Identity theft, also known as identity fraud, is generally seen as a crime against consumers, but it poses a significant threat to businesses as well. Identity fraud victims normally have to spend considerable time and money to clear their credit reports and restore their financial reputations. For businesses and organizations that lose customer, participant or employee data to thieves, the loss of reputation—which could result in the loss of current and future customers—can be disastrous. Businesses that lose such data also run the risk of lawsuits and legal penalties.
Rampant But Under-Reported?
One of the problems with estimating the impact of identity fraud on businesses is that companies are reluctant to report data losses because of the damage they could do to their reputations, and that kind of damage is itself difficult to quantify. However, we’ve all seen the headlines about numerous recent incidents of bulk disclosure of personal information due to the loss or theft of portable computers and dissemination by disgruntled and opportunistic employees.
Government agencies and corporations alike in a wide variety of industries have been outed for inadequate data protection this year. For example, recently the AP reported that the Government Accountability Office found 47 weaknesses in an electronic billing system used by the Centers for Medicare and Medicaid Services that have left the records of millions vulnerable. Clearly this is a problem businesses and agencies must address.
What Opens the Door to Theft?
Businesses may leave many doors open to theft by dishonest employees or outsiders. Sloppy business practices are major enablers of identity fraud.
Sloppy business practices encompass a variety of behaviors—neglecting to destroy vital information when it’s no longer needed, neglecting to verify information from applications for employment, weak password policy and enforcement, inferior authentication of system users, using Social Security numbers or EINs as identifiers.
Of course, business decisions are often based on budget. Because security is a “tough sell,” businesses frequently wait until a serious incident occurs before taking action.
Following are some techniques that have proven effective in tightening business practices to thwart data loss.
• Conduct background security checks on employees. All too often companies hire without bothering to check references and criminal background records.
• Limit employees’ access to those areas and systems necessary for their work. Everyone doesn’t need access to everything. Only those individuals who actually have a need for access to applications and records should be authorized to access them.
• Institute a clear desk policy. Sensitive information left out on desks is an open invitation to theft.
• Document and explain procedures and policies for system and device use. Doing this will clarify the company position and also protect the company legally.
• Train employees on corporate policies, system use and security. Documentation, whether online or in hard copy, is not enough. All employees need to receive training so that they understand the corporate mentality, why certain systems and procedures are in use, and how to use them properly.
• Implement secure storage for sensitive documentation. Every business needs to assess the risk from information being compromised. Since businesses differ, their security requirements also differ. Solutions should be implemented according to need.
• Institute secure disposal of confidential information. Eliminate Dumpster diving, theft of discarded originals, and illegal copying by establishing, implementing and training personnel on the proper handling and disposal of sensitive paper-based and digital data.
• Implement effective access control measures for password management, user registration and de-registration. Registration is normally handled when an employee joins a company. That registration should be modified when a person changes jobs or acquires additional duties, and of course, upon resignation or firing, the individual needs to be de-registered.
• Implement, review and maintain a comprehensive audit system that provides historical data access records. Whether manual or automated, a comprehensive audit system and review log must be implemented. There are numerous products now available that in addition to providing an historical record will also send an alert if something out of the ordinary occurs.
• Institute secure procedures for exchanging information. Safe exchange of information, both within a company and between companies or entities, can be achieved through the use of encryption, user authentication and other techniques that verify the participants and safeguard the data. It’s essential to provide written procedures to accompany the techniques.
• Encrypt sensitive and personal information stored on Web sites. Intercompany and intracompany data should be encrypted using standardized and accepted products.
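The three practices above concerning least-privilege access, registration and de-registration, and an audit system that alerts on out-of-the-ordinary access can be tied together in a simple review of access records. The following script is an added example written for this article, not code from the author or from any product mentioned; the roster, the role-to-system authorizations, the business-hours window and the log lines are all constructed for the demonstration. It reconciles each data-access record against the registration roster and role permissions and flags what an alerting audit system should surface: access by an account that was never registered, access after de-registration, access to a system outside the person's role, and access outside business hours.

```python
"""Access-record audit: reconcile data-access log entries against the
registration roster and role authorizations, and flag the anomalies an
alerting audit system should raise.

Added example, not from the article. The roster, authorizations and log
lines below are constructed for the demonstration.
"""
from datetime import datetime, time

# Constructed registration roster: account -> role, status, de-registration date
ROSTER = {
    "jdoe":   {"role": "payroll", "status": "active",       "deregistered": None},
    "asmith": {"role": "sales",   "status": "active",       "deregistered": None},
    "bkim":   {"role": "payroll", "status": "deregistered", "deregistered": "2006-06-30"},
}

# Constructed role-to-system authorization (least privilege: only what the job needs)
ROLE_ACCESS = {
    "payroll": {"hr_records", "payroll_db"},
    "sales":   {"crm"},
}

# Constructed business-hours window used for the "unusual time" check
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Constructed audit log: ISO timestamp, account, system, record id
SAMPLE_LOG = """\
2006-07-03T09:15:00 jdoe payroll_db EMP-1042
2006-07-03T10:02:00 asmith crm CUST-77
2006-07-03T10:30:00 asmith hr_records EMP-1042
2006-07-03T02:12:00 jdoe hr_records EMP-2001
2006-07-05T11:00:00 bkim payroll_db EMP-1042
2006-07-05T11:05:00 ghost crm CUST-12
"""


def update_registration(roster, account, role=None, deregistered=None):
    """Joiner/mover/leaver update: change a role when duties change, or mark
    the account de-registered on the given date when the person leaves."""
    entry = roster.setdefault(account, {"role": role, "status": "active", "deregistered": None})
    if role is not None:
        entry["role"] = role
    if deregistered is not None:
        entry["status"] = "deregistered"
        entry["deregistered"] = deregistered
    return entry


def parse_log(text):
    """Parse log text into (timestamp, account, system, record) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, system, record = line.split()
        entries.append((datetime.fromisoformat(ts), account, system, record))
    return entries


def audit_access(entries, roster=ROSTER, role_access=ROLE_ACCESS, hours=BUSINESS_HOURS):
    """Return (severity, account, system, reason) findings in log order.

    Every entry stays in the historical record; the findings are the subset
    an alerting system should surface for review.
    """
    findings = []
    for ts, account, system, record in entries:
        person = roster.get(account)
        if person is None:
            findings.append(("high", account, system, "account not in registration roster"))
            continue
        if person["status"] != "active":
            findings.append(("high", account, system,
                             f"access after de-registration on {person['deregistered']}"))
            continue
        if system not in role_access.get(person["role"], set()):
            findings.append(("medium", account, system,
                             f"system not authorized for role '{person['role']}'"))
        if not (hours[0] <= ts.time() <= hours[1]):
            findings.append(("low", account, system,
                             f"access at {ts.time()} outside business hours"))
    return findings


if __name__ == "__main__":
    for severity, account, system, reason in audit_access(parse_log(SAMPLE_LOG)):
        print(f"[{severity}] {account} -> {system}: {reason}")
```

Run against the constructed log, the script reports four findings: the sales account reaching into HR records, a payroll account active at 02:12, a de-registered account still pulling payroll data, and an account that appears in no roster at all. The last two are the cases the de-registration and registration practices exist to prevent, and they are only visible because the historical access record was kept and reviewed.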
Business is about managing risk. But only after identity theft or data theft becomes a visible problem and customers go elsewhere because of loss of trust do many companies feel motivated to take action. Investing time and money now to implement preventive measures will save time and money later when dealing with losses from an actual incident.
D.E. Levine CISSP, CFE, FBCI, CPS, a contributing editor of Security Technology & Design and co-author of several security books, can be reached at