Sunday, April 29, 2012

Client Data Security - Why and How


I have finally decided to break the jinx of not keeping my blog updated. I shall update it once a week. Here's the post for this week.

In today's fast-changing business world, security regulations are pervasive: every new project (whether in the same geographical region as the client or a different one) brings a whole set of laws that must be followed to the letter where client data is concerned. Whatever the law misses is covered in the contract.

The next question is: why do clients put these clauses (about the privacy of their data) in their contracts?
They put them there because if the information leaks or is modified, the client stands to suffer monetary and intangible losses (lawsuits, government fines, a damaged image, lost customers, and so on).

Hence, to make sure that we understand and commit to the security and privacy of client information, they put the relevant clauses in the contract.

Bottom line: client data is sacred, and any security issue involving it can come back to haunt us (legally and otherwise). Hence it makes business sense to protect it.

This poses a challenge.

No one in their right mind would want to put client data at risk. However, because of the nature of our work and our focus on it, security sometimes takes a back seat. This shows up in our activities (we can also call them habits, since they keep recurring). Some of them are (the list below is indicative, not exhaustive):

1. Noting crucial information on a piece of paper and leaving it in a public place;
2. Sharing a password, so that any client information you have access to is now easily accessible to others;
3. Not keeping your anti-virus software updated;
4. Clicking a link in a mail without checking it first;
5. Discussing or sharing sensitive client information with people who do not need it for their work.

Human beings are creatures of habit, and habits matter a great deal in security. If I have a habit of sharing my password, there is a high chance that people near me (with good or bad intentions) can get hold of it; if I have a habit of not locking my machine when I step away, someone can read crucial information (the client's or my own) and make use of it.

Below are some habits that have been found to raise the security quotient of a project; everyone should adopt them so that we do not compromise the security of client information:

1. Secure your passwords
While it is not always practical to remember a password that lives up to the Garnier Fructis slogan (long and strong), understand that once you put something as sensitive as a password anywhere other than your brain, you must protect that copy, lest it get into someone else's hands. A password manager that encrypts its store under one strong master password is the right place for it; a sticky note or a plain text file is not.

2. Do not share your passwords
Once a password is shared, it is no longer yours (and nobody can tell any more who did what with the account). If you must share it because the project requires it, make sure you do not reuse that password anywhere else, and change it as soon as possible.

3. Keep your anti-virus software updated
Anti-virus software is usually set to auto-update by default, but it pays to be vigilant and update it manually if an update fails (e.g., because of bad network conditions).

4. Be careful while clicking a link
Most malicious code (viruses, trojans, worms, and so on) needs your help (unwitting, of course) to get onto your machine. We give that help by clicking a link without checking it first.
Always check a link before clicking it: hover the mouse over it rather than clicking, and read the real target in the browser's status bar. If the link points somewhere other than it claims (e.g., a bare IP address or a mis-spelt address), do not click it.

5. Do not share client information with anyone who does not need it
Now this is tricky: how do you know whether the person asking really needs it? A rule of thumb is that if the person is not on your project and has not been authorised by your manager or superior, he or she should not have that information.

6. Lock your machine while leaving it unattended
Leaving your machine unattended is a dangerous habit, because almost all our access rights and privileges are tied to the identity logged in on that machine. As one moves up the corporate ladder (and sometimes depending on project requirements), one gets access to information that is confidential in nature. Leaving the desktop or laptop unattended and unlocked may prove disastrous (think of someone stealing a file that your VP sent for your eyes only)!

Tuesday, November 29, 2011

Bait for Your Identity


I overheard this interesting talk last Sunday while harassing some poor developer to close an NC; have a dekko. But before that, a very short intro of the characters.

Character #1 - Baba Gyandev, aka if-Google-had-a-body-this-would-be-it, BG in short
Character #2 - Baby Busy, aka this-will-never-happen-to-me, BB in short, BG's follower #1
Character #3 - Paranoid Pandu, aka even-my-breath-should-be-encrypted-to-save-it-from-sniffing, PP in short, another follower of BG

Context - BG and his disciples are in a very good mood (thanks partly to the planetary alignments for BG, the recent appraisal for BB, and the latest encryption software he purchased for PP), but mostly because of the royal seafood meal they have just had.

BB - This place is good; we should come here more often.
BG (after a big gurgling sound emanated from the deepest corners of his intestine, making everyone else in the restaurant look for cover) - Yeah, the fish is good.
BB - I don't know why some people have devoted themselves to anti-fishing causes on the Internet; it is not as if we are trying to finish off all the fish!
PP - That was not this kind of fish, BB. It is called phishing, and it is very dangerous.
BB (with some alarm on her face) - Oh!

BG - PP, please do not terrorize her. BB, while it is true that phishing is a concern, it can be managed by some very easy-to-do things.
BB - Baba, please tell me more about this. What is this about?
PP - It is about stealing your identity.
BB - My identity? What identity?

BG - Bhaktjano (devotees), we are not going to talk about the identity that all of us are always looking for inwardly (who am I? What am I on this earth for? That kind of thing). That talk will come if you treat me to seafood at Taj Banjara. The identity we are talking about is ours on the information superhighway called the Internet.
BB - Identity on the Internet? What is my identity on the Internet?
PP (with some irritation) - Don't you have a Facebook account? Or a Yahoo/AOL/Hotmail/Gmail ID? Or an ID on any other website (IRCTC/ICICI/SBI/any other bank)?
BB - So what? Those are just login IDs, not my identity, Mr. Know-it-all!

BG - Please don't fight, kids. BB, in today's online world, everything is connected to everything else on the Internet. You can share content from one website on another, e.g., share an online article, or a review of the latest movie put up on some news site, on your Facebook account; you do a lot of financial transactions online. All of this requires that those sites know you. They give you login IDs so that they can recognize you the next time you log on. So all these IDs that we have online constitute our online identity. It is what we are and how people will recognize us when online.

BB - Yeah, I remember opening a recurring deposit account online with ICICI. They neither made me write a letter nor called me for approval. I started it online and it automatically deducts money from my account every month.
PP - That was because they knew it was you, because they knew the login ID belonged to you.

BG - Correct. But now the issue is this: crime always follows money. Bad people have realized that many (if not all) transactions are happening online now, so it makes more sense for them to somehow get hold of those IDs and passwords.

BB - Hmmm... Baba, how do these people do it? Where does phishing come into the picture?

BG - They create copies of well-known websites, with similar spellings, and put them online. Then they wait for you to land there.
PP - They do not always wait for you to come; they try to lure you there. Remember that LinkedIn invitation you said you had got from me? And the Facebook invitation from your husband?
BB - Yeah, I do. I also remember that you had a look and then asked me to delete them and not to click on any link in that mail.
PP - Because it was spam, meant for anyone who would believe it and click, thereby landing on the fake site. The person then provides his actual user ID and password, and then, la-la land!

BB - How do we stop it?
PP - These people are the reason I am very skeptical while online. I don't trust the Internet!

BG - PP, in that case, stop buying a house because the land mafia may take it over, stop buying gold or silver ornaments because they can be stolen, stop carrying money in your pocket because it can be, well, picked. And while you are at it, stop living (PP looks at BG in shock) because there are criminals out there who murder for a living.

BB starts laughing.

BG (with increased calmness) - Just because there are some issues with a technology or a facility, you don't stop using it. At least not when you get so many benefits from it. More so when you can protect yourself with some common-sense tips.

BB - Please tell me some tips so that I can protect my identity online.

BG - The first step is: don't click on any link blindly. Check it first. Is it pointing where it says it does?
PP - A link to Facebook should not go to some random site like gimme-your-password.com.
BG - True. In the lower left-hand corner of most browsers, users can preview and verify where the link is going to take them. Always check before clicking.

PP - Also, look at the language of the mail. E.g., look at the mail below (credit - http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx):


BG - In other words, do not click on links within emails that ask for your personal information.
PP - True. Actually, no organization in its right mind would ask for it in a mail. If it does, there is something 'phishy' there.

BG - Never enter your personal information in pop-up windows.
BB - What is wrong with a pop-up if it comes up after the original site has loaded? It means it has come from the site, right?
PP - Not necessarily. Sometimes a phisher will direct you to a real company's, organization's, or agency's website, but then an unauthorized pop-up screen created by the scammer will appear, with blanks in which to provide your personal information. If you fill it in, your information will go to the phisher. Legitimate companies, agencies and organizations don't ask for personal information via pop-up screens. Install pop-up blocking software to help prevent this type of phishing attack.
BB - That means I should never give confidential information in pop-ups.

BG - Correct. Also, phishing doesn't always need the Internet.
BB - ?????
BG - You may get a call from someone pretending to be from a company or government agency, making the same kinds of false claims and asking for your personal information.
PP - If someone contacts you and says you've been a victim of fraud, verify the person's identity before you provide any personal information.
BG - In other words, don't give (or offer to give) your account ID and password to some guy over the phone just because he claims to be from IT support. I know you did that yesterday.
BB (blushing) - That was because I needed some document very badly but was not able to log on to my machine. I had raised a ticket too.
PP - How do you know that this guy called because of that ticket? I was there too, and you did not verify his identity.
BB (getting a little angry) - There is nothing interesting in my account, even if someone gets the password.

PP - Yeah, true, but you reuse passwords, right? Which means one password of yours can open many of your accounts!
BG - Actually, it is not just a matter of having something interesting in your account. Once your account is compromised, bad people will use it to lure your friends and contacts.
PP - For example, if I get your Twitter/Facebook/Gmail ID, I can just ask your friends for a little money (I can guess who your friends are by looking at your past activity), and if they are like you, they will transfer the money first and call later. And this is just for starters.

BB is silent.
After some time, BB breaks the silence.

BB - So what should I do to stop this from happening?

BG - Be suspicious if someone contacts you unexpectedly and asks for your personal information. It could come in any form (online or offline), but ultimately you are responsible for your information. Keep it secure!
PP - You can also change your passwords regularly and use the security features available on major sites (like Gmail's two-factor authentication, Facebook's privacy features, etc.).
BG - Keep your browser and operating system updated and secure, because many phishing attempts are hidden in viruses and other bad code.

BB - Baba, what if I accidentally gave away some information? What should I do then?
BG - Contact the relevant officials immediately and inform them.
PP - For example, if you accidentally gave away your banking information, contact the bank immediately. In the case of an online account, change the password immediately and notify the website.

BB - Thank you, BG and PP.
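Both posts give the same advice about links: habit 4 in the April 2012 post above says to hover before clicking and to distrust a bare IP address or a mis-spelt address, and BG and PP say here that a link claiming to be Facebook must not go to gimme-your-password.com. The following is an added example, written for this page and not code from the original blog, that turns those manual checks into a small link checker. The allow-list of trusted sites, the table of look-alike character swaps, and the sample links are assumptions made for the example; 203.0.113.7 and the .example TLD are reserved for documentation, so none of the samples point at a real site.

```python
"""Added example: flag a link as suspicious before anyone clicks it.

Codes up the checks from the posts: read the real target, distrust bare IP
addresses and mis-spelt or look-alike domains, and make sure a link that
says 'facebook' really goes to facebook.com. The allow-list, the look-alike
table and the sample links are assumptions made for this example.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the handful of sites the reader actually logs in to.
TRUSTED_DOMAINS = {"facebook.com", "linkedin.com", "gmail.com", "google.com"}

# Assumption: a small table of digit-for-letter swaps seen in look-alike names.
LOOKALIKE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """'www.facebook.com' -> 'facebook.com'.

    Assumes two-label registrable domains; production code should consult the
    Public Suffix List so that names like 'bank.co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize_lookalike(domain: str) -> str:
    """Undo digit-for-letter and 'rn'-for-'m' swaps so look-alikes compare equal."""
    return domain.lower().translate(LOOKALIKE_CHARS).replace("rn", "m")


def check_link(href: str, display_text: str = "") -> list[str]:
    """Return the reasons a link looks like phishing bait; an empty list means none found."""
    reasons: list[str] = []
    parts = urlsplit(href.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if scheme not in ("http", "https"):
        return [f"unexpected scheme {scheme or '(none)'!r}"]
    if scheme == "http":
        reasons.append("plain http: the page can be read or altered in transit")
    if parts.username is not None:
        # 'https://facebook.com@evil.example/' is served by evil.example, not Facebook.
        reasons.append(f"'@' in the URL: the real host is {host!r}, not {parts.username!r}")

    # Bare IP address instead of a name: the posts say never to click these.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        reasons.append(f"host is a bare IP address ({host})")
        return reasons

    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised (punycode) label: what is shown may not be what resolves")

    domain = registrable_domain(host)

    # A trusted name buried in a longer host: 'facebook.com.evil.example' is evil.example.
    for trusted in sorted(TRUSTED_DOMAINS):
        if trusted in host and domain != trusted:
            reasons.append(f"{trusted!r} appears in the host, but the link goes to {domain!r}")

    # Mis-spelt look-alike such as 'faceb00k.com'.
    if domain not in TRUSTED_DOMAINS and normalize_lookalike(domain) in TRUSTED_DOMAINS:
        reasons.append(f"{domain!r} is a look-alike of {normalize_lookalike(domain)!r}")

    # Link text that names one site while the href goes to another.
    shown = re.search(r"((?:[a-z0-9-]+\.)+[a-z]{2,})", display_text.lower())
    if shown and registrable_domain(shown.group(1)) != domain:
        reasons.append(f"text says {shown.group(1)!r} but the link goes to {domain!r}")
    return reasons


# Constructed sample links (not taken from any real mail). 203.0.113.7 and the
# .example TLD are reserved for documentation, so none of these resolve to a real site.
SAMPLE_LINKS = [
    ("https://www.facebook.com/settings", "facebook.com"),
    ("http://203.0.113.7/login", "Reset your password"),
    ("https://www.faceb00k.com/login", "facebook.com"),
    ("https://facebook.com.evil.example/login", "facebook.com"),
    ("https://facebook.com@evil.example/login", "facebook.com"),
    ("https://gimme-your-password.com/", "facebook.com"),
]


def scan(links=SAMPLE_LINKS) -> dict[str, list[str]]:
    """Map each href to its list of warnings."""
    return {href: check_link(href, text) for href, text in links}


if __name__ == "__main__":
    for href, warnings in scan().items():
        verdict = "OK" if not warnings else "DO NOT CLICK"
        print(f"{verdict:12} {href}")
        for w in warnings:
            print(f"             - {w}")
```

Run it as a script and only the first sample passes; the other five trip at least one of the checks the posts describe. The checker deliberately reads the href, not the visible text, which is exactly what hovering over a link shows you. The checks are heuristics: a clean result means "nothing obvious", not "safe", and the two-label domain assumption in registrable_domain will misjudge country-code second-level domains unless it is replaced with a Public Suffix List lookup.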