
Employee Identity Theft Protection Software Helps Combat Cyber Threats

March 30, 2022
by Merry Marwig, CIPP/US

Information security (InfoSec) teams can use employee identity theft protection software to reduce their company’s attack surfaces. They can achieve this by getting employees directly involved in the security process and monitoring for compromised credentials and employee identifying information.

Employee identity theft protection software for InfoSec teams

At G2, we have a tiny but mighty software category for Employee Identity Theft Protection. This software category was created back in March of 2020, and at the time, we couldn’t quite decide where to put this in G2’s category taxonomy.

At its inception, identity theft protection was a consumer product, but vendors in the space began to package up this functionality and sell it as a B2B offering to company benefit administrators as a new employee benefit. So, this software was listed under G2’s overarching HR Software category. However, there has been a subtle shift in the market where employee identity theft protection software providers are now catering to InfoSec leaders. Security seems to be the more natural home for this kind of software, so it has now been moved under the umbrella of G2’s Security Software categories.

As of today, we have only 18 products and barely a handful of user reviews. Nevertheless, this article aims to inform InfoSec teams about its potential uses as part of an effective corporate security program.

Getting employees personally involved in their own security

Most corporate employees are required to complete an annual security training program, often conducted using security awareness training software, but many of these programs cover only the basics. They are designed to offer general security education that applies to a broad employee audience and is not often tailored to the individual user’s experience. While it is everyone’s responsibility to uphold security, this can seem like a nebulous, “not my job” kind of responsibility for those not in security roles. Providing employees with the security information that relates to them personally, explaining the impact this can have on them and the company, and providing remediation steps can help reinforce the message that company security is indeed everyone’s responsibility.

By using employee identity theft protection software, an employee can get information tailored just for them about their personal security risks. The software alerts employees whose corporate email accounts and credentials have been compromised. It can uncover information that data brokers are gathering about the employee, which could be used in crafting believable spear-phishing attacks. Other features can include emerging fraud alerts based on the employee’s demographic information such as age and location, 401k retirement account monitoring, health savings account monitoring, and even device security. Given how many companies allow employees to “bring-your-own-device” (BYOD), it’s reasonable to not only offer employees device security on the backend but also share information with them about their own specific device’s security and the steps to improve it.

According to a 2021 Lifelock survey report, 59% of the just over 10,000 adults surveyed had no idea what to do if their identity was stolen. This suggests that users need more information on how to improve their security and the remediation steps available to them. According to the same Lifelock study, 98% of people take some kind of action following a personal data breach, often to make their passwords stronger. Using business password manager software can help employees use strong and unique passwords for their corporate accounts. Additionally, InfoSec teams can use other identity-authentication-related software, including point solutions like single sign-on (SSO) software and multi-factor authentication (MFA) software, or more comprehensive solutions such as workforce identity and access management software.

98% of people take some kind of action following a personal data breach, often to make their passwords stronger

Source: 2021 Norton Cyber Safety Insights Report

Identifying credential stuffing and phishing risks early can be advantageous

InfoSec teams can deploy dark web monitoring tools to scan for company-related mentions in illicit marketplaces, including monitoring for compromised credentials and employee identifying information. Employee identity theft protection software can also directly alert the employee of such breaches. This can allow the employee to alert the InfoSec team or take corrective action directly, in an effort to reduce the company’s attack surface for credential stuffing attacks, where leaked login information is used by unauthorized people, and for incidents of targeted phishing attempts.

Educating end users on personal security is essential

Companies have tools to protect against internal user threats, such as insider threat management (ITM) software and user and entity behavior analytics (UEBA) software, but what about protecting users externally? Using employee identity theft protection software can help educate end users on their current personal security posture. It can also help employees make informed decisions on how to act more securely moving forward for the benefit of themselves and their company.


Merry Marwig, CIPP/US

Merry Marwig is a senior research analyst at G2 focused on the privacy and data security software markets. Using G2’s dynamic research based on unbiased user reviews, Merry helps companies best understand what privacy and security products and services are available to protect their core businesses, their data, their people, and ultimately their customers, brand, and reputation. Merry's coverage areas include: data privacy platforms, data subject access requests (DSAR), identity verification, identity and access management, multi-factor authentication, risk-based authentication, confidentiality software, data security, email security, and more.