We are constantly hearing about cyber threats to our online security, and it is a sure bet that this will continue. While it is VERY important to be as educated about online security as possible (consider this an ongoing education, by the way!), you should also be very aware of how thieves can gain access to your physical data.
The theft of sensitive information from companies can happen in two ways: physical data breaches or online breaches of security. Physical identity theft refers to cases where the identity thief needs to get close to their targets or to the information they are trying to obtain. These efforts include dumpster diving for documents that contain account numbers, social security or credit card numbers, addresses and the like. Basically, any document containing personally identifying information about a customer, vendor or employee is of use to identity thieves. Mail may be stolen, or thieves may pose as company representatives over the phone in an effort to extract information from unwary employees.
Here are the top fifteen ways in which corporate information is stolen by physical means:
1. Dumpster Diving – Someone will physically go through trash or recycling bins searching for employee records, addresses, credit applications and other documents containing personal information.
2. Card Skimming – There are devices capable of recording the information from a credit card or ATM card’s magnetic stripe. These devices are used by unscrupulous employees, particularly at restaurants and other businesses where the credit card is often out of the owner’s sight.
3. Purse and wallet theft – Purses and wallets are stolen from employees in the workplace.
4. Computer theft – This has become a very common tactic of late. Computers holding unencrypted data are stolen. Account information and other sensitive data is often stored on workstation computers, and data thieves are well aware of this.
5. Unlocked File Cabinets – Companies need to keep files on their employees and customers. You need to make sure that access to these documents is restricted during the day and ensure that these cabinets are securely locked at night.
6. Bribing employees – Thieves will pay employees to steal sensitive information for them; this information is then used to commit fraud and identity theft.
7. Social engineering attacks – Thieves will pose as fellow employees, landlords or others who would normally be permitted access to sensitive information. People will often give out this information to someone they are led to believe is officially allowed to receive it.
8. Mail Theft – Incoming or outgoing mail will be stolen, often from the receptionist’s desk.
9. Office Burglary – A break-in is perpetrated to steal documents and computers containing sensitive data. The true purpose of the break-in will often be covered up with the theft of other equipment or vandalism.
10. Phone Pretexting – Similar to the web-based tactic of “phishing”, data thieves will call posing as employees of a legitimate company who need to update records; many employees will unhesitatingly give out personal information about employees when targeted with this technique.
11. Shoulder surfing – Usually done by employees or consultants: someone looking over an employee’s shoulder observes a password as it is typed.
12. Desk snooping – Thieves will search a desk or workstation for notes containing passwords, a practice that is common in most offices.
13. Customer List Selling or Renting – Some companies will rent or sell their customers’ information to marketing companies without the customers’ consent or knowledge. Almost inevitably, this information will end up in the hands of criminals at some point.
14. Help Desk Support – Help desk personnel often fail to realize that identity thieves may call them posing as an employee with a technical issue, so they will often issue a new password to someone posing as an employee. Since as many as 50% of help desk calls are for password resets (according to the Gartner Group)
15. Bogus service calls – Data thieves will sometimes pose as a repair person to obtain access to a computer network. The thief may install key loggers or backdoors, or use a packet sniffer to record network communications.
As a business owner, you need to be informed of the methods employed by data thieves to gain access to company information and implement good security practices such as shredding documents, using P.O. boxes and requiring regular security training for employees. While almost nothing will prevent data thieves from trying, having good security measures in place may lead data thieves to seek out an easier target.
While businesses will sometimes spend a fortune on non-disclosure agreements to make sure that business partners do not divulge company information, they will at the same time often fail to train their own employees how to protect the company from data theft.
Having a good security system in place is a must today; but if it is cumbersome for your employees, they will circumvent it, leaving your data vulnerable to attack and giving you a false sense of security. A balance has to be maintained, and one of the best ways to create that balance is to keep employees informed about security and about how a data breach can threaten their work environment.