The cost of entry into the digital age
Identity theft is everywhere. It is the crime of the millennium, a disaster of the digital age. If it has not happened to you, it has happened to someone you know. According to the Federal Trade Commission (FTC), Javelin Research estimates that about 9 million identity thefts occurred last year, which means that roughly 1 out of 22 adult Americans was a victim in a single year. So far (knock on wood) I have personally been spared, but in the course of managing corporate identity-theft issues for my company I ran into some amazing stories, including from close friends I had not known about before. One friend had her credit card number stolen and used repeatedly to pay for dozens of laptops, thousands of dollars of groceries and rent on several apartments in New York, shortly before the attacks of September 11. The FBI eventually got involved and found an insider at a credit card company and links to organizations suspected of supporting terrorists.
So, what is this big scary threat, is it real, and is there anything that can be done apart from installing antivirus software, checking credit card statements, putting your Social Security card in a safe deposit box and crossing your fingers? And, even more important for a corporate audience, what is the threat to corporations (oh yes, there is a serious one) and what can be done to keep the company and its employees safe?
First, the basics. Identity theft, as the name implies, is any use of another person's identity to commit fraud. The obvious example is using a stolen credit card number to buy things, but it also includes actions such as breaking into corporate networks to steal corporate information, using a fraudulent SSN, obtaining medical care on someone else's insurance, taking out loans and home-equity lines against assets owned by someone else, giving another person's identity when arrested (so that explains my impressive rap sheet!) and much more. In the late 1990s and early 2000s the number of identity thefts rose dramatically; over the past 3 years it has leveled off at about 9-10 million victims a year, still a terrible problem and the most common crime against consumers in America. And the cost to business continues to grow as thieves become more sophisticated: losses to business from identity fraud in 2005 were a staggering $60 billion. Individual victims lost more than $1,500 each on average in out-of-pocket expenses and spent dozens or even hundreds of hours recovering. In roughly 16% of cases losses exceeded $6,000, and in many cases victims could not fully recover, left with destroyed credit, large sums owed and recurring problems with even the simplest daily activities.
The main reason identity theft is such a widespread crime is the very nature of our digital economy, which makes preventing it extremely difficult. Watch yourself as you go through the day and count how many times your identity is required to facilitate ordinary activities. Turn on the TV: the cable channels you receive are billed monthly to your account, which is stored in the cable company's database. Check your home page: your Google or Yahoo or AOL account has a password that you probably reuse for other accounts, perhaps your financial accounts or your secure corporate login. Check your portfolio, and realize that anyone with that information can drain your money in seconds. Get in the car: you have a driver's license, car registration and insurance, all tied to a driver's license number that is a surrogate national identifier and can be used to impersonate you in almost any transaction. Stop for coffee or pick up some groceries and use one of your many credit cards, or a debit card tied to one of your bank accounts; if any of them is compromised, you could quickly be wiped out.
And at the office, a real playground of databases holding the most sensitive data! The HR database, the applicant tracking system, the payroll system, the benefits enrollment system and various corporate data stores all hold your SSN and many other sensitive pieces of identifying data. Add the facilities, security, bonus and commission systems, the performance and productivity systems, network accounts and email accounts, and all the accounts tied to your specific job. Not to mention the various one-time and periodic reports and database extracts that are pulled every single day by Compensation, Finance, audit firms, IT and many others. What about all the backups and replicated databases, all the external systems, all the different pension and 401(k) and other retirement account systems? The small, easily forgotten systems that track mentor assignments and birthdays and vacation accruals. Online payroll systems? Corporate travel systems? And do not forget how each outsourced system multiplies the risk: each has its own backups and copies, extracts and audits; each is accessible to multiple internal users as well as to its own service providers. How many databases, laptops and paper reports across this web of vendors and systems hold your data, and how many thousands of people have access to it at any given time? The list quickly goes from surprising to frightening the longer you follow the data trail.
This is the brave new digital world, where every step requires instant authentication of your identity, based not on your familiar face and lifelong personal relationships but on a few numbers stored somewhere. Much more efficient, isn't it? So your various digital identifiers (your driver's license number, your SSN, your user IDs and passwords, your card numbers) must be stored everywhere and, as such, are accessible to many people. This explains the huge and growing phenomenon of corporate data breaches. Astonishingly, over the past 18 months more than 90 million identities have been lost or stolen in these breaches, and the pace is accelerating. It is simple arithmetic combined with a financial incentive: a growing body of identifying data that has significant value is available to many people.
And as soon as any one of these digital identifiers is compromised, it can be used to impersonate you on any or all of these thousands of systems and to steal your other digital identifiers to commit further fraud. That is the scale of the problem. Far worse than a single stolen Citibank credit card, identity theft can easily disrupt everything you do and requires enormous effort to identify and plug every potential hole. Once your identity is stolen, your life can become an endless game of whack-a-mole: fix one exposure and another pops up across the terrible breadth of accounts and systems that use your identity for any purpose whatsoever. And make no mistake: once compromised, your identity can be sold again and again through the vast international shadow market in identity data, which is beyond the reach of US law enforcement and extremely adaptable to any attempt to shut it down.
Why now?
Over the past two years there have been three major legal changes that have significantly raised the cost of losing corporate data. First, new provisions of the Fair and Accurate Credit Transactions Act (FACTA) came into force that impose significant penalties on any employer who, by act or omission, fails to protect employee information and thereby allows employee identity data to be lost. Employers may incur civil liability of up to $1,000 per employee, with additional federal penalties on top of that, and various states are entitled to impose higher penalties. Second, several publicized court cases established that employers and other organizations that maintain databases of employee information have a special duty to safeguard data that could be used to commit identity fraud, and the courts awarded punitive damages for stolen data on top of actual damages and statutory fines. Third, several states, beginning with California and spreading rapidly from there, passed laws requiring companies to notify affected consumers if they lose data that could be used for identity theft, regardless of whether the data was lost or stolen or whether the company bears any legal responsibility. This has led to a significant increase in awareness of corporate data breaches, including some massive ones such as the infamous ChoicePoint breach in early 2005 and the even larger loss of a laptop containing more than 26 million veterans' identifiers a couple of months ago.
At the same time, the problem of securing employee data is becoming exponentially harder. The continued expansion of outsourced services (background checks, recruiting, testing, payroll and various benefit programs, right up to full HR outsourcing) makes it ever harder to keep track of, let alone manage, all the potential risks. The same goes for IT outsourcing: how do you control systems and data that you do not manage? How do you know where your data is, who has access to it but should not, and what criminal and civil legal system governs any exposure that occurs outside the country? The continued trend toward more remote offices and virtual networks also complicates controlling data flows or standardizing system configurations: how can you stop someone from logging in from a machine with a CD burner, pulling a full extract from the HR management system or data warehouse, copying it to a USB drive or beaming it by infrared to another local computer? And the recent legislative minefields, from HIPAA to Sarbanes-Oxley, not to mention European and Canadian data privacy rules and the patchwork of rapidly evolving US federal and state data privacy laws, all demand ever more control, sometimes past the point of reasonableness. Who among us can say they understand it all, let alone comply with it completely?
The result is a perfect storm: more data loss and identity theft, much more difficulty managing and plugging the holes, much greater visibility of mistakes and much greater liability, all simmering in the cauldron of a litigious society in which loyalty to a single employer is a long-gone concept and all too many employees look at their employer as a set of deep pockets to be picked whenever possible.
And it all comes down to "people data", the simple two-word phrase that underlies the HR and IT missions. The enterprise has a problem: its data about people has suddenly become more valuable, more attacked and more at risk, and they are looking at you, kid.
The good news is that at least this is a known problem. In fact, although I hope I have scared you thoroughly, as I was scared when I learned that identity theft is not all hype but a real, long-term problem with big consequences, the reality has a hard time keeping up with the hype. Identity theft is big news, and everyone from solution vendors to media entertainers of every stripe has been beating the drum for years. Everyone in the boardroom is aware of the general pattern of large data thefts and computer security problems, and of the related risks. Even Citibank's announcements have helped raise awareness. So you have license to propose a sensible way to address the problem: a serious programmatic approach that will easily pay for itself by reducing corporate liability and by avoiding bad publicity, employee dissatisfaction and lost productivity.
A journey of a thousand miles
In general, what I recommend is simply that you treat identity-theft prevention and management as a program: a permanent initiative that is structured and managed just like any other serious corporate program. That means an iterative cycle of activity, an accountable manager, and real executive attention and sponsorship. It means going through the cycle of baselining, identifying key pain points and priorities, reviewing the state and scope of the next iteration, planning and designing work modules, executing, measuring, evaluating, tuning, and then repeating. Not rocket science. The most important step is recognizing and focusing on the problem: give it a name and a magnifying glass. Do as thorough a baseline review as you can, study the company in terms of this fundamental risk, engage your executive management and run your continuous improvement program. After a few cycles you will be surprised how much better a handle you have on it.
As part of your identity-theft program you will pursue the following main objectives. We will briefly review each of them and name the critical areas for solutions and some key success factors.
1) Prevent actual identity theft as far as possible
2) Minimize your corporate liability in advance for any identity theft (not the same as #1)
3) Respond effectively to any incident so as to minimize both the harm to employees and the corporate liability.
From an enterprise point of view, you cannot achieve identity-theft prevention without attending to processes, systems, people and policies, in that order.
o First, walk through the processes and data flows. Where does personal identifying information come from, and why? Eliminate it where possible. (Why should the SSN be in the time-tracking system? Or even in the HR system? You can strictly restrict which systems keep this kind of data while still meeting the audit and regulatory reporting needs of the few people who perform that particular function.) And, by the way, assigning or hiring someone to try to "social engineer" (trick) their way into your systems, and asking employees to help identify all the small "under the radar" quick-and-dirty exposure points in your processes and systems, can be very effective ways to quickly gather a lot of scary information.
o For the systems that do store this data, implement access restrictions and usage restrictions as far as possible. Remember that you are not removing the data that drives business functions; you are simply restricting access to your employees' personal information and the ability to extract it. The only people who should have access are the employees themselves and those with specific job functions that require it. Treat this data as you would treat your own personal and private assets, the family heirlooms. Strictly restrict access. And remember, the problem is not only the people who are authorized to have access; it is also the people who have broken in, those who have stolen one employee's credentials in order to steal more. So your mission is to make sure that your network and system passwords and access controls are truly secure. Multiple overlapping strategies are required: strong passwords, multifactor authentication, access auditing, employee training and employee security agreements, for example.
o Train your people, simply and bluntly, that this data is personal and must not be copied or used anywhere except where necessary. Laptop theft is not the big problem in itself; the problem is laptops that inappropriately contain employee personal data. Give your people, including any contractors and service providers who serve you, guidance on not putting this data at risk and, where necessary, tools for using it safely: standardized computer system monitoring, encryption, strong password management on the systems that hold this data, and so on.
o Develop a policy for the confidential and secure handling of sensitive employee data and for holding your employees and your service providers accountable if they fail to follow it. Communicate the policy clearly, simply and firmly, and then reinforce it with messages and examples from senior executives. Make it especially clear to each of your external service providers, and require them to have policies and procedures that mirror your own safeguards and to accept responsibility for any failures. This may seem a tall order, but you will find you are not alone: these service providers are hearing this from many clients and will work with you to set a schedule for getting there. If they do not get it, that may be a good signal to start looking for alternatives.
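As an added example (not from the original article) of the baseline review described above: a small Python scanner that walks exports from several systems, flags fields holding SSN-like values, applies the Social Security Administration's structural rules to cut down on false positives, and reports which systems and columns hold SSNs so they can be eliminated or locked down. The system names and records are constructed sample data, and the report masks everything but the last four digits so the inventory itself is not a new exposure.

```python
import csv
import re
from collections import defaultdict
from typing import Dict, List

# Common SSN layouts: 123-45-6789, 123 45 6789, 123456789.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

# Constructed sample exports from hypothetical systems (header row first).
SAMPLE_EXPORTS: Dict[str, List[str]] = {
    "hr_core": [
        "emp_id,name,ssn,hire_date",
        "1001,Ann Lee,219-09-9999,2004-03-01",
        "1002,Bob Ray,412-55-0101,2005-07-15",
    ],
    "time_tracking": [
        "emp_id,badge,notes",
        "1001,219-09-9999,late badge-in 2006-01-04",  # SSN reused as a badge id
        "1002,B-4421,none",
    ],
    "mentor_program": [
        "mentor,mentee,contact",
        "Ann Lee,Bob Ray,ext 4121",
    ],
    "vendor_payroll": [
        "emp_id,taxpayer_id,gross",
        "1001,219099999,4200.00",     # same SSN, unformatted
        "1002,000-12-3456,3900.00",   # area 000 is never issued: not an SSN
    ],
}


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999, group 00 and
    serial 0000 are never issued, so they are not SSNs."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def find_ssns(text: str) -> List[str]:
    """Return the plausible SSNs in text, normalised to 123-45-6789 form."""
    return [f"{a}-{g}-{s}" for a, g, s in SSN_RE.findall(text) if is_plausible_ssn(a, g, s)]


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits so the report can be shared safely."""
    return "***-**-" + ssn[-4:]


def inventory(exports: Dict[str, List[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Map each system to {column: [masked SSNs found]}. Systems with no SSNs
    map to an empty dict, so the clean systems are visible in the result too."""
    result: Dict[str, Dict[str, List[str]]] = {}
    for system, lines in exports.items():
        found: Dict[str, List[str]] = defaultdict(list)
        for row in csv.DictReader(lines):
            for column, value in row.items():
                for ssn in find_ssns(value or ""):
                    found[column].append(mask_ssn(ssn))
        result[system] = dict(found)
    return result


def report(exports: Dict[str, List[str]]) -> List[str]:
    """One line per system/column holding SSNs, or a 'no SSNs found' line."""
    out: List[str] = []
    for system, columns in inventory(exports).items():
        if not columns:
            out.append(f"{system}: no SSNs found")
        for column, masked in columns.items():
            out.append(f"{system}.{column}: {len(masked)} SSN(s), e.g. {masked[0]}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORTS)))
```

Point it at real CSV extracts and the same report tells you which systems (the time-tracking system, in this sample) hold SSNs they have no business holding.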
Minimizing corporate liability is about having "reasonable safeguards". What does that mean in practice? Nobody knows. But you had better pass the "reasonable smell test". Just like obscenity, judges will know "reasonable safeguards" when they see them, or when they don't. You cannot prevent everything, and you are not required to, but if you have no passwords on your systems and no physical access controls on your employee files, you will be nailed when there is a theft. So you need to do enough of the review and controls I outlined above, and you also need to do it in a well-documented, measured and publicly visible way. In short, you need to do the right thing, and you need to show publicly that you are doing it. It's called CYA. That is how legal liability works, kids. And in this case there is a very good reason for the rigor: it produces the kind of comprehensive and complete results you want, and it will help you a great deal as you repeat the improvement cycles.
That is why you want to put the effort into creating a formal program, benchmark what some other companies are doing, define a comprehensive plan and metrics once you have completed your baseline and benchmarking steps, report the results to your executives and repeat for continuous improvement. Because you need both to know and to show that you are doing everything that can reasonably be expected to secure the employee personal data in your care.
And yet, despite all your safeguards, the day will come when something goes wrong from the enterprise's point of view. You can absolutely reduce the likelihood and size of any exposure substantially, but when more than 90 million records from thousands of organizations have been lost or stolen in the past 18 months, sooner or later almost all data will be compromised. When that happens you need to switch into recovery mode on a dime and be ready to go into action quickly.
But not just quickly: your response must be comprehensive and effective, including in particular:
o Transparent, active communication, first to employees and then to the public.
o The communication should state what happened; that a small, empowered task force has been assigned; that temporary "lockdown" procedures have been applied to prevent further similar exposure; that the investigation is continuing; and that affected employees will receive help with recovery, reimbursement of recovery costs, and monitoring services to prevent actual identity theft using any compromised data.
o Of course, all of these statements have to be true, so:
o The HR, IT, security and risk-management task-force specialists and managers must be identified and trained, and the "call to action" procedures defined in advance.
o They must be authorized to apply temporary lockdown procedures for employee personal data. Procedures for the foreseeable scenarios (lost laptop, lost backup tape, network break-in, theft of physical HR files, etc.) should be predefined.
o Template communications to employees, partners and the press must be prepared.
o Qualified investigative services must be selected in advance.
o Expert identity-theft recovery resources and identity-theft monitoring services must be evaluated and selected in advance.
Nothing is more important to protecting your company than a well-planned and effective response in the first 48 hours of an incident. If you are not prepared in advance and well rehearsed, that will be impossible. If you are, it can actually be a positive public relations experience and will sharply reduce the legal, financial and employee impact.
Identity theft is not a flash in the pan; it is built into the way the world now works, and that raises not only the risk but also the damage. Companies are at particular risk because, by necessity, they expose their employees' data to other employees and to their vendors and partners, and they bear responsibility for the risk this creates. Those in HRIS, whose specific function is managing data about people, must take ownership of this emerging responsibility and ensure that their companies are as secure as possible and as prepared as possible.