Identity theft can hit businesses, too — here’s how to protect your firm

When most people think of identity theft, they tend to imagine a hacker using stolen credit card information to buy high-ticket items, or using Social Security numbers to open fraudulent accounts.

But “from a criminal’s perspective, it is significantly more cost-effective to steal business identities than consumer identities,” said Steve Cox, of the Better Business Bureau in Minneapolis.  Once these thieves become a firm’s fraudulent representative, they can open lines of credit, purchase equipment and electronics, and even rent temporary office space.

When assessing your firm’s security plan, be sure to create awareness about the risk and put controls in place that can help. Here are some ideas to reduce your theft risk:

Classify and manage data: According to Jeremiah Talamantes, founder and managing partner of Minneapolis-based consulting firm RedTeam Security, the first step in preventing commercial identity theft begins with taking steps to formally classify data. A written policy should classify data based on the elements that make up the data in terms of how the organization typically handles it.

For example, information about the firm’s financials should be classified as confidential, with a mandate that employees encrypt it in electronic form. Hard copies should be shredded once they are stored digitally.  This classification and management will thwart identity thieves who are trying to find unprotected data they can use to impersonate a company representative.

Train associates and partners in security topics, said Craig Wilson, director of information technology at law firm Winthrop & Weinstine. “We have a controlled environment, so identity theft would be very difficult for someone to pursue inside our firewall,” he says. “However, we’ve heard stories about how it’s blossoming in social media and we do take measures to make sure our firm is secure.”

For example, Wilson noted that an attorney from another firm had his identity stolen though a fraudulent profile on LinkedIn. The thief set up the system so that emails meant for the attorney would go to him instead. To prevent this type of career-killing move, Winthrop and Weinstine’s marketing department was very proactive when LinkedIn first went up, making sure that every attorney set up an account. Wilson says, “This aided in controlling the information the public had access to, as well as preventing false impersonations.”

According to the Small Business Administration, one of the surefire ways to put your company at risk for business identity theft is to put sensitive information online. This can include an employer identification number, account numbers, or financial documents. If you have to use an online service that requires this information, make sure the site is secure and its security certificate is up to date.

Not all commercial fraud and identity theft originates from external bad guys. The perpetrator may be a company insider, acting within the firewall. Separate duties, so more than one person must complete a task or approve a process. For instance, an arrangement could be made with the organization’s bank to require two separate approvals in order to establish a line of credit.

Internal identity theft risk can also be lowered by establishing good access-level controls. An intern shouldn’t have the same access to data as a firm’s partner, for example.

Monitor credit reports more often: Similar to individuals checking their credit histories with reporting bureaus, firms can use credit monitoring services with all three major business credit agencies (TransUnion, Experian, and Equifax). These services generally offer email alerts about any new or potentially malicious activity occurring on a company’s credit files. If your “accounting manager” is attempting to open a line of credit at 3:00 a.m., in other words, you’ll want to know about it.

Elizabeth Millard has been writing about technology for nearly 20 years. Her work has appeared in ABA Journal, Law Office Computing, Business 2.0, eWeek, and TechNewsWorld.