Check some of the key risks for both businesses and individuals
By Laura Haight
Privacy and security may seem unattainable. Every day, we learn of some new hack, some new incidence of a trusted partner or service exposing or selling our information.
Securing your business and personal information — the focus of Data Privacy Day on January 28 — takes diligence, consistency and maintenance. The results may not be perfect. But ask yourself if you should not bother locking your front door because - after all - someone can break a window and get into the house? No? Then don’t just be a victim. Do something.
Here are five risks and how to better guard against them for both businesses and individuals.
The biggest risk to any business is an authenticated employee. That’s the chink in the armor that opened the door to Equifax, Sony, SC’s Dept. of Revenue and every other major data breach so far. Employees, regardless of their level of authority, need training to help them identify ever more authentic-appearing phishing and whaling emails. And you need a mechanism for reporting and publicizing attempted breaches to other employees. We’ve talked about this before, but it is still the biggest issue for your business.
Keep your data inside your business where your internal network security can best protect it. To do that, businesses need to stop employees from taking sensitive info outside of the office. Several large breaches, have involved theft of shadow databases on a company laptop or USB. Block USB’s and external drives on desktops. But establish secure alternative ways for employees to access data remotely. Start by limiting data access to people who really need it; then implement a secure VPN for remote access. That will also do double-duty by protecting your employees from the risks of using public Wi-Fi while on the road.
Do former employees still have access to your network and data? There’s about a 50 percent chance that they do, according to researchers at the identity management company OneLogin. The company surveyed 500 CIOs and found that nearly half of them knew that ex-employees still had access (don’t get me started on why they aren’t doing something about it…). Start the year off right by getting IT and HR together to compare current employees with authorized users, as well as looking at whether their access levels are still matching up with their jobs.
Don’t keep what you don’t need. That’s a keystone of security. If your businesses doesn’t have an email retention policy, you need one. Employees cannot be left to their own devices on this. But make sure you think outside the desktop as you develop it. In the mobile device age, employees get email on multiple devices. Once on a non-work device, email is sort of out of your control. The employee can send it to someone else, save it to another file location, move it to an online service they use separate from a work resource. So even if that email is deleted from their work account, it may live on in many other places outside of your control and, more worringly, potentially more vulnerable to exposure. Never send sensitive info (like credit card numbers, SSNs, passwords) or copies of databases containing client or company proprietary information through email. Because you just don’t know where it will end up.
Got a website? Then you’ve got a possibly overlooked security issue. Chances are another company maintains it, which means they should be regularly installing security updates, security fixes and patches for widgets, and reviewing analytics that can identify potential exploits or nuisance spammers of your website. Ask them to report on the status of these items and, if they haven’t been done, this is a good time to do it. Your site is particularly vulnerable if you have public-facing forms (like contact forms) or accept credit cards.
The three most dangerous words ever voiced - at least as far as your security is concerned - were “plug-and-play.”
Personal users have been led to believe that someone else is taking care of their interests. It’s not the case, and with each new technology leap from smartphones to internet connected devices to driverless cars, users become more exposed.
Here are five of the biggest risks most users have at home or in their pocket and specific remedies to tighten things up.
Your router. The average user may know very little about the hardware that provides Internet access in your home. But that alone is a big problem. You probably have two devices in your home that your Internet provider installed: a modem that receives the broadband signal, and a router that distributes it to your wireless devices. The network name you see on your smartphone is the identifier of your router. The vast majority of users (and Internet providers) have never changed the administrator account logins and passwords to these routers. They are widely available in user manuals readily accessible on the Internet. Do three things: 1. Contact your Internet provider and have them walk you through accessing the management console of your router through a browser. 2. Change the administrator password. 3. Uncheck the box for DISPLAY SSID. This will stop broadcasting your network name. What a hacker can’t see they can’t hack.
Ransomware gets the most publicity when it hits a city (like Atlanta last year), a major industry (like Sony), or local schools and police departments. But, in fact, ransomware is a pretty effective tool for hackers who just want a cheap income scheme with everyday personal users - like you - as the victims. Ransomware holds your computer hostage until you pay. If time expires - the hackers wipe out your hard drive. Make sure you’ve got a backup of all your files offsite, preferably through an online service like Mozy Pro, Carbonite, iCloud (Mac), or OneDrive (Microsoft). Make sure that backup includes all your files, including photos. Most current computers have the operating system installed on a recovery partition, so if your drive is wiped out the recovery area would be able to reinstall the OS. Keep a list of all the software you use and make sure you have your license keys for it, in case you have to reinstall. Having these bases covered will make you less vulnerable to the threat, but it will still be a day of work to get your PC back to normal.
Passwords. Yes, I hear you groaning. “OMG, doesn’t everyone know that by now?” We’ll, you’d like to think so, but if they do, they still aren’t taking it seriously. Real security on your computer, your phone or table, is three-pronged: Something you know (your password), something you have (your phone), and something you are (a fingerprint or retinal scan). Wherever it is offered, use two-factor authentication (TFA). Generally, a site will ask you to login, then send you a code you need to enter to complete the authentication process, you receive the code on your phone that requires you use your fingerprint to unlock. TFA significantly increases the security of all your accounts and devices.
By now we should all be well aware of the dangers of being hacked or exposed on social media. Most sites offer the ability for users to manage their own security settings, but they don’t necessarily make it easy to find or to understand. Additionally, updates and changes to security systems on these sites often change your settings without your knowledge. Stay Safe Online, a program of the National Cyber Security Alliance, has a webpage with links to security setting information for every major social media site and online services. It will be time well spent to find the sites you use and check on how well you have secured your personal information.
Portfolio is proud to be a champion of the National Cyber Security Alliance, which sponsors Data Privacy Day.