Internet Criminals to Pose Bigger Threat than Terrorists – FBI

 

Feb. 4, 2012

The U.S. government along with state and local agencies, businesses and consumers should all heed ominous testimony before Congress. FBI Director Robert Mueller warned “the cyber threat will equal or surpass the threat from counter terrorism in the foreseeable future.”

That was his message to the U.S. House Permanent Select Committee on Intelligence last week in discussing the importance of the Internet.

“The theft of intellectual property, the theft of research and development, the theft of the plans and programs of a corporation for the future, of all which are vulnerable to being exploited by attackers,” Mr. Mueller testified.

Mr. Mueller warned it’s imperative for the FBI and federal government to get more proficient in analyzing, gathering and sharing information. He also requested appropriate legislation.

Indeed, we see proof of his admonition in news headlines almost daily, which has prompted countless Biz Coach columns about cyber attacks with tips for Internet security.

The most-read Biz Coach topic of all time quoted Dr. Stan Stahl, a nationally recognized security expert, in “Using Starbucks’ WIFI? Security Pro Issues Warning and Security Checklist.” Also highly read is “Our Mobile-Banking Warnings about Security Prove Prophetic.”

“In the last several weeks, we’ve seen successful distributed denial of service (DDoS) attacks against banks, governments, law enforcement and the entertainment industry,” said Dr. Stahl in Los Angeles.

Don’t forget about healthcare. It’s vital to understand why many healthcare workers are responsible for an alarming trend: Medical ID theft. Here’s a lesson about passwords after the theft of 16,000+ UCLA patient records.

“We’ve seen Israeli and Palestinian cyber-vigilantes launch DDoS attacks against each other’s web sites,” he explained.

“What happens when radical organizations discover they can launch a DDoS attack against their enemies?” he asked. “We should not be surprised to see the Internet become a battleground in America’s culture wars.”

Key questions

Dr. Stahl recommends that all organizations answer four key questions:

  1. Are we gathering the information we need to understand our cyber threat and the quality of our cyber defenses?
  2. Are we effectively analyzing this information, using it to better secure our information?
  3. Are we sharing it with the necessary parties?
  4. In particular, is management getting the information they need to proactively manage information risk?

“One highly critical defensive measure, for example, is to rigorously keep software patched,” he added. “One of the easiest ways for a cyber criminal to take control of a computer is to exploit a vulnerability in unpatched software.”

Dr. Stahl’s firm, Citadel Information Group, is regularly asked to help businesses.

“Patching needs to be on the weekly must-do list of every IT department and IT vendor,” he explained. “Yet, when we assess the patch levels of organizations, we are not surprised to often see more than 100 unpatched vulnerabilities on desktops.”

Questions for IT departments

To information technology departments, he poses these five questions:

  1. Does IT gather vulnerability information?
  2. Do they analyze it, taking appropriate action to keep vulnerabilities to a minimum?
  3. Is it shared with senior management?
  4. Does senior management know that IT must patch vulnerabilities to comply with laws like HIPAA HITECH or contractual obligations like the payment card industry’s data security standard?
  5. Does senior management regularly monitor “weekly vulnerability trends?”

“Human nature being what it is, cyber crime and hacktivism will likely get worse before things get better,” he concluded. “While we can hope to avoid cybergeddon, we also have to remember that hope is not a strategy.”

Amen. You can keep yourself updated by subscribing to Dr. Stahl’s Weekend Patch and Vulnerability Report.

From the Coach’s Corner, here are more Internet security resource links:

Cyber Security: Is Your Business Prepared with Precautions and Response Philosophy?

5 Safety Measures to Thwart Mounting Social-Network Attacks

Security Precautions to Take Following Citibank’s Second Reported Online Breach

“Security is, I would say, our top priority because for all the exciting things you will be able to do with computers…organizing your lives, staying in touch with people, being creative…if we don’t solve these security problems, then people will hold back. Businesses will be afraid to put their critical information on it because it will be exposed.”

-Bill Gates

 

_________

Columnist Terry Corbell is also a business-performance consultant and profit professional. Click here to see his management services (many are available online). For a complimentary chat about your business situation or to schedule Terry Corbell as a speaker, why don’t you contact him today? 

 

Most Small Businesses Make You Vulnerable to Credit Card Fraud, ID Theft – Study

 

A study discloses a disturbing trend – nearly four out of five small companies are storing unsecured data about their customers. That’s an indictment of such businesses, and is alarming news for consumers about their vulnerability to credit card fraud and identity theft.

