By: Nihad Hassan
September 21, 2021
How To Secure PII From Threat Actors
As the world continues its move toward becoming fully digital, people's dependence on digital technology to conduct all types of work increases. These days, most data is created digitally and never exists on paper. According to Statista, the total amount of data created, captured, copied, and consumed globally is forecast to grow rapidly, reaching more than 180 zettabytes in 2025. A large portion of this massive volume of digital data is sensitive.
Unfortunately, cyberattacks are also increasing rapidly. Cybercriminals have various motivations for their malicious activities, but acquiring PII and other sensitive information remains at the top of their list. Such information is a prerequisite for many types of cyberattacks; for example, social engineering attacks, which are considered the most dominant form of cyberattack, require knowing sensitive information about the target before the attack is executed.
Personally identifiable information (PII) is any information that can distinguish an individual's identity, either alone or in combination with other information. Remember, PII covers pieces of information that exist both online and offline; they are used to recognize a specific person's identity. The following are the most common types of PII:
- Full name
- Email address
- Phone number
- Mailing address
- Passport number
- Social security number
- Driving license
- Financial information (bank account number, credit card info)
- Patient health information (PHI)
- Online account usernames (e.g., Facebook or Twitter profile names)
- Date of birth
- IP address, cookies, and device fingerprint
There is also non-PII data that can identify an individual indirectly when combined with other PII. Examples include a first or last name alone, race, workplace name and position, place of study, and home address.
Securing PII has become a top priority in the business world. Data has become the lifeblood of organizations; they cannot do any work without it. Providing a customized experience for online customers depends significantly on storing information about each customer or user, and most of this information can uniquely identify them.
Data protection regulations, such as the European GDPR, PCI DSS for payment cards, and HIPAA for patient information, are emerging globally. Failing to secure the PII of your customers and visitors will make your company subject to various regulatory fines, not to mention the huge long-term losses that result from losing customers' trust and damaging your reputation.
We cannot protect something we know nothing about. Therefore, organizations must implement a data classification policy to identify PII and work to secure it properly.
What is a data classification policy?
Before implementing any security control to secure PII, it is essential to classify and group your data based on its sensitivity; this will in turn determine the appropriate security controls for each type of data. Read the data classification policy for more information.
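As an added example that is not part of the original article, the following Python script tags the fields of a customer record with the PII categories listed above (email, phone number, social security number, credit card number) and derives a sensitivity label that a classification policy could act on. The patterns, the three-level label scheme, and the sample record are my own assumptions; the US-centric regular expressions are a starting point, not a complete detector.

```python
import re

# Constructed, US-centric patterns; tune per locale before relying on them.
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
PHONE = re.compile(r"^\+?\d[\d\s().-]{8,}\d$")
SSN = re.compile(r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")
CARD = re.compile(r"^(?:\d[ -]?){13,19}$")

def luhn_ok(number):
    """Luhn check-digit test; rejects most random digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0

def classify_value(value):
    """Return the PII categories from the article's list that a value matches."""
    v = value.strip()
    found = []
    if EMAIL.match(v):
        found.append("email")
    if SSN.match(v):
        found.append("ssn")
    if CARD.match(v) and luhn_ok(v):
        found.append("credit_card")
    elif PHONE.match(v) and 10 <= sum(c.isdigit() for c in v) <= 15:
        found.append("phone")  # E.164 numbers have at most 15 digits
    return found

def classify_record(record):
    """Map each field name to the PII categories found in its value."""
    return {k: c for k, v in record.items() if (c := classify_value(v))}

def sensitivity(record):
    """Policy label: government/financial identifiers rank highest, then contact data."""
    cats = {c for cs in classify_record(record).values() for c in cs}
    if cats & {"ssn", "credit_card"}:
        return "restricted"
    if cats & {"email", "phone"}:
        return "confidential"
    return "public"

SAMPLE = {  # constructed record for the demo, not real data
    "name": "Alice Example", "email": "alice@example.com",
    "phone": "+1 (555) 010-2345", "ssn": "123-45-6789",
    "card": "4111 1111 1111 1111", "note": "4111 1111 1111 1112",
}
```

The "note" field is a digit run that fails the Luhn check and has too many digits for a phone number, so it is left unlabelled rather than producing a false positive.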
Seven ways to secure PII
After classifying the information your organization stores in its IT systems and knowing the location of each piece of data (cloud storage, on-premises, backup tapes), it is time to look at ways to secure these assets. The following are the seven most prominent ways to secure essential data, including PII.
Use data encryption
Anything stored, transmitted, or processed on digital systems must be encrypted first. Encryption converts data into an unreadable format (known as ciphertext) using an encryption key, so unintended parties cannot read it without the corresponding decryption key.
By encrypting PII, the risk of a data breach decreases significantly; encryption is also mandated by many compliance regimes, such as GDPR, PCI DSS, and HIPAA.
Delete unused PII
Organizations tend to collect large volumes of data as part of their daily operations; it is important to keep only the information required to provide the intended service, and only for a specific period. If the PII of some customers is no longer needed, it must be deleted immediately.
PII stored in a public cloud should be encrypted first, so that when it is deleted, remnants of the data are not recoverable by other third parties. PII held on backup tapes must also be deleted securely. There are different data destruction algorithms for securely destroying logical data, such as DoD 5220.22-M (ECE), the Gutmann data sanitization algorithm, and GOST-R-50739-95. Data destruction is covered thoroughly in my "Data Destruction Policy" article.
Install security solutions
Endpoint devices, servers, and any computing devices with access to the corporate network must be protected with antivirus or antimalware software. Network gateways should be guarded with firewalls and IDS/IPS systems. For networks containing highly valued data, such as those of financial and healthcare organizations, it is critical to deploy advanced network security solutions, such as Network Detection and Response (NDR), SOAR, and SIEM, to stop advanced cyberattacks such as APTs and ransomware. An NDR solution can also stop non-malware threats such as insider threats, data leakage, and policy violations.
Create a policy for BYOD
Bring Your Own Device (BYOD) is the practice of allowing employees to use their own devices in the workplace. This trend became common when organizations allowed their staff to work remotely. If an organization adopts BYOD, it must enforce a corresponding policy to prevent threat actors from breaching data through employees' devices.
Use a VPN to protect data in transit
Never transmit PII without using a reliable Virtual Private Network (VPN). A VPN establishes an encrypted tunnel between your computer and the remote server. Everything that traverses this channel is encrypted and cannot be seen by external observers.
VPN use must be enforced for all employees and other third parties who have remote access to the corporate network.
Use IAM solution
Today's organizational networks are hybrid; they contain both on-premises and cloud assets. Monitoring, tracking, and governing user access in such a complex hybrid environment is a daunting task. Using a dedicated solution to handle these tasks centrally becomes critical to avoid leaking PII by mistake.
Identity and Access Management (IAM) is a solution for storing users' credentials and access levels. IAM provides other vital functions such as:
- Supporting different authentication methods for accessing protected resources, such as Single Sign-On and biometric authentication.
- Enforcing organizational security policies regarding user access to protected resources, both on-premises and in cloud environments, for example, changing passwords periodically and requiring complex passwords.
- Defining the access level for each user based on their identity (authorization).
End-user cyber security training
Regardless of their work roles, all employees must attend cyber security training to avoid becoming easy targets of cyberattacks. For instance, phishing is the technique cybercriminals use most often to steal PII and gain access to protected resources. According to Vadesecure's report titled "Phishers' Favorites Top 25 H1 2021, Worldwide Edition", PII was the primary goal of these attacks.
In today's information age, organizations need to store, process, and transmit a considerable volume of PII as part of their daily work. PII is a top target for malicious actors because they can sell it on the Dark Web for a high price or use it to conduct other cyberattacks such as ransomware and APT attacks. Understanding how to protect PII has become critical for any organization handling customers' and users' personal information. Failing to protect PII adequately will make your organization subject to huge fines and penalties from regulatory bodies, not to mention user lawsuits that will damage your business reputation for a long time.