10 common things that may expose your data
I was pulled aside by a solicitor a few weeks ago because he wanted my opinion as to whether using online copy-and-paste translation sites might compromise client data.
For a moment, I was transported back to 2015 to a conference room in Washington, D.C., where I attended the presentation of a report containing the findings of a Mozilla investigation using the Delphi method. One of the speakers—I'm embarrassed to say I can't recall who—spoke about teaching his teenage daughter to drive. He marvelled at how she needed to engage in a cognitive process before engaging in the types of behaviour that experienced drivers do as a matter of course. When she reached a stop sign, for instance, she would need to think about to which direction she should turn her attention before edging out into the perpendicular road. He compared his young daughter's approach to driving to our approach to technology and the Internet.
Many of us lack the experience, sophistication, and knowledge with respect to the identification, triage, and mitigation of technological risks to know how we should evaluate the dangers, acceptable risks, or gambles of using tech.
So, it is in this spirit that I have constructed a list of things that I have identified or recognised as risks. These are in no particular order:
1. Online translation software
While plenty of people speak—in whole, or in part—another language, many of us still struggle when encountering unfamiliar words or turns of phrase. I recently fielded a question from a solicitor about the security of some of these online translation platforms. I had to tell him that, in my estimation, somebody in his firm should examine the privacy policies of these sites to see whether cutting and pasting passages from client documents could violate privilege. I wouldn't trust some online translation websites with any client-related dated.
2. Third-party keyboards for mobile
Many people struggle with Original Equipment Manufacturer (OEM) keyboards. By these, I mean the default keyboard that comes on the device. Plenty of the most popular alternative keyboards sometimes collect information entered by users, with the permission of the users, of course, to synchronise the users' "experience" across devices. If that's the case, then anything a user types in his/her keyboard, including email addresses, including passwords, can potentially be collected and stored somewhere online.
3. Browser Extensions
Some browser extensions require an incredible amount of "privileges" to access the data you see and enter on the web.
4. Single sign-in
The saga of Mat Honan—about which he wrote in Wired here—exposes the risks of over-reliance on one chief email address for all our communication, shopping, banking, healthcare, etc., shows how a data breach or careless password can expose each of us to significant vulnerabilities. I, for one, have an email address for communicating with friends and family, one for online shopping and memberships, and another 2 secure, encrypted accounts that I use for tax-related matters, banking and financial matters, and health matters. I also use multi-factor authentication.
Plenty of super-smart people do dumb things. For instance, a member of my extended family who will remain nameless insists on storing website credentials in the contacts list in his local email client. He labours under the baseless belief that he doesn't use the Cloud—despite the fact that he relies on a major US-based email provider.
Another relative got an email sent from a friend's email address in broken English with a bizarre explanation of being robbed in Sofia, Bulgaria, and desperately pleading for an immediate wire transfer of $5,000 USD. To put this in context, the couple who "sent" this request were a retired pediatric oncologist and university professor from New York who spoke a half-dozen languages between them at a level of proficiency higher than that presented in this email! Suffice it to say, before sending a wire, this relative contacted me, and I suggested he call the couple. Turns out, they were at home, in New York, and did not need $5,000 wired to Bulgaria.
I know a few people who think that their security practices are so rigorous, so careful, so complete that they remain invulnerable to a breach. One friend used three different encryption protocols to protect his data. However, when we went back a year later to restore a file that had become corrupted, he could only recall 2 of the 3 passwords, so the data remains encrypted to this day. His security practices were so thorough, that he concealed the data from himself.
7. Failure to rank vulnerabilities
A friend who's a consultant who is very security conscious -- but not security savvy -- takes a lot of steps to protect his data on his electronic devices. He changes his passwords regularly, always downloads upgrade patches within a few days of their release, routinely uses anti-malware software on his computer. However, he has a number of Internet of Things (IoT) devices that each present vulnerabilities and risks to the integrity of his local area network.
8. Bad human behaviour
I know a lawyer can never remember to "sleep" or "lock" her computer when she leaves her office. Anybody with access to her desk could access her machine.
9. USB Flash Drives
Plenty of people carry a USB flash drive with slide decks or other documents they need to share with colleagues. People often neglect to encrypt the drives or files contained on the drives. Lose the drive, anybody can just get your files. OR, somebody finds a drive somewhere and plugs it into their machine to see what's on it. Maybe some juicy confidential files! Or, aggressive malware that exploits some vulnerability in your machine!
10. Improper vetting of system privileges and sys admins
IT Staff always struggle with the degree of autonomy to give users. Give them limitless privileges on the machine, and you can end up with a malware-infested machine within you local area network. Give them too few privileges, and they call you in every few minutes to change their wallpaper, update their word processor, or install mission-critical conferencing software.
System Admins can have limitless access to enterprise data, and, on occasion, you can have admins with access to client files and privileged or confidential information without realising. So, vetting of privileges goes both ways!
So, these were, in no particular order, and in no scientific way, a list of the things that I've observed can create risk in a personal or enterprise computing environment.