August 31, 2020 By Michelle Greenlee 4 min read

As more work shifts to remote, organizations continue dealing with security challenges. Employees are now connecting to internal network resources from varied devices, and many may be connecting with personal devices. Working from off-site locations presents more chances for accidental and malicious data disclosure alike. Protecting personally identifiable information (PII) in difficult environments becomes ever more important. 

Personally identifiable information is an attractive target. The 2020 Cost of a Data Breach Report found 80% of security breaches included PII, more than any other compromised data type. Personally identifiable information continued to rank among top targets, along with stolen or compromised authentication credentials.

Endpoint security is as important as protecting systems they access. Lost or stolen devices continue to be a concern for organizations. According to the 2020 Cost of a Data Breach Report, lost or stolen devices are part of the top seven key factors that amplify the cost of a data breach. 

Protecting Personally Identifiable Information 

Protecting personal information is a continuous process. Following cybersecurity best practices to meet or exceed required regulatory standards can help organizations minimize risk while maintaining individuals’ privacy. Ensure your organization is doing all it can to secure and protect PII. Below are some steps for protecting PII:

Minimize Data Processed, Collected and Retained

Minimize risk by restricting data collection and storage to only what is legally necessary to do business. Obtain appropriate permissions from individuals before collecting personal data. Collect information at the required time. Limit access to data through systems controls and usage policies. 

Encrypt Data During Transmission and Storage

Encrypt data in all states and encrypt PII during transmission and when it reaches its destination. Encryption standards should meet requirements of privacy regulations and laws that may affect your industry.

Limit Data Access and Movement

Data disclosure through employees and third-parties are consistently on the rise. Access to data should be limited. Restrict data movement within systems. Restrict, monitor and evaluate access through third-party partners on a regular basis. 

Comply with Data Acquisition and Retention Regulations

Privacy laws and industry regulations affect the way data can be processed, stored and for how long. Compliance is best done by following regulatory requirements applicable to your respective industry. Organizations must ensure their practices, policies and procedures align with regulatory standards, as well as the privacy and security frameworks they’ve chosen to adhere. The General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) are two recent additions to the growing list of privacy laws and regulations governing the use and storage of data for residents based in a specific locale.

Develop Organizational Data Governance Policies

Develop a set of policies that govern data access and use within your organization. Policies should ensure the organization’s practices meet regulatory requirements. Compliance with external regulations will affect how an organization must disclose a data breach. Internal policies should require appropriate response and remediation protocols.

Focus on Data Loss Prevention

Consider deploying next-generation data loss prevention programs to limit lost data due to employees leaving or potential insider threats. A comprehensive program can help provide context during difficult situations that might otherwise include few insights into prior actions. Explore previous months activities in context with recent events. This provides a clear view of potential issues or peace of mind that no serious disclosure was made. 

Define a Data Destruction Schedule

Some forms of PII grow stale over time. Ensure data is accurate. Schedule time to eliminate unnecessary data at regular intervals. Revisit data destruction policies for effectiveness within your organization, and adjust them to best meet your organization’s privacy objectives.

Maintain Access Control Policies

Tracking device check-in/out, as well as the actual data on devices. Deploy device encryption and restrict device usage (travel, personal usage, etc). Ensure theft response protocols are up-to-date and serve the needs of the organization. Include these endpoints as part of your endpoint management.

Train Employees on Proper PII Access and Handling

Proper PII handling education should be part of an overall security strategy to help defend against accidental data leaks, and discourage intentional disclosures. 

A large number of accidental data leaks can be prevented with regular security training. This includes guidance on how to identify personal information. Employees need explicit instruction on what is considered personally identifiable information within the organization. Do not assume employees at all levels possess the knowledge necessary to discern their role in data protection. Attitudes around data can vary widely within an organization.

Building a Culture Around Security Awareness

Identifying PII can be difficult if employees haven’t been appropriately trained on what is considered PII and how it is to be handled within the organization. A culture of security awareness helps employees better understand roles and responsibilities with data and information systems. Employees who are risk aware can better assess potentially risky situations, hopefully avoiding them.

Employees should understand the context for limiting access to some systems. It may seem unjust or overly controlling to prevent access without this knowledge. Disallowing higher level access to systems may not be well received by some employees without the all-important context. Affected employees may find the decision very unfair.

Consider starting an insider threat program. Insider threats continue to be among the top security risks each year. Creating a program that allows employees to anonymously report malicious behaviors and also monitors systems for illicit activities can help prevent data losses.

Final Thoughts on Securing PII

Personally identifiable information continues to be an attractive and a high-value attack target. Protecting this precious data requires continuous monitoring and a solid understanding of how data flows through the organization and who has access to it. Train employees and third-party vendors to handle the data appropriately. Limit access to personal data to necessary business use and only to those who have appropriate training. Develop appropriate measures to govern data collection. Destruction and storage should be done to meet the standards of privacy regulation affecting your line of business. Revisit all that you’re doing at regular intervals to ensure data remains secured appropriately. 

More from Data Protection

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

Third-party access: The overlooked risk to your data protection plan

3 min read - A recent IBM Cost of a Data Breach report reveals a startling statistic: Only 42% of companies discover breaches through their own security teams. This highlights a significant blind spot, especially when it comes to external partners and vendors. The financial stakes are steep. On average, a data breach affecting multiple environments costs a whopping $4.88 million. A major breach at a telecommunications provider in January 2023 served as a stark reminder of the risks associated with third-party relationships. In…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today