How to take the offense on identity theft

Computerworld - Catch Me If You Can isn't just a recent hit at the movies. It's also the apparent cry of a growing band of street criminals and their hacker allies who trade in consumer credit card information, Social Security numbers and other internal company data that washes across millions of Web sites every day with increasing velocity.

It's ironic that as most other types of crime are declining, identity theft is booming. The number of ID theft cases doubled to roughly 162,000 cases last year, making it the leading form of consumer fraud, according to the Federal Trade Commission. The FTC reports that as many as 700,000 consumers may be victims of identity theft this year, costing each person an average of $1,000.

Although the search for causes and cures is endless, several key facts stand out. First, more consumer and business data is online to meet the requirements of on-demand business, and for good reason -- organizations of every size and description are automating the way they do business to cut costs, speed service and reach customers, suppliers and partners more easily.

Second, despite the costs of fighting identity theft, the Web is still the best friend that businesses and consumers ever had. We're not going to scrap the Internet because of identity theft. But we do need to get much more serious about managing identity theft.

	Jeff Drake is director of security strategy for Tivoli Software. He was a founding officer of identity management firm Access360, which was acquired by IBM in 2002. He is is co-author Security Provisioning: Managing Access in the Extended Enterprise (Information Systems Audit and Control Foundation, 2003).

It's not hard to figure out why. Ask yourself who is more likely to be successful -- a full-time malicious hacker searching for a security hole in a company's systems, applications and data, or a developer with a thousand other things to do besides plugging every conceivable security hole?

It's not that we don't have the security tools and smarts to manage the problem. The real issue is that most IT organizations are stretched too thin to devote the resources to keeping up with the thieves, let alone get ahead of them by designing systems that are so sophisticated the thieves can't get in.

Organizations spend too much time reacting to security breaches, rather than preventing them. The most effective deterrent to identity theft is making an organization's IT architecture so airtight that thieves decide it's not worth the trouble.