In an increasingly interconnected world, personal data privacy has become a growing concern that resonates with virtually every individual and organization. One company aiming to solve the data privacy challenge is OneRep, a firm focused on privacy and personal information removal from various online platforms and services. In a recent interview with Mark Kapczynski, SVP of strategic partnerships at OneRep, we explored the landscape of personal data privacy, understanding the trends and issues that shape it, and practical strategies for protection.

Navigating the Evolving Threat Landscape

It’s important to recognize how far we have come in our relationship with the digital world. From the excitement of the late ’90s, when being found online was a novelty, to today’s more cautious attitude, we are witnessing a transformation in how personal data is perceived.

The threat landscape has broadened and deepened with advancements in technology. Fraudsters now have access to tools that enable them to spoof personal identifiers, from voice to phone number. What makes this alarming is that the threats are not isolated but interconnected, creating an ecosystem where one vulnerability leads to another.

Problems with People Search Websites

People search sites are not merely a nuisance; they are dangerous, selling personal data and often providing misleading and inaccurate information. “The information that they have on you and I most of the time isn’t even accurate. So people are misled into these sites and then they’re sold a subscription product to all this consumer data,” adds Mark. Furthermore, these sites make it difficult for subscribers to cancel and nearly impossible for individuals to opt out or have their information removed.

Regulatory changes are playing a significant role in shaping the global privacy landscape. With stringent laws like GDPR in the European Union, we see a ripple effect, with similar data privacy regulations slowly emerging in other parts of the world, including the US. These legal shifts further underscore the importance of protecting personal data and anticipate an imminent global standardization of privacy laws.

Yet, despite all these advancements, there is an undeniable gap in education and awareness. The very innovations that empower security also allow attackers to create more targeted threats, leaving even seasoned professionals unprepared at times.

The Risks of Publicly Available Information

Publicly available information opens up several attack vectors, especially for C-level executives, who are 15 times more likely to be targeted. These attacks can range from direct harassment or harm to the use of social engineering to impersonate or gain access to confidential information. Kapczynski illustrates the various scenarios: “I can get to executives that probably have more security privileges than other employees, and I can either impersonate them or socially engineer ways to get into their apps and IT environments, and get access to confidential information or corporate information and so on.”

The risk even extends to enabling financial fraud, including opening credit card accounts or taking loans in another person’s name.

OneRep: Bridging the Gap

In the midst of this complex environment, data privacy solutions like OneRep offer an approach that aligns with the current trends and seeks to empower and educate individuals.

OneRep acknowledges the need for a holistic approach. The company emphasizes not only the utilization of data removal services but also the importance of education. This dual strategy resonates with the larger trend of individual empowerment, where companies and consumers are actively seeking tools to control their online footprint.

OneRep’s user-centric approach is also reflective of the broader shift in the way people relate to privacy. As Kapczynski explains, there has been an “interesting shift” where people seek to be not found. This change in sentiment indicates an increasing awareness of the risks and a willingness to invest in data privacy.

A Competitive Edge Through Automation

The automation that underlies OneRep’s services is a core part of their value proposition. By removing human intervention from the process, they’re able to offer a highly valuable solution at a competitive price point, with an enhanced offering for executives.

This approach allows OneRep to not only protect high-profile, C-level individuals but also regular employees across various industries, from law enforcement to the legal and judiciary world and other sectors. One poignant example Mark cites is working with a county in California to protect social workers who may become targets for harassment due to the decisions they make about people’s families.

OneRep’s services aren’t limited to a specific demographic or use case. Mark explained that the company’s offerings include enterprise plans, consumer solutions, and API integrations with identity theft protection products and services. This flexibility enables OneRep to create tailored solutions for various customers’ needs, covering executives, employees, contractors, and even freelancers.

Best Practices: A Practical Approach

The complex nature of personal data privacy requires a well-rounded strategy that considers multiple aspects. For organizations, it means building a human firewall through regular training sessions and awareness campaigns. Implementation of robust security measures and compliance with regulations is not just about legalities but about building trust and reputation.

