Small businesses collect a ton of data — customer records, employee files, financial transactions — but do you really need to keep all of it forever?

The more Personally Identifiable Information (PII) you store, the bigger your risk if a data breach happens. That’s why a data retention policy is essential. Managing the data you keep around helps you decide what to keep, for how long, and when to securely dispose of it.

Data Retention Explained in Simple Terms

Think of data retention like cleaning out your garage. Over the years, you collect stuff. Some of it is important (like tax documents), but a lot of it is junk you don’t need anymore. If you never clean it out, it piles up, becomes a mess, and if someone breaks in, they could steal everything, including things you should have gotten rid of.

The concept of data retention works the same way. Businesses collect a ton of information all the time — customer names, emails, payment details, employee records — but keeping that information forever is risky. A data retention policy helps businesses decide:

• What data to keep (important records, legal documents).

• How long to keep it (some data needs to be stored for tax or legal reasons).

• When and how to safely delete it (so it doesn’t fall into the wrong hands).

By deleting what you don’t need, you can reduce the risk of data breaches, keep your systems clean, and stay compliant with privacy laws. Less data = less risk. It’s that simple.

Why a Data Retention Policy Matters

Holding onto data indefinitely increases your liability. Cybercriminals target small businesses precisely because they often have weak security and store old, forgotten PII. A data retention policy ensures that:

• You only keep data as long as needed for business and legal reasons.

• You securely dispose of old PII, reducing the impact of a potential breach.

• You stay compliant with privacy laws like CCPA, GDPR, and state regulations.

How Data Retention Policies Safeguard PII

A data retention policy is like a security guard for your business’s data—it decides what stays, what goes, and when. When it comes to Personally Identifiable Information (PII) (like customer names, addresses, or payment info), holding onto it longer than necessary is a security risk.

Here’s how a data retention policy protects PII:

1. Reduces Data Exposure. The less data you store, the less there is to steal. If cybercriminals breach your system and you’ve already deleted old customer data, they can’t steal what isn’t there.
   

2. Ensures Secure Disposal. A policy ensures that PII is deleted properly—whether through encryption, digital wiping, or shredding paper records—so sensitive data doesn’t get leaked or misused.
   

3. Limits Insider Threats. Employees shouldn’t have access to outdated or unnecessary data. A retention policy prevents unauthorized access to old records that could be misused or mishandled.
   

4. Keeps You Legally Compliant. Privacy laws like GDPR, CCPA, and various state laws dictate how long businesses can store PII. A policy ensures you delete data on time to avoid fines and legal trouble.
   

5. Improves System Security. Storing too much old data clutters your system, making it harder to manage security. A leaner, well-organized data environment is easier to protect from cyberattacks.

By regularly reviewing and deleting unnecessary PII, your business stays secure, compliant, and minimizes damage in case of a breach. Less data, fewer risks!

How to Build a Smart Data Retention Policy

1. Identify What Data You Collect. Make a list of all PII you store (customer details, payment records, employee data).
   

2. Set Retention Periods. Some records need to be kept for tax or legal reasons, but others (like outdated customer info) should be deleted.
   

3. Secure Disposal Methods. Use encryption, shredding, and digital wiping tools to erase data permanently. Set up Technical Controls that take care of deleting information through automation.
   

4. Train Your Employees. Make sure your team understands what data they can store, share, and delete.
   

5. Review & Update Regularly. Cyber threats evolve, so should your policy. Review every 6-12 months.

Reduce The Risk

Less data = less risk. By deleting what you don’t need, you protect your customers, your business, and your reputation. Don’t wait: start cleaning house today!

R

Small to mid-range businesses (SMBs) are prime targets for cybercriminals because they often do not have established IT departments to assist with implementing “best practices.” And a common best practice to protect Personally Identifiable Information (PII) and other sensitive data is through encryption.

Encryption Explained in Simple Terms Everyone Can Understand

Think of encryption as a lock — even if someone gains access to your data, they can’t read it without the key.

Encryption uses a mathematical algorithm to convert your sensitive data to a random string of binary data, and the key to unlock that random string of data is a secret.

For instance, when you send an encrypted message, instead of sending it in “plaintext” (something everyone can read), you scramble it into something unreadable (“cyphertext”). Only someone with the right key can turn cyphertext back into a readable, plaintext message.

Even though your message may have traversed a public network you don’t control — like the Internet — encryption locks up your sensitive information so that even if cybercriminals intercepted it, they can’t read or use it.

Encryption helps keep your data private and secure, protecting everything from passwords to customer information, financial records, and personal details.

Encryption at Rest vs. Encryption in Transit

There are two ways to think about encryption:

1. Encryption at Rest. This protects data while it’s stored on a hard drive, a USB device, or in the cloud. Think of it like locking a filing cabinet: even if someone breaks into your office, they can’t read the files without the key. Examples: Encrypted databases, encrypted hard drives like BitLocker for Windows or FileVault for MacOS.
   

2. Encryption in Transit. This protects data while it’s being sent from one place to another, like when you send an email or enter your credit card info online. Imagine sending a sealed letter. Even if someone intercepts it, they can’t open it without breaking the seal. Examples: HTTPS websites (that little padlock in your browser), encrypted emails, and VPNs (Virtual Private Networks).

