Protect the Personally Identifiable Information Your Business Maintains

Personally identifiable information (PII) security risks for businesses are increasing, but what can you do? NSF information security expert Tony Giles advises many large and small businesses on information security best practices. He offers this helpful advice for business owners who want to help ensure their customers’ PII is protected. Let’s start with physical security for businesses.

• Locked and secure.“Make sure that files containing personally identifiable information are kept in locked file cabinets when a team member is not working on a specific file, “he says. “Also, remind employees not to leave sensitive papers on their desks when they are away from their workstations.”
• Safer storage. Store paper documents or files, thumb drives and backups containing personally identifiable information in a locked room, limit access to employees with a legitimate business need and control who has a key and the number of keys assigned.
• Log off. Remind all employees, especially those new to the firm, to put files away, log off their computers and lock file cabinets and office doors at the end of the day. Staff should follow the written building access procedures that have been laid out.
• Be aware. All employees should know what to do if an unfamiliar person is seen walking around in the building unescorted. It all concerns secure access and a clear understanding of who is permitted to enter.
• Shipping. Giles also offers a simple recommendation when it comes to items being shipped. “Use an overnight shipping service that allows you to track the delivery of the device with your information,” he suggests. A surprising number of businesses don’t follow this primary security practice.
• Tracking. Take stock of your assets and devices by creating an asset inventory list as a cross-reference for tracking and hardware maintenance purposes.

A related and vitally important category is electronic security. Most importantly, for business owners to understand their systems' vulnerabilities and follow experts' advice.

1. Identify the computers and servers where sensitive personal information is stored.
2. Catalog these items. Include electronic cash registers, internal computers, external computers used by service providers, and other electronic devices.
3. Giles recommends encrypting sensitive information sent to outside partners using public networks like the internet. Encryption efforts should extend to the company’s entire computer network, including portable storage devices and email communications.
4. Install anti-malware software on all the computers and servers within your company’s network. You can check security forums or websites like www.us-cert.gov for updates on new software vulnerabilities and help ensure approved fixes and patches are deployed promptly to correct any identified system weaknesses or intrusions.
5. Make sure to implement the least privileges for access to PII. If your business does not have the expertise to conduct a complete security audit, hire an independent security firm or professional to help with the process.

Taking these basic steps to protect the PII your business maintains will help guard against data breaches and identity theft. These all-important measures can be implemented to improve managing your business in an ethically responsible way.