The 2011 study was conducted by the National Cyber Security Alliance (NCSA).

“How can this be,” you ask?

Nationally known security expert Dr. Stan Stahl, of Citadel Information Group in Los Angeles, knows why.

“Citadel works with small business leaders every day and – based on our experience – the reason small businesses don’t take cybercrime seriously is that they see it primarily as something their IT people are managing, not yet realizing the critical importance of their own leadership,” says Dr. Stahl.

“This includes establishing clear policies and standards for information use, explicitly assigning cyber security management responsibility to a member of the senior management team, providing cyber security awareness training and education to all information users, and ensuring that IT personnel are effectively managing the security of the IT infrastructure,” he adds.

The alarming results in the study first came to my attention after reading Small Businesses Don’t Take Cybersecurity Seriously, which was mentioned in Dr. Stahl’s security blog.

Hopefully, your business is not one of the businesses cited in the study. Cybercrime has become a global nightmare. My question for companies about Cyber Security: Is Your Business Prepared with Precautions and Response Philosophy? 

For NCSA’s tips for small business security, read this post. 

“Seventy-nine percent of businesses are storing consumer information when they don’t need it. It’s not protected. It’s not secure,” Verizon spokesperson Andrea Woroch was quoted in a published report.

For consumers, Verizon offers these tips:

Watch the people swiping your credit or debit card.

“You don’t want to blame or suspect everyone’s trying to steal your information, but there are people who will and are trying to copy your credit card information with extra swipes,” says Ms. Woroch.

Take extra care when you buy on the Internet.

“Don’t mark that little check box that says ‘to store for future purchases.’ You don’t want that organization, that business, that Internet website to hold any of that information,” explains Ms. Woroch.

Consider alternatives to using your credit card, such as gift cards.

Carefully study your billing statements.

“Lots of consumers overlook little charges that are being made on their statement and that’s how people are continually able to trick them and deceive them and steal them and take extra money out of their accounts,” adds Ms. Woroch.

Resource link: Dr. Stahl’s Web site.

(Note: Dr. Stahl is a fellow member of Consultants West, www.consultantswest.com, a roundtable of veteran consultants in the Los Angeles area.)

From the Coach’s Corner, here are additional cybersecurity tips:

Security Precautions to Take Following Citibank’s Second Reported Online Breach

Our Mobile-Banking Warnings about Security Prove Prophetic

“Being good is good business.”

-Anita Roddick


 

Why Many Healthcare Workers Are Responsible for Alarming Trend: Medical ID Theft

 

Sept. 26, 2011

Medical identity theft is skyrocketing. It’s the fast-growing trend in ID thievery, and the data shows it adversely impacted 1.42 million Americans in 2010, according to a study by PricewaterhouseCoopers (PwC) in a published report.

PwC reports medical ID theft aggregately cost more than $28 billion.

“The root cause of the fraudulent use of someone else’s medical identification is that protected medical information is widely dispersed in multiple information systems where it all too often is inadequately secured,” says nationally known security expert, Dr. Stan Stahl, president of Citadel Information Group, Inc. in Los Angeles.

MedPage Today (Medical Identity Theft a Growing Problem) reported the three most common identity breaches:

  1. Employees who act unprofessionally – improper use of patients’ data in doctors’ offices, hospitals, insurance companies and life sciences companies. They’ve even been caught posting comments about patients on Facebook.
  2. Almost 40 percent of hospitals and physicians report they have caught patients using another person’s identity when they seek treatment.
  3. Twenty-five percent of insurance companies acknowledge the improper transfer of information in patients’ health files. Unauthorized persons viewed such files.

“Every organization that collects or stores personally identifiable medical information – hospitals, doctors, clinics, pharmacies, billing offices, insurance companies, even employers – has a legal and ethical obligation to properly secure that information,” asserts Dr. Stahl.

In public reports, theft was responsible for 66 percent of medical ID breaches in the last two years. The thefts include notebook computers, smartphones, using another person’s personal information for fraudulent claims, and people using others’ names.

More shocking news

Authors of the PwC study indicated most healthcare organizations aren’t equipped to prevent medical ID theft – despite the growing use of information technology in the medical profession.

“Most breaches are not the result of [information technology] IT hackers, but rather reflect the increase in the risks of the knowledgeable insider related to identity theft and simple human error – loss of a computer or device, lack of knowledge or unintended unauthorized disclosure,” said James Koenig, director of the Health Information Privacy and Security Practice at PwC in a press statement.

