- More porn sneaks onto the iPhone
- 'Swatting' case shows need to ban caller-ID spoofing
- Why the iPhone can't be "killed"
- Nortel enterprise chief wants to bring back Bay
- US sets final emergency responder wireless pilot
When it comes to putting data and identity thieves in their place, Peter Costa says there's no room for being Mr. Nice Guy.
"Have a public hanging… they have to know you'll go after them," says Costa, who heads up enterprise security at GE Consumer Finance - Americas. Companies need to be "fanatical about prosecution," he says.
Costa outlined his views (which he stressed are not all necessarily those of GE as well) for dealing with data and identity theft during a presentation at last week's CIO Forum (more from the conference). The unique annual conference brings together IT suppliers and potential buyers on a cruise ship sailing out of New York City.
GE will actually call the parole board when a thief's hearing is coming up to discourage the person's release, Costa says. Before prosecution, GE will wrap up a case as tightly as it can to ensure that law enforcement takes identity and data theft seriously. "You've got to make it easy, you've got to make a point," he says.
Costa maintains that there hasn't been an explosion of data theft of late, but rather, we're just hearing about it now as a result of laws that require companies to fess up when their data systems have been breached. Nevertheless, data and identify theft are huge problems that companies need to address by assessing risks and reducing them, he says.
The first thing companies need to recognize, Costa says, is that theft or loss takes place in two primary ways: via intentional schemes, such as phishing or even dumpster diving, and unintentional means, such as a tape falling off a truck or a laptop being left behind at an airport. Data is at high risk in the former example, while it is at low risk of being comprised in the latter, he says.
"You have to have two different strategies to attack these two types of problems," Costa says.
Assessing the risk
For starters, companies should figure out which information they hold is most important to them. Examples might be an employee's Social Security number, direct deposit account numbers and passwords. Information relating to partners and customers also needs to be examined.
"Now comes the hard part. You have to say: Where does it exist?" Costa says. "You'll be amazed when you start peeling the onion back… You need to understand where the physical borders are, where the electronic borders are and where all that data is going back and forth."
The Leader in Network Knowledge
Comment