- Companies must limit the exposure of external employee PII to reduce cyberattacks and other threats.
- Poor employee PII management can result in compliance issues, financial losses, potential legal liabilities, reputational damage, and loss of trust from customers and employees.
- Tech companies are vulnerable to intellectual property theft, employee poaching, data breaches, third-party risks, and compliance risks.
- Employee PII enables social engineering attacks, identity theft, physical theft, and ransomware attacks.
- Mitigating the risk of PII exposure requires limiting the availability of employee PII on data brokers, people search sites, and third-party vendors. An External Data Privacy (EDP) solution can help.
With modern threats leveraging exposed employee PII, businesses must prioritize the security of their employees’ personally identifiable information (PII).
In addition to deploying solutions to safeguard prized internal information, tech companies must do the same with external data. Of course, this includes employees’ PII, which is often used in the service of cyberattacks and other threats.
Consequently, this article aims to thoroughly discuss the importance of properly managing and safeguarding external employee PII. In addition, we provide detailed instructions on how to do so.
Managing Employee PII is Critical for Countering Modern Threats
External employee PII is any information outside of employer systems that can be used to identify and contact an employee.
Free, publicly available employee PII gives attackers easier access to organizations’ sensitive data, putting those organizations at risk of cyberattacks and other threats. The availability of this data can be attributed to:
- Data brokers, people search sites, and third-party vendors that list your employees’ details for sale.
- Google search results that rank your employees’ personal information near the top.
- Commonly exposed personal information that can lead to cybersecurity vulnerabilities and threats to executives.
- Hundreds of online and offline databases where this information can be publicly searched.
As a result, tech companies must take action to limit this exposure to reduce the associated threats and risks.
Risks and Threats of Poor Employee PII Management in Tech
There are several threats and risks of not correctly managing employee PII. These include compliance issues, financial losses, potential legal liabilities, reputational damage, and loss of trust from customers and employees.
Intellectual property (IP) theft: Big tech companies need to worry not only about China but also about competitors. Even some of the most prestigious brands have been found guilty of IP infringement (e.g., Google, thrice). IP theft resulting from data breaches is a particular security concern for tech companies.
Employee poaching: Poaching is widespread across industries, but technology companies are particularly vulnerable. The high demand for skilled workers and the competitiveness of the industry make tech companies prime targets for poaching. Losing key employees to competitors can result in various adverse consequences, including lost revenue, decreased competitiveness, and other damaging impacts.
Data breaches: Tech companies must also protect against the theft of valuable IP and other highly sensitive data. Threat actors target tech companies heavily, often stealing trade secrets, patents, and other proprietary resources. Similarly, sensitive health, finance, and government data may also be targeted, and the consequences of such breaches can be severe.
Third-party risks: Tech companies often rely on third-party vendors and suppliers for various services, including cloud computing, data storage, and software development. Consequently, tech companies must ensure third-party vendors’ compliance with security protocols, including those pertaining to External Data Privacy (EDP) risk.
Compliance risks: The tech sector is subject to various regulations and laws related to data privacy and security, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Failure to comply with these regulations can result in significant financial penalties, legal liabilities, and reputational damage.
PII-Infused Attacks in Big Tech
Employees’ external PII is increasingly used to enable social engineering attacks, including phishing, spear phishing, and business email compromise (BEC).
Several attacks can be at least partially enabled by employee PII exposure. Here are a few examples:
- Spear phishing attacks: Attackers use employee PII such as names, email addresses, and job titles to craft convincing emails that appear to come from a legitimate source, such as a trusted company or business partner. The phishing email may ask the employee to click on a malicious link, download a file, or enter sensitive information.
- Social engineering attacks: Attackers use employee PII to impersonate or gain the employee’s trust to steal sensitive information or access company systems. For example, an attacker might use an employee’s name and job title to pose as an IT employee and request the employee’s login credentials.
- Identity theft: Attackers use employee PII such as social security numbers, birthdates, and home addresses to steal an employee’s identity and commit fraud. This information may then be used to execute an attack on the employee’s organization.
- Physical theft: Attackers can use employee PII to gain physical access to company facilities or assets. For example, an attacker may use an employee’s stolen ID badge to access a secure area of the company’s building.
- Ransomware attacks: Attackers can use employee PII to gain access to company systems and deploy ransomware. Ransomware can encrypt the company’s files and demand payment for the decryption key. If the attacker has access to employee PII, they may also threaten to release the PII publicly if the company does not pay the ransom.
Sources of Employee PII
Proactively mitigating the risks described above requires focusing removal efforts on the most prominent disseminators of employee PII: data brokers, people search sites, and third-party vendors. By limiting the availability of information on these platforms, organizations can reduce the likelihood of threat actors acquiring employee PII and ultimately reduce the risk of attacks.
In addition, giving employees back their right to control what companies do with their data is essential in protecting PII and deterring threat actors. This may also allow employees to opt out of certain data collection efforts, such as industry mass marketing and targeted advertising.
An External Data Privacy (EDP) solution offers these and more capabilities.
How EDP Mitigates PII Exposure Risk in Big Tech
EDP companies like Privacy Bee help mitigate PII exposure risk by seeking out and removing employee PII from across the web. Because Data Brokers and People Search Sites are the most prolific publishers and sellers of PII, EDP solutions focus most of their removal efforts there.
However, EDP doesn’t stop with Data Brokers and People Search Sites. Additional features that reduce the threat surface include:
- 24/7/365 vulnerability monitoring: Real-time privacy threat scanning for public PII exposure or threats, including data breaches.
- Privacy Risk Score: A simple score calculating your organization’s exposure risks and ways to improve them.
- Custom privacy preferences: A centralized location where employees can configure which companies they trust to have their data and which should delete their information.
- Removal from major industry mass marketing lists: Immediate opt-out of every major industry’s mass marketing campaigns (e.g., Publishers Clearing House, credit pre-screens, etc.).
- EDP-centric vendor risk management (VRM): A free application to analyze third-party vendors for EDP risk, the most common attack vector for compromising vendors.