Be Wary of Inside Hackers as much as Outside Hackers

This week’s blog is adapted from an article posted by Maggie Overfelt as a special to  It reminds us that the small things matter.  When it comes to identity theft protection, we myst be vigilant at the individual and institutional level.
While systems are vulnerable and measures should be taken to secure systems from outside hackers, businesses must be wary of the inside hacker. Smart entities perform enterprise-wide risk assessments to find where their systems are most vulnerable and to spot aberrations in user behavior.

But sophisticated analytics does little to assuage situations where employees are using low-tech methods to capture information. Most systems will not handle the single bank employee just writing down on paper all the bank numbers they see that day — that’s difficult to track–and that is happening.

 Communication with employees in a position to turn rogue is key. A big deterrent in identity theft cases; if an employee feels like the company cares for them, they’re less likely to take advantage of the situation.

Experts recommend preventing the display of sensitive data in plain sight.  Company should institute a clean desk policy ensuring workers file away papers containing data before they leaver their desks, implement inactivity time outs for any tech devices, and switch to an e-faxing system which eliminates exposure of sensitive patient data on paper that’s pile up around traditional fax machines.

Experts also say that tougher penalties for and more prosecution of inside hackers would also be a disincentive for such crimes. On a general level, there can be practical barriers to pursuit of a criminal case, such as the victim company’s fear of embarrassment, reputational damage, or the perceived risk — real or not — that their trade secrets will be exposed in a court proceeding.

The Department of Justice and local authorities prosecute these cases all the time, despite what are seen as common barriers. The barriers are low when the actions are clearly wrong, such as a hospital employee stealing electronic medical records and selling them on the black market.

While the price tag for stolen information on the black market can translate to a lucrative sales career for some crooked employees, it’s a costly phenomenon for organizations once they have realized it has occurred, which is often during forensic examination of user devices after individuals left a company.

That’s usually too late to enact damage control. According to the Ponemon Institute, the average cost of a breach is $217 per record.

That’s just the hard costs, what you have to pay for notifying customers or any type of remediation services.  The bigger picture is the reputational damage that shows itself not just to the entity that suffers the damage, but to the industry.

Our efforts must be local and global–individual and system wide–it’s a lot of work–but it is an invaluable investment.

For more on identity theft best practices, please visit

by Judith