How to Create Good Business Continuity/Disaster Recovery Plans

We generally have no idea when a disaster is coming, and even if we do have a heads up, it’s very possible that things are going to go wrong.

How to Create Good Business Continuity/Disaster Recovery PlansThis is where a business continuity plan comes into play for you. What does it do? It is a plan that helps your company get through a disaster. Disaster could mean a natural disaster as in mother nature makes a mess of things, it could also mean fire or flood and it could mean a significant security incident that takes down all systems.

What Does Business Continuity Mean?  

Business continuity, commonly shortened to BC, typically refers to a plan that helps your business function as soon as possible following a disaster. Again, this could be a flood, a fire, or a cyber-attack, amongst other things. With this type of plan in place, you can look to it for specifics when these things occur.

Some people believe that a DR plan, or a disaster recovery plan, is exactly like a business continuity plan, but that’s not true. A disaster recovery plan specifically focuses on IT, and it is actually a part of a full business continuity plan.

Consider your own company. Do you have a plan that would allow you to get your sales up and running? Do you have customer service ready to go if you had a flood? Could you keep handling customer requests if you lost your company to a fire? All of this is part of a BC plan.

Why Your BC Plan is Important  

It doesn’t matter if your business is small or large, you have to remain competitive in the market. It is important that you keep your current customers engaged while also bringing in new ones.

Ensuring that your IT capabilities are up and running is extremely important, and there are many solutions available. You can rely on your IT team for this, but what about the rest of your business functions? The future of your business greatly depends on how quickly you can get back to normal, and if you don’t, you could see your customers leaving in droves.

Your business might also experience losses including financial losses, legal losses, and of course, the loss of your company’s reputation.

The Important Parts of a BC Plan 

If your company doesn’t have a BC plan, you should start by taking a close look at all of your business processes. Look for areas of vulnerability and try to determine what your losses might be if you lose functions in those areas for a day, a few days, a week, or more.

Next you should start creating a course of action. Here, are there six steps that you should take:

1.   Identify what you want to do with the BC plan

2.   Choose areas that you want to focus on

3.   Determine the most critical functions

4.   Look for areas and functions that are dependent on others

5.   Calculate how much downtime is acceptable for any functions that are critical

6.   Create a plan to keep your business open and working as much as possible

One of the best tools that you can have when creating a BC plan is a checklist that includes your supplies and equipment, the location of backups, who should have access to the plan, and a list of contact information for important people, emergency contacts, and backup providers.

Keep in mind that a DR plan is only a part of a full BC plan, do if you don’t have a DR plan in place, this is a great time to make one. Resources that may assist in a DR plan may involve your inhouse IT people, a Virtual CISO or a Managed Service Provider or MSP. If you do have a DR plan, don’t just assume that it will work with your new BC plan. You must make sure they both fit together.

As you begin to create this plan, consider meeting with others who have gone through a disaster and used a BC plan. They can give you a lot of information and share what worked and what didn’t.

Test Out Your BC Plan 

It is imperative that you ensure your plan works before disaster hits, and the only way to do this is to give it a try. The best thing, of course, is a real disaster, but you can also create a “fake disaster” in order to test it out.

You need to make sure that your BC plan is complete, and that it meets your needs in case there is a disaster. You don’t want to take an easy way out, though. Any test should fully challenge your plan, too. Additionally, you must make sure that everything is measured. If you just try to skate by, your plan will be weak, and you could run into issues if a disaster strikes.

It is recommended that you plan on testing your BC plan a couple of times a year, especially if there are potential changes to the plan, like new equipment or staff. Doing things such as simulations or walk throughs can help your team practice and make sure they are ready in case a disaster hits.

Review and Improve Your BC Plan…Always  

The effort you put into testing your business continuity plan cannot be stressed enough. Once this is done, some organizations let it go and focus on other things, but this can quickly lead you to trouble.

Things are changing all the time with both technology and personnel, so it is important that your plan is always up to date to reflect that. This means, that it is a good idea to at least once a year to review your plan with your staff and point out areas that might need to be updated. Additionally, you may want to get staff feedback, which you can ultimately add to the plan.

Ensuring Your BC Plan Will Work 

By taking a casual approach towards creating this plan, the odds are good that it will fail. Every business continuity plan has to have the support of all staff, including senior management, who must take on a very active role in supporting the plan.  On top of this, a plan like this has higher odds of success when management makes it a priority.

Finally, it is extremely important that senior members of staff promote user awareness of this type of plan. After all, if your team doesn’t know about it, and at least a few details about it, how are they supposed to act on it when a disaster strikes? Training and distributing the plan is important, too, so think about working with your human resources team to make sure that all of your staff is aware of the plan and what is in it. This way, your staff knows that it is important, and they can see it as an important part of your business.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

Business Identity Theft; Big Brands, Big Problems

Cyber criminals go after brand names like vultures, infiltrating company websites, hijacking mobile applications and tainting online ads, among other tricks.

http://www.dreamstime.com/stock-photos-identity-theft-red-words-binary-code-computer-monitor-image39907813Some corporate websites aren’t as secure as business leaders think they are—and cyber thieves know this. They use the “watering hole” technique to infiltrate the system. Ever see an animal TV show in which the lions wait in the brush, camouflaged, for their unsuspecting prey to approach the lone body of water? You know the rest.

