By Bob Brown
When it comes to putting data and identity thieves in their place,
Peter Costa says there's no room for being Mr. Nice Guy.
"Have a public hanging - they have to know you'll go after them," says
Costa, who heads up enterprise security at GE Consumer Finance -
Americas. Companies need to be "fanatical about prosecution," he says.
Costa outlined his views (which he stressed are not all necessarily
those of GE as well) for dealing with data and identity theft during a
presentation at last week's CIO Forum (more from the conference ).
The unique annual conference brings together IT suppliers and
potential buyers on a cruise ship sailing out of New York City.
GE will actually call the parole board when a thief's hearing is
coming up to discourage the person's release, Costa says. Before
prosecution, GE will wrap up a case as tightly as it can to ensure
that law enforcement takes identity and data theft seriously. "You've
got to make it easy, you've got to make a point," he says.
Costa maintains that there hasn't been an explosion of data theft of
late, but rather, we're just hearing about it now as a result of laws
that require companies to fess up when their data systems have been
breached. Nevertheless, data and identify theft are huge problems that
companies need to address by assessing risks and reducing them, he
The first thing companies need to recognize, Costa says, is that theft
or loss takes place in two primary ways: via intentional schemes, such
as phishing or even dumpster diving, and unintentional means, such as
a tape falling off a truck or a laptop being left behind at an
airport. Data is at high risk in the former example, while it is at
low risk of being comprised in the latter, he says.
"You have to have two different strategies to attack these two types
of problems," Costa says.
Assessing the risk
For starters, companies should figure out which information they hold
is most important to them. Examples might be an employee's Social
Security number, direct deposit account numbers and passwords.
Information relating to partners and customers also needs to be
"Now comes the hard part. You have to say: Where does it exist?" Costa
says. "You'll be amazed when you start peeling the onion back=85 You
need to understand where the physical borders are, where the
electronic borders are and where all that data is going back and
The next step is looking at high-level risks, which Costa lists as
forced entries, such as hacking; interception of transmissions,
including "snail mail" and faxes; and the insider threat. On the
insider threat, he suggests companies should take a very hard look at
their human resources groups, where low-level people can have access
to lots of sensitive employee data.
"We're far too trusting of insiders," Costa says.
Companies also need to examine how they think people might steal data.
Underestimated are techniques such as people just walking into
supposedly secure areas of a building on the tails of others, Costa
says. Companies tend to spend more energy protecting themselves
against new or sensational risks (He relates this to people fearing
sharks more than pigs even though the farm animals kill more people
yearly. "There's no 'Jaws' about pigs. There's no 'Snout.'")
Process management tools can help companies get organized in
addressing much of this, but companies also need to bring in a wide
cross-section of people, from IT to HR to business process owners,
Reducing the risk
The most important step is getting rid of sensitive data that you
don't need at your company. "I'm shocked and amazed at how many
organizations still use Social Security numbers for employee numbers,"
Costa says. "It means you're putting your Social Security number
Companies should also consolidate high-risk vendors, such as marketing
or mail firms and institute a layered but uncomplicated security
system that includes access controls through identity management,
Costa says. Encryption is key, too.
"Encryption is important here not [just] because it lets you protect
the data, but [also because] it allows you to say, 'We lost the backup
tape but it's encrypted so there's no damage' - even though some
states will still require you to make an announcement about it," he
The best thing to come out of all the attention brought to this issue
of late is that companies are addressing problems more quickly, which
greatly lessens the threat of damage, Costa says.
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.