When Personal Identities Are Stolen, The Bad Guys May Get The Business

Published: 22/11/2024   Category: security




Security experts say it's time for enterprises to get more involved in protecting employees' personal data



At the outset of the new millennium, John Sileo knew nothing about identity theft. He was an everyday business executive -- the kind you find in any successful firm -- until his identity was stolen.
Sileo's harrowing story -- which he now tells frequently as a speaker and author -- is the ultimate cautionary tale about the increasingly tight relationship between personal information and business data. His personal data was stolen and used to embezzle more than $300,000, costing him thousands of dollars in legal defense fees and nearly putting him in jail. It was a personal nightmare.
But in the end, Sileo warns, it was his company that suffered most. The financial losses were so great and the bad press so overwhelming, the company finally went out of business. And this, he says, is the lesson many companies have yet to learn.
"Most companies focus exclusively on protecting their business data, and they treat personal data protection as a separate issue that's outside their realm of responsibility," Sileo says. "But these days there's almost no line left between the employee's personal activities and his business activities. I can do just about every part of my job from my home or on the road that I can do in the office. And if my personal information is stolen, you can bet it will come back to haunt the business."
When an employee's personal devices are compromised, the attacker may not only get access to company information residing on them, but also passwords or other access to the corporate network, security experts observe. In some cases, attackers use personal information to develop social engineering attacks that could fool an executive into giving up business data, or providing information that a criminal can use to set up accounts on the company's behalf.
"There is a change in the mindset of the criminals going on out there," says Tim Rohrbaugh, vice president of information security at Intersections, a firm that specializes in identity protection technology and services. "We see them doing research on people, going to SEC filings to collect information about executives, and targeting specific individuals within the company. They don't make a distinction between personal data and business data. They're just looking for the right buttons to push to open the cash register."
Rohrbaugh's comments are supported by the 2010 Verizon Business Investigations Report, which reports the causes behind actual business data breaches investigated by the company's IT forensics unit. In that report, Verizon Business cites social engineering as the cause of 28 percent of all data breaches.
"It's a simple issue of somebody trying to be somebody else," Rohrbaugh says. "And with more and more people putting their own information out on social networks and other systems, it's actually getting easier."
According to statistics published earlier this year by research firm Javelin, the number of identity fraud victims increased by 12 percent between 2008 and 2009, and the amount of fraud increased by 12.5 percent. This was the highest rate of increase in the seven years the company has been issuing the report -- but statistics for 2010 won't be published until next month.
"About half of the people who have their identities stolen don't know how they were defrauded," says Robert Vamosi, a research analyst at Javelin. "In many of the other cases, they trace it to a specific incident, like the loss of a credit card. They don't necessarily tell their companies about it. They don't always see the connection between the loss of their personal data and the threat to corporate data."
Yet personal identity theft can have a direct impact on the business, says Neal O'Farrell, executive director of the Identity Theft Council, a nonprofit organization that focuses on educating users and helping identity theft victims.
"Armed with employee data and insider knowledge, hackers can embark on an extended attack on the business," O'Farrell observes. "While it's possible to change things like passwords, it's not so easy to change employee names, job titles, job descriptions, co-worker and customer contacts, etc. All this information can be used to execute very focused social engineering attacks in the future."
A breach that involves the compromise of employee data could be even more damaging to a company's public perception than an external hack, O'Farrell says. "There is a perception that if companies can't even control their employee data -- which should be pretty static and easy to protect -- there may be little confidence in corporatewide data protection," he says.
So what role should enterprises play in protecting employees' personal information? The first step is to add personal information security training to the corporate security awareness program, experts say.
"If you don't train your people on the personal side of the threat, then they won't give a damn," Sileo says. "We're all more self-interested than we are interested in the welfare of company data. Teach your people to take care of their own data, and be aware of the consequences of losing it. If they understand those things, there's a good chance that they'll extend the knowledge and practices over to their corporate systems."
Companies should also consider offering identity theft protection services to their employees -- not as a benefit or perk driven primarily by the human resources department, but as a means of protecting business data on personal devices, driven by business managers and the IT organization, Rohrbaugh says.
Vamosi notes that many businesses currently keep identity theft protection and resolution services on retainer, so they can tap those services if data theft or other breaches occur. In fact, businesses are accounting for an increasingly larger portion of the revenues earned by identity theft protection services, he says.
"Over the last few years, the number of [individual] customers signing up for identity theft monitoring services has actually gone down," Vamosi says. "But when we talk to the services themselves, they say they are doing well. That's because businesses are making up more and more of their revenue."
In a perfect world, companies would extend their security initiatives to protect employees' personal data as well because it helps build a culture of security and makes the company a better place to work, Sileo says. "It fits well with the idea of putting a gym in the building," he says. "It makes people feel better about the company they work for."
In reality, though, most companies don't initiate personal identity theft programs until they have been hit with a security breach, Sileo concedes. "The difference between a company that cares about this level of security and one that doesn't is usually getting hit," he says. "They just don't see the havoc that [personal identity theft] can cause until it happens to them. That's why I'm out there talking about it -- maybe by hearing what happened to me, they can get a sense of what it's like and do something about it before it happens to them."