
CISO, Boston University

Credit monitoring as an employee benefit

Feb 23, 2015 | 4 mins
IT Leadership

Make it easy for people to take care of their financial health

Let’s take a few minutes to talk about one way to give our employees tools to make better security decisions and improve the security of their finances.

A somewhat new form of identity fraud has been in the news lately: tax return fraud (Krebs) (Fox) (NY Post) (Bloomberg). Bad guys are filing tax returns using other people's information so they can claim the refund first. The IRS estimates that it sent out over $5 billion in fraudulent refunds last year. Imagine how you would feel, painstakingly completing your tax return only to get a message back from the government saying, "Sorry, you already got your money back." 60 Minutes did a good story on this last year and featured one person who filed an average of 15 returns a day with a modest return of 2-4 each time, resulting in almost $45,000 in profit every day. This is a big issue that the IRS is working to solve, but if a fraudster succeeds in using your information, the burden of proving the truth and cleaning up the situation falls entirely on your shoulders.

Unfortunately, while it is important to know about this type of identity fraud, currently the best way to defend against it is to file your taxes as early as you can, and that still leaves a good window of opportunity for the bad guys. However, there are many other kinds of financial and identity fraud out there—by far the most prolific is still the creation of new credit accounts in someone else's name or the unauthorized use of existing credit accounts—and the best defense against these other forms is credit monitoring.

The Federal Trade Commission requires each of the three credit reporting agencies to provide you one free credit report each year. You can get those reports from the official site. Do not confuse it with the myriad competitors out there; it is the only FTC-authorized website for getting your free credit report. The others give you your first one free, but usually you are also automatically signed up for a fee-based credit monitoring service. Even the official site tries to up-sell services to improve the efficacy of credit monitoring, so you have to look closely for the text link that gets you to your credit report without signing up for more.

When somebody does not have an active credit monitoring service, I recommend that they pull one of their three free reports every four months: in February (after the bills from the holidays come in), pull the report from Experian; in June, grab the report from TransUnion; and in October (before the shopping season starts), get the report from Equifax. This gives a pretty good view of your credit all year and is entirely free.

But even though this resource is available and easy to use, most people either don't know about it or only bother to check every few years. So now let's shift focus from what you as an individual can do to what we as employers can do to help.

We, as employers, can help provide a better way. Consider offering credit monitoring as an employee benefit: financial health monitoring right alongside physical health monitoring. It doesn't have to cost the enterprise anything more than the administrative costs of maintaining the program, because it can be offered as an employee-funded option on a pretax basis. I have seen organizations negotiate directly with one of the three credit reporting agencies for prices in the $10 range for credit monitoring all year, a very small out-of-pocket expense for the peace of mind of knowing that their credit is being actively analyzed and that an alert will be pushed to them if something changes.

Organizations that have cyber insurance should consider working through their provider to negotiate the price, as this will likely result in a better cost for the credit monitoring itself and may result in lower insurance costs, depending on your provider. (This is a measurable positive element in security programs when viewed from the perspective of cyber security insurance underwriters.)

Credit monitoring helps to empower our people with better protections against threats to their financial health. They are alerted at the earliest possible moment to issues that may be surfacing. Timely information allows for timely response, easier defense and clean-up and, thus, more Convenient Security.

Quinn R. Shamblin's philosophy is that convenience and security are not mutually exclusive - good security can be achieved simultaneously with user convenience. Contrary to what people believe, the work of a good information security professional is not to say "no" to a business goal or request, but to find a safe way to say "yes". This philosophy comes from experience gathered throughout a very diverse career.

Quinn started his career as an officer in the U.S. Navy, teaching sailors how to operate the nuclear reactors found on U.S. submarines and aircraft carriers. He then moved into staff and project management in the IT field, spending several years leading the technical development and support of TIBCO technologies for Procter & Gamble, HP, and Hydus, Inc. Quinn then joined the University of Cincinnati as a Cybercrime Investigator, then Manager of Information Security and finally, Director of Information Security. Quinn is now the Information Security Officer at Boston University, one of the leading urban research universities in the world, ranked 41st in the U.S. (U.S. News & World Report) and 50th in the world (Times of London) in 2013. BU is the fourth largest private university in the U.S. with 33,500 students and 9,000 faculty and staff in 16 Schools and Colleges and association with Boston Medical Center.

Quinn is a sought-after presenter in the Information Security field. He has given talks for CSO magazine, the Brazilian government, the FBI, Evanta, EDUCAUSE and many other national, regional and local organizations. He and the team that created Boston University's Premium Secure VM Service won the CSO50 Security Innovation Award in 2014.

Quinn holds an MBA from the University of Cincinnati, a B.S. in Physics from Andrews University and numerous professional certifications, including CISM, CISSP and ITIL and, previously, PMP and GIAC Certified Forensics Analyst (GCFA).

The opinions expressed in this blog are those of Quinn R. Shamblin and do not necessarily represent those of Boston University or IDG Communications, Inc., its parent, subsidiary or affiliated companies.