Think of the company’s website as the watering hole. The company typically uses “landing pages” to entice people to their main site, but leave the landing pages up after they’ve served their purpose. Here’s where trouble starts, fewer resources are devoted to monitoring or updating these pages, allowing hackers to pounce on the vulnerabilities and insert malicious code, luring visitors to malicious sites using the trusted reputation of the brand..

Ultimately, the brand name becomes associated with this. Some examples as reported by Forbes.com:

  • The nbc.com home page was infected with the Citadel/Zeus installation malware.
  • The U.S. Veterans of Foreign Wars’ website was infected with malware.
  • Third-party app stores are a source of downloaded malware, since these are usually un-policed. Apps can be repackaged with mal-code, creating an association of bad with the brand name of that app. The mal-code could gather personal data on the purchaser, which is then sold to data brokers, violating user privacy, making the user think pretty negatively about the brand name.
  • Malvertisements are malicious ads that crooks place on legit websites. These normal-appearing ads spread bad things around, and do NOT have to be clicked to trigger a viral attack.
  • Banner ads can also be the target of injected mal-code.
  • These clever crooks will even pose as an actual name-brand company and put up legitimate ads on a website, but then replace those with mal-ads over the weekend—which go undetected because IT departments are lax on the weekends. After oh, say, a few million computers and mobiles are infected, the thieves stick the original, legit ad back in, which makes their crime difficult to track.

Third-party networks place a lot of ads, making it very hard to hunt down malvertising fraud. This complexity can make it virtually impossible for companies to protect themselves against 100% of malicious attacks.

Robert Siciliano is an Identity Theft Expert to AllClear ID. He is the author of99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Check Fraud Identity Theft is Rising

Robert Siciliano Identity Theft Expert

As opening new lines of credit becomes more difficult, identity thieves are gravitating toward check fraud.

Check fraud is a billion dollar problem. As predicted by the Identity Theft Resource Center, check fraud, which accounted for 12% of financial crimes in 2007, increased to 17% in 2008. According to the American Bankers Association Deposit Account Fraud Survey Report, $969 million were stolen via check fraud in 2006, up from a reported $677 million in 2003. Of the $969 million dollars lost to check fraud, 38% was stolen through return deposit scams, 27% was stolen using cloned checks, 28% was stolen using counterfeit checks,  and 7% was stolen by altering or washing checks.

In an article in The New York Post, a brazen ring of thieves enlisted crooked bank tellers to run a check fraud scheme that was brought down when the crooks made the mistake of forging checks from a NYPD account. Two criminal hacker ringleaders organized the counterfeit scam, using 950 “soldiers,” or “mules,” to deposit and cash counterfeit checks, netting them millions of dollars. Three bank tellers were involved, stealing and selling customer profiles which included names, Social Security numbers, and account numbers. Insider identity theft of this kind accounts for up to 70% of all instances of identity theft.

Check fraud victims include banks, businesses and consumers themselves. Our current system for cashing checks is somewhat flawed. Checks can be cashed and merchandise can be purchased even when there is no money in the checking account.

I presented a program on motivation and self-improvement at a women’s prison in Massachusetts a few years back. I requested a little background on the women I was speaking to, just because I watch too many movies and I wanted to know if there was any possibility I’d get shanked. The case worker informed me that about 80% of the women were incarcerated for check fraud and shoplifting. It seems that when some people get a checkbook, they consider it an opportunity to print money.

There are numerous forms of check fraud:

Forged signatures are the easiest form of check fraud. These are legitimate checks with a forged signature. This can occur when a checkbook is lost or stolen, or when a home or business is burglarized. An individual who is invited into your home or business can rip a single check from your checkbook and pay themselves as much as they like. Banks don’t often verify signatures until a problem arises that requires them to assign liability.

Forged endorsements generally occur when someone steals a check and cashes or deposits it. There’s really nothing anyone can do to protect themselves from this, aside from guarding their checks and going over their bank statements carefully.

Counterfeit checks can be created by anyone with a desktop scanner and printer. They simply create a check and make it out to themselves. In order to prevent your checks from being counterfeited, make sure you shred all canceled checks before throwing them away, and be sure to lock up any checks in your home or office. Consider a locked mailbox so nobody can access your bank statements. You should also seriously consider using online banking exclusively, and discontinuing paper statements.

Check kiting or check floating usually involves two bank accounts, where money is transferred back and forth, so that they appear to contain a balance which can then be withdrawn. A check is deposited in one account, then cash is withdrawn despite the lack of sufficient funds to cover the check. In this case, it’s generally the bank or whoever cashed the check that gets burnt, unless they are able to go after the person who used their own account.

Check washing involves altering a legitimate check, changing the name of the payee and often increasing the amount. This is the sneakiest form of check fraud. When checks or tax-related documents are stolen, either from the mail or by other means, the ink can be erased using common household chemicals such as nail polish remover. This allows the thieves to endorse checks to themselves. In this case, something as simple and inexpensive as a select uni-ball pen can help. Select uni-ball pens contain specially formulated gel ink (trademarked Uni-Super Ink™) that is absorbed into the paper’s fibers and can never be washed out. The pen costs two bucks and is available at any office supply store.

