Prove You Care by Prioritizing Privacy
With Valentine's Day just around the corner, I'm devoting this month's Tips message to the less obvious ways people can show they care for one another. When we care about someone, we put him or her first. We take special precautions to keep them safe, and we go above and beyond to make life easier for that person.
But caring is not just for family members, friends or people in love; it's a conscious choice made by every day by admirable company executives, technology developers, healthcare workers, civic leaders and others in influential positions. Increasingly, these individuals can demonstrate caring for their employees, consumers, patients and constituents by taking the steps to keep their personal information private and secure.
Read on for what I hope will inspire you to consider ways you can show you care by prioritizing privacy... both for yourself and the important people in your life.
War Driving on Data Privacy Day
What a fun day I had on Wednesday! For the sixth year in a row, I was successful in securing the Iowa governor's proclamation of January 28, 2015, as Iowa Data Privacy Day. The date coincided with the international Data Privacy Day organized by the National Cyber Security Alliance.
To bring even further awareness to the date, I appeared on two news broadcasts in Des Moines, Iowa
On each of the segments, I got to share the results of my recent "war-driving" exercise, during which I drove the residential streets of Des Moines to see which of our capital city's neighborhoods had the best (and worst) incidents of unsecured home wireless networks. It was a very eye-opening (not to mention, time-consuming) experience. (My son and I logged over 8 driving hours for this project!). We found more than 3,300 wireless networks in the six residential neighborhoods we drove through.
You can see the results of my war-driving research here, and watch one of the two news segments on Great Day's YouTube channel, and see the news segment on the Des Moines ABC affiliate here.
I'd love to hear how you celebrated Data Privacy Day in your neck of the woods. Drop me a note to share your activities.
10 Important Actions for Securing Wi-Fi Networks
Please feel free to download and share this list of 10 Wireless Security Tips I created for consumers and businesses.
1. Use WPA2 Encryption. Do not use other older versions, they are all breakable.
2. Make Sure all Wireless Access Points are Secured. Don't forget to check your printer to be sure it is not a wireless access point, or apply the same security to it if you want it to be one; it will defeat all the security you have put into your router.
3. Put the Wireless Router in a Location with Security in Mind. For example, if you put it in the basement or in a room furthest away from the street it will be harder for the free war-driving apps to identify it.
4. Do *NOT* Use Default Passwords. Create new, strong passwords for all wireless access IDs, especially the Admin Password!
5. Change the Default SSID Name (the name you give to your wireless network). Make it something that will not tell a hacker anything about you, or the type of router you are using.
6. Periodically Review Your Device Lists. See the types of devices that are connected to you network; you may find an unwanted intruder by doing so.
7. Turn off Guest Networking. It usually only takes one click to turn it off. If you want to turn it on for your house guests, do so while they are at your house, then turn off when they leave.
8. Use MAC Address Filtering. Creating a MAC address filter allows you to grant or deny access to your wireless network based on specific devices.
9. Keep your Routers Updated with the Latest Security Patches. Router vendors create and post new firmware for their products to their sites. Sometimes, often to patch security holes. Newer routers can be set to send you a notification when firmware updates are available.
10. Use Firewalls. Most routers have some sort of firewall or WAN protection built into them to guard the device from digital threats.
Guard the Backdoor
In a recent blog post for ISACA, I explored the dangers of backdoors, such as hardcoded passwords, built into various security technologies.
It's a sure thing. This incredibly dangerous practice will almost surely result in significant system outages and program mistakes. History demonstrates so-called "secret" technology has put associated systems at risk, leading to breaches and other costly security incidents.
Consider a real-life example. In 2013, security company Barracuda had an undocumented backdoor in its security tool. When publicized, it became extremely unsafe and Barracuda's customers said they didn't want it. There is no such thing as a "secret" backdoor if even one human knows about it.
Humans are the weakest link. Even trusted insiders present the greatest threat to systems and information. Regardless of whether you thought he was right or wrong in his actions, Edward Snowden has become the poster child for the high risks and consequences of trusted insiders that break their promises to keep the secrets.
Innovation becomes the victim. When weak security caused by things like backdoors is exposed, it harms the nation economically. With every passing privacy breach, consumers and businesses - both domestic and international - lose trust. Forrester Research estimates recent allegations about U.S. data surveillance activities may have reduced U.S. technology sales overseas by as much as $180 billion.
More Attention for the Internet of Things
Las Vegas has a way of shining a spotlight on issues, and at the recent Consumer Electronics Show in Sin City The Internet of Things was certainly on display.
In my estimation, there were four to five times more smart devices at this year's show than just one year ago. Yet the engineers of these connected devices - everything from door locks (scary!) to ceiling fans - still have not built sufficient data and privacy security controls into their innovations.
For example, many of these smart devices, such as those used to control energy systems or other types of gadgets and devices, do not require passwords or do not come with passwords enabled as a default. If the consumer doesn't know to actively set a password on, let's say, their energy control gadget, someone may be able to wirelessly access it and change settings or take data. They may also be able to get to it from the consumer's poorly secured wireless home network (which, as my research above shows, is pretty widespread). This not only has privacy impacts, but could also physically impact home residents by having their thermostat turned off, or turned to very high temperatures.
Aside from simply turning off privacy-aware consumers, these engineers may be risking a big fine from the FTC should their innovations fall onto the agency's radar. Just last month, the FTC gave a warning to engineers and developers, cautioning them to build in more protection. From the Consumer Electronics Show, FTC Chairwoman Edith Ramirez made a particularly interesting point about Internet of Things (IoT) innovations, "... the small size and limited processing power of many connected devices could inhibit encryption and other robust security measures."
