, when I get down to work,  I know exactly what should get my attention. The routine is always the same, so I never have to remember what I need to do except to open my iPad before I officially start the day. The process takes me about 20 minutes, and by the time I get to work, my brain has sorted most of the information and knows where to start. Here’s how I consciously prioritize my apps (see screen shot):

  1. Calendar (iCal). I look at my calendar first to remind myself of appointments taking place that day.
  2. Project Planner (OmniFocus). I use OmniFocus to organize larger projects. It is a great way to do a brain dump of all of the little tasks that clutter my creative thinking. These project lists are shared with my team and give us a centralized way to track and prioritize our business.
  3. Event Management (eSpeakers and SalesForce). Because I speak professionally as my main source of revenue, I utilize an industry specific app called eSpeakers that tracks every aspect of my speaking engagements. In 30 seconds, I have a quick view of what speeches are on the horizon and what tasks need to be completed. Since this is a revenue center of my business, I want to keep very close tabs on what is taking place. SalesForce is for leads, accounts and contact management.
  4.  News (local paper, USA Today, Zite, Instapaper, NPR). Once I have a view of the day ahead, I skim the news (general and industry specific) to determine if there are any stories I need to pay closer attention to. This isn’t a complete reading, just to put it on my radar.
  5. Note Taking (Evernote). I use Evernote as a clearing house for all of the notes I take, whether it’s an article, random thoughts, etc. By keeping my note taking app close to the news apps, I record anything highly relevant.
  6. Social Networking (HootSuite). I use HootSuite to monitor my Facebook Fan Page, Twitter Feed and LinkedIn Profile. I might quickly post an interesting piece of current news in my field or an upcoming event or media appearance. I do NO personal updates at this point in the day. Business only.
  7. Email. Email always seems like the most important task, but I find it to be distracting. I leave it until last and simply read through all emails and flag them for later work. If they require more than a three word answer, I don’t use my iPad to communicate. I do this once I am sitting at my computer; in the meantime, my subconscious has generally come up with the necessary responses.
You get the point. When you have covered the critical items, close the iPad and go make breakfast. Let your brain mull it over and process what’s important and what’s a waste of time. Don’t continue to consume more information, spend the rest of your day acting on what you’ve already reviewed. This will keep you from information overload.
If you apply this method, your iPad desktop will look completely different, customized to your needs, industry and interests. The power here is in the cutomization of what makes you effective and efficient and the ritualization of the process. Instead of remembering 20 things, you remember one – open your iPad before your work day begins. Twenty minutes well spent can give you a sizable competitive advantage. Try it for a week and see what you think. If you have other ways that you leverage your iPad for work, share them in the comments below. And don’t forget to keep all of this mission-critical data out of the hands of identity thieves and competitors by following these 7 Simple Security Steps:

7 Simple Security Settings for Your iPad

  1. Turn On Passcode Lock. Your iPad is just as powerful as your laptop or desktop, protect it like one. Your iPad is only encrypted when you enable the passcode feature. (Settings/General)
  2. Turn Simple Passcode to Off. Why use only an easy to crack 4-digit passcode when you can implement a full-fledged alphanumeric password? If you can tap out short emails, why not spend 5 seconds on a proper password.
  3. Require Passcode Immediately. It is slightly inconvenient and considerably more secure to have your iPad automatically lock up into passcode mode anytime you leave it alone for a few minutes.
  4. Set Auto Lock to 2 Minutes. Why give the table thief at your favorite café more time to modify your settings to his advantage (to keep it from locking) as he walks out the door with your bank logins, emails and kid pictures.
  5. Turn Erase Data after 10 Tries to On. Even the most sophisticated passcode-cracking software can’t get it done in 10 tries or less. This setting wipes out your data after too many failed attempts. Just make sure your kids don’t accidentally wipe out your iPad (forcing you to restore from your latest iTunes backup).
  6. Use a Password Manager. Your passwords are only as affective as your ability to use them wisely (they need to be long and different for every site). Keeping your passwords in an unencrypted keychain or document is a recipe for complete financial disaster. Download a reputable password-protection app to manage and protect any sensitive passwords, credit card numbers, software licenses, etc. Not only is it safe, it’s incredibly convenient and efficient.
  7. Avoid Untrustworthy Apps. Not all applications are friendly. Despite Apple’s well-designed vetting process, there are still malicious apps that slip through the cracks to siphon data out of your device. If the app hasn’t been around for a while and if you haven’t read about it in a reputable journal (Macworld, Wall Street Journal, New York Times, etc.), don’t load it onto your system. 

