Living in a Perpetual April Fool's Day
Will you be looking over your shoulder this Saturday? Probably not a bad idea - it is April Fool's Day after all!
A favorite holiday among practical jokesters, April 1st marks a tradition that goes way back - hundreds of years back. People, businesses - even some media - attempt to fool as many people as possible with any number of "believable" tricks.
Of course today, we live in what could be considered a perpetual April Fool's Day, with fake news, spoofed websites, social engineering scams and hundreds of other "believable" tricks coming at us every day.
Read on to avoid some of the latest deceits - Saturday and beyond.

Fake News Everywhere You Look (and Listen)

Two ways illegitimate headlines are sneaking into your life

While there is no shortage of ways to get your fake news, you can add digital assistants and spoofed news sites to that growing list.
Voice-enabled digital assistants
As reported here, Google's Home device recently shared a fake news story in the same manner it would a legit news item. Why? Because the device (and others like it, Amazon's Echo, Samsung's Bixby) appears to be programmed to respond to questions from users in snippets, which are short, direct answers found at the top of its search results.

This is a good example of the unintended consequences of lax engineering of smart devices. Just as it spreads fake news, it can also create privacy and security problems.
But, writes Mike Murphy of Quartz, the devices don't know any better. They are simply "parroting what Google search shows when the same questions are asked online."
Spoofed news sites
Scammers are getting very good at building websites that look like real news sites, and the FTC is warning consumers. (I've seen several of them; they are good replicas!)

This should be especially interesting to those of you in health care, as some of the craftier scammers out there are peddling "brain booster" pills that give false hope to patients with cognitive difficulties, such as trouble concentrating or remembering.

Suspect a Data Breach? Google It
Search engine results may indicate a compromise
Google has begun adding a small, but mighty, phrase under search directory listings when its systems detect something has gone awry with an organization's website.
The warning reads "This site may be hacked."
As reported by Brian Krebs, the advisory seems to indicate Google's spiders are capable of identifying the sources of large credit card breaches.
Google's attempts to protect its users are a double-edged sword for businesses and other organizations that rely on web traffic for revenue or engagement. On the one hand, the label can lessen the fallout of a malware infection by warning users off the site. On the other, the warnings can persist long after the infection has been cleared. Read this article for more on the little-known consequences of website infections.
All the more reason to work double time to prevent those infections from happening in the first place! Many of our SIMBUS360 clients thank us for helping them to establish the procedures and implement the tools necessary to be successful in this regard.

Surveillance Innovation Creates Privacy Concerns
From live streaming video to police body cams...

... surveillance these days is everywhere. A colleague of mine recently lamented she can't even sing along to the radio in her car without fear of winding up in a SnapChat video filmed by her 13-year-old in the backseat.
In Des Moines, Iowa, where my businesses are based, a company donated video cameras that now push a couple of live, public feeds of a downtown street, popular for its nightlife. It's like taking Google Maps' satellite images, which only capture a single moment in time, to a whole new level.

I looked at the feeds as I was creating this, and I saw a group of around 30 or so 1st- to 3rd-grade schoolchildren waiting to cross the street at an intersection. Given what is going on in the world, it is unsettling to think someone else in that area with malicious plans could have also been watching and seen an opportunity to do something bad.
Yes, this is a public space. However, the difference is that it is live-streaming, available for everyone to see, not just a small group like security guards or police officers. I'm hopeful they will soon post signs that alert people they are being monitored. Often, we're just completely unaware we're being watched. Take some government buildings, for example, which have security cameras in their bathrooms. Many people will be surprised that such cameras are located within such a private space.  (A bill currently before our state's senate seeks to ban them.)
Des Moines is also touting its new police body cameras as a crime prevention innovation. 

I definitely agree there's potential for body cameras to create transparency. It makes sense to use them when necessary to resolve conflicts over specific incidents between suspects and police. However, we also need to balance those benefits by addressing the very real privacy issues they create.  

Consider that video captured on these cameras is now being analyzed using unproven, emerging technologies, such as facial recognition and artificial intelligence, to aid law enforcement in multiple ways.  
Said a police sergeant: "If you are going to be out in public just understand there are going to be times where you are videotaped." That's all well and good for the planned moments in your life. But what about crime victims? What about their right to privacy? Audio of 9-1-1 callers aired for all to hear has been a concern for many years; this issue is only becoming more complicated with the entry of video.

Retaining video captured on police body cameras for an indefinite period of time creates more concern. How could video from an individual's teen years affect them later in life if employers or others were able to access it? The privacy risks across the full lifecycle of such video, from the time it is created through the time it is destroyed, need to be clearly defined, with rules established for its ongoing use.

WikiLeaks Has Done it Again

4 things you may have missed in the headlines

You've likely read the headlines about the documents (now two sets of them) provided to WikiLeaks disclosing how intelligence agencies spy on people through our devices. But let's dig a little deeper. Here are 4 meaningful take-aways:

  • By law, intelligence agencies can only use the tools described in the leaked information if they have secured a warrant.
  • The fact these agencies have methods and technologies that allow them to spy on people is not surprising. Making them public, however, opens the doors for cybercriminals to learn from the agencies' practices.
  • Internet of Things devices are already telling tales about their users. This is not new, but the WikiLeaks incident helps consumers understand we all have to take ownership of our own privacy. There are things you can do, such as configure 2-factor authentication and encryption.
  • The news also underscores the need for all organizations to have policies and procedures in place to monitor for and prevent insider threats, such as the leaking of confidential information. 
Speaking of Insider Threats...

A new kind of employee = a new kind of risk  
As more people are replaced by automated technology in industries from health care to manufacturing, organizations will have to contend with a new kind of insider threat - vulnerable robots.
Researchers have uncovered 50 flaws in popular robots and robot-control software used in businesses, industrial sites and even in homes.
Among the reasons many robots are so vulnerable is their reliance on the Robot Operating System (ROS). Sounds made up, doesn't it? But it's very real, and the system as we know it today relies on cleartext communication and weak authentication and authorization, according to the researchers who looked into the security flaws.
Losing Sight of IT Security Basics

Cyber incidents don't always stem from hackers
A recent article in Fast Company covering the February 28 outage of Amazon Web Services (AWS) raised an incredibly important issue. The world is so focused on hackers and cyber criminals that we may be forgetting the basics of IT security. At the top of that list are continuity and compliance.
Business continuity
Numerous big-name brands were out of luck when AWS went down. In one particularly ridiculous incident, a company was unable to communicate its trouble with AWS because the platform it relied on to communicate with its users also relied on AWS. A continuity plan has to account for shared dependencies like that one: if the status channel fails together with the service, customers are left guessing.
Security compliance
In addition to ensuring your business can continue to function in times of system outages, organizations of most every type have to consider security regulations. Violations of HIPAA, GLBA and other regulations, as well as of standards like those from PCI, ISO/IEC and NIST, are a critical risk to running a successful business or advancing a cause.


"When Workers Go, So Must Their Access" 
I recently had the pleasure of contributing to the subscription journal Report on Patient Privacy, in an article put together by the brilliant Theresa Defino. Here's a bit of what we discussed in her article, "When Workers Go, So Must Their Access." Contact the Health Care Compliance Association (HCCA) if you're interested in becoming a subscriber.
Managing workers' access "is an area where most organizations, of all types, struggle," says Rebecca Herold, president and CEO of SIMBUS, a HIPAA compliance firm.
Healthcare organizations and hospitals are especially challenged because there are "often large numbers of contractors, doctors that are business associates and not employees of the hospital, students and interns and volunteers. Because of the widely diverse population, it is important for hospitals [and other CEs] to have rigorous access controls, identity management requirements and thorough off-boarding processes," says Herold.
Systems must make efforts to narrow and track access. For example, some may allow too many pathways "of entry into the network," which can lead to one or more being missed, she adds. "This is where regular audits of log activity can identify the unauthorized access much earlier," says Herold.
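As an added illustration of the log-review point above (example code written for this edit, not part of the journal article or of any SIMBUS tooling), here is a small audit that cross-references an off-boarding list against authentication log lines and flags any login, successful or not, by an account after its owner's termination time. The log format, account names, hosts and termination timestamps are constructed for the example; a real run would read the off-boarding roster from HR or the identity system and the events from the SIEM.

```python
import re
from datetime import datetime, timezone

# Constructed off-boarding roster: account -> termination time (UTC).
# Access should end at this instant; anything later is a finding.
OFFBOARDED = {
    "jdoe": "2017-03-10T17:00:00Z",    # hypothetical contractor
    "asmith": "2017-03-15T12:00:00Z",  # hypothetical student intern
}

# Constructed authentication events in a simple key=value format.
LOG_LINES = """\
2017-03-10T16:45:12Z host=ehr-app1 user=jdoe action=login src=10.1.4.22 result=success
2017-03-11T09:02:44Z host=vpn-gw user=jdoe action=login src=203.0.113.7 result=success
2017-03-12T08:10:01Z host=ehr-app1 user=bjones action=login src=10.1.4.23 result=success
this line is not in the expected format and must not be silently dropped
2017-03-16T22:14:09Z host=vpn-gw user=asmith action=login src=198.51.100.9 result=failure
2017-03-17T03:30:00Z host=ehr-app1 user=asmith action=login src=10.1.4.50 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Return a dict for a well-formed event, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = parse_ts(ev["ts"])
    return ev


def audit(log_text, offboarded):
    """Flag every authentication event for an off-boarded account that
    occurs after that account's termination time.

    Failed attempts are reported as well as successes: a failure after
    termination still shows the account exists and that someone holds (or
    is guessing) its credentials. Unparseable lines are counted rather than
    ignored so a change in log format does not hide a gap in coverage.
    """
    cutoffs = {user: parse_ts(when) for user, when in offboarded.items()}
    findings = []
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        cutoff = cutoffs.get(ev["user"])
        if cutoff is None or ev["ts"] <= cutoff:
            continue
        findings.append({
            "user": ev["user"],
            "host": ev["host"],
            "src": ev["src"],
            "when": ev["ts"].isoformat(),
            "result": ev["result"],
            "severity": "high" if ev["result"] == "success" else "medium",
            "hours_after_termination": round((ev["ts"] - cutoff).total_seconds() / 3600, 1),
        })
    return {"findings": findings, "unparsed": unparsed}


if __name__ == "__main__":
    report = audit(LOG_LINES, OFFBOARDED)
    for f in report["findings"]:
        print(f"[{f['severity']}] {f['user']} on {f['host']} from {f['src']} "
              f"at {f['when']} ({f['result']}, {f['hours_after_termination']}h after termination)")
    print(f"unparsed lines: {report['unparsed']}")
```

Run against the sample data, the audit reports three events (two successful logins and one failed attempt) and one unparsed line; the login that happened 15 minutes before the contractor's termination is correctly left alone. The same pattern works for VPN, EHR and badge-reader logs as long as each source yields a user, a timestamp and an outcome, and the roster of "should no longer have access" accounts is the control the audit is measured against.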

Privacy Professor On The Road, In the News & On the Shelves

On the road...

One of my favorite things to do is visit with leaders in different industries - health care and managed systems providers to insurance and energy (and beyond!). Below are a few of the events I have scheduled for the upcoming season.

April 4, 2017: Giving speech, "Fraud 2017 - Protecting Your Business From Email Attacks," to attendees of the BBB Fraud Program meeting in Omaha, NE.

April 12, 2017: Giving webinar, "How will GDPR Impact Incident Response and Data Breach Management?" sponsored by DF Labs.

April 18, 2017: Giving speech, "Don't Let Third Parties Bring Down Your Business: Effective Vendor Management," to attendees of the ISSA Minnesota Chapter Meeting, St. Paul, MN.

May 23, 2017: Giving webinar, "Strategies for Effective 3rd Party Risk Management," sponsored by IT GRC Forum.

June 14, 2017: Giving webinar, "Building a Framework for Data Privacy and Protection in the Cloud," sponsored by IANS Research.

August 10, 2017: Providing sessions at the Internet of Medical Things III: Engineering and Cybersecurity for Connected Devices Conference, hosted by the BioPharmaceutical Research Council and the NJ Hospital Association, Princeton, NJ.

August 11, 2017: Providing keynote at the North East Pennsylvania Innovation Conference, hosted by tecBRIDGE, Scranton, PA.

In the news...

Tech Target Search Security

Health Info Security

The CWIowa Live morning TV broadcast regularly covers privacy and security tips with its guest, the Privacy Professor! Each segment is a brief 10-15 minutes and covers topics ranging from insider theft to connected vehicles. Check out this online library to watch recent episodes.

Here is my most recent visit to the studio on March 9, during which we talked about the WikiLeaks dump of CIA documents. 

On the shelves...

The ISACA Privacy Book, for which I was Lead Author and Developer, released in late January. ISACA members can purchase the book for $35, non members for $70. 

Questions? Topics?

Have a topic I should discuss on the CWIowa Live morning show? Or, a question I can answer in my next monthly Tips? Let me know!

Every now and then, it's okay to let down your guard just a little. April Fool's Day is one of those times. Let your kids put Milk of Magnesia in your cereal or cellophane on the toilet seat. Those are memories you'll never forget!

The rest of the year, keep your wits about you. With hectic schedules and so many demands on our time, it can be easy to go with your first reaction. Take the time to dig a little deeper. It's so worth the extra steps...  

Have a fabulous April,

Rebecca Herold
The Privacy Professor
Need Help?

Permission to Share

Want to repurpose the information contained in this Tips? Yes, please forward in its entirety. 

If you prefer to use only excerpts, please use this attribution:

Source: Rebecca Herold, Founder, The Privacy Professor®

NOTE: Permission for excerpts does not extend to images.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564

Visit my blog    Follow me on Twitter