For a business, theft isn’t just about the unlawful acquisition of physical assets; it’s also about the pilfering of ideas, plans, and confidential data—all of which can have income potential unrivaled by that of tangible goods. And while the thought of theft may conjure images of masked, tiptoeing, trench-coat-clad thieves, the truth is that with intangible goods up for grabs, anyone can steal your company’s data from anywhere and at any time—with no actual mask required.
Truth #1: Any individual with the desire, knowledge, and means can steal corporate data.
Any individual with a desire to steal—and the knowledge, tools, and means—can take a corporation’s data, information, and plans. That includes current employees, contractors, disgruntled ex-employees, random hackers, and even opportunistic office visitors.
Truth #2: The risks associated with corporate identity theft are often greater than imagined.
A company’s most valuable confidential information can be found in many places. It may be stored in a cloud accessible by hackers. It may be saved on the computers at the corporate offices, in a filing cabinet at the office, in a wastepaper or recycling bin, or even in a box intended for shredding that simply hasn’t made it to the shredder yet. Or the data may actually be in transit—including an active session between a remote laptop and a local database or “the cloud.” Further, if employees log in remotely and leave the computer or laptop unsecured, someone can even access data from that location. And if employees access stored company data from a public network (such as a café or airport), they could also be creating a breach upon which data thieves may capitalize.
Often, some of the most valuable stolen data includes financial particulars and identifying government-issued information such as Social Security numbers. A business might have these items on file for its clients. However, the business itself is also at risk as business credit card and bank statements can be used to steal a corporate identity and make purchases for expensive items that are later sold online. Owner-employee Social Security data on file with the payroll department could also be acquired—along with personal employee data such as direct-deposit information, home addresses, phone numbers, e-mail addresses, and more.
But perhaps the greatest risk is to the money in the entity’s bank account, which is a target for cyber thieves. A common scenario is that fraudsters attack a small-to-medium business (SMB) entity, steal its identity (specifically banking credentials), hijack the entity’s computer, and use it to empty the entity’s bank account. The stolen money is then wired overseas where it cannot be retrieved, and unfortunately, the loser in this dangerous scheme is the victim business. Many SMBs are not even aware of this risk, so they cannot begin to prevent it.
Truth #3: Much of corporate identity theft is preventable.
“An ounce of prevention is worth a pound of cure.”
That adage is likely never more appropriate than when applied to penetration tests and security breaches. So where should a business begin? Preventing corporate identity and data theft is a process similar to protecting a company from any other kind of robbery.
- Enlist professional assistance. For starters, enlist professionals to perform a risk assessment and/or penetration test to properly identify areas of risk and the level of risk. In a penetration test, an IT specialist tests the entity’s systems and controls for weaknesses that would allow a hacker or insider to penetrate its defenses and steal valuable data, objects, or information—such as the entity’s identity. The results of that assessment drive the subsequent action steps to improve prevention techniques.
It is difficult, if not impossible, to protect an entity when it doesn’t even know a problem exists. Regular penetration testing can unveil serious flaws in systems, security, and controls that could lead to serious losses—such as identity theft—or an embarrassing incident that is exposed to the public.
- Create a written policy. Additionally, developing a written policy for employees to follow can greatly improve prevention. The policy should explain how to handle private corporate data and any documents that contain this data. It should also spell out how to treat customer data, and how to keep it secure in both paper and electronic formats.
Before implementing the employee policy, a company should make certain that it has executed all of the security measures it plans to outline in the manual. Examples include having access to: a shredder for immediate document destruction, password protection for network-stored data, a secure storage system, etc.
- Develop internal accountability. It is important that someone be accountable for monitoring and maintaining compliance with data security measures. This individual should also be trained in identifying potential weak spots in security, as well as developing and implementing solutions.
Take off the mask with CRI.
Securing your company from identity theft is a job for your entire team. The security that these steps create not only protects your company from fraudulent charges, but it also protects your employees and clients by keeping you in business. And asking for help where needed is a great idea. Our IT professionals have assisted entities in protecting themselves from the dangers of the modern crime sprees conducted in cyberspace. That protection comes in the form of guarding online cash transactions, safeguarding data/information of the entity, and defending the entity’s identity from theft and abuse. Contact us if you have questions or are ready to get started. Do you have questions about how to protect your business from corporate identity theft or need assistance creating a data security policy? Or, if you suspect your data might not be as secure as you think, do you need a penetration test? Contact CRI’s IT and fraud CPA professionals. We are pros at data security, and we might even masquerade as people interested in more than numbers and data.