Identity Theft: An Inside Job

Opinion: To deter identity theft, companies need more than IT security.

Companies that engage in financial transactions are bound by law to establish and enforce information security programs to prevent identity theft. However, current laws focus primarily on IT security. Certainly, IT security is essential, but IT security alone is insufficient. Why? Because computers and network systems do not steal identities—people do. Recent research at the Identity Theft Crime and Research Lab at Michigan State University, and since corroborated in several other studies, indicates that most identity thefts occur in the workplace.

Contrary to common thought, most identities are not stolen by Dumpster divers; by robbers of mailboxes, autos and homes; or by purse and wallet snatchers. Most identity thefts are committed by contract workers in entry-level jobs. Many times, these hires are selected via outsourced staffing agencies that fail to use adequate screening. These workers arent the only internal threat. Suppliers and vendors with access to pass codes, passwords, or departmental and building key codes are often culprits. And upper management can also be guilty.

In addition, outside hackers often work with inside predators. These insiders comprise the relatively few workers who steal co-workers and customers identities. In addition to IT security, therefore, a comprehensive information security program must include personnel security.

Unfortunately, traditional personnel management is outdated for 21st-century business problems. Today, every facet of the personnel function must include security procedures, beginning with personnel recruiting and including personnel selection, acceptance of the honest company culture, and recognizing employees who support the internal security of personal information.

But IT security and personnel management security are still insufficient. A comprehensive information security program must also secure work processes. An information work process involves tasks performed across job positions that require knowledge of personal identifying data.

An example is bank loans. From initiation by the consumer to final approval by the bank officer, several job positions have access to the customers personal data. Information process risk assessments can identify a departments information work processes, identify susceptibilities to theft in those processes and propose ways to secure work process weaknesses.

I recommend the formation of teams of employees and managers to handle personnel management and work process security. When these corporate activities are addressed, together with IT security, businesses can know they have done all things possible to prevent identity theft.

Judith M. Collins is a professor at the School of Criminal Justice, Michigan State University, and author of "Preventing Identity Theft in Your Business: How to Protect Your Business, Customers, and Employees." Free Spectrum is a forum for the IT community and welcomes contributions. Send submissions to


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.