ANS Blog

Sharing Personal Data: When You Become the Product

April 03, 2018 in Data Privacy

Sharing Personal Data: When You Become the Product

This week as you browse the web, shopping for special deals, watching YouTube videos or using your Gmail account, keep one important thing in mind. When you're not paying with cash, you're paying with your personal information.  

These days, in order to access all the awesome free, or discounted, stuff on the web, we willingly give up a whole lot of our personal information. It’s a movement that most of us have just simply come to accept. Or have we?

A 2010 quote posted by a seriously unhappy MetaFilter user sums it all up nicely: “If you’re not paying for it, you’re not the customer; you’re the product being sold.”  It’s hard to know just how many people are actually aware of the big implications of this statement; or whether they even care. What can be definitively stated is that, if they don’t, they should.

The Cost of "Free"

The recent Cambridge Analytica/Facebook data privacy controversy is proof point that everybody wants stuff for free, but seldom do we ever question what it really means to get something for free. Over the last decade, the focus on personal data privacy and protection has had its ups and downs. But it’s headline news like Facebook’s data sharing debacle that shines a floodlight on how social media companies, and so many others we interact with, collect our information and make it available to others.

Studies conducted by the Pew Research Center show that most people are anxious about all the personal information that is collected and shared, as well as the security of their data. In addition, almost all participants agree that we’ve lost control over how personal information is collected and used by all kinds of entities. Yet, even as they express great concern about the privacy implications of doing so, the number of people who say they would find it hard to disconnect continues to rise.

So how do we bridge the chasm that exists between the control people say they want, and what actually happens with their personal data?  A big part of the problem is that even though the vast majority of people will tell you that it’s very important to be in control of who has information about them, most people don’t truly understand how and what data is actually being collected.

The reality is, social media sites are only part of the overexposure of our personal data. We ourselves, are constantly sharing our own personal information with entities that we don’t really know, and without fully understanding the implications, in exchange for something. Why? Because we humans can’t resist the lure of convenience and cost savings when we want or need something. So, in those moments when we are filling out a very innocent looking profile form or questionnaire, we don’t choose to over analyze the fact that we’re paying for that something with the data we also want to protect.  Here are just a few common examples of where this can happen:

  • You created and use a Google account.
  • You registered for a grocery store, or other retail store, customer loyalty card.
  • You agreed to let your car insurance company monitor your driving habits to get a discount.
  • You posted your resume online for your new job search.
  • You used the free Wi-Fi available because it helps save your data plan and is a lot faster than 4G.
  • You loaded apps on your smart phone that require knowledge of your present location or request access to your contacts or camera.

The bottom line is that we now live in a time when we generate and share (both knowingly and unknowingly) a tremendous amount of personal information. And that personal data is extremely valuable.  Not just to cybercriminals, but also to marketers who have figured out how to make it a multi-billion-dollar industry that’s become increasingly invasive. Let’s just take Facebook, for example. Last year, Facebook's average advertising revenue per user was $20.21—that’s double the amount it generated just three short years ago. When you turn that situation around, it seems like most people, if asked to trade a large portion of their personal information for $20.21, would not be willing to share it for that price.

What can we do to protect ourselves?

We first need to acknowledge that the concept of personal data has changed drastically over the last decade. It’s gone way beyond our credit card numbers or passwords. It’s now our own behavior—who we are, what we like, what we buy, who we know, where we are, and where we plan to go—that’s being captured and monetized by others. So, we have to educate ourselves and learn to share in the responsibility for the digital footprint we leave behind each day. An important part of controlling our personal data can start with our own behavior. Stopping to ask the question, “Do I really want (and need) to share this information?”

It’s also about learning how to handle your data and, as much as possible, make sure there’s a greater level of informed consent involved before you give it away. Taking the time to read privacy statements and lock down your privacy using the settings available on each of your online accounts. Making a conscious, informed decision that the something that you’re getting is of real value to you before you fill out the next form. While I’m not suggesting this is the solution to all of our data privacy abuse issues, I’d say it’s a start; and we should do whatever we can on our own behalf.

As we watch the EU implement its General Data Protection Regulation (GDPR)— a regulation that requires businesses to protect the personal data and privacy of its citizens—I believe that America will eventually be forced, based on growing awareness and demand, to develop its own standard for consumer rights regarding their data. Only time will tell if GDPR is successful in changing the business models of companies that monetize personal data; but to be sure, the rest of the world will definitely be watching.

Why Cybercriminals Love Small Businesses

Small businesses are in the crosshairs of an increasingly complex and sophisticated array of cybersecurity threats.  Although major hacks of large corporations are now regularly headlining the news, small businesses are actually being attacked more regularly–and with increasing frequency. In fact, a recent Verizon study reports about 71% of data breaches occur in businesses with fewer than 100 employees.

