Tag Archive for: Fraud Training

Clean Up Your Online Profile with Fox and Friends

7 Steps to Secure Profitable Business Data (Part II)

In the first part of this article series, we discussed why it is so important to protect your business data, including the first two steps in the protection process. Once you have resolved the underlying human issues behind data theft, the remaining five steps will help you begin protecting the technological weaknesses common to many businesses.

  1. Start with the humans.
  2. Immunize against social engineering.
  3. Stop broadcasting your digital data. There are two main sources of wireless data leakage: the weakly encrypted wireless router in your office and the unprotected wireless connection you use to access the Internet in an airport, hotel or café. Both connections are constantly sniffed for unencrypted data being sent from your computer to the web.Strategy: Have a security professional configure the wireless router in your office to utilize WPA-2 encryption or better. If possible, implement MAC-specific addressing and mask your SSID. Don’t try to do this yourself. Instead, invest your money in proportion to the value of the asset you are protecting and hire a professional. While the technician is there, have him do a thorough security audit of your network. You will never be sorry for investing the additional money in cyber security.To protect your data while surfing on the road, set up wireless tethering with your mobile phone provider (Verizon, Sprint, AT&T, T-Mobile) and stop using other people’s free or fee hot spots. Using a simple program called Firesheep, data criminals can “sniff” the data you send across these free connections. Unlike most hot-spot transmissions, your mobile phone communications are encrypted and will give you Internet access from anywhere you can make a call.
  4. Eliminate the inside spy. Most businesses don’t perform a serious background check before hiring a new employee. That is short sighted, as much of the worst data theft ends up being an “inside job” where a dishonest employee siphons information out the back door when no one is looking. In the consulting work we have done with breached companies, we have discovered the number one predictor of future theft by an employee – past theft. Most employees who are dishonest now were also dishonest in the past, which is why they no longer work for their former employer.Strategy: Invest in a comprehensive background check before you hire rather than wasting multiples cleaning up after a thief steals valuable data assets. Follow up on the prospect’s references and ask for some that aren’t on the application. Investigating someone’s background will give you the knowledge necessary to let your gut-level instinct go to work. More importantly, letting your prospective hire know in advance that you will be performing a comprehensive background check will discourage dishonest applicants from going further in the process (watch the video for further details). I personally recommend CSIdentity’s SAFE product, which is a technologically superior service to other background screen services.
  5. Don’t let your mobile data walk away. In the most trusted research studies, 36-50% of all major data breach originates with the loss of a laptop or mobile computing device (smart phone, etc.). Mobility, consequently, is a double-edged sword (convenience and confidentiality); but it’s a sword that we’re probably not going to give up easily.Strategy: Utilize the security professional mentioned above to implement strong passwords, whole disk encryption and remote data-wiping capabilities. Set your screen saver to engage after 5 minutes of inactivity and check the box that requires you to enter your password upon re-entry. This will help keep unwanted users out of your system. Finally, lock this goldmine of data down when you aren’t using it. Either carry the computer on your person (making sure not to set it down in airports, cafes, conferences, etc.), store it in the hotel room safe, or lock it in an office or private room when not using it. Physical security is the most overlooked, most effective form of protection.
  6. Spend a day in your dumpster. You have probably already purchased at least one shredder to destroy sensitive documents before they are thrown out. The problem tends to be that no one in the business uses it consistently.Strategy: Take a day to pretend that you are your fiercest competitor and sort through all of the trash going out your door for sensitive documents. Do you find old invoices, credit card receipts, bank statements, customer lists, trade secrets, employee records or otherwise compromising information? It’s not uncommon to find these sources of data theft, and parading them before your staff is a great way to drive the importance of privacy home. If your employees know that you conduct occasional “dumpster audits” to see what company intelligence they are unsafely throwing away, they will think twice about failing to shred the next document. In addition to properly disposing of new documents, make sure that you hire a reputable on-site shredding company to dispose of the banker’s boxes full of document archives you house in a back room somewhere within your offices.
  7. Anticipate the clouds. Cloud computing (when you store your data on other people’s servers), is quickly becoming a major threat to the security of organizational data. Whether an employee is posting sensitive corporate info on their Facebook page (which Facebook has the right to distribute as they see fit) or you are storing customer data in a poorly protected, noncompliant server farm, you will ultimately be held responsible when that data is breached.Strategy: Spend a few minutes evaluating your business’s use of cloud computing by asking these questions: Do you understand the cloud service provider’s privacy policy (e.g. that the government reserves the right to subpoena your Gmails for use in a court of law)? Do you agree to transfer ownership or control of rights in any way when you accept the provider’s terms of service (which you do every time you log into the service)? What happens if the cloud provider (Salesforce.com, Google Apps) goes out of business or is bought out? Is your data stored locally, or in another country that would be interested in stealing your secrets (China, Iran, Russia)? Are you violating any compliance laws by hosting customer data on servers that you don’t own, and ultimately, don’t control? If you are bound by HIPAA, SOX, GLB, Red Flags or other forms of legislation, you might be pushing the edges of compliance.

