With data breaches often appearing in the news, customers and enterprise leaders alike may be concerned that the enterprise isn’t doing enough to protect customers’ personally identifiable information (PII). As today’s chaotic economy makes for a hungry threat landscape, what methods can the enterprise apply to better protect the increased flow of PII?
In some cases, the enterprise is not storing data correctly. In others, not enough measures are in place. The consequences of a data breach are more far-reaching than a simple dollar amount. Damage to an organization’s reputation and customer confidence can be detrimental to the bottom line. Adding to the complexity, many organizations often share user data with other companies for marketing or other purposes, creating a perfect storm for more PII breaches.
Why is PII so Difficult to Protect?
PII refers to any data that identifies a specific individual. Common PII data include phone numbers, social security numbers, email addresses and home addresses. With technology, the scope of PII has expanded substantially and can include login IDs, IP addresses, digital images and even social media posts. Other data like biometric, behavioral and geolocation data can also be classified as PII.
No matter which industry your organization belongs to, even those outside of healthcare and finance, protecting customers’ PII is essential. How should the enterprise go about storing private data?
The Problem With Passwords
Security expert Frank Abagnale advises that username-and-password authentication is outdated technology and the biggest factor in security breaches. Adding more layers of complexity only leaves users frustrated and resentful.
Abagnale suggests removing passwords altogether as a security mechanism. Risk-mitigating measures like storing passwords with secure hashing algorithms and other cryptographic techniques may help in the short term. However, you are still vulnerable to brute-force, dictionary and rainbow table attacks. And of course, when PII is accessible with a password, your company is still susceptible to phishing emails.
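To make the short-term mitigation concrete, here is an added example (not code from the article or from Abagnale) contrasting an unsalted fast hash with a per-user-salted, iterated PBKDF2 scheme: the salt removes the rainbow table shortcut, and the iteration count makes each brute-force or dictionary guess cost more. The sample password and storage format are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample password for illustration; not from the article.
SAMPLE_PASSWORD = "correct horse battery staple"


def weak_hash(password: str) -> str:
    # Unsalted, fast SHA-256: every user with the same password gets the same
    # digest, so one precomputed (rainbow) table cracks all of them at once.
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = 600_000) -> str:
    # Per-user random salt defeats precomputed tables; a high iteration count
    # makes each brute-force or dictionary guess expensive. Stored as the
    # constructed format "pbkdf2_sha256$iterations$salt_hex$digest_hex".
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never accept it
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


def same_password_same_digest(hasher) -> bool:
    # True when two users choosing the same password end up with identical
    # stored values (the weak scheme); False once a random salt is used.
    return hasher(SAMPLE_PASSWORD) == hasher(SAMPLE_PASSWORD)


if __name__ == "__main__":
    print("unsalted digests identical:", same_password_same_digest(weak_hash))
    print("salted digests identical:  ", same_password_same_digest(hash_password))
    stored = hash_password(SAMPLE_PASSWORD)
    print("verify correct:", verify_password(SAMPLE_PASSWORD, stored))
    print("verify wrong:  ", verify_password("hunter2", stored))
```

Even with the salted scheme, a weak password still falls to a dictionary attack; the iteration count only raises the cost per guess, which is the point the article makes about hashing being a short-term measure.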
In the future, protecting PII may benefit from a technique already in use for authentication: deploying cryptographic keys on a user’s smartphone.
Best Practices for Protecting PII
Passwords and authentication methods aren’t likely to change anytime soon. Until the business world is ready to embrace a drastic mindset shift and adapt to new practices, we need to work with what we’ve got.
For the enterprise looking for takeaways on how to protect PII, here are six steps to follow:
1. Identify the “What” and the “Where”
The first step in safeguarding PII is to get a solid grasp of what PII you are collecting and where you store it. You should also determine whether the data is collected correctly and protected with proper security measures.
2. Identify Compliance Regulations
Different industries are required to comply with specific laws and regulations governing the collection, storage, handling and transmission of PII. Regulations may also depend on your customers’ data or location rather than on your industry.
Your industry may need to comply with one or more of the following common regulations:
- General Data Protection Regulation (GDPR)
- Health Insurance Portability and Accountability Act (HIPAA)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Payment Card Industry Data Security Standard (PCI DSS)
3. Conduct a PII Risk Assessment
To identify any vulnerabilities or weaknesses in your security strategy, it’s essential you establish the following:
- What you’re doing to ensure regulatory compliance
- What reputational, operational and security risks exist for unregulated PII
- A list of threat sources, from most to least likely
- Risk management strategies
4. Secure Deletion of Unnecessary PII
Storing PII that you don’t need for business may be a security risk. Take the time to search through this data and identify what should be deleted.
Data may include:
- Customers you no longer do business with
- Outdated employee records (those who have not been with the company for over a year)
- PII found on unused devices
5. PII Classification
PII can take on many levels of sensitivity. Credit card numbers, for example, are much more sensitive than your email list. Classifying data by its impact on confidentiality and privacy is a crucial step in PII protection.
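Steps 1 and 5 can be started with a simple inventory pass over exported records. The following is an added example (not code from the article) that scans constructed sample records, reports where each PII element lives, and assigns the sensitivity tier the article describes; the file names, records, tiers and patterns are assumptions for the example, and the Luhn check is included to reduce false positives on card numbers.

```python
import re

# Constructed sample records standing in for a CRM export and an HR export;
# every value here is made up for the example.
SAMPLE_RECORDS = {
    "crm/customers.csv": [
        {"name": "A. Example", "email": "a.example@example.com",
         "phone": "555-0134", "card": "4111 1111 1111 1111"},
    ],
    "hr/former_staff.json": [
        {"name": "B. Example", "ssn": "123-45-6789", "ip": "192.0.2.10"},
    ],
}

# Assumed sensitivity tiers; checked in order, so the most sensitive come first.
PATTERNS = {
    "credit_card": (re.compile(r"\b(?:\d[ -]?){13,19}\b"), "high"),
    "ssn":         (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "high"),
    "email":       (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "low"),
    "phone":       (re.compile(r"\b\d{3}-\d{4}\b"), "medium"),
    "ip_address":  (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "medium"),
}


def luhn_ok(digits: str) -> bool:
    # Luhn checksum rejects most digit runs that merely look like a card number.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value: str):
    # Returns (pii_type, sensitivity) or None; first matching pattern wins.
    for pii_type, (pattern, level) in PATTERNS.items():
        if pattern.search(value):
            if pii_type == "credit_card" and not luhn_ok(re.sub(r"\D", "", value)):
                continue  # digits that fail Luhn are not treated as a card
            return pii_type, level
    return None


def inventory(records):
    # Builds the "what and where" list: (location, field, type, sensitivity).
    found = []
    for location, rows in records.items():
        for row in rows:
            for field, value in row.items():
                hit = classify_value(str(value))
                if hit:
                    found.append((location, field) + hit)
    return found
```

The resulting list doubles as the starting point for step 4, since records in a location such as a former-staff export are immediate candidates for review and deletion.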
6. Security Program and Policy Review
Frequent reviews of your organization’s security program mustn’t be overlooked. These should include analysis of the tools and solutions used to protect PII. As data privacy laws are updated, your policies may need to be updated to reflect the changes. Security policies should incorporate best-practice security controls from trusted frameworks like the National Institute of Standards and Technology (NIST) Cybersecurity Framework, System and Organization Controls (SOC) 2 or the Center for Internet Security (CIS) Controls. Finally, your policy should include a section in which security awareness training concerning PII is clearly defined.
Top-Down Organizational Awareness
With threats to PII skyrocketing, companies must ensure their employees understand the current threats and are aware of how they can do their part to protect PII.
A crucial element to any security awareness program is buy-in from top-level executives. Organizational cultures in which awareness is a top-down structure almost always come out ahead. C-suite executives who participate in red team/blue team type activities are better positioned to grasp where the company’s blind spots are and can plan for PII protection accordingly.
It’s unclear what the catalyst will be for positive change. With data breaches constantly occurring, protecting PII is more crucial than ever.
What will it take for the tide to turn? Perhaps it’s adopting different methods for storing authentication data, leveraging AI and technologies we may not have heard about yet, better organizational awareness, or simply following some of the steps outlined here. Being proactive as an enterprise certainly won’t hurt.