How to protect our PII and sensitive information from fraud

Fighting ransomware, phishing and other cyber threats

Portfolio Marketing Manager, Fraud & Compliance, IBM

We live in a world where information is created, exchanged and maintained in greater volumes and faster speeds than ever before. Some of that information is for public consumption, and the rest—sensitive information, or any information that is privileged or property—is not. Sensitive information, including nonpublic information (NPI) and personally identifiable information (PII) has created the need for information security.

This need is in the form of a set of business policies and practices that are put into place to protect all nonpublic information. Threat detection and prevention activities are often broken into two distinct tracts. One tract focuses on compliance issues including fraud, waste and abuse; the other tract focuses on security control failures such as information security breaches and information theft. The goal of both business operations is the same: protect PII and sensitive information, and keep the organizations and the people they serve safe.

4 key questions about information cyber security

Erik Rasmussen, associate managing director at Kroll Cyber Security and Investigations, answered several questions about the current environment organizations find themselves in when trying to protect sensitive information. The questions focus on the current threat environment and sustainable security solutions.

1. What do you believe is today’s most pervasive threat to sensitive information for both government organizations and private industries?

Ransomware and phishing attacks are two of the most pervasive threats to sensitive information these days. Based on the encryption alone, if an entity is attacked by this threat, and there are no backups to the data being encrypted, there is little a victim can do. In fact, newer versions of ransomware are now being coded to detect, encrypt and delete backup files and systems.

We are increasingly seeing this threat to organizations in the healthcare industry and hospitality industry. The general threat of theft of data—for example, NPI, PII or payment card data—is now coupled with the threat to encrypt entire servers unless the victim organization pays a ransom. Phishing is a pervasive threat because it is an attack vector for several types of intrusions that lead to theft of intellectual property or theft of payment card data. Or it simply allows an attacker to maintain a presence in a compromised network for an extended period of time.

2. Is there a way to minimize threats associated with technology advancing faster than security? Is the solution practical and sustainable?

A robust combination of human analytical capability and machine analytical capability is an appropriate way to minimize threats inside an organization. Technology is allowing the aggregation of large amounts of data that can be helpful for the defense of an organization’s network. But without the right amount of human analysis behind it, and a standardized way to report on that data, the data is of little use.

The most technologically advanced [security information and event management] SIEM in the world is only as good as the team who analyzes the data it produces. As another example, endpoint security monitoring usually employs excellent software and hardware solutions to track and report threats inside a network. However, the analysts that manage this monitoring solution provide the context and discretionary power to allow stakeholders to act based on a more informed decision about those very threats.

3. Organizations often talk about their fear of the malicious insider. Why is detecting an insider threat much more challenging than detecting an external one?

Entities are becoming very good at detecting insider threat because technology and policies—[data loss prevention] DLP tools, more robust acceptable use policies and so on—are evolving to monitor an employee’s behavior. And organization stakeholders are buying into developing programs to put employees on notice that their activity is being constantly monitored and is subject to review.

However, the increasing use of cloud technology is one area that is allowing insiders to siphon off large amounts of data. Cloud technology is excellent, but companies should develop better controls to restrict access to these services or develop internal cloud technology capabilities. Another problem that needs improvement is the time to detection. Detection is occurring, but the perception of how long the insider had been compromising data—shorter periods of time such as weeks and days—versus the reality—longer periods of time such as months and years—remains a concern. Numerous organizations, such as the Software Engineering Institute, author excellent best practices documents organizations can follow to develop stronger programs.

4. Is there any way to completely eliminate the threat of information falling into the wrong hands?

No, the threat cannot be completely eliminated, but the right kind of training, tools and people can rapidly mitigate and slow down the loss of the information and potentially increase the cost to the adversary to inflict this kind of injury on an organization.

Cyber-threat mitigation and the dark web

Organizations face tremendous malicious threats daily. Fraud schemes and tactics are continuously evolving. The cyber-threat landscape is wide and comes in many forms. Sophisticated malware can bypass detection and hide in plain sight. Businesses, employees and customers face the risk of social engineering, phishing, vishing and SMS phishing (SMiShing) schemes. Organizations need to remain cautious of the insider threat as well as falling victim to data breaches that can put themselves and those they serve at risk.

The dark web and peer-to-peer networks have opened the doors to illicit and illegal marketplaces where criminals can buy illegal goods and services, trade secrets, sell stolen PII and much more. The term dark web specifically refers to a set of websites that hide their IP address but are publicly visible. This ploy means that these sites do not turn up in search results. Deciphering who owns and runs these sites is challenging, but the sites are publicly accessible—assuming you know how to find them.

Technological advances, siloed business and security functions, and malicious threats endanger the safety and security of sensitive information. With sophisticated malware that can bypass detection and hide in plain sight, having the right policies, processes and tools in place to mitigate these threats is vital.

Learn more about protecting PII & preventing fraudulent activity