Posted: Wed, December 5, 2007
Richard Hollis: The ITWales Interview
Identity Fraud and IT Security
by Sali Earls
Regular readers of itwales.com will know that IT security is an issue
that we cover often, as we feel it's something businesses of all sizes must be aware of and take positive action to combat. Sali
Earls recently spoke to Richard Hollis, founder and CEO of European information security consulting firm Orthus, on the subjects of identity fraud, ecrime and social networking. The interview was carried
out before the media furore and public outcry surrounding the HM Revenue and Customs loss of disks containing personal details of 25 million child benefit recipients.
Richard Hollis is a seasoned security professional with over 20 years' industry management experience, and extensive hands-on experience in designing comprehensive IT security, business
continuity and disaster recovery programmes for more than one hundred blue chip high tech companies throughout Europe. His career has included time spent as Director of Security for Philips
Communications, Deputy Project Security Director to the US Embassy Moscow Reconstruction Project and numerous sensitive security positions within the US Government. His expertise has been
shared via numerous articles and white papers, and in appearances on BBC, Channel 4 and CNN, as well as appearing in print in Time, SC, InfoSec, Computing and Computer Weekly.
He spoke to Sali Earls at the Welsh Assembly Government's recent e-Business for Wales 07 event in Llandudno.
Do you think the work of eCrime Wales is important to Wales? How do you think it's perceived in the rest of the UK?
I think it's extremely important, and I think it's perceived as a pioneering effort. I come up from London quite a lot and I see the effort and awareness that Welsh businesses have achieved - they are
head and shoulders above what's happening in Ireland, Scotland, and the English regions. When Wales did it, it was crucial - you followed the London e-Crime Congress, and took what you could and
really made people here see that it was an essential and ongoing topic.
How long do you think it's going to take for the message to really filter down to the small businesses? People still seem to be quite sceptical at the moment.
I think you need to clarify the message, and I think you need to tell them what to expect, and explain what the problem is, and more importantly what it isn't. I think the way that the media portrays
security and security issues needs to be addressed and clarified, so that people really understand how it could affect small businesses in Wales.
When you had your identity stolen 3 times in 1 year, it took 18 months to fix the problem. What impact has the experience had on you?
It's very personal for me - I'm a security professional and this hit very close to home. It's like selling alarms and someone breaks into your home - it's embarrassing to me.
It made me look at how I process and store data; what information I give companies online and what I don't; and taught me a valuable lesson. I was assuming that the people I gave my data to were
securing it. I assumed that because I'm an information security professional, and I thought whether it's a bank, or someone processing my credit card, that they are going to give this the highest
attention it deserves, as it's someone's personal details. So when I found out what had happened it really opened my eyes, and it's become a pet peeve of mine ever since.
I think all security should start with you as an individual - you can't expect your company to look after your information at any higher standard than you would look after it yourself. I found my
information on the internet with my credit card details and I was upset and embarrassed. If it happens to guys like me, who are information security professionals, and we're paranoid by nature, just think
about the average guy in the street who doesn't do this for a living and who doesn't think of these things - because I do.
There's so much information in the media about this and other security issues, but the message doesn't seem to be getting through. What do you think it will take for people to realise they are at risk?
They have to be hit. It's sad but it's true in my experience. I'm out there using my credit card all the time, and if someone else started to use it, I'd pay attention to credit card security. Everyone assumes
that their bank or credit card provider will take care of everything, but unfortunately security incidents make converts and those are the hardest lessons to learn.
I remember talking to a guy that sold firewalls - he sold security devices for a living - and one day I had lunch with him, and he's from a very large, very well known manufacturer of firewalls, and he
told me he was furious as someone had gained access to his laptop and taken images from his holiday of him and his wife. He did this for a living - but he didn't have a firewall on his personal laptop
because it only contained personal information, and he didn't think anyone would see it as having any value. Now he's extremely spooked - as I am - about identity fraud, and concerned about the
personal information he had on there, be it passwords or pictures of his family, that he doesn't like the idea of someone else looking at, and rightly so.
Until it happens to you on a personal level, I don't think you can really understand the situation.
So much information is gathered by companies, from postcodes and house numbers when you buy electrical appliances, to your shopping habits and loyalty card details, to passport details on
flights. Do you think it's necessary? Should legislation be put into place to protect consumers and businesses from these practices?
No I don't think it's necessary - I think we live in a culture today that collects data for data's sake. Having the information from someone's date of birth to their favourite colour to their blood type, when all
they're doing is buying a book from you, isn't necessary. They don't need to know these things, but we give it to them readily, and we're partly to blame because we don't question why they need it.
I can understand if your plane crashes, the emergency services would need your blood type, but it's not needed otherwise, so what assurances do I have that my blood type is not sitting in some airline database?