The ugly truth is that regardless of how often cybercrime is talked about, small and medium-sized organizations continue to fall short at managing their cyber risk. As a result, they make easy pickings for hackers; that’s why they love to target them. So, if you own a small to medium-sized business or non-profit, here are a few reasons why organizations like yours are frequent targets:

1. Small businesses have lots of information cyber-criminals want

No matter what you may believe, you DO have information on your computers that can be monetized and, therefore, worth stealing.  If your organization uses accounting software, online banking, or processes credit cards then you are a perfect candidate for a network hack. If you have employee payroll data or keep patient-student-client-or vendor records in your systems, you are also a worthy target.

2. Their limited resources are not focused on IT security

Most smaller organizations focus their limited people and money resources on things other than network security. A majority have a low-level of security awareness, and often little to no security policies implemented. Even if a basic firewall and an anti-virus product are in place, these baseline security measures often don’t fully protect against the newer, more sophisticated versions of malware being generated every day. In fact, the newest forms of malware are specifically designed to bypass or evade these basic defenses.

Unlike large organizations, small ones don’t have the budget to hire the right people or deploy the best security technologies to protect themselves. In fact, even though they are aware of the dangers a cyberattack can pose, they usually still don’t allocate any additional budget for security. They prioritize things like maintaining a healthy cashflow and implementing new marketing strategies, but neglect the equally important matter of data security. Cyber criminals know all of this, and relentlessly search for ways to get into under-defended networks.

3. Their under-trained employees make them vulnerable

Smaller organizations often don’t foster a culture of security awareness. Often there are no formal IT security policies enforced, nor is there a training program to educate employees on the topic of information security and how to spot/avoid potential threats.

Hackers love to target unsuspecting employees with email phishing scams and other social engineering techniques in order to trick them into providing confidential information. Due to their continued high success rate, email links and attachments are the #1 delivery vehicle for malware. Since a plethora of current research tells us over 80% of data breaches are caused by some form of human error, it’s easy to see how untrained employees are the weakest link in the cybersecurity chain.

4. They are low-risk targets that offer big returns

In many instances, cyberattacks are designed for a quick, short-term payoff. Sometimes, the attackers goal is to get employees to provide access to their computer in order to launch a ransomware attack. Other times, their goal is to get employees to provide information that can be quickly monetized; like payroll records, credit card information, or access to an online banking site. Still, other times, the payoff is over the longer term including breaches aimed at stealing specific company assets like intellectual property, trade secrets and other proprietary information.

These kinds of breaches can go on inside the unknowing victim’s network for months and sometimes even years before they’re discovered. Overall, the chances of a cybercriminal getting caught are relatively low. Cybercriminals can launch attacks on hundreds of thousands of small businesses from anywhere in the world, making it increasingly difficult to catch them. Only a small percentage of cybercrime waged against small businesses get reported in the police or the media; and even when cybercrimes are reported to authorities, they rarely result in a conviction.

Protecting your data can mean staying in business

As I mentioned earlier, the ever-growing number of announcements of corporate data breaches has become almost everyday news. What’s different about these kinds of attacks, when they happen to small organizations, is their effect. The impact of a data breach on small businesses is usually much more detrimental than for larger companies. Phishing scams can drain your bank accounts and ransomware attacks can grind your business operations to a dead halt. Remediating a breach costs money—to repair your network, recover lost assets, to notify affected parties and restore your good name with customers and vendors.

On average the cost per lost or stolen record is $221. As a result, a National Cyber Security Alliance Study found that 60% of small to mid-size companies go out of business within 6 months of a data breach. This is a pretty depressing statistic that only serves to underscore the fact that no small business can afford to operate in a blissful state of denial. Better protection for your network doesn’t have to be a complicated process or financial burden. Learn more about how our managed security programs can cost-effectively defend your organization against an ever-changing cyberthreat landscape.

2-factor authentication (2FA) reduces account compromise

In the world of IT, authentication is the process of identifying that an individual is who he or she claims to be.  It can be based on providing information like a username and password, an ATM card and PIN, a device that can generate or receive a code that can be used to login, or a biometric like a fingerprint that can be scanned. Authentication is a key requirement if you want to carry out a transaction online; but like all other credentials we use, it’s susceptible to being compromised.

