Mitigating Exposed PII Dramatically Lowers Risk of Data Breach via Social Engineering

Chief Information Security Officers can dramatically improve the efficacy of their efforts to interrupt costly and disruptive social engineering attacks on their organizations by addressing the root cause of these losses instead of simply mitigating the symptoms.  Every day, CISOs fight a pitched and ongoing battle to harden the security of their organization’s information systems – applications, databases, computer networks and web equities – while overlooking a critical vulnerability. Improving cybersecurity hygiene across the entire workforce – if it is considered at all – is not emphasized enough compared to other strategies aimed at interrupting the rising tide of social engineering crimes.  Cybersecurity hygiene involves more than just strong password protocols and employee training videos about phishing schemes.  It requires specially focused strategies and tactics to prevent a data breach, data leak or other kind of data spill.

This document examines the statistics surrounding the current state of cyber crime in American industries and offers a useful perspective about the scope and scale of the problem. It also presents a compelling argument for embracing a proactive posture regarding the protection of the workforce’s Personally Identifiable Information (PII) – the critical and frequently overlooked first step in mitigating data breaches and other risks posed by proliferating social engineering crimes.

InfoSec Must Focus on External Data Privacy

There is an important distinction to be made when it comes to hardening an organization’s information security through improved PII protection protocols.  That is, the distinction between internal and external data and data privacy.  The best CISO can leverage best practices and be extraordinarily vigilant with all the assets and data structures under his or her direct control.  However, they cannot single-handedly ensure every employee, contractor, vendor or supply chain partner with legitimate access to organizational systems adheres to the same level of data hygiene standards.  

For this reason, bad actors are increasingly looking for ways to exploit weaknesses in the data privacy of individuals working for a target organization.  They’re even increasingly focusing their social engineering scams on employees working for external partner organizations which often maintain integrated data systems and applications like ERPs, supply chain management platforms and others.  As a result, the numbers of data breach instances are rapidly rising.

Targeting the PII of supply chain partners’ employees for example, has become a successful strategy for thieves to break into secure systems and extract value.  Whether their strategy is to install ransomware, or simply to steal credit card numbers and other sensitive user data from their victims’ information systems, criminals are finding it easier to slip in, exploiting the unprotected external data of individuals to gain access to high value data in encrypted systems.

The 2022 Incident Response Report from cybersecurity firm, Palo Alto Networks, publishes a visualization illustrating criminals’ increasing preference for exploiting external data privacy gaps.  Note that in 2022, attacks on internal data structures through brute force credential attacks and through hacking to exploit software vulnerabilities were responsible for a combined 40% of initial, unauthorized access (data breach) to information systems.  On the other hand, Phishing, Social Engineering and otherwise compromised credentials made up 48% of unauthorized access.  

Social engineering attacks exploiting the external PII data of individuals requires far less time and effort on the part of cyber criminals and is rising in popularity as the primary methodology for perpetrating these attacks. 

This trend is validated further in the 15th Annual Verizon Data Breach Investigation Report or DBIR which notes the brutal growth of cyber crimes over the last 12 months.  In particular, this report calls out supply chain breaches as one especially fruitful profit center for criminals.  DBIR, in its introduction noted, 

“The past year has been extraordinary in a number of ways, but it was certainly memorable with regard to the murky world of cyber crime. From very well publicized critical infrastructure attacks to massive supply chain breaches, the financially motivated criminals and nefarious nation-state actors have rarely, if ever, come out swinging the way they did over the last 12 months.”

And when it came to social engineering as a subset of all data breaches, it was no surprise that 82% of reported intrusions involved the human element and a full 100% of all threat actors were external.  Since there is little an organization can do to exert control over the cyber hygiene of its extended network of affiliates and partners, the answer must focus on methods for improving cybersecurity hygiene to address the external component which, before the emergence of Privacy Bee, had historically been considered impractical.  This is why organizations are engaging Privacy Bee to improve cybersecurity hygiene outside the walls of their operations. 

