
Technology News: Businesses fail to address ID theft
By John Stokdyk
16th Mar 2006

In spite of the emergence of "phishing" and the steady spread of electronic identity thefts over the past two years, just 1% of UK companies have introduced comprehensive measures to limit unauthorised access to data.

The UK's response to identity fraud is documented in a fact sheet produced by PricewaterhouseCoopers as part of the 2006 DTI Information Security Breaches Survey.

"Identity theft and phishing are on the increase, particularly in financial services and telecoms providers. Several businesses reported daily attacks of this nature. It is all the more important therefore that companies adopt an integrated approach to identity and access management; those that have, are seeing real benefits from their investment," said Andrew Beard, the PwC director who supervised the survey.

"Too many companies are still relying on single factor authentication techniques such as user ID and passwords. More companies need to follow the lead of the few larger businesses which are using stronger methods to authenticate their users."

Every year, around 1,000 companies are surveyed. The findings on identity and access management and viruses have already been published in separate PDF factsheets. Another instalment, covering website security will follow before the full survey is finally published at the InfoSecurity Europe event in late April.

The incidence of financial fraud using computers was only 1% overall in the 2006 survey, but large businesses experienced a marked increase in instances where staff gained unauthorised access to data (18%), or where employees obtained and misused confidential information (9%).

The worst incident reported in the survey was a financial fraud that cost one bank millions of pounds. Several small businesses reported frauds that incurred direct losses of between £10,000 and £50,000. The companies experiencing fraud typically needed to spend a further £10,000 on indirect things such as legal help to remedy the situation. And even relatively innocuous confidentiality breaches cost 20% of those affected more than £1,000.

The technique of "Phishing" with bogus emails to collect data for identity theft was unknown in 2004, but affected 3% of respondents in 2006 - and 6% of the large firms surveyed.

Passwords remain the most popular method of preventing unauthorised access, but the increased risk of breaches has prompted large firms, in particular, to move to software tokens or hardware solutions such as smart cards to secure corporate data. Automated provisioning where users have to trigger the electronic creation of access rights to data was applied in 8% of the companies polled and 24% of large businesses.

Companies that adopted not just one, but a collection of these measures managed to avoid security breaches, but represented less than 1% of the survey total. Given the ever-increasing threat, the DTI is keen to encourage more companies to consider the integrated approach.

DTI identity and access management recommendations:

  • Think carefully about who should have access to your IT systems.
  • Allow access on an as-needed basis, and review it periodically.
  • Consider strong authentication for high risk systems.
  • If you have a large number of users, automate the set-up and removal of access rights.
  • Adopt an integrated approach to identity and access management.

    More information on identity and access management, plus an IT security health check, are available on the DTI's information security website.
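The recommendations above, in particular reviewing access periodically and automating the removal of rights, can be checked mechanically by reconciling the HR roster against the accounts that actually exist. The script below is an added example and is not part of the article or of the DTI survey; the roster, account inventory, role baselines and the 90-day idle window are all constructed assumptions.

```python
"""Periodic access review with an automated deprovisioning plan.

Reconciles an HR roster (who should exist, in what role) against the
accounts and entitlements actually granted, and reports:
  - orphaned: accounts whose owner is not an active employee
  - stale:    accounts not used within the review window
  - excess:   entitlements beyond the least-privilege baseline for the role
All data below is constructed sample data, not survey data.
"""
from datetime import date, timedelta

# Constructed least-privilege baseline: what each role may hold.
ROLE_BASELINE = {
    "accounts_clerk": {"ledger_read", "ledger_post"},
    "finance_manager": {"ledger_read", "ledger_post", "payment_approve"},
    "it_admin": {"ledger_read", "user_admin"},
}

# Constructed HR roster: employee id -> (role, currently employed?).
HR_ROSTER = {
    "E100": ("accounts_clerk", True),
    "E101": ("finance_manager", True),
    "E102": ("it_admin", True),
    "E103": ("accounts_clerk", False),  # has left the company
}

# Constructed account inventory as exported from a directory or application.
ACCOUNTS = [
    {"user": "asmith", "owner": "E100",
     "entitlements": {"ledger_read", "ledger_post"}, "last_used": date(2006, 3, 10)},
    {"user": "bjones", "owner": "E101",
     "entitlements": {"ledger_read", "ledger_post", "payment_approve", "user_admin"},
     "last_used": date(2006, 3, 14)},
    {"user": "cadmin", "owner": "E102",
     "entitlements": {"ledger_read", "user_admin"}, "last_used": date(2005, 11, 1)},
    {"user": "dleft", "owner": "E103",
     "entitlements": {"ledger_read"}, "last_used": date(2006, 2, 1)},
    {"user": "svc_old", "owner": "E999",  # owner unknown to HR at all
     "entitlements": {"ledger_post"}, "last_used": date(2006, 3, 1)},
]

EXAMPLE_TODAY = date(2006, 3, 16)  # constructed review date


def review_access(accounts, roster, baseline, today, max_idle_days=90):
    """Return the three finding lists for one review run."""
    cutoff = today - timedelta(days=max_idle_days)
    orphaned, stale, excess = [], [], {}
    for acct in accounts:
        role, active = roster.get(acct["owner"], (None, False))
        if not active:
            # Owner left, or was never in HR: the account has no valid owner.
            orphaned.append(acct["user"])
            continue
        if acct["last_used"] < cutoff:
            stale.append(acct["user"])
        extra = acct["entitlements"] - baseline.get(role, set())
        if extra:
            excess[acct["user"]] = extra
    return {"orphaned": sorted(orphaned), "stale": sorted(stale), "excess": excess}


def deprovision_plan(review):
    """Turn findings into (user, action) pairs a provisioning job could apply.

    Orphaned and stale accounts are disabled rather than deleted so the
    action is reversible and audit trails survive; excess rights are revoked
    individually.
    """
    plan = [(u, "disable") for u in review["orphaned"] + review["stale"]]
    for user, extra in review["excess"].items():
        plan.extend((user, f"revoke:{ent}") for ent in sorted(extra))
    return sorted(plan)


def run_review(today=EXAMPLE_TODAY):
    """Convenience entry point over the constructed sample data."""
    return review_access(ACCOUNTS, HR_ROSTER, ROLE_BASELINE, today)


if __name__ == "__main__":
    findings = run_review()
    for key, value in findings.items():
        print(f"{key}: {value}")
    for user, action in deprovision_plan(findings):
        print(f"{user:10} {action}")
```

Run on a schedule, the same reconciliation doubles as the "review it periodically" step: the output is empty when every account has an active owner, recent use, and only the rights its role allows.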


    Replies (1)


    Dennis Howlett
    By dahowlett
    17th Mar 2006 05:17

    devilishly difficult
    This is a topic that few seem to care about and even fewer understand. It's also one that's devilishly difficult to resolve because the tech industry seems incapable of putting its vested interests to one side and agreeing on a common standard for managing identity.

    I'd happily shell out a few $$ per month to have a service that understands all the services I use, the usernames and passwords I employ and then provides me with a vault style service that authenticates me wherever I go and however I access those services.

    Reality? I only know of a handful of companies that are attempting to solve this problem. Outside of course from the lock-in merchants at Microsoft and IBM.

    We deserve better. If the global banking industry is capable of doing it for ATM (albeit in a scrapyard kind of fashion) why not the high tech industry? To use an Americanism that seems wholly appropriate - it sucks.
