Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Zack Schuler
Zack Schuler
Connect Directly
E-Mail vvv

How Personally Identifiable Information Can Put Your Company at Risk

By being more mindful of how and where they share PII, employees will deprive cybercriminals of their most useful tool.

Think of everything you've posted online over the past year — photos, blog entries, comments on websites, and so on. Now consider how much of that content says something about you as an individual, from your habits to where you live to what you buy. The Internet is awash in personally identifiable information (PII), and we should never forget that this is a major cybersecurity liability for individuals and companies alike.

Some forms of PII can be used to infiltrate a victim's accounts and networks directly, such as account numbers and passwords. However, even seemingly innocuous forms of PII can put employees and companies at risk — the more cybercriminals know, the easier it is for them to manipulate and defraud their victims. For example, if cybercriminals have access to employees' email addresses, they can launch a password spraying attack in which they test a single password on every available account until they break into one.

Related Content:

4 Predictions for the Future of Privacy

Special Report: Building an Effective Cybersecurity Incident Response Team

New From The Edge: DDoS's Evolution Doesn't Require a Security Evolution

PII security has to be a priority all the time — it's not enough to make sure employees are using good password hygiene, avoiding malicious links and attachments in emails, and so on. They also have to be mindful of their digital behavior in other domains — which cloud services they're using (and what security protocols those services have), whether they work on personal devices, and what other personal details they disclose.

Cybercriminals' Most Important Resource
Although cybercriminals have a range of motives for why they infiltrate secure accounts and systems, the use and theft of information is always at the center of their attacks. According to IBM's 2020 Cost of a Data Breach report, 80% of breaches include "records containing customer PII." This finding is mirrored by Verizon's 2020 Data Breach Investigations Report, which observes that "email addresses are Personally Identifiable Information (PII) and ... Personal is the most common variety of data to be breached in this year's report."

The amount of PII for cybercriminals to steal and exploit is increasing all the time. There are billions of social media users (15.5 people join every second) and even more Internet users. Meanwhile, e-commerce and other digital services continue to surge, which encourages people to spend more and more of their time online. This means vast quantities of PII are constantly in circulation, and cybercriminals are always looking for ways it can be leveraged to either break into a company's networks or convince employees to disclose sensitive information.

While we're never going to reach a point where employees stop sharing material online (nor should we want to), it's crucial for them to learn how to do so as securely as possible.

Cybercriminals Are Always Trying to Exploit PII
According to the most recent data from Nielsen, the average American adult spends almost 12.5 hours in front of various screens (smartphones, tablets, computers, etc.) daily — an increase from just over 11 hours in 2018, and a number that has steadily been climbing for years. This has led to an explosion of online PII, which cybercriminals have used to dramatically increase their attacks in recent years.

Even when employees don't think they're posting information that could be potentially compromising, the risk that it will be used against them is ever-present. For example, the publication of work email addresses doesn't just give cybercriminals a collection of targets for password spraying attacks — it also provides targets for other forms of malware, which can be sent to those addresses in the form of attachments or malicious links. Employees don't just have to be cognizant of what they're sharing, either — they have to pay close attention to account security in general. Pew reports that 39% of social media users have "logged into another website using the credentials from their social media accounts," a number that rises to 56% among 18–29-year-olds.

Passwords are the most sensitive form of PII, and employees can't afford to be careless with them. Pew also finds that 13% of Americans have had their accounts "taken over without permission" — a reminder that whatever password they were using on Facebook, Twitter, Instagram, etc., could then be tried out on their company email or any other secure network that requires login credentials.

How to Keep Sensitive PII Away From Prying Eyes
There are many ways employees can keep their PII secure — from password managers (which just 12% of Americans say they use, according to the Pew report) to other forms of cybersecurity hygiene, like the refusal to click on suspicious links and attachments. However, PII protection also requires a fundamental shift in how many employees use digital platforms.

We've all heard jokes about the people who post updates about every last detail of their lives, from what they had for breakfast to what they think about their co-workers. But in reality, many of us have a tendency to overshare online, and this provides a target-rich environment for cybercriminals. While most people know not to publicize sensitive information like bank account or Social Security numbers, it's important to understand the ways in which even ostensibly harmless posts can be used for nefarious purposes.

To take just one example: Imagine an employee posts a picture of his messy workspace to get a few laughs. If they're like the 49% of Americans who write passwords down to remember them (according to the Pew study), they might have a sticky note with sensitive account information on the computer monitor or somewhere else on the desk. Employees have to get into the habit of thinking about threats like this and adjust their behavior accordingly.

While the existence of online PII will always be a necessary byproduct of our increasingly digitized lives, there's no reason it has to be this massive source of fraud and cyber-insecurity. By being more mindful of how and where they share PII, employees will deprive cybercriminals of their most useful tool.

Zack Schuler is the CEO/founder of NINJIO, an IT security awareness company that empowers individuals and organizations to become defenders against cyber threats. He is driven by the idea of a "security awareness mindset," in which online safety becomes part of who someone is ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.