To combat the rampant increase in cyber incidents, various industries are increasing security requirements to help keep your sensitive information out of the wrong hands.
These days, companies have to be hyper-vigilant about emerging cyber threats. Hackers are constantly looking to exploit security gaps within your IT environment to launch a cyber attack. Human error is responsible for an estimated 90 to 95 percent of cyber incidents.
Knowing this, bad actors are using increasingly sophisticated schemes to trick people into unknowingly taking some action, such as downloading an infected file or sharing user information.
These methods, common in phishing schemes, give cybercriminals a backdoor way to circumvent traditional security measures and infiltrate your IT infrastructure.
This can potentially expose or compromise sensitive information belonging to your employees, customers, vendors, and others connected to your network.
Such openings give cyber criminals an easy way to launch malware, ransomware, or other potentially devastating cyber attacks. Hackers can then buy or sell such information on the dark web.
In a ransomware attack, for instance, hackers could hold your customers’ private information “hostage” until a ransom is paid. As another example, malicious actors could use stolen credit card information to make clone cards for unauthorized purchases.
Millions of stolen personal records help supply the dark web, a thriving online criminal marketplace.
So, what’s the best way to protect personally identifiable information (PII)? What information is considered PII? Will protecting such information help me meet regulatory requirements?
After reading this article, you will learn what PII is, best practices to safeguard it, and why it is critical to your business’s overall security posture.
PII is any personal information tied to an individual that can be used to discover that person’s identity.
It is often collected by businesses as a necessary way to fulfill a customer’s request for coverage or service, offer a personalized experience, or use as a marketing tool.
That information can include (but is not limited to):
According to Experian, personal information can be very profitable for cyber criminals. Some types of PII are worth considerably more than others. Social Security numbers sell for only about $1 on the dark web. Medical records, on the other hand, can fetch upwards of $1,000, while U.S. passports can bring in $1,000 to $2,000 each.
While money is usually their main goal, cyber criminals don’t just use stolen PII for financial gain.
In 2018, hotel chain Marriott suffered a data breach in which the personal information of 500 million guests was stolen, according to a news report published by PBS. The hackers responsible for the attack were reportedly working for the Chinese government as part of an espionage plot, according to the news story.
Implementing strong security protocols and controls will help ensure individuals’ privacy and significantly reduce the chances of stolen or compromised PII leading to identity theft, fraud, or a cyber attack.
With security measures in place, you also shield your business from the significant harm a data breach could cause, including reputational damage, legal problems, customer defections, and revenue loss.
PII is considered to be one type of controlled unclassified information (CUI).
While Cybersecurity Maturity Model Certification (CMMC) establishes security requirements to protect CUI and Federal Contract Information (FCI), defense contractors aren’t the only businesses that have to follow PII security mandates.
Many industries have their own security and privacy regulations, including medical and healthcare, financial services, education, technology, and utilities.
Other regulations that dictate how organizations must handle PII include the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), the federal Privacy Act of 1974, and the Fair Credit Reporting Act (FCRA).
In addition, a number of states have adopted their own privacy laws, including Connecticut, New Hampshire, New Jersey, Texas, Delaware, California, Colorado, and Virginia.
Companies operating in those states must comply with whichever of the state or federal regulations is stricter.
Under CMMC, companies are grouped into three levels according to the sensitivity of the information they handle and the type of assessment they are required to complete.
Level 1 companies are those that handle FCI. Level 2 and Level 3 businesses handle highly sensitive CUI and must meet more stringent compliance requirements.
All contractors handling FCI and/or CUI need to satisfy the CMMC security controls for their level in order to keep their government contracts.
What’s more, insurance companies are continually changing their requirements to strengthen cybersecurity protections and minimize business risk.
So, having strong security measures to protect PII can help you satisfy regulatory and cybersecurity insurance requirements, as well as maintain your business’s integrity and reputation.
While doing business, organizations collect, store, process, and dispose of vast amounts of data, including personally identifiable information belonging to individuals both within and outside the company.
After reading this article, you now understand why protecting PII is a critical part of your company’s comprehensive cybersecurity defenses.
At Kelser, we’re committed to writing articles like this to provide important technology-related information that can help keep your business running smoothly.
If you already have an internal IT team that can implement the proper cybersecurity controls to meet regulatory and other requirements, then you’re all set.
If you’re like other small and medium-sized businesses, however, you may benefit from the expert guidance and resources of a managed IT services provider (MSP) to ensure you have the right security protocols and tools for your business.
The benefits of using managed IT support include: proactive monitoring, threat detection, incident response measures, and compliance preparation.
Regardless of which choice you make, it's important that you determine your security risk by carefully examining your IT landscape to identify areas of weakness. By doing so, you establish a good starting point toward finding solutions to shore up those gaps and keep your sensitive data safe.