More than 50 percent of the study’s respondents who work for healthcare organizations said they knew of at least one privacy breach since 2009.

“Doctors need to take measures to assure their patients are who they say they are,” recommends Dr. Stahl. “That can include checking referrals.”

What can patients do?

“Patients need to treat their medical information with the same care that they treat their financial information, including periodically checking with their insurance company to identify fraudulent activity,” advises Dr. Stahl.

The PwC study indicated that most healthcare organizations admit they haven’t even begun to adequately deal with privacy and security issues in this digital-information age.

Obviously, as a business-performance consultant, here’s my sense:

  1. The medical profession should immediately take adequate security precautions.
  2. All medical employees should undergo privacy-confidentiality sensitivity training.

After all, shouldn’t these precautions be part of medical care?

From the Coach’s Corner, you might consider these security-resource links:

Security Precautions to Take Following Citibank’s Second Reported Online Breach

Our Mobile-Banking Warnings about Security Prove Prophetic

11 Travel Tips – Save Money, Prevent against Cyber Theft, Fraud

“If you reveal your secrets to the wind, you should not blame the wind for revealing them to the trees.”

-Kahlil Gibran

 


11 Travel Tips – Save Money, Prevent against Cyber Theft, Fraud

 

Sometimes data is misleading. Business travelers might be relieved to learn the number of fraud and identity theft victims is down, according to the Javelin 2011 Identity Fraud Survey Report. However, the aggregate financial pain from cybercrime is greater. It increased 63 percent from 2009 to 2010.

Javelin Strategy & Research provides data for the financial services industry globally.

The most vulnerable travelers are businesspeople. That’s because they have to use the Internet and e-mail. They’re especially in danger from vulnerabilities – from wirelessly accessible passports to using WIFI.

To save you aggravation and money, here are 11 quick tips:

  1. There are no free meals. The adage is applicable to offerings that appear too good to be true. If you get a unique travel offer, do your due diligence. Review the scam alerts at Web sites, such as www.419legal.org. It wouldn’t hurt to check the site of the airline trade organization, International Air Transport Association, www.iata.org.
  2. Watch for offers from fakes. Cybercriminals are prevalent in the travel industry, and are publishing sites that look like the real, well-known companies.
  3. Don’t use social media to chat about your travel plans. Don’t alert criminals. Your home-front and business will be vulnerable.
  4. Cautions about debit and credit cards. Unlike debit cards, credit cards protect against fraud and theft. Better yet, before you travel obtain a no-foreign transaction fee card. Be sure to alert your credit card company about your trip. Just in case you might need help on your trip, get the credit-card issuer’s number that you can telephone collect when you’re overseas.
  5. Guard against currency conversion surprises. Don’t sign any checks or receipts that aren’t shown in the local currency. Overseas merchants sometimes try to manipulate travelers – they provide their prices in U.S. currency, not their local currency.
  6. Be prepared to utilize your passport when making a purchase. Reputable foreign merchants don’t trust your credit card unless you have acceptable identification. That’s because U.S. credit cards have the old-fashioned magnetic stripe on the back. European credit cards use the chip-and-PIN system, which is a modern fraud-security system.
  7. Use your own computer. For data security and privacy, never use public computers.
  8. Forget WIFI. Don’t use WIFI. It’s not just a matter of cybercriminals viewing your computers. They’re establishing fake access points, which can give them an entrée to your important files and data. If you have to use a computer, hook your computer to your smartphone’s service or try MIFI.
  9. Protect your e-passport. They have RFID chips containing your personal information. Cybercriminals can view your information even though you can’t see them. So use an RFID blocking passport.
  10. Bluetooth has vulnerabilities. So turn it off.
  11. Think twice about using in-flight mobile phone and SMS services. They’re just as risky as a WIFI hotspot.

Use these tips to help ensure you enjoy your trip and transact some good business.

From the Coach’s Corner, here’s a site with helpful research information http://globaledge.msu.edu/.

 

“If you don’t know where you are going, any road will lead you there.”

-Unknown


 

Strategic Planning: List of Informative Web Sites

 

Keywords have become the currency of the digital economy. They transmute into cash when you attract the right prospective customers to your Web site. In Internet searches, the right keywords will also deliver the right data – saving you time and money while increasing revenue.

If you’re like most businesspeople, you have your favorite Web sites, which are often trade or profession-specific. You probably get great newsletters, too.

