What’s the best way to protect the personal identifiable information, (PII), you need to keep? It depends on the kind of information and how it’s stored. The most effective data security plans deal with four key elements: physical security, electronic security, employee training, and the security practices of your contractors and service providers.

PHYSICAL SECURITY

Store paper documents or files, as well as CDs, floppy disks, zip drives, tapes, and backups containing (PII), in a locked room or a locked file cabinet. Limit access to employees with a legitimate business need. Control who has a key, and the number of keys.

Remind employees not to leave sensitive papers out on their desks, and lock their computers, when they are away from their workstations.

Implement appropriate access controls for your building. Tell employees what to do and whom to call if they see an unfamiliar person on the premises.

If you maintain offsite storage facilities, limit employee access to those with a legitimate business need. Know if, and when, someone accesses the storage site.

If you ship sensitive information using outside carriers or contractors, encrypt the information and keep an inventory of the information being shipped. Also use an overnight shipping service that will allow you to track the delivery of your information.

ELECTRONIC SECURITY - passwords, laptops, firewalls, wireless access and detecting breaches.

Identify the computers or servers where sensitive personal information is stored.

Identify all connections to the computers where you store sensitive information. These may include the Internet, electronic cash registers, computers at your branch offices, computers used by service providers to support your network, and wireless devices like inventory scanners or cell phones.

Determine the vulnerability of each connection to commonly known or reasonably foreseeable attacks. Depending on your circumstances, appropriate assessments may range from having a knowledgeable employee run off the shelf security software to having an independent professional conduct a full scale security audit.

Encrypt sensitive information that you send to third parties over public networks, like the Internet, and consider encrypting sensitive information that is stored on your computer network or on disks or portable storage devices used by your employees. Consider also encrypting email transmissions within your business if they contain any (PII).

Scan computers on your network to identify the operating system and open network services. If you find services that you don’t need, disable them to prevent hacks or other potential security problems.

For example, if email or an Internet connection is not necessary on a certain computer, consider closing the ports to those services on that computer to prevent unauthorized access to that machine.

Pay particular attention to the security of your web applications; the software used to give information to visitors to your website and to retrieve information from them. Web applications may be particularly vulnerable to a variety of hack attacks. In one variation called an “injection attack,” a hacker inserts malicious commands into what looks like a legitimate request for information. Once in your system, hackers/bots transfer sensitive information from your network to their computers. Relatively simple defenses against these attacks are available from a variety of sources.

Password Management

Control access to sensitive information by requiring that employees use “strong” passwords. Tech security experts say the longer the password, the better. Because simple passwords like common dictionary words can be guessed easily, insist that employees choose passwords with a mix of letters, numbers, and characters. Require an employee’s user name and password to be different, and require frequent changes in passwords.

Explain to employees why it’s against company policy to share their passwords or post them near their workstations. Use password activated screen savers to lock employee computers after a period of inactivity. Lock out users who don’t enter the correct password within a certain number of log on attempts.

Warn employees about possible calls from identity thieves attempting to deceive them into giving out their passwords by impersonating members of your IT staff. Let employees know that calls like this are always fraudulent, and that no one should be asking them to reveal their passwords.

Caution employees against transmitting (PII) — Social Security numbers, passwords, or account information via email. Unencrypted email is not a secure way to transmit any information. Same for instant messenger programs.

Laptop Security

Assess whether (PII) really needs to be stored on a laptop. If not, delete it with a “wiping” program that overwrites data on the laptop. Deleting files using standard keyboard commands isn’t sufficient because data may remain on the laptop’s hard drive. Wiping programs are available at most office supply stores.

How many times have you seen in the news where a laptop with sensitive information gets lost or stolen?

Require employees to store laptops in a secure place. Even when laptops are in use, consider using cords and locks to secure laptops to employees’ desks.

If a laptop contains sensitive data, encrypt it and configure it so users can’t download any software or change the security settings without approval from your IT specialists. Consider adding an “auto-destroy” function so that data on a computer, that is reported, stolen will be destroyed when a thief uses it to try to get on the Internet.

