14 ways to keep your data safe on Data Privacy Day

If you're not already focusing on Data Privacy Day, it's time to join the effort. Here are some suggestions on how to observe this important day and improve your chances of keeping your data private.

Observing Data Privacy Day the right way

This Saturday, January 28th, marks the 10th anniversary of Data Privacy Day -- an international holiday meant to raise awareness of the importance of privacy and data protection. Initiated by the Council of Europe in 2007, Data Privacy Day was adopted by the U.S. a few years later. 

In light of the ever increasing number of data breaches and persistent problems with identity theft (many billions of dollars lost to consumers each year), this tenth anniversary of Data Privacy Day calls for us to focus on a steady promotion of privacy precautions. It calls on you to resolve to improve your privacy program and to pay more attention to the ways that you use, store, and share your personal data.

Know the difference between privacy and security

An important first step is to understand the difference between privacy and security. While closely related, the terms "privacy" and "security" do not mean the same thing. Privacy concerns the appropriate collection, use and storage of information, keeping private information private; the term is generally applied only to personal information.

Security, on the other hand, refers to the protection of systems and data from compromise and exposure. It comprises the practices that need to be in place to ensure that (1) information isn't accessed or altered by unauthorized individuals and (2) data remains accurate and available when needed.

Privacy asks whether you can see through someone's window. Security asks if you can break in. You need to make sure that your data is both private and secure. 

Value privacy

Privacy is critical to both individuals and to businesses. Individuals need to guard their financial accounts, medical information, etc. and protect themselves from identity theft. Companies need to protect private information that is stored and used on their systems -- whether customer or personnel data.

When you get down to it, personal and corporate information is like money. You need to value and protect it. Never lose sight of the potential damages to your finances and reputation if it is compromised.

Need help forming an image of the problem? Take a look at this recently updated graphic from Information is Beautiful that shows data losses greater than 30,000 records.

Now, let's look at some of the steps that you can take to help keep private data private.

Review privacy policies

For those of you responsible for managing and protecting private information, review and update your privacy policies, data security policies and incident response plans on at least an annual basis.

Make sure that all types of personal data, known risks, and precautions being taken are spelled out; that any recent changes in your procedures are reflected; and that your organization is following the rules as they are written.

Your plans should include solid data protection plans, reliable backups, access restrictions, and strategies for detecting signs of data compromise.

Set passwords to expire

Do you know what the biggest security risk is to an organization? People.

That is why system admins need to stay on top of things. Expire users' network passwords at least every three to four months, configure the system so that a password cannot be changed back to a previous or recently used one, and enforce reasonable complexity requirements. One caveat for readers applying this advice later: NIST SP 800-63B, published in June 2017, no longer recommends forcing periodic password changes for their own sake; it recommends screening new passwords against lists of known-compromised values and forcing a change when there is evidence of compromise.

Use passwords that are hard to crack

Speaking of passwords, do you know how easy it is to crack a password? Maybe easier than some people realize.

That is why, in addition to periodically changing your passwords, you should make sure the new ones are going to be hard to crack. Remember that the minimum length and complexity levels have gone up considerably. A password that was good ten years ago might be easy to crack today. A minimum length of 12 or 14 characters should be considered.

Change your passwords often and never use the same password across multiple accounts. Utilize strong passwords and use two-factor authentication whenever you have the option; yes, it takes a little more effort, but it makes it considerably more difficult for anyone to log into a system with your credentials.
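The checks the two password slides describe can be enforced in code at the point where a user sets a new password. The following is an added example written for this page, not code from the original article or from any vendor mentioned in it. It enforces a 14-character minimum, at least three character classes, no reuse of the last five passwords (compared against stored salted PBKDF2 hashes, so old plaintexts are never kept), and a screen against a breached-password list; the list here is a constructed stand-in for a service such as Have I Been Pwned. It also prints a worst-case brute-force time to show why the old 8-character standard no longer holds. The guess rate of 10 billion per second is an assumption standing in for a modern GPU cracking rig.

```python
"""Password policy checks: length, character classes, reuse of recent
passwords, breached-password screen, and a brute-force time estimate.
Added example; not code from the original article."""
import hashlib
import math
import os

MIN_LENGTH = 14          # the article suggests a minimum of 12 or 14
MIN_CLASSES = 3          # of: lower, upper, digit, symbol
HISTORY_DEPTH = 5        # how many previous passwords may not be reused
PBKDF2_ROUNDS = 100_000

# Constructed stand-in for a breached-password list (e.g. Have I Been Pwned).
# Stored as SHA-1 digests so the plaintexts never sit in the code base.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "Winter2017!", "qwerty123456789")
}


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest). Store both; never the plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def reused(password, history):
    """True if the candidate matches any of the last HISTORY_DEPTH stored hashes.
    Each old entry has its own salt, so the candidate is re-hashed per entry."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hash_password(password, salt)[1] == digest:
            return True
    return False


def char_classes(password):
    """Number of distinct character classes present."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def charset_size(password):
    """Alphabet an exhaustive attacker must cover, given the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33   # printable ASCII punctuation and space
    return size


def brute_force_years(password, guesses_per_second=1e10):
    """Worst-case exhaustive-search time in years at the assumed guess rate.
    This is an upper bound: dictionary and rule-based attacks find common
    passwords such as 'password' in a fraction of a second regardless."""
    combos = charset_size(password) ** len(password)
    return combos / guesses_per_second / (365 * 24 * 3600)


def check_new_password(password, history, breached=BREACHED_SHA1):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(password) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if hashlib.sha1(password.encode()).hexdigest() in breached:
        problems.append("appears in a breached-password list")
    if reused(password, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed history: the user's one previous password, stored hashed.
    history = [hash_password("OldPassword!2016x")]
    for candidate in ("password", "OldPassword!2016x", "Winter2017!",
                      "correct horse battery staple 9!"):
        years = brute_force_years(candidate)
        print(f"{candidate!r}: {years:.2e} years to exhaust; "
              f"problems: {check_new_password(candidate, history) or 'none'}")
```

Note that the policy rejects a password in the breached list even when it satisfies every other rule, which is the screening step NIST SP 800-63B later made the primary control; the history check is what prevents users from cycling back to an old favourite after a forced change.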

You also might want to check out a password meter to see how various passwords measure up to some fairly tough scrutiny, and if you find you can't remember all your carefully wrought passwords, use a password manager.

Send reminders

Another good habit to get into periodically, if you manage people or are responsible for protecting sensitive information, is sending notices to employees reminding them:

  • about the proper procedures for handling sensitive information;
  • of some of the ways that systems and accounts get compromised; and
  • to review and update their SaaS profiles and other security settings.

Review access rights

In the business world, collaboration is reaching new heights, and as a result, collaboration tools are ubiquitous. That is all well and good, but from a security standpoint, collaboration tools are one more thing to monitor.

To make sure data is secure, regularly review and update account access and permissions for collaborative tools and shared applications. Be sure to verify that all accounts and privileges are still needed and that no one has more access than they require.
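A periodic access review is easier to do consistently when it starts from an export of who holds what. The following added example, written for this page and not taken from the original article or any collaboration product, runs three checks over such an export: accounts with no activity for more than 90 days (confirm they are still needed), owner or admin roles held by anyone outside an approved list (least privilege), and guests from outside the company domain. The export rows, the 90-day threshold, the example.com domain and the approved-admin list are all constructed assumptions; a real review would feed in the audit or sharing export of the tool in question.

```python
"""Access-rights review over an exported permission list.
Added example; export format, domain and thresholds are assumptions."""
from datetime import date

STALE_AFTER_DAYS = 90                      # assumption: idle longer than this needs justification
PRIVILEGED_ROLES = {"owner", "admin"}
COMPANY_DOMAIN = "example.com"              # assumption
APPROVED_ADMINS = {"alice@example.com"}     # assumption: who may hold owner/admin
REVIEW_DATE = date(2017, 1, 28)             # Data Privacy Day, the day of the review

# Constructed export: (user, resource, role, last active ISO date)
EXPORT = [
    ("alice@example.com", "finance-share", "admin", "2017-01-20"),
    ("bob@example.com", "finance-share", "editor", "2016-08-01"),
    ("carol@example.com", "hr-drive", "owner", "2017-01-15"),
    ("contractor@partner.example", "hr-drive", "viewer", "2017-01-27"),
    ("dave@example.com", "eng-wiki", "editor", "2017-01-25"),
]


def review_access(entries, today=REVIEW_DATE):
    """Return (user, resource, finding) tuples for every grant that needs a decision.
    A single grant can produce more than one finding."""
    findings = []
    for user, resource, role, last_active in entries:
        idle_days = (today - date.fromisoformat(last_active)).days
        if idle_days > STALE_AFTER_DAYS:
            findings.append((user, resource, "stale"))
        if role in PRIVILEGED_ROLES and user not in APPROVED_ADMINS:
            findings.append((user, resource, "unapproved-privilege"))
        if not user.endswith("@" + COMPANY_DOMAIN):
            findings.append((user, resource, "external"))
    return findings


def describe(finding):
    """Turn a finding into the question the resource owner has to answer."""
    user, resource, kind = finding
    questions = {
        "stale": f"{user} has not used {resource} in over {STALE_AFTER_DAYS} days; still needed?",
        "unapproved-privilege": f"{user} holds owner/admin on {resource}; reduce to the role actually required?",
        "external": f"{user} is outside {COMPANY_DOMAIN} and can see {resource}; is the sharing still intended?",
    }
    return questions[kind]


if __name__ == "__main__":
    for finding in review_access(EXPORT):
        print(describe(finding))
```

The output is a short list of questions rather than automatic revocations: the review is the owner's decision, and the script's job is to make sure no grant is skipped.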

Choose security over convenience

Organizations know that they need a cybersecurity plan, but many companies merely check the boxes instead of really making sure they are safe. If you work for such a company, carefully review the security of systems and applications that contain sensitive or personal data.

Migrate from “freemium” file sharing services that sacrifice security for convenience to business-grade alternatives when the risk warrants it.

Always choose security over convenience when sensitive data and privacy might be at risk.

Provide training

Remember how we said that people are the biggest security risk to an organization? Besides encouraging employees to change their passwords, there is more you should do.

Conduct annual security and data privacy awareness training for your staff, reminding them of the sensitivity of data they are protecting, the many threats, and the risks to your customers and your business if systems are breached.

Provide tips and reminders

Along the same lines, distribute tips to employees to help raise awareness of social engineering scams such as spam, phishing and spoofing, but don't overdo it or they're likely to stop paying attention. For example, remind employees not to use their work email for personal matters and how best to protect sensitive data.

Reminders are important in keeping your staff focused on data security and privacy concerns.

Use encrypted connections

Check that encryption is used for communications and data sharing to protect data in transit (HTTPS rather than HTTP, SFTP or FTPS rather than FTP, TLS for email and chat), especially for any services that access or update sensitive information. Otherwise, network sniffing tools can grab private data and credentials straight off the wire.

Check on those cookies

Be careful with cookies: they are widely used for tracking and data mining. Though cookies are intended to make your use of websites easier, they may contain identifiers, session tokens and sometimes personal information tied to your online activities, and malware that steals them can impersonate you on the sites you are logged in to.

Periodically remove cookies from your system or set your browser to remove them on exit.

Consider:

  • deleting cookies when you're done browsing;
  • using a firewall to protect your system so that malware is less likely to get a foot in; and
  • securing your browser to the extent possible.

Don't reply to spammers

Never reply to spammers (even to cuss them out). It only encourages them and gives them more information. Even just your confirmation that they've got someone "live" on the other end will be of value to them and will likely lead to additional spam. Anything more you share is a bonus. Don't give them a bonus.

Protect your reputation

Your reputation is important to maintain. Share with care. What you post is, for all intents and purposes, posted in perpetuity.

For individuals, life as you know it can be very seriously damaged if you become a victim of identity theft. What you post online can come back to haunt you. It can affect your career if a potential employer runs across it. It can be read and misconstrued by people you care about. Even just mentioning that you're leaving for vacation can be risky (someone might notice and break into your house while you're gone).

For companies, the cost associated with breaches of customers' private information can be outrageous. Fortune Magazine said last year that, on average, the cost of a breach had risen to $4 million.

How would your organization stand up to the Corporate People's Court?

Check privacy settings

Almost everyone uses social media, but you have to make sure your information is safe.

Check the privacy settings on your social media accounts and be careful what you share. Make sure your default setting is to share only with trusted friends. Consider setting up multiple groups and make your posts available only to the most restrictive group that meets your needs (e.g., family and close friends, versus everyone you know). And watch out for imposters! Sometimes people set up accounts so that they appear to be someone you know.

Always share with discretion. Avoid posting anything that might embarrass you -- or anyone else -- later.

Remember that on most social media sites, some information is available to everyone, friend or not. This typically includes your username, profile photo, gender, etc.

Consider routing some of your online activity through an anonymizing service such as the Hotspot Shield VPN.

A good resource for setting your privacy settings is available from the University of Texas at Austin's Center for Identity.

Use a shadow account

Along the same lines, consider using a secondary “shadow account” (rather than your normal personal account) for your very public social media activities to limit your personal exposure. Anyone offended by anything you say or overly interested in finding out more about you will not get much deeper than your very public rantings.

Don't post details about your work life on personal social media sites.

(Hat tip to Globalscape and Optiv for speaking with me and contributing some of the ideas for this slideshow.)