Implementing Data Encryption: A Step-by-Step Guide for SMBs
Small businesses are prime cybercrime targets. Learn how data encryption can protect your business from breaches and keep sensitive info safe.
Small and mid-sized businesses (SMBs) are prime targets for cybercriminals because they often do not have established IT departments to help implement “best practices.” A common best practice for protecting Personally Identifiable Information (PII) and other sensitive data is encryption.
Encryption Explained in Simple Terms Everyone Can Understand
Think of encryption as a lock — even if someone gains access to your data, they can’t read it without the key.
Encryption uses a mathematical algorithm to convert your sensitive data into what looks like a random string of binary data, and the key that unlocks that data is kept secret.
For instance, when you send an encrypted message, instead of sending it in “plaintext” (something everyone can read), you scramble it into something unreadable (“ciphertext”). Only someone with the right key can turn ciphertext back into a readable, plaintext message.
Even though your message may have traversed a public network you don’t control — like the Internet — encryption locks up your sensitive information so that even if cybercriminals intercepted it, they can’t read or use it.
Encryption helps keep your data private and secure, protecting everything from passwords to customer information, financial records, and personal details.
Encryption at Rest vs. Encryption in Transit
There are two ways to think about encryption:
Encryption at Rest. This protects data while it’s stored on a hard drive, a USB device, or in the cloud. Think of it like locking a filing cabinet: even if someone breaks into your office, they can’t read the files without the key. Examples: encrypted databases, and full-disk encryption such as BitLocker for Windows or FileVault for macOS.
Encryption in Transit. This protects data while it’s being sent from one place to another, like when you send an email or enter your credit card info online. Imagine sending a sealed letter. Even if someone intercepts it, they can’t open it without breaking the seal. Examples: HTTPS websites (that little padlock in your browser), encrypted emails, and VPNs (Virtual Private Networks).
We constantly use both types of encryption to help secure confidential information from unauthorized parties.
Encryption as a Cybercrime Deterrent
Encryption is one of the best defenses against cybercrime because it makes stolen data useless. Here’s why:
Even if hackers steal encrypted data, they can’t read it without the encryption key.
To brute-force an encrypted container or message stream, the attacker has to guess the key by working through an enormous number of possibilities. This guessing could take a standard computer hundreds of years. That time, the time it takes to guess the secret encryption key, is the deterrent.
Encryption discourages attacks because hackers prefer easy targets; low-hanging fruit. Encrypted data means more effort, so they often move on.
Without encryption, stolen data is an open book for cybercriminals. But with encryption, it’s just gibberish unless they have the right key, making it one of the most powerful tools for protecting your business.
Why Encryption Matters
Hackers will target small businesses because they assume you lack security protections. If you store customer details, payment information, or internal business data without encryption, you’re leaving your digital doors wide open. Encryption ensures that even if data is stolen, it remains unreadable.
Imagine for a moment if your laptop left your control, say, it was stolen at an airport, or, you accidentally left it in a hotel room. If the device isn’t encrypted, everything on it — every file, every picture, your cached website access and credentials — is accessible to someone who knows what they’re doing. If you’re feeling a sensation of panic, good: you’re starting to understand the benefit of encryption.
If the device is encrypted, who cares? It would take a standard person using a standard PC upwards of 500 years to guess the secret key and unlock the hard drive, and nobody cares that much about your data.
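As an added example (not code from the original post), here is a short Python program that makes the “lock and key” explanation above and the brute-force deterrent concrete. It stores a customer record under a passphrase: the passphrase is stretched with PBKDF2 so each guess costs the attacker real work, the ciphertext is authenticated so a wrong passphrase or a tampered file is rejected rather than decrypted into garbage, and a helper estimates how long exhaustive guessing would take for several key sizes. The cipher itself is a teaching stand-in (HMAC-SHA256 used as a keystream generator in counter mode, with an encrypt-then-MAC tag), chosen because it needs only the standard library; real systems should use AES-GCM or ChaCha20-Poly1305 from a vetted library. The 600,000 PBKDF2 iterations, the sample record, and the attacker rate of a billion guesses per second are assumptions for illustration.

```python
"""Added example (not code from the original post): passphrase-protected,
authenticated encryption of a stored record, plus a brute-force cost estimate.
Stand-in cipher: HMAC-SHA256 as a PRF in counter mode for the keystream, with a
separate HMAC-SHA256 tag (encrypt-then-MAC), built from the standard library for
teaching only. Production code should use AES-GCM from a vetted library."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # assumption: a typical PBKDF2-HMAC-SHA256 work factor
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the passphrase with PBKDF2, then split into encryption and MAC keys."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=32)
    enc_key = hmac.new(master, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_record(passphrase: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag, with a fresh salt and nonce each call."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_record(passphrase: str, blob: bytes) -> bytes:
    """Check the tag first (constant-time compare); decrypt only if it verifies."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short to be a valid record")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or tampered data")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def can_decrypt(passphrase: str, blob: bytes) -> bool:
    """True if the passphrase opens the record and the record is intact."""
    try:
        decrypt_record(passphrase, blob)
        return True
    except ValueError:
        return False


def brute_force_years(keyspace: int, guesses_per_second: float) -> float:
    """Years to try every candidate at the given rate (expected time is half this)."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    record = b"Customer: Jane Doe, card ending 4242"  # constructed sample record
    blob = encrypt_record("correct horse battery staple", record)
    print("stored bytes look like gibberish:", blob.hex()[:48], "...")
    print("wrong passphrase opens it?", can_decrypt("password1", blob))
    tampered = bytearray(blob)
    tampered[SALT_LEN + NONCE_LEN] ^= 0x01  # flip one ciphertext bit
    print("tampered copy accepted?", can_decrypt("correct horse battery staple", bytes(tampered)))
    print("right passphrase recovers:", decrypt_record("correct horse battery staple", blob))

    # Assumed attacker rate of 1e9 raw guesses/s; PBKDF2 divides that by its iteration count.
    raw_rate = 1e9
    stretched_rate = raw_rate / PBKDF2_ITERATIONS
    for label, keyspace in [("4-digit PIN", 10**4), ("8 lowercase letters", 26**8),
                            ("4 random words from a 7776-word list", 7776**4),
                            ("random 256-bit key", 2**256)]:
        print(f"{label}: {brute_force_years(keyspace, raw_rate):.3g} years raw, "
              f"{brute_force_years(keyspace, stretched_rate):.3g} years with PBKDF2")
```

Run it and compare the “raw” and “with PBKDF2” figures: the algorithm is identical in both, only the cost per guess changes, which is why the strength of the passphrase and the work factor behind it matter as much as the choice of cipher.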
Step-by-Step Guide to Implement Encryption
Identify What Needs to Be Encrypted. Take an inventory of the confidential information you maintain. Good examples are electronic PII, financial records, customer databases, and employee information.
Use Full-Disk Encryption for Devices. Enabling built-in encryption on Windows (BitLocker) and macOS (FileVault) protects everything stored at rest on company devices. Modern phones (Android and iOS) are already encrypted so long as the user has set a passcode.
Encrypt Emails and Communications. Make sure the latest protocols are enabled so that email stays confidential in transit. Consider investing in a secure email platform to safeguard email communications.
Secure Cloud Storage with Encryption. Choose cloud providers that offer zero-knowledge encryption, meaning even they can’t access your files. A good example is Google Workspace.
Use Strong Passwords & Multi-Factor Authentication (MFA). Encryption is only as strong as the password protecting it. Ensure all encryption keys are securely stored and not reused.
Regularly Audit & Update Encryption Methods. Cyber threats evolve—so should your encryption. Stay updated on industry best practices.
Small Businesses and Encryption
Encryption isn’t just for big corporations any longer. It’s a must-have for SMBs looking to secure their data and build customer trust. Need help? I know a guy.
R
Duplicati: Failed to Get Nonce
Duplicati is a great data backup utility. However, if you’re receiving a Failed to Get Nonce error message, or are having trouble logging in, there may be a quick fix. Here’s what to do.
Maybe you’re like me and you use Duplicati to target cloud and local storage for backups.
However, you tried to log in to Duplicati through the interactive stub in the system tray, only to receive a cryptic error: Failed to Get Nonce.
The error indicates that the browser is using a cached version of the login page. The nonce system was used up until 2.0.8.1, but is not used in 2.1.0.1+. It should be easy to resolve with a forced reload (Shift+F5) in Chrome, or by clearing the browser cache. Then try again.
But let’s say you’re still experiencing the problem and can’t log in to your localhost:8200 (http://localhost:8200/ngax/index.html). Open an elevated command prompt and try this command:
"C:\Program Files\Duplicati 2\Duplicati.Server.exe" --webservice-password=1234 --server-datafolder "C:\Windows\System32\config\systemprofile\AppData\Local\Duplicati"
Then try to log in to localhost:8200 with 1234. You can change the password again once you’re in.
But let’s say you’re still encountering problems with its access token, and you’ve got the Windows service for Duplicati loaded. Try this:
Clear/preserve your Application Log in Event Viewer.
Go into services.msc and stop the Duplicati Server service.
Start the Duplicati Server service.
Go into the Application Log.
You might see events entered by Duplicati that it was unable to start the 8200 instance because of a problem with its keys. It will provide a link to reset those keys within the event details.
Click on that and you’ll be walked through a reset.
Now, maybe you’re playing with multiple instances. Look closely. If you accessed Duplicati’s web-based UI from the stub, you might be in the localhost:8300 instance of Duplicati. Yes, confusing; the Windows Service, by default, only works against the 8200 instance, so if you ever wondered why your backups configured in the 8300 instance aren’t automated and working — that’s why. So how do you fix that? Try this:
Access the 8300 instance.
Export your backup configs to a *.json file.
Log out of the 8300 instance.
Access the 8200 instance using that localhost:8200 command from earlier.
Import your backup config.
When it runs for the first time, it’ll report a problem with the database. Run the repair option. It’ll rebuild your local database.
After, you’ll be ready to run your backups again under the 8200 instance which is processed by the Windows service.
Delete the backup in the 8300 instance.
R
The Role of Employee Training in Preventing PII Breaches
Your employees handle PII daily—are they protecting it? Learn how employee training can prevent costly data breaches and strengthen your security.
You’re a small business.
You handle Personally Identifiable Information (PII) all the time.
You can invest in the best firewalls, encryption tools, and cybersecurity software, but if your employees don’t know how to safeguard PII correctly, your business is still at risk.
In fact, human error is one of the leading causes of data breaches. That’s why employee training isn’t just an IT concern — it’s a business survival strategy.
Why Employee Training Matters
Your employees interact with PII daily: customer names, addresses, payment details, account numbers … if they don’t know how to protect this information, cybercriminals can exploit their mistakes. Phishing emails, weak passwords, misplaced documents, and accidental data sharing are all common pitfalls.
What Should PII Training Cover?
Recognizing Phishing Attacks. Employees should be able to spot suspicious emails, links, and attachments designed to steal sensitive data.
Strong Password Practices. Implement passphrases, multi-factor authentication (MFA), and secure password managers to reduce vulnerabilities.
Handling Data Securely. Teach employees where and how to store, access, and dispose of PII. Locking down USB drives, shredding documents, and using secure cloud storage are key.
Social Engineering Awareness. Scammers often impersonate coworkers, IT support, or even customers to gain access to PII. Employees should verify requests before sharing data.
Incident Reporting. If a breach happens, immediate action is critical. Employees must know who to report to and how to contain the damage.
Behavioral Training: The Human Firewall for Protecting PII
Technical controls alone can’t keep Personally Identifiable Information (PII) safe. Your employees and their behaviors are the first line of defense against breaches. That’s why behavioral training is just as important as security tools. Small mistakes, like clicking a phishing link or writing down passwords, can expose sensitive data. Teaching employees to think before they act is key to protecting customer and business information.
Key Behavioral Training Areas
Phishing and Social Engineering Awareness. Employees need to recognize suspicious emails, fake login pages, and fraudulent phone calls. They should be trained to verify requests, never click unknown links, and report anything suspicious.
Secure Password Habits. Weak passwords are an open invitation to hackers. Employees should be required to use passphrases instead of simple passwords, enable multi-factor authentication (MFA), and avoid writing down or sharing login credentials.
The Principle of Least Privilege. Employees should only access the data necessary for their role. Training should emphasize that curiosity isn’t an excuse for looking at sensitive data, and accessing unauthorized information can have serious consequences. Management should craft job descriptions that emphasize least privilege in action: certain levels of employees should only see certain levels of information.
Safe Data Handling. Employees must understand the risks of leaving documents unattended, storing PII on personal devices, or discussing sensitive information in public places. Shredding physical documents and locking screens when away from a workstation should become second nature.
Incident Response and Reporting. Employees should not fear repercussions for reporting a security mistake. Encouraging quick reporting of lost devices, phishing attempts, or suspicious activity can prevent bigger breaches. Incident response is critical. Most states mandate a time frame for reporting data breaches or losses to consumers. Further, without reporting, there can be no corrective action to improve the information system.
The Importance of People
Security isn’t just an IT responsibility; it’s about fostering a company-wide culture that values PII and treats it with kid gloves. Behavioral training transforms employees from potential risks into active defenders of your business’s data.
Training isn’t a one-time event. Cyber threats evolve, and your employees need ongoing education to stay ahead. A well-trained team isn’t just your first line of defense. It’s your strongest.
R