Identity theft is on the rise. Is your organization part of the solution or part of the problem? Personally identifiable information (PII) is pouring through the security floodgates and ending up in the wrong hands at an alarming rate.
To protect your organization's employees and clients, you need to evaluate how well your company protects its PII. Here are seven common mistakes to avoid.
Keep users in the dark
Users will always be the weakest link in any enterprise network — and all of the gadgets and controls in the world won't change that. If your users don't know how to identify and handle PII, it's only a matter of time before one of them discloses this data to the wrong source.
The solution is simple: Educate your users on your company's policies and mechanisms to process PII. And don't forget to include regularly scheduled refresher courses.
Partner with the wrong businesses
You've made sure your security is rock solid, and you've trained your users. But can your business partners say the same? Do you collect or share information with businesses that have little or no security?
If your company collects and shares PII with insecure partners, who do you think will end up in the paper and explaining to law enforcement about how a breach occurred? Your company will.
The solution is just as simple as the last dilemma: Educate and train your business partners on how to protect this sensitive information. Charge them for your expertise if you want, but get the job done.
Keep data around past its prime
What do you do with data once it's served its purpose? If you aren't destroying PII when it's no longer required, then you're not doing your job. That doesn't mean throwing it away either — that means destroying it.
Dumpster divers make a living off of old bank statements and credit card receipts. That's why you need to wipe out PII when it's no longer necessary. If your organization doesn't have a shredder, you need to get one today.
Don't worry about physical security
It's imperative that you implement physical access controls to prevent unauthorized people — including employees — from gaining access to PII. Get a door lock and a badge reader, and start controlling access.
Don't lock up your records
If you don't have specific storage areas on your network (as well as file cabinets) for PII, then how can your properly protect it? Take inventory of your network — and your paper copies — and develop a plan to protect that data. This would be a good time to research encrypting data-at-rest and locking some file cabinets.
Ignore activity on your network
I've said this before in columns, but it's worth repeating: If you're not going to actively monitor your network for suspicious activity or incidents, then stop collecting the data. Develop a method that's within your capabilities and budget to monitor your network for suspicious activity or incidents. And while you're at it, develop a response and mitigation strategy for security incidents.
Audits? Who needs audits?
A lot of businesses either don't know what security events to audit or don't read their security logs — or both. If you're not sure which events to audit, find out. Set up security auditing, and start reviewing your logs today.
Identity theft may be on the rise, but you don't have to make it easy for thieves. You can help prevent identity theft both at home and at the office — you just need to take a few extra steps.
Miss a column?
Check out the Security Solutions Archive, and catch up on the most recent editions of Mike Mullins' column.
Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.
Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.