With data breaches often appearing in the news, customers and enterprise leaders alike may be concerned that the enterprise isn’t doing enough to protect customers’ personally identifiable infomation (PII). As today’s chaotic economy makes for a hungry threat landscape, what methods can the enterprise apply to better protect the increased PII data flow?

In some cases, the enterprise is not storing data correctly. In others, not enough measures are in place. The consequences of a data breach are more far-reaching than a simple dollar amount. Damage to an organization’s reputation and customer confidence can be detrimental to the bottom line. Adding to the complexity, many organizations often share user data with other companies for marketing or other purposes, creating a perfect storm for more PII breaches.

Why is PII so Difficult to Protect?

PII refers to any data that identifies a specific individual. Common PII data include phone numbers, social security numbers, email addresses and home addresses. With technology, the scope of PII has expanded substantially and can include login IDs, IP addresses, digital images and even social media posts. Other data like biometric, behavioral and geolocation data can also be classified as PII.

No matter which industry your organization belongs to, even those outside of healthcare and finance, protecting customers’ PII is essential. How should the enterprise go about storing private data?

The Problem With Passwords

When speaking with security expert Frank Abagnale, he advises that the authentication method of a username and password is outdated technology and the biggest factor for security breaches. By adding more layers of complexity, users are only frustrated and resentful.

Abagnale suggests removing passwords altogether as a security mechanism. Risk mitigating solutions like storing passwords using secure hashing algorithms and other cryptographic techniques may help in the short term. However, you are still vulnerable to attacks like brute force, dictionary and rainbow attacks. And of course, when PII is accessible with a password, your company is still susceptible to phishing emails.

In the future, protecting PII may benefit from a similar technique currently used by deploying cryptographic keys on a user’s smartphone for authentication purposes.

Best Practices for Protecting PII

Passwords and authentication methods aren’t likely to change anytime soon. Until the business world is ready to embrace a drastic mindset shift and adapt to new practices, we need to work with what we’ve got.

For the enterprise looking for takeaways on how to protect PII, here are six steps to follow:

1. Identify the “What” and the “Where” 

The first step in safeguarding PII is to get a solid grasp of what PII you are collecting and where you store it. You should also determine whether the data is collected correctly and is using proper security measures.

2. Identify Compliance Regulations

Different industries are required to comply with specific compliance laws and regulations governing the collection, storing, handling and transmitting of PII. Regulations may also be a function of your customers’ data or location and not specific to your industry.

Your industry may need to comply with one or more of the following common regulations:

3. Conduct a PII Risk Assessment

To identify any vulnerabilities or weaknesses in your security strategy, it’s essential you establish the following:

  • What you’re doing to ensure regulatory compliance
  • For unregulated PII, what reputational, operational and security risks exist?
  • List of threat sources from most to least likely
  • Risk management strategies

4. Secure Deletion of Unnecessary PII

Storing PII that you don’t need for business may be a security risk. Take the time to search through this data and identify what should be deleted.

Data may include:

  • Customers you no longer do business with
  • Outdated employee records (those who have not been with the company for over a year)
  • PII found on unused devices

5. PII Classification

PII can take on many levels of sensitivity. Credit cards, for example, are much more sensitive than your email list. Classifying data by its impact on confidentiality and privacy is a crucial step in PII protection.

6. Security Program and Policy Review 

Frequent reviews to your organization’s security program mustn’t be overlooked. These should include analysis of the tools and solutions to protect PII. As data privacy laws are updated, your policies may need to be updated to reflect the changes. Security policies should incorporate best-practice security controls from trusted frameworks like the National Institute of Technology’s (NIST) Framework, System Organizational Controls (SOC) 2 or Center for Internet Security (CIS) Controls. Finally, your policy should include a section in which security awareness training concerning PII is clearly defined.

Top-Down Organizational Awareness 

With the threat landscape surrounding PII skyrocketing, companies must ensure their employees are aware of how they can do their part to protect PII data and understand the current threats.

A crucial element to any security awareness program is buy-in from top-level executives. Organizational cultures in which awareness is a top-down structure almost always come out ahead. C-suite executives who participate in red team/blue team type activities are better positioned to grasp where the company’s blind spots are and can plan for PII protection accordingly.

It’s unclear what the catalyst will be for positive change. With data breaches constantly occurring, protecting PII is more crucial than ever.

What will it take for the tide to turn? Perhaps it’s adopting different methods for storing authentication data, leveraging AI and technologies we may not have heard about yet, better organizational awareness, or simply following some of the steps outlined here. Being proactive as an enterprise certainly won’t hurt.

More from Data Protection

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

Third-party access: The overlooked risk to your data protection plan

3 min read - A recent IBM Cost of a Data Breach report reveals a startling statistic: Only 42% of companies discover breaches through their own security teams. This highlights a significant blind spot, especially when it comes to external partners and vendors. The financial stakes are steep. On average, a data breach affecting multiple environments costs a whopping $4.88 million. A major breach at a telecommunications provider in January 2023 served as a stark reminder of the risks associated with third-party relationships. In…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today