Security Precautions to Take Following Citibank’s Second Reported Online Breach

 

Updated Feb. 4, 2012 

Citibank’s acknowledgment that private information of 360,083 North American Citigroup credit card accounts was stolen by hackers, which affected 210,000 customers, serves as a warning for all businesses and consumers to take precautionary steps.

The bank’s May, 2011 security breach wasn’t reported until weeks later. Originally, Citibank said 200,000 accounts were affected.

None of the reports I found pointed out that it was Citibank’s second reported major security issue in just 18 months. Soon after the bank’s first breach was reported, it seemed as though the security issue was buried. There weren’t any follow-up reports.

That’s when I wrote the column, How to Protect Yourself from the Internet Crime Wave, quoting Dr. Stan Stahl, a nationally known security expert based in Los Angeles.

Over the years, Dr. Stahl has been a valuable resource – some of the most-widely read Biz Coach columns have included his expert opinions, especially these three columns:

Our Mobile-Banking Warnings about Security Prove Prophetic

Using Starbucks’ WIFI? Security Pro Issues Warning and Security Checklist

5 Safety Measures to Thwart Mounting Social-Network Attacks

A security expert I’m not, but I’ve learned from Dr. Stahl’s valuable insights.

In addition to the tips in the above columns – whether you’re a Citibank customer or not – I’d suggest immediately taking these defensive computer measures:

1. Change all log-in information. That means all banking, retail credit card and e-mail passwords and information.
2. Make certain that you don’t use the same password twice.
3. Install adequate firewall and anti-virus protection on your computer.
4. To limit your exposure, use the same computer for your financial information. Never use it for social media networking.
5. Review all privacy and policy information.
6. Avoid using your debit card online. At least personal credit cards offer liability protection under federal regulation. But business banking is not federally protected – it’s left up to individual banks, so check your bank’s policies regarding your company’s accounts.
7. Don’t conduct financial transactions over WIFI.
8. Don’t do mobile banking.
9. If you get an e-mail allegedly from your financial institution, act like an all-pro football defensive end. Prevent an end run. Assume it’s a fraud. If you must communicate with your financial institution, make a telephone call or a personal visit.
10. When doing your online banking, be sure to type in the financial institution’s Web address in your browser.
11. Regarding the security questions, be creative and don’t list the right answer, which might be obvious to any hacker who learned about your personal situation.
12. Check your financial accounts daily.
13. If your account is compromised, quickly take appropriate action.

For your company’s management controls, Dr. Stahl has previously recommended taking six precautions:

1. Don’t allow your employees to use your computers in social networking.
2. Establish a list of allowable web-sites.
3. Closely monitor your bank account.
4. Train employees in social engineering awareness.
5. Change the mindset of your managers and employees – if something seems odd, say no and call for Internet security.
6. Strengthen your defenses.

Cybercriminals, I’m sad to say, are here to stay. Do your due diligence.

(Note: Dr. Stahl and I are fellow members of Consultants West, www.consultantswest.com, a roundtable of veteran management consultants.)

From the Coach’s Corner, here’s Dr. Stahl’s cyber security blog and his Web site.

“In a world in which the total of human knowledge is doubling about every ten years, our security can rest only on our ability to learn.”

- Nathaniel Branden

 

__________

Columnist Terry Corbell is also a business-performance consultant and profit professional. Click here to see his management services (many are available online). For a complimentary chat about your business situation or to schedule Terry Corbell as a speaker, why don’t you contact himtoday?

 

Is It Time to Educate CEOs about Threats from Cybercrime?

 

Updated Jan. 3, 2012

The movement to persuade senior executives on cyber-security dangers is slowly growing.

Indeed, two business professors – University of Virginia’s Tim Laseter and Dartmouth’s Eric Johnson – argue there’s “A Better Way to Battle Malware.” They successfully argue in the lengthy article that senior executives could implement production quality controls to conquer cyber security issues.

Indeed, there’s plenty of evidence that cybercriminal activity is flourishing. Every week we see the headlines about newly discovered sinistere events. But USA Today first reported in 2010 that many CEOs have been unaware about the dangers to their firms when it comes to Internet security.

Eighty-one percent of information-technology professionals believed that their companies’ senior managers still do not comprehend the need to take proactive steps to ward off security threats.

That’s according to a study of nearly 591 of IT pros. It was conducted by the Ponemon Institute for NetWitness. Not only did it involve opinions about CEOs, the same fears were attributed to a lack of understanding by government agencies.

In addition to the 81 percent concerning senior executives, the study reports other red flags:

• 83 percent indicated their organization has been a recent target of advanced threats
• 41 percent said they were frequently attacked

So, it’s time to check with go-to security expert Dr. Stan Stahl. Is it really possible that senior executives don’t fully comprehend IT security dangers?

