What's Under That Costume?
It's a spooky time of year, folks. All manner of tricksters and treaters are donning disguises designed to fool even the most whip-smart among us.
But it's not just Halloweentime that brings out the disingenuous.
As our world becomes increasingly digital, it's easier to pretend to be something you aren't.  Let's take a look at a few of the ways we might be fooled this month and beyond... 


Disguised As Just Another Employee

Consumer and client trust very hard to regain
My sons when they were 2 and 4.
Insider threats continue to loom large. At Verizon, one employee was caught
sharing phone records and location data of customers with private investigators for a little extra money on the side. 

At Wells Fargo, employees opened unauthorized accounts to achieve individual sales targets... during a period of over 5 years!  

Each of these individuals did it under the disguise of "just another employee," and at the expense of the consumers who trusted them to keep their information out of the wrong hands.
Whether or not we can refer to the Wells Fargo incident as insider fraud is debatable. We do know that reportedly unrealistic sales requirements provided much of the motivation for thousands of employees to take these actions. Thankfully, it's someone else's job to determine whether employees were following the rules or breaking them. What is clear, however, is that the bank's customers were fooled, and sadly, many lost money during this ruse.
In the case of Verizon, we see the influence of private investigators (PIs), who have been known to view and present themselves as law enforcement. Although we do not know all the details of this particular case, the employee may have felt more compelled to provide the information to the PI out of a false sense of duty. 

THE TAKEAWAY: An extremely wide swath of motivations can cause an individual to take advantage of his or her position and authorized access to the personal information of clients, consumers and patients. Be mindful of the data privacy and security threats posed by those closest to your digital information assets. At work, ask yourself whether you are doing anything that adds to the temptation to steal from, spy on or expose your end users.  

Strike A Happy Medium With Insider Threat Mitigation 

Privacy is all about context
Especially with recent headlines, employers run the risk of becoming "too" diligent with insider threat mitigation. Take this company, for instance. Ironically called Humanyze, the organization has built an employee badge that goes way beyond logging time. In addition to performing real-time voice analysis, the badges have sensors that track where an employee is and motion detectors that record how much he or she moves. (Movements inside bathroom locations are omitted... in the name of privacy... ha.)
Talk about extreme!
Employers absolutely should have controls to monitor for the bad behavior of employees. At the same time, it's important to remember the Golden Rule. Would you want to work for an employer that insisted on monitoring your heart rate or your cortisol levels (such a thing is coming if MIT researchers have anything to say about it)?
Thank you to my Facebook friend Christina A. for pointing to this issue!

THE TAKEAWAY:  If you're wondering whether a control or precaution crosses an ethical privacy line, consider the context. Indeed, privacy is all about context. While your doctor may need to understand how your heart rate changes throughout your visit, your favorite retail store does not. 

Yahoo May Not Be Thinking of Everything

New data breach details often emerge over many months
Elastigirl and Dash joined Prince Phillip during this Halloween outing.
If there's anything consumers have learned in this brave new world of hacking, it's that breached companies don't always know (or reveal) all the details of their incident at the outset. It's become fairly common for these organizations to increase the amount, or expand the type, of information exposed in a breach over time.
Whereas Yahoo indicates 500 million customer accounts were compromised, that number could increase as its investigators learn more about the exposure. Perhaps more important, though, is that Yahoo has indicated no financial information was accessed by the hack. 

A couple of points there: 1) Yahoo may learn of such exposure at a later date; 2) the type of information exposed (names, email addresses, phone numbers, dates of birth, concealed passwords and, in some cases, security questions and answers, both unencrypted and encrypted) could easily help a criminal find his way into a consumer's online or mobile banking account. And that's simply because many people use the same passwords and security questions and answers across platforms. 

THE TAKEAWAY: Don't be lulled into a false sense of comfort by any company's initial data breach announcement. One thing's for sure, the details rarely ever get better over time. Keep an eye on your financial accounts and credit reports, and change your passwords frequently across platforms. 

MORE TIPS:  To minimize the impact of the Yahoo breach, change:
  1. Your Yahoo password (or delete your account if you are no longer using it)
  2. Your Yahoo security questions and answers 
  3. Other site passwords and answers (If you use your exposed Yahoo credentials elsewhere, they, too, need to be changed!)
Viruses Masquerading As Legitimate Emails, Software Updates

Emails with infected Word docs disguised as invoices sneak past anti-virus software
Slipping past anti-virus protections, this new strain of malware comes to potential victims in the form of an email that appears to be collecting on a debt. According to malware researchers, there are two things that make this particular threat noteworthy:
  1. The Word doc attached to the email provides much more legitimate-looking instructions telling users to enable macros.
  2. Once executed, the macro-based malware uses a more sophisticated loading process designed to detect and bypass traditional security. 
THE TAKEAWAY:  If an email looks even slightly suspicious (like having an invoice attached for something you did not purchase!), delete it immediately... and do not click on that attachment! 