For individuals, the strategy extends beyond just signing up for services like OneRep. It involves tactics such as using synthetic identities for different online interactions, staying informed, and being proactive in their approach to online safety. As Kapczynski advises, even simple measures can make it more challenging for fraudsters to do harm.

The path to personal data privacy is complex but achievable. In a world where privacy can often feel like a fleeting luxury, it is through concerted efforts, innovative solutions, and continuous education that we can hope to reclaim control over our personal data and face the complexities of digital privacy with resilience.

The post Personal Data Privacy: Trends, Challenges, and Solutions appeared first on Cybersecurity Insiders.

By Istvan Lam, CEO of Tresorit

According to a new report from the UK’s cyber security agency, the National Cyber Security Centre (NCSC), the number of ‘hackers for hire’ is set to grow over the next five years, leading to more cyber attacks and increasingly unpredictable threats. A rise in spyware and other hacking tools is also anticipated, which will have a profound impact on the UK’s digital landscape.

Cyber threats are already a huge concern for UK businesses, with cyber-attacks on SMEs up 39 per cent last year from 2020, so it’s not surprising this news is adding even more anxiety. What’s more, the new assessment highlights that the threat will not only become greater but also less predictable as more hackers for hire are tasked with going after a broader range of targets, meaning any business, of any size and across any industry could be at risk.

With this in mind, businesses would do well to take proactive measures to protect their sensitive information and communications. End-to-end encryption software is vital in this regard, providing businesses with a secure and reliable way to protect their data and prevent cyber-attacks.

How can this software protect businesses against the threat of cyber-attacks? How is it designed to keep data safe at all times and why exactly should businesses take this extra step to ensure financial data, personal information and intellectual property are kept safe? Is it really essential, does it provide optimum protection and what other measures can businesses take to minimize cyber threats?

How exactly does end-to-end encryption work?

Although many businesses believe all encryption types offer end-to-end protection for data at all times, end-to-end encryption isn’t in fact the standard for all encryption types; often data will only be encrypted while it is being stored, or while it is in transit. End-to-end encryption means that every file and relevant file metadata on the device in question is encrypted using a unique randomly generated encryption key, and files can only be accessed with a user’s unique decryption key so that data is stored as safely as possible. End-to-end encryption also provides an added layer of security for businesses that use cloud-based storage and collaboration tools. Tresorit’s content collaboration platform, for example, offers businesses ultimate protection, as files stored in the cloud are encrypted before they are uploaded, making it extremely difficult for hackers to access them.

In other words, end-to-end encryption software is designed to protect communication channels by encrypting messages at the sender’s device and decrypting them at the receiver’s device, making it almost impossible for hackers to intercept and decipher the messages. And with the ever-growing threat of cyber-attacks and hackers for hire, this ‘gold standard’ of encryption, which ensures utmost security and privacy for data at all times, is crucial.

How risky is it to go without?

Cyber-attacks are designed to cause maximum disruption, exploiting vulnerabilities within a business IT framework. Such attacks can result in the theft of commercially sensitive information or intellectual property, software or data destruction or deletion, thefts of funds, liability to third parties such as customers and supply chain partners and reputational damage.

Cyber security attacks such as a data breach can be devastating and ultimately wipe out a company. End-to-end encryption can help prevent such breaches by making it virtually impossible for hackers to access sensitive information, and with 43 per cent of UK businesses identifying a cyber security breach in the last year, organizations would do well to put this extra layer of protection in place.

What else can be done?

Besides end-to-end encryption, there are a number of other cybersecurity measures businesses can take to minimize the risk of cyber threats. Organizations should ensure they implement regular security audits, run up-to-date antivirus software, use strong passwords, and put in place intrusion detection and prevention systems. Cyber security awareness training for employees is also vital for helping to reduce risks. Businesses should ensure employees are trained on a wide range of security topics such as how to respond to threat situations, phishing and secure data handling.

