Why Are You Getting This?


You signed up to receive the Tips, initiated contact to stay in touch with Rebecca and/or Privacy & Security Brainiacs (PSB) or consented to receive the Tips. Please read our Privacy Notice & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.

Cybersecurity Doesn't Have to Be Scary! Here's How to Score Better Security & Privacy Awareness

October is International Cybersecurity Awareness Month! And this is the 20th year that this special month has been observed. There certainly are many scary cybersecurity and privacy threats out there. So this month let’s share some helpful information and help others score higher awareness of how to protect their privacy and better protect their personal data. We are providing a wide range of information in this month’s Tips that you can share, and that can jumpstart your brainstorming for other helpful ideas specific to your own situations.


We heard from some of our longtime Tips readers that their spam filters had stopped some of our recent Tips because we had included so many questions and answers, and beacons, that the length triggered spam blocks. Thank you for letting us know! We will ponder how to answer questions in other venues, like in blogs, or in videos on our YouTube channel, and then point to them from each Tips message. 


For this month we have limited our questions answered to four, and we’ve cut down on the number of beacons to be limited to ten. Let us know if you like this plan to make it more likely for the Tips to pass through your spam filter. And, let us know if you have other suggestions. 


Do you have stories, examples, or concerns about the topics covered in this issue that you would like us to provide feedback on? Send them over! We may discuss them in an upcoming Tips. 


We hope you are finding all this information valuable. Let us know! We always welcome your feedback. 



Thank you for reading!

Rebecca


We would love to hear from you!

October Tips of the Month



  • Monthly Awareness Activity
  • Privacy & Security Questions and Tips 
  • Data Security & Privacy Beacons*
  • Privacy and Security News
  • Where to Find the Privacy Professor

Monthly Awareness Activity

October is Cybersecurity Awareness Month! Since 2004, the President of the United States and Congress have declared the month of October to be Cybersecurity Awareness Month, a month dedicated to having the public and private sectors and tribal communities work together to raise awareness about cybersecurity risks and the importance of mitigating them. This year the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance have partnered and launched a new awareness program that encourages four actions every individual can take to stay safe online. As stated by these agencies, these include:

We generally agree with these actions. We do have some additional advice regarding password managers, based on the context of each situation and the associated risk considerations.

  • We prefer password managers that store your passwords locally, on devices you control, instead of cloud-based ones, where many privacy breaches and data destruction incidents have occurred. When using local password managers, you control the devices yourself. You can store the passwords on external drives and then keep one secured in your office, and another in a different physical location in the event of a fire, flooding, or other destructive event. Keep as many as you want or need to fit your living situation.
  • For those of you who have strong physical security at the place where you primarily use your computer (your home office, your bedroom, etc.), it is perfectly fine and a low-risk action to keep your passwords documented in a notebook. Just be sure to lock up your notebook when you are not at home and when others may be in the room where you keep the notebook. Ideally, if possible, simply keep it at all times in a locked, water-proof and fire-proof safe, except when you need to update your passwords or remind yourself of a password.
  • Related to this topic, consider putting information into your will about how your chosen survivors can get into your digital password manager, and/or into your safe, so they can use your passwords to download your data and delete your accounts, or take other actions, if these are things you’d want your survivors to be able to do.

 

Three more actions everyone should take to stay even safer online:

  • Make frequent backups of all your data, applications and systems and store them in secure locations (including offline) that are not connected to your network.
  • Secure your internet of things (IoT) devices; none of them come secured by default. And unplug your digital assistants (Amazon Echos, Google Homes, etc.) when you are not using them. Never forget they are listening and sometimes watching all the time.
  • Completely and irreversibly remove all data and applications from computing and storage devices before trashing, selling or giving them away.

 

What other activities do you suggest for Cybersecurity Awareness Month? Are you planning to do one of these suggested activities or your own? Or are you doing an awareness event for a different recognized day or week in September? 

Privacy & Security Questions and Tips

Rebecca answers hot-topic questions from Tips readers

October 2023

We are finally starting to see more publicly published comments, questions and tips from the general public about protecting privacy and improving security. After a few decades, this is a welcome, if slight, turn of the tide! However, more awareness is still needed, and will always be needed. No amount or type of new technology will ever replace the need for humans to understand and be aware of how to protect privacy, secure data, and comply with existing privacy and data protection legal requirements. Hacking and cybercrime are now in the news literally every day. 

 

We received a variety of questions about hacking tactics, as well as ongoing HIPAA and healthcare data questions. We’ve included four of the many questions we’ve received here and will answer the others elsewhere, or in upcoming Tips. Are the answers interesting and/or useful to you? Please let us know! Keep your questions coming!

Q: Will quantum computing impact the security and/or privacy of wireless connections? Kyla (US Midwest middle school student)


A: Kyla, we love your question! Thank you for sending it.

 

This is a complex topic that you have inspired me to address more fully in a blog post probably in early 2024. And, thinking about it, this would also be a great new online course. [Readers, let me know if you would find such a course helpful!]

 

Here is a short answer for now:

 

Let’s consider an increasingly common use case. Generally, all “smart” internet of things (IoT) devices are wireless, at least some of the time or through the devices connected to them. To secure those IoT devices, access to them should be encrypted. Currently, the strongest encryption used for such connections is WPA3, which uses GCMP-256 encryption.

 

The quantum computing threat comes from the unprecedented brute-force capacity and seemingly limitless advantage of quantum computers in solving a wide variety of computational problems. Breaking the public key cryptography algorithms that have been the strongest to date is one expected outcome of quantum computing. Cryptography experts and engineers have been debating this for years, but it is drawing nearer on the horizon. The timing of when quantum computing processors will break the currently strongest wireless encryption continues to be debated. However, we believe it is not a matter of if it will occur, but when. And when it does, the security and privacy of wireless connections will be significantly impacted.   

 

Something good to know is that the National Institute of Standards and Technology (NIST) is leading the development of new public key cryptographic algorithms that would take quantum computers an impractically long time to crack. Hopefully this work will produce much stronger tools that can be implemented before public quantum computing arrives.

Q: A friend of mine in the US said that when she took her fourteen-year-old daughter to the pharmacy to get a prescription filled, the pharmacist required her to explain why she was taking it. Isn’t this a violation of HIPAA?



A: I can certainly understand the concern. No one likes to have someone requiring personal information that is none of their business. However, such information often is the business of a pharmacist, who often needs to ask questions to ensure patient safety.


First, something important to keep in mind is the definition of a HIPAA covered entity (CE). In short, it includes pharmacists, who are generally healthcare providers under HIPAA. As healthcare providers, pharmacists must ensure patients bringing in prescriptions are getting drugs or other products that are going to help them and not hurt them.


Usually, the doctor filling out the prescription is not aware of all the possible harmful interactions of specific drugs with all the other drugs and prescribed products that their patient is taking, prescribed by other physicians. This determination of potential patient harm is a role that the pharmacist typically fills.


Pharmacists do not want to fill a prescription for one of their patients if the drug will have a harmful interaction with the other drugs or products (e.g., contact lenses, insulin pumps, etc.) that have been prescribed to the patient. Good pharmacists will, and should, ask the patient requesting a prescription some questions about the other drugs or products that they know have, or could have, harmful impacts on patients who are using them. One of these questions may be: why are you taking this drug? Based on the answer, the pharmacist can then ask other questions related to the patient’s health history, other medications being used, and other relevant issues.


If you ever believe a pharmacist is asking for information that is in violation of HIPAA, simply politely ask the following questions:

  • Why do you need to know this information to fill my prescription?
  • Is your question allowed under HIPAA?


One more important issue related to HIPAA compliance: Did the pharmacist ask this question with others not involved with the daughter’s healthcare within earshot? Some pharmacists may argue that this is a permissible “incidental disclosure.” However, if they are asking for this information in a way that doesn’t even try to limit who can hear the information, it could very well be considered a HIPAA violation by an HHS OCR HIPAA compliance regulator, upon subsequent investigation.


Personally, when I get a prescription filled, I try to go through the drive-thru, where, because of how the drive-thru is set up, the only person who can hear my conversation with the pharmacist is the pharmacist. In situations where I am inside the pharmacy, I provide answers using a notepad I carry with me. Not only does it keep those nearby from hearing what type of prescription I am getting, it also gives me an opportunity to discuss HIPAA Privacy Rule compliance with my pharmacist, and hopefully raise their awareness of the need to be discreet when discussing patient PHI and prescriptions.



Q: As voice deepfakes sound more like humans, even to computers that may be used to distinguish them, how much risk are deepfake calls to banks for committing fraud? What should banks and credit unions do to mitigate the risks of being victims of voice deepfake social engineering?


A: We are glad that you are addressing this quickly growing threat. First, here’s a brief overview of deepfakes for readers who may not be familiar with this term. Deepfakes are videos, audio, photos and text that were created using artificial intelligence (AI) to look and sound like a living person. And as AI capabilities improve, they are becoming extremely hard to differentiate from the real people they are purporting to represent.


There are some legitimate uses for these artificial representations of others, such as using the voice of an individual, with their knowledge and consent, to “read” scripts so that commercials or other business activities can be personalized in more ways, usually to save the individual’s time. However, deepfakes are quickly and increasingly being used by criminals for exploitation and fraud, such as pretending to be a CEO asking accounting or some other department to send funds to an outside entity, or to provide new login credentials. Deepfakes are also being used to mimic the voices of customers, employees, patients, and others when calling into identity verification systems to get access to account data and other digital assets, and for many other types of criminal activity.


I’m currently acting as an expert witness in a case where a deepfake voice called the manager of the HR department to request employee data. By using this as an example, I am not putting the case at risk; this exact scam has been successfully used at thousands of businesses.



Banks, credit unions, all other types of organizations, and even members of the general public, can take the following actions to help prevent being a victim of deepfake audio calls:

  • Establish policies and procedures governing the actions, data and objects that employees, including executives, can request by phone.
  • Within the procedures, include setting a type of passphrase to require from callers who request data files, funds transfers, and other business-sensitive information and actions.
  • Provide education to all employees about deepfakes.
  • Describe some red flags that could indicate the caller is a deepfake recording. A few red flags include:
      • Audio: Longer-than-usual pauses between words and sentences. The voice sounding flat and lifeless. Just generally sounding a bit off from normal.
      • Video: Long periods without blinking. Patchy skin tones. Lips being out of sync with the audio. More, or fewer, than five fingers on one hand. Blurring or flickering jawlines. Ears a completely different skin color from the face. And other curious or abnormal-looking characteristics.
  • Include examples of some actual deepfake calls.
  • Provide a demonstration of how to follow the procedures described above.
  • Assign a role, team or department with responsibility for addressing all deepfake reports. This centralization of responsibility will help to ensure consistent handling of such calls, and will allow for trends and metrics for deepfake attempts to be determined.
  • After developing deepfake policies, procedures, and reinforcing identity verification policies with training, incorporate deepfakes into incident response plans.
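One way the passphrase procedure and the centralized tracking of deepfake attempts described above can be implemented is shown below. This is an added example and not code from the original Tips or from Privacy & Security Brainiacs; the action names, caller identifiers and passphrase are constructed, and the choice of PBKDF2 for storing the passphrase is an assumption. The passphrase is never stored in the clear, the comparison is constant-time, and every attempt is recorded so the team responsible for deepfake reports can see which actions and callers are drawing repeated failures.

```python
"""Added example (not the newsletter's own code): gate sensitive phone requests behind
a shared passphrase and keep an attempt log the deepfake-response team can mine."""
import hashlib
import hmac
import os
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Request types the procedure gates behind a passphrase (names are assumptions).
GATED_ACTIONS = {"data_file", "funds_transfer", "credential_reset"}
PBKDF2_ITERATIONS = 100_000


@dataclass
class PassphraseRecord:
    """Only the salt and a PBKDF2 digest are kept; the passphrase itself is not."""
    salt: bytes
    digest: bytes


@dataclass
class AttemptLog:
    """Every gated request, successful or not, is appended here for trend analysis."""
    entries: List[Dict] = field(default_factory=list)


def _derive(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll_passphrase(passphrase: str, salt: Optional[bytes] = None) -> PassphraseRecord:
    """Create the stored record when the procedure's passphrase is set or rotated."""
    salt = salt or os.urandom(16)
    return PassphraseRecord(salt=salt, digest=_derive(passphrase, salt))


def verify_phone_request(record: PassphraseRecord, action: str, supplied: str,
                         caller_id: str, log: AttemptLog) -> bool:
    """Return True if the request may proceed.

    Routine (non-gated) requests pass without a passphrase. Gated requests are
    approved only when the supplied passphrase matches, compared in constant time,
    and the outcome is logged either way so failures are visible to the response team.
    """
    if action not in GATED_ACTIONS:
        return True
    ok = hmac.compare_digest(_derive(supplied, record.salt), record.digest)
    log.entries.append({"caller": caller_id, "action": action, "ok": ok})
    return ok


def failed_attempts_by_action(log: AttemptLog) -> Counter:
    """Metric for the response team: how many failed passphrase checks per action."""
    return Counter(e["action"] for e in log.entries if not e["ok"])


def callers_with_repeated_failures(log: AttemptLog, threshold: int = 2) -> List[str]:
    """Callers who failed the passphrase at least `threshold` times; worth a report."""
    fails = Counter(e["caller"] for e in log.entries if not e["ok"])
    return sorted(c for c, n in fails.items() if n >= threshold)


if __name__ == "__main__":
    # Constructed walk-through: one enrolled passphrase, a few constructed calls.
    record = enroll_passphrase("corn-river-2023")
    log = AttemptLog()
    print(verify_phone_request(record, "funds_transfer", "corn-river-2023", "ext-4421", log))
    print(verify_phone_request(record, "funds_transfer", "corn river 2023", "unknown-1", log))
    print(verify_phone_request(record, "data_file", "guess", "unknown-1", log))
    print(verify_phone_request(record, "office_hours", "", "unknown-2", log))
    print(failed_attempts_by_action(log), callers_with_repeated_failures(log))
```

The passphrase check is deliberately independent of who the caller claims to be; a convincing voice gains nothing without the shared secret, which is the point of the procedure. The log feeds the trend and metrics work that the centralized team is assigned.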

Q: We just purchased a home that is a “smart home.” We are the third owners of the home. The first owners built in the smart home features in 2017. I love the house. But I am worried about all these IoT devices. I feel like the walls have eyes and ears! What should we do to ensure all those devices are secure, and that our privacy is protected?


A: Congratulations on your new home! You have good instincts. Purchasing a smart home means you are probably also purchasing many computing products that have been built into the home. They likely have multiple wireless access points into the home network(s), and likely have many different cloud services that are accessing and gathering and deriving data from the home products, activities, sights and sounds.

 

If you just purchased the home, we are going to assume that you recently signed the contract and haven’t actually moved in yet. [NOTE TO READERS: We confirmed this was true with our questioner.] Here are some actions to take now. Ask the realtor to:

  • Provide a detailed list of all the computing and smart devices and products that will be left within the home as part of the purchase. This should include:
      • Any of the original owners’ smart products that the second owners didn’t use.
      • All the associated cloud services or other types of data collection or sharing services that are part of the devices and products.
      • The locations of the products throughout your house and property.
      • All associated components and their locations, such as routers, controllers, etc.
  • Provide the manufacturers’ and/or current owners’ instructions for each of those products and services.
  • Ask the current owners to completely remove all data associated with all the computing and smart products that are part of the home.
  • Provide a list of all the other entities that the current owners gave access to the computing and smart products. For example, the police, fire station, neighbor, etc. This way, if any of them ask you for access to your smart products, you can politely let them know that you are the new owner, and that you will not be giving them access to your smart products, or that you will require them to explain why they need such access before you decide whether or not to continue sharing access with them.
  • Provide the passwords/PINs/passphrases/keyfobs/etc. for each of the smart devices and products.

 

Then, as soon as you take possession of the home, reset all the passwords and other authentication credentials to strong passwords, and also implement multi-factor (“multi-step”) authentication (MFA).

 

For more information on internet of things (IoT) security and privacy, see our Privacy & Security Brainiacs e-books and infographic at:

Data Security & Privacy Beacons*

People and Places Making a Difference

We get many suggestions for beacons from our readers and from Rebecca’s podcast/radio show listeners; thank you! We include many of them when the suggestion is for a business other than the suggester’s own, typically one the suggester feels deserves recognition for noteworthy data security and privacy actions. However, we do not include businesses, organizations, or people trying to promote themselves to get free marketing, and we do not take payments to put organizations or people on this list. We do try to contact as many as possible after publishing our Tips to let them know we put them on our beacons list, though. If you have someone or an organization to suggest, let us know! We may include them in an upcoming Tips issue.

 

  • Members of the public. We’re seeing more discussions and warnings about security and privacy scams posted to a wide range of social media sites. The following is just one example of the types of warning we are seeing posted, which is quite appropriate to share during Cybersecurity Awareness Month! These posts generate a lot of interest, too. Notice the many comments for this post on NextDoor, which is a fairly small social media site, but is also quite active for these types of discussions.
  • Resecurity for identifying a large-scale smishing campaign targeting citizens of the US, UK, Poland, Sweden, Italy, Indonesia, Japan, and other countries, which they described in an informative recent post. In short, the cybercrook group was skillfully impersonating the United States Postal Service (USPS), Royal Mail, New Zealand Postal Service (NZPOST), Correos (Spain), PostNord, Poste Italiane and the Italian Revenue Service (Agenzia delle Entrate). This world-wide attack demonstrates that social engineering is still being used quite successfully to trick people out of their data, money, and often safety.
  • The Identity Theft Resource Center (ITRC) Report that identified the human cost of identity crimes. One finding that stood out to us: sixteen percent of identity crime victims considered suicide, which is double the rate from the 2021 research. Too many organizations consider only the impacts to their businesses when the personal data they are responsible for protecting is breached. They need to also consider the impacts to the victims.
  • Snopes for providing a good reminder, and a detailed description, about the recurring rumor that Facebook is going to charge people to use it. This rumor re-emerges every year or two. Keep in mind that Meta makes money from all their advertisers, and they want as many people using Facebook as possible. Since they would probably lose a lot of Facebook users, along with advertisers, if they started charging to use it, charging people to use it would be a very bad, and surprising, decision for them to make.
  • Sammy Hagar with Eddie Van Halen featured on bass (yes, bass!), while Sammy played guitar for the song, "Privacy." Yes, we know this is a song from 1987, but we just discovered it, and wanted to share. Check out the lyrics. Wonder how many wireless access points (APs) Sammy’s current car has, and if he’s even aware of all such APs? Maybe he could add another stanza for today’s smart vehicles. 😊
  • AARP Fraud Watch Network. I've seen many of my contacts on FB, LI, NextDoor, and other social media sites warning about IRS imposter scams. The AARP put out a nice PSA about this over the summer. Check it out for some great advice.



  • PC Magazine for a couple of their recent articles that are apropos for Cybersecurity Awareness Month!
  • From Whitson Gordon, “Don't Freak Out: How to Save Data From a PC That Won't Boot. If you have important data trapped on a computer that's not working, there are ways to recover it. You should already have a backup, but here's what you can do in an emergency.”
  • From Eric Griffith, “Shield Your Internet History: How to Clear Your Cache on Any Browser. Don't let your internet history fall into the wrong hands. It's a good idea to delete your browser history and internet cache on occasion. Here's how to do it on the desktop and mobile.”

*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. They simply highlight noteworthy examples of privacy-aware practices.

Privacy & Security News

Visit the PSB News Page often!

Hey! Did you know that we have a Privacy & Security Brainiacs page on LinkedIn? Well, we do! Please “follow” our page. We provide a lot of news, tips, advice, and other helpful information on our site. Our goal is to post 3-4 times a week. We’d also love to see your comments and thoughts on our posts.

Check It Out!



We have received excellent feedback on our course, HIPAA Basics for Business Associates 2023 Edition. Our course includes more direct-experience insights, examples, guidance, supporting supplemental materials, and more meaningful course quizzes and associated certificates of completion than other vendors’ courses. Similar statements have been made about our HIPAA Basics for Covered Entities 2023 Edition course. The real-life experiences and the many supplemental materials included within the courses are updated as changes occur, so our clients and learners can use their Privacy and Security Brainiacs portals not only for learning, but also to keep up with regulatory changes, and even to store their organizations’ security and privacy policies. Please check them out! 


Students of each Master Experts “Online Education” course receive certificates of completion showing the course name, length of the class to use for their continuing professional education (CPE) credits for the class, date completed, and any applicable information about the associated exam score. The certificates will also reflect how well students did in the class and much, much more. Have questions about our education offerings? Contact us!

Where to Find the Privacy Professor

Rebecca is Speaking at CornCon in October!

Consider attending the highly prestigious while never pretentious CornCon, on the Mississippi River in Davenport, Iowa, October 5-7, 2023. Rebecca will be delivering a talk intriguingly titled:



It’s Not Always a Rattlesnake Just Because It Rattles: Everything I Learned About Risk Management I Learned on the Farm.


Rebecca’s Radio Show


If you haven't checked out Rebecca’s radio show, Data Security & Privacy with the Privacy Professor, please do so. We discuss many real-world topics within the data security and privacy realm.



Latest Episode



First aired September 2, 2023


Tom Kemp


Tom Kemp, author, “Containing Big Tech: How to Protect Our Civil Rights, Economy, and Democracy”  


Need More Privacy? Write the Privacy Law We All Need!


Want a new privacy law? Well, don’t just sit there; get up offa that thing, get that new privacy law drafted into a bill, and then passed into law! Want to know how? Tom Kemp is on the show to tell you!




Next Episode


First airs October 7, 2023


Dr. John Johnson


The History, Mystery, and Rise of AI at CornCon!


Dr. Johnson describes why he created the wildly popular cybersecurity conference, first held in 2015, in Davenport, Iowa on the banks of the Mississippi River. He also describes the goals for the conference, how it is unique from others in offering a children’s hacking bootcamp, and a hacking contest for teens, along with two days of sessions and activities for professionals.

The Privacy Professor | Website

Privacy & Security Brainiacs | Website

Facebook  Twitter  Linkedin  

Permission to Share



If you would like to share, please forward the Tips message in its entirety. You can share excerpts as well, with the following attribution:


Source: Rebecca Herold. October 2023 Privacy Professor Tips

www.privacysecuritybrainiacs.com.


NOTE: Permission for excerpts does not extend to images.


Privacy Notice & Communication Information


You are receiving this Privacy Professor Tips message as a result of:

 

1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com or

2) making a request directly to Rebecca Herold or 

3) connecting with Rebecca Herold on LinkedIn


When LinkedIn users invite Rebecca Herold to connect with them, she sends a direct message when accepting their invitation. That message states that, in the spirit of networking and in support of the communications that are encouraged by LinkedIn, she will send those asking her to link with them her monthly Tips messages. If they do not want to receive the Tips messages, the new LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com.

 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.