By taking these simple steps, you will begin starving data thieves of the information they literally take to the bank. This is a cost-effective, incremental process of making your business a less attractive target. But it doesn’t start working until you do.

John Sileo, the award-winning author of Privacy Means Profit, delivers keynote speeches on identity theft, data security, social media exposure and weapons of influence. His clients include the Department of Defense, Pfizer, Homeland Security, Blue Cross, the FDIC and hundreds of corporations, organizations and associations of all sizes. Learn more at www.ThinkLikeASpy.com.

Identity Theft Expert John Sileo on 60 Minutes


Achilles, an ancient Greek superhero — half human, half god — was in the business of war. His only human quality (and therefore his only exploitable weakness) was his heel, which when pierced by a Trojan arrow brought Achilles to the ground, defeated. From this Greek myth, the Achilles’ Heel has come to symbolize a deadly weakness in spite of overall strength; a weakness that can potentially lead to downfall. As I formulated my thoughts in regard to New Zealand, I realized that the same weaknesses are almost universal — applying equally well to nations, corporations and individuals.During a recent 60 Minutes interview, I was asked off camera to name the Achilles’ heel of an entire country’s data security perspective; what exactly were the country’s greatest weaknesses. The country happened to be New Zealand, a forward-thinking nation smart enough to take preventative steps to avoid the identity theft problems we face in the States. The question was revealing, as was the metaphor they applied to the discussion.

For starters, let’s assume your business is strong, maybe even profitable in these tough economic times. In the spirit of Sun Tzu and The Art of War, you’ve dug in your forces, preparing for a lengthy battle: you’ve reduced costs, maximized your workforce, and focused on your most profitable strategies. As your competitors suffocate under market pressure, you breathe stronger as a result of the exercise. But like Achilles, your survival through adversity blinds you and even conditions you to ignore pending threats. You begin to think that your overall strength translates into an absence of weaknesses; and in general, you might be right. But Achilles didn’t die because of his overall strength, which was significant; he died because he ignored critical details. What details are you and your company ignoring?

Information, like Achilles himself, is power. And maintaining control and ownership of your information is quite possibly the most threatening Achilles’ heel any data-reliant business faces. Companies that don’t actively take control of their data are prime targets for identity theft, social engineering, data breach, corporate espionage, and social media exploitation. Regardless of your title, you have a great deal to learn from Achilles’ mistakes, and a significant opportunity to protect your own corporate heel.

Achilles 3 Fatal Mistakes and How to Avoid Them

Admit Your Vulnerabilities. Achilles forgot that he was human, failing to take inventory of his weakness in spite of superior strength. Though his faults were limited — a small tendon at the base of his foot — his failure to protect himself in the right spots proved fatal. When protecting data, it is imperative to understand that your greatest vulnerabilities lie with the people inside of your company. No matter how secure your computer systems, no matter how much physical security you deploy, humans will always be your weakest link. The more technological security you implement, the quicker data thieves will be to attempt to socially engineer those inside your company (or pose as an insider) to capture your data. Admitting vulnerabilities doesn’t have to be a public, embarrassing act. It can be as simple as a quiet conversation with yourself and key players about where your business is ignoring risk.

The three greatest human vulnerabilities tend to be: 1. Unawareness of the risks posed by data loss, 2. Lack of emotional connection to the importance of data privacy (personally in professionally) and it’s affect on profitability, and 3. Misunderstanding that in a world where information is power, it’s no longer about whom you trust, but how you trust. These symptoms suggest that your privacy training has either been non-existent or dry, overly technical, policy related and lacking a strong “what’s-in-it-for-me” link between the individuals in your organization and the data they protect every day.

If this is true inside of your business, rethink your training from this perspective: Your audience members (employees) are individuals with their own identity concerns, not just assets of the company who can be forced to follow a privacy policy that they don’t even pretend to understand. By tapping into their personal vulnerabilities regarding private information (protecting their own Social Security Number, etc.), you can develop a framework and a language for training them to protect sensitive corporate information. Like in martial arts, where you channel your opponent’s energy to your favor, use your employee’s humanness to your advantage. Pinpoint these vulnerabilities and shine the light of education on them.

Fight Prevention Paralysis. One of the most unfortunate and destructive character traits among humans is our hesitation to prevent problems. It is human nature to invest time to prevent tragedy only after we’ve experienced the pain that results from inaction. We hop on the treadmill and order from the healthy menu only after our heart screams for attention. We install a home security system only after we’ve been robbed. Pain motivates action, but the damage is usually done. You can bet that had he the chance to do it all over again, Achilles would slap a piece of armor around his heel (just like TJMAXX would encrypt their wireless networks and AT&T would secure their iPad data).

