Internet Privacy and Security: A Shared Responsibility

This document discusses the importance of internet privacy and security. It notes that as people's digital footprints grow, it is important for individuals to take personal responsibility to protect their online privacy and freedoms, as the internet belongs to all users. It discusses how both individual actions, like using security software and passwords, as well as collective actions, like privacy laws, can help curb the growing threat of cybercrime and data breaches. The document advocates that all internet users should be proactive in protecting their privacy online through security measures, and participate in debates around privacy and data use policies.

Uploaded by

Zaramagne Calibo

1

Internet Privacy and Security: A Shared Responsibility

Recent events have focused an intense spotlight on online privacy and security. With
Cyber Security Awareness Month coming to close, I thought I’d explore why it’s
critical we not let this moment pass and just lapse into our normal complacency about
these issues once the media thunderstorm passes.
Now more than ever, as our digital footprints grow exponentially, we need to take
personal action to preserve our online freedoms. Why? The Internet benefits and
belongs to all of us — thus it is our joint responsibility to protect it.
The benefits of the Web have, of course, come at some cost, one of which is a loss of
privacy. We are also more vulnerable to data breaches and identity fraud. But there
are many things we can do to minimize the risks of both.
The threat from hackers and cybercriminals has expanded in relation to our
dependence on the Internet. As our reliance grows, opportunities for them to prey on
us increase. Online data breaches are not new. They have been around since the
creation of the first networks, but there is a risk that they could reach epidemic
proportions — cyber fraud is currently the fastest growing category of crime in the
U.S. — and eventually erode our freedom to use the Internet as we desire.
As with past epidemics, what is required is a combination of collective and individual
action. It is not that much different from how we have managed medical plagues in
the past. When enough people stayed indoors, washed their hands or received
vaccinations, certain diseases were wiped from the planet. It took some time to
convince people to change their ways, but eventually as a society we worked together
to inoculate ourselves from many epidemics.
Taking it back to the Web, we should think of our digital identities as susceptible to
digital epidemics. Fifteen years ago, led by company IT teams, we started inoculating
desktop computers with anti-virus software. Now the battle has shifted to the cloud,
and we have to start walling off our digital communications, much of which are now
mobile. The more people that inoculate themselves from malware, spear phishing
attacks or hacker intrusions, the safer we all are.
Think about it, once you establish barriers to unwanted intrusions you wall off the
digital ailments that can spread so easily. Your online communications will be one
less component in a botnet assault. Your email account or Facebook profile can’t be
hacked to send a spear phishing request to a friend, colleague or business partner that
could lead to a larger data breach.
Although I view the act of taking personal responsibility for online privacy and
security as the single most important ingredient in stemming the tide of cybercrime,
there is also a role for government and law enforcement. We’re in the midst of an
interesting time as there aren’t comprehensive and functional data collection laws in
the U.S. and only some countries have variations of privacy acts, laws, and initiatives.
In the past 50 years, there have been several Supreme Court decisions to guarantee
our privacy rights — rights implied but not explicitly guaranteed in our Constitution.
But much of the ongoing furor today is in response to certain agencies not abiding by
such principles.
The ongoing NSA debate, tech giants advocating for transparency, medical identity
theft, and even Google’s Street View wire-tapping snafu, however complicated they
may be, illustrate one thing — online privacy and security are finally making
headlines. So let’s leverage the conversation for constructive benefit.
The great struggles — racial equality, gender equality, equal opportunity, and today,
universal health care, marriage equality and immigration reform — have all involved
crucial dialogue between our government and its citizens. And ultimately a legislative
agenda emerges to move society forward.
Of equal or even greater importance is whether or not we, the people, take action. We
as individuals need to demonstrate that privacy and security in the digital realm is a
top priority — that we are willing to take collective responsibility to protect ourselves
from growing threats to our online privacy and freedom.
A Pew Research Institute study from this summer revealed that 86 percent of
Americans have taken action to maintain anonymity online — deleting cookies,
encrypting email and/or protecting their IP address. Another telling metric from that
report states that 50 percent of Internet users say they are worried about the
information available about them online, up from 33 percent in 2009.
Additionally, an AnchorFree study from June 2013 that polled 1,200 U.S. and U.K.
college students revealed similar sentiments with 82 percent responding that they
were concerned about keeping their data private. Those are important developments
indicative of a changing tide in attitudes toward online privacy.
But everyone needs to do even more. A recent Verizon study of global law
enforcement data found that data breaches have more than doubled since 2009. Cyber
fraud perpetrated against individuals is growing at 15 to 20 percent a year, according
to the FTC. The only way to build a culture defensible against data breaches, hacks,
and identity theft is to contain them within the realm of minor inconvenience and not
allow them to be contributors to a mass assault. The more we do to inoculate
ourselves against the digital flu, the less likely a digital pandemic becomes.
It is no longer enough to install anti-virus software on your PC and dump your
cookies once a month. I urge everyone, first and foremost, to actively participate in
the debate about privacy and security. Equally important is for everyone to adjust their
online habits to help prevent privacy risks and security breaches. Choosing more
careful passwords, limiting where, when and with whom you share sensitive data, and
using a VPN to encrypt your data every time you go online are simple steps everyone
can take.
It is your responsibility to protect the Internet community for tomorrow’s users just as
much as it is mine.
David Gorodyansky is co-founder of AnchorFree.
2
DATA PRIVACY DAY 2020
SEPTEMBER 30, 2021

BETH STEWART

Led by the National Cyber Security Alliance (NCSA), Data Privacy Day began in the
United States and Canada in January 2008 as an extension of Data Protection Day in
Europe. Observed annually on January 28, Data Protection Day commemorates the
January 28, 1981 signing of Convention 108, the first legally binding international treaty
dealing with privacy and data protection.
As a returning Data Privacy Day Champion Organization, Pivotal IT is part of the
growing global effort among nonprofits, academic institutions, corporations,
government entities, municipalities and individuals to raise awareness at home,
at work and school and in their communities. Through collaboration and unified,
consistent messaging about privacy and protecting personal information, all Data
Privacy Day Champions are working toward the common goal of improving
individual and business consciousness toward respecting privacy, safeguarding
data and enabling trust.

OWN YOUR PRIVACY


Each year, data breaches continue to grow in size and scope – exposing
consumers’ sensitive, personal information and businesses’ valuable data.
Against this backdrop, Data Privacy Day helps spread awareness about privacy
and educates citizens on how to secure their personal information and works to
encourage businesses to be more transparent about how they collect, store and
use data. To promote these goals, Data Privacy Day’s 2020 theme is “Own Your
Privacy.”

CONSUMERS ARE CONCERNED ABOUT PRIVACY
Consumers are becoming more concerned about who can access their
information and why. With the California Consumer Privacy Act taking effect this
year and other states considering similar legislation, data privacy will become a
central issue for businesses in 2020. A recent survey by Pew Research Center
found that majorities of Americans think their personal data is less secure now
than five years ago and that data collection poses more risks than benefits. For
example:

• A majority of Americans report being concerned about the way their data is being
used by companies (79 percent) or the government (64 percent).
• Fully 79 percent of Americans say they are not too confident or not at all
confident that companies will admit mistakes and take responsibility if they
misuse or compromise personal information, and 69 percent report having this
same lack of confidence that firms will use their personal information in ways
they will be comfortable with.

PRIVACY IS GOOD FOR BUSINESS


Protecting your customers’ privacy is a competitive advantage. Respecting
consumers’ privacy is a smart strategy for inspiring trust and enhancing
reputation and growth. Cisco's 2018 Privacy Maturity Benchmark Study
showcased the importance of having good privacy processes and also
highlighted some of the financial benefits. Some of the top findings from the
study include:

• Sales delays due to data privacy concerns are widespread and significant in
length. 65 percent of organizations reported that they have delays in their sales
cycle, and among all respondents, the average sales delay was 7.8 weeks.
• The sales delays varied by country and industry. The longest delays by country
occurred in Latin America and Mexico, and by industry in the government and
healthcare sectors. Notably, the average sales delay was highly correlated with
the privacy maturity level of the organization.
• Sales delays also varied significantly by the organizational model adopted for the
privacy resources. A hybrid model, which has a mix of centralized and
decentralized privacy resources, had shorter delays (4.6 weeks), compared to
models with fully centralized (9.8 weeks) or decentralized resources (7.1 weeks).
• The level of privacy maturity also correlated with the likelihood and costs of data
breaches. 74 percent of privacy-immature companies experienced a cyber loss
of over $500,000 in the last year, compared to only 39 percent of privacy-mature
companies.

TIPS FOR TRANSPARENCY AND TRUST


Privacy is everyone’s business: If you collect it, protect it. Follow reasonable
security measures to keep individuals’ personal information safe from
inappropriate and unauthorized access.
Transparency builds trust. Be open and honest about how you collect, use and
share consumers’ personal information. Think about how the consumer may
expect their data to be used and design settings to protect their information by
default.
Build trust by doing what you say you will do. Communicate clearly and concisely
to the public what privacy means to your organization and the steps you take to
achieve and maintain privacy.
Conduct due diligence and maintain oversight of partners and vendors. If
someone provides services on your behalf, you are also responsible for how they
collect and use your consumers’ personal information.
HELP EMPLOYEES BE PRIVACY AWARE
Encourage employees to update their individual account privacy settings by
visiting Update Your Privacy Settings on staysafeonline.org.
Invite outside speakers to talk to employees about why privacy matters. Engage
your staff by asking them to consider how privacy and data security apply to the
work they do on a daily basis, regardless of department.
Create a #PrivacyAware culture by encouraging employees to sign up as Data
Privacy Day Champions - it's free and the NCSA will provide a toolkit of special
resources. Share messages about privacy around the office and via
communication platforms.
For more information about Data Privacy Day and how to get involved
visit staysafeonline.org/data-privacy-day.

3
NATIONAL CYBERSECURITY
AWARENESS MONTH 2018
JANUARY 25, 2019


BETH STEWART

Since 2004, National Cybersecurity Awareness Month (NCSAM) has represented
a collaborative effort between government, nonprofit and industry to ensure that
all Americans have the information they need to stay safer and more secure
online. Co-led by the National Cyber Security Alliance (NCSA) and U.S.
Department of Homeland Security (DHS), NCSAM has grown exponentially –
reaching consumers and organizations nationwide and encouraging all internet
users to be #CyberAware.
As a returning National Cyber Security Month Champion Organization, we’re
excited to be able to help spread the word for this week’s theme: “It’s Everyone’s
Job to Ensure Online Safety at Work” by shedding light on how small and
medium-sized businesses continue to be a target for cybercriminals and
providing information, tips and resources to help small businesses protect
themselves, their employees and their customers against the most prevalent
threats.

#CYBERAWARE TIPS FOR EMPLOYERS AND THEIR TEAMS

Identify Your Businesses’ “Crown Jewels”: These are the assets and systems
that are critical to your business. Visit https://staysafeonline.org/cybersecure-business/identify/
to learn how to identify your mission critical information.

Protect Your Businesses’ Assets: Put appropriate policies and systems in place
to keep your digital assets secure. For example, an Acceptable Use Policy that
addresses personal devices and internet use.
Visit https://staysafeonline.org/cybersecure-business/protect/ to learn more
about building cyber defenses around your businesses’ critical assets and
systems.

Be Able to Detect Cybersecurity Incidents: The faster you know about an
incident, the quicker you can mitigate the impact.
Visit https://staysafeonline.org/cybersecure-business/detect-incidents/ to learn
more about responding to cybersecurity incidents.

Have a Plan for Responding: Planning for a response is critical to reduce risks to
your business, customers, employees and reputation.
Visit https://staysafeonline.org/cybersecure-business/respond/ to learn more
about responding to security incidents and maintaining business in the short
term.
Recover Normal Operations: Move from the immediate aftermath of a cyber
incident to full restoration of normal systems and operations.
Visit https://staysafeonline.org/cybersecure-business/recover/ to learn more
about the immediate aftermath of a cyber incident and how to build your
cybersecurity posture to help prevent future incidents.

Your employees are the first and last line of defense in keeping your organization
safe and critical information protected. Be sure to educate ALL staff about their
vital role in the security of your business and the value of protecting consumer,
employee and other critical information.

4
HOW TO MINIMIZE THE
IMPACT OF THE EQUIFAX DATA
DISASTER
MARCH 29, 2019


BETH STEWART

IF YOU’RE A REGISTERED VOTER OR
HAVE A CREDIT CARD, IT’S VERY LIKELY
THAT YOU HAVE HAD YOUR PERSONAL
DATA STOLEN WITHIN THE PAST SIX
MONTHS.
There were 791,820,040 identities stolen in the United States alone in 2016.
Between the last half of 2016 and the first half of 2017 the number of reported
data breaches increased 13 percent and the number of data records lost or stolen
during that time increased 164 percent.
Unfortunately, this isn’t even the whole story when it comes to records; more
than 500 of the
The scary part is these statistics do not include the recent Equifax breach, which
compromised personal data of 143 million consumers, 209,000 credit card
numbers and 182,000 dispute
documents with personal identifying information.
When a credit card number is stolen, it is relatively easy to shut down the
compromised card and get a new one. The data compromised in the Equifax
breach included birthdates, addresses, driver’s license numbers and social
security numbers - information that is forever valuable and that can be used to
create a new “you”.
Unlike a credit card that can be cancelled with a quick phone call, in five years
your social security number will be the same. That nine-digit number is the
gateway to your financial ties, tax records, credit rating and employment history.
It’s also used as interconnected identification and treated as an authenticator to
make sure you are who you say you are.
With this data cybercriminals have opened the door for total identity theft and
unfortunately, protection from the long-term effects of this breach falls to the
consumer - so what can you do?

Prepare yourself; this will happen again

• Assume your information was compromised and that you will be affected
• Change the login information and passwords of any accounts connected to or
that could be affected by the breach. If the username/password has been used
on other sites, change those also. For details and information about creating
stronger passwords check out our blog post about the recent changes to the
NIST Password Guidelines.
• Obtain a copy of your credit report from all three reporting agencies (Equifax,
Experian and TransUnion) to check for unusual activity, especially over the past
four months. You are entitled to free copies of your reports once every 12
months via the annualcreditreport.com site. CreditCards.com provides a
great interactive credit report sample with a walkthrough of the most common
elements that appear in each of the three credit bureau reports, as well as a link
to a free annual credit report from TransUnion.
• Check and monitor credit card accounts, bank accounts, as well as hotel and
airline loyalty accounts for suspicious activity and fraudulent charges.
• Place a free fraud alert on your credit file with one of the three reporting
agencies. This renewable, 90-day alert requires lenders to verify your
identity before issuing credit and notifies you when anyone opens a new account
in your name. Only one of the three bureaus needs to be notified for a fraud
alert (whichever bureau you contact is required to notify the other two). Victims
of identity theft can request an Extended Fraud Alert, which lasts 7 years.
• Consider freezing your credit. Placing a freeze on your credit file prevents
anyone (including you) from applying for credit until the freeze is unlocked by
you. A freeze also prevents anyone from viewing or making changes to your
credit report. You must contact Equifax, TransUnion and Experian individually
to place a freeze and set up your personal identification number (PIN), which
allows you to temporarily lift, replace or remove the freeze. In South Carolina
there are no fees to place or remove a freeze. For North Carolina residents, the
fees can vary depending on the credit bureau, consumer age and if the protected
customer has been a victim of ID theft.
• File your taxes early! Having monitoring or a credit freeze in place does not
prevent tax related identity theft, which is already on the IRS’ Dirty Dozen List.
Unfortunately, the protections the IRS currently has in place (filing an identity-theft
affidavit or obtaining a filing PIN) are only available for victims of tax-related
identity theft. Having your Social Security Number exposed in a data breach is
not enough.
• Monitor your tax record. The IRS offers online access to tax records so
taxpayers can view the details of their tax accounts. If someone files a return in
your name you will be able to take action quickly.
• Watch out for phishing, phone and other scams that claim to be connected to
the breach or updates from Equifax. Equifax will be sending paper mail to those
impacted by the breach - they will not contact you directly by phone or e-mail.
• If you discover you have been a victim of identity theft, you should file a report
online with the Federal Trade Commission or contact them by phone at
877-438-4338. The FTC advises victims to also alert local law enforcement with
the following items: a copy of your FTC identity theft report, proof of address
such as a utility bill, government-issued ID with a photo and any other proof
such as a bill or IRS notice.

5
SPARTAN HIGH CYBER VIKINGS
JANUARY 25, 2019


BETH STEWART

VARÐ-VEITA: THE OLD NORSE PHRASE
MEANING TO DEFEND, KEEP, PRESERVE,
WATCH.
In the realm of cybersecurity, there is a vast shortage of people qualified to do
so. More than 1.8 million cybersecurity jobs will go unfilled by 2020, a 20 percent
increase over 2015. The shortage is widening not only due to lack of qualified
workers, but also the soaring rise in cybercrime. Malware-as-a-service
operations, exploit kits and other crimeware are readily available, making it easy
for low-tech criminals to get into hacking and they are doing so in record
numbers.
"WHO DARES, WINS" – THE SAGA OF HRAFNKEL FREYSGOTHI,
C.9
Cybersecurity is one of the least populated technology fields. Not only are
comprehensive cybersecurity undergraduate programs less common than
traditional computer science degrees, many recent graduates who are qualified
choose to take a different route, such as game or mobile app development. But
fear not: one senior, one junior, and three sophomores make up the 2017
Cyber Vikings, currently competing against 2,757 open division teams from
across the country in the National Youth Cyber Defense Competition. Part of the
National Youth Cyber Education program, the competition was created to
motivate students towards careers in cybersecurity and other science,
technology, engineering, and mathematics (STEM) disciplines.
Coach Dennis Roberts guides the team as they hack into computer systems,
learning to decrypt data, identify threats and discover vulnerabilities. The team
did well in the first round of the competition, which took place in November. In
December they will be advancing to the second round of the competition, which
determines their placement and advances to the State, Regional and National
competitions.
All of us at Pivotal IT are proud and excited to be sponsoring this great group
of talented students interested in cybersecurity and we will keep you updated
with their progress!
In the meantime, if you would like to learn more about the Cyber Patriot program
or would like to get involved, be sure to check out the U.S. Air Force
Association's Cyber Patriot resource page.

6
HOW TO CREATE AN
ACCEPTABLE USE POLICY
FEBRUARY 7, 2019


BETH STEWART

DEVELOPING AND IMPLEMENTING AN
ACCEPTABLE USE POLICY IS ONE OF THE
FIRST STEPS IN CREATING A COMPANY
WIDE CULTURE OF TECHNOLOGY RISK
MANAGEMENT.
Sometimes referred to as an Internet Policy, an Acceptable Use Policy (AUP) is a
formal set of rules governing computer, network and data usage that can help
limit your exposure to data breaches, minimize cyber risks and protect your
business’ reputation. We’ve talked about the Importance of an Acceptable Use
Policy in our earlier blog posts, but recent technology developments, laws and
regulations have made creating an effective AUP more challenging than it was
just a few years ago, so we want to provide you with more detailed suggestions
for creating an Acceptable Use Policy.
While there is some content considered a standard part of an AUP, it is important
to arm yourself with as much information as possible to customize your policy to
fit your unique processes and operations. An effective policy not only outlines
the rules (and the potential consequences for breaking them), but also explains
why the rules exist. Including these details in your Acceptable Use Policy can help
your staff to better understand the vital role they play in the security of your
network.
Below are important elements to consider including when creating and
customizing an effective Acceptable Use Policy:
SCOPE
Your AUP should clearly define the systems, devices, communications and
information that fall within the policy’s scope. Don’t forget to include often
overlooked items such as password requirements, corporate text messaging,
voice-mail, storage media, company software and cloud computing accounts.
CODE OF CONDUCT
One of the most important parts of your Acceptable Use Policy is the Code of
Conduct, which outlines the expectations and behavior for end users while
connected to your network. Prohibited activities should be clearly defined and
include items such as activities that violate any local, state or federal laws and
disclosing or sharing confidential information about your company, its clients or
partners. The Code of Conduct should also require appropriate language online
and ensure that activities do not disturb or disrupt other users on the network.
BUSINESS USE
As an employer, you are providing technology resources to help advance your
business interests. Your policy should include a clear definition of business use,
inform employees of expected ethical conduct while using these resources, and
their accountability for all use of corporate accounts.
TRAINING
Cybersecurity training can help to ensure end-users adhere to your AUP. When
the reasoning behind your policy is understood, employees are more likely to
recognize the value of it and to adhere to it. By educating your employees about
how quickly your entire network can be infected by irresponsible browsing,
stealthy malware downloaded onto a single computer or connecting an
unauthorized personal device, you are also helping them understand your
policies are not meant to “micro-manage” or deny them all access rights to the
internet.
COMPLIANCE & LEGAL REQUIREMENTS
Specific regulations, requirements and accrediting organizations vary from field
to field, such as HIPAA for the healthcare industry, the GLB Act for financial and
insurance industries and the General Data Protection Regulation (GDPR) for any
industry that collects or processes information from clients in the European
Union. Some fields must adhere to more than one compliance standard. For
example, a healthcare provider that accepts credit card payments and processes
them internally would fall under both HIPAA and PCI compliance. In any case,
your Acceptable Use Policy should address every standard that applies, recommend
best practices, and clearly outline all compliance requirements.
DATA
Small businesses make up more than 90% of businesses in the United States and
play a central role in the supply chain. Even the smallest networks can provide a
hacker access to credit card data, bank accounts, employee financial and
personal data, intellectual property, supplier networks and connected
organizations.
Defining what data your company collects and how that data is processed,
stored, accessed and disposed of is an important part of your Acceptable Use
Policy. Why is the data valuable? What data should be backed up? What data
should be encrypted in transit and at rest? Examining your internal data
processes can help you identify and address any weaknesses that may exist in
how sensitive data is currently being handled and accessed. By defining what
data is important and why, you give your staff a general expectation they can apply
if they forget a specific rule defined in your Acceptable Use Policy.
PERSONAL DEVICES
If you allow personal devices of any kind they need to be included as part of your
Acceptable Use Policy. Rules for what organizational data is allowed on
personal devices and expectations for how that data is accessed, transmitted
and stored should be clearly outlined. You should also address any required
mobile device management software, antivirus software, security controls,
identity management measures and remote wipe tools.
SOCIAL MEDIA
Social Media platforms can offer tremendous benefits for marketing and
communication, but they can also pose serious security risks. Some of the
greatest risks are the accidental disclosure of sensitive information, and accounts
being compromised by phishing/malware attacks either directly or through
password reuse and single sign on. Your Acceptable Use Policy can provide you
the ability to actively put restrictions in place to help you mitigate security risks
and limit the amount of sensitive information shared on social sites.
INDUSTRY SPECIFIC THREATS
While it may seem like cyber criminals send malicious emails to businesses on a
whim, research illustrates that is not the case. There are many factors that can
make a small business a lucrative target, ranging from the data and information a
company processes and stores to an organization’s place in the industry supply
chain. The most targeted industries can change drastically from year to year.
Arming yourself with industry specific security information can help you craft an
acceptable use policy that addresses your specific risk factors. Knowing that your
industry may be a target can also help you advise and educate your employees
accordingly, which can help to lessen the chances of a successful attack.
ENFORCEMENT AND CONSEQUENCES
There are many options to help you discreetly enforce your Acceptable Use
Policy, such as restricting access to sensitive information, configuring laptops and
desktops to prevent installation of applications, and content filters and/or firewall
rules to block prohibited activities.
Having employees sign your Acceptable Use Policy does not guarantee all
employees will fully comply and use your network resources only for business
purposes, which is why you should only create policies that you intend to enforce
and include the consequences for violating the policy in the policy itself. Since
violations can vary in extent, consequences should as well – depending on the
severity of the violation and the end user’s intent.
 
Your Acceptable Use Policy should be reviewed by an attorney before being
distributed to your staff. Once complete, a signed copy of the policy should be
included in each employee file, backed up with your vital records and included in
your business continuity plan.
If you would like a copy of an Acceptable Use template or more information on
how Pivotal IT can help you enforce your security policies and keep your data
secure, contact us.
 

LOCAL CALL SPAM? HERE'S HOW TO BLOCK ROBOCALLS ON LANDLINE AND MOBILE
MARCH 29, 2019


BETH STEWART

IT IS ESTIMATED THAT OVER 45 PERCENT OF ALL CALLS MADE ON ANY GIVEN DAY
ARE ROBOCALLS.

It happens…often.
Mobile phone and landline, business phone and personal. The number looks
legitimate, perhaps even the area code and prefix appear to be local – you
answer the call only to be met with silence, a robocall or the unmistakable sounds
of a call center. Welcome to Spoofing or, in the case of spam calls spoofed to look
like a local or familiar number, Local Call Spam or Neighbor Spoofing.
Caller ID spoofing used to require an advanced knowledge of telephony
equipment, which could be quite expensive. However, with the popularity and
availability of open source software, anyone can spoof calls with minimal cost
and effort. There are even spoofing services, where customers pay in advance
to receive a PIN, which is used along with the desired destination number and
the number they wish to appear on a caller ID. The call is then transferred with
the spoofed number chosen by the third party.
According to the 2017 Call Fraud Report from Pindrop, there has been a 113%
increase in fraudulent calls within the past year, with more than 46% of phone
calls in the United States being spam.  Active phone lines are valuable to
scammers, so answering a spoofed call can often result in opening your line to
even more spam calls. The problem has gotten so big that earlier this month,
the FCC filed a complaint in federal district court seeking to stop two related
operations that allegedly facilitated billions of illegal robocalls nationwide.
Scammers can use numbers from the local police department, bank or any other
reputable business so you think you’re talking to a legitimate representative –
hoping they can trick you into giving away valuable
personal information so it can be used in fraudulent activity or sold illegally. 
Common scams include:
You are promised a reduction in your credit card interest rates for an upfront fee
and confirmation of your personal information, which can then be used for
identity theft.
From “free” home security systems to week-long cruises that require your credit
card information for a small “processing fee.”
The caller claims you have a virus on your computer and they need access to
your machine to fix it.
Posing as the IRS, scammers demand a prepaid card for taxes you owe, or claim
you have a refund and require personal information to confirm it.
Offering you a lower rate, once you disclose your personal information.
Emails and calls from someone posing as the FTC (Federal Trade Commission)
advising that your registration on the National Do Not Call Registry is about to
expire. Registrations never expire. 
PROTECTING YOUR LANDLINE FROM SPOOFED CALLS 
In addition to the National Do Not Call Registry, in November of 2017, the
Federal Communications Commission (FCC) adopted new rules allowing phone
companies to proactively block illegal calls that are likely to be fraudulent.  Since
then, many of the major telephone companies provide resources to help
consumers block or filter annoying calls:

THE IMPORTANCE OF AN ACCEPTABLE USE POLICY
APRIL 9, 2019


BETH STEWART

AN ACCEPTABLE USE POLICY OR AUP IS AN INTEGRAL PART OF YOUR
INFORMATION SECURITY POLICY.
An Acceptable Use Policy is also one of the few documents that can physically
show “due diligence” with regards to the security of your network and the
protection of sensitive information and client data in the event of a breach or
regulatory audit.
Sometimes referred to as an Internet and E-mail Policy or Acceptable IT Use
Policy, an AUP serves many of the same functions as the long-winded Terms of
Service that you see when signing up for a new service. Despite the difference
in terms, these policies provide statements as to what behavior is acceptable
from users that work in or are connected to a network.
The findings of the recently released SANS Institute 2016 Threat Landscape
Study and fourth annual Checkpoint Security Report may help to provide some
additional perspective on why an Acceptable Use Policy is imperative for your
organization.  The study reveals a 400 percent increase in the loss of business
data records over the past 3 years.  The most common entry point for threats into
a network?  End user actions.
The competing demands of productivity, protection and privacy can make mobile
device security a difficult topic to address. Users are now more comfortable
blurring the lines between personal and work when it comes to personal mobile
devices, not always thinking about the implications. Most employees do
not want to be the cause of a network breach or data loss, yet one in five will do
so either through malware or malicious WiFi¹. All it takes is one infection on one
device to impact both corporate and personal data and networks.
We have spoken to clients and prospective clients who respond to our question
about having an Acceptable Use Policy with a quizzical look and even
indifference. Depending on the type of data that passes through or is stored on
your network, and who/what has access to your network – apathy is a recipe for
disaster. Counting on an end user alone to “do the right thing” is not a viable
security strategy.
Creating an effective AUP begins by collaborating with personnel from human
resources, finance, legal, IT,  and security.  The questions below can provide a
good starting point when creating your policy:
When is it OK to send information outside the enterprise via e-mail, blogs and
message boards, media sharing and instant messages - When is it not?
What types of information are prohibited in the e-mail system? Personally
Identifiable Information? Payment data? Internal memos? Customer data?
What procedures will be necessary to discourage risky behavior and enforce
established policies? Who will be in charge of enforcing them?
As you create your AUP be sure to:
Have an understanding of what records and data are vital to the survival of your
organization and the internal and external forces that can affect them.
Create policies that consider business assets, processes and employee access
to files and data.
Address employee-generated content, communication channels and connected
devices.
Evaluate security measures (physical and network-related) and potential
solutions.
Monitor and enforce policy via security technology and human oversight.
Train employees to recognize risks and refrain from insecure behaviors.
A signed copy of the policy should be included in each employee file, backed up
with your vital records and included in your business continuity plan.
If you would like a copy of an Acceptable Use template, help creating your AUP
or more information on how Pivotal IT can help keep your network and data
secure, don't hesitate to contact us.

CYBER SAFE SHOPPING
JANUARY 25, 2019


BETH STEWART

THE HOLIDAY SHOPPING SEASON IS HERE AND WHETHER YOU'RE PART OF
THE HUSTLE AND BUSTLE OR FILLING YOUR CART FROM THE COMFORT OF
YOUR HOME, THE INFORMATION AND TIPS BELOW CAN HELP YOU MAKE IT A
SAFE SHOPPING SEASON!
Start with a Clean Machine - Make sure all of your web-connected devices and
applications are up to date with the most current software versions and free from
malware and other infections.
Lock down your Login - Usernames and passwords are no longer enough to
protect your key accounts like email, banking and social media. Enable the
strongest authentication available to fortify your accounts, such as biometrics,
security keys or unique one-time codes.
Watch out for Counterfeit Apps - There has been a recent surge of counterfeit
apps found on both the Google Play and Apple App stores.  For a safe shopping
experience, downloading the app directly from the retailer's website may be your
safest bet.  As always, be sure the URL of the site you are visiting begins with
"https:" instead of "http" and look for the padlock icon.
Get savvy about WiFi Hotspots - Wireless kiosks are popping up everywhere.
But before you connect, understand the dangers of untrusted networks.  Avoid
banking transactions and logging onto your key accounts when out and about.
Adjust your phone's security settings to limit who can access your phone and
what information is shared.
Be wary of emails requesting information - Legitimate businesses will not solicit
purchase or account information. Never provide sensitive information through
email. If you receive an unsolicited email from a business, directly log on to the
authentic website by typing the address, do not click the link.
Do business with reputable vendors - Malicious websites take great strides to
look legitimate (and often succeed).  Before making a purchase at a new store,
check reviews and verify the website is legitimate prior to supplying any personal
or payment information.
Find and Turn Off Leaky Apps - Recently, it has been revealed that as many as
half of popular shopping apps collect user data without explicit consent. Many
privacy and sharing settings are turned on by default; check within the app
settings to limit what information is collected and shared and to control access
permissions.
Discounts, coupons and free offers for downloading apps can be tempting, but
keep in mind that if an offer is too good to be true, it probably is (and if it's
free, you are the product). For more information on safe shopping this holiday
season visit the Cyber Safe Holiday Shopping Resource provided by the National
Cyber Security Alliance and Stop.Think.Connect.
We will be taking a close look at privacy policies, terms & conditions and how you
can protect your privacy in our upcoming blog series, so until then - shop safe
and check back soon!

SOCIAL (MEDIA) SECURITY PART 2
JANUARY 25, 2019


BETH STEWART

Social Media platforms can give a small business SEO, communication with
customers, sales leads, a free** place to showcase products and more. The
downside is that company pages are often created and managed by personal
accounts, and the security best practice of having a unique sign-in for each
account can be easy to overlook (especially when prompted by an app or service
provider to sign up or sign in with a Facebook, Google or other
account). **Generally speaking, if you are not paying for the service, YOU are
more than likely the product.
THE RE-EMERGENCE OF USERNAMES AND PASSWORDS FROM THE 2012 LINKEDIN
BREACH SHOWS HOW QUICKLY AND EASILY ACCESS CAN BE GAINED TO MULTIPLE
ACCOUNTS WHEN THEY ARE NOT PROPERLY SECURED.
As our blog series concludes, we take a closer look at security and privacy
settings for Twitter and Google.
TWITTER
Click on your profile picture and select settings from the drop down menu. 

Under the account tab you will find general settings including auto video playback
and the option to request a copy of your Twitter archive.

In the security and privacy tab, the first section you will see is login verification. 
This is Twitter’s two factor authentication (2FA) which requires a mobile phone
number connected to your account for SMS text verification.
Due to increasing concerns over the security of SMS-based account
verification, the newest draft of the Digital Authentication Guidelines released by
NIST recommends moving away from SMS-based messages as a form of
authentication. If you are interested in using Twitter’s login verification, our
partners at SOPHOS have a fantastic walk-through for setting up Twitter’s 2FA.
Privacy settings are found just below the security section. 

Here you can alter settings for photo tagging, control who receives your posts
and opt out of adding a location to your Tweets (which is enabled by default). To
opt out of targeted advertising and for the most privacy, be sure to leave “Tailor
Twitter based on my recent website visits” and “Tailor ads based on information
shared by ad partners” unchecked.
The apps section will show you the applications that currently have access to
your Twitter account.  

Be certain to revoke access to any unrecognized apps and those you no longer
use.

At the bottom of the navigation menu you will find a section called “Your Twitter
Data”. 

As we covered earlier in this series, this section shows your login history, helping
you to identify unauthorized use of your account.
GOOGLE
In an attempt to make it easier to protect and secure your information, the
internet giant provides step by step Security and Privacy Checkups and other
services in the Google Dashboard.  
From any Google service, click your profile picture and select My Account to
access your dashboard.

Under Security Checkup, selecting Get Started will begin a walk-through of your
security settings, including adding contact numbers and email addresses used for
account recovery. This continues to details of devices connected to your
account, with the ability to report suspicious devices or activity.
The security section concludes with what services and applications have access
to your Google account and links to remove them.  Once completed, you will be
returned to the dashboard and the date of your security checkup is listed for easy
reference.
The Privacy Checkup shows what information is viewable to visitors, used
between connected services and shared as endorsements, and gives you the
ability to edit each setting. The Learn More link provides a further explanation of
how the data is collected and what information is saved and shared.

The final section of the privacy walkthrough is where you find the details for ad
personalization and targeted advertising.  Once selected, a screen appears
advising you of new features for your account and a somewhat vague
explanation of how targeted advertising works across the platform and your
connected devices. 

There is a large “I Agree” button at the bottom of the page, but we recommend
selecting more options and learning about the features and how they can affect
your account before enabling the service.
The Google Safety Center (formerly Google Good to Know) is another service
you can access for information about your security and privacy settings, app
management and free resources for parents and educators to help children stay
safe online.
We hope you’ve enjoyed this short blog series on Social Media Security.
Contact Pivotal IT at (864) 327-4075 to learn more about our robust security
solutions. From hardware and software to security training workshops for your
organization, we are here to help you reach your security goals.

SOCIAL (MEDIA) SECURITY


JANUARY 25, 2019


BETH STEWART
IF IT'S FREE - YOU ARE THE PRODUCT
In this Pivotal IT blog series we will be guiding you through securing some of the
most popular media sites.

THE RELEASE OF UNENCRYPTED USERNAMES AND PASSWORDS FROM THE 2012
LINKEDIN HACK SERVES AS A POWERFUL REMINDER TO REVIEW YOUR PROFILE
SECURITY SETTINGS AND WHY IT IS SO IMPORTANT TO USE A UNIQUE PASSWORD
FOR EACH ACCOUNT.

LINKEDIN
From the drop down menu, select privacy and settings. 


Under the account basics tab you will find the date your current password was
created and the ability to change and update your password.

The account basics tab also provides details on your active sessions, listing all
the places you are signed into LinkedIn. This information can help you identify
unauthorized use of your account.  You can sign out of sessions individually or all
at once and should do so anytime you reset your password.

Under the privacy tab, you will find selections for data sharing with third parties,
advertising preferences and two factor authentication.

To opt out of sharing basic profile and contact information with third party
applications and “trusted third party platforms” select no for both choices under
sharing data with third parties. To enable  two-step verification, you will need to
provide a phone number.  Turning this feature on will sign you out of all active
LinkedIn sessions.

FACEBOOK
Facebook’s Privacy Check-up is a fast, easy way to check your basic security,
but we’re going to drill down into what data is being collected and made
accessible to third party apps and advertisers through connected services.

After selecting “See More Settings” you will find editable categories on the right.
The App settings page will show you what apps are currently connected and
logged in with your Facebook account. It’s important to note that if you turn off
the platform completely, you will no longer be able to use applications or
websites connected to your Facebook account.


Selecting each app attached to your account will provide the details of the
service and what information it collects.  You can remove any item not labeled as
“required” by the app by clicking the checkmark to deselect it.
Verify each app connected to your account by clicking on the application name.
For the privacy conscious, a review of the “Apps Others Use” section is
recommended. Here we can see the information anyone with the ability to view
your profile (not just friends) can "take" with them to the apps, games and
websites they view.


Facebook recently introduced a way to show ads across the web, not just to its
own users. A new privacy setting was also released, giving users the ability to
limit how their Facebook activity shows up in ads outside the platform.  
Opting out of Facebook tracking your behavior across websites and apps to
determine what ads you see is nothing new. But now you can also opt out of your
information and activity on Facebook providing information for the ads.  Under
Apps in the right navigation menu you will find ad preferences.

The first section allows you to turn off interest based ads and also provides a link
to the Digital Advertising Alliance, where you can opt out of interest based
advertising for all participating companies across the web. The second section
provides control for information shared off the Facebook platform and the ad
preferences section contains the catalog of things you have expressed interest in
on Facebook, websites and other services connected to your account. Turning
off the platform completely means you cannot play games or use applications.
You can limit the information by de-selecting the information you do not want to
share.

Social media can have tremendous benefits but can also have serious
security risks for organizations. Two of the greatest risks are malware and
disclosure of sensitive information. We hope this blog series will help you
mitigate the security risks and limit the amount of sensitive information you disclose.
Be sure to check back soon, when we take a look at privacy and security for
Twitter and Google.

DARK PATTERNS - DECEPTION BY DESIGN
SEPTEMBER 19, 2019


BETH STEWART

FROM THE PRE-CHECKED BOXES THAT SUBSCRIBE YOU TO A NEWSLETTER, TO
THE DISGUISED FINE PRINT THAT GIVES A COMPANY PERMISSION TO SELL YOUR
PERSONAL INFORMATION, DARK PATTERNS ARE EVERYWHERE.
When talking about a website, the phrase “bad design” may conjure up images of
terrible color schemes or mismatched fonts, but from a privacy and security
perspective, “bad design” takes on a whole new meaning.
Dark Patterns are purposefully designed tricks used within the interfaces of
websites and apps crafted to nudge you into signing up for or purchasing things
you didn’t mean to. During their ongoing investigation into Dark Patterns,
researchers at Purdue University identified five strategies that most Dark
Patterns fall under: Nagging, Obstruction, Sneaking, Interface Interference and
Forced Action.
Below are some of the most common examples of Dark Patterns for each of the
five strategies and their sub-types.
Nagging: A redirection of expected functionality that persists over more than one
interaction, or when a desired task is interrupted by other tasks not directly
related to the one the user is focusing on. One example of this is the prompt for
enabling notifications in the Instagram app, where the only two options are “Not
Now” and “OK”, giving the user no ability to discontinue notifications. Other
examples of this Dark Pattern include pop-ups that hide the interface and
auto-play audio and video.
Not much of a choice here

 
Obstruction: Making an interaction more difficult than it needs to be in order to
prevent an action.
Brignull’s “Price Comparison Prevention” - This Dark Pattern purposefully makes
comparing the prices of products and services difficult.  Tactics include hiding
model numbers/product IDs and preventing important product information on the
website from being copied to stop users from pasting the information into a
search bar or different website.
Brignull’s “Roach Motel” - A situation that is easy to get into, but hard to get out
of. This usually occurs when a user is easily able to sign up for a service, but
closing an account is difficult (or in some cases impossible). This Dark Pattern
typically requires a user to call to cancel the account, where they are further
pressured to maintain the account (if you’ve ever tried to cancel SIRIUS XM,
you’ve experienced this firsthand). Another example is The New York Times,
where in order to cancel an online subscription, users are required to call during
specified business hours.

Easy to get in, not so easy to get out


Intermediate Currency – Users are required to spend real money to purchase a
virtual currency to use a service or purchase goods. Most often seen in video
games and in-app purchases for mobile games, the aim is to disconnect users
from the real dollar value spent, which can result in users spending the virtual
currency differently than they would real money.
Sneaking:  An attempt to hide, delay or disguise information that is relevant to the
user, in order to make a user perform an action they may object to if they had
knowledge of it.
One example of sneaking comes from Salesforce.com, which requires the user
to consent to a privacy statement before they can unsubscribe from an email
newsletter.  This privacy statement allows for Salesforce to sell the user’s
information to other countries.

A hefty price to unsubscribe


Brignull’s “Forced Continuity” – If you have ever signed up for a free trial that
requires a credit card, forgotten the expiration date and been automatically
charged and signed up – you’ve experienced forced continuity. This Dark Pattern
takes advantage of users forgetting to check and keep up with expiration dates.
Brignull’s “Hidden Costs” – A late or obscured disclosure of certain costs.  In this
Pattern, the advertised price is changed late in the transaction due to taxes, fees,
limited time conditions or outrageous shipping costs.  An example of this can be
found on the website for the Boston Globe, where a site wide banner claims a
user can subscribe for 99 cents a week, but if you follow the process to
subscribe, it is revealed that the advertised pricing only lasts for four weeks.
Brignull’s “Sneak into Basket” – This Dark Pattern sneaks an additional item or
items into a user’s online shopping cart, often claiming to be a suggestion based
on other items purchased by the user. An example of this can be found when
purchasing a domain from godaddy.com. The selection page shows pricing for
one year of domain registration, but after selecting the domain and proceeding to
the shopping cart page, the price is inflated due to additional items, which require
specifically opting out, being snuck into the basket: 2 years of domain registration
instead of one year as shown on the selection page.

Automatically adding two years to the cart - pretty sneaky!


Brignull’s “Bait and Switch” – This pattern makes it appear that a certain action
will cause a certain result, only to have it cause a different, likely undesired
result. One example of this is the “X” button of a pop-up performing any action
other than closing the pop-up window. Another example is found in the mobile
game “Two Dots”, where the button to buy more moves is placed where the
button to start a new game is normally positioned. This manipulation of muscle
memory increases the likelihood of the button being accidentally triggered by
the user.
Interface Interference: Any manipulation of the user interface that favors specific
actions over others, confuses the user or limits the discovery of possibilities of an
important action.
Hidden Information – Options or actions relevant to the user that are not made
readily accessible. This Dark Pattern attempts to disguise relevant information as
irrelevant and can manifest as content or options hidden in fine print, a terms and
conditions statement or discolored text. An example of the latter is when the text
or link to unsubscribe from a newsletter or mailing list is colored the same as the
background in an attempt to make it more difficult to see.
Preselection – Any situation where an option is selected by default before any
user interaction. For example, when Twitter recently updated their email
notifications, they automatically opted all users into receiving emails for
several items, including “Top Tweets and Stories” activity.

Just what everyone needs...more email


Aesthetic Manipulation – Any design crafted to focus a user’s attention on one
thing in order to distract or convince a user.  This Dark Pattern has four specific
subtypes:  
Toying with Emotion – Use of color, language or style to persuade a user into an
action. Two examples of this can be found when trying to deactivate a Facebook
account. When starting the process, users are shown friends that “would miss
them”, and Facebook tries to convince the user to stay by offering a counter
argument to whatever reason they selected for deactivating their account.
False Hierarchy – Giving one or more options visual or interactive precedence
in an interface in order to convince a user to make a selection. For example,
when trying to unsubscribe from Yahoo’s newsletter, the design encourages
users to click a large, blue “no, cancel” button. In order to actually cancel the
subscription, the user must select one of the small, light gray text options under
the large blue button.
Brignull’s “Disguised Ad”– Ads disguised as interactive games, download buttons
or other prominent interaction or information a user is looking for.  
Brignull’s “Trick Questions” – Use of confusing wording, double negatives or
leading language to manipulate user interactions. This Dark Pattern is commonly
seen when registering with a service, where check boxes are shown, but their
meaning is alternated, so the first choice means opt out and the second choice
means opt in.
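Two of the Interface Interference patterns above (Preselection and Hidden Information) can be checked for mechanically. The audit below is an added example, not code from the original post or from Pivotal IT: it flags consent checkboxes that are checked before any user interaction and unsubscribe links whose text colour is too close to the background, using the WCAG contrast ratio. The element records it walks are a constructed stand-in for a DOM scan (in a browser they would come from querySelectorAll and getComputedStyle), and the keyword lists are assumptions, not a standard.

```javascript
// Added example: audit a form description for Preselection and Hidden Information.

// Parse "#rrggbb" or "#rgb" into [r, g, b] integers 0..255.
function parseHex(hex) {
  let h = hex.trim().replace(/^#/, "");
  if (h.length === 3) h = h.split("").map((c) => c + c).join("");
  if (!/^[0-9a-fA-F]{6}$/.test(h)) throw new Error(`bad colour: ${hex}`);
  return [0, 2, 4].map((i) => parseInt(h.slice(i, i + 2), 16));
}

// WCAG 2.x relative luminance of an sRGB colour (0 = black, 1 = white).
function relativeLuminance([r, g, b]) {
  const lin = [r, g, b].map((v) => {
    const c = v / 255;
    return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
  });
  return 0.2126 * lin[0] + 0.7152 * lin[1] + 0.0722 * lin[2];
}

// WCAG contrast ratio between two colours, from 1:1 (identical) to 21:1.
// 4.5:1 is the AA minimum for normal-size text.
function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(parseHex(fg));
  const l2 = relativeLuminance(parseHex(bg));
  const [hi, lo] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (hi + 0.05) / (lo + 0.05);
}

// Assumed keyword lists: which checkbox labels count as marketing/sharing consent,
// and which link texts are the "way out" that a dark pattern would try to hide.
const CONSENT_WORDS = /newsletter|marketing|partner|share|sell|offers|promotions/i;
const ESCAPE_WORDS = /unsubscribe|opt[- ]?out|cancel|deactivate/i;

// elements: array of { type, name, label|text, checked, color, background }.
// Returns one finding per pattern hit; an empty array means nothing was flagged.
function auditForm(elements, { minContrast = 4.5 } = {}) {
  const findings = [];
  for (const el of elements) {
    // Preselection: a consent-type checkbox already ticked before the user acts.
    if (el.type === "checkbox" && el.checked && CONSENT_WORDS.test(el.label)) {
      findings.push({
        pattern: "Preselection",
        name: el.name,
        detail: `pre-checked consent box: "${el.label}"`,
      });
    }
    // Hidden Information: the unsubscribe/cancel link blends into the background.
    if (el.type === "link" && ESCAPE_WORDS.test(el.text)) {
      const ratio = contrastRatio(el.color, el.background);
      if (ratio < minContrast) {
        findings.push({
          pattern: "Hidden Information",
          name: el.name,
          detail: `link contrast ${ratio.toFixed(2)}:1 is below ${minContrast}:1`,
        });
      }
    }
  }
  return findings;
}

// Constructed sample form: one honest checkbox, one pre-ticked partner-offers box,
// a normal blue link and an unsubscribe link in near-white on white.
const SAMPLE_FORM = [
  { type: "checkbox", name: "tos", label: "I accept the terms of service", checked: true },
  { type: "checkbox", name: "promo", label: "Send me partner offers", checked: true },
  { type: "link", name: "help", text: "Help centre", color: "#0000ee", background: "#ffffff" },
  { type: "link", name: "unsub", text: "Unsubscribe", color: "#f2f2f2", background: "#ffffff" },
];

function sampleFindings() {
  return auditForm(SAMPLE_FORM);
}

for (const f of sampleFindings()) {
  console.log(`${f.pattern} (${f.name}): ${f.detail}`);
}
```

Only the "promo" checkbox and the "unsub" link are reported; the terms-of-service box is checked too but is not a marketing consent, and the help link has ample contrast.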
Forced Action: Any situation in which users are required to perform a specific
action to access or continue to access functionality.
An example of Forced Action is something most of us are familiar with - shutting
down a PC running the Windows 10 operating system.  When there is a system
update available, the choices are “Update and Shut Down” and “Update and
Restart”, leaving no choice but to proceed with the update.  

So much for options


The earlier example of sneaking illustrated on Salesforce.com is also part of this
Dark Pattern, since the user must agree to allow the site to sell their information
to other countries in order to access functionality (in this case, unsubscribing).
Social Pyramid/Friend Spam – Commonly used in social media applications and
online games, this Dark Pattern incentivizes or requires users to recruit others in
order to use a service. The Farmville app provides a great example of both social
pyramid/friend spam and the final sub-type, Gamification, by pressuring users to
invite friends because certain goals and features within the game are useless or
inaccessible without online friends also playing.
Gamification – Certain aspects of a service can only be “earned” through
repeated use of aspects of the service.  For example, the mobile game Candy
Crush Saga occasionally gives players levels that are impossible to complete in
order to urge them into purchasing extra lives or power ups.  If the player does
not purchase anything from the game, it will slowly revert in difficulty in order to
keep users playing.
The Federal Trade Commission Act regulates the use of deceptive online
marketing, advertising and sales - but unfortunately has no legal authority to
regulate companies that use Dark Patterns to trick and deceive users. Although
there is no clear solution to the Dark Pattern issue, raising awareness is key and
the ability to spot Dark Patterns can go a long way in helping you avoid them
(and the companies that use them).
If you are interested in joining the fight against these deceptive design tricks, be
sure to visit the Dark Patterns website created by Harry Brignull - which he
founded to "shame and name" websites and companies that use Dark Patterns.
