
IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
February 13, 2008

Securing data the right way

The recent case of Her Majesty’s Revenue and Customs losing its entire child benefit database in the post serves to highlight the problem of data theft facing UK security practitioners and their host organisations. With the names, addresses, birth dates, national insurance numbers and bank account details of every child benefit claimant in the country going missing, speculation that this data could fall into the wrong hands has been rife.

Research we commissioned last year found that there had been over 25 million exposures of personal records to potential theft and fraud over a 12-month period. This equates to the number of households in the UK, and highlights the enormous security challenge facing British public and private sector organisations in today’s data-rich society.

Organisations of every kind keep records on their clients and customers which are vital for a whole array of business practices such as sales activities, marketing campaigns and customer service. Transactional processes like billing, credit and finance requirements all involve maintaining detailed personal records.

It’s fair to say that the need for more sophisticated methods of tracing fraudsters and data thieves has never been greater.

Eventuality of a breach

Many institutions have already put in place tight internal security measures, but all-too-frequently those policies don’t pay attention to the eventuality of a breach. Most companies would be appalled to find their customers were contacted inappropriately by rogue traders with, at worst, fraudulent intentions. Unfortunately, these breaches are very commonly the result of human intervention.

A whole host of situations involving human interference might be to blame, from something as simple as an employee losing a work laptop to something more sinister, such as an employee being blackmailed by criminals into obtaining customer data.

For larger list owners, the consequent recovery of a client’s marketing communications would typically run costs into hundreds of thousands of pounds, not to mention the resulting chaos for customers and employees alike.

The security and accessibility of data sets is frequently viewed as a purely internal issue. If an organisation were to admit that it had experienced a breach of its data security, that might open it up to potential legal liability and bring about reputational damage. That’s why most companies maintain a dignified silence if it happens. Even the requirement of the Data Protection Act 1998 to keep personal data secure has tended to be viewed as an entirely internal process.

One consequence of this inward focus has been a lack of clear ownership and specified processes to deal with data security. Often, the issue is handled within IT departments rather than as a standalone function.

Out of sight, out of mind

Abuse of this ‘out of sight, out of mind’ attitude has therefore been relatively easy. It’s an uncomfortable fact that most breaches of data security are carried out by an organisation’s own staff, including its directors and senior managers. Research by KPMG Forensic found that the typical company fraudster is a trusted male executive who succeeds with over 20 fraudulent acts over a period of up to five years or more. Enlightening, isn’t it?

However, growing legal pressure, from industry-specific regulations through to international laws, now means that every organisation holding key data needs to be absolutely sure it is keeping hold of it. Indeed, leading brands are becoming increasingly aware of the damage security breaches can do to their image.

As a result, data security is moving away from being an IT discussion to become part of the Boardroom agenda, not least because the brand is often the most highly-valued asset on the balance sheet.

Data security can never be 100% perfect. It is simply not possible to guarantee the total safety of any asset, physical or virtual, that needs to be in constant use. Certain measures will deliver a much higher degree of security, however, and are more likely to meet compliance requirements.

Perhaps most importantly, data security is being addressed almost exclusively from the point of view of stopping data leaving the organisation through (or to) an unauthorised party. Firewalls and encryption routines help prevent illegal access to sensitive information.

While absolutely necessary, the problem with this approach is that such measures cannot protect against computer theft, loss/theft of data on physical media or the loss/theft of physical records.

Moreover, although escalation procedures once a breach has occurred can actively minimise the impact of identity fraud, they cannot help trace the fraudsters.

Tracking and tracing thieves

There’s a significant need to widely implement measures for tracking and tracing identity thieves and fraudsters once a breach has occurred. There are various means of doing so, whether electronic or physical. However, all involve the use – in one way or another – of ‘seed names’. These are agents or identities that appear to be real customers, but have in fact been inserted into the database to obtain a view of any unauthorised use of records.

In a real life example, the direct marketing industry uses such ‘sleepers’ as standard practice to guard against unauthorised use of commercial mailing lists. Now, corporations and Government bodies are beginning to adopt the same approach for monitoring data abuses.

Even at this early stage of adoption in the wider commercial and public sectors, there have been cases of pre-emptive discovery in which unauthorised data usage (data theft, in truth) was identified that would otherwise have remained undiscovered.
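As an added illustration of the seeding approach described above (this code is not from the original article and not IFSEC's own), the script below inserts 'sleeper' records into a customer list and later checks a list or mailing obtained from elsewhere for those identities. It goes one step further than the text: each copy of the list handed to a partner (a 'release') gets its own seeds, derived with a keyed hash, so a hit tells the list owner which copy was misused. The key, the name pools, the customer records and the observed mailing are all constructed values for this example.

```python
"""Seed ('sleeper') records for detecting unauthorised use of a customer list.

Constructed example: the key, name pools, customer records and the observed
contacts are invented for illustration and are not real data.
"""
from __future__ import annotations

import hashlib
import hmac
import random
from dataclasses import dataclass

# Secret used to derive seed identities. Constructed value for this example;
# in a real deployment it is a stored secret known only to the list owner.
SEED_KEY = b"example-seed-key-not-for-production"

# Small constructed pools so seeds look like ordinary customers.
_FIRST = ["Alice", "Bashir", "Chloe", "Dev", "Eleanor", "Farid"]
_LAST = ["Moreton", "Okafor", "Pritchard", "Quinn", "Rasheed", "Sutton"]


@dataclass(frozen=True)
class Record:
    name: str
    address: str
    email: str


def _normalise(value: str) -> str:
    """Case- and whitespace-insensitive form used for matching."""
    return " ".join(value.lower().split())


def make_seed(release: str, index: int) -> Record:
    """Derive one seed identity bound to a named copy ('release') of the list.

    The keyed hash makes the identity reproducible for the list owner but
    unguessable to anyone else; the digest also picks a plausible name and a
    unique flat number so the record does not stand out in the list.
    """
    digest = hmac.new(SEED_KEY, f"{release}:{index}".encode(), hashlib.sha256).digest()
    tag = digest[:4].hex()
    first = _FIRST[digest[4] % len(_FIRST)]
    last = _LAST[digest[5] % len(_LAST)]
    flat = 1 + int.from_bytes(digest[6:8], "big") % 900
    return Record(
        name=f"{first} {last}",
        address=f"Flat {flat}, Example House, Exampletown",
        email=f"{first.lower()}.{last.lower()}.{tag}@example.com",
    )


def seed_list(records: list[Record], release: str, count: int,
              rng: random.Random | None = None) -> tuple[list[Record], dict[str, str]]:
    """Return a copy of the list with seeds inserted at random positions, plus a
    registry mapping each seed's lookup keys to the release it identifies.

    Two keys are registered per seed: the email alias (authoritative, since the
    tag is unique per release) and name|address, a fallback for lists that
    arrive with email columns stripped.
    """
    rng = rng if rng is not None else random.Random(0)
    seeds = [make_seed(release, i) for i in range(count)]
    seeded = list(records)
    for seed in seeds:
        seeded.insert(rng.randrange(len(seeded) + 1), seed)
    registry: dict[str, str] = {}
    for seed in seeds:
        registry[_normalise(seed.email)] = release
        registry[_normalise(f"{seed.name}|{seed.address}")] = release
    return seeded, registry


def find_seed_hits(registry: dict[str, str], observed: list[Record]) -> dict[str, list[Record]]:
    """Match records seen in an unexpected mailing (or any third-party list)
    against the seed registry. Returns the hits grouped by the release they point to."""
    hits: dict[str, list[Record]] = {}
    for rec in observed:
        release = registry.get(_normalise(rec.email)) or registry.get(
            _normalise(f"{rec.name}|{rec.address}"))
        if release is not None:
            hits.setdefault(release, []).append(rec)
    return hits


if __name__ == "__main__":
    # Constructed walk-through: one list, two releases, one leaked seed observed.
    customers = [Record("Jane Doe", "1 High Street, Exampletown", "jane@example.org")]
    _, reg_a = seed_list(customers, "partner-a", 3)
    _, reg_b = seed_list(customers, "partner-b", 3)
    leaked = make_seed("partner-b", 1)
    mailing = [Record("Bob Example", "2 Low Road", "bob@example.net"),
               Record(leaked.name.upper(), leaked.address, f"  {leaked.email.upper()} ")]
    for release, recs in find_seed_hits({**reg_a, **reg_b}, mailing).items():
        print(f"{len(recs)} seed hit(s) point to release {release}")
```

The registry is the only thing the list owner needs to keep; the seeded list itself can be released as normal. Matching is case- and whitespace-insensitive because lists are routinely re-keyed before resale, and the name|address fallback catches copies that have had the email column dropped.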

UK public and private sector organisations are holding an increasing volume of data on customers and citizens. If such organisations are to continue to be allowed to use this information for improving customer service, they also have to take on the responsibility of keeping it safe and secure. The exposure of 25.45 million personal records every year to potential theft and fraud is already unacceptable. All of us agree on that!

In addition, individuals must become more ‘savvy’ and responsible about the way they keep and dispose of their personal records. For organisations to concentrate only on internal systems security is not enough. Equal amounts of attention need to be given to ways of tracking and tracing abusers and fraudsters after a data breach has occurred so that the perpetrators might be brought to justice on a more frequent basis.

Only by removing the criminal element from the picture can the tidal wave of identity fraud be turned back.
