
The IT industry, like most, is full of acronyms.  PII is one that is common in the IT community but not something everyone outside it is familiar with.  As privacy regulations change and cyber security becomes more top of mind, business owners will be faced with answering the question: how will you handle PII?


What is PII?

PII stands for Personally Identifiable Information: any information that can be used, on its own or combined with other data, to identify a specific individual.  Examples include:

  • Full Name
  • Social Security Number
  • Driver’s License Number
  • Email Address
  • Phone Number
  • Home Address
  • Birthdate
  • Financial Information (e.g. bank account, credit card number, investment account numbers)
  • Medical Records

Not all Personally Identifiable Information (PII) is equally sensitive; some categories, such as Social Security Numbers, financial details and medical records, need far stronger safeguards than others.  Sensitivity also depends on combination, not just on the individual field.  A birthdate by itself is of little use, but a birthdate together with a name, address and bank account number gives a criminal everything needed to cause havoc.


Why is PII Important in Cybersecurity?

Personally Identifiable Information (PII) is a valuable commodity to cyber criminals.  They use it to steal money, impersonate people, or even create new identities (often to steal money or trick someone else into giving up more money, power, or access).  So even when protecting it seems like an abstract concern, it is not.

It is important for a business to protect the data it holds about people, because if that data gets into the wrong hands, the business pays.  The financial loss is real: technical clean-up, regulatory fines, legal fees, and compensation to affected individuals.  The reputational damage from the loss of trust and credibility among customers and employees can force a business to close its doors.  Add to that the legal consequences if the business was not meeting the compliance requirements or regulations it was expected to follow.

PII matters in cybersecurity, therefore, because of the damage its loss causes to both the business and the individual.  Protecting it should be a priority.


What are the Best Practices for Protecting PII?

The first rule of thumb is data minimization: do not collect or keep Personally Identifiable Information (PII) unless it is necessary, keep it only as long as you absolutely have to, and securely delete it when that time is up.  The less PII you store, the less you have to protect and the less there is to lose in a breach.

You should always encrypt PII at rest and in transit.  At rest, that means the database tables, files and backups where the information lives are encrypted, with the decryption key kept somewhere other than next to the data (a key management service or hardware security module), so that someone who infiltrates your system or copies the database still cannot read it.  Hashing is not the same as encryption and is only appropriate for values you never need to read back, such as passwords: a hash cannot be decrypted, and a plain hash of a short, predictable value such as a birthdate or Social Security Number offers little protection, because an attacker can simply hash every possible value and compare.  In transit the same rule applies: anything sent across the Internet should travel over an encrypted connection (TLS), and because ordinary email is not end-to-end encrypted, PII sent by email belongs in an encrypted attachment or a secure transfer portal.  This way, if the data is intercepted, it is useless to a cybercriminal.
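The following is an added example, not code from the original post, showing why "hashed" PII is not automatically safe: a plain SHA-256 of a birthdate can be reversed by hashing every plausible date, while a keyed HMAC pseudonym (a technique assumed here, not one the post prescribes) survives the same attack because the attacker lacks the key. The victim birthdate and the key are constructed demo values.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Optional

# Constructed demo key. In production the pseudonymisation key lives in a
# KMS/HSM or secrets manager, never in the same database as the data.
PSEUDONYM_KEY = secrets.token_bytes(32)


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256: the 'we hash the PII' storage many teams assume is safe."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_pseudonym(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """HMAC-SHA256 pseudonym: stable, so records can still be matched or joined,
    but an attacker who steals only the table cannot enumerate it without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def all_birthdates(start_year: int = 1900, end_year: int = 2024):
    """Every plausible birthdate: roughly 45,000 values, about 15.5 bits of entropy."""
    d = date(start_year, 1, 1)
    last = date(end_year, 12, 31)
    while d <= last:
        yield d.isoformat()
        d += timedelta(days=1)


def recover_birthdate(stored_digest: str) -> Optional[str]:
    """What an attacker does with a leaked table of 'hashed' birthdates:
    hash every candidate and compare. Well under a second in pure Python."""
    for candidate in all_birthdates():
        if plain_hash(candidate) == stored_digest:
            return candidate
    return None


if __name__ == "__main__":
    victim_dob = "1987-06-15"  # constructed sample value
    leaked = plain_hash(victim_dob)
    print("recovered from plain hash:", recover_birthdate(leaked))       # 1987-06-15
    leaked = keyed_pseudonym(victim_dob)
    print("recovered from keyed pseudonym:", recover_birthdate(leaked))  # None
```

A per-record salt does not rescue the plain hash here; it only forces the attacker to repeat a 45,000-guess search per row. A nine-digit SSN has only a billion possibilities, which a GPU hash cracker enumerates in seconds to minutes. The keyed pseudonym is only as strong as the key's protection: anyone who can read the key can run the same enumeration, so key access must be restricted separately. For fields you need to read back, such as addresses, hashing of any kind is the wrong tool and you need authenticated encryption (AES-GCM via a cryptography library; not shown here because the Python standard library has no AES).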

Where applicable, it is best practice to separate PII.  Keep names and contact details in a different store than addresses, Social Security Numbers or financial details, linked by a random reference token rather than by the same customer ID in both places, so a cybercriminal who obtains one store cannot match up the data.  Often one piece of information by itself is not enough to do anything with; it is when an SSN is matched to a name that it becomes valuable.  It is the difference between having both a username and a password and having only the password.

Limiting access on a need-to-know basis minimizes risk.  Your entire staff should not have access to PII, especially the more sensitive fields.  Even if you have a CRM, not every user should be able to see every field (a support agent may only need the last four digits of an account number), export records, or send data outside the organization; role-based permissions, masked views and logs of who accessed what are how you enforce this.
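To make the separation and least-privilege points above concrete, here is an added example (not the post's own code, and not a specific product's design) that keeps customer identity and Social Security Numbers in two independent stores linked only by a random token, and exposes a masked view for support staff. The two in-memory SQLite databases, the table names and the sample customer are constructed for the demo; the vault should additionally be encrypted at rest, which is omitted here.

```python
import re
import secrets
import sqlite3

SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def build_stores():
    """Two independent stores, modelled as two in-memory SQLite databases.
    In a real deployment: separate database servers and credentials, and the
    vault encrypted at rest with its key held outside the database."""
    app_db = sqlite3.connect(":memory:")
    vault_db = sqlite3.connect(":memory:")
    app_db.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, vault_token TEXT)"
    )
    vault_db.execute("CREATE TABLE ssn_vault (token TEXT PRIMARY KEY, ssn TEXT)")
    # Least privilege: support staff query this view, never ssn_vault itself.
    # In PostgreSQL/MySQL the same idea is 'GRANT SELECT ON ssn_masked TO support_role'.
    vault_db.execute(
        "CREATE VIEW ssn_masked AS "
        "SELECT token, '***-**-' || substr(ssn, -4) AS ssn_last4 FROM ssn_vault"
    )
    return app_db, vault_db


def store_customer(app_db, vault_db, name, email, ssn):
    """Link the two records with a random token, not the customer id or a hash
    of the SSN, so neither store can be used to reconstruct the other."""
    token = secrets.token_hex(16)
    vault_db.execute("INSERT INTO ssn_vault (token, ssn) VALUES (?, ?)", (token, ssn))
    cur = app_db.execute(
        "INSERT INTO customers (name, email, vault_token) VALUES (?, ?, ?)",
        (name, email, token),
    )
    return cur.lastrowid


def support_lookup(app_db, vault_db, customer_id):
    """The support path: full name and email, but only the last four SSN digits."""
    row = app_db.execute(
        "SELECT name, email, vault_token FROM customers WHERE id = ?", (customer_id,)
    ).fetchone()
    if row is None:
        return None
    name, email, token = row
    masked = vault_db.execute(
        "SELECT ssn_last4 FROM ssn_masked WHERE token = ?", (token,)
    ).fetchone()
    return {"name": name, "email": email, "ssn": masked[0] if masked else None}


def breach_exposure(app_db, vault_db):
    """What an attacker who dumps one store, but not the other, actually gets."""
    app_rows = app_db.execute("SELECT name, email, vault_token FROM customers").fetchall()
    vault_rows = vault_db.execute("SELECT token, ssn FROM ssn_vault").fetchall()
    app_blob = " ".join(str(f) for row in app_rows for f in row)
    vault_blob = " ".join(str(f) for row in vault_rows for f in row)
    identity_strings = {str(f) for name, email, _ in app_rows for f in (name, email)}
    return {
        "app_db_leaks_ssn": bool(SSN_PATTERN.search(app_blob)),
        "vault_leaks_identity": any(s in vault_blob for s in identity_strings),
    }


if __name__ == "__main__":
    app_db, vault_db = build_stores()
    cid = store_customer(app_db, vault_db, "Ada Lovelace", "ada@example.com", "123-45-6789")
    print(support_lookup(app_db, vault_db, cid))
    print(breach_exposure(app_db, vault_db))
```

The random token is the important detail: if the vault were keyed by the customer's own id, or by a hash of the SSN, an attacker holding both dumps (or the app dump plus a hash dictionary) could rejoin them trivially.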

Training your employees in cybersecurity best practices and in your company's policy on how to protect PII will go a long way.  A security-minded culture can be your strongest defense against cybercriminals and minimizes the risk of sensitive information leaking through simple mistakes.

Regular audits and assessments, covering both technical vulnerabilities and compliance with the data protection regulations that apply to you, reduce the chance of a breach and improve your security posture.  A useful part of any such audit is finding where PII has actually ended up, which is often not only the intended database but also application logs, exports, spreadsheets and backups.
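As an added example of one audit step (not code from the original post), the scanner below searches text such as application logs for Social Security Numbers, payment card numbers and email addresses, and can redact them in place. Card candidates must pass the Luhn check so that ordinary 16-digit order numbers are not reported. The patterns are a practical starting point rather than a complete PII classifier, and the log lines are constructed samples, not from any real system.

```python
import re

# SSN: exclude obviously invalid area/group/serial values.
# Card: 13-19 digits with optional space/dash separators, then Luhn-checked.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_card(candidate: str) -> bool:
    digits = re.sub(r"\D", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def scan_text(text: str):
    """Return (line_number, kind, value) for every hit, in order of appearance."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits = []
        for m in SSN_RE.finditer(line):
            hits.append((m.start(), "ssn", m.group()))
        for m in CARD_RE.finditer(line):
            core = m.group().rstrip(" -")   # the regex may swallow a trailing separator
            if looks_like_card(core):
                hits.append((m.start(), "card", core))
        for m in EMAIL_RE.finditer(line):
            hits.append((m.start(), "email", m.group()))
        for _, kind, value in sorted(hits):
            findings.append((lineno, kind, value))
    return findings


def redact(text: str) -> str:
    """Replace PII in place, keeping the rest of each line intact so logs stay useful."""
    def card_sub(m):
        raw = m.group()
        core = raw.rstrip(" -")
        return ("[CARD]" + raw[len(core):]) if looks_like_card(core) else raw

    text = SSN_RE.sub("[SSN]", text)
    text = CARD_RE.sub(card_sub, text)
    return EMAIL_RE.sub("[EMAIL]", text)


# Constructed sample log lines (the card number is the standard Visa test number).
SAMPLE_LOG = """\
2024-03-01 10:02:11 INFO checkout user=ada@example.com card=4111 1111 1111 1111 status=ok
2024-03-01 10:02:13 DEBUG order_id=1234567890123456 ssn=123-45-6789
2024-03-01 10:02:15 INFO healthcheck latency_ms=42
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_LOG):
        print(finding)
    print(redact(SAMPLE_LOG))
```

Run it over exported logs, support ticket dumps or spreadsheets from a file share; every hit outside the system of record is either a minimization failure or a logging bug, and the redaction step is what the logging pipeline should have done before the data was written.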

Plan for the worst and hope for the best.  Realistically, the more valuable information you hold, the more of a target you become, and with attacks and newly discovered vulnerabilities increasing, it is best to be prepared for when, not if, a breach occurs.  An incident response plan decided in advance lets you detect a breach quickly, contain it and limit the damage, meet any notification obligations, and preserve trust through transparent communication.

Wrapping up PII

Personally Identifiable Information is valuable data to cybercriminals.  Knowing what it is and how your business will manage it is increasingly important.  As new privacy laws and data regulations are created and enforced, following today's best practices will help protect your business.