Image Credit: Copynotify.com

I read a post on the IBM Midsize Insider blog that has remained with me (URL provided below). The post referenced research conducted by Gartner indicating that by 2017, “Half of employers may impose a mandatory BYOD policy and require all employees to provide their own equipment, including laptops, tablets, and smartphones.”

Due to the widespread popularity of iPhones, iPads, and other smartphones and tablets, the phrase “Bring Your Own Device” to work has become a curse to IT Departments everywhere. Individuals who are responsible for network infrastructure are increasingly spending their time on employees’ personal devices in order to facilitate employee productivity. This is clearly not the best use of IT professionals’ time or resources. So, why would a company impose a mandatory BYOD policy?

Consider these scenarios:

•  A member of your sales team visits a prospect in the field and his/her laptop dies or malfunctions during a presentation. The salesperson looks unprofessional because family photos appear as the desktop screen on the salesperson’s personal laptop. Question: Does the salesperson take the laptop back to the store where he/she bought it, or does your IT Department drop everything to remotely attempt to fix the problem?

•  A member of your marketing team attends a tradeshow and uses his/her smartphone with a business card application to capture leads, but the smartphone malfunctions or the app doesn’t work, and all leads appear to be lost. Question: If your marketing manager contacts your IT Department, will the IT team know how to retrieve the leads since the smartphone is not company-issued? The IT Department did not purchase or load the software, and in addition, may not be familiar with the smartphone model, so will they be able to walk the marketing manager through the retrieval process, or are all the leads gone for good?

•  A member of your leadership team walks into the conference room to give a presentation to the key leaders of your company. The presentation is stored on the person’s tablet. But something goes miserably wrong, and the tablet doesn’t work correctly. Question: Does the leader call someone in your IT Department to come to the conference room to work on a tablet for the very first time? Top leaders don’t have time to waste sitting in the conference room while someone works on a device that they’ve never worked on before.

While BYOD may seem like a cost-effective solution, it simply cannot become a mandatory policy. Companies pay for desks, lights, copy machines, printers, etc., so when did technology disappear from that list? Just because some employees may think it’s easier to use their own smartphones, tablets, or laptops for email, document creation, Internet research, etc., doesn’t mean that companies should stop paying for equipment and requiring employees to use their own.

With the scenarios described above, IT Department personnel would be at a serious disadvantage in trying to resolve the issues. But if the equipment were company-issued, they would be much better prepared to resolve whatever technical glitches occurred because they would be trained on and familiar with the physical equipment, the network settings, the security settings, etc.

The bottom line is this: Do you want your employees to be prepared to do their jobs? BYOD will definitely interfere with their ability to do their jobs efficiently and correctly. And while there are many security issues of BYOD, one is most important. When employees use their personal devices for work, they don’t always install malware protection on them. With both iOS and Android devices becoming increasing targets of viruses, worms, etc., a new attack vector has been opened to the enterprise. If not addressed properly, these viruses can make the leap from personal email to corporate email – and infect the network. BYOD may seem like a cost-saving solution, but in reality, it’s putting your data at risk, which is priceless.

The Post: http://www.midsizeinsider.com/en-us/article/could-byod-become-mandatory

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.

Does your company use those out-of-date applications where the applicant must provide his or her Social Security number and driver’s license number? If so, throw them out immediately. You could be setting your business up for a potential lawsuit.

In the old days, or in other words, the pre-Internet era, employment applications included what we today call Personally Identifiable Information, or PII, which includes Social Security numbers and driver’s license numbers. The simple act of requesting these numbers wasn’t given a second thought because no one knew about identity theft. That crime had not become mainstream.

However, today, these types of documents are ripe for the picking. How long do you keep those applications, and what you do when you get rid of them? Do you shred them? Or do you just toss them in the trash. If you do toss them in the trash, dumpster divers can find a treasure trove of identities ready to be stolen. And even if you do keep the applications, who’s to say that someone in your office won’t help himself or herself to one or two of the applications and use them to steal information and create false identities.

Naturally, being a security professional can make one paranoid. I know I am always looking for ways that identities can be stolen, and if I can think of them, others can too. We all know that people are the weakest link in the security chain. HR people are only human and are prone to making mistakes, just like the rest of us. Eventually the number of applications in Personnel Departments fills more than just one filing cabinet. At some companies, they can take up an entire room. So eliminating them is only natural. But it’s what you do while getting rid of them that matters.

