Alan Calder on IT Governance, information security & ISO 27001

The UK Government’s Information Commissioner has now joined the call for people to be wary of identity fraudsters when using social networking sites. In a press release issued today (’4.5 million young Brits’ futures could be compromised by their electronic footprint’), the Office of the Commissioner calls for young people to follow its six top tips for being safer online.

Of course, this applies to adults as well as children. Identify theft – the fastest growing area of e-crime – and social networking sites are a honey pot of relevant and useful information to support identity theft. Companies have a responsibility to ensure that their IT resources are used safely and legally; I’m fascinated that some managements might encourage their staff to get involved in social networking sites, with all their attendant risks. (For example, Reuters’ CEO Tom Glocer records his enthusiasm for social networking on his own blog.) They’ve obviously not heard of ISO27001 – they could do with some exposure to proper information security management!

The Security View blog is running a poll on how companies are treating access to social networking sites – it will be interesting to see what the feedback is.

On the face of it, I find the call by British MPs for the appointment of an Identity Fraud Tsar a very good thing. Under the proposals of the All Party Group on Identity Fraud this new role would provide a point of coordination between the Government, police and private sector. Given the pervasiveness of this type of crime it is good to see our legislators being – comparatively – on the ball. I am also glad to see them highlighting, as I have done previously, the great potential risk that people put themselves in by divulging all sorts of personal details on social networking sites like Facebook and MySpace (surely a candy store for any online fraudster).

This report follows the recent recommendations by the House of Lords Science & Technology Select Committee, which called for various overdue measures to tackle the broader issue of e-crime. As I noted previously, this was a well considered work that has made many positive contributions. Again, therefore, plaudits to our parliamentarians for recognising the importance of these issues.

However, the job of ID Fraud Tsar or any other measure to tackle e-crime is of little value if it is poorly resourced. The Home Office says it has “done much” to combat identity fraud, including tougher criminal penalties, better co-ordination in prosecuting fraudsters, more powers to share data about frauds and public awareness campaigns. However, this story from ComputerWeekly today suggests the good work of the Lords and Commons is falling on deaf ears at HM Treasury, which hold the all-important purse strings. In its latest Comprehensive Spending Review the government has promised to throw £11 million – not much, frankly – at three fraud-fighting bodies, but has made no apparent provision to do anything about e-crime.

Let us hope, therefore, that amid the many millions generously directed into health and other public services, some may be found for this vital area. If not, any newly appointed Tsar will end up a figurehead unable to do very much at all.

It’s amazing how social trends can often make people do the most stupid things. Sales of paper shredders have gone through the roof of late because the public has woken up to the identity theft risks of making personal data available to strangers. So far so good – an entirely intelligent response. So what makes often the very same people put all of their personal data online instead through social networking sites like Facebook?! As this article rightly points out, this is an open invitation to phishing scams that can become far more targeted and convincing to the individual. I have no doubt that news stories of the first Facebook scam victims will be just around the corner.

If you are going to use sites like this the important thing is to be very circumspect about what you reveal about yourself. You should share the bare minimum at all times. Of course, the really smart move is not to get involved in the first place (which sounds like a killjoy’s view right up until someone empties your bank account for you).