How to pivot a PII strategy against the growing threat of cyberattacks

Stockholm-based Petra Tesch, Chief Information Officer, Vizrt, asks how a company can ensure its Personally Identifiable Information (PII) is adequately protected.

Cyberthreats are increasing and becoming more serious by the day, so it’s crucial for organisations to stay one step ahead when safeguarding their digital assets. Personally identifiable information (PII) sits in the firing line, meaning companies must be vigilant in their defences.

In the hands of threat actors, PII can lead to severe consequences for customers, and if a company’s infrastructure suffers a leak in customer data, it can significantly and permanently damage a business.

In the interests of everyone involved, how can a company ensure its PII is adequately protected?

The challenges today  

PII is any data that could identify a specific individual. However, the data stored today is far more complex than in previous years. It is no longer only names or emails that are being stored: we’ve also seen the adoption of advanced technologies such as biometric scans become normal, with digital fingerprints and facial recognition systems being used to unlock devices. The data associated with these tools is immense. At the same time, personal data is growing in value. Bad actors can use any of this data to create false accounts in a person’s name, create debt or steal an identity completely.

With more than 300 million terabytes of information being created daily, ransomware attacks are growing and the risk is becoming severe. In a recent parliamentary report, the UK government stressed that ‘ransomware has wrought devastating damage on countless victims and poses a major threat to the UK’s national security’.

However, even when organisations invest in security solutions, the most robust of defences are no stronger than the weakest link in the chain. This is proven by the fact that in the second quarter of 2023, the number of breached data records in the UK was around 420,000. Phishing attacks also remain a genuine concern, posing a significant risk to individuals and organisations as cybercriminals employ increasingly sophisticated tactics to compromise sensitive information.

With technology becoming more advanced, the threat will only increase in the coming years as cybercriminals exploit the vulnerable with more sophisticated technologies. When confronting this threat, the best way to protect a business and PII is to take a holistic approach to cybersecurity. That way, any business will have a better chance at keeping customer data, end-users and critical infrastructure secure.

Digging into data

With data seemingly becoming more valuable, organisations may be tempted to store as much PII as possible for longer than necessary. But this isn’t quite as straightforward or beneficial as it seems. Companies might think that more data equals a greater advantage over their competitors, especially when it comes to marketing or personalisation efforts, but the overall risks can sometimes outweigh the benefits. 

Why? Because data is only as good as how it is used. Untouched data can sit dormant and, if unprotected, can be leveraged to exploit a company or customer. 

Minimising the data that is stored to ensure that only essential information is held is critical to reducing threats. For example, if a business only needs a name or email address, only that information should be recorded. All businesses need to refrain from falling into the trap of recording more than they need. 

When tackling this challenge, the first step is to delete any old, unneeded PII securely and permanently, so that it is inaccessible to potential attackers. Minimising threats pertaining to PII isn’t necessarily about installing expensive software or new infrastructures that’ll catch strange activity, but about cutting down on the information stored.

Unfortunately, this is not as simple as pressing the delete button several times. An experienced and knowledgeable team must execute data reduction and minimisation. This ensures the data is removed effectively from complex IT infrastructures and in line with company policies. Having the right staff on hand is, therefore, critical when pivoting.

Take precautions and train employees

Customers trust that the companies they do business with are handling their information correctly. Regardless of size, mishandling sensitive data can have devastating consequences for a business. These include hefty penalties, reputational damage and loss of trust.

To mitigate these risks, companies should invest in comprehensive training programmes for their staff to ensure they understand the importance of handling PII securely. This includes educating employees about relevant privacy regulations, implementing secure data-handling practices, avoiding phishing attempts and fostering a culture of privacy awareness throughout the organisation. 

Another approach is to restrict how employees can store sensitive customer information, especially in smaller businesses where individuals handling customer inquiries also have access to other parts of the company. For example, data stored on employee laptops is at higher risk of loss or theft than when it is maintained by internal systems with proper controls.

Similarly, work and personal accounts must be kept separate, with no employees transferring company data containing personal information to individual machines or accounts. Additionally, customer data should only be moved to cloud services sanctioned for company use.

When ensuring PII is secure, existing processes and teams are the most important place to look first. If a business doesn’t have the appropriate skills or policies to keep PII safe, it may need to consider alternative solutions or suppliers that can do this effectively.

The bottom line  

Safeguarding PII has become paramount as data breaches hit unprecedented levels. 

Data may be king, but businesses storing vast amounts of personal information must understand the best methods to protect these digital assets. Minimising the amount of dormant data available is an excellent place to begin, while ensuring staff are adequately trained in PII security is crucial too.

Reassessing how you manage and secure PII will prevent cyberattacks, preserve customer trust and protect your company’s reputation. There has never been a more vital time to pivot your PII practice. 