Fifty Times More Likely to Be Victimized

If there is any question that poor cybersecurity hygiene is truly the root of the problem when it comes to social engineering risk, look no further than the Q4 2022 report from RiskRecon.  This enterprise security and risk management company was founded by Mastercard to deliver risk assessments, diagnostics and due diligence to large organizations, helping protect their supply chains and vendor/partners.  The report, titled “RiskRecon Rating Correlation to Destructive Ransomware Event Frequency” reveals a startling statistic.  Organizations with poor cybersecurity hygiene were fifty times more likely to fall victim to cyber attacks like ransomware.  

This analysis was based on RiskRecon’s polling of 179,914 companies. In their study, organizations with clean cybersecurity hygiene (rated ‘A’ on a scale of ‘A to F’) experienced a damaging ransomware event frequency of just 0.04% or just 0.4 out of 1000 companies.  Compare this to the 2.1% frequency of ‘D’ to ‘F’ rated companies where 21 out of 1000 companies were ensnared by costly ransomware episodes, and it becomes clear that hygiene is a critical factor to avoiding risks like ransomware.

Worse yet, the frequency of ransomware attacks is up drastically between 2016 and 2022.

Source: RiskRecon’s “Managing the risk of destructive ransomware in the supply chain with RiskRecon cybersecurity ratings and insights RiskRecon Rating Correlation to Destructive Ransomware Event Frequency”

Worst of all, ransomware is only one serious threat enabled by poor cyber hygiene and the resulting data breaches.

Mushrooming Social Engineering Crime Numbers

Ransomware is only one of the cyber crimes growing in frequency and scope today.  Since the emergence of COVID-19 and the wholesale migration of industries to remote work, tens of millions more employees in the US work online than they did prior to the pandemic.  Even as the pandemic recedes, many of these resources continue to work either entirely or partially by remote.  This change is one of the long-term legacies of COVID which continues to upend the paradigm for the employer-employee relationship.  This “new normal” presents significant challenges to the CISO as the line between employees’ personal and professional online activities dissolves to a greater extent.  Cyber criminals are absolutely exploiting this vulnerability, and the statistics are grim.

Source: FBI Internet Crime Report 2021

Breaking down the types of social engineering attacks provides even greater perspective into the avenues by which criminals exploit poor cyber hygiene to effectuate their scams.  The chart above illustrates the top five crimes compared by frequency over the last five years.  While all five categories of cyber crime represent an avenue for social engineering scams to proliferate, it is notable that the “phishing” scams – including all forms like spear phishing, smishing, vishing, and pharming – represent the largest segment by a wide margin.  This is important because while cyber hygiene matters when it comes to preventing all these types of crimes in your organization, it is the compromise of a workforce’s PII that most directly results in successful phishing schemes.

What Makes Phishing Such a Successful Scam and Exigent Threat?

Phishing has been an effective scam for criminals.  Targeting private citizens with spoofed emails purporting to be from reputable companies has become a tried-and-true vehicle to separate a consumer from his personally identifiable information and as a result, his money.  Seeking more lucrative targets, it only makes sense that cyber criminals would apply phishing strategies to corporate or institutional targets where the potential for greater payoffs could be higher.   While many corporations and large enterprises have engaged in campaigns to train and educate their workforces about how to avoid being ensnared in these scams, business email compromises still netted the criminals a total of $2.4 billion in 2021 according to the IC3.  That is 19,954 reported instances of unauthorized transfers of funds directed by employees fooled by phishing emails directed broadly at corporate email domains.  

Spear Phishing attacks take the criminal strategy to the next level.  Whereas phishing attacks are generic in nature, spear phishing is a much more targeted approach and strategically focuses on specific individuals within an organization.  These attacks are typically multi-stage in nature and leverage data exfiltration strategies which are commonly unfolded over weeks or even months.  An article in CSO Magazine boils the “long-game”, spear phishing strategy down into three steps.  

