Exposed personal information can be a cybersecurity risk because bad actors can use it to commit fraud or identity theft. Once personal information, such as a person’s name, address, previous addresses, or phone numbers, is exposed, it can be used to access online accounts, phish the individual, or phish their colleagues.
Over the past decade, the threat of exposed personal information has become increasingly well-known. It’s now common to use expensive, bespoke “executive protection” services to manage that risk – for thousands of dollars per year per executive.
Once an attacker has access to personal information, they can create a sense of trust and make it more likely for a person to fall for a scam or click on a malicious link. Additionally, they can use exposed personal information in more advanced attacks such as account takeover, where the attacker takes over a person’s account by resetting the password using personal information.
The problem now is that these same threats are targeting every single member of the organization. Protecting executives alone isn’t enough.
Personal information is increasingly being stored and shared online. This includes not only the personal information of individuals but also the sensitive information of companies and organizations. It is being stored and sold not only illicitly on the dark web, but also on the open web by semi-legitimate “data brokers.” The growing concern is that this exposed personal data can be used to target phishing campaigns and other attacks, making it essential for individuals and organizations to remove personal information from the internet.
One of the most common ways that hackers use exposed personal information is for phishing campaigns. By using personal information that is available online, such as email addresses and phone numbers, hackers can make their phishing attempts more convincing and increase the chances of success. This is a concern not only for executives and high-level employees but also for low-level employees, particularly those in accounts payable who may have access to financial information.
These individuals are currently the chink in the armor of most organizations. Because they are below the executive level, they are not part of traditional executive protection services; yet because these employees have access to privileged and financial information, they are the direct targets of bad actors.
Various tools and platforms can be used to monitor and remove personal information from the internet. For example, Agency offers reputation management services that can monitor the internet for personal information and remove it as necessary. Other tools, such as browser extensions and mobile apps, can be used to check for personal information on specific websites and remove it. Removing personal information from the internet is also now more affordable than ever.
Individuals and organizations can take steps to reduce the amount of personal information available online, such as regularly reviewing and removing personal information from social media profiles and online directories, regularly issuing takedown requests across hundreds of data brokers, and being careful about the information that is shared online.
Removing the personal information of every employee from the internet is an essential aspect of corporate cybersecurity. In the past, it was an expensive and time-consuming process and only financially feasible for executives. But now, the threat surface has changed. For organizations, it is now possible to carry out information removal for the entire company; conversely, for bad actors, it’s now worthwhile to use any personal information available.