It will only take a minute to implement these steps and will encourage thieves to move on to the next victim.

John Sileo is an award-winning author and speaks worldwide on the dark art of deception (identity theft, data privacy, social media manipulation) and it’s polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply results and increase performance. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Contact him on 800.258.8076 or learn more at ThinkLikeASpy.com.

iPad Vampires: 7 Simple Security Settings to Stop Data Suckers

, ,

Information is the currency and lifeblood of the modern economy and, unlike the industrial revolution, data doesn’t shut down at dinnertime. As a result, the trend is towards hyper-mobile computing – smartphones and tablets – that connect us to the Internet and a limitless transfusion of information 24-7. It is an addiction that employers encourage because it inevitably means that we are working after hours (scanning emails in bed rather than catching up with our spouse).

In the work we do to change the culture of privacy inside of organizations, we have discovered a dilemma: iPads are not as secure as other forms of computing and are leaking significant amounts of organizational data to corporate spies, data thieves and even competing economies (China, for example, which would dearly love to pirate the recipe for your secret sauce). Do corporations, then, sacrifice security for the sake of efficiency, privacy for the powerful touch screens that offer a jugular of sensitive information?

Of course not! That’d be like driving a race car minus seat belts and air bags.

iPads provide a competitive advantage, and like generations of tools before it (the cotton gin, the PC), individuals and organizations alike will be forced to learn how to operate this equipment safely or risk the bite of intellectual property vampires. Here are 7 Simple Security Settings to help you lock down your iPad much like you would your laptop.

7 Simple Security Settings for Your iPad

  1. Turn On Passcode Lock. Your iPad is just as powerful as your laptop or desktop, so stop treating it like a glorified book. Your iPad is only encrypted when you enable the passcode feature. (Settings/General)
  2. Turn Simple Passcode to Off. Why use only an easy to crack 4-digit passcode when you can implement a full-fledged alphanumeric password? If you can tap out short emails, why not spend 5 seconds on a proper password.
  3. Require Passcode Immediately. It is slightly inconvenient and considerably more secure to have your iPad automatically lock up into passcode mode anytime you leave it alone for a few minutes.
  4. Set Auto Lock to 2 Minutes. Why give the table thief at your favorite café more time to modify your settings to his advantage (to keep it from locking) as he walks out the door with your bank logins, emails and kid pictures.
  5. Turn Erase Data after 10 Tries to On. Even the most sophisticated passcode-cracking software can’t get it done in 10 tries or less. This setting wipes out your data after too many failed attempts. Just make sure your kids don’t accidentally wipe out your iPad (forcing you to restore from your latest iTunes backup).
  6. Use a Password Manager. Your passwords are only as affective as your ability to use them wisely (they need to be long and different for every site). Keeping your passwords in an unencrypted keychain or document is a recipe for complete financial disaster. Download a reputable password-protection app like 1Password to manage and protect any sensitive passwords, credit card numbers, software licenses, etc. Not only is it safe, it’s incredibly convenient and efficient.
  7. Avoid Untrustworthy Apps. Not all applications are friendly. Despite Apple’s well-designed vetting process, there are still malicious apps that slip through the cracks to siphon data out of your device. If the app hasn’t been around for a while and if you haven’t read about it in a reputable journal (Macworld, Wall Street Journal, New York Times, etc.), don’t load it onto your system. Don’t jail-break your iPad to download apps outside of iTunes. Short-term gain equals long-term risk.

Believe it or not, these simple steps begin to give you a level of security that will discourage casual data vampires. After implementing the Simple 7, move on to 5 Sophisticated Security Settings for iPads for even more robust data defense.

