To cloud or not to cloud? That is the question. And while there’s no questioning the convenience and benefits of cloud storage – you can access your data from multiple devices and save space on your own servers – there are questions regarding how secure cloud storage really is.

Given recent hacking incidents at bigger-than-big companies and popular cloud services, here are a few things you need to consider when using a cloud provider:

Look for robust authentication: If a cloud provider offers a one-step login, i.e. password-only security, that’s a red flag. If there’s just a single password standing between your sensitive data and hackers, how long until that password gets cracked? Or it could be accidentally or maliciously shared with the wrong person or written down on a piece of paper that’s later lost. The bottom line is, you need more than a password. Look for and use a cloud provider that has a robust login and authentication process. Yes, it takes longer every time you log in. But it also helps to keep hackers out. Be sure to change your passwords and other authentication data regularly. And remember that not everyone in your organization needs to know how to access the cloud.

Take your time: It’s good to be cautious when you’re talking data storage, especially when it’s an outsourced service. So take your time choosing a cloud provider. Ask questions about what security measures are in place and how they are maintained. A dependable cloud provider should be able to answer all of your questions quickly. That likely means they know their service well and have anticipated your concerns. If you’re getting the runaround or don’t feel confident with the answers you’re receiving, look elsewhere. There’s not just one cloud in the sky.

Sign on the dotted line: You’ve thoroughly vetted a cloud provider’s security and authentication measures and have determined you’ll actually have a higher level of security using the cloud than with internal, on-site storage. You’ve asked about risk management, documented policies, incident preparedness, encryption levels, employee training and all of your other concerns. You’ve conducted a thorough audit and you’re happy with what you’ve found. Then and only then enter into a service agreement with a cloud provider.

Just remember that any type of cyber security is never foolproof and new threats constantly emerge in the cyber world. So keep up with what’s going on at your cloud provider and keep access to the cloud restricted only to individuals in your organization who really need it. If one of those individuals leaves your organization, change all of your cloud passwords and authentication data at once.

The fewer people who have access to your sensitive data – both inside and outside your organization – the more secure it is.

How important is cyber security? October is National Cyber Security Awareness Month for the ninth consecutive year and each year, the designation seems to become more important.

So important that a top U.S. cyber warrior is recommending that his cyber command division be elevated into a top-level military unit under the Department of Defense. The Cyber Command, created two years ago, is currently under the U.S. Strategic  Command, which is responsible for U.S. nuclear and space operations.

Rear Admiral Samuel Cox, the cyber command’s top intelligence officer, believes his unit needs more power to combat the growing number of cyber threats facing the nation, according to Reuters. Many of those threats come from foreign hackers who are trying to pierce the Pentagon’s computer networks to obtain highly-classified information.

But cyber attacks aren’t just a threat to the military. Look at the numerous banks that experienced online outages due to cyber attacks in the past few weeks. And what about the flurry of data breaches reported this year by healthcare organizations?

The fact is that no organization – large or small – is immune from cyber attacks, hackers or simply the loss of a portable device containing the personal identifying information of consumers. Every organization and – every individual for that matter – needs to take cyber security seriously. And what better time to check on your security measures than during National Cyber Security Awareness Month. So here’s a checklist to help you keep your data safe.

•  Install the most up-to-date firewall, anti-spam and anti-virus software.
• Establish policies for handling sensitive data, mobile devices and computers. Educate everyone from C-suite executives to employees to contractors and vendors.
• Upload patches to fix any problems with your software programs.
• Use passwords on laptops, computers and mobile devices. Educate employees and contractors on the importance of using long, strong passwords.
• Encrypt laptops and mobile devices. Also encrypt sensitive files.
• Back up sensitive files and properly dispose of files you no longer need. Store backup data in a separate location – ideally off-site – from your main servers. To dispose of sensitive data, you should physically destroy the hard drive that contains the data. Otherwise, someone may be able to retrieve that data if the computer is sold or donated.

