
Prevent identity theft by avoiding these seven common mistakes

Identity theft may be on the rise, but you don't have to make it easy for thieves -- take steps to protect the personally identifiable information (PII) of your employees and clients. You can start by avoiding these seven mistakes.

Identity theft is on the rise. Is your organization part of the solution or part of the problem? Personally identifiable information (PII) is pouring through the security floodgates and ending up in the wrong hands at an alarming rate.

To protect your organization's employees and clients, you need to evaluate how well your company protects its PII. Here are seven common mistakes to avoid.

Keep users in the dark

Users will always be the weakest link in any enterprise network -- and all of the gadgets and controls in the world won't change that. If your users don't know how to identify and handle PII, it's only a matter of time before one of them discloses this data to the wrong source.

The solution is simple: Educate your users on your company's policies and mechanisms to process PII. And don't forget to include regularly scheduled refresher courses.

Partner with the wrong businesses

You've made sure your security is rock solid, and you've trained your users. But can your business partners say the same? Do you collect or share information with businesses that have little or no security?

If your company collects and shares PII with insecure partners, who do you think will end up in the newspaper, explaining to law enforcement how the breach occurred? Your company will.

The solution is just as simple as the last one: Educate and train your business partners on how to protect this sensitive information, and put your minimum requirements in writing before you share anything. Charge them for your expertise if you want, but get the job done.

Keep data around past its prime

What do you do with data once it's served its purpose? If you aren't destroying PII when it's no longer required, then you're not doing your job. That doesn't mean throwing it away either -- that means destroying it.

Dumpster divers make a living off of old bank statements and credit card receipts. That's why you need to wipe out PII when it's no longer necessary. If your organization doesn't have a shredder, you need to get one today. The same goes for retired hard drives: wipe them or physically destroy them, don't just discard them.

Don't worry about physical security

It's imperative that you implement physical access controls to prevent unauthorized people -- including employees -- from gaining access to PII. Get a door lock and a badge reader, and start controlling access.

Don't lock up your records

If you don't have specific storage areas on your network (as well as file cabinets) for PII, then how can you properly protect it? Take inventory of your network -- and your paper copies -- and develop a plan to protect that data. This would be a good time to research encrypting data at rest and locking some file cabinets.

Ignore activity on your network

I've said this before in columns, but it's worth repeating: If you're not going to actively monitor your network for suspicious activity or incidents, then stop collecting the data. Develop a method that's within your capabilities and budget to monitor your network for suspicious activity or incidents. And while you're at it, develop a response and mitigation strategy for security incidents.

Audits? Who needs audits?

A lot of businesses either don't know what security events to audit or don't read their security logs -- or both. If you're not sure which events to audit, find out. Set up security auditing, and start reviewing your logs today.
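As an added example, not part of the original column, here is a small review script that runs over a handful of constructed audit log lines and flags three of the things the two sections above say to watch for: repeated failed logons from one source, access to PII storage outside business hours, and a successful logon by an account that should have been disabled. The log format, field names, the /pii/ path, the failure threshold, the business-hours window and the terminated-account list are all assumptions for illustration, not the format of any real product.

```python
"""Added example: review audit log lines for the signals the article says to watch for.

Everything here is constructed for illustration: the syslog-like line format, the
/pii/ share path, the thresholds and the list of terminated accounts are assumptions.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample audit records (assumed format, not from any real system).
SAMPLE_LOG = """\
2024-03-04T08:55:12 auth host=fs01 user=alice src=10.0.5.23 result=FAIL
2024-03-04T08:55:14 auth host=fs01 user=alice src=10.0.5.23 result=FAIL
2024-03-04T08:55:17 auth host=fs01 user=alice src=10.0.5.23 result=FAIL
2024-03-04T08:55:20 auth host=fs01 user=alice src=10.0.5.23 result=FAIL
2024-03-04T08:55:23 auth host=fs01 user=alice src=10.0.5.23 result=FAIL
2024-03-04T08:55:30 auth host=fs01 user=alice src=10.0.5.23 result=OK
2024-03-04T09:10:02 file host=fs01 user=bob path=/pii/payroll/2024.xlsx action=read
2024-03-04T23:41:55 file host=fs01 user=carol path=/pii/clients/ssn.csv action=read
2024-03-04T23:42:10 file host=fs01 user=carol path=/pii/clients/ssn.csv action=copy
2024-03-04T12:00:00 auth host=fs01 user=dave src=10.0.7.9 result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\w+) (?P<fields>.*)$")

# Assumed review policy.
FAIL_THRESHOLD = 5            # failed logons from one (user, source) pair before we care
PII_PREFIX = "/pii/"          # assumed location of the PII storage area
BUSINESS_HOURS = range(7, 19) # 07:00-18:59 local time
TERMINATED = {"dave"}         # assumed: accounts HR says should already be disabled


def parse_line(line):
    """Turn one 'timestamp kind key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m.group("ts")), "kind": m.group("kind")}
    for kv in m.group("fields").split():
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    """Parse all well-formed lines, silently skipping anything that does not match."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def find_findings(records):
    """Return a list of (finding, user, detail) tuples for the records given."""
    findings = []
    fails = Counter()
    for r in records:
        if r["kind"] == "auth":
            if r.get("result") == "FAIL":
                fails[(r.get("user"), r.get("src"))] += 1
            elif r.get("result") == "OK" and r.get("user") in TERMINATED:
                findings.append(("terminated-account-login", r.get("user"), r.get("src")))
        elif r["kind"] == "file" and r.get("path", "").startswith(PII_PREFIX):
            if r["ts"].hour not in BUSINESS_HOURS:
                detail = f"{r.get('action')} {r.get('path')}"
                findings.append(("after-hours-pii-access", r.get("user"), detail))
    # Brute-force style: many failures from one source, reported once per pair.
    for (user, src), n in fails.items():
        if n >= FAIL_THRESHOLD:
            findings.append(("repeated-failed-logins", user, src))
    return findings


if __name__ == "__main__":
    for finding in find_findings(parse_log(SAMPLE_LOG)):
        print(*finding)
```

On the sample above the script reports carol's two after-hours reads of the SSN file, dave's logon on an account that should be disabled, and alice's five failed attempts from 10.0.5.23 (followed by a success, which is worth a phone call). The point is the habit, not the script: decide which events you audit, write the questions you want answered as checks, and run them on a schedule.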

Final thoughts

Identity theft may be on the rise, but you don't have to make it easy for thieves. You can help prevent identity theft both at home and at the office -- you just need to take a few extra steps.

20 comments
info

We use click2call caller ID to prevent unauthorized use and to get caller IDs for follow-up and security! Great service at www.2callus.com

Jake Cola

Identity theft is something that happens to the other guy, right? Always. Just who is that 'other' guy? It's he or she who doesn't assume a defensive posture because, well, it's something that happens to the 'other' guy. Unfortunately, most people don't visit a physician, change lifestyles, or eat better until something goes wrong. When conditions are homeostatic, people tend to ignore prevention until the illness-thief creeps in and changes everything. Checking organizational health measures the balance and effect of many different internal conditions - the equivalent of a physical. Some of those include:

1. The hiring process. Do new employees undergo extensive background checks? Is a profile immediately disabled when someone (anyone) terminates employment?
2. Does I.T. have a policy in place? Is it kept up-to-date and are employees given personal introductions to the policy? Do standard operating procedures (S.O.P.'s) provide for routine 'check-ups' like workstation audits, performance review, and workstation tidiness?
3. Are employees allowed to take work home?
4. Is network auditing routinely reviewed?
5. Are USB ports on workstations disabled? Do workstations have CD or DVD drives enabled?
6. Are workstations routinely canvassed for rogue software? Does I.T. depend on one level of protection, layered, or grey-listing?
7. Is a disaster plan in place?
8. Are confidentiality agreements in use and, if so, has every person accessing I.T. equipment completed one, including employees?
9. Are failed hard drives simply discarded or physically destroyed?
10. Is workstation internet access limited to only those sites necessary to conduct business?

There are many, many more areas where weaknesses hide. Set aside time to regularly review your operation and, at the same time, improve the chances for avoiding unauthorized access to important data. Remember these two important points:

1. Theft of any kind is often an inside job.
2. A company's reputation is only as good as its security.

e_asenbauer

How may I find a keystroke logger program?

rvk

And how, pray tell, does one convince a bank that it is not good practice to require users to use their SSN as the users login name? I tried pointing out that not only was this inviting identity theft, but it was an irregular use of SSN that was at best highly questionable. I was told my issues were noted and could possibly be addressed in a future release of their web software!!!

Craig Herberg

"Prevent identity theft" is a wonderfully lofty goal. These are all good recommendations to "mitigate risk of identity theft." Some good additions include providing the least amount of access to the fewest number of people and reviewing data needs BEFORE collecting. Good article -- unfortunate headline. Craig Herberg http://info-safety.com
