<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/" xmlns:cc="http://web.resource.org/cc/" xmlns="http://purl.org/rss/1.0/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">
	<channel rdf:about="IncTechnology RSS">
		<title>IncTechnology.com &gt; Privacy</title>
		<link>http://www.inctechnology.com</link>
		<description />
		<dc:language>en-us</dc:language>
		<dc:creator />
		<dc:date>2009-11-03 22:48:03</dc:date>
		<admin:generatorAgent rdf:resource="Mansueto Ventures" />
		<items>
			<rdf:Seq>
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200908/privacy.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200704/botnets.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200703/biometrics.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200703/phishing.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200704/email.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200702/cellphone.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200609/phishing.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/telecom/articles/200609/Telecom_Trickster.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200608/disasterpervent.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200210/24718.html?partner=rss-alert" />
			</rdf:Seq>
		</items>
	<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/inctechnology/privacy" type="application/rss+xml" /><feedburner:browserFriendly>This is an XML content feed. It is intended to be viewed in a newsreader or syndicated to another site.</feedburner:browserFriendly><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /></channel>
	<item rdf:about="http://technology.inc.com/security/articles/200908/privacy.html?partner=rss-alert">
		<title>No Downturn for Privacy Practices</title>
		<link>http://feedproxy.google.com/~r/inctechnology/privacy/~3/uqSNYQi3tBU/privacy.html</link>
		<description>&lt;p class="MsoNormal"&gt;The recession has pummeled small businesses&amp;#8217; IT budgets, but that&amp;#8217;s no excuse to slack off on electronic privacy and data protection safeguards.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;In fact, hard times make keeping an electronic eye on privacy and IT security critical as economic factors are contributing to more frequent data breaches from outsiders and information theft from just laid-off employees and other company insiders, according to attorney Charles Kennedy, a privacy and data protection expert.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;In 2008, reports of data breaches at U.S. companies jumped 47 percent to 656, according to the &lt;a href="http://www.idtheftcenter.org/index.html"&gt;Identity Theft Resource Center&lt;/a&gt;, a San Diego nonprofit.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Reports of laid-off employees taking company information with them are also on the rise says Kennedy, with the Washington D.C. office of &lt;a href="http://www.mofo.com/"&gt;Morrison Foerster&lt;/a&gt;. Over half of 945 laid-off workers responding to a recent poll by &lt;a href="http://www.ponemon.org/index.php"&gt;Ponemon Institute&lt;/a&gt;, a Traverse City, Mich., privacy researcher, admitted taking company data when they quit because they felt entitled to it, thought it would help in their new job or didn&amp;#8217;t realize it was stealing.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;With breaches on the rise, small businesses simply can&amp;#8217;t use the bad economy to rationalize trimming their electronic data protection program budgets, Kennedy says.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Another reason companies can&amp;#8217;t let down their guard: state and federal regulators continue to pass stringent electronic data protection rules. One of the latest is the Federal Trade Commission&amp;#8217;s Red Flags Rule, which takes effect Aug. 1 and requires financial institutions, health care providers and loan processors to create identity theft prevention programs. The Obama Administration&amp;#8217;s economic stimulus bill included a stepped up health-care records security breach notification requirement that takes effect in February 2010. In addition, states such as Massachusetts and Nevada have passed laws requiring companies to use encryption and put in other controls over consumers&amp;#8217; personal information.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Regulations aside, following stringent privacy and security protocols is good for business. &amp;#8220;If you have good privacy practices you can make it a feature of your advertising,&amp;#8221; if you don&amp;#8217;t exaggerate claims, Kennedy says. &amp;#8220;When the other guy has a breach and you don&amp;#8217;t, that&amp;#8217;s good for you. Security is an edge you can&amp;#8217;t afford to ignore.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Doing the same or more with less&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Still, no one expects small businesses to spend half their revenue on the latest firewalls and other data protections. Companies have to maximize whatever manpower and financial resources they&amp;#8217;ve got. Kennedy and Alex Puertas, a program development manager at &lt;a href="http://www.ironmountain.com/"&gt;Iron Mountain&lt;/a&gt;, the data storage and protection vendor, recommend the following:&lt;/p&gt;

&lt;ul type="disc"&gt;
&lt;li class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;Squeeze every penny from existing privacy protections.&lt;/u&gt;&lt;/b&gt; If you&amp;#8217;ve already purchased encryption, intrusion protection and other security technologies, make sure you&amp;#8217;re using everything you&amp;#8217;ve paid for. &amp;#8220;Some data breaches occur because companies didn&amp;#8217;t do things they should, like update passwords and firewalls. They&amp;#8217;d already paid for them, they just didn&amp;#8217;t use them,&amp;#8221; Kennedy says.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;Eliminate redundancies and shift resources.&lt;/u&gt;&lt;/b&gt; Cut costs by eliminating some of the overlapping functions in the security technologies you use. Likewise, reallocate funds from less critical IT and compliance programs to privacy and security, Kennedy says.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;Create written policies and make sure employees know what they are.&lt;/u&gt;&lt;/b&gt; Written policies can stop problems from happening in the first place and the more trouble you avoid, the less money you have to spend mopping up after the fact. Policies should cover &lt;a href="http://technology.inc.com/security/articles/200811/storage.html"&gt;electronic records management&lt;/a&gt; - what data is saved, who saves it, how often, and by what method. Policies should also cover employees&amp;#8217; use of portable electronics, updates on new regulations and what to do to limit employees&amp;#8217; access to sensitive data if there&amp;#8217;s a layoff.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;Lean on outside contractors&lt;/u&gt;&lt;/b&gt;. Small businesses might not have the financial resources to maintain an in-house chief privacy officer or compliance department. If that&amp;#8217;s the case, make sure you&amp;#8217;re working with lawyers, CPAs, or other consultants who can provide you with reliable guidance and technology on privacy and security matters. &amp;#8220;I deal with small, medium and big companies and I don&amp;#8217;t know of any that can handle all phases of this alone,&amp;#8221; Kennedy says.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;Pick an insider as your privacy policy point person&lt;/u&gt;&lt;/b&gt;. Even if you use a third party to run privacy programs, choose a company insider as a liaison to ensure policies are being followed. That person should also head up formal audits every year or two so programs can be altered to adhere to new laws or industry regulations.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;Tap into industry groups for cheap assistance&lt;/u&gt;.&lt;/b&gt; Trade associations are great resources for timely information on privacy regulations. In some cases, you don&amp;#8217;t even need to be a member to take advantage of reference material that&amp;#8217;s available for free on a group&amp;#8217;s Website, Kennedy says.&lt;/li&gt;
&lt;/ul&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;SIDEBAR: Electronic Privacy and Security Policies Resources&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Here are additional resources for creating electronic privacy and IT security practices:&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;a href="http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml"&gt;&lt;b&gt;Fighting Fraud with the Red Flags Rule: A How-To Guide for Business&lt;/b&gt;&lt;/a&gt; -- A 17-page guide from the FTC on its new identity theft prevention requirements that includes step-by-step instructions businesses can use to create their own programs.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;The Identity Theft Resource Center&lt;/b&gt; -- Theft prevention information for businesses and consumers, plus updates and statistics on data breaches at U.S. companies.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;HIPAA health-care records data breach notification&lt;/b&gt; -- Health and Human Services Department document spelling out details of health-care privacy protections included in the economic stimulus bill that take effect in 2010.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;a href="http://imknowledgecenter.com/topic.asp?pId=2&amp;hId="&gt;&lt;b&gt;Iron Mountain Knowledge Center&lt;/b&gt;&lt;/a&gt; -- Free white papers, webcasts, and other materials on electronic privacy protection and security issues.&lt;/p&gt;

