Why Your Business Needs Employee Identity Theft Protection
Identity theft has been around since the advent of the internet. Unfortunately, thanks to our increased reliance on online technology and more sophisticated hacking techniques exacerbated by a shift to remote work (driven by the pandemic), it’s getting worse.
In fact, the pandemic has made it easier for bad actors to use stolen credentials to apply for federal COVID-19 relief programs like unemployment benefits, small business loans, and other federal programs. As of December 2021, cybercriminals have stolen an estimated $100 billion in COVID relief funds.
According to the FTC, money stolen from identity theft scams totaled $5.8 billion in 2021, an increase of 70% from 2020. These losses came from more than 2.8 million fraud reports.
For years, we’ve treated identity theft as a personal issue for individuals to fend for themselves. But the truth is, employees are often the most-targeted individuals for identity theft, and cybercriminals use them as an entry point into your company’s valuable data. So, an individual’s corporate identity and PII should also be cause for concern.
Let’s talk about how corporate identity theft can impact your employees and your organization, and what employee identity theft protection can do to help.
Hackers Attack Employees to Gain Access to Critical Company Infrastructure and Data
Every employee is a potential entry point, especially critical teams that harbor sensitive information like privileged IT, HR, finance, or legal departments.
In fact, hackers are now soliciting IT employees and other privileged users to purchase access to critical systems as an insider threat. A survey released in 2022, found that 65% of surveyed IT and security executives or their employees have been approached to assist in these cyberattacks, a 17% increase from a similar survey in November ‘21.
In many cases, cybercriminals target specific individuals to get to their employer – or, more specifically, their employer’s wealth of sensitive data. By stealing someone’s identity, you could gain access to their work account information and, thus, all the data stored within those systems.
For example, the recent Colonial Pipeline cyberattack involved compromised credentials from a single rank-and-file employee—who typically have fewer digital protections than executives—to obtain the data that disrupted fuel pipeline operations of the entire east coast of the U.S.
One successful attack could lead threat actors to a virtual goldmine of employee and customer data, which they can use for further cyberattacks, like ransomware or selling on the dark web.
Employers May Be Liable for Employees’ Identity Theft
Employers should be concerned about employee identity protection because, in some cases, they may be liable if threat actors compromise employee credentials and PII, or customer data due to the employer’s negligence. This is the case if their organization’s acts or omissions lead to an employee’s identity being stolen, like a member of the HR team falling for a phishing scheme that jeopardizes company data.
What Is Employer-Paid Identity Theft Protection?
Employer-paid identity theft protection is a type of work-funded benefit that protects its employees from the damaging effects of corporate identity theft.
There are two common approaches to employee identity theft protection as an employer.
1. Employee Insurance Benefit
An employee identity theft benefit program protects your employees from the aftermath of identity theft. This often includes coverage of financial losses and case management for victims of identity theft.
Like with medical benefits, your employee makes payments towards an insurance policy. These payments ensure the employee is covered if their identity is stolen.
This form of protection is reactive—instead of preventing your employees from getting their identities stolen through cybercrime, it protects them against the consequences of identity theft when it happens.
2. Cybersecurity Provider
You may also work with a cybersecurity provider specializing in identity theft protection. An employee protection program will defend your employees against new and existing threats to their identity.
Working with a cybersecurity provider is a proactive approach to identity theft protection, unlike employee insurance. With services like an exposure risk assessment, you can quickly discover if your employees’ credentials have been stolen and are already exposed on the deep, dark or surface web.
Why Every Employer Should Offer Identity Theft Protection
Every company should offer employee identity theft protection to secure their sensitive data and employee credentials. Why?
Because identity theft is incredibly prevalent—emails and passwords contained in data breaches have increased 10% year-over-year. You may think you have it covered by protecting your C-suite executives, but in fact, rank-in-file employees are targeted 77% more often than executives.
Protecting your employees is in your best interest, which benefits an employer in a couple of ways:
- Doing so can build better trust between you and your employees.
- Using credentials stolen from your employees, allows bad actors to more easily access sensitive information about your company, which could jeopardize your operations.
How Do You Protect Your Employees from Identity Theft?
Aside from cybersecurity protocols and insurance programs, how else can you protect your employees from identity theft? Here are some initiatives to consider:
1. Conduct Employee Training
Whether it’s instructor-led, a video course, or a mandatory webinar, your employees should acquire some formal training on protecting themselves from identity theft threats. Your training should include:
- Different types of identity theft: Identity theft takes many forms, with some being more malicious than others. Your training should identify the most common types for your business, including Social Security fraud, online shopping fraud, and synthetic ID fraud (among others).
- The effects of identity theft: What are the consequences of identity theft? If your employees know what they stand to lose, they’re more likely to take the necessary steps to secure their identity and thwart attempts to be swayed by fraudsters when approached with cash offers.
- How to reduce/prevent identity theft risk: This is where the real training begins, going over common warning signs of attempted fraud and steps to secure sensitive information.
2. Require Authentication Protocols
Multi-factor authentication requires a user to provide two pieces of information or evidence to verify their identity. Many email domains are moving toward this model. They will send a confirmation code to a phone number registered with the email. This authentication process provides an extra layer of security for your company’s sensitive information.
3. Restrict Access to Highly-Sensitive Information
Consider limiting access permission to certain sensitive documents within your company. Only grant access to sensitive information to employees who need to access that information regularly.
For example, you should limit who can see the financial information about your company to your human resources department and certain members of your C-Suite (provided your executives are well-protected). That way, even if a bad actor gains access to an employee’s log-in credentials, they won’t be able to access hypersensitive information.
Employee Identity Theft Protection You Can Trust
Employee credentials are constantly being sold on the dark web by threat actors looking to profit from compromising and breaching your organization. Democratizing security and protecting all of your employees, not just your executives, can save your organization the time, cost, and reputational damage resulting from employee credential data breaches and build trust between you and your employees.
To proactively protect against employee identity theft, you need Constella’s Employee Protection Platform. Our proactive approach limits your exposure and allows for rapid action when a breach occurs so you can minimize potential financial and reputational damage.