John Sileo lost almost a half-million dollars, his business and his reputation to identity theft. Since then, he’s become America’s leading keynote speaker on identity theft, social media exposure and weapons of manipulation. He helps organizations build successful cultures of privacy. His clients include the Department of Defense, Pfizer and Homeland Security. To learn more, visit ThinkLikeASpy.com or contact him directly on 1.800.258.8076.

Facebook Top Tips for Socializing Safely

,
  1. Only Friend people you know.
  2. Create a good password and use it only for Facebook.
  3. Don’t share your password.
  4. Change your password on a regular basis.
  5. Share your personal information only with people and companies that need it.
  6. Log into Facebook only ONCE each session. If it looks like Facebook is asking you to log in a second time, skip the links and directly type www.facebook.com into your browser address bar.
  7. Use a one-time password when using someone else’s computer.
  8. Log out of Facebook after using someone else’s computer.
  9. Use secure browsing whenever possible.
  10. Only download Apps from sites you trust.
  11. Keep your anti-virus software updated.
  12. Keep your browser and other applications up to date.
  13. Don’t paste script (code) in your browser address bar.
  14. Use browser add-ons like Web of Trust and Firefox’s NoScript to keep your account from being hijacked.
  15. Beware of “goofy” posts from anyone—even Friends. If it looks like something your Friend wouldn’t post, don’t click
    on it.
  16. Scammers might hack your Friends’ accounts and send links from their accounts. Beware of enticing links coming from your Friends.

Read the full PC Magazine Article.

Are You Begging to Get Fired?

, , , ,

We’ve all done it before – left the table to get a coffee refill or go to the bathroom and left our laptop, iPad, smartphone or purse sitting on the table. We justify it by telling ourselves that we are in a friendly place and will only be gone a second. Our tendency is to blame technology for information theft, but the heart of the problem is almost always a human error, like leaving our devices unattended. Realizing that carelessness is the source of most laptop theft makes it a fairly easy problem to solve.

My office is directly above a Starbucks, so I spend way too much time there. And EVERY time I’m there, I watch someone head off to the restroom (see video) or refill their coffee and leave their laptop, iPad, iPhone, briefcase, purse, client files and just about everything else lying around on their table like a self-service gadget buffet for criminals and opportunists alike.

I trust deeply in the honesty and integrity of the people I know well, but if you are trusting your Starbucks crowd with this amazingly valuable data, you are going to get a steaming hot lap full of trouble. Data thieves target places like this because it is an upscale, trusting clientele. Just ask Ben Bernake, Chairman of the Federal Reserve, whose wife got taken at a Starbucks.

Just about 50% of major corporate data breaches are caused by the theft of a laptop computer. They don’t want the computer, they want the data on it, and it can cost your business millions. The average breach recovery cost, according to the highly respected Ponemon Institute, is $6.75 million dollars.

It’s one thing if you leave a personal computer and it gets stolen – you aren’t harming anyone other than you and your family. But when it’s a company computer, or has work files on it, you are putting your employer at risk for lawsuits, government compliance fines, reputation damage and months of headaches.

The answer is simple: train your employees first on personal responsibility with their data-bearing gadgets. If they understand the selfish reasons not to abandon their laptop or iPad in a cafe (the data on it is worth a mint, they could lose their job, etc.), the chances of them applying what they have learned strengthens. Additional points of training can include:

  • Proper usage guidelines including what data can be loaded to the laptop and what cannot.
  • Good password habits and a strong login password that is shared with no one.
  • Proper use of WiFi (not the free hotspots at the cafe, airport or hotel)
  • Tethering, remote tracking and remote wiping techniques to minimize risk.
  • Encryption, especially simple PDF password encryption to email private files.
  • Proper physical security while traveling with the laptop.

If you are going to expose yourself and your company while getting another cup of coffee, you might as well apply for a job as a Barista while you are there. Don’t endanger the health of your company (or the safety of your own personal data) for the sake of convenience. Next time, you might be the one caught on video.

