January 24-28th is Data Privacy Week! Given the ever evolving state of data privacy, this is a great opportunity to discuss how we can protect ourselves against data breaches and identity theft. Originally, this tradition started as a day observed on January 28th as a result of a European Council meeting on the subject in 1981. This was “an educational initiative focused on raising awareness among businesses as well as users about the importance of protecting the privacy of their personal information online, particularly in the context of social networking.” (Wikipedia)
Clearly the people who started this initiative made an extremely accurate prediction: The breadth and usage of the internet would expand rapidly and data privacy laws would fail to keep up with the times. While there have certainly been some recent advancements in data privacy laws such as GDPR it remains true that we have a long way to go before we, as a society, can consider our personal data adequately legally protected.
As users of internet services, we are all victims of the mishandling of our own personal data. We can see this mishandling in so many ways:
- Data breaches as a result of malware leading to massive swaths of personal info such as credit card and social security numbers being stolen and sold by bad actors
- Ransomware attacks that have now also turned to data extortion - threatening to leak confidential data and risk damage to company reputation, for a price. This is one of the more recent and nasty developments in the Infosec space.
- Terms of service agreements (which most of us fail to read) allowing companies to sell our data, usually to marketing agencies, so that those agencies can target us for personalized ads
- Identity theft as a result of our data being stolen or improperly handled by the many companies that have access to it
While we as individuals cannot (directly) change data privacy laws, we can certainly change our behaviors to mitigate vulnerability to any data disasters as listed above.
Considering privacy vs. convenience
Many apps and websites ask for access to different types of personal info. This can include your contacts list, geographic location, or microphone access. We would all benefit to consider the downsides of sharing our data with organizations before we click on the “allow all” button. Some questions that are valuable to ask before accepting the data request prompts on an app include:
“Is this company trustworthy?”
“Is there any real reason this app needs access to my microphone?”
“Why does this game app need GPS data from me?”
If it’s possible to use an apps’ or websites’ primary functionality without granting it additional access to other parts of your phone/computer, we recommend you do so purely to minimize how much free data they get from you. As a general rule, if the app is free, then you and your data in that app are the product.
Add protection layers to your data
There are some crucial activities we can all take to lower our risk of things like identity theft or an online account being taken over. The first one is improving our password habits, and we can do this in a few simple ways:
- Use long (18+ character) unique passwords for each account. Pass phrases can really help!
- Utilize a password manager to generate unique and strong passwords (with the benefit of not having to remember them!)
- Turn on MFA (multi-factor authentication) for any service that has it as an option
Many account “hacks” originate from leak of password data from a service. Once hackers have passwords that are associated with email accounts, they can do what is called “credential stuffing”. This is a cyberattack method in which attackers use lists of compromised user credentials to breach into other accounts that use that same email and password combination. Using MFA and unique passwords will keep you protected from this kind of attack.
Another really great option available to us is the ability to freeze our credit with all of the different credit agencies. In the U.S. there are three main credit agencies: Transunion, Equifax, and Experian. These agencies have an extraordinary amount of data on each U.S. citizen and therefore, a data breach (as we saw with Equifax in 2017) can lead to millions of people having their social security, birth date, and other information stolen. When bad actors have access to this type of personal data, they can attempt to open lines of credit (such as credit cards or loans) in your name. The best method to preventing this kind of identity theft is to freeze your credit with all of these credit agencies. Having your credit frozen will mean that any time you (or a bad actor) tries to open a new line of credit, you have to contact the credit agencies and provide them with a specific pin code and a length of time you’d like your credit freeze to be lifted. It’s a bit of a hindrance when applying for a new loan, but it is nowhere near the amount of headache and frustration you’ll go through if your identity is stolen.
Join the conversation!
Data privacy week is a time for all of us to educate ourselves on the current state of data privacy and what we can do to protect ourselves. While we definitely need more robust privacy/data legislation in the U.S. and across the world, we can all take actionable steps towards protecting ourselves in the meantime. I hope that the information I’ve provided here has helped you all recognize the steps you can take to protect your data and why we should care enough to take those steps.
We all want to take back control of our data and our online identities - that requires us to change habits and normalize this conversation. All of us could use a bit more privacy - even if it’s for, like, one second.
Do you have any data privacy tips to share with the rest of us? I’d love to hear the steps that any of you have taken to protect your data or identity! Please respond here or join the conversation with us on Twitter by tweeting us @Webroot on that platform. Can’t wait to hear your thoughts!
Very well articulated. The most impactful point is that nothing is actually free. To get something free, we usually end up selling ourselves (our data) in an ignorant Faustian bargain.
Convenience is always at odds with security, it seems.
My main point of attack when this comes up is to advise clients, usually with a suitable example, of where the cost of a cleanup was far greater than the additional security that could have prevented a breach.
I find if you can outline likely breaches (and most people will have heard of examples in their network) and the likely downtime and fallout then security becomes a more valued conversation.
Great informative article, 10/10!
Good Article and reminder to be dilligent! Human nature is to always look for the easiest way out and what is most comfortable and convenient. I like the idea of freezing your credit, even if you haven’t been compromised. The only problem is that in Australia it looks like you can only freeze your credit for 21 days, and then you can get an extension .
