How Small Businesses Can Evaluate Their Security Risks in the New Year

Evaluating risk vs. reward is a process most people go through on a daily basis. For example, you are about to make a left-hand turn but a car is coming. You think you can make it, but he’s coming kind of fast. The risk, of course, is misjudging his speed and getting into an accident.

Ready.gov defines a risk assessment as a process to identify potential hazards and analyze what could happen if a hazard occurs. A business impact analysis (BIA) is the process for determining the potential impacts resulting from the interruption of time-sensitive or critical business processes.

A business impact analysis (BIA) predicts the consequences of disrupting a business function or process and gathers the information needed to develop recovery strategies. Potential loss scenarios should be identified during a risk assessment. Operations may also be interrupted by the failure of a supplier of goods or services, or by delayed deliveries. There are many possible scenarios which should be considered.

Risk is a fundamental part of a small business operation. The question is how much attention you pay to each risk and what the reward is for reducing it. The cost/benefit key is to recognize risk effectively and reduce it with as little investment as necessary.

Define Risk

Be able to define and articulate the risks the organization may face in a given year, and stay alert to them. If any of these risks could cause loss in any way, they need to be addressed far in advance.

Identify Risk

Risk comes in many forms. Create a list of potential threats from your experiences, others’ experiences or from proper risk assessment plans. Threats come from criminal hackers, employees, customers, competitors and more. What’s at risk may include reputations, digitized information, paper documents, physical hardware, and life and limb.

Create a Risk Assessment Chart

Compile a list of assets (people, facilities, machinery, equipment, raw materials, finished goods, information technology, etc.) in the left column.

For each asset, list hazards that could cause an impact. Since multiple hazards could impact each asset, you will probably need more than one row for each asset. You can group assets together as necessary to reduce the total number of rows, but use a separate row to assess those assets that are highly valued or critical.

For each hazard consider both high probability/low impact scenarios and low probability/high impact scenarios.

As you assess potential impacts, identify any vulnerabilities or weaknesses in the asset that would make it susceptible to loss. These vulnerabilities are opportunities for hazard prevention or risk mitigation. Estimate the probability that the scenarios will occur on a scale of “L” for low, “M” for medium and “H” for high.

Analyze the potential impact of the hazard scenario. Rate impacts “L” for low, “M” for medium and “H” for high.

Information from the business impact analysis should be used to rate the impact on “Operations.”

The “entity” column is used to estimate potential financial, regulatory, contractual, and brand/image/reputation impacts.

The “Overall Hazard Rating” is a two-letter combination of the rating for “probability of occurrence” and the highest rating that impacts people, property, operations, environment, and entity.

When evaluating risk and deciding where funds, energy and attention are allocated, a risk scoring system can help separate what is a high or low probability from what would cost the company irrevocable harm.
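The chart steps above can be carried out in a few dozen lines of code. The following is an added example, not code from the post or from Ready.gov: each row pairs an asset with one hazard, carries the L/M/H probability and per-area impact ratings, and the Overall Hazard Rating is derived exactly as described (probability letter followed by the highest impact letter). The asset names, hazards, ratings and vulnerabilities are constructed sample data, and the ranking order used to sort the chart is this example’s own choice, not a rule from the post.

```python
# Added example (not from the post or Ready.gov): a small risk assessment
# chart that follows the worksheet steps described above. Asset names,
# hazards and ratings below are constructed sample data.
from dataclasses import dataclass, field

RATING_ORDER = {"L": 0, "M": 1, "H": 2}          # low < medium < high
IMPACT_AREAS = ("people", "property", "operations", "environment", "entity")


@dataclass
class HazardRow:
    """One row of the chart: an asset, one hazard that could affect it,
    the estimated probability and the rated impact per area."""
    asset: str
    hazard: str
    probability: str                       # "L", "M" or "H"
    impacts: dict                          # area -> "L"/"M"/"H"
    vulnerabilities: list = field(default_factory=list)   # weaknesses noted while assessing


def check_rating(value, what):
    """Reject anything that is not one of the three letters used on the chart."""
    if value not in RATING_ORDER:
        raise ValueError(f"{what} must be L, M or H, got {value!r}")
    return value


def highest_impact(impacts):
    """Highest rating across people, property, operations, environment and entity.
    An area left out of a row is treated as low impact ("L")."""
    for area in impacts:
        if area not in IMPACT_AREAS:
            raise ValueError(f"unknown impact area {area!r}")
    ratings = [check_rating(impacts.get(area, "L"), area) for area in IMPACT_AREAS]
    return max(ratings, key=RATING_ORDER.__getitem__)


def overall_rating(row):
    """The two-letter Overall Hazard Rating: probability letter followed by
    the highest impact letter, e.g. "MH"."""
    return check_rating(row.probability, "probability") + highest_impact(row.impacts)


def rank(rows):
    """Sort rows so those that deserve funds and attention first come first.
    Assumption of this example, not a rule from the post: rows are ordered by
    probability + highest impact, with highest impact breaking ties, so a
    low-probability/high-impact row outranks a high-probability/low-impact one."""
    def key(row):
        p = RATING_ORDER[check_rating(row.probability, "probability")]
        i = RATING_ORDER[highest_impact(row.impacts)]
        return (-(p + i), -i, row.asset, row.hazard)
    return sorted(rows, key=key)


def render_chart(rows):
    """Return the chart as text lines (header plus one line per row), highest-rated first."""
    lines = [f"{'Asset':<22}{'Hazard':<24}{'Prob':<6}{'Impact':<8}Overall"]
    for row in rank(rows):
        lines.append(f"{row.asset:<22}{row.hazard:<24}{row.probability:<6}"
                     f"{highest_impact(row.impacts):<8}{overall_rating(row)}")
    return lines


# Constructed sample chart for a small business.
SAMPLE_ROWS = [
    HazardRow("Customer database", "ransomware", "M",
              {"operations": "H", "entity": "H"},
              ["unpatched file server", "no offline backup"]),
    HazardRow("Server room", "flood", "L",
              {"property": "H", "operations": "M"}),
    HazardRow("Paper records", "theft", "L",
              {"entity": "M"}, ["unlocked filing cabinet"]),
    HazardRow("Web storefront", "credential stuffing", "H",
              {"entity": "M", "operations": "L"}, ["password reuse by customers"]),
    HazardRow("Key supplier", "delayed deliveries", "M",
              {"operations": "M"}),
]

if __name__ == "__main__":
    print("\n".join(render_chart(SAMPLE_ROWS)))
```

Running the script prints the sample chart sorted so the ransomware row (rated “MH”) and the credential stuffing row (“HM”) come first, followed by the low-probability flood (“LH”), the supplier delay (“MM”) and the theft of paper records (“LM”). The `vulnerabilities` list on each row is where the weaknesses noticed during assessment are recorded, since those are the prevention and mitigation opportunities the chart is meant to surface.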

The worst thing any organization can do is…nothing. Taking responsibility and using past experience and prediction methods can properly prepare an organization for the inevitable. As they say, if you fail to plan, you plan to fail.

Robert Siciliano is a personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked!

What Security Challenges to Focus on in the New Year

In 2012, security challenges we faced were often the ribbon cuttings and business plans that startup criminal organizations launched. In 2013, those criminal enterprise business plans will come together—and we need to be ready.

Social media is high on criminal hackers’ radar. Criminals scan social media looking for people they can scam. One such scam seeks out entire families and usually targets a grandparent: the criminal poses as the grandchild and calls granny asking for money to be wired. Criminals also look at your page for details that help them get through password resets. Only friend those you know, like and trust, and lock down your privacy settings.

With Windows 8 out, criminals have set their sights on this new operating system and are seeking out its vulnerabilities. Old Windows XP machines will be as vulnerable as ever. Macs are higher on hackers’ radars, too. Protecting your devices with essential security such as antivirus protection, and keeping the OS updated, is critical.

Mobile is also high on the hackers’ radar. McAfee predicts that as mobile malware grows, we can expect to see malicious apps that can buy additional apps from an app store without your permission. Buying apps developed by malware authors puts money into their pockets. We also expect to see attacks that need no app installed by you, so no interaction on your part is required for the malicious app to spread.

Ransomware is quickly moving from the PC to mobile devices. Criminals hijack your ability to access data on your phone, or even to use your phone, so you are faced with losing your contacts, calls, photos, etc. or paying a ransom—and even when you pay the ransom, you don’t always get your data back.

Protect yourself by refraining from clicking links in text messages, emails or unfamiliar web pages displayed in your phone’s browser. Set your mobile phone to lock automatically, and unlock it only by entering a PIN. Consider investing in a service that locates a lost phone, locks it, wipes the data if necessary and restores that data on a new phone. Keep your phone’s operating system updated with the latest patches, and invest in antivirus protection for your phone.


What We Learned About Digital Security In 2012

Sometimes the worst things that can happen become the eye-opening best things that effect positive change. The year 2012 saw numerous high-profile data breaches, epic hacks, full-on hacktivism and lots of major identity theft ring busts. The best news is that the public is more aware, which means people are better equipped to protect themselves, and law enforcement is well prepared to take down criminals. Individuals, companies and governments worldwide all have their eyes open and are taking action to protect themselves.

High-Profile Breaches

LinkedIn, Yahoo and many others were hacked—and hacked BIG. Unpatched system vulnerabilities and simple passwords were the common denominator in many of these hacks. It’s not enough to have antivirus protection; you also need antispyware, antiphishing, a firewall, updated critical security patches in your operating system and strong passwords that can’t easily be cracked. The good news is all these things are easy to do.

Epic Hack:

Wired reporter Matt Honan recounts how his connected digital life was used to destroy all his data. From this we learn that even a technologist is vulnerable, and that there is no shortage of lessons to be drawn from his experience.

“In many ways, this was all my fault. In the space of one hour, my entire digital life was destroyed,” he says. “First my Google account was taken over, then deleted. Next my Twitter account was compromised and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad and MacBook.”

The chance of this happening to you is slim, but knowing it’s possible will make you better prepared.

Hacktivism Grows Up

Hackers have evolved significantly over the past 20 years. At first, “hacker” meant someone who was inquisitive and tested the boundaries of technology. But then, in the late ’90s, hacker became a bad word as a result of a few hackers going too far and the media latching onto the title. Last year saw groups like Anonymous and others take action not just to disrupt, but also to right what they considered wrong. While their actions are often illegal, many feel they have evolved into a sort of voice for those who don’t have one.

The Long Arm of the Law

There isn’t a week that goes by without news reports of federal law enforcement, assisted by state, local and even foreign governments, taking down a carder ring or organized web mob responsible for stealing hundreds of thousands to millions of dollars. It was the year when the law got smart, savvy and as sophisticated as the criminal hackers, and that’s the best news of all!


3 Scams To Be Aware of – Look Out for These Nastygrams

Natural disaster scam: Sadly, scammers seem to come out of the woodwork during a natural disaster such as Hurricane Sandy to catch consumers when they’re in a panic, looking for answers, and when they’re most vulnerable.

People should not click on links in, or respond to, phishing e-mails for relief donations that ask for credit card numbers or other personal information. In addition, be wary of tiny URLs on social media services and posts on social networking sites.

Follow these guidelines to ensure that donations to victim relief efforts are sent through legitimate sites:

  • Verify that the organization is actually a registered charity by going to http://www.charitynavigator.org/
  • Recognize that solicitations that arrive by unsolicited email, especially those sounding overly urgent or desperate, are very likely to be scams.
  • Be aware that donation requests made via advertising banners can also be scams.

Black money scam: Scammers send thousands of phishing emails regarding an unknown inheritance. OK, right there should be a red flag. But for many who think their ship has come in, it’s an opportunity to get paid. Once engaged, the victim is told of massive amounts of money that need to be snuck into or out of the country, and that the money has been dyed black to avoid detection by customs officials.

Once a meeting is arranged, the victim is shown a trunk full of dyed black money. Then, to whet the victim’s appetite, a few of the bills are pulled out and a “magic” solution cleans them off into a few nice, crisp $100.00 bills.

The ruse is to get the victim to buy thousands of dollars of this magic cleaning solution for the promise of making hundreds of thousands of dollars.

Grandparents scam: One of the easiest and most vile scams on the block is the “Grandparent Scam”.

The phone rings and an elderly person answers. The caller says either “Grammy, Granny, Grandma, Nana, Nonna, Papa, Baba or Grandpa?” The elderly person says “Yes” and the caller states “It’s your grandson!” When the elderly person responds, rattles off the name of a grandchild and says “Robby, is that you?”, the scammer responds “YES!” and knows he’s got a fish on the hook.

The scammer begins to hem and haw that they’ve been arrested, or are stranded, or their car broke down, or they lost their wallet, and they need the grandparent to wire some money. Once the grandparent agrees, the scammer instructs the victim to go to the address of the local check cashing place that wires money, and siphons as much as possible out of the victim.

If there is someone in your life who could possibly, even remotely, fall for this scam, you need to educate them on what to look for. Put systems in place to make it difficult for them to make financial withdrawals without a cosigner.


How to Protect Your Personal Data: 3 Things You Must Know

There are two kinds of identity theft you must protect yourself from:

New account fraud: Financial identity theft in which the victim’s personal identifying information and good credit standing are used to create new accounts, which are then used to obtain products and services. Stolen Social Security numbers are often used to commit new account fraud.

Account takeover fraud: Using another person’s account numbers, such as a credit card number, to obtain products and services through that person’s existing accounts, or extracting funds from the person’s bank account.

3 ways to protect yourself:

#1. Prevent new account fraud: When a security freeze is in place at all three major credit bureaus, an identity thief cannot open new accounts because creditors can’t check your credit. If you want to apply for credit then simply unlock or unfreeze your credit.

#2. Prevent account takeover: Run Windows Update, also known as “Microsoft Update.” It scans your computer on a regular schedule for any necessary software or hardware updates. You can access Windows Update from your Control Panel. Make sure it is set to download and install critical security patches automatically. Use comprehensive security software and keep it up to date to avoid keystroke loggers and other malware.

#3. Effective passwords: There is no such thing as a truly secure password; there are only more secure or less secure passwords. Don’t reuse passwords across multiple sites: use a different password for each of your accounts, with at least eight characters of upper- and lowercase letters, numbers and, if possible, symbols.


Top 10 Websites for Worry-Free Online Shopping

When searching for a product online, it’s unfortunately too easy to end up on a site that isn’t secure. The following websites provide a worry-free and more secure experience than many others:

Amazon.com: Amazon is the global leader in e-commerce. Started in 1995, Amazon has significantly expanded their product offerings. Today, Amazon offers everything from books and electronics to tennis rackets and diamond jewelry.

Buy.com: With millions of products in categories ranging from computer hardware and software to electronics, cellular, books, movies, music, sporting goods and more, Buy.com’s got whatever it is you’re craving 24/7, all year long.

Walmart.com: Walmart.com is a lot like your neighborhood Walmart store. They feature a great selection of high-quality merchandise, friendly service and, of course, Every Day Low Prices.

eBay.com: With more than 100 million active users globally, eBay is the world’s largest online marketplace, where practically anyone can buy and sell practically anything.

Shopping.com: Shopping.com, an eBay company, pioneered online comparison shopping over a decade ago and today remains one of the leading shopping destinations for a comprehensive set of products from thousands of premier brands and trusted online stores.

Apple.com: Apple is an American corporation that designs, develops, and sells consumer electronics, computer software, and personal computers including the iPhone, iPad, Mac and many other products.

Overstock.com: Overstock.com is a discount retailer that sells a broad range of products including furniture, rugs, bedding, electronics, clothing, jewelry, travel, cars, and more.

Yahoo Shopping: You know Yahoo as a search engine; what better place to find what you are looking for than the search engine’s marketplace?

QVC.com: QVC is the world’s leading video and ecommerce retailer, offering a curated collection of desirable brands to millions of customers around the globe each day through broadcast, Internet, and mobile sales outlets.

AOL Shopping: AOL Shopping is an online shopping site focused on women, fashion & beauty trends, and deals to help you find what you are looking for.


10 Secure Online Holiday Shopping Tips

Holiday shopping is easy and convenient, and it can be secure too. Here are 10 tips for a secure online shopping experience during the holiday season:

Avoid spoofed websites. Common sense says that any time you receive an offer via e-mail, you should automatically be suspicious. The same goes for offers via tweets and messages received on any social media site.

Don’t click the links in e-mails. Especially if it’s a “too good to be true” offer.

Beware of cybersquatting and typosquatting, where a domain is made to look like that of a legitimate eTailer.

Look for https:// in the address bar, signifying it’s a secure page. Generally, scammers won’t take the time to set up secure sites. Note the closed padlock in your browser to back up the https.

Beware of e-mails from eBay scammers. If you are seeking deals on eBay, go right to the site and don’t bother responding to e-mails. Search for any deal you see in an e-mail directly on eBay.

Look at the eBayer’s history. eBay is set up on the honor system. If the eBayer is an established seller with great feedback, they should be legit.

Pay close attention to your statements. Check them every two weeks online and dispute unauthorized charges within 2 billing cycles.

Don’t use a debit card online. If your debit card is compromised, that’s money out of your bank account. Credit cards have more protection and less liability.

Avoid paying by check online or by mail order. If the money is taken from your account and you don’t receive the goods, you will have a difficult, if not impossible, task getting it back.

Secure your PC. Install your critical security patches, update your anti-virus, and only shop from a secured internet connection.


The Upside of Electronic Health Records – Will This Be Possible?

In a world where a tweet can be heard around the world instantly, a friend’s video on YouTube can go viral overnight, and you can speak to anyone online across the globe without using a phone, it seems backwards that the local hospital may still be keeping your medical information in a filing cabinet. This situation is starting to change, however, as healthcare providers around the world introduce increasingly sophisticated IT systems to securely store and share patient data.

Having electronic medical information available to any doctor you visit, any time, for any reason can be extremely time-saving, efficient and, of course, life-saving.

The key to electronic healthcare documents being accessible to everyone lies in:

  • Secure electronic storage of patient data in a format that can be accessed and updated as necessary by healthcare professionals.
  • The distribution to patients of smart cards that can be used for storing medical information (such as blood group, allergies and treatment history), verifying their identity, carrying prescriptions and making health insurance claims.
  • A fully integrated e-healthcare system that makes it possible for a doctor to upload a prescription onto a national database and the patient’s personal smart card at the same time. The patient then takes the smart card to a drugstore, where the pharmacist can insert it into a reader to confirm the details of the prescription. Meanwhile, those details are on the database so that other medical professionals can view them as necessary.

The downside of digitizing medical documents is that opening up sensitive personal data to greater numbers of people can increase the risk of it being viewed by unauthorized parties. This can lead to identity theft if proper checks and balances in security are not put in place.

So ultimately, the key challenge for healthcare organizations lies in striking a balance between making a system easy to use and ensuring that watertight security controls are in place.


Benefits of an Electronic Passport While Traveling

With the U.S. requiring ePassports or visas from visitors as standard, and the European Union pushing for electronic travel documents, authorities are now requiring citizens to hold new, safe ID documents, giving themselves and their citizens the peace of mind they need.

An Electronic Passport is the same as a traditional passport with the addition of a small integrated circuit (or “chip”) embedded in the back cover. The chip stores the same data that is visually displayed on the passport’s data page; a biometric identifier in the form of a digital image of the passport photograph, which facilitates the use of face recognition technology at ports of entry; the unique chip identification number; and a digital signature that protects the stored data from alteration.

The Electronic Passport facilitates travel by allowing automated identity verification, faster immigration inspections and greater border protection and security.

The Electronic Passport is designed to function for the passport’s full validity period under normal use.

The special features of an Electronic Passport are that it securely stores biographical information and a digital image that are identical to the information visually displayed in the passport; that contactless chip technology allows the information stored in the passport to be read by special chip readers at close range; and that digital signature technology is used to verify the authenticity of the data stored on the chip. This technology is commonly used in credit cards and other secure documents that carry integrated circuits or chips.


Upgrading Your Driver’s License – Why Technology Is Needed for Identity

The driver’s license is a document with multiple uses. On the road, it gives its holder the right to drive certain vehicles. Very often, it also serves as an identity document, particularly in countries that do not have a national identity card program.

This is just one more reason why it has to be highly secure. Historically, it has often been no more than a paper-mounted document with little or no security.

Identity is a simple idea that has become a complex problem. It has become complex due to fraud that is motivated by money, easy credit, and the ease of account takeover. Because identity has yet to be effectively established, anyone can be you.

We have as many as 200 forms of ID circulating from state to state, plus another 14,000 birth certificates and 49 versions of the Social Security card. We use “for profit” third-party information brokers and the lowly vital statistics agency of each state to manage the data. All of these documents can be compromised with a good scanner and an inkjet printer. This is not established identity. This is an antiquated treatment of identity and ID delivery systems.

The international ISO/IEC 18013 standard, which came into force in 2009, outlines the framework for migration towards a secure identity document. The standard stipulates the use of visual security elements comparable to those used on other identity cards and passports.

As with all other secure documents, the standard proposes the addition of a chip (microprocessor) to extend the range of possibilities offered by the card. There are many benefits to using a smart card for driver’s licenses, security being the most important one.
