BreachExchange mailing list archives

Understanding Internet data privacy


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 10 Sep 2015 19:33:48 -0600

http://www.nationnews.com/nationnews/news/71954/understanding-internet-privacy

Using the Internet responsibly and safely is an ever increasing challenge
for many of us, no matter how old, young or techno-savvy we are. For most,
the Internet has woven its way deeply into many aspects of our daily,
personal and professional lives and continues to grow.

However, whether you “understand it or not”, the Internet
ever-connectedness we crave has many risks and false expectations
associated with its use, particularly with data privacy in mind.

Data privacy (or data protection) is the relationship between the
collection and dissemination of data, technology, the public expectation of
privacy, and the legal and political issues surrounding them. An
unfortunate reality in understanding data protection, and the impact of
associated failures, is that often data breaches are nameless, faceless
crimes, as compared with the more traditional crimes. This lack of
understanding has made it difficult for many regional public and private
sector leaders to grasp its seriousness and the overall impact on regional
economic stability and development.

In simple terms, as data moves across the Internet, the responsibility for
the protection of that data is shared by various system owners across a
wide range of Internet infrastructure, data storage platforms, and
connections.

With that said, it is simply unrealistic to expect that your data will be
always protected – in motion or at rest. There are simply too many
technical, management and operational data protection security controls
that can fail, do fail or that have never been put in place by system
owners. Within your individual control, the primary method of ensuring the
protection of your personal data remains “not to share it in the first
place” and that includes on social media, as cyber predators often use
knowledge of your social media activities to profile and target you for
attack.

Many of us in the Caribbean are also simply too quick to provide personal
data online without consideration for the legitimacy or security posture of
the online requestor. Additionally, more of us are using the Internet to
perform important business and financial transactions on home or work PCs
with a lack of consideration for whether the Internet device being used has
been updated appropriately from the operating system and anti-virus
protection perspectives. The irony of this failure to update systems is
interesting as often the updates are “free”, and simply need to be
installed.

As an IT security auditor, I routinely come across many systems that have
not been updated for months or even years, which plays right into the hands
of cyber predators who search “daily” for just such systems to exploit.

Depending on the tools used, it can take a hacker minutes to identify
weaknesses or vulnerabilities across an entire range of business,
organisational or government systems. Likewise for the typical home
PC/mobile device, system weaknesses or vulnerabilities can be identified in
seconds. Outside of your control, where your personal data is being stored
and maintained by businesses, organisations and governments, the
expectation of data privacy parallels the cyber/information security
maturity of the entity with it.

Unfortunately, in spite of a significant rise in cyber-crime activity in
the Caribbean in the last two years, many public and private sector
businesses, organisations and government leaders are failing to proactively
invest in the implementation of international best practices and standards
for data protection. Many are failing to see the return on investment in
investing in effective data protection, until a major data breach occurs.

The growing news of global and regional data breaches has simply not been
enough to “trigger” many leaders into action due to a “nothing has happened
to us yet, so why invest in it” mindset. This short-sighted mindset in many
ways is like shooting themselves in the foot, as it has been proven
worldwide that it typically costs ten times more to recover from a data
breach as compared with proactively investing in data privacy controls. In
some cases, the reputation damage to a business, organisation or government
caused by a data breach is very difficult to recover from, if at all.

Interestingly enough, much of today’s IT management focus on data
protection has been from the Internet-facing side of the equation. However,
if you take a look at a few of the major globally reported data breaches,
very often they occur as the result of the “insider threat”, where
employees with access to sensitive or private data intentionally or
unintentionally disclose/misuse it.

From the unintentional perspective, ineffective, inadequate, or
non-existent roles-based IT security awareness training is often one of the
main root causes of many data breaches. From the intentional perspective,
ineffective personnel screening, or assignment of too many system rights and
privileges to staff that do not have a “need to know” are often key
contributing factors in data breaches. Additionally, as a key data
protection security control, many organisations are failing to implement
account management processes and procedures for the timely removal or
disabling of accounts belonging to former employees. As a result of this
account management shortcoming, often we see access to sensitive data by
former employees remaining active for many months or even years.
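The account-management gap described above (enabled accounts that still belong to people who have left) is something a defender can check mechanically by reconciling an HR leaver list against the account directory. The following is an added illustration, not code from the article or the mailing list; the data classes, the leaver roster and the account list are constructed sample data, and the 90-day dormancy threshold is an assumed policy value, not a figure the article gives.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Review date for the run (assumed; the article is dated 10 Sep 2015).
AS_OF = date(2015, 9, 10)


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str          # empty string for service accounts with no owner
    enabled: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class Departure:
    employee_id: str
    last_day: date            # final working day reported by HR


# Constructed sample data: no real people, accounts or systems.
DEPARTURES = [
    Departure("E1001", date(2015, 3, 31)),
    Departure("E1002", date(2015, 8, 28)),
    Departure("E1003", date(2013, 6, 14)),
]

ACCOUNTS = [
    Account("jdoe", "E1001", True, date(2015, 9, 8)),      # left in March, still logging in
    Account("asmith", "E1002", False, date(2015, 8, 27)),  # correctly disabled on departure
    Account("bwong", "E1003", True, None),                 # enabled for years, never used
    Account("cfernandez", "E2001", True, date(2015, 9, 9)),  # current employee
    Account("svc_backup", "", True, date(2015, 1, 2)),     # ownerless service account, dormant
]


def orphaned_accounts(accounts: List[Account], departures: List[Departure],
                      as_of: date = AS_OF) -> List[Tuple[str, int, bool]]:
    """Enabled accounts whose owner has left.

    Returns (username, days_enabled_past_last_day, used_after_departure).
    The third field separates 'never cleaned up' from 'actively being used',
    which is the finding that should go straight to incident response.
    """
    last_day = {d.employee_id: d.last_day for d in departures}
    findings = []
    for acct in accounts:
        if not acct.enabled or acct.employee_id not in last_day:
            continue
        departed = last_day[acct.employee_id]
        if as_of <= departed:
            continue  # leaver's last day has not passed yet
        days_open = (as_of - departed).days
        used_after = acct.last_login is not None and acct.last_login > departed
        findings.append((acct.username, days_open, used_after))
    return findings


def dormant_accounts(accounts: List[Account], as_of: date = AS_OF,
                     max_idle_days: int = 90) -> List[str]:
    """Enabled accounts with no login inside the idle window (or ever).

    Catches leavers the HR feed missed and ownerless service accounts that
    nobody has touched; both are candidates for disabling.
    """
    cutoff = as_of - timedelta(days=max_idle_days)
    return [a.username for a in accounts
            if a.enabled and (a.last_login is None or a.last_login < cutoff)]


if __name__ == "__main__":
    for user, days, used in orphaned_accounts(ACCOUNTS, DEPARTURES):
        flag = "IN USE AFTER DEPARTURE" if used else "never disabled"
        print(f"{user}: enabled {days} days past last day ({flag})")
    print("dormant:", ", ".join(dormant_accounts(ACCOUNTS)))
```

In practice the two inputs would come from the HR system export and a directory query (for example an LDAP or Active Directory dump), and the review would be scheduled rather than run by hand; the reconciliation logic itself stays the same. The dormancy check is deliberately separate from the leaver check because an HR feed is never complete, and accounts that no living owner uses are the ones the article describes staying open for months or years.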
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss