I hope you enjoy the images throughout this month's Tips Message. Some were captured in my own backyard, others on a recent trip to Melbourne, Australia. What an amazing first-time trip to this part of the world!

  As Predictable as Changing of the Seasons


It seems we can barely go a day without hearing news of another data breach or security hack. As I'm writing this, the U.S. White House is reporting it has just been hacked. The exploitation of security vulnerabilities, it seems, is about as predictable as the changing of seasons.


Whether it's spring or fall where you live, you are no doubt surrounded by immense opportunities to make a difference in the safeguarding of information. 


Read on to see what is happening in the world around you and keep in mind the different ways you might make a difference. Maybe it's as simple as changing your passwords more frequently; maybe it's as major as proposing a new training or security policy to your company's CEO. Whatever your contribution, please know it is important and appreciated. 


Spring into Privacy Action


Highest office in U.S. shines light on card fraud

Consumers in the U.S. got another hint as to the threat posed by cybercriminals this month. That's because U.S. President Barack Obama signed an executive order, which he coined BuySecure, to create improved security of credit- and debit-card payments. The same day, the Federal Bureau of Investigation (FBI) released a report advising financial companies to beef up their security after 500 million financial records were hacked in the U.S. over the past 12 months.

It is good to have this encouragement for everyone to address privacy and information security from the federal government. Every little bit helps. Ultimately, however, we are each responsible for our own actions (or inactions, as the case may be). It will be interesting to see how much impact reports and executive orders ultimately have on the average American's security measures.

I referenced Obama's BuySecure in my recent appearance on the Great Day morning show. Have a listen and then let me know what you predict the impact will be.


More industries wake to privacy issues


Connected medical devices, when operating with lax security, are among the scariest threats consumers today face. It's tempting to think, "No one wants to do little-old-me harm," or worse, "No one wants to do my patients harm." But the fact is, sometimes hackers just hack. They don't need an elaborate, diabolical plan. They simply want to prove they can. And it is also important to remember that without security controls, mistakes made with medical device settings could lead to tragic consequences.


What's more, the data contained on medical devices could not be more intimate. Imagine combining data on a patient's heart rate at a particular time of day in a particular location. Think of the conclusions (both real and false) that could be made by analyzing the most private details of a person's day.


So far this year, the FDA has approved nearly two dozen digital health-related smartphone-connected medical devices and standalone apps. In recent months, I've been working with a group of 252,000 medical device folks to help them understand the need for security controls and HIPAA practices. This is not only to prevent attacks or lessen the chances of unwanted data collection and sharing; it's also to reduce the impact of mistakes. After all, these devices are often controlling when and how much medicine is sent into our bodies. 


Here is one of the free tools I provide to help them understand how to create more secure medical devices that will also help to protect patient privacy. 

South Wharf is a suburb of (actually enclosed within) Melbourne. Its population... 66!


Summer Sizzles with Hot Threats


DDoS creeps in through common apps


Distributed Denial of Service (DDoS) attacks are nothing new. What is new is the number of seemingly benign programs that can lead to these attacks against consumers and businesses alike. Take Skype, for example. A voice-over-Internet (VoIP) application, Skype allows users to resolve other Skypers' usernames to return an IP address. Once a DDoS hacker has that, he has everything he or she needs to send useless data to your network and cause any number of issues.


Fortunately, there is a fix, as explained on this thread at Arena Junkies. For most of us, these tips will go beyond our skill sets. However, sharing it with your IT department head or other such expert may prevent DDoS attacks at your organization.


The threat is coming from inside


The insider threat is a long-time, and yet growing, problem. A high-profile incident in the U.S. recently shined a bright spotlight on the issue when a Chicago airport employee set fire to a facility, effectively shutting down one of America's busiest travel hubs. The actions of one rogue employee were felt for days.  


While the incident itself was indeed troubling, I was more surprised there was no roll-over contingency operations center in place in the event something catastrophic took out the O'Hare operations center. It goes to show that every business needs to be prepared for the unimaginable. Here's more on developing your own business continuity and disaster recovery plans. 

Fortunately, a wallaby crossing your path isn't the same as a black cat. (Look close and you can see this one has a joey on board, peeking out!)


Fall Colors Inspire New Ideas


Social media affects parents as much as kids


Just when you think you've got your own online behavior in check, at least one judge has a warning for you - your children's Facebook posts are your responsibility, too.


Georgia Judge John J. Ellington presided over a case in which a teen was accused of posting cruel remarks about a fellow classmate. Although the judge indemnified the parents from responsibility for the actual post, he did find them negligent in failing to remove the post (it remained online for nearly a year).

A word to the wise, keep an eye on the accounts of your kiddos. If you're looking for detailed advice and best practices, check out this Mashable article.   


New ransomware variants hit the streets

The U.S. and Canada recently teamed up to raise awareness of ransomware, a type of malware that infects a computer and restricts access to it until a ransom is paid. Don't let your computing devices be taken hostage!


US-CERT and CCIRC recommend users and administrators take the following preventive measures to protect against a ransomware infection:

  • Perform regular backups of all critical information to a separate device, and store backups offline.
  • Maintain up-to-date anti-virus software, operating systems and software patches.
  • Do not follow unsolicited web links in emails and use caution when opening email attachments.
  • Follow safe practices when browsing the web.  
A koala I met while visiting Phillip Island... it came right up to me!

