Mar 30, 2010

How to Prevent Identity Theft in Your Business

  • Identify Data Requiring Encryption. Undertake a risk analysis of all your business' information assets. The data that is most important to the business mission, or otherwise specifically required by governance, are prime candidates for encryption in order to enhance their level of confidentiality.
  • Determine Information Lifetime. Once these information assets have been identified, their useful lifetime must be determined. For example, in the case of a credit card, the combination of the credit card number, its expiration date, and Card Verification Value (CVV) code have a lifetime that ends at that card's expiration date.
  • Select Appropriate Encryption Technologies. To decide which encryption technology is appropriate for guarding an information asset, you must consider its useful lifetime and the way it is organized. For example, Rogers says, a database containing customer information could have each record encrypted as it exists on disk. One approach is to use appropriately strong full-disk encryption (hardware- or software-based) to protect that information as it resides on disk. Another is to encrypt each record as it is written to disk by ensuring the applications that use that information asset are using appropriate encryption software. A different, and again appropriately strong, encryption technology is needed to protect copies of that information -- called backups -- that reside on tape, CD-ROM or DVDs, or any other media. This protects against loss of customer information through theft of those backups. Finally, customer data that is being processed by an application and resides in physical or virtual memory also needs to be secured. The technologies used here need to reduce, but cannot eliminate entirely, the amount of time during which the unencrypted form is potentially visible to an adversary. Management of virtual and physical memory, all temporary files created by an application, and any additional unencrypted information access points must be thoroughly examined, understood, and secured appropriately.
  • Set Policies and Procedures. Write new or update existing organizational policies regarding appropriate use of encryption technologies and related assets (pass phrases, escrowed keys, and revocation information). Write or update procedures describing how these technologies and assets are used, modified, and destroyed.
  • Identify Encryption Key Access Criteria. All encryption technologies use one or more keys as part of the encryption and decryption process. The strength of these keys–usually measured in bits–as well as the owners and users of these keys must be determined. Many technologies further guard keys with passwords and pass phrases which would also need to be created. Follow all governing policies and procedures.
  • Install Encryption Technology. The selected technologies must be installed and configured and appropriate access granted as needed. This may mean that applications need to be changed to incorporate these technologies.
  • Create Keys and Key Escrow Mechanisms. Some encryption technologies provide a method to render a key obsolete, and often require the pass phrase used to create the key to do so. Once the keys and their related pass phrases are created, the information needed to make the key obsolete, along with clear text versions of pass phrases and the created keys, should be escrowed. One suggested escrow method is to copy all of this information to removable media and then physically secure that media. Access to these physically secured copies must be highly controlled. The originals from which the copies were made should be destroyed in accordance with all applicable data destruction requirements. Copies needing to be destroyed in the future should be destroyed using the same methods and technologies. The methods used are governed by policies and described in procedures.
  • Train Users. Train users to operate the technology in conformance to all appropriate policies and in line with all relevant procedures. Included in this training must be the method by which the appropriate authorities in the enterprise are notified of any anomalous activity detected by any user.
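The following Go program is an added illustration of how several of the steps above fit together in code; it is not code from the article or from Rogers, and the type and function names (Record, Sealed, Escrow, SealRecord, WrapKey) are my own. It encrypts each customer record as it is written out with AES-256-GCM (step 3), binds the ciphertext to a key ID, record ID and the data's useful lifetime so it cannot be moved between records or silently outlive the card it describes (step 2), wraps the data key under a pass-phrase-derived key to produce an escrow copy suitable for removable media (step 7), and zeroes the plaintext buffer after use, which shortens but does not eliminate its time in memory, exactly the caveat the article makes. The PBKDF2 helper is hand-written so the example needs only the standard library; the card number, dates and pass phrase are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Record is one customer row as the application holds it in memory (constructed type).
type Record struct {
	ID      string
	CardNum string
	Expiry  time.Time // end of the card's useful lifetime
}

// Sealed is the only form that reaches disk or backup media: ciphertext plus the
// metadata needed to pick the right key and to recognise an expired record.
type Sealed struct {
	KeyID      string
	Expiry     time.Time
	Nonce      []byte
	Ciphertext []byte
}

// Escrow is the data key wrapped under a pass-phrase-derived key. This is what goes
// onto the physically secured removable media; the pass phrase is kept separately.
type Escrow struct {
	Salt, Nonce, WrappedKey []byte
	Iterations              int
}

var ErrExpired = errors.New("record is past its useful lifetime; destroy it rather than decrypt it")

// pbkdf2SHA256 is a hand-written PBKDF2 (RFC 8018) so the example stays standard-library only.
func pbkdf2SHA256(pass, salt []byte, iters, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, pass)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iters; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// NewDataKey generates a 256-bit data-encryption key (the key "strength in bits" the article refers to).
func NewDataKey() ([]byte, error) { return randBytes(32) }

// WrapKey produces the escrow copy of a data key under the given pass phrase.
func WrapKey(dek, passphrase []byte) (Escrow, error) {
	salt, err := randBytes(16)
	if err != nil {
		return Escrow{}, err
	}
	nonce, err := randBytes(12)
	if err != nil {
		return Escrow{}, err
	}
	e := Escrow{Salt: salt, Nonce: nonce, Iterations: 100000}
	aead, err := gcm(pbkdf2SHA256(passphrase, e.Salt, e.Iterations, 32))
	if err != nil {
		return Escrow{}, err
	}
	e.WrappedKey = aead.Seal(nil, e.Nonce, dek, []byte("escrow"))
	return e, nil
}

// UnwrapKey recovers the data key from escrow; a wrong pass phrase fails GCM authentication.
func UnwrapKey(e Escrow, passphrase []byte) ([]byte, error) {
	aead, err := gcm(pbkdf2SHA256(passphrase, e.Salt, e.Iterations, 32))
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, e.Nonce, e.WrappedKey, []byte("escrow"))
}

// aad binds a ciphertext to its key ID, record ID and expiry, so it cannot be moved
// to another record or given a longer lifetime without detection.
func aad(keyID, recID string, exp time.Time) []byte {
	return []byte(fmt.Sprintf("%s|%s|%d", keyID, recID, exp.Unix()))
}

// SealRecord encrypts the card number at the moment the record is written out.
func SealRecord(dek []byte, keyID string, r Record) (Sealed, error) {
	aead, err := gcm(dek)
	if err != nil {
		return Sealed{}, err
	}
	nonce, err := randBytes(aead.NonceSize())
	if err != nil {
		return Sealed{}, err
	}
	plain := []byte(r.CardNum)
	s := Sealed{KeyID: keyID, Expiry: r.Expiry, Nonce: nonce,
		Ciphertext: aead.Seal(nil, nonce, plain, aad(keyID, r.ID, r.Expiry))}
	for i := range plain { // shortens, but cannot eliminate, the plaintext's time in memory
		plain[i] = 0
	}
	return s, nil
}

// OpenRecord decrypts only while the data is still inside its useful lifetime.
func OpenRecord(dek []byte, s Sealed, recID string, now time.Time) (string, error) {
	if now.After(s.Expiry) {
		return "", ErrExpired
	}
	aead, err := gcm(dek)
	if err != nil {
		return "", err
	}
	plain, err := aead.Open(nil, s.Nonce, s.Ciphertext, aad(s.KeyID, recID, s.Expiry))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	dek, _ := NewDataKey()
	exp := time.Date(2012, 12, 31, 0, 0, 0, 0, time.UTC) // constructed card expiry
	s, _ := SealRecord(dek, "dek-2010-03", Record{ID: "cust-42", CardNum: "4111111111111111", Expiry: exp})
	fmt.Printf("on disk: key=%s expiry=%s ct=%x\n", s.KeyID, s.Expiry.Format("2006-01"), s.Ciphertext)
	card, err := OpenRecord(dek, s, "cust-42", time.Date(2011, 6, 1, 0, 0, 0, 0, time.UTC))
	fmt.Println("in lifetime:", card, err)
	_, err = OpenRecord(dek, s, "cust-42", time.Date(2013, 1, 1, 0, 0, 0, 0, time.UTC))
	fmt.Println("after expiry:", err)
	esc, _ := WrapKey(dek, []byte("constructed-escrow-pass-phrase"))
	_, err = UnwrapKey(esc, []byte("wrong pass phrase"))
	fmt.Println("escrow with wrong pass phrase:", err)
}
```

Two design points follow directly from the article: the key ID stored beside each record is what lets the "entire encryption infrastructure" be overhauled by re-encrypting under a new key without guessing which key protected which row, and keeping the expiry in the authenticated metadata means a backup tape recovered years later still refuses to yield data whose lifetime has ended.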

"The encryption hardware and software selected must be re-evaluated regularly, to make sure they are still providing the required protection," Rogers says. "Remember that encryption technologies can be rendered obsolete by events completely external to the enterprise. This may mean that the entire encryption infrastructure needs to be overhauled rapidly to ensure that PII remains appropriately confidential over its useful lifetime."

Similarly, he says, all policies governing the use of encryption and all procedures defining that use need to be periodically reviewed to attest to compliance and execution.

Dig Deeper: How to Encrypt Data

Preventing Identity Theft: Additional Steps to Secure Data

In addition to using encryption to protect data, businesses can take other simple steps to help keep that data from being used by criminals to perpetrate ID theft. Here are some of the simple steps that experts recommend:

  • Make sure your business computers have anti-virus and anti-spyware protection.
  • Make sure your network is protected with a firewall.
  • Keep software and browsers updated with security patches.
  • Educate employees about scams thieves use online, via e-mail, and over the phone to try to get them to divulge information that could give them the keys to your business' confidential data.

Preventing Identity Theft: Additional Resources

Ten Ways to Prevent Identity Theft from Staples.com
Tips for the business owner on how to secure employee and customer data.

Verizon Business RISK Team 2009 Data Breach Investigations Report
Telecommunications giant had its digital forensics team analyze more than 90 data breaches around the world that compromised more than 285 million records.

Ponemon Institute Fourth Annual Cost of a Data Breach Report
The Ponemon Institute reported that data breaches have a serious financial impact on businesses.

Symantec Internet Security Threat Report
Security software maker Symantec conducts ongoing analyses of threats impacting users of the Internet.

Insider Threat Research
Efforts underway at the CERT Program at the Software Engineering Institute, part of Carnegie Mellon University.