</description>
		<dc:subject />
		<dc:creator>Michelle V. Rafter</dc:creator>
		<dc:date>2009-07-30T12:18:09-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200908/privacy.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/security/articles/200704/botnets.html?partner=rss-alert">
		<title>Beware of Botnets and Other New Kinds of Spam</title>
		<link>http://feedproxy.google.com/~r/inctechnology/privacy/~3/fIAxM3oapkA/botnets.html</link>
		<description>&lt;p class="MsoNormal"&gt;Businesses appear to be falling behind in the eternal war against spammers. Just when they manage to block one variety of unsolicited junk email to their office inboxes, another variety is developed. Until new technological advances come along, the best they can hope to do is use existing technology to stem the flow or outsource the work to companies that fight spam full time.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;In the last year, the amount of spam rose 250 percent over 2005 levels, according to security software firm SonicWall, in Sunnyvale, Calif.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;There are two main reasons for this surge: Image spam and botnets.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Making it past spam filters&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Botnets, in which a virus takes over a PC and turns it into a spam-sending machine, have helped increase the overall amount of spam. The way it works is that perpetrators that want to take over other people's computers for the purpose of sending spam first distribute viruses or worms to mostly Windows PCs. The code also contains a bot, or software robot, that automatically logs onto a server. Spammers access the server and order it to force the PC to send out spam to mail servers.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;While botnets are dangerous, some businesses try to block bots from being deployed through the use of intrusion prevention systems, either through a hosted service or at the network level. While effective against network-based infections, IPS offers little to defend against infections caused by employees willingly downloading bot infection payloads deceptively marketed as screen savers or browser toolbars. And once a PC is infected, these systems won&amp;#8217;t stop bots from communicating with botnets using standard HTTP and HTTPS protocols.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Image spam is also proving difficult to combat. Image spam has added to the amount of spam that makes it past spam filters employed by many businesses or Internet providers. Image spam was devised to foil filters looking for words like &amp;#8220;Viagra&amp;#8221; or &amp;#8220;XXX.&amp;#8221; When text is presented in a JPEG or PDF, such text-seeking filters are rendered useless.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Image spam has been around for a while, but until 2004 or so most of it was filtered out by software that was looking for &amp;#8220;signatures&amp;#8221; -- domains, common words or phrases, bulk recipients, etc. -- that were common to emails sent &lt;i&gt;en masse&lt;/i&gt;. The spammers came up with &amp;#8220;snowflake spam,&amp;#8221; in which every image is unique, although they look the same to the naked eye.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Spammers quickly discovered the technique works: In 2005, only 3 percent of spam was image-based. In 2006, that figure rose to 30 percent, according to IronPort Systems, a San Bruno, Calif., gateway security provider.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Patrick Peterson, vice president of technology for IronPort Systems, says signature-based filters don&amp;#8217;t work very well anymore. IronPort does do some image-based filtering, like looking for similar background colors, but the technique is far from foolproof and optical character analysis -- the ability to recognize image-based text -- is still way too ineffective.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;How to block the new flavors of spam&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Another way to address image spam is to simply block all images unless they are sent from an address that has been pre-selected by the recipient. The downside, of course, is that some legitimate emails will inevitably be lost in the shuffle.&lt;br /&gt;
In addition to filtering and blocking, many spam-fighters are focusing on &amp;#8220;reputation analysis,&amp;#8221; that is, assessing the validity of the recipient based on the incoming email address. Such reputation analysis finds out where the spam is coming from and then creates a blacklist.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Analysts say while reputation analysis is the most effective way to combat spam right now, it is far from a total solution. The other problem is that, like with image spam blocking, legitimate emails may be blacklisted. &amp;#8220;These are small steps,&amp;#8221; says Jeanniey Mullen, executive director of email marketing for Ogilvy, the New York ad agency. &amp;#8220;I don&amp;#8217;t think anyone has the answer yet.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Arabella Hallawell, research vice president for Gartner Research, of Stamford, Conn., recommends either getting an email appliance to limit a system&amp;#8217;s exposure to spam and/or outsourcing e-mail management to someone else. Not surprisingly, Peterson agrees with her. &amp;#8220;The ante has really gone up,&amp;#8221; he says. &amp;#8220;In the old days, five to 10 really smart guys could put together a spam solution that&amp;#8217;s pretty good. Now we&amp;#8217;ve got 30-plus guys working on spam just to stay ahead of what the bad guys are doing.&amp;#8221;&lt;/p&gt;

</description>
		<dc:subject />
		<dc:creator>Todd Wasserman</dc:creator>
		<dc:date>2007-03-19T14:35:13-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200704/botnets.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/security/articles/200703/biometrics.html?partner=rss-alert">
		<title>Positive ID: All About Biometrics</title>
		<link>http://feedproxy.google.com/~r/inctechnology/privacy/~3/20NnADuHmD0/biometrics.html</link>
		<description>&lt;p&gt;Biometric identification -- which instantly authenticates people by unique physical traits such as eye structure, voice patterns and handprints -- may seen like something out of &lt;em&gt;X-Men&lt;/em&gt; or &lt;em&gt;Star Trek&lt;/em&gt;. But it's neither fantasy nor futuristic.&lt;/p&gt;