The role of business leaders

Senior leaders of organizations have a huge responsibility when it comes to ensuring their business is cyber aware and ultimately cyber secure. They should be having essential discussions about cyber security with their organization’s technical experts and key stakeholders and should ensure that their company’s cyber security policy is communicated throughout the business with all staff given the necessary training. The NCSC has recently launched new resources as part of its Cyber Security Board Toolkit, to encourage senior leaders to treat cyber risks with the same importance as legal or financial risks and to make sure the potentially devastating consequences of an attack are filtered through the organization. It also includes a range of activities for organizations to participate in as well as key success indicators and materials to help organizations engage their staff on the topic.

Final thoughts

With a growing hackers-for-hire marketplace and an ever-increasing risk of cyber threats, businesses should take heed and ensure they’ve put the highest standard of security and protection in place for their company’s data and information. Cyber-attacks can have deadly consequences and can mean the end of the road for many businesses, so not only should companies embrace end-to-end encryption but they should take time to assess the range of cyber security protection measures they have in place, so that no stone is left unturned. Business leaders have a huge role to play when it comes to ensuring their organization can protect itself from, respond to and recover from a cyber-attack, data breach or service outage.

The post Rising Threat of ‘Hackers for Hire’ – How End-to-End Encryption Software Safeguards Businesses appeared first on Cybersecurity Insiders.

Traditionally, hackers have targeted databases to initiate cyber attacks, aiming to pilfer critical credentials like account passwords. However, a recent study proposes a new angle: the exploitation of Artificial Intelligence (AI) technology to facilitate password theft.

A team of forensic experts, collaborating with scholars from esteemed institutions such as Durham, Surrey, and Royal Holloway Universities, has unearthed a startling revelation. They’ve found that AI tools can empower cyber-criminals to discern passwords by merely capturing a user’s keystroke patterns using a microphone.

The next time you utilize a microphone during a Zoom chat or while enjoying music, exercise caution, as the distinctive sounds of typing could be deciphered to deduce passwords from the recordings, uncovering the entered phrases.

Researchers involved in this experiment leveraged an iPhone positioned just 17 centimeters away from a Mac to decode words typed into the laptop. The intriguing aspect is that the differentiation between typing within a document or a web page remains somewhat enigmatic. Nonetheless, these scientists claim an impressive 95 percent success rate.

A similar assessment was conducted while the Zoom meeting app was running, where researchers boast a 93 percent accuracy rate in password detection.

Dr. Ehsan Toreini, leading the Cybersecurity division at Surrey University, elucidates, “Since each keystroke produces a distinct sound, AI tools can deduce on-screen typing, providing us with an estimated idea of the phrase or password being input.”

This begs the question: could these advancements pave the way for acoustic cyber-attacks?

Undoubtedly, this could signify the future for cyber-criminals seeking to exfiltrate sensitive data. Acoustic attacks, involving sonic surveillance for capturing textual information, could indeed emerge as a new frontier for criminal endeavors, boasting an accuracy rate of nearly 96 percent.

Thus, this introduces another form of eavesdropping aimed at harvesting user passwords and other valuable credentials.


The post Exploitation of Artificial Intelligence AI technology to facilitate password theft appeared first on Cybersecurity Insiders.

By James Robinson, Deputy CISO Netskope

Over the past 30 days, the most pressing question facing CIOs and CISOs right now is, “how much?” How much access to ChatGPT do we actually give our employees? Top security leaders are left to decide whether they should completely ban ChatGPT in their organizations, or embrace the use of it. So which option should they pick?

A simple answer is to implement a managed allowance. However, this may only work if your organization is doing all the right things with sensitive data protection and the responsible use of AI/ML in your own platforms and products. Your organization must effectively convey where and how it’s using AI to customers, prospects, partners, and third- and fourth-party suppliers in order to build successful and securely enabled programs that are governance-driven.

