breach - Blog - Global Risk Community
2024-03-29T08:29:34Z
https://globalriskcommunity.com/profiles/blogs/feed/tag/breach

DoorDash Admits 4.9 Million Affected by Data Breach
https://globalriskcommunity.com/profiles/blogs/doordash-admits-4-9-million-affected-by-data-breach
2019-11-07T18:01:18.000Z
Robert Siciliano
https://globalriskcommunity.com/members/RobertSiciliano
<div><p>DoorDash has admitted that it has been the victim of a data breach, which has affected about 4.9 million people and merchants.</p><p><img src="https://activerain.com/image_store/uploads/agents/robertsiciliano/files/061.jpg" alt="" width="300" height="200" align="right" /></p><p>In a recent blog post, DoorDash announced that early in September it noticed some odd activity from a third-party service. After looking into it, the company found that an unauthorized third party had accessed DoorDash user data on May 4, 2019. DoorDash immediately took steps to stop any further access and to improve security.</p><p>Those affected by this breach joined DoorDash on or before April 5, 2018. Those who joined after that date were not part of this breach. The company said it will contact the customers who were affected.</p><p>This breach involved data including email addresses, names, order history, delivery addresses, phone numbers, and encrypted passwords. In some cases, bank account numbers and the last four digits of payment cards were also released. Additionally, the driver’s license numbers of approximately 100,000 delivery people were accessed. Bank account information and full payment card numbers were not compromised.</p><p>This data is called PII, or Personal Identifying Information, and it could be used to open new accounts, take over existing ones, or “socially engineer” you. Going forward, as with all data breaches, be on the lookout for scammy emails and phone calls. Be suspicious every time the phone rings, and unless you are 100% sure, don’t click links in emails, even if you recognize the sender.</p><p>DoorDash also said that it has added additional layers of security to protect the data of its customers, and that it has improved the protocols used to access this data. The company has also told customers that it is a smart idea to change their passwords, even if they were not affected.</p><p>ROBERT SICILIANO CSP is a #1 Best Selling Amazon author, CEO of <a style="color:#f30e0e;" href="https://creditparent.com/" target="_blank">CreditParent.com</a>, and the architect of the <a style="color:#f30e0e;" href="https://protectnowllc.com/" target="_blank">CSI Protection</a> certification, a Cyber Social and Identity Protection <a style="color:#f30e0e;" href="https://safr.me/actnow/" target="_blank">security awareness training</a> program.</p></div>

Root Causes of Data Breaches
https://globalriskcommunity.com/profiles/blogs/root-causes-of-data-breaches
2019-09-04T09:35:53.000Z
Madeline Dickson
https://globalriskcommunity.com/members/MadelineDickson
<div><p>As big organizations store large amounts of data on various online platforms, news headlines about <a href="https://www.bleepingcomputer.com/news/security/12-449-data-breaches-confirmed-in-2018-a-424-percent-increase-over-the-previous-year/" target="_blank">data breaches</a> are increasing with each passing day. This puts partners and customers at major risk.
Hence, all companies need to make efforts to stay safe from the risks and threats associated with data breaches.</p><p>Below we have listed a few of the most common causes of data breaches so that you can take appropriate action to prevent them:</p><p><strong><em>Weak Passwords</em></strong></p><p>Some of you may consider hacking attacks the most common cause of data breaches, but in reality, most of the time a breach happens because of weak or stolen credentials. Stats reveal that 4 out of 5 data breaches are caused by lost passwords. That is why experts always advise using strong passwords and never sharing them with anyone. Some <a href="https://globalriskcommunity.com/profiles/blogs/use-a-password-manager-or-you-will-get-hacked">experts also advise</a> using a password manager.</p><p><strong><em>Application vulnerabilities</em></strong></p><p>There is no need to create a new entrance to a system when holes are already available. Hackers are always searching for poorly written application software that gives them enough room to crawl inside. If you are using a few such apps on your handset, your personal data is also at risk. Make sure you keep all of your hardware and software up to date.</p><p><strong><em>Malware attacks</em></strong></p><p>Hackers can use both direct and indirect malware attacks to harm user data. This <a href="https://keonesoftware.com/guides/masok-file/" target="_blank">malicious code</a> creates a path for hackers into the target system and may further provide access to connected systems. Experts advise not opening suspicious email attachments and not clicking on links directly, as they may contain something harmful that compromises your personal information.</p><p><strong><em>Too many permissions</em></strong></p><p>Overly complex data access permissions are a gift to hackers. Many big organizations make the mistake of allowing unwanted access to their stored data, and it happens when they set the wrong permissions. The idea is to keep permissions simple yet secure.</p><p><strong><em>Insider threats</em></strong></p><p>A data breach is not always caused by external or skilled hackers. If you share your personal details and important credentials with friends, they may also pose a threat at some point. When people know your usernames and passwords, they can alter, steal or copy essential information without your permission.</p><p><strong><em>Social engineering</em></strong></p><p>When a system depends heavily on human interaction, it is common to see people breaking normal security guidelines. Some of them may try to gain unauthorized access to the system from different physical or network locations. Such attacks may be carried out for financial gain. It is important to use strong protocols to control all interactions with the system so that your content stays safe and protected in the long run.</p><p>The idea is to follow solid security measures to stay safe from data breaches. Secure systems may save you from major data losses and from compromising your business reputation in a competitive market.</p></div>

The "Mother of All Data Breaches?" It Could Be Here…
https://globalriskcommunity.com/profiles/blogs/the-mother-of-all-data-breaches-it-could-be-here
2019-05-16T14:12:22.000Z
Robert Siciliano
https://globalriskcommunity.com/members/RobertSiciliano
<div><p>You have probably heard of one data breach after another these days, but this is one that you should really pay attention to: more than 772 million unique email addresses, along with more than 21 million unique passwords, have been exposed.</p><p><img src="https://activerain.com/image_store/uploads/agents/robertsiciliano/files/internet.jpg" alt="" width="325" height="198" align="right" /></p><p>Troy Hunt, who runs the website “Have I Been Pwned,” first reported this breach. He says that a huge file (87 GB) was uploaded to MEGA, a cloud service. This data was then sent to a popular hacking site, and now hackers have access to all of these passwords and email addresses.</p><p>This data breach, known as “Collection #1,” is very serious. However, it could be just the tip of the iceberg. There are claims that several more “collections” are out there, adding up to as much as one full terabyte of data. If this is found to be true, it could be the newest “mother of all data breaches.”</p><p>So, what does all of this mean for you? It not only means that your information could be part of this breach; it also means that these email and password combinations could be used in a practice known as “credential stuffing.” What is this? It’s when a hacker uses known email and password combinations to break into accounts. Basically, this could affect anyone who has used the same email/password combination on more than one site.</p><p>This, of course, is concerning because this particular breach contains about 2.7 billion email/password combinations. On top of that, around 140 million of the email addresses and 10 million of the passwords were brand new to the hacking database, which gives hackers even more ammunition to wreak havoc.
The big lesson to be learned here is that you should always follow good security practices when you create accounts online. You should never reuse a password from one account on another, and you should definitely use two-factor authentication if it is available. If you don’t have a password manager, you might want to set one up, too.</p><p><a style="color:#f30e0e;" href="https://safr.me/meet-robert/" target="_blank">Robert Siciliano</a>, personal security and <a style="color:#f30e0e;" href="https://safr.me/blog/2018/03/16/identity-theft-advice/" target="_blank">identity theft expert</a> and speaker, is the author of <a style="color:#f30e0e;" href="https://www.amazon.com/Identity-Theft-Privacy-Protection-Prevention-ebook/dp/B07FT67BMC/ref=sr_1_3?s=digital-text&ie=UTF8&qid=1535732363&sr=1-3&keywords=Robert+Siciliano&dpID=51hWnD29JtL&preST=_SY445_QL70_&dpSrc=srch" target="_blank">Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud</a>. See him knock’em dead in this <a style="color:#f30e0e;" href="https://youtu.be/2m3Ra6ROPeA" target="_blank">Security Awareness Training</a> video.</p></div>

Should You Worry About Contactless Credit Card NFC Skimming
https://globalriskcommunity.com/profiles/blogs/should-you-worry-about-contactless-credit-card-nfc-skimming
2019-01-09T15:42:57.000Z
Robert Siciliano
https://globalriskcommunity.com/members/RobertSiciliano
<div><p>If you have a contactless card, you might worry about skimming. A contactless card, also called a “frictionless” or “tap and go” card, has technology in it that allows payment over secure wireless, like Apple Pay, Android Pay, etc. Skimming, basically, is where a criminal digitally pickpockets you by scanning things like your debit card or passport. What’s scary about this is that anyone can get an app for their phone that will allow them to skim. Is there protection against this? Maybe.</p><p><img src="https://activerain.com/image_store/uploads/agents/robertsiciliano/files/credit-card-hackers.png" alt="" width="300" height="200" align="right" /></p><p>But before you freak out, you probably don’t even have a contactless card. Very few cards deployed in the USA are contactless, so that sleeve you use doesn’t protect you from anything. If you are overseas, or even in Canada, look at your card: if there is a WiFi-looking logo on it, you have a contactless card.</p><p>The way the bad guys skim this information is by using RFID, or radio-frequency identification. There are RFID signal jammers out there, but the question is this: do they work, and are they necessary?</p><p><strong>RFID Signal Blockers</strong></p><p>If you put some time into it, you will find a number of RFID signal blockers on the market. Some are small and slip right into your wallet. Others are passport sized. There are also RFID signal blocker wallets on the market.</p><p><strong>The Test</strong></p><p>A blogger recently put these RFID signal blockers to the test…on the London Underground, one of the most crowded places in the world, especially during rush hour. He set up the test by asking one person to place a debit card in their pocket, while another person used a mobile phone with an RFID signal scanner. The result was that the phone could read and record the debit card number and its expiration date simply by being held very close to the pocket.</p><p>The blogger took the test a step further and tried to block these signals with RFID blocking technology. Even though the experiment was very unscientific, the blogger found that the blocker stopped the skimming.</p><p><strong>Protecting Yourself</strong></p><p>There are some things you can do to protect yourself from this. First, check your passport. It should have a chip in it; this chip is in all US passports issued since 2007.
Now, someone can still take information from your passport using RFID skimming, but they have to actually be on the page where the photo is, and it’s pretty rare that they would have access to that.</p><p>You can also use a shielding device. They can certainly work, and some people have even had great results with tinfoil. This will further help to protect your accounts.</p><p>Finally, even if you are using an RFID shielding device, make sure you check your statements for anything suspicious. This is especially true if you often find yourself in crowded places, like the subway.</p><p><a style="color:#f30e0e;" href="https://safr.me/meet-robert/" target="_blank">Robert Siciliano</a>, personal security and <a style="color:#f30e0e;" href="https://safr.me/blog/2018/03/16/identity-theft-advice/" target="_blank">identity theft expert</a> and speaker, is the author of <a style="color:#f30e0e;" href="https://www.amazon.com/Identity-Theft-Privacy-Protection-Prevention-ebook/dp/B07FT67BMC/ref=sr_1_3?s=digital-text&ie=UTF8&qid=1535732363&sr=1-3&keywords=Robert+Siciliano&dpID=51hWnD29JtL&preST=_SY445_QL70_&dpSrc=srch" target="_blank">Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud</a>. See him knock’em dead in this <a style="color:#f30e0e;" href="https://youtu.be/2m3Ra6ROPeA" target="_blank">Security Awareness Training</a> video.</p></div>

2017 Was the Worst Year for Data Breaches EVER!
https://globalriskcommunity.com/profiles/blogs/2017-was-the-worst-year-for-data-breaches-ever
2018-09-07T14:06:51.000Z
Robert Siciliano
https://globalriskcommunity.com/members/RobertSiciliano
<div><p>It seems 2017 broke records for all the wrong reasons…one of them being the worst year for data breaches in history.</p><p><img src="https://activerain.com/image_store/uploads/agents/robertsiciliano/files/Capture.png" alt="" width="300" height="225" align="right" /></p><p><a style="color:#f30e0e;" href="https://www.darkreading.com/attacks-breaches/2017-smashed-worlds-records-for-most-data-breaches-exposed-information/d/d-id/1330987">According to reports</a>, hacking was the most common way this data was collected, but almost 70% of exposures occurred because of accidental leaks or human error. This came down to more than 5 billion records. There were several well-known public leaks, too, including the Amazon Web Services misconfiguration. More than half of the businesses using this service were affected, including companies like Verizon, Accenture, and Booz Allen Hamilton. The scariest part, however, is that both the number of breaches and the number of exposed records were more than 24% higher than in 2016.</p><p><strong>Big Breaches of Big Data</strong></p><p>Another interesting thing to note is that eight of the big breaches that occurred in 2017 are in the Top 20 list of the largest breaches of all time. The top five breaches of 2017 exposed almost 6 billion records.</p><p>Part of the reason for the big numbers is that huge amounts of data were exposed from huge companies, like Equifax. There was also a huge breach at Sabre, a travel systems provider, and the full extent of that breach isn’t even known at this point.
All we do know is that it was big.</p><p>Looking at all of the known 2017 data breaches, almost 40% involved businesses. About 8% involved medical companies, 7.2% involved government entities, and just over 5% were educational entities. In the US, there were more than 2,300 breaches. The UK had only 184, while Canada had only 116. However, until now, companies in Europe were not forced to report breaches, so these numbers could change now that reporting is mandatory.</p><p>What were the biggest breaches of all time? Here they are, in order:</p><ul><li>Yahoo (US company) – 3 billion records</li><li>DU Caller Group (Chinese company) – 2 billion records</li><li>River City Media (US company) – 1.3 billion records</li><li>NetEase (Chinese company) – 1.2 billion records</li><li>Undisclosed Dutch company – 711 million records</li></ul><p>Though none of this is great news, there is a silver lining: none of the 2017 breaches was more severe than any earlier breach in history, and overall, the number of breaches dropped in the fourth quarter.</p><p>Because so many breaches occur due to human error, it’s very important that businesses of all sizes enact security awareness training, including helping staff understand what makes a business a target and what type of information hackers want.</p><p><a style="color:#f30e0e;" href="https://safr.me/meet-robert/" target="_blank">Robert Siciliano</a>, personal security and <a style="color:#f30e0e;" href="https://safr.me/blog/2018/03/16/identity-theft-advice/" target="_blank">identity theft expert</a> and speaker, is the author of <a style="color:#f30e0e;" href="https://www.amazon.com/Identity-Theft-Privacy-Protection-Prevention-ebook/dp/B07FT67BMC/ref=sr_1_3?s=digital-text&ie=UTF8&qid=1535732363&sr=1-3&keywords=Robert+Siciliano&dpID=51hWnD29JtL&preST=_SY445_QL70_&dpSrc=srch" target="_blank">Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud</a>. See him knock’em dead in this <a style="color:#f30e0e;" href="https://youtu.be/2m3Ra6ROPeA" target="_blank">Security Awareness Training</a> video.</p></div>

When Your Vendor Says 'Your Data Was Breached - Six Months Ago.'
https://globalriskcommunity.com/profiles/blogs/when-your-vendor-says-your-data-was-breached-six-months-ago
2018-05-07T16:43:45.000Z
Michael Jones
https://globalriskcommunity.com/members/MichaelJones
<div><p><a href="https://ncontracts.com/wp-content/uploads/2018/05/Vendor-Data-Breached-1024x512.jpg" target="_blank"><img src="https://ncontracts.com/wp-content/uploads/2018/05/Vendor-Data-Breached-1024x512.jpg" class="align-full" alt="Vendor-Data-Breached-1024x512.jpg" /></a></p><p>What’s worse than a vendor that suffers a data breach that exposes your sensitive customer information? The answer: a vendor that waits almost six months to tell you about it.</p><p>That’s the issue that both Sears and Delta Air Lines are facing after a malware attack on each company’s online chat services vendor. Hundreds of thousands of customers’ payment details were accessed, including payment card account numbers, expiration dates, names, and addresses, reports <a href="https://gizmodo.com/malware-attack-on-vendor-to-blame-for-delta-and-sears-d-1825015769">Gizmodo</a>. Sears and Delta weren’t made aware of the breach, which happened in September 2017 and took two weeks to contain, until mid-March of this year.</p><p>That’s not just inconsiderate. It can also create legal issues. Several states, including Massachusetts and California, have strict timelines for notifying consumers when data is accessed by unauthorized parties. This is especially true for sensitive data like account and Social Security numbers. An institution needs to know about a breach as soon as possible so it can follow its notification protocol.
Just because an institution doesn’t have bricks and mortar in another state doesn’t mean it’s exempt from those rules. It needs to follow the notification laws of the state where the customer resides.</p><p>As hackers and cybercriminals become more inventive (see the <a href="https://www.consumeraffairs.com/news/the-weekly-hack-banks-hospitals-casinos-and-handyman-apps-make-ripe-targets-042018.html">casino</a> that was hacked through its Internet-connected “smart” thermometer), data breaches are becoming increasingly common. Third-party vendors remain a viable entry point for those looking to steal sensitive information. This is why having a plan for dealing with vendor data breaches before they happen is essential. Another essential part of an effective strategy is to structure agreements with vendors to ensure that you’re notified in a timely fashion.</p><p>Regulators don’t distinguish between your actions and the actions of your vendors. Vendor breaches create a unique set of issues that require attention. Make sure your vendor is required to notify you promptly of any breach so that you can take action.</p></div>

Protecting Yourself from a Data Breach Requires Two Step Authentication
https://globalriskcommunity.com/profiles/blogs/protecting-yourself-from-a-data-breach-requires-two-step
2018-03-08T16:05:37.000Z
Robert Siciliano
https://globalriskcommunity.com/members/RobertSiciliano
<div><p>Have you ever thought about how a data breach could affect you personally? What about your business? Either way, it can be devastating. Fortunately, there are ways you can protect your personal or business data, and it’s easier than you think. Don’t assume that protecting yourself is impossible just because big corporations get hit with data breaches all the time. There are things you can do to get protected.</p><p><img src="http://activerain.com/image_store/uploads/agents/robertsiciliano/files/laptop-mobile.jpg" alt="" width="300" height="300" align="right" /></p><ul><li>All of your important accounts should use two-factor authentication. This helps to reduce the impact of an exposed password: if your password is all the bad guys need to access your account, then once they get hold of it, they are already in.</li><li>With two-factor authentication, you must first enter your password, but you also have to complete a second step. The website sends the account owner a unique code, also known as a “one-time password,” to their phone. The only way to access the account, even with the correct password, is to enter that code, and the code changes each time. So, unless a hacker has your password AND your mobile phone, they can’t get into your account.</li></ul><p>All of the major websites that we most commonly use have some type of two-factor authentication. They are spelled out below:</p><p><strong>Facebook</strong></p><p>Facebook’s two-factor authentication is called “<a href="https://www.facebook.com/notes/facebook-engineering/introducing-login-approvals/10150172618258920">Login Approvals</a>.” You can find it from the blue menu bar at the top right of your screen. Click the arrow you see there, which opens a menu. Choose the Settings option and look for a gold-colored badge. You then see “Security,” which you should click. To the right of that, you should see Login Approvals and, near it, a box that says “Require a security code.” Check that box and then follow the instructions. The Facebook Code Generator may require you to use the mobile application on your phone to get your code. Alternatively, Facebook sends a text.</p><p><strong>Google</strong></p><p>Google also has two-factor authentication.
To set it up, go to <a href="http://www.google.com/landing/2step/">Google.com/2step</a>, and then look for the blue “Get started” button in the upper right of the screen. Click it, and then follow the directions. You can also opt to receive your code by text or phone call. This also sets you up for other Google services, including YouTube.</p><p><strong>Twitter</strong></p><p>Twitter also has a form of two-factor authentication, called “<a href="https://blog.twitter.com/official/en_us/a/2013/getting-started-with-login-verification.html">Login Verification</a>.” To use it, log in to Twitter and click on the gear icon at the top right of the screen. You should see “Security and Privacy.” Click that, and then look for “Login Verification” under the Security heading. You can then choose how to get your code and follow the prompts.</p><p><strong>PayPal</strong></p><p>PayPal has a feature known as “<a href="https://www.paypal.com/webapps/mpp/security/security-protections">Security Key</a>.” To use it, look for the Security and Protection section in the upper right corner of the screen. You should see PayPal Security Key at the bottom left. Click the option to “Go to register your mobile phone.” On the following page, you can add your phone number. Then, you get a text from PayPal with your code.</p><p><strong>Yahoo</strong></p><p>Yahoo uses “<a href="https://help.yahoo.com/kb/activate-two-step-verification-sln5013.html">Two-step Verification</a>.” To use it, hover over your Yahoo avatar, which brings up a menu. Click on Account Settings and then on Account Info. Then, scroll until you see Sign-In and Security. There, you will see a link labeled “Set up your second sign-in verification.” Click that and enter your phone number. You should get a code via text.</p><p><strong>Microsoft</strong></p><p>Microsoft’s system is called “<a href="http://windows.microsoft.com/en-us/windows/two-step-verification-faq">Two-step Verification</a>.” To use it, go to login.live.com. Look for the link on the left that goes to Security Info and click it. On the right side, click Set Up Two-Step Verification, and then follow the prompts.</p><p><strong>Apple</strong></p><p>Apple also has something called “<a href="https://support.apple.com/en-us/HT204152">Two-Step Verification</a>.” To use it, go to appleid.apple.com. On the right is a blue box labeled Manage Your Apple ID. Click that, and then use your Apple ID to log in. You should then see a link for Passwords and Security. You have to answer two questions to access the Security Settings area of the site. There, you should see another link labeled “Get Started.” Click that, and then enter your phone number. Wait for your code on your mobile phone, and then enter it.</p><p><strong>LinkedIn</strong></p><p>LinkedIn also has “<a href="http://blog.linkedin.com/2013/05/31/protecting-your-linkedin-account-with-two-step-verification/">Two-Step Verification</a>.” On the LinkedIn site, hover your mouse over your avatar and a drop-down menu should appear. Click on Privacy and Settings, and then click on Account. You should then see Security Settings, which you should also click. Finally, you should see the option to turn on Two-Step Verification for Sign-In. Turn that on to get your code.</p><p>These are only a few of the major sites that have two-step verification. Many others do, too, so always check whether your accounts have this option. If they don’t, see if there is another option you can use in addition to your password to log in, such as an email or a telephone call.
This will help to keep you safe.</p><p><strong>Amazon</strong></p><p>Amazon’s <a href="https://www.amazon.com/gp/help/customer/display.html?nodeId=201962420">Two-Step Verification</a> adds an additional layer of security to your account. Instead of simply entering your password, Two-Step Verification requires you to enter a unique security code in addition to your password when you sign in.</p><p>Without two-step authentication on your most critical accounts, all a criminal needs is your username, which is often your email address, plus access to the data breach files containing billions of passwords that are posted all over the web. Once they search those files for the password associated with your username or email, they are in.</p><p>Two-factor locks them out.</p><p><a href="http://robertsiciliano.com/" target="_blank">Robert Siciliano</a>, personal security and identity theft expert and speaker, is the author of <a href="http://www.amazon.com/Things-Wish-Before-Identity-Stolen/dp/1941308996/ref=as_sl_pc_qf_sp_asin_til?tag=httprobertc02-20&linkCode=w00&linkId=JAZ7MOSJYUIXZMJ3&creativeASIN=1941308996" target="_blank"><em>99 Things You Wish You Knew Before Your Identity Was Stolen</em></a>. See him knock’em dead in this <a href="https://www.youtube.com/watch?v=2m3Ra6ROPeA&index=1&list=PL68455D9C6D4E9101&t=237s" target="_blank">identity theft prevention</a> video.</p></div>

Equifax Exposed: Major Breach of Data from Major Credit Bureau
https://globalriskcommunity.com/profiles/blogs/equifax-exposed-major-breach-of-data-from-major-credit-bureau
2017-09-08T19:30:00.000Z
Robert Siciliano
https://globalriskcommunity.com/members/RobertSiciliano
<div><p>If you haven’t yet heard, Equifax, one of the three major credit bureaus in the United States, has been hacked. What does this mean for you? It means that your Social Security number, and possibly even your driver’s license information, could be in the hands of <a href="https://mediaexplorers.lpages.co/cyber-exposure-awareness-toolkit/">hackers</a>. Some are already calling this the worst data breach in history.</p><p><strong>How Did This Happen?</strong></p><p>On September 7<sup>th</sup>, Equifax announced that a security breach had occurred that could impact as many as 143 million people. Though this isn’t the largest breach to occur, it could be the most devastating. The data that was accessed included Social Security numbers, addresses, birth dates, and driver’s license numbers. All of these can be used for identity theft.</p><p>Equifax also announced that the credit card numbers of more than 200,000 people were accessed, as were documents containing personal identifying information for more than 180,000 people. With this information, the hackers can commit credit card fraud. This isn’t as bad as identity theft, as credit card fraud is usually simple to fix, but these thieves could still open new credit card accounts in your name using your Social.</p><p>According to Equifax, the company discovered the data breach on July 29. Apparently, the hackers accessed the files from around mid-May all the way through July.</p><p>Richard F. Smith, the chairman and CEO of Equifax, admits that this is a “disappointing event” and that it “strikes at the heart” of the company’s goals. He also apologized to the customers who work with Equifax and to consumers. Boo hoo. I cry for you.</p><p><strong>Why Did It Take So Long to Announce This?</strong></p><p>You might be wondering why it took so long to announce that there was a data breach at Equifax. After all, the company discovered it on July 29 and didn’t announce it until September 7. Their Director of Social Media has an answer. She said that as soon as the company discovered the breach, they stopped the intrusion.
The company also hired a cybersecurity firm, which did a full investigation. This investigation was time consuming, and they wanted to have all of the information available before informing the public. Makes sense.</p><p><strong>But Wait…There’s More</strong></p><p>To add to this story, Bloomberg News announced that three executives from Equifax sold shares worth about $1.8 million. What’s shocking is that they did this AFTER the company discovered the breach. This will come back to bite them.</p><p>You can check to see if you are affected by the breach by using an <a style="color:#bb0000;" href="https://www.equifaxsecurity2017.com/potential-impact/">online tool</a> that Equifax has set up. FYI, I checked out my info, I’m a victim.</p><p><img class="img-center" src="http://activerain.com/image_store/uploads/agents/robertsiciliano/files/Equifax.png" alt="" width="513" height="342" /></p><p>You should go there, enter your last name and the last six digits of your Social Security number, and the system will tell you if your information has been compromised. If it has, Equifax is offering a complimentary enrollment into the TrustedID program. However, there is language in the terms of service that may restrict your ability to have your day in court if you were to join a class action and the NY Attorney General is pissed. According to <a style="color:#bb0000;" href="https://www.usatoday.com/story/money/2017/09/08/massive-equifax-cyberattack-triggers-class-action-lawsuit/645632001/">USA Today</a>, a class action lawsuit has already been filed against Equifax. This class action suit seeks to secure all records associated with the breach and fair compensation for those who were affected.</p><p>Read the <a style="color:#bb0000;" href="https://www.nytimes.com/2017/09/08/business/equifax.html?mcubz=0">NYT</a>.</p><p>You don’t have to have done any type of business with Equifax to be affected by this. 
If you have ever applied for a mortgage, loan, or credit card, the company likely has your information. The TrustedID program is going to be free for an entire year for anyone affected. It gives consumers the ability to lock and unlock their credit reports. They also get internet scans for their Social Security numbers and identity-theft insurance. You can also call Equifax at 866-447-7559.</p><p><a style="color:#bb0000;" href="http://robertsiciliano.com/">Robert Siciliano</a>, personal security and identity theft expert and speaker, is the author of <a style="color:#bb0000;" href="http://www.amazon.com/Things-Wish-Before-Identity-Stolen/dp/1941308996/ref=as_sl_pc_qf_sp_asin_til?tag=httprobertc02-20&linkCode=w00&linkId=JAZ7MOSJYUIXZMJ3&creativeASIN=1941308996"><em>99 Things You Wish You Knew Before Your Identity Was Stolen</em></a>. See him knock ’em dead in this <a style="color:#bb0000;" href="http://www.youtube.com/watch?v=p_ikx0_erfU">identity theft prevention</a> video.</p></div>Kmart Cyber Breach: Another Failure in Risk Managementhttps://globalriskcommunity.com/profiles/blogs/kmart-cyber-breach-another-failure-in-risk-management2017-07-26T17:16:06.000Z2017-07-26T17:16:06.000ZSteven Minskyhttps://globalriskcommunity.com/members/StevenMinsky<div><p>Kmart recently suffered another cyber breach (the second in the past few years) that echoes events affecting companies including <span style="text-decoration:underline;"><strong><a href="http://www.logicmanager.com/erm-software/2016/07/28/wendys-data-breach/">Wendy’s</a></strong></span> and <span style="text-decoration:underline;"><strong><a href="http://www.logicmanager.com/erm-software/2013/12/23/erm-report-targets-breach-an-needless-mishap/">Target</a>.</strong></span> In this case, a wholly preventable weakness in the company’s POS system let through a malware attack, affecting an undetermined number of Kmart’s 735 domestic sites. 
Failure to recognize and mitigate the root cause of a security breach is inadequate risk management; it leaves the company vulnerable to future failures.<a href="{{#staticFileLink}}8028257698,original{{/staticFileLink}}"><img width="300" src="{{#staticFileLink}}8028257698,original{{/staticFileLink}}" class="align-right" alt="8028257698?profile=original" /></a></p><p>In response to the breach, <span style="text-decoration:underline;"><strong><a href="https://krebsonsecurity.com/2017/05/credit-card-breach-at-kmart-stores-again/">Sears Holdings (Kmart’s parent company) reported</a>,</strong></span> “We immediately launched a thorough investigation and engaged leading third party forensic experts to review our systems and secure the affected part of our network.”</p><p>This response is just another proof point that <span style="text-decoration:underline;"><strong><a href="http://www.logicmanager.com/erm-software/2017/04/17/reputation-incident-prevention/">incident prevention is more important than incident recovery</a></strong></span> for preserving your company’s reputation. In Kmart’s case, this is particularly significant, since any setbacks only compound recent struggles in performance. Kmart’s sales have dropped 72% and its stock price 88% since the first breach.</p><p>Within the same statement, Sears specified that “payment data systems were infected with a form of malicious code that was undetectable by current anti-virus systems and application controls.” Anti-virus systems, while important, are only one of many lines of defense that will help you <span style="text-decoration:underline;"><strong><a href="http://www.logicmanager.com/erm-software/2017/02/14/eliminate-cybersecurity-vulnerabilities/">avoid being hit with a cyber breach</a>.</strong></span></p><p>Although accountability can be publicly directed onto external sources through marketing, when it comes down to it, breaches such as these occur because of poor governance. 
<span style="text-decoration:underline;"><strong><a href="http://www.kmart.com/en_us/dap/statement05312017.html">Kmart states on their website</a></strong></span> that “It is important to note that the policies of most credit card companies state that customers have no liability for any unauthorized charges if they report them in a timely manner.”</p><p>In reality, if your card is involved in an unauthorized transaction, you may be liable after as little as two business days. Sixty calendar days after receiving the account statement, customers are 100% liable. Even more frightening, there is no protection against fraud liability for debit cards; all the money in your ATM/debit card account is your liability.</p><p>Providing credit monitoring, as Kmart has done, doesn’t solve the root cause or prevent another cyber breach. It also does not make customers feel secure. Prospects and customers are more educated than ever, and the damage to companies that fail to implement proper risk management is increasing; companies that cause harm through negligence experience greatly spiked churn rates.</p><p> </p><h3><strong>Fool Me Once, Shame on You. Fool Me Twice, Shame on Me.</strong></h3><p></p><p>Another point of concern is a tendency to see problems as isolated incidents, not systemic failures that will lead to other, future incidents. Again, this is Kmart’s second breach in three years. The fact that a second breach occurred is evidence that the root cause was not identified and neutralized.</p><p>Further, due to the nature of enterprise risk management negligence, the repeat rate for failures is high. Target and Chipotle – and so many others – have been in the news repeatedly for chronic, preventable failures. These failures in risk management are like whack-a-mole. 
Addressing a risk in one area doesn’t solve the systemic problem, and it’s likely to materialize in a different department within three years.</p><p>It may appear to be a different kind of problem, like vendor fraud or supply chain negligence, but the root cause is the same: poor risk assessment processes, a lack of transparency between departments, and an inability to reveal interdependencies between resources.</p><p>Governance processes (as opposed to expensive technology solutions) should be used to <strong><span style="text-decoration:underline;"><a href="http://www.logicmanager.com/erm-software/2017/05/16/methods-protect-ransomware-attack/">ensure automated governance of your cybersecurity program</a></span></strong>. This includes:</p><ul><li>Identifying and monitoring vulnerabilities in your virus security system</li><li>Regularly approving and deploying patches</li><li>Tracking password policy effectiveness (for all devices, applications, and services) at the user level</li><li>Monitoring the effectiveness of routine updates to infrastructure and firmware</li></ul><p>Each of these steps contributes to the avoidance of cyber breaches. Performing them but failing to confirm they are regularized (and effective) is not enough. An enterprise risk management approach is necessary if you are to make sure activities are performed across silos, out to both frontline users and supply chains.</p><p>Without an integrated approach to cybersecurity, you won’t be able to provide sufficient evidence that your risk management processes evolve alongside your innovations. 
If implemented properly, however, risk management can kill two birds with one stone:</p><ol><li>It will help you detect and avoid surprises like cyber breaches before they occur.</li><li>It will provide assurance to your customer base and thereby reduce churn.</li></ol><p> </p><p><strong>To learn about best practices in risk management that will enable your company to avoid surprises and preserve its reputation, download our free eBook, <span style="text-decoration:underline;"><a href="http://www.logicmanager.com/best-practice-erm-programs-ebook/"><em>5 Characteristics of the Best ERM Programs</em></a>.</span></strong></p></div>Healthcare Breach and $400,000 Penalty Result From Poor Risk Assessmentshttps://globalriskcommunity.com/profiles/blogs/healthcare-breach-and-400-000-penalty-result-from-poor-risk2017-07-11T15:35:44.000Z2017-07-11T15:35:44.000ZSteven Minskyhttps://globalriskcommunity.com/members/StevenMinsky<div><p><a href="{{#staticFileLink}}8028259495,original{{/staticFileLink}}"><img width="300" src="{{#staticFileLink}}8028259495,original{{/staticFileLink}}" class="align-right" alt="8028259495?profile=original" /></a>Breaches are <span style="text-decoration:underline;"><a href="http://www.logicmanager.com/erm-software/2017/04/25/good-governance/">preventable</a></span> failures in risk management. A healthcare breach at Metro Community Provider Network (MCPN), a federally approved organization, led to a $400,000 penalty and a mandated correction plan. The Office for Civil Rights (OCR) levied the penalty; the cause of the breach has been cited as a failure to conduct “a timely and comprehensive risk assessment,” according to <span style="text-decoration:underline;"><a href="http://www.govinfosecurity.com/ocr-signs-400k-hipaa-settlement-colorado-based-health-center-a-9840"><i>Information Security Media Group</i></a></span>. 
</p><p>As we’ve said before, an old proverb – <i>An ounce of prevention is worth a pound of cure</i> – is a fitting rule in risk management. Had MCPN invested in integrated risk management activities, it would have prevented the breach altogether. Instead, it’s financing corrective action (the “cure”) in a response to a <span style="text-decoration:underline;"><a href="http://www.logicmanager.com/erm-software/2016/04/26/cyberattack-prevention-erm/">phishing attack</a></span>, must pay $400,000 for noncompliance, and will likely suffer major damage to its reputation.</p><p></p><h2><strong>What Happened? </strong></h2><p>In January 2012, MCPN filed a healthcare breach report with OCR. A hacker reportedly “accessed employee’s email accounts and obtained 3,200 individuals’ electronic protected health information through a phishing incident.” It wasn’t until April of this year, however, that the OCR revealed it had signed a resolution agreement with MCPN following the healthcare breach. </p><p>This is particularly calamitous for a healthcare organization, which the public trusts to safeguard sensitive information. Poor <span style="text-decoration:underline;"><a href="http://www.logicmanager.com/erm-software/2017/04/25/good-governance/">governance</a></span> affects all of us and is never excusable. It’s negligence, and a company that allows a scandal to unfold through negligence is not just being unjust, it’s violating its moral obligation to its stakeholders and community. </p><p>As described in another of our blog posts, “<span style="text-decoration:underline;"><a href="http://www.logicmanager.com/erm-software/2016/04/26/cyberattack-prevention-erm/">Use ERM to Defend Against Ransomware and Data Breaches</a></span>,” phishing attacks target individual employees, often masquerading as trustworthy emails. </p><p>MCPN failed to conduct an enterprise risk analysis until a month after reporting the breach. 
Even when the organization <i>did</i> start assessing risk, however, those efforts were not deemed sufficient to meet requirements in the HIPAA security rule. </p><p>Failure to perform risk management best practices (a minimal investment compared to the fallout of a breach) led directly to the cybersecurity incident, compliance issues, and significant negative media exposure.</p><p> </p><h2><strong>Companies in Every Industry Can Learn From This Healthcare Breach</strong></h2><p> </p><p>As is the case with many incidents, this healthcare breach is fundamentally not a <span style="text-decoration:underline;">cybersecurity</span> issue, nor a compliance issue. It’s a <span style="text-decoration:underline;"><b><a href="http://www.logicmanager.com/erm-software/2017/04/25/good-governance/">governance issue</a></b></span>. Strong governance is crucial to effective risk management, and it’s also the framework for the “ounce of prevention” that makes “a pound of cure” obsolete. </p><p>MCPN should have started performing <span style="text-decoration:underline;"><a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-identification/">root-cause risk assessments</a></span> well before it did. Its failure to identify and assess risks in its ePHI environment prevented the organization from implementing appropriate <span style="text-decoration:underline;"><a href="http://www.logicmanager.com/erm-software/product/mitigate/">mitigation activities/controls</a></span>. 
</p><p>Specifically, the $400,000 restitution is a sign that breaches/incidents are now considered “a symptom of larger issues that indicate general failures to have appropriate safeguards in place.”</p><p> </p><p><b><i>Download our free eBook,</i></b> <span style="text-decoration:underline;"><a href="http://www.logicmanager.com/ebook-5-steps-for-better-risk-assessments/"><b>5 Steps for Better Risk Assessments</b></a></span><b><i>, for an in-depth look at how risk profiles should be assessed to prevent breaches and other vulnerabilities.</i></b></p><p></p></div>The Switch to the Chip Card – One Year Laterhttps://globalriskcommunity.com/profiles/blogs/the-switch-to-the-chip-card-one-year-later2016-11-02T14:23:12.000Z2016-11-02T14:23:12.000ZRobert Sicilianohttps://globalriskcommunity.com/members/RobertSiciliano<div><p>The October anniversary of the liability shift has passed, and anniversaries are an excellent time to look back on progress…this is no exception. The <a style="color:#bb0000;" href="http://www.forbes.com/sites/seanmcquay/2016/10/25/happy-first-birthday-chip-cards-right/#5d6e40b88895" target="_blank">U.S. EMV migration</a> plan was set four years ago as a way to fight card fraud and to protect both consumers and merchants.</p><p><img src="http://activerain.com/image_store/uploads/agents/robertsiciliano/files/The-Shift-to-Chip-Infographic-11-1-2016.jpg" alt="" width="300" height="593" align="right" /></p><p>Back in the day, we had one choice when we wanted to purchase something, and that was cold, hard cash. However, a few decades ago, people began using credit cards for everyday purchases instead of for only big ticket items, such as refrigerators. Though this was certainly convenient, it also opened the door for the bad guys not only to access your credit card information but also to use it to make purchases, and even to learn more about you and steal your <a style="color:#bb0000;" href="http://www.trustedalarm.com/">identity</a>. 
Over the past couple of years, once again, we in the U.S. are changing things up when it comes to how we use credit and debit cards. Our new cards, the ‘<a style="color:#bb0000;" href="http://newsroom.mastercard.com/2016/09/28/six-things-worth-knowing-about-chip-cards-emv-an-evolution-in-security/" target="_blank">chip cards</a>,’ as used in most other places in the world, are making it safer than ever before to make purchases.</p><p>Love ‘em or hate ‘em, these new chip cards and terminals are working to eliminate card fraud, and they are working very well. The way we pay in the U.S. needed a huge overhaul, and this security upgrade was an attempt to make things safer. Data and research confirm that this new technology has had a great impact on reducing card fraud.</p><p>Don’t get me wrong. This transformation has not been without a few headaches for merchants and consumers, but believe me…things are improving, and they will continue to improve as businesses complete their shift to the chip. How much? Mastercard fraud data indicates that there was a 54 percent decrease associated with counterfeit fraud when comparing data from April 2016 to April 2015.</p><p><strong>We Have a Strong Start, But There is Still Work to be Done</strong></p><p>When considering everything, the U.S. is off to a solid start, but we still have work to do. When looking at the more than 150 world markets that use chips in cards, we know that more chip transactions must be done before we can see a significant drop in fraud. To do this, we will need about 60 percent of chip terminals interacting with a minimum of 60 percent of chip cards in the market. If you have one or have seen chip cards, you likely know that we have gone well beyond that 60 percent mark on cards, but only about 30 percent of store terminals are set up to accept chips.</p><p>Another thing that we need to do is continue to speed up the certification process for merchants. 
The faster we can get chip terminals in stores, the faster we will see these card fraud levels drop.</p><p>We also need to increase the speed at which these transactions occur. If you have used a chip terminal, you know that it feels like a slower process than the ‘swipe’ we are used to. The payments industry is hard at work to address this issue, and new technologies are being created to speed up transaction times when using these payment methods. Remember, even though the process feels a bit slower right now, you are significantly safer when using a chip card.</p><p>Ultimately, if we can have a little bit of patience with the process and endure these short-term issues, we will all greatly benefit when it comes to payment security. We are already moving in the right direction, and if we keep adding terminals and encouraging the use of chip cards, we will definitely see even more improvement when we compare with next year. Before you know it, most forms of card fraud will be all but gone thanks to the switch to the chip.</p><p><a style="color:#bb0000;" href="http://robertsiciliano.com/">Robert Siciliano</a>, CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker, is the author of <a style="color:#bb0000;" href="http://www.amazon.com/Things-Wish-Before-Identity-Stolen/dp/1941308996/ref=as_sl_pc_qf_sp_asin_til?tag=httprobertc02-20&linkCode=w00&linkId=JAZ7MOSJYUIXZMJ3&creativeASIN=1941308996"><em>99 Things You Wish You Knew Before Your Identity Was Stolen</em></a>. See him knock ’em dead in this <a style="color:#bb0000;" href="http://www.youtube.com/watch?v=p_ikx0_erfU">identity theft prevention</a> video.</p></div>Business Continuity Is Crucial for Reducing Data Breach Costs. 
Here's Why.https://globalriskcommunity.com/profiles/blogs/business-continuity-is-crucial-for-reducing-data-breach-costs2016-08-11T21:01:23.000Z2016-08-11T21:01:23.000ZLou DiSerafinohttps://globalriskcommunity.com/members/LouDiSerafino880<div><p><a href="{{#staticFileLink}}8028248691,original{{/staticFileLink}}"><img width="300" height="199" class="align-left" style="width:257px;height:170px;" src="{{#staticFileLink}}8028248691,original{{/staticFileLink}}" alt="8028248691?profile=original" /></a>A couple of weeks ago, a colleague of mine came to tell me about a new finding that she knew I'd love: BCM helps reduce data breach costs.</p><p>All I could think was, 'FINALLY.'</p><p>This is something that I've been telling clients for years: BCM is more valuable to your business than you can possibly imagine.</p><p>The new research from Ponemon Institute found that data breaches now cost as much as $4m, to say nothing of reputational hits. And, you could face a double whammy with <a href="http://www.infinitive.com/2015/10/21/why-a-data-breach-could-make-your-insurance-premiums-skyrocket/" target="_blank">higher insurance premiums</a>, too.</p><p>But the research also found that companies with strong BCM programs found and dealt with breaches faster than companies without. Those saved days translate not only into dollars, but preserved customer trust.</p><p>For my full take on this exciting new validation of the value of BCM, <a href="http://www.infinitive.com/2016/07/22/business-continuity-key-mitigating-data-breach-costs/" target="_blank"><strong>check out this article</strong></a>. </p></div>Wendy’s Data Breach: What Does it Mean for You?https://globalriskcommunity.com/profiles/blogs/wendy-s-data-breach-what-does-it-mean-for-you2016-07-28T20:00:00.000Z2016-07-28T20:00:00.000ZSteven Minskyhttps://globalriskcommunity.com/members/StevenMinsky<div><p>The words “data breach” are often met by a clamor whenever they make headlines. 
Home Depot, Target, Ashley Madison, Heartland, Citibank, the list goes on and on. These breaches spent time in the limelight because of their magnitude; they affected hundreds of thousands – in some cases millions – of cardholders.</p><p><a href="http://www.logicmanager.com/wp-content/uploads/2014/10/powerful-ERM-software-500x350.png" target="_blank"><img src="http://www.logicmanager.com/wp-content/uploads/2014/10/powerful-ERM-software-500x350.png?width=250" width="250" class="align-right" alt="powerful-ERM-software-500x350.png?width=250" /></a>But the reality is data breaches are far more common than large headline events like these would have us believe. According to a <a href="http://www.idtheftcenter.org/images/breach/DataBreachReport2016.pdf">report</a> published by the <a href="https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwjqh6bdnYfOAhVD5iYKHfsSBtAQFggsMAA&url=http%3A%2F%2Fwww.idtheftcenter.org%2F&usg=AFQjCNHuS11fUEclXKIMvLAoWVZFLf0sWA">Identity Theft Resource Center</a>, there have been at least 538 data breaches this year alone (through July 19<sup>th</sup>), exposing nearly 13,000,000 records!</p><p>The result? Besides opening customers to financial vulnerabilities, the sheer number of these data breaches has jaded consumers and businesses alike. The <a href="http://www.investopedia.com/articles/investing/071316/wendys-breach-worse-previously-thought-wen.asp">recent Wendy’s data breach</a>, for example, despite its serious implications, hasn’t received as much attention as one might think.</p><p>Simply accepting the possibility of a data breach as a fact of business is a dangerous mistake. 
Wendy’s is undoubtedly suffering reputational damage – hackers had extended access to customer names, card numbers, security verifications, and more.</p><p></p><h3><strong><span style="font-family:arial, helvetica, sans-serif;" class="font-size-4">What Happened with the Wendy’s Data Breach, and What Are the Implications?</span></strong></h3><p></p><p>Even though the breach didn’t receive any significant media attention until recently, Wendy’s admitted in October of last year to cyberattacks affecting 300 of its franchisee-owned locations. The problem, however, was that hackers continued to access data undetected at more than 1,000 franchisee-owned locations for over a year. It wasn’t until banks, credit unions and others disputed the size of the problem that Wendy’s was forced to reopen its investigations and uncover the full extent of the breach. As we discussed in last Wednesday’s webinar, “<a href="http://www.logicmanager.com/register-integrate-governance-areas-webinar/">How to Integrate Governance Areas</a>,” the corporation tried to distance itself from the breaches by pointing out that no company-owned stores had been affected.</p><p>This isn’t just a story of failed cybersecurity. It’s also a story of failed vendor and third-party management. Like we wrote regarding the recent <a href="http://www.logicmanager.com/erm-software/2016/06/15/freedom-information-act-vendor-management/">CRF listeria outbreak</a>, organizations are responsible for performing their own vendor assessments. This applies as much to franchisees as it does to suppliers and other third parties. There’s a reason no company-owned stores suffered a breach, while more than 1,000 franchised locations were affected. Wendy’s maintained its own cybersecurity processes. What it failed to do was ensure that all locations maintained the same standards.</p><p>Too often, companies react by purchasing a point of sale solution – effectively a Band-Aid. 
Instead, they should be ramping up risk assessments to identify potential future issues and the root causes of the problem. More than 63% of data breaches are caused by weak passwords. Billions of dollars are spent on Band-Aid types of mitigation while the real risk is left unmitigated. This is a classic problem solved with ERM at a fraction of the cost.</p><p>Not only would ERM have prevented the breach; in a situation like Wendy’s, vendor risk management would also have prevented the costly negligence claims that Wendy’s is now subject to.</p><p>Wendy’s is now subject to costly litigation claims, and to make matters worse, the industry trend amongst insurers is not to pick up the tab for claims of negligence, because cyber threats are often exploited through third-party networks. The courts have ruled in favor of the insurers in these cases, and the third parties are being held liable for the transaction costs, leaving long-term brand damage to the entire supply chain. The implications go far beyond credit card data, ransomware, and traditional personal information to any information a company has that supports its customers.</p><p>The questions to ask yourself are, “Does my organization rely on third parties? Do any of our vendors? 
Is there a possibility that our vendors are operating with lower standards than we are?” If the answer to any of those questions is <em>yes</em>, it’s imperative that your organization has an ERM system with robust <a href="http://www.logicmanager.com/grc-software/it-security-risk-management/">IT risk management</a>, policy risk management as well as <a href="http://www.logicmanager.com/grc-software/vendor-management/">vendor risk management</a> capabilities to ensure consistency; this is also sometimes called enterprise governance, risk and compliance.</p><p></p><p><strong>To learn about how your organization can stay ahead of the rising data-breach tide, </strong><a href="http://www.logicmanager.com/erm-software/2015/10/20/risk-based-cybersecurity-prevents-cyber-attacks-data-breaches/"><strong>read our blog post</strong></a><strong>, “Risk-Based Cybersecurity Prevents Cyber Attacks and Data Breaches.” Also download our free </strong><a href="http://www.logicmanager.com/ebook-sec-cybersecurity-annotated-guide/"><strong>Annotated Guide to SEC Cybersecurity</strong></a><strong>.</strong></p><p><strong> </strong></p></div>Carders cashing out on Magstrip Cardshttps://globalriskcommunity.com/profiles/blogs/carders-cashing-out-on-magstrip-cards2016-06-30T14:52:25.000Z2016-06-30T14:52:25.000ZRobert Sicilianohttps://globalriskcommunity.com/members/RobertSiciliano<div><p>Two thousand credit card payment terminals stand to become infected with malware called Trinity point of sales.</p><p><img src="http://activerain.com/image_store/uploads/agents/robertsiciliano/files/2C.jpg" alt="" width="320" height="213" align="right" /></p><p>Ten million credit cards were stolen by hackers, called Fin6, who may end up scoring $400 million. The cards were stolen from retail and hospitality businesses. If each card sells for $21 on secret carder shops, you can see how the hackers will rake in hundreds of millions of dollars.</p><p>As you may know, the U.S. 
is gradually switching over to chip cards. But it will be a while—a very long while—before magnetic strip cards are non-existent in America. Until then, these types of cards remain a favorite target for cyber thieves.</p><p>The methods that Fin6 used are technical, but suffice it to say, these hackers are pros. At this point, there has not been any way to stop this hacking group.</p><p>This is yet another example of the inherent vulnerability of the magnetic strip card, which, unlike in other industrialized nations, continues to be the main type of credit card in use in the U.S.</p><p>Protect yourself:</p><ul><li>Go to “alerts/notifications” on your bank’s or card issuer’s website and sign up for emails/texts for every charge made.</li><li>Download your bank’s or card issuer’s mobile app and sign up for emails/texts for every charge made.</li><li>Check your statements frequently.</li><li>Federal law protects you from unauthorized charges made with your credit card number, but you still have to dispute the charges.</li><li>In the event the credit card is in a thief’s hands, you’ll be liable, but only for a maximum of $50, provided you report the problem to the credit card company. However, in many cases a “zero liability” policy may kick in.</li><li>Debit cards fall under a different federal law than credit cards. Regulation E, the Electronic Fund Transfer Act, says after two days, you could be liable for up to $50. After two days, liability jumps to $500. Beyond 60 days, you could be liable for all unauthorized transactions. 
Otherwise, federal rules are on the bank’s side.</li><li>Beyond 60 days, there’s a likelihood you’ll never see your money again.</li></ul><p>Robert Siciliano is an identity theft expert to <a style="color:#bb0000;" href="http://bestidtheftcompanys.com/companies">BestIDTheftCompanys.com</a> discussing <a style="color:#bb0000;" href="http://www.youtube.com/watch?v=p_ikx0_erfU">identity theft prevention</a>.</p></div>Three Quarters of a Billion Records breachedhttps://globalriskcommunity.com/profiles/blogs/three-quarters-of-a-billion-records-breached2016-04-20T14:26:54.000Z2016-04-20T14:26:54.000ZRobert Sicilianohttps://globalriskcommunity.com/members/RobertSiciliano<div><p>Last year, says the security firm Gemalto, over 700 million records were breached. Or, to put it another way, this translates to two million stolen or lost records every day.</p><p><img src="http://activerain.com/image_store/uploads/agents/robertsiciliano/files/3D.jpg" alt="" width="350" height="179" align="right" /></p><p><strong>2015 Breach Level Report</strong></p><ul><li>1,673 hacking incidents</li><li>398 were triggered from the inside of the attacked company: employees and even IT staff who were tricked (social engineering) by hackers into clicking on malicious links or attachments</li><li>Government agencies suffered the greatest data leaks.</li><li>Following that were nation states and healthcare enterprises (remember the big Anthem breach?)</li></ul><p>Gemalto also says that the U.S. is the leading target of cyber attacks, with the UK, Canada and Australia following behind in that order. But don’t let Australia’s fourth place standing fool you. It reports only 42 publicly reported incidents, while the U.S. has reportedly had 1,222.</p><p><strong>How can you tell your computer has been compromised by an attack?</strong></p><ul><li>Your computer is running slowly; you’re not simply being impatient—the device <em>really is</em> moving at a crawl. 
This is a possible sign the computer is infected.</li><li>Another possible sign of infection: Programs open up without you making them, as though they have a mind of their own.</li></ul><p><strong>Protecting Your Computer</strong></p><ul><li>First and foremost, businesses need to rigorously put their employees through training. This includes staged phishing attacks to see if any employees can be tricked into revealing sensitive company information. Training for workers must be ongoing, not just some annual seminar. A company could have the best security software and smartest IT staff, but all it takes is one less-than-mindful employee to let in the Trojan horse.</li><li>If you receive an e-mail with a link or attachment, never rush to open them. Pause. Take a few breaths. Count to 10. No matter what the subject line says, there is always plenty of time to make sure an e-mail is from a legitimate sender before opening any attachments or clicking any links.</li><li>Use firewall and anti-virus software and keep them updated.</li><li>Use a virtual private network to scramble your online activities when you’re using public Wi-Fi so that cyber snoopers see only scrambling.</li><li>Use the most recent version of your OS and browser.</li><li>Regularly back up your data.</li></ul><p>Robert Siciliano is an identity theft expert to <a style="color:#bb0000;" href="http://bestidtheftcompanys.com/companies">BestIDTheftCompanys.com</a> discussing <a style="color:#bb0000;" href="http://www.youtube.com/watch?v=p_ikx0_erfU">identity theft prevention</a>.</p></div>Three ways to beef up security when backing up to the cloudhttps://globalriskcommunity.com/profiles/blogs/three-ways-to-beef-up-security-when-backing-up-to-the-cloud2016-03-21T14:37:07.000Z2016-03-21T14:37:07.000ZRobert Sicilianohttps://globalriskcommunity.com/members/RobertSiciliano<div><p>Disasters happen every day. 
Crashing hard drives, failing storage devices and even burglaries could have a significant negative impact on your business, especially if that data is lost forever. You can avoid these problems by backing up your data.</p><p><img src="http://activerain.com/image_store/uploads/agents/robertsiciliano/files/PHX1.jpg" alt="" width="320" height="213" align="right" /></p><p>Backing up means keeping copies of your important business data in several places and on multiple devices. For example, if you saved data on your home PC and it crashes, you’ll still be able to access the information because you made backups.</p><p>A great way to protect your files is by backing up to the cloud. Cloud backup services like <a style="color:#bb0000;" href="http://www.carbonite.com/">Carbonite</a> allow you to store data at a location off-site. You accomplish this by uploading the data online via proprietary software.</p><p>Cloud backup providers have a reputation for being safe and secure. But you can’t be too careful. Here are a few ways to beef up security even more when you use a cloud backup system:</p><ul><li>Before backing up to the cloud, take stock of what data is currently in your local backup storage. Make sure that all of this data is searchable, categorized and filed correctly.</li><li>Consider taking the data you have and encrypting it locally, on your own hard drive before backing up to the cloud. Most cloud backup solutions – including Carbonite – provide high-quality data encryption when you back up your files. But encrypting the data locally can add an additional layer of security. Just remember to store your decryption key someplace other than on the computer you used to encrypt the files. This way, if something happens to the computer, you’ll still be able to access your files after you recover them from the cloud.</li><li>Create a password for the cloud account that will be difficult for any hacker to guess. However, make sure that it’s also easy for you to remember. 
The best passwords are a combination of numbers, letters and symbols.</li></ul><p>Cloud backups are convenient and have a good record when it comes to keeping your data safe. They don’t require the purchase of additional equipment or the use of more energy. You can also restore data from anywhere, to any computer, as long as there is an Internet connection available.</p><p><em>Consultant Robert Siciliano is an expert in personal privacy, security and identity theft prevention. Learn more about</em> <a style="color:#bb0000;" href="http://www.carbonite.com/en/cloud-backup/business-solutions/business-backup-and-recovery/"><em>Carbonite’s cloud and hybrid backup solutions for small and midsize businesses</em></a>. <a style="color:#bb0000;" href="http://robertsiciliano.com/blog/2010/01/01/disclosures-term-conditions/">Disclosures</a>.</p></div>Data security policies need teeth to be effectivehttps://globalriskcommunity.com/profiles/blogs/data-security-policies-need-teeth-to-be-effective2016-02-09T14:54:00.000Z2016-02-09T14:54:00.000ZRobert Sicilianohttps://globalriskcommunity.com/members/RobertSiciliano<div><p>Bottom line: If you have a data security policy in place, you need to make sure that it’s up to date and contains all of the necessary elements to make it effective. Here are 10 essential items that should be incorporated into all security policies:</p><p><img src="http://activerain.com/image_store/uploads/agents/robertsiciliano/files/4H.jpg" alt="" width="320" height="320" align="right" /></p><p><strong>1. Manage employee email</strong></p><p>Many data breaches occur due to an employee’s misuse of email. These negligent acts can be limited by laying out clear standards related to email and data. 
For starters, make sure employees do not click on links or open attachments from strangers because this could easily lead to a <a style="color:#bb0000;" href="http://www.carbonite.com/en/resources/carbonite-blog/five-ways-to-avoid-or-defeat-a-ransonware-infection/">ransomware</a> attack.</p><p><strong>2. Comply with software licenses and copyrights</strong></p><p>Some organizations are pretty lax in keeping up with the copyrights and licensing of the software they use, but this is an obligation. Failing to do so could put your company at risk.</p><p><strong>3. Address security best practices</strong></p><p>Address the security awareness of your staff by making sure they know security best practices, backed by security training, testing and awareness efforts.</p><p><strong>4. Alert employees to the risk of using social media</strong></p><p>All of your staff should be aware of the risks associated with social media, and you should consider a social media policy for your company. For example, divulging the wrong information on a social media site could lead to a data breach. Social media policy should be created in line with security best practices.</p><p><strong>5. Manage company-owned devices</strong></p><p>Many employees use mobile devices in the workplace, and this opens you up to threats. You must have a formal policy in place to ensure mobile devices are used correctly. Requiring all staff to be responsible with their devices and to password-protect them should be the minimum requirement.</p><p><strong>6. Use password management policies</strong></p><p>You also want to make sure that your staff is following a password policy. Passwords should be complex, never shared and changed often.</p><p><strong>7. Have an approval process in place for employee-owned devices</strong></p><p>With more employees than ever before using personal mobile devices for work, it is imperative that you put policies in place to protect your company’s data. 
Consider putting a policy in place that mandates an approval process for anyone who wants to use a mobile device at work.</p><p><strong>8. Report all security incidents</strong></p><p>Any time there is an incident, such as malware found on the network, a report should be made and the event should be investigated immediately by the IT team.</p><p><strong>9. Track employee Internet use</strong></p><p>Most staff members will use the Internet at work without much thought, but this could be dangerous. Try to establish some limits for employee Internet use for both safety and productivity.</p><p><strong>10. Safeguard your data with a privacy policy</strong></p><p>Finally, make sure that all staff members understand your company’s privacy policy. Make sure that data is used correctly and within the confines of the law.</p><p><em>Consultant Robert Siciliano is an expert in personal privacy, security and identity theft prevention. Learn more about </em><a style="color:#bb0000;" href="http://www.carbonite.com/en/cloud-backup/business-solutions/business-backup-and-recovery/"><em>Carbonite’s cloud and hybrid backup solutions for small and midsize businesses</em></a><em>.</em></p></div>How to recycle Old Deviceshttps://globalriskcommunity.com/profiles/blogs/how-to-recycle-old-devices2016-01-21T14:10:04.000Z2016-01-21T14:10:04.000ZRobert Sicilianohttps://globalriskcommunity.com/members/RobertSiciliano<div><p>When it comes to tossing your old computer device into the rubbish, out of sight means out of mind, right? Well yeah, maybe to the user. 
But let’s tack something onto that well-known mantra: <em>Out of sight, out of mind, into criminals’ hands</em>.</p><p><img src="http://activerain.com/image_store/uploads/agents/robertsiciliano/files/7W.jpg" alt="" width="328" height="200" align="right" /></p><p>Your discarded smartphone, laptop or what-have-you contains a goldmine for thieves—because the device’s memory card and hard drive contain valuable information about you.</p><p>Maybe your Social Security number is in there somewhere, along with credit card information, checking account numbers, passwords…the whole kit and caboodle. And thieves know how to extract this sensitive data.</p><p>Even if you sell your device, don’t assume that the information stored on it will get wiped. The buyer may use it for fraudulent purposes, or he may resell it to a fraudster.</p><p>Only 25 states have e-waste recycling laws. And only <em>some</em> e-waste recyclers protect customer data. And this gets cut down further when you consider whether the device goes to a recycling plant at all vs. a trash can. Thieves pan for gold in dumpsters, seeking out that discarded device.</p><p>Few people, including those who are very aware of phishing scams and other online tricks by hackers, actually realize the gravity of discarding or reselling devices without wiping them of their data. The delete key and in some cases the “factory reset” setting are worthless.</p><p>To verify this widespread lack of insight, I collected 30 used devices like smartphones, laptops and desktops, getting them off of Craigslist and eBay. They came with assurance they were cleared of the previous user’s data.</p><p>I then gave them to a friend who’s skilled in data forensics, and he uncovered a boatload of personal data from the previous users of 17 of these devices. It was enough data to create identity theft. I’m talking Social Security numbers, passwords, usernames, home addresses, the works. 
People don’t know what “clear data” really means.</p><p>The delete button makes a file disappear and go into the recycle bin, where you can delete it again. Out of sight, out of mind…but not out of existence.</p><p><strong>What to Do</strong></p><ul><li>If you want to resell, then wipe the data off the hard drive—and make sure you know how to do this right. There are a few ways of accomplishing this:</li></ul><p>Search the name of your device and terms such as “factory reset”, “completely wipe data”, “reinstall operating system” etc. and look for various device-specific tutorials and in some cases 3<sup>rd</sup> party software to accomplish this.</p><ul><li>If you want to junk it, then you must physically destroy it. Remove the drive; there are numerous online tutorials here too. Get some safety glasses, put a hammer to it or find an industrial shredder.</li><li>Or send it to a reputable recycling service for purging.</li></ul><p>Robert Siciliano is an identity theft expert to <a style="color:#bb0000;" href="http://bestidtheftcompanys.com/companies">BestIDTheftCompanys.com</a> discussing <a style="color:#bb0000;" href="http://www.youtube.com/watch?v=p_ikx0_erfU">identity theft prevention</a></p></div>Tips for backing up and protecting your data while travelinghttps://globalriskcommunity.com/profiles/blogs/tips-for-backing-up-and-protecting-your-data-while-traveling2015-12-21T14:11:34.000Z2015-12-21T14:11:34.000ZRobert Sicilianohttps://globalriskcommunity.com/members/RobertSiciliano<div><p>The season of giving is now upon us — but don’t forget, it’s also the season of stealing — and no, I don’t mean your wallet or the gift package at your doorstep, but your Social Security number, credit card information, medical records and any other highly confidential information that you have stored on your computers.</p><p><img src="http://activerain.com/image_store/uploads/agents/robertsiciliano/files/1D.jpg" alt="" align="right" height="269" width="320" /></p><p>Thieves want 
your <strong>data</strong> — the information stored in your smartphone, laptop and other devices. People are especially vulnerable to this crime when they travel. Don’t let the hustle and bustle of holiday travel distract you from protecting your data!</p><ul><li>Make sure your devices have updated security software.</li><li>Remove all the sensitive data (e.g., medical records) from your device prior to travel — but not before you back it up.</li><li>One way to protect your data is cloud backup. Protecting your data begins with keeping your computer in a safe, secure, locked location, but when you are traveling, this is simply not an option. Therefore, <a href="http://www.carbonite.com/en/cloud-backup/personal-solutions/personal-plans/try/">automatically back up data to the cloud</a>. The third layer is to use local backups; ideally sync software that offers routine backups to an external drive.</li><li>Before the trip, an IT expert should install disk encryption for your laptop, especially if you’ll be bringing along lots of sensitive data. If the laptop ends up in the wrong hands, the crook will see only scrambled data.</li><li>Even with the aforementioned security measures in place, you should also use a virtual private network when conducting online transactions at public Wi-Fi spots, so that snooping hackers “see” only encrypted transmissions.</li><li>All of the above tactics <em>still</em> aren’t enough. “Shoulder surfers” could visually snatch your login credentials while you’re typing away at the airport lobby or coffee shop. “Visual hackers” may also use binoculars and cameras. A privacy filter will conceal what’s on your screen. If they’re right behind you, this technology will alert you. 
You should use a privacy filter even when your back is to a wall.</li></ul><p>Never let your device out of your sight, and if you must, like at a relative’s dinner gathering, lock it up.</p><p>Robert Siciliano is an expert in personal privacy, security and identity theft. Learn more about <a href="http://www.carbonite.com/en/cloud-backup/personal-solutions/personal-plans/try/">Carbonite Personal plans</a>. See him discussing <a href="http://www.youtube.com/watch?v=p_ikx0_erfU">identity theft prevention</a>. <a href="http://robertsiciliano.com/blog/2010/01/01/disclosures-term-conditions/">Disclosures</a>.</p></div>20 Security Tips For Overseas Travelers With Credit Cardshttps://globalriskcommunity.com/profiles/blogs/20-security-tips-for-overseas-travelers-with-credit-cards2015-12-16T14:13:30.000Z2015-12-16T14:13:30.000ZRobert Sicilianohttps://globalriskcommunity.com/members/RobertSiciliano<div><p>Thinking of bringing a credit card with you on your travels? You can end up in a jam: You just treated your extended family to fine dining in France. Time to pay; your credit card is declined.</p><p><img src="http://activerain.com/image_store/uploads/agents/robertsiciliano/files/2C.jpg" alt="" align="right" height="213" width="320" /></p><p>If you try to make a purchase overseas, your credit card company might think it’s fraudulent, since it would appear anomalous, relative to your usual, U.S. purchases.</p><p><strong>So before you leave for your trip:</strong></p><ul><li>Back up credit card data. It’s always important to have a backup of your card data, both online and in print. Photocopy each card and carry with you or store in your luggage. 
The <a href="http://www.carbonite.com/en/cloud-backup/personal-solutions/personal-plans/try/">Carbonite</a> mobile app lets you access your backed-up data from anywhere in the world.</li><li>Review your auto drafts and consider these when traveling to avoid maxing out the card.</li><li>All your cards should be signed.</li><li>Get a “data plan” and make sure your credit card company’s e-mail and phone numbers actually work.</li><li>See if your company will issue you a chip-and-PIN card, since this technology is widespread in foreign countries.</li><li>Memorize the PIN and make sure it’s enabled for foreign ATM withdrawals.</li><li>Install the credit card company’s mobile application so that you can be alerted to any suspicious issues.</li><li>Gift cards and debit cards should be authorized for international use.</li><li>Set your phone up for international use.</li><li>Activate the feature in your card account that alerts you every time the card is used.</li><li>Alert the credit card company when you’ll be overseas so they can monitor your purchases.</li><li>Store the company’s 800 and non-800 numbers in your phone.</li><li>Also make sure you have their e-mail address.</li><li>The card numbers should be documented in hard copy.</li><li>Find out if the card has a foreign transaction fee.</li><li>Know the to-be-visited country’s phone dialing patterns.</li></ul><p><strong>While on your trip:</strong></p><ul><li>Never give anybody your card for a purchase unless you can see everything they’re doing.</li><li>At ATMs, carefully punch in the keypad numbers; you may not get too many chances to get the PIN correct.</li><li>Save all receipts and inspect them. Use your computer or phone and secure Wi-Fi to monitor your account online. 
This can be done with <a href="http://www.hotspotshield.com/">Hotspot Shield</a>, which will encrypt all transmissions.</li></ul><p>Know that your card company will never request highly personal information such as your Social Security number. If anyone contacts you with such requests, it’s a scam.</p><p>Robert Siciliano is an expert in personal privacy, security and identity theft. Learn more about <a href="http://www.carbonite.com/en/cloud-backup/personal-solutions/personal-plans/try/">Carbonite Personal plans</a>. See him discussing <a href="http://www.youtube.com/watch?v=p_ikx0_erfU">identity theft prevention</a>. <a href="http://robertsiciliano.com/blog/2010/01/01/disclosures-term-conditions/">Disclosures</a>.</p></div>Best practices for BYOD data storagehttps://globalriskcommunity.com/profiles/blogs/best-practices-for-byod-data-storage2015-11-16T14:55:53.000Z2015-11-16T14:55:53.000ZRobert Sicilianohttps://globalriskcommunity.com/members/RobertSiciliano<div><p>The Bring Your Own Device (BYOD) movement has in some ways saved companies money, but in other ways put customer data at risk. Employees are onsite, telecommuting or traveling on business. This means their devices, and company data, could be anywhere at any given moment.</p><p><img src="http://activerain.com/image_store/uploads/agents/robertsiciliano/files/7W.jpg" alt="" align="right" height="200" width="328" /></p><p>A company manager or owner realizes that company use of employee mobile devices brings benefits. But employees also use the devices for personal activities, increasing the risk of hackers getting into company data.</p><p>The solution is to train these employees in BYOD, information security and awareness. They must be aware of how risky a data breach is and how to secure data, especially if the device is loaded with company data. 
An overlooked part of that training is knowing how to deal with old data, back up that data and in some cases, delete it.</p><p>Data lives in three forms: stored on a local device, backed up in the cloud and deleted. Over time, old data begins to accumulate on devices and that can cause problems.</p><p>Here are some key considerations and best practices for dealing with the BYOD phenomenon at your business:</p><ul><li>Ask yourself when old data is no longer needed. Data should have expiration dates set up to indicate this.</li><li>Businesses should realize that “useless” or “old” data may surprisingly be needed sooner or later. This data can be stored offsite, in the cloud, so that if the device is hacked, at least the old data (which may contain valuable information to the hacker) won’t be accessible.</li><li>Setting up cloud storage that automatically backs up data will ensure that if a device is lost or stolen, the data is still available. Every bit of data, even if it’s seemingly useless, should be backed up.</li><li>How do you truly delete data? Don’t think for a second you’ll achieve this by hitting the delete button. In many cases, a hacker could still find it and obtain it from the hard drive. What you can’t see is not invisible to a skilled hacker.</li><li>Want to just get rid of old data altogether? You must destroy the hard drive. This means put it on the ground and hit it with a sledgehammer. Then recycle the guts. Or you can professionally shred it.</li><li>Deploy Mobile Device Management (MDM) software that gives companies the ability to remotely manage devices. Tasks might include locating, locking or wiping a lost or stolen device. MDM can also be used to update software and delete or back up data.</li></ul><p>The planning and prevention tactics above apply to businesses and really, everyone. 
Employees should be rigorously trained on proactive security and the tricks that cyber thieves use.</p><p>Robert Siciliano is an expert in personal privacy, security and identity theft. Learn more about <a href="http://www.carbonite.com/en/cloud-backup/personal-solutions/personal-plans/try/">Carbonite Personal plans</a>. See him discussing <a href="http://www.youtube.com/watch?v=p_ikx0_erfU">identity theft prevention</a>. <a href="http://robertsiciliano.com/blog/2010/01/01/disclosures-term-conditions/">Disclosures</a>.</p></div>Human error is inevitable: Ways to protect your businesshttps://globalriskcommunity.com/profiles/blogs/human-error-is-inevitable-ways-to-protect-your-business2015-09-14T15:02:45.000Z2015-09-14T15:02:45.000ZRobert Sicilianohttps://globalriskcommunity.com/members/RobertSiciliano<div><p><a href="http://go.carbonite.com/lp/business/national_preparedness_month_2015?utm_campaign=10104&utm_source=carbonite&utm_medium=social-embassy&utm_content=986&c3placement=986&Category=LN-LANDING-PAGES&Page_ID=GUEST-BLOG&cm_mmc=social-embassy-_-carbonite-_-986-_-684">National Preparedness Month</a> is happening right now. It’s the perfect time to take action for you and your community. It’s all about making plans to remain safe, and when disasters do strike, to keep communications going. September 30th is the culmination of NPM, with the National PrepareAthon! Day.</p><p><img src="http://activerain.com/image_store/uploads/agents/robertsiciliano/files/3D.jpg" alt="" align="right" height="173" width="340" /></p><p>If a burglar sees your Facebook status that you are traveling on vacation and then enters your house, and takes $10,000 worth of valuables, it’s safe to say you as the homeowner facilitated the theft. This is no different than leaving your doors unlocked when you head to the store. This lack of attention to security is why crime often happens.</p><p>These lapses in judgement are akin to how human error enables data breaches. 
Even worse, for a small business, employee behavior accounts for a significant number of hacking incidents – and the costs of data breaches are tremendous.</p><p>A study from CompTIA says that human error is the foundation of 52 percent of data breaches. The CompTIA report also says that some of the human error is committed by IT staff. Funnily enough, it also points out that typically, businesses rank human error pretty low on the priority list of potential problems.</p><p>Some important things to remember:</p><ul><li>Security awareness training is crucial for employees.</li><li>A strong incident response system must be in place.</li><li>Appointing a CISO (chief information security officer) will also help.</li></ul><p>The high price of human error can include lost or stolen mobile devices, slow notification of a data breach, a weak security structure and response plan, and lack of a CISO. To avoid these and protect your business, you should:</p><ul><li>Implement an aggressive security awareness training program for employees</li><li>Develop a data breach response plan</li><li>Implement strong authentication practices</li><li>Use encryption</li><li>Implement a data loss identification system</li></ul><p>And all companies should take note of the following safeguards:</p><ul><li>Vigorously train employees in safety awareness that pertains to the “bring your own device” policy. Many data breaches occur when someone conducts business on their personal mobile device.</li><li>Security awareness training isn’t just about telling employees the facts. It also should include staged attempts at a data breach (by hired white hat hackers) to see who takes the bait. This also includes staged attempts by people posing as vendors or other executives trying to gain access to sensitive information.</li><li>Back up all data on a frequent basis, ideally on a local drive in combination with a cloud service.</li><li>Computers should be replaced every two to three years. 
This will make it easier for businesses because the computers at this point will still be functioning.</li></ul><p>The prevention tactics above apply to businesses and really, everyone. Employees should be rigorously trained on proactive security and tricks that cyber thieves use. To learn more about preparing your small business against the common accidents of everyday life, download Carbonite’s <em>e-book</em>, “<a href="http://go.carbonite.com/lp/business/national_preparedness_month_2015?utm_campaign=10104&utm_source=carbonite&utm_medium=social-embassy&utm_content=986&c3placement=986&Category=LN-LANDING-PAGES&Page_ID=GUEST-BLOG&cm_mmc=social-embassy-_-carbonite-_-986-_-684">5 Things Small Businesses Need to Know about Disaster Recovery</a>.”</p><p>#1 Best Selling Author Robert Siciliano CSP, CEO of IDTheftSecurity.com is a United States Coast Guard Auxiliary Flotilla Staff Officer of the U.S. Department of Homeland Security whose motto is Semper Paratus (Always Ready). He is a four time Boston Marathoner, Private Investigator and is fiercely committed to informing, educating, and empowering people so they can be protected from violence and crime in the physical and virtual worlds. As a Certified Speaking Professional his “tell it like it is” style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders. 
<a href="http://robertsiciliano.com/blog/2010/01/01/disclosures-term-conditions/">Disclosures</a>.</p></div>Company for sale includes your Datahttps://globalriskcommunity.com/profiles/blogs/company-for-sale-includes-your-data2015-08-14T14:07:27.000Z2015-08-14T14:07:27.000ZRobert Sicilianohttps://globalriskcommunity.com/members/RobertSiciliano<div><p>When you subscribe to an online service, be careful of how much information you give out about yourself.</p><p><img src="http://activerain.com/image_store/uploads/agents/robertsiciliano/files/1P.jpg" alt="" align="right" height="209" width="320" /></p><p>Most businesses in their terms and conditions, say they “respect your privacy.” But what if these companies go under or are sold? An article from the online <em>New York Times</em> explores this concept. Today’s market-data-hungry-businesses can gather lots of data about subscribers. This data can be transferred to third parties in the event the company is sold or goes belly up.</p><p>The <em>New York Times</em> recently analyzed the top 100 U.S. websites, and the revelation is that it’s par for the course for companies to state that subscribers’ data could be transferred as part of a sales or bankruptcy transaction. Companies like this include Google, Facebook, LinkedIn, Amazon and Apple.</p><p>On one hand, such companies assure consumers that privacy is important. Next second they’re telling you your data will get into third-party hands if they sell out or fizzle out.</p><p>A real-life example is the True.com Texas dating site that attempted to sell its customer database to another dating site. However, True.com’s privacy policy assured members that their personal details would never be sold without their permission. Texas law stopped the attempt.</p><p>The <em>Times</em> article points out that at least 17 of the top 100 said they’d notify customers of a data transfer, while only a handful promised an opt-out choice.</p><p>This isn’t as benign as some might think. 
For example, WhatsApp was sold to Facebook. A user of both services ultimately complained that Facebook, <em>without his consent</em>, accessed his WhatsApp contact list, even though his Facebook account was set to prevent people outside his network from obtaining his phone number.</p><p>Another example is Toysmart.com. When it went bankrupt, it tried to sell customer data, which included birthdates and names of children. The company’s privacy policy, however, promised users that this information would never be shared.</p><p>To avoid fracases, companies are now jumping on the bandwagon of stating they have the right to share customer/subscriber data with third parties per business transactions.</p><p>Don’t be surprised if you read something like: “We value your privacy,” and in another section of the privacy policy, “Upon sale of our company, your personal information may be sold.”</p><p>Robert Siciliano is an identity theft expert to <a href="http://bestidtheftcompanys.com/companies">BestIDTheftCompanys.com</a> discussing <a href="http://www.youtube.com/watch?v=p_ikx0_erfU">identity theft prevention</a>.</p></div>Why Hacking is a National Emergencyhttps://globalriskcommunity.com/profiles/blogs/why-hacking-is-a-national-emergency2015-07-29T14:29:17.000Z2015-07-29T14:29:17.000ZRobert Sicilianohttps://globalriskcommunity.com/members/RobertSiciliano<div><p>Foreign hackers, look out: Uncle Sam is out to get you. President Obama has issued an order that allows the State and Treasury Departments to immobilize the financial assets of anyone out-of-country suspected of committing or otherwise being involved in cyber crimes against the U.S.</p><p><img src="http://activerain.com/image_store/uploads/agents/robertsiciliano/files/7W.jpg" alt="" align="right" height="201" width="330" /></p><p>This order, two years in the making, covers hacking of <em>anything</em>. The order refers to hacking as a national emergency. Imagine if entire power grids were hacked into. 
Yes, a national emergency.</p><p>Another reason hacking is a national crisis is because the guilty parties are so difficult to track down. Hackers are skilled at making it seem that an innocent entity is guilty. And a major hacking event can be committed by just a few people with limited resources.</p><p>However, the order has drawn some criticism, including that it is an over-reaction to the Sony data breach. But it seems that the government can never be too vigilant about going after hackers.</p><p>Proponents point out that the order allows our government greater flexibility to go after the key countries where major hacks come from, like Russia and China. This flexibility is very important because the U.S. has a crucial financial relationship with these countries. And that needs to be preserved.</p><p>For instance, there’d be little adverse impact to the U.S. if our government choked off the bank accounts of isolated hackers who were part of the Chinese government, vs. strangling the entire Chinese government.</p><p>In short, the activities of small hacking groups or individual hackers within a foreign government will be dealt with without penalizing the entire government—kind of like doing away with punishing the entire fourth grade class because one kid threw a spitball.</p><p>Hacking is now elevated to terrorism status; the order is based on the anti-terrorism bill. So foreign hackers, you’ve been warned; the U.S. is not reluctant to level you because the order allows for sparing your government as a whole from being sanctioned.</p><p>You can do your part to protect the Homeland simply by protecting your own devices using antivirus, antispyware, antiphishing and a firewall. 
Keep your devices’ operating systems updated and use a VPN when on public WiFi.</p><p>Robert Siciliano is an identity theft expert to <a href="http://thebestcompanys.com/antivirus/">TheBestCompanys.com</a> discussing <a href="http://www.youtube.com/watch?v=p_ikx0_erfU">identity theft prevention</a>.</p></div>Is your Website and Data secure?https://globalriskcommunity.com/profiles/blogs/is-your-website-and-data-secure2015-05-28T14:24:13.000Z2015-05-28T14:24:13.000ZRobert Sicilianohttps://globalriskcommunity.com/members/RobertSiciliano<div><p>Imagine a lifeguard at the beach sitting on his perch. His job is to patrol and monitor for signs of trouble. He sees a surfer being attacked by a shark. Wow, a lot of good it does that he’s in a completely helpless position; by the time he scrambles off his perch and runs towards the water, the victim has bled out. Ouch.</p><p><img src="http://robertsiciliano.com/wp-content/uploads/2014/02/2D-300x200.jpg" alt="" align="right" height="241" width="360" /></p><p>This is the same concept behind cyber crime. By the time a business or everyday Internet user realizes they’ve been hacked…major damage has been done. We can’t just be reactive. 
We have to be preventive.</p><p>The damage can destroy a business, not to mention take down the everyday person’s website when their prized and sensitive data, blogs, or photos were never backed up.</p><p>Forbes <a href="http://www.forbes.com/sites/thesba/2013/11/08/protect-your-website-the-reality-of-cybersecurity/">points out</a> that over 60 percent of small businesses go belly-up within a year of a serious data breach; cyber crime is a major threat to medium-size businesses as well.</p><p>Companies worry a lot about their product and service, but are slowly coming around to the idea that advertising strong IT security to fight off data breaches is a potent draw for potential customers and clients.</p><p>Customers and clients (current and potential) want to know what a company is doing for prevention, not just what it’ll do <em>after</em> the attack.</p><p>What if you can’t afford a top-flight IT team? There are still things you can do for your business’s safety as well as for your home computer’s safety.</p><ul><li>First off, back up all of your data.</li><li>Use antivirus software and make sure it’s always updated.</li><li>Use antispyware, antiphishing and a firewall and make sure those are always updated as well.</li><li>If you have a website, scan it with an antivirus/antimalware tool or have your hosting provider do it. 
A website and web applications can be attacked by hackers.</li><li>Update to the latest version of the site’s primary software and plugins.</li><li>An unexplained spike in traffic to or from your network is a red flag.</li></ul><p>Robert Siciliano is an identity theft expert to <a href="http://bestidtheftcompanys.com/companies">BestIDTheftCompanys.com</a> discussing <a href="http://www.youtube.com/watch?v=p_ikx0_erfU">identity theft prevention</a>.</p></div>The White Hat Hackerhttps://globalriskcommunity.com/profiles/blogs/the-white-hat-hacker2015-03-14T14:49:15.000Z2015-03-14T14:49:15.000ZRobert Sicilianohttps://globalriskcommunity.com/members/RobertSiciliano<div><p>These days, it is hard to pick up a newspaper or go online and not see a story about a recent data breach. No example better highlights the severity of these hacks than the Sony breach late last year.</p><p><img src="http://activerain.trulia.com/image_store/uploads/agents/robertsiciliano/files/11D.jpg" alt="" align="right" height="281" width="370" /></p><p>While a lot of information, including creative materials, financials and even full feature-length movies were released – some of the most hurtful pieces of information were the personal emails of Sony executives. This information was truly personal.</p><p>You have a right to privacy, but it’s not going to happen in cyberspace. Want total privacy? Stay offline. Of course, that’s not realistic today. So the next recourse, then, is to be careful with your information, and that includes everything from downloading free things and clicking “I agree” without reading what you’re approving, to being aware of who else is viewing your information.</p><p>This takes me to the story of a white hat hacker—a good guy—who posed as a part-time or temporary employee for eight businesses in the U.S. Note that the businesses were aware and approved this study. 
His experiment was to hack into sensitive data by blatantly snooping around computers and desks; grabbing piles of documents labeled confidential; and taking photos with his smartphone of sensitive information on computer screens.</p><p>The results were that “visual hacking” can occur in less than 15 minutes; it usually goes unnoticed; and if an employee does intervene, it’s not before the hacker has already obtained some information. The <a href="http://www.3mscreens.com/visualhacking">3M Visual Hacking Experiment</a> conducted by the Ponemon Institute shed light on the reality of visual hacking:</p><ul><li><strong>Visual hacking is real</strong>: In nearly nine out of ten attempts (88 percent), a white hat hacker was able to visually hack sensitive company information, such as employee access and login credentials, that could potentially put a company at risk for a much larger data breach. On average, five pieces of information were visually hacked per trial.</li><li><strong>Devices are vulnerable:</strong> The majority (53%) of information was visually hacked directly off of computer screens.</li><li><strong>Visual hacking generally goes unnoticed:</strong> In 70 percent of incidents, employees did not stop the white hat hacker, even when a phone was being used to take a picture of data displayed on screen.</li></ul><p>From login credentials to company directories to confidential financial figures – the range of data that can be visually hacked is vast, and what a hacker can do with that information is broader still.</p><p>One way to prevent people from handing over the proverbial “keys to the kingdom” through an unwanted visual hack is to get equipped with the right tools, including privacy filters. 
3M offers its <a href="http://www.3mscreens.com/eprivacyfilter">ePrivacy Filter</a> software, which, when paired with the traditional <a href="http://www.3mscreens.com/">3M Privacy Filter</a>, allows you to protect your visual privacy from nearly every angle.</p><p>Robert Siciliano is a Privacy Consultant to <a href="http://solutions.3m.com/wps/portal/3M/en_US/3MScreens_NA/Protectors/For_Organizations/Risk_Assessment/?WT.mc_id=www.3Mscreens.com/visualhacking">3M</a> discussing Identity Theft and Privacy on YouTube. <a href="http://robertsiciliano.com/blog/2010/01/01/disclosures-term-conditions/">Disclosures</a>.</p></div>Online Data less safe than everhttps://globalriskcommunity.com/profiles/blogs/online-data-less-safe-than-ever2015-02-17T14:36:13.000Z2015-02-17T14:36:13.000ZRobert Sicilianohttps://globalriskcommunity.com/members/RobertSiciliano<div><p>Online data safety: it’ll get worse before it gets better. It’s amazing how many people think they’re “safe” online, while one huge business or entity after another keeps getting hacked to the bone.</p><p><img src="http://activerain.trulia.com/image_store/uploads/agents/robertsiciliano/files/1D.jpg" alt="" align="right" height="295" width="350" /> And “safety” doesn’t just mean preventing your computer from getting infected with a virus, or avoiding an online scam that hands someone your credit card information. It’s also a matter of privacy. While targeted advertising (based on websites you’ve visited) may seem harmless, it’s the benign end of the continuum—someone out there is tracking you.</p><p>So, do you still think you’re hack-proof?</p><p>That you can’t be fooled or lured? That your devices’ security is impenetrable? That you know how to use your device so that nobody can get ahold of your sensitive information?</p><p>Consider the following entities that got hacked. They have cyber security teams, yet still fell victim:</p><ul><li>LinkedIn</li><li>Yahoo! 
Mail</li><li>Adobe</li><li>Dropbox</li><li>Sony</li><li>Target</li></ul><p>You may think the hacking is <em>their</em> problem, but what makes you believe that the service you use is immune? Are you even familiar with its security measures? That aside, consider this: You can bet that some of your personal information is obtainable by the wrong hands—if it already isn’t in the wrong hands.</p><p>Are you absolutely sure this can’t possibly be? After all, you’re just a third-year med student or recent college grad looking for work, or a housewife with a few kids…just an average Joe or Jane…and you use the Internet strictly for keeping up with the news, keeping up with friends and family on social media, using e-mail…innocent stuff, right?</p><p>You’ve never even posted so much as a picture online and say you don’t use a credit card online either.</p><ul><li>But hey, if your passwords aren’t strong, this ALONE qualifies you as a potential hacking victim.</li><li>So, what is your password? Is it something like Bunny123? Does it contain your name or the name of a sport? Keyboard sequences? The name of a well-known place? The name of a rock band?</li><li>Do you use this password for more than one account? Reuse adds to your risk of getting hacked: one breached site exposes every account that shares the password.</li><li>You need not be someone famous to get hacked; just someone who gets lured into filling out a form that wants your bank account number, credit card number, birthdate or some other vital data.</li><li>If you just ordered something from Amazon, and the next day you receive a message from Amazon with a subject line relating to your order…did you know that this could be from a scammer who sent out 10,000 of these same e-mails (via automated software), and by chance, one of them reached someone at just the right time to trick you into thinking it’s authentic?</li><li>People who know you may want your information to get revenge, perhaps a spurned girlfriend. 
Don’t disqualify yourself; nobody is ever unimportant enough to be below the scammer’s radar.</li><li>Did you know that photos taken with a smartphone can carry a GPS tag in their metadata? Unless the site strips it on upload, anyone who downloads the photo can figure out where it was taken. Are you announcing to all your FB friends when your next vacation is? A burglar might read that post and plan his robbery around it. Between the GPS tags and your vacation dates…you’re screwed.</li></ul><p>Well, you can’t live in a bubble and be antisocial, right? It’s like driving a car. You know there are tons of accidents every day, but you still drive. Yet at the same time, if you’re halfway reasonable, you’ll take precautions such as wearing a seatbelt and not driving closely behind someone on the highway.</p><p>Most of your fate is in your hands. And this applies to your online safety. You won’t be 100 percent immune from the bad cyber guys, just like you’re not 100 percent immune from a car wreck. But taking precautions and having the right tools really make a tremendous difference.</p><p>Robert Siciliano is an identity theft expert to <a href="http://bestidtheftcompanys.com/companies" target="_blank">BestIDTheftCompanys.com</a> discussing <a href="http://www.youtube.com/watch?v=p_ikx0_erfU" target="_blank">identity theft prevention</a>.</p></div>How to build up or rebuild your Credithttps://globalriskcommunity.com/profiles/blogs/how-to-build-up-or-rebuild-your-credit2015-02-11T14:37:57.000Z2015-02-11T14:37:57.000ZRobert Sicilianohttps://globalriskcommunity.com/members/RobertSiciliano<div><p>After taking all the necessary steps to fix a credit report after being hacked, it is then time to rebuild your credit. Bad credit is bad credit no matter how it happens. No matter how responsible you are with your money, you won’t get a loan if there’s no evidence of this. The evidence comes from having credit. You need to show lenders you can be trusted. 
<img src="http://activerain.trulia.com/image_store/uploads/agents/robertsiciliano/files/12D.jpg" alt="" align="right" height="233" width="350" /></p><ul><li>Every time you apply for a credit card, this puts a dent in your credit score. In other words, it can negatively affect your scores, especially if there are lots of credit checks in a short period of time. So apply with a lot of discretion; do you <em>really</em> need that extra charge card? Or is it worth it to continually cancel accounts and open new accounts while playing the interest/points game?</li><li>Get a major credit card. A charge card is an opportunity to show that you will pay back, on time, money that you “borrowed.” A debit card for this purpose is meaningless because it withdraws money from your account on the spot.</li><li>Another option is a secured credit card, which requires a security deposit. Your bill payments will not come out of this deposit, but the card looks good to a potential lender, making you seem more trustworthy.</li><li>Charge things like gas, food and other items, and/or put a monthly bill on the card for automatic payments such as your cable bill, then pay the card on time every single time—ideally the entire balance. This will create a record of your trustworthiness.</li><li>Charge no more than 50 percent of the card’s limit in any given month, even if you CAN pay the whole thing off every month. Exceeding 50 percent, some say, can adversely affect your credit score.</li><li>A rule of thumb is to charge only what you’d be able to pay in cold cash every month. Just because your card has a $5,000 limit doesn’t mean you should rack up $4,500 worth of purchases in one billing cycle.</li><li>Use the card every month; don’t let it go dormant, as this is not impressive to a lender. 
If you’re having a tough time remembering to charge things like new shoes, food, drug store items, etc., then set up an automatic monthly charge for a service you already pay for.</li><li>Even ONE late payment will screw things up. Remember, charge only what you’d be able to pay for in cash each month. If you can’t, don’t charge it.</li><li>If YOU check your credit report, it won’t dent your credit score; when lots of creditors check your credit, that can affect your scores.</li></ul><p>Robert Siciliano is an identity theft expert to <a href="http://thebestcompanys.com/antivirus/" target="_blank">TheBestCompanys.com</a> discussing <a href="http://www.youtube.com/watch?v=p_ikx0_erfU" target="_blank">identity theft prevention</a>. For Robert’s FREE ebook text- SECURE Your@emailaddress -to 411247. <a href="http://robertsiciliano.com/blog/2010/01/01/disclosures-term-conditions/" target="_blank">Disclosures</a>.</p></div>Data Breach Aftermathhttps://globalriskcommunity.com/profiles/blogs/data-breach-aftermath2015-02-03T18:30:16.000Z2015-02-03T18:30:16.000ZRobert Sicilianohttps://globalriskcommunity.com/members/RobertSiciliano<div><p>Haste certainly doesn’t make waste if you’ve suffered from an entity getting hacked resulting in a data breach. Don’t waste a single minute delaying notifying affected accounts! In the case of a credit card company, they will investigate; you won’t have to pay the fraudulent charges. The breached card will be closed, and you’ll get a new one. And there is more.</p><p><img src="http://activerain.trulia.com/image_store/uploads/agents/robertsiciliano/files/11D.jpg" align="right" alt="11D.jpg" /></p><p>All sounds simple enough, but the experience can be a major hassle. Below is what you should do upon learning your card has been breached:</p><ul><li>If an SSN is breached, place a credit freeze or fraud alert with the three big credit bureau agencies. 
Placement of the credit freeze or fraud alert will net you a free copy of your credit reports; review them.</li><li>Look for accounts in your name at companies you never dealt with—accounts that you didn’t set up. Notify those companies and cancel the accounts. Make a list of entities that might be affected by your ID theft, then contact them.</li><li>If your identity is actually stolen, you may need documents to prove it to creditors, so file a report with the police and the FTC.</li><li>Keep careful records of all of your relevant correspondence.</li></ul><p>If your credit card was compromised, you also must contact every company or service that was on autopay with the old card. This includes quarterly autopays (e.g., pesticide company) and yearly autopays, like your website’s domain name. Don’t forget these! You now have to transfer all the autopays to your new card.</p><p>But you also must consider the possibility that your credit card breach is only the beginning of more ID theft to come. You now must be more vigilant than ever. If it can happen once, it can happen again.</p><ul><li>Check every charge on every statement. If you don’t remember making that $4.57 charge…investigate this. Thieves often start with tiny purchases, then escalate.</li><li>Use apps that can detect anomalous behavior with your credit card account. Many of these applications are free and will alert you if there’s a purchase that’s out of the norm, such as a charge to the card in your home town and, an hour later, another charge 800 miles away.</li><li>See if your card carrier will let you set up account alerts, such as every time a purchase exceeds a set amount, you get notified.</li><li>Never let your card out of your sight. The thief could have been someone to whom you gave your card for a payment—they used a handheld “skimming” device and got your data. 
If you don’t want to hassle with, for instance, the restaurant server who wants to take your card and go off somewhere to get your payment, then pay cash (if possible).</li><li>Avoid standalone public ATMs; ones inside your bank are less likely to have been fitted with skimming devices.</li></ul><p>Other than tampered ATMs and retail clerks taking your card out of your view to collect payment, there are tons of ways your personal information could get into a thief’s hands. Here are steps to help prevent that:</p><ul><li>Shred all documents with any of your personal information, including receipts, so that “dumpster divers” can’t make use of them.</li><li>When shopping online, use a virtual credit card number; your bank may offer this feature.</li><li>When shopping, patronize only sites that have “https” at the start of the Web address; https means the connection is encrypted, not that the merchant is trustworthy.</li><li>Never save your credit card number on the site you shop at.</li><li>If a retail site requires your SSN in order to make the purchase, withdraw from the site and never go back.</li><li>Never give your credit card or other personal information to online forms that you reached by clicking a link in an e-mail message. In fact, never click links inside e-mail messages.</li><li>Make sure all your computer devices have a firewall and antivirus/antimalware software, and keep them updated.</li></ul><p>Robert Siciliano is an identity theft expert to <a href="http://bestidtheftcompanys.com/companies" target="_blank">BestIDTheftCompanys.com</a> discussing <a href="http://www.youtube.com/watch?v=p_ikx0_erfU" target="_blank">identity theft prevention</a>.</p></div>The ACME Corporationhttps://globalriskcommunity.com/profiles/blogs/the-acme-corporation2012-07-18T15:30:00.000Z2012-07-18T15:30:00.000ZDon Turnbladehttps://globalriskcommunity.com/members/DonTurnblade<div><p>It just seems that either no one is measuring realized risk exposure numbers for their firms, or mum’s the word on their findings. 
The information that I collect is strongly covered by Non-Disclosure Agreements. To help with this, I want to start publishing de-identified statistical abstracts. </p><p>I included some of these statistical abstracts in the financial section of a paper published by ANSI. I am a coauthor on "The Financial Impact of Breached Health Information, A Business Case for Enhanced ePHI Protection" <a href="http://webstore.ansi.org/">http://webstore.ansi.org/</a>. There are more, yet wrapping one's head around measured risk in this area takes time. </p><p>Still, there is a substantial financial costing approach as well as a selection of known failure paths that could be estimated. I want it to be an incremental step toward a better answer to the following question. How does anyone justify Information Security Risk Exposure without any notion of what a data flow is worth and what a misrouted data flow might cost? In medical terms, "When can spending $10,000 on InfoSec be better for patients than buying a new heart monitor?" </p></div>
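<p>The anomaly described in the “Data Breach Aftermath” post above (a charge in your home town, then another charge 800 miles away an hour later) is an impossible-travel check, and it is simple to implement. The block below is an added example; it is not code from any of the posts in this feed or from a card issuer's app, and the transactions, merchant coordinates and the 600 mph plausibility cutoff are all constructed assumptions.</p>

```python
"""Impossible-travel check over card transactions.

Added example for the "Data Breach Aftermath" post; every transaction,
coordinate and threshold below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import List, Tuple

EARTH_RADIUS_MILES = 3958.8
# Anything faster than a commercial jet is treated as implausible (assumption).
MAX_PLAUSIBLE_MPH = 600.0


@dataclass(frozen=True)
class Transaction:
    ts: datetime
    merchant: str
    amount: float
    lat: float            # merchant location
    lon: float
    card_present: bool    # False for online / phone orders


def haversine_miles(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in miles."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def flag_impossible_travel(
    txns: List[Transaction], max_mph: float = MAX_PLAUSIBLE_MPH
) -> List[Tuple[Transaction, Transaction, float]]:
    """Return (earlier, later, implied_mph) for consecutive card-present charges
    that would require the card to move faster than max_mph.

    Card-not-present charges are ignored: an online merchant's location says
    nothing about where the cardholder physically is.
    """
    present = sorted((t for t in txns if t.card_present), key=lambda t: t.ts)
    flagged = []
    for earlier, later in zip(present, present[1:]):
        miles = haversine_miles(earlier.lat, earlier.lon, later.lat, later.lon)
        hours = (later.ts - earlier.ts).total_seconds() / 3600.0
        if hours <= 0:
            # Two places at the same instant cannot be explained by travel.
            if miles > 0:
                flagged.append((earlier, later, float("inf")))
            continue
        mph = miles / hours
        if mph > max_mph:
            flagged.append((earlier, later, mph))
    return flagged


# Constructed sample: one card, one afternoon. The Cambridge -> Chicago pair
# (about 850 miles in one hour) is the charge the post describes.
SAMPLE_TRANSACTIONS = [
    Transaction(datetime(2015, 2, 3, 12, 0), "Coffee shop, Boston MA", 4.57, 42.3601, -71.0589, True),
    Transaction(datetime(2015, 2, 3, 12, 10), "Online retailer, billed from Seattle WA", 129.99, 47.6062, -122.3321, False),
    Transaction(datetime(2015, 2, 3, 12, 30), "Pharmacy, Cambridge MA", 18.20, 42.3736, -71.1097, True),
    Transaction(datetime(2015, 2, 3, 13, 30), "Electronics store, Chicago IL", 899.00, 41.8781, -87.6298, True),
]

if __name__ == "__main__":
    for earlier, later, mph in flag_impossible_travel(SAMPLE_TRANSACTIONS):
        print(f"ALERT: {earlier.merchant} -> {later.merchant} implies {mph:.0f} mph")
```

<p>The card-not-present filter is the part that matters in practice: without it the online order in the sample (Boston to “Seattle” in ten minutes) would raise a false alarm, and a real alerting app that cried wolf like that would be switched off within a week.</p>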