
Identity theft exposure: Protecting employees in and out of the cubicle

In today’s digitized world, the chances of identity theft affecting your business are high. (Photo: iStock)

It used to be that a place of business was its own independent silo with respect to employees interacting with colleagues and clients.

Employees went about their business in their offices and cubicles speaking privately about work amongst themselves and those with whom they were doing business.

Fast forward to the current digital era, where the lines between those four walls and the outside world are now blurred — in large part due to the prevalence and on-demand access provided by mobile devices.

Personally identifiable info is everywhere

Research has shown that the number of total connected devices will be more than 24 billion in 2020, and within that, mobile connected devices will rise to 12 billion in 2020. The ubiquity of device usage also means that at the end of the day, our personally identifiable information is everywhere. Today’s workplaces encourage the use of technology to succeed and maintain goals effectively.

This means that businesses and employees are at risk more than ever before — vulnerable to identity theft that puts themselves, their employers and the company at risk of a data breach.

Email vulnerabilities

We’ve all heard about widespread data breaches including those hitting Target, Anthem Blue Cross Blue Shield, and eBay — and there are many you don’t hear about among smaller businesses across the country. It may surprise you to know that data breaches increased by 40 percent in 2016 with an average total data breach cost of $7 million, according to IBM.

Many companies are very focused on corporate IT security but are susceptible to hackers, especially through email vulnerabilities. Ninety-five percent of data breach attacks on enterprise networks start with spear phishing, a targeted email engineered to look legitimate and fool even tech-savvy users; the email installs malware and tries to gain system access.

Employee error

According to an Association for Corporate Counsel survey, “employee error” turns out to be the most common reason for a data breach. One example of the kind of employee error mentioned in the survey, and also discussed above in relation to spear phishing, is “accidentally sending an email with sensitive information to someone outside the company.”


This really is something just about all of us have heard about or experienced directly. It can occur as the result of a phishing scam. This type of fraud happens when a cybercriminal disguises an email to make it appear as if it is from the organization’s executive — often from HR or accounting asking for sensitive information such as a social security number or even a W-2 form.

Other leading causes behind a data breach include disgruntled employees, relaxed BYOD (bring your own device) policies, and actual physical loss of a device.

Let’s face it, no matter how diligent an HR team is, you just can’t predict how employees behave. Employees can certainly be careless about sharing passwords, and in some cases, can even be persuaded to sell sensitive company passwords. And, losing a device is as easy as leaving a laptop in an Uber or leaving a cell phone in a restaurant.

Daunting challenge

No matter how it happens, it’s a daunting challenge to keep your employees protected when threats come from all directions.

Mobile devices and unstructured BYOD policies also lead to security risks and exposure. Not only does the average large enterprise have more than 2,000 unsafe mobile apps installed on mobile devices, employees can often access and then store customer data and confidential client information on their mobile phones.

When email, or other sensitive data, is retrieved over cellular networks and opened on a mobile device, your organization loses visibility into data access.

Having HR partner with your organization’s IT team to ensure everyone at every level is being vigilant will help to address security vulnerabilities.

Proactive steps can go a long way

If a company can go a step above and hold regular monthly or quarterly company meetings on how to be safe in the new digital workplace, and even engage employees in testing scenarios like a fake phishing scam, it makes a difference. These proactive steps can go a long way to inform employees and keep personal and corporate data safe.

At minimum, HR teams and executives should have a proactive plan in place which includes:

  • Refresh your employee policies: Clearly state usage best practices around email, internet, social media, and mobile devices/BYOD.

  • Train your employees on security measures: Don’t assume new, or even seasoned employees, know security best practices -- technology and scams change fast. Train all employees and managers on how to protect confidential information and why it matters.

  • Establish a telecommuting policy: With companies increasingly adopting telecommuting policies, it’s critical to convey to employees that when they work outside of the office, sensitive company information is no longer in the control of the four walls of the office. Outline acceptable use of both company-issued and removable media devices, and confidentiality requirements around company documents and information.

  • Know how to identify risky employee behavior: If an employee’s behavior is in question, investigate it. It could signal a threat to the security of sensitive corporate information.

  • Maximize exit interviews: Ensuring you have a proper exit interview procedure in place is critical in terms of making it part of a strategic HR effort to protect confidential information. Ask the employee for all work-related passwords for any computers, devices, accounts, and files he or she has had access to; work with your IT team as necessary to change the passwords. Conduct a return of property review; have the employee disclose all company information or devices in his or her control. Collect all keys, access cards, badges, company credit cards, and other property.

In today’s digitized world, the chances of identity theft affecting your business are high. Employee education and training decrease the odds, as does having in place effective HR policies that are regularly reviewed and updated.


Steven Bearak is the CEO of Framingham, Massachusetts-based IdentityForce, a company commercialized from nearly four decades of in-depth experience around personal identity and security services and products. 

Originally published on BenefitsPro. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

