Congress has sent proposed legislation to President Trump that wipes away landmark online privacy protections. According to The Washington Post, that means removing limits from what companies like AT&T, Verizon and others can do with information like your Internet browsing habits, app usage history, location data and Social Security number. It will also reduce rules requiring providers to strengthen safeguards for your data against hackers and thieves.
Not only will Internet providers be able to monitor your behavior online; they will also be able to use your personal and financial information, without your permission, to sell highly targeted ads. The providers could also sell your information directly to marketers, financial firms and other companies that mine personal data — all of whom could use the data without your consent. In addition, the Federal Communications Commission, which initially drafted the protections, will be forbidden from issuing similar rules in the future.
If this alarms you as much as it does us, the Electronic Frontier Foundation has extensive resources available to help you reclaim your privacy. First and foremost is Surveillance Self-Defense: Tips, Tools and How-to’s for Safer Online Communications. Browse the section for authoritative information on securely removing deleted information from your computer, the most secure email systems, and the basics of encryption as well as an overview of encryption tools.
The Electronic Frontier Foundation is the leading nonprofit organization defending civil liberties in the digital world. Founded in 1990, EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development. You may not support their stance on all Internet-related issues, but they are an excellent resource if you are concerned with the security of your data. Their site merits revisiting whenever you want to assume more control over your online privacy and security…or just want more insight into what your options are.
Cyber risk protection is a key aspect of reputation management for corporate leaders, high net worth individuals and their organizations. We interviewed Kenneth Citarella, Senior Managing Director, Investigations and Cyber Forensics at Guidepost Solutions to gain insight into the most common (and often surprising) threats they face. Guidepost Solutions LLC is a multinational investigations firm specializing in monitoring, compliance, international investigations, and risk management solutions. Mr. Citarella’s areas of expertise at the firm include computer crime and fraud.
What are some examples of cybercrimes you have seen that could have been prevented with better due diligence and proactive risk assessment?
We were retained to investigate problems at a firm after it had hired a new CFO to oversee the design and implementation of a new computer network. The new CFO hired a personal friend as a consultant on the project. Then they conspired to overbill the firm and monitor the emails of key personnel. Simple due diligence would have disclosed the relationship. Also, it is important to remember that due diligence on a third-party vendor who will have access to your network must include their cybersecurity practices. One of the most publicly scrutinized attacks on a retail chain began through its HVAC vendor. Incidents such as these illustrate how important it is to be aware of your network’s vulnerabilities so you can identify and implement preventive practices.
How have the new technologies used by corporations changed due diligence methods — and where do you continue to see vulnerabilities?
Due diligence methods have not changed that much. Internet-based research has been around for years. But the objectives and scope have greatly expanded. For example, if you are acquiring a company, you are not only concerned with their profitability, personnel, facilities and other traditional qualities, but with their digital practices as well. Can your networks be integrated? Are data protection procedures equivalent? Are your BYOD policies the same? Questions like these have to be addressed so that you are at least aware of the risks you are assuming. These questions are as necessary as evaluating internal financial controls and inventory. The issues are similar when evaluating third-party vendors. They handle your data and access your network. Their cyber vulnerabilities become yours.
What are the most common cyber threats facing high net worth individuals and their families?
High net worth individuals and their families face all the same cyber risks as anyone else, but they are also more lucrative targets and often have higher Internet profiles—of which they may not be aware. For example, information about a prominent executive may exist on multiple websites, including those of his employer, a conference he attended, and a trade association he is involved with, as well as on public media platforms. In addition, the executive’s children may be active on numerous social media platforms, leaking details of family and parental activities. From these rich sources, a criminal can mine enough details to craft a carefully scripted approach targeting a specific person (which is known as spear phishing). Far more sophisticated than the more general shotgun attempts aimed at the unwary public, these attacks will reference details of the target’s professional or personal life that only a genuine associate would typically know. That is what makes them so hard to resist. Add the fact that many high net worth individuals have personal administrators for their homes or offices who answer emails and the risk escalates. Modern communications have effectively created a due diligence obligation for high net worth individuals to know and control their Internet profiles in order to minimize their risks.
If you could give them one piece of preventive advice, what would it be?
Assume you are at risk. Get educated about your vulnerabilities, address them and periodically reassess.
Cyber risk is in the news daily (and many more incidents are not made public). Can you provide examples of the type of incidents that are most damaging to corporate and executive reputations?
Recent headlines provide all the examples we need. Multiple retail chains have been hurt because they cannot protect their customer data. If the public hesitates to shop at a store because of data breach concerns, sales, income and stock price can all fall. Intrusions have destroyed emails and corporate assets, exposed embarrassing internal communications and identified people looking for sexual affairs. Reputation repair for the individual and the organization may take an extended period of time—or may not happen at all. A high-profile corporate or personal life in the 21st century requires adequate cybersecurity at home and at work as well as a protected and controlled Internet profile. Highly qualified professional assistance to secure those objectives is a must.
This is the third in a series of interviews with experts whose work relates to online reputation management.
No company wants to be put in the position of Sony: hacked, with thousands of valuable internal documents published widely online. But the proliferation of hacking and the ease with which even government databases can be accessed make it clear that there is very little security on the Internet.
This crisis presents one more important lesson. While we have little control over our Internet security, we can control what we say online, including in emails. We can:
– Be brief.
– Stick to the facts.
– Avoid acknowledging, participating in or responding to conversations that would be embarrassing or harmful to us or others if made public.
– Pick up the phone when you want to keep a conversation private.
The immediacy and convenience of email communication can make it difficult to adopt those guidelines. But they represent a large step toward safer online discussions, something we should all strive for.