Security policy heart of ID protection

Gartner has called for an increased focus on organisational security policies following a spate of ID theft cases.

Currently holding a IT Security Summit in Sydney, the research company has argued that recent ID theft incidents in NSW proved passwords could no longer protect online consumers.

“These are no longer sufficient for online financial applications,” Gartner president Avivah Litan, said. “Organisations must evaluate a variety of methods to determine which provides adequate authentication and best suits customer and service offerings.”

Litan said an investigation into a NSW-based identity theft syndicate proved that employee screening, as well as data access management policies also needed to be reviewed by organisations.

The syndicate had allegedly used ‘corrupt officers of financial institutions’ to access customer information and internal bank systems, she said.

“Looking only at transaction activity in one account accessed through one channel at one institution typically does not provide enough information to detect many kinds of fraudulent transactions,” Litan said.

While security managers were facing budget challenges to protect customer and business-sensitive information, data protection was much less costly than responding to data breaches, she said.

"A company with at least 100,000 accounts to protect can spend, in the first year, as little as $8 per customer account for just data encryption, or as much as 20 per customer account for data encryption, host-based intrusion prevention and strong security audits combined," Litan said.

This compared with an expenditure of $120 per customer account when data is compromised or exposed during a breach.