Use a confetti-type shredder that shreds documents into fine pieces of paper. That is the best option since there’s no way for anyone to piece documents back together. If, by contrast, you use a standard cross-cut shredder that cuts documents into strips, that would enable anyone to piece documents back together. All prospective employee applications should be treated like any other confidential documents that your business maintains.

You may think you need this information to do a background check on prospective employees. But you don’t. Background checks aren’t needed until you’re ready to offer prospective employees a job. The offer of a job should be contingent upon passing a background check, and that should be the time that you request a driver’s license and Social Security number. When I fill out applications with those requests, I write “to be provided later.”

Many years ago, I was the victim of identity theft, and I can report firsthand, it’s not a pleasant experience. I worked with the local police department, the credit unions, the US Customs Office, banks, and credit card companies. Depending upon what type of identity theft you are involved in, you may be considered guilty before you are proven innocent. A person’s credit rating can be severely damaged, meaning that he or she is unable to buy a home, a car, or get a loan. And all as a result of throwing out a piece of paper that had too much information on it. If I discovered that my identity had been stolen as a result of filling out an application for a prospective employer, and that the employer had mishandled my confidential information, I know the first thing I would do. How about you?

Information is the currency of the 21st century. Social Security numbers and drivers licenses are gold. Treat them as such, or mishandle them at your own risk.

__________________________________________________________

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.

Image Credit: SiliconAngle

One day, you come into the office and discover that your network has been breached. To make matters worse, your customer data has been stolen. What do you do?

If you work in a midsize business and are part of the leadership team, try not to panic – you will need every ounce of concentration at this difficult time. First, check your procedures manual for the steps you need to take in the event of a network breach. You do have a policies and procedures plan listing the steps your company should follow in the event of a network breach, don’t you?

In the security industry we have a saying: There are companies that know they’ve been breached, and there are companies that haven’t discovered they’ve been breached yet. Simply stated, it’s not IF you’re going to have a network breach, but WHEN.

The decision about what to do is based on the type of business you have and where you are located: United States or another country. This post focuses on the United States and the laws or rules with which you must comply.

[1] First and foremost, alert your customers. Failure of communication can lead to loss of goodwill, loss of your customer base, and depending on the size of the breach, loss of your entire business. If you take due care, reasonable precautions to show that your organization is being responsible, lawsuits may be avoided. Customers appreciate when you are upfront with them – while they may not be happy about the news, they do understand that data breaches happen as part of doing business in today’s electronic age. If you pay for a free year of credit monitoring for all customers, that is really a very small price to pay to keep your customers.

[2] Compliance issues should be on your mind. Is your company covered under Gramm-Leach Bliley Act (GLB), Sarbanes-Oxley (SOX), Payment Card Industry Data Security Standards (PCI DSS), Health Insurance Portability & Accountability Act (HIPAA), or California Senate Bill 1386 (SB1386)? Does your company capture Personally Identifiable Information (PII)? Each requires compliance with different types of accountability, and each has its own set of stringent steps that a company must follow after a breach occurs. Be sure you are always up-to-date on the latest laws and rules so that your business is in compliance and not subject to a penalty or fine.

[3] If you are a public company, you must comply with SEC guidelines. Depending upon the risk, you may or may not be required to divulge the breach that has occurred depending upon the risk of financial impact.

[4] Depending on what type of data records you keep, you may need to notify the local police. If your servers are located across state lines, you may need to contact the FBI. While law enforcement may be scary, it may be a necessary step. Your breach may be part of a bigger data theft ring, or depending upon your customers and data, and possibly your employees, you may be a victim of espionage.

[5] IT departments may not be equipped to handle certain types of breaches, so it’s always a good idea to hire network and information security experts who know how to deal with plugging up the “holes” that have been created. This may also help avoid future breaches.

Finally, before you even open that “Breach Book,” make sure you have trained your employees about what to look for when opening email messages. This may be a strange thing to add, but remember, many breaches are a result of opening email messages and attachments that should never have been opened. Being careful is the first step to avoiding a breach in the first place. There are some types of breaches that cannot be stopped, but why not keep as many as possible from happening?

