Cybercrime is more of a threat than ever before. The damages caused by cybercrime in 2021 were estimated at around $6 trillion and are expected to reach $10 trillion by 2025. Cyber-criminal organizations are very well funded and, when persistent, can cause serious harm. Unfortunately, cybercrime has the potential to pay very well, which is why it is unlikely that cybercriminals will stop and why new players keep joining in on the cybercrime game.
It is not surprising that most executives accept this reality and simply believe that breaches are inevitable. With data breaches becoming an unavoidable part of risk management and customers putting their trust in companies to protect their sensitive information, security and privacy concerns are growing. The key to mitigating the risk lies in protecting your organization’s most sensitive asset – your customers’ PII.
Most organizations’ go-to security strategy is to implement zero-trust architecture. Zero trust means that organizations should not implicitly trust anything inside or outside their perimeters and instead must verify anything and everything trying to connect to their systems before granting access to any assets, especially PII.
Securing PII is very challenging for many organizations due to a variety of reasons:
- There is usually no visibility into where PII is located across the organization or how it is classified
- The privacy expertise required to protect data according to its classification may be scarce in the organization
- There is a lack of prescriptive guidelines on how to safeguard PII
- Protecting PII is a collaborative effort across multiple departments within the organization: legal, security, development, and privacy
The starting point to safeguard PII is knowing what to protect and where it is located.
Are Data Breaches Unavoidable?
Over the last decade, data breaches have experienced a sharp rise. 2021 was a record-breaking year, in which the number of breaches increased by 68% compared to the previous year, approximately 22 billion records were stolen, and 294 million people were impacted. Data leaks (often the result of sensitive data sent or exposed accidentally) and breaches (usually the result of a hack) can cost businesses millions of dollars in penalties and damage and put an organization’s reputation and operations at risk.
The industry consensus that data breaches are inevitable is the result of many factors:
- The complexities of today’s environments
- The increase in cloud adoption and hybrid environments that are spread out across different locations and teams
- The increase in organizations’ digital footprint and number of digital assets
- Attackers are more sophisticated, and they need to find only one vulnerability
- The human factor – leaks and breaches can originate with internal actors, from simple human error to a deliberate data leak
- The disappearance of the organization perimeter, which was the base strategy for organization protection
Protecting all data equally is inefficient and can leave your most valuable assets vulnerable. IBM found that PII was the costliest data type for organizations to lose, with each lost or stolen record costing an estimated $180. While $180 may not seem like a big deal, consider that leaks usually involve thousands and even millions of records, and some regulations (e.g., CCPA and CPRA) fine per violation – so it adds up pretty quickly. In addition to financial costs, losing customers’ sensitive information can harm your brand reputation and destroy customer trust.
What Steps Can You Take to Secure PII and Where Can You Implement Them?
Considering the inevitability of a data breach, it is crucial to embrace this reality and prepare accordingly. Taking the right steps can keep your data secure and protected, minimizing the damage caused by attacks. Unfortunately, implementing these techniques is a monumental task. CISOs need to keep track of data scattered throughout operational networks, organizational networks, SaaS, endpoints, shadow IT, and various blind spots. With regard to PII, there are key steps that can be taken to mitigate the risk.
Proactive techniques such as tokenizing data, encrypting it, implementing access control policies, and storing it in vaults can ensure your data remains safe. Although these techniques are not required for GDPR compliance or other privacy laws, the GDPR does recommend them, and proper security goes beyond privacy compliance – it’s good for business, as it can increase customer trust and become a business differentiator. In addition, mitigating data breaches saves money on fines and damage control, saves trouble from downtime, and protects a brand’s reputation and customers.
Below are a few best practices you can implement to harden your security and privacy posture across the organization, making data unexploitable even if stolen and reducing the effort to comply with relevant privacy laws.
- Tokenization and Data Anonymization:
Tokenization is the process of swapping a piece of sensitive data for a random string of characters, called a token, that takes the place of the original data. The original data is now isolated in another place. This stops the information from making sense to outsiders looking in, making it unreadable to hackers. When applying this method to personal identifiers, like full names, the data immediately becomes pseudonymized. The relationship between the token and the original data is stored within a data vault, so the token can only be translated back into the original data by users or apps with the necessary permissions to the vault. Pseudonymized data differs from anonymized data: pseudonymized data can be reverted to the original PII with the right key, whereas anonymized data cannot. This is why GDPR doesn’t consider anonymized data as personal data, while pseudonymized data is still considered personal data. See the detailed explanation of pseudonymization by tokenization.
- Encryption:
Encryption transforms the original data by turning it from plain text to ciphertext, which is unreadable without a key. Only entities with access to the key can revert the ciphertext back to its original form. This ensures that even if hackers do manage to access the data, they won’t be able to read it, keeping your users’ data secure even in the event of a breach.
- PII Vaults:
The PII vault is a new concept, similar to the evolution of secrets management systems. There is a need to design a new, secure home for PII, concentrating PII in a single location with very tight access controls. A PII vault can be an enabler for the above recommendations, assisting developers in implementing tokenization and various encryption options at rest and in motion.
Once PII is centralized, it becomes easier to comply with privacy regulations and implement requirements such as RTBF (right to be forgotten) and DSAR (data subject access request – the right to gain access to personal information being held by a business or organization), and to implement audit trails or identify anomalous user behavior, to name a few. Piiano offers a self-hosted PII vault, ensuring that sensitive information never leaves your environment.
These measures can’t prevent data breaches from occurring, as data still needs to flow from the vault through the system to ensure functionality, but they raise the bar against dumping databases (stored data is the most common target in attacks) and prevent attackers from accessing complete and useful data. This makes the data unexploitable, ensuring that even in the event of a breach, the leaked data is not PII and can’t be associated with individuals.
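The tokenization and vault ideas above, as an added example that is not part of the original article and not Piiano's product or API: a constructed in-process vault issues random tokens, reverses them only for permitted callers, records every attempt in an audit trail, and a simulated dump of the application table shows it holds no original PII. The PII field names and the allowed caller are assumptions.

```python
import secrets

# Constructed example of a minimal in-process PII vault; not Piiano's product or API.
PII_FIELDS = ("full_name", "email")         # assumption: which record fields are PII
VAULT_READERS = frozenset({"support-app"})  # assumption: callers allowed to detokenize

class PIIVault:
    def __init__(self):
        self._by_token = {}  # token -> original value (lives only inside the vault)
        self._by_value = {}  # original value -> token (same person, same token: pseudonymization)
        self._audit = []     # (caller, token, outcome) for every detokenize attempt

    def tokenize(self, value: str) -> str:
        # The token is random and carries no information about the value it replaces.
        tok = self._by_value.get(value)
        if tok is None:
            tok = "tok_" + secrets.token_hex(8)
            self._by_token[tok], self._by_value[value] = value, tok
        return tok

    def detokenize(self, token: str, caller: str) -> str:
        # Reversal works only for permitted callers; every attempt is recorded first.
        allowed = caller in VAULT_READERS and token in self._by_token
        self._audit.append((caller, token, "allowed" if allowed else "denied"))
        if caller not in VAULT_READERS:
            raise PermissionError(f"{caller} is not permitted to detokenize")
        return self._by_token[token]

    def audit_log(self) -> list:
        return list(self._audit)

def tokenize_record(vault: PIIVault, record: dict) -> dict:
    """Swap PII fields for tokens; non-PII fields stay in the clear for the application."""
    return {k: vault.tokenize(v) if k in PII_FIELDS else v for k, v in record.items()}

def dump_contains_pii(rows: list, pii_values: set) -> bool:
    """Simulate reviewing a dumped application table: does any original PII value appear?"""
    return any(v in pii_values for row in rows for v in row.values())

def demo():
    vault = PIIVault()
    customers = [  # constructed sample records
        {"id": 1, "full_name": "Ada Example", "email": "ada@example.com", "plan": "pro"},
        {"id": 2, "full_name": "Bob Sample", "email": "bob@example.com", "plan": "free"},
    ]
    app_db = [tokenize_record(vault, c) for c in customers]
    originals = {v for c in customers for k, v in c.items() if k in PII_FIELDS}
    leaked = dump_contains_pii(app_db, originals)                    # False: only tokens stored
    name = vault.detokenize(app_db[0]["full_name"], "support-app")  # "Ada Example"
    return app_db, leaked, name, vault
```

Because tokens are consistent per value, records for the same person can still be joined without ever exposing the PII itself; the mapping and the audit trail live only in the vault.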
Proactively protecting your data before the inevitable breach occurs is essential. A breach will happen, and the only way to ensure that your users’ data remains secure is by implementing protective measures before it does. Putting prevention measures in place also simplifies the privacy compliance process and can reduce the scope of data you actively need to protect. For example, from a compliance standpoint, tokenizing sensitive data is considered (sensitive) scope reduction, which is an advantage over encryption.
PII protection should be a constant priority for all organizations working with customers’ sensitive data (i.e., B2C or B2B2C companies). Early implementation, such as combining security-by-design and privacy-by-design approaches as part of the SSDLC (secure software development lifecycle), allows the two techniques to operate in tandem, mitigating data risk and exposure. Implementing solutions that protect data at all stages of its lifecycle lets your users know their data is in safe hands – even when a data breach occurs.