February 28, 2006

Protect Your Customers' Data, Thus Protect Your Biz.

By David R. Butcher

Despite last year's spate of breached personal data records, many businesses continue to inadequately protect such treasure. Here are some basic self-defense rules for businesses maintaining people's personal information.

The most invaluable treasure of businesses nowadays is data: name, age, gender, addresses, Social Security number, income, employment, birth date, employee information and credit history — to name some consumer information that businesses should protect as a mother does a child. If you give that extra effort to protect your customers, you are sure to see the return in loyalty.

Yet many businesses still are inadequately protecting such treasure against the scourge of identity and information theft. Consider these stats, from the Orange County Register (via the Akron Beacon Journal):

• In 2005 alone, the security of 56.2 million people's computerized personal data was compromised;
• More than half (51 percent) of identity thefts are done by employees or contractors inside a company; and
• Federal law holds employees liable for loss or theft of employee information, with fines that can be $2,500 per employee.

Just last month, the Federal Trade Commission (FTC) announced that consumer data broker ChoicePoint, Inc., which last year acknowledged the breach of 163,000 personal data records, must pay $10 million in civil penalties and $5 million in consumer redress to settle FTC charges that its security and record-handling procedures violated consumers' privacy rights and federal laws.

So how can companies better protect their customers' and employees' private, supposedly confidential information? The following are the Council of Better Business Bureau's basic self-defense rules for businesses maintaining people's personal information:

• If you don't need it, don't collect it. This seems obvious, but many businesses collect more information than they need. The more you have, the more tempting it becomes to a thief and the more damaging it is to your customers if the information is stolen.
• If you need it once, don't save it longer. Companies sometimes collect information that is necessary to complete a single transaction, then compulsively file that information away (either in a paper file or in a computer file). Again, if you aren't required by law to keep the information, and you seldom, if ever, use it, then get rid of it. If you don't keep it, it can't be stolen.
• If you've got it but you don't need to save it, dispose of it carefully. A lot of identity theft happens in the trash barrel or dumpster. Even the smallest business can afford an inexpensive paper shredder. Make sure you use yours to destroy customer or employee records.
• If you have to keep it, think security. First, make sure those paper records that contain personal information are kept under lock and key when they aren't in use. Make sure computer terminals are password protected. Limit the eyeballs that have access to these records — only those who have an absolute need-to-know should have access to personal information. Do not allow customers or others to wander around the private areas of your business.
• Don't broadcast personal information. Instruct your employees to be sensitive to personal-information issues. Turn computer screens so they can't be viewed by anyone other than the operator. Instruct employees who need access to personal information to have customers jot that information down, not repeat it out loud where it can be overheard by others.
• Don't use Social Security numbers as account numbers. Although uncommon, this practice is simply dangerous — indeed, downright stupid — to you and your customers.
• Don't give out employee/customer information to anyone whose identity can't be positively confirmed. Posing as government agencies or health insurance providers, information thieves and stalkers have found that a well-crafted, believable story can often get past the best locking file cabinets or password-protected computers. Often, they simply call small-business owners or personnel departments and ask for the personal information. Your organization should have very strict policies on when and how employee or customer information is shared.

As for online-specific security, the advice we provided in our "Prevent Computer Attacks at Home" post applies equally to small and midsize businesses (SMBs). However, businesses face a number of special challenges that most consumers do not.

That having been said, let us recap the basic consumer rules that apply equally well to businesses, and add the Council of Better Business Bureau's business-specific rules:

• Limit Access. Make sure your computer server(s) are placed in a secure location, with a controlled environment. Limit access to a few trusted employees whose duties include responsibility for the computer system. Mission-critical data should be available to employees on a "need-to-know" basis, separately password protected and, if possible, encrypted.
• Passwords. Use a password protection system for authorizing network logins. Avoid simple passwords; instead, users should choose cryptic phrases that combine numbers and upper- and lowercase letters. The system should require all users to change passwords when they first log on and regularly thereafter (at least every 90 days), and it should "lock out" prospective users if they fail to enter the correct password three times in a row.
• Virus Protection. Install antivirus protection software on all of your computers. Scan your computer systems for viruses on a regular basis. Never disable antivirus software, and check frequently with your software provider for virus updates.
• Firewalls. Equip your computers with firewalls. Firewalls should be installed at every point where the computer system comes in contact with other networks — including the Internet, a separate local area network (LAN) at a customer's site, or a telephone company switch. Check to make certain your Internet Service Provider (ISP) has filters to help keep out intruders.
• Download and install security "patches." Most software vendors release updates and patches to correct security vulnerabilities in their software. Frequently check with your software vendors for new security patches, and download and install them on a regular basis. Or you may choose to use the new automated patching features that perform these tasks for you.
• Back up your computer data. Back up your computer data on a regular basis, at least weekly. Make sure your employees know to do weekly backups of all their important data.
• Regularly check for suspicious activity. Almost all firewalls, encryption programs and password schemes include an auditing function that records activities on the network. Businesses should check logging data and audit trails regularly to look for unusual or suspicious activity.
• Be aware of file-sharing risks. Hard-drive file sharing on a network can lead to virus invasions or competitors being able to look at the files on your computer. Unless you really need the ability, turn off file sharing. At the very least, do not share access to your computer with strangers!
• Educate your employees. Develop and enforce a companywide computer and physical security policy, one that instructs employees:
o Not to open e-mail from unknown sources;
o What to do when they receive suspicious e-mail;
o To disconnect from the Internet when it is not in use;
o To consider the risks of file sharing;
o How to perform data back-up procedures; and
o Of actions to take if their computers become infected.
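As an added example, not code from this article or from the Council of Better Business Bureaus, here is a small Python login-policy checker that applies the "Passwords" rules above (lockout after three wrong passwords in a row, forced change at first logon and after 90 days) together with the audit-trail review from "Regularly check for suspicious activity"; the user names, dates and attempts it runs on are constructed.

```python
# Added example, not code from the article or the BBB: see the lead-in for the rules.
from collections import defaultdict
from datetime import date, timedelta
MAX_FAILURES = 3                       # lock out after three wrong passwords in a row
MAX_PASSWORD_AGE = timedelta(days=90)  # force a change at least every 90 days

class LoginPolicy:
    def __init__(self):
        self.failures = defaultdict(int)  # consecutive failures per user
        self.locked = set()               # accounts that tripped the lockout
        self.audit = []                   # audit trail of every decision

    def attempt(self, user, password_ok, last_change, today):
        """Decide one login attempt and record it in the audit trail."""
        if user in self.locked:
            decision = "locked"           # stays locked even with the right password
        elif not password_ok:
            self.failures[user] += 1
            decision = "failed"
            if self.failures[user] >= MAX_FAILURES:
                self.locked.add(user)
                decision = "locked"
        else:
            self.failures[user] = 0       # a success resets the counter
            # first logon (no change on record) or stale password: force a change
            if last_change is None or today - last_change > MAX_PASSWORD_AGE:
                decision = "must-change-password"
            else:
                decision = "ok"
        self.audit.append((today.isoformat(), user, decision))
        return decision

def suspicious_users(audit):
    """Accounts that hit the lockout: what a regular log review should surface."""
    return sorted({user for _, user, decision in audit if decision == "locked"})

def demo():
    # Constructed sample attempts (not real log data); returns decisions and flags.
    today = date(2006, 2, 28)
    p = LoginPolicy()
    results = [
        p.attempt("alice", True, date(2006, 1, 15), today),  # 44-day-old password: ok
        p.attempt("bob", True, None, today),                 # first logon: must change
        p.attempt("carol", True, date(2005, 10, 1), today),  # 150 days old: must change
        p.attempt("dave", False, date(2006, 2, 1), today),   # wrong password 1
        p.attempt("dave", False, date(2006, 2, 1), today),   # wrong password 2
        p.attempt("dave", False, date(2006, 2, 1), today),   # third in a row: locked
        p.attempt("dave", True, date(2006, 2, 1), today),    # right password, still locked
    ]
    return results, suspicious_users(p.audit)
```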

Brief employees and management regularly on these policies, new security threats, corrective measures and incident reporting procedures. Further, make it a rule that your organization remove a departed employee's network access immediately. You may also want to disconnect that employee's terminal from any form of external access (such as a dial-up modem connection).

Finally, you may want to consider purchasing encryption software. Even if an intruder manages to break through a firewall, the data on a network can be made safe if it is encrypted. You can purchase stand-alone encryption packages to work with individual applications, in addition to good encryption software that is in the public domain.

Guard your data. Protect your customers. Protect your business.


References

Jan Norman, "How businesses can protect computer data," Orange County Register (via the Akron Beacon Journal), Feb. 20, 2006.

Council of Better Business Bureaus, "I.D. Theft."

Microsoft, Security Guidance Center.

CK Business Electronics, "Six Essential Security Tips."

Comments

1 Comment

The proficiency of my work has increased due to modern designs which blend into any office environment. All models of shredders accept stapled documents.

January 16, 2009 4:36 AM

Copyright © 2009 Thomas Publishing Company