
A Synopsis of Personally Identifiable Information (PII) for End-User Security


By: ryan c

August 7, 2015

Updated October 2018

Regarding end-user security, the term PII is commonly referenced. PII, or Personally Identifiable Information, consists of data that can allow an individual to trace and/or contact another person. This type of information may include an individual's name, address, the type of car a person owns, credit card numbers, the names of family members, email addresses, telephone numbers, the locations of schools that an individual has attended, and a person's driver's license number.

Knowing the limits of what to provide, and when, can be a critical element in end-user security. In some cases, criminals are far more clever than simply sending an email asking a user to enter their social security number into a random, creepy website.

Given the sensitivity of PII and the criminal capabilities that access to it enables, many organizations are tightly regulated and required to treat the storage and transfer of PII in a very secure manner. These regulations often affect the jobs of many, even non-technical staff members within an organization. Therefore, it's critical that all members of an organization know what PII is and how to treat it when they recognize that they are handling it.

Protecting Data within an Organization

Many websites that request personal information feature security software that encodes all data on each server. These programs can also alert web designers if a database has been breached, and the software may evaluate the actions of visitors who are using unknown IP addresses. These processes do not generally play a part in the interaction between PII and an individual within an organization.

Regulations and Laws That Affect Information in the United States

According to HIPAA's policies, a company may not provide an individual's personally identifiable information to a third party unless the customer signs a waiver. The regulations also prevent companies and medical facilities from displaying the information in a non-encrypted manner.
HIPAA's regulations have helped to decrease the sale of personal data, so far.

Additionally, the Payment Card Industry Security Standards Council has created regulations that require financial institutions that issue credit cards to:
  • add effective firewalls to their networks
  • frequently update software that may prevent a virus
  • give a distinctive identification number to each individual who can access personal data
Furthermore, each bank's software will track the activities of everyone who views a customer's information. Every year, a major financial institution that issues credit cards must undergo an independent review of its security policies, and smaller banks have to complete extensive questionnaires and auditing.

Regulations in the European Union

Established in 1995, the Data Protection Directive requires organizations to send notifications to customers before collecting the data of buyers. The customers can access their personal information in an enterprise's files and may modify the data. The policy also indicates that a third party is not permitted to analyze an individual's information unless an official reason can be provided to the citizen.

Attackers Obtain Personal Information to Use for Later Criminal Purposes

When an attacker accesses an organization's website, they might use a software program that automatically searches for and then gathers all personally identifiable information within that system. The application may easily organize the data by analyzing each customer's age, address and name, and consequently the attackers can simultaneously target many victims in a specific geographical area. The collection of such data can lead to attacks or criminal activity, often well after the breach takes place.

Commonly, these types of PII breaches lead to a few different forms of attack down the road. One common form is for the attackers to scour the information for revealing details that may grant them access to other reaches of a network. For example, data about one's mother's maiden name may give the attacker an easy pass to reset a password and gain access to a secured part of a network. Another common use, of course, is for the attacker who performed the breach to sell the data on the dark web to others with criminal intent.

Perhaps scarier than a virtual attack is the threat of a social engineering attack from someone who has obtained PII. Social engineering is when an attacker uses a false ploy or role to gain access to a network or data system. For example, an attacker may physically play the role of someone who works for a company in order to gain access to a secured section of a building. More commonly, though, an attacker can use stolen PII to play that role over the phone or computer, using the PII to get through the authentication process and gain access to data. According to one study, social engineering likely contributed to more than 35 percent of data breaches that occurred during the last three years.

Although it's still commonly overlooked, more so in less regulated industries, the proper handling of one's own, or organizationally stored, personally identifiable information is perhaps one of the most important concepts in end-user security awareness. Organizations that overlook this, and don't train their staff to properly handle this data, are setting themselves up for almost certain breach and possible public shaming. Needless to say, risk management professionals who do not take this process seriously enough won't maintain their position for too long.