Traditionally a worry for individuals, identity theft is now a concern for businesses. It can erode the loyalty of employees and make clients think you’re too risky to be associated with.
Breaches, Fines, and Damages
Breaches of personally identifiable information (PII), or inappropriate use of it, can result in large fines. In Europe, the first wave of significant fines under the General Data Protection Regulation (GDPR) has already landed on the unlucky businesses. H&M (Hennes & Mauritz) was fined EUR 35.3 million (roughly USD 41 million) by the Hamburg data protection authority in 2020 for excessive monitoring of its employees.
And the GDPR doesn’t just apply to European businesses. If you employ people in the EU, offer goods or services to people in the EU, or monitor their behaviour, the GDPR applies to you wherever you are based. A website that merely happens to be reachable from Europe is not enough on its own (Recital 23 says as much), but a site that takes orders from, or is aimed at, European customers is. That is how Google, a U.S. company, came to be fined EUR 50 million (roughly USD 57 million at the time) by the French regulator CNIL in 2019.
Of course, the GDPR is just one regulation. In the U.S., data protection legislation is scattered across federal acts such as the Driver’s Privacy Protection Act of 1994 (DPPA) and the Children’s Online Privacy Protection Act (COPPA), and state laws such as the California Consumer Privacy Act (CCPA).
As if the fines weren’t bad enough, the reputational damage that accompanies a breach or other data-related non-compliance can have a tremendous impact on a business and its relationships with customers and clients. Business relationships require attention. It takes time and effort to nurture and maintain them. But they can be broken and lost overnight by bad PR. Sometimes, there is such a thing as bad publicity.
All businesses hold the PII of employees, suppliers, and customers. They need to be aware that they are responsible for the gathering, safeguarding, and legitimate use of that data. According to the 2020 Cost of a Data Breach report by IBM, the financial impact on a business per lost PII record is USD 150.
If the stolen PII allows a threat actor to impersonate a member of your staff so that they can communicate convincingly with a customer, supplier, the bank, or someone in your accounts department who has the authority to transfer money, the cost will be much higher.
PII and Identity Theft
Identity theft is an umbrella term covering a variety of frauds involving credit cards, hire-purchase deals, leases, online purchases, and online banking. Identity theft is often associated with stolen or otherwise leaked PII.
From the moment that computers became common in the mainstream business world, companies have been collecting, storing, and processing PII. You don’t need to store the entire digital jigsaw of data that definitively identifies someone for your data to count as PII. Any piece of data that identifies a person, on its own or in combination with other data you or an attacker could obtain, is PII. A name and date of birth, an email address, or a customer number that can be linked back to a person all qualify, and each must be protected according to how sensitive it is, not dismissed because it is only a fragment.
From the threat actor’s point of view, obtaining a complete data record about someone is like hitting paydirt. But little bits of information are still useful to them, just like many smaller nuggets—if you find enough of them—can make up a worthwhile haul. The more PII you hold, and the larger the number of people you hold data on, the more attractive a target you are.
But that doesn’t mean smaller firms are going to be ignored by the criminals. And in fact, they may be a preferred target because they are unlikely to have as rigorous a set of cybersecurity protections and controls in place as an enterprise-scale organization, nor have a dedicated body of staff to implement and oversee them.
Gone are the days of scrabbling round in people’s bins or a company’s dumpsters looking for paper-based information to build a viable identity theft persona. This type of fraud has become high-tech and highly valuable. Inevitably, it has caught the attention of organized crime. The data thieves are either operating for organized crime groups, who will use the stolen PII to perpetrate frauds, or they are smaller cybercriminal operations who will sell the data on the Dark Web.
Some stolen PII provides a short window of opportunity to the threat actors. Soon after the information is used by the threat actors, it is noticed by the victim. The victim alerts the service provider—such as the bank, credit card company, online shopping, or Social Security—and the account is frozen, or whatever other action needs to be taken. But sometimes the fraudulent actions are not detected for quite some time.
Why Breaches Happen
Accidents happen, such as leaving a laptop on a train or emailing a spreadsheet to the wrong person. Some accidents happen because policies and procedures are not followed—often in times of pressure or stress—and mandated practices are ignored or corners are cut.
Phishing and spear-phishing attacks are used by threat actors to trick staff members into inadvertently installing malware, such as rootkits and remote access trojans (RATs). Job pressure comes into play here, too. Harassed and struggling staff are less likely to stop and run through a mental checklist to determine whether an email or its attachment is genuine or malicious.
Disgruntled employees can engineer PII data breaches to enact what they see as vengeful justice against the company. Others might steal PII to try to benefit financially. They might be plants that managed to get a job with your company, but really they are working for a competitor and they are conducting industrial espionage.
