A decade ago, no one had heard the term “identity theft.” Today, as many as 10 million Americans are victims of this nascent crime each year, according to the Federal Trade Commission, at a total cost of nearly $50 billion. Identity theft complaints increased 50 percent between 2002 and 2004.

Despite the prevalence of the problem, many businesses have failed to protect their customers from would-be thieves. On June 17, MasterCard Intl. announced a security breach of its customers’ information that could expose up to 40 million cardholders to fraud. That was just the latest in a string of breaches at many high-profile companies, including Citigroup Inc., Bank of America Corp., DSW (Discount Shoe Warehouse), and LexisNexis.

“I would say the majority of [security breaches are a result of] laziness,” says Steve Epner of Brown Smith Wallace, a technology consulting firm in St. Louis. “People just haven’t made it a high priority. If they’ve never had a problem with stolen information, they don’t care.”

Identity theft occurs when someone uses someone’s name, address, Social Security number, bank or credit card account number, or other identifying information without the victim’s knowledge with the intent to commit fraud or other crimes. A stolen wallet can provide theives with all of the above, but the threat has increased exponentially in the last decade courtesy of the high-tech world.

Computer hackers can remotely access a business’s network to steal confidential customer information, including credit card numbers, and use the information to appropriate the customers’ identities. Hackers also are interested in e-mail lists, which can be sold for top dollar to spammers or the business’s competitors.

The problem will get worse before it improves, says Epner. Each new technology becomes a challenge for hackers. Recently, criminals discovered how to break in to telephones and PDAs equipped with Bluetooth wireless technology and steal all the information stored in the devices.

Distributors typically understand the importance of protecting their customers’ data, but it is often less clear how to do it in a meaningful way.

“The U.S. government and Microsoft have been hacked. If they can’t afford to build a hack-proof system, you can’t either,” Epner says. “But most of us, with basic care, can take care of the little things that will hit us.”

Legal Issues
Protecting customers from fraud has always been a moral issue for businesses. Soon, it may become a legal matter.

Identity theft has been a federal crime only since 1998. There are few laws on the books that protect citizens from this type of fraud or that hold businesses accountable for losing their customers’ data. That could soon change.

In March, U.S. Senator Jon S. Corzine, D-N.J., unveiled the Identity Theft Prevention and Victim Recovery Act. The legislation would require financial institutions and other commercial entities to establish security systems that safeguard the sensitive personal information in their care. Under a provision patterned after U.S. securities regulations, the bill would also require corporate officers to attest that their companies have adequate measures in place to secure customers’ personal data.

“Make no mistake about it, identity theft poses a very real threat to our economy, and it is on the rise,” said Sen. Corzine in a press release. “In fact, it’s our nation’s fastest growing crime. With so many instances of fraudsters seeking to abuse an individual’s good name, it is clear that more must be done to prevent the proliferation of identity theft.”

Taking Action
Distributors shouldn’t wait until their company has a problem to think about security. “It is so easy and inexpensive to protect yourself against 90 percent of all of the threats out there that to not do it is ridiculous,” Epner says. There are several steps distributors must take to ensure the secrecy of their customers’ personal information.

1. Shred: The simplest and least expensive security measure a company can take is to never print anything with customer data on it. When confidential information is printed, it should be shredded before leaving the building.

“We don’t just throw lists out the door,” says Harry Babb, vice president of operations for Waxie Sanitary Supply in San Diego. “We shred everything.”

Waxie is an exception to the rule, Epner says. Although shredders are inexpensive and easy to use, most companies don’t even take this simple precaution.

“People throw things away in the garbage, like reports that have Social Security numbers, and you think, could anybody really be that stupid?” Epner says. “The answer is yes, every day of the week.”

2. Firewall: Computers have made business easier — and more susceptible to thieves. Protecting electronic data is perhaps the most important and most difficult thing a distributor must do.

Any distributor that has multiple computers connected via a network, or intranet, should add a firewall to the system. Available as hardware or software, a firewall is designed to prevent unauthorized outside users from accessing your network. All information entering or leaving the network passes through the firewall, which blocks anything that doesn’t meet security criteria.

“If you don’t know what a firewall means, ask your 13-year-old kid and they’ll put it on for you,” Epner says. “It won’t cost much money and it will protect you against almost everything that can be a threat.”

