What's Under That Costume?
It's a spooky time of year, folks. All manner of tricksters and treaters are donning disguises designed to fool even the most whip-smart among us.
But it's not just Halloweentime that brings out the disingenuous.
As our world becomes increasingly digital, it's easier to pretend to be something you aren't. Let's take a look at a few of the ways we might be fooled this month and beyond...
Disguised As Just Another Employee
Consumer and client trust is very hard to regain
Each of these individuals did it under the disguise of "just another employee," and at the expense of the consumers who trusted them to keep their information out of the wrong hands.
Whether or not we can refer to the Wells Fargo incident as insider fraud is debatable. We do know that reportedly unrealistically high sales requirements provided much of the motivation for thousands of employees to take these actions. Thankfully, it's someone else's job to determine whether employees were following the rules or breaking them. What is clear, however, is that the bank's customers were fooled, and sadly, many lost money during this ruse.
In the case of Verizon, we see the influence of private investigators (PIs), who have been known to view and present themselves as law enforcement. Although we do not know all the details of this particular case, the employee may have been more compelled to provide the information to the PI out of a false sense of duty.
THE TAKEAWAY:
An extremely wide swath of motivations can cause an individual to take advantage of his or her position and authorized access to the personal information of clients, consumers and patients. Be mindful of the data privacy and security threats posed by those closest to your digital information assets. At work, ask yourself whether anything you are doing feeds the temptation to steal from, spy on or expose your end users.
Strike A Happy Medium With Insider Threat Mitigation
Privacy is all about context
Especially with recent headlines, employers run the risk of becoming "too" diligent with insider threat mitigation. Take this company, for instance. Ironically called Humanyze, the organization has built an employee badge that goes way beyond logging time. In addition to performing real-time voice analysis, the badges have sensors that track where an employee is and motion detectors that record how much he or she moves. (Movements inside bathroom locations are omitted... in the name of privacy... ha.)
Talk about extreme!
Employers absolutely should have controls to monitor for the bad behavior of employees. At the same time, it's important to remember the Golden Rule. Would you want to work for an employer that insisted on monitoring your heart rate or your cortisol levels (such a thing is coming if MIT researchers have anything to say about it)?
Thank you to my Facebook friend Christina A. for pointing to this issue!
THE TAKEAWAY:
If you're wondering whether a control or precaution crosses an ethical privacy line, consider the context. Indeed, privacy is all about context. While your doctor may need to understand how your heart rate changes throughout your visit, your favorite retail store does not.
Yahoo May Not Be Thinking of Everything
New data breach details often emerge over many months
Elastigirl and Dash joined Prince Phillip during this Halloween outing.
If there's anything consumers have learned in this brave new world of hacking, it's that breached companies don't always know (or reveal) all the details of their incident at the outset. It's become fairly common for these organizations to increase the amount, or expand the type, of information they report as exposed in a breach over time.
A couple of points there: 1) Yahoo may learn of that exposure at a later date; 2) the type of information exposed (names, email addresses, phone numbers, dates of birth, concealed passwords and, in some cases, security questions and answers both unencrypted and encrypted) could easily help a criminal find his way into a consumer's online or mobile banking account. And that's simply because many people use the same passwords and security questions and answers across platforms.
THE TAKEAWAY: Don't be lulled into a false sense of comfort by any company's initial data breach announcement. One thing's for sure, the details rarely ever get better over time. Keep an eye on your financial accounts and credit reports, and change your passwords frequently across platforms.
MORE TIPS:
To minimize the impact of the Yahoo breach, change:
- Your Yahoo password (or delete your account if you are no longer using it)
- Your Yahoo security questions and answers
- Other site passwords and answers (If you use your exposed Yahoo credentials elsewhere, they, too, need to be changed!)
Viruses Masquerading As Legitimate Emails, Software Updates
Emails with infected Word docs disguised as invoices sneak past anti-virus software
Slipping past anti-virus protections, this new strain of malware reaches potential victims in the form of an email that appears to be collecting on a debt.
According to malware researchers, there are two things that make this particular threat noteworthy:
- The Word doc attached to the email provides much more legitimate-looking instructions telling users to enable macros.
- Once executed, the macro-based malware uses a more sophisticated loading process designed to detect and bypass traditional security.
THE TAKEAWAY:
If an email looks even slightly suspicious (like having an invoice attached for something you did not purchase!), delete it immediately... and do not click on that attachment!
Dropbox share alert is not what it appears
If you or your colleagues frequently use Dropbox to share large files, be sure you are checking any email that appears to be from the company very carefully. A new phishing scam posing as Dropbox is spreading, and like many others, it is a master of disguise.
Here's what it looks like:
THE TAKEAWAY: Never click; always hover. Before clicking on a link in any email (suspicious or not), hover over it with your mouse. Your computer should display (typically in the lower left-hand corner of your screen) the actual URL of that link (see the image above).
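The same "hover" check can be run over an HTML message automatically. The following is an added example, not code from the newsletter: it pulls every link out of the body, compares the destination's registered domain with the domain the message claims to come from (the `expected_domain` parameter is an assumption of this example), and returns the mismatches a hover would reveal. The Dropbox-themed sample body and its domains are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())
            self.links.append((self._href, visible))
            self._href = None


def registered_domain(host):
    """Crude last-two-labels rule; a production check would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_links(html, expected_domain):
    """Return (visible text, real href) for every link whose destination is not
    under expected_domain, i.e. what hovering over each link would show you."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href) for href, text in parser.links
            if registered_domain(urlparse(href).hostname or "") != expected_domain]


# Constructed sample: a "file shared with you" lure whose button goes elsewhere.
SAMPLE_EMAIL = """
<p>Someone shared <b>Invoice_Q3.pdf</b> with you on Dropbox.</p>
<p><a href="http://dropbox-share-files.example.net/view">View file</a></p>
<p>Manage your account at <a href="https://www.dropbox.com/account">dropbox.com/account</a>.</p>
"""

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_EMAIL, "dropbox.com"):
        print(f"'{text}' actually points to {href}")
```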
Ransomware poses as Windows update
According to InfoSecurity, another easy-to-fall-for threat is making the rounds... this one in the form of a Windows update. Displaying a fake update screen, the ransomware tricks Windows users into downloading a file called "Critical Update."
The tough thing about this particular threat is that the pop-up appears very legit. Users believe they recognize the update screen, so they simply follow the prompts and quickly find themselves in hot water. The clever authors of the ransomware keep up the pretense throughout the downloading process. Users believe it's the "Windows update" keeping them from switching to other open applications, but really, it's the fact that each of their files is being encrypted.
THE TAKEAWAY: Keep up on the latest threats to reduce the chances of falling for charades like these. For example, watch these three videos from the FTC to keep you and yours cyber aware.
International Privacy Regulations Rarely Look Alike
Facebook has not seen the last of global regulators
My little ninja, the Grim Reaper and me as the Wicked Witch of the West
Young companies with roots in the U.S. are facing some privacy headwinds as they expand globally. That's because laws and regulations governing data security and privacy are much different in the U.S. Generally, they allow for more collection of personal information in the largely unregulated social media and online apps and services space.
THE TAKEAWAY:
Doing business internationally requires education and awareness of different privacy and data security rules. If your company is expanding, be sure someone is championing the cause and that this individual has a clear understanding of applicable privacy laws and requirements.
Celebrities Become Unintentional Front For Cybercriminals
Use caution when searching these names
Privacy Professor On The Road & On The Air
One of my favorite things to do is visit with leaders in different industries - healthcare to energy and beyond.
Below is a schedule of where I'll be over the next few months.
October 25:
(Live Presentation) "Vendor Management," Privacy + Security Forum, Washington, D.C.
A fresh webinar, materials available
The materials from my webinar, "Using ISACA's Privacy Principles to Create an Effective Privacy Program" are now available.
Halloween doesn't get all the October fun. It's...
Taking to the air waves
CWIowa Live, a morning TV broadcast, regularly covers privacy and security tips with their guest, the Privacy Professor! Each is a brief 10-15 minutes and covers topics ranging from insider theft to connected vehicles. Check out this online library to watch recent episodes.
Report on Patient Privacy and Report on Medicare Compliance
I was thrilled to be sourced for the September 2016 issues of these subscription-only publications. See one copy of it here. Contact AIS Health or Theresa Defino for information on becoming a subscriber.
Secure World has begun to republish the monthly Tips message. If you happen to miss one, or your email filters file it somewhere unknown, you might check there (or just give me a shout; I'm always happy to resend).
Questions? Topics?
My sons just before trick-or-treating, Halloween 2010
Imagine my delight to celebrate both Halloween and Cyber Security Awareness in the same month!
Be on the lookout for disguises... they're not all fun and games.
Have a terrific Cyber Security Awareness Month and a spook-tacular Halloween!
Rebecca
Rebecca Herold
The Privacy Professor