This is an original article from NIST Manufacturing Innovation Blog.
It might not be the most important subject on your mind when running your business, but online privacy is becoming increasingly important as we move closer to a fully internet-connected world.
What is Privacy?
Simply speaking, privacy is withdrawal from company or public view. Since at least 1890, there has been discussion about a person’s right to keep their personal matters secret. Privacy is closely related to information security, which is about protecting the confidentiality, integrity and availability of information. Privacy is more concerned with how data is collected, stored, processed and used. Guarding your online privacy can involve protecting any form of personal information such as photos, videos, drawings or documents.
In most cases, you cannot maintain your online privacy without keeping your information secure. This is why it’s important to consider both security and privacy to keep your business’s information safe. Getting Started with the NIST Privacy Framework describes the relationship between security and privacy in more detail, but for simplicity, this blog will only focus on the overlapping part of the relationship.
What Are Common Online Risks?
As we become more connected, the chances of personal information being leaked onto the internet increases. Data breaches, theft and information leaks often result from a lack of security on the user’s end. According to the 2020 Verizon Data Breach Report, 22% of breaches in 2019 were due to simple human error — things like an email being sent to the wrong person or an employee accidentally revealing their login credentials. These risks need to be assessed when dealing with personal and sensitive information.
In the business world, you have to balance the amount of information that you release to the public with advertising what your business does. Does something you’re about to send out or publish on social media reveal anything that it shouldn’t about the business?
For example, say an intern posts a photo of himself at the entrance of your business. That seems innocuous, but if the intern's badge or your company's security system is visible, an attacker could copy the badge design or look up known weaknesses in that particular lock, reader or camera model and use what they learn to gain unauthorized access. Be aware of this and carefully screen the information you release about yourself and your business.
Tracking Cookies and Digital Fingerprinting
Another thing to consider is the data collected about you and your employees on the internet. Tracking cookies and digital fingerprinting both follow your online activity. Cookies are small pieces of data that a website stores in your browser so that it can recognize you on later visits, remember settings and record what you do on the site; an advertising or analytics network whose content is embedded on many sites can use its own cookie to follow you across all of them. Digital fingerprinting instead combines characteristics of your browser and device, from the size of your screen and the fonts installed to the way you move your mouse cursor, into an identifier that works even when cookies are blocked or cleared.
Cookies and fingerprinting record where you go and what you do online, and that record helps a criminal plan an attack. For example, if tracking data about your customers is collected on your company's website and later exposed, an attacker could use it to send targeted emails, called spear phishing, that appear to come from your business and reference things the recipient actually did. The links in these emails lead to fake websites that trick people into entering their login credentials, which can then be used to break into your network.
Social Media Risks
Engaging with social media also presents a risk. Employees may share information about your company that you would rather keep private. For example, employees may share photos of their surroundings at work without realizing that the photo contains business-sensitive information in the background. Information leaked online can be used in a social engineering attack, where people are tricked into giving confidential information, or a physical attack like a break in. Your security protections may be excellent, but if an employee posts a picture with a password showing in the background, your security system will have little effect.
Businesses that operate a social media presence or website should also be aware whether their system is tracking people through cookies or fingerprinting. Many states have laws about how such information may be collected or used, and laws about when that information must be destroyed.
Guard Your Privacy
Consider what information should be shared. Before sending out images or messages, consider whether they contain sensitive information including:
- Anything that could be used by a criminal, such as a picture of your security systems
- Receipts for equipment or other potentially sensitive information about your company
- Anything personal, such as when a staff member is on vacation
- Potentially embarrassing information, like a customer’s search history
Here are some tips on maintaining online privacy:
Train Employees to Think Through What They Share Online
Train your employees not to reveal information that can be used against them or the company. For example, an employee might mention on social media that they hold a senior position at a company. When they later post photos while on vacation, an attacker learns both that the employee has valuable access and that their home is empty, and may use that opportunity to break into the house or to take over the employee's work accounts while they are away.
Employees should be trained not to share information about their job unless it’s cleared and approved. Any information online can be readily collected and shared by attackers. Even seemingly innocuous information when collected and aggregated can pose a risk. Information like IDs, login credentials, worksite photos, telephone numbers, supplier lists and employee schedules can be used by criminals.
Update Your Browsers and Programs
Keep all programs, operating systems and web browsers up to date and patched so they protect your information as intended. Running the latest version of a program closes the vulnerabilities that were found and fixed in earlier versions, which are exactly the ones attackers target once a fix is published. If stability is a priority and you cannot move to a new major version right away, still apply the security patches for the version you run; they fix the known vulnerabilities without changing how the program works.
Use a Network-Level Website Blocker
Avoid websites that deliver adware or malware through their advertising. A network-level website blocker (for example, a DNS filter on your network that refuses to resolve known-malicious domains) prevents users from connecting to these websites whatever device or browser they use. In addition, turn off the autofill and autocomplete functions offered by browsers and search engines. They store private and sensitive information such as names, addresses and payment details, so it is especially important to turn them off on shared machines.
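To make the blocking rule concrete, here is an added example of the decision logic a DNS-based network blocker applies. It is not code from the original article or from NIST; the blocklist, allowlist and query names are constructed for illustration and the domains are hypothetical. It shows the three details such a filter has to get right: names are case-insensitive, a blocklist entry must cover all of its subdomains but not names that merely end in the same letters, and an allowlist must override the block.

```python
"""Decision logic for a network-level (DNS) website blocker.

A DNS filter answers queries for blocked names with a sinkhole address so
the device never connects. This models the matching rules such a filter
needs: names are case-insensitive, an entry covers all of its subdomains,
substring matches must NOT count, and an allowlist overrides the blocklist.
"""
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample lists; the domains are hypothetical, not real ad networks.
BLOCKLIST: Set[str] = {
    "ads.example",              # every subdomain of ads.example is blocked too
    "tracker.example.net",
}
ALLOWLIST: Set[str] = {
    "cdn.tracker.example.net",  # an exact host the business still needs
}
SINKHOLE = "0.0.0.0"            # answer returned for blocked names


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().lower().rstrip(".")


def covering_entry(name: str, entries: Set[str]) -> Optional[str]:
    """Return the entry that covers `name`: the name itself or any parent
    domain. Matching is label-wise, so 'notads.example' does not match
    'ads.example' even though it ends with the same characters."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in entries:
            return candidate
    return None


def decide(name: str) -> Dict[str, str]:
    """Decide how to answer one query name."""
    name = normalize(name)
    if name in ALLOWLIST:  # exact allowlist entries win over any block
        return {"name": name, "action": "allow", "reason": "allowlisted"}
    hit = covering_entry(name, BLOCKLIST)
    if hit is not None:
        return {"name": name, "action": "sinkhole", "answer": SINKHOLE,
                "reason": f"blocked by {hit}"}
    return {"name": name, "action": "allow", "reason": "no match"}


def sinkholed(queries: Iterable[str]) -> List[str]:
    """Names from a query log that the filter would sinkhole."""
    return [normalize(q) for q in queries if decide(q)["action"] == "sinkhole"]


if __name__ == "__main__":
    # Constructed sample of names a workstation resolved during the day.
    SAMPLE_QUERIES = [
        "www.example.com", "Banner.Ads.Example.", "notads.example",
        "cdn.tracker.example.net", "sub.cdn.tracker.example.net",
    ]
    for q in SAMPLE_QUERIES:
        print(decide(q))
```

Note that the allowlist here is exact-match only, so `sub.cdn.tracker.example.net` is still sinkholed; whether an allowlist entry should also cover its subdomains is a policy choice, and a DNS filter should document which rule it uses.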
Turn Off Browser History (or Reduce Its Scope)
Browsers keep a history of visited pages so they can suggest addresses you have typed before, and the same kind of visit data is what advertisers use to personalize ads. However, a stolen history can be used by criminals to blackmail employees into providing sensitive business information or money in return for not releasing it publicly. If your company's security policy requires keeping some browser history, retain it only for a defined period and make sure old entries are destroyed when no longer needed.
Turn Off Tracking
When given the option, turn on your browser's "Do Not Track" setting, which sends websites a signal that you do not want to be tracked. This is only a request, and many sites ignore it, so treat it as one layer rather than a guarantee. Some websites may not work with tracking blocked. In those cases, try incognito or private mode, which discards cookies and history when the window closes but does not hide your activity from the site itself. When you must use a website that requires tracking, do not do so from a computer that has access to sensitive information.
Use Advertisement Blocking Extensions
In addition to being annoying, online advertising can deliver malware to your network, because the ads on a page are served by third parties the site owner does not control. Blocking advertisements greatly reduces this risk. Network-level ad blockers are easier to manage and cover every device, but usually cost more than relying on individuals to add blocking extensions to their browsers.
Block Cross-Site Cookies
Cookies are small pieces of data that a website stores in your browser to save information such as site preferences and logins. The same mechanism can identify a user across the internet when the cookie belongs to an advertising or analytics service embedded on many different sites: these are cross-site (third-party) cookies, set by a domain other than the one shown in the address bar. Disabling cookies completely would make some websites unusable, so blocking only cross-site cookies while allowing each site's own cookies is a good middle ground. Cookies that are not necessary should be blocked, so another option is to maintain a list of sites where cookies are allowed and block them everywhere else.
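The cross-site question also applies to the cookies your own website sets, which the Social Media Risks section above says a business should be aware of. The following added example (not code from the original article or from NIST) audits `Set-Cookie` headers and reports which cookies a browser would send in a cross-site context and which would outlive the session. The sample headers are constructed, the cutoff date `AUDIT_AS_OF` is an assumed reference time, and the classification follows the browser rules for the `SameSite` and `Secure` attributes: a cookie is only sent cross-site when it says `SameSite=None`, `SameSite=None` without `Secure` is rejected, and an absent `SameSite` is treated as `Lax` (the Chromium default, assumed here for all browsers).

```python
"""Audit Set-Cookie headers for cross-site tracking capability.

Rules applied: a cookie needs SameSite=None to be sent in cross-site
(third-party) contexts; SameSite=None without Secure is rejected by
browsers; an absent SameSite is treated as Lax (the Chromium default);
only a future Expires or a positive Max-Age makes a cookie outlive the
browser session.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

# Assumed reference time for the audit, so results do not depend on today's date.
AUDIT_AS_OF = datetime(2022, 7, 1, tzinfo=timezone.utc)

# Constructed sample headers; domains and values are hypothetical.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",
    "_tid=x9y8z7; Domain=.tracker.example.net; Path=/; Max-Age=31536000; Secure; SameSite=None",
    "pref=dark; Path=/; Max-Age=2592000",
    "ad_id=1; SameSite=None; Max-Age=31536000",
    "tmp=1; Secure; SameSite=None",
    "old=1; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; SameSite=None",
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr=val; Flag' into name, value and a dict of
    lower-cased attribute names (flags such as Secure get an empty value)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def lifetime(attrs: Dict[str, str], now: datetime) -> str:
    """'persistent' (survives closing the browser), 'session', or 'delete'
    (Max-Age <= 0 or Expires in the past). Max-Age takes precedence."""
    if "max-age" in attrs:
        try:
            return "persistent" if int(attrs["max-age"]) > 0 else "delete"
        except ValueError:
            return "session"  # browsers ignore an unparsable Max-Age
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return "session"
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return "persistent" if exp > now else "delete"
    return "session"


def classify(header: str, now: Optional[datetime] = None) -> Dict[str, str]:
    """Classify one Set-Cookie header."""
    now = now or datetime.now(timezone.utc)
    name, _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "lax").lower() or "lax"
    secure = "secure" in attrs
    life = lifetime(attrs, now)
    if samesite == "none" and not secure:
        verdict = "rejected: SameSite=None requires Secure"
    elif life == "delete":
        verdict = "deletion"
    elif samesite == "none" and life == "persistent":
        verdict = "cross-site tracking capable"
    elif samesite == "none":
        verdict = "cross-site, session only"
    else:
        verdict = "first-party only"
    return {"name": name, "samesite": samesite, "secure": str(secure),
            "lifetime": life, "verdict": verdict}


def audit(headers: List[str], now: Optional[datetime] = None) -> List[Dict[str, str]]:
    """Classify a list of Set-Cookie headers, e.g. captured from your own site."""
    return [classify(h, now) for h in headers]


if __name__ == "__main__":
    for row in audit(SAMPLE_HEADERS, AUDIT_AS_OF):
        print(f"{row['name']:<10} {row['lifetime']:<10} {row['verdict']}")
```

A cookie flagged "cross-site tracking capable" is the kind a third party can use to follow visitors between sites; whether it actually is third-party depends on which site embedded the response, which the header alone cannot tell you. Run this over the headers your own site and its embedded widgets return and you have the inventory the state cookie laws mentioned above require you to know about.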
Block Flash Player
As of January 2021, Adobe no longer supports Flash Player, meaning no further patches, including security patches, will be released for it. Unless your company specifically requires Flash Player for its day-to-day operations, block it from being installed on local machines or your network.
Block Internet Access Where It’s Not Necessary
If a machine does not require internet access for your business operations, do not allow it to connect. Physically isolate it if necessary, both from the network (a machine with no network cable or wireless adapter cannot be reached remotely) and from casual physical access. Put devices that require network access but no internet access on a separate VLAN or LAN whose firewall rules allow no outbound route to the internet. For machines that only need internet access sporadically to run updates, connect them only for as long as the update takes.
IMEC and the MEP National Network Are Ready to Help You
Knowing how to mitigate risks and maintain online privacy can be overwhelming, especially for small and medium-sized manufacturers with limited resources. Experts at IMEC and other MEP Centers are available to help you with these and other cybersecurity issues. If you reside outside of Illinois, click here to contact your local MEP Center.
What Can You Do Now
Department of Defense prime contractors and subcontractors are required to achieve Cybersecurity Maturity Model Certification (CMMC) by 2025 in order to earn or retain DoD contracts. IMEC is offering a 15-part CMMC Cybersecurity Training Series for Manufacturers that will guide you through the process toward CMMC certification, verifying to the DoD that you have adequate cybersecurity controls and policies in place to meet DoD security standards.
Live, virtual training begins July 7, and will meet monthly through September 2022. This series will:
- Translate the Cybersecurity Maturity Model Certification (CMMC) framework into language that manufacturers – not cybersecurity experts – can understand. Recordings of monthly training will be available for all participants.
- Provide an up-to-date deep dive into each of the CMMC control families and domains
- Outline monthly action steps for you to make ongoing progress toward CMMC compliance while still operating your company
- Provide 1-on-1 monthly guidance to make regular progress on the CMMC requirements
- Save $100,000+ in consulting costs for an external provider to complete the process of demonstrating compliance with CMMC in policies, procedures and practices