What is Your BCP* Score?
(*Business Crime Probability)
0 points for every YES answer; 1 point for every NO answer
1. We conduct criminal or civil background checks before hiring employees who have access to personal identifying information.
YES – 0 NO – 1
2. We provide cross-cut paper shredders, or locked shredding bins for each department, work station and cash register area.
YES – 0 NO – 1
3. We have a policy for protecting laptop computers containing sensitive information, both on premises and away from the business, and all employees have been trained on that policy.
YES – 0 NO – 1
4. We use an alternate number instead of social security numbers for employees, client/customer ID numbers.
YES – 0 NO - 1
5. We never send out mail with customers’ or employees’ SSNs and financial institution account numbers. We have trained staff about secure procedures for sending sensitive personal data by fax, email and phone. YES – 0 NO - 1
6. Non-essential doors and windows are kept locked at all times.
YES – 0 NO - 1
7. Sensitive information of customer and employees (timecards, badges, SSNs, addresses, work schedules, licenses) cannot be seen in our public areas. YES – 0 NO - 1
8. We provide a secure holding place for all outgoing and incoming mail, a place that is only accessible to approved employees. YES – 0 NO - 1
9. We use photos on employee’s ID cards.
YES – 0 NO - 1
10. We keep all personal data about employees and customers in locked files and restrict access to a select few supervisors and managers. YES – 0 NO - 1
11. We encrypt or password guard all sensitive data stored on computers and we allow access only on a ‘need-to-know’ basis.
YES – 0 NO – 1
12. We have trained employees in secure methods for collecting personal identifying information from customers and clients. For example, not asking people to repeat a SSN aloud in a public area.
YES – 0 NO - 1
13. We notify customers and employees in advance why data is being collected, to whom it will be distributed, and the subsequent use after fulfillment of the original purpose; and we never ask for more data than absolutely necessary. YES – 0 NO - 1
14. All visitors, job applicants, vendors, etc. are escorted by a company employee while in our facility. YES – 0 NO - 1
15. We provide the means for customers to "swipe” their own credit or
debit card and forbid employees from handling them.
YES 0 NO - 1
Scoring
· 8-15 points - You are at high risk of being a crime victim. We recommend you use the attached check list to reduce your vulnerability.
· 4-7 points - Your odds of being victimized are about average. Use the attached check list to identify additional changes that will reduce your risk.
· 0-3 points - Congratulations. Keep up the good work, but check the attached list for anything you may have overlooked.
(Original Probability Quiz was created by the
Identity
Theft
Resource
Center, but has been modified for this presentation)
Business Security Checklist
GENERAL RECOMMENDATIONS
1. Have clearly defined security policies for your business.
2. Train all employees in those security policies and provide frequent reminders.
3. Make sure that all employees know how seriously you take those policies and the consequences for the customer, the business and the employee if those policies are not followed.
4. Supervise employees – stay involved with their work on a regular basis.
5. Test your plan. Once you've put in place appropriate measures, have internal auditors or independent data security experts test them periodically, looking for holes.
6. Plan for the worst. No matter how good your information security system is, there is always the potential for a breach. Have a written response plan in place to deal with data recovery, customer notification, public relations, and legal issues.
7. Become informed on scams that target businesses and train your employees also.
8. Read the fine print before you sign anything.
9. Periodically look at your business through the eyes of a criminal.
DATA SECURITY
1. Only hold personal data you need. Nonessential data can be a liability rather than an asset. Do you really need customers' Social Security numbers? Do you have to store their credit card numbers forever? Archive data after use rather than storing in accessible customer master files, and discard or archive data for inactive accounts.
2. Store electronic data securely, preferably in encrypted form.
3. Avoid storing personal data on laptops, PDA’s, other mobile devices.
4. Limit access to only those who need it. Have a full audit trail of who accesses each record.
5. Restrict large-scale downloads and monitor employees for unusual access volume or timing.
6. Ensure good physical as well as information systems security over personal data.
7. Consider security aspects of transmitting personal data to customers and employees. Sending thousands of letters or e-mails with such data is asking for trouble, as they can be intercepted.
