Browsing category

Personally Identifiable Information (PII)

Cybercriminals, Data Privacy, Data Protection, Education, FBI, Government, Personal Data, Personal Health Information (PHI), Personally Identifiable Information (PII), Ransomware,

FBI Warns EdTech Needs Stronger Defenses for Students’ Personal Data

Terms like “privacy,” “personally identifiable information (PII)” or “educational technology (EdTech)” often sound abstract and far from the responsibility of the average person, meant primarily for security and IT professionals. But when schools are forced to close after parents and kids receive ominous, personalized messages, as they did recently in an Iowa school district, according to the Des Moines Register, internet security becomes very real for the whole community.

Late last year, a cybercriminal group known as Dark Overlord — infamous for attempting to extort Netflix — stole data from school districts around the country, according to The Washington Post. Then, as part of ongoing extortion attempts, it used the pilfered information to threaten parents and students around the country. Districts in Montana, Texas and Alabama also closed schools after attackers texted threats to parents, according to CSO Online.

The Department of Education issued a warning and that round of attacks subsided, but others continue. Earlier this year, a Massachusetts school district paid cybercriminals $10,000 in bitcoin to regain control of its data after a ransomware attack, according to ABC News.

Inform the Public

Incidents like these have federal authorities increasingly worried about security at school districts around the country, even as schools increasingly rely on technology for everything from tracking performance to attendance.

The Federal Bureau of Investigation (FBI) recently issued a sharply worded public service announcement aimed at schools and parents titled “Data Collection and Unsecured Systems Could Pose Risks to Students.”

Software used in schools collects a lot of very sensitive information, the FBI warned, including “[PII]; biometric data; academic progress; behavioral, disciplinary and medical information; web browsing history; students’ geolocation; IP addresses used by students; and classroom activities.” That data is a potential treasure trove for a group like Dark Overlord.

“Malicious use of this sensitive data could result in social engineering, bullying, tracking, identity theft, or other means for targeting children,” the FBI said.

Social Engineering 101: How to Hack a Human

Expand District Resources

It is unclear whether the FBI’s warning came in response to a specific threat — as the Department of Education’s warning did — or was just a renewed call to action. Either way, the challenges are steep.

While increased use of EdTech products creates an ever-expanding set of targets for threat actors, many districts are facing tighter budgets, unable to buy the latest security technology that corporations employ, warned the Future of Privacy Forum, an industry group.

“Schools rarely have the resources to establish dedicated security staff, leaving technologists with a full plate — combating malicious access attempts while also handling humdrum IT issues and attempting to comply with new state student privacy laws; more than 120 laws were passed in 40 states since 2013,” it said.

How to Manage the Full EdTech Attack Surface

In the Iowa case, authorities say student and family data was stolen from a third-party supplier. Vendor management is a headache for all manner of organizations. The proliferation of outside organizations with access to students’ most personal information creates a vast attack surface for threat actors, warned privacy law expert Bradley Shear, CEO of school security consultancy Digital Armour LLC.

“Our public schools are fast becoming targets of cybercriminals. These types of incidents are increasing and costing taxpayers tens of thousands of dollars per incident,” Shear said. “It’s not just school districts we have to protect from cybercriminals, but also their vendors.”

In its PSA, the FBI also called attention to internet of things (IoT) devices.

“EdTech connected to networked devices or directly to the [internet] could increase opportunities for cyber actors to access devices collecting data and monitoring children within educational or home environments,” it said. It also pointed to the risk of take-home devices, like tablets, or monitoring devices that allow remote access.

How to Give Power to the Parents

The FBI alert called on parents to become more aware of potential risks, and urged families to keep in contact with school districts about various EdTech programs they use. It also recommended participation in parent coalitions, and suggested regular internet searches to identify children’s exposure and spread of their information on the internet.

The Future of Privacy Forum also offers a number of tools to parents on FERPA|Sherpa, named for the federal law that governs data collection and sharing at schools, the Family Educational Rights and Privacy Act (FERPA). The organization recommends parents regularly ask districts how they handle directory information, what the rules are for recording devices, how they secure children’s information and a set of other queries in their document, “Parents: Raise Your Hand and Ask Schools How They Protect Student Data.”

