October 2015, Security from the eyes of a consultant
Wednesday, October 21st 2015 11:30am to 1:00pm
From Rob Zeglen, NYSTEC
Copy of Presentation: CATA 10-21-15 NYSTEC Security From A Consultants View
One of our members asked about identity theft insurance. This is a snippet of some research my team did on the value of Identity Protection Services. It is by no means a recommendation, just some findings and some good free service suggestions.
Before organizations consider purchasing Identity Theft Protection, it is important to understand that identity theft protection services cannot prevent identities from being stolen. The services do, however, detect that something has happened, and the sooner you know this the better. Typically, these services are offered to deal with the theft of identity after it has occurred.
There are steps that members can take to perform all the same functions that an identity protection service will perform. Organizations could consider an outreach program to customers to educate them on the following approaches:
- Credit Monitoring:
- Arguably the most effective step an individual can take is to call the three main credit agencies and place a credit freeze on their credit record to limit the possibility of new cards or loans being taken out in their name. In addition, regularly monitor your credit record throughout the year, using the 15 free credit reports you are entitled to receive each year.
- For existing credit accounts, most financial institutions already monitor activity to detect unathorized activity on their customer accounts. In many cases, financial insitutions will proactively send a new credit card if suspicious activity or a compromise has been detected. To suppliment the bank’s detection, always check your account statements each month for unauthorized transactions.
- Resolution Services:
- In the event and individual’s identity has been compromised, there are plenty of sites and organizations that offer free resouces and guidance to help users through the resolution process.
- Free resources providing help and information on how to deal with Identity theft:
“The National Association of Insurance Commissioners says the typical cost of identity theft insurance ranges from $25 to $60 per year. The insurance may include credit alerts, account and credit monitoring, and reimbursement for the costs associated with repairing your credit history if you become a victim. The insurance does not protect you from identity theft – nothing can really do that – and the policy certainly does not cover monetary losses.”
Proactively purchasing Identity Theft services would likely be quite costly for large numbers of users and would do nothing to prevent a breach. Additionally, such an effort would likely indicate to the media and the member base that an organziation was breached and was reacting.
The money spent on insurance may be better spent on assessing and tightening security where needed; for example, implementing two-factor autentication, doing proactive monitoring, holding vendors responsible for security, or delaying projects to ensure that security is bulit in. For example, it will cost the the federal government $133 Million for credit monitoring services due to the Office of Personnel management (OPM) breach http://krebsonsecurity.com
/2015/09/opm-misspends-133m-on-credit-monitoring The breach occurred due to under investment in upgrading legacy system, as well as with new systems being deployed with inadequate security. http://www.forbes.com/sites/katevinton/2015/06/23/opm-director-blames-federal-breach-on-legacy-systems-in-senate-hearing/.
Security Practice Area Manager at NYSTEC