Last year, there were over 1.1 million cases of identity theft in the United States alone. At least 422 million individuals were impacted. Hackers are still finding it easy to access sensitive data, and personal information that reflects an individual's identity (PII) is key to how they plan cyber attacks. Yet organizations continue to struggle to heighten cyber security awareness.
Psst: CISOs and experts, this is one of our beginner-oriented articles! If you're looking for more advanced material, we recommend a dive into the blog archives!
What is PII?
PII stands for personally identifiable information. This is key information that hackers and identity thieves can use to steal an identity for nefarious purposes. PII ranges from the mundane—first and last name, address, phone numbers—to the specific—date of birth, social security or government ID numbers, passport information, etc.
Taken individually, these pieces of information are rarely useful to hackers. But combined with each other, or with other bits of data (even things considered public knowledge, like your high school mascot or your pet's name), they leave online shopping, investment management and personal banking accounts extremely vulnerable to hackers gaining access for malicious purposes.
Improving Your Password Strength
First, the best thing that can be done, when available, is to always use Multi-Factor Authentication (MFA). Second, improve password strength and avoid using PII in your password. 59% of Americans use their name or date of birth as part of their password. That data, combined with the commonality of password reuse, makes large-scale automated attacks possible, as we discuss below. Remember, more than 90% of attacks are made possible by human error, which in many cases traces back to password problems, whether passwords are leaked, poorly constructed or easily guessable.
How Bad Actors Leverage PII
PII is of high value to attackers, who acquire it via several means, including deceptive social engineering activities or just purchasing it via darknet marketplaces. Attackers' goals range from revealing the personal details of a person’s private life to defamation or harassment.
The nature of these attacks takes several forms:
Targeted attacks. These are generally undertaken for purposes such as blackmail, stalking, retaliation, or compromising security. In these cases, bad actors have a specific goal in mind, and some of them even market an “as a service” offering on the dark web.
Automated or large-scale attacks. As referenced above, with PII in hand, even slightly more secure passwords (that is, more thoughtful than Password123!) become guessable. In other words, your high school mascot and the month and day you were born, followed by an exclamation point, is NOT all that secure. "Brute force" guessing, aided by automation, is used by hackers to try common permutations and combinations, allowing them to gain access.
Customer Support Access. Ever call for phone support and get asked about the street you grew up on, or an old address? Imposters have cottoned on to this and, using PII, can access critical records. They can then change passwords, make purchases, drain your accounts, or even take out loans in your name!
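To make the password points above concrete from the defender's side (PII in passwords, and guessers enumerating mascot-plus-birthday style permutations), here is an added example, not code from this post or its authors: a registration-time check that rejects a candidate password containing the account holder's own PII, including reversed fragments, several date layouts, and simple letter-for-symbol substitutions. The profile, the date formats and the substitution map are constructed assumptions.

```python
import re
import unicodedata
from datetime import date

# Constructed account profile for the example; not real data.
PROFILE = {
    "first_name": "Maria",
    "last_name": "Okafor",
    "birth_date": date(1991, 7, 14),
    "pet_name": "Biscuit",
    "school_mascot": "Tigers",
}
# Date layouts people typically embed in passwords (year, MMDD, DDMMYYYY, month name, ...).
DATE_FORMATS = ("%Y", "%m%d", "%d%m", "%m%d%Y", "%d%m%Y", "%m%d%y", "%d%m%y", "%Y%m%d", "%B", "%b")
# Undo common letter-for-symbol substitutions so "T1g3rs" still reads as "tigers" (assumed map).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(text):
    """Lowercase, strip accents and drop everything that is not a letter or digit."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_text.lower())


def pii_tokens(profile):
    """Map each normalized PII fragment (3+ chars, plus its reversal) back to the original value."""
    raw = []
    for value in profile.values():
        if isinstance(value, date):
            raw.extend(value.strftime(fmt) for fmt in DATE_FORMATS)
        else:
            raw.append(str(value))
    tokens = {}
    for original in raw:
        norm = normalize(original)
        if len(norm) >= 3:  # two-character fragments cause too many false positives
            tokens[norm] = original
            tokens[norm[::-1]] = original  # "sregit" is as guessable as "tigers"
    return tokens


def pii_in_password(password, profile):
    """Return the profile values found inside the candidate password; an empty list means it passes."""
    plain = normalize(password)
    deleeted = normalize(password.translate(LEET))
    hits = set()
    for norm, original in pii_tokens(profile).items():
        # Digit tokens are compared only against the untouched password: de-leeting rewrites
        # digits into letters and would otherwise corrupt a date fragment such as 0714.
        if norm in plain or (norm.isalpha() and norm in deleeted):
            hits.add(original)
    return sorted(hits)
```

Run this alongside a breached-password blocklist at registration and password-change time; a rejection message that names the offending fragment doubles as a small awareness lesson for the user.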
PII and Regulations
Regulatory compliance standards such as the General Data Protection Regulation (GDPR) in Europe, the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI-DSS) offer guidelines for securing personally identifiable information. These standards help define a set of practices for internal access, backups, archives, when VPNs or MFA should be required, and who within the organization can view PII.
Standards are good for input when designing security policies and data governance practices, but they are only a start. To make a lasting difference requires a change in the mindset of users, one that they will internalize, making cybersecurity part of the organizational culture. That cultural shift should engage people throughout an entire organization, so as to prevent potential breaches long before phishing, social engineering, and other tricks are used to steal PII.
Education and Culture
Employees need more than to be made aware of best practices or educated on them; they need to internalize a culture of cybersecurity. They should viscerally recognize what data and documents constitute PII. They need to understand and identify phishing and social engineering, be taught to recognize a potential attack, and have an easy and effective means of reporting it.
Cybersecurity training, policies and procedures that oversee data and the people who access it should be reviewed regularly, and employees' awareness should be measured and tracked programmatically. This type of approach makes it more likely that breaches are prevented in the first place, rather than practices being reevaluated only as part of an incident response plan.
Of course, understanding how data should be handled, secured and protected is always considered part of a healthy cybersecurity program; but for your employees, an ounce of prevention is generally worth a pound of cure when it comes to handling PII.
Do you want to know more about how we can help you and your employees with identifying and safeguarding PII? Request a demo with us today and check out our unique awareness training. We won’t ask for your birth mother’s maiden name.