&lt;p&gt;In fact, biometric technology has been around for years. It's even a growth industry: The worldwide market for biometric devices is projected to nearly triple in the next few years, rising from $2.1 billion in 2006 to $5.7 billion in 2010, according to the International Biometric Group, a New York City-based research and consulting firm.&lt;/p&gt;

&lt;p&gt;Meanwhile, biometric capability is increasingly available in products that are affordable for even the smallest businesses. More surprising than the devices' existence, though, are the ways in which some companies are putting them to use.&lt;/p&gt;

&lt;p&gt;First, a bit of history. Particularly after the terrorist attacks in 2001, security experts were keenly interested in using biometrics for positive identification. The main goal then: keeping unauthorized users from gaining access to government or company buildings, computer systems and information.&lt;/p&gt;

&lt;p&gt;Today, some organizations are using biometric technologies to keep outsiders out, but others are finding the technology -- especially the less-expensive fingertip and hand scanners -- far more useful for in-house security purposes. For example:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Tracking time and attendance:&lt;/strong&gt; "Buddy-punching" -- when employees manually punch each other's time cards to falsify their work hours -- has been the bane of small businesses for decades. Biometric systems can end that practice by verifying employees' identities as they clock in and out, most commonly through a fingertip or handprint reader. Added bonus: Many systems also compile payroll data, replacing a tedious manual task. Systems begin at about $350.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Replacing or enhancing passwords:&lt;/strong&gt; It's no secret that many people's system passwords are a cinch to decipher. Case in point: In a 2005 in-house security test, a California credit union's IT team used a tool that cracked about 80 percent of employee passwords within 30 seconds. IT staffers instructed workers to adopt stronger passwords in keeping with the organization's security standards, then repeated the test. The results weren't encouraging: The team still cracked 70 percent of the new, stronger passwords. So the credit union began using a combination of fingertip scanners and automatic, randomly generated passwords to authenticate system users. Bank officials say the change greatly improved those security audits and reduced password-administration costs, an expense that IT research firm Gartner Inc. says costs companies an average of $200-$300 per user per year. Fingertip readers begin at around $100 per device.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Securing dangerous or controlled substances:&lt;/strong&gt; Businesses in a wide range of industries use biometric devices -- with hand-readers being a particularly popular option -- to help monitor access to toxic chemicals, radioactive waste, narcotic drugs and other potentially hazardous materials. Hand-reader security devices range from about $1,000 to $3,000 or more per device, depending on features.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Preventing ID-card sharing:&lt;/strong&gt; Some businesses now use biometrics to keep multiple customers from sharing a single account or pass card. An Oklahoma City-based chain of tanning salons, for instance, installed fingertip readers at all its locations to authenticate paying customers, thus preventing people from simply loaning their membership cards to friends. (A company spokeswoman says the scanners don't store a complete fingerprint -- just a big enough piece to confirm the user's identity.)&lt;/p&gt;

&lt;p&gt;Biometric technologies aren't infallible. Systems may fail to recognize an authorized user or detect an imposter. In one well-publicized case a few years ago, a Japanese cryptographer copied a fingerprint using a gelatin substance. He then tested the duplicate fingerprint on several commercial scanners -- all of which "recognized" it as real.&lt;/p&gt;

&lt;p&gt;In addition, many people view the use of biometric security measures as an invasion of privacy. In testifying before Congress, Barry Steinhardt, director of the Technology and Liberty Program for the American Civil Liberties Union, has cited biometrics as yet another example of America's movement toward becoming "a surveillance society."&lt;/p&gt;

