A deep analysis into security (security analytics programs) unveils some riveting areas that need to be addressed if business users are serious about reducing threats of data breaches.

Reveal data leaks. Convinced your business is “data leak proof”? See what stones that security analytics turn over. Don’t be surprised if the leaks that are discovered have been ongoing, as this is a common finding. You can’t fix a problem that you don’t know exists.

An evolution of questions. Analytics programs can create questions that the business owner never thought to wonder about. Analytics can reveal trends and make them visible under the business owner’s nose.

Once these questions and trends are out of the closet, decision makers in the organization can have a guideline and even come up with additional questions for how to reduce the risk of threats.

Connections between data sources. Kind of along the same concept described in the previous point, security analytics programs can bring forth associations between sources of data that the IT security team many not have unearthed by itself.

Think of data from different sources being poured into a big funnel, and then what comes out the other end are obvious patterns and associations between all that data, even though it was “poured” from differing sources. When “mixed” together, the data reveals connections among it.

Uncovering these associations is important so that businesses can have a better understanding of disparate segments of their network, various departmental information, etc.

Discovery of operational IT issues. Take the previous points a step further and you get a revelation of patterns and connections in the IT operations realm—associations that can help mitigate problems with workflow and efficiency.

In other words, an issue with IT operations could be something that’s causing a drain on productivity, or, something that’s not creating a problem per se, but can be improved to spark productivity.

Uncover policy violations. Analytics can turn up policy violations you had no idea were occurring. Not all violations are malicious, but once they’re uncovered, they cannot be covered up; the next step is to do something about it.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video.

The AllClear Guarantee is designed to protect a business owner’s customers from identity theft. Your customers are assured:

• Six months of automatic protection once they complete their transaction. Each new purchase means extended coverage with any merchant who displays the Guarantee.
• Protection wherever customers go. Customers are protected by the Guarantee beyond your site, no matter where they go or how ID theft happens.
• If a customer’s ID is stolen, AllClear will fix everything: restoration of credit report, recovery of financial losses, etc.
• Zero cost to customers. Participating merchants pay for the Guarantee.

These points are extremely important to the merchant. After all, according to Forrester (2012), 66% of customers are most worried about getting their identities stolen while they’re online. But what’s their greatest online concern? Edelman (2012) says that 90 percent of customers name sharing financial information online as being their greatest concern—as in, for example, using a credit card to make an online payment to a retailer.

How does guaranteed protection benefit the business owner?

• Increased revenue. Your customers will have more confidence when they complete transactions and will feel more secure about giving accurate information.
• Customer retention. When consumers feel safe online, they’re more likely to return time and again. The Guarantee will provide this secure feeling.
• Reduced risk. You’ll be able to respond faster to a data breach, thanks to the Guarantee.

With the AllClear Guarantee, you won’t hope your clients are safe online; you’ll know they are.

• Consumers should seek out websites that show the AllClear Guarantee
• Every purchase gets automatic identity protection.
• The Guarantee is covered by participating merchants.

 Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Most websites should have a privacy policy (although I don’t think it’s always the easiest thing to find). And then once you do find it, you’ll see a huge amount of what I consider to be legal mumbo jumbo. And because you really should care about this stuff, the question becomes how do you sort through all this stuff?

Most privacy policies usually begin with something around them collecting, using and sharing your personal information or data. For example, here’s how Google, Twitter and Apple’s privacy policies start out:

• Google (http://www.google.com/policies/privacy/) – “There are many different ways you can use our services – to search for and share information, to communicate with other people or to create new content.”
• Twitter (https://twitter.com/privacy) – “This Privacy Policy describes how and when Twitter collects, uses and shares your information when you use our Services. Twitter receives your information through our various websites, SMS, APIs, email notifications, applications, buttons, widgets, and ads (the “Services” or “Twitter”) and from our partners and other third parties.”
• Apple (http://www.apple.com/privacy/) – “Your privacy is important to Apple. So we’ve developed a Privacy Policy that covers how we collect, use, disclose, transfer, and store your information.”

Here’s what you really need to understand about a website’s privacy policy as this can affect you

• How it gathers information – sites usually use cookies to collect or track information.
• The type of information it gathers – it is keeping track of your name, age, or email address.
• What it is doing with the information – make sure you understand how the site is using your information, whether it’s just to provide a better experience for you when you return to the site or it is sharing your data with third parties.
• Security measures it has in place – how a site is protecting your information that it gathers is critical. This should be not only when the data is being transmitted to them, but also once they have it.