Your company may be lucky and never experience a data breach, or maybe you think you’re too small to be a target. But, the reality is, all it takes is one spear-fishing or phishing email to open up your network to anyone who might be “just looking” for an easy target. And also consider the disgruntled employee who wants to steal your data and give it to a competitor. This is a breach of a different kind, but still a breach.  Humans are the weakest link in the security chain, so remember, all it takes is one broken link to breach your business.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.

Email security has become part of the job description for every employee. All it takes is one employee to cause a breach that opens up the entire company. For example, consider The New York Times: the recent breach by Chinese hackers was done via a phishing or spear phishing email. All that was necessary was that one email to be opened, and The New York Times network was accessible to the hackers. And once an attacker is behind the firewall, then the hacker can do anything.

Recently, hackers have been getting even more creative. One of the students in the information security class I teach showed me an email that she received. It contained a message about email phishing schemes and what to look for. The subject line was incorrect when compared with previous emails from the same organization. The body of the email had an incorrect logo and a slightly incorrect signature line. Also, there was a link with a call to action that requested my student to sign in to her account and learn more. She reported this email to the company who allegedly sent it. Had my student not been aware of phishing schemes, she might have clicked on the link and opened up her system to hackers.

Without proper training, it is easy for an employee to accidentally open and launch a window for a hacker. It is the duty of every personnel department to train new employees as to what to look for when receiving email messages. This information should be included in employee manuals and should also be posted on lunch room walls as reminders. With the volume of emails we all receive on a daily basis, it is very easy to forget that one of the emails could be a “Bomb” that could cause a breach. And a network breach can lead to data loss, loss of reputation, and denial of services for your employees and clients.

There are two types of phishing email messages: phishing and spear phishing. Phishing is a generic type of email that is sent to everyone in a company with the hope that someone will open the email and click on a link or open an attachment. There are no names attached to it, the subject line is generic, and the TO: line usually says recipients_not_disclosed. That’s a dead giveaway! Finally, the FROM line does not conform to corporate email standards.

The second form of phishing is called spear phishing. This type of email is more insidious. Someone or some organization has taken the time to find information about a specific employee and personalize an email message to make it look like it has been sent to that person from someone he or she knows. As a result, the email looks legitimate. This email is designed through a few methods. The attacker scours Facebook, LinkedIn, Twitter, and possibly financial information sites, such as, Hoovers. The hacker may make calls to a company’s receptionist to find other pertinent information regarding the email recipient, possibly email address and/or phone number. In bigger companies, they may even call the IT department and claim that they are the person of interest and forgot their email password and ask for it to be reset. Hopefully, there are policies in place with the IT department that make it impossible for someone to change a password without multifactor authentication (multiple types of ID must be given before the password can be changed – this is an issue for another post). Spear phishing emails are usually sent to management-level employees since they tend to have more network privileges.

Once again, even with spear phishing, the questions one must ask include: Are you expecting an email from this person and do you even know him or her? Is there a link in the body of the email? If yes, do not click on it. If you really must know what the link is, send it to the IT department or your security team and let them confirm if it is legitimate. Due to the speed of business these days, it may be difficult to remember what to look for, but it’s also difficult to recover from a breach. It can happen to anyone, don’t let it be you for your company’s sake.

Host computers should all have a good virus scanner to scan inbound emails and attachments. After that, here are some things to look for when determining if you’re looking at a phishing email. Does the email address in the FROM: line correspond to the corporate email layout? This may mean: last name first, or first name last. When a message is sent to you, are you expecting an email from that person or is the email coming from someone you don’t know? Look at the subject line of the email: Are there any misspellings in the subject line, and does it make sense?

Make it a policy to never click on live links within an email message. A live link (one that is colored and underlined) could look like a legitimate link but the actual link may send you somewhere else. If you really must know what the link is, copy and paste it into the notepad program. This will show where the link is actually pointing you to. Hovering the mouse over the link will reveal the actual URL. However, if the URL is embedded in an image within the email, you will have to retype the entire URL. There are two other options for shortened links (for example, bitly.com or goo.gl). All you need to do is visit either http://checkshorturl.com or http://urlxray.com. These two sites will allow you to view the entire URL so that you can determine if it’s safe to click and view.

