Identity theft is one of the most commonly reported cybercrimes, and one that can have devastating personal and professional effects. One could argue that any crime that involves using someone else's credentials - whether through a brute force attack, social engineering, or intercepting and decrypting passwords in transit - constitutes a form of identity theft. But what we usually mean by the phrase is the use of someone else's identifying information (name, date of birth, social security number) to conduct financial transactions - opening a bank account, applying for a credit card, buying things, or signing up for a service - without that person's consent.
Identity vs. reputation
In the online world, the general consensus about what constitutes identity covers a broader scope. The term is often used to refer to what would more accurately be called reputation. In that sense, not only does an individual have an identity that can be stolen, but so does your company or organization. When an attacker hijacks your Twitter account and sends out tweets that you would never send, that attacker is impersonating you and misappropriating your online identity. When an attacker hacks into your website and replaces a web page that represents your company to the world with one carrying a different message, in a sense that attacker is assuming your company's identity.
There are subtle - but also effective - ways that an attacker can damage your company's reputation or that of its officers and employees. For example, he could hijack the person's or organization's Facebook page or other social networking account and post information there that's detrimental to the company's reputation. Or he could just create a profile in the name of the company and/or its representatives and post whatever he wants there.
As an IT pro, it's your job to protect the identities and reputations of the organization, its individual members/representatives, and yourself. How do you do that?
We know that prevention is always better (and usually less expensive) than cure, and taking steps to protect against identity theft and/or damage to reputation is usually easier than cleaning up the mess after it happens. We've all heard the horror stories of individuals who have spent years attempting to undo the black marks on their credit reports after being victimized by identity thieves. Similarly, some companies have never recovered after an embarrassing website defacement or have had to hire expensive reputation management companies to repair the damage.
Preventing identity theft in both the narrow and broader senses relies on the same set of security measures that protect you against other types of attacks. We won't go into all of that here, but it goes without saying that you need a comprehensive, multi-layered "defense in depth" strategy for protecting your network and on-premises systems.
In the case of personal information, user education is a key component because social engineering and phishing are the primary means by which identity thieves gather personal identity information. Protecting against social networking account hijacks can be especially problematic. Here again, user awareness and education are important. Some degree of protection can be had by adjusting privacy settings, but a business presence on a social networking site generally exists to reach the general public. For accountability purposes, there should be only one or two people charged with administering the business account, and they should be people who are savvy about the dangers of social networking account compromise and know, for example, not to run untrusted third-party apps that are offered through the sites.
Protecting your own websites involves the standard security precautions for Internet-facing servers. Ensure that the web servers' operating systems and applications are updated and protected by firewalls, antivirus/antimalware software, etc. Just as an individual should notify banks, credit card companies, etc. when suspecting an account has been compromised, companies should do the same when they are in a position where business account information may have been accessed without authorization.
Cloud computing can complicate security issues. In theory, cloud providers will have better resources (and perhaps more external pressure) to implement the best security. However, companies that have moved some or all of their data, applications and other computing functions to the cloud have less direct control over or even knowledge of the security mechanisms that are in place. It's important to communicate with your cloud provider about specific concerns to ensure that flaws in their security systems don't expose information that could lead to theft of your company's or employees' identities.
Finding and utilizing the law
If your best efforts fail and your company's identity or that of an individual in your company is stolen, you (or your company's management) will be faced with the decision of whether to report the crime to the authorities. As I've discussed in previous installments of this column, the answer isn't as obvious as it might seem at first glance. There are valid reasons a victimized company might choose not to report a cybercrime, and you have to weigh the severity of the attack and the magnitude of the losses incurred against the inconvenience and disruption that may occur if your equipment is seized as evidence, taking into consideration the realistic odds that a law enforcement investigation will be able to identify and prosecute the perpetrators. On the other hand, some organizations may, as a matter of principle, adopt a hard line and pursue any cybercrime to the full extent of the law regardless of negative factors.
The first step in that process is to know what laws have been broken and under what jurisdictional authority, so that you know who to call (local police, special state units, federal agencies, etc.). Take some time to familiarize yourself with the pertinent laws in your state or country. Many states have identity theft laws, but they may be narrowly drawn. Ferreting out the applicable laws may not be easy. For example, the Texas Penal Code statute under which most cases of identity theft are prosecuted won't be found under the "Theft" chapter, where you might expect it. It also won't be found under the "Computer Crimes" chapter, where you might logically look next. Instead, you'll find it in the "Fraud" chapter, in a section titled "Other Deceptive Practices." The offense title is "Fraudulent use or possession of identifying information."
It's important to note the definitions of terms, which may be included in specific subsections or may appear at the beginning of a section or chapter and apply to all the subsections within that section or chapter. In this case (TX Penal Code Sec. 32.51), "identifying information" is defined as information that, alone or in conjunction with other information, identifies a person. Specific examples are given, which include name, social security number, date of birth, government-issued identification number, biometric data, unique electronic identification numbers, routing codes, account numbers, and telecommunications access devices (smart cards, PINs, etc.).
A key point here is the word "person." That tells you that this offense can't be committed against a company or organization. Or does it? If we go way back to Chapter 1 of the Penal Code, in Sec. 1.07 we find definitions that cover all chapters. And if we look down at subsection (a)(38), we see that "person" means an individual, corporation or association. I happened to know that because I taught Texas Penal Code for many years. I would guess that most people would never think to look for a definition of "person." This is a good example of the reasons you should probably get an attorney involved when you start trying to interpret the fine points of the law. Another reason is that even if you find a law that seems to fit the facts, there might be another one that fits them better, or would be easier to prosecute.
Identity theft isn't just a problem that affects individual consumers; it's also an issue for organizations and the individuals who run them. As an IT pro, it's important for you to develop a security plan and user training that's specifically targeted at protecting against identity theft of all kinds and the damage to an organization's reputation - as well as the monetary and productivity losses - that can result.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.