March 2016

The word “data” can be misleading. When we see that word we think of ones and zeroes, bank account numbers, debit card PINs, financial records and software code. Technically speaking, any information stored on any electronic device is data. Data could be how many minutes you like to put on the microwave timer to let you know when your tea is done brewing, it could be the receipt that Amazon sends you when you purchase a Christmas gift for your nephew.

We use the word “data” because we’re talking about cyber security, but “information” might be the more accurate term. We’re not just concerned that someone is going to steal the code for a program we’re developing to compete with Adobe Photoshop, we simply don’t want our secrets getting out. That secret could be a bank account password, or it could be the secret recipe to a restaurant’s signature barbecue sauce. Sensitive data is more than just a bunch of ones and zeroes.

In other words, we need to think not so much of “sensitive data” as “private information.” And this extends beyond data that is stored digitally. Paper-shredders were invented for a reason.

Beyond trade secrets, there are also instances where an information leak might not do any direct harm to your business or to a client or a partner, but it might affect your reputation. An attorney who boasts a little too loudly of all the high-profile clients he’s assisted isn’t proving himself capable so much as he is proving himself incapable of discretion. Even letting information that isn’t-quite-sensitive can be bad news for earning the trust of new clients.

A good rule of thumb is that any information that isn’t attached to a press release or already public knowledge should generally be kept to oneself. Of course it’s fine if your new assistant manager boasts about his promotion to her friends, but if she starts getting too specific about her new responsibilities, she could be putting client trust at risk.

Sensitive data should include anything and everything that someone involved with your company might not want the public to know about. The Internet is full of armchair detectives with nothing better to do than pore over leaked information for anything they can use. They might not even be malicious, they might be major supporters of your brand who lack the self control not to spoil your next product launch. In short: If you’re not already planning to make it public, don’t make public.

Signing up for a new account somewhere is always a bit of a pain. You may have a basic password that you use for almost every account, but then this one says you need something that’s 16 characters long with three numbers, a capital letter and a symbol. How are you going to remember all of that, and how are you going to remember that this is one of the accounts where your password is Olympiu$998 instead of just olympius?

Although these password measures are intended to make your account more secure, they can have the opposite effect simply because you need to write those complicated passwords down somewhere so that you don’t forget them.

So, here are some tips for coming up with new passwords, and remembering them without having to leave a sticky right on your monitor:

• Base your password on a secret. People can look up your date of birth, they can ask you what your dog’s name is, they know your favorite brand of coffee. They might not know the name of your first crush, how old you were the first time you stole your dad’s car, or which Backstreet Boys song you secretly listen to when you’re alone. If you base your password on personal information, make sure it’s not personal information that just anyone might now.

• If you have to write your passwords down, don’t write them down in an unencrypted file on your computer, and don’t keep a list in your wallet. An encrypted file with a password that you can remember is a safe place to keep your codes, or you can stash them in a notepad somewhere private, like under a mattress or in your car’s glovebox.

• If you like to use one password for everything, at least switch it up every now and then. Maybe you can’t remember a list of thirty two passwords for everything you have to log into online, but you can change that skeleton-key password once every six months or so just in case anyone’s cracked it.

Of course, you can also just download a password manager. There are apps that can sync with a smartphone and with the cloud, and can even auto-generate passwords for you so that you don’t need to worry about it. You log into your password manager, and it logs into everything else for you, so you only need to remember one of them. Here are some of the top managers according toPC World.

Source http://www.pcworld.com/article/221505/passwords.html

It’s pretty easy to print out a few pages on how employees can keep private data private. It’s not so easy getting your employees to keep those reminders in mind. Here are a few ideas for ensuring compliance in security protocol:

Clearance Levels

There’s no reason for your interns to have the same clearance level as your senior IT people. Having tiered clearance levels ensures that nobody has to be responsible for anything that isn’t directly related to their own work. If an employee doesn’t have access to certain data, then there’s no way for them to put it at risk in the first place. This will also help you to determine who can be trusted with higher clearance levels by seeing how they comply to security protocol at a lower level.

Get It In Writing

Having employees sign an agreement to comply with all security protocol is a good way to sort of set it in stone. A memo is just a memo, we can take or leave it. Signing one’s name to a legal document, on the other hand, can go a long way to imparting the importance of protocol. Even if you never plan to do anything more than give someone a warning for violating the agreement, simply having the agreement in place can go a long way towards compliance.

Put Responsibility On Your Staff

You don’t even need to have any serious discipline measures in place. If an employee is expected to replace it themselves should they lose their phone, then they’re probably not going to lose their phone. In essence, compliance has a lot to do with making sure that security is just as much a concern for your employees as it is for their employer. It’s easier to keep protocol in mind when it’s for one’s own sake, but not so much when you approach a job with a sort of mercenary attitude. Putting some responsibility on your employees is sort of a way to remind them that they are part of the company, so security is just as much their concern as it is yours.

A lot of compliance issues can be solved simply by hiring the right people. You want people who are experienced enough to appreciate the importance of security, and professional enough to follow protocol. As with any area of running a business, hiring the right people will always make your job easier.

Most cyber-criminals are never caught. It’s a high-reward, low-risk area of crime. Cyber-thieves don’t typically drain bank accounts, they steal a nickel here, a dollar there from thousands and thousands of users, and almost nobody is going to go file a police report over seventy eight cents, and if they do, it’s not going to be a high priority for law-enforcement. Changing your MAC address regularly makes it almost impossible to trace a hacker through the web, and physically capturing a hacker in the act isn’t easy.

And yet, hackers do get caught now and then.

The question is: How?

Bragging

Sometimes hackers just can’t shut up about it, as was the case with a hacker from Anonymous who apparently needs to reread the first chapter of the dictionary. John Anthony Borell III had some fun hacking into the website of the Utah Chiefs of Police Association and the SLC Police Department. He would have gotten away with it too except… he went and took credit for it on Twitter. Other hackers, like “Sabu” got caught after bragging about their dirty deeds in IRC chatrooms. A lot of hackers are in it for the thrill, not the financial reward, and they simply need for others to recognize how clever they are. Sort of like The Riddler in the old Batman TV series: He’d never spend a day in jail if he’d learn to stop leaving clues behind.

Blind Ambition

Some hackers simply don’t know to quit while they’re ahead, like Albert Gonzalez. Gonzalez ran a website where hackers could sell stolen credit card numbers, passports and other sensitive information. After an arrest for credit card fraud, he signed up for Operation Firewall as a key informant. This earned him immunity and a job offer from the Secret Service. So of course, with the Secret Service now keeping tabs on him, what was Gonzalez to do but partner with Ukrainian hacker Maksik and start swiping credit cards, and then start driving BMW’s into work at the Secret Service.

Fame

When you’re too high-profile, the fame alone will do you in. This is what happened to Kevin Pulsen, known as Dark Dante in the late 80’s online scene. Poulsen used to hack government documents, leaking wiretap details on foreign leaders, the mafia and the ACLU. His abilities were so impressive that he actually knocked out Unsolved Mysteries‘ phone lines when they did a feature on him. All the same, the episode made him famous, and he was recognized in a supermarket, leading to his arrest.

Source http://www.adweek.com/socialtimes/hacker-brags-on-twitter/462620 http://www.bbc.com/news/technology-17302656