&lt;p&gt;But for businesses needing to know exactly who's got their hands on which pieces of company equipment or information, biometrics are likely to be an increasingly attractive option.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;For additional information:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="http://www.biometricgroup.com"&gt;International Biometric Group LLC&lt;/a&gt;&lt;br /&gt;
&lt;a href="http://www.biometrics.dod.mil/bio101/index.aspx"&gt;U.S. Department of Defense Biometrics Tutorial&lt;/a&gt;&lt;br /&gt;
&lt;/p&gt;
</description>
		<dc:subject />
		<dc:creator>Anne Stuart</dc:creator>
		<dc:date>2007-02-18T16:22:31-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200703/biometrics.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/security/articles/200703/phishing.html?partner=rss-alert">
		<title>Protect Your Business from Phishing</title>
		<link>http://feedproxy.google.com/~r/inctechnology/privacy/~3/bqGb5s79gMo/phishing.html</link>
		<description>&lt;p class="MsoNormal"&gt;The latest news about "phishing" is not good for small and mid-size businesses. Phishers &amp;#8211; people who send fraudulent emails and try to lure unsuspecting recipients into revealing confidential information on a phony website -- are no longer impersonating only big commercial banks. They've started using the names of smaller companies, too.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Phishing is a nightmare not just for the consumer recipients -- who have doubled in number since 2004, according to a recent Gartner Inc. report -- but also for the businesses whose brand names are being misused. When customers receive a phishing email that purports to be from your company, the company&amp;#8217;s good name gets tarnished. That's not exactly a good way to brand a growing business. And there is always the risk that your company could be sued.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Phishing, unfortunately, isn&amp;#8217;t going away anytime soon although it is changing in nature. Gartner found that phishing emails are impersonating banks less often and other types of companies more often. Many of those other brands are also big companies like eBay and PayPal, or financial firms, such as mid-size banks, but the threat to more types of businesses is growing. The good news, according to Gartner analyst Avivah Litan, is typically &amp;#8220;really small businesses aren&amp;#8217;t attacked because criminals don&amp;#8217;t know about them.&amp;#8221; However, any brand can be at risk. Here&amp;#8217;s what you should know to protect your small business:&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Be the master of your domain&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Know the domain names that your company has registered and proactively register variations of those names. This way, if phishers try to set up a website imitating your business, the obvious variations on that name are already spoken for and hopefully customers are less likely to be fooled. The best defense, the clich&amp;#233; goes, is a good offense.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Eyes wide open&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Continuously monitor the Internet for suspicious new domain registrations and changes to existing domain registrations, says Todd Bransford, vice president of marketing at online monitoring company Cyveillance, of Arlington, Va. &amp;#8220;Early detection of a registration of a domain that&amp;#8217;s similar to your organization's domain could allow you to minimize or even prevent a phishing attack.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;If you would rather farm out the monitoring of domain registrations, there are online fraud prevention companies, like Cyveillance and another one called MarkMonitor, that can do this for you. The rates for monitoring companies typically run upwards of thousands of dollars per month.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Teach your clients&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Educate your customers, suggests Bransford. That means let your customers know how you plan to contact them &amp;#8211; via mail, telephone, or email. &amp;#8220;Post a clear policy on your site, in plain English describing how you will contact them," says Frederick Felman, chief marketing officer of MarkMonitor, a San Francisco firm. Felman says to also specify "what type of info you will ask for.... and what you will NEVER ask for," such as passwords. Remind your customers to use the anti-phishing features in some Web browsers, as well.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Browse well&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Alert browser companies and email providers about those fraudulent URLs used by phishers so that each URL you identify is blocked at the browser or when the email is sent, advises Felman. Internet Explorer 7.0 and Firefox 2 do a great job of blocking phishing sites. Litan cautions, however, that this solution is not a cure-all.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Deter this&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Have a strong authentication, anti-phishing message prominently displayed on your website, Bransford says. This should include a mechanism for reporting suspicious emails or suspected phishing attacks such as a special inbox (i.e., &lt;a href="mailto:phishing@yourdomain.com"&gt;phishing@yourdomain.com&lt;/a&gt;). Customers are on the front line of these attacks and can be the first to alert you that your business has been targeted.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Take that extra step&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Felman suggests including electronic signatures with your emails so that email providers know when an email sent by your company is really sent from you.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Disaster preparedness&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Have a plan in place in the event your company becomes a victim of phishers. Remember to take care of your customers. Provide those who believe they have become victims with information on what to do, such as contacting the major credit bureaus. You might also want to provide them with free credit reports for a certain time period, as a gesture of good will. Remember to alert other customers -- put a notice on your website at a minimum and perhaps also contact them by mail &amp;#8211; to alert them about the potential fraud.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Contact authorities and report the crime immediately. Also contact the &lt;a href="http://www.antiphishing.org/"&gt;Anti-Phishing Work Group&lt;/a&gt;. Have a plan in place to notify website owners and Internet Service Providers to get phishing sites taken down, says Felman. Gather the numbers in advance. Just like with stolen credit cards, it can be a real hassle to deal with looking for numbers in the middle of a crisis. If that doesn&amp;#8217;t work, monitoring companies can take care of all of this quickly for you, if you hire them after an attack. Cyveillance&amp;#8217;s Bransford also suggests having a public relations strategy ready, too, to minimize the damage.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;The bad news is that there&amp;#8217;s nothing a small business can do to provide 100 percent protection from getting hit. If even big companies like PayPal aren&amp;#8217;t able to stop it, cautions Gartner&amp;#8217;s Litan, that doesn&amp;#8217;t bode well for smaller businesses.&lt;/p&gt;

</description>
		<dc:subject />
		<dc:creator>Caroline Waxler</dc:creator>
		<dc:date>2007-02-13T13:21:45-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200703/phishing.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/security/articles/200704/email.html?partner=rss-alert">
		<title>How Secure Is Your Email?</title>
		<link>http://feedproxy.google.com/~r/inctechnology/privacy/~3/I-x89UzF1uQ/email.html</link>
		<description>&lt;p class="MsoNormal"&gt;The morning after the premiere of the sixth season of Fox's 24, millions of emails started appearing in in-boxes everywhere with a quote from the show's hero, Jack Bauer. The quote wasn't meant to be inspirational. It was designed to fool email recipients into thinking the message may have come from someone they know.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;That was just the latest weapon in the ongoing war between spammers and the companies that offer anti-spam software and hardware products.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;For much of 2006, the spammers appeared to be winning. The year included two major spam innovations -- image spam and botnets, the latter of which are software robots that run autonomously. Those new threats managed to double the amount of spam, according to IronPort Systems, an email security provider from San Bruno, Calif.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Hidden dangers in spam&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Usually spam, which accounts for about 90 percent of all email, is just a nuisance, but it can become harmful when employees opt to download software in a malevolent email message. Since most people are aware of spam and the risks involved, you might think that most employees would know better. "You would think," says Natalie Lambert, of Forrester Research, the Cambridge, Mass. research firm. "But it's not the case." That's especially true when spammers keep coming up with new tricks.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;So, businesses in general have little choice but to try to limit spam as much as they possibly can. Since small businesses usually lack a deep roster of IT pros, a good option is to outsource the spam-fighting to someone else.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;There are two main options to do this: email appliances and hosted email services.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Email appliances are hardware devices that have one function: to keep spam, viruses and worms from infecting computers in the system. "You literally plug the thing in and a blinky light starts to flash and the spam goes away," says Tom Gillis, senior vice president of marketing for IronPort, which is in the process of being acquired by Cisco Systems. IronPort's systems start at $2,000, which includes a three-year service contract. That appliance can serve up to 50 users.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Fooling the spam filters&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;For that money, you get full-time spam cops. Like antivirus firms, email security companies like IronPort are constantly trying to outwit the bad guys. Take image spam: Spam filters have traditionally worked by looking for spam buzzwords. But when you send an email message as a JPEG rather than as a text file, such filters are useless.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;IronPort quickly realized this and came up with an antidote. Another way spammers elude filters is by colonizing other PCs with botnets, which fooled spam filters that were looking for known spam IP addresses. Gillis said IronPort is tackling botnets with "reputation analysis," a tool that better traces where the email originates.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Another anti-spam option is a hosted service that does what IronPort does only without the hardware. Such services are usually charged at a monthly rate. Apptix, for instance, charges $9.95 a month per user to manage e-mail or $11.95 if the customer wants advanced filtering. Semir Gulati, vice president of marketing at Apptix, Herndon, Va., said the system catches 95 percent of the spam "and you don't even know it."&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Robert Maynard, chief operating officer of LifeLock, a Tempe, Ariz. identity theft prevention agency, says he is "ecstatic" with Apptix's hosted service, even though it costs him $1,400 to $1,500 a month to get the company to run email accounts for 46 employees. "People write the numbers down and say 'I could just buy a license,'" says Maynard, "but there are so many costs in running a mission-critical system like email that it just makes all the sense in the world to pay these guys."&lt;/p&gt;