8. Do what you say you'll do. Only promise employees and customers a level of personal data security that you can deliver. Whatever you promise, ensure you adhere to it.
9. Make data security a priority with your employees. Background checks are essential on all employees who will have access to personal information. In the event of a security breach by an employee, the fact that you conducted background checks will help demonstrate that you took reasonable precautions to guard against theft.
10. In addition to background checks, employees should be required to sign non-disclosure agreements that prohibit them from misusing confidential data.
11. Enlist all employees to help protect the security of sensitive personal data. Develop a written data security policy that clearly explains what data is considered confidential and what steps employees are expected to take to safeguard that data.
12. Regularly train your employees on acceptable security practices and remind them of their legal obligation to protect customer information. Ensure they know their access to data is monitored and recorded to help prevent and detect data theft. Remind them this is a crime and that you will refer cases for prosecution.
13. Ask your casualty and liability insurer about computer intrusion and employee forgery and computer misuse coverage.
14. If you use vendors to handle, process or store personal data, ensure that their data security measures at least equal yours. Require them to sign nondisclosure agreements to protect data. Insist on periodic security audits and vulnerability assessments.
15. SHRED, SHRED, SHRED – and if sensitive documents are not shredded immediately, keep them under lock and key until they are.
MAIL SECURITY
1. Establish incoming/outgoing mail security procedures and notify customers and employees of procedures. Mail should be kept in a secure manner prior to pick up and after delivery to your business. An open box or basket in a public area is an invitation to mail theft.
2. Keep mail processing area separate from all other operations.
3. Restrict employees from bringing personal items into the mailroom: purses, backpacks, coolers. Establish a policy allowing the inspection of all items brought into, or taken out of the mailroom.
4. Maintain a list of employees who receive mail.
5. Suggest that outgoing sensitive mail be prepared by the mailer, and not by employees of the mailroom.
BUILDING & PROPERTY SECURITY
1. Require deliveries to be made in restricted confined areas and restrict drivers to an area separate from mail operations.
2. Provide secure storage for employees’ personal effects
3. Do not tolerate disturbances in your facility
4. All visitors, job applicants, strangers, vendors, etc should be escorted while in your facility
5. Keep all non-essential doors and windows locked, and unlocked entrances should be continually monitored
6. Train employees in proper ways to approach visitors to your facility, and do not let any visitor go unchallenged.
(Developed in part by the Association of Certified Fraud Examiners)
RETAIL BUSINESS PRECAUTIONS
1. Require another form of identification when accepting a credit card as payment.
2. Do not accept any credit card that is not signed.
3. Train employees to protect against "diversion burglaries”.
4. Stress to employees the importance of keeping doors locked.
5. Look for alternatives to checks for paying bills.
FACTS BUSINESSES SHOULD KNOW
Under Federal Laws/Rules, Consumers Have the Right to:
1. Request a free copy of their credit report once a year from each of the three credit reporting agencies. If they dispute credit report information, credit bureaus must resolve their dispute within 30 days and send written notice of the results of the investigation, including a copy of the credit report, if it has changed.
2. ‘Opt Out’ of credit card companies’ and banks’ marketing programs, including ‘convenience checks’ sent on your credit card account by calling the companies’ customer service numbers.
3. "Opt Out” of credit card solicitations
1-888-567-8688
www.optoutprescreen.com
Under
ColoradoLaw, Consumers Have the Right to:
1. Remove their SSN from driver’s licenses and health insurance cards.
2. Have no more than five (5) digits printed on their credit card receipts.
3. Have their identity verified by credit card solicitors before they send a credit card to an address different than theirs.
4. Have the right to ask businesses, non-profit, and government agencies about their policies for disposal of personal identifying documents.