How School Districts Are Improving Data Privacy

School districts are beginning to tackle the problem by sharing resources and strategies with one another. Nearly 500 districts in more than a dozen states participate in the Student Data Privacy Consortium (SDPC), and they’ve implemented a model contract that vendors must use to ease vendor management, available on the SDPC website.

The SDPC says it leverages privacy-related projects by member districts “to have their good work utilized and no reinvention of existing work.” The Department of Education also offers a “Student Privacy 101” resource for various stakeholders, from K-12 administrators to vendors.

But for Shear, improving cybersecurity at schools needs to begin with an attitude about collection minimization. The less data schools and vendors collect and store, the smaller the opportunity for threat actors. Most critically, vendors and schools should delete information as soon as it is no longer necessary.

“Technology vendors have a huge bull’s-eye on them because of their insatiable appetite for personal information,” he said. “Recent data breaches … demonstrate why it’s necessary to have strict sunset provisions inherent in the data collection process.”

School districts must perform a balancing act when deleting data, however, as there are various data retention requirements to take into account. There are also juggling acts to perform when setting strict requirements around data to keep out threat actors while enabling access for educators and parents when necessary. Take allergy requirements: If a substitute teacher has trouble accessing his or her students’ health records because of a tricky login process, a dangerous situation could develop.

Parents, teachers, administrators and security experts need to engage in an ongoing dialogue about what schools must do to keep kids safe while ensuring they have access to the tools they need.

The post FBI Warns EdTech Needs Stronger Defenses for Students’ Personal Data appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Bob Sullivan

January 11, 2019
customer experience, Data Breach, Data Privacy, Data Protection, General Data Protection Regulation (GDPR), IBM X-Force Incident Response and Intelligence Services, Malware, Network Security, Personally Identifiable Information (PII), Point-of-Sale (POS) Systems, Retail, Retail Data Breach, Retail Industry, Retail Security, Risk Management,

5 Recommendations to Improve Retail Cybersecurity This Holiday Season

This is the first installment in a two-part series about how retailers can help protect their enterprises this holiday season.

With the holiday season upon us, retailers have an opportunity to boost revenues before the end of the year. Any increase in profit at the expense of retail cybersecurity, however, can cost a company more in the long run, given the rising size and costs of data breaches and associated revenue and reputational loss. With extra web traffic and high order volumes coming in, the holiday shopping season can be a particularly perilous time for businesses seeking to safeguard customer information.

A Timely Cause for Retail Cybersecurity Concerns

Tis the season for retailers to buckle down on security, since data breaches typically peak just prior to and during the holiday shopping season. IBM X-Force Incident Response and Intelligence Services (IRIS)’s assessment of X-Force Interactive Security Incident data recorded between 2012 and 2017 revealed that 41 percent of all retail and consumer product breaches occurred between September and December, elevating the risk for enterprise network breaches during that time of year. More than two-thirds of all records in the consumer products sector were leaked, lost or stolen during these last four months of the year — that’s nearly 180 million records each year.

Don’t Reward the Naughty

A growing number of retailers now offer rewards programs to retain and nurture their customer bases. For shoppers to join these programs, most retailers ask for personally identifiable information (PII) such as name, address, phone number and email address. If ever compromised, an attacker can correlate this customer PII to payment data and use it to aggregate information to compromise the user’s identity.

In line with recent regulatory laws such as the General Data Protection Regulation (GDPR), retailers should collect the least possible amount of PII on customers, have a clear purpose for each data element, and make sure to always keep data encrypted and safeguarded, both in transit and at rest.

Phishing Is in Season

Attackers don’t wait for the holiday season to begin launching spam campaigns, which are often employed as the first stage of their overall fraud and attack campaigns. Analysis of X-Force spam honeypot data collected between 2015 and 2018 revealed a notable rise in the average volume of spam emails beginning in August, with September slightly lower and October ranking third.

Average Spam per Month

Figure 1: Total volume of spam emails recorded, 2015–2018 (Source: IBM X-Force)

Preventing and responding to data breaches leading up to and during the holiday shopping season has become imperative. It is incumbent on retail security professionals to perform due diligence during this time, and there are several ways to accomplish this goal.