My point is, until we start complaining, until we start asking why they need the data, until we start withholding the data because we question its worth to the transaction, they'll just take it because
people make businesses, and make money from your information.
Identity information is big business to businesses that hold marketing databases about favourite colour and blood type and dress size, and this is all money to them and they sell this information to other
businesses, so our personal data is extremely valuable to others. Until we question it and stop providing it, they will keep collecting it. Everyone's a sucker for these things, because we trust people - if I
ask you your favourite colour you'll tell me, but you won't think I'll put it in a database and sell it to someone else that's trying to sell you new shoes in exactly that colour. It's money, it's marketing and it's
commerce, and until we wake up as consumers and say "No" they are going to continue to sell it, and you can't blame them, because we don't question it.
Next time you're asked to fill out your cat's favourite food, tell them it's pasta, so they get that instead of the actual brand, because bad data is the worst thing to these companies that collect data,
and these days is the only way to fight back. They get away with it currently because we let them.
What do you think about the uptake of social networking sites like MySpace and Facebook? I'm certainly surprised by the amount of information people are willing to freely share with open
profiles. What are the risks?
It's all part of the culture. We all like to think that we're important, and we are because our Facebook entry says we are. This is what we did for Christmas last year, this is where we went on holiday, this
is the name of our cat, and this is his favourite food, and this makes us feel good about our lives.
It's tapping into the natural psyche of people wanting to express themselves and feel important. So there are these social networking sites that allow people to talk about themselves, but they don't
understand that the information could be used for a variety of purposes, not only marketing, but also fraud. They have no idea, and they just don't see it - it's done in innocence.
It seems second nature to younger people to share information in this way, and to accept everyone as their "friend".
I think it's tied to our celebrity obsession - people want to be famous. So if you can go to a website and see a picture of yourself, and your favourite colour and your cat's name, and think "Wow, people
in China are looking at this and think my cat's just the cutest thing". It's natural and Facebook taps into that.
We're all celebrities on Facebook - that's what they're selling - it's the ability for you or I to express ourselves and give personal information about ourselves to the world.
It's now searchable on Google, so all these people with open profiles can be found without the need for a Facebook membership.
Information is big business today and if you willingly put your personal data out there for people to see, I guess you get what's coming to you, unfortunately.
When you next use Google, keep your browser enabled to see how many cookies they put in - every time you use Google it tracks where you go, where you came from, what you typed in, even what
you moused over, and Google keeps all of that for marketing purposes. If you know what you're doing, you have the option to disallow that, but until you stop them they will take it.
A couple of years ago, I asked you whether the greatest threat to business was from internal or external sources. At the time you said that while it was perceived to be external, 7 out of 10
people in jail for cybercrime are employees of the company that's prosecuting them. What would be your answer today?
My answer today is the same as it was before, and the same as it would have been five years ago - I've been in this business for 30 years and it was the same in my first year of business.
The people that have authorised access are the biggest abusers of it, and it is the most overlooked area - again it's a cultural thing, people don't want to look at the guy at the next desk and suspect
them of taking the sales database, or whatever - but it's a sad fact and continues to be true.
I think if anything it's starting to be a more accepted fact - you're seeing people starting to talk more about the insider threat, and data leakage, which infers that someone is on the inside leaking the
data. It's starting to be a more accepted fact because companies are installing firewalls and other devices to keep all the bad guys out - to keep people off your lawn, you put up fences - but they are still
finding things going missing, and have to realise that the only people here were the employees. While the statistics have gone down - it's now like 6 out of 10 - that's because law enforcement has gone
up, and they arrest high profile people because the techniques for tracking them have improved.
The probability is that the threat is from within and it always will be, until we start to design programmes that treat all people the same, and are independent of whether you work for the company or not,
and look at how you interact with the information.
What is the future of security in this area?
All of this is going to come crashing together in terms of privacy - I see very clearly that in ten years people like me will not be known as information security professionals, we will be privacy
professionals.
A company's privacy will be the same as an individual's privacy - the data associated with you as an individual will become one with the data of the company, and the company will have to comply
with ever more legislation. We're already seeing businesses having to take more responsibility for the safe processing of personal data, and I think companies will start to change the way they look at
themselves and see the business in terms of what's private about the business and what's not; what's the public facing part of our business that we want everyone to know about, but what's the private
side of our business.
So I think we're going to see the world in terms of privacy, but until we're prepared to take care of our own data, we can't expect our companies to do it. You can't accuse your credit card of losing
your details, if you throw your bill out with your rubbish. The two areas will converge and it will all be about privacy - personal medical records, personal financial records, and the personal records
businesses hold on you, but also a business's records.
Useful links:
Orthus: www.orthus.com
e-Crime Wales: www.ecrimewales.com