Thursday, June 23, 2005

Security as competitive advantage

Interesting snippet from a roundup of the recent spate of identity theft debacles (i.e., CardSystems, Bank of America, Lexis-Nexis, Harvard, ChoicePoint, Cal-Berkeley... *yawn*... *hrnggh*... sorry, dozed off there):

...A May 2005 survey of 8,200 consumers conducted by Lightspeed Research showed that over 80 percent of respondents felt threatened by online identity theft and online fraud.

The survey also indicated that 80 percent of respondents would have more trust in their account provider -- and greater confidence in transacting online -- if their provider offered a hardware-based strong authentication solution.

In addition, 44.5 percent of those surveyed said they would be more likely to switch account providers if a competitor offered hardware-based two-factor authenticators...

I'll take the latter two assertions with a grain of salt. I'd be shocked if 40% of respondents could even define "strong authentication" or "two-factor". But I believe the first contention: people feel increasingly threatened by the tide of cyber-crime washing over the Internet.

So what happens next? Yep, you guessed it! Prepare yourself for a spanking new marketing blitz by companies hoping to pitch identity tracking solutions for consumers. Coffee mugs... tee shirts... USB key fobs... towels (oops, just ignore that Holiday Inn towel I'm drying off with)...

...Take the new product launched by credit information management company Intersections. Called Privacy Protect, the service will keep tabs on credit information as well as public information like DMV, criminal, and mortgage and real estate records. In addition to tracking a person's credit information, such as who makes queries against it, it tracks how other unique information, which can be used for fraudulent activities, is accessed...

Opportunistic, eh? The offering appears to be, in essence, a credit data aggregator with timely alerts.

...For a subscription fee, the service will aggregate and track not only a person's credit information but other unique forms of information that can be used for fraudulent activities... If new applications are made in the customer's name, or address changes at banks, the service alerts go out, for example. In essence, the service monitors publicly-available information that many companies use today to run background checks on prospective employees or customers. After all, if businesses can access your data, then why can't you track how they track it? ...

Seems like a reasonable idea. Especially if the following Gartner estimate has any validity at all:

...According to Gartner, 9.4 million online U.S. adults were victimized by identity theft between April 2003 and April 2004. The losses amounted to $11.7 billion...

Wow. ID theft is as common as halitosis at a garlic growers' convention.

So, where's the business opportunity? It's a quality and differentiation issue, in my opinion.

Companies that can demonstrate compliance with standards will likely have a competitive advantage. If your firm handles credit cards and meets PCI, why not emblazon that fact on your marketing material?

Slap the PCI-certified logo on your web site and stationery. Actually, I really don't know if there is a "PCI-certified" logo. But if there isn't, there should be. While PCI is certainly no panacea (as Bruce Schneier has already pointed out), I'll bet CardSystems wishes they'd implemented it 100%.

...The standard, called the Payment Card Industry Data Security Standard, or PCI, consists of 12 requirements (PDF), such as installing a firewall and anti-virus software and regularly updating virus definitions. It also requires companies to encrypt data, to restrict data access to people who need it and to assign a unique identifying number to people with access rights in order to monitor who views and downloads data...

PCI is a good start if only because firms can use it to their competitive advantage. You can bet the major merchants and the credit-card companies will be asking the PCI question of their processors.

The next step? Any firm that handles or accepts sensitive consumer data should voluntarily adopt the principles of PCI on its own. And, hopefully, new and more comprehensive standards will be in place as part of a regulatory framework designed to force companies to better protect identity data.

InternetNews: Fronting a Fix on Data Breaches