Train employees to be mindful of security when they’re on the road. They should never leave a laptop visible in a car, at a hotel luggage stand, or packed in checked luggage unless directed to by airport security. If someone must leave a laptop in a car, it should be locked in a trunk. Everyone who goes through airport security should keep an eye on their laptop as it goes on the belt.

Firewalls

Use a firewall to protect your computer from hacker attacks while it is connected to the Internet. A firewall is software or hardware designed to block hackers from accessing your computer. A properly configured firewall makes it tougher for hackers to locate your computer and get into your programs and files.

If some computers on your network store sensitive information and others do not, consider using additional firewalls to protect the computers with sensitive information.

Wireless and Remote Access

Determine if you use wireless devices like inventory scanners or cell phones to connect to your computer network or to transmit sensitive information. If you do, consider limiting who can use a wireless connection to access your computer network. You can make it harder for an intruder to access the network by limiting the wireless devices that can connect to your network.

Encrypting transmissions from wireless devices to your computer network may prevent an intruder from gaining access through a process called “spoofing”, impersonating one of your computers to get access to your network.

Detecting Breaches

Maintain central log files of security related information to monitor activity on your network so that you can spot and respond to attacks. If there is an attack on your network, the log will provide information that can identify the computers that have been compromised. And it must be updated frequently to address new types of hacking.

Monitor outgoing traffic for signs of a data breach. Watch for unexpectedly large amounts of data being transmitted from your system to an unknown user. If large amounts of information are being transmitted from your network, investigate to make sure the transmission is authorized.

EMPLOYEE TRAINING

Ask every new employee to sign an agreement to follow your company’s confidentiality and security standards for handling sensitive data. Make sure they understand that abiding by your company’s data security plan is an essential part of their duties. Regularly remind employees of your company’s policy, and any legal requirement to keep customer information secure and confidential.

Know which employees have access to consumers’ (PII). Pay particular attention to data like Social Security numbers and account numbers. Limit access to personal information to employees with a “need to know.”

Have a procedure in place for making sure that workers who leave your employ or transfer to another part of the company no longer have access to sensitive information. Terminate their passwords, and collect keys and identification cards as part of the check out routine.

Create a “culture of security” by implementing a regular schedule of employee training. Update employees as you find out about new risks and vulnerabilities. Make sure training includes employees at satellite offices, temporary help, and seasonal workers. If employees don’t attend, consider blocking their access to the network.

Impose disciplinary measures for security policy violations.

SECURITY PRACTICES OF CONTRACTORS AND SERVICE PROVIDERS

Before you outsource any of your business functions ie: payroll, web hosting, call center operations, data processing, or the like, investigate the company’s data security practices and compare their standards to yours. If possible, visit their facilities.

Insist that your service providers notify you of any security incidents they experience, even if the incidents may not have led to an actual compromise of your data.

Many corporate executives mistakenly believe that, by outsourcing the work to vendors, they have also transferred the liability that may arise when a breach occurs. Unfortunately, it is not that easy. Business process-outsourcing and IT vendors may contractually agree to indemnify their customer for breach of confidentiality or privacy, but the legal and regulatory liability primarily remains with the data owner.

If an ID theft occurs because a thief steals (PII) from your computer or files, you could be held accountable by the federal government, the state government and the victims.

Do you have a mitigation plan in place? Watch these free videos on identity theft. Click Here.

EXAMPLE

There have been incidents reported associated with multiple gas station chains in different parts of the nation where criminals do the ATM skimming trick to capture info on people who stick their credit cards into the gas pumps to buy gas.

The convenience store failed to have wireless security, so that anyone with wireless on their PC could download all the info going through that convenience store network ... they don't have to be parked in plain sight in the parking lot to do this ... and generally when the news comes out that there has been such a breach, it is kept secret for a long time, what kind of stupidity was going on at the store that led to information being breached.

You can encrypt the data, attempt to limit access, enact secure policies, but when one apathetic employee has access to vast amounts of data with little or no oversight … ultimately you'll end up having a breach.