Sometimes emails arrive in your inbox under the guise of legitimacy. They appear to come from somewhere within your organization, but they’re not. An email arrives and asks to change your security credentials – but don’t be fooled. First of all, there should be a general announcement regarding this topic distributed company-wide to all users. It will be sent out by one person, not from “The Security Team.” Be aware of that. Emails regarding this sensitive issue must be sent by individuals, not groups, and an email sent by an internal employee will adhere to corporate email structure, fakes do not.

Many breaches come from an email that looks legitimate from an internal employee. So, look at the signature line at the bottom of the email. If it isn’t the standard signature line that your company uses for all emails, it’s probably suspect. I realize that checking an email to be sure that it’s real can be time-consuming, but the more you look for errors, the better you become at spotting them.

The larger a company is, the harder it is to remind employees about staying vigilant. But in the long run, what’s worse: reminders or hackers? You do the math.

______________________________________________________________

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.

Today, the world of mobile devices includes smartphones and tablets. This post doesn’t favor any specific brands, but let’s agree that the industry leaders are iOS and Android devices. The jury is still out as to whether or not BlackBerry will become a contender.

Another fact that we must agree on is that most users of smartphones and tablets use Apps. Some of the most common Apps feature news, weather, banking, photo editing, social networking, navigation, entertainment, music, and games. These Apps may be common for individual users, but thanks to Bring-Your-Own-Device (BYOD) to the office, now employees are using their personal devices for work-related projects. This means that your confidential corporate data may now be stored on employee devices – whether you want it to be or not. This is extremely important to the midmarket segment because midmarket businesses tend to allow their employees to leave company email and attachments on their smartphones and tablets.

So with BYOD as part of the equation, does your business have a BYOD policy? How about a security policy? And does your business sponsor regular security training sessions?

While BYOD may sound like a good idea, there are a couple of issues you need to address and make clear in a policy from the start. First, state that your company is not responsible for maintenance or repair of the employees’ devices, should anything happen to them. Otherwise, you will find your IT staff servicing different platforms of devices on company time. Second, do not allow installation of company email services on any employee-owned device. Doing so creates another attack vector for malware. The reason is simple: If an employee’s personal email gets attacked, your company network may then get attacked. A better option is to use a browser-based email portal instead.

Now, back to your employees and their devices…do you clearly state that, before they download a free App or one that has a cost, they are required to read the App’s Privacy Policy? Do you require employees to check to see if support information exists, such as, an email address or a website? Do you require them to read the App reviews?

Do you instruct your employees on App security issues? For example, if they download a free App, are they aware that the annoying ads might contain links to malware? The malware could interfere with your corporate data, and worse, infect your corporate data. If employees frequently use free Apps, their confidential data stored on the device (name, phone number, email address, contacts, photos, etc.) could easily be shared with the advertiser – and what if the developer sells the data? What if some of the contacts stored on the employee devices are your customers?

Now that you see the reasons to create a BYOD policy and a mobile device policy, ask your employees these questions. How secure is your mobile device? Do you have a backup App on the device? Is your data encrypted? At the very least, do you have a password or passcode to turn it on? Do you have passwords or passcodes on frequently-used Apps? Do you have wipe software installed in case of theft? Is there a policy in place so that when an employee leaves, he/she does not take corporate emails and documents with them? This is especially important if an employee is fired.

There is no dispute that the future belongs to mobile devices and mobile-accessible websites. However, businesses that don’t educate their employees about mobile security may encounter serious data breaches. Don’t you want to be prepared?

____________

Check out this Infographic:  Why You Should Care about Mobile Security:

http://www.infosecisland.com/blogview/22567-Why-You-Should-Care-About-Mobile-Security-An-Infographic.html

Check out this Infographic: Smartphone and Mobile App Usage: http://www.xcubelabs.com/smartphone-mobile-app-usage.php

____________

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.

Growing companies tend to use technology to increase productivity and decrease overall costs per employee. This is most often accomplished by keeping employees as busy as possible, even during dead times in their schedules, such as, in airports, coffee shops, hotels, etc.

Enter automotive Wi-Fi, a new tool to increase employee productivity while on the go. This tool can be used by executives and employees who require connectivity to the office. Typical uses are downloading and uploading data and sending emails while sitting in parking lots and traffic jams before or after meetings. Wi-Fi is the less expensive option to sending data over cellular networks.