Medical identity theft is no longer some obscure phrase spoken primarily in data security circles. It’s quickly becoming a household term for millions of Americans who’ve become a victim or know someone victimized by identity theft.

In fact, 90% of the respondents in a recent study knew the definition of medical identity theft this year, compared with 77% last year, according to the Ponemon Institute.

Awareness of the crime, along with its number of victims, is obviously rising. But interestingly, a majority of victims are either not sure what to do or don’t do anything about having their medical identities stolen. What about your organization? Does it know what to do?

Here are three things you should never do if your organization experiences a data breach that puts patients or consumers at risk of identity theft:

• Ignore the incident thinking no one will find out
• Take one year or longer to notify potential victims. Or even worse, don’t notify them at all if you’re not required to do so by law.
• Don’t offer any compensation or services to help potential victims

So what should you do? Here’s what people expect when their medical records are lost or stolen.

1)      Reimbursement for the cost of finding another provider. If you’re a doctor, this may seem worse than it actually is, as most victims take no action. But if they do leave, reimbursing them is an act of goodwill that can only benefit your organization in the long run.

2)      To be notified of the loss or theft within 30 days. It may behoove you to be honest and forthright. Some organizations maintained the loyalty of their patients by issuing a press release and developing a website dedicated to the breach.

3)      To be provided with free identity protection for one year.

The best remedy for identity theft is to avoid it altogether by taking precautions to protect data and train your staff on security measures. But if you do experience a breach that leads to identity theft, the best thing you can do is help your victims. It’s not only the right thing to do, it’s also the best way to protect your brand and reputation.

Customers see a data breach and the loss of their personal data as a threat to their security and finances, and with good reason. Identity theft occurs every four seconds in the United States, according to figures from the Federal Trade Commission.

As consumers become savvier about protecting their personal data, they expect companies to do the same. And to go the extra mile for them if a data breach occurs. That means providing protection that holds up under scrutiny. Protection that offers peace of mind, not just in the interim but years down the line.

The stronger the level of protection you provide to individuals affected in a breach, the stronger their brand loyalty. Just like with any product, consumers can tell the difference between valid protection products that work and ones that just don’t.

Experian® Data Breach Resolution takes care to provide the former, protection that works for your customers or employees affected in a breach and that reflects positively on you, as the company providing the protection.

Experian’s ProtectMyID® Elite or ProtectMyID Alert provides industry-leading identity protection and, now, extended fraud resolution care. ExtendCARE™ now comes standard with every ProtectMyID data breach redemption membership, at no additional cost to you or the member.

With ExtendCARE, the identity theft resolution portion of ProtectMyID remains active even when the full membership isn’t. ExtendCARE allows members to receive personalized assistance, not just advice, from an Identity Theft Resolution Agent. This high level of assistance is available any time identity theft occurs after individuals redeem their ProtectMyID memberships.

Extended protection from a global leader like Experian can put consumers’ minds at ease following a breach. If we can help you with pre-breach planning or data breach resolution, please contact us at 1 866 751 1323 or databreachinfo@experian.com.

A great deal of data is collected on students of all ages. Registration forms, health forms, emergency contact forms and permission slips are all a part of the information overload that schools typically require from their pupils, and many of these forms request sensitive data such as social security numbers. Unfortunately, school administrators don’t always protect this information as well as they should and education institutions are just as susceptible to data breaches as any other organization.

This vulnerability, combined with the fact that stealing personal information from minors can go undetected for years, is just part of the reason why minors are 51 times more likely to suffer from identity theft than adults.

The Federal Trade Commission recently issued a release alerting parents about how to protect students from fraudulent activity. Of particular note is information about the federal Family Educational Rights Privacy Act (FERPA), enforced by the U.S. Department of Education, which protects the privacy of student records and gives parents of school-age kids the right to opt out of sharing contact information with third parties, including other families.