</description>
		<dc:subject />
		<dc:creator>Todd Wasserman</dc:creator>
		<dc:date>2007-02-13T13:14:27-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200704/email.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/security/articles/200702/cellphone.html?partner=rss-alert">
		<title>Are Your Cell Phone Conversations Secure?</title>
		<link>http://feedproxy.google.com/~r/inctechnology/privacy/~3/NXlvqBhL5Ck/cellphone.html</link>
		<description>&lt;p class="MsoNormal"&gt;One morning last December, I dropped into my favorite coffee shop and found myself about 12&lt;sup&gt;th&lt;/sup&gt; in line for some much-needed caffeine. The guy in front of me was on his cell phone, his voice booming all over the crowded caf&amp;#233; as he ordered last-minute gifts.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;By the time he reached the counter, he&amp;#8217;d clearly recited his name, full address, credit card number and the card&amp;#8217;s security verification code -- twice. After paying for his order, he launched into a third call, sharing the same details.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;It&amp;#8217;s hard to say whether his credit-card account was in more jeopardy from some distant wireless eavesdropper -- or from the laptop-equipped customers at the next table who might well have been quietly typing down the information as he repeated it.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Either way, it illustrates a hard fact about cell phone security: Your safest strategy is to assume that you have unwanted listeners. Chances are that you don&amp;#8217;t. But when it comes to confidential information that&amp;#8217;s transmitted across radio frequencies, as cell phone calls are, your best bet is to conduct yourself as if you do.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Caution is especially important if you find yourself using an analog signal; that&amp;#8217;s when someone using a scanner can pick up your call. Digital signals are scrambled, but security experts say it&amp;#8217;s still possible that hackers armed with sophisticated equipment could intercept and decode them. And, of course, someone who can overhear your half of the conversation &lt;i&gt;before&lt;/i&gt; it enters the phone -- as in the coffee-shop case -- doesn&amp;#8217;t need any special devices to capture some highly valuable information.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;With cell phone use at an all-time high -- manufacturers shipped more than 1 billion handsets worldwide in 2006, up from 833 million in 2005, according to Framingham, Mass.-based IDC Research -- related crime is likely to keep growing as well. Following are three other cell phone security threats, along with advice for preventing them:&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Equipment loss&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Many people save sensitive information -- account numbers, passwords, customer billing information, emails on confidential matters -- on their cell phones. Having those details at your fingertips is certainly convenient, but if the device is misplaced or swiped, whoever winds up with it might know far more about you than you&amp;#8217;d like.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;If you &lt;i&gt;must&lt;/i&gt; keep such data on the phone -- if, for instance, it doubles as your electronic address book -- at least protect it by using the password feature available on most contemporary models. You should also set the phone to lock automatically after a certain period of inactivity. Those measures won&amp;#8217;t foil professional hackers, but they may keep the casually curious from accessing the details of your life. As an alternative, you might consider keeping especially sensitive information on a removable memory card, if your phone is equipped to hold one -- and if you can train yourself to remove the card and store it in a safe place when you&amp;#8217;re not actively using it.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Phone upgrades&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;When you buy new phones, remember that you can&amp;#8217;t be too careful about wiping the data off your old ones. Consider the results of a recent experiment by Trust Digital, a McLean, Va.-based maker of security software for mobile devices. In mid-2006, the company purchased 10 used cell phones in eBay auctions. While the phones&amp;#8217; previous owners apparently believed they&amp;#8217;d deleted all their information, technicians recovered plenty of potentially damaging data from all but one device. The information retrieved -- 27,000 pages of it -- ranged from passwords to confidential customer records to emails about pending business deals to text messages chronicling a love affair.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;The problem: On many phones, permanently purging data requires a series of complicated steps so that customers don&amp;#8217;t erase information accidentally. So even if you&amp;#8217;ve deleted your records and the phone&amp;#8217;s memory seems empty, someone with the right software may be able to resurrect data once stored there. The solution: If you&amp;#8217;ve got telecom specialists on staff, ask them to thoroughly clean all phones before you sell, donate or toss them. If not, call or visit your carrier so that their technicians can do the job for you. Or you may want to follow Trust Digital CEO Nick Magliato&amp;#8217;s half-serious advice for making sure an old phone doesn&amp;#8217;t give up your secrets: &amp;#8220;Run over it in a car.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Hackers&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;As socialite Paris Hilton learned in a particularly high-profile case, a serious thief doesn&amp;#8217;t need the actual phone to swipe confidential information. In early 2005, a hacker broke into a major cell-phone carrier&amp;#8217;s systems, accessed Hilton&amp;#8217;s account, stole racy photos and private celebrity phone numbers and posted them on the Internet. (The culprit, a Massachusetts teenager, later pleaded guilty and was sentenced to juvenile detention and supervised release with -- no surprise -- no Internet access.)&lt;/p&gt;

&lt;p class="MsoNormal"&gt;While most of us won&amp;#8217;t individually attract our own personal hackers, it&amp;#8217;s worth checking with your carrier to find out what, if any, data it&amp;#8217;s capturing from your phone. If you find that everything you&amp;#8217;ve keyed into the phone is also sitting in the company&amp;#8217;s computer systems, you may want to rethink what you&amp;#8217;re storing on the device.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Bottom line: You need to determine acceptable-risk levels not only for yourself, but for your staff as well. Establish and enforce policies, especially about what information people store on their phones. After all, as with any other scenario involving corporate secrets, your security is only as good as the practices of your most careless employee.&lt;/p&gt;

</description>
		<dc:subject />
		<dc:creator>Anne Stuart</dc:creator>
		<dc:date>2007-01-31T10:39:25-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200702/cellphone.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/security/articles/200609/phishing.html?partner=rss-alert">
		<title>The Basics: What is Phishing?</title>
		<link>http://feedproxy.google.com/~r/inctechnology/privacy/~3/CspEg_ZETiw/phishing.html</link>
		<description>&lt;p&gt;It used to be that so-called &amp;#8220;phishers&amp;#8221; only focused on large international financial institutions -- such as Barclays Bank or Citibank -- when sending out fraudulent e-mails that tried to imitate the look and feel of correspondence from those firms in order to scam customers. But now law enforcement authorities warn that phishers are invoking the names of local banks and smaller financial firms in their e-mail scams.&lt;/p&gt;

&lt;p&gt;Phishing is a scam that attempts to lure recipients of the phony e-mails into going to a fake Web site and keying in account or password data -- information which then becomes the basis for identity theft. There were 255,000 reports of identity theft in the U.S. last year, according to the U.S. Federal Trade Commission, and phishing scams were a leading cause.&lt;/p&gt;