Organizations that simply “shut off” access to ChatGPT may feel initially more secure, but they are also denying its many productive uses and potentially putting themselves—and their entire teams—behind the innovation curve. To avoid falling behind, organizations should consider prioritizing the implementation of a managed allowance of ChatGPT and other generative AI tools.

Governing ChatGPT within your organization

Netskope has been deeply focused on the productive use of AI and ML since our founding in 2012. Like everyone, we’ve just observed an inflection point for generative AI. Unless you were a data scientist, you likely weren’t doing much with generative AI before November 2022. And as a security practitioner, developer, application builder, or technology enthusiast, your exposure was focused on use, not development, of the features. But since the public release of ChatGPT, everyone is able to access these services and technologies without any prior knowledge about the tool. Anyone with a browser today, right now, can go in and understand what ChatGPT can and can’t do.

When something becomes the dominant topic of conversation in business and technology this quickly—and ChatGPT definitely has—leaders have essentially two choices:

  • Prohibit or severely limit its use
  • Create a culture where they allow people to understand the use of this technology—and embrace its use—without putting the business at risk

For those on your team who are allowed access to ChatGPT, you must enable responsible access. Here at the dawn of mainstream generative AI adoption, we’re going to see at least as much disruptive behavior as we did at the dawn of the online search engine decades ago, when we saw different threats and a lot of data made publicly available that arguably should not have been.

Managing third and fourth-party risk

As organizations implement the productive business use of generative AI by the appropriate users, we will also see the rise of copilots being used. This will force security companies to be responsible for obtaining critical information from their third- or fourth-party suppliers regarding AI-associated tools. These questions can help guide the assessment:

  • How much of a supplier’s code is written by AI?
  • Can your organization review the AI-written code?
  • Who owns the AI technology your suppliers are using?
  • Who owns the content they produce?
  • Is shift-left licensing involved, and is that a problem?

AI is here to stay. With the right cultural orientation, users within organizations are better able to understand and use the technology without compromising the company’s security posture. However, this needs to be combined with the right technology orientation, meaning modern data loss prevention (DLP) controls that prevent misuse and exfiltration of data, and are also part of an infrastructure that enables teams to respond quickly in the event of that data’s misuse.

The post Don’t Shut Off ChatGPT, Implement a Managed Allowance Instead appeared first on Cybersecurity Insiders.

By Dimitri Shelest, Founder and CEO of OneRep

The increase in remote and hybrid work since the COVID-19 pandemic has revolutionized the way that companies operate. It has also introduced a new array of cybersecurity threats. Bad actors have more weak points to target companies than ever before.

They also have more ammunition. The internet is awash in personal data they can use to make their scams more credible to isolated employees working outside the perimeters of corporate security. Companies must adapt to this changing threat matrix by securing the expanded perimeters, educating and empowering employees, and taking ammunition in the form of data out of the hands of criminals.

The main focus should be on people. People are the weakest link in any cybersecurity effort. They make mistakes, don’t always comply with security procedures, and can fall prey to carefully calculated scams. According to a 2021 data breach survey of 500 IT leaders and 3,000 employees, 84% of data breaches with a business impact resulted from an employee’s mistake. Almost three quarters of organizations said breaches were caused by employees breaking security rules.

And it’s people that attackers are targeting. Almost all cyberattacks today contain an element of social engineering–the theft and use of data to manipulate and trick people.

Inside the office, companies can mitigate risks with physical security in the form of firewalls, enterprise-grade routers and modems, and threat-detection software. They can control what systems people use to work and communicate, and tightly control access to those systems. They can provide in-person training, conduct tests and monitor compliance. Even so, the same study reports that 73% of organizations have suffered serious breaches from phishing attacks.

Data is the fuel for these attacks, and the volume of personal information available online nearly doubles every year. All this data is collected legally by companies, and often sold to data brokers who in turn sell it to people search sites. There are many legitimate uses for this data, but bad actors are also using it to make their attacks more personalized and effective.

