This week in Brussels, Apple’s chief executive Tim Cook somewhat surprisingly castigated how personal data is handled by businesses and organizations. Aside from praising Europe’s General Data Protection Regulation (GDPR) and calling for similar measures to be brought to the U.S., Cook warned of how our data was being “weaponized against us with military efficiency”.
Now, Cook’s public overtures are likely to have been motivated by a variety of factors, including the need for large technology companies to win back user trust in the wake of the data breaches and data misuse controversies that have become public knowledge over the past 12 months. Whatever the intentions behind his pronouncements, Cook’s words – which coincide with Cyber Security Month’s final theme, Emerging Technology and Privacy – prompt us to pay closer attention to how we can play a more active role in controlling how much of our personal data is shared with third parties.
Technology and privacy: How much to share?
The privacy debate itself is a timely one that I simply cannot do justice to in this blog post. Briefly, for context, there are several overlapping lines of argument. First, there are those of an Orwellian persuasion who forewarn the dangers of state and corporate surveillance resulting from mass data collection. Conversely, there are those who sanction data collection in the name of security and combatting threats to our daily lives. A third approach is one often taken by technology providers, who claim they can improve user experience by providing more targeted content and marketing using their users’ personal data.
Regardless of where you stand, at the heart of the debate is the question of how much of our personal data we are willing to share, and with whom. When it comes to technology providers in particular, we should always question what data the service or application needs from us, and for what reason.
Mobile applications are a great example: is it appropriate that the app I’m installing requires access to my device location? Or worse, does it need screen overlay permissions to capture my text messages and other personal activities?
Regulations such as GDPR have made it easier for individuals to request information from companies on what, why and how they are collecting and processing data on their users. The hope is that these measures will kick organizations into gear and make them more transparent about the uses of their technology. We shouldn’t, however, become complacent. Next time you sign up to a new online service or install an application:
- Check the permissions and settings required. If something doesn’t seem right, then trust your instinct and don’t allow or install.
- Consider whether you want to register using your personal or corporate email. For certain services such as online banking you will, but for others you may be better off using a temporary or secondary email along with an online handle/moniker.
- Don’t reuse passwords. When registering for a new service, don’t use the same password that you use for your personal email or online banking. As I’ll explain later on, this increases the risk of account takeovers.
- Always operate under a cloak of suspicion and caution. Think twice about what information you’re posting online and who might be able to view it, particularly on social media. Just because you are using the “private message” function doesn’t mean that your communications are secure. If you need to send sensitive data or discuss confidential matters, opt for communication platforms and email providers with end-to-end encryption.
Cybercriminals and privacy
Time and time again, when there is a major breach of a well-known organization, concerns quickly shift to how cybercriminals might look to weaponize or monetize user data.
Depending on the type of data compromised, attackers can use:
- Email addresses for phishing and spam
- Exposed passwords for account compromises
- Personally Identifiable Information (PII) and payment details for various types of fraud
- Behavioral data such as interests and social networks for microtargeting.
These datasets are often traded on criminal forums, marketplaces and chat channels (Figure 1).
Figure 1: Two file sharing links containing Facebook data posted on the Exploit[.]In criminal forum in October 2018
Whether you are an organization or an individual, every service you use increases your attack surface, providing more opportunities for breaches and for attackers to access your personal data. Our latest ShadowTalk podcast covered some of the risks associated with third parties and suppliers, and will be useful listening for organizations battling with third party risk management.
Privacy from the broadest possible perspective
Both this week’s Cyber Security Awareness theme and announcements such as Tim Cook’s should serve as a reminder to consider our privacy practices from the broadest possible perspective. Without negating its importance, data privacy is not simply about how much data we hand over to large bodies such as technology companies. We also need to be cognisant of what data we are exposing ourselves, what data we are leaving within easy reach of cybercriminals, and what security practices we are or aren’t implementing to make their jobs harder.
Some practices to reduce your online exposure include:
- Limit how widely you share your email address and use multi-factor authentication. An exposed email on Facebook or a particular forum might be all the invitation someone needs to target you with phishing emails. Ensure you use multi-factor authentication (MFA) where possible to help prevent account compromises.
- Ensure file sharing services such as FTP, rsync and SMB are authenticated and configured correctly. The same goes for NAS drives and cloud storage solutions such as Amazon S3 buckets where you might back up or archive your data.
- Restrict access to important data to only those who are required to have it. For individuals, this could be the permissions requested by mobile applications or online services. For businesses, prevent unauthorised users from accessing sensitive data by ensuring read/write access is only granted where there is an explicit business requirement.
- Look for your compromised data online. You can use sites like haveibeenpwned.com to detect when your data has appeared in publicly available breaches or leaked datasets.
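As an added example that is not part of the original post, the check below shows how the password-reuse warning and the haveibeenpwned.com advice above can be automated without handing your password to anyone: the Pwned Passwords range lookup sends only the first five hex characters of the SHA-1 hash and the match is made locally. The `fake_fetch` response body and its counts are constructed so the example runs offline; `fetch_range` assumes the documented `api.pwnedpasswords.com/range/` endpoint.

```python
"""Added example: k-anonymity lookup against Pwned Passwords (haveibeenpwned.com).
Only a 5-character hash prefix leaves the machine; the 35-character suffix is
compared locally against the returned candidate list."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    (the only thing sent to the service) and the 35-char suffix (kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how many
    times this password has appeared in known breaches, or 0 if absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live query (needs network). Assumes the public range endpoint."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fake_fetch(prefix: str) -> str:
    """Constructed stand-in for fetch_range so the example runs offline.
    The middle line uses the real suffix for "password"; the counts are made up."""
    _, suffix = sha1_prefix_suffix("password")
    return ("0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
            f"{suffix}:3730471\r\n"
            "011053FD0102E94D6AE2F8B83D76FAF94F6:1\r\n")


def password_breach_count(password: str, fetch=fetch_range) -> int:
    """Return the breach count for a password; 0 means not in the dataset."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


if __name__ == "__main__":
    print(password_breach_count("password", fake_fetch))  # offline demo
```

Swap `fake_fetch` for the default `fetch_range` to query the live service; a non-zero count is the signal to retire that password everywhere it is reused.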