The more data an attacker already has about a user based on the information they purchased from one of these warehouses, the easier it will be for them to find and collect more user data, complete the user profile, and access anything that user touches.
When attackers can get this information through the underground, they don’t have to go out on the Internet to get it, and they don’t end up creating a footprint that the enterprise can follow, Beek adds. Attackers could prepare in secret, launch a major attack the first time they strike, and the enterprise would not have any early warning signs in order to prepare.
What enterprises can do
Stay abreast of evolving standards across and within industries on how to protect PII. The ISO/IEC 27018:2014 standard, “Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors”, is a standard that leaves room for amendments and revisions as the landscape changes. The NIST Special Publication 800-122, “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)”, covers determining and reducing the number of instances of PII you really need to store, where you need to store it, and how securely you should store it, says Beek.
How enterprises can fight back
- Stay up to date on evolving standards
- Adopt the most affordable security technologies
- Acquire one-off solutions to any unmet standards
- Create obscure default security questions
Other standards include the DHS “Handbook for Safeguarding Sensitive Personally Identifiable Information”. The OMB, GSA, and other government organizations have PII rules and guidelines. PII standards exist within industries such as finance and healthcare and wherever industry and regulatory requirements demand them.
Adopt the fewest, most affordable security technologies, policies, and enforcements that together meet the broadest array of applicable standards. Then acquire one-off solutions for any unmet standards that remain.
Vendors continue to develop better obfuscation and encryption technologies and techniques for PII even as experts share their thought leadership in how to better leverage existing measures for securing PII. Security questions at logon time are one such measure that needs tweaking. “Enterprises need to obscure default security questions so that people’s answers are not easily retrieved from their public social media accounts or other readily available information,” says Beek.
Meanwhile, the user concerned can be clever with the answers they choose to give to those default sign-on queries. Try exchanging your answer to question A with your answer to question C, for example, and then memorize it. Attackers won’t get so far so fast when your pet’s name is ‘ChevySilverado’ and your first car was a ‘Mittens’. Likewise, enterprises waiting for better PII security tomorrow should ensure today that any third-party vendor or enterprise customer who even might touch the PII they are responsible for also enforces PII security measures that meet or exceed acceptable standards.