Data Privacy Week Is a Time to Consider What You Share
This is Data Privacy Week, when everyone who uses the Web is encouraged to think about, and limit, the amount of personal data they share online. We often think of data privacy and data breaches in terms of someone stealing information we have shared. During this week, that thinking should be reversed: Ask what you share, where you share it and whether sharing is even necessary.
Data Privacy Begins with You
Thieves cannot steal what you do not share. If you never give your credit card number, name, address or phone number to any website, you have zero data privacy risk. This is impractical if you want to shop online or use services such as email and social media. Most people get so used to sharing personal information to do things online that they share freely in all spaces online, making them targets for data theft and phishing attacks. Some sites, such as LinkedIn and Facebook, encourage a level of sharing that creates significant risks to your personal information. Companies may share more than necessary if they try to market their employees, as detailed in “Is Your Website a Bait Shop for Phishing Attacks?”
Cyber crime would be much lower if everyone followed the rule taught to all children: Do not talk to strangers. Do not tell them your name, where you live or the route you take home. Do not share where you went to high school and college, what you studied, or your employment history. Never give them your mother’s maiden name, your pet’s name, your birthday, the name of your prom date, the name of your favorite teacher, or your favorite grocery items.
By now you should have a window into all the ways you deliberately (social profiles) and casually (social media quizzes) surrender your digital privacy. While sharing online can feel normal, it invites predators. Cyber criminals gather as much information as they can about potential victims from posts and profiles. They then use this information to target attacks against you or people you know.
Easy Ways to Improve Data Privacy
Data privacy should be protected on two fronts: Limit what you share initially, then limit how long it remains online. “Online” includes both publicly available information and information you share with others to shop or use services.
- Use guest checkout. Nearly every shopping site now offers a guest checkout option. When you choose this instead of setting up an account, the business should not build a profile about you or store your information permanently. Use this feature whenever you buy something online for the first time. If you come back, consider opening the account. If you never come back, you will have less risk if that business suffers a breach.
- Never respond to online quizzes. Facebook has significant, ongoing problems with data-harvesting scams masquerading as quizzes. Because Facebook requires people to give their real names when they sign up, even the most innocent-looking quizzes can yield meaningful data. Criminals often look for clues to passwords or try to fill gaps in an individual’s data profile, or get information they can use to commit fraud. In one example, an image shows several food staples, such as eggs, milk, cereal, orange juice and bacon, then asks which one you dislike the most. Choose eggs and a criminal now knows not to buy eggs when they try your stolen credit card number at the grocery store.
- Skip the optional fields when you sign up. Whenever you sign up for a service, your goal should be to give as little personal information as possible. This can be challenging if your browser automatically fills in all of your data, or if you fill out forms without looking to see what is actually required. Be wary of businesses that ask for credit card information for a “free” trial, or that want your email, phone and mailing address for services that do not require physical mail.
- Only post recent, relevant information on social sites. No one needs to know your entire work history, or that you got a master's degree from Harvard, unless that experience is highly relevant to your current work. This is challenging for thought leaders and those with specialized skills who market their abilities based on experience. Consider using less-specific descriptions, such as “Ivy League educated” instead of “Harvard Class of ’92.” Criminals need specific data points for social engineering fraud. The more you provide, the easier you make it for them.
- Never post your personal email or phone number. Many small businesses believe posting emails and phone numbers increases the number of contacts they receive. There is no real data to support this. Contact information on a website should go to a generic inbox, such as “info@mysite.com,” and phone numbers should forward to an unpublished office line. One of the leading scams right now harvests personal phone numbers, matches them with company email addresses, then targets employees with texts that appear to come from senior executives, often asking for gift cards or passwords. This scam exploits the abundance of seemingly innocent information that individuals share.
- Never post photos or videos from your workplace. If you or your company must Instagram what it does, set up a location in the lobby and only allow photos and videos to be shot there. Photos and videos should never be allowed in work areas for any business, because they can give away private or proprietary information. Criminals can learn about your security procedures and your workplace layout, and sometimes find passwords on notes or whiteboards in the background. Those who work in health care have an additional duty to protect patient privacy, as well as their own.
- Remove anything personal in the background of your video conferencing space. The rise of video calls and videoconferencing has encouraged people to treat their home office like a television set, with strategically placed books, awards and mementos, all of which is information that is valuable to criminals. Another risk, once again, is the whiteboard or bulletin board with sensitive information. Something as simple as a diploma or family photo can be the hook a criminal uses in a targeted attack. Keep anything identifiable out of frame, or use a generated background for your calls.
- Close all outdated accounts and subscriptions, then ask for your data to be removed. This one is last because it is a little harder. If you have ever canceled a Netflix subscription, you know how easy it seems. They turn off your service and stop billing, but they keep your information by default. Under data privacy laws in the United States, you have the right to have that information removed, which is what you must do to protect your personal data. Every online business has a process for this, and you may need to hunt for it in their Terms of Use or Privacy Policy statements. Get in the habit of reviewing and removing unused accounts at least once a year.
If you maintain strong data privacy, you will be at a far lower risk from breaches and targeted attacks. This is part of the personal approach to data protection that Protect Now promotes through its CSI Protection Certification program, which boosts cyber security by teaching employees the importance of personal as well as professional data privacy. To learn more, contact us online or call us at 1-800-658-8311.