The Iowa Secretary of State did a great job sending email messages during Cybersecurity Awareness Month. They put out an entire newsletter series in October. We especially loved, "4 tips and tricks for staying cyber secure while working at home." Work-from-home data security and privacy practices have been a strong focus for our team in recent months.

Google's Scam Spotter provides a set of pretty nifty tools to raise privacy awareness. Being able to spot and avoid scams, particularly during COVID-19, is critical. Does Google do a lot of privacy-invasive things? Yes they do. But, it's equally as important to recognize the positive actions they take.

Mashable shared a really important privacy tip with readers this month: How to blur your house on Google Street View. In addition to showing how it can be done, the article also pointed out why a homeowner may want to do this. Among the reasons are that the service can sometimes offer unobstructed views of a home's interior and even show people in embarrassing situations.

NIST's The Phish Scale helps employees avoid becoming victims of phishing scams, something that is particularly important now as many remote workers are conducting business outside usual firewalls and other data security controls. The Phish Scale goes beyond typical phishing training programs by giving the CISOs who run them a deeper understanding of whether a particular phishing email is harder to detect.

CNN is another media outlet receiving a Privacy Beacon for excellent privacy-aware reporting. Recent coverage shared instructions on spotting deep fake videos and images, which are becoming a real problem now that access to AI software and advanced editing tools is so easy. Among the clues the article shared was to look at actions like head motion and blinking, as those natural movements are difficult to replicate.

A Business Insider story recently reported that Facebook’s artificial intelligence (AI) tool flagged an ad from a Canadian garden center. The ad contained an image of Walla Walla onions, which Facebook's algorithm identified as having violated rules against "positioning products or services in a sexually suggestive manner.”

Although Facebook reinstated the ad after a subsequent manual review, this is a perfect example of how easily AI-based technology can go awry. In fact, as Facebook’s head of communication said in a public apology, AI doesn’t know an onion from a “you-know-what."

We simply can’t rely on AI alone. Yet, so many people, organizations and even security companies believe AI can do no wrong. No doubt, AI is accomplishing some very big, very meaningful things, and there's great potential for even more. But, we're not all the way there yet.

Human judgement must supplement AI outcomes for now (maybe for always). We only have to look to The Office's Michael Scott for a demonstration of how abandoning common sense while interacting with automation can go horribly wrong. Fans of the American TV show will remember the hilarious incident in which Michael drives into a lake because his car told him to. This is just one example of how blindly trusting AI can fail us.

Using AI can make your life easier, but it doesn’t completely absolve us of the responsibility for important decisions. Be thankful you have common sense and use it.

A Forbes contributor encourages readers to consider whether convenience is more important than privacy when it comes to a feature called Significant Locations in Apple iOS.

The feature, which is essentially a hidden location tracking center, is tucked away in the privacy settings. By default, it is on and running.

Settings > Privacy > Location Services > System Services > Significant Locations

I’m sure many people just learning about this will be creeped out. Fortunately, you have the option to remove Significant Locations. Simply follow the navigation in yellow above and direct the tool to delete a single or all locations.

Apple claims that what happens in iPhone stays in iPhone, and that Apple can’t access the data. Even if we buy that, this is still a huge privacy issue. As the BBC recently reported, smart devices and the data they contain are often exploited for domestic abuse. The feature may provide users with personalized services related to their location (e.g., predictive traffic routes), are those conveniences worth the invasion of privacy?

A covert feature in a popular smartwatch for kids was recently found by researchers at a Norwegian cyberthreat response company. They looked at an app on the XPLORA 4 smartwatch called Persistent Connection Service.

The researchers sent an encrypted control message to the watch to see what kind of action it would trigger. The action, scary enough, was to track locations and take a picture, which was then sent to the vendor’s cloud server... all without approval. Even scarier, the researchers found this is just one of a few unusual control messages built into the watch.

There is a potential bright side to the story, however. After the Norwegian researchers contacted the smartwatch manufacturer, they reportedly deployed a security patch. That bright side dims a little bit, though, when you think about all the smartwatch wearers (kids!) who won't initiate an update to get the patch. What's more, it boggles the mind to think that this device made it to shelves with such an apparent disregard for security and privacy in the first place.

As we approach gift-giving season, please be smarter than the devices you buy, especially if you intend to give them to children. Do your homework, and if you come across any questions, shoot me a note. I'd be happy to give you my opinion.

Their latest rollout is a point-of-sale device allowing consumers to pay for merchandise using their hands. Apparently cash, cards and smart devices are not enough.

The so-called palm recognition technology is known as Amazon One. The innovation is built to identify people through their hands by "reading" lines and ridges to create individual “palm signatures.”

