Thought for the day:
The cost of negligence
Posted: 16:28 16 Sep 2003
Identity theft is not new, but it is being used as a label to describe the latest trend in fraud.
As businesses become more sophisticated and adopt better
security systems, criminals are finding new ways of circumventing
security.
However, businesses do not as yet have a secure and trusted means
of identifying individuals when trading online, which means they
must rely on more traditional ways to identify customers.
The more "original" a document a customer has, the more accepting
most businesses are about their identity. Criminals are collecting
original documents based on a real or fictitious individual.
Obtaining duplicate documents such as passports, birth certificates
and driving licences is not impossible, but the cost required to
obtain them must produce a return on investment.
Digging around in household rubbish is probably still the most
effective and cheapest way of obtaining copies of bank statements
and utility bills. A Google search can quickly provide enough
information to build a snapshot of a person's life from information
on personal websites or biographies on corporate websites.
As an indicator of the scale of the problem, the National Criminal
Intelligence Service has estimated that the cost of identity theft
to the British economy is £1.3bn a year. This loss is not just
monetary - a business can suffer reputational harm when its
security systems are shown to be insecure or inadequate.
Businesses have to assess the risk and cost of fraud. There is no
point in implementing hugely expensive security systems if the
potential loss is low. Most businesses work on the basis that a
percentage will be lost to fraud and bad debts. Provided that loss
is acceptable, it will be tolerated.
However, the bigger the business the more likely it is to be
subject to some form of regulatory or shareholder pressure.
Corporate governance, for example, looks at businesses from a risk
perspective.
IT managers are being asked to analyse the risk posed by computer
systems and to present their findings formally to the board. This
information may then be presented to regulators. Some larger
customers also require comfort statements.
To be effective, the IT manager has to work closely with the board
and with risk managers. This is not just about firewalls and
authorising credit card payments - businesses have to look at all
the different functions.
For example, an employee may have a profitable sideline in printing
copies of utility bills for certain addresses. Can your computer
networks and security systems detect and prevent this? Do you have
proper audit trails and exception reporting? What would happen if
this anomaly was reported?
Businesses have to recognise that identity theft exists so that
measures can be taken to investigate and resolve the matter.
What is probably of greater concern is that businesses may have a
greater liability than just the cost of the fraud. If adequate
safeguards have not been implemented and it can be proved that a
business has been negligent, it may be liable for other losses
which were reasonably foreseeable.
What do you think?
What measures have you taken to protect your business from identity fraud? Tell us in an e-mail. ComputerWeekly.com reserves the right to edit and publish answers on the website. Please state if your answer is not for publication.
George Gardiner is a partner at law firm
Stephenson Harwood