Below are five holiday season tips for retailers to help make your enterprise a safer shopping environment. These techniques can help retailers identify impending data breaches and sidestep the costs associated with a major data breach.

While I’ve listed these tips in the order of what I generally consider to be top-of-mind for retailers, this list can be customized to serve your organization’s specific needs.

1. Mitigate the POS Malware Threat

After a popular big box retailer suffered a breach in 2013, public awareness around the vulnerability of point-of-sale (POS) systems grew exponentially. That breach was facilitated by malware that infected POS machines and helped threat actors access a large volume of credit card information to sell to other criminals on the dark web. This intrusion resulted in the theft of more than 110 million records.

Five years later, POS malware continues to plague retailers. According to IBM X-Force, 74 percent of publicly reported POS malware breaches in 2017 impacted the retail sector. X-Force IRIS has observed malicious actors using POS malware, such as FrameworkPOS and PoSeidon, to siphon credit card data from POS terminals. Web-based malware, which steals credit card data on the fly as online transactions are processed, is also gaining steam.

To help mitigate these risks, both in physical and virtual realms, retailers should take the following steps:

  • Use some form of malware detection on your entire network to include the network of POS systems.
  • Test the devices’ hardware and software (more to come on penetration testing in the second installment of this series) and keep devices up-to-date through regular patching.
  • Work with a supplier that will contractually adhere to both your regulatory standards and security requirements.
  • When using mobile POS, have controls in place to ensure the integrity of the hand-held device and the encryption of its communication channels with the server that processes and stores card data.
  • Ensure any mobile payment system is from a trusted provider that supplies regular updates, patches, and equipment upgrades to comply with advances in encryption requirements and evolving threats.

Cybercriminals also commonly steal credit card data through payment card skimmers. These physical devices are fitted into the mouth of card readers and work by copying track data from the credit card and storing it on a memory chip inside the skimming device. In addition to retail establishments, skimmers are often found in ATMs, restaurants and gas stations.

As a precaution, retailers should frequently search for devices on their POS terminals and swiping equipment. Attackers typically attach skimmers to the device by sliding them onto the scanners and collecting them later. To check for a skimmer, examine devices daily and pull on the scanner if anything appears different. If part of the device comes off, it may be a skimming device. Call your service provider and IT security team to report it before resuming activity with that terminal or device.

With security controls and practices becoming more efficient, threat actors have resorted to gluing card skimmers to machines. This makes it difficult to detach by simply pulling it off the affected device. Retailers should train employees in all locations to recognize the proper look and components of their POS terminals and swiping devices. Employees should also know how to report suspicious devices.

2. A Clean Network Is a Safe Network

Payment card data carries immediate monetary value to criminals, and there are many methods by which they aim to steal it.

One tactic IBM X-Force researchers have seen increasingly often is the injection of malicious code into legitimate e-commerce websites. By compromising websites where people shop online, attackers can send payment data submitted during customer checkout to their own infrastructure.

To help reduce the likelihood of becoming a feeding ground for criminals, online retailers should take the following steps:

  • Harden the security of underlying web servers.
  • Limit access to critical assets and properly manage the privileges of those that maintain them.
  • Ensure that web applications are secure, harden them against threats like SQL injections and other common attacks, and have them tested regularly.
  • Deploy a change monitoring and detection solution to spot unauthorized modifications to your e-commerce platform’s web hosting directories. If this is not feasible, schedule periodic, manual reviews of these assets.

Account takeover (ATO), which occurs when a threat actor gains unauthorized access to an online account that belongs to someone else, can also affect e-commerce customers. With access to shoppers’ accounts, fraudsters can wreak havoc by stealing stored payment data, making fraudulent purchases and rerouting existing orders to a different address, for example.

Unauthorized access requires the use of legitimate credentials, which criminals can attain through a variety of tactics. The most common methods include phishing, brute-forcing weak passwords and launching SQL injection attacks on the web application itself.

