BreachExchange mailing list archives

Reducing the risk employee identity theft


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 16 Apr 2015 19:29:55 -0600

http://www.propertycasualty360.com/2015/04/16/reducing-the-risk-employee-identity-theft?t=corporate-risk

Employees – they’re an organization’s greatest asset and sometimes they’re
also the greatest liability.

Employers have an obligation to keep their employees’ best interests top of
mind, but they also need to keep a watchful eye on them. This can be
particularly true when it comes to identity theft.

We’ve all seen the screaming headlines on high-profile cyber breaches.
Typically, these events are focused on financial data stored by big
retailers (which is why they’re big news) and are often the result of
mysterious hackers working halfway around the globe.

However, cyber breaches aren’t always the stuff of movies or the trending
topic of the day. Frequently a breach is far more mundane, and very often
employees are at the center of these breaches, whether as victims or
perpetrators.

A duty to protect employees

Everyone understands that employers must protect personal data. Typically
the focus is on customer data; however, employee data is just as important
and just as vulnerable.

Identity theft is on the rise and the human resources department is a
logical target for would-be identity thieves because it’s a treasure trove
of personal data: social security numbers, home addresses, bank account
numbers and other confidential information. Data theft does not have to be
a cybercrime; it could be a matter of an unsecured file cabinet, with a lot
of paper-based confidential employee information sitting in a drawer.

When a breach occurs and an employee has her identity stolen, there is
almost always a corresponding drop in productivity as she puts her life
back together. The identity theft victim has to deal with credit card
companies, banks, organizations where she has memberships, social media
platforms… the list can be shockingly long.

Employees also cause risk

While there are significant incentives for employers to protect employees
from the possibility of identity theft, it’s also vitally important to
protect the organization from employees.

Frequently, theft comes from an otherwise trusted employee. According to
the Association of Certified Fraud Examiners, the more senior an employee
is in a company, the greater organizational losses tend to be. There’s some
logic to this since these are professionals with access to information.
When you combine the pressures of high-level positions with the typical bumps
and bruises of life—divorce, mounting bills, and the like—the temptation to
pilfer personal information can become too great for some people to resist.

Employee negligence can also lead to data breaches and identity theft. They
may not mean any harm, but employees can be careless. They can lose their
business smartphone, laptop or other equipment. Maybe they always choose
123ABC as their device password. Greater care needs to be taken with
equipment and passwords to protect information.

What employers can do

It’s dangerous for employers and employees to think they know everything
about protecting personal information. Employers should be actively and
continually engaged in a conversation about security. Many companies
require employees to sign an employment agreement that makes it clear that
the business owns all work-related data and that employees must be careful.
However, that is frequently the end of the conversation.

Employers must educate their workforce on an ongoing basis. By raising
awareness of the employees’ responsibilities and the susceptibility to
identity theft, employers can create a more secure environment.

It begins with having better paper security because not all data theft is
cyber theft. Employees, especially those in HR, must understand the
importance of locking file drawers and not leaving personal information out
in the open. There should also be a policy for shredding documents and it
must be enforced.

Employers must also have clear-cut rules about securing personal devices.
Personal laptops, tablets and smartphones are often filled with
work-related information, and employees must be vigilant about safeguarding
these devices. Employees have a tendency to ignore security measures (like
using passcodes) because they view them as inconvenient. An ongoing
conversation should address the critical nature of this so-called
inconvenience. Reinforce the need to report a loss or theft immediately so
that data loss can be minimized. Also, set rules for social media to
prevent employees from inadvertently sharing confidential information
online.

Finally, employers have to do more than talk the talk on data security –
they need to set an example and invest in security measures that help keep
information protected as tightly as possible.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/