In this digital age, much of our lives are spent online in some capacity. Whether that time is spent checking e-mail, “Googling” directions or information, marketing our business, or downloading the latest app – all of our activities have a consequence. Those consequences are the focus of data security because much of your security is dependent upon you and your understanding of those consequences.
As you might imagine, the topic of data security is expansive and certainly not one that can be covered in this short article. The point here is to provide you with a short list, which you can use to define your “data security profile.”
What is meant by “data security profile” and why is it important to you? Your profile is defined by the content of information that is known or shared by you, your online presence i.e. how you use the Internet and your online activity in general, and by your personal awareness of potential threats and general security knowledge. This information permits you to identify where your risks are and knowing that, gives you the means to protect yourself from online threats.
Data Privacy v. Data Security
Your data security profile begins with understanding the difference between Data Security and Data Privacy. Data security, relates to the confidentiality, integrity and access to data. This is the technological and procedural controls that we place around our data to achieve these goals. (e.g. passwords, encryption, software and hardware solutions, etc.)
Whereas data privacy relates to how we manage data. Privacy describes the way in which we gather, store, use, share, and delete data. The field of privacy helps us to understand what is permissible and what is inappropriate with regard to our usage of data. (e.g. Terms of Use, Privacy Policies and data sharing, date of birth, address, gender, etc.) Much can be learned from just a few items of public personal information. For example, based on just your gender, age, and residence – one can easily estimate your yearly income!
The two are interrelated but administered in very different ways. It is important to understand the distinction because you can have a physically secure system without having any data privacy whatsoever. To achieve security you must address both data and privacy issues concurrently.
Information Governance
Information Governance is the process of knowing what sensitive data is and if and where you use it. Sensitive data includes personally identifiable information, personal health information, banking and payment card information, for example.
In many respects, how we use our devices drives what data resides on those devices. Do you use your device for strictly personal activities or do you also use it for business purposes? Do you use applications that store passwords and other data? Do you engage in social networking and use related applications? Do you use data sharing and/or syncing across applications and platforms, etc.
The list goes on, but you get the general idea… The objective is to consider each of the ways in which you use your device, what information those uses leverage or require, and whether that information is considered sensitive requiring protection.
What are the threats?
Cyber threats and cyber crimes are always evolving and in this digital age, you can be certain that the crimes will continue and they will become more sophisticated. Keep in mind that most online or mobile threats are crimes of opportunity. Although some cyber criminals may select specific targets, they are often seeking potential vulnerabilities – any vulnerability that will allow them access. It is only once s/he has access that the resultant crime unfolds e.g. identity theft, credit card fraud, ransomeware, etc.
Most importantly, recognize that all threats are not introduced with malicious intent. In many cases, they are introduced by poorly written applications and software programs that have flaws which hackers and the like can exploit. A great example is the recent case of the popular smartphone game Pokémon Go™ that inadvertently gave the game maker an inordinate level of access into players’ devices. For those users that used a Google account for sign in, the company was given “full access” to the player’s Google account. Once it discovered the error, the company initiated a client-side fix “to request permission for only basic Google profile information” but only after countless players downloaded the game. This illustrates how real the danger is. Here a reputable game maker inadvertently delivered a flawed product that had the potential to expose unacceptable levels of personal and potentially sensitive information.
The subject of cyber threats is another expansive topic. They key take away is the importance of understanding the threats are out there, and recognizing how your online conduct may expose you to those threats so that you can take steps to minimize your exposure.
Insider Threat
Excuse the cliché, but in many cases, we are our own worst enemies when it comes to data security. In many respects, data security comes down to self-policing. In some cases, we get complacent or lazy but in most cases, we simply feel we do not have the time to educate ourselves on what risk is out there, or to research the integrity of the product we are downloading or the site we are downloading it from. Failing to do so exposes us to the risk of downloading a virus or other vulnerable app or sharing too much information that could provide a hacker with a door into our world. Ultimately, we must understand the implications of how we use our devices and be vigilant in doing so because the threats are ever-changing.
How to Protect Against Those Threats?
As mentioned defining your data security profile permits you to identify where your risks are and in knowing that, you already possess the means to protect yourself from threats.
Some of the ways to protect yourself and your data may seem obvious because we frequently hear about them. But the reason for that frequency is because too many times people ignore the warnings and find themselves “hacked”, and unfortunately, it could have been avoided but for a few simple measures.
To list a few:
- Screen lock – PIN, fingerprint, facial recognition, etc.
- Passwords – strong passwords, dual authentication
- Encryption – both iPhone and Android have phone models that include means to fully encrypt your phone. This may be the best and easiest mechanism to protect data on your device. If you do nothing else, Do This!
- Download from reputable and known sources only – this does NOT mean that the application is safe, but reputable sources (e.g. Playstore, Apple, etc.) typically perform at least some level of assessment before making an application available to its users
- Antivirus and malware detection software
- Use of firewalls and DMZs
- Keep your device software updated
Ultimately your data security profile will be defined by your awareness. Awareness by self-policing your conduct and the implications it may have. Awareness by researching a product or source before you use it. Awareness by knowing what data resides on your devices and if and how you are sharing that data. And awareness by understanding what threats are “out there” so that you may protect yourself from them.