Identity Theft in the Organization - Research Paper Example

 Identity Theft in the Organization Introduction Identity theft is defined as a situation in which a person steals the whole identity of a person that he or she has studied for some time; it may be the identification number or social security number. This is obviously without the consent of the victim and the thief uses the information to involve him or herself in fraud or other forms of crime. On average, 9 million Americans have their identities stolen annually. In numerous organizations, it is usually not possible for clients to know who deals with their personal identification details and in addition, how trusted they are. However, in other organizations this is something that is known. This is especially in hospitals where the patients use their social security numbers and in financial institutions. This paper discusses the issue of identity theft, how major institutions govern the information of clients and additionally, recommendations on how to stop identity theft. Body How organizations should monitor employee web surfing and emails To start with, the organization can create the post of an ethics officer. The web surfing history of the employee is something that should be monitored closely if organizations want to be sure of the operations that an employee is carrying out. In addition, this is something that if an organization fails to adhere to, may lead to the loss of not only the data of the clients but overall bad image of the organization. There are numerous ways and means of monitoring an employee’s web surfing and email history (Henk, Tilborg, & Jajodia, 2011, p. 1248). An ethics officer is someone who is employed by an organization to ensure that employees do not go against the rules and ethics of the work station. This is a post that is however given to a very trusted employee since he or she is trusted to guide the other employees so as not to steal data from the organization. The workstation is something that is clearly important if the organization is dealing with matters that may lead to identity theft and therefore, there should be rules and regulations that govern the way the employees perform and conduct themselves. On the other hand, sometimes the employees fail to adhere to these rules and it is at this point that the ethics officer comes in. One of the major rules in an organization is that the employee should not in any way jeopardize the information of the client maliciously and use it for his or her own benefits. In other words, an employee should not be involved in identity theft. Monitoring the cookies information is also important Henk, Tilborg, & Jajodia, 2011, p. 1249). The other excellent way of ensuring that employees do not tamper with the information of the client is to install video surveillance in order to have a direct view of the information that all the employees are dealing with. In numerous organizations that deal with the sensitive information of the client, video surveillance is one of the key measures put in place. Video surveillance is something that is not widely used due to cost but has been in the scope of the business world for many years. The videos that should be used should be installed in strategic places. These strategic places should be the ones that the employees can not notice and in addition, they should be areas where the customer information is stored. It would be a waste of resources and time to install video surveillance at points in which the employees cannot hack the client’s information. This is because in the first place, the main aim of installing this surveillance system is to come out with a clear measure on how to guard the employee information. Thus, it is important to install the video surveillance equipments in rooms where the computers which have the client's information, are operated from. Traditionally, in an organization where identity theft has occurred, it is found that these areas are the ones that are not seriously guarded and the laxity leads to the theft. Installing the aforementioned security system would help to control the employees since they will be afraid of manipulating the clients’ information and cannot visit sites that may help them to get malicious motives on the client’s information (Henk, Tilborg, & Jajodia, 2011, p. 1248). The other way of monitoring the employee’s emails and web surfing history is to constantly remind them that they risk losing their jobs and on top of that, they would be criminally prosecuted if they are found to be violating and manipulating the information of the employees. This would create two things. One is fear and this would not come out of manipulation but it would come out of personal will and it would help the organization since the employees will not by any chance manipulate the client’s information. It is something quite perplexing that most of the employees who are involved in identity theft tend to say that they were not informed of any mistakes they were committing and hence in one way or the other they committed the mistake. Informing the employees would ensure that they do not in any way say that they were not given an upper hand in terms of information (Henk, Tilborg, & Jajodia, 2011, p. 1247). The other method is monitoring the segment of the browser history. This segment of the browser always shows the sites that the employees visited and were unwarranted. It is important to come out with this strategy in order to detect a fraud even before it happens. However, before doing this, the organizational heads are obliged to inform employees of their rights and the limits that they have when they want to view their information (Henk, Tilborg, & Jajodia, 2011, p. 1248). On the other hand, a clever employee will always delete the history and cookies and this means that the employer has to create security measures in the computer that will ensure no employee visits heuristic sites and is able to hide it. This can be done through the creation of a folder that secretly hides all the information regarding the sites the employee visited without him or her noticing. This is something that would not only help the organization prevent the crime but it would also help it to know the employees who may pose a threat to the organization. The other way of ensuring that the employee does not bridge the ethics of the work through identity theft is to monitor the way the employee visits sites in the internet. This