Single vs. 2-Factor Authentication

Authentication can be single factor, where a user enters a username and password. It can also be two-factor (2FA), where a user logs in using a username and password, plus enters a one-time-passcode received from another electronic device, like a mobile phone. Authentication can also be multi-factor (MFA) which requires two-factor authentication plus another factor like a voice or fingerprint. A risk-based multi-factor authentication system requires MFA dynamically, based on set of risk-based rules (such as what device you are trying to log in from).

The traditional, and not so secure way to log into an account, like Netflix.com, is single factor authentication. Most people like to use their email address and a familiar password so they can remember it. Enter these two pieces of information and you’re in and able to use your account.  Unfortunately, if you’re one of the 54% of consumers who use five or fewer passwords for all of their accounts, you could create a “domino effect” that allows a hacker into any number of different accounts (most containing a lot of personal information), just by cracking ONE password! That’s where two-factor or multi-factor authentication comes in, both of which offer better protection.

Even though two-factor authentication requires an extra step in the login process, most commercial sites offer the option, and make it a relatively easy process. In fact, you may already be using it now with your online banking or favorite shopping site and not realize it.  A typical 2FA experience is when you log into a web site that sends a numeric code to your mobile phone which you in turn need to enter into the site to access your account.

Increased Security

2FA adds an additional layer of security, making it harder for someone to impersonate you online. So, in the example I gave above, someone would need to steal both your password and your phone to compromise your account. If your mobile phone is locked (which it should be), they would also need your phone PIN, swipe pattern, or fingerprint to unlock it rendering it even less useful.

Unfortunately, there is no safe practice or product available that can guarantee you’ll never experience online, or any other type of, fraud. But using 2FA can help significantly reduce the chances you’ll end up a victim. 2FA should be used whenever possible. Especially when it comes to your most sensitive data—like your primary email, your financial accounts, and your health records. Some sites require you to use 2FA, and many others offer it as an extra option that you can turn on—but you have to take the initiative to do it. You can look here to find a list of websites that offer 2FA; and here for step-by-step instructions on enabling it for your accounts on sites that do offer it.

Reducing IT Threats with Security Awareness

As good as many of our IT solutions have become at thwarting security threats, some incidents can’t be 100% prevented by technology. The threats from social engineering are one of them. Within the realm of IT security, social engineering is the art of manipulating people so they unknowingly give up confidential information.

The types of information criminals are looking for can vary but, when someone is targeted, criminals are usually trying to trick them into providing website user ids and passwords, social security numbers, or credit card and banking information. Social engineering can also be used to secure company network logins, allowing access to your computer. Once inside, malicious software can be secretly installed that allows a criminal to quietly steal confidential company or personal information or control a device.

Cybercriminals use social engineering tactics for two reasons. First, because it is usually a lot easier to exploit a person’s natural inclination to trust, than it is to discover ways to hack their information. Second because, so often, it works.

At its core, security is about knowing who and what to trust. Knowing when to trust that the person you are communicating with is indeed the person you think you are communicating with; when to trust that a website is legitimate; when providing your information is or isn’t a good idea.

The Weakest Link

Security professionals will tell you that the weakest link in the chain is the human being who accepts a person or scenario at face value. There are some people who will invariably trust the person in the email who says that they need all employee W-2 information sent to them immediately, or that access to their online banking accounts have been revoked. If you don’t know the sender is legitimate, it doesn’t matter how many layers of technology you have in place; you are completely exposed to whatever risk that scenario represents.

The art of manipulating people into providing access to confidential information isn’t new; and it doesn’t even have to require the use of technology. It can also result from someone providing password information over the phone; or someone talking their way past a security guard and gaining physical access to a restricted area.

In each of these cases, there are few technical controls that can be used to prevent this sort of attack.  So, in addition to the physical and technological layers of security you use, you should also teach your users to be aware of these kinds of threats and how to deal with them. 

It’s important to understand that focusing attention on security awareness is key to reinforcing more responsible behavior. Information security is everyone’s responsibility. That means security awareness should be taught to, and expected from, your entire organization; from top executives all the way down.

Should my company invest in security awareness training?

In a word, yes. One of the best ways of fortifying the weakest link in the chain is through the use and enforcement of security policy along with security awareness training. It’s important for every organization, regardless of size, to have (and apply) a documented set of rules and practices surrounding IT security (a security policy).

Adding an awareness training program—one that covers topics including social engineering (with or without the use of technology), phishing, acceptable use of information,  password management, data encryption and incident reporting—can play a significant role in further reducing data breach incidents.

Awareness training also raises the level of understanding about why information security is a vital aspect of your organization, what the consequences of security incidents are, and what’s expected of them. In certain industries having formal information security awareness program is not even an option, since regulations including FISMA, HIPAA and GLBA require it.