5. Freeze their credit reports
Miscellaneous Facts:
1. The Fair and Accurate Transactions Act (FACT ACT) mandates that businesses, whether employing one or one million, must take reasonable measures to destroy information derived from consumer credit reports before discarding them. Failure to adequately protect clients’, customers’, or employees’ private information may result in:
· civil penalties up to $1000 per person
· class action lawsuits
· federal fines up to $2500 per violation
· state fines up to $1000 per violation
2.
Colorado requires all businesses, non-profit organizations and government agencies to have policies for the safe disposal of personal identifying documents.
3. Under Title V of the Gramm-Leach-Bliley Act (GLB), financial institutions are required to take steps to protect their customers’ data and face the possibility of fines or jail time for failure to comply.
4. The Health Insurance Portability and Accountability Act (HIPAA) imposes strict guidelines on healthcare plans and providers to guard against the disclosure of patient data.
5. Trash is not private property.
6. Under
Colorado Law it is illegal for a business to write or have written on any check presented for payment the Social Security Number or credit card number of the person presenting the check.
7. 70% of data security breaches are done by insiders.
8.
Colorado law requires entities to conduct a "prompt” and "good faith” investigation upon learning of a security breach (Colorado Revised Statutes 6-1-716). Organizations must also provide prompt notice to those who might be impacted by the breach. If more than 1000
Colorado residents are impacted, the organization must also notify the national credit reporting agencies.
9. Identity theft has evolved from a consumer fraud issue into a serious threat to corporate reputations and finances.
ADT EXCLUSIVE TIPS: WORKPLACE VIOLENCE PREVENTION
· Jan 08, 2010
From 1997 to 2007, there were more than 7,000 workplace homicides nationwide, according to the U.S. Bureau of Labor Statistics. Most of these homicides involved robberies by strangers, but 1,000 involved work colleagues.
Traditional robbery -- which usually targets convenience stores and banks -- have caused an increase in security and the recession has driven potential thieves to even more desperate measures -- targeting business offices for robbery and theft. Offices can often provide easy access for thieves looking for expensive items like laptops, cell phones and even unattended cash.
Workplace violenceperpetrated by thieves, disgruntled former employees, angry customers and even bitter spouses can destroy a company’s reputation along with its employee’s sense of safety and security.
Patrick Fiel, public safety advisor for ADT Security Services, recommends that employers and employees work together to create an action plan to help make their places of business safer.
"Planning can be the number one deterrent to workplace violence. Having policies and procedures in place can make the difference in preventing workplace violence,” he said.
To help employers and employees mitigate workplace violence, Fiel and ADT recommend these important safety tips.
Safety tips for employers:
· Take a physical security survey of your workplace and review current policies and procedures. Enlist the aid of security professionals to help identify possible security vulnerabilities in landscaping, lighting, employee and visitor access and signage.
· Conduct full national background checks on all employees and contractors annually and provide yearly training on workplace violence prevention.
· Install video surveillance camerasto monitor both inside and outside your business. Video surveillance can be a deterrent to potential thieves. It can also be a valuable tool to help identify perpetrators and aid law enforcement before, during and after a robbery, theft or other crime.
· Implement access control systemsand visitor management systems to handle visitor and employee access. All employees and visitors should display proper Identification badges at all times. Make sure to immediately update access control systems, I.D. cards and readers when an employee leaves the company.
Safety tips for employees:
- Be aware at your workplace. If you notice someone unfamiliar to your office, someone without an I.D. card or behaving suspiciously, report it to your company’s security team or your supervisor. Never approach anyone you think may pose a threat.
- Use the buddy system. If you ever feel unsafe walking to or from your car after work, walk with a trusted coworker or ask for a security escort.
- Keep personal items such as purses and wallets in a secure place out of sight. About 75 percent of workplace violence incidents are robbery-related, so consider the use of a locked cabinet or desk drawer to secure your valuables at all times.
- Knowledge is power, so take time to review and learn about your company’s policy on evacuations and lockdowns. Knowing what to do and where to go in an emergency can save lives.
In addition to installing security cameras, Fiel recommends updating access control and creating emergency plans. Employers can also utilize effective preventative solutions such as anonymous tip lines for employees to report suspicious behavior or activity.
