Are You Up-to-Date in Managing Cyber Risk? Here’s How



A strange development is taking place. Businesspeople are increasingly concerned about risk management and data loss, but many are implementing the wrong solutions.

True, chief executives have finally learned that failure to deal with cyber-security threats can cost them their jobs. And CEOs are not the only ones on notice.

Boards of directors now fear cyber-security threats too, and are directing CEOs to strategize on cybercrime. The new strategic risks arising from technological change range from big data and cloud computing to social media.

As a result, executives are targeting five technology threats to company value.

However, many business and information-technology pros have been focused on the wrong issues in data loss and risk management, according to Vision Solutions’ 56-page report, “State of Resilience Report 2015.”

My impression of the salient reasons for data loss in information technology:

— Storage failure

— The lack of a backup copy

— Human error

— Data protection program malfunction

— A data protection solution that’s down for maintenance

— Corrupt data

All of this means companies are making decisions on uncertain data. Consequently, 62 percent of the survey’s respondents have postponed data migration over concerns of downtime or not having the right resources.

Therefore, with the uncertainties of globalization, meeting consumer needs, IT risks and complying with regulations, there are gaps in business strategy, data management and technology.

CEOs have long complained to me about information technology. They complain about high-priced consultants, and that IT projects are too expensive and fail to yield a return on investment. Further, two studies indicate the need for IT pros to get businesslike.

Daily data breaches have become the norm in news headlines. We’re also hearing a lot about strategies to manage third-party risks. They are a chief culprit in cybercrime. Your business associates might be bigger risks for data breaches than you realize, too.

Solutions

So what’s needed? That would be creative thinking.

Key questions you must ask of yourself:

  1. How are we focused on continuous improvement?
  2. What are the impending problems, and what are the solutions?
  3. Are we doing the right things to understand the needs of our customers – now and for the future?

Chances are you’re not able to adequately answer the above three questions. Meantime, remember risks from cybercrime gather steam every day.

Not to complicate things, but here’s another question: How are you managing three Rs – resources to repurpose, redeploy and realign?

For bosses to guard against cyber risks, here are four must-do strategies:

  1. Bosses must communicate proactively in cyber-risk management. Communication with IT professionals must improve – dramatically. Analysis should include priorities, the potential dangers to information assets and the tradeoffs.
  2. CEOs must direct security initiatives at every level and opportunity. This includes being transparent with customers and potential customers in the marketplace before and after any cyber attack.
  3. CEOs must be role models in security. They must walk the talk in cyber security matters. Only then will they be effective in motivating staff to use security measures.
  4. CEOs must make sure all employees and vendors employ security controls and diligently follow policies. Monitoring security issues should be an ongoing process to ensure progress.

Another proven method

To help accomplish these safeguards, a solution lies in borrowing a page from the insurance industry – employing an actuary skilled in risk management.

If you operate a company with sizable assets, the recommendation is to become sophisticated in analysis by employing a risk manager. Don’t rush into it without adequate due diligence.

A key point to consider: Don’t hire just anybody. Hire someone who is astute about your industry and business.

You want someone who can help you meet your risk-management goals now and who can also securely help drive your business growth in strategic planning.

If you can’t recruit an experienced person with these skills, consider a bright, enthusiastic MBA.

You’ll sleep better at night.

From the Coach’s Corner, here is additional relevant information:

Risk Management – Making Best Decisions, Using Right Tactics — To prevent a crisis from interfering with the continuity of your business, you must strategically plan to manage any potential risks. That means avoiding the classic mistakes routinely made by companies, and making the right decisions for proactive measures to minimize any dangers.  But how can you best manage risk?

How to Avoid Failure in Risk Management and Strategic Planning — Incredible as it might seem, companies fail because they underestimate strategic risks – yes, strategic blunders instead of common sense – according to an authoritative study. Here are three recommendations.

Risk Management – Picking the Best Cloud Storage Provider — If you feel you must go the cloud route, remember choosing the right cloud storage provider is a must for risk management.

7 Thought Leadership Tactics for Strong Performance — For a company to achieve strong performance, its culture and employees must be aligned with business strategy to provide value. But more and more, it seems employees can’t even articulate business strategy. Therefore, management must identify and communicate effective programs that are aligned with employee behavior in order to blaze new paths and fuel business growth.

Risk Management – Lawyer Explains Basics in Protecting Intellectual Property — Entrepreneurs are well-advised to consider ways to avoid legal entanglements over their inventions and intellectual property.

“The greater danger for most of lies in not setting our aim too high and falling short; but in setting our aim too low, and achieving our mark.” 

-Michelangelo

  __________

Author Terry Corbell has written innumerable online business-enhancement articles, and is also a business-performance consultant and profit professional. Click here to see his management services. For a complimentary chat about your business situation or to schedule him as a speaker, consultant or author, please contact Terry.

Photo courtesy of stockimages at www.freedigitalphotos.net

Skyrocketing Cybercrime Calls for 8 Strategies to Manage 3rd Party Risks



The massive hack of Equifax affecting 143 million people and other frequent data breaches have become the norm in news headlines.

Equifax and other companies seem to pass the buck and usually blame their vendors.

Indeed third-party risks are a chief culprit in cybercrime.

Your business associates might be bigger risks for data breaches than you realize. In other words, they’re potentially third-party risks for cybercrime.

It’s not just Equifax; ask the state of Oregon. And it’s not just the failed Oregon ObamaCare Web site that cost $307 million in taxpayer funds but never got off the ground.

In March 2015, a third party infiltrated a statewide system, the Department of Administrative Services. The agency manages technology for most of the state’s government. Three days elapsed before the state discovered the breach.

In February, outdated software exposed the Secretary of State’s office. The state had to take data for state businesses and election records offline for almost 21 days.

In October 2014, hackers got into Oregon’s Employment Department data for job seekers. In this breach of data that included names, addresses and Social Security numbers, the state only learned about it from an anonymous tip.

Obviously, just like the businesses registered with the state of Oregon and the state government itself, businesses worldwide have third-party risks, too.

For instance, any time you outsource information technology, cloud data storage or social media functions, you’re at risk.

Oregon decided to find an expert to review its information-technology system to identify risks and to provide solutions.

To prevent third-party data breaches, the state and the private sector need to implement best practices, which include:

1. Research the privacy and security policies of any person or company with access to your data – before you do business with them.

2. Confirm with your associates that they conduct professional-level background checks on their employees. Be sure that their subcontractors do the same for their employees, too. Require a guarantee of background checks of anyone with possible access to your system.

3. Strategize for the likelihood of cyber attacks. Make certain to have a suitable plan. Require your associates to prepare, participate and test the plan. Get a guarantee they’ll inform you of any problems.

4. Leave no stone unturned at every phase of your relationships. Perform a vendor-risk assessment. You must continue to identify, and monitor and manage the risks – before you commence relationship, during the relationship and when you end the relationship.

5. Thoroughly research the relationships of your associates. Make sure you know if your vendors are concealing vulnerabilities of their other relationships. It’s not uncommon in business for companies to have nested relationships. Every party must thoroughly protect data.

6. For complete transparency, have an internal comprehensive plan for safeguards. Security responsibilities for critical data shouldn’t be outsourced.

7. In addition to your background check requirements, monitor in real time all location risks in any of your offshoring and outsourcing.

8. Encourage everyone you know to share information regarding all cybercrime. This is one dilemma that takes a village to solve.

From the Coach’s Corner, here are more security tips:

Information Security: How to Make the Right Choices — More than ever, businesses, government agencies and consumers are learning costly lessons about due diligence in privacy and data security. A nationally known expert tells how to make the right choices in information security.

Recruiting an IT Professional for Your Small Firm? 6 Tips for the Right Skills — Are you looking to add information technology personnel? You want to hire for a competitive edge, right? IT is a crucial position for you. The difference between failure and success requires reflection to hire for the right competencies.

How to Enhance Security in Your Company’s Wireless Network — Do you take it for granted that your wireless network is secure? Don’t make that assumption. Wireless routers present dangers. Your router is vulnerable to hackers and, hence, security issues. If you’re really serious about security, WIFI might not be for you.

6 Tips to Save Time and Money by Hiring the Right Tech Consultant — If you need to hire an information technology consultant, it can be costly in time and money, if you choose the wrong person. Use due diligence. Sophisticated tech vendors and consultants of all sizes have been known for cost over-runs. Again, certain precautions are needed. Your technology dilemmas can worsen with the wrong choice – whether the person isn’t up-to-speed or simply isn’t the right fit for your organization. Either can cost you time and money unnecessarily.

Tips to Avoid Advertising Scams Tricking You to Ask for Tech Support — Advertising scams that prey on Internet consumers have prompted four Internet companies to band together to fight the abuse. The scams use harmless-looking ads to trick consumers into using phony tech support that actually enable cybercriminals to invade the unsuspecting owners’ devices.

“I know a baseball star who wouldn’t report the theft of his wife’s credit cards because the thief spends less than she does.”

-Joe Garagiola


 __________





The New Face of $1 Trillion in Cybercrime on Business – Account Takeovers, Credit Card Fraud



Business Web sites are facing an increasingly intense full-court press from cybercriminals – the aggregate cost of cybercrime annually, which includes prevention strategies, has exceeded $1 trillion.

Large-scale data breaches are savagely victimizing new accounts, while account takeover attempts and credit card fraud have doubled, according to a fraud-data study released in June 2013.

A report by ThreatMetrix shows that Web fraud attacks endanger the full customer life-cycle: new account registration, authentication and payment transactions. ThreatMetrix (www.ThreatMetrix.com) is a provider of cybercrime prevention solutions. The study included the experiences of 9,000 of the firm’s customers.

“Nearly one in every 10 new accounts opened online is done using a spoofed identity, and the incidence of account takeover attempts and online payments fraud have both doubled in a six-month period,” said Alisdair Faulkner, the ThreatMetrix chief products officer.

“Data breaches are imminent and given the increased sophistication of malware, organizations should assume that a material percentage of their customers and user accounts are either compromised or criminal and invest accordingly,” he added.

He said attacks on new account registrations using spoofed and synthetic identities saw the highest rate of attacks, followed by account logins and payment fraud. About 10 percent of new online account registrations originate from a cybercriminal.

New account registrations include applying for new lines of credit, creating a profile on a social networking site or marketplace and enrolling in an authentication scheme.

Mr. Faulkner said stolen identities are most commonly used in human or bot-generated fraud attacks directed through proxies and Virtual Private Networks (VPNs) intended to disguise the true origin of the attacker. These bypass IP address-based geo-filter blacklists, which also have the downside of unknowingly blocking legitimate visitors.

“The economic impact of these attacks varies by industry,” he added. “However, the common thread is that without automated visibility into the true device, persona, relationship and global behavior, the only alternative is additional verification roadblocks put in front of legitimate customers and extended review and hold-out periods.”

Payments Fraud

Payments fraud attempts, which include online credit card transactions and money transfers, increased from 3.1 percent to 6.4 percent over the six months ending in March 2013.

Mr. Faulkner explained the trends:

  • Sophisticated credit card cyber gangs adopting banking malware, normally used to hijack bank accounts, to steal full credit card information from customers as a fake verification step when attempting to log into a bank account
  • Increase in percentage of digital goods sold by ThreatMetrix customers that historically have a higher incidence of attack
  • The increased availability and adoption of free and commercial VPN services and the growing use of Platform-as-a-Service (PaaS) providers by cybercriminals to set up ad hoc tunneling protocols. VPNs are favored by cybercriminals because they are impervious to proxy piercing technologies and undetected by traditional IP proxy detection services.

Account Takeover

Based on data taken from October 2012 through March 2013, ThreatMetrix customers saw account takeover attempts nearly double (168 percent). These types of attacks have traditionally focused on banking and brokerage sites, but have recently escalated across e-commerce sites that store credit card details and Software-as-a-Service (SaaS) companies that hold valuable customer data that do not yet have the heightened level of protection as banking sites.

ThreatMetrix has seen a rise in the sophistication of account takeover attempts using blended attacks to exploit companies that do not have an integrated solution for malware, device identification and bot protection.

They include:

  • Multi-stage malware exploits: Malware, typically using Man-in-the-Browser (MitB) Trojans, is used to extract login and setup verification credentials from a customer that is then used by a separate device or third party to avoid server-side MitB detection capabilities.
  • Multi-stage scripted attack exploits: Automated bot attacks test previously breached credentials from third-party sites, exploiting that many people reuse user names and passwords. After checking account balances or verifying whether an account has a stored credit card, a second attack is launched, typically done manually, to avoid any server-side bot detection.
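The two-stage pattern just described, automated testing of breached credentials followed by a quieter manual follow-up, leaves a footprint in ordinary authentication logs: one source trying many different usernames in a short window with a low success rate, and then a handful of successes from that same source. The following is an added example, not ThreatMetrix’s or the article’s code; the log format, thresholds and sample lines are constructed for illustration. It flags sources that fit the stuffing pattern and lists the accounts that succeeded from them, which are the ones to force a password reset or step-up verification on before the manual second stage arrives.

```python
"""Flag credential-stuffing patterns in web authentication logs.

Added example (not ThreatMetrix's or the article's code). The log format,
thresholds, source addresses and usernames below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice mistypes once then logs in; a second source
# cycles through many usernames in a few seconds and succeeds once.
SAMPLE_LOG = """\
2013-03-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2013-03-01T10:00:09Z src=203.0.113.7 user=alice result=OK
2013-03-01T10:05:00Z src=198.51.100.9 user=bob result=FAIL
2013-03-01T10:05:01Z src=198.51.100.9 user=carol result=FAIL
2013-03-01T10:05:01Z src=198.51.100.9 user=dave result=FAIL
2013-03-01T10:05:02Z src=198.51.100.9 user=erin result=FAIL
2013-03-01T10:05:02Z src=198.51.100.9 user=frank result=FAIL
2013-03-01T10:05:03Z src=198.51.100.9 user=grace result=OK
2013-03-01T10:05:04Z src=198.51.100.9 user=heidi result=FAIL
"""

WINDOW = timedelta(minutes=5)
MIN_ATTEMPTS = 5        # assumed: fewer attempts than this is noise
MIN_DISTINCT_USERS = 4  # stuffing means many usernames per source, not many guesses per user
MAX_OK_RATIO = 0.5      # assumed: a human correcting a typo succeeds far more often


def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_stuffing(log_text):
    """Return {src: {"attempts", "distinct_users", "ok_ratio", "compromised"}}
    for every source whose activity inside WINDOW looks like credential
    stuffing. 'compromised' lists the accounts that succeeded from that
    source: the targets of the manual second stage."""
    events = sorted((parse_line(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # slide the window so it spans at most WINDOW of this source's events
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            users = {e["user"] for e in window}
            oks = [e["user"] for e in window if e["result"] == "OK"]
            ok_ratio = len(oks) / len(window)
            if (len(window) >= MIN_ATTEMPTS and len(users) >= MIN_DISTINCT_USERS
                    and ok_ratio <= MAX_OK_RATIO):
                alerts[src] = {"attempts": len(window),
                               "distinct_users": len(users),
                               "ok_ratio": round(ok_ratio, 2),
                               "compromised": sorted(set(oks))}
    return alerts


if __name__ == "__main__":
    for src, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {info['attempts']} attempts across {info['distinct_users']} users, "
              f"success ratio {info['ok_ratio']}; reset/step-up: {info['compromised']}")
```

Keying on distinct usernames per source rather than failures per account is what separates this from a plain lockout rule: a stuffing run touches each account once or twice, so per-account counters never fire. Note that a determined attacker spreads the run over many proxies or VPN exits, which is exactly the evasion Mr. Faulkner describes above; the per-source view is a first filter, not a complete answer.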

Whew. So that’s more evidence that businesses need to be diligent in operating their Web sites and preparing with precautions and response philosophy.

Not only that, but most small businesses make you vulnerable to credit card fraud and identity theft.

From the Coach’s Corner, here are more IT resource links:

“If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.”

-Richard Clarke

__________


Protect Your Bank Accounts So You Can Sleep at Night



Imagine for a moment — you’re sitting at your desk enjoying a second cup of morning coffee. Then, your phone rings. It’s a call from your bank to discuss possible fraud.

Your bank is concerned about possible suspicious activity with your accounts, and wants to make sure you’re not a victim. As a consumer, federal rules limit your liability for unauthorized electronic transfers from your accounts.

However, if you own a business, your accounts don’t get that protection; your losses are governed by your account agreement (see tip 4 below). So it’s imperative that you use best practices, and consider cyber insurance.

Actually, the nightmarish threat happens each weekday. Attacks by cybercriminals are skyrocketing, according to the American Bankers Association. The association represents the $14-trillion banking industry.

“Small businesses are a growing target for account takeover,” said Frank Keating, president and CEO of the American Bankers Association (ABA). “Yet, a strong partnership with your financial institution will give you the tools needed to shield yourself from this attack.”

Criminals are transferring money from accounts by stealing sensitive information.

Banks have a term for it – corporate account takeover.

How? The lawbreakers use variety of tools – online social networks, malicious software and phony e-mails.

Their goal is to get login credentials. That’s how they gain access to small business accounts.

“We’re far more effective at combating account takeover when we combine resources than going at it alone,” said Mr. Keating.

“Talk with your banker about the tools your business and bank can use together to minimize this threat,” he added.

Tips to protect bank accounts

To prevent your accounts from being taken over by cybercriminals, the ABA provides four tips:

1. Protect your online environment. It is important to protect your cyber environment just as you would your physical location. Do not use unprotected internet connections.

Encrypt sensitive data and keep updated anti-virus and anti-spyware protection on your computers. Change passwords from the default to something complex, including at point-of-sale terminals.

2. Partner with your bank for payment authentication. Talk to your banker about services that offer call backs, device authentication, multi-person approval processes, batch limits and other tools that help protect you from unauthorized transactions.

3. Pay attention to suspicious activity and react quickly. Put your employees on alert. Look out for strange network activity, do not open suspicious emails and never share account information.

If you suspect a problem, disconnect the compromised computer from your network and contact your banker. Keep records of what happened.

4. Understand your responsibilities and liabilities. The account agreement with your financial institution will detail what commercially reasonable security measures are required in your business. It is critical that you understand and implement the security safeguards in the agreement.

If you don’t, you could be liable for losses resulting from a takeover. Talk to your banker if you have any questions about your responsibilities.
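Tip 2 names the controls (multi-person approval, batch limits, call-backs for new payees) without showing how they fit together at the moment a batch is released. The following is an added example, not code from the ABA or any bank, of a release-time policy check over a batch of constructed payments; the limits, roles and payee list are assumptions. It demonstrates separation of duties (an initiator cannot approve their own payment), dual approval above a single-payment threshold, a batch ceiling, and holding payments to payee accounts that have not been pre-registered, which is where an account takeover typically tries to send the money.

```python
"""Dual control and batch limits for outbound payments.

Added example, not ABA or bank code. Limits, roles, the payee list and the
sample payments below are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Payment:
    payment_id: str
    amount_cents: int
    payee_account: str
    initiated_by: str
    approvals: set = field(default_factory=set)


class PaymentPolicy:
    def __init__(self, approvers, single_limit_cents, batch_limit_cents, known_payees):
        self.approvers = set(approvers)          # users entitled to approve
        self.single_limit = single_limit_cents   # above this, two approvers are required
        self.batch_limit = batch_limit_cents     # ceiling on what one batch may release
        self.known_payees = set(known_payees)    # payee accounts verified out of band

    def approve(self, payment, approver):
        """Record an approval, enforcing separation of duties."""
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not an approver")
        if approver == payment.initiated_by:
            raise PermissionError("initiator may not approve their own payment")
        payment.approvals.add(approver)

    def release_batch(self, payments):
        """Return (released_ids, held) where held maps payment_id -> reasons."""
        released, held, running_total = [], {}, 0
        for p in payments:
            reasons = []
            needed = 2 if p.amount_cents > self.single_limit else 1
            if len(p.approvals) < needed:
                reasons.append(f"needs {needed} approval(s), has {len(p.approvals)}")
            if p.payee_account not in self.known_payees:
                reasons.append("payee not pre-registered; verify by call-back")
            if running_total + p.amount_cents > self.batch_limit:
                reasons.append("would exceed batch limit")
            if reasons:
                held[p.payment_id] = "; ".join(reasons)
            else:
                released.append(p.payment_id)
                running_total += p.amount_cents
        return released, held


def demo():
    """Run the policy over a constructed batch; returns (released, held)."""
    policy = PaymentPolicy(approvers={"cfo", "controller"},
                           single_limit_cents=500_000,     # $5,000
                           batch_limit_cents=2_000_000,    # $20,000
                           known_payees={"ACCT-1001", "ACCT-1002"})
    batch = [
        Payment("P1", 120_000, "ACCT-1001", initiated_by="clerk"),    # routine, known payee
        Payment("P2", 900_000, "ACCT-1002", initiated_by="clerk"),    # over the single limit
        Payment("P3", 300_000, "ACCT-9999", initiated_by="clerk"),    # new, unverified payee
        Payment("P4", 1_950_000, "ACCT-1001", initiated_by="clerk"),  # blows the batch ceiling
    ]
    for p in batch:
        policy.approve(p, "controller")
    policy.approve(batch[3], "cfo")          # P4 now has the two approvals it needs
    try:
        policy.approve(batch[1], "clerk")    # initiator trying to self-approve P2
    except PermissionError:
        pass                                 # expected: separation of duties holds
    return policy.release_batch(batch)


if __name__ == "__main__":
    released, held = demo()
    print("released:", released)
    for pid, why in held.items():
        print(f"held {pid}: {why}")
```

The point of enforcing this at release time, rather than trusting whoever is logged in, is that a stolen credential gives the criminal one identity; dual control, a second approver who is not the initiator, and an out-of-band call-back for any new payee each require something that credential alone does not supply.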

From the Coach’s Corner, here are related articles:

BYOD, Mobile-Banking Warnings about Security Prove Prophetic — Not to be gauche, but in 2009 you saw the Internet security warning here first – mobile banking is so risky an IT security guru said don’t do it. The warning was prophetic.

5 Safety Measures to Thwart Mounting Social-Network Attacks — An epidemic of social-networking attacks presents an unprecedented danger to companies, and five crucial steps are needed for business survival.

Tips For Internet Security to Prepare you for New Cyber Attacks — Do you need more evidence to be diligent in using best practices for security on the Internet? According to a Web security study in 2013, Internet attacks have been impacting businesses, with the majority of them reporting significant effects in the form of increased help desk time, reduced employee productivity and disruption of business activities.

New Cybercrime Serves as Warning to Take Defensive Precautions — Cybercrime is only getting worse. From both sides of the Atlantic Ocean, here are three examples of countless crimes: Authorities including the Secret Service are investigating the hacking of retailer Target in 2013 – hackers stole credit and debit card data from 40 million customers.

Lesson about Passwords after Theft of 16,000+ UCLA Patient Records — Unfortunately, we’ve learned another lesson about passwords at the expense of 16,288 patients who’ve been treated at UCLA’s network of hospitals and clinics. The patients’ sensitive information is in the wrong hands following a burglary of a doctor.

“He who does not prevent a crime when he can, encourages it.”

-Lucius Annaeus Seneca


__________





Photo by David Castillo Dominici at www.freedigitalphotos.net

DNSChanger Prompts 7 Reminders about Staying Web Safe



The massive scare over DNSChanger was yet another reminder to be diligent in keeping your computer safe. The Trojan altered infected computers’ DNS settings so that their Web traffic was resolved by the criminals’ own servers. According to the FBI, an Estonian group was able to surreptitiously capture at least $14 million by replacing advertisements on the computers of unsuspecting Internet users with their phony ads.

About 50,000 U.S. computers among 250,000 systems worldwide were believed infected with the Trojan in July 2012. Most of the damage was in the U.S., Germany, Great Britain, India and Italy.

The FBI warned about the issue for months after shutting down the Estonian ring, because switching off the DNSChanger servers would eliminate Internet service on the computers still pointed at them.

In fact, a few months earlier the FBI said Internet criminals pose a bigger threat than terrorists.

Such cybercrime has many dangerous implications, especially for businesspeople and individuals who use online banking.

Of course, it’s important to guard against criminals who want to steal your money by accessing your personal information.

At first, it was only big bank customers being attacked. Now, cybercriminals have victimized credit unions and their members.
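The practical check DNSChanger called for was simple: look at which DNS servers your machine is actually using and compare them with the rogue ranges the FBI published. The following is an added example, not FBI or article code. The CIDR blocks are the rogue-server ranges from the FBI’s DNSChanger advisory; confirm them against the advisory before relying on this. The resolv.conf text is constructed, and the script also reads the running machine’s /etc/resolv.conf when that file exists.

```python
"""Check which DNS servers a machine uses against the DNSChanger rogue ranges.

Added example, not FBI or article code. The ranges are those the FBI's
DNSChanger advisory published for the rogue servers (verify against the
advisory). The resolv.conf sample below is constructed.
"""
import ipaddress
import os

# Rogue DNS server ranges from the FBI DNSChanger advisory, as CIDR blocks.
ROGUE_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]

# Constructed sample: one ordinary LAN resolver and one inside a rogue range.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 192.168.1.1
nameserver 85.255.112.36
"""


def parse_resolvers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify(address):
    """Return 'ok', 'ROGUE <cidr>' or 'unparseable' for one resolver address."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "unparseable"
    for net in ROGUE_RANGES:
        if ip.version == net.version and ip in net:
            return f"ROGUE {net}"
    return "ok"


def check_resolvers(resolv_conf_text):
    """Return [(address, verdict), ...] for every nameserver in the text."""
    return [(s, classify(s)) for s in parse_resolvers(resolv_conf_text)]


def check_this_host(path="/etc/resolv.conf"):
    """Check the running machine's resolvers; empty list if the file is absent."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return check_resolvers(fh.read())


if __name__ == "__main__":
    for addr, verdict in check_resolvers(SAMPLE_RESOLV_CONF) + check_this_host():
        print(f"{addr:>16}  {verdict}")
```

A resolver that is merely unfamiliar is not proof of infection (ISPs and corporate networks hand out resolvers users never see), but one inside a published rogue range is, and DNSChanger also rewrote settings on home routers, so the router’s DNS configuration deserves the same comparison.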

Seven reminders to stay safe:

Links – Don’t ever click on a link allegedly emailed to you by your financial institution. Never respond. That means not forwarding your credit and debit card numbers, user ID or passwords. Criminals, or phishers, will instead direct you to their site, which looks like your bank’s Web site. That’s how they grab your sensitive information.

So, if you want to log on to your bank, simply type the bank’s address into your browser’s address bar. Look for the “https” designation and the padlock icon in your browser. You should be nervous if a popup appears. Sign out right away.

Start clean – Because browsers cache the pages you visit to make for faster surfing, clear your browsing data, including the cache, from your browser’s settings or the control panel. Especially if you use Windows, make sure your browser has the latest security update. Make sure your antivirus software downloads the latest signature update, and then run a full-system scan.

Don’t allow your browser to save your user names and passwords. Malware can easily find it.

WIFI – Never use a public terminal or WIFI for sensitive information. Be very careful if you live in an urban area where your WIFI can be accessed by others.

Private, not public – If for financial or other logistical reasons you are away from your home or office and have no other choice, use a portable operating system. Create a bootable flash drive or disc with a Linux-based OS such as open-source Ubuntu, and start the machine from it, so that any malware on the installed system stays out of your banking session.

Use bank’s on-screen keyboard – If your bank’s Web site offers an on-screen keyboard, use it whenever you are on a shared machine. That helps ensure your password can’t be captured by a keylogger installed by others using that machine.

Passwords – Create strong passwords. It’s best to use a random selection of letters and numbers. Don’t store your user IDs and passwords on your computer. Change them regularly.

Mobile banking – Don’t succumb to your bank’s propaganda about mobile banking. Why?

See these two articles:

Identity Fraud Escalates in Smartphones, Social Media — Skyrocketing mobile malware threats amid widespread use of BYOD, bring your own devices, were on track for a $1.88 billion services market in 2013. That’s according to ABI Research. Cybercriminals are successfully attacking vulnerabilities in individual devices and networks, according to an ABI report.

Who Profits from Android’s Security Issues? Not Users — Countless headlines detail the cyber dangers of Android-based devices. It has to do with the apps.
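The first reminder above (Links) tells you what to look for: https, and a host that really is your bank’s domain rather than a look-alike. Those checks can be made mechanical before anyone clicks. The following is an added example, not the article’s code; the bank domain and sample URLs are constructed, using the reserved .test and .example names. It catches the common phishing tricks: plain http, a bank name buried inside some other registered domain, a user@ prefix that makes the bank’s name appear before the real host, a bare IP address, and punycode hosts that may hide look-alike characters.

```python
"""Classify a link that claims to lead to your bank before you click it.

Added example, not the article's code. The bank domain and sample URLs are
constructed; .test and .example are reserved names used only for illustration.
"""
import ipaddress
from urllib.parse import urlsplit


def link_warnings(url, bank_domain):
    """Return a list of warnings; an empty list means the link is plausible.

    Insists on https and checks that the host is the bank's registered
    domain (or a subdomain of it) rather than a look-alike."""
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    bank = bank_domain.lower()

    if parts.scheme != "https":
        warnings.append(f"not https (scheme is {parts.scheme or 'missing'})")
    if parts.username is not None:
        # https://yourbank.test@evil.example/ really connects to evil.example
        warnings.append(f"URL contains user@ before the host; the real host is {host!r}")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address, not a domain name")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("host uses punycode; possible look-alike characters")

    bank_name = bank.split(".")[0]
    if host == bank or host.endswith("." + bank):
        pass                                   # genuinely under the bank's domain
    elif bank_name in host:
        # e.g. yourbank.test.secure-login.example or secure-yourbank-test.example
        warnings.append(f"look-alike: contains {bank_name!r} but is not under {bank}")
    else:
        warnings.append(f"host {host!r} is not the bank's domain {bank}")
    return warnings


if __name__ == "__main__":
    BANK = "yourbank.test"                      # constructed bank domain
    for u in ("https://www.yourbank.test/login",
              "http://www.yourbank.test/login",
              "https://yourbank.test.secure-login.example/verify",
              "https://www.yourbank.test@203.0.113.5/",
              "https://www.xn--yurbank-8ya.test/"):   # constructed punycode label
        print(u, "->", link_warnings(u, BANK) or ["looks plausible"])
```

The suffix test matters: “yourbank.test.secure-login.example” is registered to whoever owns secure-login.example, and the bank’s name at the front is decoration. A clean result is still only a plausibility check, not proof; the habit the reminder recommends, typing the address yourself, remains the safer route.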

From the Coach’s Corner, here are other tips:

Surprise — Cyber Criminals Chew up Apple Products, too — For years in terms of security, Windows has been considered inferior to Macs. But no longer thanks to malware security epidemics. If you’ve got an iPhone, get busy. Apple continues to have bugs and security issues.

Most Small Businesses Make You Vulnerable to Credit Card Fraud, ID Theft – Study — Results from a Web security study show that almost all of the Web security administrators agreed that Web browsing is a serious malware risk to their companies.

Security Precautions to Take Following Citibank’s Second Reported Online Breach — Citibank’s admission that private information of 360,083 North American Citigroup credit card accounts was stolen by hackers in 2011, which affected 210,000 customers, serves as a warning for all businesses and consumers to take precautionary steps. The bank’s May 2011 security breach wasn’t reported until weeks later. Originally, Citibank said 200,000 accounts were affected.

Why Many Healthcare Workers Are Alarmingly Responsible for Medical ID Theft — Medical identity theft is skyrocketing. It’s the fast-growing trend in ID thievery.

Lesson about Passwords after Theft of 16,000+ UCLA Patient Records — Unfortunately, we’ve learned another lesson about passwords at the expense of 16,288 patients who’ve been treated at UCLA’s network of hospitals and clinics. The patients’ sensitive information is in the wrong hands following a burglary of a doctor. The information was on a computer hard drive stolen from the doctor’s home.

“Cyber terrorism could also become more attractive as the real and virtual worlds become more closely coupled, with automobiles, appliances, and other devices attached to the Internet.”

-Dorothy Denning


__________





Photo courtesy of Salvatore-Vuono at www.freedigitalphotos.net


More Cybercrime Serves as Warning to Take Defensive Precautions



Cybercrime is only getting worse. Every week there are revelations about hackers.

From both sides of the Atlantic Ocean, here are some examples of countless crimes:

Countless consumers were affected when hackers invaded grocery chain Albertson’s in 2014. Authorities including the Secret Service are investigating the hacking of retailer Target in 2013 — hackers stole credit and debit card data from 40 million customers.

In New York, six Estonians and one Russian were charged in November 2011 by authorities with cybercrimes on a massive scale.

Victims include the National Aeronautics and Space Administration, other government agencies, businesses and 500,000 people. 

In the U.K., 13 people were sentenced to jail terms over their use of malware in banking fraud totaling 2.9 million British pounds, or $4.6 million. Hundreds of people were victimized. 

These stories are another lesson to take cybercrime seriously.

For best practices in thwarting cybercriminals, I always turn to nationally recognized security expert Stan Stahl, Ph.D., of Citadel Information Group in Los Angeles.

His tips:

1. Keep systems patched with the latest updates. (His security blog, Weekend Vulnerability and Patch Report, lists major updates for software typically found in small offices and home computers.)

2. Run up-to-date anti-virus anti-malware software – or what is even better, a strong intrusion detection and prevention solution.

3. Use strong passwords for access to sites with sensitive information. Password length is more important than randomness; size matters. “2HelloPepper#” is a much stronger password than “Ab$%16vF,” plus it’s a lot easier to remember.

“Be extremely sensitive to social engineering attacks,” Dr. Stahl adds. “Don’t open email attachments or click on links in emails unless the email is from someone you know and is expected.”

Indeed, we see proof of his admonition in news headlines almost daily, which has prompted countless Biz Coach articles about cyber attacks with tips for Internet security.

WIFI warning

The most-read Biz Coach article of all time quoted Dr. Stahl about using Starbucks’ WIFI.

Also highly read is our mobile-banking warnings about security prove prophetic.

Don’t forget about healthcare. It’s vital to understand why many healthcare workers are responsible for an alarming trend: Medical ID theft.

For more of Dr. Stahl’s insights, visit his Web site.

(Note: Dr. Stahl is a fellow member of Consultants West, www.consultantswest.com, a roundtable of veteran consultants in the Los Angeles area.)

From the Coach’s Corner, here are more security strategies:

Security Precautions to Take Following Citibank’s Second Reported Online Breach — Citibank’s admission that private information of 360,083 North American Citigroup credit card accounts was stolen by hackers in 2011, which affected 210,000 customers, serves as a warning for all businesses and consumers to take precautionary steps. The bank’s May 2011 security breach wasn’t reported until weeks later. Originally, Citibank said 200,000 accounts were affected.

Lesson about Passwords after Theft of 16,000+ UCLA Patient Records — Unfortunately, we’ve learned another lesson about passwords at the expense of 16,288 patients who’ve been treated at UCLA’s network of hospitals and clinics. The patients’ sensitive information is in the wrong hands following a burglary at a doctor’s home. The information was on the computer hard drive stolen from the doctor’s home, according to an article in The New York Times (UCLA Health System Warns About Stolen Records). Medical records of the patients included addresses, birth dates and medical information covering July 2007 to July 2011.

Most Small Businesses Make You Vulnerable to Credit Card Fraud, ID Theft — A whopping 79 percent of companies in the U.S. and U.K. experienced Web-borne attacks, according to data released in 2013. These incidents continue to represent a significant threat to corporate brands. Results from a Web security study show that almost all of the Web security administrators agreed that Web browsing is a serious malware risk to their companies.

Cyber Security: Is Your Business Prepared with Precautions and Response Philosophy? — Not likely to pass, a data-breach bill has been re-introduced in the U.S. Senate that would regulate how businesses behave – informing customers when their personal information has been stolen. Passage or not, businesses should act on their own. It’s the right thing to do. The “Data Security and Breach Notification Act of 2012” died in committee and was re-introduced as S. 1193 in June 2013 but has stalled.

Surprise — Cyber Criminals Chew up Apple Products, too — For years in terms of security, Windows has been considered inferior to Macs. But no longer thanks to malware security epidemics. If you’ve got an iPhone, get busy. Apple continues to have bugs and security issues. Apple was forced to release an update just a few days after the rollout of its iOS 8 in late Sept. 2014.

“Passwords are like underwear: you don’t let people see it, you should change it very often, and you shouldn’t share it with strangers.”

-Chris Pirillo

__________

Author Terry Corbell has written innumerable online business-enhancement articles, and is a business-performance consultant and profit professional. Click here to see his management services. For a complimentary chat about your business situation or to schedule him as a speaker, consultant or author, please contact Terry. 

Photo by chanpipat at www.freedigitalphotos.net

How Epsilon’s Security Flaw Threatened Millions of Businesses, Consumers



Epsilon, a major email marketing company, annually forwards billions of messages. The firm purports to be the leading opt-in marketing company with more than 2,000 global customers.

Epsilon reportedly emails customers for some pretty big players, including Capital One, Citibank, Disney, Home Shopping Network, JP Morgan Chase, Kroger, and TiVo.

As expected, Epsilon has an attractive Web site, www.epsilon.com. It touts all kinds of cutting-edge services. The site creates a favorable first impression.

But in my April 4, 2011 visit to Epsilon’s home page, and again two years later, an important element was missing – an unfortunate omen, if you will. You see, appearances in business are important, especially first impressions about IT security.

However, Epsilon has failed to adequately reassure its site’s visitors that it provides cutting-edge security.

In today’s IT environment, that’s more than just a gaffe. It suggests a catastrophe of monumental proportions waiting to happen. (In 2011, its branding slogan was “Marketing as Usual. Not a Chance.” Most recently, it’s been changed to “Where Intelligence Ignites Connections.”)

Unfortunately, such a security breakdown has already occurred. Indeed, on April 1, 2011, an ominous press release appeared on the company’s Web site. Unfortunately, it was not an April Fool’s joke.

Epsilon published this terse announcement:

Epsilon Notifies Clients of Unauthorized Entry into Email System

IRVING, TEXAS – April 1, 2011 – On March 30th, an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.

Security debacle

Epsilon’s notice didn’t please me. You see, the cybercriminals were already at work. Several days prior to the press-release posting on March 30, I became aware that something was amiss – phishing scams trying to entice businesses and consumers to take advantage of so-called offers.

Afterward, Threatpost reported that some of Epsilon’s customers in turn warned their customers — here’s the warning from Disney Destinations to its customers:

“We have been informed by one of our email service providers, Epsilon, that your email address was exposed by an unauthorized entry into that provider’s computer system. We regret that this incident has occurred and any inconvenience this incident may cause you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information,” the statement says.

“We want to assure you that your email address was the only personal information we have regarding you that was compromised in this incident. As a result of this incident, it is possible that you may receive spam email messages, emails that contain links containing computer viruses or other types of computer malware, or emails that seek to deceive you into providing personal or credit card information.”

Two morals

The two salient lessons from this security debacle:

  1. Epsilon and other companies that provide IT services need to make security more of a priority.
  2. Businesspeople and consumers need to stay alert to the dangers lurking on the Internet, and IT in general.

In conclusion, what are the solutions for this situation and to prevent more occurrences? My longtime go-to security expert is Dr. Stan Stahl of Citadel Information Group in Los Angeles. Here’s what he had to say in What You Really Need to Know to Stay Web Safe.

Further, noteworthy management lessons have evolved from the alleged data-management program at Epsilon. Obviously, Epsilon’s data management is an oxymoron. It is not managed properly. Here are Management Lessons from Epsilon’s Email-Breach Scandal.

From the Coach’s Corner, Dr. Stahl’s insights were also quoted in this business portal’s all-time most-read column: Using Starbucks’ WIFI? Security Pro Issues Warning and Security Checklist.

Dr. Stahl’s Web site: www.citadel-information.com. You can also find his informative blog.

“The single biggest existential threat that’s out there, I think, is cyber.”

-Michael Mullen

Photo courtesy of chanpipat at www.freedigitalphotos.net


How CEOs and Boards Can Prevent Cyber-Security Threats


Here’s a comprehensive infographic examining security threats to business plus the top-10 best practice guidelines to prevent cybercrime.



CEOs finally started to deal with cyber-security threats, but only after they learned failure to act will cost them their jobs.

The trend started after Target fired its CEO, Gregg Steinhafel, in May 2014 over a hacker attack on its millions of customers during the 2013 holiday selling season.

It’s one thing to be attacked but it’s another to act too slowly to deal with it. Shockingly, Mr. Steinhafel learned that Target’s point-of-sale terminals were vulnerable, but he apparently was nonchalant and very slow in dealing with the issue.

Target’s revenue dropped $21.5 billion or 3.8 percent in Q4 2013. That was the hammer that finally got the attention of the suits.

Now, not only are CEOs on notice, but boards of directors are, too. The National Association of Corporate Directors is now mindful of cyber issues.

It’s been too long in coming. Many CEOs had been unaware about the dangers.

Better way

Indeed, two business professors – University of Virginia’s Tim Laseter and Dartmouth’s Eric Johnson – argue there’s “A Better Way to Battle Malware.”

They argued in their lengthy July 2010 article that senior executives could implement production quality controls to conquer cyber security issues.

“Distrust and caution are the parents of security.”
-Benjamin Franklin

USA Today first reported in 2010 that many CEOs were indifferent about the dangers to their firms when it comes to Internet security.

Eighty-one percent of information-technology professionals believed that their companies’ senior managers still do not comprehend the need to take proactive steps to ward off security threats.

That’s according to a study of 591 IT pros by the Ponemon Institute for NetWitness. Not only did it involve opinions about CEOs; the same fears were attributed to a lack of understanding by government agencies.

In addition to the 81 percent concerning senior executives, the study reports other red flags:

— 83 percent indicated their organization has been a recent target of advanced threats

— 41 percent said they were frequently attacked

Confirmation of data

Is it really possible that senior executives didn’t fully comprehend IT security dangers?

“Our experience confirms the validity of these statistics,” agreed Stan Stahl, Ph.D. “The cybercrime problem is only going to get worse as more and more small and medium size businesses fall victim to online bank fraud.”

Commenting in his blog, Dr. Stahl is a widely known pioneer and consultant in security and the prevention of identity theft.

His qualifications:

— He is the expert on Federal Trade Commission rules under the Gramm Leach Bliley Act governing non-public personal information by financial institutions.

— He is also president of the Los Angeles chapter of the Information Systems Security Association, a nonprofit, international organization of information-security professionals and practitioners.

“The biggest challenge we see is helping the men and women who have to dedicate resources (people or money) understand (1) why they need to improve the security of their information systems, (2) the basic steps involved in improving systems security, and (3) the ancillary competitive benefits they can get from improved information systems security management,” he writes.

Intellectual property thefts

Indeed, the Ponemon study also indicates 44 percent of attacks result in the theft of confidential information, and 45 percent of the cyber strikes result specifically in the “theft of intellectual property.”

“It’s to meet this challenge that we in the Los Angeles Chapter of the Information Systems Security Association have embarked on an aggressive Community Outreach Program,” writes Dr. Stahl. “Our objective is nothing less than to raise information security awareness.” (The association has local chapters in multiple cities, www.issa.org.)

This portal’s Tech Category contains many Biz Coach articles on cybersecurity with solutions from Dr. Stahl.

Infographic on the importance of network security

From the Coach’s Corner, editor’s picks for related information:

Why Innovation Isn’t Working at 82% of Surveyed Companies — When you make a major investment in innovation, you want a good return on your investment, right? Well, hundreds of senior executives admit to disappointment over their innovation efforts despite making increased investments, according to an Accenture report.

How CIOs Can Get More Respect in the C-Suite — Yes, it’s disappointing to know that senior executives are still in the dark. But IT pros can solve this problem, if they learn how to get recognition for their potential to help their companies.

Thought Leadership — Why Companies Hire Management Consultants — Companies want knowledge. A good idea can be worth $1 million and more. That’s why companies hire thought leaders. It’s also why you see many consultants position themselves as thought leaders and give away free information in how-to articles or studies, which lead to books, seminars and being quoted in the media.

Antivirus Company Names Most-Perilous Internet Cities


In cyber-crime, Seattle has earned a distinction it’d rather not have – the No.1 riskiest online city in 2010. That’s according to Norton from Symantec.

The antivirus company teamed up with research firm Sperling’s BestPlaces to determine the locales they deem the most susceptible to Internet crime. But tech-savvy Seattle atop the list of the most-perilous cities?

Maybe the list is accurate and maybe it isn’t. A leading cyber-security expert, Stan Stahl, Ph.D., questions the data.

“While some of the factors used in assessing ‘risk’ would seem to be appropriate, my bottom line was expressed best by G.K. Chesterton: ‘It’s not that they don’t know the answer. It’s that they don’t even know the question’,” says Dr. Stahl, a noted Internet security expert in Los Angeles (www.citadel-information.com).

A Norton press release states its list of cities was developed as a result of the cyber-attack data compiled by Norton and other factors. The top five: Seattle, Boston, Washington, D.C., San Francisco, and Raleigh.

The Norton data criteria include these six categories:

1. The cyber-crimes data from Symantec Security Response:

  • Number of malicious attacks
  • Number of potential malware infections
  • Number of spam zombies
  • Number of bot infected computers
  • Level of Internet access

2. Expenditures on computer hardware and software

3. Wireless hotspots

4. Broadband connectivity

5. Internet usage

6. Online purchases

Missing from this list, Dr. Stahl says, are things that would serve to mitigate risk, such as:

  • Number of information systems security professionals in the city
  • Average number of information security professionals per 1,000 computers and per company
  • Percentage of computers that connect to hotspots using a VPN (virtual private network)
  • Percentage of companies ISO 27001 certified (ISO refers to the International Organization for Standardization)
  • Numbers of CISSPs (certified information systems security professionals), CISMs (Certified Information Security Managers), etc.
  • Percentage of businesses/homes with professionally managed firewalls

“By itself, expenditures may mean little or nothing since one large supercomputer can cost the same as zillions of P and actually lower risk,” explains Dr. Stahl. “There’s also the question of what ‘risk’ means when applied to a city, as opposed to an individual or an organization.”

So, it’s a question of what he calls “meaningful mathematics” – everything is relative.

“My risk goes up or down as the total number of bot infected or spam zombie computers goes up or down; it doesn’t really matter if they happen to be in my own town or somewhere else [more or less true, but not quite since a bot net or spam zombie in Africa poses less of a risk than a bot net in America],” he adds. “In this situation, my risk is my risk; it doesn’t meaningfully transfer to my city.”

Norton’s list of the alleged most-vulnerable cities:

1. Seattle

2. Boston

3. Washington, D.C

4. San Francisco

5. Raleigh

6. Atlanta

7. Minneapolis

8. Denver

9. Austin

10. Portland

11. Honolulu

12. Charlotte

13. Las Vegas

14. San Diego

15. Colorado Springs

16. Sacramento

17. Pittsburgh

18. Oakland

19. Nashville-Davidson

20. San Jose

21. Columbus

22. Dallas

23. Kansas City

24. New York

25. Indianapolis

26. Albuquerque

27. Miami

28. Omaha

29. Virginia Beach

30. Los Angeles

31. Cincinnati

32. Houston

33. St. Louis

34. Phoenix

35. Chicago

36. Baltimore

37. Oklahoma City

38. Philadelphia

39. Jacksonville

40. Tulsa

41. San Antonio

42. Milwaukee

43. Cleveland

44. Tucson

45. Long Beach

46. Fort Worth

47. Fresno

48. Memphis

49. El Paso

50. Detroit

Again, based on the expertise of Dr. Stahl, if you live in one of the listed cities, you don’t necessarily have to worry. My thanks to him – he’s been very gracious with his analysis for many years.

From the Coach’s Corner, here are recent Biz Coach articles featuring his expert opinions:

His security blog: http://citadelonsecurity.blogspot.com/

How to Protect Your Bank Account from the Internet Crime Wave



Over the last several years, at least 19 major banks have been hit by cyber attacks, according to a rash of published reports. For instance, a lot of nerves were rattled by a typical 2012 headline in Businessweek: “Cyber Attacks on US Banks Expose Computer Vulnerability.”

But this wasn’t a new security scare. For Citibank customers and millions of other consumers who enjoy the convenience of online banking, a headline was alarming. The Wall Street Journal headline: “FBI Probes Hack at Citibank – Russian Cyber Gang Suspected of Stealing Tens of Millions; Bank Denies Breach.”

The article on December 22, 2009 was the last we’ve seen about the Citibank situation. The reported multimillion dollar loss – a public relations nightmare for Citibank – was hushed up.

Many online security experts say online fraud is skyrocketing, and there are FBI warnings about such fraud and related scams.

Such cybersecurity experts also cite another alarming trend – increasing sophistication in the methods used by cybercriminals.

About three weeks after the Citibank report, online-banking warnings were issued by the American Bankers Association and FBI (“Cybercrooks stalk small businesses that bank online”).

The warnings followed a wave of cybercrime afflicting small businesses, public-sector agencies, churches, schools, and other non-profits.

Cybercrime methods

Many crooks have been using what are called “banking Trojans.” Here was a typical case: “New Trojan Intercepts Online Banking Information – PC World.” It’s true insurance companies offer insurance to reimburse business victims of cybercrime. But cybercrime is expensive.

A client once hired top security expert Stan Stahl, Ph.D., to investigate a $1 million loss from an online banking theft, and I reported the details in this column, “5 Safety Measures to Thwart Mounting Social-Network Attacks.” He says it resulted in an expensive legal struggle.

He is also assertive in explaining his perspective on the Internet-security issue, Google vs. China.

“There is little in the Google story that the information security community didn’t already know except for the specific vulnerabilities that were exploited,” he said. “What is new – and important – is that now the world knows. For our business, it’s just one more example we can point to of how unsafe the internet is. Plus, because it’s Google, the cybercrime has been deconstructed more thoroughly than usual. Kudos to Google.”

Mobile-banking dangers

Despite what banks claim, mobile banking is dangerous. (See this Biz Coach article: Our Mobile-Banking Warnings about Security Prove Prophetic)

Here’s the reason for the article: Identity fraud has escalated in smartphones and social media.

Personal online security tips

Here are some of his tips to enhance your personal online security:

  • Review all privacy and policy information.
  • Use unique and hard to guess login information.
  • Protect your computer.
  • Check your account balance regularly.
  • Pay using credit cards.
  • Do not access your account from public locations.
  • Verify email correspondence from your bank.
  • If your account is compromised, take swift action.

Online management controls

For your company’s management controls:

  • Don’t allow your employees to use your computers for social networking.
  • Establish a list of allowable websites.
  • Closely monitor your bank account.
  • Train employees in social engineering awareness.
  • Change the mindset of your managers and employees – if something seems odd, say no and call for Internet security.
  • Strengthen your defenses.

Oh, don’t forget the danger in opening and responding to e-mails: phishing is a tactic cyber criminals use to get you to reveal sensitive information.

(Note: I know Dr. Stahl well as a trusted expert, and I’ve interviewed him on multiple occasions. He and I are members of a roundtable of veteran consultants, Consultants West, www.consultantswest.com.)

From the Coach’s Corner, if you’re a cyber victim, contact a noted security expert and then inform authorities (How to Report E-Scams and Hoaxes to the FBI).

“Phishing is a major problem because there really is no patch for human stupidity.”

-Mike Danseglio

Image courtesy of stockimages www.freedigitalphotos.net