Monday, December 24, 2012

A gift to yourself this year? How about a better privacy profile?

A headline today on the Motley Fool's great online financial site, entitled "The Best Gift to Give Yourself This Year," made me think about what might really be a great gift to give yourself, at little to no cost. How about enhanced privacy? Or, more precisely, greater anonymity, especially online.

In the last year I have seen and have personally used a number of great technological tools and best practices to help minimize my exposure and vulnerability to excess data proliferation.

Now, I am no technological Luddite or privacy alarmist. I believe in and understand how the Internet works, and how the advertising-funded, low-cost model has benefited the modern world. Yet I am sure you have all seen, quite often in the press, exaggerated reviews of services and applications that, if used on your smartphone, would threaten the very existence of Western Civilization. I benefit from many of these applications myself, but we are very quickly coming to the point where the value proposition is tilting too far in the other direction, against regular consumers.

First up, a couple of behavioral changes that you should consider adopting in 2013. For example, don't get in the habit of logging in to new applications or websites with your Facebook, Twitter or any other third-party credentials. I realize it is expeditious and convenient, but it not only allows the third-party site (Facebook, Google, Twitter, etc.) to continue building a profile of you, it also lengthens the bread-crumb trail of your actions and activities on the web. If you ever want to disappear forever, you'll have a rough time of it, since you left so many clues as to your possible whereabouts and past behaviour.

Second, start to take notice of the new windows that pop up in and around websites offering you the ability to control the cookie and ad choices that are shown to you. You can be much more proactive about which cookies a website is allowed to leave on your machine when you visit it. Most European websites (and some of the more forward-looking U.S. sites) now offer an express-consent option when you visit the site for the first time, to control how the site will track you now and in the future. A great product from a company called Evidon, which serves up the "AdChoices" icon on some websites, allows you to proactively opt out of being tracked by hundreds of tracking companies with one click on a page on their website. Through Evidon's Open Data Partnership (ODP), users can easily manage the profiles that different companies have created about them and their interests.

As for technology, and for the more paranoid among us, I have lately been using the Tor Browser, which really hides or disguises your activities online. The service works by 'bouncing' your communications around a distributed network of relays around the world, run by volunteers (i.e. you, if you use the browser). Tor prevents someone watching your Internet connection from building a profile of you based on the sites you visit. An added benefit is that the browser prevents the sites you visit from learning your actual physical location, and it lets you access sites that are blocked, which your IT guys at work will no doubt love. (As I was writing this blog, I fired up the Tor Browser, and the IP address that my machine was displaying to the outside world made it appear as though I was in the Czech Republic. Good stuff!)

This is just a short list of technologies and behavioral changes that you can easily adopt to improve your privacy posture in the new year. Almost all of these services and activities are free. In most cases, the cost is nothing more than a few extra minutes of your time to set up a profile or check a box on a website. Generally, there is nothing to pay for. All you need to do is start paying attention.

Happy Holidays and Happy New Year!

Wednesday, December 5, 2012

"Secure data access in a mobile universe" - Interview with the Economist Intelligence Unit

I was recently interviewed by a journalist, Lynn Greiner, who was working on a paper for the EIU, and we talked about data security, mobility and the ever-common phenomenon of BYOD (Bring Your Own Device to work).

The full white paper is here (http://tinyurl.com/a76vfow) but here are some excerpts:

Preventing the data from being stored on a mobile device at all is another strategy. Al Raymond, vice president of privacy and records management at Aramark, a US foodservice supplier, says authorised users who need to access company information remotely do so over a secure virtual private network (VPN) from their laptops or mobile devices. No data other than email are stored on the device itself, making it relatively easy to protect corporate data assets should the employee leave, or lose the device.

Some companies that have BYOD policies expect executives and employees to make sure they have necessary software on their devices, at their own expense. Others reimburse all or part of the cost of programmes required specifically for business. Proper configuration and good usage practices must be monitored and enforced centrally, Aramark’s Raymond says, adding that regularly reinforced security awareness training also keeps secure data access fresh in employees’ minds.

Aramark’s Raymond says his company takes an alternative approach to device-centric mobile security administration. Workers use the mobile device purely as a viewer, leaving company data on securely accessible corporate servers that do the heavy computing, and not on the device itself.

The average cost of a corporate data breach incident hit US$7.2m in 2010, according to the Ponemon Institute, a consultancy. That’s more than double the average cost in 2005. Mr Raymond thinks that these figures ring true, given the number and types of breaches, adding that there are hundreds of small incidents each year and a few major ones that may hit US$25m–US$500m.

Before the introduction of Aramark's formal mobile policy ten months ago, people had no defined rules telling them what devices and operating systems were eligible to be connected to the company network. With the new policy, entailing role-based access and approved devices and configurations, the company knows precisely who has access and to which data. "It's no longer a wink and a nod," Raymond says. The higher the visibility of your program, the more likely it will be adhered to.

Mr. Raymond says that, although his business doesn't require it, separate environments for business and personal use are important, but if the policies surrounding them, or any other security measures, are not enforced, there will be issues. He says he is always surprised, when speaking with his peers, at how much of security in large organisations is just "smoke and mirrors". The words are there, the enforcement isn't.