What steps can individuals take to protect their privacy online?
So, what can you do to reduce the risk of threat actors accessing your personal information? What steps can you take as an individual and as a business?
Websites should be limited to business related information only to reduce the ability of an adversary to collect personal information on employees. You could consider whether you need to have email addresses and phone numbers listed for all employees, or whether a contact page form could serve the same purpose.
2. Email settings
As well as this, there are technical settings that can be implemented to reduce the number of phishing emails reaching an employee inbox.
Sender Policy Framework (SPF)
This is used to prevent domain spoofing by restricting who can send emails from your domain. It requires a policy framework, authentication method and specialised headers. A risk of using SPF as an isolated measure is that the message source is not validated.
Domain Keys Identified Mail (DKIM)
DKIM is used to verify the source of the email and to ensure its content has not changed in transit. By using this email security, standard spoofing an email from a trusted domain, which is a popular technique in phishing, is made harder.
Domain-based Message Authentication Reporting & Conformance (DMARC)
This ties the SPF and DKIM together with a consistent set of policies also linking the sender's domain name to what is in the ‘from:’ header of the email.
3. Be aware of who you connect with online
If you do not already know the individual behind a new connection request, take the time to do your due diligence. A fake entity could have been set up to gather information about the target, you! Regardless of your privacy settings, a threat actor will have greater access to personal information if they are part of your network. You bolted the door (set a password), locked it with multiple keys (adjusting privacy settings), but by accepting an unknown request you let the first person who knocked on the door into the house. Intelligence tools can be leveraged, and with little human input it is easy to be provided with trends, topics of interest, even potential sleeping times of the user!
4. Securing the login process
You should take steps as a company or as an individual to strengthen the security of your login process. Top tips include downloading a Password Manager such as 1Password and introducing a Multi-factor Authentication platform or application.
5. LinkedIn privacy settings
Estimates show that 90 percent of useful information acquired by intelligence services comes from public sources. A single profile can provide:
- Date of Birth
- Friends and Connections
- Work Address
- Home Address
- Pattern of Life – Working hours, sleeping hours, travel times and travel means as well as route taken
- Political Leaning
- Topics of Interest
- Potential earnings/statistics from an influencer profile
It could therefore be useful to review your privacy settings, which can be found by clicking your profile image in the top right, and under Account you will see “Settings & Privacy”.
Areas to review:
1. Due diligence on connections
- Click communications from the left navigation bar
- Review the sections under “Who can reach you”
2. Hide your activity
- Click your profile image in the top right
- Click Settings & Privacy
- Choose Privacy
- Next you should see Profile Viewing Options
- By choosing “Private Mode” others will not be able to see your activity feed or know you viewed their profile.
3. Data privacy & advertising data
- Review how LinkedIn uses your data, and which third parties also have access to it.
4. Limit contact information in your profile as well as when you visit others (Mobile / Home Address should be a no)
- Click Visibility from the left navigation bar
- Edit the profile viewing options (Adjust what people see when you visit their profile)
- Edit your public profile
- Who can see or download your e-mail address
- Who can see your last name (Is it necessary to have your last name on there?)
5. Account Access
- Review your active sessions and where you are signed in. A device you may no longer have you forgot to wipe may still have access.
- This is where you will also find Two-step verification
Apply the same thought process from LinkedIn across any social platform. Limit publicly visible information, carry out due diligence, check how your data is being used and review your sign ins.
Using a more obscure username will undoubtedly increase the time it takes someone to find any social media you are using. However, using the same social media handle across all of them will do the contrary.
Instil a security culture through training. Introducing a training programme will help employees to be able to spot and report a phishing or ransomware attack email.