Do you review your security and privacy practices? January 28th is international Data Privacy Day, the perfect time to start. Organizations, governments and individuals use the date to bring more awareness to personal information sharing and safeguards.
Here at Information in Bloom Management Services we’re thinking about privacy all year long, but it’s good to stop and review the basics. In the spirit of Data Privacy Day, here are 10 ways to buff up your information safeguards and better understand what controls you have over your own data.
10. Consider deleting old accounts
Is there an online service you're no longer a fan of? Consider dropping it entirely. Misuse and disclosures cannot affect information that isn't there. Those old accounts may still hold personal information you've all but forgotten about, right up until a news story or email informs you there's been a data breach. If you need help, there are lots of guides out there, such as Charlie Osborne's blog in ZDNet. Some services, including DeleteMe, will show you how for each website and service.
During cleanup, don't forget to check the service's privacy policy for details on what happens when you delete your account. Many services take days, if not months, before the data is actually deleted. They do this to accommodate second thoughts and let customers easily return, although attackers have begun to use this grace period as well, since an account that is closed but not yet deleted can sometimes still be logged into or reactivated. Confirm whether the information may still be accessible for a period afterwards, and whether you can ask for it to be removed sooner.
9. Read those policies and ask if you understand them
Those privacy policies and notices attached to products aren’t purely for show. Privacy laws, including PIPEDA in Canada, require organizations to be open and transparent about their information practices. The GDPR in Europe takes this a step further: not only must organizations be open about their practices, but notices must be in "clear and plain language". Often, reading a privacy notice and moving forward with the service is taken as implicit consent: organizations presume that if you've read the notice and continue to use their service, you have consented to the collection and use of your data.
Take a few moments to read or re-read the policies of websites and services you frequently use. Do you understand the notice? What data do they collect, and how do they collect it? How is information shared? Are there any ways to opt out? Do they have any guides on protecting your privacy? If you have questions about how an organization uses your information, the privacy notice should answer them. If it doesn't, does it at least provide a contact for more details?
8. Shred sensitive papers
Ready to recycle old mail and paper documents? If they contain personal or confidential information, shred them first. Shredding keeps papers out of the hands of individuals who could use them to commit identity theft and fraud. A cross-cut or micro-cut shredder is preferable to a strip-cut one, since long strips can be pieced back together. While online identity theft is on the rise, traditionally individuals have been most at risk from loved ones and others with access to the victim's home.
If you operate a home office, some shredding may also be required by law. Financial, health and privacy laws in the United States, including SOX, HIPAA, FACTA and GLBA, all touch on the retention and secure disposal of sensitive records; Shred-Nations provides details on the laws that require secure shredding there. Other laws, including Canada's PIPEDA, include clauses on the safe destruction of sensitive information:
Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information. [PIPEDA, Schedule 1, clause 4.5.3]
7. Check privacy settings for services and devices
Unfortunately, for many applications the privacy-friendly settings are not the defaults. Privacy by default is a requirement of the GDPR, but not in North America or most other countries. California's new law, for example, presumes users accept sales of their data unless they deliberately opt out. Odds are you'll need to dig through your account settings to find any options, if available, for sharing less of your information.
Are there items you can select or click to share less information? For example, can you opt out of emails from third-party marketers, or of the use of your data for product research? Depending on the app or service, you may find your privacy settings quickly, or you may need third-party guides to navigate them. The website StaySafeOnline offers a list of popular services and how to update their privacy settings to get you started.
6. Enable multi-factor authentication on all accounts
Multi-factor authentication, also known as MFA (or 2FA, for two-factor authentication), is a security must-have. The concept is that to get access to an account a user must present two or more pieces of evidence to verify who they are, typically something they know (a password) plus something they have (a phone, an authenticator app or a hardware key). The second factor means a username and password alone are not enough; an attacker would also need access to your phone number, authenticator app or security key. As Carnegie Mellon University's technical services put it:
Many log-ins can be compromised in a matter of minutes, and private data, such as personal and financial details, is under increasing threat. Wouldn't it be nice if your online accounts let you know when someone new is trying to get into them? Even better, wouldn't it be terrific to make a stolen password useless to others?
As MFA has become a viable way to make accounts harder to hack, many services now offer it as part of their security. Often it takes the form of a second code sent to your phone or email, or generated by an app, that you enter at login. Where the service gives you a choice, prefer an authenticator app or a hardware security key over SMS or email codes: text messages can be intercepted through SIM-swap attacks, any code you type can be phished along with your password, and a hardware key only works on the genuine site. Check your security settings and help documentation for setup, and add this critical safeguard where you can.
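To make the "code generated by an app" concrete, here is an added example in Python (not code from the original post or from any particular service) of the TOTP algorithm from RFC 6238 that authenticator apps use: phone and server share a secret at enrollment, and both derive the same six-digit code from that secret and the current 30-second time window, so a stolen password alone is useless. The RFC 6238 test secret and expected codes come from the standard; the base32 enrollment string is a constructed sample, and the function names, the drift window and the verify routine are choices made for this example.

```python
"""Worked TOTP example (RFC 4226 HOTP + RFC 6238 TOTP) behind authenticator-app MFA."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC the 8-byte big-endian counter,
    take 4 bytes at the offset given by the low nibble of the last digest byte,
    clear the sign bit, and keep the last `digits` decimal digits, zero-padded."""
    digest = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of `step`-second
    intervals since the Unix epoch, so phone and server agree without talking."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, submitted: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check (example policy, not from any standard): accept the current
    code and `window` steps either side to tolerate clock drift, and compare in
    constant time so response timing doesn't leak which digits matched. A real
    server must also refuse to accept the same code twice."""
    for drift in range(-window, window + 1):
        expected = hotp(key, unix_time // step + drift, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def secret_from_base32(b32: str) -> bytes:
    """Enrollment QR codes carry the shared secret as base32, usually unpadded."""
    padded = b32.upper() + "=" * (-len(b32) % 8)
    return base64.b32decode(padded)


if __name__ == "__main__":
    # RFC 6238 test secret (the ASCII string "12345678901234567890"), 8-digit codes.
    rfc_key = b"12345678901234567890"
    for t, expected in [(59, "94287082"), (1111111109, "07081804"),
                        (1234567890, "89005924"), (2000000000, "69279037")]:
        assert totp(rfc_key, t, digits=8) == expected
    # A constructed enrollment secret, as an app would scan it from a QR code.
    key = secret_from_base32("JBSWY3DPEHPK3PXP")
    now = int(time.time())
    code = totp(key, now)
    print("current code:", code, "verifies:", verify_totp(key, code, now))
```

The drift window is the practical reason codes keep working when your phone's clock is a few seconds off; it is also why a server has to remember the last code it accepted, otherwise a phished code stays valid for up to ninety seconds.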
5. Use a password manager
Reusing the same password for everything is dangerous: a single breach exposes all of your accounts, because attackers routinely try leaked username and password pairs against other sites. Yet trying to use multiple passwords is a strain. Our brains only remember so much, and multiple passwords made of random characters and numbers are challenging. Enter the password manager: a program that saves your passwords securely so you don’t have to. With a password manager, you only need to remember one master password. The program keeps everything else encrypted until you need a specific account, at which point the manager fills in the credentials. Because most managers only fill a saved login on the site it was saved for, they also help you spot look-alike phishing domains. Password managers make it easy to use a different, complex password everywhere without fear of forgetting them.
If you’re uncomfortable with applications, physical password managers, i.e. writing them down in a notebook, are also good in a pinch. While writing your passwords down where others can read them might appear counterproductive, a password book is still better than having one single password that, if stolen, gives attackers access to everything you have. Be sure, however, that the book itself is secure in a locked drawer or cabinet. Lying on your desk where anyone could grab it is a definite no-no.
4. Block web cameras and speakers when not in use
While ideally web cameras only run when you want them to, sadly this isn’t always the case. Hackers can take advantage of exploits, such as the 2019 Zoom vulnerability that allowed websites to switch on Mac users' cameras without permission. One surefire way to prevent unauthorized recording is disconnecting or blocking the hardware these applications rely on. Camera covers for laptops are growing in popularity, with Laptop Magazine featuring a few of their favourites in a past blog. Or, if you don't want to buy a commercial product, consider the DIY variety Mashable describes, using a post-it note. Unfortunately, audio is harder to block; covering your camera won't stop strangers from listening in. Glenn Fleishman of Macworld offers advice on controlling audio input, or consider a plug-in solution like a Mic-Lock.
As cameras and recording devices are increasingly incorporated into ‘smart’ devices, you’ll also want to pay attention before you buy. Can you block or physically disconnect the camera when not in use? Can that voice-activated assistant be turned off when you want privacy, or to prevent remote access from the other side? Unfortunately, many IoT products lack quality security safeguards and can be attacked. Do yourself a favour: make sure you know how you would turn recording off before you purchase.
3. Run those updates
When was the last time you updated your operating system? Your anti-malware definitions? Your apps? While updates can be time consuming, and tempting to skip, don’t. Software updates are critical to your data security: they are how software publishers close discovered vulnerabilities and teach anti-malware tools to recognize the programs bad actors are sending. New bugs, attacks and malware hit the digital world every day. A recent report by Varonis cites the finding that hackers attack a target every 39 seconds!
However, even the most rigorous anti-malware tool can't keep you safe if it doesn't know what malware to look for, or if your computer still has known weak points. Software developers can write the code to protect you, but you'll need to let the updates happen, either automatically or by regularly scheduling time for patches to install. Where possible, turn on automatic updates; attackers exploiting a newly disclosed bug rarely wait for a convenient moment.
2. Block website snooping
There’s a trove of personal data collection happening whenever you browse the internet, from search history to cookies. Some of this isn’t a bad thing. Web developers and marketers, for example, like to have some idea of what types of visitors enjoy their site so they can make improvements. Sometimes, however, this data collection may be intrusive or downright overkill, particularly when your browsing habits are being mined for marketers. Fortunately, if you don’t want to be stalked by online services, you have options. There’s a growing sector of companies out there developing tools to keep you safe. These include extensions like Privacy Badger and uBlock Origin, search engines like DuckDuckGo and Startpage, and full-fledged privacy-protecting browsers like Brave and Firefox Focus.
In addition to browser choices and extensions, you’ll also want to consider a Virtual Private Network. Better known as VPNs, these services protect privacy by encrypting your traffic and hiding your location. The result is that attackers on the local network and your ISP cannot see the contents of your traffic or which sites you visit as you move from site to site. Keep in mind, though, that a VPN only moves that visibility from your ISP to the VPN provider, which can see everything your ISP used to, and it does not hide you from the sites you log in to. So be careful when selecting a VPN: some aren't as secure or private as advertised. Joel Lee of MakeUseOf highlights some of the worst actors, while, writing for Comparitech, Paul Bischoff provides a good list of reliable providers and how to get started.
1. Develop a stop, pause and think before sharing habit
It seems like everyone’s asking for your data these days. Want to read an article online? Sign up. New trend or game on social media? Add your account. Making a purchase in-store? Requests for your name and email. Yet as requests for personal information become automatic, our responses shouldn’t be. Before filling in that form, stop and ask whether the level of information required matches the service. Are there sections you can leave blank, or options for opting out of information sharing? Does handing over your data really offer any benefit, and can you refuse? Is there a clear policy you can read first, or could staff explain their data collection and use policies?
The stop, pause and think habit for information sharing can be a lifesaver, particularly against social engineering and phishing schemes. Attackers want you to hand over your details, such as usernames and passwords, no questions asked. Less maliciously, shops want your address so they can market to your inbox, or vendors want a phone number they can call. Yet too often users fail to realize they have more choice than initially offered. You might not need to provide contact information for an in-person service, or you may be able to opt out of communications. As GetSafe Online puts it: "Don’t be rushed – a genuine bank or organization won’t mind waiting to give you time to stop and think."
Be aware of your privacy rights, and get comfortable exercising them.
Image credit Jason Leung