Companies must protect customers' information

Two major events in recent months focused attention on the fastest-growing area of cybercrime: identity theft.

The first occurred at job-hunting powerhouse Monster.com, where a Ukrainian hacker ring used an employer account to access personal information from prospective job applicants.

The information was later used for a massive "spear phishing" campaign - a recent, more dangerous take on traditional phishing methods. Spear phishing e-mails contain the recipient's personal information, in an attempt to make them more credible and increase the likelihood of a response.

Shortly thereafter, it was revealed that the same hackers also accessed personal information from the USAjobs.gov site, which is administered by Monster.com.

The second event was the discovery of personal data from thousands of U.S.-based computer users on a server in France, collected from "free gift" offers on various Web sites. The compromised server was apparently well known in hacking circles, and the data were being used for spam and identity theft attempts.

Corporate responsibility

There are many levels of federal regulation, and of state regulation in some states, to protect customer data stored electronically.

Compliance with these regulations, however, tends to vary widely. If your organization collects and stores customer data, the cost of regulatory compliance may seem steep, but it is even more costly trying to repair the damage done when the information has been compromised.

Compliance aside, there are basic steps that companies can take to protect customer information:

  • Personal data should be collected through secured servers, even if no e-commerce transactions are processed, and stored in encrypted file systems.
  • Security measures should include strong intrusion detection and prevention systems, and Internet traffic should be monitored for signs of suspicious activity.
  • Companywide security audits should be conducted regularly, to identify potential weaknesses and stay current with emerging threats.
  • All employees should be provided with security training that includes defense against social engineering techniques (e.g., phishing).

Consumer awareness

As individuals in a world where data are increasingly stored online, we need to be aware of where, when, and how that information is used.

The first step is to be careful who we entrust with the information. This includes doing business only with reputable companies, and reading privacy policies carefully.

The old adage - if it sounds too good to be true, it probably is - applies especially to free gift offers, sweepstakes, free magazine subscriptions, and other solicitations received by e-mail.

All computers and home networks should be secured (see Tech Talk, October 2007), and security software should be kept current.

The best weapon against social engineering attacks is being an educated consumer; the US-CERT Web site has useful information on how to avoid becoming a victim.

As businesses, we have a responsibility to protect our customers' information.

As consumers, we need to do our part in guarding sensitive data.

The vigilance of both parties to any transaction is essential to fight back against cybercrime.

Ken Doyle is a principal consultant for Loquent LLC, a Madison-based company that offers technology training and consulting services.

techtalk@loquent.net