We constantly use both types of encryption to help secure confidential information from unauthorized parties.

Encryption as a Cybercrime Deterrent

Encryption is one of the best defenses against cybercrime because it makes stolen data useless. Here’s why:

• Even if hackers steal encrypted data, they can’t read it without the encryption key.
  

• To brute-force attack an encrypted container or message stream, the aggressor has to work through a very complicated mathematical quest to guess at the key. This guessing could take a standard microcomputer hundreds of years. That time it takes to guess the secret — to guess what the encryption key is — is the deterrent.
  

• Encryption discourages attacks because hackers prefer easy targets; low-hanging fruit. Encrypted data means more effort, so they often move on.
  

Without encryption, stolen data is an open book for cybercriminals. But with encryption, it’s just gibberish unless they have the right key, making it one of the most powerful tools for protecting your business.

Why Encryption Matters

Hackers will target small businesses because they assume you lack security protections. If you store customer details, payment information, or internal business data without encryption, you’re leaving your digital doors wide open. Encryption ensures that even if data is stolen, it remains unreadable.

Imagine for a moment if your laptop left your control, say, it was stolen at an airport, or, you accidentally left it in a hotel room. If the device isn’t encrypted, everything on it — every file, every picture, your cached website access and credentials — is accessible to someone who knows what they’re doing. If you’re feeling a sensation of panic, good: you’re starting to understand the benefit of encryption.

If the device is encrypted, who cares? It would take a standard person using a standard PC upwards of 500 years to guess the secret key and unlock the hard drive, and nobody cares that much about your data.

Step-by-Step Guide to Implement Encryption

1. Identify What Needs to Be Encrypted. Take an inventory of the confidential information you maintain. Good examples are Electronic PII, financial records, customer databases, and employee information.
   

2. Use Full-Disk Encryption for Devices. Enabling built-in encryption on Windows (BitLocker) and macOS (FileVault) protects everything stored at-rest on company devices. Modern phones (Android and iOS) are already encrypted so long as the user has implemented a passcode.
   

3. Encrypt Emails and Communications. Ensure the latest protocols are enabled to ensure the greatest extent of email confidentiality in-transit. Perhaps invest in a secure email platform to safeguard email communications.
   

4. Secure Cloud Storage with Encryption. Choose cloud providers that offer zero-knowledge encryption, meaning even they can’t access your files. A good example is Google Workspace.
   

5. Use Strong Passwords & Multi-Factor Authentication (MFA). Encryption is only as strong as the password protecting it. Ensure all encryption keys are securely stored and not reused.
   

6. Regularly Audit & Update Encryption Methods. Cyber threats evolve—so should your encryption. Stay updated on industry best practices.

Small Businesses and Encryption

Encryption isn’t just for big corporations any longer. It’s a must-have for SMBs looking to secure their data and build customer trust. Need help? I know a guy.

R

Maybe you’re like me and you use Duplicati to target cloud and local storage for backups.

However, you attempted to login to Duplicati through the interactive stub in the Systems Tray and attempted to login, only to receive a cryptic error: Failed to Get Nonce.

The error indicates that the browser is using a cached version of the login page. The nonce system was used up until 2.0.8.1, but is not used in 2.1.0.1+. It should be easy to resolve with a forced reload (Shift+F5) in Chrome, or, dump the cache. Try again.

But let’s say you’re still experiencing the problem and can’t login to your localhost:8200 (http://localhost:8200/ngax/index.html). Drop to DOS with an elevated command prompt and try this command:

"C:\Program Files\Duplicati 2\Duplicati.Server.exe" --webservice-password=1234 --server-datafolder "C:\Windows\System32\config\systemprofile\AppData\Local\Duplicati"

Then try to login to the localhost:8200 with 1234. You can change the password again once you’re in.

But let’s say you’re still encountering problems with its access token, and you’ve got the Windows service for Duplicati loaded. Try this:

1. Clear/preserve your Application Log in Event Viewer.

2. Go into services.msc and stop the Duplicati Server service.

3. Start the Duplicati Server service.

4. Go into the Application Log.

5. You might see events entered by Duplicati that it was unable to start the 8200 instance because of a problem with its keys. It will provide a link to reset those keys within the event details.

6. Click on that and you’ll be walked through a reset.

Now, maybe you’re playing with multiple instances. Look closely. If you accessed Duplicati’s web-based UI from the stub, you might be in the localhost:8300 instance of Duplicati. Yes, confusing; the Windows Service, by default, only works against the 8200 instance, so if you ever wondered why your backups configured in the 8300 instance aren’t automated and working — that’s why. So how do you fix that? Try this:

1. Access the 8300 instance.

2. Export your backup configs to a *.json file.

3. Log out of the 8300 instance.

4. Access the 8200 instance using that localhost:8200 command from earlier.

5. Import your backup config.

6. When it runs for the first time, it’ll report a problem with the database. Run the repair option. It’ll rebuild your local database.

7. After, you’ll be ready to run your backups again under the 8200 instance which is processed by the Windows service.

8. Delete the backup in the 8300 instance.

R