20 Minutes Each Week in 2018

It's nearly the start of a new year, and as Dan Lorhmann's growing list shows2018 is predicted to be a doozy. As CSO magazine put it , "Breaches will be bigger, hackers will be smarter, and security teams and budgets won't seem to keep pace."

While that kind of warning can seem dire, I challenge you not to be so overwhelmed you don't act.

Awareness is a huge help to avoiding nearly every form of data security or privacy snare. Set aside 20 minutes each week to read an article, listen to a podcast or visit a recognized expert's social stream. I guarantee you'll learn something new - and with any luck, it will help you steer clear of those big breaches, smart hackers and too-low security budgets.

You can start right now by reading through this month's Tips message. Enjoy, and if you find something in here that's particularly helpful, pass it on!

dpdData Privacy Day Turns 10!

Annual effort pushes for greater awareness

As part of its global online safety, security and privacy campaign, the National Cyber Security Alliance has hosted the international Data Privacy Day on January 28 since 2008. Happy 10th birthday, DPD!

For nearly as many years, my Privacy Professor business has been fortunate enough to secure January 28 as Iowa Data Privacy Day here in our home state. We are awaiting word from the governor's office to see if we can do the same this year. In addition, my team and I produce DPD content to help educate consumers and business people on the risks of our connected society and what steps they can take to mitigate those risk.

I'd love to hear how you will be celebrating DPD 2018. Drop me a note and share your plans. 

nomNominate a Data Privacy Hero
Tell us about someone who goes above and beyond

The black hats of the world get far too much attention. We'd like to shine a spotlight on those donning white ones!

Each month in 2018, beginning with our February edition, we'll introduce an individual who has gone over and above to advance data security and/or privacy in their corner of the world. This could be someone who has launched a new program for workplace education or a volunteer who teaches senior citizens how to avoid scams online. The possibilities are unlimited!

There is no action or activity too small for the Data Privacy Hero of the month. Simply drop us a note and explain why we all need to know your hero. 

ranRansomware Works... It's That Simple
Simple, smart scam will increase this year 

In its article about the predicted rise of ransomeware attacks in 2018, Security Boulevard called ransomware a simple threat with large business implications.

Among the issues exacerbating the problem is that victims continue to pay the criminals the ransom they demand for release of the data the crooks have stolen. It's true paying up may be less costly than losing all of your data (or the data of your customers, patients, users, etc.). But, doing so only emboldens the bad guys.

Even though refusing to pay would be, in the long run, better for everyone, a sense of duty to the larger business and private community can be difficult to inspire in some boards of directors and top executives (Just look at Uber's payment of $100K to hide a breach exposing 57 million users). 

Therefore, the best course of action is to make sure you never become a victim in the first place. Here's how...
  1. Make backups of all your data and software on a separate storage device that is not attached to your network or computer. This way, if you get hit with ransomware, you can quickly restore everything without even responding to the cybercrooks.
  2. Use effective and constantly updated anti-malware tools. This won't stop all ransomware, but it will block those that are known, which are many.
  3. Stay up to date on the latest phishing scams, and do not click on photos, links or attachments without first considering the consequences.
  4. Educate your employees, family members and friends about destructive malware. Show them this article as a start.

TheyThey Know When You Open Their Email

Open trackers reveal more than you may think

Streak, just one of several email tracking services, lets senders know exactly when, where and on which devices recipients open their emails. Think that through the next time you consider fibbing about when you actually saw someone's email.

What's interesting is the migration of tracking tools like this from the business and marketing world to the personal world. A recent study found nearly 20 percent of conversational email (that between friends) is now tracked.

What's less interesting and more scary is how Amazon, Facebook and others with apps on your mobile device are using email tracking. As one software expert told Wired:

Both Amazon and Facebook "deeplink all of the clickable links within the email to trigger actions on their app running on your device. Depending on permissions set by the user, Facebook will have access to almost everything from Camera Roll, location, and many other logs that are hidden. But even if a user has disabled location permission on his device, email tracking will bypass this restriction and still provide Facebook with the user's location."

There are a few things you can do to avoid being tracked on email:
  • Download a trusted anti-tracking service. Just a few of the many possible are Ugly Mail, PixelBlock and Senders. But make sure you check in on it regularly, as tracking tools are evolving and finding new ways around these fixes.
  • Block all images in your email client. This will prevent the typically invisible image used by open trackers to send your information back to the sender. On the downside, it will also keep you from seeing images, such as those in the monthly Tips. But, if tracking is a concern, you can always view the images in the online versions of such emails.
  • Be vocal. Tech companies and email clients, such as Google, have the ability to "kill email tracking altogether." Similarly, government intervention could make tracking illegal. Let your voice be heard. When tech companies don't hear from their users, they believe there is no concern or interest in privacy protections. Many tech company executives have told me as much. 
  • FYI: Constant Contact, the email service we use to send this Tips message, includes an email open tracking feature. We use this not to determine who has read a particular Tips, but the percentage of recipients that has read them. This helps us determine which of our headlines and topics are most interesting to you.

faceFacebook Does 180 on Child Users

Social network launches "kid friendly" messaging app

In what could be seen as a complete reversal of its prior philosophy on children using its services, Facebook has launched Messenger Kids, specifically targeting children ages 6 to 12.

Where do we even start?!?

Every person, no matter how young, is worth money to social media outlets. Their personal data is incredibly valuable to a wide range of entities, particularly those looking to market products, analyze behaviors and understand preferences of the next generation of consumers.

