Protecting Your Business From Identity Theft
If you've ever dreamed of having the global media focused on your business, camped on your doorstep, scrambling for an interview, and hanging on your every word, then you might want to be careful what you wish for. Most small business owners like to be in the news, but when the global media descended on the owners of a small Hauppauge, New York software business on the morning of November 25, 2002 it was for all the wrong reasons. The federal authorities had just announced to the national media that the biggest case of identity theft in American history had been traced to information stolen from that small business.
But as journalists and news reporters swamped the company with cameras and questions, the worst news was yet to come. More than 30,000 victims had their identities compromised as a result of personal credit information pilfered from the business, and the FBI identified the mastermind behind the crime as one of the company's own 65 employees. The 34-year-old former employee was alleged to have used an old password to steal customer passwords and account data and then sold the information to street-corner criminals one account at a time.
So far, losses have been estimated at more than $100 million but are expected to increase significantly, as is the number of victims. There are as yet no estimates of the long-term damage to the company and its reputation. According to Manhattan U.S. Attorney James Comey, "With a few keystrokes, these men essentially picked the pockets of tens of thousands of Americans and, in the process, took their identities, stole their money and swiped their security."
The New York incident was a wake-up call for those business owners who believed that they had little to fear from the threat of cybercrime and identity theft. It also confirmed claims security experts have been making for a number of years – that the small business could be the biggest victim of cybercrime, and that the threats can come from anywhere. Even your own employees. As a small business owner there are many things you can do to minimize the risk of facilitating an identity theft crime, and to minimize the loss if your security precautions fail.
Learn to Think Security First!
Recognize the risk, and prioritize your protection. Given all the focus on cybercrime in the last few years it's easy to become complacent and fatigued every time a new story hits the headlines. But cybercrime is not going away any time soon, and identity theft is likely to become the single biggest threat to your small business.
"The Fair and Accurate Transactions Act (FACTA) was passed to help protect all of us against identity theft. But, a single provision in this new law opens up small employers, even those with a single employee, to lawsuits if they do not properly destroy (i.e., shred) any documents or papers containing personal information about their employees before throwing it away."
– Dr. Jeff Cornwall of Belmont University's Center for Entrepreneurship
Business owners need to start developing and implementing a security strategy today to ensure that they're not tomorrow's headline. Key to good security is learning to Think Security First! so that security awareness is as second-nature as being polite to customers, and kicks in automatically in every business decision and action.
Have a Clear Security Policy and Strategy
Small business owners need to create a company-wide security policy that clearly states what the company security rules are, and the consequences for failing to obey them. This helps deter would-be thieves, alerts all employees to the need for security, and can offer some protection in case of any legal action. Your business also needs a clear security strategy for protecting the data that identity thieves are after. A basic security strategy should include setting access rules and controls, the use of security technologies, regular security testing and assessment, employee training, employee background checks, and incident response.
Conduct Regular Assessments
Business owners need to familiarize themselves with what identity thieves are after, and how they get to those targets. Even a simple risk assessment can highlight what security measures are in place, how well they're working, and what needs improvement. Regular assessments are a simple but effective way to discover security vulnerabilities before someone else does.
Conduct Regular Testing
Even if you feel you have locked down key vulnerabilities, it's always helpful to test security to make sure your assumptions are correct. It's especially important to test employee awareness and vigilance – to make sure employees are not opening suspicious email attachments, not creating weak passwords, and not ignoring obvious warning signals.
Control Access and Keep Logs
The fewer employees who have access to sensitive files, the lower the risk of security abuse. So restrict access to sensitive files to those who need it by creating access lists that state clearly who has access to which files, and under what circumstances. For example, there are technologies today that can restrict what an employee can do with a computer record, prohibiting them from opening it, saving it to another drive, making a copy, printing it, or emailing it.
Access logs are also a great deterrent, as well as powerful evidence if a crime is committed. When employees know that their access to certain files is being recorded they may be less inclined to misuse that access. That's why it's important to keep logs of access to all sensitive files, make sure all employees know that the logs are in use, and make sure that employees cannot interfere with or circumvent those logs. It's also important to keep secure back-ups of all logs in case they need to be referred to months or even years later.
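The two points above, an explicit access list and an access log that employees cannot quietly alter, can be put together in a small amount of code. The following is an added example, not code from the article: the roles, record types and key are constructed, and the design is a standard one (an HMAC chain, where each log entry is tagged over its own contents plus the previous entry's tag, so that editing or deleting any entry breaks every tag after it). The key is meant to be held by the owner, not by the staff being logged, and the latest tag is meant to be copied off the machine with the log backups so that a log whose tail has been cut off is also detected.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed access list (hypothetical): role -> record type -> permitted actions.
# Anything not listed here is denied, which keeps "who can do what" explicit.
ACCESS_LIST: Dict[str, Dict[str, set]] = {
    "payroll_clerk": {"employee_records": {"read"}},
    "billing": {"customer_accounts": {"read", "update"}, "card_records": {"read"}},
    "owner": {
        "employee_records": {"read", "update"},
        "customer_accounts": {"read", "update"},
        "card_records": {"read", "update"},
    },
}

ANCHOR_TAG = "0" * 64  # tag the very first entry is chained to


def is_permitted(role: str, record_type: str, action: str) -> bool:
    """Look the request up in the access list; the default is deny."""
    return action in ACCESS_LIST.get(role, {}).get(record_type, set())


def compute_tag(key: bytes, prev_tag: str, entry: dict) -> str:
    """HMAC-SHA256 over the previous tag plus a canonical JSON form of the entry
    (without its own tag). Binding each entry to its predecessor is what makes
    edits and deletions in the middle of the log detectable."""
    body = json.dumps({k: v for k, v in entry.items() if k != "tag"}, sort_keys=True)
    return hmac.new(key, (prev_tag + body).encode("utf-8"), hashlib.sha256).hexdigest()


class AccessLog:
    """Append-only log of access decisions. The HMAC key is held by someone
    other than the staff whose access is logged (e.g. the owner), so a person
    who can reach the log file cannot rewrite it and re-tag the entries."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[dict] = []
        self._prev_tag = ANCHOR_TAG

    def record(self, user: str, role: str, record_type: str, action: str,
               purpose: str, permitted: bool, timestamp: str) -> dict:
        entry = {
            "timestamp": timestamp, "user": user, "role": role,
            "record_type": record_type, "action": action,
            "purpose": purpose, "permitted": permitted,
        }
        entry["tag"] = compute_tag(self._key, self._prev_tag, entry)
        self.entries.append(entry)
        self._prev_tag = entry["tag"]
        return entry

    def latest_tag(self) -> str:
        """Store this off the machine, with the log backups: it lets a later
        check detect truncation of the log's tail, which the chain alone cannot."""
        return self._prev_tag


def request_access(log: AccessLog, user: str, role: str, record_type: str,
                   action: str, purpose: str, timestamp: str) -> bool:
    """Check the access list and log the decision either way. Denied attempts
    are logged too: they are often the earliest sign that someone is looking
    at records they have no business with."""
    permitted = is_permitted(role, record_type, action)
    log.record(user, role, record_type, action, purpose, permitted, timestamp)
    return permitted


def verify_log(entries: List[dict], key: bytes,
               expected_last_tag: Optional[str] = None) -> Optional[int]:
    """Re-walk the chain. Returns the index of the first entry whose tag does
    not verify, or None if the log is intact. If the last tag kept off-box is
    supplied, a silently truncated log is reported as a failure at
    index len(entries)."""
    prev = ANCHOR_TAG
    for i, entry in enumerate(entries):
        if not hmac.compare_digest(compute_tag(key, prev, entry), entry.get("tag", "")):
            return i
        prev = entry["tag"]
    if expected_last_tag is not None and not hmac.compare_digest(prev, expected_last_tag):
        return len(entries)
    return None


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-the-real-one-off-box"  # constructed value
    log = AccessLog(key)
    request_access(log, "alice", "payroll_clerk", "employee_records", "read",
                   "monthly payroll", "2002-11-01T09:00:00Z")
    request_access(log, "alice", "payroll_clerk", "card_records", "read",
                   "none given", "2002-11-01T09:05:00Z")
    print("log intact:", verify_log(log.entries, key) is None)
```

The owner (or whoever holds the key) runs `verify_log` against the backed-up copy on a schedule; a non-None result names the first entry that no longer matches, which is where the investigation starts.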
Teach Employees About the Risks and Their Need to Be Vigilant
Your employees are your first line of defense against external and internal crimes. The more they know about security, about the signs of a crime, and about how to respond, the less vulnerable your business will be. Introduce regular security training sessions to teach employees about their role and keep security fresh in their minds.
Encourage Reporting by Fellow Employees
The best sentries against a crime by an employee are fellow employees. And while many employees might be reluctant to think of themselves as spies, they must be made aware of the risk to their workplace and to their jobs from insider crimes, and of how important it is to report suspicious behavior by fellow employees. To help ensure that employees take security seriously, it's always helpful to make a personal connection — that cybercrime costs money and threatens jobs. If an employee suspects a co-worker is engaging in risky or criminal behavior, he or she is more likely to report that worker if they believe that behavior may have an impact on their job security.
Focus Your Security on ID Theft Targets
ID thieves need very specific information in order to launch an effective ID theft. The most valuable information is a Social Security number — yours, your customers' and your employees'. Other target information includes credit card data, bank accounts, and family information. That's why it's so important to identify the type of information thieves target, and where you store it, so you can focus most of your security on it. Prime targets are customer accounts, credit card records, and employee records.
These records should ideally be:
- Stored on a secure computer that is not connected to the internet.
- Kept in a room that is secure.
- Protected by strong passwords.
- Encrypted.
- Available only to those who absolutely need access and who have been approved.
It's also important to keep accurate records of who accesses the information, when, and for what purpose. Printed records also need strong physical security, including theft-proof data safes (and don't hide the key in a nearby drawer).
Use All the Available Technologies
Firewalls, anti-virus protection, and spyware prevention on every computer, including home computers and laptops, will help keep external hackers out. Encrypting sensitive files like credit card records can help protect them from insiders, or if thieves get past the firewalls. And a good password management system can help ensure that poor passwords are not exploited.
Have an Incident Response Plan
The worst case is that despite all your security precautions a determined thief or dishonest employee manages to steal confidential information and launch an identity theft. Now the press is on the phone, and worried customers are threatening to take their business elsewhere. How much the incident will ultimately cost your business will depend largely on how well you respond.
That response should include how any digital forensic evidence is preserved, including log files and emails; informing the appropriate authorities, including the FBI; how you deal with the suspected or accused employee (make sure you have good legal advice); responding to worried customers; and dealing with the press.
Think About Credit Monitoring
One of the greatest and most affordable employee benefits is credit monitoring. Even if your employees never have to use it, credit monitoring can offer valuable peace of mind to your employees for very little investment. And if employee information is ever stolen or compromised in your business, good credit monitoring can significantly reduce the short- and long-term financial and emotional impact, for you and your employees.
Don't Ignore Legal and Compliance Issues
The surge in data breaches in the last five years has resulted in a wave of federal and state regulations designed to force businesses of all sizes to better protect their data and their customers. Compliance requirements like the Payment Card Industry Data Security Standard (PCI DSS) and the FACTA Red Flag rules may also apply to your business, even if it's a very small business. Not only can these regulations be costly to implement, they may cost even more if you don't comply, or worse, if you have a security incident or data breach. And of course, apart from the federal data protection laws, most states now have their own data protection and identity theft laws to protect consumers.