Survey Highlights Serious Security and Compliance Problems
Data Privacy Day was earlier this week. I can’t think of a time when data privacy was more discussed among businesses and individuals than right now, and yet, this day to focus on privacy went largely unnoticed. At least, I had no idea it was coming until a couple of people alerted me. Now I know it falls every January 28.
Of course, data privacy isn’t something we should be thinking about only one day a year. Nor should data privacy be seen only in relation to NSA spying and Edward Snowden. It is something that should be practiced regularly and improved upon whenever possible in order to keep information from getting into the wrong hands (and I don’t mean the government).
As Guidance Software’s Anthony Di Bello pointed out in a blog post, data privacy and security needs to be used everywhere for it to be effective. The best practices used at work should extend to home. The trick is making sure employees understand why instituting best practices for privacy is so important. Di Bello provided an example from a chief information security officer (CISO) with whom he works, and I think this advice should be shared:
This CISO knows that a single, annual 30-minute webinar on security awareness training will not be enough to establish best-practices data handling for the employees of this global company and the many third parties who are part of their information ecosystem. To interest employees in improving corporate data security, his team focuses a variety of courses year-round on the individual employee’s personal data privacy and security. People are naturally more invested in topics that improve their personal lives, and have found that that employees trained to appreciate data security will apply those same security principles when working with corporate and customer data at work.
Computer users should be encouraged to think about privacy choices the next time they create a new online profile, or load an app on a phone, or sign up for a frequent shopper card at their favorite retail establishment, Chester Wisniewski, senior security advisor at Sophos, told me in an email, adding:
And with the big data movement hell bent on collecting as much information about us whenever possible, apparently innocuous or unimportant details can be pieced together in new and surprising ways.
Wisniewski provided three very easy ways to protect user privacy. These steps encourage employees to not only protect their own data, but company information as well:
- Turn off geolocation, and leave it off. Geolocation data has been silently hoovered up and sent home by phone software as diverse as flashlights and mobile apps for kids.
- Turn off Wi-Fi. Turn it on when you need it. As Wi-Fi searches for networks to join, your phone will offer up the names of Wi-Fi networks you’ve used previously. Many Wi-Fi networks are named after the places where they’re located, so that your phone’s electronic greeting can read like a history of where you’ve been. Alongside the networks it’s joined, your phone will also broadcast its MAC address almost constantly. Commercial organizations have begun to show serious interest in that little unique ID because it can be used just like a cookie to track and profile your movement in the real world, according to Wisniewski.
- Log out when you have finished. Everything you’ve used but haven’t logged out of is an open back door that leaves your privacy at the mercy of click jacking attempts, cross-site referral forgery attacks, social media tracking beacons and people just sitting at your keyboard when you’re not there.