We know kids have long lied about their ages to access Facebook (and many other social media sites, for that matter). We can also conclude Facebook has been gathering data on these so-called "invisible users" for years. Perhaps Messenger Kids, (which coincidentally launched as U.S. lawmakers are asking tough questions about big data collection strategies) is the social giant's way of bringing a somewhat veiled practice out into the open. It may also be their way to secure loyalty among adult / parent users, who are bombarded with new social competitors every day.

We get that most kids are now online. So we need to make sure that they are being better protected from the continuously growing online dangers. Perhaps Facebook is just taking the bull by the horns.

So what is the danger? Here are just a few things to consider before you allow your child to become a Messenger Kids user:
  • Facebook has said collection of child user data will be "limited," but what does that even mean? And with whom will it be shared? We couldn't find explicit (non-vague) answers in Facebook's privacy policy. What the company has described is a wide-open set of possibilities. When it comes to our children's data, these are important answers to have. Please let us know if you find where Facebook explains its limited data collection in more detail.
  • The Drum called the app "a notification-filled interruption machine." Will your child be able to focus with Messenger Kids dinging, beeping or otherwise interfering with their day (and night)? With all these attention grabbers, will their guard go down, and will they give away information that will cause security, privacy and safety problems? My kids grew up having their own laptops and got smartphones when they were in high school (sounds old fashioned now, right?). However, they also learned that real-life "face time" requires putting down the phone and interacting with the people around them. So much more can be written about this going far beyond our data security and privacy. 
  • Although content is controlled, parents have to be fully and completely engaged with their kids both online and off. It's not difficult to imagine a parent approving a contact based on a fake profile or thumbs-upping content that looks benign but really means something they don't understand. While the intent may generally be good, the execution of the app in reality brings more security, privacy and safety risks of which parents must be aware.
Food for thought before you sign up your youngsters for this latest social media offering.

whatWhat To Do With That Old Device

Lots of new gadgets replacing old ones this holiday

If you bought (or received!) a new phone, computer, fitness band or any number of Internet of Things (IoT) devices, you may be tempted to throw out the old. Before you do, take these steps:
  • Reinstall the original computer software or reset the device to its original factory settings.
  • Use a disk-wiping tool or deletion software to delete the data or overwrite the system's hard drive with junk data. The process should be irreversible. Some are not. Ask the tool vendor about this.
  • If you're especially concerned about sensitive data falling into the wrong hands, you can physically destroy hard drives or SIM cards, usually by drilling a few holes through or smashing it. But if you go this route, be safe. Wear gloves and goggles. There are some nasty chemicals inside our electronics!

PPInewsPrivacy Professor On The Road & In the News  

On the road and in the ethernet...

One of my favorite things to do is visit with leaders in different industries - health care and managed systems providers to insurance and energy (and beyond!). Below are a few of the places I have been recently and a few of the events I have scheduled for the upcoming season.

Nov 28, 2017: Panelist, alongside  Karen  Worstell and  Michael  Angelo, for ISSA's  "Secondary Costs of Intrusions." Follow the link to view a recording of the 2-hour discussion. 

Telecommuted for this one!
Dec 13, 2017: Panelist, alongside Katina Michael, Shanti Korporaal and Mr. Meow Meow, for IEEE Life Sciences Conference's "
From Wearables to Implantables that Measure and Enhance Human Behaviour: What can we do already? Where are we headed? Follow the link to listen to a recording of the 1-hour discussion. 

Dec 14, 2017: Hosted ISSA Healthcare SIG's "Lessons Learned and Recovery from Breaches" webinar. Follow the link to view the 1-hour recording. 

Jan 2, 2018, 3 p.m. pacific: Guest on Leadership without Borders radio show to discuss " Big Data and Compliance, What Leaders Need to Know" with host Kimberli J. Lewis. Follow the link to tune in live or to access the post-show recording.   

Privacy Professor in the news...


Beginning late January 2018, I'll be hosting the brand-new radio show, Data Security & Privacy with The Privacy Professor, on the  VoiceAmerica network . Stay tuned for information on how to access it. 

Privacy Piracy

I was happy to speak with Mari Frank on the  Privacy Piracy  radio show (88.9 FM and www.kuci.orgon  October 30 and again on December 11. We discussed the privacy and security implications of the Internet of Medical Things (IoMT) in the October show. On December 11, we discussed the data security and privacy risks that vendors and other types of third parties bring to an organization.

Credit Union Times

Naked Security

The morning TV broadcast regularly covers privacy and security tips with their guest, the Privacy Professor! Each is a brief 10-15 minutes and covers topics ranging from insider theft to connected vehicles. Check out this online library to watch recent episodes.

On December 26 , I visited the studio to discuss the need to secure those new tech gadgets received as gifts and to describe a widespread phishing scam. 

You can catch up on many of my visits to CWIowa Live with my on-demand library on YouTube.

Questions? Topics?

Have a topic I should discuss on the  CWIowa Live morning show? Or, a question I can answer in my next monthly Tips? Let me know!

We are super excited to celebrate the 10th annual Data Privacy Day next month. Will you join us?

Recognizing the special day can be as simple as sharing a tip or a warning you learned with a spouse or as large as organizing an enterprise-wide event. 

I can't wait to hear how you honor this important date in your neck of the woods!  And remember, please let us know who you nominate to be your February data privacy hero!

Here's to an outstanding 2018!

Rebecca Herold
The Privacy Professor
Need Help?

Permission to Share

Want to repurpose the information contained in this Tips? Yes, please forward in its entirety. 

If you prefer to use only excerpts, please use this attribution:

Source: Rebecca Herold, Founder, The Privacy Professor┬«, privacyprofessor.org, privacyguidance.com, SIMBUS360.com, rebeccaherold@rebeccaherold.com 

NOTE: Permission for excerpts does not extend to images.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564

Visit my blog    Follow me on Twitter