You can help mitigate these threats by practicing good network hygiene. Here are some useful tips retailers can apply today to lower the risk of user account compromises:

  • Employ the most recent patches for all hardware, internal and external software, network communication protocols, and database security protocols.
  • Sanitize user input to prevent injection attacks.
  • Prioritize patching for the threats most relevant to your organization. Look out for the most-exploited vulnerabilities and ensure that internet-facing servers and systems are up to date.
  • Always consult your local computer emergency response team (CERT), IBM X-Force Exchange and other threat intelligence sources to gather the latest news on vulnerabilities and mitigation techniques.
  • Enforce multifactor authentication (MFA) for employees.

3. Go to Your Separate Corners

Cybercriminals are always leveraging new ways to steal payment card data and correlate it with PII. Elevated volumes of web traffic during the holiday season provide attackers with even more targets and opportunities.

To help keep customer data safe, even in cases where criminals manage to infiltrate assets, security teams should keep PII, financial data and POS information separate by segmenting enterprise networks. By keeping this information separated and encrypted, attackers will find it much harder to correlate data on customers. While segmenting a network can be an intensive process, it’s a small price to pay to keep customer data safe.

In network segmentation, allow only one IP address per segment to communicate at a time to detect suspicious traffic. While an attacker may spoof his or her IP address, this control can allow defenders to find out about most intruders rather easily. Here are some other best practices to consider:

  • Conduct internal audits for segment crossover to ensure that segregated data sets do not get mixed over time and appear in other places on the network, which can help attackers with identity theft.
  • Deploy web application firewalls (WAFs) to help ensure that incoming traffic is filtered, monitored and blocked to and from web applications to mitigate threats such as cross-site scripting (XSS) and SQL injection.
  • As a secondary measure, a firewall should be implemented to effectively govern all traffic coming in and out of the network. Firewall configuration is a key element in its effectiveness and should be performed by a certified network technician.
  • Have administrative users log in with a lower privilege level before escalating their privileges to perform updates and maintenance.
  • Prevent sensitive users and systems from communicating with the internet.

4. Learn From History and Educate Users

Nearly every company has some kind of data protection training in place. To make employee training programs more effective, organizations must understand that training materials are sometimes clicked through at a rapid pace to complete them as quickly as possible in favor of getting back to work. So how can an organization effectively educate their users?

  • Plan for role-based training of all employees in the organization.
  • Train employees on both physical and digital security.
  • Conduct short training sessions and field-test them by asking for employee feedback.
  • Launch an internal phishing campaign: Send a spoofed email from a dummy account with official-sounding names, titles and subjects, and track the number of users who click on the links or attachments. Offer additional training according to the conclusions from the campaign.
  • Identify users who need remedial training and retest as needed.
  • Most importantly, provide all users with an easily accessible resource to report issues. Users should be able to contact IT security with any question or suspicion.

For education to be effective, it has to be repetitive and stay top-of-mind for users across the entire organization. Get management to support awareness campaigns and find opportunities to educate users. Having vigilant employees makes mitigating attacks during the holiday season that much more effective. Frequent email reminders, illustrative posters and communicating best practices during team meetings can demonstrate your organization’s commitment to secure day-to-day conduct. Giving users personalized attention can go a long way toward making the message resonate with them — for example, you might consider gifting a security-themed mug for the holiday season.

5. Use Network IP Whitelists and Blacklists

Whitelists are IP addresses or domains used specifically for allowing access, whereas blacklists are used to help prevent IP addresses or domains from entering a network. Whitelists and blacklists are useful for keeping unauthorized and authorized connections within or outside the network. Keeping these lists up-to-date demands some diligence, but they can be crucial to boosting network security.

Filtering IPs according to these lists is more suitable for enterprises that do not manage e-commerce activity, since e-commerce companies have to accept inbound requests from all over the world, especially during the holiday shopping season.

These lists are much easier to maintain for networks that do not face external customers because blacklists can be used on both inbound and outbound access to help block known malicious hosts from communicating or accessing the organization’s data and assets. Below are some basic tips for filtering hosts:

  • Blacklist any IP addresses known to be malicious. Constantly updated lists can be fed into security solutions directly from threat intelligence platforms.
  • Should a blacklisted IP address have legitimate reasons for communicating with the network, investigate, confirm and allow access via the whitelist.
  • Whitelists should include any internal company addresses.
  • Whitelists should exclude any websites that are not relevant for employees carrying out their daily tasks (e.g., social media, webmail, etc.).
  • It is imperative to verify these lists periodically to help ensure that all information is accurate.
  • Should any IP addresses on the whitelist become outdated, it should be promptly removed or moved to the blacklist.
  • Keeping allowed and banned IP addresses from becoming intermingled is a basic premise of effective whitelist/blacklist practices.

