By Paul Mander, GM, Optery for Business
For years, the exploitation of exposed personal information through social engineering has consistently been a top source of organizational breaches. Security infrastructure and awareness training remain foundational, but on their own they have proven insufficient to stem the tide of PII-based attacks. As the sophistication and volume of these attacks continue to escalate, an increasing number of companies are recognizing the need for a more proactive and comprehensive strategy.
With this shift, protecting your company from security threats has expanded to include the scanning and removal of PII from the open web not only for executives, but for the employee population at large. Scrubbing this personal information reduces the attack surface for phishing and other social engineering attacks, and many executives and other highly visible employees also want help keeping personal information like their home address off the web to protect them from attacks in the physical world.
Addressing the Problem of Data Brokers
One of the key challenges in this domain stems from data brokers, who are among the most prevalent sources of unwanted PII published online. The problem security teams face when trying to remove this data manually on behalf of employees, or when encouraging employees and executives to remove it themselves, is that every data broker is different and has its own removal procedure. The process can be as simple as sending an email or filling out an online form, or it may require more effort, such as uploading a government-issued ID or utility bill to prove one’s identity. Removing PII for a single employee manually can take up to 50 hours in the first month alone to work through hundreds of sites, plus an additional 5-10 hours per month going forward to keep up with ongoing changes at the data brokers. New data brokers appear all the time, and PII is often re-added to broker sites after several months.
Because of this, IT teams and security professionals are increasingly turning to personal data removal services to automatically scan for and remove employee PII from the web on an ongoing basis. As these services become more integral to cybersecurity strategies, it’s crucial to understand how to choose the most effective solution for your needs.
Here are our recommendations for the most important criteria to utilize when evaluating personal data removal platforms:
1. The Credibility of the Company
Perform a security review before selecting the vendor, and include an evaluation of the company’s corporate structure and leadership. Where are the executives located? Where is the customer support team located? Is the company a corporation headquartered in the same country as your organization, or a shell-company subsidiary of a parent located in a different part of the world? Be cautious of companies with undisclosed leadership, opaque corporate structures, or signs of being a side business. Also avoid personal data removal services that simultaneously run data brokers or partner with them through affiliate relationships, since their incentives conflict with yours.
2. Enterprise Readiness and Security Credentials
Not every personal data removal service is enterprise ready. Validate the removal company’s commitment to its enterprise offering by asking for a recent SOC 2 Type II audit report. Confirm that the product supports SSO (SAML) and SCIM so that account provisioning and deprovisioning follow your identity provider, and so that access to the service, which holds your employees’ PII, is governed by your existing authentication controls.
3. The Availability of Self-Service Onboarding Options
Sometimes you don’t want to have to talk to someone in sales to start using a product, and you just want to be able to create an account and start using the product on your own immediately. Self-service onboarding options allow customers to move quickly and start protecting their team members right away. They also demonstrate the company’s commitment to customer empowerment and a user-friendly self-directed customer experience.
4. Being Able to Speak with Customer Success or Support
Given the criticality of the task of removing openly exposed personal data from the internet, it’s important that your data removal service is not just a tool in your stack, but rather a true partner to your business. The best data removal services allow you to talk with knowledgeable team members to learn more about the product or obtain support.
5. Transparency in Reporting
Most data brokers operate under the radar as black boxes. Your data removal service should not. Look for services that offer confirmation of where your employees’ profile information was found and removed, via screenshots and/or links to exposed profiles. The availability of free scans when first trying out the product is another key feature that will help you understand the efficacy of the service during the evaluation period.
6. Broad Coverage of Data Brokers
There are hundreds of data brokers that post information publicly and new ones emerge frequently. Confirm how many data brokers the data removal service covers by default. If they don’t have a list of data brokers you can review, that’s not a good sign, and if it’s only 50 – 100 that’s not nearly enough. We recommend looking for services that cover more than 200 data brokers and offer unlimited custom removals if you are able to find a data broker the service doesn’t currently cover.
7. Submits Removal Requests as an Authorized Agent with Limited Power of Attorney
With increasing regulation around personal data privacy, many data brokers require personal data removal services to have legal authorization to act on behalf of the individual whose data is being removed. Ensure you choose a data removal service that can act as an authorized agent on your employees’ behalf when submitting removals. This typically requires the employee to sign a Limited Power of Attorney; signing it is optional, but it enables the most complete removals, because brokers that demand proof of authorization will otherwise reject the request.
8. Frequent Scanning
Personal data proliferates across the internet in real time, and the removal of personal data is an ongoing task. In fact, many data brokers will “re-spawn” profiles approximately 6 – 12 months after the last removal. The most effective personal data removal services include automated scanning and removals at least monthly and have features such as “scans on demand” that allow team members to run scans at any time for ad hoc needs.
9. Flexible Billing Options
Check to see if the company offers monthly and yearly billing options. Month-to-month billing options enable you to pay only for what you use, and allow you to cancel the service without penalty if your organization decides to go in a different direction. Be wary of services that try to force you into yearly or multi-year contracts as your only option.
10. Strong Technology Supported by Human Intervention
The landscape around personal data removal on the internet is complex and evolving quickly. A data removal service that relies too heavily on humans to perform removals often takes longer to produce results and provides more limited coverage, because manual removal is time-consuming. Conversely, services that rely exclusively on automation often struggle with edge cases, such as brokers that require identity documents or change their opt-out flow. The best data removal services combine automation with human intervention to maximize data removal in minimal time.
Choosing the right data removal service is an important decision for security professionals entrusted with the job of removing PII from the open web for employees and executives. Organizational credibility, enterprise readiness, security credentials, transparency in reporting, and strong technology supported by humans all contribute to an effective, reliable service. By considering these factors, you can make an informed decision and select the best personal data removal service for your needs.