Think of everything you've posted online over the past year — photos, blog entries, comments on websites, and so on. Now consider how much of that content says something about you as an individual, from your habits to where you live to what you buy. The Internet is awash in personally identifiable information (PII), and we should never forget that this is a major cybersecurity liability for individuals and companies alike.
Some forms of PII can be used to infiltrate a victim's accounts and networks directly, such as account numbers and passwords. However, even seemingly innocuous forms of PII can put employees and companies at risk — the more cybercriminals know, the easier it is for them to manipulate and defraud their victims. For example, if cybercriminals have access to employees' email addresses, they can launch a password spraying attack in which they test a single password on every available account until they break into one
PII security has to be a priority all the time — it's not enough to make sure employees are using good password hygiene, avoiding malicious links and attachments in emails, and so on. They also have to be mindful of their digital behavior in other domains — which cloud services they're using (and what security protocols those services have), whether they work on personal devices, and what other personal details they disclose.
Cybercriminals' Most Important Resource
Although cybercriminals have a range of motives for why they infiltrate secure accounts and systems, the use and theft of information is always at the center of their attacks. According to IBM's 2020 Cost of a Data Breach report, 80% of breaches include "records containing customer PII." This finding is mirrored by Verizon's 2020 Data Breach Investigations Report, which observes that "email addresses are Personally Identifiable Information (PII) and ... Personal is the most common variety of data to be breached in this year's report."
The amount of PII for cybercriminals to steal and exploit is increasing all the time. There are billions of social media users (15.5 people join every second) and even more Internet users. Meanwhile, e-commerce and other digital services continue to surge, which encourages people to spend more and more of their time online. This means vast quantities of PII are constantly in circulation, and cybercriminals are always looking for ways it can be leveraged to either break into a company's networks or convince employees to disclose sensitive information.
While we're never going to reach a point where employees stop sharing material online (nor should we want to), it's crucial for them to learn how to do so as securely as possible.
Cybercriminals Are Always Trying to Exploit PII
According to the most recent data from Nielsen, the average American adult spends almost 12.5 hours in front of various screens (smartphones, tablets, computers, etc.) daily — an increase from just over 11 hours in 2018, and a number that has steadily been climbing for years. This has led to an explosion of online PII, which cybercriminals have used to dramatically increase their attacks in recent years.
Even when employees don't think they're posting information that could be potentially compromising, the risk that it will be used against them is ever-present. For example, the publication of work email addresses doesn't just give cybercriminals a collection of targets for password spraying attacks — it also provides targets for other forms of malware, which can be sent to those addresses in the form of attachments or malicious links. Employees don't just have to be cognizant of what they're sharing, either — they have to pay close attention to account security in general. Pew reports that 39% of social media users have "logged into another website using the credentials from their social media accounts," a number that rises to 56% among 18–29-year-olds.
Passwords are the most sensitive form of PII, and employees can't afford to be careless with them. Pew also finds that 13% of Americans have had their accounts "taken over without permission" — a reminder that whatever password they were using on Facebook, Twitter, Instagram, etc., could then be tried out on their company email or any other secure network that requires login credentials.
How to Keep Sensitive PII Away From Prying Eyes
There are many ways employees can keep their PII secure — from password managers (which just 12% of Americans say they use, according to the Pew report) to other forms of cybersecurity hygiene, like the refusal to click on suspicious links and attachments. However, PII protection also requires a fundamental shift in how many employees use digital platforms.
We've all heard jokes about the people who post updates about every last detail of their lives, from what they had for breakfast to what they think about their co-workers. But in reality, many of us have a tendency to overshare online, and this provides a target-rich environment for cybercriminals. While most people know not to publicize sensitive information like bank account or Social Security numbers, it's important to understand the ways in which even ostensibly harmless posts can be used for nefarious purposes.
To take just one example: Imagine an employee posts a picture of his messy workspace to get a few laughs. If they're like the 49% of Americans who write passwords down to remember them (according to the Pew study), they might have a sticky note with sensitive account information on the computer monitor or somewhere else on the desk. Employees have to get into the habit of thinking about threats like this and adjust their behavior accordingly.
While the existence of online PII will always be a necessary byproduct of our increasingly digitized lives, there's no reason it has to be this massive source of fraud and cyber-insecurity. By being more mindful of how and where they share PII, employees will deprive cybercriminals of their most useful tool.
The post "How Personally Identifiable Information Can Put Your Company at Risk" was written by Zack Schuler , CEO/founder of NINJIO, and can be found on DARKReading.