The number of headlines describing data breaches within large companies has everyone wondering: can enterprise security do enough to protect personally identifiable information (PII)? Whether it’s related to improper storage or inadequate protection, breaches are often the result of a strategy that isn’t thoroughly developed.
The consequences of a breach are often described in terms of dollars lost through compromised information and downtime, but the impact goes much further. Loss of reputation, public trust, and customer confidence all hurt the bottom line.
The Challenge: PII is not limited to phone numbers, social security numbers, and addresses. The digital landscape of the economy means that PII also extends to digital images, login identification, and even social media profiles. Even data related to geolocation, biometrics, and behaviors are included in PII. What used to be primarily a concern for those in finance and health care is becoming a central concern for all industries.
Organizations have typically combated the problem with passwords. When simple passwords proved too easy to guess or crack, increasing password complexity seemed to be the answer. But adding more layers to the password process only frustrated consumers, and even the most robust password policy won’t stop an attack that arrives through phishing. Here are six enterprise security steps you can put in place to better protect your customers’ PII:
- Define and Determine Location: The first step to protecting PII is knowing exactly what is being collected and where your enterprise is storing it. You should also determine if your practices are adequate for safe collecting and storage.
- Review Compliance Regulations: The rules for safe PII collection and storage vary by industry and by the government having jurisdiction over where you do business. You need to get details on the rules governing the collecting, storing, transmitting and handling of PII, and examine how regulations function according to your customers’ location and your own. You may be impacted by one or more of the following sets of regulations:
  - Health Insurance Portability and Accountability Act (HIPAA)
  - General Data Protection Regulation (GDPR)
  - Payment Card Industry Data Security Standard (PCI DSS)
  - Personal Information Protection and Electronic Documents Act (PIPEDA)
- Assess Your Risk: Identify vulnerabilities in your enterprise security plan, and document the potential threats, the steps you’re taking to ensure compliance with regulations, and your risk management strategies.
- Develop Secure Deletion Practices: Many enterprise security teams overlook the important step of deleting unnecessary PII. Storing information you don’t need is a security risk in itself. Data that needs to be deleted may include records of former customers, outdated employee information, and PII stored on unused devices.
- Classify PII: Data needs to be identified by level of risk. A list of email addresses, for instance, carries less risk than credit card data.
- Schedule Reviews: An enterprise security plan requires frequent analysis and review, with opportunities to incorporate new best practices in your industry.
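Three of the steps above (locating PII, classifying it by risk, and flagging what should be deleted) can be started with a small inventory script. The following is an added example and not code from Cory Communications; it scans a constructed set of data stores, tags each field that looks like PII, rates each store by its most sensitive field, and lists records whose `last_activity` date (an assumed field name) is older than a retention window. The risk tiers, the detection patterns, and the retention period are all assumptions chosen for illustration, not a regulatory mapping.

```python
import re
from datetime import date
from typing import Optional

# Risk tier per PII type; higher means more sensitive.
# Constructed tiering for the example, not a regulatory classification.
RISK_TIERS = {"email": 1, "phone": 2, "ssn": 3, "card": 3}

# Simplified detection patterns for single field values (constructed).
PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "phone": re.compile(r"^\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}$"),
    "card": re.compile(r"^(?:\d[ -]?){13,19}$"),
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; cuts false positives when a 13-19 digit string is seen."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value) -> Optional[str]:
    """Return the PII type of one field value, or None if it is not recognised."""
    if not isinstance(value, str):
        return None
    v = value.strip()
    if PATTERNS["ssn"].match(v):
        return "ssn"
    if PATTERNS["card"].match(v) and luhn_valid(re.sub(r"[ -]", "", v)):
        return "card"
    if PATTERNS["email"].match(v):
        return "email"
    if PATTERNS["phone"].match(v):
        return "phone"
    return None


def inventory(stores: dict, today: date, retention_days: int) -> dict:
    """Walk every record in every store: tag PII fields, rate the store by its
    most sensitive field, and flag records past the retention window."""
    report = {}
    for store_name, records in stores.items():
        pii_fields = {}
        stale = []
        for rec in records:
            for field, value in rec.items():
                kind = classify_value(value)
                if kind:
                    pii_fields[field] = kind
            last_seen = rec.get("last_activity")  # assumed field name
            if isinstance(last_seen, date) and (today - last_seen).days > retention_days:
                stale.append(rec.get("id"))
        max_tier = max((RISK_TIERS[k] for k in pii_fields.values()), default=0)
        report[store_name] = {
            "pii_fields": pii_fields,
            "max_tier": max_tier,
            "stale_records": stale,
        }
    return report


# Constructed sample data; the card number is a well-known test value.
SAMPLE_STORES = {
    "crm_db": [
        {"id": 1, "email": "alice@example.com", "phone": "555-123-4567",
         "last_activity": date(2024, 1, 10)},
        {"id": 2, "email": "bob@example.com", "phone": "555-987-6543",
         "last_activity": date(2019, 6, 1)},
    ],
    "payments_export.csv": [
        {"id": 7, "card": "4111 1111 1111 1111", "last_activity": date(2023, 11, 5)},
    ],
    "hr_archive": [
        {"id": 3, "ssn": "123-45-6789", "last_activity": date(2017, 3, 2)},
    ],
    "newsletter": [
        {"id": 9, "email": "carol@example.com", "last_activity": date(2024, 2, 1)},
    ],
}

if __name__ == "__main__":
    # Two-year retention window is an assumption; set it from your own policy.
    for store, result in inventory(SAMPLE_STORES, date(2024, 3, 1), 730).items():
        print(f"{store}: tier {result['max_tier']}, fields {result['pii_fields']}, "
              f"stale {result['stale_records']}")
```

The report gives a starting point for the inventory and classification steps: stores rated at the top tier deserve the strictest controls, and the stale record ids are candidates for the secure deletion process once the applicable retention rules have been confirmed.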
One of the most important steps for enterprise security is the buy-in of your executives. They must be convinced of the exact nature of the risk associated with compromised PII and work to create a culture where protection of PII is prioritized. With the right approach, executives can also proactively watch for vulnerabilities as well as provide training to ensure that breaches related to employee errors are minimized.
If your organization is considering your enterprise security strategy and how best to protect PII, contact us at Cory Communications. We can walk you through these steps and help minimize your risk with the right security tools.