Importantly, the FTC does not audit against any specific rules, so IoT enginners and developers are operating in murky waters. If the FTC determines these innovations are deceiving consumers or have been built with blatantly lacking protections, the agency won't hesitate to come after them.
Everyone is a Patient Sometime
People are at their most vulnerable when sick or injured. For that reason, it's critically important - not to mention morally and ethically sound - for healthcare providers to be extra diligent with their patients' personal information.
I'm not only referring to grand sweeping policies or technical controls; I'm also thinking of the day-to-day activities of doctors, nurses and other healthcare workers. For instance, I was shocked to find a clinic I regularly visit had patient charts facing outward on each of its exam-room doors. Just by walking down the hall, I could very easily learn the medical histories and current issues, not to mention the associated patient names and addresses, of the patients just on the other side of the door. The most distressing part of the experience was that when I said something to the doctor, my concern was met with little more than the shrug of the shoulders.
If the clinic had such a laissez-faire attitude about its paper-based privacy controls, I could only imagine the vulnerabilities one might find after digging around the clinic's digital environment.
Another large issue facing the healthcare community is the vulnerabilities of medical devices connected to various networks through the Internet. I've put together a checklist for the developers and providers of medical devices. I'd love to have those of you working in or adjacent to the medical-devices field share it far and wide!
Making Your Life Easier... even after yours is over
What will happen to your email account, your online photo storage or your social media accounts after you're no longer around to manage them? Making plans now can make those decisions much simpler for the ones you leave behind. Here are a few things to consider:
- Every day, 8,000 Facebook users die around the world.
- It is difficult to gain access to the social accounts of deceased family and friends.
- Some U.S. states are pushing companies like Google to make family access easier.
- There are services that will allow individuals to schedule social posts that can run even after they die (things like birthday or anniversary well-wishes are popular).
- My friend Christopher Burgess's company Red Folder says today's estate planners are receiving more requests for help with planning the inheritance of digital assets.
- Christopher is graciously offering a 20% coupon to my Privacy Professor Tips readers. Enter the following discount code when you make an order at https://my.redfolder.co: RF-0996nXba6336
Smart Grid Privacy Becomes a Hot Topic
By 2015, there will be 1 trillion connected devices and objects generating 2.5 GB per day of data... Big Data! Many people do not consider that the energy consumed in their homes is already a part of the Big Data phenomenon.
So what's the big deal, you might ask. The report created by the privacy group I've led for the NIST Smart Grid Interoperability Panel, NISTIR 7628 Volume 2 Revision 1, starting on logical page 291, addresses that common question thoroughly.
As discussed in in NISTIR 7628 Vol 2, all sorts of inferences about people's private lives are possible when energy data is analyzed. Everything from the number of family members to the types of appliances in a house can be determined with the right set of information. Of course, how granular someone could get to determine activities or behaviors depends largely on how frequently meter reads occur and a wide range of other factors.
To generate more awareness of the associated privacy risks and to provide guidance to smart-grid device developers, utilities and those creating laws and standards for the smart grid, I've written "Data Privacy for the Smart Grid." In simple, everyday language, the book explores a variety of very real concerns with smart grid privacy.
Privacy Threat Round Up
These threats may not be new, they continue to find new victims every day.
Privacy Professor on the Road
I have a growing list of events confirmed. Here is where I will be for certain in the coming months:
Feb 16: Teaching a half-day class, "Mitigating Risks and Privacy Concerns with Geo-Data/Privacy and Risks of IT Systems" at the Alaska Surveying and Mapping Conference in Anchorage, AK.
March 4: Facilitating a round table privacy discussion "Data Privacy - Evolving Customer/Regulator Expectations" at the Utility Analytics Summit in Phoenix, AZ.
March 17: Co-presenting the session, "GAPP vs. Gaps: Managing Enterprise Privacy" at the ISACA NA CACS Conference in Orlando, FL.
March 18 & 19: Providing a 2-day class, "Conducting a Privacy Impact Assessment," at the ISACA NA CACS Conference in Orlando, FL.
April 14: Providing a closed privacy discussion/class to the executives and board members of a large multi-national corporation in Tennessee.
A Discount Gift to You!
For a limited time, I am offering several of my information security and privacy tools and products at a 25% discount! See them at www.privacyprofessor.org.
Do you have any topics you'd like to see me discuss on the Great Day KCWI morning show? Or, any you'd like for me to answer in my next monthly Privacy Professor Tips? Please let me know by sending an email!
If you need any help with information security or privacy training and awareness, or if you must comply with HIPAA and need help (especially important now that the Department of Health and Human Services, as well as all the State Attorneys General are increasing their compliance reviews, and fines/penalties), please check out my SIMBUS site (http://www.hipaacompliance.org) or get in touch with me; I would love to help you!
You Have My Permission to Share
I receive a lot of requests to repurpose the information contained in these Tips messages, so I wanted to drop a quick note in here to say, "Yes, I approve!" Feel free to forward this in its entirety to others. If you want to use only excerpts, then please use the following attribution so that others will know where to find me if they have additional questions about the material you pass along. **NOTE: This permission for excerpts does not extend to the images in this email. One of the photos is my personal photo. For the others we have paid for their use only within this tips message, which you can forward within this message, but cannot remove and use elsewhere. If you want to use them, contact me.
My parents in the early 1970s before a Valentine's dance at the high school where my dad taught math
If you're so moved, make the entire month of February your time to show how you care for the people in your life... and not just your personal life. What are ways, big or small, you can change your behaviors, activities and controls to better protect their privacy?
I have a really good feeling, especially if you've made it to the end of this Tips Message, that you're going to come up with some really good ideas. And I can't wait to hear them!
Have a terrific month, and we'll talk again in March!