&lt;p&gt;But the recipient isn't the only one vulnerable in these scams -- the business' brand and reputation is also harmed. That's why business leaders need to be aware of the growing threat from phishing and the need to take steps if their firms become targets, such as notifying authorities and warning customers.&lt;/p&gt;

&lt;h3&gt;What is Phishing?&lt;/h3&gt;

&lt;p&gt;Phishing is a form of online identity theft that employs both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials, according to the Anti-Phishing Working Group (APWG), an industry and law enforcement association dedicated to combating phishing. While immediate concern is often focused on the individual receiving the spoofed e-mail claiming to be a legitimate request for personal information, targeted companies are affected in a number of ways.&lt;/p&gt;

&lt;h3&gt;Who are the Targets?&lt;/h3&gt;

&lt;p&gt;Damage caused by phishers makes consumers wary of an otherwise respected brand. Financial institutions including Barclays Bank -- which McAfee, the security software maker, refers to as BarcPhish -- are the most prevalent phishing targets. PayPal and eBay are also heavily hit. Security firm SophosLabs estimates that over 75 percent of all phishing e-mail targets PayPal and eBay users, coaxing recipients to log into their accounts on a hijacked site where scammers can grab account info and other personal data.&lt;/p&gt;

&lt;p&gt;More recently, however, the APWG has been tracking phishing attempts invoking the names of smaller financial institutions, such as Sky Financial and LaSalle Bank. The number of hijacked brands is on the rise, according to the APWG. In July, there were 154 brands targeted, up from 130 the previous month. The number of new phishing sites also increased to 14,191 from 10,047 in June, the group says.&lt;/p&gt;

&lt;p&gt;To put the threat to your business in perspective, phishing accounts for less than 0.3 percent of all e-mails sent, according to Kaspersky Lab.&lt;/p&gt;

&lt;h3&gt;What Can a Company Do?&lt;/h3&gt;

&lt;p&gt;Halting fraudulent e-mails is a challenge yet to be solved. Many companies that become targets focus on educating customers on how to look for warning signs. They also notify customers about what types of messages they should and shouldn't expect to receive from the institution. One of the easiest steps a company can take to combat phishing is to post a statement on the company website notifying customers that phishing e-mails are being sent illegally and advising them what type of legitimate correspondence the company sends. Some companies make it a policy to communicate with customers only through paper mail instead of e-mail, and others say they never e-mail to ask a customer to input bank account and password information.&lt;/p&gt;

&lt;p&gt;Education in-house also helps reinforce safety. Visiting sites set up by phishers can often install keyloggers and other malicious programs on unknowing users' computers. Having such programs reside on office or home computers can extend the threat from personal identity theft -- which is serious in itself -- to corporate data breaches.&lt;/p&gt;

&lt;p&gt;Even if they haven't yet been targeted, some financial firms may want to warn customers about phishing red flags, such as e-mails with links to sites that ask for highly detailed information. On the surface, these e-mails to businesses and individuals often look convincing, using official-sounding descriptions, logos from actual companies or banks, and a convenient link to help you sort out a problem or address another concern.&lt;/p&gt;

&lt;p&gt;&amp;#8220;Is somebody asking me to confirm my account detail including username, password and credit card info?&amp;#8221; asks Shane Coursen, senior technical consultant at Kaspersky Lab. &amp;#8220;If so, this is the first and most obvious sign that the e-mail is a fraud.&amp;#8221;&lt;/p&gt;

&lt;p&gt;Companies should tell their customers that, instead of replying or clicking on the link, the best thing to do is to forward the e-mail to the company. Most importantly, tell them not to click on any link.&lt;/p&gt;
</description>
		<dc:subject />
		<dc:creator>Peter Suciu</dc:creator>
		<dc:date>2006-09-27T13:59:11-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200609/phishing.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/telecom/articles/200609/Telecom_Trickster.html?partner=rss-alert">
		<title>Telecom Tricksters: How to Avoid Slamming, Cramming and Hijacking</title>
		<link>http://feedproxy.google.com/~r/inctechnology/privacy/~3/RiJunZYklhs/Telecom_Trickster.html</link>
		<description>&lt;p class="MsoNormal"&gt;Back in the 1990s, more than one third of the written complaints submitted to the U.S. Federal Communications Commission involved &amp;#8220;slamming&amp;#8221; -- the practice of switching a telephone customer&amp;#8217;s long-distance service provider to another carrier without the customer&amp;#8217;s permission. But in the past ten years, state laws and telecom companies have helped curb slamming by ensuring the customer completes a series of verifications before changing long-distance service. However, business leaders need to be aware of two new forms of telecom scams on the rise -- "cramming" and "modem hijacking."&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#8220;Cramming&amp;#8221; is when a telephone company places unauthorized, deceptive and often expensive charges on a business customer&amp;#8217;s telephone bill. The FCC warns that such charges often appear on the bill under such headings as &amp;#8220;service fee,&amp;#8221; &amp;#8220;other fees,&amp;#8221; &amp;#8220;mail server,&amp;#8221; &amp;#8220;calling plan&amp;#8221; or &amp;#8220;membership.&amp;#8221; They are often added to monthly bills without an explanation of the services provided.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;strong&gt;Small businesses are often targets&lt;/strong&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;In August 2006, Illinois Attorney General Lisa Madigan filed a lawsuit against two California companies and their owners alleging that, working together, they have bilked 17 small businesses across the country out of thousands of dollars via &amp;#8220;cramming.&amp;#8221; Madigan&amp;#8217;s complaint alleges that the companies, MSMB2B Inc and Zip Wide Web Inc., offered free trials of their services through telemarketing solicitations to small businesses, when in reality, if the customer didn't call and cancel within 30 days, they incurred charges of $49.95 per month. The charges appeared on the business&amp;#8217; phone bill as &amp;#8220;Monthly Internet Service Fee&amp;#8221; or &amp;#8220;Internet Service Provider Monthly Fee&amp;#8221; or &amp;#8220;ISP Service Monthly Fee.&amp;#8221; Small business consumers have filed complaints that they were charged despite refusing to receive any service and, in some instances, denied getting actual solicitations from the telemarketers.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#8220;While a private resident would certainly notice a $49.95 charge on their phone bill, small businesses often have phone bills that consist of many pages and total in the hundreds or thousands of dollars,&amp;#8221; Madigan says in a prepared statement. &amp;#8220;Companies like the defendants take advantage of the fact that small business owners are not likely to notice a small increase in their already large phone bill and may go several months before calling attention to a charge for a service they did not request.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;strong&gt;Modem hijacking&lt;/strong&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#8220;Modem hijacking&amp;#8221; &amp;#8211; a variation on cramming &amp;#8211; occurs when software, typically delivered via a pop-up ad, is downloaded onto a business computer over the Internet, and uses dialing software to reroute the computer modem to dial long-distance numbers. The fees are often exorbitant. Some scams operate while your PC is Web surfing, while others dial long distance charges while your PC is using its screen saver.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;New York State lawmakers unveiled a bill recently targeting modem hijacking that would allow telephone companies and the state attorney general to bring lawsuits against modem hijackers and their accomplices. "This is a new kind of thievery and it takes new kinds of law to deal with them," says Assemblyman Richard Brodsky, one of the bill's sponsors.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;What do you do if you've been slammed, crammed, or hijacked, and how do you prevent them from happening to your company?&lt;/p&gt;

