Tactical Advice

Guard Against Identity Theft

Don't wait until it's the law. Implement strict data-control policies now to protect your company from tech-savvy thieves.
This story appears in the November 2005 issue of BizTech Magazine.

Identity theft is on the rise, and it's not just big banks and credit card companies that need to be concerned about protecting customer and employee information. Businesses of every size collect and store data that is attractive to thieves: Social Security numbers, account and transaction records, and other personal information about employees and clients.


Failing to adequately safeguard such information can mean lost business and a damaged reputation, not to mention the monetary losses and other harm to workers, customers and business partners.


Eighteen states have laws that require businesses to make data breaches public. Meanwhile, Congress has several bills pending that would require new privacy policies for handling personal data gathered by companies and other organizations. For instance, one bill would establish a national law requiring that any data breach be made public almost immediately. Another, the Social Security Number Privacy and Identity Theft Prevention Act of 2005, would restrict the use of Social Security numbers as identifiers. Lawmakers have also discussed the need to mandate data protection more broadly.



By establishing a few fairly simple data ground rules, companies can prevent the theft of identifiable personal information—or at least decrease the chances of such attacks occurring, says Sally Hudson, an analyst at research firm International Data Corp. in Framingham, Mass.


A best-practice approach to avoiding identity theft requires a company to make smart use of information technology, establish a data protection policy and take physical security into account.


Preventing identity theft essentially requires multiple layers of security controls and systems policies working together.


The federal government's National Institute of Standards and Technology suggests the best approach to protecting personal data from tampering is to make access difficult and to use knowledge-based authentication to grant users access on a need-to-know basis.


According to a recent NIST bulletin, an authentication system that requires users to provide something for all three of the following categories offers the highest security:


• something that the user knows, such as a password;


• something that the user has, such as an ID badge or token;


• something that is unique to the user, such as a fingerprint or face.


"Systems that incorporate all three factors are stronger than those that use only one or two factors," the bulletin notes. "Authentication using biometric factors can help to reduce identity theft and the need to remember passwords or to carry documents, which can be counterfeited. When biometric factors are used with one or two other factors, it is possible to achieve new and highly secure identity applications."


Rules of Engagement


But equally crucial is a written privacy policy detailing rules for the handling of data and specifically who has access to what information, Hudson says. The policy needs to state exactly how the company will use any personal data it collects, she adds. Once the policy is done, businesses need to make sure all employees know and understand the rules.


The policy should restrict access to certain data; a systems administrator can then combine the company's authentication applications with the access control features of its applications and databases, security experts say. In general, users should have authorization to view only the specific data they need to do their jobs, because insider threats are a chief source of breaches. In fact, 84 percent of the most costly security incidents occur when insiders send confidential data outside the company, according to the Gartner research firm of Stamford, Conn.


9.3 million
Number of Americans who were victims of identity theft between July 2004 and July 2005.
Source: Better Business Bureau

"This is an area that is often overlooked by businesses," says Anil Miglani, senior vice president at Access Markets International Partners, a New York technology research firm and consultant.


To minimize internal vulnerabilities, Applied Medical Services has set strict controls on the access that its 40 employees and 75 contractors have to patient and other personal information. "Sometimes not giving people access to the information is the best way to protect it," says Dan Johnson, information analyst for the Durham, N.C., provider of medical-practice management services.


Software applications commonly allow systems administrators to set access parameters for users. These parameters are typically expressed as role-based access controls (RBAC), which require sysadmins to define users' access privileges according to their job functions. These privileges can then be handled in bulk, saving time and money, NIST points out. It also means that in a public-key infrastructure environment, for instance, a company can write its RBAC policy in Extensible Markup Language and store the attributes in X.509 certificates.


At Applied Medical Services, for instance, the company sets up its applications—particularly those with sensitive information such as billing records—so that users have access only to the specific data fields they need, Johnson says. Applied Medical keeps audit logs so it can track the identity of users who view, change or print any file containing personal information, he says.


Unless there's a strong business need to keep personal data available online, companies should keep it offline, Miglani recommends. If such data must be accessible online, then businesses must carefully monitor network access, he adds.


Additionally, employees must not be permitted to copy or transfer critical business data in any way, he advises. And businesses should make sure to terminate access immediately after an employee leaves the company.
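The practices described above, role-based access limited to the specific data fields a job needs, an audit log of who views, changes or prints a record, and immediate termination of a departing employee's access, fit together in one small access-control layer. The following is an added example written for this article, not Applied Medical Services' software or configuration; the roles, field names, the sample billing record and the class and method names are all constructed for illustration.

```python
import copy
import datetime

# Constructed role definitions: each role lists, per table and per action,
# the fields it may touch. No role is granted the patient_ssn field at all.
ROLES = {
    "billing_clerk": {
        "billing": {"view": {"invoice_id", "amount", "due_date"},
                    "change": {"amount", "due_date"},
                    "print": {"invoice_id", "amount", "due_date"}},
    },
    "clinician": {
        "billing": {"view": {"invoice_id"}, "change": set(), "print": set()},
    },
}

# Constructed sample data (not real records).
RECORDS = {
    "billing": {
        "INV-1001": {"invoice_id": "INV-1001", "patient_ssn": "000-00-0000",
                     "amount": 120.0, "due_date": "2005-12-01"},
    },
}


class AccessControl:
    """Field-level RBAC with an audit trail of every attempt, allowed or denied."""

    def __init__(self, roles: dict, records: dict):
        self.roles = roles
        self.records = copy.deepcopy(records)
        self.users: dict[str, str] = {}   # user -> role
        self.audit_log: list[dict] = []

    def provision(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise ValueError(f"unknown role {role!r}")
        self.users[user] = role

    def deprovision(self, user: str) -> None:
        """Terminate access the moment someone leaves; later calls are denied and logged."""
        self.users.pop(user, None)

    def _permitted(self, user: str, table: str, action: str) -> set:
        role = self.users.get(user)
        if role is None:
            return set()
        return self.roles[role].get(table, {}).get(action, set())

    def _log(self, user, action, table, record_id, fields, allowed: bool) -> None:
        self.audit_log.append({
            "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "user": user, "action": action, "table": table,
            "record": record_id, "fields": sorted(fields), "allowed": allowed,
        })

    def _project(self, user, action, table, record_id) -> dict:
        """Return only the fields the user's role allows for this action."""
        allowed = self._permitted(user, table, action)
        record = self.records[table][record_id]
        shown = {f: v for f, v in record.items() if f in allowed}
        self._log(user, action, table, record_id, shown.keys(), bool(shown))
        if not shown:
            raise PermissionError(f"{user!r} may not {action} {table}/{record_id}")
        return shown

    def view(self, user: str, table: str, record_id: str) -> dict:
        return self._project(user, "view", table, record_id)

    def print_record(self, user: str, table: str, record_id: str) -> str:
        fields = self._project(user, "print", table, record_id)
        return "\n".join(f"{k}: {v}" for k, v in sorted(fields.items()))

    def change(self, user: str, table: str, record_id: str, field: str, value) -> None:
        if field not in self._permitted(user, table, "change"):
            self._log(user, "change", table, record_id, {field}, False)
            raise PermissionError(f"{user!r} may not change {table}/{record_id}.{field}")
        self.records[table][record_id][field] = value
        self._log(user, "change", table, record_id, {field}, True)

    def denied_attempts(self) -> list[dict]:
        """The entries a reviewer would look at first."""
        return [e for e in self.audit_log if not e["allowed"]]


if __name__ == "__main__":
    ac = AccessControl(ROLES, RECORDS)
    ac.provision("alice", "billing_clerk")
    print(ac.view("alice", "billing", "INV-1001"))   # no patient_ssn in the output
    ac.deprovision("alice")
    try:
        ac.view("alice", "billing", "INV-1001")
    except PermissionError as exc:
        print("denied:", exc)
    print(ac.denied_attempts())
```

Two design points carry the weight here: the record is projected to permitted fields before anything is returned, so a field no role is granted (the SSN) never leaves the data layer, and denied attempts are logged alongside allowed ones, because the log of what was refused is what surfaces an insider probing for data outside their role.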


Under Lock and Key


Protecting personal data is more than just an IT and policy issue. Companies need to think about physical protections for their hardware, particularly portable systems and storage devices that tap into or host files containing personal information.


Miglani suggests, for instance, that companies require employees to lock up or take home notebook computers at night. "If large companies can lose data while in transit, in spite of their vast resources to ensure safety and security of data, then small businesses are even more vulnerable," he notes.


Companies should also encrypt and password-protect all sensitive data. Encryption is especially important for any data that's sent via e-mail or carried on mobile devices.


Applied Medical, which transfers records back and forth among its contract workers, uses encryption on all sensitive data, Johnson says. The company avoids including personally identifying information in e-mail, he adds. Applied Medical also encrypts sensitive data stored on servers and backup systems.


As Congress debates national data theft legislation, one of the hottest areas of contention is whether businesses that encrypt their data should be exempt from requirements to notify consumers of data breaches. Such an exemption is included in the California law that took effect in July 2003, and the makers of security software are lobbying lawmakers to include such an exception in proposed federal legislation.


Meanwhile, although technology budgets and staff might be tight at many small companies, IDC's Hudson and AMI's Miglani say that's not a reason to skimp when it comes to protecting data. Instead, they suggest considering the potential cost of a data breach: Just one could spell doom for many small businesses.



CEO takeaway

If a breach occurs, act quickly:

First: Suspend all affected accounts immediately and lock down systems containing sensitive data to prevent further losses.
Second: Report the incident and suspected losses to appropriate law enforcement authorities, including the local police and the FBI.
Third: Notify all customers, employees and business partners that might be affected and let them know that personal data might have been compromised.
Fourth: Conduct a detailed review of the breach to identify systems vulnerabilities, and take steps to eliminate the weaknesses before resuming normal business activities.