How to Prevent Identity Theft in Your Business

How to Use Encryption to Fight ID Theft

The best way to protect PII in digital form is to use encryption. Secure Socket Layer (SSL) and its successor Transport Layer Security (TLS) are examples of technologies used to encrypt data that is transmitted over networks. Encryption should also be used to protect PII stored on disk, tape, CD-ROM, or any other type of media used to hold data when at rest, Rogers says. "Understand that encryption technologies do not defend against data being captured by the bad guys; rather, its aim is to make any data that falls into the wrong hands unintelligible and therefore useless," he adds.

More specifically, the computing time and resources needed to decipher and then subsequently use encrypted data is presumed to be significantly longer than the lifetime of that data. "It's analogous to using a paper shredder -- someone could get their hands on all those paper scraps, and spend time fitting them back together, but the point is it would take most people way too long for this to be of much use," Rogers says. "The arms race, pitting the sophistication and configuration of encryption technologies against the resources and ingenuity of an adversary, is never-ending, though."

Encryption technology is available for businesses in a variety of products today. But even after you select a product you need to continue to evaluate the market because encryption technologies get stronger and stronger every year, because adversaries continue to look for and find new methods to defeat encryption. This means that a well-researched and informed decision today may turn out to be a poor choice in the not-too-distant future.

With encryption technology, you use what are called keys to decrypt your data, so, secondarily, the management of these keys is also important, Rogers says. Deciding who "owns" these keys and who can access them must reflect the needs of the business, the practicalities of personnel changes, and the awareness of insider threats.

Rogers recommends taking the following steps to protect your business data with encryption:

Identify Data Requiring Encryption. Undertake a risk analysis of all your business' information assets. The data that is most important to the business mission, or otherwise specifically required by governance, are prime candidates for encryption in order to enhance their level of confidentiality.

Determine Information Lifetime. Once these information assets have been identified, their useful lifetime must be determined. For example, in the case of a credit card, the combination of the credit card number, its expiration date, and Card Verification Value (CVV) code have a lifetime that ends at that card's expiration date.

Select Appropriate Encryption Technologies. In order to decide which encryption technology is appropriate to use to guard an information asset, you must consider its useful lifetime and the way it is organized. For example, Rogers says, a database containing customer information could have each record encrypted as it exists on disk. One approach is to use an appropriately strong full-disk encryption (hardware- or software-based) to protect that information as it resides on disk. Another is to encrypt each record as it is written to disk by ensuring the applications that use that information asset are using appropriate encryption software. A different, and again appropriately strong, encryption technology is needed to protect copies of that information -- called backups -- that reside on tape, CD-ROM or DVDs, or any other media. This protects against lost of customer information through theft of those backups. Finally, customer data that is being processed by an application and resides in physical or virtual memory also needs to be secured. The technologies used here need to reduce, but cannot eliminate entirely, the amount of time when the unencrypted form is potentially visible to an adversary. Management of virtual and physical memory, all temporary files created by an application, and any additional unencrypted information access points must be thoroughly examined, understood, and secured appropriately.

Set Policies and Procedures. Write new or update existing organizational policies regarding appropriate use of encryption technologies and related assets (pass phrases, escrowed keys, and revocation information). Write or update procedures describing how these technologies and assets are used, modified, and destroyed.

Identify Encryption Key Access Criteria. All encryption technologies use one or more keys as part of the encryption and decryption process. The strength of these keys–usually measured in bits–as well as the owners and users of these keys must be determined. Many technologies further guard keys with passwords and pass phrases which would also need to be created. Follow all governing policies and procedures.

Install Encryption Technology. The selected technologies must be installed and configured and appropriate access granted as needed. This may mean that applications need to be changed to incorporate these technologies.

Create Keys and Key Escrow Mechanisms. Some encryption technologies provide a method to render a key obsolete, and often require the pass phrase used to create the key to do so. Once the keys and their related pass phrases are created, the information needed to make the key obsolete, along with clear text versions of pass phrases and the created keys, should be escrowed. One suggested escrow method is to copy all of this information to removable media and then physically secure that media. Access to these physically secured copies must be highly controlled. The originals from whence copies were made should be appropriately destroyed in accordance with all appropriate data destruction requirements. Copies needing to be destroyed in the future should be destroyed using the same methods and technologies. These methods used are governed by policies and described in procedures.

Train Users. Train users to operate the technology in conformance to all appropriate policies and in line with all relevant procedures. Included in this training must be the method by which the appropriate authorities in the enterprise are notified of any anomalous activity detected by any user.

"The encryption hardware and software selected must be re-evaluated regularly, to make sure they are still providing the required protection," Rogers says. "Remember that encryption technologies can be rendered obsolete by events completely external to the enterprise. This may mean that the entire encryption infrastructure needs to be overhauled rapidly to insure that PII remains appropriately confidential over its useful lifetime."

Why Hackers Love Small-Business Networks

Alphabet Soup: What are WEP and WPA?

Providing a Safety Net for Confidential Data

New Ammo to Battle Online Fraud

What to Look for in a Data Encryption Solution

Device Detection Protects Your Site from Fraud

No Downturn for Privacy Practices

The Basics: What is Encryption?

Sign-up for our Technology Newsletter

FROM OUR PARTNERS

Select Services

Forced to pay more?: Salesforce costs up to 65% more than Microsoft Dynamics CRM. Compare.
Collaborate in the cloud with Office, Exchange, SharePoint and Lync videoconferencing.: Begin your free trial at Microsoft.com/office365
Get on the same page: Show and tell by sharing your screen instantly at join.me. Free.
Shred No-Handed!: Hands Free Shredding From Swingline Lets You Do More Productive Things!
Winning new customers?: SMB experts share their secrets at PersonallyPB.com/smb
Turn Fans into Customers: Social Campaigns from Constant Contact. Sign up now - it's free!

Start-up \| Mondays News, trends, and tactics to help you launch your business idea today.	Technology \| Thursdays Keep up with (and make sense of) business technology trends and tools available today and tomorrow.
Small Business Success \| Mondays and Thursdays Grow fast, beat the competition, and take off with actionable advice and personal stories from serial entrepreneurs, experts, and others who have done it before.	The Goods: Your Business Toolbox \| Thursdays We vet new gadgets and offerings to make it easier for you to run your business better.
Finance \| Tuesdays How to raise capital, set budgets, price products, account properly, and map out an exit strategy.	Innovation \| Fridays Stay sharp with cutting-edge ideas, insights, and strategies for entrepreneurs.
Leadership & Managing \| Tuesdays Everything you need to know about hiring, team building, and company culture to take your business to the next level.	Inc. Wire \| Daily The news—from all over the web—entrepreneurs need to know now.
Sales & Marketing \| Wednesdays Brand, market, and sell your product or service, and how to use the latest apps, social media, and mobile devices to do it.

Email address:

Login using:

Or login directly through Inc.com

Subscribe to Inc.com's Free Newsletters

How to Prevent Identity Theft in Your Business

Read more:

Sign-up for our Technology Newsletter

Select Services

Join our community

Login using:

Or login directly through Inc.com

Use your Inc.com account:

Forgot login ?

Create an Inc.com account:

Subscribe to Inc.com's Free Newsletters

How to Prevent Identity Theft in Your Business

Read more:

Sign-up for our Technology Newsletter

Select Services