
Sunday, November 15, 2015

A Call of Digital Duty: Key Questions and Actions for Securing Your Own Files

Have you ever wondered about the value of a single document or digital asset to your work, your livelihood or even life? Maybe the file contains a contract or evidence to support a claim, a deed or last will and testament, an insurance policy, years of research, or a business plan. Perhaps interview notes from anonymous sources for an investigative article. Is the file worth protecting? Is it worth keeping confidential?

Stop Taking Security for Granted Because of Tech Convenience 
The marvels of technology make nearly every digital action we take more convenient. Yet, when it comes to security, “easier” can often mean lazier and an open door for attacks that could threaten your business. The same level of effort that went into creating your document or digital asset should also apply to how files are protected when they are stored, accessed and shared. And it’s not only a technical job. Time spent training users, changing behavior or bad habits, managing the process and monitoring compliance can fall on your shoulders.

A few years ago, TechRepublic ran a great article called “Chasing the elusive approval for an IT-security budget.” The piece talked about inherent and residual risks and how IT managers can make a business case to help non-tech management understand associated costs. The article also shed light on: “When is the cost of reducing risk more than the cost of having the risk occur?”

That reminds us that digital risks, consequences and occurrences apply not only to enterprise IT but also, more granularly, to files and to every file creator or collaborator. While tech security is vast and complex, the cost of reducing risk at the file level should never exceed the cost of having the risk occur. Part of the solution is finding a security-equipped application to protect your files. And some of those costs come down to seeing how that application can complement your workflow and get used regularly.

What is your file worth?  
The worth of the file, of course, is related to the information digitally encoded inside. As a file creator, your job should always be to make sure your work is stored, accessed and shared in the safest ways possible. Potential damages from a data leak or attack should keep you up at night. Lawsuits, stolen trade secrets, adverse effects on stock prices, broken client relationships, professional ethics infractions, missed business opportunities, infighting, a tarnished image and more are real consequences of negligence. Instead of considering the likelihood that these events will occur, anticipate that they will happen if you do nothing.

Given the consequences, consider whether the same protections should apply to all files. Ask yourself if every file is equally important and if you should treat them the same when saving, storing and sharing. The answer will be “no” unless you are creating the same document or form over and over with no variation.

To make that assessment for each file, or category of file type, ask yourself what would happen if that private information suddenly disappeared or became public. Based on your knowledge of what is inside the file, ask yourself:
  •       “What will people mentioned in the file (or related to the file) lose?”
  •       “What will I lose?” 
  •       “What will we (those mentioned in the file, you and your organization) lose?”

In a similar way, consider what the price tag could be to remedy such a loss. Kaspersky Lab and B2B International recently issued a global study of more than 5,500 IT specialists that found attacks cost small businesses an average of $38,000 per incident in 2015.  In addition to your billable rate and intellectual property, what costs might surface related to lawsuits, crisis planning, penalties and fines, repairing relationships, managing media relations, discounting products or services, or passing up business opportunities due to the distraction? You may not know exact costs but can surely get a feeling for low to exponential levels of effort toward righting a mishap or catastrophe.

For files with information containing a lot of value and exposure to risk, do not get lazy because you have never experienced an information security incident. After answering and acknowledging what will be lost and costs to rectify, you need to understand how files are currently protected and what a more ideal, vigilant state looks like for their security.

Here are 10 basic questions to consider:

1. How are your important files saved (local, network or cloud) and what levels of security protect them (are backup, co-location hosting, virtual private servers and redundant hosting services available)?
2. What encryption methods are used (AES with 128, 192 or 256 bit keys, RSA and/or 3DES) when files are accessed and stored, and sent in transit (TLS)? Who created the system and has it been 3rd party tested?
3. Do you have both personnel and technical solutions for managing secure file access?
4. How is security maintained as files are shared with people and by others?
5. What are password requirements and how often are password changes required?
6. What options are available for multi-factor authentication of invited file users?
7. What are document, network and cloud-level permissions?
8. What are administrators and users able to do with the file (read-only, saving, editing, deleting)?
9. If your cloud provider promises “convenience” features like file synchronization between a local device and cloud storage, what security precautions are in place if your device is lost, stolen or attacked? If they promise to wipe your data remotely, how does that really work?
10. How, when and where are your files retained and disposed?

Whether you work for a small business or multinational organization, maintaining vigilance for file security should be in everyone’s job description. At the file level—where you are a factor—the costs of reducing risks by taking precautions should be a fragment of the sum of having the risks occur. 

Your Call of Duty
Ask your IT and legal departments about a process for securing files. As part of the process, watch out for tools that promise to automate or connect to everything or seem so complex that the user experience leaves you scratching your head.

Remember that a solution is only effective if it's regularly applied. In addition to a policy and proper tools, do you have a checklist in place for users that includes key manual security measures for important documents? If answers are not within easy reach, you and your organization are at risk. If you don’t have an IT or legal resource and don’t have answers, then you have a bit of research to do.