Whether your organization is subject to government regulation or not, at the end of the day, the main goal of security awareness is to provide a greater level of protection.  An awareness training program helps ensure employees are better aware of policies, understand the basic controls in place, know how to spot/avoid potential security threats, as well as report an incident.

This information can go a long way in reducing your overall business risks and costs, and foster a more security-minded organizational culture. If you’d like more information on how to implement a security awareness training program at your organization, see our handout on Security Awareness Training.

Tips for Creating an Acceptable Use Policy

Organizations of all sizes have to worry about what their employees are doing with company computer equipment and Internet connections. It's no longer just a matter of wasted time that should be spent on job duties or the cost of network bandwidth. In the growing jungle of government regulations, civil lawsuits, and criminal charges for inappropriate online behavior, it's essential that companies cover their assets by establishing and enforcing clear rules governing computer and network usage. Policies are also needed to protect the security of the network and prevent users from introducing viruses or opening their systems and the entire network to attacks.

That's the reason you need an Acceptable Use Policy (AUP). It's not enough to just tell your employees not to use their work machines for non-work-related activities. You need to create and distribute a written policy and have users sign off that they've received and read it. The trick is to design a policy that's effective, fair, and won't be outdated as your organization grows.

Elements of a Good Acceptable Use Policy

An AUP sets out a formal set of rules that limit the ways in which network and computer equipment can be used. It should contain explicit statements defining procedural requirements and the responsibilities of users.

Some tips for creating your policy include the following:

  • Prohibited activities should be clearly spelled out. Phrases such as “Inappropriate use is prohibited” are vague and ambiguous. You must define what constitutes inappropriate use. Of course, you probably won't be able to think of every single individual action that would be considered “inappropriate,” but the most common misuses should be specifically named. For example, you can prohibit sending e-mail containing sexually explicit text or images, prohibit using the Web browser to visit online gambling sites, and so forth.
  • Blanket statements can address activities you don't specifically name. For example, you can prohibit engaging in any Internet activity that violates any local, state or federal law, or from sending any e-mail, instant messages, documents, or other communications that disclose any confidential information about the company, its clients, or partners.
  • To be effective and enforceable, the policy must be supported by management and there must be a designated person who has the responsibility for overseeing development and updating of the policy. This is often the Information Technology Director, CIO or other member of management.
  • The policies should be reviewed by the company attorney. Although it may be necessary to include some legal jargon in the policy document, each policy should also include a summary that explains in layman's terms that the average user can be expected to understand.

Consequences and Enforcement

It would be nice to think that, once your AUP is put in place, all employees will fully comply and use their network resources solely for business purposes; but, they won’t. This means that a monitoring/enforcement mechanism, and consequences for infringement, have to be built into the policy implementation process.  Implementing a policy without these two elements not only leaves you open to continued risk of dangerous scenarios, but also to serious liability issues.   

The consequences for violation of the policies should be defined in the policy itself. Since violations themselves vary in severity, consequences should also vary depending on the specific violation and the violator's intent. For instance, consequences for sending a short personal e-mail to a friend with innocuous content would not be the same as consequences for using the company network to conduct a part-time (legal) business, which in turn would not be the same as those for downloading child pornography to the company's computers.

Which brings us to another issue: you should only set policies that you intend to enforce. If you create an overly restrictive policy “just in case” you might need to use it against someone, and then proceed to ignore it, users who are subsequently disciplined for violating that or other policies could argue that you had established a conflicting unwritten policy by knowingly permitting violation of policies in the past, and/or that you enforce policies in an arbitrary or discriminatory manner. The disciplined employee might even be able to successfully sue you on those grounds.

Enforcement should have teeth, but doesn't necessarily have to be confrontational. Organizations have a number of options for discreetly enforcing acceptable use policies. For example, your IT department or vendor can use firewall rule sets, blacklists, and content filters to block prohibited activity. The implementation of sound network security practices, to prevent theft and unauthorized use of sensitive or confidential information, is also important. This should include things like restricting access to sensitive resources, locking down file directories and configuring desktops and laptops to prevent the installation of unauthorized applications.

Despite all the various preventive measures a company can take, users will invariably find ways to violate security policies. As more organizations adopt stronger policies and enforcement, employees should know and understand their organization’s security policies—and to expect punishment, up to and including termination of employment, that come with violations.

Developing Your Policy Content

While there is some content which is normally considered a standard part of an AUP, each organization should customize their policy to fit their unique corporate operations, values and culture. If you would like assistance developing and implementing your acceptable use policy, please contact your Advanced Network Systems account executive for more information.

