Here’s what’s up this week:
- Microsoft Secretly Collects Data from Enterprise Office ProPlus Users
- Microsoft Guidance on Flawed SSD Encryption
- How to Get Your Users To Stop Opening Phishing Emails
Microsoft Secretly Collects Data from Enterprise Office ProPlus Users
Microsoft collects data on a large scale about the individual use of some enterprise Office apps without explicit consent, so admins may want to take steps to protect them.
Privacy Company, based in the Netherlands, has reported the “large scale and covert collection of personal data” of Microsoft Office ProPlus (Office 2016 MSI and Office 365 CTR) users. Users and administrators are neither asked for consent nor told the data is being collected.
Further, the report shows that the way Microsoft solutions are behaving here makes the company a data collector under GDPR, which has more restrictive rules than a data processor. The report asserts GDPR violations. As this report was being written, Microsoft committed to creating new zero-exhaust settings.
The report provides guidelines for administrators who are concerned. Some are easy, such as apply the new zero-exhaust settings. Others are a bit tougher, like do not use SharePoint Online, OneDrive, or the web-only version of Office 365.
Get the full report from Privacy Company titled, Impact assessment shows privacy risks Microsoft Office ProPlus Enterprise.
Microsoft Guidance on Flawed SSD Encryption
Last week researchers showed that common hardware-encrypted SSD drives can be hacked, and this week Microsoft offered guidance to deal with it.
It’s like this. You need to use Bitlocker encryption instead of the not-so-secure hardware encryption.
- Group policy can be deployed to force Bitlocker encryption
- If hardware encryption enabled, Bitlocker will not encrypt the drive
- You have to find the hardware encrypted drives, decrypt them, and then encrypt with Bitlocker
Get the “how to” details in this Microsoft advisory titled, ADV180028 | Guidance for configuring BitLocker to enforce software encryption.
How to Get Your Users To Stop Clicking Phishing Scams
Researchers have figured out the problem with users who click on scams too easily, and offer some general guidelines for stopping them.
Dr. Matthew Canham, a post-doctoral scholar with the Institute of Simulation and Training at the University of Central Florida, wants to beat the phishers. To do this, he is studying the people who click on phishing scams.
It turns out, they are nice people. They don’t imagine evildoers are scamming them because they don’t think about scamming others. Not surprisingly, stressors, greed, and sex are strong click-bait.
While some people might not learn quickly, they do learn. The solution is basically to train people repeatedly. Recommendations include:
- Give an initial full training (15 mins to an hour)
- Hold monthly 5 minute refresher trainings
- Send fake phishing emails the company (but maybe don’t dupe your CEO….)
- Give prizes for people who are not fooled by test/fake emails, bigger prizes for getting several in a row right
- Make people feel like part of a team achieving a common goal, not outcasts
For more read this article from CSO Online, How to reach that person who will click on anything.