Surveys from the Bureau of Labor Statistics discuss how telework was on the rise before the COVID pandemic, increased substantially due to the pandemic, and is projected to continue in a post-pandemic and highly digital world. However, as workspaces are redefined in the digital era, there are also new risks that need to be mitigated in regards to cybersecurity and identity theft for remote workers.
The Costs of Identity Theft to Employees and Businesses
A survey on the impacts of identity theft noted that 32% of respondents claim identity theft caused issues with their place of employment. Some victims of identity theft who participated in the survey also commented that they lost their current job, lost future job opportunities, and even experienced their pay or insurance benefits being withheld.
Victims of identity theft also reported impacts on their interpersonal relationships such as:
- Increases in arguments and fights with family and friends.
- Feelings of loss of trust.
- Feelings of isolation.
- Lack of support from family and other relationships.
Furthermore, those that experienced identity theft also dealt with financial repercussions. Out of the respondents for the survey, 29.8% reported asking family and friends for financial assistance, and 37.3% of respondents that could not receive financial support went without fulfilling the need. An alarming 42.8% noted that their identity theft resulted in debt, and 40.5% could not pay their bills.
Additionally, employers store a large amount of employees’ personal information for which they may be liable, which makes them a tempting target to cybercriminals. A data breach to a business may result in an employee’s sensitive information being stolen and used to gain access to financial accounts or to create false new ones. Employers that do not protect employee data may be held liable to federal laws, state laws, and privacy legislation.
How Cyber Criminals Harvest Personal Information
There are many ways that cybercriminals access data through lack of security, such as:
- Weak or stolen passwords or credentials.
- Application vulnerabilities and back doors.
- Too many or over complex access permissions.
- Insider threats that provide access to data.
- Improper or oversharing of sensitive information.
- Physical attacks to improperly stored physical copies of information.
- User error and improper configuration of security measures.
- Lack of training to employees on proper security measures.
Methods Cybercriminals Use to Access Sensitive Data
There are a diversity of methods and tactics that cybercriminals may use to access sensitive data and steal identities. This may include:
- Malicious software, commonly known as malware, is software that is loaded without intention that allows a hacker to exploit or gain access to connected systems. The malicious coding of malware can:
# Self-replicate in different parts of a file system.
# Install applications that capture keystrokes and passwords.
# Commandeer system resources without the user being aware.
# Block access to files or parts of the system, which can be used as ransom for payment.
# Break essential components of a system or code which may render a device or program inoperable.
- Hacking takes many forms, some include:
# Exploiting a vulnerable software or network system to gain entry to sensitive data.
# Distributed denial-of-service attacks (DDoS) make a machine or network unavailable to intended users by disrupting the services of the host connection to the server.
# SQL injections disrupt the queries an application makes to a database. This can allow a hacker access to view, modify, or delete data.
# Man-in-the-middle attacks (MitM), also known as eavesdropping attacks, occur when a hacker intercepts data in transit.
- Data harvesting is the collection and extraction of data from online sources. This may include metadata from social media, email attachments, or documents that have been published. This information is generally leveraged in a larger scheme to appear credible, such as a phishing or social engineering scam.
- Phishing scams are crafted and fraudulent communications that appear to come from a credible or reputable source. The goal of a phishing scam is to obtain sensitive data from an individual or to gain entry to install malware.
- Social engineering utilizes data harvesting and psychological manipulation to trick an individual or user into giving away sensitive information to what they perceive as a credible source.
- Doxing and cyberbullying include threatening to reveal sensitive information about someone to coerce them into meeting a cybercriminal’s request, such as granting access to the storage of sensitive information.
- Exploiting a company-wide data breach. A company-wide data breach can provide access to the sensitive information stored for hundreds or multi-millions of users.
Employer Responsibility and Actions to Protect Employee Information
Employers often hold sensitive financial and HR information about employees that can lead to identity theft if accessed through cybercriminal activity. This may include a person’s name, date of birth, tax records, and Social Security numbers, alongside other personal information that a business has collected from their employees through email and other employee monitoring practices.
The following best practices for business cybersecurity are necessary to protect employee information, devices, and workflows, as well as to support remote workers and their ability to manage company and employee information and data:
- Developing a data privacy program. This includes surveying the entirety of the business, employees, and data to create both internal and external privacy policies and emergency preparedness plans.
# A privacy program should also include a disaster recovery response plan for any successful or failed breaches or attacks.
# Furthermore, a data privacy program should also include policies and privacy features and restrictions on sharing information. This may include regulating file-sharing programs or avoiding link sharing that can provide unintended access to users.
- Implementing employee education for:
# Properly utilizing operating systems.
# Installing and upkeep of anti-virus programs, software, and firewall updates.
# Recognizing potential phishing or social engineering scams and how to report them.
# Understanding liability and the importance of safe and secure practices when sharing and keeping information and documents secure.
- Keeping IT infrastructure up to date. For remote teams, this may include updating work-from-home infrastructures, such as utilizing managed service providers that can actively manage IT, software inventories, technical support to staff, and account access.
