As more work shifts to remote, organizations continue dealing with security challenges. Employees are now connecting to internal network resources from varied devices, and many may be connecting with personal devices. Working from off-site locations presents more chances for accidental and malicious data disclosure alike. Protecting personally identifiable information (PII) in difficult environments becomes ever more important.
Personally identifiable information is an attractive target. The 2020 Cost of a Data Breach Report found 80% of security breaches included PII, more than any other compromised data type. Personally identifiable information continued to rank among top targets, along with stolen or compromised authentication credentials.
Endpoint security is as important as protecting systems they access. Lost or stolen devices continue to be a concern for organizations. According to the 2020 Cost of a Data Breach Report, lost or stolen devices are part of the top seven key factors that amplify the cost of a data breach.
Protecting Personally Identifiable Information
Protecting personal information is a continuous process. Following cybersecurity best practices to meet or exceed required regulatory standards can help organizations minimize risk while maintaining individuals’ privacy. Ensure your organization is doing all it can to secure and protect PII. Below are some steps for protecting PII:
Minimize Data Processed, Collected and Retained
Minimize risk by restricting data collection and storage to only what is legally necessary to do business. Obtain appropriate permissions from individuals before collecting personal data. Collect information at the required time. Limit access to data through systems controls and usage policies.
Encrypt Data During Transmission and Storage
Encrypt data in all states and encrypt PII during transmission and when it reaches its destination. Encryption standards should meet requirements of privacy regulations and laws that may affect your industry.
Limit Data Access and Movement
Data disclosure through employees and third-parties are consistently on the rise. Access to data should be limited. Restrict data movement within systems. Restrict, monitor and evaluate access through third-party partners on a regular basis.
Comply with Data Acquisition and Retention Regulations
Privacy laws and industry regulations affect the way data can be processed, stored and for how long. Compliance is best done by following regulatory requirements applicable to your respective industry. Organizations must ensure their practices, policies and procedures align with regulatory standards, as well as the privacy and security frameworks they’ve chosen to adhere. The General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) are two recent additions to the growing list of privacy laws and regulations governing the use and storage of data for residents based in a specific locale.
Develop Organizational Data Governance Policies
Develop a set of policies that govern data access and use within your organization. Policies should ensure the organization’s practices meet regulatory requirements. Compliance with external regulations will affect how an organization must disclose a data breach. Internal policies should require appropriate response and remediation protocols.
Focus on Data Loss Prevention
Consider deploying next-generation data loss prevention programs to limit lost data due to employees leaving or potential insider threats. A comprehensive program can help provide context during difficult situations that might otherwise include few insights into prior actions. Explore previous months activities in context with recent events. This provides a clear view of potential issues or peace of mind that no serious disclosure was made.
Define a Data Destruction Schedule
Some forms of PII grow stale over time. Ensure data is accurate. Schedule time to eliminate unnecessary data at regular intervals. Revisit data destruction policies for effectiveness within your organization, and adjust them to best meet your organization’s privacy objectives.
Maintain Access Control Policies
Tracking device check-in/out, as well as the actual data on devices. Deploy device encryption and restrict device usage (travel, personal usage, etc). Ensure theft response protocols are up-to-date and serve the needs of the organization. Include these endpoints as part of your endpoint management.
Train Employees on Proper PII Access and Handling
Proper PII handling education should be part of an overall security strategy to help defend against accidental data leaks, and discourage intentional disclosures.
A large number of accidental data leaks can be prevented with regular security training. This includes guidance on how to identify personal information. Employees need explicit instruction on what is considered personally identifiable information within the organization. Do not assume employees at all levels possess the knowledge necessary to discern their role in data protection. Attitudes around data can vary widely within an organization.
Building a Culture Around Security Awareness
Identifying PII can be difficult if employees haven’t been appropriately trained on what is considered PII and how it is to be handled within the organization. A culture of security awareness helps employees better understand roles and responsibilities with data and information systems. Employees who are risk aware can better assess potentially risky situations, hopefully avoiding them.
Employees should understand the context for limiting access to some systems. It may seem unjust or overly controlling to prevent access without this knowledge. Disallowing higher level access to systems may not be well received by some employees without the all-important context. Affected employees may find the decision very unfair.
Consider starting an insider threat program. Insider threats continue to be among the top security risks each year. Creating a program that allows employees to anonymously report malicious behaviors and also monitors systems for illicit activities can help prevent data losses.
Final Thoughts on Securing PII
Personally identifiable information continues to be an attractive and a high-value attack target. Protecting this precious data requires continuous monitoring and a solid understanding of how data flows through the organization and who has access to it. Train employees and third-party vendors to handle the data appropriately. Limit access to personal data to necessary business use and only to those who have appropriate training. Develop appropriate measures to govern data collection. Destruction and storage should be done to meet the standards of privacy regulation affecting your line of business. Revisit all that you’re doing at regular intervals to ensure data remains secured appropriately.