Every year on January 28th the privacy community gets together to remind people about their rights as individuals to have their personal information protected by the organizations that they share it with and to remember to take note and follow privacy best practices. This year, more so than others before it, Data Privacy Day is something consumers and businesses alike should stop and consider.
Why this year? Data breaches compromised billions — yes, that’s a “B” — of accounts in 2017, the largest reported hack being Yahoo’s three-billion compromised accounts. On the business side, a 2017 study from the Anti-Phishing Working Group reported that an average of 443 brands per month were targeted for phishing attacks in the first half of 2017, up from 413 per month during the same period in the previous year.
Here are nine tips for reclaiming your privacy on Data Privacy Day (Sunday, January 28):
1. Take advantage of free services like Have I Been Pwned? (HIBP) to see if your email address and account information have been compromised on websites you use. HIBP is currently tracking over 4.8 billion accounts impacted by various data breaches. Ideally, use a different password for your email account login (e.g., for Gmail, Yahoo, or Outlook) than the one you use for a website that requires an email address as your username. Do not be surprised to see your email address tied to a data breach; make this check the first step in reclaiming your privacy.
2. Review and update your social media account permissions and authorizations. Many services now use social login, which gives them access to your account information. Deleting the application later does not necessarily mean the service will delete your data.
3. Now that you’ve taken the time to remove access to your accounts from applications and services you are no longer using, consider deleting old apps from your phone, computer, and tablets.
4. Enable Two-Factor Authentication (TFA) on accounts when available. All of the major email services offer TFA for consumers requiring both a password and a number that changes every time you try to log in. These secondary codes are typically sent at the time of login via a text message, an email, or via an app/key associated with your account (e.g., Google Authenticator).
5. Commit to a regimented data backup plan for all the important documents, contacts, videos, and photos on your desktop PC, laptop, tablet, or phone. Next, create a calendar reminder to do this every month, or, better yet, automate a backup as frequently as possible. If you are using an external drive as your data backup, never leave the drive connected to the computer while not in use. Also, keep your backup drive in a protected, safe environment. Malwarebytes reported that ransomware was the most common type of malicious software distributed (more than 60% of cyber attacks in March 2017). As ransomware attacks increase, costing individuals and companies an estimated five-billion dollars in 2017 to have files unlocked, save yourself the pain and begin regularly backing up your data.
6. Another common method bad actors use to access your personal data is combing through the mail and other documents that you throw out with the garbage or recycling. Take precautions before disposing of old files and unwanted mail by using a paper shredder with a cross-shredding capability (P-4 security should be good for the home and office) and a privacy stamp to redact the most sensitive bits of personal information.
For businesses, consider these solutions to maximize protection of all stakeholders: customers, partners, employees, and your brand.
7. Enable email authentication for all of your domains: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC), including domains that don’t send email. If you’ve already enabled these, periodically review your records for problems such as stale IP ranges or “include” entries that are no longer needed.
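As an added example (not part of the original post), here is a small Python linter for the SPF and DMARC TXT records discussed above: it flags a missing record, a permissive `+all`/`?all`, more than ten lookup mechanisms, and a DMARC policy of `none`. The record strings are constructed samples; in practice you would paste in the TXT values returned by `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`, and note that the lookup count covers only the top-level record, not the records that `include:` pulls in.

```python
import re

# Mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
SPF_LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")


def lint_spf(record):
    """Return a list of findings for an SPF TXT record (empty = no issue)."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["missing or malformed SPF record (must start with v=spf1)"]
    findings, lookups, all_mech = [], 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is pass
        body = term.lstrip("+-~?")
        name = re.split(r"[:=/]", body, maxsplit=1)[0]  # mechanism name before its argument
        if name in SPF_LOOKUP_MECHS:
            lookups += 1  # top-level count only; included records add their own
        if name == "all":
            all_mech = qualifier + "all"
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    if all_mech in ("+all", "?all"):
        findings.append(f"'{all_mech}' lets anyone send as this domain; use -all or ~all")
    elif all_mech is None:
        findings.append("no 'all' mechanism; end the record with -all or ~all")
    return findings


def lint_dmarc(record):
    """Return a list of findings for a DMARC TXT record (empty = no issue)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["missing or malformed DMARC record (must start with v=DMARC1)"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("p=none only monitors; move to p=quarantine or p=reject")
    if "rua" not in tags:
        findings.append("no rua= address, so you receive no aggregate reports")
    return findings


# Constructed sample records (not any real domain's records).
SAMPLE_SPF_WEAK = "v=spf1 include:_spf.example.net ip4:198.51.100.0/24 ptr +all"
SAMPLE_SPF_OK = "v=spf1 ip4:198.51.100.10 include:_spf.example.net -all"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=none"
SAMPLE_DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
```

Calling `lint_spf(SAMPLE_SPF_WEAK)` reports the `+all`, and `lint_dmarc(SAMPLE_DMARC_WEAK)` reports both the monitoring-only policy and the missing report address.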
8. Become familiar with common social engineering tactics like:
Tailgating: an attacker, seeking entry to a restricted area, simply walks in behind a person who has legitimate access to a physical space.
Baiting: the real-world Trojan horse that uses physical media and relies on the curiosity or greed of the victim.
Spear Phishing: a technique that fraudulently obtains private information by sending highly customized and believable emails that users respond to.
9. For businesses, implement defenses against CEO Fraud. The US Federal Bureau of Investigation also calls this type of scam “Business Email Compromise (BEC)” and defines BEC as “a sophisticated scam targeting businesses working with foreign suppliers and businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.” Build safeguards into your process that require multiple authorizations or a secondary verification of these requests via a phone call between the requester and the individual who would execute the request.
These nine simple tips are meant to help empower both yourself and your corporation to take control of your privacy both online and offline. A few short minutes could save you from a lifetime of regret.