With businesses holding so much information about customers, employees and other stakeholders, it’s no wonder why they’re the target of online hackers. Businesses are threatened by fraudulent stealing of personal information such as names, credit card details and Social Security numbers. When a new employee joins the team, their information is required to complete the payroll process. When a new customer buys from the brand, they need to enter credit card information to pay for the order. With this in mind, businesses have a responsibility to keep this information away from the wrong hands.
Security and privacy are on the agenda for all stakeholders. For this reason, we’ve compiled some information on PII data and how businesses can keep this information protected. Unfortunately, we’re seeing a spate of ad account hackings which is exposing millions of data points to the world. It’s time for us all to take PII data protection even more seriously.
Short for Personally Identifiable Information, PII data is any information that can be traced to an individual or that identifies onel. Attackers aim to de-anonymize, which means differentiating between people online. Leveraging PII data is one of the easiest ways for them to do this.
There is a vast amount of information that identifies us or traces back to us. As a business owner, customer and/or internet user, this includes medical records, Social Security numbers, genetic information, financial records, card information, social media and digital identity, and more.
Is every piece of information considered PII? No, there is non-personally identifiable information online too. This includes device IDs, IP addresses and computer cookies. A hacker would need more than this to identify or trace back to you using this information.
While larger businesses tend to have an in-house team hired to protect PII data, smaller businesses will normally outsource to a contractor to get the right strategies implemented. The size of your business is irrelevant—you still have PII data that could harm your business and customers if exposed. Therefore, you should take a proactive approach.
What would happen if PII data wasn’t protected properly? Well, the worst-case scenario would be a breach/hacking. Here, the attackers would get access to all PII data and potentially publish it to the world. Customers could have their credit card information displayed and scammers will attempt to make money from these accounts. Meanwhile, your business could get fined for the lack of security and the hit to your reputation would be tremendous. Instilling confidence and trust in consumers to provide their personal details again would be almost impossible.
We’re certain no business wants to go through this experience, so we’ve laid out some steps to keep all PII data safe for your customers, employees and business.
Do you know where all sensitive data is stored? You might think about office computers, but what about digital copiers, mobile devices, USB drives, laptops, home computers, hard drives, tablets and other devices? Of course, there’s also the physical data. Just because the world has moved online doesn’t mean our tangible data is invincible.
The more you think, the more sources of PII data you’re likely to uncover. For example, stakeholders provide information through the call center, website, contractors, and more. Here are some questions to answer to get the ball rolling with this inventory:
Once you answer these questions, you’ll be one step closer to implementing a strategy that keeps ALL information secure.
Before you worry about securing information, can you reduce the amount of PII data you keep? Why set up an extravagant strategy to protect a large amount of PII data when you don’t need half of it? You should only keep the information for which you have a legitimate business need.
You only need Social Security numbers for reporting employee taxes. If you’ve been using SSNs to identify customers or employees, it’s time to move on from this outdated system. Some companies allow their apps to collect information beyond what they need or keep credit card expiration dates and account numbers when they aren’t required. What you’re actually doing is making your job harder.
Once you remove information you don’t need, change your systems so that you don’t collect it in the future. This way, you won’t have to go through the same process every few months and you’ll continue to collect only the information you need.
To stay secure, you should also implement proper disposal systems when information is no longer needed. Sensitive physical copies can still be a gold mine for identity thieves. Shred or burn all physical records and take care when disposing of computers, hard drives, USB drives and other devices.
With the latter, we recommend wipe utility programs. If you haven’t seen these before, they will erase all data from devices for a very small price. As it deletes all files, you’ll gain peace of mind that all PII data of stakeholders is safe. If employees work from home, make sure they don’t keep sensitive documents irresponsibly.
Protection comes in many different forms:
Physical Security - Wherever possible, keep all physical files and documents in locked cabinets and or rooms so as to restrict access. At the end of each day, ensure all files are returned to their safe place and keep an inventory while shipping sensitive files.
Electronic Security - Unless necessary, we advise keeping all sensitive data on a computer that doesn’t have internet access. From here, you should have anti-malware programs and firewalls set up while encrypting all information you send online.
Other tips for electronic security:
Prevention is better than a cure, but you need to be ready to detect any breaches. One such way is to use an intrusion detection system. As the name suggests, this will alert you to any detected breaches. With this type of tool, ensure that you perform updates because this will address any new and evolved threats. On devices, you should also keep an eye on who is logging into your accounts; this includes ad accounts, websites and more.
For any data protection plan to work, you need reliable employees who buy into the idea. At all times, your staff should understand the importance of data protection and their role in the process. When a team is well-trained, they will only use the right devices, know how to spot issues and work together to keep all PII data safe.
When hiring, there’s no reason why you can’t do background checks and references. Have a good idea of who you’re hiring and make sure they sign a confidentiality agreement. Manage access levels carefully and ensure security is an important pillar of your business.
Finally, be willing to review your data systems and evolve as threats grow and change. Even with the best security plan in the world, there’s still the possibility of a breach. Therefore, you should have a response ready for security incidents. If there’s a compromise on a device, close it down, remove it from the network and seek professional assistance. With a strong system, you should be able to isolate a single area when threats occur.
If a full breach takes place, you’ll need to contact all stakeholders and inform them of the situation. Hopefully, the security measures you introduce from this guide will prevent this from ever happening.