Dumb Kids Equal Easy Targets

Your national security depends on the job you do educating your children. 

Here’s an alarming wakeup call: a task force led by former Secretary of State Condoleezza Rice and Joel Klein, former chancellor of New York’s school system, has issued a stunning report. They warn that the nation’s security and economic prosperity are at risk if America’s schools don’t improve. The task force consists of 30 members with backgrounds in education and foreign affairs and was organized by the Council on Foreign Relations. As reported by the Associated Press, the report cautions that far too many schools fail to adequately prepare students and that “The dominant power of the 21st century will depend on human capital. The failure to produce that capital will undermine American security.” A shortage of skilled workers is expected to get worse as the current work force retires. The task force said the State Department and U.S. intelligence agencies face critical shortfalls in the fields of foreign language, science, defense and aerospace. And so, it’s not a stretch to realize that no matter how diligent we are about educating people and businesses to protect their identities and information and to develop safe habits, the problem is ever so much more complex.

In my profession, just the thought of this scenario scares the living daylights out of me – it means I’ll never be put out of a job. Nothing would please me more than knowing that the sensitive information of most people and businesses – even the world as a whole – had become so secure that I’d have to tackle another topic. Rice and Klein said in interviews that they’re encouraged by efforts to improve schools, such as the adoption of “common core” standards in reading and math and the Obama administration’s “Race to the Top” competition. But, they added, the pace to improve America’s schools must accelerate. “The rest of the world is not sitting by while we, in a rather deliberate fashion, reform the education system,” Rice said. Klein continued, “I don’t think people have really thought about the national security implications and the inability to have people who speak the requisite languages who can staff a volunteer military, the kind of morale and human conviction you need to hold a country together.”

The panel makes three main recommendations:

  • Adopt and expand the common core initiative to include skill sets critical to national security such as science, technology and foreign languages
  • Make structural changes to provide students with more choices in where they can go to school, so many students aren’t stuck in underperforming schools
  • Create a national security readiness audit, prepared by governors working with the federal government, that can be used to judge whether schools are meeting national expectations in education

So what can we do? To protect ourselves and our children’s children, we have to jump in and actively support our school systems. Beyond the education community, we can encourage discussions that engage those in the defense and foreign policy establishments about how to improve schools.

At the same time, there are great rays of hope in education. On February 7, I spoke at The Leeds School of Business at the University of Colorado and found the students to be engaged, curious, and eager to learn how to be critical thinkers. When I return in April, I anticipate they’ll put me through the paces with their intelligent observations.

These may have been some of the same students who recently heard Andrew Fastow, former chief financial officer of Enron, speak to the students, faculty and staff of Leeds. Fastow contacted the university and asked whether he could speak after reading an op-ed piece, published by Bloomberg Businessweek in January, written by Leeds dean David Ikenberry and Donna Sockell, director of the school’s Center for Education on Social Responsibility. The piece was about the need for deeper ethics training in business schools. Fastow, who completed a six-year prison sentence in December, imparted the message that following the rules isn’t enough. It took him a couple of years to realize he had “used the rules to subvert the rules.” So while there are bright spots in education, it’s more important than ever that we commit to improvement at every level, from grade school up!

John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply performance by building a culture of deep trust. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation or watch him on Anderson Cooper, 60 Minutes or Fox Business. 1.800.258.8076.

7 Steps to Secure Profitable Business Data (Part II)


In the first part of this article series, we discussed why it is so important to protect your business data, including the first two steps in the protection process. Once you have resolved the underlying human issues behind data theft, the remaining five steps will help you begin protecting the technological weaknesses common to many businesses.

  1. Start with the humans.
  2. Immunize against social engineering.
  3. Stop broadcasting your digital data. There are two main sources of wireless data leakage: the weakly encrypted wireless router in your office and the unprotected wireless connection you use to access the Internet in an airport, hotel or café. Both connections are constantly sniffed for unencrypted data being sent from your computer to the web. Strategy: Have a security professional configure the wireless router in your office to utilize WPA2 encryption or better. If possible, implement MAC-specific addressing and mask your SSID. Don’t try to do this yourself. Instead, invest your money in proportion to the value of the asset you are protecting and hire a professional. While the technician is there, have him do a thorough security audit of your network. You will never be sorry for investing the additional money in cyber security. To protect your data while surfing on the road, set up wireless tethering with your mobile phone provider (Verizon, Sprint, AT&T, T-Mobile) and stop using other people’s free or fee hot spots. Using a simple program called Firesheep, data criminals can “sniff” the data you send across these free connections. Unlike most hot-spot transmissions, your mobile phone communications are encrypted and will give you Internet access from anywhere you can make a call.
  4. Eliminate the inside spy. Most businesses don’t perform a serious background check before hiring a new employee. That is short-sighted, as much of the worst data theft ends up being an “inside job” where a dishonest employee siphons information out the back door when no one is looking. In the consulting work we have done with breached companies, we have discovered the number one predictor of future theft by an employee – past theft. Most employees who are dishonest now were also dishonest in the past, which is why they no longer work for their former employer. Strategy: Invest in a comprehensive background check before you hire rather than spending many multiples of that amount cleaning up after a thief steals valuable data assets. Follow up on the prospect’s references and ask for some that aren’t on the application. Investigating someone’s background will give you the knowledge necessary to let your gut-level instinct go to work. More importantly, letting your prospective hire know in advance that you will be performing a comprehensive background check will discourage dishonest applicants from going further in the process (watch the video for further details). I personally recommend CSIdentity’s SAFE product, which is technologically superior to other background screening services.
  5. Don’t let your mobile data walk away. In the most trusted research studies, 36-50% of all major data breaches originate with the loss of a laptop or mobile computing device (smart phone, etc.). Mobility, consequently, is a double-edged sword (convenience and confidentiality); but it’s a sword that we’re probably not going to give up easily. Strategy: Utilize the security professional mentioned above to implement strong passwords, whole disk encryption and remote data-wiping capabilities. Set your screen saver to engage after 5 minutes of inactivity and check the box that requires you to enter your password upon re-entry. This will help keep unwanted users out of your system. Finally, lock this goldmine of data down when you aren’t using it. Either carry the computer on your person (making sure not to set it down in airports, cafes, conferences, etc.), store it in the hotel room safe, or lock it in an office or private room when not using it. Physical security is the most overlooked, most effective form of protection.
  6. Spend a day in your dumpster. You have probably already purchased at least one shredder to destroy sensitive documents before they are thrown out. The problem tends to be that no one in the business uses it consistently. Strategy: Take a day to pretend that you are your fiercest competitor and sort through all of the trash going out your door for sensitive documents. Do you find old invoices, credit card receipts, bank statements, customer lists, trade secrets, employee records or otherwise compromising information? It’s not uncommon to find these sources of data theft, and parading them before your staff is a great way to drive the importance of privacy home. If your employees know that you conduct occasional “dumpster audits” to see what company intelligence they are unsafely throwing away, they will think twice about failing to shred the next document. In addition to properly disposing of new documents, make sure that you hire a reputable on-site shredding company to dispose of the banker’s boxes full of document archives you house in a back room somewhere within your offices.
  7. Anticipate the clouds. Cloud computing (storing your data on other people’s servers) is quickly becoming a major threat to the security of organizational data. Whether an employee is posting sensitive corporate info on their Facebook page (which Facebook has the right to distribute as they see fit) or you are storing customer data in a poorly protected, noncompliant server farm, you will ultimately be held responsible when that data is breached. Strategy: Spend a few minutes evaluating your business’s use of cloud computing by asking these questions: Do you understand the cloud service provider’s privacy policy (e.g. that the government reserves the right to subpoena your Gmails for use in a court of law)? Do you agree to transfer ownership or control of rights in any way when you accept the provider’s terms of service (which you do every time you log into the service)? What happens if the cloud provider (Salesforce.com, Google Apps) goes out of business or is bought out? Is your data stored locally, or in another country that would be interested in stealing your secrets (China, Iran, Russia)? Are you violating any compliance laws by hosting customer data on servers that you don’t own, and ultimately, don’t control? If you are bound by HIPAA, SOX, GLB, Red Flags or other forms of legislation, you might be pushing the edges of compliance.

By taking these simple steps, you will begin starving data thieves of the information they literally take to the bank. This is a cost-effective, incremental process of making your business a less attractive target. But it doesn’t start working until you do.

John Sileo, the award-winning author of Privacy Means Profit, delivers keynote speeches on identity theft, data security, social media exposure and weapons of influence. His clients include the Department of Defense, Pfizer, Homeland Security, Blue Cross, the FDIC and hundreds of corporations, organizations and associations of all sizes. Learn more at www.ThinkLikeASpy.com.


7 Steps to Secure Profitable Business Data (Part I)


Everybody wants your data. Why? Because it’s profitable, it’s relatively easy to access and the resulting crime is almost impossible to trace. Take, for example, Sony PlayStation Network, Citigroup, Epsilon, RSA, Lockheed and several other businesses that have watched helplessly in the past months as more than 100 million customer records have been breached, ringing up billions in recovery costs and reputation damage. You have so much to lose.

To scammers, your employees’ Facebook profiles are like a user’s manual about how to manipulate their trust and steal your intellectual property. To competitors, your business is one poorly secured smartphone from handing over the recipe to your secret sauce. And to the data spies sitting near you at Starbucks, you are one unencrypted wireless connection away from wishing you had taken the steps in this two-part article.

Every business is under assault by forces that want access to customer databases, employee records, intellectual property, and ultimately, your bottom line. Research is screaming at us—more than 80% of businesses surveyed have already experienced at least one breach and have no idea of how to stop a repeat performance. Combine this with the average cost to repair data loss, a stunning $7.2 million per incident (both statistics according to the Ponemon Institute), and you have a profit-driven mandate to change the way you protect information inside of your organization. “But the risk inside of my business,” you say, “would be nowhere near that costly.” Let’s do the math.

A Quick and Dirty Way to Calculate Your Business’s Data Risk

Here is a quick ROI formula for your risk: Add up the total number of customer, employee and vendor database records you collect that contain any of the following pieces of information – name, address, email, credit card number, SSN, Tax ID Number, phone number, PIN – and multiply that number by $250 (a conservative average of the per-record cost of lost data). So, if you have identifying information on 10,000 individuals, your out-of-pocket expenses (breach recovery, notification, lawsuits, etc.) are estimated at $2.5 million even if you don’t lose an SSN or TIN. And that cost doesn’t necessarily factor in the public relations and stock value damage done when you make headlines in the papers.

In an economy where you already stretch every resource to the limit, you need to do more with less. Certain solutions have a higher return on investment. Start with these 7 Steps to Secure Profitable Business Data.

  1. Start with the humans. One of the costliest data security mistakes I see companies make is to only approach data privacy from the perspective of the company. But this ignores a crucial reality: All privacy is personal. In other words, no one in your organization will care about data security, privacy policies, intellectual property protection or data breach until they understand what it has to do with them. Strategy: Give your people the tools to protect themselves personally from identity theft. In addition to showing them that you care (a good employee retention strategy), you are developing a privacy language and framework that can be easily adapted to business. Once your people understand opting out, encryption and identity monitoring from a personal standpoint, it’s a short leap to apply that to your customer databases, physical documents and intellectual property. Start with the personal and expand into the professional. It’s like allowing people to put on their own oxygen masks before taking responsibility for those next to them. For an example of how the Department of Homeland Security applied this strategy, take a look at the short video.
  2. Immunize against social engineering. The root cause of most data loss is not technology; it’s a human being who makes a costly miscalculation out of fear, obligation, confusion, bribery or sense of urgency. Social engineering is the craft of manipulating information out of humans by pushing buttons that elicit automatic responses. Data thieves push these buttons for highly profitable ends, including spear-phishing, social networking fraud, unauthorized building access, and computer hacking. Strategy: Immunize your workforce against social engineering. First, when asked for information, they should immediately apply a healthy dose of professional skepticism. Train them to automatically assume that the requestor is a spy of some sort. Second, teach them to take control of the situation. If they didn’t initiate the transfer of information (e.g., someone official approaches them for login credentials), have them stop and think before they share. Finally, during this moment of hesitation, empower them to ask a series of aggressive questions aimed at exposing fraud. When we do this type of training, whether it is for the Department of Defense, a Fortune 50 or a small business, the techniques are the same. You have to make a game out of it, make it interesting, interactive and fun. That’s how people learn. For an example of fraud training in action, visit www.Sileo.com/fun-fraud.

You will notice that the first 2 Steps have nothing to do with technology or what you might traditionally associate with data security. They have everything to do with human behavior. Failing to begin with the human factor, with core motivations and risky habits, will almost certainly guarantee that your privacy initiatives will fail. You can’t simply force a regime of privacy on your company. You need to build a coalition; you need to instill a culture of privacy, one security brick at a time.

Once you have acknowledged the supreme importance of obtaining buy-in from your employees and training them as people first, data handlers second, then you can move on to the next 5 Steps to Secure Profitable Business Data.

John Sileo, the award-winning author of Privacy Means Profit, delivers keynote speeches on identity theft, data security, social media exposure and weapons of influence. His clients include the Department of Defense, Pfizer, Homeland Security, Blue Cross, the FDIC and hundreds of corporations, organizations and associations of all sizes. Learn more at www.ThinkLikeASpy.com.

3 Exposure Lessons Learned Via Anthony Weiner


Just for a minute, put yourself in the shoes of Anthony Weiner. You’ve done something exceptionally stupid, whether it’s sending sexually explicit photos of yourself to strangers you don’t even know, or another unrelated mistake. To compound the stupidity, you involve social networking – you Facebook or tweet or YouTube the act – or even simply email details of what you’ve done.

Every one of us makes impulsively bad decisions (probably not as bad as Weiner, but bad nonetheless). Prior to the internet, you at least had a chance to recover from your past transgressions, as there wasn’t a readily accessible public record of the act unless you happened to be caught on tape (think Nixon, Rodney King, etc.). But now that pretty much every human carries either a camera or video recorder with them at all times (mobile phones), can communicate instantly with a massive audience (Facebook, Twitter, SMS, blogs), and has access to more information than exists in the Library of Congress just by pulling up Google, the equation of how you control sensitive information about yourself has changed radically. Every stranger (and even friend) is like a full-service news station with video, distribution and commentary, just waiting to report on your missteps.

Here are three lessons the rest of us can take from the Anthony Weiner affair:

  1. Fame raises the bar. Celebrity, for all of its glory, puts a spotlight on your conduct. When you get paid for attracting attention, you are bound to attract unwanted attention. Unless your brand consciously involves a rebel persona (Paris Hilton, Lindsay Lohan, Dennis Rodman – in other words, the more trouble you get in, the more money you make), you will be held to a higher standard than those of us who fly under the radar. Fame has its faults. Remember when Gary Hart challenged the press to prove he wasn’t a standup guy? Now everyone who has even the most basic tech tools is an instant paparazzo.
  2. Mind the 3 Laws of Posting Online. When you post anything online, what you have published is most often immediately public, permanent and exploitable. You may think that you have a claim to privacy online, but you are deluding yourself. What you upload is only as private as the company or individual housing the data. Once you post, there is no “taking it back”. Weiner removed his tweets quickly, but posts, pictures and videos are backed up, re-tweeted, liked, screen captured and otherwise saved long before you can put a stop to it. Finally, as this case reinforces, what you post online can and will be used against you if it falls into the wrong hands. In Weiner’s case, the wrong hands were those of a political enemy, conservative blogger Andrew Breitbart. Because Weiner chose to make the posts public (even accidentally), Breitbart has a free pass to commit perfectly legal extortion. Before it is all over, the Democratic party will lose one of its brightest stars. That is probably a just result, but there is still a question about the forceful nature of the means involved.
  3. Admit fault early and often. If you’ve done something wrong and it is recorded online, “hang a lantern on it” as quickly as possible. This is a phrase that Chris Matthews used in his book on political survival, Hardball. To summarize Matthews’s position, if you make a mistake and it goes public, admit to it as quickly as possible, take ownership of the wrongdoing and don’t lapse into the web of lies brought on by panic. Hang a lantern on it – expose it to the light, take your lumps and move on. In the end, what will bring Weiner down will likely not be his obscene tweets or explicit photos. Rather, it will be the fact that he blatantly lied about his posts. Had he come clean immediately, he would be judged as a person who made some mistakes just like the rest of us, not as a Congressman who deliberately misled his constituents.

And there is a larger, more important lesson in all of this. In a world where your every action is subject to capture, publication and mass distribution, it’s far easier to be a moral, upstanding, well-adjusted individual than it is to attempt to hide a dysfunctional dark side. Ultimately, a bit of restraint, discretion and even therapy will be much cheaper than living a double life.


John Sileo speaks, writes and consults professionally on information leadership: managing the exposure of personal and corporate information. His clients include the Department of Defense, Pfizer, Homeland Security and Blue Cross. Learn more at www.ThinkLikeASpy.com or contact him directly on 1.800.258.8076. Expose yourself wisely.

Are You Begging to Get Fired?


We’ve all done it before – left the table to get a coffee refill or go to the bathroom and left our laptop, iPad, smartphone or purse sitting on the table. We justify it by telling ourselves that we are in a friendly place and will only be gone a second. Our tendency is to blame technology for information theft, but the heart of the problem is almost always a human error, like leaving our devices unattended. Realizing that carelessness is the source of most laptop theft makes it a fairly easy problem to solve.

My office is directly above a Starbucks, so I spend way too much time there. And EVERY time I’m there, I watch someone head off to the restroom (see video) or refill their coffee and leave their laptop, iPad, iPhone, briefcase, purse, client files and just about everything else lying around on their table like a self-service gadget buffet for criminals and opportunists alike.

I trust deeply in the honesty and integrity of the people I know well, but if you are trusting your Starbucks crowd with this amazingly valuable data, you are going to get a steaming hot lap full of trouble. Data thieves target places like this because it is an upscale, trusting clientele. Just ask Ben Bernanke, Chairman of the Federal Reserve, whose wife got taken at a Starbucks.

Just about 50% of major corporate data breaches are caused by the theft of a laptop computer. They don’t want the computer, they want the data on it, and it can cost your business millions. The average breach recovery cost, according to the highly respected Ponemon Institute, is $6.75 million.

It’s one thing if you leave a personal computer and it gets stolen – you aren’t harming anyone other than you and your family. But when it’s a company computer, or has work files on it, you are putting your employer at risk for lawsuits, government compliance fines, reputation damage and months of headaches.

The answer is simple: train your employees first on personal responsibility with their data-bearing gadgets. If they understand the selfish reasons not to abandon their laptop or iPad in a cafe (the data on it is worth a mint, they could lose their job, etc.), the chances of them applying what they have learned improve. Additional points of training can include:

  • Proper usage guidelines including what data can be loaded to the laptop and what cannot.
  • Good password habits and a strong login password that is shared with no one.
  • Proper use of WiFi (not the free hotspots at the cafe, airport or hotel)
  • Tethering, remote tracking and remote wiping techniques to minimize risk.
  • Encryption, especially simple PDF password encryption to email private files.
  • Proper physical security while traveling with the laptop.

If you are going to expose yourself and your company while getting another cup of coffee, you might as well apply for a job as a Barista while you are there. Don’t endanger the health of your company (or the safety of your own personal data) for the sake of convenience. Next time, you might be the one caught on video.

Award-winning author and identity theft keynote speaker John Sileo trains executives and employees to respect and protect the data that makes their company profitable. His clients include the Department of Defense, Homeland Security, FDIC, Pfizer, Blue Cross and organizations of all sizes. Contact him directly on 800.258.8076 or watch him deliver an Identity Theft Speech.

Egypt Going for Total Information Control


The Egyptian government has reportedly cut all access to the internet, extending their earlier restrictions on Twitter, Facebook, BlackBerry service and other forms of mass communication. The ban is likely to be in response to the use of social networking sites to organize pro-democracy, anti-Mubarak demonstrations in Egypt and other countries.

Internet access issues in Egypt have coincided with mounting demonstrations in the country, many of which were organized via social-networking sites like Facebook and Twitter. Thousands poured into the streets of Cairo starting Tuesday to protest failing economic policies, government corruption, and to call for an end of the nearly 30-year rule of President Hosni Mubarak. -PC Magazine

Pro-gun lobbyists worry about enforced gun registration because it could possibly give the government a way to confiscate all firearms. That’s child’s play compared to a government’s ability to shut down access to the critical tools we use every day: the internet, email, Facebook, Google, text, cell phones – the information arsenal that we all tend to take for granted. Egypt understands the importance.

And so does the Obama administration, according to this WSJ Post:

At the State Department, spokesman P.J. Crowley expressed “deep concern” after Mr. Mubarak shut down the Internet and mobile phone service in Cairo. On his Twitter account, Mr. Crowley wrote: “Events unfolding in #Egypt are of deep concern. Fundamental rights must be respected, violence avoided and open communications allowed.”

Information is power, and Mubarak is playing offense in this game.

John Sileo trains organizations on Information Offense Strategies to stay ahead of the data theft, social networking and intelligence control curve. Learn more at ThinkLikeASpy.com.

WikiLeaks – The Ultimate INSIDE Job


If you need a world-class example of the adage that INFORMATION IS POWER, look at the recent kerfuffle WikiLeaks has caused. Since threatening to release more than 250,000 U.S. diplomatic cables, WikiLeaks has experienced a rash of cyber problems (none attributable to the U.S. Government, but it does make you wonder…):

“The site’s efforts to publish 250,000 diplomatic cables have been hampered by denial-of-service attacks, ejection from its server host and cancellation of its name by its American domain name provider. Each time WikiLeaks has worked out other arrangements to bring the site back online.” – By Charley Keyes and Laurie Ure, CNN

Who wouldn’t leak information via WikiLeaks? You are pretty much guaranteed anonymity with few repercussions. You don’t like the way something is being handled at your corporation or in your Government Department, but have a Non-Disclosure Agreement that keeps you from speaking up publicly? Send it to WikiLeaks and let them do your dirty work. Non-traceable, non-accountable, high profile information dissemination at your service. I’m not sure if it’s fair or ethical, but who cares when it’s so damned convenient and effective? Transparency in a box.

WikiLeaks is an international non-profit media organization that publishes submissions of otherwise unavailable documents from anonymous sources and unnamed leaks. It has no association to Wikipedia, which confuses a lot of people. WikiLeaks was launched in 2006 and is run by The Sunshine Press. Within a year of its launch, the site claimed a database that had grown to more than 1.2 million documents.

WikiLeaks has been responsible for the release of extremely controversial wartime videos and documents. In April 2010, they posted a video showing the slaughter of Iraqi civilians; the Iraq War Logs were posted in October and most recently they are known for releasing a series of diplomatic cables. The leak of the Iraq War Logs included over 400,000 controversial documents that were released with the help of major media groups.

The most recent controversy is because WikiLeaks says it has 251,288 cables sent by American diplomats over the last 40 years that it plans to release over the next few weeks and months. One of these cables seems to show an order by United States Secretary of State Hillary Clinton to diplomats to obtain credit card and frequent flier numbers of the French, British, Russian and Chinese delegations to the United Nations Security Council.

Many wonder how WikiLeaks can hide the sources of their documents and information. The site boasts that they use state-of-the-art technology that allows them to bounce the encrypted information from country to country to hide the trail and protect their sources. Countries such as Sweden and Belgium have given them legal protection.

It’s fairly apparent that the source of these documents is an inside job. Someone inside of the State Department, or other entity with access to State Department records, is leaking these documents with impunity.

This recent leak has led to an open criminal investigation by the Department of Defense. Senator John McCain, R-Arizona, called the WikiLeaks episode “an incredible breach of national security.” I have to agree with him a bit. I believe in government transparency, but there are areas where information control trumps disclosure. Unless I read the individual documents in question, I wouldn’t know how to rule on this case – but it doesn’t matter, because they are already out there.

So far a single low-ranking U.S. soldier, Pfc. Bradley Manning, is the only person charged and held in custody in connection with the leaks.

Jeh Johnson, the Pentagon’s top lawyer, said WikiLeaks has openly solicited people on its web page to break the law and provide classified information. “I don’t view WikiLeaks as journalism,” said Johnson. Johnson said he was briefed regularly on the open criminal investigation by the Department of Justice.

John Sileo delivers keynote speeches on topics of information exposure and control.

Identity Theft Expert John Sileo on 60 Minutes


During a recent 60 Minutes interview, I was asked off camera to name the Achilles’ heel of an entire country’s data security: what exactly were the country’s greatest weaknesses? The country happened to be New Zealand, a forward-thinking nation smart enough to take preventative steps to avoid the identity theft problems we face in the States. The question was revealing, as was the metaphor they applied to the discussion.

Achilles, an ancient Greek superhero — half human, half god — was in the business of war. His only human quality (and therefore his only exploitable weakness) was his heel, which when pierced by a Trojan arrow brought Achilles to the ground, defeated. From this Greek myth, the Achilles’ Heel has come to symbolize a deadly weakness in spite of overall strength; a weakness that can potentially lead to downfall. As I formulated my thoughts in regard to New Zealand, I realized that the same weaknesses are almost universal — applying equally well to nations, corporations and individuals.

For starters, let’s assume your business is strong, maybe even profitable in these tough economic times. In the spirit of Sun Tzu and The Art of War, you’ve dug in your forces, preparing for a lengthy battle: you’ve reduced costs, maximized your workforce, and focused on your most profitable strategies. As your competitors suffocate under market pressure, you breathe stronger as a result of the exercise. But like Achilles, your survival through adversity blinds you and even conditions you to ignore pending threats. You begin to think that your overall strength translates into an absence of weaknesses; and in general, you might be right. But Achilles didn’t die because of his overall strength, which was significant; he died because he ignored critical details. What details are you and your company ignoring?

Information, like Achilles himself, is power. And maintaining control and ownership of your information is quite possibly the most threatening Achilles’ heel any data-reliant business faces. Companies that don’t actively take control of their data are prime targets for identity theft, social engineering, data breach, corporate espionage, and social media exploitation. Regardless of your title, you have a great deal to learn from Achilles’ mistakes, and a significant opportunity to protect your own corporate heel.

Achilles’ 3 Fatal Mistakes and How to Avoid Them

Admit Your Vulnerabilities. Achilles forgot that he was human, failing to take inventory of his weakness in spite of superior strength. Though his faults were limited — a small tendon at the base of his foot — his failure to protect himself in the right spots proved fatal. When protecting data, it is imperative to understand that your greatest vulnerabilities lie with the people inside of your company. No matter how secure your computer systems, no matter how much physical security you deploy, humans will always be your weakest link. The more technological security you implement, the quicker data thieves will be to attempt to socially engineer those inside your company (or pose as an insider) to capture your data. Admitting vulnerabilities doesn’t have to be a public, embarrassing act. It can be as simple as a quiet conversation with yourself and key players about where your business is ignoring risk.

The three greatest human vulnerabilities tend to be:

  1. Unawareness of the risks posed by data loss,
  2. Lack of emotional connection to the importance of data privacy (personally and professionally) and its effect on profitability, and
  3. Misunderstanding that in a world where information is power, it’s no longer about whom you trust, but how you trust.

These symptoms suggest that your privacy training has either been non-existent or dry, overly technical, policy related and lacking a strong “what’s-in-it-for-me” link between the individuals in your organization and the data they protect every day.

If this is true inside of your business, rethink your training from this perspective: your audience members (employees) are individuals with their own identity concerns, not just assets of the company who can be forced to follow a privacy policy that they don’t even pretend to understand. By tapping into their personal vulnerabilities regarding private information (protecting their own Social Security Number, etc.), you can develop a framework and a language for training them to protect sensitive corporate information. As in martial arts, where you channel your opponent’s energy to your favor, use your employees’ humanness to your advantage. Pinpoint these vulnerabilities and shine the light of education on them.

Fight Prevention Paralysis. One of the most unfortunate and destructive character traits among humans is our hesitation to prevent problems. It is human nature to invest time to prevent tragedy only after we’ve experienced the pain that results from inaction. We hop on the treadmill and order from the healthy menu only after our heart screams for attention. We install a home security system only after we’ve been robbed. Pain motivates action, but the damage is usually done. You can bet that had he the chance to do it all over again, Achilles would slap a piece of armor around his heel (just like TJMAXX would encrypt their wireless networks and AT&T would secure their iPad data).

Prevention doesn’t get the proper attention because its connection to the bottom line is initially harder to see. You are, in essence, eliminating a cost to your business that doesn’t yet exist (the costs of a future data breach: restoring and monitoring customer credit, brand damage, stock depreciation, legal costs, etc.). This seems counterintuitive when you could be eliminating costs that already exist. But here is the flaw in that method of thinking: the cost of prevention is a tiny fraction of the cost of recovery. When you prevent disaster, you get a huge return on your investment (should a breach ever occur). Statistics say that a breach will occur inside of your organization, which means that by failing to invest in prevention you are consciously denying your organization a highly profitable investment. Why would you insure your business against low percentage risks (fire), but turn the other way when confronted with a risk that has already affected 80% of businesses (data breach) and has an almost guaranteed double digit ROI? It is your responsibility to demonstrate how the numbers work; spend small amounts of money preventing, or vast sums of time and money recovering.

Harden the Riskiest Targets. Once you have admitted to and cataloged your vulnerabilities and allocated the resources to protect them, it is time to focus on those solutions with the greatest return on your investment. A constant problem in business is knowing how to see clearly through information overexposure and pick the right projects. Just think of how much stronger Achilles would have been had he placed armor over his heel (which was human) rather than his chest (which was immortal). There is no financially responsible way to lower your risk to zero, so you have to make the right choices. Most businesses will gain the greatest security by focusing on the following targets first:

  1. Bulletproof Your People. Most fraud is still committed the old-fashioned way – by manipulating trusting, unsuspecting people inside of your organization. Train your people for what they are: the first line of defense against fraud. Begin by preventing identity theft among your staff and then bridge this personal knowledge into the world of professional data privacy.
  2. Protect Your Mobile Data. Laptops, smart phones and portable drives are the most common sources of severe data theft. The solution to this very powerful and ubiquitous form of computing is a quilt-work of security including password strengthening, data transport limitations, access-level privileges, whole disk and wireless encryption, VPN and firewall configuration, physical locking and human decision making (e.g., don’t leave it unattended the next time you get coffee at your corporate conference).
  3. Prevent Insider Theft. Perform thorough background checks, reference verification and personality assessment to weed out dishonest employees before they join your organization. Implement an ongoing “honesty meter” for your employees that ensures they haven’t picked up bad or illegal habits since joining your company.
  4. Classify Your Data. Develop a system of classification that includes public, internal, confidential and top secret levels, along with secure destruction and storage guidelines.
  5. Anticipate the Clouds. Cloud computing (when you store your data on other people’s servers) is quickly becoming a major threat to the security of organizational data. Whether an employee is posting sensitive corporate info on their Facebook page (which Facebook has the right to distribute as they see fit) or you are storing customer data in a poorly protected, non-compliant server farm, you will ultimately be held responsible when that data is breached. You must be aware of who owns that data, today and in the future, when your storage company is bought out or goes bankrupt.
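Items 2 and 4 above (mobile data and data classification) only pay off if the storage and destruction guidelines are actually checked against what the organization holds. The following is an added example, not code from the original post or from the author, showing one way to express such a scheme as a small policy check: the four levels named above are mapped to hypothetical rules (permitted storage locations, whether full-disk encryption is mandatory, retention period before secure destruction), and a constructed asset inventory is audited against them. The rule values, store names and sample assets are assumptions chosen for illustration.

```python
"""Policy-as-code audit for a four-level data classification scheme.

Added example; the levels come from the post, the handling rules and the
sample inventory are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import List


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    TOP_SECRET = 3


# Hypothetical handling rules per level:
#   stores      - where data of this level may live
#   fde         - full-disk (or equivalent) encryption mandatory on that store
#   retain_days - days after creation before secure destruction is due (None = no limit)
RULES = {
    Level.PUBLIC:       {"stores": {"internal", "laptop", "cloud", "phone"}, "fde": False, "retain_days": None},
    Level.INTERNAL:     {"stores": {"internal", "laptop", "cloud"},          "fde": False, "retain_days": 3650},
    Level.CONFIDENTIAL: {"stores": {"internal", "laptop"},                   "fde": True,  "retain_days": 1825},
    Level.TOP_SECRET:   {"stores": {"internal"},                             "fde": True,  "retain_days": 365},
}


@dataclass
class Asset:
    name: str
    level: Level
    store: str        # "internal", "laptop", "cloud" or "phone"
    encrypted: bool   # full-disk encryption in place on the store
    created: date


def audit(asset: Asset, today: date) -> List[str]:
    """Return the policy violations for one asset (empty list means compliant)."""
    rule = RULES[asset.level]
    problems = []
    if asset.store not in rule["stores"]:
        problems.append(f"{asset.name}: {asset.level.name} data may not be stored on '{asset.store}'")
    if rule["fde"] and not asset.encrypted:
        problems.append(f"{asset.name}: {asset.level.name} data on '{asset.store}' requires encryption")
    if rule["retain_days"] is not None:
        due = asset.created + timedelta(days=rule["retain_days"])
        if today > due:
            problems.append(f"{asset.name}: retention expired {due.isoformat()}, secure destruction overdue")
    return problems


def audit_inventory(assets: List[Asset], today: date) -> List[str]:
    """Audit every asset and return all findings in inventory order."""
    findings = []
    for asset in assets:
        findings.extend(audit(asset, today))
    return findings


# Constructed sample inventory (not real data); the audit date is fixed so the
# result is reproducible.
SAMPLE_TODAY = date(2010, 12, 1)
SAMPLE = [
    Asset("press-release.pdf", Level.PUBLIC, "cloud", False, date(2010, 1, 1)),       # compliant
    Asset("customer-list.xlsx", Level.CONFIDENTIAL, "laptop", False, date(2010, 6, 1)),  # unencrypted laptop
    Asset("merger-memo.docx", Level.TOP_SECRET, "cloud", True, date(2010, 9, 1)),     # wrong store
    Asset("old-hr-records.csv", Level.CONFIDENTIAL, "internal", True, date(2004, 1, 1)),  # past retention
]


def run_sample() -> List[str]:
    """Convenience entry point: audit the constructed inventory (3 findings expected)."""
    return audit_inventory(SAMPLE, SAMPLE_TODAY)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The point of keeping the rules in one table is that "secure destruction and storage guidelines" become something an inventory can be checked against on a schedule rather than a document nobody reads; the unencrypted laptop case is exactly the mobile-data failure item 2 warns about.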

We have much to learn from the foresight of New Zealand; they are an excellent example of how organizations should defend their Achilles’ heel. To begin with, they have begun to acknowledge their vulnerabilities in advance of the problem (in fact, their chief vulnerability is that dangerous form of innocence that comes from having very few data theft issues, so far). In addition, they are taking steps to proactively prevent the expansion of identity theft and data breach in their domain (as evidenced by the corresponding educational story on 60 Minutes). Finally, they are targeting solutions that cost less and deliver more value. I was in New Zealand to instruct them on data security. Ironically, I gained as much knowledge on my area of expertise from them as I believe they did from me.

John Sileo speaks professionally on identity theft, data breach and social networking safety. His clients include the Department of Defense, the FDIC, FTC, Pfizer and the Federal Reserve Bank. Learn more about bringing him in to motivate your organization to better protect information assets.

Information Survival: Your Life Depends on It


I became a professional identity theft speaker because my business partner used my identity (and my business’s impeccable 40-year reputation) to embezzle more than a quarter million dollars from our best, most trusting customers. Thanks to drawn-out criminal trials and a seriously impaired lack of attention to my business, I suddenly found myself without a profession.

So I wrote a book about my mistakes, and with a little luck, it led to a speaking career based in first-hand experiences with data theft. The formula works – sharing my failure to protect sensitive information and losing just about everything as a result – my wealth, my business, my job and nearly my family – is a powerful motivator for audiences, both as individuals and professionals. People only understand and act upon the corrosive nature of this crime when they can taste its bitterness for themselves. My goal has always been to provide a safe and effective appetizer of data theft that convinces audiences to feed on prevention rather than recovery.

But I’ve realized through my contact with exceptionally smart people, from the Pentagon and Department of Homeland Security to Fortune 500 executives and privacy experts, that identity theft (and its close business relative, data breach) is just a symptom of a larger movement undermining personal lives and profit margins on a daily basis — a movement that demands we be trained in the art of information survival.

What is Information Survival?

We are bombarded by information, 24 hours a day – 24/7 news, email, Facebook, Twitter, LinkedIn, YouTube, texting, instant messaging, voice mail, cell phones – and the mobile revolution means that we have access at all times of the day, everywhere we go. Confronted by so much data, we are often forced to process it instantly, relying on shortcuts and bad data along the way to make rapid decisions at digital speeds. And when we make rapid decisions, we often make mistakes.

Recently, Tyler Clementi, a student at Rutgers University, witnessed the cruel speed and ubiquity of information when his roommates posted a YouTube video of him having what he believed was a private sexual encounter in his dorm room. Humiliated, Tyler made a rushed decision to throw his young life over the George Washington Bridge. His is the cruelest failure of information survival because Tyler never had a chance to control the information, the video, that would destroy him. Thankfully, we can teach other youngsters how to control what information they can control, and how to survive the rest.

Best-selling author Larry Winget put it well in a post on my Facebook wall last week:

I agree that teaching our children not to bully others is an issue that must be addressed – but teaching our children not to be victims of bullies is more important. — Larry Winget (emphasis mine)

Information survival is the skill set that allows each of us to weather the downsides of a data-driven economy, to thrive in a knowledge-is-power world without stooping to use information as a weapon, like Tyler’s roommates did. Information survival is part data control, part self-esteem.

When we consciously withhold certain information from our Facebook profile (date of birth, hometown, current location), we are engaging in information survival. When the United States forms a task force to defend our power plants, stock markets, banks, air traffic control, water supply and phone connections against cyber attack, we are acknowledging the power of information, and the imperative of survival training. The company employee who refuses to transmit sensitive data on an unprotected wireless connection in a cafe, the executive who leads by example while instilling a culture of privacy in his corporation, the college student who understands the destructive power of their next post — these are all examples of information survival in action.

Don’t wait to train your people on information survival – whether they are your kids, your employees, or yourself.

John Sileo is a professional speaker on information survival, social media exposure, identity theft and cyber crime for the Department of Defense, Fortune 1000 companies and any organization that wants to protect the profitability of their private information. Contact him directly on 800.258.8076 or visit his speaker’s website at www.ThinkLikeASpy.com.