"Preventative measures like these are key to helping to enhance workplace safety and can provide peace-of-mind for employers, employees and customers,” Fiel said.
Copyright 2009, 1105 Media Inc.
|
Fraudulent Phone Pitches Target Businesses
|
|
|
|
Fraudulent telemarketers rob people every day, using phones as their weapons. Consumers aren’t the only victims. According to the nonprofit National Consumers League, which operates the
National
Fraud
Information
Center, these criminals also target businesses, large and small. Be Careful When You Hear These Pitches:
Prize Promotions
The pitch: You won a prize, but you have to pay or buy something to get it.
The scam: You pay but never get anything, or you get a cheap trinket.
Charities
The pitch: Help the disadvantaged, support your local police, aid disaster victims, etc.
The scam: The charity doesn’t exist, or most of your money goes to a professional fundraiser.
Office Supplies
The pitch: Your supplier calls and offers a great deal before prices rise.
The scam: The caller is an imposter and the supplies are inferior, or you get none at all.
Telephone Slamming
The pitch: You are offered a new billing plan for your phone service.
The scam: You agreed to switch your service to another company without realizing it.
Nigerian Money Offers
The pitch: Help me move a fortune from
Africa, and I’ll give you a big slice of it.
The scam: You pay "transfer” and "legal” fees to move the money to your bank account, but it never materializes.
Advance Fee Loans
The pitch: We’ll get you a loan, guaranteed, for an up-front fee.
The scam: You pay, but you never get a loan.
Many telemarketing offers are legitimate. How can you tell if they’re not? All employees should be familiar with these warning signs:
Promises of easy money;
Pressure to act immediately;
Refusal to send written information;
Scare tactics;
Instructions to send payment by wire or courier.
To protect your business from scams, designate specific employees to handle orders and bills. Before paying, confirm that the purchases were authorized and that you received the products or services. Check unfamiliar companies and charities with your state or local consumer protection agency and the Better Business Bureau. For more information contact the NFIC, 800-876-7060, or go to www.fraud.org/scamsagainstbusinesses.
|
| |
|
|
Protecting Business with ‘Positive Pay’
Positive Pay can help prevent check fraud through digital confirmation of checks presented for payment.
ü Positive Pay is an effective automated fraud detection tool offered by the Cash Management Department of most banks. It matches the account number, check number and dollar amount of each check presented for payment against a list of checks previously authorized and issued by the company. All three parts of the check must match exactly or it will not pay.
ü You transmit a file of issued checks to the bank each day. When those checks are presented for payment at the bank, they are compared electronically against the list of transmitted checks.
ü When a check is presented that does not have a "match" in the file, it becomes an "exception item". The bank sends a fax or an image of the exception item to the client. The client reviews the image and instructs the bank to pay or return the check.
ü There is generally a fee charged by the bank for Positive Pay, although some banks now offer the service for free. The fee might well be considered an "insurance premium" to help avoid check fraud losses and liability.
Resources
1.
U.S. Postal Inspection Service,
Denver Office
If your business is a victim of mail fraud, contact the United States Postal
Inspection Service at 303-313-5320
www.usps.com/postalinspectors/
2. Association of Certified Fraud Examiners
The ACFE releases an annual "Report to the Nation on Occupational Fraud &
Abuse”, which can be obtained at this website:
http://www.acfe.com/resources/publications.asp?copy=rttn
3. Credit Reporting Agencies
To request a FREE copy of your Credit Report from all three bureaus (you need your Social Security Number and other verifying information.)
Website: www.annualcreditreport.com
Phone: 877-322-8228
To put a fraud alert on your credit report, contact any one of the following:
Experian 1-888-397-3742, www.experian.com
4. ID Theft Assistance
To obtain a free copy of the District Attorney’s Identity Theft Workbook, call the
District Attorney’s Consumer Protection Line, 720-874-8487.
Identity
Theft
Resource
Center
www.idtheftcenter.org
For Assistance with Economic Crimes
ARAPAHOE, DOUGLAS,
LINCOLN AND