As a former police officer, it was driven into me during my formative years as an investigator that every facet of every case had to be prepared with the utmost diligence.
Any vulnerabilities in your case, or any legal loopholes, would undoubtedly be exploited by the defense at a later date.
Risk management has many similarities and arguably none more so than in the area of information security. You can almost guarantee that if there are weaknesses in your information security framework, an attempt will be made at some stage to exploit that vulnerability.
Reflecting this, the need for organizations, and particularly financial services organizations, to secure their systems and networks is robustly regulated. The security of customer data is a key driver and regulatory and legislative requirements, for example the operational risk responsibilities of company directors under Basel II and the Data Protection Act, help enforce good governance.
However, there is one significant area where the majority of organizations I work with could undoubtedly raise their game.
In the U.K., the use of call centers, either in-house or outsourced, is rapidly increasing. It's a growth industry and it is estimated that 1.7 percent of the U.K. working population are currently employed in call centers. Organizations have been quick to recognize the undoubted benefits of deploying call centers. These benefits include significantly reduced overheads and high levels of call processing rates. It is also fair to say that from my experience, call centers are not typically designed for security, as their primary business focus tends to lie elsewhere.
However, another rapidly growing phenomenon is exposing organizations to an all too often unconsidered risk – identity theft. Identity theft has its origins in the security of customer data and is now recognized by those with criminal intentions as an easy way to perpetrate a broad variety of offences. Examples of the end product of identity theft include fraud, hacking, industrial espionage, terrorism, money laundering and illegal immigration.
In the U.K., identity theft is rapidly increasing as figures from CIFAS (www.cifas.org.uk) demonstrate:
Number of incidents reported to CIFAS (Credit Industry Fraud Avoidance System)
CIFAS Category 1 – False Identity
Jan to Mar 2002: 10,057
Jan to Mar 2003: 16,303
% Change: 62.11
CIFAS Category 2 – Victim of Impersonation
Jan to Mar 2002: 8,190
Jan to Mar 2003: 11,902
% Change: 45.32
It really needs to be recognized that the customer data to which the call center operator has access is an extremely valuable commodity to the criminal and to the identity thief in particular. Already in the U.K., there is strong evidence of organized criminality proactively targeting call centers with the intention of harvesting customer data. A couple of months ago a call center worker in Scotland was convicted of passing the account details, including the PIN number, of a high net-worth individual to criminals. He had been promised £70,000 for this information but received four and a half years in prison instead. Last year, a Cabinet Office report estimated the cost in the U.K. of identity theft to be £1.3bn per annum – and all this for a crime that is in its infancy.
In the U.S., identity theft is a mature crime with significant visibility in the eyes of the public. With specific legislation to combat it, identity theft is fully defined in U.S. law. In the U.K., however, the populist press are only just beginning to publicize the issue and it must still be considered a relatively immature crime. On the other hand, information security experts have long recognized that the security of data and information assets is paramount, so it comes as some surprise to realize just how vulnerable the average call center function is.
The exposure that call centers face is going to get worse before it gets better. With chip and PIN set to reduce the options available to those involved in credit card crime, it is likely that identity theft and database compromise will become the path of least resistance for the criminal. In addition, there is a flourishing trade in identity documents for those organized criminal syndicates involved with human traffickers, economic migrants and bogus asylum seekers, and these channels of illegal immigration look set to drive the identity theft crime rate figures higher still. (It is estimated that a stolen passport together with supporting identity details can have a street value of up to £5000.)
As a police officer, I learned my lessons the hard way and as a result always sought to eliminate weaknesses in my caseload at an early stage of an investigation. Organizations need to have the same approach to risk management and the information security mantra of confidentiality, integrity and availability of information assets should be applied universally across an organization. In a perfect world there should be no weak links. This is especially so in call centers and the risks really should be recognized and addressed before the levels of identity theft here in the U.K. get worse.
Neal Ysart, a former Metropolitan Police officer, is an IT security and high technology crime specialist and works within the IT security practice of PricewaterhouseCoopers. He can be contacted at [email protected].