Could Your Employees Be Corporate Thieves?

Individual and corporate need for ID theft protection is only likely to increase, experts agree, as the economy continues to stress American workers.

In 2008, 9.9 million cases of identity theft were reported, up from 8.1 million in 2007, reports the fifth annual study by Javelin Strategy & Research. Corporate information is at a heightened risk as mass layoffs continue to leave disgruntled former employees desperate for money. What's more, companies are actually spending less to safeguard sensitive information. These factors could cause massive destruction, whether with malicious intent or not, to company reputations and their bank accounts.

"Layoffs and mergers create new challenges when it comes to keeping data secure. To make matters worse, tightening budgets are causing many organizations to cut back on security spending - just when they really need to be upping the ante in terms of data security measures," says Jeremiah Miller, director of the Investigation and Restoration Center at Tennessee-based Kroll Fraud Solutions. He understands from personal experience that all too often the first thing companies cut in tough times is security spending.

Despite the growing epidemic, the corporate community fails to pay these risks their full due with many still insisting that a firewall makes them immune from outside threats and inside negligence. In other words, companies don't assign the appropriate weight to security investments as they should.

"Overall, human resources does not acknowledge how explosive and sensitive the information that we have is," says Skip White, corporate HR manager for SA Recycling in Anaheim, Calif. White, who has had trouble in the past convincing upper management of the severity of the issue, suggests presenting the urgent need for funding for and employee training against ID theft in terms they can understand: money and reputation.

Michigan's Ponemon Institute investigated 43 organizations and found that the average cost of rectifying a breach was $6.6 million per incident. Merely sharing this information number with upper management might be enough to convince the company's decision makers to forego curtailing identity theft prevention software and strategy efforts and reconsider investing further capital to ensure their system is secure.

"Be careful about scrimping on security," says Cisco IronPort product manager Sean Tippett. "There are e-mail security systems out there that are less expensive, but if one of these malicious emails gets through and is able to infect a network, essentially all the savings that you had achieved are blown away in a matter of seconds."

EBA compiled eight pieces of advice from industry experts and concerned HR managers on protecting both the company and individual employees from the seemingly ever-widening identity theft threat.

What's more these experts offer their best advice for both groups in the event the worst does come to pass and they find themselves a victim of identity theft.

The basics

If your company stores information on paper, storing files under lock and key is a must. As is setting up a sign-in, sign-out policy where an employee's entrance is monitored by a keypass, badge or something comparable. The most common mode by which insiders steal information is by copying it onto a DVD or thumbnail drive. Forbidding personal laptops, thumbnails and the like from data storage rooms may be something to take into consideration.

Authentication

Installing a risk-based authentication approach and tracking employee activity when in contact with sensitive data is imperative. Ensure that administrators operate on an "as needed" basis and have unique IDs. Also, installing a limit on retrieving information can help ensure that data stays within company firewalls. Supplementing strong passwords (for example, those that mix alpha-numeric characters and punctuation marks) with security questions and image recognition software is also advised.

Certain theft prevention software analyzes the behavior of an employee by examining the pattern by which they type their password, whether or not information was accessed on an authorized machine, the geographic location of that machine and the time of access. Audit trails that track and report all activity, including help desk calls, should be stored for six months, as specified by HIPAA. If nothing else, employers should remember that "trust is not a security policy," says Gordon Rapkin, CEO of Connecticut's Protegrity Corporation.

Training your staff

Experts cited employee ignorance of ID theft as the No. 1 corporate vulnerability. According to the Ponemon Institute study, 88% of data breaches reported in 2008 were caused by insider negligence. Annual training meetings are advisable, as well as periodic reminders from HR advising employees to keep up with software updates and dissuading them from downloading games or music online.

While encrypting emails is a good measure of protection, you can fortify your data with email protocols. By flagging emails as not to be forwarded or marking messages as confidential, you can help avoid common miss-mailings.

Your company's safety is incumbent upon the knowledge and wariness of your employees, therefore diligent security training and enforcement should not be taken lightly. "Unfortunately, the weakest link in a company's security is the human aspect," says Matthew Cullina, CEO of Arizona-based Identity Theft 911, whether the threat originates from malicious intent or simple negligence.

Remote access

VPN or remote access is only as good as the wireless network it relies on, which can be easily cracked. For this reason, many IT departments have disabled Wi-Fi access in their offices. Protecting delicate information outside the office, however, can be much trickier. Many a laptop has been stolen from the backseat of a locked car. Employees should be constantly reminded not to leave laptops with company data unattended.

Outsourcing

To save yourself needless headaches, only collect the information you need. Treat personal information, such as social security numbers and birthdates, as liabilities and maintain as little data as necessary.

If you outsource information, Cullina recommends housing your data within the U.S., Canada or Western Europe. Outsourcings to sites in India or the Philippines, for example, are nearly impossible to audit. This advice is especially relevant to small business owners who often outsource HR responsibilities and lose control of information, as it is effectively out of their hands - a dangerous prospect.

Hiring and Firing

The security process begins before an individual is even hired. Background checks are essential in ensuring a loyal and trustworthy workforce. Furthermore, the applications from those not hired should be shredded and destroyed.

If an employee is terminated, IT should turn off their email accounts and null their passwords immediately. Insisting that laid-off employees sign a confidentiality agreement is also recommended. Keycards and other information pass tools should be confiscated, and depending on the level of security the individual previously held, physically escorting them from the building may be wise. Experts also recommend escorting visitors to the bathroom, for the same reason.

Before any firings take place, the company should have an exit strategy in place where IT and HR are in tune so each knows what should and will be destroyed and what information to keep. For example, the IT department should be aware that they cannot deactivate a former employee's insurance provider identification due to COBRA.

Purging data

To avoid dumpster divers, shred and bleach paper records when they are no longer needed. Follow strict deadlines for information destruction. For example, after an I-9 form reaches its maturation the document should be annihilated along with any back-ups.

For electronic data, running a digital shredder once files expire is required, as hackers begin their search for sensitive information in the trash.

Have a security policy in place

It's always important to not only have a security plan in place, but also a response plan in case the worst does happen. Questions you should ask include:

Who will review the policies and procedures on a predictable timetable?

What are your physical and electronic security elements? How are they tested?

Unfortunately, even if all the preceding advice is rigorously followed, companies will never lose the giant bull's eye implanted on their private information.

"The trouble with ID theft is that there is no magic bullet, no 'if you follow these steps you're going to be immune,'" says Justin Yurek, president of ID Watchdog in Denver. An Employer's only hope is to have a back-up plan in place.

When generating a response plan, be familiar with your state's security laws as nearly all have security breach laws, and there has been a generous uptick in state privacy laws. Federal requirements as well as legal issues tied to identity theft also require compliance.

Oftentimes, it is also suggested that a company provide a free identity monitoring service for employees and customers. Providing remedial support or even voluntary ID theft specific insurance coverage for employees is increasingly recommended as productivity will suffer if they are forced to take care of their personal informational breach on their own.

Hiring external support, especially before and during mergers, is also strongly recommended no matter if your records are stored traditionally or electronically. Finally, your company has taken the necessary steps to protect your personal data, it follows that you should hold vendors and partners to the same standard so the investment is not all for naught.