Let’s talk about data breaches. These two simple words can either send chills down your spine or leave you feeling “meh.” It all depends on your perspective. I think most consumers are feeling “meh” – they’ve seen it enough. They are apathetic about their personal information being exposed over and over again. Their name, email addresses, phone numbers and other personal details are already all over the internet or have been included in countless breaches, so what’s the big deal? If their information is exposed in a breach, they will receive a notice. Credit monitoring services may be provided. There may even be monetary compensation provided. Then another. Rinse and repeat. Consumers are numb.
However, suppose you are a business owner, a CISO responsible for data protection or in charge of privacy and compliance. In that case, you are likelier to be in the “chills” category rather than feeling “meh” about it. And for good reason. Data breaches have a real impact on businesses of all types and sizes and can be costly.
A data breach is defined as “a security incident where unauthorized individuals gain access to sensitive or confidential information. This can include personal data like Social Security numbers, bank account details and healthcare information, as well as corporate data such as customer records, intellectual property and financial information.” Personal information is the most common type of data exposed in a data breach. For the vast majority of us, this means names, email addresses and phone numbers. Companies have many valid reasons to invest in protecting this data, such as avoiding the significant costs of a breach and maintaining the trust of their customers. On top of that, it’s simply the right thing to do.
If you’re reading this, there’s a good chance you have a solid grasp of the seriousness of the topic. Perhaps you’ve already invested in the people, processes and technologies intended to help your business avoid a breach, weather the storm when it does happen and recover from what could be devastating for your business.
Many companies do invest in information security. We have people, policies and procedures, and we buy or build technologies to detect and stop a breach. Intrusion detection systems (IDS), logging (lots of it), analysis and correlation tools, MDR/EDR, and many other acronyms are in play. Many of these technologies are helpful – even essential – but they focus on the bits and bytes of what’s happening with the data within your environment. It is machines speaking to machines until a human checks in and tries to make sense of it all.
When a data breach makes the news, what is it that you hear about first? It’s the number of consumers impacted and the types of data involved. More often than not, names, email addresses and phone numbers. Why? Numerous regulations call for the protection and appropriate handling of consumer information and carry significant fines and penalties for violations – this is why it can be a bigger problem for a business than for an individual.
Assumed Seeds complements more traditional monitoring and detection tools by opening your eyes to the human view. Assumed uses artificial contacts to observe and monitor the personal information directly flowing within your processes – the names, email addresses and phone numbers, which should be at the top of your mind during a breach. It’s a relatively simple concept that doesn’t get nearly enough attention. Assumed gives you a human perspective on the most important information during a breach. Assumed can surface indicators of leaks, help you to identify personal data abuse and provide insight into your data processes. I’ll stop short of declaring Assumed your first line of defense against a breach. However, I am confident that when combined with more traditional technologies and approaches, Assumed helps to complete the puzzle, giving you a 360-degree view of your information security posture. Assumed will help you understand the human element of what is happening, prompting you to dig further into the bits and bytes of how it happened by leveraging your existing logging and monitoring capabilities. You will be well prepared to detect and respond to an incident when every passing moment matters.
You can do more when protecting the personal information under your control; it doesn’t have to be overly complex or expensive. In matters of controversy and contention, you often hear the phrase “follow the money.” In the case of data protection, perhaps it is appropriate to follow the “PII.”