(June 21, 2023) No information security solution can prevent every data breach. Human beings — not just the IT pros but all users — must protect systems and personally identifiable information.
One key to data breach prevention is understanding and effectively managing personally identifiable information (PII). PII refers to information that can be used to identify a person. It also includes information that can’t identify a person in and of itself, such as email addresses and phone numbers, but could be used to identify, trace, or locate a person when combined with other information.
Securing PII has long been a problem, but the scope of the risk has increased significantly in recent years. In the past, PII was accessed only by a few select individuals who queried the data and generated reports. Data masking and similar techniques protected PII from exposure. Today, business intelligence, data analytics, visualizations and related tools have natural language query features and drag-and-drop simplicity. Business users throughout the organizations can access PII.
What Is PII and What Are the Risks?
PII includes a person’s name, Social Security number, birth date, driver’s license number, passport number, biometric data, etc. Information that can be combined to identify a person could include their employer and job title, medical records, financial account information, and educational information.
This information is pure gold for cybercriminals. While a credit card number and CVV might sell for as little as $15, PII is worth hundreds of dollars. Not surprisingly, PII is the primary target of hackers when they steal data. A new study by the Imperva Threat Research Team found that hackers steal PII in 42.7 percent of data breaches. Credit card data is stolen in just 3.4 percent.
Protecting PII is a top priority in government and industry regulations. For example, Health Insurance Portability and Accountability Act (HIPAA) regulations are intended to safeguard protected health information (PHI) from compromise and unlawful sharing. The EU General Data Protection Regulation (GDPR) gives EU citizens significant rights to and control over PII, and the onus is on organizations to prove compliance. Other governments, including the State of California, have implemented similar measures.
If you fail to meet regulatory requirements and suffer a data breach, you could face significant fines. You may also suffer reputation damage, lose customers and have to pay for remediation.
How to Protect PII
In the past, organizations focused on centralized control of PII to ensure security and compliance. PII was kept within the data center and protected by perimeter security. Today, many users store PII on their personal devices, in their email accounts and on cloud platforms. Organizations struggle to meet regulatory compliance requirements because they don’t know where all their PII is located. PII is often exposed because users fail to protect it, or fall victim to a phishing attack, social engineering or other scam.
A four-pronged approach can help organizations address this challenge:
- Maintain an up-to-date inventory of data. Complete visibility into data stores allows you to ensure PII is protected and to respond promptly to suspected attacks.
- Implement a layered security approach. Antimalware protection, endpoint protection, encryption and other controls work with perimeter security to provide better protection.
- Tune security devices to detect abnormal behavior. Your security tools should be able to differentiate between normal and abnormal activity so that IT personnel are provided with actionable alerts. Consider implementing a Security Information and Event Management (SIEM) solution that aggregates event data from multiple sources and provides real-time analysis.
- Provide security awareness training. Users need to understand what PII is and the risks to the organization if it’s exposed so they can serve as a first line of defense against attacks.
Organizations store more PII than ever, and hackers are eager to get that data. More than 422 million Americans were affected by data breaches and leaks in 2022 alone. Mainstream can help you implement a comprehensive security strategy to protect PII and reduce the risk of a costly breach and noncompliance.
ABOUT MAINSTREAM TECHNOLOGIES
Mainstream Technologies delivers a full range of technology services in Arkansas and the surrounding region including managed technology services and consulting, custom software development and cybersecurity services. We also offer industry-leading data center services in our Little Rock facilities. Established in 1996, Mainstream has earned a reputation for delivering quality, reliable, and professional technology services for public and private-sector customers across the United States.
IT Business Development Manager
(479) 715-8629 Office
(501) 529-0008 Mobile