So unless you have been living under a rock (or on vacation!), a barrage of cyber attacks has been going on for the past 1-2 months now. The primary treasure taken was databases and customer information, though it has definitely had an extended impact beyond just data theft.
Sony, the primary slap-dummy in all this, was hit repeatedly, with the PlayStation gaming network customer information the target. What’s ironic about this is they constantly reported they had no idea how it happened, weren’t sure exactly what happened, and didn’t seem to be in much of a rush to stop the bleeding. I’ll tell you what happened: You got hit, hit again, and again, and again, and then once we were done with you, we went to your cousins in other countries (Brazil) and ran the same game on them. Talk about getting kicked when down. And then kicking your family, friends, mechanic, and neighbors at the same time. Ouch.
Something like that just stinks of not properly monitoring your external networks, but it also really sounds like there is an element of a single point of failure. Basically, once they figured out how to get into the primary domain, they were given access to everything else, or were able to quickly figure it out. Let’s not even talk about the IPS/IDS not communicating with the other nodes.
Our friends at the IMF have been getting hammered with sex scandals from their former head, but now they report a cyber attack happened in mid-May. This time the objective was to get an inside presence through the installation of mal/spyware in order to gain access to personal information for fraudulent usage. The IMF also had several employees’ laptops compromised, which were then used to access critical systems within.
What does this all mean? All of this again shows just how real, sophisticated, and powerful a cyberattack can be. One big thing that companies of all sizes have a hard time with is monitoring their systems and taking action on events that look suspicious in nature. Big companies are hit a lot more than a small business or a one, two, or three person firm, but the impact is still the same: loss of revenue, loss of reputation, and loss of data, which can turn into serious legal matters.
The good news is you can shield yourself enough to at least provide some insulation from all of this.
1. Have an active firewall operating and monitor it daily
2. Review and manage all access to sensitive systems and accounts
3. Have your network and systems scanned for vulnerabilities (virus, malware, open ports, attack attempts)
4. Communicate immediately to customers and clients if any sensitive customer data was breached or accessed in any way
5. Implement some system to manage and classify all data residing in your servers and systems (or cloud service)
I know that’s not the most advanced and complex system, but it will let you implement a basic security architecture which you can manage yourself.
Good luck and you know who to ask if you have any questions.
I haven’t posted anything for a while now, as I have been busy with the designers getting the new logos updated and various websites/social media pages completed. Well, after a lot of work, revisions, and technical difficulties (thanks hosting company!), we are up and running and ready to rock.
Here’s all the links for you to enjoy:
Facebook Page: http://www.facebook.com/pages/The-Matador-Media/313637060009
Twitter: http://twitter.com/#!/MatadorRTN
YouTube Channel: http://www.youtube.com/user/thematadormedia
I am very happy and excited to finally have this done, and I can now work on product creation and continue to service clients better than all the rest.
Have a great weekend!
O
If that title totally confuses the hell out of you, congratulations! You actually are thinking about it in a context of your business and how it is probably something you deal with on a daily basis. What I’m going to do is show some ready-made guidelines for achieving all of this and more. So let’s get to it.
Protecting Your Business
- Control Access: User accounts, passwords, equipment, bathrooms. All of it.
- Monitor Network Activity: Check to see if anything looks “unusual” or not in the norm. Examples of this are random login attempts, posts on your blogs that look suspicious or blatant hacking attempts, and forms being submitted with symbols and other commands that are not typical data submitted by your visitors.
- Reputation is King: Check all social media profiles and other public facing interfaces for damaging or possibly damaging comments. Malicious communications need to be addressed ASAP, so if it seems unusual, check it out.
- Back It Up: Your Data. Self-explanatory.
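To make the “Monitor Network Activity” item concrete, here is an added example (my code, not something from the post) that runs the kind of daily check described above over a few constructed web server access-log lines: it counts failed login POSTs per source address and flags form submissions whose decoded query strings carry characters or fragments that ordinary visitor input rarely contains. The log format, the login paths, the threshold of five failures and the marker list are all assumptions you would tune to your own site.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (common log format) for the demo;
# they are not from the post or from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2011:08:01:03 +0000] "POST /wp-login.php HTTP/1.1" 401 1248
203.0.113.7 - - [12/Jun/2011:08:01:04 +0000] "POST /wp-login.php HTTP/1.1" 401 1248
203.0.113.7 - - [12/Jun/2011:08:01:05 +0000] "POST /wp-login.php HTTP/1.1" 401 1248
203.0.113.7 - - [12/Jun/2011:08:01:06 +0000] "POST /wp-login.php HTTP/1.1" 401 1248
203.0.113.7 - - [12/Jun/2011:08:01:07 +0000] "POST /wp-login.php HTTP/1.1" 401 1248
198.51.100.4 - - [12/Jun/2011:08:02:11 +0000] "POST /wp-login.php HTTP/1.1" 401 1248
198.51.100.4 - - [12/Jun/2011:08:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [12/Jun/2011:08:05:00 +0000] "GET /contact?name=Alice&msg=Hello+there HTTP/1.1" 200 3021
192.0.2.22 - - [12/Jun/2011:08:06:41 +0000] "GET /search?q=shoes%27+OR+1%3D1-- HTTP/1.1" 200 3021
192.0.2.23 - - [12/Jun/2011:08:07:02 +0000] "GET /comment?text=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Assumed login endpoints and failure threshold; adjust for your own site.
LOGIN_PATHS = ("/wp-login.php", "/login", "/admin")
FAILED_LOGIN_THRESHOLD = 5

# Characters and fragments that rarely appear in ordinary visitor input but
# do show up when someone feeds commands or markup into a form (assumed list).
SUSPICIOUS_MARKERS = ("'", "<", ">", ";", "--", " or 1=1", "union select", "../")


def parse_line(line):
    """Return the interesting fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)  # decode %27, +, etc. before inspecting
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def failed_login_sources(records, threshold=FAILED_LOGIN_THRESHOLD):
    """Source IPs with at least `threshold` failed (401/403) POSTs to a login page."""
    counts = Counter(
        r["ip"] for r in records
        if r["method"] == "POST" and r["path"] in LOGIN_PATHS and r["status"] in (401, 403)
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


def suspicious_submissions(records):
    """Requests whose decoded query string carries markers of injected commands or markup."""
    hits = []
    for r in records:
        q = r["query"].lower()
        markers = [mk for mk in SUSPICIOUS_MARKERS if mk in q]
        if markers:
            hits.append((r["ip"], r["path"], markers))
    return hits


def daily_report(text):
    """The morning check: a short list of things to look at, not the whole log."""
    records = parse_log(text)
    return {
        "lines_parsed": len(records),
        "brute_force_ips": failed_login_sources(records),
        "suspicious": suspicious_submissions(records),
    }


if __name__ == "__main__":
    rep = daily_report(SAMPLE_LOG)
    print(f"parsed {rep['lines_parsed']} lines")
    for ip, n in rep["brute_force_ips"].items():
        print(f"REVIEW: {n} failed logins from {ip}")
    for ip, path, markers in rep["suspicious"]:
        print(f"REVIEW: {ip} hit {path} with markers {markers}")
```

Treat what this prints as a review list, not an automatic block list: an apostrophe in a legitimate name like O’Brien will trip the marker check, and five failed logins can be one forgetful customer. The value is that you look at a handful of lines each morning instead of the whole log.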
Profits
- Host Check-up: Check every morning to see that your sites are up and running and loading in under 5 seconds.
- Got Links?: Are they functioning? Are any/all affiliates and their campaigns reporting correctly?
- Do You Exist: Make sure you are still showing up in all MAJOR search engines (“SE”) and niche specific directories. If people can’t find you, then you don’t exist.
- Marketing: Check campaigns and reports from any/all online advertising outlets to see that tracking and costs are reporting accurately. PPC, Media Buys, Text Link Ads, Affiliate Networks, Videos, etc. Verify and validate all.
Staying Out of Trouble
- Compliance Resistance is Futile: Verify all policies and necessary privacy and security controls are in place if required by a region or state you do business with or have associates within. Basic things such as taxes, transparency on what you do with customer data, EU Safe Harbor, and California laws are biggies here.
- Third-Party Data Handling: All about data: a) who will own it, b) how it’s handled, c) where it’s located, d) retention period, and e) how it is “destroyed”. This is very easy to do, but if overlooked, can REALLY become a legal and PR nightmare for you.
- Due Care and Due Diligence: Monitor and react to issues like you would your own bank account. Easy concept, isn’t it?
Defend your business, make all the money you can, and do everything you can to stay out of legal/compliance issues in your state, country, and internationally.
Good luck, and as always, I am here to help you with any of this.
Unless you’ve been hibernating or completely in a different universe, the words Epsilon, privacy, data breach, and “we’re sorry” all in one breath should be familiar. Check your emails, Social Media Networks, Twitterverse, and any other major media outlet if you are still lost as to what happened.
Legal issues and high-tech security online. One more thing to keep you up at night.
Anyhow, a massive data (lists mainly) management company had some data taken, which mainly consisted of email addresses used by a variety of companies to send out newsletters, promos, etc. So why do you care about this? Well for starters, your privacy, and second, the confusion as to how or why someplace called Epsilon had your information to begin with. I’ll even add that you should be paying very careful attention to this if you collect, store, and manage lists of your own; past or present, in-house or via third party.
Many states require you to clearly allow for opt-in and opt-out of anything used to collect customer information, as well as to provide protective (safeguarding this data) and corrective (communicating a breach to all who may be affected) measures. While this may seem daunting, it is simply a matter of due care and due diligence in having the right protection in place to mitigate the effects, as well as a verifiable incident response.
How can anyone 100% guarantee that data breaches will not happen? You can’t, just as it is impossible to eliminate 100% of any risk. What a person can do is: a) classify sensitive data, b) use a Privacy Impact Assessment to plan for disasters to happen, c) simulate incidents to gauge plan weaknesses, and d) formalize the communication path for when incidents do happen. Some regulations to become familiar with are the Red Flags Rule, GLBA, and SB 1386 (California), amongst others.
A critical incident will happen, and while you might not have the defense ability of the Pentagon, you can protect yourself in the event it does happen.
Leaving your business wide open and unprepared is not acceptable nowadays with all the interconnected networks, relationships, and transparency.
A list of some of the companies with data that was compromised:
• Kroger • TiVo • US Bank • JPMorgan Chase • Capital One • Citi • Home Shopping Network (HSN) (added 4/3)
• Ameriprise Financial • LL Bean Visa Card • Lacoste • AbeBooks • Hilton Honors Program • Dillons
• Fred Meyer • Beachbody (Makers of TRX) • TD Ameritrade • Ethan Allen • Eileen Fisher • MoneyGram • TIAA-CREF
• McKinsey & Company • Ritz-Carlton Rewards • Marriott Rewards • New York & Company • Brookstone
• Walgreens • The College Board (added 4/3 @8:20am) • Disney Destinations • Best Buy • Robert Half
• Target • QFC • bebe Stores • Ralphs • Fry’s • 1-800-Flowers • Red Roof Inn • King Soopers • Air Miles
• Eddie Bauer
A lot of household names and big time retailers.
Google and Facebook. Your own small business. Did this get your attention?
Look around and you’ll probably see all kinds of disasters (Japan most notably), but also human-inflicted disasters in Egypt, Tunisia, Libya, Charlie Sheen. If you think something like this hasn’t affected many business owners, well you need to think hard about that. Any business (big or small) can be affected by much less, though the damage from either can devastate and possibly eliminate your business for good.
But you’re in luck today my money making friends. We’ve helped businesses with this before, been through numerous disasters ourselves, and feel it is our duty to help anyone we can best prepare for this.
Here are The Matador Media tips for your business to survive a disaster:
1. Formal Disaster/Business Continuity Plan: Describe what employees (or you) will do if a disaster occurs while in an office. Point out how to evacuate everyone, who should be the “leader”, and where the meeting point will be.
2. Communication Plans: Historically, the first thing to go out in any disaster is communication. Even though you may run a virtual business or run your business from off-site, some sort of plan describing how communication will still flow in an emergency should be in place. Make sure you can still operate and handle customer inquiries and update all key parties as to what is going on and when to expect to be fully operational again.
3. Lots of Data Backups: Having a redundancy plan could be a lifesaver, and what keeps you from disappearing completely. A good practice is at least three (3) locations for backed up data (cloud computing solutions offer remote access) and in separate locations as well as mediums. This is one area where having an excess is a good thing.
4. Find Alternate Sites: If you use a shared location, you can enter a reciprocal agreement which basically is an agreement with others in your building to share space and/or services if a disaster strikes. This costs nothing to do, though does require trust on both sides to uphold it.
5. Get Some Insurance: Your entire business is run and supported by the data you have, so check to see that this is placed into any business insurance policies you have. A “data deductible” or policy is normal nowadays, though still only a few business owners even consider this. Don’t be one of them.
Anyone working with an exclusively online business, or having both online and offline operations, is guaranteed to have lots of data. From business financial records, customer databases, orders/invoices, personal data, pictures, videos, email, text messages, instant messenger logs, to locally stored backups. Yup, you definitely have a lot going on there.
Forgot to mention the data on your websites, social media profiles, email storage folders, and also that thing called “the cloud”. So I was wrong when saying you have a lot going on there; you have a TON going on there. Remember, data is basically in 1 of 3 states: in use, at rest, or in transit.
In big companies and government organizations they typically assign classifications to their data, after also putting it through a car wash of sorts (the real word is audit, but nobody likes that word!). To help with this issue I’ve created a simple step-by-step recipe for you below. Hold the “oohs”, “ahhhs”, and “wows” until you’ve read this.
Omar’s No-nonsense Data Classification Recipe
1. Assign homes and locations - Simpler the better; Marketing in one spot, Financial data in another, Vacation Images in their own home and so forth.
2. Clean House - Delete any duplicates, misnamed files (mostly in the text or documents), or unfinished files from more than 60 days ago.
3. Learn your data - Really. Learn what the gist/nature is of your stuff, especially if you’ve become a mass data hoarder and have lots of unconnected, unrelated stuff. Note: If you’re starting out or a growing business, this is probably going on already.
4. Tag that data - Marketing data should get tagged as such, with a meta-tag as well, such as Marketing Dallas, etc.
5. Get it classified - After tagging data, get your data classified in whatever way you want. I’d stick with Public, Private, Sensitive, Confidential. But that’s just me.
Having done all this, you now have clear, transparent, classified, and tagged data for your business. The benefit to you is in operational efficiency, data management, proof of using due care and due diligence (will get into that more later), and it will also help streamline or possibly avoid invasive compliance audits and reviews.
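As an added example (my code, not something from the post), here is the recipe above turned into a script that runs over a handful of constructed sample “files”: it assigns each one a home by keyword (step 1), flags exact duplicates by hash (step 2), looks at what is actually inside it (step 3), tags it with its home plus any known office location in the “Marketing Dallas” style (step 4), and maps the result onto the Public/Private/Sensitive/Confidential ladder (step 5). The keyword lists, the location list, the sample SSN and card number (standard test values, not real data) and the classification rules are all assumptions to adapt to your own business.

```python
import hashlib
import re

# Constructed sample "files" (name -> contents) standing in for a folder of business
# documents. The SSN and card number are standard test values, not real data.
SAMPLE_FILES = {
    "newsletter_june.txt": "Marketing blast: Dallas summer promo, 20% off all orders.",
    "newsletter_june_copy.txt": "Marketing blast: Dallas summer promo, 20% off all orders.",
    "invoice_1042.txt": "Invoice 1042 - total $1,250.00 due in 30 days. Questions: billing@example.com",
    "client_intake.txt": "Client: Jane Roe, SSN 123-45-6789, card 4111 1111 1111 1111",
    "beach_trip.txt": "Photos from the beach trip, Cancun 2011.",
}

# Step 1: keyword-to-home mapping (assumed; first matching home wins).
HOMES = {
    "Marketing": ("marketing", "promo", "newsletter", "campaign"),
    "Financial": ("invoice", "billing", "payment", "$"),
    "Vacation Images": ("photo", "trip", "vacation"),
}
# Step 4: office/event locations worth a meta-tag (assumed list).
LOCATIONS = ("Dallas", "Cancun")

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_ok(digits):
    """Luhn checksum: tells card-shaped numbers from random runs of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_indicators(text):
    """Step 3: learn what is in the file. Returns the set of PII indicators found."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.add("card")
    if EMAIL_RE.search(text):
        found.add("email")
    return found


def assign_home(name, text):
    """Step 1: put the file in one home based on its name and contents."""
    hay = (name + " " + text).lower()
    for home, words in HOMES.items():
        if any(w in hay for w in words):
            return home
    return "General"


def make_tags(name, text, home, indicators):
    """Step 4: home tag, location meta-tags, and one tag per PII indicator."""
    hay = (name + " " + text).lower()
    tags = [home] + [loc for loc in LOCATIONS if loc.lower() in hay]
    return tags + ["pii:" + ind for ind in sorted(indicators)]


def classify(indicators, home):
    """Step 5: the most restrictive label that applies wins."""
    if indicators & {"ssn", "card"}:
        return "Confidential"
    if "email" in indicators:
        return "Sensitive"
    if home == "Financial":
        return "Private"
    return "Public"


def inventory(files):
    """Run all five steps over {name: contents}; step 2 flags exact duplicates by hash."""
    first_seen = {}
    result = {}
    for name, text in files.items():
        digest = hashlib.sha256(text.strip().encode("utf-8")).hexdigest()
        indicators = find_indicators(text)
        home = assign_home(name, text)
        result[name] = {
            "home": home,
            "tags": make_tags(name, text, home, indicators),
            "classification": classify(indicators, home),
            "duplicate_of": first_seen.get(digest),  # None unless seen before
        }
        first_seen.setdefault(digest, name)
    return result


if __name__ == "__main__":
    for name, rec in inventory(SAMPLE_FILES).items():
        dup = f" (duplicate of {rec['duplicate_of']})" if rec["duplicate_of"] else ""
        print(f"{name:26} {rec['classification']:13} {rec['home']:16} {rec['tags']}{dup}")
```

The pattern checks are deliberately simple and err toward flagging: a false “Confidential” costs you a minute of review, while a missed SSN in a “Public” folder is exactly the due-care failure the post is warning about. Run it on a copy of the folder first and fix the keyword lists before trusting the labels.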
Good luck!
It’s definitely hard enough to make your business operations compliant, much less keep up with the changes, nuances, and other mandates that seem to never end. Add in the stress of just typical business operations and you have a nice little dilemma there. And let’s not forget the costs involved for consulting, “one-size-fits-all” compliance tools, and also outdated methodologies using outdated processes.
You’re asking yourself: “how in the heck do I do this?!?!?!”. Well, “we have an answer for that” (using the corny Apple App Commercial voice-over). Take what you consider your biggest risks, add in what you aren’t sure of, and then see what you already have/are doing to lessen the impact. Look at these results and then see if what looks like a risk is truly a risk, or merely fear (kind of like being scared every soda can you open will in fact explode all over you, but you open it anyway).
Our advice, for all you lean and mean, entrepreneurial machines, is to simplify everything as much as possible and keep those costs LOW. We understand that in this new golden era of online business it’s almost impossible to defend against everything, especially with your need to be engaging and connecting with as many people as possible online for your brand. It’s pretty much mandatory to do so, but along with all of this come new threats and risks, which are part of the process.
Can’t have the good without the bad, and you can’t be afraid to open that soda can for fear of it exploding all over you.
So why would someone just give info, checklists, and other highly valued knowledge away freely? It’s simple. I want to help out as many people as possible, with as many things as possible, in as many ways as possible, all the time. Just like that.
I’ve worked and still do handle large projects for major corporations, mid-size companies, and many private companies as well. So-called “industry standard” certifications and training? Ya, I got a bunch of those. With more coming this year.
While I do provide solutions in that space, I’ve always felt my biggest impact will be in helping start-ups, small businesses, solo-professionals, self-employed geniuses, and others out there making their livelihood using the Internet. From the inception of the company stage, to the maturity phases, and even the post-ownership data management phases. A major bank may require more time in assessing risk and providing security solutions for their new ERP system or data management, though the 1 or 2 small systems you use for your business are just as important in order for your business to function and thrive.
While I was writing a lot about risks, security, social media, how to protect yourself and so forth, it just hit me that I didn’t really get to openly say why I do what I do here. I think I can relate and connect with you, being that I am a serial entrepreneur, self-employed, and also a business owner (now and at other times in my life). The Matador Media is the latest business, but the one that will have the most impact for years to come.
What I won’t do is become a generic content generating “BS” machine (kinda like some people on Twitter…no names provided today!), but instead something openly attracting feedback from everyone who reads this, and also a resource which can benefit you in some way.
Comment away, send me any tips, suggestions, or so, and good luck with all your online endeavors.
So I’ve been rambling on about what risks exist for people operating/existing online, but nothing definite on how to go about it. Well here it is. A nice score card, with dashes of NIST Publications, CoBIT, PCI, EU Safe Harbor, ISO17799, e-Discovery rules, GLBA, and all their other friends as well. You want to be big time now and use what the big boys use? Alright! You asked for it, you got it!
1. Data Inventory: Ask yourself, do we collect or store any customer PII (personally identifiable information) such as SSN, CC #, email, phone #, etc? If so, this needs to be protected, not just for business reputation, but for the plethora of regulations and various compliance initiatives out there.
2. Online Virtual Profiles: List all places you have a blog, website, vlog (video blog), Twitter, Facebook, MySpace, Hubpages, LinkedIn, or any other major social presence. Count how many times per day you put out content, and whether you have performed any secure code checks on any of these that allow code to be interpreted.
3. Apps: List all mobile apps you have for business/branding purposes, and also whether you have performed any (not a third party, but YOU) security tests on them, specifically against things like the OWASP Top Ten. Also include any automated content tools in use for putting out content on a schedule.
4. Internal/External Access: List all people who have access to all key business social media sites, cloud stored data, web hosting, online advertising, and payment processing providers.
5. Disaster/Business Continuity: List any and all plans, procedures, or actual tests done to allow your business to flourish in the event of a disaster (natural, cyber, etc).
Score everything as such:
1. Collect PII and sensitive data: +2
2. No Presence of an ‘opt-in’ capability for collecting data: +1
3. No adequate protection of PII and other sensitive data collected: +1
4. No easily found privacy policy: +1
5. No checks performed on any social media outlets/business websites: +2
6. Releasing content more than 1xday on all sites: +1
7. Not validated any mobile apps for my business/branding efforts: +2
8. Access given to more than one person for key business assets: +1
9. Shared accounts and passwords for key business assets: +2
10. No disaster recovery/business continuity plans: +2
Add your scores up and see what you get.
1-5= Pretty secure, but still should be lowered with minimal effort.
6-10= Known issues and something is likely to happen impacting your business.
11+= Extremely insecure operations, and more likely to be targeted for cyber attacks and/or more likely to be in violation of several regulations and compliance initiatives.
Again, even if you have a high score, don’t automatically assume you are violating every compliance mandate, or are just an open target for attack by the universe. This is just a quick assessment tool for you to use on your current operations, mainly to help point out some areas for consideration.
It’s also said there is no excuse for being unprepared or uninformed. They also say you can’t know or prepare for everything that could possibly go wrong.
That’s where I come in to help drive off as much of that as possible.
Why do you buy insurance for your car? How about your life? Better yet, why do you put locks on doors, or passwords on your vital accounts?
Big businesses definitely take this seriously, though it’s stunning how many small businesses and one-person shops/operations don’t put this into their strategic planning, much less think it is needed. For some reference, take a look at this article from SC Magazine on what happens when a small business doesn’t do this: http://www.scmagazineus.com/small-businesses-largely-not-pci-compliant/article/141557/.
Scared, don’t care, gotta go work on our tans? Probably a little of everything I’ll guess.
You should care if your business (or you) collects customer information (name, address, CC#, phone), takes or sends payments, puts out large amounts of content online, and lastly, has any type of virtual storefront/presence online.
My point here is not to dictate “Thou shalt comply with various regulations, install elaborate and futuristic security measures, and be prepared to pay through the nose and into your next generation”. My intention is to bring to your attention what is happening, but also provide easy ways to deal with it now and in the future, and lessen the impact of when disaster strikes. It will happen, it’s just a matter of when, and how much it will slow down (or shut down) your virtual operations.
Got questions or just want some general info? Send me an email: omar@thematadormedia.com, or find me on twitter @MatadorRTN, and I promise I will get back to you.
Good luck everyone.