- Including remote access software with your work from home policies can bolster security through remote monitoring and management of collaborative access, communication channels, and file transfer servers. Remote access and support for employees and devices can also provide real-time monitoring and alerts for system resources, as well as keep systems protected with the latest updates, patches, and security tools.
- Utilizing network discovery tools can allow businesses to automatically search and find all devices that are connected to the network. Network discovery can be integrated into remote management software to bolster network security by spotting, identifying, and investigating devices and potential security breaches with constant network scans.
# Careful management of a network is especially crucial for business models that operate with a bring your own device (BYOD) business model that allows remote workers to utilize personal or handheld devices for work-based operations. BYOD business models should also be accompanied by remote worker training and support to ensure that personal devices that have access to sensitive information stay secure.
Data Security Tips for Remote Workers
The COVID pandemic instigated identity theft trends that targeted and focused on Americans working from home. The transition to remote work that was instigated by the pandemic is projected to continue in the future, with an estimated 70% of the workforce estimated to work remotely by 2025.
While remote work makes large changes to the economy and workflows — fewer office spaces, increased engagement, and performance management — it also includes a deeper reliance on information and data security from remote work practices, operations, and devices. Consider the following data security tips for working remotely:
- Use best practices when creating passwords and credentials for devices that you use for any remote work activities. Passwords should include both uppercase and lowercase letters, numbers, and symbols.
- Keep devices updated as manufacturers release software updates. Many updates include enhanced measures for security vulnerabilities found in their software. In addition to manufacturer updates, remote workers should ensure that their security software is regularly updated.
- Learn to identify phishing and work-from-home scams that target remote workers.
- Avoid storing unnecessary, personal information, or accessing personal accounts on work-specific devices.
- Stay up-to-date on workplace policies for:
# How your company shares information internally and externally.
# Your workplace’s disaster preparedness and recovery plans.
# The IT infrastructure and how to utilize it for support, security, and assistance.
# How your workplace stores, protects, and disposes of sensitive data.
- Practice caution when video conferencing and screen sharing. This includes only using videoconferencing platforms that have been secured for business as well as ensuring that any important documents or information are not open or visible during a screen share presentation.
- Use a private VPN when working with sensitive data, and never use public Wi-Fi when working with or sharing private data and information.
- Never leave remote work devices unattended in public spaces which can provide opportunities for theft.
Steps to Take When You Suspect Your Personal Information Has Been Exposed at Work
If a data breach occurs at your workplace, or you feel that your personal information may have been exposed, consider the following steps.
- Proactively notify your employer and follow through with your workplace privacy, data security, and emergency policies.
- Ask and check for immediate updates from the company and follow through with any provided steps.
- Immediately change your usernames and passwords for both personal and work devices and software.
- Sign up for two-factor authentication or two-step verification when possible for additional layers of security to your logins and accounts.
- Contact your financial institutions and credit reporting bureaus. Monitor your personal accounts and regularly check your credit report. Be aware of and report any new or unrecognized activity or unauthorized purchases.
- Check to see if your employer offers free credit monitoring services for those impacted by the breach and sign up for credit or identity monitoring services.
- Contact your nearest police precinct and notify them of your situation to establish a legal basis for any future fraud disputes.
- Contact and file a formal report of the breach and identity threat with the Federal Trade Commission.
Resources for Identity Theft Victims
Aside from reporting to the Federal Trade Commission, there are other valuable resources that individuals can use when actively dealing with or preventing identity theft. These include:
- The United States Department of Justice, which provides informational resources on common identity theft scenarios, prevention techniques, and additional resources for identity theft victims.
- The United States Postal Inspection services perform identity theft investigations. You can contact them by calling 1-877-876-2455.
- The U.S. Secret Service is responsible for investigating and reporting on fraud and scams. The website offers information for protection and prevention, as well as what to do if you suspect fraud or criminal activity. You can also file a formal complaint if you are a victim of fraud and identity theft.
- The Internet Crime Complaint Center (IC3) is sponsored by the Federal Bureau of Investigation and the National White Collar Crime Center. After submitting a complaint to the IC3, your case may be referred to a federal, state, local, or international law enforcement or regulatory agency for further investigation.
- Police1 offers a national and comprehensive directory of federal, state, and local law enforcement agencies in the U.S. If you suspect you are the victim of fraud and identity theft, it is essential to contact your local police department to file a claim.
- The U.S. Social Security Department provides resources for those who suspect their Social Security number may be stolen and used fraudulently.
- Credit Monitoring: You should regularly check your credit report for inaccuracies and suspected fraud. You can request a free credit report from AnnualCreditReport.com. You can contact the credit reporting bureaus directly if you suspect fraud and identity theft. These include:
- There are also Useful Guides to Working Remotely that discuss tools, workspaces, workflow, and other innovative work-from-home tips.
- Security.org offers a free password strength tool that can check the security of your password, as well as provide information and support on the importance of password security, and how to make a secure password.