
Steps Toward Tracking And Managing Your Digital Footprint

Even if you're not ecologically inclined, you've probably heard the term "carbon footprint," a phrase that refers to the amount of excess carbon an individual, family or organization contributes to the earth's atmosphere. But are you as aware of your "digital footprint"? You should be.

The cyber dictionary netlingo.com defines digital footprint as "the trail you leave in cyberspace and on any form of digital communication." Hackers, identity thieves and other cyber crooks can mine your digital footprint for personal identifying information and misuse it. Companies may use legally collected information to market to you, and potential employers may review public parts of your footprint, such as your social media presence, when considering you for a job.

It pays to not only be aware of your digital footprint, but to also take steps to manage it.

Making tracks

So how does a digital footprint occur? Simply put, everything you do in cyberspace (emails, text messages, Web browsing, logging on or off a network, and so on) leaves a trail. Some of the information that makes up that trail you share voluntarily, such as anything on your social network profile, but other parts are recorded invisibly, without your express consent or knowledge.

Most of us have only a rudimentary understanding of how to follow our own digital footprints (think backtracking through your browser history to find that cool site you came upon the other day). Cyber crooks, however, know how to track your trail straight to usable information.

With the use of mobile devices such as smartphones and tablets becoming widespread, the average person's digital footprint has grown even larger.

Managing your footprint

You can take steps to minimize the privacy issues and identity theft risks associated with your digital footprint. It's important to realize that it is virtually impossible to entirely erase your digital footprint. Instead, focus on management techniques to ensure your footprint is small and positive.

• Track your own footprints as much as possible. You can find online calculators that can help you understand the reach of your digital footprint. Open your Web browser and search for your own name. Take steps to remove your information from mailing lists and Web lists.

• Another way to narrow your footprint is to delete all your social media accounts - something most of us aren't willing to do. A better option is to carefully review privacy settings on all your social media accounts, and choose settings that ensure the maximum protection for your information.

• When working online, always read a website's privacy policy (no matter how long and dull) before entering any personal information on the site. When shopping online, only deal with reputable websites that have demonstrated security measures in place.

• Regularly clear cookies and history from your browser, especially if you've used a public PC (such as in a hotel business center) for personal business. Avoid conducting personal online business over unsecured wireless networks.

As our digital lives continue to evolve, so will the ways in which we leave tracks through cyberspace. Taking steps to manage your digital footprint can help ensure cyber criminals never pick up your trail.

What Medicare Fraud Means To You

Americans spend decades protecting their Social Security numbers - not carrying their cards in their wallets, carefully parsing who they share the number with, monitoring their Social Security statements for signs of fraud. So many people are shocked when they first enroll in Medicare only to find that the card they must carry and show in order to obtain health care services bears their Social Security Number.

With few exceptions, Medicare identity card numbers are the carrier's Social Security number, a fact which has spurred an alarming volume of Medicare fraud and identity theft cases. Enterprising identity thieves can use a stolen Social Security number to open new credit accounts and commit a range of other types of theft and fraud.

The financial impact of Medicare fraud is far-reaching, affecting not only individuals but the American economy as well. Since its founding in 2009, the federal Medicare Fraud Strike Force has nabbed nearly 600 people connected with almost $2 billion in fraudulent billings, according to the U.S. Department of Health and Human Services. A May operation netted 89 suspects, including doctors, nurses and other licensed health care professionals, for schemes that involved about $223 million in faked billings.

If you'll soon be enrolling in Medicare, or if you're already on Medicare, it's essential to take steps to catch fraud and prevent identity theft. Preventive actions include:

• Present your Medicare card only on an initial visit to a new health care provider. For subsequent visits, take a photocopy of the card and trim it to remove the last four digits of your number, so that if the copy is lost or stolen, your entire number won't be compromised.

• Record the dates of doctor visits and exams, and what services you received. Compare saved receipts and your records to your Medicare claims statement to ensure Medicare wasn't billed for services, medications or other items you didn't receive.

• If you spot an error on your statement and the provider can't explain or clear up the discrepancy, report your suspicions to Medicare at 1-800-MEDICARE (1-800-633-4227).

• Monitor your credit report and financial accounts regularly. Often, these are the first places identity theft and fraud will show up. Catching crime quickly may help mitigate the damage.

• Never lend your Medicare card to someone else to obtain services or medications. It's against the law, and could put you at risk of both identity theft and criminal prosecution.

AARP's Ms. Medicare blog notes that many consumer groups and government agencies have advocated changing Medicare identification so that it no longer uses Social Security Numbers. However the cost and logistics - at least $800 million over a five-year period to update 47 million Medicare card holders, and billions of doctor's office, hospital and other records - make it unlikely a change will occur any time soon, AARP says.

Old School Scams Make a Comeback


Scammers don’t need to be master hackers to bust into your bank account. A pen and paper can be enough—especially if the paper comes from a lost or stolen checkbook.

Cyber crimes may rule the headlines, but old school scams are making a comeback—and some of them never really went away. Check fraud, for example, is one of the oldest forms of payment fraud and one of the most persistent. About 87 percent of financial professionals said their companies experienced check fraud, according to the 2013 Payments Fraud and Control Survey.

“One of the simplest and most prevalent ways to commit financial crime, to steal money, is to commit some form of check fraud,” said James Freis Jr., former director of FinCEN, a bureau of the U.S. Treasury Department.

Check fraud continues to be a problem for a number of reasons. Billions of checks are processed every year, making it challenging to do a review of each check to prevent fraud. Plus, criminals now have easy access to basic desktop publishing tools, increasing their chances of success.

A Retiree’s Story

Check fraud was the last thing on William Barker’s mind when he reviewed his bank account balance to make sure his monthly retirement check had been deposited. It had arrived safely, but he noticed something else: A check for $4,500 had been cashed. It bore his wife’s signature and a note that read “1984 motor home.”

There was just one problem: Barker and his wife didn’t buy a 1984 motor home.

When the doors of his bank opened that morning, Barker was there to dispute the transaction and begin the tedious process of recovering his money.

"For us, $4,500 is a lot of money," he said. “We’ve always been real vigilant about our finances, so this was quite a blow.”

Fortunately, Barker’s home insurance policy provided him with identity management services from IDentity Theft 911 at no cost. A seamless transfer from the claims department put him in touch with fraud investigator Bridgette Novak.

Novak took immediate steps to protect Barker’s credit:

• She made sure he filed a police report.
• She confirmed that he spoke with the bank to dispute the transaction, close his account and open a new one to avoid future fraud.
• She placed a 90-day fraud alert on his credit file.
• And she connected him with ChexSystems to see if anyone had tried to open bank accounts with his information.

“Bridgette immediately made us feel better, like everything was going to be OK,” Barker said. “We know we don’t have anything to worry about because if we have more fraud, she’ll be there to take care of it.”

Barker’s bank ultimately restored the funds to his account, but he and his wife are still on guard for suspicious activity on all their accounts.

Novak offered some tips for consumers to protect themselves against check fraud.

1. Keep your checks in a secure location. Don’t leave them in a car, at work or out in the open at home.
2. Review your checking accounts regularly for suspicious activity.
3. Pick up new checks at a local bank branch. Avoid having them sent by mail.
4. Never include personal data on the check. That includes your Social Security number, driver's license number, phone number and address.
5. Drop bills paid with checks at the post office instead of in your mailbox.

Barker has taken it one step further. "If you can avoid it, don't use checks at all," said Barker, who now uses debit cards instead of checks. "It's just not worth it."
Q&A: Everything You Need to Know About Social Bots

Social bots are programmed to appear as real people on social networks—tweeting and retweeting, amassing followers, even having matching Facebook accounts. Filippo Menczer, an Indiana University professor and a principal investigator for Truthy, a research program that tracks bots and Twitter trends, explains how social bots can increasingly manipulate consumers.

What is a social bot and how does it work?

A social bot is a piece of software that is designed to have a presence on the Internet—especially on social media—and is engineered to achieve some purpose. Typically they’re designed to make something appear to be happening that isn’t. They can impersonate someone and post as this person, thereby promoting a message. Spammers can do this to promote content or an idea to convince someone to do something. Social bots can be used to create a smear campaign, to promote legislation, or to make it look like many people are responding to something to make a topic trend. Social bots can make a website, a hashtag, a person or user become popular.

For example, we know from social theory that people are more likely to change behavior or adopt a new behavior—say voting or buying something—when they’re exposed to multiple people they know exhibiting or promoting that behavior. Well, creating the image that multiple people are buying something or voting in a particular way could have very real implications.

Why should people care about the rise of these bots?

People should care because no one wants to be manipulated. Social media is becoming very popular and prevalent. A large number of people are interacting on Facebook and Twitter—here and around the world in other large countries—and on clones such as Renren in China. Statements made on social media, the patterns on these networks, affect our personal choices and behaviors. What we see online informs our voice, our opinion when we buy something, how we vote, when we decide to sign a petition.

As with all new technologies there’s an initial period when we’re naive to possible negative repercussions. But it’s our job to become aware and protect ourselves against them. We’ve learned to develop spam filters for email and malware removal software for our computers. Now we need to realize that comments on social media may not be coming from a real person. A statement backed by 1,000 people may be coming from a single programmer.

A recent New York Times news story said that social bots could be used “to sway elections, to influence the stock market, to attack governments.” Are these likely scenarios we can expect in the near future? 

Nobody knows for sure if they were used to sway elections, but we know people have tried. It’s not my work, but some of my colleagues in Boston presented a paper at the Web Science conference in 2010 on an attack by social bots that happened the night before the special election to replace Sen. Kennedy in Massachusetts. The attack was against the Democratic candidate and was either false or misleading, depending on your political beliefs. There were 10 of these social bot accounts and they posted on the same topic with a link to a site with a fake or alleged statement by the candidate, targeting thousands of users. This is a technique used by spammers so Twitter identified it. The accounts were taken down in two hours, but in that time Republican voters retweeted it, and kept it alive. So, the next day when one typed the Democratic candidate’s name into Google, the first thing that came up was this fake news, because Google pulled live election news from topics trending on Twitter. Whether it swayed the election, we don’t know, but we do know it generated 60,000 tweets. My colleagues did find out that a well-known PAC was behind it, the same people behind the Swift Boat Veterans for Truth campaign.

In other instances people have shown that Twitter can be used to predict movements in the stock market, and even election outcomes, so if some of this chatter is generated by bots, well, you can put two and two together. Just recently Apple stock rose very much because a famous investor said on Twitter that he thought it was undervalued. You can imagine a fake investor, or group of fake investors, generating false information to capitalize on it. Someone could get very rich with those movements.

As for attacking governments or political groups, we’ve already seen this. Social media has done a lot in government resistance circles, from the Occupy movement to more extreme cases in Russia, Georgia—the country, not the state—Iran and, more recently, in Turkey, Syria, and Egypt. Groups have mobilized on Twitter and Facebook and other parties have flooded Twitter and Facebook with fake or misleading messages to dilute that information. Someone posts that the protest is in this square, but then fake information is inserted with the same hashtag (Twitter topic marker) that says, “No, it’s in this square.” This is a very unsophisticated but effective way social bots can disrupt communication.
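The attack described above (a handful of accounts pushing one link on one topic within minutes of each other) leaves a recognizable shape in the data: many distinct accounts, near-identical text, the same URL, a very short time window. The check below is an added example written for this page; it is not Truthy's code or Professor Menczer's. The sample feed, the account names, the 60-second window and the four-account threshold are all constructed assumptions.

```python
"""Flag accounts that amplify the same link in lock-step.

Added example for this page, not code from Truthy or the interview.
Heuristic: a burst of near-identical posts carrying the same link from
many distinct accounts inside a short window is what a small bot network
looks like in a timeline. Window and threshold values are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://\S+")

# Constructed sample feed: (account, ISO timestamp, text). Not real posts.
SAMPLE_POSTS = [
    ("bot_a1", "2010-01-18T21:00:03", "Did you see this? http://example.test/statement #MASen"),
    ("bot_a2", "2010-01-18T21:00:05", "Did you see this? http://example.test/statement #MASen"),
    ("bot_a3", "2010-01-18T21:00:09", "did you see THIS http://example.test/statement #masen"),
    ("bot_a4", "2010-01-18T21:00:11", "Did you see this? http://example.test/statement #MASen"),
    ("bot_a5", "2010-01-18T21:00:14", "Did you see this? http://example.test/statement #MASen"),
    ("alice",  "2010-01-18T21:40:00", "Snow day tomorrow, kids are thrilled"),
    ("bob",    "2010-01-18T22:05:00", "Watching the debate replay http://news.example.test/debate"),
    ("carol",  "2010-01-19T08:10:00", "RT @bob Watching the debate replay http://news.example.test/debate"),
]


def normalize(text: str) -> str:
    """Collapse case, whitespace and a leading 'RT @user' so trivial variants compare equal."""
    text = re.sub(r"^rt\s+@\w+:?\s*", "", text.strip().lower())
    return " ".join(text.split())


def find_bursts(posts, window=timedelta(seconds=60), min_accounts=4):
    """Return {url: sorted account list} for every link that at least
    `min_accounts` distinct accounts posted inside any `window`-long span."""
    by_url = defaultdict(list)
    for account, ts, text in posts:
        for url in URL_RE.findall(text):
            by_url[url.lower()].append((datetime.fromisoformat(ts), account, normalize(text)))

    bursts = {}
    for url, events in by_url.items():
        events.sort(key=lambda e: e[0])
        flagged = set()
        start = 0
        # Sliding window over the time-ordered events for this URL.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            accounts = {acct for _, acct, _ in events[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged |= accounts
        if flagged:
            bursts[url] = sorted(flagged)
    return bursts


def flag_accounts(posts, **kwargs) -> set:
    """Union of all accounts that took part in any burst."""
    flagged = set()
    for accounts in find_bursts(posts, **kwargs).values():
        flagged.update(accounts)
    return flagged


if __name__ == "__main__":
    for url, accounts in find_bursts(SAMPLE_POSTS).items():
        print(f"{url}: {len(accounts)} accounts in lock-step -> {accounts}")
```

Two people sharing the same news link hours apart (bob and carol in the sample) do not trip the check; five accounts dropping the same link inside eleven seconds do. In practice the window and threshold would be tuned against a baseline of how fast genuinely popular links spread.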

You commented in the Times on how oversharing and information saturation is contributing to the rise of the social bot? Can you elaborate?

Indeed, this is the very point I was trying to make. There are a number of things that contribute to social bots. First, we are in an attention economy. Information is abundant, but attention is scarce. So what we decide to pay attention to gets popular. But just because information becomes popular doesn’t mean it’s more valid or truer or better than other information. It just got our attention. Observation No. 2: Social media is how we’re observing so much of this information, deciding on its popularity, and these decisions affect other choices we make—our shopping or voting preferences, say. No. 3: The more friends we have, the more invested we are in social media, the less time we have to verify and vet our network, so we’re losing the personal connection—as these things were originally intended to provide. We become more susceptible to the manipulation of that social reinforcement effect I mentioned earlier. If five of my friends have the newest phone and endorse it, it’s likely I will want the newest phone, for example. That opinion on the newest phone may come from a person we trust, or it could have come from another person who retweeted someone they trust, but all it takes is one person in that chain to be duped. So if information comes from our friend, we tend to believe it came from that friend, but the more people we engage with on our social networks, the easier it is to make a mistake on the source—and the less reliable that piece of information becomes.

We hear on the news this video has been watched one million times. We’re compelled to watch it. What if I told you it was watched by 100,000 people and 900,000 bots? We’d feel differently about it, but we don’t focus on that, we focus on that one million number. And the point of online marketing right now is helping develop viral messages, and there are many unscrupulous people who aren’t afraid to cut corners. Followers on Twitter are an example of this. It was shown that some politicians had huge numbers of followers who, when examined, were not real people, but fake accounts. Well, who has the time to analyze every follower of every politician? So yes, I suspect our limited attention due to information saturation makes us more vulnerable to manipulation.

Kashmir Hill in Forbes recently quoted an expert who said, “Twitter bots loose on the Internet could be a way for attackers to figure out who at an organization is gullible; if you fall for a Twitter bot, you’ll probably fall for a phishing attack.” Here at IDentity Theft 911, when we first heard of social bots, this was our first thought, too. Have bad guys made this connection yet between bots and phishing attacks or data breaches?

I don’t have an authoritative answer for you, but I’m ready to believe it. Here’s why: We had a paper titled “Social Phishing” in 2007 on phishing attacks using a social bot. We ran an experiment where we took open data from online social networks to view an individual’s friend network. This information is easily available; for example if you use Facebook to log into a site, that site now has access to your friend list. Well, all we needed to know was that Alice is friends with Bob, and then we sent Alice a fake message from Bob that simply said “Check this out” with a link to a phishing site. We had two groups receive the same message and link. In one group the message came from a known friend, in the other from a stranger, and 72 percent—72 percent!—of the people who thought the message was from a friend logged into the phishing site with their actual Indiana University user name and password, whereas in the control group 16 percent—which is still huge—logged in with IU credentials. Sixteen percent is much more than we expected, but it’s not 72 percent. We couldn’t believe it.

So you can see how easily, just by creating a profile and getting people to friend you, you can get sensitive information about usernames and passwords in a phishing campaign. Well, a social bot can very easily friend people and get information on their friends. This could be the stupidest social bot in the world, but it can get enough information to be used in a phishing attack. You could make the bot more sophisticated. The bot could make a message that appears to come from two of your friends, or three of your friends. That could be very powerful, and we see it as very scary.

Bots sound like a whole new avenue of potential fraud. They could “court” potential victims by the thousands, no?

Yes, and some people have looked into that. It’s not my work, but the Times cited dating sites as an example. Someone creates a bunch of accounts with very attractive photos, so people on the site are likely to contact them. In an attempt to meet this fake person people disclose information on where they live, what they do, and all that information can be used in a phishing attack or fraud. This is definitely happening. In the Times it was said that when the bots were cleaned from a site, human participation dropped because people didn’t find the site a warm environment—they weren’t bombarded with fake, flattering messages. We all want to be loved. This has been the idea behind brick-and-mortar fraud for centuries, so there’s no reason to expect that it wouldn’t happen online. 

That brings up a good question: What can users do protect themselves against social bots? 

Today, at this time, the only thing a person can do is to be vigilant. Take your mom’s advice: Don’t talk to strangers. Just because they’re online doesn’t mean they’re innocuous. By adding unknown people to your friend networks you can make yourself easy to victimize. You have to be careful whom you talk to online. Don’t talk to strangers. It’s really that simple.

Eventually, we hope to develop counter measures that are automatic in the network, and then we can be a little less careful, because the system will police itself. And of course social media companies are working very hard to delete fake accounts and identify criminals. For example, now on Facebook you can flag someone who tries to friend you if you don’t know them. This presumably puts them on a watch list that can be vetted for trouble. 

What about positives? Can you imagine a way bots could be used to protect children against cyberbullying, say, or to combat phishing bots?

Absolutely. You have to think of social bots as any other kind of mass communication device. If you have a good message—defined by who created it and who’s reading it— then bots could be used to promote that message. It’s just another form of advertising. Brands are using social media en masse to do this. They’re trying to create profiles or pages that are attractive. They’re not stating that they’re people, but they’re trying to persuade you. This could be used to raise awareness against racism or bias or, as one of my IU colleagues is doing, combat the stigma of mental disorders. So yes, definitely, you can have a campaign, positive or negative, that uses software to generate messages, to promote messages, to generate followers, who will listen to your message. This can all be automated. You can make a social bot that alerts followers to an event in their area, or to sign up for a newsletter or sign a petition. All of this can be automated. We even use bots in our research. For example, we would like to promote an app developed in partnership with The Kinsey Institute for Research in Sex, Gender and Reproduction. Spreading the word about the app will foster data collection—for us, it’s basically advertising. Now, would we create a fake account? No. But we can use social bots in a way that’s not frowned upon. We might automate certain posts triggered by events of interest to users, directing users to links with further relevant information.

Some people say technology is neutral; it can be used for good or bad. With bots we shouldn’t brand this technology, but have to accept that it can go either way. This happened with the telephone—people thought it would end face-to-face communication—similarly with the radio, with television. To some degree, with any new technology, bad things will happen. With social bots, they can definitely change our behaviors so we can’t be naive about it.

This Casanova Was An Imposter


Raul Siqueiros knows his way around Facebook. He frequently updates his own personal page, and as a Realtor, he also runs his company page to attract new clients.

He's a social guy. But he had no idea how social he was—how in-demand—until a woman reached out to him. Then another, then another. Eventually more than 50 women contacted him, all asking the same question: Is this the man I've been dating online?

A scammer somewhere had hatched an ingenious plan: Using a "social bot"—software that appears to be a person on social networks—the scammer had created a profile on several dating sites all over the country. The profile not only had Raul's name, but photos of him and of his children, as well as personal details of his life. Some of the women who'd responded to the fake profile were so captivated by him that they obliged requests to send him money, via Western Union. One was about to meet him in person.

This was no dating game.

“I was shocked,” Siqueiros said. “I couldn’t believe it was happening—that someone was using my name and pictures of me and my family to hurt these women.”

Thousands of men and women fall victim to romance scams every year. Lured by promises of love and stories of tragedy, they often send money to their scammers. The FBI’s Internet Crime Complaint Center (IC3) reports that victims of romance scammers lost more than $56 million in 2012, and those numbers are likely higher since many victims are too embarrassed to file complaints.

But now with the development of social bots, it’s becoming easier for bad guys to commit these crimes of the heart.

“They have a larger platform to make these types of scams happen—and they can code a program to automate it and lower their costs to execute the attacks,” said Filippo Menczer, a principal investigator at Truthy, an Indiana University research program that tracks bots and Twitter trends. “This particular group, with a social bot, could contact, say, 100,000 people a day, instead of 1,000.”

The victims

Siqueiros noticed that many of the women who contacted him about the dating scam were older, and they had minimal experience with social media and the Internet. That jibes with national statistics from IC3, which show that women age 50 and older are the biggest victims of online romance scams. Plus, the women were using lesser-known dating sites that were regional in scope.

And, of course, Siqueiros was a victim, too. Though he didn’t fall for a scammer’s false declaration of love, his identity was stolen and misused online. He contacted all the dating sites and requested they take down profiles that used his name and images of his family to target victims. Now when anyone searches his name on the Internet, images appear with watermarks that read, “Fake.”

“It’s annoying because I have to explain I’m not a scam artist when I’m meeting people for work for the first time,” Siqueiros said.

How it started

A little digging revealed that Siqueiros’ problems began with Facebook. All the images used in the fake dating profiles were pulled from his social network during a specific time period—after Siqueiros friended someone for work.

“I do all the things you’re not supposed to do on social media: I post where I’m at, every move I make, all that good stuff,” he said. “If anyone was associated with real estate or showed an interest in real estate, I’d accept their friend request.”

Siqueiros ended up with hundreds of friends he had never met in person, including the scammer who stole his identity. Siqueiros discovered that he friended him because he and the man shared a mutual friend on Facebook. “But when I contacted the mutual friend, he realized he had never met the person.”

Once Siqueiros scrubbed his friend list and deleted the suspected scammer, the calls from concerned women began to taper off.

How to protect yourself

If you’re interested in dating online, experts recommend sticking to nationally known dating sites only. The FBI says you can spot an online dating scammer if they:

1. Ask you to leave the dating website where you met and to communicate via personal e-mail or instant messaging;
2. Profess instant feelings of love;
3. Send you a photograph of himself or herself that looks like something from a glamour magazine;
4. Claim to be from the U.S. and are traveling or working overseas;
5. Make plans to visit you but are then unable to do so because of a tragic event; or
6. Ask for money for a variety of reasons (travel, medical emergencies, hotel bills, hospitals bills for child or other relative, visas or other official documents, losses from a financial setback or crime victimization).

To protect yourself from getting into a situation like the one Siqueiros found himself in, practice safe social media habits. Limit the information you share. Stay updated on privacy policies. Be very wary when interacting with people you don’t know.

“This experience was a big wake-up call,” Siqueiros said. “My advice to people out there is that this can happen to you, too, so be careful, especially on Facebook.”

Q&A: Why SMBs Are Targets For Cyber Crime


Ondrej Krehel is a computer forensics consultant. With more than a decade of experience in computer forensics, he has launched investigations internationally and domestically into a broad range of IT security matters. He is a member of the High Technology Crime Investigation Association (HTCIA), the International Information Systems Security Certification Consortium ((ISC)²) and the International Council of E-Commerce Consultants (EC-Council). He also is a Certified Information Systems Security Professional (CISSP) and a Certified Ethical Hacker (CEH).

Q: One in five small businesses falls victim to cybercrime each year, according to the National Cyber Security Alliance. And of those, some 60 percent go out of business within six months after an attack. Why are hackers turning their attention to small businesses?

A: There are a few elements to consider: First, small to medium-size businesses (SMBs) generally do not have in place the same cyber security practices as larger enterprises. They lack the same type of staff measurement or caution about how to safeguard information. That information can be financial, customer data, personally identifiable information (PII), or data compliance-related. They may not recognize that the data they have in their systems are, essentially, assets. And if they lose those assets—that data—they will lose the business. Second, hackers are attracted to small businesses once they realize that there is nothing much that an SMB or law enforcement can do. Most cyber crime is done over the Internet and in places where law enforcement has no jurisdiction. For example, there is no simple legal agreement between the United States and the European Union on cybercrime.

Q: When hackers shop for a small business to hack, what are they looking for—specific types of vulnerabilities?

A: Most of these businesses don’t understand the complexity of the data in their systems, and they process a significant number of transactions. They’re good targets. SMBs are red flags if they:

• Export to and import from foreign countries. Thirty to 40 percent of SMBs engage in international transactions.
• Wire money to and from foreign countries.
• Conduct business and make payments through international vendors.

When SMBs exchange data with banks and third-party vendors over the Internet, hackers can gain access to a payroll system, generally just one PC, and lock down the company’s PC and bank accounts to do their own transfers. By the time the company is aware of the problem, one-third of the financial transactions are in the hackers’ accounts, and corporate data is lost. For example, Hillary Machinery Inc., based in Plano, Texas, lost $800,000 in unauthorized transfers from its bank in a 48-hour period. The bank retrieved $600,000 but legal battles ensued over security practices. The transfers were initiated from several Eastern European nations.

Q: How do hackers determine that a SMB is vulnerable?

A: They profile SMBs and focus on two types of targets: The first are SMBs engaged in ecommerce and the second are SMBs that engage in international trade.

The ecommerce SMBs use pretty defined Content Management Systems online. These CMSs are often custom-made from online platforms such as Drupal, Mambo, and Joomla for anywhere from $4,000 to $50,000. But the custom-builders often don’t engage in safe coding practices. So the end result is a portal sitting on the Internet with no credentials, or weak credentials for administration. It’s a tool that the SMB uses, but it never really went through vigorous review. When we look at fraud overall, around 60 percent of it originates in ecommerce, according to Verizon’s 2012 Data Breach Investigations Report.

International trade SMBs that import/export are generally registered with a state for Foreign Qualification status. And foreign companies conducting business with American ones on American soil also must register with specific states as business entities in the U.S. So hackers get a list of these companies through public records, look around, and determine which company is the best target. Then the hackers go after companies that are sending wires.

Then the bad guys look at the company sites, their CMSs, and they see where the company is, who is behind it, and so on. These things are very opportunistic. They spend a few minutes on research, and then they say, “This is how I want to get in.” They send spear phishing email to various employees at the company. Once the employee opens it up, the system is compromised. And they go right after the financial transaction PC from the compromised computer. Generally, it’s the attachment that an employee opens that gets them.

Q: The definition of an SMB varies, but it is often explained by the number of people employed and annual revenue. Symantec Corp.’s 2013 Internet Security Threat Report focused on businesses with fewer than 2,500 employees. How do hackers size up SMBs?

A: One measurement hackers use to identify SMBs is their earning picture. They look at the earnings per employee for publicly traded companies. Hackers are not necessarily targeting the mom-and-pop pizza shop down the street where the earning picture may not be high. They target SMBs that are connected, that accept customer credit cards (PCI DSS Data) and use wires for payments. For example, hackers recently attacked an SMB that imports carpets from Eurasia. The SMB, based in New York, was very profitable. It had only two owners and two employees. Though the company had cyber liability coverage, it didn’t have enough. It was hit very hard. Also, think of suppliers for companies like Macy’s. The suppliers themselves may not import goods, but they serve as an umbrella for smaller boutique firms that import from overseas.

Q: How should SMBs take steps to protect themselves?

A: It’s very hard for SMBs to do this on their own. They may consider shifting their security environment into a cloud solution rather than trying to host it internally, because internally they most likely won’t be able to sustain the pressure. They have to look at other tools available. Maybe the state where they operate has cyber secure programs that they can utilize. For example, instead of using a payment system on their site, they can redirect payments to a third-party system using tools that the hackers can’t get to. The goal is for the SMBs to offset the liability. Sometimes the best option is to look at what you have, see who else can do it for you more securely, and then evaluate the cost.

Cyber attacks cause many SMBs to go out of business. The main reason is that almost none of them have sufficient cyber liability coverage. Another important step: SMBs should make sure they have a data breach policy that covers them for the steep costs they may face to comply with state and federal data breach laws, as well as potential lawsuits from victims. SMBs should be sure to select a coverage that offers value-added benefits such as access to expert service providers that deliver data assessments proactively, to protect against a breach, as well as breach response solutions.

There are two basic types of policies: first-party coverage and third-party coverage, which is usually added on to the first-party policy. First-party coverage covers the hard costs a company faces when responding to a breach, such as letters notifying affected customers. Third-party coverage gives protection to companies responding to third-party liability claims, such as damages caused by a vendor. Coverage is key. Say an SMB was breached and 50,000 credit card numbers were exposed. It’s going to cost the business approximately $250,000 in remediation costs, and that doesn’t even include fines and penalties from regulators and the PCI DSS Council. That’s maybe what that owner is making a year. It may be too much for the SMB to swallow that cost.

Shut Out Hackers with Vulnerability, Penetration Testing

By Mark McCurley

Many companies inadvertently give hackers an easy way into their networks by failing to stay on top of vulnerabilities, or weaknesses in their software, hardware or network configurations.

The No. 1 reason: IT departments lack the resources, tools, processes and oversight to stay on top of patch management. Information systems and web applications that remain unpatched or poorly configured for long periods of time leave a business at risk of a data breach or system outage.

Companies can protect information systems and sensitive data from unauthorized access by proactively uncovering those weaknesses before an outage or a data breach occurs. The key is to work with a trusted data security firm that can perform the following against targeted networks, Web applications and information systems:

• A comprehensive vulnerability scan
• A web application scan
• A penetration test

These scans and tests—conducted through a combination of automated security tools and manual techniques—will detect holes in a firm’s software applications, hardware or network, and provide a detailed report, analysis and remediation steps to mitigate those vulnerabilities.

Be sure to look for a provider that, like IDT911 Consulting, can conduct:

• Vulnerability scanning and reporting that checks internal and external network or information systems and provides a comprehensive report on findings, plus recommended remediation steps.
• Web Application scanning and reporting to scan external or internal facing Web applications for vulnerabilities such as XSS, SQL injection and CSRF. A detailed report of findings and recommended mitigation steps is key.
• Penetration testing using manual and automated techniques to test defenses against intrusion.
• Analysis and report on findings in which the scan reports are analyzed to interpret the severity of risk and recommend steps to fix vulnerabilities.
• Continuous monitoring after the initial scanning phase to perform ongoing periodic scanning that ensures new vulnerabilities are detected during the lifecycle of information systems and web applications.

Mark McCurley is senior information security officer for IDT911 Consulting.

Four Steps to Stronger Vendor Security

By Deena Coffman

When it comes to entrusting your company’s sensitive information to suppliers and contractors, out of sight shouldn’t be out of mind.

Consider these vendors, all of which have experienced a data breach in the past two years: Adobe, LexisNexis, Dun & Bradstreet, Kroll Background America a/k/a HireRight, J.P. Morgan, State Farm, Kaiser Permanente and Epsilon.

What if one of them was on your vendor list? You wouldn’t know critical data was compromised unless your contract required the vendor to notify you after a security breach.

A company’s future revenues and profitability are jeopardized when confidential business information is exposed through the disclosure of proprietary information or penalties for noncompliance with data breach and privacy regulations. For this reason, it’s important to make sure suppliers and contractors handle business information assets with the expected level of care. Third-party security reviews are a good—not to mention widely adopted—approach to protecting information assets when handled by supplier and contractors.

However, a security review of every vendor isn’t necessary. So where to start?

1. First, look for your company’s most important information assets.
2. Next, determine which suppliers and contractors have access to those systems and/or data. To do this, build an information asset inventory. Then, map the data flow as sensitive information comes into your organization, is copied, processed or transferred, and then finally disposed.
3. Now that you know what you want to protect and where it is exposed, list all vendors with access to the exposure points. Remember to check systems, mobile devices, email, websites, databases, and access to facilities, such as those given to waste removal companies or maintenance services.
4. Once you understand which vendors have access to your information and which information is the most sensitive, rank as your first priority the vendors that have the greatest access to the most sensitive level of information. Request that those suppliers or contractors have a review of their security program as it pertains to the information they handle for you. For example, suppliers with recurring, persistent access to sensitive data would warrant a more in-depth review than a contractor with limited access to a subset of information. A full review would involve the physical, technical and administrative controls the organization has for information security and privacy.

Security is like a chain: It is only as strong as its weakest link. An exposure from a weak process or policy could render a large security technology investment ineffective. Conversely, for those circumstances where limited data exposure exists, a self-assessment and contractual protections may be more appropriate than a full review.

Suppliers can gain an advantage over the competition by establishing and demonstrating a strong security posture. They can perform assessments as part of their compliance programs to proactively show clients they’re mindful of security. And they can provide a report of the assessment, with confidential information removed, of course. Additionally, a strong security posture reduces the time and effort to move from proposal acceptance to contract; the process would take longer for vendors that still need to be vetted for security.

One word of caution, however, when using PCI compliance reports as security vetting tools. PCI pertains only to a set of standards that apply to payment card processing. It may or may not be relevant to the information and systems for which you need to have assurance.

Because even the most onerous security standards permit risk management and not risk removal, contractual measures may be substituted. For example, if the security review would be greater than the value of the contract or where access or the amount of data is limited, it may be more advantageous to forego a required security review, and instead, specify some or all of the following in the contract:

• Indemnification against third-party claims, especially IP infringement
• Limitations on liability
• Responsibility during a breach for notification, legal defense and remediation (first- and third-party)
• Insurance minimums
• Information security requirements (such as mandatory encryption)
• Assignment
• Service-level agreements that support incident response needs
• Incident response testing participation
• Insurance
  • Data breach
  • Cyber liability

Risk managers may elect to avoid, transfer or accept information security risks rather than mitigate them through controls. In any event, it should be an informed, deliberate decision. Trust but verify, because regardless of whether a data breach occurs at your facility or through a third-party supplier, your reputation and your revenue ultimately are at stake.

Deena Coffman is CEO of IDT911 Consulting.

Four Do's and Don'ts After a Breach

Companies aim for greater revenues, profits and brand loyalty. They never wish for data to be lost or stolen because a data breach takes away from these three important goals.

But the reality is that a data security incident can happen to any organization—regardless of its size or industry.

The key to handling an exposure is to move swiftly, confidently and lawfully to counter the negative impact of a breach and preserve the company’s reputation. Here are some recommended do’s and don’ts to bolster a response plan:

1. DO contact your general counsel immediately. Your organization will need to follow certain legal requirements. Getting critical direction from experienced counsel is important in order to be compliant with the patchwork of laws that can apply. Remember that breaches don’t just happen when a hacker attacks a network. Mis-mailings, either in paper or electronic format, and lost laptops are breaches. The scale can vary from a single compromised record to the exposure of all the customer data your network holds, but it’s still a reportable breach.

Though seen mainly as a PR issue, breaches actually have a range of compliance implications. Your organization may need to comply with local, state and/or federal legal mandates. Coordinating the right response is likely to require customer-facing communications as well as behind-the-scenes work with regulatory agencies and possibly law enforcement. To meet your obligations, any breach should begin with a discussion with legal counsel.

2. DON’T power equipment off automatically. In an effort to stop a breach, many organizations immediately begin powering down servers, computers, mobile devices, and other network devices. While this may be the proper action to take in some circumstances, it can result in the loss of valuable forensic data in other situations. Also, malware is sometimes able to detect when its host machine has been altered. This could prompt the malicious code to go on a rampage, deleting data or replicating itself as a way to further corrupt any remaining information.

Before doing anything, check with the forensic expert your organization has partnered with to see how you should proceed. You may be able to disconnect the compromised machine from the network rather than turning it off, thus preserving the forensic data needed for a thorough investigation. Because time is of the essence in any breach response, your organization should establish a relationship with an experienced forensic expert ahead of time, and preferably include that expert in incident response testing exercises.

3. DO document your objective findings without adding any speculation. Your documentation should consist only of what you see and can verify. Assumptions, guesses, theories—these all can be misconstrued or forwarded on to others as fact, essentially creating a red herring that may seriously impact the investigation into the breach. Once something is in an e-mail, it may be forwarded to others. You don’t know where or to what extent the misinformation could spread.

Instruct others in your group to follow these same guidelines. Remind them, too, not to discuss the investigation outside the team assigned specifically to respond to the breach. Information pertinent to the investigation must be kept confidential and factual at all times, and details released to individuals not in the incident response team should be reviewed by both the legal and communications teams.

4. DON’T send confusing messages. As recent high-profile breaches have shown, a confusing message can damage your brand. If customers need to reset their account passwords, provide them with clear, concise instructions. The same goes for the implementation of multi-factor authentication protocols and even the activation of credit or non-credit monitoring services.

In addition, it is crucial to avoid communications that have the hallmarks of spam or phishing messages. E-mail messages should only come from the domain your customers know to be yours. Any e-mail links should be to organizations your customers recognize and trust. It’s also helpful to post a link on your website for customers to access, which will take them to these same tools in case they’re hesitant to follow the links in your e-mail messages.

Deena Coffman is CEO of IDT911 Consulting.

10 Questions Executives Should Be Asking About Data Security

The phone rings, and it’s your information security officer—or worse, law enforcement—with bad news. Your company appears to have experienced a data breach. Information that is protected by law or that belongs to a client has been found on the Internet. 

At this point, you are in one of three positions:

• Unprepared. You haven’t been paying attention to information security. You have not received reports, or if you have received them, you haven’t reviewed them.
• Shaky ground. You have received reports and briefings on the state of your security, and you have accepted the information at face value hoping your company’s information assets are secure.
• Ready. You have been briefed regularly on potential weaknesses, you know what your company has done to minimize points of exposure and you are able to answer confidently.

To get into this last category, ask the following questions of managers who are responsible for technology and operations:

To understand the points of impact, ask:

1. What would happen if you came into work tomorrow and couldn’t get to anything on your computer network? No access to email, client files, financial systems, or HR information?

To understand the probability of an event, as well as how your company’s attention to security may be perceived after an event, ask:

2. Do your employees receive training on how to identify and report a potential security incident? 

3. How do employees know to securely dispose of sensitive, protected or confidential information?

To understand your technical defenses, ask:

4. Where is the most valuable or sensitive information in the company?  Who can copy or tamper with that information? 

5. Do we use encryption to protect sensitive data on our network, on backup media, in databases and on mobile devices?

6. When I need to send sensitive information via email, how do I do that? (Hint: It isn’t by sending it via regular email. Everyday email is not secure.)

7. What were the results of our last incident response drill?

8. What logging/monitoring is in place? Can an intruder modify the logs? How long is log data retained and how quickly is it available during an incident response? The majority of data breach incidents remain unnoticed for three months or more, and the mean average time in 2012 was more than 200 days. Accessing log files quickly in an incident is critical to knowing what was and wasn’t exposed, as well as avoiding a “CNN moment” where the world is asking, “Why did they take so long to notify the victims?”

9. When did we last test the ability to restore from backup? It sounds simple, but you would be surprised to know in reality how many times a company has relied upon backup data only to find that the backup data can’t be restored. The daily warning message from the backup server is overlooked, or a false “successful” message is blindly trusted. Ensure that your IT department regularly restores more than a single file from the backup to test the efficacy.

10. Have you had a penetration test, information security audit or vulnerability assessment in the past year?

• Did it include your website, wireless networks and mobile devices?

• What recommendations that resulted from that exercise were implemented, and which are outstanding?
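Question 9 above describes the failure mode a restore drill has to catch: the backup job reports success, but what comes back is incomplete or corrupt. The following is an added example, not code from the original article or from IDT911 Consulting, of such a drill in Python: it builds a small constructed "production" directory (the file names and contents are invented sample data), archives it, restores it into a scratch location, and compares SHA-256 digests of every file, so the verdict depends on the restored contents rather than on the exit status of the restore command.

```python
"""Backup restore drill: prove that a backup can actually be restored.

Added example (not from the original article). It uses only the Python
standard library and constructed sample data, so it runs offline.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def digest_tree(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def make_backup(source: Path, archive: Path) -> None:
    """Write a gzip-compressed tar archive of the whole source tree."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")


def restore_backup(archive: Path, dest: Path) -> None:
    """Extract the archive into dest, refusing path-traversal entries
    where the interpreter supports extraction filters (Python >= 3.12
    and backports); older interpreters fall back to a plain extract."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")
        except TypeError:
            tar.extractall(dest)


def verify_restore(expected: dict, restored_root: Path) -> dict:
    """Compare the restored tree with the digests taken before backup.

    Returns a report listing missing, corrupted and unexpected files;
    'ok' is True only when all three lists are empty.
    """
    actual = digest_tree(restored_root)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    corrupted = sorted(p for p in expected
                       if p in actual and actual[p] != expected[p])
    return {"ok": not (missing or extra or corrupted),
            "missing": missing, "corrupted": corrupted, "extra": extra}


def run_drill(tamper: bool = False) -> dict:
    """Run a complete drill on constructed data.

    tamper=True simulates the case the article warns about: the restore
    step finishes without error but one restored file is garbage.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "prod"                      # constructed sample tree
        (source / "hr").mkdir(parents=True)
        (source / "hr" / "payroll.csv").write_text("emp_id,amount\n1001,4200\n")
        (source / "clients.db").write_bytes(os.urandom(4096))
        expected = digest_tree(source)             # baseline taken before backup

        archive = tmp / "nightly.tar.gz"
        make_backup(source, archive)

        restored = tmp / "restore_test"
        restored.mkdir()
        restore_backup(archive, restored)
        if tamper:
            # Same file name and size, wrong bytes: a size check would miss this.
            (restored / "clients.db").write_bytes(b"\x00" * 4096)
        return verify_restore(expected, restored)


if __name__ == "__main__":
    print("clean restore:  ", run_drill())
    print("damaged restore:", run_drill(tamper=True))
```

In a real environment the baseline digests would be recorded at backup time and stored apart from the backup media, and the drill would restore to an isolated host; the point the code makes is that "restore succeeded" must be established by comparing contents, not by trusting the job's status message.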

If the answers you receive are not certain or leave more questions, ask again or ask someone else until you fully understand. After all, the media will be asking you. In the event of a data breach you’ll need to know the answers, and sooner is far better than later.
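Question 8 asks whether an intruder can modify the logs. One control that makes such modification detectable is a hash-chained log, where every record carries the SHA-256 of the record before it, so editing, deleting or reordering an earlier line invalidates everything after it. The following is an added example in Python, not code from the original article or from IDT911 Consulting; the log events, user names and addresses are constructed sample data.

```python
"""Tamper-evident log records via a SHA-256 hash chain.

Added example (not from the original article). Each record stores the
hash of its predecessor; verify_chain() walks the chain from the first
record and reports the index of the first record that no longer fits.
"""
import hashlib
import json

GENESIS = "0" * 64   # the 'previous hash' of the very first record


def _record_hash(prev_hash: str, entry: dict) -> str:
    # Canonical JSON so the same event always hashes identically.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_record(chain: list, entry: dict) -> dict:
    """Append an event to the chain, linking it to the previous record."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"prev": prev, "entry": entry, "hash": _record_hash(prev, entry)}
    chain.append(record)
    return record


def verify_chain(chain: list) -> tuple:
    """Return (True, None) if every link holds, else (False, bad_index).

    A record fails when its stored 'prev' is not the hash of the record
    before it, or when its own hash no longer matches its contents.
    """
    prev = GENESIS
    for index, record in enumerate(chain):
        if record["prev"] != prev:
            return False, index
        if _record_hash(prev, record["entry"]) != record["hash"]:
            return False, index
        prev = record["hash"]
    return True, None


def build_sample_chain() -> list:
    """Constructed sample events: a login, a data export and a logout."""
    events = [
        {"ts": "2014-06-01T08:12:03Z", "user": "jsmith", "event": "login",
         "src": "10.0.0.5"},
        {"ts": "2014-06-01T08:14:10Z", "user": "jsmith", "event": "export",
         "object": "clients.db"},
        {"ts": "2014-06-01T08:15:42Z", "user": "jsmith", "event": "logout"},
    ]
    chain = []
    for event in events:
        append_record(chain, event)
    return chain


if __name__ == "__main__":
    log = build_sample_chain()
    print("intact:", verify_chain(log))
    log[1]["entry"]["user"] = "admin"          # rewrite who ran the export
    print("after edit:", verify_chain(log))
    log = build_sample_chain()
    del log[1]                                 # drop the export record
    print("after deletion:", verify_chain(log))
```

The chain only proves that records were not altered after they were written; it does not stop an intruder who controls the logging host from truncating the tail. In practice the latest hash is shipped periodically to a separate system (or a write-once store) so that truncation is visible too, which is the same reason the article asks how quickly log data is available from somewhere the intruder cannot reach.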

Deena Coffman is chief executive officer of IDT911 Consulting.


Avoid These Six Common Breach Scenarios

By Deena Coffman

A short list of trigger events is responsible for a large percentage of data breaches. The majority of exposures can be greatly minimized by focusing first on these areas. Also, these scenarios are a good starting point for agents and carriers working in the information security and data protection sectors when discussing policyholders’ risks.


1. Lost and stolen devices. It’s a problem when a smartphone, laptop or tablet containing sensitive corporate and customer data is lost or stolen. Even more so when the device contains login credentials with access to the company’s stores of personally identifiable information (PII), protected health information (PHI) and other confidential data. Thieves used to be interested in the equipment itself, but today they’re more interested in the data the equipment houses.

2. Mis-mailings. It’s all too easy for companies to send an individual’s personal information to the wrong person by email or slow mail. It often happens when delivering invoices, account statements and appointment reminders. For a mass mailing, if the labels and contents of the envelopes are off by even just one record, the organization could be looking at a wide-scale data breach.

3. Hacking. One lesson learned from the breaches at Target, Michaels, and P.F. Chang’s? External threats are more prevalent than ever. Some hackers focus on specific companies while others look for systems with easy access. Internal dangers lurk here, too. Employees who are disgruntled or vulnerable, who have access to sensitive data, may use it for financial gain or to retaliate against the company or a coworker.

4. Backup malfunctions. Cloud backup services open another door for lost or exposed data if the vendor suffers any type of breach. Even companies using onsite backup appliances and conventional tape backups run the risk of a breach if the network is compromised or the tape’s chain of custody comes into question.

5. Third-party vendor breaches. Organizations routinely work with outside providers. Two commonly outsourced functions—payroll and benefits management—by their very nature hold PII. If one of those vendors suffers a data breach, the ripple effects throughout their client base can be devastating to your entire employee base and pose a system-wide risk.

6. Improper data disposal. Vast amounts of data are being generated today. Properly disposing of this information once it’s no longer needed has become a security weakness all its own. Be sure to have a secure disposal program so that medical records, old account information and other data don’t find their way into the Dumpsters.

For data security consultation or if your business has experienced a breach, please visit IDT911Consulting.com or call 1-866-296-1755. IDT911 Consulting experts provide practical solutions to help businesses avert, prepare for and respond to a data loss incident.

Deena Coffman is chief executive officer for IDT911 Consulting.

5 Ways to Keep Your Office Copier Data Safe

When it comes to your business security, the office photocopier may be the last thing that comes to mind. But today’s machines are networked, multi-functioning devices that can print, copy, scan, fax and email. They hold a treasure trove of sensitive data—Social Security numbers, health records, account numbers and more that, in the wrong hands, can lead to identity theft and fraud. Also, copiers are often leased, returned and then re-leased or sold, putting businesses at a greater risk of a data breach.

Consider one company’s recent data security nightmare: The business returned its copier to a leasing company that failed to erase the machine’s memory before reselling it to a news organization. The news organization discovered the personally identifiable information of hundreds of individuals and produced a news story about the incident. The company faced a potential breach of federal privacy laws, but was able to recover from the incident with help from IDT911.

Businesses can protect themselves—and their company’s and customer’s sensitive and confidential data—by including copiers in their information security plan. Follow these tips to safeguard information:

1. Educate yourself and your employees about copier risks. Be aware of the information stored on the device and the risk if that data is stolen or the device is lost. Limit storage of sensitive private and corporate data on such devices.

2. Assign responsibility. Make sure copiers are managed and maintained by your company’s IT or information security team. Employees who secure company computers and servers also should secure the data contained in the copiers.

3. Research and use your copier’s security features or buy the extra security capabilities. Many copier companies—whether they sell or lease the copier—offer disk overwrite or disk erase features that ensure each new document copy overwrites the previous one. Some copiers have built-in data encryption capabilities that aren’t activated or used. Additionally, many copier companies sell such encryption capabilities for their copiers that may prove to be a good value.

4. Secure data before returning or disposing of a copier. Review your options for securing the hard drive or internal memory with the copier manufacturer, dealer or servicing company. Some companies may handle data disposal for you. If returning the copier to a leasing company, use easily available software to sanitize or “wipe clean” the hard drive and document the sanitization process.

5. Consider compliance responsibilities. Your business may be required to follow specific compliance obligations depending on the information it stores, transmits and receives. Financial institutions, for example, must follow the Gramm-Leach-Bliley Safeguards Rule for protecting personal data held on computer equipment, which includes copiers. Make sure you’re aware of state, federal and international requirements.

Case Study: Thieves Use Stolen Identity for Retail Therapy

Katie Smith* was living an upright life—working for a large manufacturer, saving for retirement and being a good neighbor—when she received a voicemail from Kohl’s department store about activity on her newly opened account.

The only problem was she didn’t have a Kohl’s credit card. Someone had used her Social Security number, date of birth and address to open an account there and at 14 other retail stores, ultimately running up $18,000 in fraudulent charges in her name. The news left her reeling.

“I thought I was going to be sick on the spot,” Smith said. “You feel vulnerable. It’s not like they stole my car. They stole my identity—and I didn’t realize it for weeks.” Even though she’d been careful—shredding her mail and using different complex passwords for each of her accounts—somehow someone was able to get ahold of her personal information.

Katie called her insurance agent who had recently added identity theft coverage from IDT911 to her homeowner’s policy. “When I found out the annual coverage for identity theft was less than what it cost for one Friday night dinner, I thought ‘Why not?’—after all, anything could happen.” And, it did.

A claims representative connected her to an IDT911 fraud investigator, Maria Valenzuela, who immediately began working on Smith’s case.

“Maria was reassuring from the start,” Katie explained. “We looked at my credit report together, and I saw all of the places where they . . . were trying to open accounts.” Without IDT911 as an ally, Katie said she would have been lost.

“When I looked at the credit reports, I couldn’t identify the places I needed to call,” Katie said. “Maria knew who to call, which company was represented by each code, and she had all of the numbers.” Even with all the contact information, Maria and Katie together spent three and a half hours that first day reporting the fraudulent charges to the companies.

Additionally, Maria tracked which companies had sent Smith affidavits, which are sworn declarations by Katie that she is not responsible for the charges. Maria also:

• Tracked when signed affidavits were returned and followed up with creditors to track the progress and resolution of each investigation.

• Removed erroneous information from Katie’s credit reports.

• Updated Smith on next steps, when she’d call back and consistently followed through.

In the five months that followed the initial report to IDT911, Katie found things didn’t go smoothly even after doing everything right: “There were times we had to pull out tracking numbers to prove that we’d sent the affidavits in. One bureau said that I didn’t have any inquiries, and then they said I did have an inquiry that I didn’t respond to. It was crazy. If you don’t have someone like Maria tracking every communication and every document, I don’t know how you’d do it.”

Throughout it all, Katie found that Maria supported her emotionally and professionally. After working closely with Maria for five months, there were only two inquiries that still needed to be removed from one bureau. “Going through the process, you don’t realize how draining it is,” she said. “Maria kept everything moving forward. Without her follow-up, professionalism—if I had to do this on my own—I know that I wouldn’t have things wrapped up by now. I know that I wouldn’t be where I am today without IDT911. You want to have IDT911 on your side.”

* Names have been changed to protect customer privacy.

How HR Can Safeguard PHI

By Deena Coffman

Human resource departments are collecting a growing amount of protected health information (PHI) on employees and their dependents for health benefits on a daily basis. Yet many of them are unaware of the risks associated with managing so much accumulated sensitive data.

It’s important for HR departments to ensure the PHI entrusted to them is adequately safeguarded from the moment it is received, through processing, storage, and finally to disposition. To achieve this, HR teams need a thorough understanding of where PHI exists, the security risks to sensitive information and data protection obligations.

Regulations Covering PHI

HR professionals may not receive the training they need on legal requirements under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. To avoid overlooking important data protection requirements, HR staff should review the HIPAA Security Rule, which offers important guidance for individuals in roles that administer requirements related to privacy, security and breach notification. Compliance advice such as the “Minimum Necessary” guidelines and other aspects of these regulations can all help HR groups navigate what is required of them.

Identifying Information Assets in the Form of PHI

To protect sensitive information, companies must identify how the information is received, where it is located, who has access to it and how long it is retained. Once those factors are known, a plan can be developed for protecting and securely disposing of the information after retention periods expire. A data inventory is a foundational step in developing a data privacy framework. In some environments, a HIPAA risk assessment may also be needed.

Risk Assessment

A risk assessment will help HR groups understand which security measures and practices may already be in use, which may be available but not routinely utilized, and which can be added to improve the department’s security posture. An assessment also helps identify whether vendors have weak security protocols that could impact data privacy.

Third-Party Vendor Risk

To manage third-party data breach exposure, HR departments will want to work with procurement, security and legal departments to vet all third-party vendors with access to systems or sensitive information and to implement contractual language that provides requirements for secure data handling as well as responsibilities in the event of a security incident.

Security Strategies

Companies need to focus not only on deliberate, targeted attacks, but also on accidental exposures caused by carelessness or a lack of training. Lost laptops and smartphones, a problem that has reached epic proportions, are a leading cause of data breaches. Simple measures taken by HR departments can greatly reduce the probability of an opportunistic attack being successful. They include requiring the use of strong passwords, encrypting sensitive data, and installing and keeping updated antivirus and antimalware software. These simple practices can be highly effective, especially when accompanied by policies that are communicated to employees in training and awareness programs.

Mitigating Risks

The next step in improving security and properly protecting PHI is the development of a written information security plan (WISP). This is a plan that pulls together all the data protection protocols and practices the organization uses. Employee training programs, acceptable use policies and protocols on securing communications should be included to ensure that a cohesive picture of the organization’s security posture is established and communicated.

Devising a plan to deal with data exposures is also recommended. Often called an incident response plan (IRP) or a data breach response plan, this document is designed to outline the steps that HR, as part of a breach response team, will take if a security event, a security incident and/or a data breach occurs. By proactively planning responses to an exposure, HR and other departments will be in a position to act quickly and limit the damage from a data breach. This plan will also facilitate alerting the proper agencies if HIPAA-protected data has been exposed. Practicing the plan will raise security awareness and become an ongoing risk-reduction exercise.

Coordinating Internal Operations

A compliance program requires the coordinated efforts of internal groups. This holds true for HR teams grappling with the proper handling of PHI. First, executives from the C-suite down must be on board as support for the program—and the allocation of the necessary resources to implement it—is crucial to success. A top-down approach sends a message that the organization is serious about the initiative and that compliance is not optional.

The information security group, if one exists, will also need to be part of the team. Informing IT of the existence of protected data, as well as the specific requirements for protecting it, allows the IT department to select and implement the technology tools that will meet those requirements while tending to productivity and cost.

Together, this multiprong approach will help to ensure HR departments are meeting any compliance obligations that may exist under HIPAA. They will be better equipped to securely manage the day-to-day processing of PHI, as well as its long-term retention and destruction. Workers with access to sensitive data will have a deeper understanding of their responsibilities as part of the organization’s overall privacy policy, and they will also be able to respond more quickly if they suspect the department’s PHI files have been exposed.

For data security consultation or if your business has experienced a breach, please visit IDT911Consulting.com or call 1-866-296-1755. IDT911 Consulting experts provide practical solutions to help businesses avert, prepare for and respond to a data loss incident.

Deena Coffman is CEO of IDT911 Consulting.

School Year Poses Identity Theft Concern?

For parents across the country, registering their children for preschool, kindergarten or a new school system is a necessary part of making sure those kids get the education they need. But at the same time, doing so might also pose a significant problem when it comes to protecting their personal information.

Many school registration forms require parents to turn over large amounts of private and sensitive data about their children, which in turn poses an identity theft threat, according to a report from the Christian Science Monitor. The required information and associated documents can include everything from their names and dates of birth to their Social Security numbers and even copies of their birth certificates.

All that information could therefore fall into the wrong hands if the school to which it is being turned over does not take all precautions to completely protect it, the report said. For this reason, the U.S. Federal Trade Commission recently took the time to warn parents about all documents their kids' schools make them fill out, including registrations, permission slips, health forms and student directories. This is because a large number of cases of identity theft are the result of a rogue employee stealing data.

In fact, a study from Carnegie Mellon University conducted last year found that more than 10 percent of all children had someone else using their Social Security number, the report said. When compared with the same statistic for adults, the rate is 50 times larger. Child victims who are affected by these crimes can be just about any age - the youngest ever was just five months old - and their data can be used to obtain everything from a credit card, mortgage or auto loan, to jobs and official government documents like drivers' licenses.

Identity theft involving children is often problematic because in many cases it may take several years or more for victims or their parents to realize they've been affected by such a crime, because there's no reason for anyone under the age of 18 to have a credit report in their own name at all.

Matt Cullina, the chief executive officer for Identity Theft 911, has a blog about the ways in which children can be affected by this type of fraud.

Case Study: Identity Theft Hits Too Close to Home for Seniors

Eileen and Laurence Cashman carefully planned their retirement, securing an affordable apartment in a building for seniors where they’d have the support they needed in their twilight years.

They didn’t know their home address would make them more vulnerable to identity thieves who prey on the elderly. A temporary, state-paid employee who was working in their building stole their Social Security numbers and used them to open email and online Social Security accounts, view their bank account balances, and access their life insurance—all without their consent.

“I was astounded when I found out,” said Eileen Cashman, who serves as guardian for her husband, who is recovering from a stroke. “I felt very violated.”

Cashman immediately contacted the police. Then, she remembered her auto insurance provided identity management services with IDT911. An IDT911 fraud investigator was assigned to help the Cashmans until their case was fully resolved.

The investigator took immediate steps to protect the couple’s identity and credit by:

•    Placing fraud alerts on their files with all three major credit bureaus
•    Filing an identity theft affidavit with the Federal Trade Commission
•    Requesting the IRS place a tax marker—an identity protection indicator—on their tax accounts, and
•    Providing ongoing monitoring of their credit files and accounts.

“The investigator notified credit bureaus right away. I had no idea how to do that,” Cashman said.

Though no immediate fraud was detected, the couple could be vulnerable to many kinds of fraud—from the opening of new credit lines to government benefits theft—that can destabilize their livelihood.

“That one person could change your whole life,” Cashman said. “She could just redirect the Social Security (direct) deposit. If I can’t protect my Social Security check, what can I protect? Everything else is easy to get at.”

Seniors are often the target of scams and fraud because they often have nest eggs, are less computer savvy, and are more trusting of people, said Brett Montgomery, IDT911’s fraud operations manager. According to AARP, they account for roughly half of all scam victims.

And government documents and benefits fraud is one of the most common forms of identity theft, comprising 34 percent of complaints reported to the Federal Trade Commission, according to its annual Consumer Sentinel report. The FTC also estimates that about 20 percent of identity theft victims are age 60 or older.

The Cashmans are grateful for the identity protection and support they’ve received from IDT911 because it will help them remain vigilant and stay ahead of identity fraud.

Cashman plans to alert more agencies, including the federal housing authorities, and keep warning others. She even has driven a few neighbors to the Social Security Administration office to help them block online access to their accounts.

“When we looked to rent, we gave (the landlord) copies of our whole lives. We trusted them to handle our information and respected their ability to use the information properly,” she said. “It floors me, what they did.”

6 Reasons Why Changes to Rhode Island's Breach Laws Won't Work

By Eduard Goodman

The main reason why? Legislators are asking for a 14-day notification timeframe, but that can lead to a number of problems. Responding to a breach is complicated. Organizations first need to determine if a breach actually happened, identify who was impacted, what information was exposed—and by what methods—and then determine the harm that was done.

Rushing that process can lead to these headaches:

1.    Multiple notifications will confuse consumers. Companies most likely won’t be able to get all the information they need for a notification in two weeks. They’ll be forced to provide initial notification quickly, and they will then be compelled to follow up with additional details as more information comes to light. This over-reporting provides little benefit to consumers. Instead, they’re apt to find themselves confused and upset.

2.    Communications may be sent to the wrong address. Depending on the nature of the business and the age of the breached data, the organization may not have time to confirm it has the right contact information for the affected parties before the notification clock runs out. Sending notifications to the wrong physical or electronic address will only further bungle any breach response.

3.    Required credit bureau notification may amount to wasted effort. Proposed new language also requires businesses to notify the credit bureaus after a breach, but this is an outdated concept that often does nothing more than generate more work for the breached organization and leave consumers open to marketing contacts. If Social Security numbers (SSN) or other specific data sets haven’t been exposed, then notifying the credit bureaus provides little benefit.

4.    Suggested standard language may not apply in all breach situations. Standard language is being suggested for notification letters, but different breach types render some of the universally required language unnecessary. The advice contained in each letter should relate to the specific data types that were compromised, such as payment card numbers, email addresses, medical information, etc.

5.    Limited notification is bad for consumers. The revised regulations also call for notification only when names are exposed in conjunction with another type of data, such as SSNs or account numbers. But a compromised SSN can be damaging in and of itself. The name is just a bonus. In today’s world, the risk of fraud exists even when only a single piece of data is released.

6.    Electronic notification is problematic. Consumers may think an email offering credit monitoring or other services is spam or a scam. This is especially true in the case of organizations that typically communicate with customers via snail mail, such as utility companies. Emailed messages could also end up in consumers’ junk box without them ever knowing they existed. Instead, the regulations should stipulate that notice be based on the method most likely to actually reach consumers based on the prior relationship.

The proposed amendment’s impact on the business community must also be considered in light of its impact on the public. Adding unnecessary costs may leave fewer resources available for the business to support consumers. The more a business must put towards meeting overly stringent timing guidelines thought up by academics and politicians, the less it will have to spend on affected consumers like you and me and on preventing future incidents from occurring.

Eduard Goodman is chief privacy officer at IDT911.

Insurance Professional Navigates Tax Fraud Nightmare

Tax fraud happens all the time. And without the right resources at your back, it can be a nightmare. Just ask Melissa Richardson.

When Richardson e-filed her 2013 tax return through a popular online service, she received an “already filed” message and was confused. “I thought there is no way anybody would steal my identity. I’m just a normal middle-class person and you think that would happen to people with a lot of money and assets,” explains Richardson. Unfortunately, she was wrong. Identity thieves focus on personal information, not income.

Richardson’s first response was a logical one: call the IRS and straighten it out. But she quickly realized she was going to be caught in a growing web of red tape. “I probably spent 10 to 15 hours on the phone trying to get through to the IRS to understand what to do,” she says. Even after following directions, she wasn’t getting responses after more than 60 days, and her $1,100 federal refund still wasn’t on the radar.

Fortunately, Richardson remembered that she had a free IDT911 policy through her employer, so she contacted IDT911 for help.

Richardson found the very first call to be a relief. “With the IRS, I kept getting conflicting answers, depending on who I talked to. But my IDT911 fraud investigator, Juli Kennedy, knew exactly what to do,” says Richardson. Kennedy immediately took steps to secure Richardson’s identity and credit by:

•    Calling the three major credit bureaus to place fraud alerts on Richardson’s credit files.
•    Clarifying how to handle the process with the IRS and explaining the importance of keeping copies of everything she sent to them. “I was so upset about the situation, I hadn’t even thought about a lot of this stuff,” says Richardson.

Richardson says that having an advocate on her side made a huge difference in the end: “Juli would just call to see how things were going and let me vent. It saved me a lot of time instead of trying to figure things out myself,” explains Richardson.

In the end, Richardson received her federal tax refund in less than a year after detecting the fraud, which is faster than average. As to what actually happened, Richardson still doesn’t have a clear picture.

“The IRS would only tell me that someone from Miami used my maiden name, Social Security number and an old address, along with some made-up information, to get a tax refund,” Richardson explains. “It’s sad it happened, but it was great to have IDT911 there for me throughout this scary process. It could have been a lot worse.”

Savvy Financial Advisor Falls Victim to Identity Theft

Having worked in the financial industry for 31 years, Jay Smith* thought he knew how to protect himself against identity theft. But when identity thieves began rapidly opening new accounts the day after Christmas in 2014, he soon realized he was going to need help.

“It started with an email from one of my credit card companies advising me that several attempts were made for a $3,000 charge,” explains Smith. “That same morning, my bank sent an email informing me of a new account. And while I was in the car on the way to the bank, a department store representative called to ask if I had recently made a purchase on my previously inactive card.”

That was only the beginning. As Smith sat with his bank’s branch manager, he saw that the hackers had transferred over $80,000 from his valid accounts to five newly established fraudulent checking accounts. Smith also discovered that the hackers had changed his account contact information, and had even set up a Western Union account on his bank's bill pay system as a means of attempting to siphon funds from his bank account. Moreover, a multitude of other credit cards, credit unions, pre-pay cards and discount brokerage firms were pinging the new accounts.

Smith quickly sprang into action. He had his bank transfer his money back to his accounts. He also contacted the three major credit agencies and froze his credit. But the thieves did not give up, so Smith finally decided to move all of his funds to his own brokerage firm for safekeeping. Still the problems didn’t stop. “I was learning about more and more fraudulent accounts,” Smith explains. “Every time I knocked one down another would pop up—and each issue required hours on the telephone. It was incredibly frustrating.”

That’s when Smith remembered his homeowner policy included an identity theft rider. Smith called his agent, who put him in contact with a fraud investigator at IDT911.

Smith quickly recognized the value of his IDT911 advisor. “I knew I needed to make sure all of the fraudulent accounts were identified, closed and removed from my credit files,” he explains. “She got to work immediately and explained the key steps in the resolution process.” Given the scope of the fraud against Smith there was a lot to do, including:

•    Completing identity theft affidavits
•    Notifying the Federal Trade Commission and IRS of the theft
•    Reviewing current credit reports from the credit monitoring agencies and ChexSystems to identify every piece of fraud for dispute

Smith also enrolled in the IDT911 credit monitoring service for an extra layer of protection. With the help of his IDT911 fraud investigator, Smith now has the fraud under control, and he couldn’t be more relieved. “Each time a new problem was discovered she was ready on her direct line to help me,” Smith explains. “I have a lot more peace of mind knowing that I have a fraud expert on my side to help me every step of the way.”

* Identifying details have been changed to protect the victim’s privacy.

5 Habits of Highly Successful CISOs

By Deena Coffman

Businesses of all sizes—from international corporations to local coffee shops—must concern themselves with data privacy. Curious about your company’s security posture? See if you’re following these best practices that keep businesses secure.

1. Properly train employees. It’s important for businesses to provide training that includes instruction for newly hired employees. The program should make them aware of the company’s privacy policy, educate them on data security best practices, and ensure they know what to do and where to turn if they suspect a breach has occurred. It also should provide for refresher courses for existing staff. Reminder messages delivered via email, newsletter, posters and campaigns will increase employee compliance with your recommended privacy protocols while also keeping everyone up to date on the latest data security threats.

2. Plan for a security incident. The worst time to discover your breach response plan isn’t up to par is when you’re in the middle of trying to respond to an actual breach. If your small business doesn’t make the effort to wring out the bumps in its security plan ahead of time, you risk delays in getting the situation handled. It’s also a recipe for bungling your public response to any security concerns, which can hurt your brand’s reputation for months or years to come. Every small business should have at least a simple framework in place that outlines the steps that must be taken if a data breach or other security event occurs.

3. Don’t expect IT to cover security. Information technology and information security provide two distinct, yet related functions. IT is responsible for finding technology tools that work well and that employees find useful. Security is responsible for data protection. As an analogy, IT is like the architect and builder of a house, and information security would be responsible for adding locks to doors, installing an alarm system, monitoring the alarm system, etc. The IT team should work alongside other departments and experts who specialize in information security and risk management. This will give your small business a holistic view on data privacy risks and the best strategies to mitigate them.

4. Test your security. Even when a small business puts in the work needed to implement a robust data privacy strategy, it’s surprising how few follow through with some real-world testing. Steps such as conducting penetration testing, vulnerability assessments and risk evaluations of your small business’s security measures can reveal critical vulnerabilities. You may discover there are otherwise reliable software platforms with out-of-date patches or updates that have now turned against you. Or it could be revealed that the settings for components within your network are creating unexpected security gaps. There’s almost no way to know about these issues without testing your company’s security measures.

5. Consider vendor security issues. Most small businesses have a handful of vendors that provide important support. If these vendors don’t have strong security practices and protocols in place, then the hard work your team is doing to protect its data can be quickly rendered ineffective.

Begin by discussing data privacy with existing vendors. Work with them to ensure there are no weaknesses where your systems connect, and confirm their employees have been trained in current security best practices. In addition, language in contracts and service agreements should require external partners to maintain appropriate security levels and to notify you immediately if they experience a breach.

Deena Coffman is chief executive officer of IDT911 Consulting.