SMBs, Identity Theft & Insider Threat: Bad SMB Security Impacts Organizations of All Sizes

Many articles have been written about the insider threat, and the focus is usually on large organizations, where the employees with malicious intent are either in positions of trust far down the org chart or the perpetrator is the person at the helm of the organization.


However, many information security incidents and privacy breaches happen within small and medium sized businesses (SMBs) and never get much attention. Consider that, according to the most recent Small Business Administration (SBA) study, covering 2005,

“…of the nearly 26 million firms in the United States, most are very small — 97.5 percent of employer and nonemployer firms have fewer than 20 employees. Yet cumulatively, these firms account for half of our nonfarm real gross domestic product, and they have generated 60 to 80 percent of the net new jobs over the past decade.”

This is a huge number of businesses.
The report goes on to indicate that
* The Office of Advocacy defines a small business as one with fewer than 500 employees. This 500-employee threshold also means about 99.9% of businesses within the U.S. are small.
* Small U.S. businesses were awarded $79.6 billion in contracts in 2005.
Unfortunately, very little attention, time or money is typically devoted to information security or financial controls within many, if not most, of those SMBs. So the information security practices of SMBs affect not only the 99.9% of businesses that are SMBs, but also the large businesses that rely on SMBs to process or handle their PII.
Think about how many reported incidents were actually caused by an outsourced SMB working for the large organization named in the headlines.
Over the past few years I have performed well over 100 information security and privacy program reviews of outsourced vendors used by some very large organizations, and a majority of those were SMBs. The majority were also severely lacking in information security practices that, in this day and age, should be a matter of normal business practices.
SMBs are particularly vulnerable to insider fraud, and often by those leading or owning the SMB.
As one example, in April 2006, Christina Kim, owner of the Chosun House restaurant in Arcata, CA, was charged with using the personally identifiable information (PII) of her employees to commit over $1 million worth of fraud.
Kim was charged with 51 counts of bank fraud, mail fraud and aggravated identity theft for using the PII of 12 of her employees and family members, most of whom were students, from January 2001 to January 2004. However, it is reported that she was actually stealing PII and using it for fraud from October 1998 through May 2005: nearly seven years of committing crimes without being caught.

“According to the charges, Ms. Kim is alleged to have obtained social security numbers, driver’s license numbers, and dates of birth from persons who either worked at her restaurant or were family members. She would then use this personal information to create new false identities. In addition to creating new identities based on real people, Ms. Kim also created at least two identities using her own information, but with different social security numbers. Ms. Kim would then use these false identities to open up bank accounts and credit card accounts. She would receive lines of credit from the banks and credit card companies, and then use the monies to pay for personal expenses, which included a new home, designer clothes, shoes, and jewelry.
The charging document also alleges that Ms. Kim, under her father’s name, received a construction loan for $682,000. She also allegedly submitted false documentation to Farmers’ Insurance Group regarding an alleged burglary at her house. Ms. Kim allegedly submitted false claims for numerous items stolen, including a Korean painting, identified as Diamond Mountains, by Chong Fon (circa 1676-1759), worth between $800,000 and $1,200,000.”

According to the April 16 issue of the BNA Privacy & Security Law Report (a subscription site), Kim pleaded guilty on April 11, 2007 to 48 of the counts.
* Kim must pay $1.1 million in restitution to the businesses she defrauded, which include Discover Card; Citibank; Providian Bank; Capital One Bank; Wells Fargo Bank; American Express; US Bank; Exxon Mobil; Shell Oil; Chevron; Washington Mutual; Chase Manhattan Bank; and Home Savings of America.
* Kim admitted that she defrauded Farmers’ Insurance of $900,000 “by inflating the price of items declared stolen in 2003 with altered price receipts and by falsely claiming ownership of a painting worth $800,000 to $1.2 million.”
* Kim admitted to making “luxury purchases with the lines of credit, used Social Security numbers, driver’s license numbers, and dates of birth from the students, her father, sister, and niece. Kim admitted to using her father’s identity to obtain a $682,000 construction loan. None of the lines of credit were repaid, the plea agreement said.”
* Kim agreed to forfeit the property and “could be sentenced to up to 30 years in prison on each count and ordered to pay a $1 million fine at sentencing July 24.”
Kim not only defrauded her employees and family members, but also impacted many large organizations.
We need to help SMBs implement better information security and privacy programs. We need to educate SMB employees how to identify information security problems and know the signs of internal fraud.
I have received many emails and calls from a wide range of SMBs over the years asking for help. One of the reasons I created The Privacy Management Toolkit was to help such organizations create and manage their own information security and privacy programs in an economical way when they do not have the resources to establish a dedicated department, or even to hire a single employee dedicated to information security and privacy.
Large organizations outsourcing to SMBs need to ensure the SMBs have strong information security and privacy programs in place.
SMBs need to take advantage of the free information security and privacy guidance made available by the government, such as the FTC.
Employees need to be aware of the information they have entrusted to their employers and be alert for signs of misuse.
Tax-funded organizations, such as InfraGard, need to reach out to help SMBs implement strong information security programs, and help employees know how to protect themselves not only in their homes, but also while they are at work.
Helping SMBs protect PII will help reduce the number of information security incidents and privacy breaches. It will also help to identify SMB bosses who are crooks stealing from their own employees and family members.
