When it comes to putting data and identity thieves in their place, Peter Costa says there's no room for being Mr. Nice Guy.
"Have a public hanging… they have to know you'll go after them," says Costa, who heads up enterprise security at GE Consumer Finance - Americas. Companies need to be "fanatical about prosecution," he says.
Costa outlined his views (which he stressed are not all necessarily those of GE as well) for dealing with data and identity theft during a presentation at last week's CIO Forum (more from the conference). The unique annual conference brings together IT suppliers and potential buyers on a cruise ship sailing out of New York City.
GE will actually call the parole board when a thief's hearing is coming up to discourage the person's release, Costa says. Before prosecution, GE will wrap up a case as tightly as it can to ensure that law enforcement takes identity and data theft seriously. "You've got to make it easy, you've got to make a point," he says.
Costa maintains that there hasn't been an explosion of data theft of late, but rather, we're just hearing about it now as a result of laws that require companies to fess up when their data systems have been breached. Nevertheless, data and identify theft are huge problems that companies need to address by assessing risks and reducing them, he says.
The first thing companies need to recognize, Costa says, is that theft or loss takes place in two primary ways: via intentional schemes, such as phishing or even dumpster diving, and unintentional means, such as a tape falling off a truck or a laptop being left behind at an airport. Data is at high risk in the former example, while it is at low risk of being comprised in the latter, he says.
"You have to have two different strategies to attack these two types of problems," Costa says.
Assessing the risk
For starters, companies should figure out which information they hold is most important to them. Examples might be an employee's Social Security number, direct deposit account numbers and passwords. Information relating to partners and customers also needs to be examined.
"Now comes the hard part. You have to say: Where does it exist?" Costa says. "You'll be amazed when you start peeling the onion back… You need to understand where the physical borders are, where the electronic borders are and where all that data is going back and forth."
The next step is looking at high-level risks, which Costa lists as forced entries, such as hacking; interception of transmissions, including "snail mail" and faxes; and the insider threat. On the insider threat, he suggests companies should take a very hard look at their human resources groups, where low-level people can have access to lots of sensitive employee data.
"We're far too trusting of insiders," Costa says.
Companies also need to examine how they think people might steal data. Underestimated are techniques such as people just walking into supposedly secure areas of a building on the tails of others, Costa says. Companies tend to spend more energy protecting themselves against new or sensational risks (He relates this to people fearing sharks more than pigs even though the farm animals kill more people yearly. "There's no 'Jaws' about pigs. There's no 'Snout.'")
Rss FeedRss Feed
The Leader in Network Knowledge
Comment