By now, you've heard that identity theft is among America's fastest-growing crimes, with nearly 10 million cases last year alone, and you're probably already taking measures to prevent yourself from becoming a victim.
For instance, you use a paper shredder to convert old bills, receipts, and bank documents into confetti. You review your credit-card statements monthly, looking for mystery charges; you obtain your overall reports from the three major credit-reporting agencies annually, looking for accounts you never authorized. You don't leave personal mail -- incoming or outgoing, opened or sealed -- sitting in the open where someone could walk off with it. Your best friend couldn't guess your PIN. You guard your Social Security number like a jealous lover.
Congratulations. You've taken some big steps toward shielding your own identity. Now how about doing the same for everyone whose personal information is sitting in your company's computers?
After all, an ID hijacker needs only a Social Security number, a birth date, and a few other details to open bank and credit-card accounts in somebody else's name. Chances are you've collected all kinds of confidential data about your employees, contractors, and customers. If you've stored it on your systems, it's vulnerable to theft.
Obviously, standard security measures, such as firewalls, provide some protection against cyberthieves. So do commonsense practices. "You can do a lot by just not storing that information" in the first place, says Phebe Waterfield, security analyst for the Yankee Group, a Boston-based technology research and consulting firm. She recommends using something other than Social Security numbers for identifying employee records or customer accounts. And, of course, you should never store confidential data on laptop computers, floppy disks, or CD-ROMs -- all easily lost or stolen.
But given how quickly ID theft is growing (80% in one year, according to a Gartner Inc. survey), those precautions aren't enough to safeguard sensitive information. Besides, you may not want to wall off your systems; you probably need to share some information with employees, contractors, clients, partners, and others.
Instead, consider developing a comprehensive identity- and access-management campaign. Translated, that means that you provide information access on a "need-to-know" basis. You monitor who's looking at what. And you verify that all users are who they say they are.
Among the technologies used in identity and access management are:
Authentication. These tools verify that the user logged on as Webster J. Parker is, in fact, Webster J. Parker. The most common version, the lowly personal password used again and again, won't deter serious thieves, who can quickly crack the code. More sophisticated options include handheld "keys," such as smart cards, and "two-factor" solutions, which require both a password and a physical device, such as a token, for access.
Single sign-on (SSO). Generally, these solutions let companies provide each authorized user with one secure identity -- often a user name paired with a smart card or token -- for accessing all company systems. That prevents the out-of-control proliferation of log-in names and passwords that can compromise security.
Biometrics. These devices identify users based on unique physical characteristics, such as handprints, retinas, facial features, or voices. Fingerprint and thumbprint readers that can be attached to individual computers are already on the market for less than $100 apiece. However, keep in mind that even legitimate users may object to providing prints or consider a retina scan invasive. And voice- and facial-recognition technologies are far from foolproof; currently, variables such as laryngitis or eyeglasses can distort the results.
Account administration. This practice, often called "provisioning," refers to managing users' system-access accounts. That's far more important than it sounds. Dormant accounts -- for instance, those previously assigned to former contractors or ex-employees -- can provide loopholes for thieves seeking access to private information. While small businesses can manually add and delete accounts, fast-growing companies may need technology that automates the process.
Digital signatures. These e-signatures verify who's sent a message or signed a document. Because they're encrypted and include a time stamp, they're difficult to fake.
At this point, it's impossible to guarantee that any technology can shield people's identities. Recently, consumer activists and reporters demonstrated just how easily anyone in the know can buy supposedly private information -- they effortlessly purchased public officials' Social Security numbers and personal credit reports from online vendors.
Even so, businesses are increasingly being expected to safeguard their customers' private information -- and being held accountable if they don't. California recently passed a tough new law that, among other things, requires companies to seek customer permission before sharing their financial information and to print only the final few digits of credit-card numbers on purchase receipts. Congress is considering related requirements in its proposed amendments to the 33-year-old Fair Credit Reporting Act.
Ultimately, then, taking action to protect your customers may be the best way to protect yourself.