Nine Low-Tech Ways to Increase Your Security
If you look at my older posts, you’ll see I’m pretty big on security. Methods of attack are changing; with the exception of hacking the Pentagon, it’s getting much more difficult to penetrate big corporate security.
Many large financial firms have been victims of security breaches; included in this illustrious list are … TD Ameritrade, J.P. Morgan, Fidelity Investments, Ameriprise — even credit agencies are susceptible. If you want to get really paranoid, check out some of these identity theft stories.
But a new pattern is emerging. Would-be attackers aren’t just using the Internet or phone lines now. That type of "brute force" hacking is difficult to do these days. The security on sites is better than it used to be, and security forensics is getting to the point where an attacker’s location can be pinpointed quickly.
The new wave of attacks is called "social engineering attacks". Put broadly, social engineering is exploiting the weakness of humans in the security chain: lost laptops, computers left running without secured screen savers, passwords on sticky notes stuck to the bottom of a keyboard, unlocked file cabinets. These kinds of attacks are simple… do you really know who your janitor is or who he/she might work for on the side?
According to a Scott & Scott report, 85% of businesses have had a data breach involving the loss or theft of customer or employee data. 74% of those breaches were caused by human mistakes or malicious employees.
Some time ago I had to go through a brutal security audit on behalf of a client. The steps that we needed to put in place to secure our data were extreme. Key carded doors, obscuring screens, criminal background and financial checks on all employees (if you failed you were fired), obscuring all windows. We joked at one point that employees would have to work nude and be subjected to a cavity search when leaving.
While all of this seemed extreme, in the balance was the financial information of more than 10,000 people. Think about the information you have in your office, not just for clients but for prospects as well. Account Numbers, Social Security Numbers, Addresses, Birth Place, Age… everything someone needs to become that person.
Considering the tight controls our government has on entrance visas and the difficulty of obtaining false identities, it would not be hard for a determined person with the information in your office to fully assume another person’s identity.
Identity theft is a multi-billion dollar industry. If someone can get an identity, it could be weeks or even years before the victim is aware of the problem. People here illegally use someone else’s social security number for years without the victim being aware. They take out loans and credit cards, get jobs, everything.
Now, imagine a criminal who is not as interested in building a life. They get several credit cards or a loan and go shopping. It can cost the victim thousands of dollars to get the situation corrected and it may be years before they are fully recovered.
And so it comes time for me to beat the security drum again. Here are some things you can do to help prevent one of these breaches.
- Use strong passwords, no dictionary words, fourteen or more characters that combine letters, numbers and symbols.
- Every computer should have password-enabled screen savers.
- Don’t store sensitive data on laptops or removable devices and store offsite backups at a secure facility, not in your house.
- Keep file cabinets locked at all times. Preferably they should lock when you close them and be solidly constructed with combination locks (no lost keys).
- Use privacy screens for your monitors and place your back-office staff away from wandering clients.
- Isolate and securely lock your servers.
- Shred *everything* with a cross-cut shredder. Or use a company who specializes in document destruction.
- Store documents electronically instead of in a file cabinet. Once the client has signed the paperwork and it has been sent to the home office, scan the document and destroy the original.
- Do background checks on all employees. I know this is a touchy one but if you hire someone convicted of identity theft in the past you have a big potential liability.
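The first item in that list, the password rule, is the one that can be enforced by software rather than by policy alone. The checker below is an added example written for this post, not code from the original; it implements the stated rule (fourteen or more characters, letters plus numbers plus symbols, no dictionary words). The word list it uses is a tiny constructed stand-in, so a real deployment would load a full dictionary; the symbol-for-letter substitution table is also an assumption, included because a "dictionary word" check that misses "p@ssw0rd" is not worth much.

```python
"""Password policy check for the rule in the list above: fourteen or more
characters combining letters, numbers and symbols, and no dictionary words.
Added example; the word list and substitution table below are constructed."""
import string

# Constructed stand-in for a real dictionary; load a full word list in practice.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "monkey", "qwerty"}

MIN_LENGTH = 14

# Common symbol/digit-for-letter swaps (assumed set), undone before the dictionary
# check so that "p@ssw0rd" is still recognised as "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s",
                      "4": "a", "5": "s", "7": "t"})


def contains_dictionary_word(password, dictionary=DICTIONARY, min_word_len=4):
    """True if a dictionary word of at least min_word_len letters appears
    anywhere inside the password, ignoring case and the swaps in LEET."""
    normalized = password.lower().translate(LEET)
    return any(len(w) >= min_word_len and w in normalized for w in dictionary)


def check_password(password, dictionary=DICTIONARY):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    if contains_dictionary_word(password, dictionary):
        problems.append("contains a dictionary word")
    return problems


if __name__ == "__main__":
    # Constructed candidates: a short one built on a word, a long "leet" one, and a pass.
    for candidate in ["Summer2007!", "P@ssw0rd-1234567", "xK9#vQ2!mL7$pR4w"]:
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else ', '.join(result)}")
```

Run it as a script to see the three constructed candidates graded; the second one shows why the length rule alone is not enough, since a sixteen-character password built on "password" with a few swapped characters still fails.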
So those are some great ways to get started. Some of the methods are costly. Document imaging can be expensive, and it’s extremely expensive to build a secure server room and to isolate operations staff. But a lawsuit or a story in the local paper could put you out of business.
Bill Ramsay said,
October 31, 2007 at 4:39 pm
Interesting connection between the last two posts. I took a look at XLR8, and noticed the breadth of data that is stored, and wondered about employees logging on from questionable computers. If you have a compromised computer, to what extent can a thief steal browser displayed data? The combination of names, socials, login usernames and passwords, birthdates, addresses are all there.
Mike Benson said,
November 2, 2007 at 2:56 am
Sensitive data should never… never… be accessed from a public computer (like the ones in an internet cafe). You should never access sensitive data using a wifi connection in a public location.
Many financial firms will not even allow wireless connections inside their own building. WEP encryption can be cracked in under 15 minutes and then all your data can be captured.
If your computer in your office gets compromised, then your web browser sessions are also compromised. Probably no more than any other software though. An attacker could just key log everything no matter what the application is.