Confronting Identity Theft

Practice Management

The cyber crime whack-a-mole contest continues; a recent blog entry discusses the persistence of identity theft and suggests steps that can be taken against it. 

In “The Return of Identity Theft: The Risk Fights Back,” Alison J. Cohen of the Ferenczy Benefits Law Center LLP and David Kruse of Tetra Defense warn that “identity thieves are getting more creative and sophisticated” and that the effect of their efforts is compounded by the current environment. 

During the pandemic, work from home has increased, often on insecure networks; Cohen and Kruse note that more clients are sending information to service providers through unsecure email. 

The most significant threats at this time, Cohen and Kruse say, are ransomware, wire transfer fraud and penetration of business email. They argue that there are two reasons for this: these attacks can be very profitable to cyber criminals, and it’s hard to prosecute perpetrators. And, they add, most organizations are not readily able to protect themselves from such attacks. 

The Consequences

If a cyber attack happens, what are the consequences? Cohen and Kruse note that if confidential information about participants is exposed, under most laws the company must take two actions regarding participants: inform them of the attack and offer them free credit monitoring. In dollars and cents, that translates to $1.50 per affected participant to inform them by mail, and possibly as much as $30 per participant for credit monitoring. In addition, the crime itself can result in additional expenses. 

But that is not the end of the potential consequences, Cohen and Kruse suggest. For instance, they say, it is possible that a company will seek compensation from whatever company developed the computer system that was breached. And a company will suffer losses due to the expenditure of time, the effect of stress that results from a cyber attack, and the costs due to negative effects on relationships with clients. 

Action Steps

Cohen and Kruse have a variety of suggestions regarding how one can prevent a cyber attack and protect sensitive data about the firm and participants: 

  • Insurance. The authors warn that standard insurance often does not cover cyber events, and even if it does, it is likely that any payments will be insufficient to cover the event and related expenses. Rather, Cohen and Kruse suggest, a cyber insurance policy would provide better coverage for such a circumstance. 
  • Multi-factor Authentication. This, Cohen and Kruse note, requires users to provide a secondary piece of information to gain access to a system. They argue that it is especially important when users access a system remotely. 
  • Patch and Update Systems and Services. Cohen and Kruse suggest deploying security-related patches “as soon as possible.” This applies to network infrastructure, servers and workstations, as well as the services and applications installed on them.
  • Monitor Exposure to the Internet. Cohen and Kruse suggest limiting the exposure of email servers, file transfer mechanisms, remote access services and web servers to the Internet. 
  • Anti-malware Tools. Cohen and Kruse posit that advanced anti-malware tools are preferable to more traditional signature-based antivirus protection. But they argue that it is equally important to actively monitor the tools’ output and the alerts they generate. “Getting warned is only helpful if you see and heed the warning,” they write.
  • Training. Cohen and Kruse believe that information security awareness training should be a priority, and that every employee should be viewed as a human firewall. “Proper training is an essential aspect of an information security program,” they argue.   
  • Sometimes Less Is More. Cohen and Kruse suggest that implementing a strong security program need not necessarily entail significant costs and administrative complications. They observe that often, companies already have the tools they need but need to activate and configure them in a better way. 
  • Adopt a Positive View of Information Security. Cohen and Kruse argue that information security is often considered an impediment, and that to be effective, such a program needs the contributions of someone with specific expertise. And they suggest that strong collaboration between information security and information technology will increase efficiency.