BreachExchange mailing list archives
Understanding Internet data privacy
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 10 Sep 2015 19:33:48 -0600
http://www.nationnews.com/nationnews/news/71954/understanding-internet-privacy

Using the Internet responsibly and safely is an ever-increasing challenge for many of us, no matter how old, young or techno-savvy we are. For most, the Internet has woven its way deeply into many aspects of our daily, personal and professional lives and continues to grow. However, whether you “understand it or not”, the ever-connectedness of the Internet we crave has many risks and false expectations associated with its use, particularly with data privacy in mind.

Data privacy (or data protection) is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them. An unfortunate reality in understanding data protection, and the impact of associated failures, is that often data breaches are nameless, faceless crimes, as compared with the more traditional crimes. This lack of understanding has made it difficult for many regional public and private sector leaders to grasp its seriousness and the overall impact on regional economic stability and development.

In simple terms, as data moves across the Internet, the responsibility for the protection of that data is shared by various system owners across a wide range of Internet infrastructure, data storage platforms, and connections. With that said, it is simply unrealistic to expect that your data will always be protected – in motion or at rest. There are simply too many technical, management and operational data protection security controls that can fail, do fail or have never been put in place by system owners. Within your individual control, the primary method of ensuring the protection of your personal data remains “not to share it in the first place”, and that includes on social media, as cyber predators often use knowledge of your social media activities to profile and target you for attack.
Many of us in the Caribbean are also simply too quick to provide personal data online without consideration for the legitimacy or security posture of the online requestor. Additionally, more of us are using the Internet to perform important business and financial transactions on home or work PCs with a lack of consideration for whether the Internet device being used has been updated appropriately from the operating system and anti-virus protection perspectives. The irony of this failure to update systems is interesting, as often the updates are “free” and simply need to be installed.

As an IT security auditor, I routinely come across many systems that have not been updated for months or even years, which plays right into the hands of cyber predators who search “daily” for just such systems to exploit. Depending on the tools used, it can take a hacker minutes to identify weaknesses or vulnerabilities across an entire range of business, organisational or government systems. Likewise, for the typical home PC/mobile device, system weaknesses or vulnerabilities can be identified in seconds.

Outside of your control, where your personal data is being stored and maintained by businesses, organisations and governments, the expectation of data privacy parallels the cyber/information security maturity of the entity holding it. Unfortunately, in spite of a significant rise in cyber-crime activity in the Caribbean in the last two years, many public and private sector businesses, organisations and government leaders are failing to proactively invest in the implementation of international best practices and standards for data protection. Many are failing to see the return on investment in effective data protection until a major data breach occurs. The growing news of global and regional data breaches has simply not been enough to “trigger” many leaders into action, due to a “nothing has happened to us yet, so why invest in it” mindset.
This short-sighted mindset is in many ways like shooting themselves in the foot, as it has been proven worldwide that it typically costs ten times more to recover from a data breach than to proactively invest in data privacy controls. In some cases, the reputational damage to a business, organisation or government caused by a data breach is very difficult to recover from, if at all.

Interestingly enough, much of today’s IT management focus on data protection has been on the Internet-facing side of the equation. However, if you take a look at a few of the major globally reported data breaches, very often they occur as the result of the “insider threat”, where employees with access to sensitive or private data intentionally or unintentionally disclose or misuse it.
From the unintentional perspective, ineffective, inadequate, or non-existent role-based IT security awareness training is often one of the main root causes of many data breaches. From the intentional perspective, ineffective personnel screening, or the assignment of too many system rights and privileges to staff who do not have a “need to know”, are often key contributing factors in data breaches. Additionally, as a key data protection security control, many organisations are failing to implement account management processes and procedures for the timely removal or disabling of accounts belonging to former employees. As a result of this account management shortcoming, we often see access to sensitive data by former employees remaining active for many months or even years.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters:
Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients, contact us!