Top 5 Data Security fallacies from the Financial Services Authority
The FSA Data Security study has revealed common misconceptions among many firms about the risk of data loss and identity fraud:
1. The management of some firms believed the customer data they held was too limited or too piecemeal to be of value to fraudsters. This is misconceived: skilled fraudsters can supplement a small core of data by accessing several different public sources – telephone directories, the electoral roll and other public records, many of which are available on the internet. They also use impersonation, for instance during phone calls or in emails, to encourage the victim to reveal more. Ultimately, they build up enough information to pose as their victim and obtain credit and other advantages in the victim’s name. In this way, a firm’s customer data might complete a set of data extensive enough to commit fraud.
2. There is a perception that only individuals with a high net worth are attractive targets for identity fraudsters. In fact, people of all ages, in all occupations and in all income groups are vulnerable if their data is lost. Recent data published by CIFAS shows the top ten postal districts affected by identity fraud are not all in affluent areas.
3. A third fallacy is that only large firms with millions of customers are likely to be targeted. Even a small firm’s customer database might be sold and re-sold for a substantial sum.
4. Firms often assume the threat to data security is external – from burglars or computer hackers, for example. However, insiders have more opportunity to steal customer data, and there are many examples of staff stealing customer data either to commit fraud themselves or to pass it on to organised criminals.
5. Finally, some firms believe that they are impervious to data breaches because no customer has ever alerted them to identity fraud. The truth may be closer to the opposite: firms which successfully detect data loss do so because they have effective risk management systems. Firms with weak controls or monitoring are likely to be oblivious to any loss. Furthermore, when fraud does occur, the source of data loss is often impossible to trace. Data is held in so many places: by government, retailers, employers and many others besides financial services firms. A victim of identity fraud rarely has the means to identify where their data was lost.
In conclusion, the size or complexity of an organisation makes little difference to the lack of appreciation or understanding of the nature and extent of the risks facing your FSA-registered business. In short, an open and honest (preferably independent) review of your data security risks may be the single best investment your organisation ever makes.