The Case for Building a Cyber Incident Response Plan

A strong defense is critical to fighting the battle against cybercrime. But having a plan to deal with a cyber incident—should one occur—is equally as important. Why? Because when it comes to preventing a cyber-attack, there is no such thing as guaranteed protection. That’s right, there is no “silver bullet.”  We live and do business in a world marked by increasing cyber-attacks, and all new rules. Beyond the increase in frequency of attacks, we also face an increase in the types of organizations that have become targets. As you can see, from the onslaught of daily news reports, no organization—even ones with the best defended networks—are immune.

A quick and effective response to a cybersecurity event can go a long way when it comes to minimizing the financial damage and most importantly, protecting your organization and its reputation.  In short, how you plan and respond to security incidents can make the difference between a “crisis” and an “event.”

Having a cybersecurity incident response plan builds on your overall information security program by establishing a set of response tactics and tools to ensure that when an attack does happen, you have the people, processes, and technologies in place to respond effectively.

In the event of an attack, time is of the essence, and being able to respond to both the attack itself and the people impacted are key strategies for mitigating the damage in cost and reputation to your organization.  

While each organization should always have a cybersecurity incident response plan tailored to their specific business operations and industry requirements, a response plan should include these general components:

People

  1. Management support and buy-in.
  2. A designated incident response team made up of staff from all functional departments.

Technical

  1. Identification of all critical IT resources (systems, applications, data, IT services), who needs access, and where they reside.
  2. A plan that defines how critical systems and data files will be backed up or made redundant
  3. A plan describing how critical systems and services will be restored
  4. A plan that defines how data files and applications will be restored
  5. A relationship with qualified cybersecurity vendors who may be required to assist in remediation and restoration

Communications

  1. A communications plan that helps you talk to your staff.
  2. A communications plan that addresses how external communications (customers, vendors, media, etc.) will be handled.

Procedures

  1. A clear definition of what constitutes a cyber incident.
  2. Processes and procedures that are in-line with, and support, your organization’s overall business continuity plan.
  3. A clearly defined protocol for how a response will be handled (action steps) and who is responsible for each required task.
  4. Having cyber-liability policy in place for your own organization.
  5. The incorporation of cyber-risk/cyber-liability insurance and liability language in contracts with outsourced service providers.
  6. A method and schedule to practice your incident response plan.

When it comes to cyberthreats, the only things that are really certain are the increased probability of becoming a victim of cybercrime, and the exponential rise in bad actors capable of successfully attacking even the most reputable, well defended organizations. This makes an extremely strong case for every organization to develop its own incident response plan, along with a solid defense strategy, more important than ever. Start yours today.

Why Being Compliant Is Not the Same as Being Secure

There is a dangerous misperception that often comes up, regardless of which regulatory standard we talk about (PCI, HIPAA, etc.).  The misperception is that compliance equals security. Sometimes organizations think they’re the same thing; sometimes they get so consumed by complicated regulations that they stop focusing on security altogether.

To be clear, compliance does not equal security — it’s basically just a snapshot of how your security program meets a specific set of security requirements at a given moment in time.

What’s critical to understand is that in order to truly protect sensitive data, having both the proper security program in place, AND being compliant are critical. Without a complete and active security program, paired with a solid compliance plan, any organization is at significant risk of being breached. To keep your entire network environment protected from the criminals targeting your data every day, you have to build and manage an advanced security program that goes far beyond specific sets of compliance requirements.

Security and Compliance Are NOT the Same

Security and compliance play different roles, both in your internal and external environments. The right cybersecurity measures protect your information from threats by controlling how that information is used, consumed and provided. Compliance, on the other hand, is a demonstration — a reporting function — of how your security program meets specific security standards as laid out by regulatory organizations.

Beware of the "Checkbox Mentality"

Meeting compliance regulations will never cover all of your security needs. This “checkbox” mentality results in inadequate protection. Why? Because compliance only ensures that a specific set of requirements that change slowly (typically only once a year) are in place. As a result, it can’t possibly keep pace with the changes that are occurring daily in the world of cybersecurity.

To truly safeguard against the growing number of sophisticated threats, organizations have to elevate security and develop an overall approach that integrates all the necessary controls with each other to create a cohesive, multilayered web of security. This isn’t something that satisfying a regulatory standard can ever provide.

Don’t Use Compliance as Your Security Blueprint

Using compliance requirements as a plan for building a security program is another common mistake. An effective cyber security program should be built from the ground up and be based on an organization’s needs. Focusing on compliance first is putting the virtual cart before the horse. Compliance should be a byproduct of a solid security program, not the source of it.

Remember, investing in a proper, thorough and ongoing cybersecurity strategy now will make future compliance audits easier, save money in the long term, and protect your data, business and brand.