Today, almost every new high-content vehicle comes with an infotainment system featuring GPS, Internet streaming content (such as, Pandora, etc.) that is customized for the driver, and Bluetooth connectivity. As General Motors explains, “Many of our vehicles offer an advanced suite of infotainment services. Our vision for infotainment is to empower our customers to maximize their enjoyment and customize their in-vehicle entertainment experience – simply and with a robust array of choices.”

Nice marketing fluff, but what would prevent a thief from grabbing the signal from the vehicle and installing a virus? And what about if someone wishing to cause havoc activated the GPS (global positioning signal) in order to follow the vehicle to the owner’s home or office?

And here’s another unintended scenario: Someone could insert malware on the computer being used in the vehicle so that emails, contacts, and banking information could be accessed and stolen. Remember, once a virus gets into your computer and you return to your office, it’s inside your firewall. Now, it doesn’t matter what security procedures you have in place because once inside the firewall, the virus can run rampant and cause damage. In midmarket businesses, that damage can be substantial from losing client data to shutting down internal networks. The risks are high. Data can be irreplaceable if not protected properly resulting in loss of integrity, availability, and most likely, confidentiality.

I’m sure automotive designers have considered these implications, but it was not their first priority – instead, they focused on being first to market with this new technology. I bet that automotive wireless systems will use either weak or nonexistent encryption. I wonder, how many people other than those in the infosecurity industry actually think of security settings first and foremost when confronted with a wireless device? Although manufacturers say that the networks between automobile and Wi-Fi are separate, you can be sure that identity thieves and crackers (bad guys) are also thinking about ways to infiltrate automotive Wi-Fi.

The reality is, any computer system can be tampered with. Adaptive cruise control, lane warning systems, and automated braking can all be altered. Improbable? Maybe. Impossible? No. Tuners have been modifying performance parameters for years using plug-in devices and laptops. Why can’t the bad guys do the same thing via a poorly-protected wireless access point?

As the saying goes, “Innovation is anything but business as usual,” and there is no denying that to move a company forward, there must be innovation and attempts at new ways of doing things. How often have you assembled teams of talented individuals to discuss, create, and recreate new products or line extensions for existing customers and/or new customers? There is nothing wrong with innovation. However, it is critical when creating, launching and introducing new technologies that will be used by millions of people that all safety and security issues are addressed and solved BEFORE bringing the technology to market.

I don’t know about you, but I’ll stick with classic cars.
__________

Further Reading from GM and Ford:

http://www.gm.com/vision/design_technology/in-vehicle_infotainment.html

http://www.microsoft.com/windowsembedded/en-us/evaluate/ford-sync-windows-embedded-automotive-infotainment.aspx

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.

The number one issue is connecting from the home environment or the field environment to the office, but secure communications are often overlooked due to costs and complexity. Using a virtual private network (VPN) is the safest way to protect important data that transmits in both directions. There are inexpensive VPN’s that can either be purchased by the telecommuter and/or the company at a reasonable price. The reason for the use of VPN’s is that a lot of telecommuters tend to use free Wi-Fi in coffee shops, airports, and other places that puts data at risk from the device to the wireless access point.

A VPN protects the data by scrambling it so that it is protected in transit in both directions. That also includes using smartphones and using wireless environments. Prices range from a couple of dollars to approximately $30 per month or more, or daily access can be purchased from VPN providers. Purchasing VPN time is much less expensive than going to a complex system, such as, Kerberos or TACACS, which require complex servers. If at home, use the best wireless security, WPA2-PSK personal, and change default passwords on the router. Of course, the best way to avoid these problems is to create a policy that prohibits the use of free Wi-Fi in places that may be convenient for the employee but risky for a company’s data.

Consider the BYOD (Bring Your Own Device) to the office phenomenon. While in the short term, it will save companies money since they don’t have to purchase or support devices for personnel, they are opening up a whole new attack vector (how malware gets into networks). This problem occurs when an employee’s device is not properly protected with a good anti-virus program. The possibility of an infected email launching itself onto a corporate network is high. Use a DMZ approach to protect external employee email so that any malware can hopefully be killed before they do any damage. With the advent of viruses now hitting Android as well as iOS products, the risk increases everyday. The way around this scenario is to sandbox browsers and use only webmail to retrieve and send email within the corporate environment from outward-facing clients. A good program is Sandboxie.

