Data Privacy


By Mathew Scott, VP at J.S. Held

Introduction

In a world that revolves around the collection and use of various forms of data, the continuously ensured privacy of data being collected and stored is a major factor in cybersecurity hygiene, i.e. habitual practices for ensuring the safe handling of critical data and for securing networks. Managing the privacy of one’s data includes managing not only who has access to your data, but also confirming what data is being collected and how the data is being used or even stored.

These days, our personal digital footprint—the unique set of traceable digital activities, actions, contributions, and communications we create as we use the internet, social media, and other applications—is more detailed and extensive than before. It is easy to simply click “I accept” on every prompt that appears on a computer screen in order to gain access to a website or to utilize a software application, but it is just as important to use caution before accepting and to regularly review the type of data we allow to be seen, tracked, and/or collected, and by whom.

Transparency Regulations, Consent & Privacy Settings

Most websites and software applications are now obligated, by the European Union’s General Data Protection Regulation (GDPR) and other local legislation, to report to the user the data they collect and how they use it. This increase in transparency regarding data collection has made it easier for the end-user to see and manage what data entities intend to collect, who the data will be shared with, and how the data will be used.

Despite these requirements, however, one’s ability to access and modify the data being collected, and the subsequent information extracted from it, is not standardized. This can make it more difficult to exert control over certain privacy settings and preferences. For reference, it is possible to locate privacy settings by searching for privacy language or settings within an application, product, or website account being used. As an example, searching for “Linkedin privacy settings” via a search engine will direct the searcher to a support page on Linkedin’s website with descriptions of various categories of settings and direct links for customizing personal data collection and usage. To simplify the process of managing privacy settings, the National Cybersecurity Alliance assembled a list of links to make it easier to find these data settings for many popular websites and applications in one place: https://staysafeonline.org/stay-safe-online/managing-your-privacy/manage-privacy-settings/

How to Strengthen Cybersecurity & Reinforce Data Privacy

While securing data is important, it is often ignored for the more direct concerns of securing user accounts and computing devices. Below are several ways in which cybersecurity hygiene can be improved and maintained such as to reduce risks presented by hackers, fraudsters, and other threat actors.

  1. Use a password manager, cipher, or management system, and remember:
    1. Use longer passwords which are harder for hacking programs/software to obtain via “brute force” methods.
    2. Avoid using information such as date of birth, the name of a website, the names of children, relatives, or pets (and other similar pieces of information) when creating passwords, as these can often be searched for on public web or social media profiles, or simply guessed.
    3. Consider using a passphrase instead of a password. Passphrases can be something such as “BatteryHorseStaple” or any such long series of unrelated words strung together.
    4. Use different passwords for everything. This is especially important because once a password is breached, it frequently gets added to a list used in subsequent hacking attempts. One effective? tool that anyone can use to check whether accounts or passwords have been compromised is Have I Been Pwned.
    5. Use many different passwords to make it more difficult to guess. Analysis performed on publicly available password information from historical breaches revealed that some of the most common information used in hacked or stolen passwords includes:
      1. Birthdates
      2. The year the password was created
      3. Significant dates (anniversaries, children’s birthdays, etc.)

For further reading on password security, Cybernews published an article in late December of 2021. The article addresses more patterns observed across the 15 billion passwords analyzed. Cybernews also provided access to another password security tool.

  1. Work Together

Cybersecurity tips frequently highlight the need to be vigilant and cautious of links and communications from all types of sources. This is good advice, but another less commonly observed recommendation is to help improve security for the people in your life who are most vulnerable. You are more likely to receive and open a message from friends, family, colleagues, or clients, so why not help those individuals practice proper cybersecurity, too? Consider taking the following steps.

  • Initiate a conversation and help them implement strong and diverse passwords, adhering to the tips listed above and keeping in mind the following components of a strong password:
    • Length (12+ Characters)
      • Computers can guess incredible quantities of passwords in a short amount of time. The longer a password is the more combinations of characters it may include, forcing hacking software to spend much more time and effort guessing.
    • Avoidance of common patterns, words, and phrases
      • Words like “password” or the name of the website being registered for are easy for threat actors to guess.
    • Use of symbols, numbers, and a mix of upper and lowercase numbers
      • A cipher, as mentioned before, can help with swapping out characters to include more numbers and symbols, while also providing an easier way to remember passwords if a password manager is not used.
      • Recall the passphrase mentioned earlier, “BatteryHorseStaple.” An example of a cipher would be changing this phrase to something like “B4tteryH0rse$t4ple.”
    • Private (not shared with other people)

Frequently it is against both the End User License Agreement (EULA) or company policy to share passwords or accounts with others. It is good cybersecurity hygiene to avoid sharing passwords or accounts with others as this adds additional risk. Even adhering perfectly to all best practices does not mean that whomever you share an account or password with will do the same.

  1. Combining the lessons

Cybersecurity can have real-world implications in unexpected ways. Managing data and who can see it is important, whether they are viewing it publicly and legally or have managed to guess, brute force, or re-use a password from a breach. Consider a scenario in which you are on vacation. Imagine being on a trip and posting photos to social media or talking about the trip you are going on later this month. If your privacy settings allow anyone to see this, they would know that you will not be home, which makes you a good target for a break-in or robbery. The same information could also be used to impersonate you and commit identity theft. Additionally, remember that important accounts that directly impact daily life, such as banking, investments, retirement, medical, professional, or enterprise accounts can also be used by threat actors if unsecure data ends up in the wrong hands.

Conclusion

As we make our way through 2022, more daily routine activities require internet connectivity, accounts, passwords, and data. Factors such as more widespread implementation of OAuth (The ability to sign in with Google or Facebook on other websites) create additional security exposure to consider. However, many applications and websites now also offer improved security measures, too, such as multi-factor authentication (MFA) or two-factor authentication. These security measures ensure that even if a threat actor has a password, without specific authorization they cannot sign into an account, and notification is issued to change a compromised password.

Managing many accounts and/or voluminous data can be daunting, but it is important for the cybersecurity hygiene of individuals and their employers. The benefits include fewer risks of breaches and better awareness of your own digital footprint. Establishing good habits and correcting bad ones will adjust your cybersecurity hygiene going forward, and it is important to keep up to date with changes in the landscape as technology evolves.


Matt Scott is a VP in J.S. Held’s Equipment Consulting Practice. Matt provides analysis of various computing platforms to determine the root cause of failure. In addition, Matt provides digital forensic services of computing assets to identify actions as a result of a cyberattack and threats related to the operation of malware and ransomware. Matt works with the insurance, legal, law enforcement, and public communities to assist with the identification of suspicious activity. 
Matt can be reached at matt.scott@jsheld.com or +1 614 991 0523.


Follow Brilliance Security Magazine on Twitter, Facebook, and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.