And why is this important? Those factors above can affect you if the site is not taking care of your personal information. It could lead to unwanted spam, identity theft and financial fraud depending on what type of information they have gathered from you and how they are using it or taking care of it.

You should also know that the sites should provide options for you to opt in or opt out of how they share your information. Another key thing is to find out how long the site keeps your information. Some sites keep it forever, while others delete it after a certain amount of time. For instance, you should know what happens to your data if you delete your account.

Yes this is something else for you to check. But in our digitally connected world, it’s something you just gotta do.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  

You must change your passwords like you must change your bed sheets. This is not up to negotiation, thanks to the influx of viruses, malware, phishing sites and key loggers.

Changing a password means having a new password for all of your accounts rather than using the same password. Imagine what would happen if someone got ahold of your one password—they could get into all of your accounts.

The biggest problem with passwords as far as how easy they can be cracked, is when they have fewer than eight characters, and are an actual word that can be found in a dictionary, or are a known proper name. Or, the password is all the same type of character, such as all numbers. There’s no randomness, no complexity. These features make a hacker’s job easy.

How to change Passwords

• Each site/account should have a different password, no matter how many.
• Passwords should have at least eight characters and be a mix of upper and lower case letters, numbers and symbols that can’t be found in a dictionary.
• Use a password program such as secure password software.
• Make sure that any password software you use can be applied on all devices.
• A password manager will store tons of crazy and long passwords and uses a master password.
• Consider a second layer of protection such as Yubikey. Plug your flashdrive in; touch the button and it generates a one-time password for the day. Or enter a static password that’s stored on the second slot.
• Have a printout of the Yubikey password in case the Yubikey gets lost or stolen.
• An alternative to a password software program, though not as secure, is to keep passwords in an encrypted Excel, Word or PDF file. Give the file a name that would be of no interest to a hacker.
• The “key” method. Begin with a key of 5-6 characters (a capital letter, number and symbols). For example, “apple” can be @pp1E.
• Next add the year (2014) minus 5 at the end: @pp1E9.
• Every new year, change the password; next year it would be @pp1E10. To make this process even more secure, change the password more frequently, even every month. To make this less daunting, use a key again, like the first two letters of every new month can be inserted somewhere, so for March, it would be @pp1E9MA.
• To create additional passwords based on this plan, add two letters to the end that pertain to the site or account. For instance, @pp1E9fb is the Facebook password.
• Passwords become vulnerable when the internet is accessed over Wi-Fis (home, office, coffee shop, hotel, airport). Unsecured, unprotected and unencrypted connections can enable thieves to steal your personal information including usernames and passwords.

Thus, for wireless connections (which are often not secure), use a VPN—virtual private network software that ensures that anything you do online (downloads, shopping, filling out forms) is secured through https. Hotspot Shield VPN is an example and has a free version, available for Android, iPhone, PC and Mac.

• Set your internet browsers to clear all cookies and all passwords when you exit. This way, passwords are never retained longer than for the day that you’ve used them.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. 

Target continues to be tangled up in chains due to its December 2013 data breach that current estimates say affected 110 million customers.

Target is known as proficient and prolific in the use of mobile devices and other means for collecting consumer data. This proficiency has backfired, resulting in the retail giant struggling to regain consumer trust and brand name reputation, not to mention figuring out how this mess happened in the first place and how to prevent a repeat performance.

• Was there a lapse in Target’s IT security?
• Did “Big Data” go too far and get way too ahead of security?

And let’s not put all the focus on Target, either. What happened with Target is a sign of the times and perhaps a sign of things to come in this world of cyber transactions. The questions above should also be asked of Facebook, Google, Yahoo and others who waited until the fiasco involving Edward Snowden’s NSA scandal to better encrypt their user data.

Big Data is like a drug; so addictive you can’t get off it, and of course, a huge potential for danger. Companies like Facebook, Google and Twitter love to sell consumers’ data to advertisers—this is how these giants stay giants; otherwise, they’d shrink into nothing. And there’s no end in sight with Big Data. Big Data is on course to become the Big Bang Data—to forever expand consumers’ personal information into cyber space. 

But all of these entities—retailers, social media, the government—need to take responsibility for what they’re doing with our data.

Just when you thought that your privacy couldn’t be violated any more, Big Data has now spread its tentacles into the realm of selling lists of sexual assault victims, people with AIDS and HIV, and seniors with dementia to marketers. The World Privacy Forum, in the midst of researching how data brokers gather up and sell consumers’ private information, discovered these lists, and unfortunately, there are more disturbing list categories that were uncovered. Marketers are actually purchasing this kind of data to target shoppers from every which way.