A relatively new way that employers are handling the sticky issue of BYOD and home systems is to create virtual machines on the server side so that an employee only has direct access to his or her “traditional desktop” from the virtual machine. This way, if malware is detected, the virtual machine can be destroyed, and an exact replica can be put back into service with little or no delay to the end user. Above all, the integrity of the server and network will not be affected.

If your employees are using work-supplied devices, it’s best to make sure that their global positioning system (GPS) has been activated. Keep a log of the serial numbers and phone numbers for all devices. Install location apps on the devices, such as, LoJack, Prey, or Lookout, so that if a device is lost or stolen, you can activate the program to locate the device. Once the device is located, you can either inform the police or if installed, you can activate the remote wipe feature. To avoid any Fifth Amendment privacy issues, have the employee sign a contract stating that the device belongs to the company so that the company has a legal right to track a device if lost or stolen – and that the employee won’t be tracked for any other reason.

Remote wipe is the capability to delete information off a device completely so that no trace of company data remains. Unfortunately, you risk deleting all of the employee’s data from the device as well, which is why encryption is a better option.

Nowadays, devices are equipped with the ability to have all of their chips encrypted. They use 128-AES encryption, which is a Government and industry standard. Once encrypted, the device is useless for anyone who doesn’t know the password to unlock the encrypted data. Use at least 10-character passwords that are easy for the employee to remember, and make sure that you implement a policy that the IT Department has a copy of those passwords – or the IT Department should set up the passwords with the employees. Then password-protect the device settings so that an employee cannot change device passwords. While all of these practices may seem to be a lot of work, in the long run, it will help to protect a company’s data.

Unless an employee is using a multi-use combination online file-sharing program, such as SharePoint, that is controlled by your company, file-sharing services (such as, Dropbox) should be banned. Dropbox should be avoided because the site keeps copies of all documents including deleted documents that don’t use industry-approved security protocols.

Every company should have an “acceptable use policy” for work-supplied devices, including downloads of personal data including apps, photos, music, etc. The problem with these types of files is that they can take up large amounts of space that is designated for work product and company files. Personal files may create attack vectors (how malware gets into networks). But, in order to avoid problems, this acceptable use policy must be clear from day one when the device is provided to the employee. A document describing your company policy should be signed by all employees indicating that they are aware of and will adhere to the usage specifics.

Remember, employee personal files that have been added to work-supplied devices could wind up as part of E-Discovery for lawsuits, or on the Internet. Who can forget WikiLeaks? And you never know if an employee’s personal images might pose a problem as well as legal liability for a company.

You should ALWAYS go on the assumption that it’s not if you will lose your data, but when. You may not be able to save everything, but you will be able to mitigate the damage. If you use the tips detailed above and update your virus protection enterprise-wide as recommended, you will have less possibility of encountering security risks from telecommuters.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.

For a related post about BYOD and SMB’s, check out this post by Alan Shimel at http://goo.gl/0qR15.

Ted Claypoole, an attorney and co-chair of the Cyberspace Privacy and Data Security Subcommittee of the American Bar Association’s Business Law Section, and Theresa Payton, a security advisor and CEO of Fortalice, LLC, have written a must-read book entitled, “Are You Naked Online? Protecting You Internet Identity.”

The book begins: “We are all born naked. We emerge into this world with nothing to hide. But we are born into a complex human society, and it soon forces us to cloak ourselves in secrets. We choose to hide many aspects of ourselves from the world. Finances and romances, opinions and frustrations, imperfections and bad habits are all sensitive personal information. We can find as many reasons to keep personal information private as there are people protecting their privacy. The longer our lives, the more private information we accumulate. [But] today the Internet threatens to strip us bare. By broadcasting many of our most sensitive and important secrets, and keeping that information available and searchable indefinitely, the Internet displays aspects of our lives that we thought we’d kept private. Even worse, the Internet allows other people to collect facts about us and to aggregate those facts into a picture of our identities and our lives.”