As Biz Coach, I enjoy hearing from many of the best strategists in the world and daily receive information from scores of sources on best-practices management and other topics. And some of my best feedback and questions come from readers who stumble across this column after searching for specific topics.

No one is able to accurately predict what the future holds for your business. But you can influence it, of course, by acting on the best information available. Your best bet for a crystal ball depends on whether you have a good awareness of human nature and developing trends throughout the nation and the globe.

If you need capital, here is some helpful information: “What No One Tells You about Raising Investment Capital.”

For information on mounting a business comeback, see “Step-by-Step Solutions for a Company Turnaround.”

What does the future hold generally for the economy and your business? Not to be a broken record, but in order to design a strategic plan to maximize your resources, you’ll want to complete a SWOT analysis to determine your strengths, weaknesses, opportunities and threats. But you’ll probably need answers from external sources.

For more on how to conduct a SWOT Analysis, visit: “Boeing, Airbus Rivalry: Lessons in Strategic Planning.”  

Once you conduct your SWOT you can start your strategic planning.

Here’s a potpourri of Web sites that provide some enlightening answers:

National Bureau of Economic Research. The private, nonprofit organization is a wealth of economic data that has been providing information regarding the workings of the economy since 1920. The organization does not predict recessions but is regarded as the authority on the nation’s economic health. You can sign up for daily updates on economic indicators at www.nber.org.

Federal Reserve outlook. Current information works best if you also have a sense of history. You can access the government’s current and historical data, including the last four decades at www.federalreserve.gov.

Data from 100 federal agencies. At www.fedstats.gov, you’ll be able to see the latest statistics from 100 government agencies concerning the big picture economy and your specific industry – topics range from agriculture to transportation. You can also see demographic data for every city.

Retail sales. Retail sales data is available at www.chainstoreage.com. This is helpful information as you finalize your product orders and plan your advertising dollars.

Housing. You can get wide-ranging clues from the National Association of Home Builders, www.nahb.com. Admittedly, it is designed to influence policy, but the site also has far-reaching data ranging from the housing industry to consumer-oriented home and remodeling information.

Airline and travel. Face time is important for selling to customers. But it is not fun if your flights are delayed or cancelled. There are at least four helpful travel sites: www.dot.gov, www.thetravelinsider.com, www.flightaware.com and www.flightstats.com.

Small business loans. The Small Business Administration, of course, provides loans to qualified small businesses.

Naturally, it is no secret that federal agencies can be a desirable target for small businesses. Federal agencies indeed are huge opportunities. But the Small Business Administration, www.sba.gov, confirms that federal agencies do not meet their quotas in contracting with small firms. For each agency, the quota is to award 23 percent of contracts to small business.

Here are the requirements: 5 percent to disadvantaged businesses; 5 percent to female-owned businesses; 3 percent to service-disabled veterans; and 3 percent to small firms in defined enterprise zones.

Newsletters of consulting firms. While many successful consulting firms charge for helpful studies in the form of newsletters, a substantial number are complimentary, such as some from McKinsey & Company, www.mckinsey.com.

From the Coach’s Corner, Internet security and identity theft are huge threats. One of my favorite consultants in Internet security is Dr. Stan Stahl at www.citadel-information.com.

For up-to-date information on global security risks, here is his blog site: www.citadelonsecurity.blogspot.com.

Information Security: How to Make the Right Choices

 

Updated Feb. 9, 2012

More than ever, businesses, government agencies and consumers are learning costly lessons about due diligence in privacy and data security.

In recent years, more than 100 million Americans have been victimized, according to the Privacy Rights Clearinghouse, www.privacyrights.org, a consumer rights organization.

The Pacific Northwest is considered to be very tech-savvy. Unfortunately, the consumer group says the Northwest has been well-represented with numerous security breaches.

Washington:

  • Swedish Medical Center, Ballard campus
  • Ameritrade in Bellevue
  • Boeing
  • Washington Employment Security Department
  • University of Washington Medical Center
  • King County Records, Elections, and Licensing Services Division
  • Madrona Medical Group, Bellingham
  • Compass Health, Everett
  • Stevens Hospital Emergency Room, Edmonds
  • Port of Seattle
  • T-Mobile
  • Poulsbo Department of Licensing
  • Starbucks
  • TD Ameritrade Bellevue
  • U.S. Department of Veterans Affairs, Seattle

Oregon:

  • Providence Home Services, Portland
  • Oregon Department of Revenue
  • Dollar Tree, Ashland
  • Ron Tonkin Nissan, Portland
  • Transportation Security Administration, Portland
  • Beaverton School District
  • Willamette Educational Service District
  • Clay High School, Oregon City

Idaho:

  • Idaho State University
  • Idaho Power Company
  • University of Idaho, Advancement Services Office

The epidemic is caused by hacking, theft, and unscrupulous employees.