Step One: Infiltration
Typically delivered via sophisticated spoofed emails and containing malicious links to spoofed websites for illicit data capture or to install malware.

Step Two: Reconnaissance
Wherein the scammer, upon achieving access to the user’s email or other account information, is able to learn more about the organization and find strategic targets and opportunities to exploit.

Step Three: Extract Value
Sending bogus bank account information to a target when they are about to render payments; soliciting sensitive HR info; pretending to be a supervisor directing the worker to render payment; these are all ways the criminal can extract value via spear phishing.  And, because these emails all appear to come from legitimate, familiar sources –in some cases even mimicking the language, signature and style of the spoofed sender – they are often highly effective.

Steps One and Two are greatly enabled by the ready availability of PII for sale by Data Brokerage organizations, which aggregate, categorize and sell all manner of sensitive information on individuals to virtually anyone who wants it.  Spear phishing is extremely effective when its content is tailored and personalized to the target, and when it exhibits all the hallmarks of familiarity that disarm targets’ vigilance.  For this reason, it is logical to conclude the availability and easy accessibility of employees’ entire online histories, including sensitive information about their personal lives, is an irresistible attraction to thieves seeking to craft highly effective spear phishing emails.  

Cyber criminals regularly acquire PII from data brokers and other sources to improve their success rates at infiltrating organizations, perform ongoing recon and then, ultimately, extract value from their victims.

The social engineering strategies employed by criminals are ruthlessly effective.  Some of the successful scams reported to the FBI include examples of phishing emails leveraging medical information relevant to an employees’ spouse and children.  Others could involve calls or texts from cyber criminals pretending to be a target’s mortgage company prompting action to rectify some (bogus) unfinished business regarding a recently sold home or property. Still others involved calls or emails from thieves posing as the target’s wireless phone company calling about their personal cell phone number.   

All this PII data – medical data, property sale/purchase data, consumer purchase data, and more – is for sale, cheap, from a burgeoning marketplace of data brokers, and the people search, background check and other sites served by the brokers.  Clearly the demand for the PII sold by the data brokerage industry validates the utility of the product for all uses – legitimate and corrupt.  

All this PII data – medical data, property sale/purchase data, consumer purchase data, and more – is for sale, cheap, from a burgeoning marketplace of data brokers, and the people search, background check and other sites served by the brokers.  Clearly the demand for the PII sold by the data brokerage industry validates the utility of the product for all uses – legitimate and corrupt.  

---

Data Broker Market Demand and Growth Forecast

The scope of the threat cannot be understated, and a simple Google search illustrates just how pervasive the problem is for CISOs tasked with protecting not just the proprietary data and networks of their organizations, but increasingly the data of their workforce.  The well-known, veteran data collection companies like credit reporting bureaus Experian, Equifax and TransUnion have been joined by hundreds of new entrants into the field. Some of the data brokerage pioneers like Epsilon and Acxiom have been around for a decade or more.  Many more, with names most have never heard of, have emerged in more recent times.  Companies like, AnyWho, Classmates.com, InfoTracer, PeekYou, PeopleFinders, People Looker, PeopleSmart, Number Guru, Spokeo and scores more.  One can begin to grasp the size of the market reading this long (but nowhere near exhaustive) list of data broker sites.

Moreover, the market has grown segmented and specialized.  Some of these sites are intended to provide criminal background checks.  Some promise to reveal information to singles about their new love interests.  Still others provide reverse phone number look ups, genealogical data, former school mates, public records and any other affinity group one might want to tap into.  With this level of segmentation, cyber criminals can be very precise in their approach.  In the absence of any Federal legislation or other governmental regulation of the data brokerage industry, there appears to be little restriction on its growth in spite of how the data may be misused by criminal enterprises.