There are plenty of experts and applications available to help, plus SANS Institute’s, Qualys’ and Kaspersky Lab's assessment and awareness resources with tools, tips and training. The good news is that you can improve your file security situation quickly and reduce your exposure by assuming greater accountability and following best practices.

Tuesday, November 10, 2015

Here's To The Rejects!

Driving on country roads in northern Illinois a couple of weeks ago, my wife remarked, as we passed the sparsely-placed farm houses, how lonely it must have been, many years ago, with no phones and no internet.

The area had been settled about 175 years ago and here we were, wondering what would compel someone to move to such a remote location to make a living.  The short answer, for probably most of them, was, "They had no choice."

Building a better world

For the most part, the United States was settled by people who were rejected by their home country.  Many were rejected because of the religion they practiced.  Others were rejected when they tried to get a job that paid enough to feed and shelter themselves or their families.  Still others, migrating from the eastern seaboard, saw the good land and jobs gobbled up by the wealthy and well-connected.  So, they were rejects.

Thursday, October 22, 2015

Beware of Digital Grave Digging: Guard Deceased Identities

Do you ever wonder how the deceased are able to receive social security checks,  vote or open new credit card accounts?  It's happening more and more.

According to the Internal Revenue Service, the identities of nearly 2.5 million deceased Americans are stolen every year. Although the deceased person isn't affected (of course), their survivors are. Stolen identities can result in financial obligations that the surviving family is responsible for covering or, at a minimum, must spend a lot of time and energy fighting.

So how are these identities stolen?

According to the ID Theft Center, identity thieves obtain information about deceased individuals in various ways. They may watch the obituaries, steal death certificates, or even get the information from websites that offer the Social Security Death Index. These websites are supposed to be used for genealogy research but are sometimes used to steal identities. It's not necessarily a stranger you have to worry about either. The ID Theft Center reports that as much as 30 percent of identity theft may be committed by a family member or friend! This scenario may be more likely if the deceased person suffered from lengthy illness, mental confusion, or if there is disagreement among family members prior to the death.

Wednesday, October 14, 2015

An Epic Digital Scare: Prepare to Lose Your Laptop

I had a scare earlier this week at Epic Burger in Chicago that was not a result of food poisoning or poor service. Quite the opposite, in fact, occurred. While waiting for a late afternoon take-out order, I set my backpack in a nearby chair. After filling a drink from the self-serve fountain, I walked out of the restaurant without returning to the chair and backpack. Partially due to battling a migraine headache, I did not realize the bag was gone until late in the evening. Even more painful, inside the backpack was my laptop containing more than 10 years of data.

Digital Detachment
There is a feeling of free-fall vertigo that comes with a lost or stolen device. On my laptop were many local files related to work and my livelihood, personal matters and mementos, and graduate school. The cost of the laptop was one thing, but the value of the accumulated stored documents and assets was quite another.

After retracing steps, I concluded that the backpack and laptop had to be at the restaurant. Later that evening, I went to look at location and deactivation options through Apple. Unfortunately, their service is of little use for devices not connected to the Internet and not powered on. My login offered some prevention for unauthorized access but files inside were not encrypted. I thought about identity theft and someone pulling personal account information. Would I have to change all of my credit cards? I also envisioned someone wiping the serial number and data to sell the computer. I visited Epic Burger’s website where I found an after-hours service number to call, as well as email to contact the location.

Encrypted Precautions
Beware which files you save where!
I did have the foresight to upload many of my critical files—closing documents to my house, passport and social security scans, tax returns, legal agreements, retirement and financial accounts, graduate school research and more—to rest encrypted in the cloud. For what I could still recover, I figured that file-wise I’d be ok. And the absence of clutter might even be cathartic. I also reminded myself that I did not use file synch applications for the vulnerabilities associated with this exact scenario. Losing a device that opens access to cloud storage through synchronization can put everything that you’ve stored there at risk.

Afterward, I pulled back and paused. In the scheme of things, the loss maybe wasn’t as big of a “fall” as I had made it out to be. Yes, losing a device such as a laptop was a big expense. Yes, I could be exposing my personal information. And yes, alerting bank and credit accounts, along with ID monitoring agencies was more than a hassle. Fortunately, I had already taken some precautions by storing important assets in the cloud (you can probably guess where) before this accident happened.

When Epic Burger opened the next morning, I contacted them. I described what the bag looked like and the first employee who answered said they did not have it. A second look from the manager, however, confirmed that they received my messages and had already placed the backpack in their office for safekeeping. I breathed a sigh of relief and thanked them for their honesty and diligence. In picking up the backpack, a simple thank you would not suffice, so I shared a nominal tip for doing such an honest deed.

