Caveat Emptor: The Internet of Things (IoT)

It’s the hottest thing going today. All your devices connected to the internet — and to you. And, to everyone else!

Yes, your new devices that are connected to the internet are a great convenience. Turning on your lights from your smartphone. Getting messages from your refrigerator when you need resupply. Home security systems with cameras and internet reporting. That Wifi connected baby monitor. That activity monitor that you upload data to every day about your fitness activities (some companies’ terms of use allow them to not only retain that data, but provide it to others!).

Walt Manning, a security expert and investigator, provides some insights into the IoT via his presentation at the Government Identity Fraud Conference in March. He notes that we already have more than 25 million devices connected to the internet. And by 2020 (only a few years away) this will double to 50 million! Ultimately, it is expected that the average house will have 100 devices connected to the internet.

Moreover, almost none of these devices are secure. On average, Manning reports, each device has 25 security flaws, and none of them are truly secure. This explosion of connected devices will have 5-10 times the impact that the internet currently has on the security of data.

Because, for all of the convenience of connected devices, we pay a price. That price is data; information about ourselves and our activities is recorded in logs somewhere. Everything. And to compound this problem, so far, every connected device has security flaws. So, someone, somewhere is storing all that data about you. And, that information is also readily available to anyone who wants to hack your systems.

So you want that information available to just anyone? Where is it stored? With what security? Is it encrypted? Do you even know? And, what are “they” allowed to do with that information?

There are some things you can and should do to protect yourself. For it’s a clear conclusion that the convenience of these devices is winning over security. So, some suggestions:

  1. Most devices will connect via your home Wifi router. Make sure it is passphrase protected.
  2. Check the terms of use with your internet provider. What do they say about providing data to others? Remember, they record everything that happens over your connection!
  3. Research each device and company before you buy. Do they have secure systems? Where is the data stored? Are they allowed to give that data to others? Under what circumstances? Read the Terms of Use for everything (I know, you won’t, but I have to tell you anyway.)

If your research demonstrates the device has little or no security, and/or data will be provided to others without your permission, look elsewhere. We ARE going to buy this stuff — it’s just too cool and too convenient not to. But, we need to protect ourselves with some simple research into the products we buy, and buy smart (pun intended!).

Again, thanks to the good folks at the ITRC and LexisNexis Risk Solutions for the conference and to Walt Manning for his great presentation on the Internet of Things and security — some of their information is included in this article.

Are you smarter than your phone?

OK, you are running anti-malware on your computer. You have upgraded protection on your wi-fi router and even started using a password application on your computer to manage your passphrases (yes, passphrases, not passwords!). Good job. Now they are attacking your cell phone! And half the world’s population uses a smartphone today.

Have you protected that mobile device with the same enthusiasm as your computer? Are you still vulnerable? You bet you are!

Almost 50 percent of us use a smart device as our primary internet connection. Yet, about 28% (Pew Research) don’t use a screen password/PIN to access the phone! About 1 in 10 have never updated their operating system (and so are well behind in code updates, many of which involve protecting against unauthorized access).

In this era where many of us live on our smartphones, don’t have landline telephones (how primitive!) and even do all our banking and shopping on our phones, these devices have now become the attack-point of choice for crooks looking to steal your identity. So, what to do? Walt Manning shared some key actions we can all take to protect our information and identities at the recent Government Identity Fraud Conference.

First, just how vulnerable are you? Wikileaks has demonstrated that the CIA (and that means others as well!) can hack your phone at will. Operating systems that are open are much more vulnerable than those that are closed (not available to just anyone to modify).

So, what to do?

  1. Use a password or PIN – always. Beware of touch technology. It has been defeated.
  2. Use a password application to manage your passwords just like you would on your computer (Hey, your smartphone IS a computer)
  3. Load and use an anti-malware application on your phone.
  4. Only get applications from an approved application store. While this is not 100% safe, it’s much safer than some website you came across!
  5. Always remember that if you have voice control and a personal assistant — it’s always listening. And recording. And available to others with access.
  6. Finally, DON’T connect to public wi-fi! You have no idea who you are dealing with, who has access or will gain access, where your data is going…etc. If you have to use public Wi-fi, use a VPN.
  7. Be very judicious about what apps you have and use. Almost all of them have terms of use that allow them to upload all of your contact information. Some can access everything on your phone!
  8. Finally, use two-factor authentication.

With the world moving to these devices, protecting our identities and information is paramount. Make no assumptions about your information security on your mobile devices — protect yourself.

Again, thanks to the good folks at the ITRC and LexisNexis Risk Solutions for the conference and to Walt Manning for his great presentation information — some of which is included in this article.

I don’t trust you!

With the recent publication of the 2017 Edelman Trust Barometer report, research by this world class public relations agency has clearly established a significant lack of trust between general publics and institutions/organizations.

How much lack of trust? Two-thirds of people no longer trust institutions. And not just in the United States, but worldwide.

