Mar 30, 2010

How to Prevent Identity Theft in Your Business

Of all the security issues companies face, identity theft is one of the scariest, since it has the power to damage your relationship with key customers and employees. Here are some tips on how you can keep private information secure.


Businesses devote time and resources to attracting and retaining customers, but these days all it takes is one data breach, or any other loss or theft of personally identifying information about customers, to lose their business for good. That's why preventing identity theft has become a major concern for any business entrusted with the custody of personal data about customers, employees, or third parties.

Businesses have been stockpiling more and more personally identifiable information (PII) about customers since the advent of the digital age. PII -- including credit card numbers, social security numbers, birth dates, addresses, etc. -- is often collected in the course of sales, applications for credit or loans, and in the course of employment. This information is often maintained by businesses in computer databases or on disks or is transmitted over networks, such as the Internet. Stealing PII often leads to identity theft -- a crime through which someone uses stolen personal information to get credit cards, take out loans, and/or perpetrate other fraud.

In recent years, many U.S. states have adopted laws that put some of the burden of fighting identity theft on businesses. California led the way in 2002 with a law requiring that companies notify customers when their PII is lost, stolen, or has possibly been otherwise compromised. Since then, 45 states, the District of Columbia, and several U.S. territories have passed similar laws.

While large corporations may keep more PII, smaller firms are sometimes targeted by ID thieves because their data security is less rigorous. "In a large business there is typically a well-defined set of people who have responsibility for security of computers and information assets. In small to medium businesses, that activity is not as clearly well defined," says Lawrence R. Rogers, a senior member of the technical staff at the CERT Program of the Software Engineering Institute, part of Carnegie Mellon University. "In Mom-and-Pop businesses that collect personal identifying information, they may have someone who installs patches and secures information. It's the same information a big business would have -- although not as much -- but perhaps it's more vulnerable because it's easier to attack."

The following sections will cover the ways thieves use businesses to perpetrate ID theft, how to use encryption to fight ID theft, and other steps businesses can take to better protect data.

Preventing Identity Theft: How Thieves Use Businesses for ID Theft

The Internet has helped fuel the spread of ID theft. Thieves for decades have sought to profit from identity scams, but it used to be that they had to pilfer paper files from record rooms or sort through your trash to find personal information. Nowadays, business information is aggregated on computers and one stolen or lost laptop computer could compromise the PII of millions of customers. In addition, the Internet can be used by thieves and organized criminal gangs to steal information from a business computer halfway around the world and trade it on an underground black market.

"Fraud is becoming a high tech business. It's also borderless and international. You can commit a fraud against an organization that's not even in your mother country," says Allan Bachman, education manager of the Association of Certified Fraud Examiners (www.acfe.org), an international organization dedicated to fighting fraud and white-collar crime.

Data thieves are hackers in it for the money: they sell the stolen information to others who use it to carry out financial fraud. "The information has a very short shelf life. Your social security and credit card only go for about $50 on the black market because they can only be used for a short period of time before it's discovered," Bachman says. That's why thieves are targeting bigger repositories of data. It's like the old adage about asking a criminal why they would rob a bank. The answer is usually because that's where the money is. "That's why data breaches occur," Bachman says. "That's where the data is."

A data breach can be costly for a business. In 2009, the average cost of a data breach rose to $202 per customer record, from $197 in 2008, according to The Ponemon Institute, a Michigan-based research center focusing on privacy and data protection. The study found that the average total cost of a data breach was $6.6 million, with individual breaches ranging from $613,000 to nearly $32 million.

Here are some of the ways data breaches occur:

  • Insider Mistakes -- Sometimes employees with the best of intentions mistakenly violate data security policies or fall victim to tricksters. These mistakes can include losing a laptop that contains unprotected PII. Data can also be intercepted if it is sent over e-mail, or saved to flash drives and removed from company premises. Sometimes hackers devise schemes, including phishing, spear phishing, and social engineering, to get employees to inadvertently reveal information that gives them the keys to your company's PII.
  • Malicious Insiders -- A small but growing segment of employees perpetrate data breaches for their own financial gain. They may have kept customer files after being terminated and decided to sell them to thieves. They may be spying for rival companies. They may be carrying out white-collar crime.
  • Outside Attacks -- A 2009 report on data breaches by Verizon, the telecommunications giant, found that 74 percent of data breaches resulted from external sources. The study found that 64 percent of breaches resulted from hacking and that malware was involved in perpetrating 38 percent. As cybercrime has become the purview of organized crime, coordinated attacks on businesses have grown in number. These attacks can include breaking into a company's computer network through a variety of means, from exploiting vulnerabilities to malware attacks to figuring out default passwords. The attacks have become so sophisticated that hackers can map out a business's systems and locate and capture PII. Verizon also found that nearly all records were compromised from online assets, such as servers and applications.


How to Use Encryption to Fight ID Theft

The best way to protect PII in digital form is to use encryption. Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are examples of technologies used to encrypt data that is transmitted over networks. Encryption should also be used to protect PII stored on disk, tape, CD-ROM, or any other type of media used to hold data at rest, Rogers says. "Understand that encryption technologies do not defend against data being captured by the bad guys; rather, its aim is to make any data that falls into the wrong hands unintelligible and therefore useless," he adds.

More specifically, the computing time and resources needed to decipher and then subsequently use encrypted data is presumed to be significantly longer than the lifetime of that data. "It's analogous to using a paper shredder -- someone could get their hands on all those paper scraps, and spend time fitting them back together, but the point is it would take most people way too long for this to be of much use," Rogers says. "The arms race, pitting the sophistication and configuration of encryption technologies against the resources and ingenuity of an adversary, is never-ending, though."

Encryption technology is available to businesses in a variety of products today. But even after you select a product, you need to keep evaluating the market: encryption technologies get stronger every year precisely because adversaries keep looking for, and finding, new methods to defeat them. This means that a well-researched and informed decision today may turn out to be a poor choice in the not-too-distant future.

Encryption relies on what are called keys to decrypt your data, so managing those keys is just as important, Rogers says. Deciding who "owns" these keys and who can access them must reflect the needs of the business, the practicalities of personnel changes, and an awareness of insider threats.
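As an added illustration of the at-rest encryption and key-custody points above (example code written for this page, not from the article, CERT, or any product), the Go program below encrypts each customer record under its own data key and wraps that key under a key-encryption key (KEK) held outside the database: a stolen copy of the records is unintelligible without the KEK, and a custodian change is handled by re-wrapping keys rather than re-encrypting every record. The Record layout and the function names are assumptions of the example; the cipher is Go's standard-library AES-256-GCM.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Record is one customer's PII as stored on disk: the ciphertext plus the per-record data
// key, itself "wrapped" (encrypted) under a key-encryption key (KEK) held outside the database.
type Record struct{ Ciphertext, WrappedKey []byte }
// aead is AES-256-GCM; with the fixed 32-byte keys used here the ignored errors cannot fire.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
// seal prefixes a fresh 12-byte random nonce; open strips it and rejects any modified blob.
func seal(key, plaintext []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce) // documented never to fail on Go 1.24+
	return aead(key).Seal(nonce, nonce, plaintext, nil)
}
func open(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return aead(key).Open(nil, blob[:12], blob[12:], nil)
}
// StoreRecord encrypts pii under a fresh data key and wraps that key with the KEK.
func StoreRecord(kek, pii []byte) Record {
	dk := make([]byte, 32)
	rand.Read(dk)
	return Record{Ciphertext: seal(dk, pii), WrappedKey: seal(kek, dk)}
}
// ReadRecord unwraps the data key with the KEK, then decrypts the PII; a wrong KEK errors.
func ReadRecord(kek []byte, r Record) ([]byte, error) {
	dk, err := open(kek, r.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dk, r.Ciphertext)
}
// RewrapRecord moves a record to a new KEK (e.g. a custodian leaves) without touching the PII.
func RewrapRecord(oldKEK, newKEK []byte, r Record) (Record, error) {
	dk, err := open(oldKEK, r.WrappedKey)
	if err != nil {
		return Record{}, err
	}
	return Record{Ciphertext: r.Ciphertext, WrappedKey: seal(newKEK, dk)}, nil
}
```

Calling ReadRecord with any key other than the KEK used by StoreRecord returns an authentication error rather than garbage, which is the property the shredder analogy describes.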

Rogers recommends taking the following steps to protect your business data with encryption:
