Last year, there were over 1.1 million cases of identity theft in the United States alone, and at least 422 million individuals were impacted. Hackers still find it easy to get at sensitive data, and personal information that reflects an individual's identity (PII) is key to how they plan cyber attacks. Yet organizations continue to struggle to raise cyber security awareness.
Psst: CISOs and experts, this is one of our beginner-oriented articles! If you're looking for more advanced material, we recommend a dive into the blog archives!
PII stands for personally identifiable information. This is the key information that hackers and identity thieves use to steal an identity for nefarious purposes. PII ranges from the mundane—first and last name, address, phone numbers—to the specific—date of birth, Social Security or government ID numbers, passport information, etc.
Taken individually, these pieces of information are rarely useful to hackers. But combined with each other, or with other bits of data (even things considered public knowledge, like your high school mascot or your pet's name, which are exactly the kinds of answers account-recovery "security questions" ask for), they make online shopping, investment management, and personal banking accounts far easier for an attacker to take over.
First, the best thing you can do, wherever it is available, is to always use Multi-Factor Authentication (MFA). Second, improve password strength and avoid using PII in your passwords. 59% of Americans use their name or date of birth as part of a password. That habit, combined with how common password reuse is, makes large-scale automated attacks possible: one leaked password, tried against many sites (credential stuffing), or a name and birth year fed into a password-guessing list.
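One practical way to enforce the "no PII in passwords" advice is to screen a new password at registration against the user's own name, email and date of birth, the way NIST SP 800-63B recommends screening against context-specific words and known-breached passwords. The following is an added example written for this article, not code from the original page or from any vendor; the minimum length, the substitution table, the date layouts and the small breached-password list are all assumptions chosen for illustration.

```python
"""Added example (not from the original article): a registration-time
password check that rejects passwords built from the user's own PII.
Screens against name/email fragments (including common "leet" mangling),
date-of-birth digit strings, and a breached-password blocklist.
"""
import re
from datetime import date

# Constructed sample of a breached-password blocklist. Real deployments
# check against a full corpus (e.g. Have I Been Pwned's Pwned Passwords).
BREACHED_SAMPLE = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Keyboard substitutions attackers try when mangling names (assumed table).
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 12  # assumed policy value; NIST's floor is 8 characters


def name_fragments(first_name, last_name, email):
    """Lowercase name and email tokens an attacker would guess first."""
    frags = {n.lower() for n in (first_name, last_name) if n}
    local_part = email.split("@", 1)[0].lower()
    frags.update(re.split(r"[._+\-]", local_part))
    return {f for f in frags if len(f) >= 3}


def dob_fragments(dob_iso):
    """Digit strings for the date of birth in layouts people actually type."""
    dob = date.fromisoformat(dob_iso)
    layouts = ("%Y", "%d%m%Y", "%m%d%Y", "%Y%m%d",
               "%d%m%y", "%m%d%y", "%d%m", "%m%d")
    return {dob.strftime(fmt) for fmt in layouts}


def check_password(password, first_name, last_name, dob_iso, email):
    """Return the list of reasons a password is rejected; empty means accepted."""
    reasons = []
    raw = password.lower()
    unmangled = raw.translate(LEET)  # undo "j0hn" -> "john" style mangling
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if raw in BREACHED_SAMPLE:
        reasons.append("appears in breached-password list")
    for frag in sorted(name_fragments(first_name, last_name, email)):
        if frag in raw or frag in unmangled:
            reasons.append(f"contains name/email fragment '{frag}'")
    # Digits are checked on the raw string only: LEET would turn 1990 into i99o.
    for frag in sorted(dob_fragments(dob_iso)):
        if frag in raw:
            reasons.append(f"contains date-of-birth fragment '{frag}'")
    return reasons


if __name__ == "__main__":
    # Constructed sample user; both inputs are illustrative.
    user = ("John", "Smith", "1990-03-15", "john.smith@example.com")
    print(check_password("J0hnSm!th1990!!", *user))
    print(check_password("correct-horse-battery-staple", *user))
```

The four-digit day/month fragments ("1503", "0315") will occasionally flag an unrelated number; that is an accepted trade-off here, since the check only asks the user to pick again. Hash-based lookups against a full breach corpus, rather than the inline sample set, are what a production service would use.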
Remember, more than 90% of attacks are made possible by human error, which in many cases traces back to password problems: passwords that are leaked, poorly constructed, or easily guessable.
PII is of high value to attackers, who acquire it by several means, including deceptive social engineering or simply purchasing it on darknet marketplaces. Attackers' goals range from identity theft and financial fraud to exposing the details of a person's private life, defamation, or harassment.
The nature of these attacks takes several forms:
Regulatory compliance standards like the General Data Protection Regulation (GDPR) in Europe, the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI-DSS) offer guidelines for securing personally identifiable information (HIPAA and PCI-DSS each cover a specific subset of it: health records and cardholder data, respectively). These standards help define practices for internal access, backups and archives, when VPNs or MFA should be required, and who within the organization can view PII.
Standards are good input when designing security policies and data governance practices, but they are only a start. Making a lasting difference requires a change in the mindset of users, one they will internalize, making cybersecurity part of the organizational culture. That cultural shift should engage people throughout the entire organization, to prevent potential breaches long before phishing, social engineering, and other tricks are used to steal PII.
Employees need more than to be made aware of best practices or educated on them; they need to internalize a culture of cybersecurity. They should instantly recognize which data and documents constitute PII. They need to understand and identify phishing and social engineering, be taught to recognize a potential attack, and have an easy and effective means of reporting it.
Cybersecurity training, and the policies and procedures that govern data and the people who access it, should be reviewed regularly, and employees' awareness should be measured and tracked programmatically. This approach makes it more likely that breaches are prevented in the first place, rather than practices being reevaluated only afterwards as part of an incident response plan.
Of course, understanding how data should be handled, secured, and protected is always part of a healthy cybersecurity program; but for your employees, an ounce of prevention is generally worth a pound of cure when it comes to handling PII.
By understanding PII and how it can be stolen, organizations can take appropriate steps to protect it and educate staff on the digital security measures for online safety, at home and at the office.
Learn More:
How to Protect Your Identity and Data During Tax Season
NIST: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
Do you want to know more about how we can help you and your employees with identifying and safeguarding PII? Request a demo with us today and check out our unique awareness training. We won’t ask for your birth mother’s maiden name.