Taking the offensive on identity theft
By Steve Fittes
Date: May 28, 2003
Catch Me If You Can wasn't just a hit at the movies this winter. It's also the modus operandi of a growing band of street criminals and their hacker allies who trade in consumer credit card information, Social Security numbers and other confidential data that are stored inside organizations and wash across millions of Web sites every day.
The Tennessee Senate recently passed a bill that is designed to help protect veterans from identity theft by removing Social Security numbers from courthouse public records. Identity theft is reaching alarming proportions and needs to be taken seriously by all organizations - before it happens.
As most other types of crime are declining, identity theft is booming. It doubled to roughly 162,000 cases last year and is now the leading consumer fraud, according to the Federal Trade Commission. As many as 700,000 consumers may be victims of identity theft this year, costing each person an average of $1,000.
There are several key causes. More consumer and commercial data are online to meet the requirements of on-demand business. Automating business cuts costs, speeds service and allows organizations to reach customers, suppliers and partners more easily.
We're not going to scrap the Internet because of identity theft. But we do need to get much more serious about managing identity theft.
Too many organizations are still in the dark ages compared to the thieves they are up against. Today's identity thieves, who often have inside experience, are outsmarting us at nearly every turn. Who is more likely to be successful: a full-time hacker searching for a security hole into a company's systems, applications and data, or a developer with a thousand other things to do than plug every conceivable hole?
It's not that we don't have the security tools and smarts to manage the problem. But most information technology (IT) organizations are too stretched to devote the resources needed to keep up with the thieves, let alone get ahead of them by designing systems that are so sophisticated the thieves can't get in.
Organizations spend too much time reacting to security breaches, rather than preventing them. The most effective deterrent to identity theft is making an organization's IT architecture so airtight that thieves decide it's not worth challenging it.
There is nothing new about identity theft, which amounts to exploiting holes in technology. Instead of rifling trash bins for credit card receipts and tapping telephones, today's thieves steal data using a mouse and keyboard, and sell their booty to the highest bidder on the street. Thugs often recruit hackers to steal information.
To fight this growing menace, organizations need to replace their patchwork of security systems with an overall security architecture that plugs the holes inside and outside the enterprise, makes sure the right people have access to the systems, applications and data they need, and keeps everybody else out. Here is a plan of attack to get ahead of identity thieves.
Shut the door on former and temporary employees who still hold valid company IDs and passwords. With employee turnover running at 100 percent in industries such as retail, it's not unusual for 20 percent of company accounts to belong to employees who haven't worked for the organization for five years or longer.
An even bigger inside problem is employees who have unrestricted access to company systems and data that are unrelated to their job responsibility. Security policy should restrict employee access to pertinent areas of the business.
Recognize that today's homegrown security code is highly vulnerable to hacker attack. A hacker can gain access to a public Web site that is linked to an internal file system, and thus gain access to company and customer files.
Many organizations now put customer best practices online, so that other customers can gain insights. As this happens, hackers find ways to get access to applications that provide information about other users, which they can use to steal their identities. The fix is to replace patchwork security code with a sophisticated architecture that closes the holes between parts of the business.
Organizations need to randomize data to protect customer identity and privacy. Customization of individual data is here to stay, but these raw data must be kept under lock and key so that others cannot use them to invade individual privacy.
Does the marketing department need access to everyone's name and address or just to macro trend data? Companies can extract macro data from individual customer information, which will protect privacy rights and yield nearly the same business benefit.
Enhanced security doesn't have to inhibit business. Implemented wisely, security is a business enabler. It's up to organizations to take preventive steps that will strengthen the business and defeat the bad guys before they strike.
Original article: http://www.gomemphis.com/mca/opinion_columnists/article/0,1426,MCA_539_1992409,00.html