28 January is Data Protection Day (or Data Privacy Day in the US) and is observed in almost fifty countries world-wide. Data Protection Day was established in 2007 as an annual occasion to raise awareness of data protection best practices and the importance of protecting data: consumer data, health care data, proprietary data, personally identifiable data, essentially all data that is not explicitly intended to be in the public domain.
With so many data breaches occurring around the world, and the bad data protection practices that are at least partially involved in these and other breaches, taking a day now to raise awareness is a great idea. Since data protection is everyone’s responsibility, we wanted to share a list of the 32 things you should be doing right now to help protect data and keep it private. Some of these are personal, others are more things to do at the office, but all are important.
Take the opportunity this Thursday, 2016-01-28, to improve your own data privacy as well as the protections your organization takes with its data.
Here are some things you can do now to ensure that your personal data is more secure. Just because you are not a major corporation or a celebrity, don’t assume your personal data is not at risk or that you are not a target. Phishing attacks can use everything they find about you online to target you and may leverage data stolen in corporate breaches to seem even more legitimate when placing you in their sights.
1. Change your passwords
Seriously, you know you haven’t changed your email password since 2008. Go change it, and every other password on any site you use now, and make sure you use a unique and complex password on every service you use.
2. Enable two-factor authentication everywhere you can
Better still, for any site that supports it, enable two-factor authentication.
3. Review the privacy policies of the websites and applications you use
And actually read them rather than just clicking Agree, so that you know exactly what they can do with your personal data. Some might make you wonder if the service is worth using.
4. Review your privacy settings and opt out of anything you don’t explicitly want
And some of them might at least enable you to opt out of that sharing. Review your account settings, tighten up protections and restrictions, and opt out of anything that is optional or unnecessary for how you use the service.
5. Review your social media settings and update if necessary or retire if no longer used
How many of you have an abandoned Twitter account, an unchecked email account, an orphaned Facebook account, or a forgotten MySpace page? Take a moment to go through and delete anything you are not using anymore, and redact anything you don’t want to still be online. Yes, once on the Internet it is there forever, but you can at least make it harder to find out who your high-school English teacher was, since that is a surprisingly common security question.
6. Stop sharing everything
If you want to brag about your vacation, do it after the fact. When you post about your upcoming travel plans, you are announcing to the world when you are going to be out of the office, away from home, and unreachable.
7. Update your WHOIS data and take advantage of your registrar’s services if available
It’s against the rules to post fake data with domain registrations, but you can use less revealing contact data than your home address, or take advantage of your registrar’s privacy services to represent you. It costs a couple of dollars extra, but is well worth the extra layer between you and cold callers or phishers.
8. Review your children’s/spouse’s/significant other’s/parents’ settings and help them to make their data private
All of the above should apply to your family as well. You know better than to post your upcoming travel itinerary, but do your kids?
9. Ensure your systems are fully patched and up to date
So many exploits are against vulnerabilities that could be patched. It’s really simple. Turn on automatic updates, and when prompted, apply them.
10. Ensure your systems all run fully up-to-date and current antimalware
Anyone running a computer without antimalware software is just asking for trouble, and yes, that includes Macs. There’s even antivirus software for mobile devices, which is good since there’s malware that targets them.
11. Unsubscribe from anything you don’t really want to receive
Do you spend the first five minutes of every morning deleting messages in your inbox without reading them? Take ten next time to unsubscribe from any you don’t want to receive anymore. It will reduce the junk in your inbox and the amount of tracking data the senders keep on you.
12. Ensure “do not track” is enabled in your browsers
See https://www.eff.org/deeplinks/2012/06/how-turn-do-not-track-your-browser and follow the steps to disable tracking in your browser of choice.
13. Review all data you store in the cloud
There’s a ton of data available for mining in the cloud, and some of what you are keeping there may be years old and of no real use to you anymore. Delete what you don’t really need anymore, and make doubly sure you have reset your password to protect that data. Finally, review which machines are syncing that data and with whom you have shared it, and drop what is no longer needed.
14. Enable encryption on your hard drives and portable media
Really, encryption should be on by default in everything, but it’s not, so it is up to you to encrypt your portable media, and your laptop hard drive. Just make sure that the decryption method is not a simple password taped to the case.
It’s even more important to ensure your organization is protecting the privacy of all data under its control. Proprietary data that gets out could seriously impact your competitive advantages in your market, and the loss of customer data could ruin your company or cost millions in credit monitoring and litigation. Just ask Target, whose costs related to the data breach that exposed customer data including credit card data were estimated as approaching half a billion US dollars.
15. Raise employee awareness of the importance of data protection
Your users are your last line of defense, your most vulnerable attack surface, and the most fallible part of your data protection measures. Train them, equip them, and educate them to help protect corporate data, especially customer data.
17. Enforce the use of encryption, EVERYWHERE
This is a no-brainer. Encrypt EVERYTHING. Use encryption in transit for anything that isn’t intended for public or anonymous access, encrypt all hard disks everywhere, whether in a server or a desktop or a laptop, enforce encryption on USB and other portable media, and use MDM or EAS policies to encrypt data on mobile devices.
18. Review and update filesystem ACLs, data custodian assignments, and administrative permissions
Make it a requirement to review all data ACLs, data ownership, and admin group memberships at least annually. Any permissions or group memberships that cannot be validated should be removed.
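One way to turn that annual review into a report, as an added example that is not from the original post: it walks a share, flags every explicit ACE that cannot be tied to a living, specific principal (orphaned SIDs, Everyone/Authenticated Users grants, FullControl held by non-administrators), and then lists who actually sits in the privileged groups. The share path is a placeholder; it assumes the ActiveDirectory RSAT module.

```powershell
# Added example (not from the original post): find ACEs that cannot be validated on a share,
# then dump admin group membership for the same review. $Root is a placeholder share.
param([string]$Root = '\\fileserver\Finance')

Import-Module ActiveDirectory

# Grants to these principals cannot be traced to a data owner; each one needs a documented reason.
$Broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\ANONYMOUS LOGON')

$dirs = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
$findings = foreach ($dir in $dirs) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }      # report each explicit grant once, where it is set
        $who = $ace.IdentityReference.Value     # unresolvable SIDs stay as raw S-1-5-21-... strings
        $reason = if ($who -match '^S-1-5-21-') { 'orphaned SID (deleted account or group)' }
                  elseif ($who -in $Broad)       { 'overly broad principal' }
                  elseif ($ace.AccessControlType -eq 'Allow' -and
                          "$($ace.FileSystemRights)" -match 'FullControl' -and
                          $who -notmatch 'Administrators|NT AUTHORITY\\SYSTEM') { 'FullControl outside admin groups' }
        if ($reason) {
            [pscustomobject]@{ Path = $dir.FullName; Principal = $who; Rights = $ace.FileSystemRights; Reason = $reason }
        }
    }
}
$findings | Sort-Object Path | Format-Table -AutoSize

# Same pass, other half of the item: who holds admin rights. -Recursive expands nested groups,
# which is where stale memberships usually hide.
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
    Get-ADGroupMember -Identity $g -Recursive |
      Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
}
```

Anything in the first table that no data owner can explain, and any name in the second that no manager can vouch for, is what the item says to remove.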
19. Disable unused accounts and delete unneeded ones
Run a script to disable any account that hasn’t been used in the past 30 days, and then another to delete any that haven’t in 90 days. There is no good reason to keep those around.
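The two scripts that item describes, as an added example that is not from the original post: stage one disables enabled accounts with no logon in 30 days and stamps them, stage two deletes only accounts that are already disabled and unused for 90 days. It assumes the ActiveDirectory RSAT module; the OU path and the exemption group (for service and break-glass accounts) are placeholders.

```powershell
# Added example (not from the original post): two-stage cleanup of inactive AD user accounts.
# $SearchBase and $ExemptGroup are placeholders. Run with -DryRun first; it then only reports.
param(
    [string]$SearchBase  = 'OU=Staff,DC=example,DC=local',
    [string]$ExemptGroup = 'NoAutoDisable',
    [switch]$DryRun
)
Import-Module ActiveDirectory

# LastLogonDate is derived from lastLogonTimestamp, which replicates with up to ~14 days of lag,
# so 30 and 90 days are safe thresholds; anything much tighter produces false positives.
$exempt = Get-ADGroupMember -Identity $ExemptGroup -Recursive |
          Select-Object -ExpandProperty SamAccountName

# Stage 1: enabled accounts with no logon in 30 days are disabled and stamped, never deleted.
Search-ADAccount -AccountInactive -TimeSpan 30.00:00:00 -UsersOnly -SearchBase $SearchBase |
  Where-Object { $_.Enabled -and ($_.SamAccountName -notin $exempt) } |
  ForEach-Object {
      Write-Output ("Disable {0} (last logon {1})" -f $_.SamAccountName, $_.LastLogonDate)
      Disable-ADAccount -Identity $_.DistinguishedName -WhatIf:$DryRun
      # The stamp lets stage 2 (and a human) tell auto-disabled accounts from ones a manager
      # disabled for leave or legal hold; check it before widening stage 2.
      Set-ADUser -Identity $_.DistinguishedName `
          -Description ("Auto-disabled {0:yyyy-MM-dd}: inactive 30d" -f (Get-Date)) -WhatIf:$DryRun
  }

# Stage 2: only accounts that are already disabled AND unused for 90 days are removed,
# so a still-enabled account can never skip straight to deletion.
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly -SearchBase $SearchBase |
  Where-Object { (-not $_.Enabled) -and ($_.SamAccountName -notin $exempt) } |
  ForEach-Object {
      Write-Output ("Delete {0} (last logon {1})" -f $_.SamAccountName, $_.LastLogonDate)
      Remove-ADUser -Identity $_.DistinguishedName -Confirm:$false -WhatIf:$DryRun
  }
```

Schedule it daily; the 30/90 split gives a returning employee two months in which a disabled account is still recoverable with its group memberships intact.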
20. Review and revise your WHOIS data
Take a look at all the corporate names you have registered and network ranges you control, and make sure the admin/tech contact data is accurate but that it also doesn’t give away any specific person’s details. Use a distribution list for the email contact and list the switchboard number for telephone.
21. Conduct vulnerability scans on your external networks (all of them!)
The bad guys are already doing this all the time to you (whether you realize it or not) so better if you see what they do so you can address it before they exploit it!
22. Conduct vulnerability scans on your internal networks
Estimates vary widely but one thing every security expert will agree upon is that insider threats are both common and real. Make sure your defenses are as strong internally as externally.
23. Review and update your firewall ACLs, closing anything you cannot verify needs to be open
Legacy firewall rules have been an attack vector for plenty of breaches. Review your firewall rules every month, and if you don’t know why a PERMIT is in place, remove it. Better to break something (knowing is half the battle) than to leave open a path an attacker could exploit in the future.
24. Ensure you are using a messaging hygiene system
No messages, in or out, should pass through without being screened for malware, spam, and phishing.
25. Train your users on phishing
But still, some will get through, so make sure you spend extra time teaching your users how to spot phishing messages, especially since they may be targeted as members of your organization through their personal email accounts.
26. Ensure all your systems are fully patched, up to date, and stay that way
There really is no easier way to protect systems than to keep them patched. Use patch management software to ensure 100% compliance.
27. Confirm antimalware is current, up to date, and is performing real-time and scheduled scans on every system
Any system without antimalware should be removed from the network with extreme prejudice (bolt cutters to the Ethernet cable) and the sysadmin publicly shamed. Seriously, there is NO reason good enough to justify a machine running without antivirus software on a corporate network. None.
28. Review your compliance with all applicable laws, contractual obligations, and internal policies
This may need your legal counsel’s help, but it’s important to make sure you are in compliance with all the laws and regulations that impact you. Things like local laws, state laws, and national laws are key, but so are things like PCI DSS, HIPAA, and in many cases, the laws where your customers are, even if you aren’t.
29. Review your data breach response plan, or create and practice one if you don’t have it already
You have a DR plan; now make sure you have a data breach (DB) plan too. Practice it and be sure you can execute it if anything happens. How you report any breach, how you provide protection to your employees and your customers, and how you recover are all key.
30. Talk to your insurance agent about coverage
These days, it really is more a case of when you will get hacked, rather than if you will get hacked. And a hack that includes customer data loss can be extremely expensive to recover from. Talk to your insurance company about policies to help protect you should the worst occur.
31. Review all data exposed on your corporate websites and update as appropriate
Run through every page of your public facing website and make sure you are not giving out TMI. Make sure your company directory is not exposed to the Internet, unless that is something you really want to do.
32. Review your email policies on Out of Office responses
OOF replies can be very helpful but can also give away a lot of information. Find the right balance for what your business needs, and if you don’t need your internal users telling every single person who might email them that they are on a cruise for the next two weeks, block those OOF replies sent to external senders. And if your sales team has to have those go out, make sure they know how to reduce the amount of sensitive information they reveal. Say replies will be delayed, list an alternate contact, and leave the details of where/when/why out of it. Perhaps even limit external OOF to only those senders who are in contact lists.
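The Exchange side of that item, as an added example that is not from the original post: first a report of who currently has an out-of-office reaching every external sender, then the two ways of tightening it described above, an organization-wide block on external OOF, or, if sales must keep theirs, internal-only for everyone except a sales group whose external replies go only to known contacts. Run it in the Exchange Management Shell; 'Sales' is a placeholder distribution group.

```powershell
# Added example (not from the original post): Exchange Management Shell commands for the
# OOF policy above. 'Sales' is a placeholder distribution group.

# 1. Report: whose out-of-office currently goes to *any* external sender?
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
  Get-MailboxAutoReplyConfiguration |
  Where-Object { $_.AutoReplyState -ne 'Disabled' -and $_.ExternalAudience -eq 'All' } |
  Select-Object Identity, AutoReplyState, ExternalAudience |
  Format-Table -AutoSize

# 2a. Organization-wide block: no OOF of any kind leaves for recipients under the Default
#     remote domain (every domain you have not listed separately). Partners that should still
#     receive them get their own remote domain with AllowedOOFType External.
Set-RemoteDomain -Identity Default -AllowedOOFType None

# 2b. Softer alternative if sales must keep external replies: leave AllowedOOFType alone and set
#     the audience per mailbox. Everyone is internal-only ('None'); sales members get 'Known',
#     which sends the external reply only to senders in their Contacts. Users can change this
#     back in Outlook, so it relies on the training the post calls for; 2a is the enforced option.
$sales = Get-DistributionGroupMember -Identity 'Sales' -ResultSize Unlimited |
         ForEach-Object { $_.PrimarySmtpAddress.ToString() }
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    $audience = if ($_.PrimarySmtpAddress.ToString() -in $sales) { 'Known' } else { 'None' }
    Set-MailboxAutoReplyConfiguration -Identity $_.Identity -ExternalAudience $audience
}
```

Pick 2a or 2b, not both: with the Default remote domain set to None, the per-mailbox audience no longer matters for external recipients.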
Knowing is half the battle, and now you know. Take responsibility for your personal data protection and work with your colleagues so that everyone takes responsibility for corporate data protection. The 28th may be Data Protection Day, but the importance of what it highlights is a year-round thing.