The recent spate of identity theft cases in New South Wales highlights the need for Australian enterprises to invest in and implement stringent security measures – not just in infrastructure, but also in employment practices, according to research and advisory firm Gartner.
Speaking at the company’s IT Security Summit in Sydney recently, Avivah Litan, vice president and distinguished analyst at Gartner, said that banks and other consumer-facing organisations must move beyond simple passwords for online consumer authentication. “These are no longer sufficient for online financial applications. Organisations must evaluate a variety of methods to determine which provides adequate authentication and best suits customer and service offerings.”
A NSW-based identity theft syndicate currently under investigation allegedly used ‘corrupt officers of financial institutions’ to access customer information and internal bank systems. Commenting on this at the Gartner IT Security Summit, Ms Litan said that as part of an overall security policy, companies should engage in sound practices for employee screening, as well as data access management, to prevent employees from selling sensitive customer data to identity thieves.
Ms Litan suggested implementing multi-channel detection systems to combat crimes such as the recent NSW case. She suggested looking across industries, institutions, accounts and channels to establish and detect fraudulent behaviour patterns. “Looking only at transaction activity in one account accessed through one channel at one institution typically does not provide enough information to detect many kinds of fraudulent transactions,” Ms Litan said.
While security managers are attempting to implement more stringent security measures around sensitive information, the cost of such protection can cause ‘price tag shock’ for many organisations. Security managers are facing budget challenges in protecting customer and business-sensitive information. Gartner analysts pointed out that data protection is much less costly than responding to data breaches.
"A company with at least 100,000 accounts to protect can spend, in the first year, as little as AUD$8 per customer account for just data encryption, or as much as AUD$20 per customer account for data encryption, host-based intrusion prevention and strong security audits combined," Ms Litan said. "This compares with an expenditure of at least AUD$120 per customer account when data is compromised or exposed during a breach."
According to Gartner, there are several data protection options for consideration. Encrypting stored data can provide the most robust data protection, but if that is unfeasible due to cost and complexity, organisations should deploy comprehensive host-based intrusion prevention systems (HIPS). However, successful deployment of HIPS requires strong server configuration control and additional administrative cost and complexity. Another option is strong security audits to validate the organisation’s deployment of satisfactory mitigating controls, reducing the need for data encryption or HIPS. "None of these options are mutually exclusive, but implementing all three will still be less expensive than having to respond to a large-scale data breach," Ms Litan said.
www.gartner.com/ap/itsecurity

• Date: 21st July 2006 • Region: Australia • Type: Article • Topic: ISM