25 Tips for Protecting PII and Sensitive Data
We’re inundated with requests for our personally identifiable information (PII) and even sensitive data, yet we sometimes don’t put the right controls in place to protect these assets. Organizations are constantly collecting, storing, and distributing PII and sensitive data, but many individuals and even organizations still don’t quite understand the repercussions of mishandled data.
Here are the top 25 tips for protecting PII that provide some strategies for mitigating the risk of data loss and leakage.
Encryption is well known by security pros for preventing data loss. It’s a core tool for the strategies and tools within Data Loss Prevention (DLP). Encryption protects your business from cybercriminals accessing sensitive data or employees making an unintended mistake with your data.
Your data has a lifecycle – in use, at rest, and in motion. It’s considered best practice to encrypt across all these stages because data can be intercepted by threat actors at any stage.
Most commonly, organizations encrypt the following:
- Company Intellectual Property or Proprietary Data
- Company Financial Reports
- Personally Identifiable Information
- Research and Development Data
- Sensitive Customer Data
- Upcoming Product Launch Details
Your employees can even encrypt sensitive emails from their laptops, phones, tablets, or any other device used to send and store data.
In Gmail you can also encrypt your emails in transit using a Chrome extension or Firefox add-on:
Use Strong Passwords
Have you heard over and over that strong passwords are important to online security? It may seem like a broken record, but they really are! And, there’s a method to the madness.
The National Institute of Standards and Technology (NIST) recommends a password policy framework based on the following:
- Drop the crazy, complex mixture of upper case letters, symbols, and numbers. Use a user-friendly phrase with a minimum of eight characters and a maximum length of 64 characters.
- Don’t use the same password twice. Some sites will make you not use the last five passwords. So, think of a few!
- Choose something that is easy to remember, and never leave a password hint out in the open or make it publicly available for hackers to see.
- Reset your password when you forget it. But, change it once per year as a general refresh.
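To make the policy above concrete, here is an added example (written for this page, not code from the original post) of a password-change check that applies it: a length floor of 8 and ceiling of 64 characters, no composition rules, a blocklist of common or breached passwords, and rejection of any of the last five passwords, compared against salted PBKDF2 hashes rather than stored plaintext. The blocklist entries and sample phrases are constructed; the Unicode normalization step is my addition, following NIST SP 800-63B.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import List, Optional, Tuple

# Policy constants taken from the NIST guidance summarized above.
MIN_LEN = 8
MAX_LEN = 64
HISTORY_DEPTH = 5          # "some sites will make you not use the last five passwords"
PBKDF2_ROUNDS = 100_000

# Constructed stand-in for a breached/common-password blocklist; a real deployment
# would load a large list or query a breach-check service.
BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein123"}


def normalize(password: str) -> str:
    """NFKC-normalize so the same phrase typed on different keyboards compares equal."""
    return unicodedata.normalize("NFKC", password)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the (salt, digest) pair is what the history stores."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(password).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_password(candidate: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the policy violations; an empty list means the password is acceptable.

    Deliberately absent: composition rules (upper/lower/digit/symbol) and password
    hints, both of which the guidance above drops.
    """
    pw = normalize(candidate)
    problems: List[str] = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if pw.lower() in BLOCKLIST:
        problems.append("appears on the common/breached password list")
    # Only the most recent HISTORY_DEPTH entries count as reuse.
    if any(matches(pw, salt, digest) for salt, digest in history[-HISTORY_DEPTH:]):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed history of two previous passwords for one account.
    history = [hash_password(p) for p in ("correct horse battery", "old phrase number two")]
    print(check_password("correct horse battery", history))
    print(check_password("purple teapot on the windowsill", history))
```

Because only the last `HISTORY_DEPTH` entries are consulted, the store can discard older hashes; keeping every password a user ever had would widen the blast radius of a database leak for no policy benefit.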
Never leave your passwords out on a sticky note on your desk or workspace! And remember to reset your passwords annually or as soon as you hear about a breach from an organization you access with a username and password.
If you have a lot of passwords, consider using a password management tool or password vault.
LastPass is a great password management/vault for individuals. It offers the free account or a $2/month membership that offers helpful advanced password features.
Two Factor Authentication and Multi-Factor Authentication
Another great way to protect your data is through two-factor and multi-factor authentication. These services add an additional layer of security to the standard method of online identification using passwords.
You normally enter a username and password. With two-factor authentication, you are prompted to enter one additional authentication method such as a Personal Identification Code, another password or even fingerprint.
With multi-factor authentication, you might be prompted to enter more than two additional authentication methods after entering your username and password.
Two factor and multi-factor authentication can help prevent cybercriminals from accessing your personal data because they may not have access to multiple devices you use to authenticate your identity.
Have you ever lost all your data after a computer crash or even worse a virus took hold of your computer? You probably wished you had a backup in place to restore your data if you didn’t already.
A simple backup rule to follow is the 3-2-1 backup rule. You keep three copies of your data on at least two different types of media (local and external hard drive) and one copy in an offsite location (cloud storage).
When ransomware, viruses, or malware corrupts a system, the best method to retrieve the data is a backup and data restore.
Safely Dispose or Destroy Old Media with Personal Data
Have you ever thought about disposing your data and how to do so properly? Employees and organizations sometimes forget that data disposal and destruction are essential to protecting sensitive data.
A security policy can point out how long data is kept as well as when and how employees can dispose or destroy data.
Your IT department may want to follow some guidelines when disposing or destroying data. Consider the following:
- Clearing: Overwrite the media
- Purging: Magnetic erasure of the media
- Destruction: Physical destruction of the media
You might also be surprised to know that local state governments in the United States have legislation regarding the proper disposal of personally identifiable information and sensitive data. Your company could be required by law to keep sensitive customer data for a certain period of time.
Install All Updates – Operating System, Application, Mobile
Do you dread updating your phone because of breaks or glitches? You might be hesitant to update your phone or tablet, but a hacker can use hidden vulnerabilities in your device to access your sensitive data.
The same applies to your laptop operating system and applications. You might be afraid to update due to glitches but it’s generally a best practice to automate your updates.
Software distributors and device manufacturers release hundreds of patches every month to remediate serious vulnerabilities. Did you know that more than 60 vulnerabilities are uncovered by threat actors per day? That number is rising as well!
You can automate your updates and patches by reviewing your device settings and letting it update automatically.
Use a Secure Wireless Network Not Public Wi-Fi
Sure, public Wi-Fi could be convenient when you’re traveling through the airport, at the local Starbucks, or on vacation in your hotel. But, you may not realize that hackers frequent these spots to perform Wi-Fi “sniffing” or use other methods to steal your PII and sensitive data on your device.
If you are using a public Wi-Fi network, it’s a good idea to turn off the network sharing feature. With network sharing on, a cybercriminal can easily access your documents and other media stored on your device.
- Go to your Windows Control Panel.
- Access the Network and Sharing Center window.
- Click Change Advanced Sharing Settings.
- Select the Public profile.
If you absolutely need to use a public Wi-Fi network, then you must use a Virtual Private Network (VPN) application. Threat actors use public Wi-Fi to spoof your identity and create traps known as Honeypot attacks.
The VPN application will encrypt your connection to a server and allow you to access a private network yet share data remotely through the public network. Similar to a firewall, a VPN protects sensitive data on your device. It becomes difficult for a threat actor to obtain access to data on your device when you’re using a VPN.
If your organization has regional offices or remote workers, you probably also want to consider a VPN service as well. VPN will hide the physical location or IP address of your remote workers and prevent cybercriminals from determining the remote worker’s location.
If you’re using online checking, banking, or being asked to supply credit card data on an e-commerce platform, never use an HTTP site. It’s important that the sites you use that request sensitive information offer a secure HTTPS connection.
Every page on the website should begin with https://. It will verify that a store has taken extra measures to secure data passing through the website. You may also want to look in the top left of the browser search bar and look for the closed padlock icon and “Secure.”
Also, be aware that some sites may have https:// but have some missing requirements to become a fully secure HTTPS website. This is what it will look like:
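The most common reason for that downgraded indicator is mixed content: an HTTPS page that pulls in scripts, stylesheets, images or form targets over plain http. As an added example (not part of the original post), the scanner below walks an HTML page and reports those references, separating active content (which browsers block) from passive content such as images and media. The sample page and its example.test hostnames are constructed.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Tag/attribute pairs that pull sub-resources into the page. Active content can run
# code or receive submitted data, so browsers block it outright; passive content
# (images, media) only costs the padlock. <a href> is navigation, not mixed content,
# so it is not checked.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("form", "action"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Record every sub-resource an HTTPS page would fetch or submit over plain http."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str, str]] = []   # (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            key = (tag, attr)
            if value is None or (key not in ACTIVE and key not in PASSIVE):
                continue
            url = value.strip()
            # Only an explicit http: scheme is mixed content; relative paths and
            # protocol-relative //host/... URLs inherit https from the page itself.
            if urlsplit(url).scheme.lower() == "http":
                kind = "active" if key in ACTIVE else "passive"
                self.findings.append((kind, tag, url))


def find_mixed_content(page_html: str) -> List[Tuple[str, str, str]]:
    scanner = MixedContentScanner()
    scanner.feed(page_html)
    scanner.close()
    return scanner.findings


def has_blocking_mixed_content(page_html: str) -> bool:
    """True when at least one active reference would be blocked by the browser."""
    return any(kind == "active" for kind, _, _ in find_mixed_content(page_html))


# Constructed sample: a checkout page served over https with three plain-http references.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<img src="//images.example.test/logo.png">
<img src="http://images.example.test/banner.jpg">
<form action="http://checkout.example.test/pay" method="post"><input name="card"></form>
<a href="http://partner.example.test/">Partner site</a>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"{kind:7} <{tag}> {url}")
```

The plain-http form action is the case the paragraph above is about: the page itself arrives over HTTPS, but the card number typed into it would leave the browser unencrypted.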
Be Aware of Shoulder Surfing, Tailgating, & Dumpster Diving
Threat actors are creative when it comes to getting access to your data. Did you know that a common scheme used by cybercriminals is a tactic known as “No-Tech Hacking?”
There are three ways in which cybercriminals use no-tech hacking to obtain your sensitive data. Be mindful of the following:
- Shoulder Surfing is when a threat actor attempts to access your sensitive data by looking at the computer screen, cell phone, or tablet behind you or over your shoulders.
- Tailgating is when a cybercriminal gains unauthorized access to your physical location by slipping in behind you on your credentials. The tailgater takes advantage of your access privileges at your business (entrances, exits, and even windows).
- Dumpster diving might sound gross, but cybercriminals will literally dig through the business’s garbage in search of sensitive data.
Print this fun infographic to hang up in your office: http://blog.cipher.com/infographic-no-tech-hacking-your-data-compromised-without-the-use-of-technology
Avoid Uploading Sensitive Documents to the Cloud
You may not realize it, but some of your top cloud services, like Google Drive, Box.com, and iCloud may be using automatic backups. While it’s a good practice to backup your data to the cloud, you need to be aware of what types of data are backed up to your favorite cloud application.
Do an audit of what types of files are backed up to the cloud services you use. Do you want all your photos and other personal documents backed up to the cloud? Try to limit what you don’t want uploaded to the cloud.
Lock Your Device When Away
Did you remember to lock your phone, tablet, or laptop? Hackers will use this as an opportunity to access your personal data. Your device could be stolen or lost, and malicious actors will have an opportunity to get into your device.
On iOS you can change the Auto-Lock function on your Phone and Tablet with the following steps:
- Launch Settings from the Home screen.
- Tap on Display & Brightness.
- Tap on Auto-Lock.
- Tap on the Timing You Prefer
On Android you can change the Auto-Lock function on your Phone and Tablet with the following steps:
- Press the Menu button and tap Settings.
- Tap Security. Different versions of firmware use different names for this selection.
- Tap Timeout or Screen Timeout.
- Select a shorter time in the pop-up menu that appears.
On Windows you can require a password when the device wakes with the following steps:
- Go to your Windows Control Panel.
- Access the Power Options window.
- Select Choose when to turn off the display and click Change Advanced Power Settings.
- Select the Require password on wakeup profile.
Some organizations allow you to reset your own password but ask that you fill out a series of security questions. Common questions include “What is your mother’s maiden name?” or “Where was your first job?”
The trouble is that if you answer these questions with a truthful answer, you could be exposing your personal data. If the organization requesting these security questions is hacked or a hacker can find the answers to these questions, you could be exposing your employees and customers to even more problems. Think back to the massive Yahoo breach. Yahoo disclosed that not only were passwords and email addresses leaked but also sensitive personal security questions.
If you do opt for security questions, you could consider allowing your users to pick their own questions or provide a list of questions that limit answers with PII or sensitive data. From a personal perspective, you could also provide memorable fictitious answers so that your PII and sensitive data aren’t leaked in the event of a breach or hack.
Use a Firewall
Another step you can take to prevent a hacker from accessing your sensitive files and data is to use a firewall. Firewalls, both hardware and software based, can be used as a barrier between your internet connection and your device. The firewall will examine content and data packets and determine where it should be sent and if it’s a reputable source.
Your business likely uses a hardware firewall appliance to prevent hackers from accessing business servers. From a personal perspective, you can use firewall software to block and filter your data at the packet-level as well.
Anti-virus (AV) has long been the staple for protecting you from viruses since the late 1980s. It’s now essential yet just a starting point for your security applications and layered defense.
AV software maintains a database of known malware signatures and uses it to block malicious code from gaining access to your device and sensitive data. Your AV solution should come from a trusted vendor, and you should run only one AV tool on your device. Running two can corrupt the malware signature databases, interfere with the scanning process, and slow down your device.
You might think that anti-malware and anti-virus software are one and the same. However, there’s a slight difference between the two, and it’s generally a good idea to have both.
As mentioned above, anti-virus software creates a database of known viruses and vaccines to remediate them if the device becomes infected.
Malware is an umbrella term for all types of malicious software: Trojans, spyware, worms, adware, and more. Anti-malware software helps you create a layered defense, meaning multiple security controls in place to protect your PII and sensitive data.
Use Next-Gen Endpoint or Next-Gen Antivirus Protection
The rapid growth of new advanced threats like zero-day exploits and ransomware has led to traditional anti-virus and anti-malware becoming less effective. There are now areas in which a traditional anti-virus subscription just doesn’t fit the bill.
With Next-Generation Endpoint Protection also known as Next-Gen Anti-Virus Protection (NGAV), the application learns the behaviors of your device and identifies anomalous activity without having to query a signature database of virus and malware vaccines. In other words, the NGAV will proactively look for malicious activity on your device and stop it before it infects your systems.
Enterprise businesses are using NGAV to stop modern ransomware and zero-day exploits from taking their data hostage.
Have you ever seen the private browsing modes on your device and wondered what the heck is that? Chrome calls it the “Incognito Mode” and others “Private Browsing Mode.” In a time when everyone was concerned about their digital footprint, the private browsing mode emerged.
Private browsing is limited in how much it reduces your data footprint, but it is a good way to minimize the trail of online activity left on the device.
It’s helpful when checking personal emails or social media from a device that’s not yours. Lastly, it helps prevent other people from accessing these personal accounts and obtaining access to your sensitive data.
Review Your Social Media & Mobile App Privacy Settings
As social media users, we tend to overshare details, and the platforms we share our data over tend to take advantage of that. As a social media consumer, you should regularly (annually, biannually, or quarterly) review your privacy settings.
Privacy settings across social and mobile apps vary greatly. You can limit who sees various posts, who can contact you on social media, and who can find you on social media. You can also limit who can post to your timeline and “tag” you in certain posts.
All around, it’s a very good idea to dive into these settings and become more aware of how you’re sharing your PII and sensitive data across social media.
Don’t Fill Out Your Social Media Profile with Too Much Information
Social media has an infectious way about inviting us to display our personal data on our profiles. It may seem like “fun” to share your birthday, hometown, or other details. In an “always-on” world of social media, putting your personal information online can be a BIG risk. Security experts agree that you should only display the very minimum about yourself on social media.
If you show your home address, birthdate, or any other PII, you dramatically increase your risk of a security breach. Hackers use this information to build highly sophisticated social engineering schemes – using your personally identifiable information to break into companies and answer highly personal security questions.
Review Website Privacy Policies
Global privacy regulations, like the General Data Protection Regulation (GDPR), are cracking down on organizations that misuse their customer data. Recent data breaches are forcing companies to take more preventative measures when handling the lifecycle of customer data.
Use a Secondary or Disposable Email Account
You might want to consider a secondary or disposable email account when you need something only temporarily. If you’re prompted to provide PII or sensitive data on forms, consider setting up a secondary email address for downloading content.
This allows you to separate your business or personal email address which may contain sensitive documents and data. A dedicated email address for content downloads and promotional messages will keep this separated from sensitive data and documents. You might try it for short-term research, online applications, sweepstakes, any content downloads, or free trials.
Manage & Clear Cookies in Your Web Browser
Websites use browser cookies to confirm a visiting user’s identity (site preferences, login status, and plugins) as they browse the site. Without cookies, you might be prompted to enter your login credentials every time you browse through a site.
Cookies are stored locally on your device. So, it becomes another way that hackers can steal your PII and sensitive data. In the case of the Yahoo data breaches, hackers were able to filter through 32 million users and their cookies to eventually obtain access to their accounts without passwords.
It’s a good idea to clear your cookies every so often. This reduces the amount of personal information on your device that could lead to data loss.
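Clearing cookies limits what a lost or stolen device gives up; on the server side, the same risk is reduced by how the session cookie is issued in the first place. As an added example (not from the original post), the audit below parses a Set-Cookie header and flags the settings that make a stolen copy of the cookie more useful to an attacker: missing Secure or HttpOnly, no SameSite, a Domain attribute that shares it with every subdomain, and a lifetime longer than an hour. The header values are constructed, and the one-hour ceiling is an assumed policy value.

```python
from typing import Dict, List, Tuple

MAX_SESSION_LIFETIME = 3600   # assumed policy value: one hour


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header value into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure and HttpOnly
    map to an empty string.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header: str, max_lifetime: int = MAX_SESSION_LIFETIME) -> List[str]:
    """Return the weaknesses that make a stolen copy of this cookie more useful."""
    _, _, attrs = parse_set_cookie(header)
    issues: List[str] = []
    if "secure" not in attrs:
        issues.append("missing Secure: cookie is also sent over plain http")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly: page scripts can read the cookie")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        issues.append("SameSite not Lax or Strict: sent on cross-site requests")
    if "domain" in attrs:
        issues.append(f"Domain={attrs['domain']}: shared with every subdomain")
    if "max-age" in attrs:
        try:
            lifetime = int(attrs["max-age"])
        except ValueError:
            issues.append("Max-Age is not an integer")
        else:
            if lifetime > max_lifetime:
                issues.append(f"Max-Age {lifetime}s exceeds {max_lifetime}s")
    elif "expires" in attrs:
        issues.append("persistent via Expires only: prefer a short Max-Age")
    # Neither Max-Age nor Expires: a session cookie the browser drops on close.
    return issues


if __name__ == "__main__":
    # Constructed headers: a weak session cookie and a hardened one.
    weak = "session=abc123; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"
    strong = "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=900"
    for header in (weak, strong):
        print(header)
        for issue in audit_session_cookie(header) or ["no issues"]:
            print("   -", issue)
```

A short Max-Age is the server-side counterpart of the advice to clear cookies: a session token that expires in fifteen minutes is of little use to whoever finds the device a day later.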
Be Choosy About When You Share Your Social Security Number
When it comes to sensitive data, your Social Security Number (SSN) is one of the riskiest identifiers to give out. Cyber thieves can use your SSN to steal your identity and obtain even more sensitive data from your records.
It’s important that you’re aware of how you give out your SSN, and even the last four digits of it. You should also not carry your Social Security card around with you. Thieves can steal your personal belongings and use the card for fraudulent tax filings, credit card signups, or even to purchase a car!
Remember to stop and think the next time you’re asked to share your SSN.
Be Aware & Knowledgeable of Phishing Scams
The Figure below shows that phishing attempts are the number one cause of security breaches for an organization.
Phishing and social engineering schemes are becoming so well crafted that they resemble, almost identically, the services we use on a daily basis. You might come across a phishing scheme that looks almost identical to your favorite online ecommerce or music store. Just take a look at how clever these phishing schemes are:
Here’s a few important tips to remember about phishing:
- Bottom line – Don’t open email from people you don’t know
- Hover over a link (but don’t click it!) to discover where it directs to
- Be suspicious of the emails you receive – look at where each one came from and whether it contains grammatical errors
- Malicious links can come from friends who have been infected too. So, be extra careful!
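The "hover over a link" tip can be automated for a mailbox or a gateway. As an added example (not from the original post), the checker below extracts every link from an HTML email body and flags the patterns the tip is about: a link whose visible text names one domain while the href points to another, plain-http links, a user@host prefix that hides the real host, and raw IP addresses. The sample email and its .test hostnames are constructed, and base_domain is a simplification that would use the Public Suffix List in production.

```python
import ipaddress
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> Optional[str]:
    """Hostname of a URL; a bare 'bank.example.com' in link text is accepted too."""
    if "://" not in url:
        url = "https://" + url
    try:
        return urlsplit(url).hostname or None
    except ValueError:
        return None


def base_domain(host: str) -> str:
    """'login.bank.example.com' -> 'example.com'. Simplification: a production
    check would consult the Public Suffix List so that 'example.co.uk' works."""
    return ".".join(host.split(".")[-2:])


def looks_like_address(text: str) -> bool:
    """True when the visible link text itself reads as a URL or domain name."""
    return "://" in text or ("." in text and " " not in text)


def assess_links(email_html: str) -> List[Tuple[str, List[str]]]:
    """Return (href, reasons) for each link showing a warning sign; clean links are omitted."""
    collector = LinkCollector()
    collector.feed(email_html)
    collector.close()
    report: List[Tuple[str, List[str]]] = []
    for href, text in collector.links:
        reasons: List[str] = []
        parts = urlsplit(href)
        host = host_of(href)
        if parts.scheme and parts.scheme.lower() != "https":
            reasons.append(f"not https ({parts.scheme})")
        if parts.username is not None:
            # https://bank.example.com@evil.test/ : the browser ignores everything before '@'
            reasons.append("user@ before the real host")
        if host:
            try:
                ipaddress.ip_address(host)
                reasons.append("raw IP address instead of a domain")
            except ValueError:
                pass
        if looks_like_address(text):
            shown = host_of(text)
            if shown and host and base_domain(shown) != base_domain(host):
                reasons.append(f"text shows {shown} but link goes to {host}")
        if reasons:
            report.append((href, reasons))
    return report


# Constructed sample email body; the .test hostnames are reserved, not real sites.
SAMPLE_EMAIL = """
<p>Your account needs verification within 24 hours.</p>
<a href="http://bank.example.com.login-check.test/verify">https://bank.example.com/login</a>
<a href="https://bank.example.com/help">Help center</a>
<a href="https://bank.example.com@192.0.2.10/">bank.example.com</a>
"""

if __name__ == "__main__":
    for href, reasons in assess_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

The first sample link is the classic lookalike: the familiar name appears as a leading label of a host that actually belongs to login-check.test, which is exactly what a hover reveals and what the visible text hides.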
Did these tips help you understand the importance of protecting PII and sensitive data? Tell us below in the comments!