Stay Tuned for More Holiday Season Tips for Retailers

There is no such thing as unimportant data. Take every necessary precaution to help protect enterprise and customer data by implementing strong retail cybersecurity controls, educating users and following current best practices. Maintaining customer confidence in your ability to protect their PII can result in more business, increased customer loyalty and stronger organizational reputation.

Stay tuned for five more tips to help retailers stay secure this holiday season.

The post 5 Recommendations to Improve Retail Cybersecurity This Holiday Season appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: David Bales

November 29, 2018
Artificial Intelligence (AI), Cloud, Cloud Security, Data Breach, Data Privacy, Data Protection, Incident Response (IR), Managed Security Services (MSS), Payment Card Industry (PCI), Personally Identifiable Information (PII), Platform-as-a-Service (PaaS), Ransomware, Retail, Retail Breach, Retail Industry, Retail Security, Skills Gap, Software-as-a-Service (Saas), Threat Protection,

Retail Cybersecurity Is Lagging in the Digital Transformation Race, and Attackers Are Taking Advantage

Digital transformation is dominating retailers’ attention — and their IT budgets. As a result, significant gaps in retail cybersecurity are left unfilled just as retail IT faces new challenges, from infrastructure moving to the cloud without clear security policies to an array of new threat vectors focused on personal customer information, ransomware and underprotected business-to-business (B2B) connections.

Just as with line-of-business functions like merchandising and operations, retailers’ cybersecurity functions must undergo a digital transformation to become more holistic, proactive and nimble when protecting their businesses, partners and customers.

Retailers Aren’t Prioritizing Security, and Attackers Are Exploiting the Gaps

According to the retail edition of the “2018 Thales Data Threat Report,” 75 percent of retailers have experienced at least one data breach in the past, with half seeing a breach in the past year alone. That puts retail among the most-attacked industries as ranked by the “2018 IBM X-Force Threat Intelligence Index.”

Underfunded security infrastructure is likely a big reason for this trend; organizations only dedicated an average of around 5 percent of their overall IT budgets to security and risk management, according to a 2016 Gartner report.

While retailers have done a great job addressing payment card industry (PCI) compliance, it has come at a cost to other areas. According to IBM X-Force Incident Response and Intelligence Services (IRIS) research, 78 percent of publicly disclosed point-of-sale (POS) malware breaches in 2017 occurred in the retail sector.

In addition to traditional POS attacks, malicious actors are targeting retailers with new threat vectors that deliver more bang for the buck, such as the following:

  • Personally identifiable information (PII) about customers — Accessible via retailers’ B2C portals, attackers use this information in bot networks to create false IDs and make fraudulent transactions. An increasingly popular approach involves making purchases with gift cards acquired via fraud.
  • Ransomware — Criminals are exploiting poorly configured apps and susceptible end users to access and lock up data, so they can then extract pricey ransoms from targeted retailers.
  • Unprotected B2B vendor connections — Threat actors can gain access to retail systems by way of digital connections to their partners. A growing target is a retailer’s B2B portals that have been constructed without sufficient security standards.

What Are the Biggest Flaws in Retail Cybersecurity?

These new types of attacks take advantage of retailers’ persistent underfunding of critical security defenses. Common gaps include inadequate vulnerability scanning capabilities, unsegmented and poorly designed networks, and using custom apps on legacy systems without compensating controls. When retailers do experience a breach, they tend to address the specific cause instead of taking a more holistic look at their environments.

Retailers also struggle to attract security talent, competing with financial services and other deeper-pocketed employers. The National Institute of Standards and Technology (NIST) reported in 2017 that the global cybersecurity workforce shortage is expected to reach 1.5 million by 2019.

