Identity theft isn't just personal, it's corporate

Businesses need to look at their data from a risk perspective and see where they should be prioritising the areas that are of the greatest risk, suggests one expert.


Do you know where your personal and corporate identity information resides or may be lurking? According to two Canadian security experts, personal and corporate identity theft is quickly becoming commonplace in the market and more vigilance and formal corporate policies are needed in order to help combat this issue.

According to Claudiu Popa, president of Toronto-based Informatica, a consulting firm that specialises in privacy compliance and security, someone's identity is perhaps by far the most valuable thing that can be stolen.

"Thieves have a lot of options since they can use someone's identity time and time again," Popa said. "As a criminal, applications for credit cards and mortgages can be made by assuming someone else's identity and by stealing things like social insurance numbers, passports and credit cards."

Popa points out that the issue is not so much just around the issue of sensitive information being stolen, although it does happen he says, but is rather around the fact that it's unknowingly given out in some cases by the users themselves.

"Phishing has become a successful practice because thieves ask for someone else's information which they can then use to impersonate them," Popa explains. "They'll send out forged e-mails impersonating banks and will ask unsuspecting users to fill out forms in detail with their personal information. The issues nowadays are evolving because everyone's trying to exploit new niches so we should all be aware of the dangers," he adds.

Furthermore, Popa also highlights the problem involving corporate identity theft that he says is also on the rise today. He says on its own, security software is often difficult to blame in the incident of an identity theft within a business because sometimes, he adds, it's the administrative staff who will leak out important business information and/or records.

Referring to users as being both the strongest and weakest links within a business, Popa said a reliance on security technology and software will only get one so far when it comes to security and protection of assets. He says it's easy for a thief to obtain any necessary information just by stealing an organisation's domain name and then re-routing all traffic to another website to then access the desired files and information.

David Senf, director of research, security and infrastructure software at IDC Canada, said the problem of identity theft also occurs from a business level too, since the majority of them he said, do not have formal policies in place for its employees.

"Starting from a top down perspective," Senf advises, "businesses need to look at their data from a risk perspective and see where they should be prioritising the areas that are of the greatest risk. Firms can do things such as put policies in place that state what can be sent out or saved to a machine and around things like controlling who has access to the data. Getting employees to follow a policy and getting them to take security seriously is something that everyone needs to be looking at."

In addition, Popa says when business and personal information is given out over the Internet, he mentions that privileged information should only be shared on a need-to-know basis.

Senf also says it's common for organisation information to be leaked when devices such as company laptops are lost. Sensitive customer information is often stored on the notebook hard drive easily enabling hackers to gain access to the information. From there hackers can do whatever they like with it if it's not encrypted. Symantec's most recent Internet Security Threat Report Volume (ISTR) XIII, marking the six-month period from July 1 to December 31, 2007, found that theft or the loss of a computer or other data-storage device accounted for 57 percent of the total of majority of data breaches that could have led to identity theft.

"Web applications, e-mail applications and the network are the really big areas through which data can be lost," Senf said. "Companies need to make sure they're securing end-points to help prevent data from being leaked."

"Recommended For You"

Mobile defence forces Half of convicted ID thieves escape jail