To a cyber fraudster who’s out to make some money, there are more options than hacking into bank accounts or credit card databases. In fact, compared to those methods, some approaches are easier, more lucrative and, unfortunately, far more damaging to the victims. Theft of personally identifiable information (PII) is a popular and highly problematic cyber security issue, and the recent attacks at Sony and Google have brought the problem to the forefront of many organizations’ security concerns.
Personally identifiable information — any data that can be used to determine the identity of an individual — is practically everywhere online. Many companies keep PII in their databases to better serve their customers and, in some cases, provide core business functions. When hackers get their hands on this information, it can be sold for a premium on the black market. And the company responsible for losing the data faces steep fines and loss of consumer confidence. In severe cases, it has even led to the closure of an organization.
While most financial institutions understand the sensitivity of the information they protect, organizations in other industries are less likely to recognize the need to protect their PII. This often means cyber security is a lagging priority, even though PII is stored in their systems. And this lack of security makes them prime targets.
It’s essential for any business that works with PII to understand the critical importance of protecting their data. If your firm deals with such information, there are some best practices you can implement to keep your PII locked down:
- Privacy training. Even the most solid technical security solutions can fall short if employees aren’t privacy and security savvy. In fact, hackers frequently engage in an attack method called social engineering to trick employees into giving away access to systems. Any organization that’s serious about protecting PII needs to make thorough privacy training a core competency.
- Incident response. In cyber security, your ability to respond quickly and appropriately to a breach is just as important as your ability to avoid one. To mitigate the damage caused by a breach, it’s absolutely critical that all parties know their role in response, and that all regulatory obligations (such as incident reporting) are part of a clearly defined incident response plan.
- Policy and governance. To make a privacy effort work, the effort needs clear and detailed documentation, along with a governance structure for accountability of the process.
A robust privacy protection plan may be an overwhelming task for companies that have limited experience with advanced cyber security. But with the help of an experienced partner, the task is well within reach for firms of all sizes. Lunarline supports our clients with the training, planning and technical implementation that go into a solid privacy solution.