In our latest interview, we virtually sat down with George Bailey, a cybersecurity consultant for a university technical assistance organization. He, obviously, knows many things about security and privacy and — lucky for us — was eager to share his thoughts. Here’s what he had to say…
Can you briefly introduce yourself?
My name is George Bailey, I am the lead cybersecurity consultant for a university technical assistance organization. We engage with businesses in our state to improve their cybersecurity posture by providing cyber education and professional services. I have held a full-time cybersecurity role since 2004. Prior to working in cyber, I held a number of system engineering and administration roles. For the last 10 years I have been assisting SMB organizations to improve their cybersecurity hygiene through the implementation of several information security frameworks and assessments.
What do you see as the main challenges for our privacy today?
The proliferation and hoarding of Personally Identifiable Information (PII), with no apparent strategy by many organizations on how to properly control access to it and safely dispose of it when the data is no longer needed, is one of the primary challenges with privacy I see today. The “let’s collect information just in case we need it later” mentality is leading to massive data breaches and abuses of data, resulting in the degradation of our privacy.
What can we as individuals do about it?
The textbook answer would be for individuals to read every privacy policy, EULA, and mission statement of the organizations with which they conduct business or share their information. However, in the reality of the world we live in, that is not always practical, and the practice is rarely followed. For example, I am very well informed regarding the abuses of PII among large enterprises, but do I take the time — every time — to read privacy policies and decide if the risk is too great? No, I don’t. If I don’t do it, and I KNOW better, it is safe to assume a majority of others don’t read them either.
There are a number of technological aids that individuals can enable to try to reduce the massive proliferation of PII that is collected automatically by engaging with a service, site, or company. Among them are disabling location services and ad tracking on mobile devices, and locking down web browsers with regard to cookies, execution of scripts, and advertising IDs.
Can VPNs help? Do you use one?
In certain situations, not only can VPNs help, they are an absolute must. VPNs aren’t going to hide you from organizations you engage with on a regular basis, but they do protect you from adjacent computers on the network using your ISP and do prevent many cybersecurity attack vectors that you might experience while using public or untrusted networks. I use a VPN on a regular basis, mostly for interacting with work resources. I also use a VPN when I am not on my personal home network.
What do you do to protect your personal information?
I follow strict personal rules regarding interacting with email; phishing is a primary means for collecting information. I try to secure my web browsers as much as I can; there is a compromise though as some sites just don’t work well when you disable a lot of browser functionality.
Also, I disable all the features on my smartphone that make it a smartphone; I might as well go back to using a flip phone. I limit my use of social media to a minimum, and only share content that I am willing to lose complete control over.
Do you have some other advice for our readers so they could, at least partially, regain their privacy?
Decide personally where you are going to draw the line regarding what information you’re willing to lose control of. Once you know your appetite for the amount of privacy you require, or the data elements that are most important to you, start making an inventory (even if just in your head) of who you interact with that may be crossing your line, or with whom you have shared your most private information. Once you have an idea of who that is, go and review their privacy practices. If it is a mature organization, they will likely have a Privacy Officer; send them an email and ask questions about how they use, share, and dispose of your data. If your private information is regarding your health, ask your physicians for an “accounting of disclosures” — they are permitted by law to account for all impermissible disclosures of your data within a six-year period.
Start using a password vault (e.g., LastPass, OnePass, KeePass, etc.), and force yourself to use strong, UNIQUE passwords for each site or service you interact with. Make your email password one of the longest and strongest. When I say long, I am recommending a 20+ character password. When using a password vault, you don’t have to remember what the password is, so there is no excuse not to make it a long one.
Use a VPN when on untrusted, public, or free Wi-Fi. Remember you get what you pay for, so if you are getting free Internet service or the network is not provided by an organization you trust your privacy to, you shouldn’t count on decent security or privacy controls being deployed. On the contrary, you should assume your computer and your Internet traffic are under constant attack while on networks YOU don’t control. This concept is the same for VPN services: if the service is free, you have to ask yourself why. Are you the consumer of their service, or are you the product of their service?
Don’t log in or perform private transactions on shared resources; for example, don’t log into your patient portal from your in-laws’ computer if you are sensitive to the privacy of your health information. This doesn’t mean you don’t trust your in-laws; it means you don’t trust their computer, their ISP, and the security controls on their computer, which may be set at different privacy thresholds than you prefer.
Lastly, don’t be afraid to ask questions of organizations asking for your information. Just because the spot is on a paper form, it doesn’t mean you have to complete it.
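The advice above to use a vault with a unique, 20+ character password per site is easy to quantify. The following Python is an added example written for this page, not code from the interviewee or any vault product: it generates vault-style passwords with the operating system's CSPRNG (`secrets`), builds a small per-site vault so uniqueness can be checked, and computes the entropy in bits that a given length and alphabet provide, so the jump from an 8-character to a 20-character password can be compared directly. The 94-character alphabet and the site names are constructed assumptions, not values from the interview.

```python
import math
import secrets
import string

# Constructed assumption: the character classes a typical vault generator offers
# (upper, lower, digits, printable punctuation) = 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return `length` characters drawn uniformly from `alphabet`.

    secrets.choice uses the OS CSPRNG, which is what a vault should do; the
    `random` module is not suitable for this purpose.
    """
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet_size).

    This is the attacker's worst case (they must search the whole space); it
    only holds when every character is chosen independently at random, which
    is why vault-generated passwords beat human-chosen ones of the same length.
    """
    return length * math.log2(alphabet_size)


def build_vault(sites, length: int = 20) -> dict:
    """Generate one independent password per site, the 'UNIQUE per site' rule.

    A breach of one site's password database then reveals nothing usable
    against the others.
    """
    return {site: generate_password(length) for site in sites}


def all_unique(vault: dict) -> bool:
    """True when no two sites in the vault share a password."""
    passwords = list(vault.values())
    return len(passwords) == len(set(passwords))


def compare_lengths(short: int = 8, long: int = 20, alphabet_size: int = len(ALPHABET)) -> dict:
    """Entropy (bits) of a short vs. a long random password over the same alphabet."""
    return {
        "short_bits": round(entropy_bits(short, alphabet_size), 2),
        "long_bits": round(entropy_bits(long, alphabet_size), 2),
    }


if __name__ == "__main__":
    # Constructed sample sites, standing in for the organizations you interact with.
    vault = build_vault(["email.example", "bank.example", "patient-portal.example"])
    for site, pw in vault.items():
        print(f"{site:>24}: {pw}  ({len(pw)} chars)")
    print("all unique:", all_unique(vault))
    print("8 vs 20 characters over", len(ALPHABET), "symbols:", compare_lengths())
```

Running the block prints three independent 20-character passwords and the entropy comparison: over a 94-symbol alphabet an 8-character random password gives roughly 52 bits, while the 20-character password the interviewee recommends gives roughly 131 bits, far beyond what any offline guessing campaign can exhaust. The practical point is the one made above: since the vault remembers the password, length costs the user nothing.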