"Like I'm in the Twilight Zone"

Just the other day, that great '80s pop song "Somebody's Watching Me" came on the radio. Though it debuted more than 30 years ago, it feels even more relevant today than it did back then. 

In the 21st century, sensors, cameras, microphones and GPS locators are everywhere, feeding Big Data machines every little detail of our lives. As the song goes, "I always feel like somebody's watching me, and I have no privacy."
This past Sunday, Jan. 28, was Data Privacy Day. So, there's no better time than this week to get serious about your personal and business data privacy and security.
Read on to learn more about the ways in which we are all being watched, and what we can do to reduce the everyday intrusions into our private and professional lives. 

6 Ways Crooks Steal (Then Ransom) Your Data

Infographic marks Data Privacy Day, warns of ransomware threat

Ransomware is predicted to be one of the most popular cybercrimes this year. That's because w here there's an Internet connection, there's a datanapper. 

This infographic walks through the ransomware threat posed by the dark web and the Internet of Things (IoT), as well as in homes, workplaces, stores and even doctor's offices. Download it now.
Datanappers love the way we live, always connected and happily over-sharing. While you shop, get a check-up, work or stream movies on the couch, the bad guys are right there watching, waiting for you to drop your data or open a pathway to it.
So, what can we do to protect our data from getting napped and held for ransom? Here are three easy steps to mitigate a large portion of the risks:

Delete unused apps. Games, especially, are often fronts for data collection entities. Get rid of all you haven't used lately.
Patch your systems. This should be set up to happen automatically. Double check you have all of your devices set to auto install security patches and updates.

Back up your files. If you use a cloud service, double up and use a physical device, too. Make sure it is not attached to your computer except when actually backing up.   

To learn more about ransomware, keep an eye on my The Privacy Professor YouTube channel. We'll soon be posting a clip of my recent visit to the CWiowa Live morning show, during which we talked all things ransomware.  

heroPrivacy Hero: Meredith Leitch at Intel Corporation 
Raising privacy awareness through 'viral' videos  

Meredith has found a unique, fun and totally relevant way to engage employees in privacy awareness. A communications manager for Intel, Meredith is taking privacy awareness mainstream in the corporate world through her beautifully created series of innovative and humorous videos. She partnered with a company in the UK called Twist and Shout to produce the brief, completely relatable mini films that remind workplace viewers "Privacy is everyone's responsibility."
If you're interested in learning how Meredith created the series, take a listen to this Twist and Shout podcast episode .
Meredith, from all of us at The Privacy Professor, thank you for being a privacy advocate and champion! Your special effort to raise awareness of the small things we do each day that can endanger our privacy and security is worthy of much greater attention, and we hope you receive it. Kudos!

We want to know: Who is your privacy hero?
Each month in 2018, we'll introduce an individual who has gone over and above to advance data security and/or privacy in their corner of the world. To nominate, simply drop us a note and explain why we need to know your hero.
At the end of December, we will announce our Privacy Hero of 2018. He or she will receive a token of appreciation and commemoration of outstanding work.

tech5 Tech Resolutions for the New Year
Committing to even one of these would be a great first step

Ok, so we know resolutions don't always work. (In fact, I just read yesterday only 8% of them stick around). But, after Dennis Devlin pointed me in the direction of this list of 5 tech resolutions for 2018, I felt suddenly optimistic. Take a look to see if even one of these is a commitment you can make in 2018:

Update your software: Better yet, configure automatic updates.

Read privacy policies: And if you don't like what you see, or can't find the information you need, contact the provider.

Delete unnecessary apps: You know you have them. We all do. They are siphoning our data even when they're not in use.

Use a virtual private network (VPN): Keep your internet service provider from collecting (and sharing with unknown entities) data on your online behavior.

Protect your hardware: Physical security is important, so take steps to protect your screens. Go one step farther and protect your screens from looky-loo's with a privacy filter, like one of these from 3M.

To read specific recommendations for each of the above, read the New York Times' "5 New Year's Resolutions to Protect Your Technology." (Thanks for the pointer, Dennis Devlin!)

Talking with your kids is so worth it

A friend of mine sent over the following screenshots from her 12-year-old son's iPhone. She had been talking with him about how to spot a likely fake in text, on email and even in person (e.g. don't ever stick a mysterious USB into your laptop!). Turns out he was listening... have a look at their conversation. Son's messages are red; Mom's are blue.

Yay! This kind of story makes me smile. It just goes to show that awareness is monumental to thwarting crime!

I told this tale on a recent visit to the CWiowa Live morning show. You can watch that episode on demand now

I use those online file converters often, but I've never paid much attention to their terms. I wonder if they are taking my files and doing something with them. One I use often is pdf2doc.com. What are your thoughts?

There are many different file converters out there, but this one, in particular, is interesting. It states that all uploaded files are deleted after one hour, but how do we know that's true? It makes you wonder why they are even providing this service.
Their site offers no information about who is running the site; nor do they have a privacy or security policy. That should be a red flag for any website, let alone one that very obviously is in receipt of your files.

When you encounter a mysterious online service like this, there are a couple things you can do to investigate:

Look up the site's owner(s) on whois.icann.org. In this case, the registrar is listed as enom.com with a P.O. Box mailing address in Panama. All other information has been hidden. Fishy.

