Posted October 30, 2015
By Michael Perry
October is National Cyber Security Awareness Month (#CyberAware). In support of this campaign, we’re releasing an educational blog post and infographics each week covering different cybersecurity topics. Our final topic for the month will cover security versus privacy. While you might already be familiar with these concepts, we invite you to share this article with friends, family, and colleagues.
Two concepts that have been a source of debate since the emergence of the Internet are privacy and security. Typically, these two ideologies are discussed in terms of government actions; however, there is also a personal element to consider. While privacy and security should go hand in hand if you want to maximize your online safety, many people do not realize that the two are not the same.
Protecting yourself online requires a heightened awareness of what you’re sharing and how that information can be used. Typically, online security involves the technical aspects of protecting your personal or corporate data, such as two-factor authentication, disabling plug-ins, keeping software up-to-date, and being skeptical of email attachments and links from unknown/unsolicited sources. On the other hand, online privacy requires making a conscious effort to minimize the information you share. This could include making your social networking profiles private, being mindful of the information you provide on any online site, and disabling your GPS coordinates on apps and photos, for example.
The use of social media is a perfect example of how the security/privacy paradigm is often misunderstood. You may have enabled two-factor authentication for your social media accounts to help prevent unauthorized access, but what information are you, yourself, putting out there that could be giving away too much? Answers to security questions that banks or other online sites may require to confirm your identity are often the same as information you have publicly shared. This makes it easy for cyber criminals to gain access to accounts or impersonate people on or offline for nefarious purposes.
Cross-post, or cross-promotional, sharing – when you link or reference one social networking account within another (e.g., sharing an Instagram picture on Twitter or Facebook) – has become a common, though often overlooked, problem. Cybercriminals have access to vast amounts of open source data that can be used to launch sophisticated impersonation or social engineering attacks. When you combine what you share on sites such as Facebook, Twitter, Instagram, Yik Yak, Reddit, and others, cybercriminals have a clearer picture of how to target or impersonate you specifically. Also, keep in mind that bad actors can learn a lot about you from your friends’ and family members’ profiles. Comments and shared links can indicate interests that may help cybercriminals crack your passwords or security questions.
Here are some common scenarios where privacy should be taken into account with security:
- Demographic Information: People are quick to list where they grew up, where they currently live, where they work, etc. on their online profiles. However, cybercriminals often look for this type of data when targeting victims. For example, third-party vendors will often ask for demographic information to verify your identity, and if you have provided all of this information via a social media platform, it could be easy for a threat actor to impersonate you.
- Application Accessibility: When downloading an app, most people don’t pay attention to the information they’re allowing the app to access on their devices. Why does a gaming app need as much information as (or more than) a banking app? Does it really need access to your photos and contact list? If the gaming app company were hacked, the threat actors would have full access to all of this information.
- Bring Your Own Device (BYOD) Environment: The majority of employees will connect their work email to their personal devices. However, if your phone gets breached, then proprietary corporate data, login credentials, personally identifiable information (PII)/PHI, sensitive client information, and much more can be compromised.
- Password Re-use: Most people use similar, or the same, passwords for almost every account. Make your password harder to breach by using password padding. There are also many tools available to help you develop stronger passwords, from password ciphers to mnemonics.
Following all of the recommended security procedures doesn’t necessarily mean you are immune to an attack, so taking extra precautions and being mindful of what you should and shouldn’t share online can increase your safety significantly.