These days, far too many people accept the theft of their personally identifiable information (PII) as inevitable. Yet PII security is critical to preventing business damage you might not expect.
Stolen personal data endangers more than your personal life. It poses tremendous risk to your organization, as well.
From regulatory fines to fraudulent tech talent, here’s why PII security is so critical, and how to keep stolen data from haunting you down the road.
What is PII?
The University of Pittsburgh’s internal Guide to Identifying PII defines it as “any information that can be used to distinguish or trace an individual’s identity.” The guide goes on to list examples such as a person’s Social Security number (SSN), credit card number, biometrics, home address, or computer MAC address.
And, there are key laws in place to alert and protect anyone whose PII is stolen.
HIPAA, PCI-DSS, and various state regulations require prompt notification to victims, and can trigger fines against a breached entity. In fact, one organization was recently fined $500K for failure to notify victims of a data breach.
Now, keep in mind that different rules apply to different organizations (healthcare, financial institutions, etc.). So, if your business falls prey to a data breach, you’ll want to check with your attorneys to determine which regulations apply.
Ignore PII security and the laws surrounding it, and you could end up facing more than you bargained for.
How is PII Typically Stolen?
The largest data breaches have historically come from online databases.
- Yahoo, 2013-2016, 3 billion user accounts
- Equifax, 2017, 147 million credit records
- Facebook, 2019, 540 million records
Though individually much smaller than these giant breaches, ransomware attacks are also a major source of leaked data, since many operators copy data out before encrypting it and publish it when the ransom goes unpaid. Most organizations don’t disclose the full extent of such attacks, but HIPAA’s Breach Notification Rule compels healthcare providers to report breaches of protected health information, which is why healthcare incidents are so well documented.
Again, different laws apply to different industries.
Tips to Prevent Stolen PII
To prevent PII theft, first search your environment to discover where PII is actually stored and used.
These searches often surprise executives by turning up hidden repositories and workflows created without management’s approval.
Once located, consolidate this data into specific, encrypted repositories, and limit access to those repositories to the employees who absolutely need it for their work.
Enforce that access technically rather than by policy alone: Active Directory security groups, network segmentation, password-protected repositories, and the like.
Once the data is secured, ensure continued PII security through periodic penetration testing and security monitoring.
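The discovery step above is the one most organizations skip because nobody knows where to start. As an added example (not code from the original article), the following scanner walks a directory tree, looks for US Social Security numbers and Luhn-valid payment card numbers in text files, and reports which files hold them so they can be moved into an encrypted, access-controlled repository. The directory layout, file names and contents it scans are constructed for the demo.

```python
"""Added example: a small PII discovery scanner (not from the original article).

Walks a directory tree, looks for US Social Security numbers and payment card
numbers in text files, and reports which files hold them. The sample share it
builds under a temporary directory is constructed for the demo.
"""
import os
import re
import tempfile

# SSN in AAA-GG-SSSS form: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Return counts of SSNs and Luhn-valid card numbers found in text."""
    ssns = SSN_RE.findall(text)
    cards = [
        m.group(0) for m in CARD_RE.finditer(text)
        if luhn_ok(re.sub(r"[ -]", "", m.group(0)))
    ]
    return {"ssn": len(ssns), "card": len(cards)}


def scan_tree(root: str, exts=(".txt", ".csv", ".log")) -> dict:
    """Scan text files under root; map relative path -> counts, only for files with hits."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    counts = find_pii(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if counts["ssn"] or counts["card"]:
                hits[os.path.relpath(path, root)] = counts
    return hits


def demo() -> dict:
    """Build a constructed share with one forgotten export and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "finance", "old"))
        # Constructed sample data: industry test card numbers and made-up SSNs.
        with open(os.path.join(root, "finance", "old", "refunds.csv"), "w") as fh:
            fh.write("name,card,ssn\n")
            fh.write("A. Example,4111 1111 1111 1111,123-45-6789\n")
            fh.write("B. Example,5500-0000-0000-0004,876-54-3210\n")
        # Digits that look similar but are not PII: ticket IDs, dates, a phone number.
        with open(os.path.join(root, "README.txt"), "w") as fh:
            fh.write("Ticket 1234-5678 opened 2019-01-02, phone 412-349-6680\n")
        return scan_tree(root)


if __name__ == "__main__":
    for path, counts in demo().items():
        print(f"{path}: {counts}")
```

Run against a real file share, the output is the inventory you consolidate from; the Luhn check and the SSN range rules keep ticket numbers, dates and phone numbers out of the report, which is what makes the result usable rather than noise. Extend the extension list and add office-document parsing for a production run.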
PII & BEC Scams
Leaked data also powers business email compromise (BEC) scams, making PII security that much more important. The FBI estimates that BEC scams cost US businesses $2.4 billion in 2021, with reported losses worldwide since 2016 as high as $43 billion.
Many BEC attacks try to trick employees into making payments by impersonating vendors or company executives. The impersonated identities are made believable with accurate, but stolen, PII.
Some BEC scammers have even been observed comparing notes with ransomware operators, so experts now expect new attacks that combine the two threats.
A Dangerous Combo: Deepfake + Personal Data
An even more dangerous combination comes when BEC attackers use PII to create deepfake identities.
Since 2019, victims have complained to the FBI about deepfake audio and video used on virtual meeting platforms (Zoom, Teams, etc.).
Attackers combine LinkedIn profiles or stolen corporate data with audio or video of an executive from press conferences or conventions to build a deepfake of that executive. They then use the deepfake to order money transfers or vendor payments, which ultimately land in accounts the attackers control.
The FBI also recently warned of a new scam to watch for: attackers use stolen PII to assume a real person’s identity and apply for remote tech positions. The shortage of experienced IT talent pressures employers to fill positions quickly, and many skip thorough background checks.
Sounds strange, right? Why would a scammer want to fake their way into a real job? Do they really want a legitimate job?
Nope, not even close.
Scammers use this pressure to hire in order to win tech jobs in which they’re granted access to corporate networks.
They then use this access to perform a host of attacks, such as BEC, ransomware, or anything else they’d like. After all, why fight through security systems when a company will hand over access for free?
Your PII Security Matters
The primary defense against BEC scams is verification, and that verification must happen outside the channel the request arrived on.
Instead of replying to an email, call the executive or vendor on a number you already have on file. Instead of returning a voicemail, message the vendor over Teams or email.
Insist that employees always follow company procedures and never supply login credentials or PII via email or unverified websites. IT staff can help by configuring mail clients to show the full sender address rather than just the display name, showing file extensions on attachments, and by securing the PII itself.
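Showing the full sender address is the manual version of a check that mail filtering can also do for you. As an added example (not code from the original article), the following Python script parses raw message headers and flags the three clues the text asks employees to look for: an executive’s display name on a non-corporate address, a sender domain that merely looks like yours, and a Reply-To that silently redirects the conversation elsewhere. The corporate domain, executive name list and the sample messages are constructed assumptions for the demo.

```python
"""Added example (not from the original article): header checks that surface
the BEC clues the article recommends making visible. CORP_DOMAIN, EXECUTIVES
and the sample messages are constructed for the demo, not real traffic.
"""
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"      # assumed corporate domain
EXECUTIVES = {"jane doe"}        # assumed display names attackers like to impersonate

# Substitutions commonly used to build lookalike domains; collapsing them lets
# "exarnple.com" compare equal to "example.com".
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def skeleton(domain: str) -> str:
    """Normalise a domain so visually similar spellings collapse to one string."""
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw: str) -> list:
    """Return human-readable BEC indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_dom = domain_of(sender)
    findings = []
    # 1. Executive display name, but the real address is outside the company.
    if name.strip().lower() in EXECUTIVES and sender_dom != CORP_DOMAIN:
        findings.append(f"display name '{name}' but real sender is {sender}")
    # 2. Sender domain that only looks like ours.
    if sender_dom and sender_dom != CORP_DOMAIN and skeleton(sender_dom) == skeleton(CORP_DOMAIN):
        findings.append(f"lookalike domain {sender_dom} resembles {CORP_DOMAIN}")
    # 3. Replies quietly redirected to a different domain.
    if reply_to and domain_of(reply_to) != sender_dom:
        findings.append(f"Reply-To {reply_to} differs from sender domain {sender_dom}")
    return findings


# Constructed sample messages (not real traffic).
BEC_SAMPLE = (
    "From: Jane Doe <jane.doe@exarnple.com>\r\n"
    "Reply-To: Jane Doe <ceo.jdoe@freemail.example>\r\n"
    "Subject: Urgent wire\r\n\r\n"
    "Please wire the vendor payment today, I am in meetings all day.\r\n"
)
DISPLAY_NAME_SAMPLE = (
    "From: Jane Doe <jd@freemail.example>\r\n"
    "Subject: Quick favour\r\n\r\nAre you at your desk?\r\n"
)
LEGIT_SAMPLE = (
    "From: Jane Doe <jane.doe@example.com>\r\n"
    "Subject: Board deck\r\n\r\nAttached.\r\n"
)

if __name__ == "__main__":
    for label, raw in (("bec", BEC_SAMPLE), ("display-name", DISPLAY_NAME_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, assess(raw) or "no indicators")
```

None of these findings prove fraud on their own; a vendor really can change mail providers. They are the prompt for the out-of-band call the text recommends, and in a mail gateway they belong on a banner the recipient sees, not in a silent drop.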
For organizations trying to fill technical positions, find an alternative way to reach the legitimate candidate and confirm their interest, such as through LinkedIn, Twitter, or references.
Of course, outsourcing can sidestep the problem entirely by engaging a vendor instead of filling open positions.
PII security is too important to ignore – both for yourself and your business. But, it’s not always as easy as you’d hope.
If you need help securing your PII, or any other IT systems, Blue Bastion, with the added support of Ideal Integrations, is here to help.
Just contact us at 412-349-6680, or fill out the form below, and we’ll provide a no-obligation review of your IT personnel needs and demonstrate how we can provide the cost-effective peace of mind you deserve.