Identity Theft: More Than A Stolen Wallet
Maintaining trust is the first thing to remember
By: John Worrall
As the role of IT administrators continues to expand, it is imperative that companies not lose sight of their core responsibilities: managing and protecting corporate data. This responsibility is becoming increasingly important in the enterprise due to the staggering rise in identity theft around the globe. A recent report from the Federal Trade Commission (FTC) found that identity theft has achieved the dubious honor of being the most common form of fraud, accounting for 43% of all complaints. And as more and more corporate and personal information becomes accessible online, that number is increasing. In fact, the FTC reports that identity theft incidents increased 73% from 2001 to 2002.
For a long time, privacy and other forms of e-security have taken a back seat in the enterprise to pressing business issues that consume the attention of both senior management and IT staff alike. It has been common practice to put off thinking about security until the "unthinkable" occurs - a breach. Obviously, that's too late. With this passive approach, companies may be jeopardizing their customers' privacy. Consider these cases, which have been previously reported in the media:
But who should take responsibility for protecting people against identity theft? The responsibility has to come from both individuals and organizations holding sensitive data. It's not an either/or situation. For both parties it's largely a matter of awareness. Individuals need to recognize just how easy it is for someone to use their personal information to commit fraud; and organizations need to recognize that it is a privilege to have access to the personal information of employees and customers.
Many organizations don't realize how much sensitive information they carry on their servers and storage devices. Virtually every organization has personal information about its employees that could be used for fraud. Organizations that keep personal information about their customers have an added burden to protect that information. These organizations cut across nearly every industry - from health care organizations to financial institutions to government entities to online consumer sites.
It is important for companies to recognize that identity thieves are less likely to be nameless, faceless hackers than they are to be employees or partners of the company owning the database. This calls for extra time spent ensuring that users of the database have appropriate levels of authentication and access control. Any organization managing identities and customer information is vulnerable to identity theft, and needs to be vigilant about securing that information.
How can organizations prevent/limit identity thefts? First, companies need to determine where the sensitive information exists within their organizations. This is easier said than done because the information could reside on myriad servers and storage systems. You can't protect what you don't know about.
Second, companies need to get a true understanding of where and how the information is used to conduct business. Who is it sent to? Under what circumstances is it sent? How is it sent? Who is authorized to access the information in the first place? Where does it come from? Only then can they begin to understand the various points of vulnerability and address them.
Once these first two steps are complete, companies must ensure the systems in place are tamper-proof - making sure information "at rest" is encrypted. This means properly authenticating users (who gets in), monitoring access of the users (where they can go once inside the system), and monitoring the "perimeter" for intrusion attempts. If this is not done properly, identity information can be compromised and the trust of all identities in the system is called into question.
A well-managed system for protecting against identity theft includes the following:
No one can diminish the importance of ensuring an employee's computer is up and running, or up-to-date with the latest virus patches. But without working to protect the identities of employees, customers and partners, the loss that could be absorbed by an organization could be immeasurable. If proprietary information is compromised, the trust of the entire organization can be lost, not to mention the loss in actual dollars a security breach could cost a company.