Winter Doldrums Don't Stifle Mistakes 

Data analytics lumps us into categories


If I had a nickel for every time some said the following to me, I'd be a wealthy woman:


I don't care if my privacy is invaded. I don't have anything to hide.


While that may be the case, big data analytics puts even the most innocent elements of our lives under a microscope. Something as small as a Google search or a Facebook "Like" can lump you into a group of people with whom you would never, in "real life," associate or be connected to in any way. And, it could also label you as participating in a topic or plan that you really have no involvement with whatsoever.


Making assumptions is human. Take a recent confrontation between a city cop and a disc golfer, for example. The police officer assumed that because the man he stopped on the road plays disc golf, he also uses marijuana. Obviously, not the kind of professionalism one would expect from the police.


But humans are not perfect, right? We're also not the only entities capable of making assumptions. As Big Data analytics grows and becomes more available, marketers, law enforcement, government officials, insurance companies and more will rely on it to categorize and make decisions about you. What assumptions will they make and what impact will it have on your life, your job, your insurance premiums and more? It's something we need to be aware of, and more of us need to question those using Big Data analytics about.


Facebook will share data


According to Time Magazine and many others, Facebook is set to share data on its millions of users with companies looking to sell targeted ads outside the company's social network. And in Australia, at least one of those companies is a major credit card provider, Mastercard.


While Facebook promises this data will be anonymized, that does not mean analytics can't "figure out" who you are or reveal the intimate details of your life, your habits and your personal connections. As users, we must all be aware that our activities and preferences are being tracked, stored and now shared with marketers. And for all the marketers out there, you must also be aware of your responsibilities to keep the data you are mining safe and secure.


I recently shared 14 things to keep in mind while marketing on social media. Have a look and let me know if I've missed anything. 


The colorful princess parrot watched us go by.

New HIPAA Risk Awareness Evaluation Tool!

Over the years, I've seen a great need for organizations to be able to quickly and economically determine the high-level HIPAA compliance risks that exist throughout their organization. I've also done work for many covered entities (CEs) to determine the risk levels of their business associates (BAs).


I've had a vision for being able to provide this help online since 2010. Therefore, I'm really excited to have finally found a great business partner who has been able to create this first-of-its-kind HIPAA Risk Level Evaluator!  


For the next few weeks or months (I've not established a set time yet) I'm providing a scaled-back version of it free. I'd love for you to take a few minutes to answer the questions, view the report that is generated and give me feedback. I can then make any tweaks and changes based upon your feedback. For those of you who have already sent me feedback, a heartfelt THANK YOU! I'm making changes as you read this based upon some great suggestions. I welcome more feedback from everyone else. 


After this initial free introductory period, am currently planning to sell a more feature-full and capabilities-rich version of it for $295. Please Click Here to be taken to the evaluation. And again, please send me an email to provide your feedback! Plus, if you're curious about the additional features of the retail version, I can describe those to you also.



A Gift to You to for the End of National Cyber Security Awareness Month


In honor of National Cyber Security Awareness Month, I created a free one-page infographic for the general public to use to help them remember some of the most common types of information security and privacy risks that they need to address throughout the course of their daily lives. Print it off and put it on the wall by your computer to help keep you and your family and friends aware of the many privacy and information security risks that are out there, and what you can do to help defend against them.







Privacy Professor on the Road

Only two public events to go until my speaking tour is concluded for 2014. 


November 16: I will provide tips to protect your personal information as we head into the holidays to my North of Grand (NoG) neighbors, and all others who want to attend, at the NoG Annual meeting at the Scottish Rite Park Penthouse. See the bottom of page one in this season's neighborhood newsletter


November 20: Facilitating a privacy initiatives breakfast for invited executives at the ISACA Information Security and Risk Management (ISRM) Conference in Las Vegas, NV.


Questions? Topics?

Do you have any topics you'd like to see me discuss on the Great Day KCWI morning show? Or, any you'd like for me to answer in my next monthly Privacy Professor Tips? Please let me know by sending an email!


Need Help?


If you need any help with information security or privacy training and awareness, or if you must comply with HIPAA and need help (especially important now that the Omnibus Rule has gone into effect), please check out my SIMBUS site (http://www.hipaacompliance.org) or get in touch with me; I would love to help you!


You Have My Permission to Share


I receive a lot of requests to repurpose the information contained in these Tips messages, so I wanted to drop a quick note in here to say, "Yes, I approve!" Feel free to forward this in its entirety to others. If you want to use only excerpts, then please use the following attribution so that others will know where to find me if they have additional questions about the material you pass along. **NOTE: This permission for excerpts does not extend to the images in this email. These are all my personally taken and owned photos. If you want to use them, contact me.


Source: Rebecca Herold (a.k.a. The Privacy Professor), privacyguidance.comrebeccaherold@rebeccaherold.com






Happy Halloween!
Regardless of where you call home, I hope you get to enjoy at least a mild change of beautiful nature as the seasons pass. Not all locales experience the dramatic swings in temperatures as we do here in the middle U.S., but I imagine there is simply a different feeling in the air anyway as holidays approach, different plants and produce are in bloom, and the length of the days change. And I know I will be thinking about all I have to be thankful for here in the U.S. as I gather with my family on November 27th to celebrate Thanksgiving Day.


As you enjoy the changing of the seasons, take a moment to consider the changes you can make to your own privacy and security measures. There is always room for improvement...I know I am constantly finding ways to improve!

 Have a safe and beautiful season, and see you next month!

The Privacy Professor®
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564