You’ve heard the term “inside job” used to refer to theft of goods and money. A new study by Utica College’s Center for Identity Management and Information Protection recently found that a large percentage of the identity theft that takes place at retail businesses is carried out by employees. Researchers studied data supplied by the U.S. Secret Service covering 517 cases it investigated between 2000 and 2006. Quite a few (176) were perpetrated by employees.
Why does this matter? It matters because good security practice (and the Payment Card Industry DSS mandates it) is to isolate employee roles and business data, and to expose data only to employees who require access to it. These internal controls are much like those that you use to prevent employees from writing company checks without authorization. The security concept is called compartmentalization.
The logic is pretty simple and yet powerful. Don’t share with someone who doesn’t actually need the information. It’s sort of like when you loan keys to a neighbor. You wouldn’t loan your keys to all your neighbors. You would only loan them to the one you trust the most and who is most likely to be around to help you. Treat customer data the same way.
I’ve said it before, and I’m starting to sound like Fox Mulder, but when it comes to information security, trust no one.