Several things are concerning about this development. For starters, uploading the bio data of millions into potentially vulnerable cloud servers is like dangling bait off the side of a boat... a boat floating in the deep, dark web. Cyber criminals are salivating at the prospects of stealing that kind of personal data to round out the identity profiles they're busy building on each of us. Remember, no technology is 100% secure, which makes implementing layers of security so important.

Less tech-savvy criminals may see other opportunities with this kind of technology, especially as it's used for other authentications, such as entering a building or secure space. Forcing someone into a state of unconsciousness (or worse, death) could allow them access to any number of things.

Please remember as you engage with new methods of payment and authentication that the technology is just that... new. The bugs and kinks have yet to be worked out. It bears repeating, no technology is 100% secure! Are you willing to be the guinea pig that helps Amazon and other developers like them discover the patches that need to be made to make them as safe as possible?

Not only was the cold-call email bad etiquette, several factors made it a clear violation of data privacy.

Of course, GDPR and CAN-SPAM are not the only regulations that would govern this kind of mass, unsolicited emailing effort. For example, California has also passed a law that affects email marketers -- the California Consumer Privacy Act (CCPA). Under that set of rules, companies must disclose the information they've collected on customers, such as an email address, and clearly communicate how they intend to use it. There are many among other requirements under the CCPA, like providing consumers the ability to opt-out of personal data use. And, there are many similar laws around the world providing consumers the right not to receive spam.

Even though I believe this particular email was likely a naïve mistake by someone who wanted to drum up business in his new role, he could still face legal action -- as could his employer. Violations of this kind can result in hefty fines and penalties.

In September, a hacker published Social Security numbers, grades and other private information online after it was stolen in just such an attack. The victimized school, which received a ransom demand for unlocking computer servers, refused to pay up. In retaliation (or maybe just because the hacker could), the data was uploaded to the Internet for all to see.

This is not happening just to schools. It's happening to all types of organizations, healthcare and public health sectors, in particular. And, it's only getting worse with employees working remotely. In many cases, workers are going about their duties online as usual, but without the benefit of on-site security controls. These individuals MUST receive training specific to their new environment, or we're going to see ransomware attacks increase to a level we've not seen before.

It's important to know that today's ransomware attacks often go beyond locking down data. They can also have life and death consequences. As we write this, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) issued an important advisory alert, “Ransomware Activity Targeting the Healthcare and Public Health Sector.” Everyone who works in or for a healthcare provider, insurer or clearinghouse organization should read this alert to avoid falling for the tactics described.    

Already experts predict a dramatic uptick as companies continue to operate with remote workers. One estimation has businesses in 2021 falling victim to a ransomware attack every 11 seconds.

Speaking of remote worker risks, I'll be speaking about remote and work-from-home security and privacy at the November 5 Silicon Valley ISACA chapter webinar, “Security & Privacy Compliance in Work from Home Situations,” from 6pm – 7pm PST. Please attend if you can.

Also, our team has assembled a series of training tools and resources to help employers keep their team's awareness and procedures up-to-snuff. To check them out, visit Privacy & Security Brainiacs.

I’ve experienced hecklers on my social media sites in the past. But, my recent podcast on voter security really had them coming out of the woodwork.

The show discussed the results of solid and objective research on various U.S. voting methods, including verifiable findings that actual fraud is rare. Throughout, I was extra careful not to show overt support for any political party or pundit. Still, internet “trolls” and even some people I’m acquainted with on LinkedIn and Facebook were not deterred. I'm not surprised. Online harassers love to stir up trouble, starting uncalled-for fights for myriad reasons. But when they cross the line, it is important to take action, given the increasing hate we see in this world.

If you’ve ever been attacked online, you know it can be both disappointing and hurtful, but also scary. Negative and bullying comments sometimes even turn into vile name calling and physical violence threats, which I personally experienced.

FOR EMPLOYERS: Incorporate online behavior rules for employees to follow when they post on behalf of your business, from your business network or accounts or are associated with your business (e.g., LinkedIn or online industry groups). I’ve seen many negative and hateful comments on LinkedIn, which is not only disappointing, but far outside the purpose of professional networking online. (Why does LinkedIn allow users to create posts that do not support its stated mission to “connect the world’s professionals to make them more productive and successful?" How do hateful and harassing comments, or threats, support productivity and success?)

Bad behavior by employees online can have negative impacts, not only on the cyberbullying targets of your employee, but also on your business. Here's just one example of a recent headline-making incident: Former eBay Employee Pleads Guilty in Aggressive Cyberstalking Campaign.  

Words matter. In the U.S., everyone has a right to free speech, both the good and the bad. And certainly the right of individual expression is important. But, when words turn into harassment and threats, they become a personal and public safety issue that must be addressed. While simply ignoring online trolls will sometimes work, and may be best to do when such situations pop up, if it continues on, action may need to be taken.