
Identity theft: how you can protect and survive

The proliferation of databases has led to an epidemic of identity theft. Cath Everett reports on the depth of the problem and the steps business should take to protect themselves.

Cath Everett, Computing 18 Jun 2004

The reason for the alarming increase in identity theft is easy to understand: there's far more personal data around to steal.

Samir Kapuria, director of strategic solutions of security consultancy @stake, explains: "There's a heavy dependency and increasing weight put on information or transactions undertaken in digital format, and there's an ever greater supply of sensitive information in this format, too.

"Therefore, the threat of potential abuse is increasing."

Phil Cracknell, chief technology officer at security consultant netSurity, agrees that as databases proliferate there will be ever more sources of information to exploit.

"Identity theft has increased because the opportunities have increased," he says. "Society hasn't suddenly become more evil and more criminals haven't suddenly sprung up.

"It's just that it's easier now for people to do it from their armchairs. You're more likely to do something like this if you don't even have to leave the house."

A further complication is the increasing numbers of organisations that prefer to do business without customers being physically present, which adds to the threat because it becomes more difficult to authenticate who they really are.

The situation is not being helped by new trends such as offshore outsourcing, according to Kapuria. This means access to sensitive data may be provided to staff from third-party organisations, or data may need to be stored remotely in countries where data protection legislation is less stringent than the UK's own.

"You can't outsource the regulatory requirements or the risks, and you are challenged to protect the identity of your clients, although such information may be in third-party hands," he says.

"It's a trade-off between due diligence and mitigating the risk associated with securing your data, and potential cost savings and what strategy the company is following."

So ID theft is serious enough as a growth crime. But, warns Dave Birch, a director at Consult Hyperion, it also undermines confidence in the digital economy.

It's very difficult to put a figure on how much damage identity theft does to UK plc, because of companies' reluctance to admit to having been hit in case of potential damage to their brand image and reputation.

One large credit card company indicated that fraudulent use of credit cards cost it as much as £10bn per year, although Birch points out that for every £1 that is stolen, it costs another £50 to sort out the mess in terms of recompensing customers and internal administration costs.

So what are the most common methods of perpetrating identity theft, and which organisations are at greatest risk?

According to Cracknell, most identity theft is petty in nature and aimed at finding out information such as what the boss or staff have been saying over email, or to establish from internal documents how much colleagues are being paid, for example.

It is generally the result of inadequate password protection in the workplace, and it is often simply a matter of watching colleagues type them in, reading them on a Post-It note, or even guessing.

In terms of external attack, however, Kapuria indicates that there are three distinct ways that organisations are likely to suffer - being the target of choice, the target of chance and those in between.

Targets of choice are generally financial services institutions - particularly banks - because of the large amounts of identity information they hold and the obvious potential financial gains.

However, such organisations are often less attractive to the average attacker because they tend to have sophisticated procedures and technologies in place to deal with such eventualities.

Targets of chance, meanwhile, are generated by such electronic forms of social engineering as phishing.

Here, malicious individuals send random targets a mass email indicating, for example, that the message has come from a reputable bank and they need to go to a certain website to update their credit card details or the like.

"These attacks aim at the lowest-common-denominator, least technologically literate targets, and are probably the most challenging facet of protection," points out Kapuria.

"The challenge is to educate users from different strata of life and with different educational backgrounds, but because the net is cast so wide, it only takes one or two respondents to potentially make it lucrative."

A third and growing target, however, is smaller, relatively low-profile organisations that may not have the resources to secure themselves as robustly as larger companies, but may be subject to more random attacks.

"Most of the smaller tier-two companies don't have the necessary prevention, detection and response capability in place, and might not even know that they've been used as a vehicle to extract identities," says Kapuria.

"They don't notice any changes to their web pages or how transactions are executed because pilfering files doesn't generally affect how their technology operates."

But ignorance and inaction are no defence against the law. According to Charlotte Walker-Osborn, associate solicitor with Eversheds, companies have a responsibility to safeguard personal data and ensure that adequate security protection is in place, under legislation such as the Data Protection and Consumer Credit Acts and guidelines such as the Turnbull rules.

Failure to prove that they have done so can be deemed as negligence and therefore makes them liable.

In terms of what comeback organisations have themselves, unfortunately there is currently very little.

This is because identity theft in its present guise is a relatively new legal concept and is not specifically dealt with in law.

At the moment, once a perpetrator has been caught, it is possible to bring an action under the Theft Act 1968, but here it has to be proved that the person involved made a monetary gain, which is not always the case.

Another possibility is Conspiracy to Defraud legislation, but again, the problem here is that, while identity theft is often the pursuit of a solitary individual, a conspiracy involves more than one person.

To try to remedy this situation, the Home Office is currently proposing new legislation under the auspices of the draft identity cards bill.

This aims to make it possible to arrest individuals for possessing documents they have obtained improperly or for making or using machines that are specifically designed to perpetrate fraud.

Under the proposals, those convicted would be liable for up to two years' imprisonment, a fine or both. While the legislation is still currently working its way through Parliament, this element is expected to be enacted more quickly than the identity card piece and could become law as soon as the end of next year.

The cost of identity theft to large companies

One in five of the UK's biggest firms admit to suffering security breaches because of identity theft, and the damage in more than half of these cases has been worse than that caused by viruses.

According to the Department of Trade and Industry's 2004 Information Security Breaches Survey, 15 per cent of these attacks cost about £100,000 and disrupt businesses for more than a month.

The report, conducted by PwC, said the breaches occurred because of 'weaknesses in [companies'] approach to identity management' and stressed the value of authentication measures such as tokens, smartcards and biometrics in foiling such attacks.

Only six per cent of firms - predominantly large corporates - currently use such systems. The study found only three per cent of them were successfully hit.

"The cost savings for authentication technology really kick in when you're a big company," explains Rhodri Davies, head of security technology at reseller Vistorm.

"But as security budgets grow SMEs can also make the case for adopting such technologies."

Chris Potter, the PwC partner who led the survey, says: "This is a demonstration of the benefits of authentication systems."

What organisations should be doing to protect themselves

There are various ways that organisations can protect themselves against identity theft, but it is important to bear in mind that all initiatives will need to be company-specific.

@stake's Kapuria explains: "Every company has its own manner of using sensitive personal data, so the solutions deployed to protect and mitigate risk are by default unique."

As a result, the first thing for IT directors to do when tackling the issue is to understand the risk and the potential impact of that risk across the entire lifecycle of their corporate data, whether that be during its creation, transfer, viewing, storage or its ultimate destruction.

"In each state of the lifecycle, you have to develop an architecture based on the organisation's risk tolerance, its vulnerability and the potential attack vector," says Kapuria.

"In some cases, identity protection is bound by regulation, while in other cases, you might say that you'll accept a certain risk, say with an offshore outsourcing provider, because it brings other benefits."

The architecture in question comprises policies, procedures, awareness programmes and technology to manage things such as access, authentication and entitlement privileges, and it must be implemented across the organisation to be effective.

netSurity's Cracknell agrees. "It's necessary to ensure that you've gone through every possible scenario of misuse, and derive manual processes to break these down into manageable chunks," he says.

But he also points out that security is everyone's problem, and internal staff, as well as external customers, suppliers or partners, must be made aware of their responsibilities, even for simple things such as ensuring their passwords don't fall into the wrong hands.

In the case of employees, at least, disciplinary proceedings can be put in motion if abuse is found to have taken place, and legal action can even be instituted for breach of trust if serious problems have occurred.

In the virtual world, however, Cracknell recommends avoiding scenarios such as allowing complete online enrolment when providing products or services, because electronic personas are very difficult to truly authenticate.

"Do anything that might add another level of authentication, then monitor and audit. For example, each time a user logs on, ask them to check that the last time they did so was not a spurious time or date because it's very easy for online users to remain totally anonymous," he advises.
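One way to implement the last-logon check Cracknell describes, as an added example that is not code from the article or from netSurity: each sign-in hands back the previous logon for display, and the user can dispute it. The in-memory store, the user, the addresses and the timestamps are constructed, and locking the account once a logon is disputed is an assumed policy, not something the article prescribes.

```python
# Added example (not the article's code): last-logon check per Cracknell; all data constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone

def ts(text: str) -> datetime:  # constructed 'YYYY-MM-DD HH:MM' -> timezone-aware UTC
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)

@dataclass
class LoginRecord:
    when: datetime
    source: str            # client address or channel label
    disputed: bool = False

@dataclass
class Account:
    username: str
    history: list = field(default_factory=list)
    locked: bool = False   # assumed policy: a disputed logon closes the account

class LoginAudit:
    """Per-user logon trail; each sign-in hands back the previous logon for display."""
    def __init__(self) -> None:
        self.accounts = {}

    def login(self, username: str, when: datetime, source: str) -> "LoginRecord | None":
        """Record a successful logon and return the previous one (None if first)."""
        acct = self.accounts.setdefault(username, Account(username))
        if acct.locked:
            raise PermissionError(f"{username}: locked pending investigation")
        previous = acct.history[-1] if acct.history else None
        acct.history.append(LoginRecord(when, source))
        return previous

    def report_not_me(self, username: str, when: datetime) -> bool:
        """User denies the logon shown to them: flag that record and lock the account."""
        acct = self.accounts[username]
        for rec in acct.history:
            if rec.when == when:
                rec.disputed = True
                acct.locked = True
                return True
        return False       # no such logon on record; nothing to dispute

def last_logon_prompt(previous: "LoginRecord | None") -> str:
    """Wording the sign-in page shows so the user can verify the previous logon."""
    if previous is None:
        return "This is the first recorded sign-in for your account."
    return (f"Your previous sign-in was {previous.when:%Y-%m-%d %H:%M} UTC from "
            f"{previous.source}. If that was not you, report it now.")
```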

Finally, in terms of organisations protecting themselves from legal liability if the worst does happen, the one thing they must do is be able to provide evidence that they have done all they can to safeguard identity information, even if they have not been successful in this instance.

As Eversheds' Walker-Osborn says: "If you've been following best practice and put in place adequate security, you can put your hands up and say: 'I've done all I could'.

"It makes it much more difficult for the Information Commissioner to come down very hard on you if you can demonstrate that, practically speaking, you couldn't have done any more."

Trends in IT security spending

Spending on security-related technology is expected to increase over the next couple of years, levelling off at five per cent to eight per cent of the IT budget of global 2000 companies, according to a market research firm.

Security spending takes from three per cent to four per cent of IT budgets today, the Meta Group said in a report on information security spending.

That amount, however, is expected to increase at a compound annual growth rate of between eight per cent and 10 per cent through 2006, before reaching a plateau.

Meta recommends that companies look to best practices in their industry as a way to determine how much they should spend as a percentage of their IT budgets.

In general, percentages are expected to be higher among smaller organisations than at very large companies.

The rate of spending is expected to be slower in Europe than in the US, with a five per cent to seven per cent compound annual growth rate (CAGR) versus a 10 per cent CAGR, Meta said.

The major reasons are the lower intensity of publicity regarding cybercrime and compliance issues.

www.activehome.co.uk/2072420
© Incisive Media Ltd. 2008