3. Intrusion detection: Many people believe a firewall alone provides complete protection from hackers. “If you believe that, I have bridge I’d like to sell you,” says Babb. A comprehensive computer security system should offer multiple layers of protection. In addition to the firewall, companies ought to consider installing an intrusion detection system, or IDS.

A firewall simply restricts access to the network to a few designated points. This often keeps hackers out, but a firewall cannot detect when someone is trying to break into your system. An IDS is more dynamic, recognizing attacks against the network.

“IDS is a big deal and everyone should have it. It is like someone sitting on your network and constantly watching what’s going on,” says Neil Bakker, IT Manger for Dalco in New Brighton, Minn. “It alleviates a lot of stress.”

4. Virus protection: The most common way for a thief to access a computer system is to infect it with a virus. Viruses with “back doors” install a program onto computers that turns them into open sources that are easily hacked.

Bakker suggests companies perform a security vulnerability scan of their networks. Distributors can hire a company to do it (they are easy to find online), or Microsoft has a scan program that shows distributors where the system is vulnerable to a virus and how to fix it.

“It’s one of those things that’s baptism by fire. No one wants to spend money on it until they have problems,” Bakker says. “A virus can be the bridge to get someone into your network and steal data.”

5. Encryption: The most sensitive data a distributor typically stores is its customers’ credit card numbers. While it is best to keep this information off the electronic network, it simply isn’t always possible.

To protect credit card information, companies should restrict the number of employees who have access to it. Also, they should invest in encryption programs, particularly if the company offers online ordering. Dalco’s customers frequently order from its website. The company uses secured socket layer (SSL), a protocol developed for transmitting confidential information via the Internet, to encrypt credit card numbers so they cannot be stolen.

6. Password protection: For all the attention paid to computer hackers, the biggest threat to company data probably comes from the people inside the building.

“Security is a global issue, it’s not just about electronics,” Babb says. “With retail stores, the greatest theft doesn’t come from people shoplifting, it comes from the employees. Security is the same. You could suffer the greatest losses from employees.”

Information always should be given to employees on an as-needed basis. Use rotating passwords to restrict access to the network and its systems. Whenever possible, place employees at “dumb terminals” (those without Internet access) to prevent them from transmitting files via the Internet.

7. System removal: The most threatening person to a company is a departing employee. Someone with an axe to grind or with ambitions of becoming a competitor can cause many problems. The moment an employee’s tenure ends, his or her access privileges must be terminated.

“When employees leave, you have to get them off the system,” Epner says. “A lot of people are very sloppy about this.”

8. Update: With good security systems in place, most threats can be eliminated. However, technology is constantly evolving and each new change brings new potential problems. “Too many people see technology as an event rather than a process,” Epner says. “They put in a new system and then ignore it. You have to continue to train and implement new security. It needs to be something you do everyday.”

Becky Mollenkamp is a Des Moines, Iowa-based freelance writer, and a frequent contributor to SM


Feeling Secure?
Are you looking for up-to-date information on the ever-expanding computer security world? Then Astalavista Security Group may be the website you’ve been searching for. This Web page (a “hacker computer enthusiast” created it in 1997) has become one of the most respected and frequented security sites on the Web.

The site includes security news, the top 50 security tools, and a security directory of recent security problems. There are also methods to prevent or eliminate them. Whether you are an expert or a beginner in the area of computers, Astalavista.com can provide you with the necessary tools to protect your company’s computers from Web-related threats.

One-Stop Security Web-Source
Those in charge of IT security at your office will be thrilled to persue the contents of www.sans.org, a clearinghouse of information dedicated to the technical aspects of computer system protection.

Some features of interest: an “Internet Storm Center,” which lists the most current — and pressing — security threats, and free research and e-newsletters.

Much of the site’s contents are free. Security training — the company’s backbone — comes at a price, however. The SANS
Institute offers several educational programs, geared toward security professionals.

Online Access to SM Buyer’s Guide
Search SM’s Buyer’s Guide listings online at www.cleanlink.com/sm. Just find “Buyer’s Guide” in the left column, click, and you’ll be transported to listings for manufacturers, wholesalers, brand names and products — all without leaving your computer.