Protect your PIE...I mean, PII...
By Zayn Jaffri
When you sign up for a website or create an account you might find yourself filling out a pretty generic form.
If you sign up for a paid service, they might ask you for a credit card number or a billing/shipping address. Each of these is an example of PII, or Personally Identifiable Information. Once a customer has entered this information and uploaded it to a company's server, it's the duty of the company to ensure that the data is used appropriately (I'm looking at you Zuckerberg) and kept secure.
When you hit the "sign up" button, all the data you entered is uploaded to a database. A database looks almost like an Excel sheet: it takes your info and puts it into cells for easy access. This data can be stored as is or as encrypted data that is indecipherable without a key. Databases are then covered with a digital blanket of security measures.
It may seem like your data is safely buried but all it takes is one mis-click by an employee and the entire system is compromised.
Not too long ago, an unfortunate breach occurred in this exact manner. The SANS Institute, which trains cybersecurity professionals on a global scale, did an oopsie. An employee received a phishing email and clicked on it, opening the gates to invasion. 28,000 records of PII were stolen.
Databases stored in the cloud are sometimes left unprotected and forgotten, which makes them an easy target. These customer accounts are sold as a bundle for untraceable Bitcoin.
By taking your data offline you are helping to prevent a ransomware attack on your company's protected PII.
In 2019 a cyberattack disabled many of Monroe College's technology systems. Students, faculty and staff members were locked out of the college's website, learning management system and email, with hackers demanding payment of around $2 million in Bitcoin to restore access.
Typically, these attacks start with a phishing email, just like what happened to the SANS institute. If someone unwittingly clicks on a link in a fraudulent email or enters their personal log-in information (just like we did earlier in our heads), hackers can install malicious software or ransomware, which will encrypt and block access to the users' computer files. The hackers then demand money for the encryption key. If there are no backups of the system elsewhere, institutions are left with few options.
That's where the 'Golden Rule' for data protection strategy comes in (3-2-1-1): three copies of your data, two backup copies on different storage media, one of them located offsite and one located offline.
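As an added illustration (not part of the original post), here is a small checker that tests a backup inventory against the 3-2-1-1 rule as stated above. The inventory format, the field names and the two sample inventories are my own assumptions; the "weak" one mirrors the cloud-only, always-online setup the post warns about.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    """One copy of the data. Field names are assumed, not from the post."""
    name: str
    media: str          # storage medium, e.g. "ssd", "object-storage", "tape"
    offsite: bool       # kept at a different physical site than production
    offline: bool       # not reachable over the network (air-gapped / detached)
    is_primary: bool = False

def check_3211(copies):
    """Map each 3-2-1-1 requirement to True/False for the given inventory."""
    backups = [c for c in copies if not c.is_primary]
    return {
        "3_copies": len(copies) >= 3,                          # primary + 2 backups
        "2_media": len({c.media for c in backups}) >= 2,       # backups on 2 media
        "1_offsite": any(c.offsite for c in backups),          # one copy elsewhere
        "1_offline": any(c.offline for c in backups),          # one copy ransomware can't reach
    }

def gaps(copies):
    """Names of the requirements that are NOT met, sorted for stable output."""
    return sorted(k for k, ok in check_3211(copies).items() if not ok)

# Constructed sample: everything online, in one site, so ransomware that spreads
# through the network can encrypt every copy at once.
WEAK = [
    Copy("prod-db", "ssd", offsite=False, offline=False, is_primary=True),
    Copy("nightly-snapshot", "object-storage", offsite=False, offline=False),
    Copy("hot-replica", "ssd", offsite=False, offline=False),
]

# Constructed sample that satisfies the rule: a second-region object store and
# an offline tape set held at another site.
GOOD = [
    Copy("prod-db", "ssd", offsite=False, offline=False, is_primary=True),
    Copy("region-b-snapshot", "object-storage", offsite=True, offline=False),
    Copy("weekly-tape", "tape", offsite=True, offline=True),
]

if __name__ == "__main__":
    for label, inv in (("weak", WEAK), ("good", GOOD)):
        print(label, "missing:", gaps(inv) or "nothing")
```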
Good records management includes both backup and archiving. However, while these terms are often used interchangeably, it is important to distinguish between them when considering a records management process. Backup is used for rapid recovery of current (typically highly transactional) data, while archiving is used for large-scale preservation and retrieval of all (or most) data in the event of a disaster, ransomware attack, legal retention requirement, or research and analysis. In simple terms, think of backup as short-term and archival as long-term.
But do not lose hope, there are ways to be safe. It is easy to talk about all the hacks that can happen and feel overwhelmed and underpowered. But, PII is very much protectable with proper handling and training.
The easiest way is to train employees to recognize phishing scams and other malicious attempts at data theft. Because hackers are constantly evolving their methods, employees and ground-level workers must be constantly aware of what they are navigating through.
Basic cybersecurity habits like these not only keep your PII safe, but they also secure your company's reputation. While larger companies that have had breaches, like Yahoo in 2013-2017 (3 BILLION records), can survive the damage to their reputation, smaller companies that rely on customers on a more personal level should understand ways to safeguard both their employees' and their customers' PII.