Do you know where your personal and corporate identity information resides or may be lurking? According to two Canadian security experts, personal and corporate identity theft is quickly becoming commonplace in the market and more vigilance and formal corporate policies are needed in order to help combat this issue.
According to Claudiu Popa, president of Toronto-based Informatica, a consulting firm that specialises in privacy compliance and security, someone's identity is perhaps by far the most valuable thing that can be stolen.
"Thieves have a lot of options since they can use someone's identity time and time again," Popa said. "As a criminal, applications for credit cards and mortgages can be made by assuming someone else's identity and by stealing things like social insurance numbers, passports and credit cards."
Popa points out that the issue is not so much just around the issue of sensitive information being stolen, although it does happen he says, but is rather around the fact that it's unknowingly given out in some cases by the users themselves.
"Phishing has become a successful practice because thieves ask for someone else's information which they can then use to impersonate them," Popa explains. "They'll send out forged e-mails impersonating banks and will ask unsuspecting users to fill out forms in detail with their personal information. The issues nowadays are evolving because everyone's trying to exploit new niches so we should all be aware of the dangers," he adds.
Furthermore, Popa also highlights the problem involving corporate identity theft that he says is also on the rise today. He says on its own, security software is often difficult to blame in the incident of an identity theft within a business because sometimes, he adds, it's the administrative staff who will leak out important business information and/or records.
Referring to users as being both the strongest and weakest links within a business, Popa said a reliance on security technology and software will only get one so far when it comes to security and protection of assets. He says it's easy for a thief to obtain any necessary information just by stealing an organisation's domain name and then re-routing all traffic to another website to then access the desired files and information.
David Senf, director of research, security and infrastructure software at IDC Canada, said the problem of identity theft also occurs from a business level too, since the majority of them he said, do not have formal policies in place for its employees.
"Starting from a top down perspective," Senf advises, "businesses need to look at their data from a risk perspective and see where they should be prioritising the areas that are of the greatest risk. Firms can do things such as put policies in place that state what can be sent out or saved to a machine and around things like controlling who has access to the data. Getting employees to follow a policy and getting them to take security seriously is something that everyone needs to be looking at."
In addition, Popa says when business and personal information is given out over the Internet, he mentions that privileged information should only be shared on a need-to-know basis.
Senf also says it's common for organisation information to be leaked when devices such as company laptops are lost. Sensitive customer information is often stored on the notebook hard drive easily enabling hackers to gain access to the information. From there hackers can do whatever they like with it if it's not encrypted. Symantec's most recent Internet Security Threat Report Volume (ISTR) XIII, marking the six-month period from July 1 to December 31, 2007, found that theft or the loss of a computer or other data-storage device accounted for 57 percent of the total of majority of data breaches that could have led to identity theft.
"Web applications, e-mail applications and the network are the really big areas through which data can be lost," Senf said. "Companies need to make sure they're securing end-points to help prevent data from being leaked."
Senf said for Canadian channel partners, a wealth of opportunities are available for those working in this space.
"Channel partners can help firms define policies for sensitive data because not a lot of them have these in place," Senf said. "There are opportunities for partners to find and help train firms to become aware and vigilant with these policies. Vulnerability, security, identity and event management are also areas that can help an organisation understand what's going on because they can help provide visibility within their network."
As found by Phone Busters, a Canadian anti-fraud call centre associated with the Government of Canada and the RCMP, between January 1 and December 31, 2007, over US $5.9 million in losses were reported by Canadians linked to identity fraud.
Ram Manchi, president of AGMA (Alliance for Gray Market and Counterfeit Abatement), a non-profit organisation based in Fremont, Calif., that works to educate and raise awareness around the issues of IT counterfeiting and the grey market, said in the grey market, hackers who do bulk purchasing can obtain user IDs and passwords for as little as 50 cents to $1. Furthermore, Symantec's ISTR stated that full identities, when purchase in larger volumes, often ranged anywhere from $1 to $15.
Senf and Manchi both said businesses also need to establish and invest in more control and maintenance when it comes to securing their company infrastructure.
"The key is control, authentication and verification," Manchi explains, "these things have to be constantly monitored and procedures also need to be in place in the company's back-end to make sure authentication and encryption is being done as needed."
Mark Lorne, general manager of technology at retailer Grand & Toy, said for businesses and personal use, encrypted USB keys are best suited for storing personal and important information. These portable devices, he advises users, should already have security features built in such as file and data encryption.
He also warns that identity thieves may also be a lot closer to home than we think.
"When people think about identity theft and security, they tend to imagine an identity thief as someone far away," Lorne said. "They forget about the person sitting right beside them. A business person updating a proposal on a plane trip, for example, should be aware that the notebook's screen is visible to (those) sitting on either side, or across the aisle," he added.
In this case, he suggests travellers invest in products such as notebook privacy screens, which are portable privacy filters that fit directly over top of a notebook screen to provide visibility only to the user who's sitting directly in front of the display.
For personal and businesses, Lorne also suggests an investment in a paper shredder to ensure information is not being lost and/or stolen.
"Putting a piece of paper in the recycle bin doesn't mean that the valuable information printer on it is...gone," Lorne said. "Anyone combing through waste can find it. Grand & Toy offers a complete line of paper shredders for personal...or communal areas. (To protect both their personal and corporate data, users) should shred all personal and confidential documents," he adds.