The FTC’s safety tips for parents include:
• Read the notice schools must distribute that explains the rights of students and parents under FERPA. This legislation protects the privacy of student education records and gives parents the right to inspect and review your child’s education records, consent to the disclosure of information in the records and correct errors in the records.
• Ask your child’s school about its directory information policy. Student directory information can include a child’s name, address, date of birth, telephone number, email address, and photo. FERPA requires schools to notify parents and guardians about their school directory policy and give them the right to opt out of the release of directory information to third parties. Absent opting out, directory information may be available not only to the people in a child’s class and school, but also to the general public.
• Take action if your child’s school experiences a data breach. If you believe there’s been a data breach and your child’s information has been compromised, contact the school to learn more. Talk with teachers, staff, or administrators about the incident and their practices. Keep a written record of your conversations. Write a letter to the appropriate administrator, and to the school board, if necessary. The U.S. Department of Education takes complaints about these incidents. Contact the Family Policy Compliance Office, U.S. Department of Education, 400 Maryland Ave., SW, Washington, DC 20202-5920, and keep a copy for your records.

Perhaps it’s no coincidence that as more attention is directed to the risks of identity theft amongst children, cyber defense is becoming a hot new field of study for students. National cyber defense competitions have emerged as spirited forums for budding technical talent, including the National Security Agency’s Cyber Defense Exercise – a competition that pits students from a series of military academies against each other – and against the competition’s leaders at NSA; the Air Force Association’s National High School Cyber Defense Competition, CyberPatriot, created to inspire high school students towards careers in cyber security and associated fields; and the National Collegiate Cyber Defense Competition, designed to provide practical experience for students in a fast-changing field that needs ever more talented workers.
We can only hope that this new generation of cyber experts – borne from a time when new risks have posed threats to their own personal safety – can meet the growing challenges of cyber defense.

It’s that time of year again when people near and far get ready to celebrate the most wonderful holiday of them all.

OK, perhaps it isn’t exactly Christmas, but Data Privacy Day – observed on January 28th in 2012 – is no less a celebration; it’s just that this one is designed to promote best practices and awareness around privacy.  The “holiday” was begun in Europe in 2007 and continues to be observed in 30 countries as Data Protection Day.  In the U.S., National Data Privacy Day is managed by the National Cyber Security Alliance (NCSA), a non-profit public-private partnership which estimates that through media and other activities its messages regarding cybersecurity reached 175,000,000 people last year, all in the service of promoting a digital society that can best leverage the five c’s: content, community, communication, commerce and connectivity.

As our world becomes ever smaller and more networked, Data Privacy Day provides information to consumers about the ways in which personal information is collected, stored, used and shared. The international privacy promotion also helps businesses understand the laws and regulations to which they’re subjected and offers guidance about how to best shield themselves from risks.  Above all, the event is designed to foster a dialogue between different entities – citizens, private organizations and public institutions – about how to balance innovation, progress and growth with the need for privacy protection.

Since privacy is our shared responsibility, how can you contribute to this security festivity?  Train your employees, or consider hosting an event or sponsoring NPD.  If you have kids or teach them, turn to the Teens and Young Adults page, the Parents and Kids page, or the Educators page, which offer guidelines such as how to update your Facebook privacy settings, resources such as videos on how to protect your personal information and privacy, as well as your children’s.  Data Privacy Day activities will include presentations, conferences, technology demonstrations, webpage and video competitions, instructional videos, workshops, and regional events, so there are plenty of ways to get involved; for more information, turn to  www.dataprivacyday.org.

And remember to stay tuned to Experian’s Data Breach Resolution blog, where every day is data privacy day.

A recent data breach discovery serves as a reminder that even when you’re on vacation, cyber criminals never sleep.

Vacationland Vendors, a company that supplies vending machines and video games to entertainment venues, recently reported that an unknown intruder penetrated its point of sale systems, resulting in a data breach affecting approximately 40,000 customers at waterland resorts in Tennessee and Wisconsin.  Although credit card and debit information was apparently stolen between December 2008 and May 2011, Vacationland Vendors did not state how the breach was discovered or whether affected customers have been notified.  The company did issue a general recommendation to anyone who visited the affected resorts within the targeted time frame to remain vigilant for fraud activity on their bank and credit card statements and to consider adding a fraud alert with the major credit bureaus.

