
Could your employees be corporate thieves?

Increased layoffs heighten risk of information theft

By Kathleen Koster
June 15, 2009
Corporate information is at heightened risk: mass layoffs keep producing disgruntled former employees, some of them desperate for money, while companies cut the very investment that safeguards personal data. Whether the intent is malicious or not, the result can be massive damage to company reputations and bank accounts.

"Layoffs and mergers create new challenges when it comes to keeping data secure. To make matters worse, tightening budgets are causing many organizations to cut back on security spending just when they really need to be upping the ante in terms of data security measures," warns Jeremiah Miller, director of the Investigation and Restoration Center at Tennessee-based Kroll Fraud Solutions.

Despite the growing risk, many employers still insist that a firewall makes them immune from outside threats and inside negligence. It does neither: a perimeter firewall does nothing about an authorized employee misusing data they are already allowed to reach.

"Overall, human resources does not acknowledge how explosive and sensitive the information that we have is," says Skip White, corporate HR manager for SA Recycling in Anaheim, Calif. White, who has had trouble in the past convincing upper management of the severity of the issue, suggests presenting the need for funding and for employee training against ID theft in terms executives understand: money and reputation.

A U.S. Cost of a Data Breach Study by the Ponemon Institute in Michigan, covering 43 organizations, put the average cost of rectifying a breach at $6.6 million. Sharing that number with upper management should be enough to persuade decision-makers not to cut ID-theft prevention software and strategy, and to consider investing further to lock their systems down.

"Be careful about scrimping on security," warns Cisco IronPort product manager Sean Tippett. "There are e-mail security systems out there that are less expensive, but if one of these malicious e-mails gets through and is able to infect a network, essentially all the savings that you had achieved are blown away in a matter of seconds."

EBN compiled the top eight tips from industry experts and concerned HR/benefits pros on minimizing information theft risk and what to do if the worst comes to pass.

1. Take basic precautions.

If your company stores information on paper, keep files under lock and key and set up a sign-in, sign-out policy in which entry to the storage area is controlled by a keycard, badge or something comparable.

The most common way insiders steal information is by copying it onto a DVD or thumb drive. Consider forbidding personal laptops, thumb drives and similar media in data storage rooms.

2. Track employees with access to sensitive data.

Install risk-based authentication and track employee activity whenever it touches sensitive data. Give administrators access on an as-needed basis only, and give each one a unique ID so that actions in the logs trace back to a person rather than to a shared account.

Limiting how many records can be retrieved at one time also helps keep data inside the company. Supplement strong passwords (for example, those that mix letters, digits and punctuation) with security questions and image recognition.

Some theft-prevention software profiles the user's behavior: the rhythm in which they type their password, whether the access came from an authorized machine, where that machine is located, and the time of access.

Audit trails that track and report all activity, including help desk calls, should be retained; note that HIPAA's Security Rule sets a retention period of six years, not six months, for its required documentation.
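The signals this tip lists (known machine, location, time of access, volume retrieved) are what a risk-based access check scores. The following is an added example, not code from the article or from any vendor it quotes: it scores a constructed access event, decides whether to allow it, demand a second factor or block it, and emits the audit record that should be kept for every decision. The weights, thresholds, profile and sample events are all assumptions chosen for illustration.

```python
"""Risk-based assessment of access to sensitive records (added example).

Weights, thresholds, the user profile and the sample events are constructed
for illustration; they are not from the original article.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime


@dataclass
class UserProfile:
    user: str
    known_devices: set[str]
    home_country: str
    work_hours: tuple[int, int] = (7, 19)   # local hours in which access is expected
    typical_records_per_hour: int = 25


@dataclass
class AccessEvent:
    user: str
    device_id: str
    country: str
    when: datetime
    records_retrieved: int


# Constructed weights: one signal alone earns a second factor, two earn a block.
WEIGHTS = {
    "unknown device": 25,
    "unexpected location": 25,
    "outside working hours": 20,
    "bulk retrieval": 40,
}
STEP_UP_AT = 25   # require a security question, token or image check
BLOCK_AT = 60     # deny, keep the record, and page someone


def risk_signals(profile: UserProfile, ev: AccessEvent) -> list[str]:
    """Which of the profiled signals this event trips."""
    signals = []
    if ev.device_id not in profile.known_devices:
        signals.append("unknown device")
    if ev.country != profile.home_country:
        signals.append("unexpected location")
    start, end = profile.work_hours
    if ev.when.weekday() >= 5 or not (start <= ev.when.hour < end):
        signals.append("outside working hours")
    if ev.records_retrieved > 4 * profile.typical_records_per_hour:
        signals.append("bulk retrieval")
    return signals


def assess(profile: UserProfile, ev: AccessEvent) -> dict:
    """Score the event, decide, and build the audit line to retain."""
    signals = risk_signals(profile, ev)
    score = sum(WEIGHTS[s] for s in signals)
    if score >= BLOCK_AT:
        decision = "block"
    elif score >= STEP_UP_AT:
        decision = "step-up"
    else:
        decision = "allow"
    # Every decision is logged, not only the denials: the audit trail is
    # what an investigation will be built on later.
    audit = (f"{ev.when.isoformat()} user={ev.user} device={ev.device_id} "
             f"country={ev.country} records={ev.records_retrieved} "
             f"score={score} decision={decision} signals={';'.join(signals) or '-'}")
    return {"decision": decision, "score": score, "signals": signals, "audit": audit}


# Constructed profile and events. 15 June 2009 (the article's date) was a
# Monday, so 13 June is a Saturday and 16 June a Tuesday.
PROFILE = UserProfile("jdoe", {"LT-0042"}, "US")
EVENTS = [
    AccessEvent("jdoe", "LT-0042", "US", datetime(2009, 6, 16, 10, 5), 12),    # routine lookup
    AccessEvent("jdoe", "LT-0042", "US", datetime(2009, 6, 13, 23, 30), 400),  # after-hours dump
    AccessEvent("jdoe", "LT-0777", "GB", datetime(2009, 6, 16, 11, 0), 5),     # travel, new laptop
]


def run(profile: UserProfile = PROFILE, events: list[AccessEvent] = EVENTS) -> list[str]:
    """Decisions for the sample events, in order."""
    return [assess(profile, ev)["decision"] for ev in events]


if __name__ == "__main__":
    for ev in EVENTS:
        print(assess(PROFILE, ev)["audit"])
```

The after-hours event is the insider case the article worries about: the device is trusted and the password is correct, so a password-only check would allow it; it is the combination of time and volume that blocks it. The travel event, by contrast, only earns a step-up, so a legitimate employee on a new laptop is inconvenienced rather than locked out.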

If nothing else, employers should remember that "trust is not a security policy," asserts Gordon Rapkin, CEO of Protegrity Corporation in Conn.

3. Increase employee awareness.

Experts cited employee ignorance of ID theft as the number-one corporate vulnerability. According to a Ponemon Institute study, 88% of data breaches reported in 2008 were caused by insider negligence. Annual training meetings, plus periodic reminders from HR to keep up with software updates and not to download games or music online, will raise awareness.

Encrypting e-mail is a good measure of protection, and you can add handling rules on top of it: flagging messages as "not to be forwarded" or marking them "confidential" helps avoid common mis-mailings. Keep in mind that such markings only deter honest mistakes; they do not stop a recipient who chooses to forward, so they supplement encryption rather than replace it.

Your company's safety depends on the knowledge and wariness of your employees, so diligent security training and enforcement should not be taken lightly. "Unfortunately, the weakest link in a company's security is the human aspect," says Matthew Cullina, CEO of Arizona-based Identity Theft 911, whether the threat originates from malice or simple negligence.

4. Secure remote access.

A VPN protects the traffic inside its tunnel, but remote access is only as strong as the networks and devices it runs from; older wireless encryption can be cracked with freely available tools, which is why many IT departments have disabled Wi-Fi in their offices entirely.

Protecting sensitive information outside the office is trickier still. Many a laptop has been stolen from the back seat of a locked car. Employees should be reminded constantly not to leave laptops holding company data unattended, and those laptops should use full-disk encryption so that a theft is a hardware loss rather than a data breach.

5. Beware of outsourcing.

To save yourself needless headache, collect only the information you need. Treat personal information, such as Social Security numbers and birthdates, as a liability and keep as little of it as necessary.

If you outsource data handling, Cullina recommends housing your data within the U.S., Canada or Western Europe; information outsourced to sites in India or the Philippines, for example, is nearly impossible to audit.

This advice is especially relevant to small-business owners, who often outsource HR responsibilities and thereby lose control of information that is effectively out of their hands, a dangerous prospect.

6. Implement secure hiring and firing practices.

The security process begins before an individual is even hired. Background checks are essential to building a loyal and trustworthy workforce.

Applications from candidates who are not hired should be shredded.

When an employee is terminated, IT should disable their e-mail and other accounts and invalidate their passwords immediately, including VPN and any other remote access. Disabling a personal account does not revoke what the person remembers, so any shared, service or administrative passwords they knew should be rotated at the same time. Having laid-off employees sign a confidentiality agreement is also recommended.

Keycards and other access tokens should be collected and, depending on the level of access the individual held, it may be wise to escort them from the building. Experts also recommend escorting visitors, to the bathroom for example, for the same reason.

Before any firings take place, the company should have an exit procedure in which IT and HR agree on which information will be destroyed and which will not.

For example, the IT department should be aware that it cannot deactivate a former employee's insurance-provider identification because of COBRA.
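Terminations get missed, which is why the departure checks above are worth running as a periodic reconciliation of the HR roster against the directory rather than trusting that every ticket was closed. The following is an added example, not code from the article: it compares two constructed CSV exports and reports accounts of departed staff that are still enabled, logins that happened after the termination date, departed administrators whose shared credentials need rotating, and accounts nobody in HR owns. The column names, usernames and dates are assumptions, and the check covers IT accounts only; benefits-provider identifiers that must stay alive under COBRA are out of its scope.

```python
"""Reconcile the HR roster against the directory after terminations (added example).

The CSV layouts, usernames and dates below are constructed for illustration.
"""
from __future__ import annotations

import csv
import io
from datetime import date

# Constructed HR export: who is employed and, if not, since when.
HR_ROSTER = """employee_id,username,status,termination_date
1001,jdoe,active,
1002,asmith,terminated,2009-05-29
1003,bchen,terminated,2009-06-05
1004,mlopez,active,
"""

# Constructed directory export: what IT actually has enabled.
DIRECTORY = """username,enabled,last_login,is_admin
jdoe,true,2009-06-12,false
asmith,true,2009-06-10,false
bchen,false,2009-06-04,true
svc_backup,true,2009-06-11,true
mlopez,true,2009-06-12,false
"""

# Worst findings first when the report is printed.
SEVERITY = {"login after termination": 0, "still enabled": 1, "departed admin": 2, "no HR owner": 3}


def _date(s: str) -> date | None:
    return date.fromisoformat(s) if s else None


def reconcile(hr_csv: str = HR_ROSTER, dir_csv: str = DIRECTORY) -> list[tuple[str, str, str]]:
    """Return (username, finding, action) triples, worst first."""
    hr = {row["username"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(dir_csv)):
        user = acct["username"]
        enabled = acct["enabled"] == "true"
        is_admin = acct["is_admin"] == "true"
        last_login = _date(acct["last_login"])
        rec = hr.get(user)
        if rec is None:
            # Nobody in HR owns it: a service account, or an orphan left
            # behind by an earlier departure. Either way it needs an owner.
            findings.append((user, "no HR owner", "assign an owner or disable"))
            continue
        if rec["status"] != "terminated":
            continue
        term = _date(rec["termination_date"])
        if last_login and term and last_login > term:
            # The account was used after the person left: that is an incident,
            # not a housekeeping item.
            findings.append((user, "login after termination",
                             f"investigate: logged in {last_login}, terminated {term}"))
        if enabled:
            findings.append((user, "still enabled", f"disable now (terminated {term})"))
        if is_admin:
            # Disabling the account does not erase what the person remembers.
            findings.append((user, "departed admin",
                             "rotate shared, service and break-glass passwords this person knew"))
    findings.sort(key=lambda f: SEVERITY[f[1]])
    return findings


if __name__ == "__main__":
    for user, finding, action in reconcile():
        print(f"{user:12} {finding:24} {action}")
```

In the constructed data, asmith was terminated on 29 May but still logged in on 10 June, which is the finding to act on first; bchen's account was disabled promptly, but bchen was an administrator, so the shared passwords bchen knew still need to change.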

7. Purge unnecessary data.

To defeat dumpster divers, shred or otherwise destroy paper records once they are no longer needed, and follow strict deadlines for information destruction.

For example, once an I-9 form has passed its retention period (three years after the date of hire or one year after the employee leaves, whichever is later), the document should be destroyed, along with any backups.

For electronic data, run a digital shredder once files expire: ordinary deletion only removes the directory entry and leaves the bytes on disk until something overwrites them, and attackers do go looking in the trash.
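Putting the two halves of this tip together, a retention deadline and a digital shredder, the following is an added example, not code from the article. It computes the I-9 destruction date under the federal rule stated above (which is the one part of the block that is not an assumption), then overwrites and unlinks the file only once that date has passed. The file name and contents, the hire and departure dates, and the single overwrite pass are constructed for illustration.

```python
"""Retention deadline plus overwrite-before-delete for an expired record (added example).

The I-9 retention rule is the federal one: three years after hire or one year
after departure, whichever is later. The sample file and dates are constructed.
"""
from __future__ import annotations

import os
import tempfile
from datetime import date


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:          # 29 February in a non-leap year
        return d.replace(year=d.year + years, day=28)


def i9_destroy_after(hired: date, left: date | None) -> date:
    """Earliest date on which the form may be destroyed."""
    keep_until = add_years(hired, 3)
    if left is not None:
        keep_until = max(keep_until, add_years(left, 1))
    return keep_until


def shred_file(path: str, passes: int = 1) -> int:
    """Overwrite the file's bytes in place, sync to disk, then unlink.

    Returns the number of bytes overwritten per pass. This is what a plain
    'digital shredder' does; see the note below for where it is not enough.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                written = f.write(os.urandom(min(remaining, 1 << 16)))
                remaining -= written
            os.fsync(f.fileno())
    os.remove(path)
    return size


def purge_if_expired(path: str, hired: date, left: date | None, today: date) -> tuple[bool, date]:
    """Shred the file only once its retention deadline has passed."""
    deadline = i9_destroy_after(hired, left)
    if today < deadline:
        return False, deadline
    shred_file(path)
    return True, deadline


def demo(today: date = date(2009, 6, 15)) -> dict:
    """Run the purge over one constructed record and report what happened."""
    fd, path = tempfile.mkstemp(suffix=".i9")
    with os.fdopen(fd, "wb") as f:
        f.write(b"Form I-9  name=Example Person  SSN=000-00-0000\n" * 50)  # constructed content
    # Hired 1 March 2005, left 29 February 2008: the one-year rule lands on a
    # non-leap year, which is the edge case add_years() handles.
    shredded, deadline = purge_if_expired(path, date(2005, 3, 1), date(2008, 2, 29), today)
    return {
        "shredded": shredded,
        "deadline": deadline.isoformat(),
        "file_exists": os.path.exists(path),
        # A current employee hired 9 July 2007 is not purgeable until 2010.
        "active_employee_deadline": i9_destroy_after(date(2007, 7, 9), None).isoformat(),
    }


if __name__ == "__main__":
    print(demo())
```

Overwriting in place only reaches the blocks the file currently occupies. On SSDs with wear levelling, on journaling or copy-on-write filesystems, and wherever snapshots or backups exist, older copies of the bytes survive the overwrite, so the reliable end state is to keep such records encrypted from the start and destroy the key when the retention deadline passes, and to purge backups on the same schedule as the live copy.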

8. Implement a security policy.

It's always important to not only have a security plan in place, but also a response plan in case the worst does happen. Questions employers should ask include:

  • Who will review the policies and procedures on a predictable timetable?
  • What are your physical and electronic security elements and how will they be tested?

Unfortunately, even if all of the preceding advice is followed to a T, companies will never shed the giant bull's-eye on their private information.

"The trouble with ID theft is that there is no magic bullet, no [way to say], 'If you follow these steps you're going to be immune,'" says Justin Yurek, president of ID Watchdog in Denver.

When generating a response plan, become familiar with your state's security laws: nearly every state has a security breach law, and state privacy laws have multiplied. Federal requirements, and the legal issues tied to identity theft, also demand compliance.

It is also often suggested that a company provide a free identity-monitoring service for employees and customers. Remedial support for employees is strongly recommended, since productivity will suffer if they are left to deal with a breach of their own personal information during work hours.

Hiring external support, especially before and during mergers, is also strongly recommended, whether your records are kept on paper or electronically.

Finally, having taken the necessary steps to protect personal data, you should hold vendors and partners to the same standard so the investment is not for naught.
