By Brad Mueller, CLU, and Scott B. Tracy, CPA
CliftonLarsonAllen LLP
Horror stories about identity theft have made us vigilant about protecting our credit card numbers, Social Security number and other personal information. However,in our rush to protect personal information, it’s important we do not ignore the growing threat of corporate identity theft.
Stealing a company’s identity and using it to deliberately perpetrate fraud can cost millions and devastate an otherwise healthy, growing company. Identity theft has always been a risk, but the frequency and severity of corporate identity theft have been on the rise as technology overtakes every aspect of business. Wireless networks, smart phones, cloud computing and social media have all added to the vulnerability of data that must be managed and protected, and upped the stakes when the best protective measures fail.
Equal Opportunity Theft
Corporate identity theft is not always the product of hackers and hardened criminals. A disgruntled or rogue employee can be just as dangerous. A thief may just as easily get vital information from an unlocked file cabinet, or a document that ends up in the trash instead of the shredder.
Corporate identity theft is also not confined to banks and credit card companies, although financial services providers must meet strict government reporting and protection standards. Any business that routinely collects sensitive information like account numbers, business registration numbers, credit histories and other key data can be a target.
Types of Corporate Identity Theft
There are many ways that companies can fall victim to identity theft:
• Government reporting and regulatory information that is in the public domain can become fodder for criminals who seek an understanding of people and processes in a business.
• If not protected, company logos and graphics are easily downloaded to create fake documents and websites.
• Personal and corporate information is gathered through fake emails that appear to be from a trusted colleague to an executive such as the CFO.
• A convincing copy of a government or financial institution website is used to harvest personal and corporate information.
Corporate identity thieves may use identity information themselves or sell it to others. Generally, they are looking to quickly generate cash using vital information about a company to:
• Open lines of credit and illegally gain access to thousands or even millions of dollars
• Open high-limit corporate credit cards, make purchases and then sell the merchandise for cash
• Set up sham corporations or websites using false identity information
• Hijack social media to distribute false information
The result: A trail of ruined credit, financial liability and battered reputations that is time-consuming and costly to repair. A small business may never recover.
Preventing Identity Theft
There are no 100 percent foolproof methods for preventing corporate identity theft. As soon as one roadblock is thrown up, criminals create a detour and attack from a new direction. But doing nothing is not an option, and you don’t have to have thousands of dollars and personnel dedicated to IT security. It begins with a plan.
Have a Plan – Start with a risk assessment and create an enterprise-wide security strategy. Cover all aspects of information security, including prevention, detection and your response to an information breach. Small companies are especially vulnerable due to limited resources and expertise, but adequate protection is only possible when a plan is in place.
Educate and Inform – Include all employees, executives, partners, vendors and even customers. It begins with awareness of the threat and the potential consequences, and continues down to individual roles and responsibilities in prevention and reporting. Give your customers, vendors and subcontractors peace of mind by telling them what you’re doing to protect their information and the company.
Designate a Leader – Give responsibility for planning and implementation to a trusted top level manager. He or she should become your internal expert and the go-to person to report suspicious activities.
Create Written Policies – Define permissible use of company technology and specify steps every employee must take to safeguard information in every form. Agreeing to these policies should become a condition for employment and for doing business. Require at least annual review.
Implement Controls and Procedures – Include information security in your enterprise-wide fraud controls. Include records of actions and activities, multiple approvals of certain transactions and regular monitoring to detect irregularities. Perform frequent, random testing to assure that controls are working as intended.
Deploy Hardware and Software – This is not just computer hardware and software, although that will be a major concern. Hardware can also include locks on doors, filing cabinets, shredder bins and dumpsters. Access should be limited and passwords must be frequently changed. Software must be kept current to address evolving criminal techniques.
Monitor Activity – By the time identity theft is detected, the damage may already be done. That’s why it’s critical to regularly monitor accounts for suspicious activity, investigate unknown charges or users, or ask about late or missing statements and invoices. Make sure you remain in good standing with credit agencies, lenders and government regulators, and that irregularities are reported and addressed immediately.
Make Prevention a Priority
It is impossible to predict when or where the next corporate identity theft will occur, or to guarantee protective measures will be effective, but the time is passed when these threats can be ignored. From the sole proprietor to the multinational corporation, guarding against identity theft must become an immediate and ongoing priority.
Brad Mueller, CLU is a principal at Clifton Gunderson Wealth Advisors LLC (CGWA), a financial planning and investment advisory practice owned by CliftonLarsonAllen LLP (CLA). CGWA is an SEC-Registered Investment Advisor and a wholly owned subsidiary of CLA. Mueller specializes in wealth transfer, asset protection, and executive benefit programs for business owners, trusts and professionals. He can be reached at Brad.Mueller@cliftonwealthadvisors.com or (608) 662-9150.
At the time of this publication CGWA is in the process of integrating with CliftonLarsonAllen Wealth Advisors, LLC, also an SEC-Registered Investment Advisor and a wholly owned practice of CLA.
Scott B. Tracy, CPA is an assurance services partner with CliftonLarsonAllen LLP and is a national firm construction and real estate practice leader. He can be reached at Scott.Tracy@cliftonlarsonallen.com or (414) 721-7517.
About CliftonLarsonAllen
Clifton Gunderson and LarsonAllen are now CliftonLarsonAllen. Structured to provide clients with highly specialized construction insight, the firm delivers assurance, tax and advisory capabilities. The firm has a staff of more than 3,600 professionals, operating from more than 90 offices across the country. For more information about CliftonLarsonAllen, visit www.cliftonlarsonallen.com.
Associated General Contractors of America