Security/Emergency Information

Start with Security: A Guide for Business (even nonprofits)

Lessons from Federal Trade Commission cases

Go to the FTC Start with Security website here or click here to download a PDF copy of their full recommendations.

When managing your network, developing an app, or even organizing paper files, sound security is no accident. Companies that consider security from the start assess their options and make reasonable choices based on the nature of their business and the sensitivity of the information involved. Threats to data may transform over time, but the fundamentals of sound security remain constant. As the Federal Trade Commission outlined in Protecting Personal Information: A Guide for Business, you should know what personal information you have in your files and on your computers, and keep only what you need for your business. You should protect the information that you keep, and properly dispose of what you no longer need. And, of course, you should create a plan to respond to security incidents.

There’s another source of information about keeping sensitive data secure: the lessons learned from the more than 50 law enforcement actions the FTC has announced so far. These are settlements – no findings have been made by a court – and the specifics of the orders apply just to those companies, of course. But learning about alleged lapses that led to law enforcement can help your company improve its practices. And most of these alleged practices involve basic, fundamental security missteps. Distilling the facts of those cases down to their essence, here are ten lessons to learn that touch on vulnerabilities that could affect your company, along with practical guidance on how to reduce the risks they pose.

  1. Start with security.
  2. Control access to data sensibly.
  3. Require secure passwords and authentication.
  4. Store sensitive personal information securely and protect it during transmission.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network.
  7. Apply sound security practices when developing new products.
  8. Make sure your service providers implement reasonable security measures.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
  10. Secure paper, physical media, and devices.
Posted in Cybersecurity

It’s National Cyber Security Awareness Month

Cyber Security is Everyone’s Responsibility

Data breaches resulting in the compromise of personally identifiable information of thousands of Americans. Intrusions into financial, corporate, and government networks. Complex financial schemes committed by sophisticated cyber criminals against businesses and the public in general.

These are just a few examples of crimes perpetrated online over the past year or so, and part of the reason why Director James Comey, testifying before Congress last week, said that “the pervasiveness of the cyber threat is such that the FBI and other intelligence, military, homeland security, and law enforcement agencies across the government view cyber security and cyber attacks as a top priority.” The FBI, according to Comey, targets the most dangerous malicious cyber activity—high-level intrusions by state-sponsored hackers and global cyber syndicates, and the most prolific botnets. And in doing so, we work collaboratively with our domestic and international partners and the private sector.

But it’s important for individuals, businesses, and others to be involved in their own cyber security. And National Cyber Security Awareness Month—a Department of Homeland Security-administered campaign held every October—is perhaps the most appropriate time to reflect on the universe of cyber threats and on doing your part to secure your own devices, networks, and data.

What are some of the more prolific cyber threats we’re currently facing?

Ransomware is type of malware that infects computers and restricts users’ access to their files or threatens the permanent destruction of their information unless a ransom is paid. In addition to individual users, ransomware has infected entities such as schools, hospitals, and police departments. The actors behind these sophisticated schemes advise the users that if they pay the ransom, they will receive the private key needed to decrypt the files. Most recently, these cyber criminals—demonstrating some business savvy—give victims the option of decrypting one file for free to prove that they have the ability to restore the locked files. More on ransomware.

Business e-mail compromise, or BEC, scams continue to impact many businesses across the U.S. and abroad. BEC is a type of payment fraud that involves the compromise of legitimate business e-mail accounts—often belonging to either the chief executive officer or the chief financial officer—for the purpose of conducting unauthorized wire transfers. After compromising a company’s e-mail account—usually through social engineering or malware—the criminals are then able to send wire transfer instructions using the victim’s e-mail or a spoofed e-mail account. BEC scams have been reported in all 50 states and in 100 countries and have caused estimated losses of more than $3 billion worldwide. More on BEC scams.