&lt;p class="MsoNormal"&gt;The U.S. Federal Trade Commission's Consumer Affairs Division offers these suggestions to help protect small businesses from Web service scams and other unordered services:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;b&gt;Know your rights.&lt;/b&gt; If you receive bills for services you did not order, do not pay. The law allows you to treat unordered services as a gift.&lt;/li&gt;

&lt;li&gt;&lt;b&gt;Review your phone bills as soon as they arrive.&lt;/b&gt; Be on the lookout for charges for services you have not ordered or authorized. If you find an error on your bill, follow the instructions on your statement. Assign purchasing to designated staff and document all your purchases.&lt;/li&gt;

&lt;li&gt;&lt;b&gt;Train your staff in how to respond to telemarketers.&lt;/b&gt; Advise employees who are not authorized to order services to say, "I am not authorized to place orders."&lt;/li&gt;

&lt;li&gt;&lt;b&gt;Buy from people you know and trust.&lt;/b&gt; Authorized employees should be skeptical of "cold" or unsolicited calls and feel comfortable saying "no" to high pressure sales tactics.&lt;/li&gt;
&lt;/ul&gt;

&lt;p class="MsoNormal"&gt;To avoid having your modem hijacked, the FTC advises:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Turn off your computer and modem when not in use.&lt;/li&gt;

&lt;li&gt;Raise the volume level of your modem so that you are aware of a redial.&lt;/li&gt;

&lt;li&gt;Be aware when visiting sites of questionable content. A number of sites download software surreptitiously onto consumers&amp;#8217; hard drives.&lt;/li&gt;

&lt;li&gt;Consider using blocking software to keep children from questionable sites (e.g., adult content, gambling).&lt;/li&gt;

&lt;li&gt;Close pop-up windows by selecting the "X" button in the upper right-hand corner, rather than any other embedded icons.&lt;/li&gt;

&lt;li&gt;Keep your operating system current with patches and updates.&lt;/li&gt;

&lt;li&gt;Ensure that Internet dial-up access numbers are on your local telephone plan and delete unknown access numbers.&lt;/li&gt;

&lt;li&gt;Be wary of any unusual icons on your PC.&lt;/li&gt;

&lt;li&gt;Consider installing anti-virus software and update regularly.&lt;/li&gt;

&lt;li&gt;Thoroughly examine your telephone bills and contact your carrier about suspicious charges; they may already have precautions in place to help avoid unauthorized calls.&lt;/li&gt;
&lt;/ul&gt;

</description>
		<dc:subject />
		<dc:creator>Rich Martini</dc:creator>
		<dc:date>2006-09-12T16:08:42-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/telecom/articles/200609/Telecom_Trickster.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/security/articles/200608/disasterpervent.html?partner=rss-alert">
		<title>How to Protect Your Business from Spyware and Adware</title>
		<link>http://feedproxy.google.com/~r/inctechnology/privacy/~3/6YCWAukO0tk/disasterpervent.html</link>
		<description>&lt;p&gt;There's an old IT diagnosis: "Problem between the chair and the keyboard." It is more applicable today than ever, especially when it comes to spyware and adware.&lt;/p&gt;

&lt;p&gt;No matter how much you scan and spam filter, no matter how many warnings you send out, someone, somewhere, will click the wrong e-mail link and potentially cause problems on your network.&lt;/p&gt;

&lt;p&gt;Spyware and adware, and, to a certain degree, phishing e-mails, are constantly plaguing businesses, in some cases causing massive outages and productivity loss. Companies must be vigilant of spyware, the name for programs smuggled in under the guise of legitimate programs and secretly installed on your computer or your network, and adware, software that displays ads on your PC even when you're not surfing the Internet.&lt;/p&gt;

&lt;p&gt;Both spyware and adware can impact data and/or system functionality, occasionally resulting in lost data and completely corrupted systems. Spyware and adware can render a computer sluggish, making even the most routine task, such as sending e-mail or calling up a document, slow. An estimated 30 percent of all help desk calls in companies today are the result of spyware, according to an IDC estimate.&lt;/p&gt;

&lt;p&gt;The number of small and medium-sized companies investing in security technologies to fight spyware and adware is growing. Spyware now ranks with viruses, worms and spam as among the top SMB IT concerns, according to a 2005 study from Forrester Research. Forrester surveyed nearly 800 U.S. SMB technology decision makers and found that 71 percent planned to invest in additional security technologies by the end of 2005. The Radicati Group, a market research firm based in Palo Alto, Calif., forecasts that anti-spyware spending alone will grow from $103 million in 2005 to more than $1 billion by 2009.&lt;/p&gt;

