Employee personal data has long been recognized as a threat vector for enterprise cybersecurity. However, even though more employees than ever avail themselves of identity theft and credit monitoring services, their employers are rarely any safer.
While employees are increasingly concerned about personal identity security, the incidence of both identity theft and phishing attacks continues to soar. The number of identity theft cases has more than tripled since 2018, and phishing attacks grew by a whopping 350% during the COVID-19 quarantine. Crucially, 38% of respondents in a recent study said a coworker had fallen victim to a phishing attack within the last year.
This paradox emerges because most personal information protection solutions are reactive, and because businesses misunderstand the benefits those solutions bring. Rather than network protection, the actual service offered by many identity theft and credit monitoring solutions is more akin to remediation.
As a result, identity theft and credit monitoring scarcely increase personal data security for employees or their organizations. From our experience working with enterprise CSOs in every sector, we have even found that companies that rely too heavily on these kinds of services frequently become more rather than less vulnerable to cyber threats. The more employers feel protected by ineffective systems, the further employees are likely to stray from cyber hygiene basics.
With more powerful malware, a tightening regulatory environment, and greater consumer security consciousness raising the stakes for organizational cybersecurity, understanding how personal data monitoring impacts cybersecurity has never been more vital.
As the gap between real protection and false security widens, organizations need to appraise their personal information security posture critically. Figuring out what works in protecting employee privacy is becoming increasingly important as social engineering scams used by threat actors continue to evolve.
The emergence of techniques such as spear phishing, where targeted phishing emails are aimed at specific individuals within an organization, shows how cybercriminals leverage personal information to increase a phishing attack's credibility. If a cybercriminal can find the home address, full name, or marital status of an individual within a corporate network, crafting a convincing phishing email becomes far easier. By leveraging executive personal information to gain the trust of individuals high in the corporate hierarchy, a practice known as "whaling," cybercriminals can quickly initiate devastating cyberattacks.
In 2016, a whaling attack on the social media company Snapchat, in which a cybercriminal impersonated its CEO to gain an executive's trust, resulted in a massive leak of employee payroll information. Similarly, the CEO of FACC, an Austrian aerospace company, was fired after he lost nearly $60 million by falling victim to a whaling attack.
Worryingly, the personal information that threat actors use to facilitate these kinds of attacks is easily accessible. Whether as a result of a data breach or, more frequently, through publicly accessible information collated by data brokers and people search websites, employee personal information is often readily available.
With most US companies concerned about the cybersecurity impact of employee social media use, employees themselves can also be serial offenders in creating personal information security gaps.
In response to the growing threat that exposed personal information presents, the market for information protection solutions is rapidly expanding, with an expected compound annual growth rate (CAGR) of 13% over the next 6 years.
Many organizations are eager to offer more protection to employees as part of a corporate benefits package but are unclear about how that protection actually works. To help clarify this issue, it's useful to think of information security solutions as belonging to one of three main categories.
The first category is credit monitoring. By scanning for changes to an individual's credit file at the three major credit bureaus (Equifax, TransUnion, and Experian), credit monitoring services allow individuals to keep an eye on their credit score in one place.
While anyone can check their credit score by themselves, paid credit monitoring services automate the process and make it easier for individuals to keep track of changes.
For employees, the advantage of credit monitoring as a workplace benefit is the ability to watch for abrupt changes to their credit score, which indicate that they may be the victim of fraud.
The second category is identity theft protection. Like credit monitoring services, identity theft protection solutions are best thought of as insurance policies for personal information. However, these products, offered by providers such as Identity Guard, Norton, and OneRep, go a step beyond just looking at an individual's credit score.
As well as conducting credit checks, identity theft protection takes a more comprehensive look at things like court records, loan applications, and utility orders to see whether an individual's personal information is being fraudulently used.
With identity theft impacting record numbers of Americans, identity theft protection is now a popular elective benefit.
Credit monitoring and identity theft protection services provide insurance that employees will be notified if their information is misused, but they do little to increase cybersecurity for enterprises.
By the time an employee sees real benefit from these kinds of services, their data has already been exposed, and new cybersecurity risks to their employer have already been created. The reactive nature of credit and identity protection also means that while individuals can notice and remediate fraud faster and more easily, the underlying problem of personal data exposure remains unresolved.
The third category is privacy protection. Privacy protection solutions, like the service offered by DeleteMe, work to solve the root of the problem: personal data exposure itself. By finding and removing unnecessary exposure of an individual's personal and professional data, proactive privacy protection drastically reduces the likelihood of fraud occurring in the first place.
For enterprises, this kind of solution also bolsters cybersecurity by minimizing employee personal information leakage and, in turn, taking valuable ammunition away from threat actors.
While every type of solution has its place, true protection for employee personal information results from a layered approach.
At the most basic level, employees need practical training in how to minimize their personal information footprint both at work and at home. As well as emphasizing the security risks of an insecure approach to personal information, effective training should also show employees the benefits (e.g., reduced spam and greater personal safety) that privacy brings.
However, training alone is rarely effective. While regular training is crucial, the lessons of security awareness programs that teach employees how to spot social engineering scams are usually forgotten within a few months and need to be continually reinforced to remain effective.
On top of training, employee personal information should also be protected by a proactive personal information retrieval and removal service. Ultimately, the best way to protect employees and enterprises from the kind of fraud that leverages personal information is to cut off the supply of personal data at the source.
Credit monitoring and identity protection services can form the third layer of a proactive approach. While these services do little to increase enterprise security, they can help reassure employees that they will find out if their data is misused before the problem gets out of hand.
Even though it doesn't appear on a corporate balance sheet, employee personal information is a valuable corporate asset. With over 90% of organizations regularly experiencing targeted phishing attacks, minimizing employee data exposure needs to be a critical part of every enterprise's security posture.
However, rather than offering employees solutions that only work after the fact, organizations need to create a layered, proactive solution that delivers real security value. Employee privacy is too important to remain a personal matter.