Tips for Protecting PII and Sensitive Data

Here are a few tips for protecting PII and sensitive data.

* Encryption

Encryption is well known by security pros for preventing data loss. It’s a core tool for the strategies and tools within Data Loss Prevention (DLP). Encryption protects your business from cybercriminals accessing sensitive data or employees making an unintended mistake with your data.

Your data has a lifecycle – in use, at rest, and in motion. It’s considered best practice to encrypt across all these stages because data can be intercepted by threat actors at any stage.

Most commonly, organizations encrypt the following:

- Company intellectual property or proprietary data
- Company financial reports
- Personally identifiable information (PII)
- Research and development data
- Sensitive customer data
- Upcoming product launch details

Sensitive emails can be encrypted too, whether employees send them from laptops, phones, tablets, or any other device used to send and store data.
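The article describes encryption at rest in general terms; the added example below (written for this page, not code from the article or any product it mentions) shows what that looks like in practice: a record of PII sealed with AES-256-GCM, an authenticated mode, so that a copy altered on disk is rejected on decryption rather than silently returning garbage. The record contents and the key handling are constructed for illustration; in a real deployment the key comes from a KMS, HSM, or OS keystore rather than living next to the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh random 32-byte key (AES-256). In production the
// key is generated and held by a KMS/HSM, never stored beside the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. A random 12-byte nonce is
// generated per message and prepended to the output; GCM appends a
// 16-byte authentication tag so any later modification is detectable.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // fails unless key is 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce slice: output = nonce||ct||tag
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt splits off the nonce and opens the ciphertext. It fails closed
// when the tag does not verify, i.e. on a wrong key or tampered data.
func Decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(data) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short to contain nonce and tag")
	}
	return gcm.Open(nil, data[:ns], data[ns:], nil)
}

func main() {
	key, _ := NewKey()
	record := []byte("name=Jane Doe;ssn=000-00-0000") // constructed sample PII
	ct, _ := Encrypt(key, record)
	pt, _ := Decrypt(key, ct)
	fmt.Println("round trip ok:", string(pt) == string(record))

	ct[len(ct)-1] ^= 0x01 // flip one bit of the stored copy (simulated tampering)
	_, err := Decrypt(key, ct)
	fmt.Println("tampered copy rejected:", err != nil)
}
```

The nonce must never repeat under the same key; drawing it from `crypto/rand` per message is the simplest way to guarantee that for the volumes a typical application handles.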

* Use Strong Passwords

Have you heard over and over that strong passwords are important to online security? It may seem like a broken record, but they really are! And, there’s a method to the madness.

The National Institute of Standards and Technology (NIST) recommends a password policy framework based on the following:

- Drop the crazy, complex mixture of upper-case letters, symbols, and numbers. Use a user-friendly phrase with a minimum of eight characters and a maximum length of 64 characters.
- Don’t use the same password twice. Some sites will not let you reuse any of your last five passwords, so think of a few!
- Choose something that is easy to remember, and never leave a password hint out in the open or make it publicly available for hackers to see.
- Reset your password when you forget it, and change it once per year as a general refresh.
- Never leave your passwords on a sticky note on your desk or workspace! And remember to reset your passwords annually, or as soon as you hear about a breach at an organization where you have a username and password.

If you have a lot of passwords, consider using a password management tool or password vault.
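The NIST-style rules above translate directly into a server-side check. The following is an added example written for this page (not code from the article): it enforces the 8-to-64 character range, counts characters rather than bytes so non-ASCII passphrases are measured fairly, imposes no composition rule, and instead screens candidates against a blocklist of known-bad passwords and against the username, which is the screening NIST SP 800-63B calls for. The blocklist entries and the test passwords are constructed; a real deployment would load a breached-password list.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// Constructed stand-in for a real breached/common-password list.
var blocklist = map[string]bool{
	"password":   true,
	"12345678":   true,
	"qwertyuiop": true,
	"letmein1":   true,
}

// Verdict lists every reason a candidate was rejected; empty means accepted.
type Verdict struct{ Reasons []string }

func (v Verdict) OK() bool { return len(v.Reasons) == 0 }

// CheckPassword applies NIST-style rules: 8..64 characters (Unicode
// characters, not bytes), any printable character including spaces, no
// composition requirement, no control characters, not on the blocklist,
// not a single repeated character, and not derived from the username.
func CheckPassword(candidate, username string) Verdict {
	var v Verdict
	n := utf8.RuneCountInString(candidate)
	if n < 8 {
		v.Reasons = append(v.Reasons, "shorter than 8 characters")
	}
	if n > 64 {
		v.Reasons = append(v.Reasons, "longer than 64 characters")
	}
	for _, r := range candidate {
		if unicode.IsControl(r) {
			v.Reasons = append(v.Reasons, "contains control characters")
			break
		}
	}
	lower := strings.ToLower(candidate)
	if blocklist[lower] {
		v.Reasons = append(v.Reasons, "appears on the blocklist of known-bad passwords")
	}
	if username != "" && strings.Contains(lower, strings.ToLower(username)) {
		v.Reasons = append(v.Reasons, "contains the username")
	}
	if isRepetitive(lower) {
		v.Reasons = append(v.Reasons, "is a single repeated character")
	}
	return v
}

// isRepetitive reports whether s consists of one character repeated.
func isRepetitive(s string) bool {
	if s == "" {
		return false
	}
	first, _ := utf8.DecodeRuneInString(s)
	for _, r := range s {
		if r != first {
			return false
		}
	}
	return true
}

func main() {
	for _, c := range []string{"correct horse battery staple", "password", "aaaaaaaaaa", "jane-is-great-2024"} {
		fmt.Printf("%-30q accepted=%v %v\n", c, CheckPassword(c, "jane").OK(), CheckPassword(c, "jane").Reasons)
	}
}
```

Note that a short, non-dictionary password such as an eight-character mix passes this check: the policy deliberately lets length and the blocklist do the work rather than rejecting users for missing a symbol.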

* Two-Factor Authentication and Multi-Factor Authentication

Another great way to protect your data is through two-factor and multi-factor authentication. These services add an additional layer of security to the standard method of online identification using passwords.

You normally enter a username and password. With two-factor authentication, you are prompted for one additional authentication method, such as a personal identification code, another password, or even a fingerprint.

With multi-factor authentication, you might be prompted to enter more than two additional authentication methods after entering your username and password.

Two-factor and multi-factor authentication can help prevent cybercriminals from accessing your personal data, because they are unlikely to have access to the multiple devices you use to authenticate your identity.

* Backup Data

Have you ever lost all your data after a computer crash or, even worse, after a virus took hold of your computer? You probably wished you had a backup in place to restore your data, if you didn’t already.

Backups are one of the most overlooked steps in protecting your PII and sensitive data. IT managers and security pros use backups to restore their organizational data.

A simple backup rule to follow is the 3-2-1 backup rule: keep three copies of your data, on at least two different types of media (for example, a local drive and an external hard drive), with one copy in an offsite location (such as cloud storage). When ransomware, viruses, or malware corrupts a system, the best way to retrieve the data is a backup and data restore.

* Safely Dispose of or Destroy Old Media with Personal Data

Have you ever thought about disposing of your data and how to do so properly? Employees and organizations sometimes forget that data disposal and destruction are essential to protecting sensitive data.

Your employees should know how to dispose of data. You can have a dedicated section in your security policies and reiterate its importance during security training.

A security policy can spell out how long data is kept, as well as when and how employees can dispose of or destroy data.

Your IT department may want to follow some guidelines when disposing of or destroying data. Consider the following:

- Clearing: overwriting the media
- Purging: magnetic erasure of the media
- Destruction: physical destruction of the media
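"Clearing: overwriting the media" is the one of these three steps that is done in software. The following is an added example for this page (not code from the article) showing what a clearing routine for a single file does: overwrite the contents in place with random bytes, force the writes to the device, truncate, and only then unlink. The file name and contents in `main` are constructed. The caveat a practitioner should know: on SSDs, copy-on-write and journaling filesystems, and any storage with wear levelling, an overwrite may land on different physical blocks than the original data, so for those media the purge or destruction options above (or full-disk encryption followed by key destruction) are the reliable route.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"io"
	"os"
)

// ClearFile overwrites path's contents with random bytes `passes` times,
// syncing after each pass, then truncates and removes the file. It returns
// the number of bytes that were overwritten per pass.
func ClearFile(path string, passes int) (int64, error) {
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return 0, err
	}
	size := info.Size()
	for p := 0; p < passes; p++ {
		if _, err := f.Seek(0, io.SeekStart); err != nil {
			return 0, err
		}
		// Overwrite exactly the original length with cryptographically random data.
		if _, err := io.CopyN(f, rand.Reader, size); err != nil {
			return 0, err
		}
		// Flush to the device so the overwrite is not left sitting in the page cache.
		if err := f.Sync(); err != nil {
			return 0, err
		}
	}
	if err := f.Truncate(0); err != nil {
		return 0, err
	}
	if err := f.Sync(); err != nil {
		return 0, err
	}
	f.Close() // close before unlinking (required on Windows; harmless elsewhere)
	return size, os.Remove(path)
}

func main() {
	// Constructed sample export containing PII.
	tmp, err := os.CreateTemp("", "customer-export-*.csv")
	if err != nil {
		panic(err)
	}
	tmp.WriteString("name,ssn\nJane Doe,000-00-0000\n")
	tmp.Close()

	n, err := ClearFile(tmp.Name(), 3)
	if err != nil {
		panic(err)
	}
	_, statErr := os.Stat(tmp.Name())
	fmt.Printf("overwrote %d bytes x3, file removed: %v\n", n, os.IsNotExist(statErr))
}
```

This clears only the file's current blocks; earlier versions left in snapshots, backups, or the cloud copy from the 3-2-1 rule above need to be retired under the same policy.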

* Be Aware of Shoulder Surfing, Tailgating, & Dumpster Diving

Threat actors are creative when it comes to getting access to your data. Did you know that a common scheme used by cybercriminals is a tactic known as “No-Tech Hacking?”

There are three ways in which cybercriminals use no-tech hacking to obtain your sensitive data. Be mindful of the following:

- Shoulder surfing is when a threat actor attempts to access your sensitive data by looking at your computer screen, cell phone, or tablet from behind you or over your shoulder.
- Tailgating is when a cybercriminal attempts to gain unauthorized access to your physical location by using your credentials. The tailgater takes advantage of your access privileges at your business (e.g., at entrances, exits, and windows).
- Dumpster diving might sound gross, but cybercriminals will literally go through the business’s garbage in search of sensitive data.

* Turn on Private Browsing When Surfing the Web

Have you ever seen the private browsing mode on your device and wondered what it is? Chrome calls it “Incognito Mode” and other browsers call it “Private Browsing Mode.” Private browsing emerged at a time when everyone was concerned about their digital footprint.

Private browsing is limited in how much it can reduce your data footprint, but it is still a good way to minimize the trail of online activity left on the device.

It’s helpful when checking personal email or social media from a device that’s not yours. It also helps prevent other people who use that device from getting into those personal accounts and obtaining access to your sensitive data.

* Be Aware & Knowledgeable of Phishing Scams

Phishing and social engineering schemes are becoming so well crafted that they resemble, almost identically, the services we use on a daily basis. You might come across a phishing scheme that looks almost identical to your favorite online ecommerce or music store.

How to recognize a legitimate (non-phishing) email:

- Legit companies don’t request your sensitive information via email
- Legit companies usually call you by your name
- Legit companies send email from their own domain
- Legit companies know how to spell
- Legit companies don’t force you to their website
- Legit companies don’t send unsolicited attachments
- Legit company links match legitimate URLs
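Three of the points above (the sender uses its own domain, the message greets you by name, and link text matches the real URL) can be checked mechanically, which is what mail filters and user-awareness tools do. The block below is an added example for this page (not code from the article or any product): it parses a constructed sample message that imitates a store notice, compares the sender's domain with the domain the email claims to represent, flags anchors whose visible text is a URL on a different host than the actual `href`, flags links that lead off the claimed domain, and notes a generic "Dear customer" greeting. All addresses, hosts and the message body are made up for the example; the IP address is from a documentation range.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample message (not a real email) imitating a store notice.
const sampleEmail = `From: "Example Store" <billing@example-store-support.net>
To: customer@example.com
Subject: Dear customer, verify your account

<html><body>
<p>Dear customer, confirm your details here:
<a href="http://198.51.100.23/login">https://www.example-store.com/account</a></p>
<p>Or visit <a href="https://www.example-store.com/help">our help center</a>.</p>
</body></html>
`

// anchorRE captures href and visible text of simple <a> tags. A regexp is
// enough for this illustration; a mail filter would use a real HTML parser.
var anchorRE = regexp.MustCompile(`(?is)<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>`)

// host returns the lowercase hostname of a URL string, or "" if unparseable.
func host(raw string) string {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// onDomain reports whether h is legitDomain or a subdomain of it.
func onDomain(h, legitDomain string) bool {
	return h == legitDomain || strings.HasSuffix(h, "."+legitDomain)
}

// Findings returns one line per red flag in the raw message, judged against
// the domain the email claims to come from. An empty result means no flag.
func Findings(raw, legitDomain string) []string {
	var out []string
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return []string{"unparseable message: " + err.Error()}
	}
	// 1. Sender domain should be the company's own domain.
	if addr, err := mail.ParseAddress(msg.Header.Get("From")); err == nil {
		if i := strings.LastIndex(addr.Address, "@"); i >= 0 {
			if d := strings.ToLower(addr.Address[i+1:]); !onDomain(d, legitDomain) {
				out = append(out, "sender domain "+d+" is not "+legitDomain)
			}
		}
	}
	bodyBytes, _ := io.ReadAll(msg.Body)
	body := string(bodyBytes)
	// 2. Link text that looks like a URL must point where it says it does,
	//    and links should stay on the company's domain.
	for _, m := range anchorRE.FindAllStringSubmatch(body, -1) {
		href, text := m[1], strings.TrimSpace(m[2])
		if strings.HasPrefix(text, "http") && host(text) != host(href) {
			out = append(out, "link text "+text+" actually points to "+href)
		}
		if h := host(href); h != "" && !onDomain(h, legitDomain) {
			out = append(out, "link leads off-domain to "+h)
		}
	}
	// 3. Legitimate senders usually address you by name.
	if strings.Contains(strings.ToLower(body), "dear customer") {
		out = append(out, "generic greeting instead of your name")
	}
	return out
}

func main() {
	for _, f := range Findings(sampleEmail, "example-store.com") {
		fmt.Println("red flag:", f)
	}
}
```

The display-text-versus-href comparison is the check that catches the most convincing phishing mail, because the visible link is exactly what a careful user reads before clicking.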
