Despite the hype around hacking into corporate networks for financial gain - whose spectacular nature means it gets a lot of media attention - identity theft could be something as simple as rooting around in the garbage at the back of a supermarket for credit card receipts, according to Trujilio. He heads a global company who has made a business out of making sure critical information is destroyed before it is thrown into the garbage.
In fact, the traditional forms of identity theft, such as dumpster diving, are still the most widely used. The real boon to identity thieves is the ease with which the stolen information can be used, Trujilio told ZDNet Australia .
"The Internet is a wonderful resource, but it makes it easier to share information for good or bad," said Trujilio. "Whereas before if you stole information you might not have been able to use it, now you can."
"You used to have to present the cards physically, now it can be done online. It's much easier to use the information and companies are now beginning to catch up."
Trujilio thinks there are three reasons companies are beginning to take security seriously. First, laws are finally beginning to catch up with the opportunities for malfeasance.
"It hasn't received a lot of attention from authorities," said Trujilio. "Until recently in many jurisdictions it wasn't a crime." Even if you knew a person had your details and the ability to steal your identity, they couldn't be charged with anything until they actually used that data. "That movement of information was never really treated as a crime."
South Australia recently announced they would draft legislation to close this loophole.
The second reason is the potential loss to the economy and individuals. The Australian Computer Crime and Security Survey showed 67 percent of Australian organisations have been attacked, and estimated the financial cost at more than AU$2 million per year.
"I would say that figure's off by several orders of magnitude," said Trujilio. "The compounding effect is incredible". The compounding effect comes from each theft costing companies, individuals and law enforcement agencies money, according to Trujilio.
The third factor increasing the focus of business on this issue is the fact they have a moral obligation to manage identity information they receive from customers in a proper way, according to Trujilio. More than that, it makes good business sense for customers to be reassured as to the security of the information they provide.
It's not just documents that companies need to keep track of - things such as uniforms and ID cards have been used in the past to gain access to restricted areas. "An airline pilots uniform in the wrong hands can be quite devastating to the security of an airport," said Trujilio, adding police and ambulance uniforms were also useful for illicit penetration.
He cites an example of an airline that donated old pilot uniforms to a clothes-for-the-homeless charity, in the interests of being a good corporate citizen. However, one day a magazine in the city of their headquarters ran a picture of a homeless man in full pilot's uniform with the caption: How secure is this airline? The company now shreds its old uniforms.
Protection Steps
There are steps the company can take to protect its information from falling into the wrong hands, according to Trujilio. "First take an inventory of where the information is, what documents are being produced that contain information about the company," he said. "Effectively, an audit trail of documents in the company."
Then ask the questions: Do the documents have to be stored, or can they be destroyed? Who should have access to those documents throughout their life?
It is best to minimise the number of people who see the information, and to hire people with integrity.
"Build a defined program that describes the steps that will be taken, and then test it on a regular basis," said Trujilio. He recommends testing the system on a regular basis by trying to break into it.
If information is stolen, companies have an obligation to immediately contact those individuals that might be affected and put them on notice. They should then find out how the information was stolen and implement policies to prevent it happening again.
It is also important to co-operate with investigators that may be trying to capture the individuals that committed the crimes.
"The world is a lot riskier than it was several years ago, in every dimension," said Trujilio.
