Protecting Your Small Business Against ID Fraud

Protecting Your Business Against ID Fraud PRESENTED BY JAMES HISEY II PRESIDENT MANAGEMENT INSIGHTS

Upload: management-insights-llc

Post on 01-Jun-2015


DESCRIPTION

Management Insights offers a complete ID Theft/Data Breach solution designed to meet the needs of your business:

1. We ensure greater business security with our comprehensive approach: systems, procedures, people and physical plant

2. We create a response plan, train the people and document the whole project

3. We build in a relationship with a best-of-breed ID theft remediation service

4. We become an ongoing resource

TRANSCRIPT

Page 1: Protecting Your Small Business Against ID Fraud

Protecting Your Business Against ID Fraud

PRESENTED BY JAMES HISEY II

PRESIDENT

MANAGEMENT INSIGHTS

Page 2: Protecting Your Small Business Against ID Fraud

Respond when theft happens

Prepare the business

Protect the business

Understand why ID Fraud is such a big deal

A SCORE WORKSHOP

Goals for our time together

• Help prepare you and your business to defend against ID theft.

• Give you some useful resources you can use to guard against ID fraud and to use when the business is attacked.

Page 3: Protecting Your Small Business Against ID Fraud

Many industry experts tell us it is not if but when your small business will be targeted by a cybercriminal

HAVING A PROCESS IN PLACE TO AVOID AND/OR MITIGATE CYBER CRIMES IS PARAMOUNT

Page 4: Protecting Your Small Business Against ID Fraud

Crooks love small businesses

• Small Businesses don’t believe they are at risk – this makes them an easy target

• They don’t have staff dedicated to keeping the company safe

• They often don’t have policies, processes and procedures to safeguard the business

• They often don’t have a culture that creates an awareness of the danger

• They don’t know what to do if a data breach or id theft happens

Page 5: Protecting Your Small Business Against ID Fraud

Are you a target?

Page 6: Protecting Your Small Business Against ID Fraud

"Small businesses feel like they're immune from cybercrime, and they're wrong. They are absolutely on the list of potential targets of cybercriminals," said Larry Ponemon, chairman of the Ponemon Institute.

A recent survey of executives at 500 U.S. companies of varying sizes found that 76% had had a cyber security incident within the past 12 months resulting in the loss of money, data, intellectual property or the ability to conduct day-to-day business, according to the Computing Technology Industry Association. About half of those cases were described by the businesses as "serious."

You are at risk

Page 7: Protecting Your Small Business Against ID Fraud

You have a responsibility

Most companies experience opportunity costs associated with a breach incident, which results from diminished trust or confidence by present and future customers. … the negative publicity associated with a data breach incident can often damage companies’ reputations… and [slow] new customer acquisitions. (Ponemon Institute Study, 2010)

The estimated cost of a data breach is $214 per record. It could cost an organization with 1,000 customers $214,000 and months to recover. This can strain the resources of even large organizations. For a small company the result could be devastating.

Page 8: Protecting Your Small Business Against ID Fraud

An Identity Theft happens when a crook steals YOUR information

A Data Breach happens when a crook steals your CUSTOMERS’ information

Page 9: Protecting Your Small Business Against ID Fraud

Identity theft and data breaches are types of ID Fraud

• Accidents

  • Losing equipment

  • Hitting the send all button on an email with sensitive information

• Malicious attack

  • Hackers or Thieves

  • Viruses

• System Failures

  • Actual computer failures that lead to loss of data

• Poor policy and lack of preparedness by the organization

Both can happen for many reasons

Page 10: Protecting Your Small Business Against ID Fraud

An ID thief can be anybody from your trash collector to an employee to a cyber criminal

• Drivers licenses

• Credit cards

• Social Security numbers

• Passport

• Medical records

• Customer records

• Utility bills

• Intellectual property

Your car

Your office

Your trash

Your mailbox

Your phone

Your computers

Your network

Your people

Page 11: Protecting Your Small Business Against ID Fraud

Data Breaches

• Banking/Financial

• Business/Corporate

• Educational

• Government

• Medical/Healthcare

Hackers can enter your computer systems from the internet and steal information.

Employees could lose a laptop with company records on it.

Anybody with a thumb drive can steal information.

Thieves could break into your offices and steal records.

Page 12: Protecting Your Small Business Against ID Fraud

Thieves steal from us using the very things we need to be in business today

Page 13: Protecting Your Small Business Against ID Fraud

Where your company is vulnerable…

• Viruses

• SPAM

• Phishing

• Systems

• Lack of policies

• Lack of preparedness

• Lack of knowledge

• Your trash

• The phone

• Social Media

• The Cloud

• Your People

…and the list grows all the time as technology pushes forward

Page 14: Protecting Your Small Business Against ID Fraud

We are vulnerable on the Internet

File Infectors: Attach themselves to programs and spread when you run the program

Boot Sector: Write themselves into the computer’s memory when you start it

Trojan Horses: Act like legitimate programs

Macro Virus: Attach themselves to documents, email, websites, pictures and anything else you might open on the internet

Viruses and malware are computer programs - sometimes called malicious code - that are created to cause harm!

Page 15: Protecting Your Small Business Against ID Fraud

What to Expect if Infected…

Viruses and their relatives can and do:

• Delete files

• Wipe your hard drive clean

• Email confidential information to crooks

• Cause your computer to attack other computers

• Make it impossible for you to use the machine

Page 16: Protecting Your Small Business Against ID Fraud

Viruses have lots of names

• DoS attack - denial of service

• RootKit

• Drive by download

• Key logger

• Malware

• Adware

• Trojan

• Botnet

• Spyware

Page 17: Protecting Your Small Business Against ID Fraud

DoS Attack

• Denial of service attacks are designed to crash your website, your server or your network

• Crooks flood the website with so many requests for pages that the server can’t respond and crashes

Denial of Service and DDoS (distributed denial of service) attacks

Page 18: Protecting Your Small Business Against ID Fraud

RootKit

• A rootkit gives the crook access to all your folders and files, things like your address book, and your customer records

• It runs with administrator privileges

• Rootkits hide from your antivirus software on the operating system

• They also hide other programs like malware, bots and worms

• They can be hard to remove

• They can be hard to detect

• They can create logs about your computer usage

A rootkit commands and controls the computer without your knowledge

Page 19: Protecting Your Small Business Against ID Fraud

Key Logger

• Key loggers are really good at stealing user names and passwords

• Common sources of key loggers are file sharing networks, online gaming sites, fake greeting cards sent via email

• A key logger may also install root kits or other programs on your computer

• There are hardware key loggers that can be installed on a computer

Key loggers can record all of your keystrokes or even respond when you visit a banking website and enter your user name and password

Page 20: Protecting Your Small Business Against ID Fraud

Adware

• Adware can be downloaded automatically and without your knowledge by some websites or free programs

• Adware can redirect your browser to another site - more often than not, one you don’t want to visit

• Adware crooks can take advantage of misspelled URLs to take you to a drive by website

Adware programs launch pop ups and other advertisements

Page 21: Protecting Your Small Business Against ID Fraud

How to protect your company from viruses

• Back up your data

• Purchase an antivirus software package

• Be sure you have a firewall in place

• Update your software

• Use secure passwords with the ability to change them periodically

• Don’t respond to emails unless you know who sent them

• Don’t click on links

• Do a full anti-virus scan on all of your computers on a regular basis

Having processes and standard procedures for all of these activities, understood and adopted by all staff, is a critical first step. These are a great place to start!

Page 22: Protecting Your Small Business Against ID Fraud

Hackers/Drive by Downloads

• All you have to do is visit the site

• It is not just “those websites”

• Legitimate websites can be infected. Celebrity sites that downloaded malicious code were in the news recently

• There are ways to trace your steps

Hackers install software that downloads automatically when you visit an infected website

Page 23: Protecting Your Small Business Against ID Fraud

You may be amazed at who gets notified when you visit a website

Page 24: Protecting Your Small Business Against ID Fraud

Collusion is a browser add on that graphs what happens when you visit a website

Page 25: Protecting Your Small Business Against ID Fraud

How to protect yourself from drive by downloads

• Be sure your firewall is on

• Consider a third party firewall

• Never click on links where people other than the owner have posted them – blogs, chat rooms

• Use latest NON Beta browsers

• Don’t install plug ins or add-ons that you don’t know

• Be careful about downloading software.

Page 26: Protecting Your Small Business Against ID Fraud

SPAM

• SPAM is all that junk e-mail you get

• It is sent out en masse and spammers make money from the small percentage of people who respond

• SPAM can - and sometimes does - spread malicious code

You really can thank Monty Python

Page 27: Protecting Your Small Business Against ID Fraud

How do crooks get my email in the first place?

• They buy them

• 30 million Hotmail addresses go for $450

• 5 million Gmail addresses go for $350

• If your Internet service provider won’t let you send 5 million emails at once, crooks can buy that service too

Or phone number, etc.

Page 28: Protecting Your Small Business Against ID Fraud

How do crooks get my email in the first place?

• You provide them yourself

• Sign up for newsletters

• Facebook, google+

• AMAZON

• LinkedIn

• Online banking

• Go paperless

• Your Internet service provider

• All of those countless people and companies that ask you for your address

Or phone number, etc.

Page 29: Protecting Your Small Business Against ID Fraud

How to protect your company from SPAM

• Use multiple email addresses

• One for your business: jhisey@management-insights.com

• One for your personal mail: [email protected]

• You could have a “subscriber” email and use it to register in public forums, chat rooms, mailing lists etc.

• Don’t click un-subscribe links or respond to spam. When you do the spammer knows you are a real person and you will get even more.

• Use an ISP that provides SPAM filters – most do nowadays.

• If your private address is discovered – change it

• Make sure your web browser is up to date

Don’t ever click on links or attachments included in e-mail unless you know for certain who sent them. Even if you know the person be wary and find out if they actually sent the email before you reply or click

Page 30: Protecting Your Small Business Against ID Fraud

Phishing

• Phishing tricks you into giving away your personal information by creating a fake replica of a real company website

• Phishers are all those people who want to send you $1 million from their uncle in Nicaragua

• Phishers are the friends of yours who send an email from the far east saying they are stranded and need you to send them money

• Phishers are not all on the internet. Those phone calls from the “credit information” service are phishing too

Phishing tricks you into giving away your personal or company information. Sometimes it is called social engineering

Page 31: Protecting Your Small Business Against ID Fraud

This is a real example of a phishing expedition

The crook’s website is no longer there

So when you click you are taken here

Page 32: Protecting Your Small Business Against ID Fraud

This is the real CitiBank website

Notice the real address is in bold

And that the lock sign is there

Page 33: Protecting Your Small Business Against ID Fraud

Here is a Phishing attempt my wife received

Looks real until you check the return address and the foreign alphabet after the ID summary

Page 34: Protecting Your Small Business Against ID Fraud

How to protect yourself from Phishing

• Look for the lock symbol in the address

• Report anything suspicious to your bank

• Don’t complete a form in an email message that asks for personal information

• Be sure the HTTPS:// is in the internet address

• Don’t use an email message to load the web page. Type in the address yourself

• Check your accounts regularly

This is especially important if someone is asking you for bank information

Page 35: Protecting Your Small Business Against ID Fraud

• Facebook, LinkedIn, YouTube, Twitter and more are all important ways to network and grow your business

• As we put more and more information online it makes it easier for our customers and potential customers to find us

• Our information also opens opportunities for theft

Social Media

Secure Passwords are a major way to protect your identity on social media sites

You want customers and those you don’t know are customers to find you

You DON’T want people to change your profile

Page 36: Protecting Your Small Business Against ID Fraud

Social Media - Meet my “friend” JoergR

JeorgR sent me this email

I didn’t think I knew him but he looked sort of familiar and I was curious

Clicking on the link was a BAD idea

Fortunately my virus protection software caught the virus before any harm was done

Page 37: Protecting Your Small Business Against ID Fraud

Social Media

You can change what people see on your public profile

Page 38: Protecting Your Small Business Against ID Fraud

The Cloud

• Drop Box

• ICloud

• Google

• Microsoft

• Amazon

More and more companies are offering to keep your information on their servers

Page 39: Protecting Your Small Business Against ID Fraud

The Cloud

• Drop Box

• ICloud

• Google

• Microsoft

• Amazon

Safety and privacy is a concern

• Cloud computing is the wave of the future

• The question is do you want to have someone else have all of your important business information on their computer

• Actually you probably have a lot of information in the cloud already

  • Email, music, on line backups

• You need to know how your data is being secured and what measures the service provider takes to ensure the integrity and availability of that data should the unexpected occur

• Use secure passwords

Page 40: Protecting Your Small Business Against ID Fraud

Systems Security

THERE IS A LOT YOU CAN DO TO PROTECT YOUR COMPUTER SYSTEMS

Page 41: Protecting Your Small Business Against ID Fraud

Firewalls

Firewalls control what programs can communicate with your computer

Page 42: Protecting Your Small Business Against ID Fraud

Secure your web browser

• Add ins

• Plug Ins

• Security Settings

• InPrivate

Page 43: Protecting Your Small Business Against ID Fraud

Pop Up Blockers

Control those unwanted ads and websites that “Pop UP” when you visit the main site. Even MSNBC uses pop ups

Privacy settings control which pop ups are allowed

Page 44: Protecting Your Small Business Against ID Fraud

Plug Ins, Add Ins and their relatives

This is software that increases the functionality of a larger program. For example, a plug in allows your web browser to play videos

Some are gateways for malware

There are ways to disable plug ins and add ins

Page 45: Protecting Your Small Business Against ID Fraud

How to create a secure password

• Make passwords you can remember but are hard to guess. Not your kids’ names, not your birthday, not a real word

• Mix upper and lowercase letters, numbers and punctuation marks

• Don’t use the same password on all of your accounts. If a hacker cracks one they have them all

• Use a phrase – !amcO1dt@day

• Use Padding – C@t$$$$$$$$$$$$$$$

• Change your passwords often, but don’t recycle them East1port, West2port, South3port

• Don’t tell anyone your password! If you have to give it out, change it right away

Size does matter

A 6 letter alpha numeric password can be cracked in 0.0000224 seconds

A 10 letter alpha numeric password can take weeks to crack
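The rules on this slide written as a check that can be run against a proposed password and the ones used before it. This is an added example, not part of the original presentation; the function names, the 10-character minimum (taken from the slide's 6-versus-10 comparison) and the 50% overlap threshold are assumptions.

```python
import math
import string
from difflib import SequenceMatcher

# Assumption: minimum length taken from the slide's 6-vs-10 character comparison.
MIN_LENGTH = 10

# The four character classes the slide asks you to mix.
CLASSES = {
    "lowercase letter": string.ascii_lowercase,
    "uppercase letter": string.ascii_uppercase,
    "number": string.digits,
    "punctuation mark": string.punctuation,
}


def search_space_bits(password):
    """Upper bound on brute-force effort in bits: length * log2(pool size).

    It assumes every character was chosen at random, so it overstates
    passwords built from words or repeated characters.
    """
    pool = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def skeleton(password):
    """Lowercase the password and mask digits, so East1port -> east#port."""
    return "".join("#" if c.isdigit() else c.lower() for c in password)


def is_recycled(new, previous, share=0.5):
    """True if `new` shares a long run of characters with an earlier password."""
    a = skeleton(new)
    for old in previous:
        b = skeleton(old)
        shorter = min(len(a), len(b))
        match = SequenceMatcher(None, a, b, autojunk=False).find_longest_match(
            0, len(a), 0, len(b))
        if shorter and match.size / shorter >= share:
            return True
    return False


def check(new, previous):
    """Return the list of slide rules that `new` breaks (empty list = passes)."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in new):
            problems.append(f"no {name}")
    if new in previous:
        problems.append("already used on another account")
    elif is_recycled(new, previous):
        problems.append("recycled variant of an earlier password")
    return problems


if __name__ == "__main__":
    history = ["East1port"]  # sample history built from the slide's own examples
    for candidate in ["West2port", "South3port", "!amcO1dt@day"]:
        print(candidate, round(search_space_bits(candidate)),
              check(candidate, history))
        history.append(candidate)
```
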

Page 46: Protecting Your Small Business Against ID Fraud

Password Managers

• So you have all of these fancy secure passwords but if you are like me I can’t remember them when I need them.

• A Password Manager remembers them all for you and signs you in automatically.

• They will generate secure passwords

• All you have to do is remember 1 password.

• PC magazine rates some of the best -

• Dashlane 1.1

• Kaspersky Password Manager

• Last Pass 2.0

Password Managers keep track of all of your passwords...

You may find them useful

Page 47: Protecting Your Small Business Against ID Fraud

How do you know if your computer is infected

• Your computer starts behaving strangely

• Unexpected sounds or messages

• Programs that start all by themselves

• You get a firewall warning

• System errors

• Computer won’t start

• Blue screen of death

• The hard drive access light keeps running

• Web browser won’t let you close a window

• Programs or controls no longer work

It is not always easy to tell

Page 48: Protecting Your Small Business Against ID Fraud

What to do with a computer that has a virus

• Disconnect from the internet

• Try loading the operating system in “safe mode”

• Boot from a rescue CD

• If the computer starts do a complete scan using your antivirus software. If the virus scan finds nothing you may not have a virus

• Remove any unlicensed/trial software

• Remove all of those junk files you have

• Be sure you have the latest software updates installed

• If the computer was compromised and data was breached don’t turn it off

It is not always easy to tell

Page 49: Protecting Your Small Business Against ID Fraud

We are vulnerable – Dumpsters and more

Don’t forget that the internet is not the only place your data can be breached

Page 50: Protecting Your Small Business Against ID Fraud

Protect physical records and prying eyes

• Use a shredder

• Keep files locked

• Secure your mail boxes

• Use passwords on your computers’ screensaver

Page 51: Protecting Your Small Business Against ID Fraud

Preparedness Plan

Page 52: Protecting Your Small Business Against ID Fraud

It takes a whole company to protect the business

• Leadership to provide direction and resources

• Secure the computer systems

• Familiarity with changing state and federal notification requirements

• Notifying the media and keeping track of how a breach may affect the business

• Training employees and making them aware of how to protect themselves and the organization

• Notifying and engaging law enforcement should a theft occur

• Working with a theft and data breach resolution provider to handle escalation, tracking, notification and call center services for those affected by the breach

In a small organization managing all of these functions may rest on just one or two people

If a breach occurs there is a lot to do. These are the things you need to consider across your business

Page 53: Protecting Your Small Business Against ID Fraud

Make fraud preparedness a priority

• Have data security and mobile device policies and keep them current

• Communicate those policies to everyone

• Limit the type of data an employee can access based on job requirements

• Review the plan annually

Make sure everyone in the company knows what to do

Page 54: Protecting Your Small Business Against ID Fraud

Make fraud preparedness a priority

• Choose an Incident leader

  • Manages the company’s overall response and team

  • Is the intermediary between executives and the team

  • Reports problems and progress

  • Identifies key tasks, timelines, documents and reports the theft and its solution

  • Proposes the ID Fraud budget required to remedy

  • Summarizes required steps

  • Updates contact lists

  • Assures key personnel are trained

  • Reviews the organization’s response to make the next time function better

Put your team together

Train everybody

Practice – just like a fire drill

Page 55: Protecting Your Small Business Against ID Fraud

Are you ready?

• Internet access

• Email

• Preparedness is a priority

• Restricted use of thumb drives

• Laptops are encrypted

• Mobile devices

• Data access limited to those who need to know

• Best practices followed by the entire organization

• Regular bank and credit card account monitoring

Page 56: Protecting Your Small Business Against ID Fraud

Are you Ready – Look at your legal obligations

• Work with your attorney to be sure you meet your industry reporting obligations for the type of data that was stolen

• Review who needs to be contacted

• Customers

• Employees

• Media

• Regulators

• Agencies

• If notifications are required be sure they are sent within the required timeline

• Never send Social Security Numbers or other sensitive information to vendors supporting your breach rectification efforts

Page 57: Protecting Your Small Business Against ID Fraud

Are you ready?

1. Update the data breach response team contact list

2. Review your response plan to be sure it is comprehensive

3. Review notification requirements

4. Evaluate your Information Technology Security

5. Be sure third parties that have access to your data use best practices

6. Review your vendor contracts to assure they continue to match your requirements

Quarterly

Page 58: Protecting Your Small Business Against ID Fraud

What to do if there is a breach

Page 59: Protecting Your Small Business Against ID Fraud

What to do first

1. Note the date and time the theft occurred or you found out about it

2. Engage the response team

3. Preserve evidence by securing the place where the theft occurred

4. Take affected machines offline to stop additional harm but DON’T turn them off

5. Document, document, document

6. Determine what the risk is overall and prioritize next steps

7. Notify your vendors

8. Bring in the police

The breach or theft is “discovered”

Page 60: Protecting Your Small Business Against ID Fraud

Work with your team to find out more about what happened

• What counter measures were in place when the theft occurred

• Was the data encrypted

• Review backups and other information that was preserved to find out as best you can what was taken

• Begin the process to determine who was affected and the extent of it

• Put together names and addresses so they can be notified

Page 61: Protecting Your Small Business Against ID Fraud

Fix the cause of the problem

• Find and delete the virus or other tools the hacker used to get the data

• Clean the affected machines before you put them back on line

• Find and fix security gaps or other risks

• Do the best you can to ensure that the type of breach does not happen again

• Document the who, what, when, how and why of the breach or theft

Page 62: Protecting Your Small Business Against ID Fraud

Resources

• Microsoft malicious software removal tool

• Microsoft Safety and Security Center

• Your computer manufacturer

• Your software manufacturer

• Your ISP

• Google

• Virus definition directory

• Build a list of trusted sites

• ID theft resource center

There are tons of information out there about ID Fraud

Page 63: Protecting Your Small Business Against ID Fraud

ID Theft Protection Services

• Credit Monitoring

• Credit Reports

• Credit Scores

• Internet Monitoring

• Alerts

• Public Records Monitoring

• Software

• Lost Wallet

• Insurance / Guarantee

• Call Center

• Guidance and advice

NXG Strategies

Lifelock

ProtectMY ID

Trusted ID

Page 64: Protecting Your Small Business Against ID Fraud

Summary

Page 65: Protecting Your Small Business Against ID Fraud

Protecting the business against theft requires all of these things

• Knowledge

• Systems

• People

• Policies

• Plans

• Partners

I asked someone once what is the most important thing you need to have a successful business. He said “You need it all.”

ID theft protection is part of the requirement.

There is a lot to learn but you are not alone

SCORE

Management Insights

Page 66: Protecting Your Small Business Against ID Fraud

At the end of the day it is the right thing to do!

• Knowledge

• Systems

• People

• Policies

• Plans

• Partners

• Power

• Your computers and your business will run better

• Your business will be more secure

• You will have more time to do the important things

• You will save money

• You are fighting evil

• You will sleep at night

• You are being a proactive business owner

• You will know enough to finally understand what the IT people are talking about a little better

• You will have more power over your enemies

• You will have done all you can to protect your business against a real and present danger

• You will meet some really cool people who have your back

Page 67: Protecting Your Small Business Against ID Fraud

Questions

Page 68: Protecting Your Small Business Against ID Fraud

How did we do?

Page 69: Protecting Your Small Business Against ID Fraud

Thank you!

James Hisey II

President

Management Insights LLC

384 Ronald Drive

Fairfield, CT [email protected]