A recent Better Business Bureau survey indicated that 9.3 million American adults were victims of identity theft/fraud within the last 12 months, and that annual U.S. fraud costs were at $52.6 billion. Gartner recently reported that almost half of 5,000 internet users it surveyed said that concerns about online attacks had affected their online shopping behavior.
Yet at the same time, we are entering a new computing era where more and more people are logging onto the internet to shop, bank, communicate, collaborate, find a mate, research and more. Businesses that can leverage this trend have a huge opportunity in front of them -- if they can quickly build the infrastructure to capitalize on this new age of participation, and if they can demonstrate that their customers are safe with them.
Public concern about identity theft has also led to government involvement in the issue. As laws are put into place, we're likely to see the same mad scramble to comply that came with legislation surrounding financial reporting. Opportunities for growth may therefore be suppressed not only by consumers shying away from internet-based activities, but by governments issuing mandates that dictate how to protect citizens from identity theft.
It is no wonder that businesses may feel caught between seizing opportunities for growth and putting consumers at risk for identity theft. But in the online world, choosing between opportunity and security is not an option. To succeed today, you have to have both -- you need to be able accelerate business growth without fear. Cultivating the ability to do that elevates security technology from a necessary component of business overhead to an enabler of business growth. Businesses that are confident in the security of their identity infrastructures will bring more online services to market faster, attracting increased consumer participation. By providing a secure experience that consumers trust, companies will achieve strong competitive differentiation.
Businesses must combine low-tech measures (such as shredding paper records) with technology-based protection of sensitive data. For both approaches the first step is asking some common sense questions: Can someone who shouldn't have access to sensitive data get access to it? How? How quickly can you cut off access by people who shouldn't have it -- such as former employees or ex-business partners? What if, despite your efforts, a security breach occurs? Can you pinpoint the location of the breach? Do you have mechanisms in place to quickly limit and, hopefully, control the damage?
The second step should be to make identity management a central component of any security strategy. Identity management enables three processes that are essential to protection against identity theft: granting secure access to customers, partners and others who will be participating online; delivering appropriate access levels based on users' relationships to the company; and continuously monitoring and tracking access for improved auditability and reporting. Identity management makes it easier to manage appropriate levels of access for everyone, ensuring higher levels of security and overall control.
Finally, while it is easy to get caught up in the fear surrounding identity theft, it is important that you give sufficient thought to how to approach the issue and how to make your response effective and cost-efficient for longer term benefits. There is a lesson to be learned here from what happened with Sarbanes-Oxley compliance. Identity theft is on the same track: An issue makes the headlines, legislation is passed and businesses rush to respond, spending far too much and missing way too many opportunities in their haste. Identity theft, while it is still in the stages of making headlines instead of laws, presents a golden opportunity to do things differently.