The book emphasizes the theme that “some aspects of our lives should not be shared with everyone…and you should have control over what you share and how you share it.” However, that is easier said than done.

For family and friends who don’t think about security on a daily basis, Claypoole and Payton provide an easy-to-understand explanation. Consider being at an airport in our post-9/11 world. Now, we all must walk through an X-ray machine. We feel exposed – but that is nothing when compared to how exposed we can feel as a result of the Internet.

Claypoole and Payton showed a family how easy it was to access information about them online. A search was conducted with the mother’s name, city, and place of worship. The search led to a site with a church newsletter that described a charity project the mother was working on and included her email address. Armed with the email address, the Facebook account could be found. Despite the fact that her Facebook posts were positive, what if they weren’t? And armed with all of this information about the mother, now a cyber thief could impersonate her.

So, instead of being naked online, make the conscious decision to be dressed when using the Internet. Keep important and confidential information offline. Use that famous rule: don’t post anything that your grandmother or boss shouldn’t see – that means credit card numbers, plans for when you will be away from home on a vacation, or photos from a late-night party when you might have had too much to drink. So, before you post anything, ask yourself, could this information ever be used against me? Then ask yourself a second time before you click okay or post.

As you “dress” when online, review the places you share information:

• Check your digital footprint: social media profiles, dating sites, photo sites, video sites, location-based sites, music sites, shopping sites, and merchant sites
• Do these sites allow you to limit access to friends only, or is the information you post public for anyone to see?
• Have you used your real name or a fake name?
• Have your friends and family posted information on your sites also?
• What other sites may have information about you, such as, government sites, court sites, genealogy sites, newspaper sites?
• Have you run searches on search engines, such as, Google, Spokeo, etc.?

Even after you clean up your digital footprint, you cannot rest. Protecting your digital footprint is an ongoing 24/7 process. The scary truth is that you cannot rest because the cyber criminals who want to steal your identity NEVER rest. But, you’re better prepared to proactively protect your digital footprint after reading Claypoole’s and Payton’s book.

January 28 is the day each year that everyone’s attention centers on data privacy. Sponsored by the National Cyber Security Alliance, Data Privacy Day serves as a reminder of the importance of protecting people’s privacy and maintaining control of our digital footprints.

It is our responsibility, each and every one of us, to protect our data and our digital footprints, so here are five easy ways to recognize this annual event. But in order to be safe online on a regular basis, practice these activities on a monthly as opposed to annual basis.

[1] Review the apps you use on Facebook and delete the ones that you can live without – since they access your information.

[2] Review the widgets you use on Twitter and revoke access from the ones that you really don’t need – you will be surprised by the number of them that you have accumulated since you set up your Twitter account – and the widgets may have “post to your Twitter account” rights.

[3] Set up Google alerts with your name and family member names to monitor online mentions.

[4] Search for your name and family member names on Spokeo.com and follow the steps to remove the listing or listings.

[5] Make sure that your virus software is up-to-date – don’t even think of letting it lapse – ever.

Data privacy – it’s up to you. Use the tools or lose the data!

__________

For more information: http://www.staysafeonline.org/data-privacy-day

For security check-ups: http://www.staysafeonline.org/data-privacy-day/free-security-check-ups

Connect on Facebook: https://www.facebook.com/staysafeonline

Follow on Twitter: http://www.twitter.com/staysafeonline

A client recently told me she had purchased an iPhone 5, but she was experiencing trouble transferring photos from the iPhone to her computer. Apparently, most iPhone users take photos with their phones but don’t transfer photos to their PCs or laptops, but this user wanted to do that.

So here are the instructions to resolve this issue in the event that you or someone you know experiences this same situation. On your traditional computer’s desktop or laptop’s desktop:

• Go to Start
• In the Search box at the bottom, type “Autoplay”
• Click on Autoplay
• Click the box “Use Autoplay for all media and devices”
• Then, for PICTURES, click: Open folder to view files using Windows Explorer

The next time you sync your iPhone with your computer, a folder will appear on your computer’s desktop. Double click on the folder. It will open to a drive called Internal Storage – double click on it. The next folder will be called DCIM – double click on that folder. The next folder will have a bunch of numbers – double click on it. Your images will be within that folder. But the images will only be photos you’ve taken with the iPhone that are stored within the Camera Roll.