Prevention doesn’t get the proper attention because its connection to the bottom line is initially harder to see. You are, in essence, eliminating a cost to your business that doesn’t yet exist (the costs of a future data breach: restoring and monitoring customer credit, brand damage, stock depreciation, legal costs, etc.). This seems counterintuitive when you could be eliminating costs that already exist. But here is the flaw in that method of thinking: the cost of prevention is a tiny fraction of the cost of recovery. When you prevent disaster, you get a huge return on your investment (should a breach ever occur). Statistics say that a breach will occur inside of your organization, which means that by failing to invest in prevention you are consciously denying your organization a highly profitable investment. Why would you insure your business against low percentage risks (fire), but turn the other way when confronted with a risk that has already affected 80% of businesses (data breach) and has an almost guaranteed double digit ROI? It is your responsibility to demonstrate how the numbers work; spend small amounts of money preventing, or vast sums of time and money recovering.

Harden the Riskiest Targets. Once you have admitted to and cataloged your vulnerabilities and allocated the resources to protect them, it is time to focus on those solutions with the greatest return on your investment. A constant problem in business is knowing how to see clearly through information overexposure and pick the right projects. Just think of how much stronger Achilles would have been had he placed armor over his heel (which was human) rather than his chest (which was immortal). There is no financially responsible way to lower your risk to zero, so you have to make the right choices. Most businesses will gain the greatest security by focusing on the following targets first:

  1. Bulletproof Your People. Most fraud is still committed the old fashioned way – by manipulating trusting, unsuspecting people inside of your organization. Train your people for what they are: the first line of defense against fraud. Begin by preventing identity theft among your staff and then bridge this personal knowledge into the world of professional data privacy.
  2. Protect Your Mobile Data. Laptops, smart phones and portable drives are the most common sources of severe data theft. The solution to this very powerful and ubiquitous form of computing is a quilt-work of security including password strengthening, data transport limitations,  access-level privileges, whole disk and wireless encryption, VPN and firewall configuration, physical locking and human decision making (e.g., don’t leave it unattended the next time you get coffee at your corporate conference).
  3. Prevent Insider Theft: Perform thorough background checks, reference verification and personality assessment to weed out dishonest employees before they join your organization. Implement an ongoing “honesty meter” for your employees that ensures they haven’t picked up bad or illegal habits since joining your company.
  4. Classify Your Data. Develop a system of classification that includes public, internal, confidential and top secret levels, along with secure destruction and storage guidelines.
  5. Anticipate the Clouds. Cloud computing (when you store your data on other people’s servers), is quickly becoming a major threat to the security of organizational data. Whether an employee is posting sensitive corporate info on their Facebook page (which Facebook has the right to distribute as they see fit) or you are storing customer data in a poorly protected, non-compliant server farm, you will ultimately be held responsible when that data is breached. You must be aware of who owns that data, today and in the future, when your storage company is bought out or goes bankrupt.

We have much to learn from the foresight of New Zealand; they are an excellent example of how organizations should defend their Achilles’ heel. To begin with, they have begun to acknowledge their vulnerabilities in advance of the problem (in fact, their chief vulnerability is that dangerous form of innocence that comes from having very few data theft issues, so far). In addition, they are taking steps to proactively prevent the expansion of identity theft and data breach in their domain (as evidenced by the corresponding educational story on 60 Minutes). Finally, they are targeting solutions that cost less and deliver more value. I was in New Zealand to instruct them on data security. Ironically, I gained as much knowledge on my area of expertise from them as I believe they did from me.

John Sileo speaks professionally on identity theft, data breach and social networking safety. His clients include the Department of Defense, the FDIC, FTC, Pfizer and the Federal Reserve Bank. Learn more about bringing him in to motivate your organization to better protect information assets.

Social Engineering Expert Quoted in CSO Article

Quoted from the original CSO Online story:

Social engineering stories: The sequel

Two more social engineering scenarios demonstrate how hackers still use basic techniques to gain unauthorized access, and what you can do to stop them

By Joan Goodchild, Senior Editor
May 27, 2010 —

John Sileo, an identity theft expert who trains on repelling social engineering, knows from first-hand experience what it’s like to be a victim. Sileo has had his identity stolen—twice. And both instances resulted in catastrophic consequences.

The first crime took place when Sileo’s information was obtained from someone who had gained access to it out of the trash (yes, dumpster diving still works). She bought a house using his financial information and eventually declared bankruptcy.

“That was mild,” said Sileo, who then got hit again when his business partner used his information to embezzle money from clients. Sileo spent several years, and was bankrupt, fighting criminal charges.

Now that he has come out of it all innocent, he spends his time assisting organizations train employees on what social engineering and identity theft techniques look like.

ow that he has come out of it all innocent, he spends his time assisting organizations train employees on what social engineering and identity theft techniques look like.

“I’m trying to inspire employees to care about privacy,” he said. “If they don’t care about it at a human level, they are not going to care about the company’s privacy policy or IT security. You’ve got to get it at a primal personal level.”

Sileo ran through some memorable social engineering scenarios he’s heard during his years as a security lecturer. The first is taken from his upcoming book

Continue Reading Social engineering stories: The sequel

If you are serious about training your staff on social engineering scams, fraud detection and protecting your business from a costly data breach, start with the items above and then bring a professional social engineering expert to your next meeting or conference. Email us for more information or contact one of us directly on 800.258.8076.