Businesses devote time and resources to attracting and retaining customers, but these days all it takes is one data breach or other loss or theft of personally-identifying information about customers to lose their business for good. That's why a major concern of businesses entrusted with the custody of personal data about customers or employees or third parties has become preventing identity theft.
Businesses have been stockpiling more and more personally identifiable information (PII) about customers since the advent of the digital age. PII -- including credit card numbers, social security numbers, birth dates, addresses, etc. -- is often collected in the course of sales, applications for credit or loans, and in the course of employment. This information is often maintained by businesses in computer databases or on disks or is transmitted over networks, such as the Internet. Stealing PII often leads to identity theft -- a crime through which someone uses stolen personal information to get credit cards, take out loans, and/or perpetrate other fraud.
In recent years, many U.S. states have adopted laws that put some of the burden of fighting identity theft on businesses. California led the way in 2002 with a law requiring that companies notify customers when their PII is lost, stolen, or has possibly been otherwise compromised. Since then, 45 states, the District of Columbia, and several U.S. territories have passed similar laws.
While large corporations may keep more PII, sometimes smaller firms are targeted by ID thieves because their data security is less rigorous. "In a large business there is typically a well-defined set of people who have responsibility for security of computers and information assets. In small to medium businesses, that activity is not as clearly well defined," says Lawrence R. Rogers, a senior member of the technical staff at the CERT Program of the Software Engineering Institute, part of Carnegie Mellon University. "In Mom-and-Pop businesses that collect personal identifying information, they may have someone who installs patches and secures information. It's the same information a big business would have -- although not as much -- but perhaps it's more vulnerable because it's easier to attack."
The following sections will cover the ways thieves use businesses to perpetrate ID theft, how to use encryption to fight ID theft, and other steps businesses can take to better protect data.
Preventing Identity Theft: How Thieves Use Businesses for ID Theft
The Internet has helped fuel the spread of ID theft. Thieves for decades have sought to profit from identity scams, but it used to be that they had to pilfer paper files from record rooms or sort through your trash to find personal information. Nowadays, business information is aggregated on computers and one stolen or lost laptop computer could compromise the PII of millions of customers. In addition, the Internet can be used by thieves and organized criminal gangs to steal information from a business computer halfway around the world and trade it on an underground black market.
"Fraud is becoming a high tech business. It's also borderless and international. You can commit a fraud against an organization that's not even in your mother country," says Allan Bachman, education manager of the Association of Certified Fraud Examiners (www.acfe.org), an international organization dedicated to fighting fraud and white-collar crime.
Data thieves are just hackers and they are in it to sell this information to others who can use it to carry out financial fraud. "The information has a very short shelf life. Your social security and credit card only goes for about $50 on the black market because it can only use it for a short period of time before it's discovered," Bachman says. That's why thieves are targeting bigger repositories of data. It's like the old adage about asking a criminal why they would rob a bank. The answer is usually because that's where the money is. "That's why data breaches occur," Bachman says. "That's where the data is."
A data breach can be costly for a business. In 2009, the average cost of a data breach rose to $202 from $197 per customer record in 2008, according to The Ponemon Institute, a Michigan-based research center focusing on privacy and data protection. The study found that the average cost of a data breach tallied $6.6 million, ranging from $613,000 to nearly $32 million.
Here are some of the ways data breaches occur:
- Insider Mistakes -- Sometimes employees with the best of intentions mistakenly violate data security policies or fall victim to tricksters. These mistakes can include losing a laptop that contains unprotected PII. Data can also be intercepted if it is sent over e-mail or saved to flash drives and removed from company premises. Sometimes hackers devise schemes -- they include phishing, spear phishing, and social engineering -- to get employees to inadvertently reveal information that gives them the keys to your company's PII.
- Malicious Insiders -- A small but growing segment of employees perpetrate data breaches for their own financial gain. They may have kept customer files after being terminated and decided to sell them to thieves. They may be spying for rival companies. They may be carrying out white-collar crime.
- Outside Attacks -- A 2009 report on data breaches by Verizon, the telecommunications giant, found that 74 percent of data breaches resulted from external sources. The study found that 64 percent of breaches resulted from hacking and that malware was involved in perpetrating 38 percent. As cybercrime has become the purview of organized crime, coordinated attacks on businesses have grown in number. These attacks can include breaking into a company's computer network through a variety of means, from exploiting vulnerabilities to malware attacks to figuring out default passwords. The attacks have become so sophisticated that hackers can map out a business' system and locate and capture PII. Verizon also found that nearly all records were compromised from online assets, such as servers and applications.
How to Use Encryption to Fight ID Theft
The best way to protect PII in digital form is to use encryption. Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are examples of technologies used to encrypt data that is transmitted over networks. Encryption should also be used to protect PII stored on disk, tape, CD-ROM, or any other type of media used to hold data when at rest, Rogers says. "Understand that encryption technologies do not defend against data being captured by the bad guys; rather, its aim is to make any data that falls into the wrong hands unintelligible and therefore useless," he adds.
More specifically, the computing time and resources needed to decipher and then use encrypted data are presumed to be significantly greater than the lifetime of that data. "It's analogous to using a paper shredder -- someone could get their hands on all those paper scraps, and spend time fitting them back together, but the point is it would take most people way too long for this to be of much use," Rogers says. "The arms race, pitting the sophistication and configuration of encryption technologies against the resources and ingenuity of an adversary, is never-ending, though."
Encryption technology is available for businesses in a variety of products today. But even after you select a product you need to continue to evaluate the market, because encryption technologies get stronger every year as adversaries continue to look for and find new methods to defeat encryption. This means that a well-researched and informed decision today may turn out to be a poor choice in the not-too-distant future.
With encryption technology, you use what are called keys to decrypt your data, so, secondarily, the management of these keys is also important, Rogers says. Deciding who "owns" these keys and who can access them must reflect the needs of the business, the practicalities of personnel changes, and the awareness of insider threats.
Rogers recommends taking the following steps to protect your business data with encryption:
- Identify Data Requiring Encryption. Undertake a risk analysis of all your business' information assets. The data that is most important to the business mission, or otherwise specifically required by governance, are prime candidates for encryption in order to enhance their level of confidentiality.
- Determine Information Lifetime. Once these information assets have been identified, their useful lifetime must be determined. For example, in the case of a credit card, the combination of the credit card number, its expiration date, and Card Verification Value (CVV) code have a lifetime that ends at that card's expiration date.
- Select Appropriate Encryption Technologies. In order to decide which encryption technology is appropriate to use to guard an information asset, you must consider its useful lifetime and the way it is organized. For example, Rogers says, a database containing customer information could have each record encrypted as it exists on disk. One approach is to use an appropriately strong full-disk encryption (hardware- or software-based) to protect that information as it resides on disk. Another is to encrypt each record as it is written to disk by ensuring the applications that use that information asset are using appropriate encryption software. A different, and again appropriately strong, encryption technology is needed to protect copies of that information -- called backups -- that reside on tape, CD-ROM or DVDs, or any other media. This protects against loss of customer information through theft of those backups. Finally, customer data that is being processed by an application and resides in physical or virtual memory also needs to be secured. The technologies used here need to reduce, but cannot eliminate entirely, the amount of time when the unencrypted form is potentially visible to an adversary. Management of virtual and physical memory, all temporary files created by an application, and any additional unencrypted information access points must be thoroughly examined, understood, and secured appropriately.
- Set Policies and Procedures. Write new or update existing organizational policies regarding appropriate use of encryption technologies and related assets (pass phrases, escrowed keys, and revocation information). Write or update procedures describing how these technologies and assets are used, modified, and destroyed.
- Identify Encryption Key Access Criteria. All encryption technologies use one or more keys as part of the encryption and decryption process. The strength of these keys -- usually measured in bits -- as well as the owners and users of these keys must be determined. Many technologies further guard keys with passwords and pass phrases which would also need to be created. Follow all governing policies and procedures.
- Install Encryption Technology. The selected technologies must be installed and configured and appropriate access granted as needed. This may mean that applications need to be changed to incorporate these technologies.
- Create Keys and Key Escrow Mechanisms. Some encryption technologies provide a method to render a key obsolete, and often require the pass phrase used to create the key to do so. Once the keys and their related pass phrases are created, the information needed to make the key obsolete, along with clear text versions of pass phrases and the created keys, should be escrowed. One suggested escrow method is to copy all of this information to removable media and then physically secure that media. Access to these physically secured copies must be highly controlled. The originals from which the copies were made should be appropriately destroyed in accordance with all appropriate data destruction requirements. Copies needing to be destroyed in the future should be destroyed using the same methods and technologies. The methods used are governed by policies and described in procedures.
- Train Users. Train users to operate the technology in conformance to all appropriate policies and in line with all relevant procedures. Included in this training must be the method by which the appropriate authorities in the enterprise are notified of any anomalous activity detected by any user.
"The encryption hardware and software selected must be re-evaluated regularly, to make sure they are still providing the required protection," Rogers says. "Remember that encryption technologies can be rendered obsolete by events completely external to the enterprise. This may mean that the entire encryption infrastructure needs to be overhauled rapidly to ensure that PII remains appropriately confidential over its useful lifetime."
Similarly, he says, all policies governing its use and all procedures defining its use need to be periodically reviewed to attest to compliance and execution.
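The per-record approach from the steps above (each record encrypted by the application as it is written to disk, with keys tracked so they can be retired) can be sketched as follows. This is an added example, not code from the article or from Rogers; the choice of AES-256-GCM, the names Keyring, SealRecord and OpenRecord, the one-byte key version prefix, and the sample record ID are all assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

type Keyring map[byte][]byte // key version -> 32-byte AES-256 key (assumed layout)

func (kr Keyring) aead(version byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kr[version]) // missing version gives a nil key, which is rejected
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord returns version || nonce || ciphertext+tag; recordID is bound as associated data.
func SealRecord(kr Keyring, version byte, recordID string, plaintext []byte) ([]byte, error) {
	g, err := kr.aead(version)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(append([]byte{version}, nonce...), nonce, plaintext, []byte(recordID)), nil
}

// OpenRecord picks the key named by the stored version byte and verifies the tag.
func OpenRecord(kr Keyring, recordID string, stored []byte) ([]byte, error) {
	if len(stored) < 13 { // 1 version byte + 12-byte GCM nonce
		return nil, errors.New("record too short")
	}
	g, err := kr.aead(stored[0])
	if err != nil {
		return nil, err
	}
	return g.Open(nil, stored[1:13], stored[13:], []byte(recordID))
}

func main() {
	kr := Keyring{1: make([]byte, 32)} // constructed all-zero demo key, not for real use
	stored, err := SealRecord(kr, 1, "cust-1001", []byte("constructed sample PII"))
	fmt.Println(len(stored), err)
}
```

Because the key version travels with each record, records sealed under an old key can be found and re-encrypted before that key is removed from the keyring; once it is removed, those records no longer open.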
Preventing Identity Theft: Additional Steps to Secure Data
In addition to using encryption to protect data, businesses can take other simple steps to help keep themselves from being used by criminals to perpetrate ID theft. Here are some of the simple steps that experts recommend:
- Make sure your business computers have anti-virus and anti-spyware protection.
- Make sure your network is protected with a firewall.
- Keep software and browsers updated with security patches.
- Educate employees about scams thieves use online, via e-mail, and over the phone to try to get them to divulge information that could give them the keys to your business' confidential data.
Preventing Identity Theft: Additional Resources
Ten Ways to Prevent Identity Theft from Staples.com
Tips for the business owner on how to secure employee and customer data.
Verizon Business RISK Team 2009 Data Breach Investigations Report
Telecommunications giant had its digital forensics team analyze more than 90 data breaches around the world that compromised more than 285 million records.
Ponemon Institute Fourth Annual Cost of a Data Breach Report
The Ponemon Institute reported that data breaches have a serious financial impact on businesses.
Symantec Internet Security Threat Report
Security software maker Symantec conducts ongoing analyses of threats impacting users of the Internet.
Insider Threat Research
Efforts underway at the CERT Program at the Software Engineering Institute, part of Carnegie Mellon University.