The Vacationland Vendors data breach highlights the continued vulnerabilities of point of sale technology to crafty cyber criminals.  Heartland Payment Systems, a leading payment processing company, discovered this several years ago when it was hit by a historically large breach that exposed the accounts of as many as 100 million cardholders.  The same kind of breach affected CardSystems Solutions when a breach exposed the accounts of 40 million debit and credit card holders, leading to the sale and ultimate closure of the company.  Indeed, the theft of credit card data is one of the most common forms of fraud and the very reason that the Payment Card Industry Data Security Standard strengthened its requirements of payment card device vendors last year.

The debate about how to best secure credit card transactions has continued this year with the burgeoning introduction of end to end encryption technologies that can better protect cardholder data throughout the entire transaction process.  An example of improved safety mechanisms in the POS process is newer chip and PIN technology, as evidenced by Visa’s recent announcement that it is accelerating chip migration and adoption of mobile payments.

Until the technology around POS systems is more bulletproof, it’s especially important for companies to implement added safety measures around its current credit card payment processes.

The winter holidays are upon us and that means the travel season is pivoting into high gear.  Employees everywhere are preparing to trot off hither and yon, likely with their laptops and mobile devices in tow – and, accordingly, with your company’s data, as enticing to prowling cyber-thieves as overstuffed Christmas stockings.  While holiday travelers unwind and turn their focus to hearth and family, fraudsters focus on snatching precious data from unwary targets at airports, wi-fi hotspots, hotels and beyond.

What can companies do to mitigate the risk to their holiday-traveling data?

First, remind employees about the importance of protecting their laptops and other data-carrying devices. According to the Ponemon Institute, close to 637,000 laptops are lost each year, most commonly at security checkpoints.  Ponemon notes that 10,278 laptops are reported lost every week at 36 of the largest U.S. airports, and 65 percent of those laptops are not reclaimed.  The airports with the highest number of lost, missing or stolen laptops include (in this order) Los Angeles International, Miami International, Kennedy International, and Chicago O’Hare.  While Atlanta’s Hartsfield-Jackson International is the busiest airport in the U.S., it is tied for eighth place (with Washington’s Reagan National) for lost, stolen or missing laptop computers.

The average value of a lost laptop is $49,246, a number based on several factors: replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses.  Given the damage associated with laptops that go MIA, it might be wise to restrict access to corporate information while employees are traveling.  If full access to server information isn’t needed, consider using other systems such as read-only export files.  Suggest that employees transfer sensitive data from laptops to your company’s secure central server, or move it to a disk that may be stored safely until they return.  And don’t forget that encryption can serve as an endpoint protection, which allows employees to perform a remote data erase if a device is lost.

A few other tips:

• Encourage the use of privacy filters, which block the ability to view computer screens from an angle.
• Guard against open wi-fi prowlers by setting computer defaults to require owners’ authority before connecting to a new network.
• Discourage the use of public computers.  Many of them contain “keylogger spyware” that can monitor every keystroke.

With the flood of online shoppers comes the accompanying tidal wave of fraudsters washing over the cheerful holiday landscape.  Hidden behind the online mistletoe, cyber-thieves lurk with seasonal scams, virtual Scrooges with plans to spoil holiday shopping for consumers and retailers.

Here, according to McAfee, are 12 common holiday scams to beware of:

1. iPad scams.  Watch out for bogus offers for free iPads on social media sites and via spam.

2. “Help! I’ve been robbed” scam. Fraudsters send emails appearing to come from the account of friends which state that they’ve been robbed while traveling abroad and need money to be wired in order to get home.

3. Fake gift cards. With these scams, cybercriminals promise fake gift cards in exchange for personal information that can be used for identity theft.