You don’t trust that company you have been doing business with for years. You don’t trust your federal agencies; you don’t trust local governmental units; you don’t trust that not-for-profit you have supported for years.

Why? Well, there are Ph.D. theses being written on this subject right now. Trust, however, almost always has to do with connecting communication with actual behaviors. When those two aren’t perceived as matching, there is distrust. Perhaps a little over simplistic, but the real issue is…

What does it mean for public relations professionals who work daily to create and maintain positive and mutually beneficial relationships with key publics? It means your traditional methods will no longer work!

Media? Forgetaboudit! More people trust a search on Bing or Google than their local or national editors in traditional media. Readership is up, but trust is not.

Governmental units? Yeah, I don’t think so.

Global NGOs? Nope. These were formerly the most trusted organizations in the world. They now suffer from the same problems.

So what to do?

We must return to the tried and true techniques we always used: personal communication and word of mouth between individuals. If you have employees, they are now your best communicators because they talk with neighbors, family, and friends. They have their own networks, and if they trust you they can communicate that trust to others who trust them. Taking this into the 21st Century, they are also effective on social media. Same principle. We trust our peers, but not our organizations and institutions.

Now apply it to customers or vendors who do trust your organization. They can do the same thing. We’re back to a form of “all public relations is local.” It’s all about relationships.

So, it takes employees (and some others) who trust your organization. Do you have that? Yes? Excellent, begin. No? So sorry. You have a lot of work to do.

The Edelman Trust Barometer is a MUST read for anyone in public relations today. It won’t make you happy, but you gotta know.

Identity Theft: Following the Profits and Victims

We know identity theft is a billion dollar business conducted by criminal enterprises. These are NOT mom-and-pop operations! So we must take it seriously. What happens with the money stolen/scammed? And who are the victims and what do we know about their plight?

Employee Communication

I was reviewing research papers recently and came across one on employee communication. I must admit some frustration on this subject since we have to revisit it all too often. Yet too few organizations seem to understand the keys to effective employee communication.

In this era of increasing technological and social media, all of which is at least one level removed from the actual employee, there is one certain pathway that research and experience have demonstrated year over year, decade over decade, is effective in reaching employees. We know how to create an organizational relationship with employees: through their direct supervisor.

Professor Bruce Berger of the University of Alabama presented an excellent paper on this topic in 2014 (although there are numerous research studies on this subject ranging back many years!).

I’m not going to regurgitate the paper here; he does a great job without my help! But I do want to summarize his key points. He observes there are three key elements to employee communication and relationship development:

First, the employee’s supervisor (whatever the title) is the first place any employee goes for information about their organization or their position in that organization. We’ve known this for years, but seem to keep forgetting it. Implication: we need to arm our supervisors, managers, and leaders with the right communication toolkit to be effective.

Second, organizational leadership is critical to employee communication and relationship development. If we want employees working consistently toward achieving organizational visions and goals, tie them with effective communication with the top (notice I said with, not from). This communication must be two-way symmetrical, not one-way asymmetrical.

Finally, the organizational culture must be one of openness and dialogue. Employees must be encouraged, even empowered, to communicate vertically and laterally within the organization and cannot perceive communication as potentially resulting in punitive actions.

We also need to keep in mind that “behavior IS communication.” That means that how you act, what you do, how you behave is communication visible to all employees. They make judgments on you and the organization based on those behaviors. For example: If supervisor/leaders hide in their office all the time, employees will make certain judgments about them (and the organization) – mostly negative. If they are out and engaged with employees in honest, authentic interactions – again employees will make judgments about the supervisor/leader and the organization – often positive. Moreover, if what you do is different than what you say, what you say becomes irrelevant!

I’ve simplified this for the purpose of this blog post. But Prof. Berger’s paper does a great job of laying all this out in greater detail and providing the supporting background research. He also provides 48 key action points covering all three elements of effective employee communication in organizations.

I highly recommend his paper to all public relations professionals, and all organizational leaders. Find it at http://www.instituteforpr.org/read-lips-leaders-supervisors-culture-foundations-strategic-employee-communications/

Protecting Yourself from Identity Theft

I wrote last week about the epidemic of identity theft. This week, again based at least in part on information provided by speakers at the 2nd Annual Government Identity Fraud Conference earlier this month, I’ll share some ways everyone can use to protect themselves from ID Theft.

First, a recap: Remember, experts tell us that with all the breaches that have occurred in the past few years, everyone’s identity has already been stolen. That means even though you have not been a victim, it doesn’t mean you won’t be. One Bulgarian ID thief/fraudster who got caught noted that they have so much data it will be years before they use up all the stolen identities already available.

And after all, the FBI reports it only costs $.35 on the dark web to purchase a real identity!

So what can we do? Here are some ideas from the experts.

