With data breaches often appearing in the news, customers and enterprise leaders alike may be concerned that the enterprise isn’t doing enough to protect customers’ personally identifiable information (PII). As today’s chaotic economy makes for a hungry threat landscape, what methods can the enterprise apply to better protect the increased PII data flow?

In some cases, the enterprise is not storing data correctly. In others, not enough measures are in place. The consequences of a data breach are more far-reaching than a simple dollar amount. Damage to an organization’s reputation and customer confidence can be detrimental to the bottom line. Adding to the complexity, many organizations often share user data with other companies for marketing or other purposes, creating a perfect storm for more PII breaches.

Why is PII so Difficult to Protect?

PII refers to any data that identifies a specific individual. Common PII data include phone numbers, social security numbers, email addresses and home addresses. With technology, the scope of PII has expanded substantially and can include login IDs, IP addresses, digital images and even social media posts. Other data like biometric, behavioral and geolocation data can also be classified as PII.

No matter which industry your organization belongs to, even those outside of healthcare and finance, protecting customers’ PII is essential. How should the enterprise go about storing private data?

The Problem With Passwords

Security expert Frank Abagnale advises that the authentication method of a username and password is outdated technology and the biggest factor in security breaches. Adding more layers of complexity only leaves users frustrated and resentful.

Abagnale suggests removing passwords altogether as a security mechanism. Risk-mitigating solutions like storing passwords using secure hashing algorithms and other cryptographic techniques may help in the short term. However, you are still vulnerable to attacks like brute force, dictionary and rainbow-table attacks. And of course, when PII is accessible with a password, your company is still susceptible to phishing emails.

In the future, protecting PII may benefit from a technique already used for authentication: deploying cryptographic keys on a user’s smartphone.

Best Practices for Protecting PII

Passwords and authentication methods aren’t likely to change anytime soon. Until the business world is ready to embrace a drastic mindset shift and adapt to new practices, we need to work with what we’ve got.

For the enterprise looking for takeaways on how to protect PII, here are six steps to follow:

1. Identify the “What” and the “Where” 

The first step in safeguarding PII is to get a solid grasp of what PII you are collecting and where you store it. You should also determine whether the data is collected correctly and protected by proper security measures.

2. Identify Compliance Regulations

Different industries are required to comply with specific laws and regulations governing the collection, storage, handling and transmission of PII. Regulations may also be a function of your customers’ data or location and not specific to your industry.

Your industry may need to comply with one or more of the following common regulations:

3. Conduct a PII Risk Assessment

To identify any vulnerabilities or weaknesses in your security strategy, it’s essential you establish the following:

  • What you’re doing to ensure regulatory compliance
  • The reputational, operational and security risks that exist for unregulated PII
  • A list of threat sources, ordered from most to least likely
  • Risk management strategies

4. Secure Deletion of Unnecessary PII

Storing PII that you don’t need for business may be a security risk. Take the time to search through this data and identify what should be deleted.

Data may include:

  • Customers you no longer do business with
  • Outdated employee records (those who have not been with the company for over a year)
  • PII found on unused devices

5. PII Classification

PII can take on many levels of sensitivity. Credit card numbers, for example, are much more sensitive than your email list. Classifying data by its impact on confidentiality and privacy is a crucial step in PII protection.

6. Security Program and Policy Review 

Frequent reviews of your organization’s security program mustn’t be overlooked. These should include analysis of the tools and solutions that protect PII. As data privacy laws are updated, your policies may need to be updated to reflect the changes. Security policies should incorporate best-practice security controls from trusted frameworks like the National Institute of Standards and Technology’s (NIST) Framework, System and Organization Controls (SOC) 2 or Center for Internet Security (CIS) Controls. Finally, your policy should include a section in which security awareness training concerning PII is clearly defined.
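Steps 1, 4 and 5 above can be partly automated. The following added example (not the article’s code) scans constructed sample records for the PII types listed earlier, assigns an illustrative sensitivity tier, and flags records inactive for over a year as deletion candidates; the patterns, tiers, record layout and retention window are assumptions for illustration.

```python
import re
from datetime import date
# Constructed sample records (not real people); last_activity is an ISO date.
RECORDS = [
    {"id": 1, "email": "ana@example.com", "ssn": "123-45-6789",
     "card": "4111111111111111", "last_activity": "2021-03-01"},
    {"id": 2, "email": "bo@example.com", "phone": "+1 (555) 010-0100",
     "last_activity": "2024-05-10"},
]
# Field-level detectors, most specific first; tiers are illustrative (assumption).
PII_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "card": re.compile(r"^\d{13,19}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "phone": re.compile(r"^\+?\d{1,3}[-\s]?\(?\d{3}\)?[-\s]?\d{3}[-\s]?\d{4}$"),
}
TIER = {"card": "high", "ssn": "high", "phone": "medium", "email": "low"}
RETENTION_DAYS = 365  # the article's "over a year" threshold for stale records

def luhn_ok(digits: str) -> bool:
    total = 0  # Luhn checksum, so a 16-digit order number is not mistaken for a card
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def detect_pii(record: dict) -> dict:
    """Step 1: map each field holding PII to the kind detected."""
    found = {}
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, pattern in PII_PATTERNS.items():
            if pattern.match(value) and (kind != "card" or luhn_ok(value)):
                found[key] = kind
                break
    return found

def classify(record: dict) -> str:
    """Step 5: highest sensitivity tier present, or 'none'."""
    tiers = {TIER[k] for k in detect_pii(record).values()}
    return next((t for t in ("high", "medium", "low") if t in tiers), "none")

def is_stale(record: dict, today: str) -> bool:
    days = (date.fromisoformat(today) - date.fromisoformat(record["last_activity"])).days
    return days > RETENTION_DAYS  # step 4: candidate for secure deletion

def inventory(records: list, today: str) -> list:
    return [{"id": r["id"], "pii_fields": detect_pii(r), "tier": classify(r),
             "delete": is_stale(r, today)} for r in records]
```

Running `inventory(RECORDS, "2024-06-01")` yields one "high" record flagged for deletion and one "medium" record that is still active; a real inventory would also record which system each field lives in.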

Top-Down Organizational Awareness 

With threats to PII growing rapidly, companies must ensure their employees are aware of how they can do their part to protect PII data and understand the current threats.

A crucial element of any security awareness program is buy-in from top-level executives. Organizational cultures in which awareness flows from the top down almost always come out ahead. C-suite executives who participate in red team/blue team exercises are better positioned to grasp where the company’s blind spots are and can plan for PII protection accordingly.

It’s unclear what the catalyst will be for positive change. With data breaches constantly occurring, protecting PII is more crucial than ever.

What will it take for the tide to turn? Perhaps it’s adopting different methods for storing authentication data, leveraging AI and technologies we may not have heard about yet, better organizational awareness, or simply following some of the steps outlined here. Being proactive as an enterprise certainly won’t hurt.