In addition, flaws in governance make retailers more vulnerable to these new types of security threats. To keep up with rapidly evolving consumer demands, many line-of-business departments are adopting cloud and software-as-a-service (SaaS) solutions — but they often do so without any standardized security guidance from IT.

According to the “2017 Thales Data Threat Report,” the majority of U.S. retail organizations planned to use sensitive data in an advanced technology environment such as cloud, big data, Internet of Things (IoT) or containers this year. More than half believed that sensitive data use was happening at the time in these environments without proper security in place. Furthermore, companies undergoing cloud migration at the time of a breach incur $12 per record in additional costs, according to the “2018 Cost of a Data Breach Study.”

To protect their data, retailers need tools to both identify security threats and escalate the response back through their entire infrastructure, including SaaS and cloud services. But many enterprises lack that response capability. What’s more, the “Cost of a Data Breach Study” found that using an incident response (IR) team can reduce the cost of a breach by around $14 per compromised record.

Unfortunately, cybersecurity is not always on the radar in retailers’ C-suites. Without a regularly updated cybersecurity scorecard that reflects an organization’s current vulnerability to attack, senior executives might not regularly discuss the topic, take part in system testing or see cybersecurity as part of business continuity.

3 Steps to Close the Gaps in Your Security Stance

Time isn’t stopping as retailers grapple with these threats. Retail cybersecurity leaders must also monitor the General Data Protection Regulation (GDPR), where compliance requirements are sometimes poorly understood, as well as the emergence of artificial intelligence (AI) in both spoofing and security response. In addition, retailers should keep an eye on the continued uncertainty about the vulnerability of platform-as-a-service (PaaS), microservices, cloud-native apps and other emerging technologies.

By addressing the gaps in their infrastructure, governance and staffing, retailers can more effectively navigate known threats and those that will inevitably emerge. Change is never easy, but the following three steps can help retailers initiate digital transformation and evolve their current approach to better suit today’s conditions:

1. Increase Budgets

According to Thales, 84 percent of U.S. retailers plan to increase their security spending. While allocating these additional funds, it’s important for retailers to take a more holistic view, matching budgets to areas of the highest need. Understanding the costs and benefits of addressing security gaps internally or through outsourcing is a key part of this analysis.

2. Improve Governance

Enacting consistent security guidelines across internally run systems as well as cloud- and SaaS-based services can help retailers ensure that they do not inadvertently open up new vulnerabilities in their platforms. Senior-level endorsement is an important ingredient in prioritizing cybersecurity across the enterprise. Regular security scorecarding can be a valuable tool to keep cybersecurity at the top of executives’ minds.

3. Invest in MSS

A growing number of retailers have realized that starting or increasing their use of managed security services (MSS) can help them achieve a higher level of security maturity at the same price as managing activities in-house, if not at a lower cost. MSS allow retailers’ internal cybersecurity to operate more efficiently, address critical talent shortages and enable retailers to close critical gaps in their current security stance.

Why Digital Transformation Is Critical to Rapid Response

Digital transformation is all about becoming more proactive and nimble to respond to consumers’ rapidly growing expectations for seamless, frictionless shopping. Retailers’ cybersecurity efforts require a similar, large-scale transition to cope with new threat vectors, close significant infrastructure gaps and extend security protocols across new platforms, such as cloud and SaaS. By rethinking their budgets, boosting governance and incorporating MSS into their security operations, retail security professionals can support digital transformation while ensuring the business and customer data remains protected and secure.

The post Retail Cybersecurity Is Lagging in the Digital Transformation Race, and Attackers Are Taking Advantage appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Lisa Terry

November 19, 2018
Data Privacy, Data Protection, Data Security, facial recognition, Personally Identifiable Information (PII), Privacy, social media,

Think You’ve Got Nothing to Hide? Think Again — Why Data Privacy Affects Us All

We all hear about privacy, but do we really understand what this means? According to privacy law expert Robert B. Standler, privacy is “the expectation that confidential personal information disclosed in a private place will not be disclosed to third parties when that disclosure would cause either embarrassment or emotional distress to a person of reasonable sensitivities.”

It’s important to remember that privacy is about so much more than money and advertisements — it ties directly to who we are as individuals and citizens.