Intellectual property theft involves robbing individuals or companies of their ideas, inventions, and creative expressions—often stolen when computers and networks are accessed by unscrupulous competitors, hackers, and other criminals. Intellectual property can include everything from trade secrets and proprietary products and parts to movies, music, and software. And the enforcement of laws protecting intellectual property rights (IPR)—which are critical to protecting the U.S. economy, our national security, and the health and safety of the American public—is an FBI criminal priority. The Bureau’s IPR focus is the theft of trade secrets and infringements on products that can impact consumers’ health and safety, including counterfeit aircraft, automotive, and electronic parts. More on intellectual property theft.

“The FBI is doing everything we possibly can, at every level, to make it harder for cyber criminals to operate,” says Associate Executive Assistant Director David Johnson, “and I believe many of them are now starting to think twice before they put fingers to keyboard. But we also ask that the public do its part by taking precautions and implementing safeguards to protect their own data.”

Check back on our website during the month of October for information on protecting your data and devices and on FBI efforts to combat the most egregious cyber criminals.

High Holidays: Are you ready to get out if you have to?

It’s happened more than once…a fire in a synagogue during High Holiday services. Bomb threats and suspicious packages … check.
Most people  tend to exit through the door they entered. In an emergency, if people don’t use all of the doors there will be bottlenecks leading to injuries or worse.
With a little bit of planning and rehearsal this problem can be readily mitigated.
  1. We all have seen the “cards in the seat pockets in front of you” on a plane. Simply figure out how to divide your sanctuary spaces so that all of the exits will be used and create a chart like the one below, reproduce it and stick it in the pockets in front of the pews.
  2. No one expects you to conduct a fire drill on Yom Kippur, but you can ask your ushers and key staff to attend a rehearsal meeting in advance of services. Discuss your plans and their roles with them ahead of time.
  3. Pre-write directions that should be kept on the bimah. In the event of an emergency you shouldn’t count on people to call an “audible” (i.e., improvise).

(click to enlarge)

Ransomware victims urged to report infections





September 15, 2016/Alert Number I-091516-PSA


High Holiday security: stay vigilant

Bernard Picart [Public domain], The Sounding of the Shofar on Rosh Hashanah, illustration circa 1733–1739 by Bernard Picart from

Bernard Picart [Public domain], The Sounding of the Shofar on Rosh Hashanah, illustration circa 1733–1739 by Bernard Picart from “The Ceremonies and Religious Customs of the Various Nations of the Known World”

Security and emergency planning should be an integral component of every synagogue’s High Holiday preparations. Here are some tools to guide you:

High Holiday Security and Emergency Preparedness Planning Library

Synagogue-specific Security & Emergency Planning

Consider the following elements of heightened vigilance:

  • Increase visible security measures. Someone planning an attack may look at your facility, conclude that it is defended and decide to go elsewhere. Several recent incidents also underscore that the presence of armed security and law enforcement personnel and the placement of security checkpoints do not guarantee that an attack will be averted or interupted. Nevertheless, their presence can enable the timely discovery and quick resolution of potential threats and reduce the lethality of terrorist attacks.
  • Review your policies and procedures. How else can you send a signal to outsiders that your facility is a tough target? For example, does your staff do regular inspections of your facility looking for something that, “Just doesn’t look right?” If not, start now. If they do, should you increase the frequency. Review JCRC’s Sample Access Policies and Procedures to identify additional steps.
  • Test your systems. OK, you’ve identified systems to screen your mail, respond to bomb threats and suspicious objects and you have an active shooters plan. The key question is: “Will they work in reality?” Do your panic buttons function? Test them (after you first alert the alarm company). Have you had tabletop exercises and drills covering multiple hazards? How can you make sure that your entire staff and constituencies are on their collective toes?
  • Check in with your local police. For most Jewish organizations, September is the start of a new program year. Reach out to your local police. Offer them the opportunity to get to know your programs, your rhythms, your people and your building. Ask them for suggestions as to how to make your people safer.
  • If you see something, say something. Think how to build a culture of security, because security is everbody’s business. If any of your staff, students, volunteers, congregants or clients sees or hears something suspicious they should feel comfortable to report it to the appropriate person in your facility and the information should be passed on to the police. In NYC the number is 1-888-NYC-SAFE. Elsewhere in New York State the number is 1-866-SAFE-NYS. Every tip is investigated.