Ignorance is never bliss: What a whitehat taught me about data privacy

I recalled how that session at Echelon Asia Summit 2019 was ‘paranoia at first sight’ for me.

Co-founders Dexter Ng and Andy Prakash, armed with only some basic info commonly found on anyone’s business card, proceeded to demonstrate how easy it was for hackers to scam potential victims.

I wasn’t the only one shaken after the event, it seems. One of my e27 colleagues revealed that since then, she would set a regular notification on her calendar to remind herself to change all of her passwords.

Fast forward to 2020. We greeted the new business normal with much trepidation. While I’m aware that there seems to be an increase in fraudulent activity as a result of the evolving digital landscape, it wasn’t until I caught up with Ng again that I grasped the severity of the situation.

He painted the picture by recounting as many horror stories as he could in the limited time we had.

“In this era, where businesses are going digital, information is king and we have seen too many instances of data breaches leading to illicit data mining,” Ng began his narrative.

“No one wants their data to be publicly disclosed inciting identity fraud or harassment. We discovered that a significant number of businesses don’t have a Data Protection Officer appointed or even know what the mandatory PDPA obligations are.”

According to Ng, this gap in the market was what led Andy Prakash to start Privacy Ninja, a tech startup that aims to empower companies to protect their data, trust, and loyalty by improving their people, process, and policies.

To be spoofed is to believe

Because I had to see for myself what Ng was talking about, I volunteered as tribute. In under three minutes, Ng had spoofed my work email account to make it look like I was attempting to borrow money from him. The entire thing looked legitimate, from my name down to my email signature.

Imagine this business email spoofing scenario playing out multiple times across the globe, and taking different forms: a request from your boss to release payment, a request for sensitive data from a stakeholder, and the list goes on.

Authorities caution that scammers are likely to take advantage of the circuit breaker period by attempting to trick more people since the working arrangements can lead to less oversight. In fact, Ng shares on their homepage blog that for the past week, a group of blackhats has been selling a steady stream of user databases from alleged data breaches.

The various levels of online creepy

If business email spoofing is terrifying, then prepare to be even more petrified. Hackers can easily check out previous passwords of your email accounts, so if your current one is too weak or follows the same pattern as your previous ones, you’re setting yourself up for future headaches.

In his demo with me, Ng only needed about a minute to pull up the string of old passwords of my personal email account.

My weak former passwords revealed in under a minute

The final demo for the day was what Ng dubbed ‘call spoofing’. Call spoofing happens when the caller ID is changed to any number other than the calling number. In my case, I didn’t tell Ng whose number I had given him, but as the screenshot of his phone below shows, he knew as soon as he spoofed that number to call me.

Sorry, Mom 😛

For employees, knowledge is power

Profit loss, identity theft, and stolen bank information are only some of the possible issues individuals may face in the wake of a data breach. Here, Ng shares some nuggets on how employees can better secure themselves especially in these uncertain times:

  • When in doubt, call up the person in question. It only takes a few minutes to verify if you’ve indeed received a legitimate message.
  • Don’t use the same passwords across all accounts because if data gets leaked, you’re in big trouble. You don’t want your life’s worth of data to end up in the hands of virtual thieves.
  • No user account registration means no data can be lost. Be mindful of where you agree to sign up and what data that site can collect from you.
  • Don’t use the same browser for everything you do. For example, you may use Chrome for Gmail, Google Meet, or Facebook, then use Firefox or Brave browser for online shopping or personal banking. It’s an open secret that Google and Facebook track and continue to monitor your browsing activity even when you close their tabs or log out.

As such, education and awareness are key to securing your data privacy, and data protection training is the first step in any organisation’s data protection journey. In fact, during this work-from-home period due to the COVID-19 pandemic, Privacy Ninja has conducted live webinar training for employees from various companies for its PDPA Compliance & Awareness course.

“Employees gearing up to take on the Data Protection Officer role in their company or staff handling personal data would greatly benefit from training, and learn not only the PDPA obligations for compliance, but also best data protection and cyber hygiene practices,” Ng explained.

For businesses, ‘better safe than sorry’ can’t be more true

“The last time when companies only needed to focus on protecting the office, it was already difficult for them. Now they have multiple endpoints (laptop and mobile devices) accessing their company files from different locations all over.”

“Company data has become more challenging for SMEs to protect, especially those who don’t even have an IT team or an IT personnel in the company,” he added.

One way to solve this is through data protection software. Privacy Ninja has made it easier and more affordable for SMEs to keep their sensitive data private with its Privacy Data Protection endpoint software. For home users, it recommends Bitdefender software, for which a company called BitCyber is the appointed distributor in Singapore.

“We can identify sensitive documents via keywords or regular expressions,” Dexter revealed. “Once sensitive files are identified, employees working from home won’t be able to share those sensitive files on platforms such as Facebook, WeChat, Telegram, or WhatsApp. From whatever platform the company chooses to restrict company documents, we are able to configure for them.”
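The keyword-and-regular-expression identification Ng describes can be illustrated as follows. This is an added example, not Privacy Ninja's software; the keyword list, the Singapore NRIC pattern with its public check-letter validation, the sample documents and all function names are assumptions chosen for illustration.

```python
import re

# Assumed rule set (constructed for illustration): keywords and patterns an
# organisation might mark as sensitive.
KEYWORDS = ("confidential", "payroll", "passport no")
NRIC_RE = re.compile(r"\b([STFG])(\d{7})([A-Z])\b")   # S/T/F/G series only
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

def nric_checksum_ok(prefix, digits, letter):
    """Validate the check letter so arbitrary 9-character codes are not flagged."""
    weights = (2, 7, 6, 5, 4, 3, 2)
    total = sum(int(d) * w for d, w in zip(digits, weights))
    if prefix in "TG":
        total += 4
    table = "JZIHGFEDCBA" if prefix in "ST" else "XWUTRQPNMLK"
    return table[total % 11] == letter

def scan(text):
    """Return a sorted list of (rule, match) findings for one document."""
    findings = set()
    lowered = text.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            findings.add(("keyword", kw))
    for m in NRIC_RE.finditer(text):
        # A regex hit alone is not enough; the checksum removes false positives.
        if nric_checksum_ok(*m.groups()):
            findings.add(("nric", m.group(0)))
    for m in EMAIL_RE.finditer(text):
        findings.add(("email", m.group(0).lower()))
    return sorted(findings)

def may_share(text, threshold=1):
    """Policy decision: block sharing once findings reach the threshold."""
    return len(scan(text)) < threshold

# Constructed sample documents.
DOC_SENSITIVE = "CONFIDENTIAL payroll: Tan Ah Kow, S1234567D, ahkow@example.com"
DOC_HARMLESS = "Lunch order ref S1234567A, pick up at 12:30."

if __name__ == "__main__":
    for doc in (DOC_SENSITIVE, DOC_HARMLESS):
        print(may_share(doc), scan(doc))
```

The second document contains a string shaped like an NRIC, but its check letter is wrong, so the regex match is discarded and the file stays shareable.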

Getting a PDPA check-up: one small step for SMEs, one giant step for business empowerment

It’s not only company data that businesses should be looking after. With Singapore proposing to tighten the data protection laws, companies must also be at the forefront of PDPA knowledge and compliance. As PDPA laws and stiffer penalties for info leaks are in place, learning about these and complying with them is not optional, but a fiduciary duty among businesses.

“This is why Privacy Ninja is also offering a complimentary PDPA compliance checkup where in a matter of minutes, businesses will be able to tell their level of compliance,” Dexter asserted.

With work from home now part of the new reality, the chances of fraud among businesses and even employees surge exponentially. Now that you know this much, it’s high time that you step up and fight tooth and nail to protect your company’s data privacy and your own.

Image credit: 123rf.com / ID 60342843

The post Ignorance is never bliss: What a whitehat taught me about data privacy appeared first on e27.