Cybersecurity “Fails” to Address PII Exposure

Executive Takeaways

  • Cybersecurity solutions alone cannot protect sensitive data and systems from the evolving threat landscape. External Data Privacy (EDP) is essential for creating an efficient, holistic security solution.
  • The unaddressed security gap in many organizations’ defenses regarding employee PII exposure is a significant factor in cyberattacks, leading to several different attacks with severe consequences.
  • While cybersecurity measures protect internal systems, they do nothing to secure employees’ external PII.
  • Employees’ external data is often a critical attack element used to select and target victims and craft more authentic messages.
  • EDP is a unique solution that proactively seeks out and reduces an organization’s threat surface by scanning, removing, and monitoring its employees’ PII.

Have you ever wondered why the number of cyberattacks continues to increase, despite the vast sums spent on cybersecurity? PII exposure is at least partly responsible.

Cybersecurity has become a significant concern for organizations of all sizes in recent years, with cyberattacks becoming more frequent and sophisticated. As a result, companies have invested heavily in cybersecurity solutions to safeguard their data and networks. This spending spree will likely continue for at least the next few years [1].

Spending isn’t the problem or the solution.

While cybersecurity is essential, it can’t protect sensitive data and systems from the evolving threat landscape by itself. This article will explore why cybersecurity “fails” at times and why integrating external data privacy (EDP) is essential for creating an efficient, holistic security solution.

The Problem of PII Exposure

Criminals are lazy as well as clever. That’s why they don’t walk into banks with shotguns anymore. It’s easier to go and steal stuff online [2].

Alan Woodward, Internationally renowned computer security expert

While many enterprises have done well in codifying and implementing internal data privacy policies and procedures, few have done the same with external data. Even fewer have done anything about the problem of PII exposure [3].

Consequently, there remains an unaddressed security gap in many organizations’ defenses.

As a result, threat actors increasingly use external employee PII to circumvent technical controls. The most common way they do this is via social engineering and spear phishing.

According to Verizon’s Data Breach Investigation Report (DBIR), 82% of data breaches “involved the human element, including social attacks, errors, and misuse,” and nearly 40% relied strictly on social engineering [4].

Indeed, this PII-enabled security vulnerability is at least partly to blame for the continued rise in cyberattacks. Even technically gifted hackers are opting more for PII-infused social engineering attacks.

PII-enabled Attacks

Employee PII exposure enables several different attacks that carry tremendous consequences for organizations. These include:

  • Phishing and spear phishing attacks: Attackers often use publicly available PII such as name, email address, and job title to craft email attacks. These attacks are designed to compromise systems and steal sensitive data (e.g., intellectual property, user credentials, etc.) and/or money.
  • Social engineering attacks: Employee PII is often used to impersonate employees to gain the victim’s trust and trick them into revealing sensitive information. Social engineering attacks often lead to data breaches and financial losses.
  • Identity theft: Exposed PII may be used to commit identity theft before being used to compromise organizational systems or data.
  • Business email compromise (BEC): Attackers use exposed PII to impersonate employees and send fraudulent emails requesting money transfers or sensitive information.
  • Credential harvesting: Exposed PII may be used to craft convincing messages that get employees to reveal their login credentials. These credentials are often used to compromise systems and data.

Learn about the Privacy Bee platform and how it can de-risk your organization.

Cybersecurity Does Not Address PII Exposure

Cybersecurity doesn’t attempt to address the problem of proliferating PII, as PII exposure lies outside of its purview.

While traditional cybersecurity measures such as firewalls, intrusion detection systems (IDS), and antivirus software are essential for protecting internal systems, they do nothing to secure employees’ external PII [5]. As the threats posed by data breaches and cyberattacks evolve, enterprises must address this vulnerability or continue to suffer the consequences.

Enterprises can not address this vulnerability by thinking along the lines of cybersecurity because the modern cybersecurity framework centers around protecting internal resources using technical means. The problem is that attackers are doing the opposite, as mentioned earlier.

In short, scanning, removing, and monitoring for PII exposure requires an alternative solution.

External Data Privacy

External Data Privacy (EDP) is a unique solution that addresses the critical issue of employee PII exposure. Unlike traditional cybersecurity measures that reactively protect internal systems, EDP proactively seeks out and reduces an organization’s threat surface by scanning, removing, and monitoring its employees’ PII.

Also, PII is the only framework integrating risk mitigation measures for vendors and other partners into its privacy platform. In this way, EDP is a legitimate data breach and vendor risk management (VRM) solution. There are many other potential privacy- and non-privacy (e.g., productivity) use cases for EDP.

In addition to removing employee PII, Privacy Bee also puts users back in control of their data. While the solution immediately issues removal requests and opts the user out of mass marketing efforts, Privacy Bee also maintains a comprehensive database of over 117,000 companies from which users can tweak their privacy preferences, including opting out of communications and requesting that the company delete any information it holds on the user.

Reducing Employee PII Exposure is a Security Must

The integrity of a person can also be compromised when they alter their behavior due to the adversary’s actions. Examples include responding to a phishing email or falling victim to a pretexting scenario. These are the two main types of integrity violations we see in our data [4].

Verizon’s 2022 Data Breach Investigations Report (DBIR)

Ad the human element will always be a factor in attacks, there are two feasible options for mitigating social engineering risk: reducing employee PII exposure and employee training.

Despite well-designed social engineering awareness training, there will always be employees who ignore or forget what they’re taught. All it takes to compromise the organization is one employee to lose awareness and act carelessly.

On the other hand, if the attacker can’t get to that employee, it doesn’t matter.

The solution is clear: we must limit the information used to locate and compromise employees. An EDP solution achieves this by eliminating employee PII from across the internet, including critical sources such as People Search Sites and Data Brokers.

By combining EDP with cutting-edge cybersecurity solutions and regular awareness training, organizations can achieve a three-pronged approach to security that delivers a comprehensive and holistic solution.

You can take the first step toward a more private enterprise by scanning employees for exposure risks.

References

[1] Pratt, M.K. (2021, December 20). Cybersecurity spending trends for 2022: Investing in the future. CSO Online. https://www.csoonline.com/article/3645091/cybersecurity-spending-trends-for-2022-investing-in-the-future.html

[2] Baraniuk, C. (2017, July 26). It’s a myth that most cyber-criminals are ‘sophisticated’. BBC Future. Retrieved from https://www.bbc.com/future/article/20170726-why-most-hackers-arent-sophisticated

[3] Rahnama, H., & Pentland, A. (2022, February 25). The New Rules of Data Privacy. Harvard Business Review. https://hbr.org/2022/02/the-new-rules-of-data-privacy

[4] Verizon. (2022). 2022 Data Breach Investigations Report. Retrieved from  https://www.verizon.com/business/resources/reports/dbir/

[5] Zheng, Y., Li, Z., Xu, X., & Zhao, Q. (2022). Dynamic defenses in cyber security: Techniques, methods, and challenges. Digital Communications and Networks, 8(4), 422-435. https://doi.org/10.1016/j.dcan.2021.07.006

Previous article

Enterprise Use Cases for External Data Privacy: Part II
Next article

Your Newly Vulnerable Attack Surface and How to Reduce It

Shrink Your Attack Surface - Make it Difficult for Hackers to Find Entry via Social Engineering

Trusted by thousands of companies.

Instant access to the world's leading business privacy platform. Dive into your account:

By registering, you're agreeing to our Terms of Service

Or prefer to speak with sales?