When you no longer need to save specific data, erase it. In part one of this series we discussed the need for an information protection and destruction plan. In this article we look at some suggestions for making more permanent destruction choices.
When you decide that something needs to go, out of sight is not good enough. Tossing sensitive data into the recycling bin leaves it wide open for fraudsters. The path it takes to get turned into another paper product is unlikely to be secure and safe. Shredders and companies that offer secure shredding and paper destruction are probably your best bet. Many small businesses can take advantage of community secure shredding events if they fall in line with your timing.
If you’re still using an old shredder that cuts paper into ribbons you should look at this article from PC magazine. It’s a good overview of some of the options that might work for your business if you don’t have the volume for a data destruction service.
When your schedule calls for deleting data from dedicated drives, Popular Mechanics has a good article on how to destroy your old hard drive. They note that the Department of Defense sets the standard and that is to overwrite the drive seven times. The article goes on to suggest methods of destruction, including the recommendation that sometimes “brute force is the best option.”
CNET has a great overview and specific tips on getting rid of data on phones when you trade them in or upgrade. They also look at deleting information from cloud backups and off-device storage. It’s worth the time to make sure your phones and those used by employees are as safe as possible. Remember, they also note that destruction is the only 100% foolproof way to guarantee that your data doesn’t end up where you don’t want it.
Every cloud storage system is different and has different file retention policies. Some files may be deleted but still linger in the background. This is why it is important to understand your cloud platforms and their file retention, recovery, and deletion capabilities. If you are storing secure files, you’ll also want to make sure your cloud system is encrypted and closed. All the systems, from Microsoft and Dropbox to Citrix Sharefile, have different policies on securing files and wiping them. Read your user agreement carefully.
Keeping your confidential company information safe is always key, and we all know that protecting sensitive client information is important. Before computers, all you needed to do was shred your papers and this information disappeared! Now it is more complex: in addition to paper, we have not just electronic information but also documents that live in the “cloud” and information on mobile devices.
Today, protecting your files and purging them systematically takes a little planning. Having a plan in place will make it easy to know just what you have in storage, what to destroy, and when. This is the first of Androscoggin Bank’s series on file retention and destruction.
The best way to start is to identify where and how all your information is stored. Ask yourself, does it live in one place, or is it found physically in the filing cabinet, digitally on your network drive, and backed up to the cloud?
Then ask yourself what is the most vital information to protect. Not all information is created equal. Does your industry have a legal obligation to protect client data? What about competitive information? Extortion attacks, in which hackers ask for money to return your stolen data, are getting more and more common. What can’t you afford to lose or expose? That information should be at the top of your protection list. Then you can figure out how to protect that information.
Another aspect of data retention is to balance what you need to keep and how safe it needs to be. Let’s take a tax return for an example. The IRS has guidelines on how long you need to keep tax records. The length of retention is tied to a “period of limitations” for that return. It could be as short as three years or “indefinitely” if no return was filed for that year. So it’s not as simple as saying we can destroy tax returns after x number of years.
Maybe more important than how long to keep those tax returns is the question of how to protect them and other data. Also consider where those files are kept. Can they go to a secure storage facility? Kept in a locked file cabinet? Who has access? And how hard would it be for someone to use the information for criminal intent?
Once you figure out what you need and what and how to protect it – don’t forget that getting rid of it might be the safest bet. A written plan to destroy data or physical files will help you keep track of what to destroy and when.
In the next part of this series we will look at how to destroy physical files and drives as well as deleting data you can’t see in the cloud – like all of your phone backups with emails.
According to the Federal Trade Commission (FTC) “Your company’s data security measures should be reasonable and appropriate in light of the sensitivity and amount of consumer information you have, the size and complexity of your business, and the availability and cost of tools to improve security and reduce vulnerabilities.” There’s a lot behind that statement. The basic takeaway should be that having a policy and making sure it’s followed is an essential component of protecting your business.
Androscoggin Bank’s Information Security Officer is a strong believer in the importance of a data security policy. Rand points out that a good information security policy:
SANS, the information security training company, offers free templates. These may be more than some small businesses need, but they are still an excellent place to start. The templates are available for download here. These policy templates are a good resource to start, or refine, your policies.
What if you had to remember a password that changes every 32 seconds? Impossible.
That’s the idea behind the security token for businesses and municipalities at Androscoggin Bank. The connectionless token generates one-time passwords that are used in combination with your PIN to log in. It ties to the Bank’s already robust security system and creates two levels of security—the one-time password and the PIN. This is also known as two-factor authentication.
Androscoggin has been offering this security feature for about ten years. It has become more common for business users to see this type of device as it’s used to log into some virtual private networks (VPNs) and other secure business applications. This is just one of Androscoggin’s security features for business. Learn about tokens here.
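How a connectionless token and a server can agree on a code without ever communicating, shown as an added example that is not from the original article or from Androscoggin Bank. It assumes the standard time-based algorithm (RFC 6238 TOTP over HMAC-SHA1), the 32-second interval quoted above, a six-digit code, and a constructed secret and PIN; the algorithm the Bank's token actually uses is not stated on this page.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 32  # interval quoted in the article; the algorithm itself is an assumption
DIGITS = 6         # assumed code length


def one_time_code(secret, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP: HMAC-SHA1 over the count of elapsed time steps."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_login(secret, expected_pin, pin, code, unix_time,
                 step=STEP_SECONDS, drift_steps=1):
    """Server-side check: the PIN and the one-time code must both match.

    Codes from adjacent time steps are accepted to tolerate clock drift in
    the token. A real server would compare against a salted PIN hash rather
    than holding the PIN itself; it is kept in the clear here for brevity.
    """
    pin_ok = hmac.compare_digest(pin.encode(), expected_pin.encode())
    code_ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        candidate = one_time_code(secret, unix_time + delta * step, step)
        # Constant-time comparison, and no early exit on a match.
        code_ok |= hmac.compare_digest(candidate.encode(), code.encode())
    return pin_ok and code_ok


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    pin = "4821"                         # constructed sample value
    now = 1_700_000_000
    code = one_time_code(secret, now)    # what the token would display
    print("code on token:       ", code)
    print("right PIN, fresh code:", verify_login(secret, pin, pin, code, now))
    print("wrong PIN, fresh code:", verify_login(secret, pin, "0000", code, now))
    print("right PIN, stale code:",
          verify_login(secret, pin, pin, code, now + 5 * STEP_SECONDS))
```

The token and the server never exchange the secret at login time; each derives the code from the shared secret and its own clock, which is why a stolen code stops working once the time window passes.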
Ever look at a bogus invoice or an odd phone message and try to figure out the angle? You’re not alone. Businesses like yours have been targeted by crooks long before the internet, email and electronic payment systems were part of the equation. Understanding how these scams work and how to spot them is the subject of this pdf from The Federal Trade Commission. It’s a quick read and may be useful for you and your employees to know what to do the next time you get a call from a bogus charity or someone insisting your business’s URL is expired and must be paid for today.
Tokens used to be good for a ride on the subway or the bus. Most of those fare paying and collecting systems are long gone and have been replaced with computerized kiosks and some sort of temporary or reusable swipe card. According to the AP, Chicago quit sales in 1999, New York in 2003 and Boston in 2006. So if you’ve been saving those old tokens for a trip in to Fenway, you’re out of luck.
Tokens are used to prevent fraud. Essentially they work to mask credit card or account numbers in payment systems, serve as a real-time authenticator of identity (see below for how this works), and are used in the background across the Internet to keep your data secure.
Apple Pay is a good example. When a credit card is set up by the user to make payments using the wallet feature, the actual credit card number is not stored. It’s replaced with a token (a series of numbers that change with each transaction) that represents that account and stands in place of your card number. The vendor must also be authorized to use the token to process the charge—adding an additional layer of security.
Another example is using the new EMV chip cards that the Bank has issued. These chips are an effort to greatly reduce in-person fraud or theft by unauthorized use of a credit card. They are unskimmable, which means even if someone gives you a fake mag-stripe card, the payment processor knows it should be an EMV card with a token and won’t accept the basic account number.
Token technology makes data useless to outsiders. As a business, you have less risk of a data breach involving client account numbers or identifying information if you never have the actual account numbers stored in your system. This is safer, in some cases, than an encryption system that is built to protect the real numbers.
An authentication token is the physical version of the same process. It acts like an electronic key allowing you to access networks and accounts like email, bank accounts and mobile apps. It requires the key on the token device to match the lock in the system. Coupled with a PIN that only you know, the added level of authentication greatly increases the security.
While physical tokens are a great additional layer of security, don’t forget that like most security measures, they have specific weaknesses. Tokens are susceptible to certain malware attacks, which puts them at risk. They should be just one part of a robust security program at your company.
More and more businesses are relying on a cell phone, or two, or twelve or fifty to not only make calls on the road, but also answer email and link up with your business. Now it’s possible to get almost anything from your phone or tablet, even when you are traveling for business. With all of this information roaming with you and your people – are you doing everything you can to keep it safe?
Newer phones and tablets default to asking for a password to access your home screen and phone applications. It’s a good idea. The FBI and Apple have been publicly fighting about privacy rights and access to cell phones. It shows just how valuable this most basic step really is in securing your business information. Consider making it mandatory for all employees using mobile data while on the job. It’s a good addition to the employee handbook or data policy.
Public Wifi that doesn’t need a unique password is not to be trusted. Also, the higher the number of people that know the password, the less safe the Wifi network. Even if that coffee shop uses a password to sign into the Wifi, you can bet dozens, even hundreds of people know it – if even one of those folks is dishonest, you are at risk.
Logging in where someone can see what you’re entering isn’t safe, and using public Internet access is really unsafe for applications that can expose financial information. So banking, accounting, and credit card applications should be accessed only from secure locations/networks. It’s also essential to log out of those applications when you’re done. Try to get in the habit of ending these sessions with a definitive sign out.
The native security features in phone or tablet operating systems are constantly being updated by your operating system. These are important updates and an essential part of the battle to keep your phone free of malware and viruses. There are also third-party mobile security applications unique to your device’s operating system. It’s a good idea to get some advice from your tech support expert based on the type(s) of smartphones and tablets your company uses.
The Financial Services Information Sharing and Analysis Center produced a list of tips for National Consumer Protection week to their members on securing your mobile device. Here are a few short tips from them:
Sharing these and other tips with your mobile users can be an important key in keeping access to your sensitive information where it belongs and out of the hands of hackers.
If you have a broken piece of equipment, a leak in the roof, or need the parking lot paved, you would normally call someone to come in and take a look or get a quote and then hire them to make the repair. It might take a while, and not be as efficient as you’d like, but you are in charge of the whole process. You identify the problem, outline the scope of work, engage the person and get it fixed.
Wouldn’t you be suspicious if someone called you and said your copier or car has a problem that only they know about and you should pay them immediately to fix it before it gets worse?
This is exactly what’s happening, with increasing frequency and levels of deception, to businesses like yours from thieves posing as tech-support professionals. They call or come in and try to get access to your computer under the guise of upgrading security or removing a virus. It’s a scam that can leave you wishing you’d never answered the phone.
One of our associates got one of these calls. It went like this:
The fraudster starts out by saying that they are getting messages from a computer at that location and it needs to be fixed. It’s a security message and must be fixed right away.
The associate asked what messages were received and how they knew it was his computer.
The fraudster said that if the associate read off a number from his computer and it matched the one that they had on their end, then they would know it was the same one. The fraudster’s insistence that a quick turnaround was necessary continued to grow.
Our associate asked where they were calling from. The fraudster said the company was “We Fix Computers” and that our associate needed to go to the computer and give them the numbers right away. Our associate knew it was a scam, and hung up―his files, and his computer security intact.
What usually happens next is that this helpful fraudster offers to view your screen remotely to help you locate the ID number they need to fix your computer. From there the sky’s the limit on what they could do with access to the computer and any company networks that are attached.
The Federal Trade Commission (FTC) has some advice.
In a recent blog post the FTC shared some excellent tips about this type of tech-support scam. They are:
They also offer this link with more info on how the scams work and what to do.
With a little awareness and a solid dose of suspicion, this con can be avoided. You know who your tech support team is and what they can do for you. They should know about this type of hack attempt and be ready to help your business avoid the offer to fix something that’s not broken. In these instances, it’s ok to just hang up.
You may have told employees to hide the password list more carefully and take down the sticky notes where they wrote their passwords, but do you have a password policy that makes your accounts harder to hack?
The annual list of most commonly used passwords is a very interesting, if slightly disturbing, look into how easy hackers have it.
The 2015 list from SplashData comes from millions of stolen passwords. Believe it or not “123456” and “password” are the top two on the list. The rest of the list includes shorter and longer versions of “12345…” and the very creative “qwerty.” The sports world inspires “baseball” and “football,” which are also in the top ten. A new password pops up on the list at number 11 this year. It is actually “welcome.”
When we think of hackers trying to steal identities or access accounts, it usually involves some type of computer program inputting thousands or millions of combinations to unlock the account. It turns out that in many cases it’s really pretty easy to guess a password, and the bad guys start with these simple passwords to unlock accounts on a regular basis. Many people use easy-to-remember words, names, pet names and dates. All of these are also easily found out by criminals. Without some guidance, employees are going to use the same password-making process they use on their home and personal accounts.
Once a hacker has cracked a personal password it’s not hard for them to use that information and password pattern to unlock more accounts, essentially creating a “waterfall” from one password to the next as they follow the accounts right to your business. For example, if someone has used a predictable pattern from site to site – like Facebook1234, AOL1234, GMail1234 – then QuickBooks1234 isn’t hard to guess.
Using more complex and truly random passwords is an essential step in protecting your business. Telling your employees to leave the simple stuff at home is a good first step. Password creation and management applications are available to help business users create, manage and change passwords to stay ahead of the hack pack.
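A check for the two weaknesses described above, the commonly used passwords and the site-to-site “waterfall” pattern, as an added example that is not part of the original article. It assumes the audit runs somewhere the passwords are legitimately available in the clear, such as a local password manager export; the service names and passwords in `SAMPLE` are constructed, apart from the pattern the article itself quotes.

```python
import re
from collections import defaultdict

# Entries the article quotes from the 2015 SplashData list (not the full list).
COMMON = {"123456", "password", "qwerty", "baseball", "football", "welcome"}


def _residue(service, password):
    """Password with the service name stripped out, or None if it is absent."""
    name = re.sub(r"[^a-z0-9]", "", service.lower())
    low = password.lower()
    if name and name in low:
        return low.replace(name, "", 1)
    return None


def audit(credentials):
    """Map each service to the reasons its password is easy to guess."""
    findings = {service: [] for service in credentials}
    by_password = defaultdict(list)
    by_residue = defaultdict(list)
    for service, password in credentials.items():
        low = password.lower()  # case changes are a trivial variation
        # "12345..." in shorter and longer versions, plus the quoted words.
        if low in COMMON or (len(low) >= 4 and "1234567890".startswith(low)):
            findings[service].append("common")
        by_password[low].append(service)
        rest = _residue(service, password)
        if rest is not None:
            by_residue[rest].append(service)
    for services in by_password.values():
        if len(services) > 1:
            for service in services:
                findings[service].append("reused")
    # Same leftover after removing the site name: knowing one password
    # reveals the rest, which is the "waterfall" the article describes.
    for services in by_residue.values():
        if len(services) > 1:
            for service in services:
                findings[service].append("site-name pattern")
    return {service: why for service, why in findings.items() if why}


# Constructed sample: the article's pattern plus three made-up entries.
SAMPLE = {
    "Facebook": "Facebook1234",
    "AOL": "AOL1234",
    "GMail": "GMail1234",
    "QuickBooks": "QuickBooks1234",
    "Payroll": "welcome",
    "Wiki": "Welcome",
    "Backup": "t9#Vq2!mZr8w",
}

if __name__ == "__main__":
    for service, reasons in audit(SAMPLE).items():
        print(f"{service}: {', '.join(reasons)}")
```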
Using a token for your business banking account adds an excellent security measure. Your Androscoggin Treasury or Government Services officer can show you how it works and will help to protect your account from hackers.
Hackers are always on the lookout for new ways to access your accounts. Don’t make it easy for them. By making sure your passwords are strong and different for each account, you’re off to a good start. Adding an additional layer of security, such as two-step authentication, is another easy way to slow down would-be fraudsters.
Need help coming up with your own complex passwords? Microsoft has some helpful tips here.
In a good competitive basketball game there’s always some contact. When it gets excessive, somebody is going to call a hack. A hack is a hard foul. It’s also any foul that doesn’t get called by the referee on one of your players. When it comes to your essential PCs and Macs in the business, how do you know you’ve been hacked and what’s the first thing to do?
Companies may be the last to know they’ve been hacked—learning of security breaches only after a customer or a vendor calls. These breaches are courtesy of true criminals who have a plan to stay undetected for as long as possible. Once inside, they collect data to be used later—in the most profitable or damaging ways. Hackers out to make a statement – as compared to the big profit – are easier to spot and can install malware that usually gets to work right away. They may be in it for the thrill or to make a point by embarrassing or disabling a site.
Smaller companies are less likely to be the target of a hacker looking to embarrass or expose some sort of secret information. True criminals driven by profit are out to hit you and your customers hard. So what should you and your employees be looking for?
The SANS Institute provides research and education to security professionals worldwide. Androscoggin Bank’s Information Security Officer shared a recent newsletter from the SANS Institute called “I’m Hacked, Now What?” The article is written by the Security Awareness and Education Program Manager at Uber. Click here for a PDF of the newsletter.
This basic guide might come in handy as something to share with your employees. Remind them to get help if they spot any of the telltale signs of a hack, because early detection and intervention can go a long way to reduce the risk for your company.