is different from viewing the browser history as this is done thorough personal observation. An employee may be spending too much time, yet he or she is not productive. This is a clear indicator that he or she is up to something (Henk, Tilborg, & Jajodia, 2011, p. 1248). For that reason, it is imperative that the employer ensures that the employee is always checked. This means that the employee will be always suspicious and it would reduce the chances of him or her stealing or going unpunished with the crime that he or she may be perpetrating. However, above all, it is imperative that an organization is keen on the ethics that are involved in this type of business. It would be unnecessary for an organization to come out with unclear strategies that would in the end lead to numerous civil litigations. The contemporary world is governed by brains and not brawn and therefore it would be for the best interest of the organization to come out with clearly spelt policies to ensure that the employees on top of being monitored do not have a leeway of filling privacy suits (Henk, Tilborg, & Jajodia, 2011, p. 1248). When security measures that an organization implements are sufficient to comply with its obligations The UNODC states that there is the need to come up with a common way and means of ensuring that the security measures that are taken are sufficient and it should be through the various approaches. The modern organization has various ways, and means of tackling the security issue and this can only be done through a variety of ways including creating a security check that surpasses the limit. A security check that surpasses the limit is one that cannot be hacked into by the employees. An example is coming up with an organizational structure that is made of the finest security approaches when it comes to matters of securing the employees and clients. It common knowledge that the employee who is dealing with the internet technology is someone that may have very good abilities of overriding the technology that is put in place by the organization and that is why he or she should always be given a challenge by the installation of a method that he or she cannot hack. With this in focus, the organization will know when the clients’ are secure and when the employees can no longer get access to dangerous sites. An example is ensuring that the browser the employee is using is so secure that he or she cannot delete the browsing history after he or she has used the computer all day. This security measure does not only help the organization become limitless in its efforts to guard itself but it also helps the organization know of the employees who are acting maliciously. The organization would know that the method which it is using is working when it notices that the employee can no longer delete the history and in this sense some of the employees are caught in the act when they visit the malicious sites (Smedinghoff, 2005, p. 20). It is in the best knowledge of the society and the organization officials that the individuals who perform identity theft usually does so by involving the internet in one way or the other. The obligations of an organization vary as some will be structured in such a way that they protect the interests of the employees and the clients at the same level but guard the security details with utmost vigil (Smedinghoff, 2005, p. 20). These organizations therefore, ensure that they cannot be legally sued for infringing the work ethics and they therefore come out with ways and means that are always on the good side of the law. A good example is the money bookers company that has an all round system in terms of security and therefore, it has a well guarded policy on identity theft which includes fast freeze of the client’s money (Smedinghoff, 2005, p. 20). In the contemporary business organizations or even the health sector especially the sections which deal with the personal information of the clients, there are numerous ways and means of ensuring that they are safe apart from the ones that are mentioned above. On the other hand, when an organization has installed all the necessary video channels that monitor the employees’ movement and their web records then to some point the security of the client is adequate. No man is perfect, and that is the reason why not every other employee can be left to guard the sections that can easily be manipulated to steal the identity of the clients. This is the key reason as to why when an organization has chosen an ethics officer, it has to be sure that he or she can perform the duties that he or she is assigned to, it is very important that an organization comes out with clearly laid down strategies that do not infringe on the rights of employees. However, with an ethics officer, he or she has to be fully trusted because he is responsible for the security of the business. When the officer makes rounds across the business premises and especially in the financial areas that deal with the personal client information and detects that they are sound, it is then presumed that the security measures that have been taken are sufficient enough to comply with the obligation of protecting the customers (Smedinghoff, 2005, p. 21). When an organization is in doubt of even one of its employees and he or she is responsible for visiting a dangerous site and can easily manipulate the information of the clients, it is always in its best interests to come out with a strategy of either monitoring him or firing him or her at once. This is a good way of ensuring that the organization meets the obligations of protecting the client. It would not be wise for the business to retain the employee if in doubt. Numerous organizations that deal with the security details of the employee and would not wish to lose them always ensure that they meet the standards that they have put forth in the agreements. Meeting these standards in reality is something that the organization always ponders. Consequently, if the organization has top notch security and employees are monitored on a daily basis, it is an added advantage to the continual of its existence (Smedinghoff, 2005, p. 21). When the security measures that the business puts in place are stable for a long time and nobody is able to override them, then it means that to this point it is able to meet the obligations that it set forth to the client. In the real sense, there are numerous loopholes that can be taken in order for a client