Tips for Protecting PII and Sensitive Data
Here are a few tips for protecting PII and sensitive data.
* Encrypt Your Data
Encryption is well known to security pros as a way of preventing data loss. It’s a core tool within Data Loss Prevention (DLP) strategies. Encryption protects your business both from cybercriminals accessing sensitive data and from employees making an unintended mistake with it.
Your data has a lifecycle – in use, at rest, and in motion. It’s considered best practice to encrypt across all these stages because data can be intercepted by threat actors at any stage.
Most commonly, organizations encrypt the following:
Company Intellectual Property or Proprietary Data
Company Financial Reports
Personally Identifiable Information
Research and Development Data
Sensitive Customer Data
Upcoming Product Launch Details
Sensitive emails can be encrypted too, whether they are sent from laptops, phones, tablets, or any other device used to send and store data.
* Use Strong Passwords
Have you heard over and over that strong passwords are important to online security? It may seem like a broken record, but they really are! And, there’s a method to the madness.
The National Institute of Standards and Technology (NIST) recommends a password policy framework based on the following:
Drop the crazy, complex mixture of upper case letters, symbols, and numbers. Use a user-friendly phrase with a minimum of eight characters and a maximum length of 64 characters.
Don’t use the same password twice. Some sites won’t let you reuse any of your last five passwords, so think of a few!
Choose something that is easy to remember, and never leave a password hint out in the open or make it publicly available for hackers to see.
Reset your password when you forget it. But, change it once per year as a general refresh.
Never leave your passwords out on a sticky note on your desk or workspace! And remember to reset your passwords annually or as soon as you hear about a breach from an organization you access with a username and password.
If you have a lot of passwords, consider using a password management tool or password vault.
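The policy points above (8 to 64 characters, no forced complexity mix, no reuse of the last five passwords, screening against well-known passwords) can be enforced in code. The following is an added example, not code from the original article or from NIST; the blocklist is a constructed five-entry stand-in for a real breached-password list, and the salted PBKDF2 hashing is an assumption about how the previous passwords are stored.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import List, Optional, Sequence, Tuple

# Constructed blocklist of common or previously breached passwords.
# Assumption: a real deployment loads a far larger list (NIST SP 800-63B
# calls for screening candidates against known-compromised passwords).
COMMON_PASSWORDS = {"password", "12345678", "qwertyui", "letmein1", "iloveyou"}

MIN_LENGTH = 8        # minimum for user-chosen passwords
MAX_LENGTH = 64       # passphrases up to 64 characters must be accepted
HISTORY_DEPTH = 5     # the "last five passwords" rule from the text
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage in history."""
    password = unicodedata.normalize("NFKC", password)
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_history(password: str, history: Sequence[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH stored hashes."""
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):   # constant-time comparison
            return True
    return False


def check_password(password: str, history: Sequence[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    # Normalize Unicode so the same passphrase typed on different keyboards compares equal.
    password = unicodedata.normalize("NFKC", password)
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    if matches_history(password, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    # Deliberately no composition rule (upper/lower/digit/symbol): the text and
    # NIST both drop those in favour of length plus blocklist screening.
    return problems


if __name__ == "__main__":
    previous = [hash_password("old-passphrase-1")]
    for candidate in ("short", "password", "old-passphrase-1", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate, previous) or 'OK'}")
```

Spaces are allowed, so a memorable multi-word phrase passes, while a short, common, or recycled password is rejected with a reason the user can act on.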
* Two Factor Authentication and Multi-Factor Authentication
Another great way to protect your data is through two-factor and multi-factor authentication. These services add an additional layer of security to the standard method of online identification using passwords.
You normally enter a username and password. With two-factor authentication, you are prompted for one additional authentication method, such as a Personal Identification Code, another password, or even a fingerprint.
With multi-factor authentication, you might be prompted to enter more than two additional authentication methods after entering your username and password.
Two-factor and multi-factor authentication can help prevent cybercriminals from accessing your personal data because they may not have access to the additional devices you use to authenticate your identity.
* Backup Data
Have you ever lost all your data after a computer crash or, even worse, after a virus took hold of your computer? If you didn’t already have a backup in place to restore your data, you probably wished you had.
Backups are one of the most overlooked steps in protecting your PII and sensitive data. IT managers and security pros rely on backups to restore their organization’s data.
A simple backup rule to follow is the 3-2-1 backup rule: keep three copies of your data on at least two different types of media (for example a local and an external hard drive), with one copy in an offsite location (such as cloud storage). When ransomware, viruses, or malware corrupts a system, the best way to retrieve the data is a backup and data restore.
* Safely Dispose or Destroy Old Media with Personal Data
Have you ever thought about disposing of your data and how to do so properly? Employees and organizations sometimes forget that data disposal and destruction are essential to protecting sensitive data.
Your employees should know how to dispose of data. You can have a dedicated section in your security policies and reiterate its importance during security training.
A security policy can state how long data is kept as well as when and how employees can dispose of or destroy data.
Your IT department may want to follow some guidelines when disposing of or destroying data. Consider the following:
Clearing: Overwrite the media
Purging: Magnetic erasure of the media
Destruction: Physical destruction of the media
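Clearing, the first of the three levels above, means overwriting the stored data so that it cannot be recovered by ordinary means. The following is an added example, not code from the original article: it overwrites every byte of a file with random data, forces the write to disk, and then unlinks the file. The sample content is constructed. Overwriting through the file system only reaches the blocks the file currently occupies, so on flash media, journaled or snapshotting file systems, and drives with spare-area remapping, copies of the data may survive; that is why the page lists purging and physical destruction as stronger options.

```python
import os
import tempfile
from typing import Dict

CHUNK = 64 * 1024  # write random data in 64 KiB chunks


def overwrite_file(path: str, passes: int = 1) -> int:
    """Overwrite the file in place with random bytes, fsync after each pass, return bytes cleared."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)
    try:
        for _ in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                # os.write may write fewer bytes than requested; loop until the pass is complete.
                written = os.write(fd, os.urandom(min(CHUNK, remaining)))
                remaining -= written
            os.fsync(fd)  # make sure the overwrite has actually reached the device
    finally:
        os.close(fd)
    return size


def clear_file(path: str, passes: int = 1) -> int:
    """Clear a file: overwrite its contents, then remove the directory entry."""
    size = overwrite_file(path, passes)
    os.unlink(path)
    return size


def demo() -> Dict[str, object]:
    """Write a constructed file of fake PII, clear it, and report whether any of it is still readable."""
    marker = b"SSN=123-45-6789\n"   # constructed sample record, not real data
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(marker * 1000)
        path = fh.name
    size = overwrite_file(path, passes=2)
    with open(path, "rb") as fh:
        residue = marker in fh.read()   # the marker must be gone after overwriting
    os.unlink(path)
    return {"bytes": size, "marker_found": residue, "exists": os.path.exists(path)}


if __name__ == "__main__":
    print(demo())
```

Run on a whole device rather than a file (opening the block device instead of a path), the same loop is the basis of a software clear; for SSDs, the drive's own secure-erase or crypto-erase command is the purge-level equivalent.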
* Be Aware of Shoulder Surfing, Tailgating, & Dumpster Diving
Threat actors are creative when it comes to getting access to your data. Did you know that a common scheme used by cybercriminals is a tactic known as “No-Tech Hacking?”
There are three ways in which cybercriminals use no-tech hacking to obtain your sensitive data. Be mindful of the following:
Shoulder surfing is when a threat actor tries to read your sensitive data by looking at your computer screen, phone, or tablet from behind you or over your shoulder.
Tailgating is when a cybercriminal gains unauthorized access to your physical location by following you through a door you have opened with your credentials. The tailgater takes advantage of your access privileges at your business (entrances, exits, and even windows).
Dumpster diving might sound gross, but cybercriminals will literally dig through a business’s garbage in search of sensitive data.
* Turn on Private Browsing When Surfing the Web
Have you ever seen the private browsing mode on your device and wondered what the heck it is? Chrome calls it “Incognito Mode” and others call it “Private Browsing Mode.” Private browsing emerged at a time when everyone was concerned about their digital footprint.
Private browsing is somewhat limited in how much it reduces your data footprint, but it is still a good way to minimize the trail of online activity left on the device you are using.
It’s helpful when checking personal emails or social media from a device that’s not yours. Lastly, it helps prevent other people from accessing these personal accounts and obtaining access to your sensitive data.
* Be Aware & Knowledgeable of Phishing Scams
Phishing and social engineering schemes are becoming so well crafted that they resemble, almost identically, the services we use on a daily basis. You might come across a phishing scheme that looks almost identical to your favorite online ecommerce or music store.
How to recognize a legitimate (non-phishing) email:
Legit companies don’t request your sensitive information via email
Legit companies usually call you by your name
Legit companies send email from their own domain
Legit companies know how to spell
Legit companies don’t force you to their website
Legit companies don’t send unsolicited attachments
Legit company links match legitimate URLs
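Several of the signs in the list above (generic greeting, request for sensitive information, unsolicited attachment, sender not on a company domain, link hosts that don’t match the sender) can be checked mechanically on a raw message. The block below is an added example, not code from the original article: a small analyzer built on Python’s standard `email` module. Both sample messages and their domains are constructed, and the "company domain = last two labels" rule is a simplifying assumption (a real filter would use a public-suffix list).

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

# Assumption: a short stand-in for the free webmail providers a real filter would list.
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear account holder")
SENSITIVE_REQUESTS = ("password", "social security", "credit card", "verify your account")


class _LinkCollector(HTMLParser):
    """Collect href targets and visible text from an HTML body."""
    def __init__(self) -> None:
        super().__init__()
        self.links: List[str] = []
        self.text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

    def handle_data(self, data):
        self.text.append(data)


def registrable(host: str) -> str:
    """Naive 'company domain': the last two labels (assumption; use a public-suffix list in production)."""
    return ".".join(host.lower().split(".")[-2:])


def analyze(raw: str) -> List[str]:
    """Return the list of phishing indicators found; an empty list means none of the checks fired."""
    msg = message_from_string(raw, policy=policy.default)
    flags: List[str] = []
    _, sender = parseaddr(msg["From"] or "")
    sender_domain = sender.rpartition("@")[2].lower()
    if not sender_domain or sender_domain in FREEMAIL:
        flags.append("sender is not on a company domain")

    links: List[str] = []
    text: List[str] = []
    attachments = 0
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments += 1
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            links += collector.links
            text.append(" ".join(collector.text))
        elif ctype == "text/plain":
            body = part.get_content()
            text.append(body)
            links += re.findall(r"https?://\S+", body)

    body = " ".join(text).lower()
    if body.lstrip().startswith(GENERIC_GREETINGS):
        flags.append("generic greeting instead of your name")
    if any(keyword in body for keyword in SENSITIVE_REQUESTS):
        flags.append("asks for sensitive information")
    if attachments:
        flags.append(f"{attachments} unsolicited attachment(s)")
    for link in links:
        host = urlparse(link).hostname or ""
        if registrable(host) != registrable(sender_domain):
            flags.append(f"link host {host} does not match sender domain {sender_domain}")
    return flags


# Constructed sample messages (not real mail); .example and .net names are placeholders.
SAMPLE_PHISH = """\
From: "Examplebank Support" <support@examplebank-security.net>
To: victim@example.com
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Please <a href="http://examplebank.example.net/login">verify your account</a>
and confirm your password within 24 hours.</p></body></html>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

SAMPLE_LEGIT = """\
From: "Examplebank" <notifications@examplebank.example>
To: jane@example.com
Subject: Your March statement is ready
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Hello Jane,

Your statement for March is available in online banking:
https://online.examplebank.example/statements

Thank you,
Examplebank
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, "->", analyze(raw) or "no indicators")
```

None of these checks is proof on its own; a message that trips several of them is the one to report rather than act on.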