Employers collect and store vast amounts of personally identifiable information from job candidates and employees: Social Security numbers, birth dates, driver’s licenses, protected health information, financial and investment account information, emails and passwords, and more.
All of this data—often the domain of accounting and payroll departments—is valuable to identity thieves who employ methods ranging from simple dumpster-diving to sophisticated cyber attacks on businesses of all sizes and across all industries. Common cyber threats take the form of phishing emails, malware, denial of service, ransomware and password attacks.
For a glimpse at the widespread nature of the problem, consider these breach statistics: Nearly 700 breaches were reported between January and September of 2016, exposing more than 28 million records. One in five data breach victims experience fraud, according to Javelin Strategy & Research. And in 2015 alone, more than 13 million people experienced identity theft.
Malicious insiders—disgruntled existing and former employees—also pose threats to the security of valuable personnel data. In fact, 77 percent of breaches are caused by insider threats. Often, the employees may be under financial duress and tempted to make money quickly and easily.
Take the case of identity theft victim Allison Keller*. Keller thought she had a charmed life working with her best friend booking comedy clubs in the Midwest. When she started getting calls from debt collectors, she discovered her friend had accessed her Social Security number through the company’s employee information database and used it to open three credit cards and run up $90,000 in charges in Keller’s name.
How it happens
Many workplace breaches are a result of poor security, as in Keller’s case, and negligence. Devices are often lost or stolen. Employees accidentally mail sensitive data to incorrect recipients. In the office, workers may fail to use screen locks to secure their computers. Or they’ll share passwords to a system that houses sensitive data.
Unhappy employees may be wooed by competitors to trade secrets and other intellectual property, or a company’s financial data. There’s also the risk that they’ll simply want to inflict harm on the business as a way to seek revenge.
Fortunately, there are steps employees and employers can take to protect this valuable data.
Tips for employees
1. Password-protect devices. That includes desktop computers, tablets and company-issued phones to keep prying eyes away from sensitive information.
2. Store personal items in a secure location. Purses, wallets, car keys and smartphones should be kept in a locked drawer or cabinet when you’re away from your desk.
3. Guard your Social Security number. Avoid sharing this information with coworkers or leaving it in an easily accessed location.
4. Avoid storing personal information or accessing personal accounts on workplace computers.
5. Be vigilant. Pay attention to overly inquisitive coworkers, prying eyes and the latest news on scams.
Tips for employers
1. Develop a data privacy program to implement security best practices.
2. Educate employees. Invest in a robust training program to help workers recognize identity theft risks and follow best practices for data security.
3. Limit access to sensitive information, and keep it separate from lower-priority operational data.
4. Keep operating systems, software, firewalls and antivirus programs updated.
5. Institute a cyber liability policy structured to meet your business needs.