How to Protect Your Customers’ Personal Identifiable Information
8 Nov 2024
Protecting customers’ Personal Identifiable Information (PII) has fast become a critical duty of care for every organisation.
What is PII, and why is it valuable?
PII includes information such as Tax File Numbers, Medicare numbers and other health records, credit card details, student addresses and more.
Cybercriminals attempt to access PII for financial gain, either directly – by selling it to data brokers on the dark web – or indirectly, by identity theft. Stolen PII can be used by hackers to open bogus credit card and bank accounts, and to socially engineer attacks using methods such as phishing and ransomware.
Organisations need to zealously protect the PII provided to them by customers – not only for the sake of maintaining trust, but also to guard against the heavy sanctions that regulators such as ASIC and the ACCC can impose for non-compliance.
And those compliance requirements are ramping up. Just last month, Australia’s federal government introduced legislation to parliament which will revolutionise Australia’s cyber security preparedness by imposing new protection standards and reporting requirements on local businesses.
International Obligations
However, compliance requirements for the protection of PII don’t stop at our national borders.
For example, businesses with customers in Europe need to comply with the EU’s General Data Protection Regulation. Local businesses trading in the US need to comply with America’s Health Insurance Portability and Accountability Act, Federal Information Security Management Act, Payment Card Industry Data Security Standard, Gramm-Leach-Bliley Act and California Consumer Privacy Act.
Rising Risks and Impacts
Recent statistics demonstrate the growing risk and significant impact of PII data breaches.
Verizon’s Data Breach Investigations Report for 2024 shows that around 60% of data breaches involve some form of personal information. And IBM’s 2024 Cost of a Data Breach Report revealed that the global average cost of a data breach now exceeds A$7 million.
Protecting PII
Stepping up to the needs of PII guardianship requires both technology solutions and sound business practices.
Layered defences, with integrated solutions that address encryption, threat protection, and data loss prevention, enable safe collaboration without risking malware, mishandled data, breaches and non-compliance.
Given most breaches involve a human element, technology solutions need to be automated and easy for employees to use. Software needs to be able to manage:
How access to data is granted;
How access is authenticated;
How access is tracked and controlled; and
How access can be speedily revoked, when needed.
Layered Protection
A standalone managed file transfer (MFT) solution – such as GoAnywhere MFT – is a great first layer of defence. It provides security for files at rest and in transit.
However, integrating Threat Protection as an additional layer enables you to take appropriate action when there’s PII in the data moving in and out of your organisation.
Based on rules you predefine, our Advanced Threat Protection Bundle can mask, remove, or permit PII to be moved within your organisation and beyond, via a Secure ICAP Gateway.
Medical Case Study
A medical enterprise needed to transfer attachments between employees and trading partners containing detailed billing information. They had long used a managed file transfer solution to exchange patient records within and outside the organisation. However, they realised they needed to further safeguard patients’ PII via deep content inspection.
The organisation integrated GoAnywhere MFT with Secure ICAP Gateway, adding anti-virus protection as well as structural “sanitisation” of files being transferred. Their combined MFT/Advanced Threat Protection now works to:
Inspect for malware and viruses;
Intercept content based on threat protection and data loss prevention requirements;
Run rule sets such as renaming, script removal and keyword searches to control whether content is allowed in or blocked; and
Sanitise PII content to permit ongoing transfer (or block it, if content cannot be adequately sanitised).
Thanks to layered protection, the organisation can now exchange patient records free from viruses and malware, while only disclosing a use-appropriate level of PII.
Controlling PII Disclosure
Adding granular rules-based controls to data handling is the “killer feature” of Advanced Threat Protection. For example:
You can permit some specified individuals to transmit PII, but not everyone.
You can apply role-based access to PII.
You can audit who is sending what information.
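The inspection pipeline described in the medical case study (inspect, intercept on data loss prevention rules, sanitise PII or block the transfer) and the rules-based controls listed above (permit PII for specified roles only, audit who sends what) can be illustrated with a small content-inspection rule engine. The following is an added example written for this article; it is not GoAnywhere MFT or Secure ICAP Gateway code and does not reflect how that product stores its rules. The POLICY structure, the sample users alice and bob, the file names and message contents, and the "block when more than three values had to be sanitised" rule are all constructed for the example. The Luhn check for card numbers and the weighted-sum check for nine-digit Australian Tax File Numbers are the standard validation algorithms for those identifiers.

```python
import re
from dataclasses import dataclass, field

# Constructed policy for this example (not a GoAnywhere / Secure ICAP Gateway rule set).
POLICY = {
    # sender -> role (constructed sample users)
    "roles": {"alice": "billing", "bob": "support"},
    # role -> PII categories that role may transmit unmodified
    "permit": {"billing": {"card"}},
    # action applied when the sender is NOT permitted a category:
    # "mask" keeps only the last four digits, "remove" replaces the value entirely.
    "default_action": {"card": "mask", "tfn": "remove"},
    # constructed rule: a file needing more sanitisation than this is treated as a bulk
    # PII export that cannot be adequately sanitised, and the transfer is blocked.
    "block_threshold": 3,
}


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)


def tfn_ok(digits: str) -> bool:
    """Australian Tax File Number check: nine digits whose weighted sum is divisible by 11."""
    return len(digits) == 9 and sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


# Each detector pairs a candidate pattern with a validator, so that a keyword/regex search
# does not flag invoice or phone numbers that merely look like PII.
DETECTORS = [
    ("card", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), luhn_ok),
    ("tfn", re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), tfn_ok),
]


@dataclass
class Decision:
    allowed: bool
    content: str                      # sanitised content to forward if allowed
    audit: list = field(default_factory=list)   # who sent which PII type, and what was done


def inspect_transfer(sender: str, filename: str, content: str, policy: dict = POLICY) -> Decision:
    """Apply the role-based PII rules to one outbound file and record an audit trail."""
    role = policy["roles"].get(sender)
    permitted = policy["permit"].get(role, set())
    decision = Decision(allowed=True, content=content)

    for pii_type, pattern, validator in DETECTORS:
        action = "permit" if pii_type in permitted else policy["default_action"][pii_type]
        hits = 0

        def substitute(match):
            nonlocal hits
            digits = re.sub(r"[ -]", "", match.group(0))
            if not validator(digits):       # candidate failed its check digit: leave it alone
                return match.group(0)
            hits += 1
            if action == "mask":
                return "*" * (len(digits) - 4) + digits[-4:]
            if action == "remove":
                return f"[{pii_type.upper()} REMOVED]"
            return match.group(0)           # permitted for this role: pass through, but audit

        decision.content = pattern.sub(substitute, decision.content)
        if hits:
            decision.audit.append({"sender": sender, "file": filename, "pii": pii_type,
                                   "count": hits, "action": action})

    # Block outright when too much content had to be sanitised (constructed threshold rule).
    sanitised = sum(e["count"] for e in decision.audit if e["action"] != "permit")
    if sanitised > policy["block_threshold"]:
        decision.allowed = False
        decision.audit.append({"sender": sender, "file": filename, "pii": "*",
                               "count": sanitised, "action": "block"})
    return decision


if __name__ == "__main__":
    # Constructed sample message containing a test card number and a valid-format TFN.
    sample = "Card 4111 1111 1111 1111, TFN 123 456 782"
    for user in ("alice", "bob"):
        d = inspect_transfer(user, "invoice.txt", sample)
        print(user, "allowed" if d.allowed else "BLOCKED", "->", d.content)
        for entry in d.audit:
            print("  audit:", entry)
```

The same message is handled differently depending on the sender: the billing role is permitted to send card numbers, so alice’s card number passes through unchanged but is still logged, while bob’s is masked; neither role may send Tax File Numbers, so those are removed for both. A file containing four TFNs exceeds the constructed threshold and is blocked, and a string that matches the TFN pattern but fails the check digit is left untouched and produces no audit entry.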
GoAnywhere MFT’s encryption can be enhanced by limiting who can transfer PII data and what that data contains. The automatic detection and sanitisation of files removes some of the human factor risks so that employees can focus on their work instead of fussing with manual interventions.
Augmenting technical solutions with employee training further reduces human factor risks.
Here to Help
Generic Systems Australia are the Asia-Pacific region’s experts in deploying Managed File Transfer and Advanced Threat Protection. We’ve assisted dozens of organisations to protect their PII and secure their file transfers, while keeping their businesses running smoothly.
If you’d like to discuss how we can help you, please feel welcome to contact me. I’m always happy to have an obligation-free chat and explain how simply we can transition you from outdated protocols and approaches.
I can even arrange a simple, zero-cost Proof of Concept.