In 2021, the data brokerage market was estimated to be valued at $257 billion.  According to Transparency Market Research, the market is expected to nearly double by 2031, reaching market capitalization of $462.4 billion – expanding at a CAGR of 6.8% annually.  Growth drivers of the data brokerage market are identified as interest from companies using consumer PII to improve marketing, advertising, risk mitigation, fraud detection and people search capabilities.  Not reported is the percentage of Data Brokerage customers who purchase the data to perpetrate criminal activities.  Nevertheless, one thing is clear.  Protecting the PII of your workforce is the best way to circumvent social engineering and mitigate the risk your organization faces from cyber crime.  Shockingly, this strategy is not yet at the forefront of best practices or widely adopted by corporate CISOs. Here is why it should be. 

Protecting the Workforce by De-risking PII Exposure

Social engineering can only be fully effective when the cyber criminal has access to the highly personal and accurate data of any employees.  And that info is, as this paper has established, exposed in Data Brokers and People Search Sites, helping fuel rapid expansion of new and improved sources of PII for sale. By cleaning up these exposures it becomes far more difficult for bad actors to successfully spear phish the workforce.  This decreases the risk of a successful intrusion and data breach and the resulting costs to your organization in terms of monetary loss, interruptions to business continuity, and/or reputational damage.  But how can a busy CISO achieve the daunting challenge of deleting all their employees’ info from hundreds of Data Brokers and People Search Sites?

How can a busy CISO achieve the daunting challenge of deleting all their employees’ Personally Identifiable Information from hundreds of data brokers and people search sites?

The Cybersecurity & Infrastructure Security Agency of the U.S. government (CISA) offers vulnerability scanning as part of their cyber hygiene services.  The scanning service evaluates external network presence by executing continuous scans of public, static IPv4s for accessible services and vulnerabilities.  The service also provides weekly vulnerability reports and ad-hoc alerts.  However, they recognize that organizations must further protect themselves by identifying assets that are searchable online and enabling measures to reduce that exposure.  

To accomplish this, enterprise organizations have been engaging personal data protection services like Privacy Bee to arm every member of their organization – employees, vendors, partners, etc. – with state-of-the-art tools to remove themselves from the countless lists and databases traded by data brokers.  Privacy Bee is a must have for CISOs serious about hardening external data security and seeking to avoid a costly data breach.

All-in-one business privacy management from Privacy Bee includes a robust suite of privacy-centric solutions and is affordable compared against the potential losses associated with a criminal data breach.  ZDNet agrees saying, “Privacy Bee does seem like a small price to pay to prevent a massive headache in the future when the next data breach inevitably occurs.”  With Privacy Bee for business, you’re affording your organization the best available protection and de-risking including the following benefits. 

De-risk Identity Theft with a proactive process that incentivizes your workforce to remove themselves and their valuable PII from all but their most trusted interactions on the web. It even protects their non-work-related activities and information from external data exposure.  Unlike identity theft insurance which only helps clean up the mess of a data spill or data leak after it’s too late, Privacy Bee’s solution proactively fights to protect against identity theft.  

Vendor Data Controls use centrally configured “Trusted Companies” across all your entire workforce, whitelisting your current vendors.  Privacy Bee legally compels previous vendors to delete any employee data they may still be retaining.  Configured trust for your active vendor pool ensures your employees will receive only proper communications from your vendors without anything being blocked as a privacy risk.

Integrated Privacy Feed Privacy Bee hosts a large base of consumers declaring privacy preferences every day. Rather than receiving emails, the solution offers a suite of privacy integrations to help you honor their wishes (API Feeds, Plugins, Zapier, etc).

There are many other benefits to be gained by engaging Privacy Bee for your organization.  Benefits that accrue to the CISO, but also the workforce, investors, boards of directors, HR departments and your customers, all flow from a practicable, practical and affordable investment into data privacy.  Privacy Bee handles all training and support, making the solution easy to deploy and maintain.