We face an unparalleled threat to the digital safety of our personal information daily. Believe it or not, we are all fighting an information war: our data is under constant attack and our privacy is at risk. Our data is a target for multiple reasons and for a variety of individuals, gangs and institutions. We should be making it our priority to protect our data. There is no silver bullet, but there are ways to mitigate the threats: measures that we can take and technologies that we can use to help protect our personal information and maintain our right to privacy.
The threat to our privacy is often directly comparable to our data exposure. By choosing to minimise the amount of data that you leave exposed, you automatically minimise your attack surface, the threat to your data and the threat to your privacy. So, we should be attempting to reduce our data exposure rather than carelessly flaunting our personal data or allowing its exposure without much thought to the consequences.
Threats to privacy can take on many forms
Data breaches are happening left, right and centre, but they may not always unfold as we perceive them to. When we hear of a breach, our initial thoughts turn to a hacker with malicious intent targeting and infiltrating systems to steal our data. This is sometimes the case, but it is important to remember that this is not the only way in which our data can be breached and our privacy risked.
Organisations are required to process personal data in a secure manner, in order to avoid personal data being placed at risk from unauthorised or unlawful access and processing, accidental loss, destruction or damage. All these instances constitute a breach of personal information.
Other than direct hacking, data is also placed at risk through employee error, for example by sending the incorrect data to the incorrect recipients, or by losing devices that contain data in an unsecured form.
In all these cases, there is still a risk to our data and a potential breach of our privacy. However, breach incidents such as these are due to an organisation's security inadequacies rather than a direct malicious attack.
Other causes include weak or missing passwords, not patching or updating software and systems, misconfiguring services or failing to implement proper access controls. Further causes are viewing data on rogue wireless networks (where your login credentials are captured), social engineering, manipulated emails, phishing and targeted attacks, as well as insider and outsider threats (both malicious and not).
While hackers and cybercriminals are often the cause of data breaches and privacy breaches, it’s important to realise that there are also incidents where organisations, public bodies or government agencies unintentionally expose our sensitive or confidential data online. Additionally, individuals can place themselves in vulnerable positions by not taking the appropriate measures to protect their data and their privacy.
No matter how the breach occurs, the impact is significant to the owner of the personal information. It’s an attack on their privacy! Those of us who are aware of the consequences of a breach are concerned, and rightly so! It is a legal obligation to ensure personal data is secure, yet massive data breaches are still a regular occurrence even at major companies and well-known organisations.
Breaches, we just don’t seem to learn from them
As individuals become more knowledgeable about data protection and their privacy rights, hearing of these data breaches more regularly is beginning to hit home. Many are concerned and left asking the questions: Why are companies not taking data protection seriously? Why are companies not implementing the appropriate measures to protect our data?
When companies don’t take data protection seriously and don’t implement the appropriate measures to protect the data, many feel the need to look out for themselves and to take control of their own security and privacy.
If proper security practices were deployed, the majority of the breaches could be avoided. The Equifax breach immediately comes to mind. It was a big one that impacted 143 million consumers. One of the largest credit bureaus in the US had a vulnerability on one of its websites, which led to the data breach. It is thought to have started in May 2017 and went unnoticed until the end of July 2017. During that time, the personal data of its customers, including social security numbers, birthdates, addresses, driver’s license numbers and credit card details, was exposed.
Yahoo had an incident between 2013 and 2014, compromising the information of 500 million users and 3 billion user accounts (revised to this number in 2017). Users’ names, email addresses, dates of birth and telephone numbers were compromised.
Many healthcare-related breaches occur. Anthem, for example, the second-largest health insurer in the States, was breached in 2014, impacting 80 million current and former customers. The attack exposed all the personal details needed to steal an identity! It is thought that it all started with a phishing email (which could easily have been avoided if technical measures to secure the data were used!). The British NHS has been breached on numerous occasions, and just recently almost half of Norway’s population had their details compromised when Health South-East RHA had its systems breached.
Then there have been breaches at large stores like Home Depot, Target and Forever 21, where loyal shoppers have had their data compromised. Many of these resulted in credit card data breaches via access to the payment card systems (which were accessed because the technical measures were either not in place or not working, which really is the same as not existing!).
Other notable breaches are Uber, Dropbox, VeriSign, Sony, eBay, JP Morgan Chase… the list is endless, and breaches are happening across all industries, all sectors and companies of all sizes and varied value. You quickly realise that no company is immune and that even the companies of high worth that have the resources to protect our data are just not doing it adequately.
If this data were protected, the impact of the breach would have been nullified! People’s personal data and privacy would have been maintained. These are large organisations that have the resources to prioritise their security. It demonstrates the extent of the problem that we are facing.
So, what can you do…
It’s so important that you keep, protect and control your data on your terms whenever possible. Use appropriate data protection technologies to protect your data whenever it’s possible for you to do so. Use two-factor authentication when available. Be cautious. Be vigilant. Only entrust your data to reputable organisations. Ask questions and make sure you get the answers and guarantees that you need to warrant the safety of your data.
There are some simple steps that you can take to improve your security posture and maintain your privacy. They are:
- Protect your data and secure your communications.
- If you use cloud storage, protect your data before uploading it to the cloud. You wouldn’t leave your sensitive documents in an unlocked filing cabinet, so why keep them unencrypted in services like Google Drive and Dropbox, where your documents can be accessed by the providers and others linking to your account?
- Use strong passwords (the more characters the better!), use access control and the best authentication methods available to you. Automated software can guess passwords in no time, so use a layered approach whenever possible.
- Patch and keep your software updated. Remove buggy software and software that you just don’t use. (Remember, the aim is to reduce the attack surface wherever possible.)
- Rethink your data: What you keep and store. Do you need it? How long should you keep it for? Be organised and know what you have. Have a retention plan and delete the data that you no longer need. Avoid keeping data unnecessarily. When you store it, transmit it and share it, remember to protect it!
- Know that it is OK to opt out. If you do not want to share your details, don’t! If you do not want to join a list or a registry, that’s fine. It is your choice to hand over your details or not to, so make sure you are happy with who holds and processes your data.
- Ask questions! Why do you need that? What are you doing with it? Will you protect it? If you are not happy with the answers you receive, don’t settle; go elsewhere until you are satisfied.
- Make sure that your data is treated in a manner that ensures it is always confidential, available and keeps its integrity. Make sure, too, that your data cannot be linked in any way to identify you (so you maintain your privacy) and that it is always under your control so that you can choose to intervene if you wish (access it, remove it, transfer it, or rectify it etc.).
Remember that your personal data is yours; it is valuable and you should treat it that way. No one values your data as much as you do.
You wouldn’t leave your valuable items unprotected, your house open or your car unlocked, would you? Knowing the risks that there are, seeing and hearing of the breaches that occur and the impact that they have on so many individuals, this should be a wake-up call!
Reduce exposure, reduce the attack surface and mitigate the risk
Every step you take to protect your privacy is a step in the right direction. Even a single change will improve your security posture and reduce your exposure. Make the necessary changes, take control of your security and maintain your privacy.