The Accidental Privacy Breach

By Darren Hamburger

In my last article, we saw how businesses commonly use customer data for secondary purposes without consent. The aim of this article is to examine some of the common errors professionals make that result in an accidental privacy breach.

With the advent of flexible workplaces that permit work from home, it's likely businesses have not considered how working between locations may result in privacy breaches. In my opinion, information that walks out the office door is liable to be lost, because the office no longer has control of the data. Once the information is out the door and you lose it, it's gone, rarely to be seen again. So I'll start this article with removable media.

Removable Media

Removable media accounts for a large proportion of accidental data breaches. For clarity's sake, removable media here means USB sticks/thumb drives, SD cards, portable hard drives, mobile phones, tablets, laptops, CDs, DVDs, MP3 players and the like. The biggest problem with removable media is that the owner may forget it and accidentally leave it in a public place such as a train or bus. Removable media stores ever more data in an ever smaller physical footprint, which unfortunately makes it extremely easy to misplace or drop en route to another location without even being aware the device is missing. Theft of removable media is also easier than ever, precisely because it is small and portable.

I'll go out on a limb here and say I would be surprised if many people actually encrypt the data held on removable media. I say this because I do not know a single person, professionally or personally, who knows anything about encryption, never mind actually using it. Without encryption, the files are exposed with a simple click of the mouse. Every mainstream platform now ships a built-in tool for encrypting a removable drive (BitLocker To Go on Windows, encrypted disk images or FileVault on macOS, LUKS via cryptsetup on Linux), so the missing ingredient is usually awareness rather than software. Just imagine how many personal files are floating around outside offices on a single day.

Taking hard copy files out of the office

Removing hard copy files from the office is still a privacy breach risk to consider, especially if you are distracted and accidentally leave the files somewhere. The best policy an office can have is not to permit client files to leave the office at all, or at least to provide a lockable bag for the important documents.

Securely Disposing Client Files

Disposing of old client files and other hard copy documents securely is a must. The professional has several options: first, a company that specialises in secure document destruction; second, a cross-cut paper shredder, which cuts both lengthwise and crosswise into small confetti-sized pieces (strip-cut shredders leave strips that can be reassembled).

Failure to securely erase data from IT equipment at the time of disposal.

I will keep this brief as I have already discussed this point in another article, "The real reason privacy is important". An easy mistake is forgetting to securely erase the data on any IT device that is to be resold, thrown away or recycled. Just deleting the files does not prevent the data being recovered, and a quick format is little better, because both only remove the filesystem's references to the data and leave the blocks themselves intact. At a minimum, overwrite the whole drive or use the drive's built-in secure erase before you discard it. For flash media such as USB sticks, SD cards and SSDs, overwriting cannot be relied on to reach every cell because of wear levelling, so the dependable options are to have used encryption from the start (destroying the key then makes the data unreadable) or to physically destroy the device.
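As an added illustration of the point above (this is example code written for this edit, not a tool from the original article), the function below overwrites a file's bytes in place before unlinking it, and a small demonstration writes a constructed "client record", wipes it and reports what a reader of the raw bytes would have seen at each stage. The file name and the record contents are made up for the example.

```python
"""Overwrite a file's bytes in place before deleting it.

Added example, not code from the original article. os.remove() (like the
Recycle Bin or a quick format) only drops the directory entry, so the data
blocks stay on the disk until something happens to reuse them. Overwriting
the bytes first actually replaces them.
"""
import os
import secrets
import tempfile

CHUNK = 1 << 20  # overwrite 1 MiB at a time so large files don't fill memory


def _fill(fh, size, make_chunk):
    """Write `size` bytes produced by make_chunk(n) from the start of the file."""
    fh.seek(0)
    remaining = size
    while remaining > 0:
        n = min(remaining, CHUNK)
        fh.write(make_chunk(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())  # push the write through the OS cache to the device


def overwrite_file(path, passes=2, remove=True):
    """Overwrite `path` with random data `passes` times, then with zeros, then
    unlink it (unless remove=False, which is handy for inspecting the result).
    Returns the number of bytes overwritten per pass.

    Caveat that no user-space code can fix: on USB sticks, SD cards and SSDs
    the controller's wear levelling may send the new bytes to a different
    physical cell and leave the old cell readable, and copy-on-write or
    journaling filesystems can do the same. For flash media rely on a
    whole-device secure erase, or better, on encryption from day one.
    """
    size = os.path.getsize(path)
    # "r+b" opens for in-place writing without truncating, so on a conventional
    # filesystem the same blocks are rewritten rather than new ones allocated.
    with open(path, "r+b") as fh:
        for _ in range(passes):
            _fill(fh, size, secrets.token_bytes)
        _fill(fh, size, lambda n: b"\x00" * n)  # final pass: zeros
    if remove:
        os.remove(path)
    return size


def demonstrate(directory=None):
    """Write a constructed 'client record', wipe it without unlinking, inspect
    the bytes, then unlink. Returns what was observed at each stage."""
    if directory is None:
        with tempfile.TemporaryDirectory() as tmp:
            return demonstrate(tmp)
    path = os.path.join(directory, "client_record.txt")  # constructed name
    marker = b"CLIENT RECORD: Jane Citizen, DOB 01/01/1980\n" * 2000  # constructed
    with open(path, "wb") as fh:
        fh.write(marker)
    with open(path, "rb") as fh:
        marker_before = b"Jane Citizen" in fh.read()
    size = overwrite_file(path, passes=1, remove=False)
    with open(path, "rb") as fh:
        data = fh.read()
    result = {
        "bytes": size,
        "marker_before": marker_before,          # True: the record is on disk
        "marker_after": b"Jane Citizen" in data,  # False: overwritten
        "all_zero": data == b"\x00" * len(marker),
    }
    os.remove(path)
    result["exists_after"] = os.path.exists(path)
    return result


if __name__ == "__main__":
    print(demonstrate())
```

On a conventional hard drive the same job is done by `shred -u FILE` (GNU coreutils) for single files, and for a whole drive by the ATA secure-erase command (`hdparm --security-erase`) or, on Windows, by a full (not quick) format followed by `cipher /w:` on the volume. For flash media prefer the device's own secure erase (`blkdiscard` on Linux issues the discard to the whole device) or destroy it.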

Electronic signature devices.

Any device that stores clients' signatures (signature pads, tablets used for sign-in) must also be securely erased when it is retired, in the same way as a hard drive.

Mobile Phones

If you're not already aware, attackers love mobile phones because of the wealth of easily exploited information stored on them: personal documents, calendar appointments, phone numbers, addresses, not to mention all the text messages, all sitting in a small device ready for the taking. These days it is very common to see unsecured smartphones in use on the street. The risks associated with mobile phones generally relate to Wi-Fi and Bluetooth exploitation, misplaced phones, stolen phones, failure to set a passcode, and the all too common habit of installing apps from untrusted sources that turn out to be malware in disguise.

The risk of employees keeping client information on their phones should be of great concern with respect to privacy. Another issue with mobile phones is that they travel to a vast array of locations: the office, a friend's house, holidays, parties, public transport, shopping centres, the movies. I'm sure you get the picture; the point is that client data stored on a mobile phone is taken on a glorified road trip, which greatly increases the chance of a privacy breach compared with leaving the information in the office. If a file is just left in the office, the main concern is break-and-enter or theft of files from the office itself. Using mobile phones or other removable media to store client data significantly increases the risk that sensitive information is accessed, especially if the data on them is not encrypted. Trading security for convenience is something professionals in particular must seriously rethink.

Hands Free Phone Calls

I won't deny it, hands-free calling is extremely convenient. In Australia it is also required by law when talking on the phone while driving. Using a phone in the car can create two issues that may result in accidentally breaching privacy. First, I have frequently heard people talking in their cars with the window open, or with the volume turned up so high that the conversation is easier to hear outside the car than in it, because the speaker sound carries. Second, while I won't discuss how to attack Bluetooth, Bluetooth is not as secure as people assume; older pairing modes in particular can be intercepted. Needless to say, if you are in public it's usually better just to pick the phone up and talk normally. If you are driving, don't discuss sensitive details and be mindful of what you say, because you would be surprised what people do with information, especially with the advent of social media.

Using hot spots that are not owned by yourself

While tempting, using any Wi-Fi hotspot that you do not own runs the risk of a privacy breach. A common attack is the "evil twin": a third party sets up their own access point broadcasting the same network name you would expect to see (McDonald's, a shopping centre, an airport) so that your device connects to it and all of your traffic passes through the attacker's hands. If you have sensitive information on your device, the smartest rule of thumb is not to use unknown Wi-Fi hotspots at all. If you really must, use a VPN, make sure any site you log in to is using HTTPS, and tell the device to forget the network afterwards so it does not silently reconnect to a look-alike later.

Hardware & Software end of life (EOL)

There is an old saying that a safe computer is one unplugged from the wall; I would add that the safest computer is the one with an axe through it. Keeping this in mind, with the trend towards the Internet of Things (IoT), data breaches via hacking and other system exploits will continue to be a hot topic for quite some time.

Planned obsolescence is a typical business objective and is relevant to this article because both software and hardware have a limited design life, after which the end of life (EOL) support plug is pulled. It is therefore imperative that all IT equipment has the latest security patches and that old, unsupported hardware or software is replaced. The downside of using software and hardware past the supported stage is that newly found vulnerabilities are never fixed, which makes intrusion into the network easier. This is not to say newer products don't come with vulnerabilities, but at least theirs will be addressed. As time moves on from the EOL date, the product's vulnerabilities become more widely known and, with that, a greater number of intrusions are likely. In the case of Microsoft operating systems, the life cycle phases are typically development, release, mainstream support, extended support and end of support. Windows XP is a classic example: it is still widely used today even though support ended on 8 April 2014. At the time of writing that means XP has gone three years without security updates, which is asking for trouble if the computer ever connects to the internet. Microsoft itself published a warning on the potential risks of staying with Windows XP, and a Huffington Post article made consumers aware of a zero-day exploit in Internet Explorer on Windows XP after XP's EOL. I could cite a whole bunch of articles on the issue of XP computers still connected to the internet; suffice to say, if your system is still running XP you are not doing yourself, your business and especially your clients any favours.
It really doesn't take much to breach a flawed internet-connected computer, and in many cases the user would not even be aware they have been hacked, or what personal information has been siphoned from the machine. The attacker may well continue to siphon information, because once a person has access to a computer they will often keep coming back to it looking for new information they can use. Ironically, as I am proofreading this document to publish it tomorrow, today 13/05/2017 a worldwide cyber attack has occurred, with XP the most vulnerable, though all Windows operating systems can be affected.

In this section I have talked about software so far, so I'll briefly talk about hardware, because similar EOL issues arise. The example I'll give is a hardware firewall. While the firewall may still work well, the manufacturer will generally set a date to cease support at some stage, partly in order to up-sell newer models. I think a common error with old hardware is that because it is a physical appliance, people don't recognise that it is the software inside, not the hardware itself, that is usually vulnerable. Like all products with microprocessors, it runs code, and that code is where the vulnerabilities and back doors live. As an example of hardware firewall vulnerabilities, there was an article written by Tim Green in 2015 regarding the Juniper firewall vulnerability that had existed. My point in highlighting this is not to say that this model of firewall is bad; it is to highlight that once a hardware product has reached EOL, vulnerabilities are not likely to be fixed. If you think about it, it makes perfect sense: why would a company fix an old product when it can use the issue to up-sell a newer model and keep the business afloat?

I suspect the reasons people hang on to old software and hardware vary, but to give a little insight they may be: expense, not liking the updated software or hardware, not being aware of new products, or time constraints around updating. With regard to old security hardware I will say this: using an EOL product is still better than using no product at all, because at least the attacker needs to know about specific vulnerabilities in the EOL product, whereas with nothing defending your network you are totally naked to privacy breaches and other forms of attack. Keep in mind, though, that your days are always numbered if you have not updated, as today's worldwide cyber attack shows.

Public Transport

Ever sat on a train bored and found yourself sitting next to a person doing work on a laptop? I have, and I've been astounded at the information I've seen on people's laptop screens. The last time I was on a train I sat next to a person who used their mobile phone to log into their bank, and I was able to watch their login and password being entered, not to mention their bank balance while they paid an invoice. I just couldn't believe how ignorant this person was of the care such sensitive information needs. I have nicknamed this type of behaviour 'nose picking syndrome' :) people do all sorts of things in the car forgetting that eyes are everywhere watching. Even though working out of the office does sound very appealing, and I'm sure it is better for workers' mental health, the reality is that privacy breaches of one kind or another will just continue to increase through lack of care in guarding information from prying eyes.

Another rampant trend is people talking business on their mobile phones on public transport and in other public areas. Many people forget that when talking on the phone a person tends to raise their voice a couple of notches, especially when there is more background noise. Ultimately we need to be very mindful when talking on mobile phones in public, especially of the content we discuss. It's best not to talk business on the phone in public places; if you do need to, be cognisant of not repeating names, phone numbers or other traceable information. Additionally, if you must use a device for work on public transport, ensure Wi-Fi and Bluetooth are off when not in use, and try to sit alone, without others next to you, if you are entering information into a laptop, tablet or phone. As a general rule of thumb, if someone is sitting next to you, it's time to stop working. At the end of the day, remember there is no life and death situation that requires you to work every single second of a 24-hour cycle.

My last point in this subsection is to be mindful that there are recording devices everywhere in public areas, especially on public transport. Cameras are located in hallways, stations and shopping centres, and not to forget that other people's mobile phones are recording devices these days. It would not be difficult for a rogue employee, such as shopping centre staff, to go through camera footage watching for people keying logins and passwords into their devices.

Web Browser Safety

It doesn't really matter which web browser you use. The reality is that web browsers, just like operating systems, frequently have security vulnerabilities and need to be kept up to date with the latest security patches. A second point of interest is the security of the connection to the web pages you visit. This is shown by a padlock icon, usually to the left of the address bar (in the case of SeaMonkey, at the lower right of the window). A locked padlock, shown green in some browsers, means the browser has made an encrypted HTTPS connection (TLS, formerly called SSL) to the site and has verified that the server holds a certificate for that domain name issued by an authority the browser trusts. Two things the padlock does not tell you: that the site is run by who you think it is (an attacker can obtain a perfectly valid certificate for a look-alike domain), or that the page itself is safe. It only vouches for the connection between your computer and that domain, so always check the domain name next to the padlock as well. A plain HTTP address (no padlock, and in newer browsers a "Not secure" label) is unencrypted, so anything you type can be read and altered by anyone on the path, including the operator of a public Wi-Fi hotspot. You can also click on the padlock to open a panel showing who the certificate was issued to and by whom. A secure connection is dependent on the website offering one in the first place. Typical HTTPS sites are banking, insurance, government, and pretty much anything that requires you to input personal or financial information that must be protected. If a site you know to be secure suddenly appears without the padlock, or the browser shows a certificate warning, do not continue and do not click through the warning; that is exactly what an interception attack looks like. Close the browser, check that you typed the address correctly (or use your bookmark), and try again from a network you trust. If the page still does not show a padlock, it's possible the organisation has not set the page up correctly, in which case do not enter any sensitive information there.

E-Mails:

Avoid storing large address lists in the email program where you can, as malware that compromises a mailbox commonly harvests the address book to spread itself and to impersonate you. Second, remember that email is not encrypted by default: the default settings of most email programs do not encrypt the message or its attachments unless you have set up end-to-end encryption (S/MIME or OpenPGP) or you encrypt each file yourself before sending it. The amount of unencrypted email being sent is absolutely frightening. If you can open the message and its attachments without any key or passphrase of your own, they were not encrypted end to end; at best they were protected in transit between mail servers (TLS), which the sender cannot check for every hop and which does nothing once the message is sitting in a mailbox. This means anyone who can get at the mail servers or mailboxes along the way, or intercept an unencrypted hop, can read the incoming and outgoing email with ease. Note that a password-protected attachment is only as strong as the password and the way you share it: send the password by a different channel (a phone call or text message), never in the same email.

Remember the saying 'curiosity killed the cat'? This is very relevant to receiving emails. If you receive an email from an unknown person, or the sender has an odd-looking email address, it is best not to open it, as it could contain a virus or some other form of malware. No matter how enticing the subject line is, don't buy into it, don't open it. Check the actual sender address, not just the display name, and hover over any link to see where it really goes before you consider clicking. If you do open the email and the information is NOT relevant to you, never click on any links within it, nor open files from that sender, as this could infect your computer with a virus or, in the case of website links, grant access to your computer depending on the type of malware behind the link. My motto with email is 'if I haven't asked for it and I don't recognise the sender, I don't open it', and if for some reason the email is open and it contains links or files and I don't know the sender, I don't click. Instead delete the email ASAP. Follow these basic rules and you will go a long way to preventing a cyber intrusion.

Third Party Applications

Over the years I have noticed different professionals using external email accounts such as Yahoo Mail or Gmail. However, I have always viewed any third-party hosted service as unsuitable for professional use, no matter what claims are made about its security. Simply put, anything that is easy for you to reach from anywhere is also reachable by anyone who gets hold of your credentials, and then all the information in the account is theirs. There is no shortage of reported examples. I have also noticed professionals using external cloud-based programs for organising, such as calendaring systems. Personally, I think this is a very dangerous example of how people can be ignorant of the dangers of cloud-based programs. Imagine a psychologist using a cloud-based program such as Google Calendar and the account was breached: your personal information such as the time of your appointment, your full name and possibly your contact number could be accessed. How would you feel as a client, knowing this breach could have been avoided by the psychologist not using cloud-based systems? My point is that if you are a professional who seriously values the privacy of your clients, you must never use a cloud-based program to store your clients' information or any other identifying information for that matter. Don't be blinded into assuming these cloud services come with a warranty; often the terms of use absolve the provider of responsibility one way or another. However, if the clients' names were replaced with a reference number and the contact number omitted, this would greatly mitigate the privacy risk and would at least be a more acceptable way to use such a service.

In my opinion, if a professional gives a client an external third-party email address for professional communication, it only highlights that the professional is acting on the cheap, not taking privacy seriously and ignorant of the vulnerabilities external services carry. For example, most cloud-based programs are served from large data centres, and these data centres are likely to replicate account data to other servers or other data centres for redundancy. If I lost you, what this means is that your data is likely to be saved in more than one location, and if you are saving client documents and other files via those third-party email accounts, there are likely to be multiple copies of that data somewhere else. Not to mention what on earth happens to the data in the event of a company takeover.

The third party's terms and conditions are also commonly overlooked. If we examine the Google or Yahoo terms and conditions there are several important things to consider. First, they say you should review the terms regularly for changes that may apply. This is all well and good as a legal document. However, I ask you honestly, have you even read the terms in full before signing up to the service in the first place? I doubt it, because it's well known that many people don't fully read terms and conditions, if at all. Second, how many times have you actually come back to check whether the terms of use had changed? Again, not likely. So the point is this: the external service could change its terms of use at any time and you wouldn't know unless you check frequently. While I am not knowledgeable about Facebook, in the past I have listened to many people complain that policy changes had inadvertently changed their privacy settings. If you do not frequently look for changes in terms and conditions, you may fall victim to such policy changes.

So let's get this straight: Google or Yahoo do not warrant against faults or other issues that may cause loss, damage or loss of income; they will comply with the law if approached, which could mean information is released from your account before you have any chance to object to its disclosure in a court proceeding; the terms can change at any time; and you are expected to review them regularly. And this is not sufficient risk for a professional who must maintain client privacy? At least if you are using your own services you cut out the middleman, so that it's just you and your internet service provider. With your own service provider you can configure an independent email program (for example POP3 with "delete from server" after download) to remove the messages from the ISP's server once they have been downloaded to your local computer, giving you greater control and, in the event of a court subpoena, the chance to object to disclosing the information.

Passwords

Remembering passwords is a hassle, I understand, however there are a few things you do need to know. First, the obvious: don't use passwords that contain your name, date of birth or any other personal information, and change a password promptly if there is any sign it has been exposed (periodic changes for their own sake mostly produce weaker, predictable variations). Second, make your passwords at least 12 characters long, with upper and lower case letters, numbers and some symbols (e.g. shift + 5 = %); a long passphrase of several unrelated words is both easier to remember and harder to guess than a short jumble. Third, don't write passwords down or keep them in a plain text file or spreadsheet; if you need help remembering them, use a dedicated password manager protected by one strong master password, with two-factor authentication wherever a service offers it. Fourth, never use the same password for more than one service, so that one breached site does not hand an attacker all of your accounts. And finally, never let the email and browser programs remember your passwords, because viruses, trojans, malicious scripts and all other types of malware that get onto the computer can read those stored credentials.
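The rules above can be checked mechanically. The following is an added example written for this edit, not code from the original article: it applies the article's rules (12+ characters, mixed case, digits, symbols, nothing personal, no reuse) to a candidate password and also gives a rough entropy estimate. The list of commonly used passwords is a small constructed sample; a real check would consult a breach corpus of hundreds of millions of entries (for example the Have I Been Pwned range API), which is deliberately not called here so the example runs offline.

```python
"""Check a candidate password against the rules in the section above.

Added example, not from the original article. COMMON_PASSWORDS is a
constructed sample standing in for a full breach list.
"""
import math
import re
import string

# Constructed sample; assume a real deployment loads a full breach corpus.
COMMON_PASSWORDS = {
    "password", "password1", "p@ssw0rd", "123456789012",
    "qwertyuiop12", "letmein2017", "welcome123!!",
}


def _fragments(term):
    """Pieces of a personal detail worth searching for inside a password:
    whole words of 3+ letters, and every 4-digit window of any number, so
    that a date of birth like 03/07/1984 catches '1984'."""
    frags = set(re.findall(r"[a-z]{3,}", term.lower()))
    for digits in re.findall(r"\d{4,}", term):
        frags.update(digits[i:i + 4] for i in range(len(digits) - 3))
    return frags


def check_password(pw, personal_terms=(), previously_used=()):
    """Return a list of findings; an empty list means the password passes."""
    findings = []
    if len(pw) < 12:
        findings.append("shorter than 12 characters")
    if not any(c.islower() for c in pw):
        findings.append("no lower-case letters")
    if not any(c.isupper() for c in pw):
        findings.append("no upper-case letters")
    if not any(c.isdigit() for c in pw):
        findings.append("no digits")
    if not any(c in string.punctuation for c in pw):
        findings.append("no symbols")
    # Compare against personal details with separators stripped, so that
    # "Darren-1984" still matches a name and a year of birth.
    flat = re.sub(r"[^a-z0-9]", "", pw.lower())
    for term in personal_terms:
        if any(frag in flat for frag in _fragments(term)):
            findings.append(f"contains personal information from {term!r}")
    if pw.lower() in COMMON_PASSWORDS:
        findings.append("appears in a list of commonly used passwords")
    if pw in previously_used:
        findings.append("reused from another account")
    return findings


def estimate_entropy_bits(pw):
    """log2 of the search space an attacker who knows which character classes
    were used would have to cover. Real crackers also try dictionary words
    and patterns first, so treat this as an upper bound, not a guarantee."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    if " " in pw:
        pool += 1
    return len(pw) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    personal = ("Darren Hamburger", "03/07/1984")  # constructed details
    for candidate in ("Tr0ub4dor&3", "Darren-1984-Rocks!", "Wq7#rT9$kLm2pZ"):
        print(candidate, check_password(candidate, personal),
              round(estimate_entropy_bits(candidate), 1), "bits")
```

The personal-information check is deliberately generous (any 4-digit window of a phone number or date), because a false positive only costs the user a moment while a miss gives an attacker a head start.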

File Request Tree (FRT)

Over the years I have received many inaccurate requests for client information, from professionals and organisations who should just know better. Under this sub-heading you are most probably thinking, what is FRT? FRT is a computer program concept I recently developed because I wanted to offer something to help protect clients' privacy from inappropriate information release by ensuring file requests are lawful. In doing so, the program not only protects the client from having information released inappropriately, it simultaneously protects the professional from releasing client information when it may not have been required in the first place.

The program at this stage doesn't have a flashy GUI and is experimental, but hey, at least it works quite well on the command line. The concept is a guided question-and-answer session at a command prompt that saves your response to each question into a text file and suggests any relevant actions when the program concludes. The program is currently divided into the four types of file request a psychologist typically receives: court subpoena, lawyer request, client request and government department request. While I designed the program with a focus on psychologists, interns, social workers and counsellors, the reality is that just about anyone who receives a file request could use it. The program uses information from NSW state and/or Australian federal law where possible.

Accessing client information at multiple locations

On some occasions professionals or other employees may work in more than one location. It is usually convenient to use cloud-based programs that let us access information wherever we are. However, as with most things IT related, convenience comes with a degree of loss of control, and therefore a greater risk of a privacy breach, as I mentioned under the 'Third Party Applications' heading. In this case, while the same online risks apply, I will mention an additional risk that is easily overlooked: using one organisation's equipment or services to access data belonging to another organisation can in itself cause a privacy breach.

For example, if you print a report or scan documents in workplace 1 and the documents belong to workplace 2, that data may be saved in workplace 1 without your knowledge: emails get backed up, many fax machines and multifunction printers contain hard drives that store pages as they are scanned, and documents saved on a desktop PC may be backed up by the organisation's server. The only sure way to guard against cross-contaminating the two organisations' data is to only access and undertake the work relevant to the office you are currently in. Another way to mitigate the issue is to use your own laptop, so that any emails and documents you download and read stay on that device.

In my office I always opted to maintain my own services in house and never opted for third-party cloud-based software, especially the free email and calendaring systems. I installed both software and hardware firewalls, as well as fully updated anti-virus/anti-malware and legitimate operating system software. While in-house services cost a lot more, the reality is that I am in business and it is essential to offer the best possible security measures to protect client data. How does your professional protect your data?

Failure to remove computer access rights from employees leaving the organisation.

Always remove all access rights (network accounts, logins, email, VPN and remote desktop access, shared passwords, and physical keys or access cards) from employees once their employment ceases. This prevents people who are no longer employed from accessing the service from outside. If your office does not already have such a policy, it is wise to implement one, ideally as a checklist that is run on the employee's last day, with any shared passwords they knew being changed at the same time. In case you think I am going too far, there are well-documented cases of former employees accessing their old employer's network after their employment had ceased.

Failure to change default password settings for Bluetooth, Wi-Fi, routers, firewalls etc

You would be surprised how many people never change the admin/default password on their routers and firewalls. The people who leave the defaults are generally not tech savvy and are unaware that changing the password needs to happen. Failure to change default logins and passwords is surely going to end in tears. Suffice to say, assume that any attacker can find the default login and password for your router, firewall or the like with a quick Google search for the hardware manual. While you are in the admin page, also turn off remote (internet-side) administration unless you genuinely need it, change the Wi-Fi passphrase from the one printed on the box, and apply the latest firmware.

Closed Networks

Given that hacking, zero-days and back doors in software appear on a regular basis, the reality is that any computer connected to the internet is always vulnerable to a security breach that could expose massive amounts of data. One concept to consider is a separate network for sensitive information that is not connected to the internet at all (an "air gap"). ASIO and other government agencies would have this type of tiered approach to information of differing sensitivity, so that the extremely sensitive information is not sitting on an everyday server with 24-hour internet access. And if they don't, well, I want my taxpayer's money back :) Bear in mind that an air gap is only as good as the discipline around it: the moment a USB stick is carried between the two networks, the gap has been bridged.

Failure to apply IP/MAC filtering in your computer network.

This next topic is a little technical and may go over some people's heads, but leaving it out would rob you of a chance to gain further protection. IP/MAC address filtering restricts which network-capable devices can or can't connect to a network. The Media Access Control address (MAC address) is a hardware identifier assigned to each network interface on a device (Wi-Fi adapter, Bluetooth radio, Ethernet port), so every networked device, from computers, phones and VoIP phones to faxes, printers, scanners, firewalls and routers, carries at least one, written as six pairs of hexadecimal digits. The IP address, on the other hand, is a numerical address assigned to the device on the network (by hand or by the router's DHCP server) and is what determines where the data is routed. There are several ways to find your computer's IP and MAC addresses: in Windows, open a command prompt and type 'ipconfig /all' (the MAC appears as "Physical Address"); in Linux, type 'ip addr' (or 'ifconfig' on older systems); on a Mac, type 'ifconfig' in Terminal.

An IP address may look something like 192.168.1.1 (IPv4) or fe80::1c4d:2a3b:9f12:77e0 (IPv6).

While a MAC address looks something like 00:11:22:33:44:55 (Windows shows it with hyphens, 00-11-22-33-44-55).

So by knowing these two attributes we can tell where traffic is going and which device is sending or receiving it. More importantly, with a MAC address I can tell my firewall or router which devices may join my network. Simply put, if there are five people in my waiting room with laptops but I only want two of them to access my network, I enter those two laptops' MAC addresses in the firewall's MAC filter and it automatically admits them; when the other three try to connect, the MAC filter automatically blocks the attempt. Two caveats belong here. A MAC address is not a secret: it is sent in the clear in every Wi-Fi frame, even on an encrypted network, so the person sitting next to you can read it with a free sniffer. And it is trivial to change in software, so anyone who has seen an allowed address can clone it and walk straight through the filter (an IP address is even easier to change). Treat MAC filtering as housekeeping that keeps honest devices off your network, not as a security control, and rely on WPA2 or WPA3 with a strong passphrase, a separate guest network for visitors, and a firewall that only exposes what must be exposed.
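To make the filter and its weakness concrete, here is an added example written for this edit (not code from the original article, and not any firewall's own logic). It normalises MAC addresses from the three common spellings, applies an allow-list the way a firewall's MAC filter does, and then shows the attacker in the waiting room being admitted after cloning an allowed address. The allow-list, the attacker's addresses and the waiting room scenario are constructed for illustration.

```python
"""Normalise MAC addresses, apply an allow-list as a MAC filter does, and
show why that filter is a weak control.

Added example, not from the original article. All addresses are constructed.
"""
import re
import uuid

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def _hex_digits(text):
    """Strip the separators used by the common spellings (00:11:22:33:44:55,
    00-11-22-33-44-55, 0011.2233.4455) and lower-case what is left."""
    return re.sub(r"[:\-.]", "", text.strip().lower())


def is_mac(text):
    """True if `text` is a MAC address in any of the accepted spellings."""
    return bool(_HEX12.match(_hex_digits(text)))


def normalise_mac(text):
    """Return the canonical lower-case colon form, e.g. '00:11:22:33:44:55'.
    Raises ValueError on anything that is not twelve hex digits, such as an
    IPv4 or IPv6 address mistaken for a MAC."""
    digits = _hex_digits(text)
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def local_mac():
    """This host's primary MAC, the value ipconfig /all or ip addr would show."""
    return normalise_mac(f"{uuid.getnode():012x}")


def mac_filter(allowed, seen):
    """For each address seen on the network, decide whether the filter admits
    it. Returns {canonical_mac: True/False}."""
    allow = {normalise_mac(m) for m in allowed}
    return {normalise_mac(m): normalise_mac(m) in allow for m in seen}


def spoof_demo():
    """Two patients' laptops are on the allow-list. A third laptop is blocked,
    until its owner reads an allowed MAC off the air (Wi-Fi frames carry the
    source and destination MACs in clear text even on a WPA2 network) and
    assigns it to their own card, for example on Linux with
    'ip link set dev wlan0 address 00:11:22:33:44:55'. Returns the filter's
    decision for the attacker before and after cloning."""
    allowed = ["00:11:22:33:44:55", "00-11-22-AA-BB-CC"]  # constructed
    attacker_real = "02:de:ad:be:ef:01"                   # constructed
    before = mac_filter(allowed, [attacker_real])[attacker_real]
    attacker_cloned = allowed[0]  # the address just sniffed from the air
    after = mac_filter(allowed, [attacker_cloned])[normalise_mac(attacker_cloned)]
    return before, after


if __name__ == "__main__":
    print("this host:", local_mac())
    print("attacker admitted before/after cloning:", spoof_demo())
```

The normalisation step matters in practice: the same address copied from a Windows machine (hyphens) and a Linux machine (colons) must compare equal, or the filter silently blocks a device you meant to allow.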

As a professional what steps can I take to prevent a privacy breach?

While not exhaustive, below are some of the things that will help you avoid an accidental breach of client information. Some of these items apply equally to an office environment and to working on the move.

On the move:

In the office:

Final Thoughts

So the message of the day is this: if you are in business or a sole professional handling sensitive and private information, you should never go on the cheap by using freebie services or neglecting to update software and hardware. My recommendation to any client of a professional service reading this article is that if the professional you are seeing uses a free email service for work, old operating systems, or leaves removable media around the office, this suggests they are going on the cheap or are unaware of the security risks. Why not have a word with that professional and make them aware of the risks to your privacy? After all, it is your privacy at risk. Do you really want to go with a cheap professional? I wouldn't. Likewise, I believe all professionals running services should have a certain degree of understanding of the technology they use and its vulnerabilities, or at the very least have a service provider attend to their systems to ensure the best possible security to prevent data theft.

It is inexcusable for a professional dealing with private information to plead absolute ignorance of how their use of technology resulted in a privacy breach. As professionals we are trusted to keep information safe, in addition to upholding the Privacy Act. Pleading ignorance should not excuse a data breach if that professional has not even attempted to secure the technology they use. Examples would be leaving an unencrypted USB stick at a restaurant, losing a mobile phone with client data on it, or typing up client reports on an internet-connected computer with no anti-virus or anti-malware protection. There used to be a saying that if you don't have anything nice to say, don't say anything at all. I would suggest the same goes for technology: if you don't understand the new-fangled applications and how the technologies you use can pose a risk, then quite frankly you should either get a professional to set up your network and educate yourself about the technology, or not use that technology.

Security experts generally say it's not a matter of if you will get hacked but when. While I agree with this statement, there is a massive chasm between being hacked after trying everything possible to prevent it and being hacked with no or minimal preventatives in place, especially if you are dancing around in public using technology in a way that lets others observe what you are doing. Legally speaking, one word that appears so often in legal documents is "reasonable". Please ask yourself: have you made a reasonable effort to protect your clients' data, or have you been blasé, acted on the cheap and carried on in a carefree manner?

Until next time...

Darren Hamburger


Page last updated: 15/05/2017


Copyright © 2017 Darren Hamburger. All rights reserved.