When Personal Identities Are Stolen, The Bad Guys May Get The Business

Security experts say it's time for enterprises to get more involved in protecting employees' personal data
So what role should enterprises play in protecting employees' personal information? The first step is to add personal information security training to the corporate security awareness program, experts say.

"If you don't train your people on the personal side of the threat, then they won't give a damn," Sileo says. "We're all more self-interested than we are interested in the welfare of company data. Teach your people to take care of their own data, and be aware of the consequences of losing it. If they understand those things, there's a good chance that they'll extend the knowledge and practices over to their corporate systems."

Companies should also consider offering identity theft protection services to their employees -- not as a benefit or perk driven primarily by the human resources department, but as a means of protecting business data on personal devices, driven by business managers and the IT organization, Rohrbaugh says.

Vamosi notes that many businesses currently keep identity theft protection and resolution services on retainer, so they can tap those services if data theft or other breaches occur. In fact, businesses account for an increasingly large portion of the revenues earned by identity theft protection services, he says.

"Over the last few years, the number of [individual] customers signing up for identity theft monitoring services has actually gone down," Vamosi says. "But when we talk to the services themselves, they say they are doing well. That's because businesses are making up more and more of their revenue."

In a perfect world, companies would extend their security initiatives to protect employees' personal data as well because it helps build a culture of security and makes the company a better place to work, Sileo says. "It fits well with the idea of putting a gym in the building," he says. "It makes people feel better about the company they work for."

In reality, though, most companies don't initiate personal identity theft programs until they have been hit with a security breach, Sileo concedes. "The difference between a company that cares about this level of security and one that doesn't is usually getting hit," he says. "They just don't see the havoc that [personal identity theft] can cause until it happens to them. That's why I'm out there talking about it -- maybe by hearing what happened to me, they can get a sense of what it's like and do something about it before it happens to them."