Dropbox share alert is not what it appears

If you or your colleagues frequently use Dropbox to share large files, be sure you are checking any email that appears to be from the company very carefully. A new phishing scam posing as Dropbox is spreading, and like many others, it is a master of disguise. 

Here's what it looks like:

THE TAKEAWAY: Never click; always hover. Before clicking on a link in any email (suspicious or not), hover over it with your mouse. Your computer should display (typically in the lower left-hand corner of your screen) the actual URL of that link (see the image above). 

Ransomware poses as Windows update
According to InfoSecurity, another easy-to-fall-for threat is making the rounds... this one in the form of a Windows update. Displaying a fake update screen, the ransomware tricks Windows users into downloading a file called "Critical Update."
The tough thing about this particular threat is that the pop-up appears very legit. Users believe they recognize the update screen, so they simply follow the prompts and quickly find themselves in hot water. The clever authors of the ransomware keep up the pretense throughout the downloading process. Users believe it's the "Windows update" keeping them from switching to other open applications, but really, it's the fact each of their files is being encrypted. 

THE TAKEAWAY: Keep up on the latest threats to reduce the chances of falling for charades like these. For example, the FTC offers three videos to keep you and yours cyber aware. 
International Privacy Regulations Rarely Look Alike

Facebook has not seen the last of global regulators
My little ninja, the Grim Reaper and me as the Wicked Witch of the West
Young companies with roots in the U.S. are facing some privacy headwinds as they expand globally. That's because laws and regulations governing data security and privacy are much different in the U.S. Generally, they allow for more collection of personal information in the largely unregulated social media and online apps and services space.  
Take Facebook, for instance. Earlier this month, a German privacy regulator ordered the social media giant to stop collecting and storing data of German users of its messaging app WhatsApp. 
THE TAKEAWAY:  Doing business internationally requires education and awareness of different privacy and data security rules. If your company is expanding, be sure someone is championing the cause and that this individual has a clear understanding of applicable privacy laws and requirements. 

Celebrities Become Unintentional Front For Cybercriminals

Use caution when searching these names

Privacy Professor On The Road & On The Air

On the road again 

One of my favorite things to do is visit with leaders in different industries - healthcare to energy and beyond. 

Below is a schedule of where I'll be over the next few months.

October 18: (Webinar) "IT Security & Privacy Governance in the Cloud," IT GRC Forum

October 25:  (Live Presentation) "Vendor Management," Privacy + Security Forum, Washington, D.C.  

November 10: (Live Session) "Where's Your Data? Privacy Challenges for IT Leaders," Data Privacy Asia Conference, Singapore

November 11: (Live Workshop)  "Going Digital? Think Privacy Impact and Security Design," Data Privacy Asia Conference, Singapore
A fresh webinar, materials available

The materials from my webinar, "Using ISACA's Privacy Principles to Create an Effective Privacy Program," are now available.

Halloween doesn't get all the October fun. It's... 

I'm excited to be a sponsor of National Cyber Security Awareness Month (NCSAM), as well as an NCSAM Champion! Look for my Tweets throughout October and some information on TV.

A couple recent honors

Thrilled to be accepted as an IAPP Fellow of Information Privacy (FIP)
Honored to be named a Top 100 Influencer for Data Security

Taking to the air waves

CWIowa Live, a morning TV broadcast, regularly covers privacy and security tips with their guest, the Privacy Professor! Each is a brief 10-15 minutes and covers topics ranging from insider theft to connected vehicles. Check out this online library to watch recent episodes.

In the news

Report on Patient Privacy and Report on Medicare Compliance

I was thrilled to be sourced for the September 2016 issues of these subscription-only publications. See one copy of it here. Contact AIS Health or Theresa Defino for information on becoming a subscriber. 

Secure World has begun to republish the monthly Tips message. If you happen to miss one, or your email filters file it somewhere unknown, you might check there (or just give me a shout; I'm always happy to resend).

Questions? Topics?

Have a topic I should discuss on the CW Iowa Live morning show? Or a question I can answer in my next monthly Tips? Let me know!

My sons just before trick-or-treating, Halloween 2010
Imagine my delight to celebrate both Halloween and Cyber Security Awareness in the same month!

Be on the lookout for disguises... they're not all fun and games.

Have a terrific Cyber Security Awareness Month and a spook-tacular Halloween!

Rebecca Herold
The Privacy Professor
Need Help?

Permission to Share

Want to repurpose the information contained in this Tips? Yes, please forward in its entirety. 

If you prefer to use only excerpts, please use this attribution:

Source: Rebecca Herold, Founder, The Privacy Professor®, privacyprofessor.org, privacyguidance.com, SIMBUS360.com, rebeccaherold@rebeccaherold.com 

NOTE: Permission for excerpts does not extend to images, some of which are my own personal photos. If you want to use them, contact me.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564

Visit my blog    Follow me on Twitter