Award-winning author and identity theft keynote speaker John Sileo trains executives and employees to respect and protect the data that makes their company profitable. His clients included the Department of Defense, Homeland Security, FDIC, Pfizer, Blue Cross and organizations of all sizes. Contact him directly on 800.258.8076 or watch him deliver an Identity Theft Speech.

Identity Theft Expert John Sileo on 60 Minutes

, , ,

During a recent 60 Minutes interview, I was asked off camera to name the Achilles’ heel of an entire country’s data security perspective; what exactly were the country’s greatest weaknesses. The country happened to be New Zealand, a forward-thinking nation smart enough to take preventative steps to avoid the identity theft problems we face in the States. The question was revealing, as was the metaphor they applied to the discussion.

Achilles, an ancient Greek superhero — half human, half god — was in the business of war. His only human quality (and therefore his only exploitable weakness) was his heel, which when pierced by a Trojan arrow brought Achilles to the ground, defeated. From this Greek myth, the Achilles’ Heel has come to symbolize a deadly weakness in spite of overall strength; a weakness that can potentially lead to downfall. As I formulated my thoughts in regard to New Zealand, I realized that the same weaknesses are almost universal — applying equally well to nations, corporations and individuals.

For starters, let’s assume your business is strong, maybe even profitable in these tough economic times. In the spirit of Sun Tzu and The Art of War, you’ve dug in your forces, preparing for a lengthy battle: you’ve reduced costs, maximized your workforce, and focused on your most profitable strategies. As your competitors suffocate under market pressure, you breathe stronger as a result of the exercise. But like Achilles, your survival through adversity blinds you and even conditions you to ignore pending threats. You begin to think that your overall strength translates into an absence of weaknesses; and in general, you might be right. But Achilles didn’t die because of his overall strength, which was significant; he died because he ignored critical details. What details are you and your company ignoring?

Information, like Achilles himself, is power. And maintaining control and ownership of your information is quite possibly the most threatening Achilles’ heel any data-reliant business faces. Companies that don’t actively take control of their data are prime targets for identity theft, social engineering, data breach, corporate espionage, and social media exploitation. Regardless of your title, you have a great deal to learn from Achilles’ mistakes, and a significant opportunity to protect your own corporate heel.

Achilles 3 Fatal Mistakes and How to Avoid Them

Admit Your Vulnerabilities. Achilles forgot that he was human, failing to take inventory of his weakness in spite of superior strength. Though his faults were limited — a small tendon at the base of his foot — his failure to protect himself in the right spots proved fatal. When protecting data, it is imperative to understand that your greatest vulnerabilities lie with the people inside of your company. No matter how secure your computer systems, no matter how much physical security you deploy, humans will always be your weakest link. The more technological security you implement, the quicker data thieves will be to attempt to socially engineer those inside your company (or pose as an insider) to capture your data. Admitting vulnerabilities doesn’t have to be a public, embarrassing act. It can be as simple as a quiet conversation with yourself and key players about where your business is ignoring risk.

The three greatest human vulnerabilities tend to be: 1. Unawareness of the risks posed by data loss, 2. Lack of emotional connection to the importance of data privacy (personally in professionally) and it’s affect on profitability, and 3. Misunderstanding that in a world where information is power, it’s no longer about whom you trust, but how you trust. These symptoms suggest that your privacy training has either been non-existent or dry, overly technical, policy related and lacking a strong “what’s-in-it-for-me” link between the individuals in your organization and the data they protect every day.

If this is true inside of your business, rethink your training from this perspective: Your audience members (employees) are individuals with their own identity concerns, not just assets of the company who can be forced to follow a privacy policy that they don’t even pretend to understand. By tapping into their personal vulnerabilities regarding private information (protecting their own Social Security Number, etc.), you can develop a framework and a language for training them to protect sensitive corporate information. Like in martial arts, where you channel your opponent’s energy to your favor, use your employee’s humanness to your advantage. Pinpoint these vulnerabilities and shine the light of education on them.