The majority of workplace phishing attacks are BEC (business email compromise) schemes impersonating executives or vendors in order to get money. Cybercriminals can also phish for confidential information and credentials for company systems to plant ransomware. They may also seek to harass employees with spam and robocalls, interrupting their productivity and potentially causing them to miss an important call from a customer or prospect. In some cases, they may even threaten employees and their families.

These attacks are more effective in a remote setting, for a variety of reasons. Home networks are typically less secure than business networks. Employees may also be working from cafes or other locations outside the home.

The use of new collaboration and productivity tools geared towards remote work has created new vulnerabilities. These applications often have only minimal security settings which are sometimes reset when the vendor does a software update. Remote desktop tools used to access work computers from a home setting also make it easier for cybercriminals to access the company’s network.

Employees often engage in personal communications on work devices and work tasks on personal devices. This can expose the company to existing malware or viruses that they may not even realize are already on their personal devices.

Isolation also plays a critical role in aiding fraudsters. Employees don’t have coworkers in their immediate vicinity to do a gut check with if they think a communication looks suspicious. If a tech problem seems suspicious, they may have a harder time immediately getting in touch with security or IT personnel. They also may not be as aware of changes to security rules or engaged with security training–if they’re getting trained at all.

Companies can protect their employees and themselves by utilizing a combination of security measures. Implementing identity management solutions like Multi-factor Authentication (MFA) and Single Sign-on (SSO) tools adds an additional layer of protection for company systems and resources. IT can also make sure they’re applying the latest updates and patches to the software applications that remote workers use on a regular basis. Setting them up with a VPN (virtual private network) at home is another way to bolster security.

All employees should also receive regular training on recognizing threats and security hygiene best practices. It’s also important to ensure employees know how to report threats or mistakes and feel comfortable doing so. Delays in reporting an attack or breach can allow contagion to spread quickly.

Companies can also help employees remove the fuel for phishing attacks by enrolling them in a data privacy service that removes personal data from people search sites. According to data from my company, OneRep, which provides such a service, the average individual has data profiles on 46 of these sites. In the era of big data, these profiles have become quite robust, with much more data than just name, address and phone number.

While people search sites are legally required to remove data records upon request, this can be a Sisyphean task. It is very time-consuming to request removal from so many sites, and our internal data shows that much of this information ends up right back on these sites within just a few months.

One click on a bad link can cause a huge amount of damage to an organization. The core tenets of cybersecurity are to protect people, environment and technology. The changing nature of where and how we work has created a much larger attack surface across all three.

Companies must use all the tools at their disposal to secure their data, networks, systems and devices wherever employees use them. They must keep employees informed and engaged with the security effort and empower them to act. And they must deprive would-be attackers of one of their key weapons–personal data–by helping employees keep their data private.

Author Bio:

Dimitri Shelest is a tech entrepreneur and the CEO at OneRep, a privacy protection company that removes public records from the Internet. Dimitri is an avid proponent of privacy regulation framework and likes to explore cybersecurity and privacy issues as a writer and reader on various platforms. For more information, visit www.onerep.com.

The post Combating Cybercrime in the Age of Remote Work appeared first on Cybersecurity Insiders.

Data is rapidly becoming the most valuable commodity, permeating practically every aspect of life. However, with this explosion of data comes the daunting challenge of data privacy. Companies are constantly investing in a multitude of applications, each leading to a collection of vast amounts of personal information. From customer support teams to sales teams and e-commerce operations, the collection of personal data is ubiquitous.

Yet, the consumer’s expectation for transparency regarding how their information is used is steadily increasing, and in many cases manifested in legal requirements. Consumers desire control over how their personal data is used, which forces businesses to be fully aware and in control of the information they collect. This task, however, is far from simple. The sheer volume of data and applications often results in the loss of oversight, often exacerbated by corporate ‘Shadow IT’— the unauthorized use of unknown applications containing sensitive data outside of IT’s control and visibility.

