With Troy Allen, chief fraud solutions officer, Kroll Fraud Solutions.
Question: You say that actual hacks aren't an organization's biggest worry. Can you explain?
Allen: Most organizations view their [major] exposure as network or firewall issues. That's not the case. Risk managers and CIOs have concentrated historically on that side of the business to reduce exposure, but are missing [other things] that are much more important and have bigger risks and that also still have implications for IT. Historically, CIOs and risk managers have not been the best people within the organization to deal with breach issues because they have skin in the game. [A theft] looks like it's their fault, and their jobs are at risk. They need to realize [that discussing other issues] is an opportunity for them to stand up in the organization and prove their value by demonstrating the company's exposure … and taking action. It is an opportunity to educate the senior-level team and say, "I know it, you need to know it, and we need to put something in place." It solidifies their value in the organization.
Question: So what other issues must companies focus on?
Allen: Every organization needs to practice miniaturization. There are three main points. Do not collect data that you do not need to have. Number two is that if you have to collect it, minimize the number of locations in which you keep both hard and electronic copies. Number three is only keep it as long as you absolutely have to. Very few organizations practice this. In fact, most intentionally do the opposite of all three. Why? Number one, organizations have been under the impression historically that data is power. Although it is, it also equals risk. Many organizations are built under the premise that collecting as much information as you can on the consumer [is a good thing]. Additionally, many organizations use Social Security numbers as a unique identifier in the system for consumers whether they need that Social Security number or not. They made that necessary by making it the key that connects their databases. What we say is to not collect it unless you absolutely have to have it. Just because the system needs it doesn't mean you have to have it. The only reason to collect [a Social Security number] is if you need to have it for a business reason, not a system reason. Some companies even use Social Security numbers every two weeks when they issue paychecks. Very few organizations purge data. With the cost of electronic memory today, everyone keeps everything forever. We have seen breaches of data that are 25 or 30 years old. There is absolutely no reason [to keep data that long]. Everyone should have a purge schedule worked out by the legal and compliance departments and stick to it.
Question: Those are a lot of things to think about. Are there any other issues?
Allen: When a breach occurs, the investigation of the incident itself and the validation of exactly who is exposed in the incident falls short in most instances. The companies are making assumptions on how it happened, who it happened to and its effect. In most cases, those assumptions are drastically wrong. It goes to both sides. Sometimes they overestimate who is affected and the costs incurred. In other cases, they underestimate and leave whole groups unaware.
This 3 Questions originally appeared in a report from IT Business Edge.
This was first published in January 2007