The impact of personally identifiable information
Personally identifiable information (PII) is one of the richest data resources on the web. PII can tell you just about everything about a person: their behaviors, likes, dislikes, and history. In a terrible irony, this information wasn’t hijacked from people on the web; we gave it away willingly.
Since the days of the earliest social networks, we’ve provided details about ourselves to the known world, rarely considering the consequences. Understandably so: it’s hard to imagine who and what has access to our information at scale. You upload a photo to a social media profile and you might not think that hundreds – if not thousands – of strangers could see it.
On its own, that’s not an inherently bad thing. But it’s the build-up of this personalized data – stretching over years – which starts to create fault lines in security, personal and otherwise. Back in the earliest times of the internet, you’d receive suspicious emails about insane monetary sums.
Today, those same methods are employed, but founded on collected PII. That’s what makes them so lethal in today’s threat climate.
Our habits working against us
In the cybersecurity realm, information is power. Consider the kinds of things you’ve posted over the past year. From a comment on a forum to pictures, videos, anything, it all creates a digital mosaic of you. It doesn’t have to be perfect; it only has to give an impression of your personality.
Why? Threats are developed with PII in mind. Social engineers rely on details like these to covertly craft their predatory messages, ultimately hoping to target business networks for a payday.
Even knowledge of company email addresses is enough for a malicious party to begin a defrauding campaign. Imagine at least 100 messages sent from what look like official names and sources, one of which asks for a password: “hey I forgot the login to x network, do you have it?” In that casual hypothetical, it’s easy to forget security standards “in the moment.” And it’s that “moment” that contradicts and disrupts even the most robust cybersecurity infrastructure.
An attacker with one login, even if caught shortly after, could access parts of the network, install subtle monitoring software, and use stolen data to build a deadly ransomware attack. This BEC-style (business email compromise) attack is a fairly simple method, despite its effectiveness.
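The scenario above is one a mail gateway or SOC can check for mechanically. The following is an added example, not code from the original post: a small triage routine that flags messages whose display name matches an internal employee but whose address does not, whose sender domain is a lookalike of the corporate domain, or which ask for a login or password. The corporate domain (example.com), the employee directory and the sample messages are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Assumed corporate domain and a constructed directory of display name -> mailbox.
INTERNAL_DOMAIN = "example.com"
DIRECTORY = {
    "dana reyes": "dana.reyes@example.com",
    "sam okafor": "sam.okafor@example.com",
}

# Phrases that mark a message as a credential request worth a second look.
CREDENTIAL_REQUEST = re.compile(r"\b(password|login|credentials?|passcode)\b", re.IGNORECASE)


@dataclass
class Message:
    display_name: str
    address: str
    subject: str
    body: str


def domain_of(address: str) -> str:
    """Return the lowercase domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(msg: Message) -> list[str]:
    """Return the list of reasons this message deserves review (empty if none)."""
    reasons = []
    sender_domain = domain_of(msg.address)

    # Display-name impersonation: a known employee's name on a different mailbox.
    expected = DIRECTORY.get(msg.display_name.strip().lower())
    if expected and msg.address.lower() != expected:
        reasons.append("display name matches an internal employee but the address differs")

    # Lookalike domain: one or two characters away from the real corporate domain.
    if sender_domain != INTERNAL_DOMAIN and edit_distance(sender_domain, INTERNAL_DOMAIN) <= 2:
        reasons.append(f"sender domain {sender_domain} looks like {INTERNAL_DOMAIN}")

    # Credential request: flagged regardless of sender, since even a genuine internal
    # mailbox asking for a password over email should be verified out of band.
    if CREDENTIAL_REQUEST.search(msg.subject + " " + msg.body):
        reasons.append("message asks for a login or password")

    return reasons


def is_suspicious(msg: Message) -> bool:
    return bool(assess(msg))


def triage(messages: list[Message]) -> list[tuple[str, list[str]]]:
    """Return (sender address, reasons) for every message that needs review."""
    return [(m.address, assess(m)) for m in messages if is_suspicious(m)]


# Constructed sample traffic, including the casual request quoted in the post.
SAMPLES = [
    Message("Dana Reyes", "dana.reyes@examp1e.com", "quick one",
            "hey I forgot the login to x network, do you have it?"),
    Message("Dana Reyes", "dana.reyes@example.com", "Q3 numbers", "Figures attached."),
    Message("Newsletter", "news@vendor-mail.net", "Account notice",
            "Your password will expire soon, log in here to keep access."),
    Message("Sam Okafor", "sam.okafor@example.com", "VPN",
            "can you send me your password for the VPN?"),
]

if __name__ == "__main__":
    for address, reasons in triage(SAMPLES):
        print(address)
        for r in reasons:
            print("  -", r)
```

The credential-request rule is deliberately applied even to internal senders: the post's point is that the request itself, not only the sender, is the thing to treat with suspicion, and a mailbox that really belongs to a colleague may already be compromised.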
A culture of secure behavior
PII stands, then, as one of the biggest risks to your enterprise – if not the biggest. One reason, as we’ve discussed, is the sheer volume of information available to attackers. Imagine an attacker going through a worker’s Facebook profile that isn’t set to private. They could view their posts and pictures and get a general idea of their behavior. Even where profiles are private, some information is still available to a malicious entity.
Second, a “culture” of security isn’t common. Not everyone thinks of the net in the framework of cybersecurity. With their own personal responsibilities and lives, it’s easy to view cybersecurity as a nebulous concept left to IT experts. That’s understandable, because cybersecurity concepts – including their respective software – are indeed a complicated subject. To a regular person trying to do their job, it can feel overwhelming.
Despite this, it’s imperative to establish a culture of security. Even outside professional environments, a person should consider what they post and how it could potentially affect them.
This isn’t to suggest that everything we say and do online has to be monitored and minded under a strict set of rules, only that it’s information usable against us. That’s the key thing to remember about suspicious activity: data relevant to our lives is employed in such a way that we may give up important data about ourselves, like a login or additional personal information.
So how do we proceed with ingraining this in a general worker mindset?
In frankness, there is no easy or one-size-fits-all solution to creating a safety culture. It comes down to a matter of personal responsibility, among other things.
Teaching that is one aspect of good cybersecurity hygiene; enforcing it is another. Ultimately, you can’t really control what people do, even with regulations and penalties in place. But you can encourage and educate them about social engineering, giving them an idea of how to protect their own data from malicious actors, along with your enterprise network.
Still, even with good intentions, doing so can prove difficult. If you need help, consider advice from an MSP (managed service provider).