Existing Solutions and Their Shortcomings

Traditional solutions to this issue have primarily been workflow-driven, with a focus on assigning responsibility to employees to declare the applications they use. However, this approach is fundamentally flawed, as it assumes all employees will comply with workflow rules and actively participate in understanding and reducing risk.

Other solutions struggle with the immense task of tracking the increasing number of applications in use. Okta’s Businesses at Work report suggests that an average user interacts with an estimated 196 applications; however, Netskope’s Cloud & Threat report shows that the number could exceed 1500 distinct applications in larger organizations. Navigating this labyrinth of applications to ensure data privacy is an enormous challenge for businesses of all sizes.

DataGrail: A New Approach to Data Privacy

DataGrail, founded in 2018, emerged with an innovative solution to these data privacy challenges. The company’s mission is to provide businesses with an integrated solution that both addresses the growing concern for privacy and manages the proliferating number of business applications.

DataGrail built its solution from the ground up with a unique approach. Instead of relying on workflow or network scanning, they leverage existing ecosystems, looking at the relationships between applications. This method enables DataGrail to uncover and expose the use of different applications that may otherwise fly under the IT radar.

Unveiling Risk Intelligence

One of DataGrail’s flagship offerings is Risk Intelligence. This innovative concept is about uncovering Shadow IT and providing visibility about how businesses are collecting personal information and how it’s being used across an organization. DataGrail’s patented technology allows the platform to identify applications and the type of personal information existing within them, providing unprecedented visibility and control to organizations over their data privacy landscape.

The Integrated Approach

DataGrail differentiates itself by integrating with more than 2,000 different applications, offering a vast coverage scope. If an application contains sensitive information, like Social Security numbers or addresses, it is prioritized, helping businesses minimize the risk of unknown applications housing sensitive information.

The Road Ahead

As the digital landscape evolves and data sources continue to explode, DataGrail plans to invest in their suite of products and innovate in the data discovery and risk intelligence fields. The company is committed to expanding their ecosystem approach, keeping pace with the rapidly evolving data landscape.

In conclusion, DataGrail stands at the forefront of data privacy management, offering an integrated solution that addresses the increasing challenges posed by the digital age. Their unique approach to identifying and prioritizing risky applications, coupled with an expansive ecosystem of integrations, sets them apart in the industry.

DataGrail’s innovative Risk Intelligence not only uncovers Shadow IT but also provides organizations with an unprecedented level of visibility and control over their data privacy landscape. With their patented technology and commitment to compliance, DataGrail is pioneering a new way for businesses to navigate the data privacy maze, bridging the gap between the rising demand for transparency and the complex task of personal information management.

The post Navigating the Data Privacy Maze: How DataGrail Advances Privacy Management appeared first on Cybersecurity Insiders.

Data compliance is an essential part of data management that organizations should follow carefully. Data compliance is more than maintaining relevant standards and regulations and ensuring that the data is secured. The substantial amount of data that is processed and used in organizations must be managed properly. All phases of data […]

The post 4 tips to achieve Data Compliance appeared first on The State of Security.

The second quarter of 2022 offered plenty of positing on privacy, both in the U.S. and internationally. In the U.S., we saw the addition of another state privacy law, and a spark of hope in privacy professionals’ eyes with the introduction of tangible federal legislation. Plus, the Federal Trade Commission (FTC) is positioned to act […]

The post Privacy in Q2 2022: US, Canada, and the UK appeared first on The State of Security.

The first months of 2022 began slowly for privacy, but by the end of the first quarter we had our marching orders for the rest of the year. In the U.S., we saw an explosion of state privacy bills being put forward (again), the Senate utilized a seldom used maneuver to push President Biden’s Federal […]

The post 2022 Q1 Privacy Update — A new year sparks new initiatives appeared first on The State of Security.