20 Simple Actions to Implement
By Daniel Bulley
"You can take some fairly simple precautions to protect yourself and your business from dumpster divers, hacksters, and the Almighty Con."
With 22,918,441 data records stolen in the US in 2011*, identity theft has reached an all-time high. Roughly 16% of those were subcontractors. It’s worth noting that Verizon’s 2011 data breach investigation report states that 96% of the breaches were avoidable through simple or intermediate controls. Why not make 2013 your most secure year?
Protecting Your Devices
Although the old rules for your personal security still apply, new technology dictates additional precautions you can implement fairly simply. Be sure all of your devices are protected — your computer as well as your smart phone and tablet.
Your social security number is the single most important piece of data to protect; much harm can be done when it is stolen. Keep your social security number very private, don’t use debit cards (they make your money immediately accessible and therefore more difficult to recover), use strong passwords, and load antivirus and anti-spyware programs on your computers. I found out my identity had been stolen because the perpetrator only had my birth month and year and had guessed the day wrong — which flagged the credit card company that called me to verify. This points to the importance of not giving out your full birth date.
Whereas identity theft and business fraud used to be separate crimes, the proliferation of smart phones has changed the landscape and morphed the two security issues together. Smart phones contain sensitive personal information. Business information also is often accessible through a smart phone. Some phones can even connect directly to corporate servers, banking, and employee records. Tablets aren't immune. An iPad has as much or maybe more information than a laptop — but is it as secure? Be sure all of your devices are protected with a screen lock and a strong password.
It’s unfortunate that so many people still think of mobile devices simply as phones. A thief with access to your mobile device might as well take your work computer and network server and plug it in at his home to violate at his leisure. Contractors have even more problems than the average user. Is your proprietary bid data at risk from a smart phone or tablet? Can someone get in and change, steal, or delete your electronic drawings?
Using a Lock Code
The first step to securing your mobile device is to use a lock code. Go to your settings/security to set up a screen lock. On a droid you can choose to use a PIN or a password or draw a pattern. Whatever code you use, take the time to create one that is not obvious. Everyone should be doing this. The inconvenience of dealing with your lock code doesn't amount to a hill of beans when compared to what you'll have to go through to reverse identity theft or fraud. It took me two years to regain my identity.
Many phones that connect to corporate servers can be wiped clean by the server if they go missing. Is this enabled on your device? Apple devices and some others give you the option of a password longer than four digits. You can even set the device to wipe itself after 10 wrong password tries.
Passwords have become a major problem. With so many different accounts, many people use the same password for various things — a big mistake.
For business accounts, using a separate, unique password for each major service — and making sure that none of these passwords are the same as those associated with personal accounts — is essential.
One solution is to use a password encryption program. These applications help you manage your accounts with user names, passwords, and notes directly on your mobile phone in a "secure" way. You won’t have to remember which password you use for which account. You can put all your accounts in one database, which is locked with one master password. This master password needs to be a very strong one because it unlocks the entire database.
The accounts in the database are encrypted using an encryption algorithm.
There are a multitude of programs for password encryption and management.
I personally don’t like the idea of storing all my passwords in the cloud — encrypted or not. One encryption company was recently hacked — making millions of passwords available to the perpetrator. I still prefer to list all my passwords in a document offline, then encrypt that document and keep a backup in a locked and secret location. Your computer may have its own encryption program so you don’t have to buy one. Mac has its keychain, which encrypts your passwords. However, if you don’t go into your browser preferences and turn off the "autofill" option, those passwords aren’t really secure. There are tutorials on YouTube that show you how to encrypt files safely on a Mac. On my PC, Word has its own encryption facility.
Nothing is going to be foolproof; you need to take the action that makes the most sense for you and your business, and then stop worrying. Take an hour or two to research these applications and make your choice carefully. Some are online, some are offline software; and some offer a combination of the two. Here are two helpful articles that will help you choose:
Using HTTPS Website Logins
It’s also a good idea to use HTTPS website logins. Here is an excerpt from the Mashable article linked above:
"Beyond just using unique, secure passwords and password management tools, it’s also important that businesses use secure logins, especially when accessing web services from outside of a corporate network.
In the last few months, a growing number of websites, including Twitter, Facebook, Gmail, Foursquare, and HootSuite have started to implement HTTPS as a login option. Using HTTPS, logins are encrypted over the network. This means that even if the network itself is open, the password and username to your account isn’t visible to those sniffing the network.
Turning on HTTPS as a default login option in the web services that support it is a good idea for all users, but it makes even better sense in a corporate context."
The following are 20 specific actions you can take this week for securing your business and personal identity:
1. Set up a screen lock for every device.
2. Use password encryption and use a unique password for every account.
3. Use https:// login when available on websites.
4. Install and run antivirus and antispyware programs regularly.
5. Don’t give out your full social security number, birthdate or mother’s maiden name. In rare instances when your social security number is necessary, ask how they will protect it.
6. Contact all accounts which have your mother’s maiden name (bank, credit cards) and give them a different one that you remember.
7. Use a shredder that cross-cuts your sensitive documents.
8. Don’t leave sensitive information-containing mail in your mail box. Don’t leave outgoing bills in the box for pickup.
9. Use a credit card rather than a debit card.
10. Don't tell your computer to remember passwords when prompted.
11. Do not put account numbers on checks when paying bills. Use last 4 digits if anything.
12. Keep all banking files, credit cards and other sensitive information locked up. Include a list of the 800-numbers of all your credit cards. If you are backing up your business data on an external hard drive, keep that locked up too.
13. If you receive packages you didn’t order, call the company that sent the packages.
14. If you receive phone calls from creditors you don’t know, don’t give out personal information and make your own calls to follow up.
15. Get State ID cards for non-drivers. This protects your kids from false IDs being made in their names.
16. Don’t carry your social security # on you. Be aware that some other forms of ID contain this number (insurance cards, Medicare cards, veterans IDs, driver’s licenses).
17. Be careful of people looking over your shoulder or taking pictures with a camera phone.
18. Cover the keypad when entering ATM or other codes.
19. Never give sensitive information to someone that calls you. You should initiate the call.
20. Don’t enter online contests.
If you have employees, schedule a meeting to share this information. Not only will your business be more secure; you will be helping your employees to protect themselves and their families. It’s pointless to spend your time worrying about the possibility of being defrauded — but if you take appropriate actions to protect your business, you can move forward to more productive enterprises.
*Breach Report 2011 Identity Theft Resource Center.
Since his identity was stolen in 2003, Daniel Bulley has volunteered as an advocate with the Identity Theft Resource Center. As V.P. of the Mechanical Contractors Association of Chicago (mca.org), Bulley is passionate about helping contractors, small business owners and individuals take the steps necessary to protect themselves and their businesses from fraud.