A Synopsis of Personally Identifiable Information (PII) for End-User Security



Published: August 7, 2015 | By: ryan | Views: 2028

Updated October 2018

In end-user security, the term PII is commonly referenced. PII, or Personally Identifiable Information, consists of data that can allow one individual to trace and/or contact another person. This type of information may include an individual’s name, address, the type of car a person owns, credit card numbers, the names of family members, email addresses, telephone numbers, the locations of schools that an individual has attended and a person’s driver’s license number.

Knowing the limits of what to provide, and when, can be a critical element in end-user security. In some cases, criminals are far more clever than simply sending an email asking a user to enter their social security number into a random, creepy website.

Given the sensitivity of PII and the criminal capabilities that access to it enables, many organizations are tightly regulated and required to treat the storage and transfer of PII in a very secure manner. These regulations often affect the jobs of many – even non-technical staff members within an organization. Therefore, it’s critical that all members of an organization know what PII is, and how to treat it when they see that they are handling it.


Protecting Data within an Organization
Many websites that request personal information run security software that encrypts the data stored on each server. These programs can also alert the site’s administrators if a database has been breached, and the software may evaluate the actions of visitors who are using unknown IP addresses. These server-side controls do not, however, govern how an individual within an organization handles PII day to day.


Regulations and Laws That Affect Information in the United States
According to HIPAA’s policies, a company may not provide an individual’s personally identifiable information to a third party unless the customer signs a waiver. The regulations also prevent companies and medical facilities from displaying the information in a non-encrypted manner. HIPAA’s regulations have helped to decrease the sale of personal data, so far.

Additionally, the Payment Card Industry Security Standards Council has created regulations that require financial institutions that issue credit cards to:

  • add effective firewalls to their networks
  • frequently update software that prevents viruses
  • give a distinctive identification number to each individual who can access personal data

Furthermore, each bank’s software will track the activities of everyone who views a customer’s information. Every year, a major financial institution that issues credit cards must undergo an independent review of its security policies, and smaller banks have to complete extensive questionnaires and auditing.


Regulations in the European Union
Established in 1995, the Data Protection Directive requires organizations to send notifications to customers before collecting the data of buyers. The customers can access their personal information in an enterprise’s files and may modify the data. The policy also indicates that a third party is not permitted to analyze an individual’s information unless an official reason can be provided to the citizen.


Attackers Obtain Personal Information to Use for Later Criminal Purposes
When an attacker accesses an organization’s website, they might use a software program that automatically searches for and then gathers all personally identifiable information within that system. The application may easily organize the data by analyzing each customer’s age, address and name, and consequently, the attackers can simultaneously target many victims in a specific geographical area. The collection of such data can lead to attacks or criminal activity, often well after the breach takes place.
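The two passages above describe the same capability from opposite sides: the PCI requirements call for a unique identifier per person who can access personal data and for software that tracks everyone who views a customer’s record, while the attacker’s tool simply searches a system for anything that looks like PII. The following example, written for this page and not taken from Cybrary or any product, shows the defender’s version of that search: it classifies the fields of a record as PII (card numbers are checked with the Luhn checksum so that random digit runs are not flagged), masks them before they are displayed or logged, and writes an audit record attributed to a unique user ID that names the fields touched but never their values. The record layout, the patterns, the masking policy and the sample data are all constructed assumptions.

```python
"""Constructed example: classify, mask and audit access to PII fields.

Assumptions (not from the article): the record layout, field names,
patterns and masking policy are illustrative choices.
"""
import hashlib
import json
import re
from datetime import datetime, timezone
from typing import Optional

# Simplified patterns for a few PII types the article names (constructed).
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
CARD_CHARS_RE = re.compile(r"^[\d \-]+$")
PHONE_CHARS_RE = re.compile(r"^\+?[\d\s().-]+$")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: keeps random 16-digit runs from being reported as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value: str) -> Optional[str]:
    """Return the PII type of one field value, or None if it looks harmless."""
    v = value.strip()
    if SSN_RE.match(v):
        return "ssn"
    if EMAIL_RE.match(v):
        return "email"
    digits = re.sub(r"\D", "", v)
    if CARD_CHARS_RE.match(v) and 13 <= len(digits) <= 19 and luhn_valid(digits):
        return "card"
    # Phone rule is deliberately loose (10-15 digits); tune it to local formats.
    if PHONE_CHARS_RE.match(v) and 10 <= len(digits) <= 15:
        return "phone"
    return None


def mask(value: str, pii_type: str) -> str:
    """Mask a PII value so it can be shown or logged without exposing it."""
    v = value.strip()
    digits = re.sub(r"\D", "", v)
    if pii_type == "card":
        return "*" * (len(digits) - 4) + digits[-4:]
    if pii_type == "ssn":
        return "***-**-" + v[-4:]
    if pii_type == "email":
        local, _, domain = v.partition("@")
        return local[0] + "***@" + domain
    if pii_type == "phone":
        return "*" * (len(digits) - 4) + digits[-4:]
    return v  # no masking rule for this type: leave unchanged


def redact_record(record: dict) -> tuple:
    """Return (masked copy of the record, list of 'field:type' PII hits)."""
    masked, pii_fields = {}, []
    for key, val in record.items():
        kind = classify(val) if isinstance(val, str) else None
        if kind:
            pii_fields.append(f"{key}:{kind}")
            masked[key] = mask(val, kind)
        else:
            masked[key] = val
    return masked, pii_fields


def audit_event(user_id: str, record_id: str, pii_fields: list, now=None) -> dict:
    """Audit entry tying a PII read to one unique user ID.

    The record ID is hashed so the log itself does not become a PII index;
    the entry names the fields viewed, never their values.
    """
    now = now or datetime.now(timezone.utc)
    return {
        "ts": now.isoformat(),
        "user": user_id,
        "record": hashlib.sha256(record_id.encode()).hexdigest()[:16],
        "pii_fields": list(pii_fields),
    }


# Constructed sample customer record (4111... is a standard Luhn-valid test number).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "email": "jane@example.com",
    "card": "4111 1111 1111 1111",
    "ssn": "123-45-6789",
    "phone": "+1 555 010 0199",
    "notes": "Prefers blue cars",
}

if __name__ == "__main__":
    masked, hits = redact_record(SAMPLE_RECORD)
    print(json.dumps(masked, indent=2))
    print(json.dumps(audit_event("u-0042", "cust-1001", hits), indent=2))
```

The masked copy is what a help-desk screen or a log line should carry; the audit event is the per-user trail the PCI text asks for, and because it never stores values, a stolen audit log does not itself become a second PII breach.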

Commonly, these types of PII breaches lead to a few different forms of attack down the road. One common form is for the attackers to scour the information for revealing details that may allow them access into other reaches of a network. For example, data about one’s mother’s maiden name may give the attacker an easy pass to reset a password and gain access to a secured part of a network. Another common use, of course, is for the attacker who performed the breach to then sell the data on the dark web to others with criminal intent.

Perhaps more frightening than a virtual attack is the threat of a social engineering attack from someone who has gained PII. Social engineering is when an attacker uses a false pretext or role to gain access to a network or data system. For example, an attacker may physically play the role of someone who works for a company in order to gain access to a secured section of a building.

More commonly, though, an attacker can use the stolen PII to play that role over the phone or computer, using the PII to get through the authentication process and gain access to data. According to one study, social engineering likely contributed to more than 35 percent of data breaches that occurred during the last three years.

Although it’s still commonly overlooked, more so in less regulated industries, the proper handling of one’s own, or organizationally stored, personally identifiable information is perhaps one of the most important concepts in end-user security awareness. Organizations that overlook this, and don’t train their staff to properly handle this data, are setting themselves up for almost certain breach, and possible public shaming. Needless to say, risk management professionals who do not take this process seriously enough won’t maintain their positions for long.