What Is the Price of Convenience?

Most users willingly volunteer personal information to online apps and services because they believe they have nothing to hide and nothing to lose.

When I hear this reasoning, it reminds me of stories from World War II in which soldiers sat on the sideline when the enemy was not actively pursuing them. When the enemy did come, nobody was left to protect the soldiers who waited around. That’s why it’s essential for all users to take a stand on data privacy — even if they’re not personally affected at this very moment.

Some folks are happy to disclose their personal information because it makes their lives easier. I recently spoke to a chief information security officer (CISO) and privacy officer at a major unified communications company who told me about an employee who willingly submitted personal data to a retail company because it streamlined the online shopping experience and delivered ads that were targeted to his or her interests.

This behavior is all too common today. Let’s dive deeper into some key reasons why privacy should be top of mind for all users — even those who think they have nothing to hide.

How Do Large Companies Use Personal Data?

There is an ongoing, concerted effort by the largest technology companies in the world to gather, consume, sell, distribute and use as much personal information about their customers as possible. Some organizations even market social media monitoring tools designed to help law enforcement and authoritarian regimes identify protesters and dissidents.

Many of these online services are free to users, and advertising is one of their primary sources of revenue. Advertisers want high returns per click, and the best way to ensure high conversion rates is to directly target ads to users based on their interests, habits and needs.

Many users knowingly or unknowingly provide critical personal information to these companies. In fact, something as simple as clicking “like” on a friend’s social media post may lead to new ads for dog food.

These services track, log and store all user activity and share the data with their advertising partners. Most users don’t understand what they really give up when technology firms consume and abuse their personal data.

Advanced Technologies Put Personal Data in the Wrong Hands

Many DNA and genomics-analysis services collect incredibly detailed personal information about customers who provide a saliva-generated DNA sample.

On the surface, it’s easy to see the benefit of submitting biological data to these companies — customers get detailed reports about their ancestry and information about potential health risks based on their genome. However, it’s important to remember that when users volunteer data about their DNA, they are also surrendering personal information about their relatives.

Biometrics, facial recognition and armed drones present additional data-privacy challenges. Governments around the world have begun using drones for policing and crowd control, and even the state of North Dakota passed a law in 2015 permitting law enforcement to arm drones with nonlethal weapons.

Facial recognition software can also be used for positive identification, which is why travelers must remove their sunglasses and hats when they go through immigration control. Law enforcement agencies recently started using drones with facial recognition software to identify “potential troublemakers” and track down known criminals.

In the U.S., we are innocent until proven guilty. That’s why the prospect of authorities using technology to identify potential criminals should concern us all — even those who don’t consider privacy to be an important issue in our daily lives.

Who Is Responsible for Data Privacy?

Research has shown that six in 10 boards consider cybersecurity risk to be an IT problem. While it’s true that technology can go a long way toward helping organizations protect their sensitive data, the real key to data privacy is ongoing and companywide education.

According to Javelin Strategy & Research, identity theft cost 16.7 million victims $16.8 billion in the U.S. last year. Sadly, this has not been enough to push people toward more secure behavior. Since global regulations and company policies often fall short of protecting data privacy, it’s more important than ever to understand how our personal information affects us as consumers, individuals and citizens.

How to Protect Personal Information

The data privacy prognosis is not all doom and gloom. We can all take steps to improve our personal security and send a strong message to governments that we need more effective regulations.

The first step is to lock down your social media accounts to limit the amount of personal information that is publicly available on these sites. Next, find your local representatives and senators online and sign up to receive email bulletins and alerts. While data security is a global issue, it’s important to keep tabs on local legislation to ensure that law enforcement and other public agencies aren’t misusing technology to violate citizens’ privacy.

Lastly, don’t live in a bubble: Even if you’re willing to surrender your data privacy to social media and retail marketers, it’s important to understand the role privacy plays in day-to-day life and society at large. Consider the implications to your friends and family. No one lives alone — we’re all part of communities, and we must act accordingly.

The post Think You’ve Got Nothing to Hide? Think Again — Why Data Privacy Affects Us All appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Eric Jeffery

July 13, 2018