Curing Privacy & Security Madness
March madness typically describes the annual bevy of basketball tournaments. This year, though, it's a pretty accurate description of the ongoing battles happening on so many fronts: the pandemic, widespread weather events, power outages, and of course, cyber assaults by malicious actors exploiting poor business practices.

Especially in work-from-home situations, every person with sensitive digital files is vulnerable. The data security and privacy industry must do all we can to support them in the practice of consistent data and media information backups.
 
To do our part, we're providing tips for better backup practices, along with some news and other information you may find useful.


March Tips of the Month

  • Data Security & Privacy Beacons

  • Featured News Story: Avoid Zoom Mayhem

  • Quick-Hit News

  • Privacy & Security Tips

  • Where to Find The Privacy Professor
Photo by Andreas Steidlinger on Scopio
Data Security & Privacy Beacons*
People and places making a difference
Exposing.AI provided a way to determine if facial recognition systems have used your photos. “An online tool targets only a small slice of what’s out there, but may open some eyes to how widely artificial intelligence research fed on personal images.” 

 
Scam Spotter provides statistics about scams and pointers to helpful, authoritative resources for dealing with various types of identity theft and other fraud.

Dan Solove wrote an article, "Restoring the [Communications Decency Act] CDA Section 230 to What It Actually Says." He is also providing a free copy of his book, The Future of Reputation: Gossip, Rumor, and Privacy on the Internet (2007).
 
YouTube is providing tools to report and/or block inappropriate or abusive content or users; to report suspected hacked, hijacked or compromised accounts; and to point to more information for online safety and privacy.


*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. They simply highlight noteworthy examples of privacy-aware practices.
Photo by alessandro castiglioni on Scopio
Featured News Story
Avoid Zoom Mayhem
As many of us have seen in the news, online meetings can easily be interrupted by Zoom bombing if users don’t take control of the settings.

You can also be embarrassed by simple mistakes of user error, such as the gentleman whose screen showed him as a cat throughout an important meeting.

Tom’s Guide recently published “Zoom security issues: Here's everything that's gone wrong (so far)” which provides some useful information. To prevent any type of online meeting mayhem from plaguing you, take the precautions included in the article. Here are just a few:

  • Join Zoom meetings through your web browser.

  • Ask that meeting participants sign in with a password. 

  • Set up two-factor authentication for your Zoom account. 
Quick-Hit News
Stories that caught our eye and inspired us to share.

The Verge: The Battle Inside Signal. "The fast-growing encrypted messaging app is making itself increasingly vulnerable to abuse. Current and former employees are sounding the alarm."

CyberNews: Combating COMB: 3.2 billion credentials leaked in breach compilation. “…what appears to be the biggest compilation of breached credentials in our lifetime.” Credentials (IDs and passwords) stolen from Netflix, LinkedIn, Exploit.in, Bitcoin, Gmail, Hotmail, Yahoo and more.

The Register: Nurserycam horror show: 'Secure' daycare video monitoring product beamed DVR admin creds to all users. "A parental webcam targeted at nursery schools was so poorly designed that anyone who downloaded its mobile app gained access to admin credentials. The company has a habit of reacting badly..."

Independent: Tracking Pixels: Concerns raised over ‘grotesque invasion of privacy’ and how to know if you’re being watched when you open emails. Companies can track when an email was opened, where it was opened from and what device was used to open it. “Two thirds of emails sent to personal accounts include a tracking pixel that reveals how the user responded to the message.”

  • Is your company using web gifs, aka tracking pixels? Make sure you know the privacy and data protection compliance implications.
  • Here's another related story: BBC News: 'Spy pixels in emails have become endemic'. A Princeton University study indicated the data gathered was sometimes linked to a user's cookies, allowing an individual's email address to be tied to their wider browsing habits.

Bloomberg Law: AI Panel’s Privacy, Civil Rights Advice Points to Gaps in Law. “Set to be finalized in March, the recommendations from the National Security Commission on Artificial Intelligence urge intelligence agencies, the Department of Homeland Security and the Federal Bureau of Investigation to review and mitigate such effects.”

Beckers Hospital Review: VA investigation finds employees hid privacy, security risks with patient health data project. “Two employees at the Department of Veterans Affairs made false representations and hid privacy and security risks tied to a 2016 artificial intelligence health data project between Flow Health and the agency.”

Healthcare IT News: HIPAA and remote work: Top compliance risks to address. "Compliance is a serious, enforceable matter – and must be properly addressed in the context of the workplace challenges and changes that have emerged amid the pandemic."

CPO Magazine. Why Enterprises Should Have Serious Concerns About the Security Shortcomings of Video Conferencing Platforms. "Last year, when the world was in the initial throes of COVID-19 and the businesses were quickly pushed to go remote, the FBI and DOJ issued warnings to the public about the possible cyber dangers of video conferencing."

Three articles on the hot topic of facial recognition and related privacy and security issues, including the development of new laws:




Philadelphia Inquirer: How to avoid COVID-19 vaccine scams. "Scammers are using platforms like phone calls, text messages, and social media to try to steal personal information, money, or both. Don't fall for it." Before replying to any text messages about COVID-19 vaccines, call the legitimate source of the vaccines.

ZDNet: Microsoft says SolarWinds hackers downloaded some Azure, Exchange, and Intune source code. "Microsoft said it discovered that hackers used the access they gained through the SolarWinds Orion app to pivot to Microsoft's internal network, where they accessed the source code of several internal projects."

Photo by Leta Taylor on Scopio
Privacy & Security News
Did you celebrate Safer Internet Day on February 12? We did. 

To mark the day, we put out a lot of free videos and eBooks with awareness tips and training for privacy, compliance, data and cyber/internet security. "We" refers to my son Noah and me. We launched our new business, Privacy & Security Brainiacs, on another really important day, International Data Privacy Day, Jan 28, 2021!

Among the resources we shared was a free video for working from home. It includes several tips to strengthen the security of IoT devices, most of which communicate with cloud services over the internet.

We also created a free eBook for this year's Data Privacy Day, Jan 28. It contains some additional tips for improving security when on the internet, as well as a few physical security practices.

Feel free to share the above resources with family, friends and co-workers. We believe in continuous improvement, which relies upon feedback, so tell us what you think!

More about Safer Internet Day.

An important warning about Clubhouse.

A Tips reader recently invited me to join Clubhouse. I replied, “Thank you, but no thank you. Clubhouse has some significant privacy issues.”

“Oh…what are the privacy problems with Clubhouse?” the reader asked.

After I listed a few for him, he said, “I don’t like that! I will delete my account!”

I then shared another privacy issue: "Currently, there is no way for you to easily and immediately delete your Clubhouse account.”

Besides the curated articles from Debra Farber in the Beacons section, here are some additional sources of information about Clubhouse privacy concerns:





Privacy & Security Tips
How to perform effective backups & limit unwanted calls
Privacy Professor’s Tips for Backups…

Don't let your precious memories - or critical professional, business, financial, etc. information - get blown away, burned, drowned, frozen, altered or erased.

These include files and media such as email, financial documents, photos, videos and social media content: basically, anything you would be very sad to lose, that could create a legal problem for you or others, or that could otherwise cause you trouble.

Have you made backups of your data lately? Within the past month? No? Well, take some time to do so now! World Backup Day is March 31st, but you don’t need to wait to do it.

Do you think your backups are being automatically made to a cloud service? Have you checked those backup locations in the clouds to make sure you have all the files you need? Do it now!

Here are just a few additional actions to take to make sure all your valuable and treasured files are being backed up and secured wherever those backups are located:

  • Back up your emails, photos, videos, tax documents and contacts to multiple locations.
  • Use a surge-protecting power strip. Lightning can wipe out data and software literally in a flash.
  • Using cloud computing (an Internet-hosted service) is handy, but can also be risky. Be sure to research any cloud company thoroughly before depending on one to store your data.
  • For sensitive/confidential materials, back up to external drives, DVDs and/or USB thumb drives that you keep securely under your complete control. Store those devices (I use multiple devices) in a separate secure area. I keep some in my bank deposit box and others in a fireproof/waterproof safe on a different floor. Don’t keep your backup media in an area that could be flooded or ruined by mold and humidity.
  • Encrypt sensitive/confidential backup media to keep others who may obtain that media from actually getting access to the data.
  • For most people, making email backups once a week is both necessary and sufficient.
  • Backing up photos and videos depends on how often you create them; generally, the more often you do, the more often you should back up - immediately after you create the files.
  • Scan and keep copies of your paper and other types of hard copy documents that you do not want to lose.
  • We will soon be releasing new Privacy and Security Brainiacs training and eBooks with much more detailed tips and instructions for making and securing backups. However, the tips above will provide you with a good headstart.
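One way to act on the tip to check that a backup location actually holds every file you need, as an added example that is not part of the original Tips message or of any Privacy & Security Brainiacs material: the script below builds a SHA-256 manifest of a source folder and compares it against a backup copy, reporting files that are missing, altered or extra. The folder names, sample files and the deliberately damaged backup are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def file_sha256(path, chunk_size=1 << 16):
    """Hash a file in chunks so large videos don't have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(source_root, backup_root):
    """Compare a backup copy against the live source.

    Returns the files the backup is missing, the files whose content differs
    (silent corruption, a stale copy or tampering), the files only the backup
    has, and an ok flag that is True only when nothing is missing or changed.
    """
    src = build_manifest(source_root)
    bak = build_manifest(backup_root)
    missing = sorted(k for k in src if k not in bak)
    changed = sorted(k for k in src if k in bak and src[k] != bak[k])
    extra = sorted(k for k in bak if k not in src)
    return {"missing": missing, "changed": changed, "extra": extra,
            "ok": not missing and not changed}


def demo():
    """Constructed sample: a 'documents' folder and a backup that lost one file and has another altered."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "documents"
        bak = Path(tmp) / "backup"
        (src / "taxes").mkdir(parents=True)
        (src / "taxes" / "2020-return.txt").write_text("tax return 2020")
        (src / "photo-index.txt").write_text("photo index v1")
        (src / "contacts.txt").write_text("contacts")
        (bak / "taxes").mkdir(parents=True)
        (bak / "taxes" / "2020-return.txt").write_text("tax return 2020")  # intact copy
        (bak / "photo-index.txt").write_text("photo index v0")              # stale or altered copy
        # contacts.txt was never copied to the backup
        return verify_backup(src, bak)


if __name__ == "__main__":
    result = demo()
    print("backup ok" if result["ok"] else f"problems found: {result}")
```

Run it once per backup location (external drive, thumb drive, cloud sync folder) after each backup, and keep the manifest alongside the media; on an encrypted backup, verify the files after decrypting them so the comparison covers what you would actually restore.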
 
Privacy Professor’s Tips to Limit Unwanted Calls…

A friend recently posted online: “The Do Not Call List is the biggest joke. I believe I have received a telemarketing call from just about every state today!” Dozens of people quickly agreed with him.

Do you agree, also? Are you getting dozens of phone calls even though you’ve put your phone numbers on the US Do Not Call List?

Let’s step back and consider the long-standing US Do Not Call Registry. It was very effective when it was introduced in 2003. Consider a few statistics:

  • In 2003 most people still used landlines (over 92% in the US); 268 million households had landline phone numbers in the US. There were no smartphones as we think of them today; there were 180 million cell phones with extremely limited internet capabilities and no apps. Those cell phones were very utilitarian.
  • Studies showed the Do Not Call list was fairly effective in cutting down on unsolicited calls (except for calls from political organizations, charities, telephone surveyors and some organizations with which you have a relationship, which are exempt).
  • Today, however, the US has 260 million smartphones in use, and over 45 million people in the US use VoIP from their laptops, tablets and computers to make calls, compared to only around 38% (~48 million) of households that still have landlines.
  • The average cell/smartphone user has downloaded more than 100 apps onto that phone, even though the average person uses only 9 of them.
  • There are more than 284 million people in the US who use the internet. The average US internet user spends a little over 3 hours per day on the internet, over 76 minutes of that on social media, visiting hundreds of sites, participating in interactive games, quizzes, etc. and using many web-based apps.

What does this have to do with the Do Not Call list?

Almost all of the apps you download ask for access to your phone number, and to use it. Most people click agree. BOOM! You just gave permission for your phone number to be used and "shared with trusted third parties," which usually means the app company is selling those phone numbers to a large number of marketing companies, who will now call you.

You take quizzes on social media. BOOM! You probably gave that quiz provider access to use your phone number through the way you set the security and privacy settings on the social media site.

You download "free" things on websites. BOOM! You have now given those sites permission to take your phone number and call you or sell it to others, if they asked you for one in return for the download.

Most people do not read the terms of use and "privacy" (often more like "no-privacy") policies/notices on social media sites, in apps or on websites, and they usually are giving thousands...maybe even tens of thousands...permission to use their phone numbers, and sell those phone numbers to others.

With that permission, the Do Not Call list you've put yourself on doesn't apply. You've given permission/consent (whether you realized it or not) for all those apps/websites/social media/etc. to use your phone number.

Add to these tens of thousands of entities, the credit reporting agencies that also monetize your phone numbers if you've not explicitly opted-out of them sharing/selling them to other entities.

For sure, the Do Not Call List is long overdue for an update, not to mention the need for a comprehensive US federal privacy regulation. In the meantime, we all need to be more aware of what we are agreeing to when we are online and using apps.
  
Photo by Billie P on Scopio
Where to Find the Privacy Professor
Here are just a few of the podcasts, webinars I’ve done and news articles I’ve written or been quoted within. 
I spoke recently with Corey Munson, VP of PC Matic, on his podcast about work from home security and privacy risks, and some specific risks that IoT devices within home work environments bring to businesses.
On this episode of Kim Hakim’s “And Security for All” podcast, Kim and I discussed “Everything you need to know about the Internet of Things”
NIST Cybersecurity for IoT Draft Guidance: Rounding Up the Requirements Fellow NIST authors and I presented key ideas on January 26, 2021.
I’m greatly honored to be a member of CompTIA’s new Cybersecurity Advisory Council! CompTIA Introduces New Cybersecurity Advisory Council. Top security executives will offer advice and guidance on staying ahead of cyber threats.

I was also honored to be named a top "100 Most Influential People in Cyber Security" by Cyber Security Newsletter.

Security Threats Soar From Nation-State Bad Actors as the New Year Gets Underway. Published in the Health Care Compliance Association journal.



GDPR regulators are sinking their teeth into violators. 2020's fines are proof. Cybersecurity Dive
 
2020 Was a Privacy Wake-up Call: Don't Go Back to Sleep in 2021! SecureWorld

Customer Data Privacy 2021: It's No Longer Just Business, It's Personal Panel discussion held Thursday, January 28, 2021.

And Security for All hosted by Kim Hakim on the Voice America Business Channel.



Shoering Up Security
On this episode of CompTIAWorld's Shoering Up Security, MJ Shoer and I talk about how to implement cybersecurity best practices—and how to get everyone involved in the conversation (not just IT). We also offer up advice for anyone thinking about starting their own business, as well as the terrific topic of women in tech.
On this Trility podcast, we discussed infosec and privacy specifically for senior living facilities.
Listen in to learn more about pandemic-era threats to consumer data security and privacy. 
The topic here was how to protect your home, kids, finances, health data and business from hackers. 

Here is another episode that covers privacy risks and impacts of contact tracing, IoT device use and the Surprising Places Your Data is Being Tracked.
Tips4Tech 12 Tech Resources
I was honored to be included in a list of a dozen resources for people turning to tech to help them through the COVID-19 crisis.

A couple recent industry articles to which I've contributed thoughts...
Defense-in-Depth (DiD) Strategies: Protect Higher Ed Users Against Cyberthreats
VA Did Not Disclose Huge Data Breach for 7 Weeks
My Radio Show
If you haven't checked out my radio show, Data Security & Privacy with the Privacy Professor, please do so. We discuss a wide range of real-world topics within the data security and privacy realm.

Latest Episode

Healthcare CISOs: Securing Patient Data & HIPAA Compliance with Mitch Parker, CISO/Exec Director, Indiana University Health


Next Episode

Defending the US Against Election Interference to Ensure Elections Integrity & Confidence in Their Outcomes With Matt Barrett, Co-Founder of US CyberDome and Chief Operating Officer for CyberESI.

New IoT Cybersecurity Drafts from NIST Will Impact the Ecosystem
On December 15, 2020, NIST released four new draft IoT cybersecurity documents to provide guidance for federal agencies and device manufacturers. Additionally, NIST is updating its catalog of IoT cybersecurity capabilities.
 
Please provide your feedback to NIST.
NIST Wants Your Feedback
In this video, Michael Fagan, technical lead for the NIST Cybersecurity for IoT program, and I, a subject matter expert (SME) on the NIST Cybersecurity for IoT program team, describe the path that led to the GitHub posting and its role in developing the Federal Profile.
The Privacy Professor | Website
Privacy & Security Brainiacs | Website
Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. March 2021 Privacy Professor Tips. www.privacyguidance.com.

NOTE: Permission for excerpts does not extend to images.