4. Holiday job offers. Fake, high-paying, work at home jobs are offered in exchange for personal information.

5. “Smishing.” Scammers “phish” via text message, or smish, often posing as a bank or online retailer requesting personal information to address a problem with a target’s account.

6. Holiday rental scams. Fake, attractive rental properties at low prices are advertised on phony websites in order to lure deposits via wire transfer.

7. Recession scams.  Financial “help” is offered to targets in the form of pay-in-advance credit schemes and pre-qualified low-interest loans, all in exchange for an upfront processing free.

8. Grinch-like Greetings. Fake e-cards are loaded with links to computer viruses and other malware.

9. Low price traps. Auction sites and phony websites are used to offer too-good-to-be-true prices on holiday gifts; the scammers walk away with information and/or money.

10.  Charity scams. Solicitations for phony charities play on the spirit of holiday giving and philanthropic generosity.

11. Dodgy holiday downloads. Watch out for holiday-themed jingles, screensavers and animations distributed via downloads, spam or dubious websites – they could contain malware.

12. Hotel and airport Wi-Fi. During this season of high travel, Wi-Fi hotspots are criminal hangouts, with scammers eager to hack into unprotected networks.

This holiday season, make sure that you, your employees and your customers are on high alert for the seasonal scams that turn up with the regularity of fruitcake…and are just as unwanted.

The tourism industry may be bouncing back from the worst of the recession, but occupancy, unfortunately, isn’t the only thing on the rise.  So are data breaches.

According to a new report by British insurance firm Willis Group Holdings, insurance claims for data theft worldwide jumped 56% last year, with the largest share of those attacks – 38% – targeting hotels, reports and tour companies.

Why are hackers increasingly making themselves at home in the hospitality sector?

According to hospitality experts, the reasons are multi-fold:

1.    Labor cutbacks.  Given the recessionary climate, hotels have reduced staff and are trying to do more with less.  While the lean and mean approach may help hospitality businesses bolster bottom lines, it hurts the industry’s front line defenses against hackers.

2.    Software and equipment reductions.  While hotels ride out the recession, security maintenance, implementation and upgrades fall lower in the priority checklist, creating an easy welcome mat for fraudsters.

3.    Multiple entry points.  Customers book hotels through hotel websites, online travel reservation portals, phone calls, email, postal mail, and in-person with concierges.  Each channel offers its own risks for data breaches and must be individually addressed.

4.    Large access to personal data.  The hospitality industry keeps massive amounts of personal data on file for years and can sometimes lose track of what they have stored and where – all within databases that may be far less than bullet-proof.

5.    Guest room computers with flimsy protection.  Those networked desktops that hotels sometimes provide for guests can be so helpful…and harmful.  Often these computers are riddled with viruses or hiding bits and bytes of old customer data.

6.    Insecure cultures.  Even in the best of times, much of the hospitality industry simply doesn’t prioritize security as it should.  By creating business cultures that don’t sufficiently respect privacy, hotels are jeopardizing the trust of their customers.

Given that hackers have identified the hospitality sector as a soft target, what can hotels do to keep these unwanted guests out?  Here are some tips from industry watchdogs:

1. Minimize data collection.  If you don’t need it, don’t collect it.
2. Understand and comply with PCI-DSS.  Make sure your business is completely aware of its “cardholder data environment” and is providing appropriate protections.
3. Find and digitally shred unneeded information.  Old, forgotten data is dangerous. Don’t be “data blind” – eliminate what you no longer need.
4. Simplify your reports.  For example, don’t offer up social security numbers if not needed.
5. Limit access.  Employees should be on a “need to know” basis with PCI and HR data.
6. Split up your network.  Create electronic firewalls that limit the spread of viruses and attacks.
7. Encrypt. Proper encryption renders hacked data unusable.
8. Understand your network.  Review network logs for unauthorized activity, and make sure your security professionals do, too.
9. Don’t put security in the ghetto.  Security isn’t just for IT professionals; make sure your entire organization creates and respects a culture of privacy that prioritizes security as the basis for all of its operations