“Our experience confirms the validity of these statistics,” believes Dr. Stahl. “The cybercrime problem is only going to get worse as more and more small and medium size businesses fall victim to online bank fraud.”

Commenting in his blog, Dr. Stahl is a widely known pioneer and consultant in security and the prevention of identity theft. He is the expert on Federal Trade Commission rules under the Gramm Leach Bliley Act governing non-public personal information by financial institutions. He is also president of the Los Angeles chapter of the Information Systems Security Association, a nonprofit, international organization of information-security professionals and practitioners.

“The biggest challenge we see is helping the men and women who have to dedicate resources (people or money) understand (1) why they need to improve the security of their information systems, (2) the basic steps involved in improving systems security, and (3) the ancillary competitive benefits they can get from improved information systems security management,” he writes.

Indeed, the study also indicates 44 percent of attacks result in the theft of confidential information, and 45 percent of the cyber strikes result specifically in the “theft of intellectual property.”

“It’s to meet this challenge that we in the Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) have embarked on an aggressive Community Outreach Program”, writes Dr Stahl. “Our objective is nothing less than to raise information security awareness.”

Of course, the association has local chapters in multiple cities; see www.issa.org.

Yes, it’s disappointing to know that senior executives are still in the dark. But IT pros can solve this problem. Here’s more: How CIOs Can Get More Respect in the C-Suite.

From the Coach’s Corner, this portal’s Tech section contains many Biz Coach articles on cybersecurity with solutions from Dr. Stahl. (Note: I’m very familiar with Dr. Stahl’s expertise as we’re both members of Consultants West, www.consultantswest.com.)

For more on Dr. Stahl, see his Web site and his blog.

“Distrust and caution are the parents of security.”
-Benjamin Franklin

 __________

Author Terry Corbell has written innumerable online business-enhancement articles, and is a business-performance consultant and profit professional. Click here to see his management services. For a complimentary chat about your business situation or to schedule him as a speaker, consultant or author, please contact Terry.

 

How China-Google Controversy Might Affect Business, Government Security

 

Updated 6:50 p.m. April 20, 2010

The security issue between China and Google appears to be taking on new ramifications – threatening proprietary information for business and government agencies, if they do business with the giant search engine.

When Google was hacked last year by cybercriminals in China, they stole a computer program that managed access to Google’s programs, according to a New York Times article Monday. In the past, Google has denied hackers were able to access personal information from Gmail accounts, but the search engine did not respond to The New York Times report.

“As the story makes clear, businesses considering cloud services like those offered by Google, Amazon and others must ‘look before they leap’,” warns Internet security expert Stan Stahl, Ph.D., Citadel Information Group, Inc. (www.citadel-information.com).

“While it’s probably obvious to look at the security provided by the cloud provider, less obvious is that the business needs to also look at that part of security that will still be its responsibility, the part of security that the cloud service provider isn’t providing,” says Dr. Stahl, as the go-to security authority.

“Security can never be a matter of looking at ‘this’ or ‘that.’ Security must always be about looking at ‘this’ and ‘that’,” he adds.

As a management consultant, I wonder about two other questions:  What about the privacy of Google’s services and business and government agencies? Is the threat to Google’s business model more severe than first thought?

Google’s services for the private and public sectors are not limited to the following but they include:

•  AdSense is a platform for publishers to generate income by displaying a bevy of click-through advertisements, but Google requires sensitive information in order for publishers to receive payment. Google’s AdSense automatically inserts display and text ads, which are frequently changed.
• Google Analytics is a service that helps Web site owners to understand how they’re faring with visitors , such as how they reach your Web site and what they visit.
• AdWords is a sponsored links section. It’s the largest service of its kind and Google has the No. 1 market share.
• Merchant Center uploads product listings in for use in a variety of ways. They include AdWords ads, Google Search, Google Product Search, and Google Commerce Search.
• Checkout helps businesses increase sales by selling online.
• Website Optimizer, with access to sites, tests content in order for publishers to optimize the conversion rates of their visitors.

There are other Google services, but you get the idea.

The news article provided more alleged details that include Google’s “Gaia.” That’s Google’s stolen password system. Gaia is the Greek mythological goddess of earth. Gaia managed the entry to its services for the private and public sectors.

For more of the report’s details, see: Cyberattack on Google Said to Hit Password System

If The New York Times article is accurate, and my Biz Coach sense is that it is, businesses and public agencies doing business with Google might want to consider a security-needs assessment by a qualified expert. This is also a bigger threat to Google’s business model than we first believed. Google deserves support on this security issue.

(Disclosure: This site published Google public service messages.)

From the Coach’s Corner, in a new related development, BusinessWeek reports government criticism of Google in this article: Google Is Neglecting Online Privacy, Authorities Say

Also, worth reviewing are two Biz Coach columns regarding Internet security:

How to Protect Yourself from the Internet Crime Wave

Business 101 Lessons: Google vs. China’s Censors, Cybercriminals