Do you have a complete list of your critical PII assets, where they reside, and how they are accessed?
If you answered no, don’t worry – you are not alone.
Of the concepts discussed so far in the Protect Your PII series, this third one, Know Yourself, is the most important. You will never effectively secure what you don’t know, and to effectively secure yourself you must know yourself.
Let’s start with a snippet from one of the best security strategists of all time, Sun Tzu.
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
—Sun Tzu, The Art of War
Our “enemy” in this case is loosely defined as cybercriminals looking for PII. They are willing to obtain PII using any tactics possible, and they typically have the technical skills and resources to achieve their objectives. Since there’s an economy behind cybercrime, cybercriminals will generally look for the lowest-hanging fruit first – easy targets cost less. Or, they look for the biggest score – volume discounts apply.
It’s safe to say we know the “enemy” wants our PII. So, check the “know the enemy” item off the Sun Tzu list.
The next item on the list, know yourself, is the weakest link within personal and business security. Knowing yourself is the process of defining what’s important. It’s defining your most critical assets. Few people and companies do this. Instead, companies tend to go with the latest and greatest silver bullet. It’s quick and easy – albeit far from effective. Individuals seldom define their critical assets either, because we have trained ourselves to believe nobody would want them – in this case, our PII.
The first two steps on your way to knowing yourself are:
First, ditch the misconception that your PII isn’t valuable. Your PII is money. Your PII is a cybercriminal’s potential stepping stone to something else. Like pieces of a puzzle, cybercriminals will put together elaborate systems to get your PII. They are smart, tenacious, and should never be underestimated.
Second, define your critical assets and document them. Get out a sheet of paper and write down all your most important critical assets. This list should include financial accounts, retirement accounts, life insurance accounts, home loans, medical information, just to name a few.
Brainstorm. Think this through.
Critical assets/PII can exist in the form of online accounts, accounts with no online access, or documents.
An online account, for example, could be your online banking that includes your checking account, credit card, and home loan.
An account with no online access might be a life insurance policy that has physical paperwork, but no online access.
Documents might be your social security card, passport, driver’s license, etc.
Here’s a list of PII examples to refresh your memory.
· Social Security Number (SSN)
· Date and place of birth (DOB/POB)
· Mother’s maiden name
· Medical information
· Financial information
· Email address
· Driver’s license number
· Passport number
Your goal is to define your important critical assets, their function, importance, how they are accessed, where they reside, and later… the credentials.
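As an added example that is not part of the original post, the script below turns the paper list described above into a structured inventory with the same attributes the post asks for (function, importance, how it is accessed, where it resides, which PII it exposes). It flags high-importance assets whose access method or location is still undocumented, groups assets by the three forms listed above (online account, account with no online access, physical document), and inverts the inventory to show which assets would expose each PII type if compromised. Credentials are deliberately left out of the record, matching the post’s “later… the credentials”. The `Asset` class, the helper functions and the sample institutions and assets are all constructed for illustration.

```python
"""Structured PII asset inventory with a completeness check (added example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class AccessType(Enum):
    """The three forms the post says critical assets/PII can take."""
    ONLINE = "online account"               # e.g. online banking
    OFFLINE = "account with no online access"  # e.g. paper life insurance policy
    DOCUMENT = "physical document"          # e.g. passport, SSN card


@dataclass
class Asset:
    """One critical asset; credentials are intentionally not part of this record."""
    name: str
    function: str                 # what the asset does for you
    importance: int               # 1 (low) .. 5 (critical)
    access: AccessType
    access_method: str = ""       # how you get to it (web login, phone, safe)
    location: str = ""            # where it resides (institution, safe, drawer)
    pii_types: List[str] = field(default_factory=list)  # PII the asset exposes


# Attributes the post says every entry should eventually have filled in.
REQUIRED_FIELDS = ("function", "access_method", "location")


def missing_fields(asset: Asset) -> List[str]:
    """Return the required attributes that are still blank for this asset."""
    return [f for f in REQUIRED_FIELDS if not getattr(asset, f).strip()]


def incomplete_critical(inventory: List[Asset], threshold: int = 4) -> Dict[str, List[str]]:
    """Map each high-importance asset with gaps to the attributes it is missing."""
    return {a.name: missing_fields(a) for a in inventory
            if a.importance >= threshold and missing_fields(a)}


def by_access_type(inventory: List[Asset]) -> Dict[AccessType, List[str]]:
    """Group asset names by how they are reached (online / offline / document)."""
    groups: Dict[AccessType, List[str]] = {t: [] for t in AccessType}
    for a in inventory:
        groups[a.access].append(a.name)
    return groups


def pii_exposure(inventory: List[Asset]) -> Dict[str, List[str]]:
    """Invert the inventory: which assets would expose each PII type if compromised."""
    exposure: Dict[str, List[str]] = {}
    for a in inventory:
        for p in a.pii_types:
            exposure.setdefault(p, []).append(a.name)
    return exposure


# Constructed sample inventory: placeholder institution names, no real data.
SAMPLE_INVENTORY = [
    Asset("Checking account", "day-to-day spending", 5, AccessType.ONLINE,
          access_method="bank website / mobile app", location="Example Bank",
          pii_types=["SSN", "Financial information", "Email address"]),
    Asset("Home loan", "mortgage", 5, AccessType.ONLINE,
          access_method="same login as checking account", location="Example Bank",
          pii_types=["SSN", "Financial information"]),
    Asset("Life insurance policy", "beneficiary payout", 4, AccessType.OFFLINE,
          access_method="", location="",  # not yet documented: gets flagged
          pii_types=["SSN", "DOB/POB", "Medical information"]),
    Asset("Passport", "identity / travel", 5, AccessType.DOCUMENT,
          access_method="retrieve from home safe", location="home safe",
          pii_types=["Passport number", "DOB/POB"]),
]

if __name__ == "__main__":
    for name, gaps in incomplete_critical(SAMPLE_INVENTORY).items():
        print(f"{name}: still missing {', '.join(gaps)}")
    for access_type, names in by_access_type(SAMPLE_INVENTORY).items():
        print(f"{access_type.value}: {', '.join(names) or '(none)'}")
    for pii, assets in sorted(pii_exposure(SAMPLE_INVENTORY).items()):
        print(f"{pii} is held by: {', '.join(assets)}")
```

Running it on the sample data reports that the life insurance policy still has no documented access method or location, and that the SSN is held by three separate assets, which is the kind of concentration worth knowing about before deciding what to secure first.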
But for now, just brainstorm, write everything down, then store your list in a safe place. Please don’t leave it sitting at the restaurant or the Black Hat convention. We will go over securely storing this information digitally in the next Protect Your PII blog.
Here’s a quick sneak peek of what we are striving for in the next step.