Unexpected Outcomes
Learning from the experience I acknowledged that loss of laptops and devices happens—we are only human. I also decided that there are a few more files on my laptop that should be encrypted and put behind multi-factor authentication at-rest in the cloud, not on my laptop. Similarly, there are some files on my laptop that should not be saved there long-term at all. And passwords for both can always be longer, more unique and changed. The world can be an unforgiving place and we need to take steps to batten down the hatches, defend against data leakage, loss, misuse or worse. At the same time, even in the age of ubiquitous digital danger, let’s not lose sight of the “Epic” goodness that exists in humanity. Prepare for the worst, indeed, but do not stop appreciating or hoping for the best.

Friday, October 2, 2015

Help! A Dog Hit Me While My Waterskis Were On Fire!

Yesterday, the United States joined the rest of the world with its adoption of the International Classification of Disease codes, Revision 10.

Originally designed for statistical purposes, the ICD is now the de facto database organizing protocol for the US medical billing system.  Medicaid, Medicare and now all private insurers are transitioning to the new system. There is a one-year grace period.

How dangerous is this world, anyway?

This change is very important, and even before it is in full use, it provides some important insight into the dangers we face.  So as a public service, we at SafelyFiled want you to know some of the potential dangers you face.  We didn't make these up.  The ICD must actually consider these a risk, otherwise there would be no code for them.

For example, you could be injured and if your injuries were coded as V54.1XXA and V91.07XA, it was because you were struck by a dog and burned while on water skis.  Don't believe me?  Take a look at these screenshots below.  My questions are, "How did the dog hit you?  Did he jump out of the boat?  And what did you use to get your skis to burn?"

Friday, September 18, 2015

You Are Responsible For Your Health Care

You have an absolute obligation to help your doctors and medical staff provide you with the best care possible.  You simply can't get good care if you don't do your part.  Remember, you are your best healthcare advocate.

Here's What Doesn't Help

If your doctor asks you what medication you are taking and you tell her you are taking three white round pills a day, you are not much help.

If you are asked if you are allergic to any medications and you say yes, but you don't remember which ones, you are not much help.

If you list your prior injuries, but neglect to mention the concussion from the auto accident you were in 10 years ago, you are not much help.

Wednesday, September 2, 2015

The Check is Not in The Mail? A Life Hack for Digital Person-to-Person Payment

Secure Payment via Encrypted, Permitted & Shared Storage

Trying to get your son or daughter a check quickly? Need to pay back a friend for a small loan? Late on a payment to a contractor? We are always on the lookout for unique ways to utilize SafelyFiled’s signature blend of enterprise-grade security measures and simple, yet tight and effective permission controls for completing tasks. Here is a new life hack to avoid incurring wire and overnight delivery charges, and deliver payment from a personal check faster than you can say the U.S. post office's unofficial creed.

  • First, make sure whoever is receiving the check has digital remote deposit set up through their bank. Most major banks offer the service through account features or mobile applications and they are typically quite secure, simple and fast. Double-check to see what file types the bank accepts—jpg, tif, png, gif—and any special size or dimension requirements for the image.

  • Second, scan the check that you want to send for payment, front and back. We are ScanSnap fans, however, other high-quality scanners will do. You also may be able to get by with taking close-up photos with your smart phone camera. After capturing the images, temporarily save the files to your device in a format and size that agrees with your bank’s uploading requirements.

  • Third, upload the check images to your SafelyFiled account where you can title, tag, make notations and even set a reminder for the check if you want to take action later. You will also want to add your intended recipient’s email and set document-level permissions in your account before sending a secure link to access the check. Rest assured, your files are encrypted when they are sent and stored (see our note below for additional information). Also, don’t forget to delete the local files of your scanned check images saved on your device.

And that’s it for sending! Receiving the check is just as simple ...

  • First, your recipient should have temporary access to your scanned check since you added their email for sharing and set permissions in SafelyFiled, along with expiration for access. The recipient should receive a link to the scanned and encrypted files, which they can then grab and download locally.

  • Next, after downloading, your recipient should print out the two files—the front and back of the check. Importantly, they should make sure that the banking and routing numbers do not smudge so their bank can read the information clearly. Then add a restrictive endorsement on the back of the check with corresponding signature and “For Deposit Only” to prevent fraud.

  • Last, recipients should place the printed front and back of the endorsed check in a well-lit area, like a kitchen table or home office. They can then upload the front and back through their bank’s remote deposit application, via their website or mobile. Once accepted, void the check and delete the local files of the scanned images.

We think this life hack is a bit like check delivery at the speed of the Internet through your own "armored vehicle." SafelyFiled has many other uses beyond facilitating person-to-person payments too. But cost for this postage, not to mention speed of delivery, beats bank wire transfer fees, the U.S. Post Office and other postal services, FedEx, UPS and PayPal by a wide margin. Plus, your recipients will know exactly when and where to expect payment. 

Additional note on security: we respect your need for confidentiality and work hard to protect your privacy. SafelyFiled maintains expertly designed algorithms (using AES and RSA) at the core of our security architecture. SafelyFiled ensures that your files—including checks—are protected both when they are stored in the cloud through 256-bit encryption and while they are transmitted over the Internet.