The majority of PII data breaches are due to external threat actors. Because identity theft has become a lucrative (criminal) business and organized crime has taken an interest, the attacks are coordinated and sophisticated. They may mount phishing attacks, exploit vulnerabilities, or use dictionary attacks to work out what passwords are in use.
Encryption Is Your Friend
Encryption is your friend, but it is not a universal cybersecurity panacea. You still need to use the appropriate technological defenses, robust IT governance with policies and procedures, and staff training in cybersecurity awareness to try to protect your systems.
Data should be encrypted at rest on storage devices, such as hard drives, external drives, and backup systems. Both off-site and local backups should be encrypted. All mobile devices and removable media, including laptops, smartphones, tablets, and memory sticks, should use full-disk or device encryption, and anything written to optical discs should be encrypted before it is burned.
Encryption won’t stop the theft of the data. Hopefully, your other defensive measures will. But encrypting the data should prevent cybercriminals from benefiting from having it. It’s like using a dye pack with paper money. If the safe is stolen, the dye pack explodes, indelibly staining the money and rendering it useless. The dye pack won’t stop a safe from being stolen and blown open, but there is no payoff for the criminals.
Also, data protection legislation treats a breach of properly encrypted data far more leniently than the loss of plain-text PII. Under the GDPR, for example, you may not have to notify the affected individuals if the data was encrypted so that it is unintelligible to whoever took it (Article 34(3)(a)), and many U.S. state breach-notification laws have a similar safe harbour. That relief only holds if the keys were not taken along with the data, which is why key handling matters as much as the encryption itself.
Encryption technology is available for businesses in a variety of products today. Often, it is an integral part of a product offering, such as Microsoft 365 email.
Products are available to allow you to encrypt your on-premises systems, too. Be aware that after you choose and deploy an encryption product, you must still periodically review it. Even a best-of-breed encryption product can turn out to have a flaw in its implementation, or rely on an algorithm or key size that has since been shown to be weak, leaving the encryption vulnerable to exploit. So, don’t make your product choice and forget about it. Make sure your product decision is still valid today.
Encryption brings its own governance and maintenance overheads. Encryption routines use encryption keys: strings of random bytes, generated from a cryptographically secure random source, that are used with the algorithm to encode and decode the data. Like all important keys, they must be safeguarded, and access to them governed and controlled. In practice that means storing keys separately from the data they protect (a key kept on the same disk or in the same backup as the ciphertext gives a thief both), restricting who and what can use them, logging that use, and having a plan for rotating a key and for recovering if one is lost. You need to address these topics when planning to deploy wide-scale encryption across your company.
If you don’t have a data asset registry, perform a data audit and create one. As a minimum, you need to know what data you hold, where it is stored, who needs to access it, and how sensitive or critical it is. Local legislation—such as GDPR—may require you to be much more granular than this.
Categorize Your Data
Categorize the data into bands, such as:
- Restricted data: Breaches of this category data will cause significant damage to the company, one way or another. The highest levels of control and protection must be applied to this data.
- Private data: All company data that is not restricted and not public is considered to be private. Unauthorized access to private data carries a moderate risk to the company. A reasonable level of control and protection must be applied to this data.
- Public data: Requires little or no control and protection.
Establish the Data Expiration Period
If the data has a date after which it is unlikely to be useful to an attacker, and the cipher and key size you use cannot realistically be broken within that period, the data can be treated as safe for that window. Use this to set minimum key lengths and retention periods, not as an excuse for weak encryption: with a modern cipher such as AES and properly managed keys, the algorithm is rarely the weak link, and the keys and how they are handled are where the risk sits.
Some data, such as payment card details, has a clear expiry date. If someone obtains the card number and the Card Verification Value (CVV) code, they only have until the card expiry date to use them.
Other data, such as elements of PII, will have a period within which it is reasonable to expect a victim of identity-related fraud to notice something is amiss, such as strange entries on a bank statement.
Perform Due Diligence and Market Research
Guided by the foregoing steps and your data asset register—and budget, of course—review the encryption tools that are available and select the best match for your needs.
Set Policies and Procedures
Create or refresh existing policies and procedures to provide control and guidance in the use of the encryption tool and the control and safeguarding of the encryption keys.
Conduct Staff Training
Provide training sessions for your staff so that they understand the reasons behind the changes, what the new methods of working are, and what is expected from them. Make it clear that these measures are designed to protect them and their data.
Include this type of briefing as part of the induction process for new employees.
Don’t Forget the Basics
Remote connections to your business or to cloud-based resources must be made using secure and encrypted protocols such as TLS, SSH, or a VPN, and all applications and operating systems must be kept current with the latest upgrades and security patches.
Remember that encryption protects stolen data—it won’t stop data from being stolen.