Fight Prevention Paralysis. One of the most unfortunate and destructive character traits among humans is our hesitation to prevent problems. It is human nature to invest time to prevent tragedy only after we’ve experienced the pain that results from inaction. We hop on the treadmill and order from the healthy menu only after our heart screams for attention. We install a home security system only after we’ve been robbed. Pain motivates action, but the damage is usually done. You can bet that had he the chance to do it all over again, Achilles would slap a piece of armor around his heel (just like TJMAXX would encrypt their wireless networks and AT&T would secure their iPad data).

Prevention doesn’t get the proper attention because its connection to the bottom line is initially harder to see. You are, in essence, eliminating a cost to your business that doesn’t yet exist (the costs of a future data breach: restoring and monitoring customer credit, brand damage, stock depreciation, legal costs, etc.). This seems counterintuitive when you could be eliminating costs that already exist. But here is the flaw in that method of thinking: the cost of prevention is a tiny fraction of the cost of recovery. When you prevent disaster, you get a huge return on your investment (should a breach ever occur). Statistics say that a breach will occur inside of your organization, which means that by failing to invest in prevention you are consciously denying your organization a highly profitable investment. Why would you insure your business against low percentage risks (fire), but turn the other way when confronted with a risk that has already affected 80% of businesses (data breach) and has an almost guaranteed double digit ROI? It is your responsibility to demonstrate how the numbers work; spend small amounts of money preventing, or vast sums of time and money recovering.

Harden the Riskiest Targets. Once you have admitted to and cataloged your vulnerabilities and allocated the resources to protect them, it is time to focus on those solutions with the greatest return on your investment. A constant problem in business is knowing how to see clearly through information overexposure and pick the right projects. Just think of how much stronger Achilles would have been had he placed armor over his heel (which was human) rather than his chest (which was immortal). There is no financially responsible way to lower your risk to zero, so you have to make the right choices. Most businesses will gain the greatest security by focusing on the following targets first:

  1. Bulletproof Your People. Most fraud is still committed the old fashioned way – by manipulating trusting, unsuspecting people inside of your organization. Train your people for what they are: the first line of defense against fraud. Begin by preventing identity theft among your staff and then bridge this personal knowledge into the world of professional data privacy.
  2. Protect Your Mobile Data. Laptops, smart phones and portable drives are the most common sources of severe data theft. The solution to this very powerful and ubiquitous form of computing is a quilt-work of security including password strengthening, data transport limitations,  access-level privileges, whole disk and wireless encryption, VPN and firewall configuration, physical locking and human decision making (e.g., don’t leave it unattended the next time you get coffee at your corporate conference).
  3. Prevent Insider Theft: Perform thorough background checks, reference verification and personality assessment to weed out dishonest employees before they join your organization. Implement an ongoing “honesty meter” for your employees that ensures they haven’t picked up bad or illegal habits since joining your company.
  4. Classify Your Data. Develop a system of classification that includes public, internal, confidential and top secret levels, along with secure destruction and storage guidelines.
  5. Anticipate the Clouds. Cloud computing (when you store your data on other people’s servers), is quickly becoming a major threat to the security of organizational data. Whether an employee is posting sensitive corporate info on their Facebook page (which Facebook has the right to distribute as they see fit) or you are storing customer data in a poorly protected, non-compliant server farm, you will ultimately be held responsible when that data is breached. You must be aware of who owns that data, today and in the future, when your storage company is bought out or goes bankrupt.

We have much to learn from the foresight of New Zealand; they are an excellent example of how organizations should defend their Achilles’ heel. To begin with, they have begun to acknowledge their vulnerabilities in advance of the problem (in fact, their chief vulnerability is that dangerous form of innocence that comes from having very few data theft issues, so far). In addition, they are taking steps to proactively prevent the expansion of identity theft and data breach in their domain (as evidenced by the corresponding educational story on 60 Minutes). Finally, they are targeting solutions that cost less and deliver more value. I was in New Zealand to instruct them on data security. Ironically, I gained as much knowledge on my area of expertise from them as I believe they did from me.

John Sileo speaks professionally on identity theft, data breach and social networking safety. His clients include the Department of Defense, the FDIC, FTC, Pfizer and the Federal Reserve Bank. Learn more about bringing him in to motivate your organization to better protect information assets.