Indeed, five years of research by Carnegie Mellon University’s CERT Coordination Center, www.cert.org, and the U.S. Secret Service shows employees and former employees are responsible for much of the information technology sabotage. Some 80 percent of incidents were caused by workers already known by managers to be discontented. The individual costs have ranged from $500 to millions of dollars.

In other words, we’re in a state of crisis and it’s time for an update on solutions from a trusted source I’ve quoted in years past.

“The nature of the threat is far different than it was two years ago,” said Dr. Stan Stahl, a nationally known security expert.

He has three major concerns in recent security trends:

The first is organized crime, which he calls cyberscum. “Credit cards with pin numbers go for $100 on the black market,” said Dr. Stahl. “With such cyberscum, you have people who spend their days looking for vulnerabilities in software and they build botnets. The Secret Service uncovered one of the botnets that invaded and controlled 150,000 computers.

“Secondly, it used to be that the perimeter was well-defined because it was basically the corporate network,” he explained. “But now Blackberries, smart phones, and remote workers and all of that, the perimeter is no longer well-defined.”

His third concern? “It used to be you just needed anti-virus software, firewalls and passwords, but hackers are attacking anti-virus security so you really need to step back to take a big-picture look of protection to develop a secure program in your technology and culture,” he added.

Although convenient, confidential offsite storage is not guaranteed. Dr. Stahl recommends verifying the security of Web sites. “That’s one of the places the bad guys are looking.”

Small Business Security Checklist

His checklist advice for micro businesses:

  1. Know what information you have that needs to be protected.
  2. Understand the risks that your information is under.
  3. Structure your networking to provide what’s called defense-in-depth. That’s a tiered architecture with network segmentation.
  4. Watch the network.
  5. Train your people.
  6. Perform personnel background and physical security checks.
  7. Manage the security of your third party vendors.

For success in reaching objectives in information-security control in financial institutions, other large companies and public agencies, Dr. Stahl provides a program that includes what he terms seven critical success factors:

  1. Executive management responsibility: Senior management has responsibility for the firm’s information security program, and this program is managed in accordance with the enterprise’s information security policies.
  2. Information security policies: The enterprise has documented its management approach to security in a way that complies with its responsibilities and duties to protect information.
  3. User awareness training and education: Information users receive regular training and education in the enterprise’s information security policies and their personal responsibilities for protecting information.
  4. Computer and network security: IT staff and IT vendors are securely managing the technology infrastructure in a defined and documented manner that adheres to effective industry information security practices.
  5. Physical and personnel security: The enterprise has appropriate physical access controls, guards, and surveillance systems to protect the work environment, server rooms, phone closets, and other areas containing sensitive information assets. Background investigations and other personnel management controls are in place.
  6. Third-party information security assurance: The enterprise shares sensitive information with third parties only when it is assured that the third-party appropriately protects that information.
  7. Periodic independent assessment: The enterprise has an independent assessment or review of its information security program, covering both technology and management, at least annually.

Dr. Stahl’s approach is to meet with his nationwide clients in person to evaluate their needs and later test their sites remotely.

His list of credentials is voluminous, and he has a client portfolio ranging from small to large clients in the public and private sectors. He’s also president of the Los Angeles chapter of the Information Systems Security Association (ISSA). Nationwide, ISSA has 15,000 members.

His firm’s Web site and security blog: www.citadel-information.com. You can keep yourself updated by subscribing to Dr. Stahl’s Weekend Patch and Vulnerability Report.

For consumers, he recommends reconciling credit card and bank statements every month. For online security, he also likes the following software: SpySweeper, ZoneAlarm and Sandboxie for special protection for provocative sites like gambling. “Some are becoming more proactive, but they’re just now beginning to emerge and I haven’t had a chance to test them,” he said.

To check your credit report for fraud, here are the bureau telephone numbers:

Equifax – (888) 766-008

Experian – (888) 397-3742

TransUnion – (800) 680-7289

From the Coach’s Corner, here are more of Dr. Stahl’s insights:

Cyber Security: Is Your Business Prepared with Precautions and Response Philosophy?

5 Safety Measures to Thwart Mounting Social-Network Attacks

Security Precautions to Take Following Citibank’s Second Reported Online Breach