Security I like putting in place for myself and my customers:
Very well written article. The age old debate of Privacy over convenience has been and will always be a major talking point.
But sadly too few people are really taking this stuff seriously until they get nailed by it. We here in South Africa have a piece of legislation similar to GDPR called POPIA (Protection of Personal Information Act) I personally think it wont help as its too similar to GDPR plus the regulator here had its teeth removed so to speak.
My tips, they might be painful to follow they can help save your data in the long term
Great article . Thanks.
My views on GDPR are that they force companies to put good processes in place for data and be honest when there is a breach.
Thanks that was an interesting read. Definitely right about why does that website need access to my microphone, I’ve had several websites that have tried doing that and I never clicked yes. To think they’re trying to listen to me breathe, creepy…
On another note, having incredibly long passwords are good and will make it super hard to bruteforce, however some users most likely will use the same long password with a potentially different word somewhere in it, maybe they put the website name in? If that password was stolen, then the thieves will only need to guess on other websites. I suppose I’m trying to say that the user would make the password easy to guess, unless trained to not make it easy.
Obviously, a password manager would solve that, but the user may need one that is online or syncs between devices so its another cost of convenience on their end if they forget the master password or are not using a device with the password manager, which may cause them to use a much simpler master password.
The advice you gave was still very good and I’ll probably use it. Excuse my rambling on the subject above.
Thanks Keenan! Nice take on an “old topic”. And the gifs were a nice distraction from something so serious. My birthday is 01/01/00, and my mothers maiden name…. Oh, you didn’t need that?
My kids are at the age when they start getting important online accounts (banking, subscriptions, etc.) When they’re going through all the security questions options (what is your pets name, your first car, your zip code, etc.) I tell them they can put anything they want for answers; they don’t have to match, just be remembered. For example, Q: What is your first car? A: Mr. Peanutbutter. Q: What is your pets name? A: Toyota Corolla.
I try to get them to NOT participate in the your _____ is your birthday and the street you live on social engineering tricks.
So far the kids are ok. They know the dangers from being on the Internet their whole life. It’s the older co-workers that are naive babes oblivious to the danger they’re strutting into.
Great article, and in this current age, we need to always be mindful of privacy. Complex passwords are a must these days and fortunately there is a lot of password manager tools and most browsers will have this capability as part of their core functionality. Another function for those in the Apple ecosystem is the hide my email option when signing up to websites. A great way to hide your identity on those sites you won’t frequent regularly.
When all else fails Dark Web scanning for leaked credentials can give organisations some visibility in what credentials and personally identifiable information of their employees are on the web. As other posters mentioned end user training and awareness for identifying phishing scams is a great way to minimise credential leaks.
Useful info and something to think about. Still feel that users will always be the weakest link and people need a constant series of training to make sure they understand the risks and impact. People can just be to complacent these days.
Very useful article, privacy is critical nowadays.
Create a fake identity and use that for all the bogus sites. Don't answer online quizzes with answers that really can identify you. Better yet, don't answer the question at all. E.g. if they ask for your favorite movie, fill in a car brand.
Really good article that focus more on people than business.
I’ve seen many bad handling of personal data at past customers and i sure ain’t doing business with them as an individual.
We, as IT people, have a responsibility to educate our customers/management on these risks and matters.
All this tap your card/phone/watch to pay without entering a PIN is scary. Is it really that difficult to spend a few seconds punching in a few numbers for a little security? I don’t care if unauthorized purchases will be refunded. I want to prevent the unauthorized purchases from happening in the first place. This feature should never be activated by default.
Also, smart homes and personal assistants. I don’t trust them. I can flip a switch to turn on the lights.
No thanks. I’m old school. It’s safer that way.
I have my doubts about the effectiveness of GDPR but it than that very well thought it and will written sucks. The advice about 2FA is sorry on.
We have been pretty lucky with clients calling in before they click, but we still get a couple instances a month of someone clicking a bad link in an email. So far we have been lucky with that as well and our systems catching it before anything adverse can happen.
Thank you for sharing. The memes are a nice added touch!
I moved to using a password manager in my personal life. Took a couple of days picking away to fully migrate everything in and then change everything to stupidly long complex pass phrases and then to clear out saved passwords and log ins from browsers. It’s a process, just a bump to get through but once it’s done, that one single password for access makes life a little easier. Also, I do not use the password manager browser extensions. Like the old joke, I’m not being paranoid, I know people are out to get me.
that you also aspire to lead a quiet life, to mind your own business, and to work with your own hands, as we commanded you,
If you use the same “fake” information for authentication and verification (“Your Pets Name”, What is the third number of the last four digits of your Social Security Number?”, etc) then you are still as much at risk for having other accounts of your hijacked. While they may not be able to buy a house with your bogus information, the damage they can do is still going to be considerable.
Well written article, that gives a lot to think about!
A data privacy tip: lie.
Do some of these websites really need to know your birthdate, address (unless for shipping), your first pet’s name, etc? So long as you use a trusted password manager, you can keep these lies sorted in the event you need to reset a password. In the event of a breach, your fake information cannot be used to impersonate you.