If you write a check to pay a bill and then put it in your mailbox for the postal carrier to deliver, you put yourself at a higher risk for check fraud. Thieves see that red flag up and go phishing for checks. I suggest using a uni-ball pen and taking checks directly to the post office, or dropping them in a big blue mailbox.

If you plan to do any online banking, which millions do, make sure your PC is protected with McAfee anti-virus software and all your critical security patches in your operating system are up to date.

Robert Siciliano identity theft speaker discussing identity fraud and security

Social Media Identity Theft Hits MLB Coach On Twitter

Identity Theft Expert Robert Siciliano

The scourge of identity theft knows no boundaries. It can happen to anyone: rich, poor, good credit, bad credit. Victims include children, the elderly, celebrities and politicians, even the dead. Identity theft may include new account fraud, account takeover, criminal identity theft, business identity theft and medical identity theft. Most of these result in financial loss.

One form of identity theft that is particularly damaging to the victim’s reputation is social media identity theft. Social media identity thieves have various motivations. The most damaging type of social media identity theft occurs when someone poses as you in order to disrupt your life. This disruption can take on many forms. They may harass and stalk you or your contacts, or they may steal your online identity for financial gain.

In the case of St. Louis Cardinals manager Tony La Russa, someone created a Twitter account in his name. La Russa is suing Twitter, claiming the impostor Twitter page damaged his reputation and caused emotional distress. The lawsuit includes a screen shot of three tweets. One, posted on April 19, read, “Lost 2 out of 3, but we made it out of Chicago without one drunk driving incident or dead pitcher.” Apparently, La Russa has had a drunk driving arrest and two Cardinals pitchers have died since 2002. One pitcher died of a heart attack, the other in a drunk driving accident.

There is no limit to the damage someone can do by using your name and picture in order to impersonate you online. In Milwaukee, Wisconsin, an 18 year old student was accused of posing as a girl on Facebook, tricking at least 31 male classmates into sending him naked photos of themselves, and then blackmailing some of these young men for sex acts.

Social media websites were created with the intention of bringing people together in a positive way, but we are beginning to see these sites being used in very sinister ways. The root of the problem is the fact that social media sites are all based on the honor system, with the assumption that people are honestly setting up accounts in their own names. There are few checks and balances in the world of social media, which means that you need to adopt a strategy from yet another form of predator to protect yourself.

There are hundreds or even thousands of social media sites, including Facebook, MySpace, Twitter and YouTube. Even your local newspaper’s website has a place for user comments, and most people would prefer to register their own names before someone else has done so on their behalf.

I have obtained over 200 user names pertaining to my given name in order to mitigate social media identity theft. This may sound obsessive, but the two examples given above are all the proof anyone needs to clamp down on social media. I’m on everything from Affluence.org to Zooomr.com. Some I use, others just have my profile and a link back to my website. I should also mention that there are some hazards involved in such a mission. You may experience a spike in spam, as I did, so I suggest creating an alternate email address. Furthermore, some websites make you join various groups that you don’t have much control over. I’m now a member of some masochistic fetish group of the opposite sex. Not exactly what I signed up for. So be careful.

The goal is to obtain your real first and last name without periods, underscores, hyphens, abbreviations or extra numbers or letters.

These tips bear repeating:

  1. Register your full name and those of your spouse and kids on the most trafficked social media sites, blogs, domains or web based email accounts. If your name is already gone, include your middle initial, a period or a hyphen. It’s up to you to decide whether or not to plug in your picture and basic bio, but consider leaving out your age or birthday.
  2. Set up a free Google Alerts for your name and get an email every time your name pops up online.
  3. Set up a free StepRep account for your name. StepRep is an online reputation manager that does a better job than Google Alerts does of fetching your name on the web.
  4. Consider dropping $65 on Knowem.com. This is an online portal that goes out and registers your name at what they consider the top 120 social media sites. Their top 120 is debatable, but a great start. The user experience with Knowem is relatively painless. There is still labor involved in setting things up and with some of the 120. And no matter what you do, you will still find it difficult to complete the registration with all 120 sites. Some of the social media sites just aren’t agreeable. This can save you lots of time, but is only one part of solving the social media identity theft problem.
  5. Start doing things online to boost your online reputation. Blogging is best. You want Google to bring your given name to the top of search in its best light, so when anyone is searching for you they see good things. This is a combination of online reputation management and search engine optimization for your brand: YOU.
  6. If you ever stumble upon someone using your likeness in the social media, be very persistent in contacting the site’s administrators. They too have reputations to manage and if they see someone using your photo or likeness they would be smart to delete the stolen profile.
  7. Or do nothing and don’t worry about it. But when some other John Doe does something stupid or uses your name in a disparaging way or for identity theft, and people assume that it’s you, remember that I told you so.
  8. Despite all the work you may do to protect yourself, you still need identity theft protection and Internet security software.

Robert Siciliano, identity theft speaker, discusses social media privacy.