Cyber criminals going after Personally Identifiable Information
Companies need to realize this trend, educate and apply best practices
MALAYSIAN companies should protect themselves from Personally Identifiable Information (PII) breaches, urged Fortinet.
PII represents data that could be used for identity theft, the network security vendor said in a statement. This includes any unique piece of data that can be linked to a specific person, such as name, address, date of birth or telephone and social security numbers.
Fortinet noted identity theft has become a growing problem as hackers and cyber criminals could easily access a company’s network and steal its customers’ sensitive data.
The security specialist said that in the last few years, broader adoption of compliance regulations across Asia Pacific, including financial penalties, has highlighted the importance of PII protection, compelling organizations to bolster their security mechanisms.
Yet surveys show that identity theft incidents are still on the rise.
Fortinet noted that easy access to databases through cloud collaboration platforms and social networking, mobility and other IT trends have paved the way for cyber criminals to pilfer users’ most personal information from the Web.
“While financial penalties for non-compliance can be prohibitive, these fines can easily be exceeded by the costs of ‘clean-up’ and remediation, should customer PII be either accidentally or maliciously exposed in an actual data breach,” said George Chang, Fortinet’s regional director for Southeast Asia & Hong Kong.
Chang said such clean-up includes physical letters to the entire database, resources to deal with customer queries and possibly manufacturing costs of new credit cards, not to mention reputation loss.
“These accumulated costs could be enough to take a company out of business,” Chang said.
Fortinet advised companies to adopt the following best practices to mitigate the risks of a PII breach:
1. Educate management and employees on risks
Management and employee education is a key factor in mitigating an organization’s risk, and should include identifying popular risky behaviors such as app installation and the use of unsanctioned software.
2. Adopt role-based data loss prevention solutions
Role-based data loss prevention solutions not only trigger, record and alert IT administrators to such breaches, but also give security personnel the ability to react to them. Those mitigation techniques could range from archiving data transmission, to alerting management, to quarantining a user or vector from further transactions until the threat is sufficiently addressed.
3. Comprehensively assess the location of all risk areas
Companies need to determine where all of their PII is stored, who has access to the information and how PII moves, both within and outside the confines of the organization. Once that information is discovered and catalogued, the responsibility will be on IT administrators to implement appropriate security policies protecting that data.
The coming of the Personal Data Protection Act