to lose his or her information to identity thieves. One of the possible ones is losing the identity to family members who clearly know him or her. An organization is deemed to be efficient if it can track this theft and stop it at an instance. Therefore, the organization is viewed as to be best when it can do the same when the theft comes from in within its confines and that means monitoring of employees (Rainer & Cegielski, 2009, p. 118). The other way of ensuring that the client is safe is to make sure that the passwords to the security areas are changed as frequently as possible. This means that the organization has to keep changing the pass codes and passwords for the administrator section of computers and in addition to that, to clearly state that it is within its mandate to check the information of every employee and his movements across the internet and not only when he is working. This would mean that the organization would have access to the information of the employees while at work and also away from work. This measure would be quite effective in ensuring that there are reduced cases of identity theft and in addition to that, there are no loopholes in tempering with the client information. The modern day business world is changing and the more the security devices that guard the information of the clients are created, the more the fraudsters come up with new ways and means of countering them. This is the reason why an organization should not stick to one mode of security control but to numerous ways and means of ensuring that the personal information of the client is safe. An organization would be deemed to be effective if for instance, it serves 90% of its clients for more than 50 years and they never have cases of identity theft or something related to that (Rainer & Cegielski, 2009, p. 118). Overly, when the security measures f an organization are frequently changed, monitored by a single person who will be held responsible in case of a deal gone bad, when the employees cannot delete the browsing history and when the clients are satisfied for a long period, then it would mean that the security measures that have been implemented comply with the obligations of the organization. When organizations organize routine changes in security and ensure that there are different security guards daily and they report that there are no incidences of theft or malice towards the changing of the client information, then the organization can be safely labeled as one that is safeguarding the client’s interests. Therefore, when the organization finds that the guards that it sends to the station come out with different reports, its safety is at risk. These routine changes are important to ensure that the employees do not work in cohorts with the guards in their ventures of identity theft (Rainer & Cegielski, 2009, p. 118). A method for a medical or financial organization to determine its security measures are sufficient In order for an organization to ensure that the security measures that it has taken are sufficient, it needs to conduct a risk assessment. In a risk assessment, the organization comes out with strategies in which it can know its weakness. This therefore leads to identification of the factors that may risk the information of the client. In doing the assessment, the organization needs to know what each customer holds in the organization. It is quite evident that the employee who has the most assets in the business is one that is most likely to be a target than one who has little and that is why the organization officials usually come out with clear demarcation and security. This means that the security of the clients who own very high assets is ensured in the organization and therefore, the system would be deemed to be sufficient. The organization should also develop a plan which assesses the procedures of management in the organization and this would make the security become even tighter, thus leading to low levels of theft (AHIMA e-HIM Work Group on Medical Identity Theft, 2008, p. 68). The organization is also bound to create security controls that are complex which would mean that the employee cannot hack into them. All these factors are part and parcel of the risk assessment. The other obligation that the organization would have is to continuously and not occasionally test the security measures which it has used in order to determine whether they are sufficient enough for the organization. It general knowledge that the longer the security system stays in place, the more it is bound to be hacked by the malicious employees. An organization should also constantly monitor and update its system in order to ensure that the clients’ information cannot be hacked into due to worn out equipment. Technology is a factor that is usually changing and this means is that in order for the organization to be safe, it has to change with the technology (Rainer & Cegielski, 2009, p. 118). The other task that the organization should perform is to identify the potential threats each and every new day. This constant identification ensures that the employees will always be in check and would not risk being caught. The other method is to ensure that the client or owner gives the level with which an asset which he or she gives should be treated and this would range from the lowest to the highest security. The information of the client may be his or her earnings statement which when viewed by a low income employee may trigger him or her to steal from the client. The organization should also run a check on its current security policies and procedures (Bidgoli, 2006, p. 226). This would help it to know the sections that it would change in order to come out with a better security check. In addition to that, the organization should also identify the technical and administrative controls that it has and this would help it to know which ones are vulnerable. The organization should finally prepare a security control matrix. This matrix is essential in identifying the security requirements and identifying the gaps that need to be worked on (Bidgoli, 2006, p. 226). An Organizational Plan for Information Systems to Address Potential Identity Theft Issues Overcoming identity theft needs the involvement of multiple parties in an organization, who perform various security checks to avoid identity theft issues. The organizational plan to be executed with the help of these multiple parties would include solutions that