  1. Passcode protect everything. Don’t use obvious passwords like your dog’s name or your street address number. Instead use a passphrase that is a combination of words, numbers, and symbols at least 11 digits long.
  2. You say you can’t remember anything that long? Here’s a link to Morgan Wright’s free online course on setting a passphrase you can remember: www.identitysecurity.com/password. Morgan graciously provided this link to us at the conference.
  3. Change your passwords regularly. No, not every year, every month or so. Remember, even if one of your sites is breached and gives up usernames and passwords, they are only good until you change them. So change them regularly.
  4. Use a unique passphrase for each website or application. Don’t just clone that one password you can remember and use it for all your sites. Make them all unique, not just variations on a theme.
  5. OK, you say you can’t possibly remember all those passphrases? Neither can I. So use a password/passphrase management application. I use Dashlane, but there are many out there and they are all pretty good. Most will synch between devices. Pick your favorite.
  6. Make sure you are running malware protection software on all your devices. Start with your computer and then ensure you have protection on all your mobile devices. 
  7. Make sure the operating systems on your devices are up to date. Set them to auto update. Much of every update includes software patches for known security holes in the operating systems.
  8. Never, ever, use a public WiFi without using a VPN connection. Public WiFi is one of the easiest pathways to your data. Few of them are secure.
  9. Don’t fall for spear phishing emails! Spear phishing is a targeted email sent to you that appears to be from someone you know asking a reasonable question. But they almost always want you to send them private information about yourself or others. There’s a pair of rules to live by here. First, if it doesn’t sound right — it probably isn’t. Second, if someone, even someone you know, asks you to send personal information of any kind over the open internet, before responding, contact them directly to confirm it is legitimate (calling them is best). An ounce of protection… Keep in mind that spear phishing is the number one tool for espionage and information theft.
  10. Finally, although there is more, take the next step in privacy protection and use 2-factor authentication. This method requires not only a password/phrase but a secondary process of answering a question or using a unique PIN. It’s not foolproof, but it is a major step forward in security. Many applications and sites now offer this option.

Remember, the Identity Theft Resource Center reports an identity is used to the detriment of the real owner every 9 seconds in the United States. Here are ten ways you can protect yourself.

Again, thanks to the good folks at the ITRC and LexisNexis Risk Solutions for the conference and to Morgan Wright and Walt Manning for their great presentations — some of their information is included in this article.

 

And stay tuned — there’s more!

Combating Identity Theft

I recently had an opportunity to attend the second annual Government Identity Fraud Conference. This event gathered more than 150 government managers dedicated to protecting citizens from identity fraud and theft. Great dialogue and information sharing opportunity.

So what did we learn? Let’s start with ID theft and tax fraud. The IRS reported that through November 2015 it stopped more than 1.4 million fraudulent tax returns valued at $8 billion. Yes, billion! Many states are on the defensive as well, including Indiana, Georgia, Ohio, California, and others. During the past three years they, too, have stopped millions of dollars in fraudulent tax returns. For example, in 2014 Indiana stopped more than $88 in tax fraud attributable to identity fraud. These organizations demonstrate the significance of the problem, and I have not even addressed Medicare fraud, Medicaid fraud, unemployment fraud…etc. Experts tell us identity fraud is a multi-billion dollar business of organized crime. We’re not talking about your run-of-the-mill tax cheat here, but organized efforts to steal identities and use them to submit fraudulent claims for tax refunds, healthcare reimbursements, etc.

Those experts also tell us that — are you ready for this? — everyone’s identity has been stolen. Everyone is already compromised. And they are all available for sale on the “dark web” or the “deep web.” I’ll write more about those in future blogs. Your identity has been stolen; it may not have been used just yet. The point to remember here is: be vigilant!

Why? Don’t believe this is a problem of epidemic proportions? The Identity Theft Resource Center, a non-profit organization dedicated to aiding victims of identity theft, reports that every 9 seconds someone becomes a victim of identity theft. Every 9 seconds!

Another point to keep in mind is that government entities are working to protect and defend citizens as best they can from identity fraud. Hence the conference and information sharing at all levels of government, city, county, state and federal. Know that there is a concerted effort to defend against these acts as well as to attack this problem aggressively at all levels of government. And this effort must continue to gain in sophistication and subtlety. Crooks are getting more sophisticated — and so must we. That’s part of what this conference does annually, share information and techniques to defeat these efforts.

In coming weeks I’ll attempt to outline, without giving away any secrets to the bad guys, where and how criminals are perpetrating this identity fraud and where the stolen money goes (you’re going to hate the answers), what governments are doing about it, and what citizens can do to combat the problem.

The conference was an outstanding opportunity for information sharing and collaboration. It’s part of the solution to this problem, so thanks to the Identity Theft Resource Center (ITRC), the National Center for Missing & Exploited Children and LexisNexis Risk Solutions for presenting the annual conference that allows government organizations to learn, discuss, collaborate and defeat the crooks. These organizations’ websites also provide good information about this topic.