When are lawmakers going to catch up to Big Data and grab it by the horns?

In the meantime, consumers need to take control of their information online; it just takes one hacker to wreak havoc. Here are 6 tips every consumer should take to stay protected online.

#1 Install/update your devices antivirus, antispyware, antiphishing and firewall.

#2 Update your devices operating system ensuring the critical security patches are current.

#3 Password protect your devices and use strong passwords with upper/lower case, numbers and characters. Never use the same password twice. 

#4 Protect your wireless communications from prying eyes with a virtual private network that encrypts your data. Hotspot Shield masks your IP address and prevents data leakage.

#5 Limit your exposure on social networks. Consider what you post and how it can be used against you by criminals, predators and your government.

#6 Before giving out your name, address, phone, email, or account numbers consider how it will be used and read the services terms of service and privacy policies.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Should victims of a data breach be notified? This situation can be confusing due to various state laws. Certain issues must be considered, including differences among state laws. Differences include what exactly defines personally identifiable information; which agency (e.g., law enforcement, credit reporting) should be alerted; when victims should be notified; and what the notification letter should say.

Legal counsel can tell you what level of notification you’re entitled to. Not every data breach case requires that consumers or businesses be alerted. But not alerting has its own set of negative consequences.

When an incident does require notification, the information that follows must be considered: (these are general guidelines – review any and all steps with your attorney)

• Treat all victims equally; all get notified, even if this means out of state. Not doing so can yield legal consequences or the media might pounce.
• Though there aren’t really any notification laws regarding overseas victims, they too should be notified.

Notification

The sooner victims are alerted, the better. Under what circumstances, though, should victims be notified? The nature of the breach should be considered, along with type of information stolen and whether or not it may be misused, and the possible fallout of this misuse.

Damage from misuse can be significant, such as with stolen SSNs and names.

When in doubt, consult with legal counsel. Don’t be surprised if you’re informed that breached consumers must be notified; most states require this. And within 30 days. Some states mandate that the Attorney General’s office also be notified.

FTC Recommendations for Notification

• Inform law enforcement when notification takes place so they don’t cross lines with it.
• Also find out from them precisely what information the consumer notification should contain.
• Select someone from your organization to manage release of information.
• This contact individual should be given updated information concerning the breach, plus your official response, as well as guidelines for how victims should respond.
• To aid victims’ communication options, consider providing a toll-free number, posting a website or mailing letters.
• Explain clearly to victims just what you know of the breach. How did it happen? What information was stolen or compromised? How might the thieves misuse it? What actions have the organization taken for mitigation? What reactions are appropriate?
• Make sure victims know how to reach the contact person.
• Make sure the law enforcement official who’s working your case has contact information for victims to use.The officer should also know that you’re sharing this contact information.
• Victims should ask for a copy of the police report, then make copies to give to credit card companies that have honored unauthorized charges.

Robert Siciliano is an Identity Theft Expert to AllClear ID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. 

What a steal: You can purchase a U.S. stolen identity for $25, and an overseas one for $40. Cybercrime is booming. Cybercriminals are competing even against each other. Data theft is becoming increasingly easier, with more and more people gaining entry into this realm. It’s no longer for the elite.

Hiring someone to perform a cybercrime doesn’t take technical knowledge; only the ability to pay. Even a computer isn’t necessary, and the crime can be outsourced.

The underground of cyberspace is known as the Darknet. Illegal activities of the Darknet are mighty cheap these days.

• Under $300: credentials for a bank account that has a balance of $70,000-$150,000.
• $400-$600 a month: Hire a crook to fire a denial-of-service attack on your online competitor to knock it offline. This service can also go for $2 to $5 per hour. Prices are actually quite varied, but the range goes well into the cheap end.
• $40 bought a personal identity (U.S. stolen ID as of 2011), and $60 bought a stolen overseas ID (as of 2011). Currently, these IDs cost 33 to 37 percent less.

Other Crime Fees

• $100 to $300: hack a website
• $25 to $100: A hacker will steal all the data they can on a person or business by using social engineering or Trojan infiltration.
• $20: a thousand bots; and $250 will get you 15,000.
• $4 to $8: one stolen U.S. credit card account including CVV number ($18 for European accounts)

What does all this mean to you? It means your identity is at risk.

• Update your PC with the most current antivirus, antispyware, antiphishing and a firewall.
• Update your devices critical security patches.
• Require password access for all your devices and use strong passwords for your accounts.
• Invest in identity protection because even if you secure your data, a major retailer or bank can be breached putting your data at risk.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247.