With less than two days to go until the changes to the Privacy Act for the Notifiable Data Breach (NDB) scheme come into effect, it seems everyone’s thoughts are turning to privacy. Whilst it is up to the organisations and businesses that store your customer data to ensure it remains secure, now is a good time to revisit your own security measures to be certain your sensitive personal information remains in safe hands.
So, what are the possible risks of being reckless with your personal information? For an organisation the penalties can be severe. Once the Privacy Act NDB changes come into effect on February 22, organisations will need to ensure that customer information is properly protected or face massive fines. If your data is lost, and the loss could create a serious risk to you should the information fall into the wrong hands, they will need to inform both you and the Office of the Australian Information Commissioner.
According to Chris Hockings of IBM Security, it is timely for us all to reflect on the possible risks of providing sensitive personal information, known as Personally Identifiable Information (PII), and the steps we can take to protect such information.
“Whenever you sign up to any kind of platform or subscription (e.g. Facebook, online shopping, news websites, etc.), you may be required to provide personal information such as name, DOB and email. So, what if the details you provide were to be made public or were stolen due to a security breach? What would the ramifications be for you as an individual?” Hockings asks.
“With the NDB regulations, you’ll be notified if your personal data is lost during a breach, should that data loss pose a risk to you. In the past we may not have had visibility of a breach of our sensitive data, but today this new requirement aims to give individuals clarity around the circumstances of data loss.”
Whilst Hockings suggests the onus is on organisations to keep your data secure, he tells KBB we all have a hand to play when it comes to making sure our private information stays private.
Here are Hockings’ top tips to protect your digital identity
An ideal password is a long, nonsensical phrase
We’re currently going through a transition away from passwords towards more seamless login methods. In the future, we will see more use of fingerprints, facial recognition, mobile authentication solutions, etc. to log in to internet sites. However, today passwords are still the core method of access for most systems, and many of us do not take the care needed to create strong ones. Whatever password policy is in place at a site, it’s human nature to create a simple password that satisfies the bare minimum requirements. Consider creating a password that is more akin to a ‘passphrase’ – several unrelated words tied together, at least 20 characters long. These are harder to crack than a traditional eight-character password and will often not involve something that has special meaning to you or the site.
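An added illustration of this tip (example code, not from the article or IBM): it generates a passphrase of unrelated words and compares the guessing entropy of an eight-character alphanumeric password with that of a multi-word passphrase. The small word list is constructed for the example; the 7776-word list size assumed for the comparison is that of the EFF large wordlist.

```python
import math
import secrets
import string

# Constructed sample word list for this example only; a real generator should
# draw from a large published list (the EFF large wordlist has 7776 words).
SAMPLE_WORDS = [
    "orbit", "velvet", "tundra", "pickle", "lantern", "quartz", "meadow", "cobalt",
    "harbour", "saddle", "thimble", "glacier", "walnut", "falcon", "ember", "mosaic",
]
EFF_LARGE_LIST_SIZE = 7776  # assumed list size used for the entropy comparison


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent, uniformly random choices from `pool_size` symbols."""
    return picks * math.log2(pool_size)


def random_password(length: int = 8, alphabet: str = string.ascii_letters + string.digits) -> str:
    """A conventional random password: `length` characters drawn from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: list, min_chars: int = 20, separator: str = " ") -> str:
    """Join randomly chosen unrelated words until the phrase is at least min_chars long."""
    chosen = []
    while len(separator.join(chosen)) < min_chars:
        chosen.append(secrets.choice(words))
    return separator.join(chosen)


def compare_strength(word_list_size: int = EFF_LARGE_LIST_SIZE, phrase_words: int = 5) -> dict:
    """Guessing entropy (bits) of an 8-char alphanumeric password vs a multi-word passphrase.

    An attacker who knows the word list guesses whole words rather than characters, so
    the passphrase's strength comes from the list size and word count, not its length alone.
    """
    return {
        "password_8_alnum": round(entropy_bits(62, 8), 1),
        "passphrase_words": round(entropy_bits(word_list_size, phrase_words), 1),
    }


if __name__ == "__main__":
    print("password  :", random_password())
    print("passphrase:", random_passphrase(SAMPLE_WORDS))
    print(compare_strength())
```

Note that a passphrase drawn from a tiny list such as the sample one above is weak however long it is; the list size is what matters.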
Store passwords in a digital vault
Never reuse the same password for multiple accounts; if one account were to be compromised, an identity-based attack would then have a much broader scope of opportunity. It’s near impossible to remember all your different passwords, so use a password manager that stores them in a ‘digital vault’ – often it will also help you generate stronger passwords. Instead of trying to remember multiple passwords, you’ll only have to log in (hopefully with strong authentication) to the vault to access them.
Lie on your security questions
The answers to these questions can often be found online, e.g. the neighbourhood you grew up in, your mother’s maiden name, etc. Consider coming up with fake answers (which you should also store securely somewhere) so that they are harder to crack. Alternatively, you can choose to answer more opinion-based questions such as your favourite colour or movie – this kind of information is less likely to be found online. Understand that if an organisation were to be the victim of a data breach, your answers to security questions could be useful for hackers to create a ‘profile’ of you.
Double dip on security checkpoints
Many services allow for two-factor authentication (2FA), which adds an extra security checkpoint when certain risk factors are present, such as logging in from a new location/device. Try to choose accounts that you might use for logging into many sites and add 2FA to those accounts. By doing this, you can reduce the number of registration processes you need to go through, strengthen the authentication process for all these systems and also provide an easy way to disable the accounts in a central place for this network of services.
Get down with biometrics
Biometric authentication uses physical and behavioural characteristics as a means of protection. As previously mentioned, we’re approaching a future where the use of passwords as the sole method to establish identity isn’t enough. Device-level biometrics (Apple TouchID, FaceID, etc.) are being widely adopted by organisations to provide secure access to online services. Although this approach provides a more frictionless experience in accessing online accounts, you should be vigilant and not expose biometric data beyond the most trusted set of devices and systems. Today device manufacturers are working hard to ensure that those biometric profiles cannot be extracted from the single device you register them on.
Although organisations do have the responsibility to protect your data, this doesn’t mean you don’t have a part to play. Be aware of what information you relinquish and don’t risk your information being made available by blindly forfeiting it to an organisation, just so you can register for its service; ask yourself if it’s worth it and if it is, take all the necessary steps to protect your personal identity.