A New Year’s resolution for CEOs

“I am going to take cyber security seriously in 2016.”

On the whole, senior executives claim that they want to act in an ethical manner. And yet if they fail to embrace cyber security they are clearly lying.

Why do I say that? Because playing fast and loose with customer data wrecks lives. It is as simple as that. Lose your customers’ data and you expose them to a major risk of identity theft – and that can and does cause people massive personal problems.

The problems that David Crouse experienced in 2010 are typical. When his identity was stolen he saw $900,000 in goods and gambling being drained from his credit card account in less than six months. His credit score was ruined and he spent around $100,000 trying to solve the problems.

Higher interest rates and penalty fees for missed payments just made his financial situation worse. His debts resulted in his security clearance for government work being rescinded. Having lost his job, other employers wouldn’t touch him because of his debts and credit score. He felt suicidal. “It ruined me, financially and emotionally” he said.

Data breaches frequently result in identity theft. And this can have a devastating emotional impact on the victims, as it did with David Crouse. Research from the Identity Theft Resource Center indicates that 6% of victims actually feel suicidal while 31% experience overwhelming sadness.

The directors of any company whose negligence results in customers feeling suicidal cannot consider themselves to be ethical.

Unfortunately most data breaches that don’t involve the theft of credit card details are dismissed by corporations as being unimportant. And yet a credit card can be cancelled and replaced within hours. A stolen identity can take months, or longer, to repair.

And all sorts of data can be used to steal an identity. An email address and password; a home and office address; the names of family members; a holiday destination; a regular payment to a health club… Stolen medical records, which are highly effective if you want to steal an identity, will sell for around £20 per person online, while credit card details can be bought for as little as £1. Go figure, as they say in the USA.

Organisations must accept that any loss of customer data puts those customers in harm’s way. And if they want to be seen as ethical they must take reasonable steps to prevent data breaches. Until they do, well the EU’s new data protection rules can’t come on-stream quickly enough for me!

How to manage your reputation online (2 of 4)

Listen

Managing your online reputation isn’t just about ensuring you have registered all the appropriate social media accounts and URLs for your name. Preventing people from using your name in social media accounts and URLs, as far as that is possible, is only the start. You also need to:

  • Listen to what people are saying about you online
  • Create a strong profile, using the social media accounts and URLs you have registered
  • Repair any damage caused by people abusing your name online

This post briefly looks at how to listen out for when people are using your name.

Monitor the web

The first thing you need to do is to monitor when people use your name (or your company name or brand names). It is very simple to set up a Google alert that will email you when Google finds someone using your name. You shouldn’t rely on this though. Google isn’t perfect and may miss some mentions. It’s sensible to set up an alert using another tool like Yahoo. Alternatively, simply use another search engine such as Bing on a regular basis (say once a week) as an extra check.

Remember to set your searches up for appropriate variations of your name: I have alerts for jswinfengreen, “j swinfen green”, “j swinfen-green”, “jeremy swinfen green” and “jeremy swinfen-green” (my fault for having a silly name). You can also include your Twitter handles such as @jswinfengreen.

Google allows various options when setting up your alerts such as how often they are delivered. You may want to consider selecting “All results” rather than the default “Only the best results”.

It is also sensible to use a dedicated social listening tool to search for mentions of your name on social media. There are plenty of free tools. I particularly like SocialMention but there are dozens of others. SocialMention does have an Alert facility although it is disabled at the time of writing.

Note that the social media tools (especially the free ones) are generally less comprehensive than the big search engines, so you will get a different and probably much smaller set of results. But they will be results from social media, which may be useful as it can be easier to manage comments in the social media space than in the wider web. If you want to be more certain of who has mentioned you on social media then you will need to go to each platform and search: a useful exercise on Twitter and YouTube (where it is just a simple search) as well as LinkedIn (search for Posts), but less so on Facebook, which will not show you posts where your name is mentioned.

Identify themes

Once you have pulled out the relevant results, perhaps those where people are being unpleasant about you or your brands, you should start to identify the themes that recur. For instance if you work for a motor manufacturer (let’s call them “Supa Carz”) and people are complaining about the brakes failing, you will want to monitor that closely and make sure you don’t miss any instances of a complaint that you need to respond to.

In this case you will want to set up alerts for things like Supa Carz brakes failure as well as more general alerts such as Supa Carz sucks.

Note that if you are paying for a social media listening tool you may still need to search the web for mentions of your name or brand, because not all tools will monitor sites beyond the main social media platforms. This means that mentions in online communities like Mumsnet may get missed.

Monitor sentiment

A change in sentiment can be a signal of an approaching problem, so it also makes sense to monitor this. Doing this well takes time, but if you just want an indication of sentiment then simply use the free sentiment measure on SocialMention or Coosto (shown below).

Coosto sentiment measure

Don’t fool yourself

The search engine you use will typically customise the results it shows you depending on your previous behaviour. This means that you may not see the same set of results for a brand that I see. This can be a problem: you may be seeing a set of results on the first couple of pages that are favourable to you simply because you are always checking out your social media pages, your blog and your website, so these come up at the top of the list of links you are shown.

But, because I rarely if ever check your social media pages out, I may see other links at the top of my list of results. And some of these may be damaging to your reputation.

Because of this, it is a good idea to make sure that “personalised search” is disabled when you search for your name. There are several ways of doing this but the simplest is to toggle between the two buttons found to the right of “Search tools” and the left of the Options “cog” to see or hide personalised results for a particular search.

Icons that allow you to turn personalised search on and off in Google

Listening isn’t enough

If you are not listening you won’t be able to manage your reputation online. But listening is not enough. You will also need to create a robust profile so that your name appears linked to positive content such as your Twitter and LinkedIn profiles. And you will need to know what actions to take should someone start damaging your reputation online. More on that shortly.

12 ways to protect your organisation against spear phishing

Online scammers are getting smarter. And one area of increasing threat is spear phishing.

You probably know what phishing is: an email, often badly written, trying to persuade you to divulge confidential information such as bank login details, or asking you to click through to a site that will prove to be decidedly dodgy.

With spear phishing the scammers have taken things up a notch. For a start the emails tend to be well written. But they are also personalised. Highly personalised. What’s happening is that the scammers are targeting individuals, perhaps wealthy people or people who have access to things they want such as customer lists or corporate information. Once they have identified you as a target, they trawl your social profile, getting information from sites like Facebook and Twitter to identify things about you. They might even pay to get extra information from, for example, genealogy sites. They then use this information to write an email that seems credible and relevant. For instance:

Dear Angie. Welcome to Acme Inc. It’s good to know you joined last week. Doris in HR tells me you like skiing. Well you might like to know that we have an Acme ski club and we are planning a little trip to the Alps next weekend. New joiners like yourself will get a big 40% discount so click through to find out more about the trip.

You click of course and – nothing seems to happen. But in fact your PC has been compromised with malicious software. What can you do about this? Well, there are several technical things that your IT manager can put in place: configuring the email gateway or firewall to block any emails that contain executable files, or running intelligent phishing detection software. But that won’t solve all your problems. There are a number of other things you need to put in place. And these mainly revolve around educating your staff:

  1. Tell people to be watchful. Describe what spear phishing emails can look like and what they do. And explain to them what they should do if they are suspicious. For instance, if an email is asking for sensitive information they should check with a colleague, or with the supposed sender through a channel other than the email itself. And if an offer is too good to be true, then it probably is!
  2. Ask people only to use their company email for business purposes; if they haven’t got a personal email help them to get a free one from Google or Yahoo. This will limit the potential ways users’ email addresses can get out onto the Internet.
  3. Teach people not to open email attachments from sources that they’re not familiar with. Similarly, warn people to take care when downloading software and apps to mobile devices; if they are not familiar with the source they should check it out, and if they are familiar with it they should go directly to the source by typing in the URL rather than clicking on a link.
  4. Teach people not to click on links in emails, especially shortened ones. They should type in the URL directly. (Cutting and pasting the URL may not be a good idea because they may not have noticed a tiny change to the URL that means it isn’t going where they think it is.) Similarly, clicking on links in social media can be very dangerous: these links (often in surveys or special offers) account for over half of malware attacks.
  5. Accept that people are lazy and unlikely to type in URLs, so tell them that at the very least they should check where a link is leading by looking at the address that appears at the bottom of the screen (the browser or mail client status bar) when they hover the cursor over the link. The visible text of a link and its real destination can be completely different.
  6. Include in your social media policy advice or instructions on what corporate information not to divulge on social media (e.g. on LinkedIn). The more information you share the easier you are making it for scammers. Depending on your business and the employee’s role you may want to restrict information such as the names of people they report to, direct telephone lines and email addresses. Directors and IT personnel should be particularly careful about this.
  7. Tell people that if a “friend” emails and asks for a password or other information, they should contact that friend to check they really are who they say they are. They shouldn’t do this by replying to the email, obviously!
  8. Reiterate that it is never appropriate to share passwords and PINs with anyone online or on the telephone.
  9. Explain to people that just because a link starts with HTTPS that doesn’t mean it is safe: the padlock only means the connection to that site is encrypted, and anyone, including a scammer, can obtain a certificate for a domain they control.
  10. Give people a taste of spear phishing. Send your colleagues a targeted spear-phishing email using an outside email address. Ideally dig up some information on their social media sites (Facebook, Twitter, LinkedIn, etc.) and use this to make the email seem credible. If this is impractical, for instance if you work for a large company, one thing you might do is find out which bank people’s pay is sent to (you won’t need their branch and account number and I’d hope HR wouldn’t give you that anyway). Send them a fake phishing message seemingly from that bank. When they click on the link tell them that they have been phished and give them some tips about avoiding this in future. Get management sign-off before running an exercise like this, and make sure the landing page collects no real credentials.
  11. You need people to report attempted attacks. Reward people for reporting suspicious emails and, if they do appear to be malicious, make sure everyone in your organisation knows to look out for them.
  12. You need people to report any instances when they think they have been scammed. After all you will need to check their PC and your corporate network. So make sure you have a “no blame” culture about spear phishing, and never discipline people if they fall foul of an attack.
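Items 4, 5 and 9 above come down to one check: does a link go where it appears to go? The script below is an added example, not code from the original post. It runs that check over a constructed HTML email of the Acme ski-club kind, treating the hypothetical domain acme-inc.example as the organisation’s own, and flags links whose visible text names a different domain from the real destination, look-alike domains (rn for m, 0 for o and so on), URL shorteners, the user@host trick, and plain http. The sample message and the domain names are invented for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical organisation domains for the example (not from the original post).
TRUSTED_DOMAINS = {"acme-inc.example", "login.acme-inc.example"}

# Well-known shorteners: the real destination is hidden behind a redirect.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}

# Substitutions that make a registered look-alike domain resemble the real one.
LOOKALIKE_SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                   ("3", "e"), ("5", "s"), ("7", "t"))


def registrable(host):
    """Crude registrable domain: the last two labels. Real code should use the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def normalise(host):
    """Undo common look-alike swaps so acrne-inc.example compares equal to acme-inc.example."""
    for fake, real in LOOKALIKE_SWAPS:
        host = host.replace(fake, real)
    return host


TRUSTED_REGISTRABLE = {registrable(d) for d in TRUSTED_DOMAINS}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the anchors in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def inspect_link(href, text):
    """Return the reasons this link deserves suspicion; an empty list means nothing was found."""
    findings = []
    url = urlparse(href)
    host = (url.hostname or "").lower()
    if url.scheme not in ("http", "https"):
        return [f"non-web scheme {url.scheme!r}"]
    if url.scheme == "http":
        findings.append("plain http (no transport encryption)")
    if host in SHORTENERS:
        findings.append("URL shortener hides destination")
    if url.username:
        # https://acme-inc.example@evil.example/ : the browser ignores everything before the @.
        findings.append(f"credentials-in-URL trick: real host is {host}")
    # Visible text that names a domain other than the one the link really goes to.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable(m.group(1)) != registrable(host):
        findings.append(f"link text shows {m.group(1)} but goes to {host}")
    # A domain that is not ours but collapses onto ours once look-alike characters are undone.
    if registrable(host) not in TRUSTED_REGISTRABLE:
        for trusted in sorted(TRUSTED_REGISTRABLE):
            if normalise(registrable(host)) == normalise(trusted):
                findings.append(f"{host} looks like trusted {trusted}")
    return findings


def triage_email(html):
    """Inspect every link in an HTML email; returns [(href, visible text, findings), ...]."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return [(href, text.strip(), inspect_link(href, text)) for href, text in extractor.links]


# Constructed sample in the spirit of the Acme ski-club email above (not a real message).
SAMPLE_EMAIL = """<html><body>
<p>Dear Angie, welcome to Acme Inc. The ski club trip details are here:</p>
<a href="http://acme-inc.example.skiclub-offers.example/trip">https://acme-inc.example/skiclub</a><br>
<a href="https://acrne-inc.example/login">Acme intranet</a><br>
<a href="https://bit.ly/3xyzabc">Claim your 40% discount</a><br>
<a href="https://acme-inc.example@evil.example/reset">https://acme-inc.example/reset</a><br>
<a href="https://login.acme-inc.example/holidays">Holiday booking</a>
</body></html>"""

if __name__ == "__main__":
    for href, text, findings in triage_email(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for finding in findings or ["nothing suspicious"]:
            print("   ", finding)
```

Only the last link (a real subdomain of the trusted domain, over https, with honest link text) comes back clean. The registrable-domain helper deliberately keeps the last two labels only; a production filter would use the public suffix list so that hosts under co.uk and similar are compared correctly.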

The bad news is you are unlikely to be able to prevent 100% of spear phishing attacks as they are so difficult to detect. The good news is that you can prevent a lot of them by giving people the right information. Any other tips? Let me know and I will gladly share them.
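The paragraph before the list mentions blocking emails that carry executable files. Blocking on file extension alone is easily bypassed by renaming, so the added example below (not code from the original post) classifies attachments by their leading bytes as well as by extension, and looks inside zip archives, where executables are commonly hidden. The sample attachments are constructed in the script; the extension list is a starting subset, not a complete one.

```python
import io
import zipfile

# Leading bytes of executable formats a mail gateway should never let through unexamined.
MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"\xfe\xed\xfa\xce": "Mach-O executable",
    b"\xfe\xed\xfa\xcf": "Mach-O executable",
    b"\xcf\xfa\xed\xfe": "Mach-O executable",
    b"#!": "script with a #! line",
}
# Extensions Windows will run on double-click (a subset; extend from the gateway's own list).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".ps1", ".hta", ".msi", ".dll"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to expand suspiciously large archive members


def extension_of(filename):
    name = filename.lower()
    return "." + name.rsplit(".", 1)[1] if "." in name else ""


def executable_format(data):
    """Name the executable format the bytes begin with, or None."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return None


def inspect_attachment(filename, data, depth=0):
    """Return reasons to block this attachment; an empty list means nothing executable was found."""
    reasons = []
    ext = extension_of(filename)
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"{filename}: executable extension {ext}")
    fmt = executable_format(data)
    if fmt:
        note = "" if ext in EXEC_EXTENSIONS else f" hidden behind extension {ext or '(none)'}"
        reasons.append(f"{filename}: content is {fmt}{note}")
    # Zip archives (Office .docx/.xlsx files are zips too) get their members inspected in turn.
    if data.startswith(b"PK\x03\x04") and depth < 3:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.infolist():
                    if member.is_dir():
                        continue
                    if member.file_size > MAX_MEMBER_BYTES:
                        reasons.append(f"{filename}: member {member.filename} too large to inspect")
                        continue
                    inner = archive.read(member.filename)  # RuntimeError if password-protected
                    reasons += [f"{filename} -> {r}"
                                for r in inspect_attachment(member.filename, inner, depth + 1)]
        except RuntimeError:
            reasons.append(f"{filename}: password-protected archive cannot be inspected")
        except zipfile.BadZipFile:
            reasons.append(f"{filename}: claims to be a zip but is malformed")
    return reasons


def build_samples():
    """Constructed attachments for the example: a genuine PDF, two PE files, and a zip hiding a PE."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # just the DOS header signature, enough to be recognised
    samples = {
        "report.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n",
        "report.pdf.scr": fake_pe,   # executable extension and executable content
        "statement.pdf": fake_pe,    # renamed executable: the extension lies, the bytes do not
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("invoice.pdf.exe", fake_pe)
        archive.writestr("readme.txt", b"Please open the attached invoice.")
    samples["invoices.zip"] = buf.getvalue()
    return samples


if __name__ == "__main__":
    for name, data in build_samples().items():
        verdict = inspect_attachment(name, data)
        print(name, "->", "BLOCK" if verdict else "allow")
        for reason in verdict:
            print("   ", reason)
```

A password-protected zip cannot be inspected at all, which is exactly why attackers use them; the script reports that as a reason to block rather than quietly allowing the message through.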

Want to get your identity stolen?

A friend had his email account hacked recently. He is a director of a large public company. Luckily the hackers were only sending spam out. But what if they had malicious intentions against his company?

It’s pretty easy to get your identity stolen online! But if you want to make it hard for someone to hijack your identity then there are some simple rules to follow.

These rules won’t prevent someone from accessing your bank account online (there are still more rules to help stop that): but they should at least protect your Twitter and email accounts.

  1. Don’t use an easy to crack password. Never use a word or a name, especially one that is related to you in some way. Use one that is at least 8 characters long (longer is better) and has some capital letters, lower case letters, numbers and special symbols (yes, some of all of these) but doesn’t contain any recognisable words (and that includes words with numbers substituted in an obvious way, e.g. “p455w0rd” for “password”: password-cracking tools try those substitutions automatically). And don’t use the same one for multiple accounts, especially important ones. Use a service like LastPass to help you manage your passwords. Remember, the more high profile you are, the more secure you need to make your passwords.
  2. Don’t allow your portable devices (laptops and phones) to remember your passwords, even if you have password protected the device itself.
  3. Do install an anti-spyware programme on any device you use to access the internet – including your phone.
  4. Do ensure that you have used the appropriate privacy settings on your social media accounts. You really don’t want to help people to build up a detailed picture of your life that they could use to steal your identity.
  5. Don’t publish information that could be used to answer your password security questions. Often these questions are fixed and include things like “What is your mother’s maiden name”, “What is your birthday” and “What is your pet’s name”. It’s hard to keep some of this information to yourself, but having standard “internet answers” that don’t reflect reality can help.
  6. Separate your professional identity from your personal identity. For instance set up two email accounts such as myfirstnameandsurname@emailprovider.com as a personal email and myfirstinitialandsurname@emailprovider.com as a professional email. In social media have separate identities as well, so you can excite your personal Twitter followers about what you had for lunch and inspire your professional Twitter followers with your latest industry insights (after all your friends will be even less interested in these than in what you had for lunch).
  7. Don’t assume email is secure. Never send information such as passwords or information that could be used to steal your identity by email.
  8. Don’t assume public wi-fi is secure either.
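Rule 1 above asks for more than most password checkers enforce: no recognisable words even after obvious substitutions, and nothing related to you. The script below is an added example, not code from the original post. It checks a candidate password against those rules using a small constructed word list (a real deployment would use a large breached-password list) and a caller-supplied list of personal terms such as names and pets; the substitution table and the sample passwords are assumptions made for the example.

```python
import re

# Obvious substitutions that cracking tools try automatically, mapped back to letters.
LEET = {"@": "a", "4": "a", "8": "b", "3": "e", "1": "l", "!": "i", "|": "l",
        "$": "s", "5": "s", "0": "o", "7": "t", "+": "t"}

# Constructed mini word list; a real check would use a large breached-password list.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "dragon", "monkey",
                "football", "sunshine", "secret", "admin"}

MIN_LENGTH = 8  # the floor the post gives; longer is better


def undo_substitutions(password):
    """p455w0rd -> password, so a word still counts as a word after obvious swaps."""
    return "".join(LEET.get(ch, ch) for ch in password.lower())


def find_words(password, words, min_len=4):
    """Return the words (min_len or longer) found inside the de-substituted password."""
    norm = undo_substitutions(password)
    return sorted(w for w in words if len(w) >= min_len and w in norm)


def check_password(password, personal_terms=(), words=COMMON_WORDS):
    """Apply the post's rules; returns a list of failures (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {"lower case": r"[a-z]", "upper case": r"[A-Z]",
               "digit": r"\d", "symbol": r"[^A-Za-z0-9]"}
    missing = [name for name, pattern in classes.items() if not re.search(pattern, password)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    found = find_words(password, words)
    if found:
        problems.append("contains recognisable word(s) even after undoing substitutions: "
                        + ", ".join(found))
    # Personal terms are checked at a shorter minimum length: a three-letter pet name still counts.
    personal = find_words(password, {t.lower() for t in personal_terms}, min_len=3)
    if personal:
        problems.append("contains information related to you: " + ", ".join(personal))
    return problems


if __name__ == "__main__":
    # Constructed candidates; the personal terms stand in for details an attacker could find online.
    me = ["Jeremy", "Swinfen", "Fido"]
    for candidate in ["p455w0rd", "P@55w0rd!", "Fido2015!", "xK9#vQ2m$Lp7"]:
        verdict = check_password(candidate, personal_terms=me)
        print(candidate, "->", "OK" if not verdict else "; ".join(verdict))
```

The de-substitution step is the point: “P@55w0rd!” satisfies every character-class rule and still fails, because it is “password” to any cracking wordlist. Reuse across accounts, the other half of rule 1, cannot be checked by a script like this; that is what the password manager is for.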

None of these rules mean that you can guarantee the safety of your online identity. But by following them you can at least make yourself more secure. So don’t make it easy for them! Good luck…