Research the site with a trusted source. In this case, I found information on CNET that says pdf2doc is published by i9Soft, a seemingly French company with no readily findable website and an out-of-date Twitter account that hasn't been touched since 2012. It's also unclear whether the software reported on by CNET is related to the online version.

Personally I'd skip using this site and any others like it that don't clearly articulate what they do with your files. It's unclear what they are taking from you when you are on their site. Importantly, I'm not just talking about the files you upload. They could also be pulling all kinds of data on your behavior, your personal details and more.

Photo by  Anas Alshanti  on  Unsplash    

If the FBI gives you a warning, heed it

In December, a cancer care provider in Florida, 21st Century Oncology, Inc. (21CO), was fined $2.3 million for potentially violating HIPAA privacy and security rules.
What stood out to me when I read this news was the two-time warning the clinic had received from the FBI. Even after learning (twice!) that patient information had been illegally obtained by an unauthorized third party (in this case, an FBI informant), leadership still did not take corrective actions.

In my experience, this typically happens because CEOs/owners do not believe it's likely their patient data will be exposed. Nor do they believe it's likely their compliance failings will be caught by regulators. As such, they don't see the financial ROI of investing in good data privacy and security measures.

This is especially true for small to mid-sized companies. When confronted with the possibility of an intrusion, a fine, an insider threat or any other security risk, the first question is often: How likely is that to happen?

Unfortunately, IT leaders, although no doubt talented and educated, are not soothsayers. And because they cannot predict with any level of certainty the likelihood of a particular threat actually occurring, their data privacy and security proposals are often rejected.

So, what can be done?

It comes down to culture. CEOs/owners, as leaders of their organizations, have a responsibility to protect the patients and employees who work for them. This should not be a question of if their data is going to be breached; it should be a question of when. Medical records are some of the most financially lucrative on the dark web.

At the same time, IT leaders must acknowledge the cost of their proposals and do their best to articulate the ROI. Likelihood, while not a perfect science, can be calculated by looking at both past events, current trends and what the experts predict for the future. Tools like those provided by SIMBUS, LLC, can be a big help to IT and compliance teams that need to model risk for CEOs and other decision makers.

Until more health care organizations prioritize creating and maintain a culture of security, I'm afraid we are going to see many more cases like 21CO's. 

PPInewsPrivacy Professor On The Road & In the News  

On the road and in the ethernet...

One of my favorite things to do is visit with leaders in different industries - health care and managed systems providers to insurance and energy (and beyond!). Below are a few of the places I have been recently and a few of the events I have scheduled for the upcoming season.

April 24Teaching online GDPR Compliance MasterClass for IT GRC Forum 

April 26: Teaching ISACA ILLOWA Chapter 1-day ISACA ILLOWA Spring Seminar on Privacy Management & Privacy Impact Assessments (8 CPEs) at the ProCircular facilities in Coralville, Iowa.

May 30-31: Giving Keynote SecureWorld, Atlanta, Georgia. 

Privacy Professor in the news...


I'm so excited to be hosting Data Security & Privacy with The Privacy Professor on the  VoiceAmerica Business network . The first episode, which aired Jan. 26 and is available on demand, features guest Michelle Dumay, a medical cannabis patient advocate. Michelle's personal story and expertise made for an incredible debut show on what it takes to help cannabis providers to secure their customers' and patients' data and privacy.

Do you have an idea for a show topic? Or would like to suggest someone who would be a great guest? Please let me know!

Bright Talk

Credit Union Times

SIMBUS, LLC Blog Posts

Voice America's Leadership Beyond Borders with Kimberli J. Lewis

CWIowa Live

The morning TV broadcast regularly covers privacy and security tips with their guest, the Privacy Professor! Each is a brief 10-15 minutes and covers topics ranging from insider theft to connected vehicles. Check out this online library to watch recent episodes.

On January 9, we talked about the Meltdown and Spectre chip flaws, as well as how smartphone microphones, apps and smishing scams are making adults and kids vulnerable to data security and privacy risks. I also visited the studio on January 29 to talk about Data Privacy Day both in my homestate of Iowa, USA, and around the world.

You can catch up on many of my visits to CWIowa Live with my on-demand library on YouTube.

Questions? Topics?

Have a topic I should discuss on the  CWIowa Live morning show? Or, a question I can answer in my next monthly Tips? Let me know!

For nearly a decade, we have been honored to work alongside Iowa's governor to declare Jan. 28 Iowa Data Privacy Day. The event coincides with the international Data Privacy Day, coordinated by the National Cyber Security Alliance. 

I hope you will devote some time this week to upping your own privacy awareness and security. There are so many things you can do, both simple and complex. Don't get overwhelmed. Take small, incremental steps to protect yourself, and above all, stay aware!

Here's to a fantastic 2018 Data Privacy Day (Week)! 

Rebecca Herold
The Privacy Professor
Need Help?

Permission to Share

Want to repurpose the information contained in this Tips? Yes, please forward in its entirety. 

If you prefer to use only excerpts, please use this attribution:

Source: Rebecca Herold, Founder, The Privacy Professor┬«, privacyprofessor.org, privacyguidance.com, SIMBUS360.com, rebeccaherold@rebeccaherold.com 

NOTE: Permission for excerpts does not extend to images.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564

Visit my blog    Follow me on Twitter