Here are top fifteen ways in which corporate information is stolen by physical means:

1. Dumpster Diving – Someone will physically go through trash or recycling bins searching for employee records, addresses, credit applications and other documents containing personal information.

2. Card Skimming – There are devices which are capable of recording the information from a credit card or ATM card’s magnetic strip. These devices will be used by unscrupulous employees, particularly at restaurants and other businesses where the credit card is often out of the owner’s sight.

3. Purse and wallet theft – Purses and wallets are stolen from employees in the workplace.

4. Computer theft – This is a very common tactic as of late. Computers with unencrypted data will be stolen. Account information and other sensitive data is often stored on workstation computers; data thieves are well aware of this.

5. Unlocked File Cabinets – Companies need to keep files on their employees and customers. You need to make sure that access to these documents is restricted during the day and ensure that these cabinets are securely locked at night.

6. Bribing employees – Thieves will pay employees to steal sensitive information for them; this information is then used to commit fraud and identity theft.

7. Social engineering attacks – Thieves will pose as fellow employees, landlords or others who would normally be permitted access to sensitive information. People will often give out this information to someone they are led to believe is officially allowed to receive it.

8. Mail Theft – Incoming or outgoing mail will be stolen, often from the receptionist’s desk.

9. Office Burglary – A break-in is perpetrated to steal documents and computers containing sensitive data. The true purpose of the break-in will often be covered up with the theft of other equipment or vandalism.

10. Phone Pretexting – Similar to the web-based tactic of “phishing”, data thieves will call posing as employees of a legitimate company who need to update records; many employees will unhesitatingly give out personal information about employees when targeted with this technique.

11. Shoulder surfing – Usually done by employees or consultants, passwords will be observed as they are typed by someone looking over an employee’s shoulder.

12. Desk snooping – Thieves will search a desk or work station for notes containing passwords (commonly used in most offices).

13. Customer List Selling or Renting – Some companies will rent or sell their customer’s information sans their consent or knowledge to marketing companies. Almost inevitably, this information will end up in the hands of criminals at some point.

14. Help Desk Support – Help desk personnel often fail to realize that identity thieves may call them posing as an employee having a technical issue so they will often give out a new password to someone posing as an employee. Since as many as 50% of help desk calls are for password resets (according to the Gartner Group)

15. Bogus service calls – Data thieves will sometime pose as a repair person to obtain access to a computer network. The thief may install key loggers or backdoors, or use a packet sniffer to record network communications.

As a business owner, you need to be informed of the methods employed by data thieves to gain access to company information and implement good security practices such as shredding documents, using P.O. boxes and requiring regular security training for employees. While almost nothing will prevent data thieves from trying, having good security measures in place may lead data thieves to seek out an easier target.

While businesses will sometimes spend a fortune on non-disclosure agreements to make sure that business partners do not divulge company information, they will at the same time often fail to train their own employees how to protect the company from data theft.

Having a good security system in place is a must today; but if it is cumbersome on your employees they will circumvent it, leaving your data vulnerable to attack and a faulse sense of security. A balance has to be maintained and one of the best way to create balace it to keep employees informed about security and how a data breach can threaten their work environment.

A Symantec report says that most breaches at small to midsize businesses are caused by people, not malware. Click here to read the entire article.

Look at all the four vulnerability point: Building – Employee – PC – Network and start implementing training, policies and solutions that are inexpensive and work.

Recently they produced an online video chocked full of basic information that hits on many of the same topics we at IDProtectionExpert.com discuss. Click the link below to view their training video and then come back and listen to what our different experts have to say on specific areas.

FTC – Protection Personal Information: A Business Guide

 The Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) have issued regulations (the Red Flags Rules) as part of the Fair and Accurate Credit Transactions Act (FACTA) of 2003. But when one also adds in Gramm-Leach-Bliley Act (GLBA) where this law recently redefined what constitutes as a financial institution, more businesses are affected. According to GLBA:

 ”Financial institutions” which include not only banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers. Among these services are lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and an array of other activities.  

 Therefore, health care providers, real estate agents, accountants, book keepers, retail stores, utilities, car dealerships, schools, etc. all fall under GLBA which intern tie to FACTA, that institutes the Red Flag Rules.

 When a data breach of either paper or electronic information occurs, all customers, patients, employees and/or vendors must be notified. A breach does not only mean when a thief or hacker breaks in, but improper disposal of sensitive documents, lost computers or storage devices with unencrypted data, dishonest employee, open posting of passwords, etc. Statistics show that careless employees’ actions account for the majority of the incidents that data thieves rely on to collect sensitive information.

 The Red Flag Rules give very little information to companies as to what policies and procedures should be put in place. Rather the FTC states that “the Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.” Typical government uselessness.

 So here are some tips:

1. Protect the building: ID badges, access control, CCTV, locked file cabinets, limited access to incoming faxes, etc.
2. Protect the employees: Security training and awareness, clean desk policy, shredding of papers, email security, etc.
3. Protect PC and Computers: Anti-virus software, data encryption, password managers, etc.
4. Network Protection: Firewalls, VPNs, monitoring, password policies, limited web access, file access monitoring programs, etc.

 With the complexity and the cross-integration required to develop a security policy, it is best to bring in security consultants and experts to work closely with your exiting CSO, CIO and IT managers. The security consultants are not there to replace anyone but rather to be a valuable tool to prevent a breach that now costs a company about $6.6 million per incident (source: Ponemon Institute ).

Most companies will never report the theft of their intellectual property. If such information got out then you can imagine what the company’s stock or investor’s valuation would be worth.

There are many ways in which a company can be compromised: dishonest employees, hackers, corporate espionage, carelessness, dishonest cleaning crews, break-ins, and the list goes on. What every corporate executive must understand is that there are four points of vulnerabilities that have to secured:

• Building
• Employees
• PC’s
• Computer Network

Actually, many times a company does not even know they have been breached. For example, if an outsider uses a legitimate User Name and Password to access the network, that breach goes undetected. Since so many employees cannot remember all their passwords they write them down on notes by their computer. All it takes is one dishonest employee or contractor to find the note, copy it and sell it on the internet for the company to be exposed.

The report goes on to say that the problem and costs may be far greater than anyone expects. You don’t have to be a large international corporation to be a target. Small startup companies are very valuable.

So if you don’t want your designs to appear in Asia, Russia, Pakistan, South America, Eastern Europe or anywhere else in the world, security has to be a key component to your business plan. We are already seeing that banks and VC will not lend or invest if you don’t have sufficient security in place.

Download the 20-tips