
Data Breach Increases 33% in 2010 and You're Next


The latest identity theft statistics released by the Identity Theft Resource Center documented 662 data breaches* in the United States in 2010. The message couldn’t be clearer:

Corporations are not yet taking identity theft and data breach seriously enough to properly train their employees, executives and board on the bottom-line damage a data breach causes.

Sure, at this point, many organizations pay lip service to data crimes. They have a privacy policy, and their marketing materials state that they do everything in their power to protect your private information. Everything, that is, unless it costs them money to do so. Many corporations hide behind the excuse that in these lean times they can’t afford to take any additional security steps. But they must understand the disproportionate cost of recovering from theft rather than preventing it. In the simplest of terms, the ROI on data theft prevention training can easily be more than a hundred-fold. Each record lost, according to the Ponemon Institute, costs on average $204 to recover. Lose 1,000 records (considered a very small breach), and you are suddenly out $204,000. According to the same study, the average cost for a business to recover from a data breach is $6.75 million. The average cost to implement identity theft, social engineering and data breach training? In most cases, less than $50,000.

The causes are generally simple: perhaps your security software and firewalls need updating; employees haven’t been properly trained to destroy sensitive documents they no longer need; executives are surfing on unprotected wireless in airports and hotels; sales teams are gearing up social networking strategies that accidentally release confidential or proprietary information. Whatever the cause, companies and business owners must step up in 2011.

3 Steps to Step Up in 2011 and Eliminate Data Breach

  1. Aggressive Education. One of the costliest data security mistakes I see companies make is attempting to train employees from the perspective of the company. This ignores a crucial reality: all privacy is personal. In other words, no one in your organization will care about data security until they understand what it has to do with them. Strategy: Give your people the tools to protect themselves personally from identity theft. In addition to showing them that you care (a good employee retention strategy), you are developing a privacy vocabulary that can be applied to the business. Once they understand opting out, encryption and identity monitoring from a personal standpoint, it is a short leap to apply the same ideas to your customer databases and intellectual property.
  2. Start with the Humans. The root cause of most data loss is not technology; it is a human being who makes a costly miscalculation out of fear, obligation, confusion, greed or a sense of urgency. Social engineering is the craft of extracting information from you or your staff by pushing buttons that elicit automatic responses. Strategy: Immunize your workforce against social engineering and poor decision-making. Fraud training teaches your people how to handle requests for login credentials, passwords, employee and customer data, unauthorized building access and an office full of information whose disappearance will land you on the front page of the newspaper. The latest frontier thieves are exploiting is your employees’ social networks, especially Facebook and LinkedIn. It is imperative that you have a well-thought-out, clearly communicated social networking policy that minimizes the risks of data leakage, reputation damage and trust manipulation.
  3. Security Audit. Once you have accounted for human weakness and error (above), focus on the technological sources of data theft: the weakly encrypted wireless router in your home or office (WEP rather than WPA2, or no encryption at all), the unprotected wireless connection you use in an airport, hotel or café, poor passwords, lack of user-level access control, a firewall, security software or encryption that was never properly implemented, and stolen laptops, smartphones and thumb drives. Strategy: Hire an outside firm to audit your security. Your internal staff will rarely tell you what they are failing to protect out of ignorance or lack of budget. I don’t do security audits myself, as I am on the road speaking most of the time, but I’m happy to suggest some providers if you are interested.

I say this with no intention to cause undue fear: if you don’t take steps to prevent identity theft and data breach inside your organization, you will be next. Maybe not today, but soon. Fear is only meant for those who choose to do nothing about this crime. I, unfortunately, used to be one of these people, as you will learn from the background story on how I started writing about identity theft and eventually became an identity theft speaker.

*What is a Breach?

The ITRC defines a breach as any event that potentially puts a person’s name, Social Security number, driver’s license number, medical record or financial record (credit or debit card) at risk, in either electronic or paper format.

This study included all types of breach, and although we have become a very digital society, paper breaches accounted for almost 20% of all breaches. Malware and computer attacks accounted for only 17.1% of breaches.

Identity Theft's Latest Victim? Your Business.


Latest Identity Theft Trend is Stealing Your Business’s Identity to Falsify Accounts

In the past two weeks, I have been contacted separately by two local business owners to share how their business identity has been stolen and used to set up accounts with various companies on which thousands of dollars are charged and they (the actual owners) are left to pay the bills. There are no identity theft statistics on this type of crime, but I am certain that it is just coming onto the trend radar. As further proof that this is becoming a major problem for corporations, the Denver Post ran an article this morning titled “Corporate ID Thieves Mining the Store“.

Here’s how this incredibly easy form of business identity theft works:

  1. A thief scours the internet for your company information (Facebook is usually a good place to start, as is your local Secretary of State’s website). They are particularly interested in bids for government contracts, as they often contain a sample of your letterhead as well as your pertinent business information. If they can obtain the Federal ID# of your business, they have even more ammo to defraud you.
  2. Business name in hand, the thief logs on to your local Secretary of State’s website (the agency generally responsible for registering corporations and maintaining databases on corporations) and pays a small fee ($10) to alter the name of a corporate officer or the address of a company’s registered agent on public records. I would imagine that they generally register an identity stolen from another individual in order to cover their tracks further. In most states, there is no password to protect your official business filings from unauthorized users and changes. In Colorado, according to the Denver Post article mentioned above, officials say that “putting password protection on corporate data — where only a business owner or representative can make changes — is prohibitively expensive.”

    “In other words, the State of Colorado provides less protection for your corporate data than the average online dating service.”

  3. Now that the imposter is a “corporate officer” of your business with full authority to act on behalf of your corporation, the thief applies for a credit account in your business’s name, generally at a large national retailer (Home Depot, Lowes, AT&T, Sprint and Verizon seem to be the top choices). If necessary, they use your poached letterhead to facilitate the process of setting up the account.
  4. The retailer, before extending credit, verifies with Dun & Bradstreet that you are in fact an official officer of the corporation. And where does Dun & Bradstreet get its information about your business? From the Secretary of State’s office, the very source of your illegally modified information. In other words, all parties in the process are relying upon falsified source data that remains unprotected on government websites.
  5. Using the newly established business account with terms (i.e., the thief doesn’t have to pay for what they buy; it is invoiced to the company for payment at a later date), the thief makes large purchases of equipment or services, often worth tens of thousands of dollars.
  6. Equipment in hand, the thief leaves the store, never to be seen again. Your business, of course, receives the bill and begins the arduous, time-consuming and expensive process of proving that you never made the purchase, a difficult task given that the account was established by what the retailer considers to be a legitimate officer of your corporation.

Far-fetched? Not at all. The problem is compounded by the fact that sales associates at many national retailers receive incentive bonuses for every sale they make. Why wouldn’t they push the sale of 50 mobile phones through the system when they receive a large commission to do so? It’s much easier than selling one handset at a time.

Both actual cases I worked with involved phone companies, and each business owner has struggled desperately to prove that they did not make the purchase and do not owe on the account. In one of the cases, the business in question already had an account established with the phone company – same company name, address, phone number, etc. – and the phone company failed to ask any questions as to why they would want a second account. In many of the cases, the thieves use the same stolen business identity over and over again in different cities (rarely do they even shop in your actual city), causing the owner untold hours of time repairing their damaged Dun & Bradstreet ratings, fighting with collection agencies and sitting on hold trying to explain to large corporations that don’t have any incentive to believe what you are saying.

In a spiraling economy, taking your eye off the ball can mean you lose the game. In the meantime, you can take these steps to begin effecting change and protecting your valuable business data:

  1. Contact your local Secretary of State’s Office and encourage them to resolve the issue as quickly as possible. You just might be the first person to let them know that this problem exists. At minimum, ask them to begin protecting your corporate data with a password that only the verified and legitimate corporate officers of your corporation can access.
  2. Review your corporate filing with the Secretary of State’s Office regularly to make sure that there is no altered or false information in their database. If there is, contact them immediately.
  3. While in your corporation’s listing on the Secretary of State’s website, make sure that you set up any security measures they have provided. For example, if they offer email alerts whenever your profile changes, take them up on it and keep a current email address in the profile. This will send you an alert any time someone changes your file.
  4. Monitor your Dun & Bradstreet account regularly to make sure that no liens or encumbrances have been placed on your credit profile. If there is incorrect or unrecognizable data on your report, contact D&B’s fraud department immediately at 1.800.234.3867.
  5. Set up a Google Alert for your corporation’s official name and any DBAs to monitor unexpected internet activity on behalf of your organization. Weigh carefully whether to alert on the TIN itself: typing it into yet another third-party service is one more place the number lives.
  6. If you are a contract-based vendor, include a clause in your contract prohibiting the publication of your TIN/EIN/SSN in any electronic or internet form without your prior written consent.
  7. Protect your TIN, letterhead and company information as if it were currency, because it is.
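Steps 2 and 3 above amount to change detection on a public record. The following is an added example, not code from the original post: it keeps a saved baseline of a Secretary of State filing and diffs a fresh copy against it, flagging exactly the fields the scheme above tampers with (officers, registered agent, addresses) while ignoring cosmetic differences in case and spacing. Both records are constructed sample data, and the field names are assumptions, since every state's registry lays its records out differently; fetching the live record is left to whatever export or scrape your state offers.

```python
"""Detect unauthorized changes to a corporate registry filing.

Added example: compares a saved baseline of a Secretary of State filing
against a freshly fetched copy and reports the fields a business-identity
thief would alter. Both records are constructed sample data and the field
names are assumptions (registries differ by state).
"""
import hashlib
import json

# Fields whose change should trigger an alert (assumed names).
WATCHED_FIELDS = ("entity_name", "status", "registered_agent",
                  "registered_agent_address", "principal_address", "officers")


def normalize(value):
    """Canonicalize so case and spacing differences do not raise false alarms.
    Strings are upper-cased and whitespace-collapsed; lists are sorted."""
    if isinstance(value, str):
        return " ".join(value.upper().split())
    if isinstance(value, list):
        return sorted(normalize(v) for v in value)
    if isinstance(value, dict):
        return {k: normalize(v) for k, v in sorted(value.items())}
    return value


def fingerprint(filing):
    """Stable SHA-256 of the watched fields, worth logging with every check."""
    subset = {f: normalize(filing.get(f)) for f in WATCHED_FIELDS}
    blob = json.dumps(subset, sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()


def diff_filing(baseline, current):
    """Return [(field, old, new)] for watched fields that differ.
    List fields (officers) report names removed and added, not whole lists."""
    changes = []
    for field in WATCHED_FIELDS:
        old, new = normalize(baseline.get(field)), normalize(current.get(field))
        if old == new:
            continue
        if isinstance(old, list) and isinstance(new, list):
            removed = sorted(set(old) - set(new))
            added = sorted(set(new) - set(old))
            changes.append((field, {"removed": removed}, {"added": added}))
        else:
            changes.append((field, old, new))
    return changes


def check(baseline, current):
    """Human-readable alert lines; an empty list means nothing to investigate."""
    return [f"{field}: {old!r} -> {new!r}"
            for field, old, new in diff_filing(baseline, current)]


# Constructed baseline: the owner's snapshot from last month.
BASELINE = {
    "entity_name": "Acme Widgets LLC",
    "status": "Good Standing",
    "registered_agent": "Jane Doe",
    "registered_agent_address": "100 Main St, Denver, CO 80202",
    "principal_address": "100 Main St, Denver, CO 80202",
    "officers": ["Jane Doe", "John Roe"],
}

# Constructed "current" record mimicking the cheap filing change described
# above: a new officer added and the registered agent moved to a mail drop.
# The entity name differs only in case and spacing and must not alert.
CURRENT = {
    "entity_name": "ACME  Widgets LLC",
    "status": "Good Standing",
    "registered_agent": "Pat Smith",
    "registered_agent_address": "PO Box 9, Las Vegas, NV 89101",
    "principal_address": "100 Main St, Denver, CO 80202",
    "officers": ["Jane Doe", "John Roe", "Pat Smith"],
}

if __name__ == "__main__":
    for line in check(BASELINE, CURRENT):
        print("ALERT", line)
    print("fingerprint", fingerprint(CURRENT))
```

Run it on a schedule, store the fingerprint alongside each snapshot, and treat any non-empty report as an incident to raise with the Secretary of State and D&B the same day; the normalization step matters because registries routinely reformat records without any change of substance.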

Check back over the next few days for information on how to recover from this crime if you are a victim.

John Sileo speaks professionally to organizations that wish to avoid the costs associated with identity theft, data breach, social media exposure and insider theft. His satisfied clients include the Department of Defense, Blue Cross Blue Shield, the FDIC, Pfizer and hundreds of corporations of all sizes. Learn more about his entertaining and effective presentations on identity theft, data breach and fraud training or contact him directly on 800.258.8076.