Identity theft is on the rise. Is your organisation part of the solution or part of the problem? Personally identifiable information (PII) is pouring through the security floodgates and ending up in the wrong hands at an alarming rate.
To protect your organisation's employees and clients, you need to evaluate how well your company protects its PII. Here are seven common mistakes that you need to avoid.
Keeping users in the dark
Users will always be the weakest link in any enterprise network — and all the gadgets and controls in the world won't change that. If your users don't know how to identify and handle PII, it's only a matter of time before one of them discloses this data to the wrong source.
The solution is simple: educate your users on your company's policies and mechanisms to process PII. And don't forget to include regularly scheduled refresher courses.
Partnering with the wrong businesses
You've made sure your security is rock solid, and you've trained your users. But can your business partners say the same? Do you collect or share information with businesses that have little or no security?
If your company collects and shares PII with insecure partners, who do you think will end up in the paper, explaining to law enforcement how the breach occurred? Your company.
The solution here is as simple as that of the previous dilemma: educate and train your business partners on how to protect this sensitive information. Charge them for your expertise if you want, but get the job done.
Keeping data around past its prime
What do you do with data once it's served its purpose? If you aren't destroying PII when it's no longer required, then you're not doing your job. That doesn't mean throwing it away either — that means destroying it.
Some identity thieves make a living out of old bank statements and credit card receipts. That's why you need to wipe out PII when it's no longer necessary. If your organisation doesn't have a shredder, you need to get one today.
A lax approach to physical security
It's imperative that you implement physical access controls to prevent unauthorised people — including employees — from gaining access to PII. Get a door lock and a badge reader, and start controlling access.
Keeping records unlocked
If you don't have specific storage areas on your network (as well as file cabinets) for PII, then how can you protect it? Take inventory of your network — and your paper copies — and develop a plan to protect that data. This would be a good time to research encrypting data at rest and to lock some file cabinets.
Ignoring activity on your network
I've said this before in columns, but it's worth repeating: if you're not going to actively monitor your network for suspicious activity or incidents, then stop collecting the data. Develop a method that's within your capabilities and budget to monitor your network for suspicious activity or incidents. And while you're at it, develop a response and mitigation strategy for security incidents.
Failing to organise security audits
A lot of businesses either don't know what security events to audit or don't read their security logs — or both. If you're not sure which events to audit, find out. Set up security auditing, and start reviewing your logs today.
Final thoughts
Identity theft may be on the rise, but you don't have to make it easy for thieves. You can help prevent identity theft both at home and at the office — you just need to take a few extra steps.
Mike Mullins has served as an assistant network administrator and a network security administrator for the US Secret Service and the Defense Information Systems Agency. He is currently the director of operations in the US for the Southern Theater Network Operations and Security Center.