tackle on the legal and law enforcement, managerial, technological, and economical solutions to the organization. The identified parties to help execute the security policies and checks should be able to coordinate their actions because the process of confirming the identity of an individual always entails several steps and methods, carried out by several parties. In addition, the coordination process of the parties involved in ensuring that the security of the organization is up to date is very significant because in the virtual environment, that is the online environment, identity validation, verification, and authentication involves no face-to-face identity confirmation (Ji, Smith-Chao, & Min, 2008, p. 144). In the management of the security of identity information against identity theft, the roles involved in the client’s information include the ownership of the information, its issuance, its use, its protection, and finally, its abuse. The organization ought to identify the major players in the information security management, their defined roles, and the relationships that they have with each other player. Therefore, the functions of the primary players in identity security system would include the identity owner, the individual who issues the identity, the person who checks against the identity of individuals, the individual who is tasked with protecting the identity of clients, and the person who has the potential to steal the identity of others. It is important to note that these specific roles identified in the identity security system are related via a network of relations that identify the primary responsibilities and connections of the several organization members, who form part of the identity validation, verification, and identity authentication procession. Moreover, the organizational plan for information system should be able to define all the crossing points of the client’s information; and further integrate all the elements of the system through perception and feature (Ji, Smith-Chao, & Min, 2008, p. 145). This plan has four key stakeholders and a potential aggressor in the system. The primary focus of the aggressor in the system would be the identity owner, who is the individual defined and identified by the stored information. The data of the clients within the organization include the physical, financial, biographical, and psychological data. The organization, which is the issuer of the identity, should be responsible for acquiring, creating, and producing the identity information and documents relating to their client. The plan should also involve the identity owner being checked by the identity checker, who is responsible for determining the validity of the identity documents and information presented by the alleged identity owner. The checking of identity information encompasses three phases namely identity authentication, verification, and validation. At this stage, the identity checker must coordinate with the identity issuer to ensure that the information provided by the possible identity owner meets the security standards set within the organization. Subsequently, the identity protector, within the security chain, will be tasked with the responsibility of determining if in case the standard security of the security system in the organization has been compromised in any way. Besides, this individual is responsible for punishing and prosecuting the identity thieves identified by the organization. These identity protectors are expected to work in collaboration with the identity checkers and issuers to uphold a watchful guard. This individual is also expected to create an effective post-incident relationship with the identity owners (Ji, Smith-Chao, & Min, 2008, p. 145). The importance of this organizational plan for information systems is that it is able to identify the most important stakeholders and their subsequent interconnections with other parties involved in the security system. This feature of the plan is very essential because several identity theft specialists have identified that inadequate coordination of the pertinent parties involved in the chain of identity security is a primary reason in propagation of identity theft crime in various organizations. The coordinated efforts and measures will include the use of trusted authenticators, international regulations on fraud and identity theft, and lastly use of shared identity databases within the organization (Adler, 2006, p. 48). Conclusion From the discussion on the identity theft issue in organizations, it is clear that major organizations focus on governing and securing the information of their clients. This will be effectively accomplished through identification of the roles and the relations of the stakeholders in the identity sequence in organizations, besides coordination involving all the parties in the identity chain. However, regardless of all the steps and measures taken to mitigate and combat the identity theft issue in organizations, it has remained challenging to the security experts to determine the connection between the data violation and identity theft, more specifically, because the victims of identity theft do not know how their personal information are accessed. Another serious challenge has been the inability of the identity owners to detect that identity theft has occurred and that they are the victims of such fraud. Most information breaches recorded in history have not resulted in identity thefts. For that reason, it is often speculated that the reasons for identity theft are still unknown. References AHIMA e-HIM Work Group on Medical Identity Theft. (2008). Mitigating Medical Identity Theft. Journal of AHIMA ,Volume 7, 63-69. Bidgoli, H. (2006). Handbook of Information Security, Information Warfare, Social, Legal, and International Issues and Security Foundations. New Jersey: John Wiley and Sons. Henk, C. A., Tilborg, V., & Jajodia, S. (2011). Encyclopedia of Cryptography and Security. Massachusetts: Springer. Rainer, K. R., & Cegielski, C. G. (2009). Introduction to Information Systems: Enabling and Transforming Business. New Jersey: John Wiley and Sons. Russell, R., Bidwell, T., & Cross, M. (2002). Hack Proofing Your Identity in the Information Age. Philadelphia: Syngress. Smedinghoff, T. J. (2005, October 15). The New Law of Information Security. Retrieved March 13, 2012, from Johns Hopkins University: http://www.cs.jhu.edu/~rubin/courses/sp06/Reading/newlawis.pdf Read More