&lt;p&gt;&lt;a href="http://www.antispywarecoalition.org/"&gt;The Anti-Spyware Coalition&lt;/a&gt;, a group made up of anti-spyware software companies, academics and consumer groups, has published a group of tips for businesses on how to block spyware and adware. The tips include the following:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;* Training is the first defense&lt;/strong&gt; -- Teach your employees not to click on links or files in e-mails... ever. Get them to sign an "acceptable use policy" stipulating that they won't access unauthorized programs. Some programmers suggest creating a secure FTP site and using that to trade important files back and forth with customers, or using a service like xDrive.com to share documents. Focus on keeping e-mail attachment-free.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;* Lock down desktops&lt;/strong&gt; -- Desktop anti-spyware applications can find and remove spyware trying to execute on PCs. But maintain software updates, operating system and browser patches and manage desktop security from a central location. If you can, install an open operating system like Xandros or migrate to OS X. It's not something a lot of IT folks want to hear -- or have to learn -- but if the office assistant and the boss are both on Macs, they're going to experience less downtime because of spyware and still be able to handle almost any file type.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;* Block spyware at the network&lt;/strong&gt; -- Your company can configure gateway proxies and firewalls to prevent spyware from reaching PCs on the network by excluding downloads from known spyware sites and high-risk sites. They can also scan files at the gateway for known spyware code. Also, analyze logs of PC communications for high-frequency destinations.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;* Create filtering rules, but be generous&lt;/strong&gt; -- Filter attachments, yet tag e-mails with bright and bold HTML messages informing the users how to get them out of your custom attachment lockbox. Also, consider unzipping archived attachments and scanning them immediately. Most spyware can be stopped at the source.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;* Install a program like SpoofStick&lt;/strong&gt; -- A free program for IE or Firefox, SpoofStick informs you if a website is "pretending" to be another, more legitimate website. In many cases, scams will take you to pages that purport to be a legitimate bank or other business, but are, in fact, fake information-farming pages designed to steal personal information. SpoofStick will blink if a page's URL doesn't match its title.&lt;/p&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~at/ta2MrIs5wOAHpyCtLIRJXWB7sLM/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/ta2MrIs5wOAHpyCtLIRJXWB7sLM/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~at/ta2MrIs5wOAHpyCtLIRJXWB7sLM/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/ta2MrIs5wOAHpyCtLIRJXWB7sLM/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/inctechnology/privacy/~4/6YCWAukO0tk" height="1" width="1"/&gt;</description>
		<dc:subject />
		<dc:creator>John Biggs</dc:creator>
		<dc:date>2006-09-08T14:46:24-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200608/disasterpervent.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/security/articles/200210/24718.html?partner=rss-alert">
		<title>Solving the Opt-in/Opt-out Debate</title>
		<link>http://feedproxy.google.com/~r/inctechnology/privacy/~3/oeOSZkxju1I/24718.html</link>
		<description>&lt;p&gt;Privacy issues are everywhere in business. Like dandelions in summer, Chief Privacy Officers are popping up among the Fortune 1000 and beyond, tackling compliance issues, deciphering new legislation, cultivating the "privacy brand," and keeping up with competitors. But CPO or otherwise, most execs only do what's necessary to avoid litigation. Their goal is to achieve compliance, using privacy strategies to protect the bottom line rather than boost it. That approach also positions privacy protection as a cost center rather than a customer-based revenue generator.&lt;/p&gt;
&lt;p&gt;Decision makers must implement privacy strategies that act in the customers' best interests as well as protect company interest. In doing so, firms can become trusted agents able to capture revenue. A good place to start is the familiar opt-in vs. opt-out policy debate.&lt;/p&gt; 
&lt;p&gt;"Opt in" gives communication control to the customer, allowing him to check a box if he wants to be contacted by a company. If he doesn't check the box, he'll never hear a thing, even from a company he's already doing business with. The opt-out system, however, acts as a "tacit yes." It lets customers decide not to receive further communications; but until the customer explicitly requests a cessation of contact, a marketer can bombard her indefinitely. It strikes us that companies that limit themselves to these choices aren't effectively serving the needs of customers or themselves.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;When black and white gets fuzzy&lt;/strong&gt;&lt;br /&gt;In other words, consumers must often choose between accepting a full-scale marketing assault or a "lights-out" approach in which they're never informed of relevant offers. With such strict choices, it should come as no surprise that Forrester Research reports only 18 percent of customers respond to opt-in or opt-out requests. Such low response hurts the company and possibly the customer. Why? If the 18 percent opt in, then a company is limited to contacting less than one-fifth of its customer base -- even though many customers just never got around to letting the company know they want to be contacted. If the opt-out route is taken, key customers may become annoyed about receiving communications they didn't ask for.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;From lose-lose to win-win&lt;/strong&gt;&lt;br /&gt;Peppers and Rogers Group has long advocated letting customers determine the style and pace of a relationship. So why not translate this to privacy policies as well? Customers should be able to choose what they want, when to be contacted, and across which channels. The solution may be a tiered opt-in system that gives the customer more choices when it comes to communication.&lt;/p&gt;
&lt;p&gt;For example, a customer might say, "It's okay to email me three times a month for product 'A', but don't ever call me." Companies that honor this request will provide relevant and timely messages based on customer needs, cutting through the marketing noise to achieve better results. Instead of opt in or opt out, companies can focus on customer choice and company policy disclosure.&lt;/p&gt; 
&lt;p&gt;This begs an important question: Why would anyone bother with the tiered system if only 18 percent of customers opt in or out? Here's one solution: Pay customers to provide information. After all, firms pay list brokers top dollar for valuable customer information, and competitors sometimes share their lists for a price. By going directly to the customers, companies can cut out the middleman while simultaneously learning each customer's interaction preferences. Technology barriers would emerge at first -- especially campaign and database management issues -- but the ROI would be well worth the investment.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;From the courtroom to the boardroom&lt;/strong&gt;&lt;br /&gt;Perhaps the biggest challenge is the change in executive mindset that would be required. Most companies haven't thought about customizing their opt-in policies because privacy decisions rattle around legal departments rather than customer strategy areas. Until that vital shift is made, privacy protection will remain an untapped, relationship-building resource.&lt;/p&gt; 
&lt;p&gt;&lt;font size="-2"&gt;Source: INSIDE 1to1, September 2002&lt;br /&gt;© Peppers and Rogers Group&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~at/RkFeZZX1XlXGtgTpNWOzm7ZhtZk/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/RkFeZZX1XlXGtgTpNWOzm7ZhtZk/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~at/RkFeZZX1XlXGtgTpNWOzm7ZhtZk/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/RkFeZZX1XlXGtgTpNWOzm7ZhtZk/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/inctechnology/privacy/~4/oeOSZkxju1I" height="1" width="1"/&gt;</description>
		<dc:subject />
		<dc:creator>Martha Rogers, Ph.D</dc:creator>
		<dc:date>2006-09-08T13:31:33-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200210/24718.html?partner=rss-alert</feedburner:origLink></item>
</rdf:RDF>
