When Personal Identities Are Stolen, The Bad Guys May Get The Business
Security experts say it's time for enterprises to get more involved in protecting employees' personal data
At the outset of the new millennium, John Sileo knew nothing about identity theft. He was an everyday business executive -- the kind you find in any successful firm -- until his identity was stolen.
Sileo's harrowing story -- which he now tells frequently as a speaker and author -- is the ultimate cautionary tale about the increasingly tight relationship between personal information and business data. His personal data was stolen and used to embezzle more than $300,000, costing him thousands of dollars in legal defense fees and nearly putting him in jail. It was a personal nightmare.
But in the end, Sileo warns, it was his company that suffered most. The financial losses were so great and the bad press so overwhelming, the company finally went out of business. And this, he says, is the lesson many companies have yet to learn.
"Most companies focus exclusively on protecting their business data, and they treat personal data protection as a separate issue that's outside their realm of responsibility," Sileo says. "But these days there's almost no line left between the employee's personal activities and his business activities. I can do just about every part of my job from my home or on the road that I can do in the office. And if my personal information is stolen, you can bet it will come back to haunt the business."
When an employee's personal devices are compromised, the attacker may not only get access to company information residing on them, but also passwords or other access to the corporate network, security experts observe. In some cases, attackers use personal information to develop social engineering attacks that could fool an executive into giving up business data, or providing information that a criminal can use to set up accounts on the company's behalf.
"There is a change in the mindset of the criminals going on out there," says Tim Rohrbaugh, vice president of information security at Intersections, a firm that specializes in identity protection technology and services. "We see them doing research on people, going to SEC filings to collect information about executives, and targeting specific individuals within the company. They don't make a distinction between personal data and business data. They're just looking for the right buttons to push to open the cash register."
Rohrbaugh's comments are supported by the 2010 Data Breach Investigations Report from Verizon Business, which analyzes the causes of actual business data breaches investigated by the company's forensics unit. In that report, Verizon Business found social tactics involved in 28 percent of the breaches it studied.
"It's a simple issue of somebody trying to be somebody else," Rohrbaugh says. "And with more and more people putting their own information out on social networks and other systems, it's actually getting easier."
According to statistics published earlier this year by research firm Javelin, the number of identity fraud victims increased by 12 percent between 2008 and 2009, and the amount of fraud increased by 12.5 percent. This was the highest rate of increase in the seven years the company has been issuing the report -- but statistics for 2010 won't be published until next month.
"About half of the people who have their identities stolen don't know how they were defrauded," says Robert Vamosi, a research analyst at Javelin. "In many of the other cases, they trace it to a specific incident, like the loss of a credit card. They don't necessarily tell their companies about it. They don't always see the connection between the loss of their personal data and the threat to corporate data."
Yet personal identity theft can have a direct impact on the business, says Neal O'Farrell, executive director of the Identity Theft Council, a nonprofit organization that focuses on educating users and helping identity theft victims.
"Armed with employee data and insider knowledge, hackers can embark on an extended attack on the business," O'Farrell observes. "While it's possible to change things like passwords, it's not so easy to change employee names, job titles, job descriptions, co-worker and customer contacts, etc. All this information can be used to execute very focused social engineering attacks in the future."
A breach that involves the compromise of employee data could be even more damaging to a company's public perception than an external hack, O'Farrell says. "There is a perception that if companies can't even control their employee data -- which should be pretty static and easy to protect -- there may be little confidence in corporatewide data protection," he says.
So what role should enterprises play in protecting employees' personal information? The first step is to add personal information security training to the corporate security awareness program, experts say.
"If you don't train your people on the personal side of the threat, then they won't give a damn," Sileo says. "We're all more self-interested than we are interested in the welfare of company data. Teach your people to take care of their own data, and be aware of the consequences of losing it. If they understand those things, there's a good chance that they'll extend the knowledge and practices over to their corporate systems."
Companies should also consider offering identity theft protection services to their employees -- not as a benefit or perk driven primarily by the human resources department, but as a means of protecting business data on personal devices, driven by business managers and the IT organization, Rohrbaugh says.
Vamosi notes that many businesses currently keep identity theft protection and resolution services on retainer, so they can tap those services if data theft or other breaches occur. In fact, businesses account for a growing share of the revenue earned by identity theft protection services, he says.
"Over the last few years, the number of [individual] customers signing up for identity theft monitoring services has actually gone down," Vamosi says. "But when we talk to the services themselves, they say they are doing well. That's because businesses are making up more and more of their revenue."
In a perfect world, companies would extend their security initiatives to protect employees' personal data as well because it helps build a culture of security and makes the company a better place to work, Sileo says. "It fits well with the idea of putting a gym in the building," he says. "It makes people feel better about the company they work for."
In reality, though, most companies don't initiate personal identity theft programs until they have been hit with a security breach, Sileo concedes. "The difference between a company that cares about this level of security and one that doesn't is usually getting hit," he says. "They just don't see the havoc that [personal identity theft] can cause until it happens to them. That's why I'm out there talking about it -- maybe by hearing what happened to me, they can get a sense of what it's like and do something about it before it happens to them."