This paper provides administrative and information systems managers with useful information regarding the various forms of identity theft affecting businesses and organizations today. Due to the large amounts of Personally Identifiable Information (PII) necessarily processed and stored by businesses and organizations of all sizes, they have become lucrative targets for identity thieves. Identity theft can take many forms ranging from the extremely low-tech to the decidedly technologically advanced. The authors chose a helpful problem/solution format in which pervasive identity theft concepts are discussed, followed by guidelines and strategies for prevention and mitigation. The intent is that these solutions will be adopted in some form, and embodied in a comprehensive information security policy. Included is the extensive three-month-long research by the authors, as well as insights and solutions solicited from students in the Information Technology and Administrative Management (ITAM) program at Central Washington University (CWU)
Addressing Identity Theft in Businesses and Organizations
Prepared by James Shell and Marina Melnik
IT 486: Critical Issues in Information Technology
Central Washington University
Prepared for: Terrance Linkletter
June 5, 2014
IDENTITY THEFT IN BUSINESSES 2
Table of Contents

Abstract ........ 3
Introduction ........ 4
Types of Identity Theft ........ 4
Conclusion ........ 13
References ........ 15
Abstract

This paper provides administrative and information systems managers with useful information regarding the various forms of identity theft affecting businesses and organizations today. Due to the large amounts of Personally Identifiable Information (PII) necessarily processed and stored by businesses and organizations of all sizes, they have become lucrative targets for identity thieves. Identity theft can take many forms ranging from the extremely low-tech to the decidedly technologically advanced. The authors chose a helpful problem/solution format in which pervasive identity theft concepts are discussed, followed by guidelines and strategies for prevention and mitigation. The intent is that these solutions will be adopted in some form, and embodied in a comprehensive information security policy. Included is the extensive three-month-long research by the authors, as well as insights and solutions solicited from students in the Information Technology and Administrative Management (ITAM) program at Central Washington University (CWU).

Keywords: identity theft, PII, data breach, information security
Introduction

Identity theft is the crime of obtaining personal identifying information from another person or group for fraudulent or deceptive purposes, usually resulting in some type of financial gain for the thief. Personally identifiable information (PII) generally includes an individual's name, address, phone number, credit card number, checking or savings account number, and Social Security or Social Insurance number. Additionally, identity data for businesses and organizations includes financial information such as account and routing numbers and access codes, copies of government-issued licenses, and customer lists.

Types of Identity Theft in Organizations

Businesses and organizations are especially rich targets for identity thieves. Identity theft as it pertains to businesses and organizations is similar to identity theft that applies to individuals and typically falls into the following three categories:

- Organization Financial Identity Theft
- Employee Identity Theft
- Customer Identity Theft

Organizations which fall victim to identity theft may be exposed to data breaches of all types. Here are some statistics from a recent study which focused on data breaches in general:

- 53% of small businesses experienced a data breach, and 55% of those businesses had multiple breaches.
- 49% of breaches included theft of business information.
- 59% needed to manage public damage to their brand and corporate reputation because of the breach.
- The average cost to fix business identity theft is $194,000 per breach.
- 60% of small businesses close within six months of a breach.
Thieves may use an organization's financial information to obtain loans under that organization's name and good credit. Employee identities can be reconstituted into false medical insurance documents or social security cards, or used to obtain loans under that employee's name. Illegally or unethically obtained customer lists and identities can be misused in a similar fashion to employee identities, but are also sold or provided to competitors. With these customer lists, competing organizations have access to key personnel and possibly pricing, which they may undercut to lure customers away from the victim organization.

Methods of Identity Theft in Organizations

Systemic Causes

Sometimes company data is compromised as a result of the system it exists in. Employees or information systems may be transmitting or storing sensitive information without a legitimate business need to do so, or the information may be handled in a manner which makes it easily accessible to thieves. For instance, employees who are not part of Human Resources or Finance departments may be tasked with archiving employee applications, counseling and review paperwork, contracts, financial statements, or payroll information. Often, these same documents can be perused on an unsecured file share on the company network.

In some systemic cases, data can be exposed by critical business software, the actual operation of which is not clearly understood by officers or employees. The Seattle coffee giant Starbucks and its mobile app are an example of errant software. Early in 2014 Daniel Wood, a Minneapolis-area computer-security specialist, said he was able to break into the app's unencrypted plain-text file containing customer phone number information. Though the company could not determine whether customer information had been compromised by the app flaw, and has since altered the app to encrypt all personal information, the fact remains that a popular business tool, which accounted for roughly 11% of transactions in the third quarter of 2013, was putting customers at risk.

- Limit handling and access of documents containing PII to those employees with a legitimate business need-to-know.
- Lock file cabinets containing hard copies of sensitive documents, and use file permissions based on user accounts to restrict access to electronic PII documents on network resources.
- Analyze organizational workflows and activities to identify and eliminate instances where PII is recorded or stored unnecessarily.
- Any publicly available software must be thoroughly vetted by skilled software engineers for vulnerabilities which may expose employee, customer, and organizational PII.

Insider Theft

According to a 2009 Ponemon Institute survey, 60 percent of employees who quit a job or are asked to leave abscond with company data. Customer names, transaction histories, and pricing information (customer identities) could be damaging to an organization if they fell into the hands of competitors. Respondents admitted to regularly taking data off site as part of their daily operations, increasing the risk of data theft (Figure A). 79 percent of those respondents said they had done so without company authorization.

Figure A: Surveyed Methods for Removing Data
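The guidelines under Systemic Causes above call for account-based file permissions on network shares and for finding the places where PII is stored without a business need. The following Python script is an added illustration, not part of the original paper or of any product it cites: it walks a directory tree, counts values in each file that look like Social Security numbers or Luhn-valid payment card numbers, and reports whether the file is readable by anyone other than its owner. The directory layout, file contents, permission modes and function names are all constructed for the example; the exposure check assumes POSIX mode bits, so it is not meaningful on Windows shares, where the NTFS access control list would have to be inspected instead.

```python
"""Audit a file share for PII-like content and over-broad read permissions.

Added illustration; the sample files below are constructed, not data from the paper.
"""
import os
import re
import stat
import tempfile

# US SSN in the 3-2-4 layout, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or dashes; confirmed with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Count SSN-like and Luhn-valid card-like values in a block of text."""
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.append(digits)
    return {"ssn": len(SSN_RE.findall(text)), "card": len(cards)}


def readable_by_others(path: str) -> bool:
    """True if the group or world read bit is set (POSIX mode bits assumed)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_share(root: str) -> list:
    """Walk a share and report files holding PII together with their exposure."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue                # unreadable to the auditor: skip rather than crash
            hits = find_pii(text)
            if hits["ssn"] or hits["card"]:
                findings.append({
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "ssn": hits["ssn"],
                    "card": hits["card"],
                    "exposed": readable_by_others(path),
                })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_share() -> str:
    """Create a throwaway directory tree holding constructed sample files."""
    root = tempfile.mkdtemp(prefix="pii_audit_")
    samples = {
        # HR paperwork left on a share readable by every user (constructed)
        "hr/applications.txt": ("Applicant: J. Doe   SSN 123-45-6789\n"
                                "Applicant: R. Roe   SSN 234-56-7890\n", 0o644),
        # refund log with one valid test card number and one mistyped one (constructed)
        "finance/refunds.csv": ("order,card\n"
                                "1001,4111 1111 1111 1111\n"
                                "1002,4111 1111 1111 1112\n", 0o600),
        # harmless file: a phone number is neither an SSN nor a card number
        "public/menu.txt": ("Coffee 3.50\nTea 2.75\nCall 555-123-4567\n", 0o644),
    }
    for rel, (text, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for f in audit_share(build_sample_share()):
        flag = "EXPOSED" if f["exposed"] else "restricted"
        print(f"{f['path']}: {f['ssn']} SSN, {f['card']} card number(s) ({flag})")
```

Run as a script it builds the sample share in a temporary directory and prints two findings, the HR file (two SSNs, readable by everyone) and the finance file (one card number, owner-only); to audit a real share, call `audit_share()` on its path. A hit is a lead for the workflow review the guidelines describe, not proof of a violation: the patterns deliberately favor recall, and someone still has to decide whether the data belongs in that file and who needs access to it.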
- Conduct criminal history background checks on prospective employees, and limit employee access to PII to those with a need-to-know.
- Implement a well-documented, commonly known information security policy and enforce it.
- Conduct surprise audits to ensure policy is being followed and to uncover any policy revisions which may be necessary.
- Have all employees sign a nondisclosure agreement regarding PII and all proprietary company data, both to deter theft and to provide the organization with legal avenues to pursue employees who abscond with private information.
- In general, foster an open and trusting working relationship with employees; however, when a decision is made to terminate or lay off an employee with access to PII, lock or delete their user account before confronting them (Polevi, 2012).

Mail Theft

Mail theft can be performed by an individual thief or by an organized ID theft ring, which can even include the manufacture of postal uniforms, impersonation of mail carriers, or theft of mail delivery trucks. Incoming and outgoing business mail can contain blank checkbooks, checks, financial records, credit cards, employee payroll records, and bank statements. All of those items have the potential for identity theft. Businesses with a lot of foot traffic are vulnerable to any stranger walking into the business, picking up a bag or a pile of mail, and walking out. The mail thief could be a supplier, contractor, employee, friend, or even a family member.

- Avoid having mail delivered to a curbside mailbox. Have it delivered directly to authorized personnel if possible.
- If mail must be delivered to a curbside mailbox, make sure it is a locking mailbox firmly secured into the ground.
- Collect mail as soon as possible every day to minimize the amount of time thieves have to steal it. (Privacy Matters, n.d.)
Dumpster Diving

Dumpster diving is when a thief gains access to business-owned dumpsters or trash and recycling receptacles and steals PII documents. Bagdasarian states in his article that many internal business investigations showed that companies have thrown out paperwork such as payment slips containing cardholder information, and even unprocessed consumer checks that have been mistakenly discarded. That information does not only include a paper trail; it also includes name tags, CDs, hard drives, memory sticks, and business credit cards. It is an effective way to find any corporate information, and this method is used not only by individual thieves; it is also the way competitors find out how the business is doing and what it is up to (Bagdasarian, n.d.).

- Any documents containing PII, including notes between colleagues, should be shredded in a high-quality shredder. Any credit cards and removable media should be treated similarly to paper documents, and shredded or destroyed before being discarded into a dumpster. Most modern shredders include CD and credit card shredding capabilities (Massi, 2007, p. 44).
- Employees should not take these items home unless authorized. Steve Thompson, a freelance security writer, suggests that if employees are authorized to take PII off-site, they must follow the same destruction procedures as at the office, or bring all work documents back to work to be properly destroyed (Thompson, 2007).
- Security cameras should be installed at the location of the business' dumpsters, and video should be reviewed regularly to discover and deter dumpster divers.

Social Engineering

Social engineering is a way to get information through psychological manipulation. It is easy to trust someone and become the prey of a well-prepared identity thief. However, if a company provides consistent training, its employees can be well prepared not to release the sensitive information that leads to identity theft. Individuals who use social engineering techniques usually follow a common pattern of activity that Gartner analyst Mogull calls the Social Engineering Attack Cycle, as illustrated in Figure B.
Figure B: The Social Engineering Attack Cycle (Hiner, 2002)
Impersonation and Conformity. The act of an identity thief pretending to have the authority to acquire sensitive information is called impersonation. The identity thief can pretend to be an employee, client, or contractor. This technique is most effective when it combines a convincing impersonation of a superior with an emergency or "situation that requires an immediate response" (Manjak, 2006, p. 8). Conformity is when an identity thief convinces an employee that everybody else has already performed what the thief is requesting, which might be supplying critical documents or providing passwords, social security numbers, or account numbers. The thief usually convinces an employee that a manager has already approved what he or she is requesting and that other peers have already complied.

A business should have clearly defined duties for all employees; employees should know who has the authority to direct them, and employees should verify the authenticity of such authority. This can be done with a simple phone call or email, but a policy and procedure should exist which an employee can consult, and all employees should be trained on it.

Shoulder Surfing and Eavesdropping. This social engineering method is perpetrated upon an employee logging on to his or her computer or accessing a secure application. The identity thief visually monitors the employee, literally looking over their shoulder, and memorizes their username and the keystrokes for their password. In some cases, a thief might use a cell phone to record or snap a picture of PII. The identity thief could then use the stolen credentials to log in as the victim employee, accessing any electronic PII the victim has access to. Similar to shoulder surfing, eavesdropping is the simplest method of stealing information. This kind of theft occurs when the identity thief intentionally listens to conversations employees are having over the phone or in person. PII including name, phone number, address, credit card number, PIN, account number, or social security number may be collected and misused.

The simplest way to protect a business from both techniques is to train employees to be aware of their surroundings and to wait until the person in question leaves. To protect businesses from eavesdropping thieves, companies should provide as much office privacy as possible for all employees that work closely with customers who provide PII on the phone or in person. For shoulder surfing protection, all employees must be trained never to leave their computer unattended while they are logged on. In addition, businesses can provide privacy protector screens for all monitors that are located in a high-traffic area. Nobody but the person in front of the screen would be able to see information on that computer.

Computer and Software-based

Increasingly, identity thieves are relying on computer software to collect PII and other sensitive data. An employee workstation or corporate server could be compromised with malicious software (malware) which quietly collects PII and other sensitive data in background processes and transmits it to thieves over the Internet. Malware can sometimes be installed on a business' computer simply by inserting infected removable media. It is even easier to install malware if a thief has both physical access to a computer and stolen credentials to log on with. An employee who clicks on buttons or links in a compromised website or email may cause the browser to execute scripts that download and install malware (Cullen, 2011, p. 117).

The pervasiveness of wireless connectivity has created another avenue for identity thieves. Utilizing a combination of hardware and software, identity thieves can impersonate wireless access points. Such a malicious access point acts as a man-in-the-middle (MITM), relaying, and capturing, all communication between an employee and network or Internet resources, as illustrated in Figure C. In rarer cases, a thief with physical access to a wired network can insert a similar wired device to sniff or capture sensitive information.
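Before any client connects, a defender can compare what is being broadcast against what the organization actually operates. The following Python check is an added illustration, not part of the paper or of any tool it cites: it takes one wireless scan and the inventory of authorized access points and flags any access point that advertises the corporate network name, or a lookalike of it, from a hardware address (BSSID) that is not in the inventory, or that offers the network without encryption. The inventory, the scan results, the network name `CWU-Corp` and the function names are all constructed for the example.

```python
"""Compare a wireless scan against the access-point inventory to spot an
access point impersonating the corporate network (an "evil twin").

Added illustration; the inventory and scan below are constructed, not real data.
"""
import re

# Inventory of authorized access points: SSID -> set of BSSIDs (constructed).
AUTHORIZED = {
    "CWU-Corp": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}

# One scan as a client or wireless sensor would see it (constructed).
SCAN = [
    {"ssid": "CWU-Corp", "bssid": "00:11:22:33:44:01", "security": "WPA2-Enterprise", "signal": -48},
    {"ssid": "CWU-Corp", "bssid": "00:11:22:33:44:02", "security": "WPA2-Enterprise", "signal": -61},
    {"ssid": "CWU-Corp", "bssid": "de:ad:be:ef:00:01", "security": "Open", "signal": -35},
    {"ssid": "CWU_Corp", "bssid": "de:ad:be:ef:00:02", "security": "WPA2-Personal", "signal": -52},
    {"ssid": "CoffeeShop-Free", "bssid": "66:77:88:99:aa:bb", "security": "Open", "signal": -70},
]

WEAK_SECURITY = {"Open", "WEP"}


def normalize_ssid(ssid: str) -> str:
    """Collapse case, whitespace and punctuation so lookalike names compare equal."""
    return re.sub(r"[\s_\-.]", "", ssid).lower()


def find_rogue_aps(scan, authorized):
    """Return one alert per access point that claims a corporate SSID (or a
    lookalike) but is missing from the inventory or weakens its security."""
    by_norm = {normalize_ssid(s): s for s in authorized}
    alerts = []
    for ap in scan:
        matched = by_norm.get(normalize_ssid(ap["ssid"]))
        if matched is None:
            continue                    # unrelated network, outside this check's scope
        known_bssids = {b.lower() for b in authorized[matched]}
        reasons = []
        if ap["bssid"].lower() not in known_bssids:
            reasons.append("BSSID not in inventory")
        if ap["ssid"] != matched:
            reasons.append(f"lookalike of {matched}")
        if ap["security"] in WEAK_SECURITY:
            reasons.append("open or weak encryption")
        if reasons:
            alerts.append({"ssid": ap["ssid"], "bssid": ap["bssid"],
                           "signal": ap["signal"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_rogue_aps(SCAN, AUTHORIZED):
        print(f"{a['ssid']} {a['bssid']} ({a['signal']} dBm): " + "; ".join(a["reasons"]))
```

In practice the scan would come from a wireless intrusion detection sensor or a scanning tool on a monitoring host and the inventory from the wireless controller; the normalization step matters because an impersonating access point does not have to copy the name exactly to fool a user, and the signal strength in the alert tells the responder roughly where to look.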
Figure C: Wireless MITM Attack Scenario

To combat malware, IT personnel should ensure that networked computers are running up-to-date firewall and anti-malware software. Computer security logs should be screened regularly for suspicious behavior (Zelster, 2011). Filtering technology at the router level, or through a proxy server, should be utilized to prevent employees from visiting compromised websites and to screen incoming and outgoing email messages for signs of malware. To protect against MITM attacks, wireless access points should utilize encrypted keys, and communications between endpoints, such as an employee and a server resource, should always utilize encrypted authentication such as SSL (Man-in-the-middle attack, n.d.).

Theft of Mobile Devices

Increasingly, employees are in possession of mobile devices such as smartphones, tablets, and laptop computers. An identity thief who manages to steal a mobile device may have unfettered access to a wealth of PII.

Protect mobile devices with passwords and encrypt laptop hard drives with a comprehensive product such as the source-available TrueCrypt or Microsoft's BitLocker. Ideally, in addition to encryption, the devices should be further secured with some sort of biometric such as a fingerprint scanner. Employees should utilize laptop cable locks when working on laptops to deter snatch-and-grab thieves.

Data on Leased, Recycled, or Sold Computer Equipment

Information on old or unused computer equipment that is improperly disposed of may subject a business to loss of intellectual property, identity theft, legal penalties, or damage to its corporate reputation. Computers, laptops, tablets, smartphones, and even digital copiers all have some type of data storage where business information such as contacts, documents, passwords, or bank information may reside. Identity thieves could access much of this data, compromising the business.

If a business wishes to keep data from old equipment, it should back it up onto another device. The business can then choose a method to completely remove the data. A certified refurbisher or recycler will use secure data destruction methods to accomplish this; alternatively, a device can be wiped in-house using specialized software designed to strict government standards. One more option is to physically destroy the drive or memory card.
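The malware guidelines above say security logs should be screened regularly for suspicious behavior, and the same section notes that infected removable media and stolen credentials are common ways in. The following Python script is an added illustration, not part of the paper or of the Zelster article it cites: it runs two simple detections over constructed log lines, a run of failed password attempts from one address followed by a successful logon from that same address (the signature of a guessed or stolen credential), and a program launched from a removable-media mount point. The log lines, the `key=value` process record layout, the mount-point prefixes and the function names are constructed or assumed for the example.

```python
"""Screen constructed authentication and process-creation logs for two signs
of compromise: password guessing that ends in a successful logon, and a program
started from removable media.

Added illustration; every log line below is constructed, not real data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style authentication records (ISO timestamps for simplicity).
AUTH_LINES = [
    "2014-06-05T08:00:01 sshd[2210]: Accepted password for jshell from 10.0.0.12 port 50211 ssh2",
    "2014-06-05T08:01:10 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 41002 ssh2",
    "2014-06-05T08:01:12 sshd[2233]: Failed password for root from 203.0.113.7 port 41003 ssh2",
    "2014-06-05T08:01:15 sshd[2235]: Failed password for jshell from 203.0.113.7 port 41004 ssh2",
    "2014-06-05T08:01:17 sshd[2237]: Failed password for jshell from 203.0.113.7 port 41005 ssh2",
    "2014-06-05T08:01:20 sshd[2239]: Failed password for jshell from 203.0.113.7 port 41006 ssh2",
    "2014-06-05T08:01:22 sshd[2241]: Failed password for jshell from 203.0.113.7 port 41007 ssh2",
    "2014-06-05T08:02:03 sshd[2243]: Accepted password for jshell from 203.0.113.7 port 41008 ssh2",
    "2014-06-05T08:30:00 sshd[2310]: Failed password for mmelnik from 10.0.0.12 port 50300 ssh2",
    "2014-06-05T08:30:09 sshd[2312]: Accepted password for mmelnik from 10.0.0.12 port 50301 ssh2",
    "2014-06-05T08:45:00 cron[311]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Constructed process-creation records in an assumed key=value layout.
PROC_LINES = [
    "2014-06-05T09:14:02 proc user=mmelnik image=/media/usb0/setup.sh parent=/bin/bash",
    "2014-06-05T09:14:30 proc user=mmelnik image=/usr/bin/libreoffice parent=/bin/bash",
    "2014-06-05T09:20:11 proc user=jshell image=/run/media/jshell/KINGSTON/update.bin parent=/usr/bin/nautilus",
]

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
PROC_RE = re.compile(r"^(?P<ts>\S+) proc user=(?P<user>\S+) image=(?P<image>\S+)")
# Mount points under which removable media usually appear on Linux desktops (assumption).
REMOVABLE_PREFIXES = ("/media/", "/run/media/", "/mnt/usb")


def parse_auth(lines):
    """Turn matching sshd lines into event dicts; unrelated lines are ignored."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "ok": m["result"] == "Accepted",
                "user": m["user"],
                "src": m["src"],
            })
    return events


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when a source logs on successfully after at least `threshold`
    failures from that same source within `window`."""
    failures = defaultdict(list)        # source address -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
        if ev["ok"]:
            if len(recent) >= threshold:
                alerts.append({"src": ev["src"], "user": ev["user"],
                               "failures": len(recent), "at": ev["ts"].isoformat()})
            failures[ev["src"]] = []    # a success ends the run either way
        else:
            failures[ev["src"]] = recent + [ev["ts"]]
    return alerts


def exec_from_removable(lines):
    """Report processes whose image lives under a removable-media mount point."""
    hits = []
    for line in lines:
        m = PROC_RE.match(line)
        if m and m["image"].startswith(REMOVABLE_PREFIXES):
            hits.append({"user": m["user"], "image": m["image"], "at": m["ts"]})
    return hits


if __name__ == "__main__":
    for a in brute_force_then_success(parse_auth(AUTH_LINES)):
        print(f"password guessing then logon: {a['src']} as {a['user']} "
              f"after {a['failures']} failures at {a['at']}")
    for h in exec_from_removable(PROC_LINES):
        print(f"removable-media execution: {h['user']} ran {h['image']} at {h['at']}")
```

The threshold and window are parameters so they can be tuned to the environment (the sample data produces one alert, for 203.0.113.7, and two removable-media hits); the same two functions work on a real `auth.log` and on process-creation records once the regular expressions are adjusted to the local format, and a hit should feed the incident handling the policy defines rather than be acted on automatically.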
Conclusion

Protecting a business and its clients from identity theft is an important piece of the larger information security puzzle. Ethics, as well as legal ramifications, mandate that every organization dealing in any fashion with personally identifiable information have policies and procedures for protecting it. Martin Manjak (2006) wrote, "The success of any enterprise depends on a well-informed, dedicated, and ethical workforce" (p. 5). A well-documented information security policy must be internalized by management and employees, and revisited regularly to ensure compliance and effectiveness. Businesses should trust their employees to follow the security procedures in order for the business to operate effectively. This applies in varying degrees to anyone who is affiliated with an organization, which includes part-time staff, contract employees, business partners, consultants, and vendors (Manjak, 2006). As thefts of personally identifiable information show no signs of abating, managers must remain vigilant and steadfast in their dedication to information security.
References

Adams, A. A., & McCrindle, R. J. (2008). Pandora's box: Social and professional issues of the information age. West Sussex: John Wiley & Sons Ltd.

Bagdasarian, H. (n.d.). Dumpster diving. Retrieved from http://www.identity-theft-awareness.com/dumpster-diving.html

Cullen, T. (2007). The Wall Street Journal complete identity theft guidebook. New York: Three Rivers Press.

González, Á. (2014). Starbucks iPhone app vulnerable, security specialist says. The Seattle Times. Retrieved from http://seattletimes.com/html/businesstechnology/2022679329_starbucksflawxml.html

Hiner, J. (2002). Change your company's culture to combat social engineering attacks. Retrieved from http://www.techrepublic.com/article/change-your-companys-culture-to-combat-social-engineering-attacks/

Man-in-the-middle attack. (n.d.). Retrieved June 05, 2014 from Wikipedia: http://en.wikipedia.org/wiki/Man-in-the-middle_attack

Manjak, M. (2006, December 19). Social engineering your employees to information security. Retrieved from http://www.sans.org/reading-room/whitepapers/engineering/social-engineering-employees-information-security-1686

Massi, R. (2007). People get screwed all the time: Protecting yourself from scams, fraud, identity theft, fine print, and more. New York: HarperCollins.

Polevi, L. (2012). 5 tips to keep employee theft from running you out of business. Retrieved from http://blog.intuit.com/employees/5-tips-to-keep-employee-theft-from-running-you-out-of-business/

Privacy Matters (n.d.). Mail theft and identity theft. Retrieved from http://www.privacymatters.com/identity-theft-information/mail-theft.aspx

Recalde, M. E. (2005). Workplace identity theft: Proactive measures employers can and should take to combat it. Sheehan, Phinney, Bass & Green PA. Retrieved from http://www.sheehan.com/publications/good-company-newsletter/Workplace-Identity-Theft-Proactive-Measures-Employers-Can-And-Should-Take-To-Combat-It.aspx

SuperUser (n.d.). Truecrypt v. PGP v. Bitlocker for whole disk encryption? Retrieved from http://superuser.com/questions/166617/truecrypt-v-pgp-v-bitlocker-for-whole-disk-encryption

Symantec Corp. (n.d.). More than half of ex-employees admit to stealing company data according to new study. Retrieved from http://www.symantec.com/about/news/release/article.jsp?prid=20090223_01

Thompson, S. (2007, Mar 6). How to protect your business from dumpster diving. Retrieved from http://voices.yahoo.com/how-protect-business-dumpster-diving-223093.html

Zelster, L. (2011). 4 steps to combat malware enterprise-wide. Various Research. Retrieved from http://zeltser.com/combating-malicious-software/malware-in-the-enterprise.html