When to use PII discovery in the audit process

Billy Austin


If you perform assessments as a career, you know the importance of delivering great results. An effective security or compliance report may make the difference between preventing a potential security incident or data breach and suffering one.

While your company may have exceptional skill sets and technologies, if you don’t know how to use them in an assessment process, their value diminishes.

There are unlimited opportunities to leverage personally identifiable information (PII) discovery during a routine audit or assessment. After all, your traditional vulnerability scanning process shouldn’t produce the same old report listing vulnerable computers on the network. Rather, it should align with what your customer needs and with how they could improve their overall security posture.

The key to leveraging any PII Discovery is to use it in a way that has impact for your particular customer.

How do you know when the timing is right?

Evaluate each of the examples below to determine which situation is best for your customer or management team. If you have enough PII Discovery examples, you may consider using them at several times during your assessment process.

1. Grabbing attention

A powerful assessment that contains measurable results can be the one thing that makes a client take notice. If you’re having trouble getting a response from the recipient of the report, use a PII Discovery to get their attention.

Remember, exposing unencrypted PII data opens eyes. If you’ve had trouble getting attention, provide them with a short one-page report highlighting a metric that impacts the bottom line, for example:


- Sally's computer: 143 instances of social security numbers discovered
- Bob's home laptop: three instances of XYZ sample of PII discovered

2. Demonstrate value

If you have your customer’s attention, the first part of any value-based security assessment is to focus on their goals.

- What are the assessment requirements?
- What positive results are they expecting to achieve?

Once you reach a stage where you truly understand your client's pain points, it’s the perfect time to inform them how your assessment can solve problems.

Security and compliance stakeholders are cynical; they want to know that you can do what you promise. An effective PII Discovery provides tangible evidence in the eyes of your client. Stating that you can reduce costs by 50% is one thing. Showing that same cost savings alongside evidence of both vulnerabilities and unencrypted sensitive data is more impactful and can increase your value over others.

3. Differentiate your assessment

Once you’ve demonstrated your value, you need to show your differentiation. Other security specialists are always a phone call away. If your customer is contemplating a long-term security-as-a-service contract, most likely they’re reviewing your competition. A PII Discovery that exhibits your differentiation is an effective way to show how your assessment is more effective than others'. Here are three PII Discovery assessment talking points and actions to consider:

3.1 Illustrate a sample report uncovering a few types of PII, such as unencrypted cardholder and social security data on a computer in different folders and document types.

3.2 Demonstrate an assessment capability immediately, on the spot, that is important to your client and that you know your competition doesn’t have. For example, a 'Scan Now' button on your web site that provides a quick vulnerability assessment check. Then discuss the relationship between the conditional risk and the impact.

Conditional Risk – If | And | Then = Impact

(If you store unprotected data, And your device is vulnerable, Then you are at risk and prone to be Impacted by a data breach.)

3.3 Include BYOD, remote workers and mobile devices as part of the assessment. Most vulnerability and/or compliance assessments are performed by a network scanner, which is great for scanning static devices that are physically on the network. BYOD and mobile security present new attack vectors that are invisible to historical assessment approaches. When it comes time for routine audits, demonstrate your capabilities by assessing both stationary and on-the-go devices for both vulnerabilities and unprotected PII.

Don’t make your customer take your word for it: if your assessment will truly uncover the combination of vulnerabilities and sensitive data across both computing and mobile devices, show the customer that you have the tangible evidence and the capability.
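As an added illustration (not code from the original post), the following Python sketch shows how the PII discovery of talking point 3.1 and the If | And | Then rule of 3.2 fit together: it counts SSN and Luhn-valid card-number instances per host across constructed sample files and joins them with a constructed vulnerability-scan result to produce the per-host verdict. The host names, file paths, file contents and scan result are all assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed sample files from two hypothetical hosts (path prefixed with host); not real data.
SAMPLE_FILES = {
    "sally-pc:/Documents/payroll.csv": "id,ssn\n1,123-45-6789\n2,219-09-9999\n",
    "sally-pc:/Downloads/receipt.txt": "Paid with card 4111 1111 1111 1111, ref 555-1234",
    "bob-laptop:/Desktop/todo.txt": "renew certs, nothing sensitive here",
}
# Constructed vulnerability-scan result: host -> has an unpatched critical finding
VULN_SCAN = {"sally-pc": True, "bob-laptop": False}
# SSN: area 000, 666 and 900-999, group 00 and serial 0000 are never issued, so they are rejected
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card: 13-16 digits with optional single space/dash separators, confirmed by Luhn below
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum; rejects most random digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed([c for c in number if c.isdigit()])):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_pii(text: str) -> Counter:
    """Count SSN and card-number instances in one document."""
    hits = Counter()
    hits["ssn"] += len(SSN_RE.findall(text))
    hits["card"] += sum(1 for m in CARD_RE.findall(text) if luhn_ok(m))
    return hits


def conditional_risk(pii_count: int, vulnerable: bool) -> str:
    """The page's If | And | Then rule evaluated for one host."""
    if pii_count and vulnerable:
        return "impact: unprotected PII on a vulnerable host"
    if pii_count:
        return "exposure: unprotected PII, host not vulnerable"
    return "vulnerable host, no PII found" if vulnerable else "low"


def assess(files: dict, vuln_scan: dict) -> dict:
    """Roll per-file findings up per host and attach the conditional-risk verdict."""
    per_host = {}
    for path, text in files.items():
        host = path.split(":", 1)[0]
        per_host.setdefault(host, Counter()).update(find_pii(text))
    return {host: {"ssn": hits["ssn"], "card": hits["card"],
                   "risk": conditional_risk(hits["ssn"] + hits["card"], vuln_scan.get(host, False))}
            for host, hits in per_host.items()}
```

Calling `assess(SAMPLE_FILES, VULN_SCAN)` yields the kind of one-page metric the post describes: a host with both unencrypted PII and an open vulnerability is flagged as impact, while a clean, patched host reads low.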

4. Mitigate data breaches and risk

Before the assessor has been selected, your client is focused on how your methodology maps to their pain points and budget. This is when you need to highlight how your PII Discovery can help alleviate their fear of a security incident or data breach while delivering a combined assessment experience like no other.

PII Discovery is a fundamental component of effective value-based security assessments. It can carry a lot of weight with your customer. Don’t dismiss the threat posed by remote workers and smart devices, as the real risk to your crown jewels may very well be in someone's pocket or connecting from home.

Exposing unprotected sensitive data, combined with the power of vulnerability discovery, provides compelling intelligence for thwarting security incidents and data breaches.