ZDNet UK

CNET NETWORKS UK BUSINESS SITES:
atlarge.com
BNET UK
silicon.com
SmartPlanet.com
ZDNet.co.uk

ZDNet.co.uk - Winner of Best Business Website 2007

You are here: ZDNet.co.uk > News > Security

Security threats Toolkit

Catching up with a famous fraudster

Tom Espiner ZDNet.co.uk

Published: 01 Nov 2007 12:37 GMT

...access to buildings and computers, but do you trust Visa with your DNA? I wouldn't. Once you lose your DNA you've lost your identity forever. As long as information is stored somewhere there's going to be breaches.

The UK government seems to claim that the National Identity Register won't be breached. Are you in favour of identity cards?
I'm not big on ID cards — you're giving the government information that someone else can access. ID cards make it 100 times easier to steal that information, because it's concentrated in one place.

That the ID Cards scheme was passed into law was not a good idea. Nothing is really secure; if the money is right, you can forge a passport to back fraudulent activities — you can forge ID cards. You can replicate holograms, dyes in paper, and give terrorists access to Britain.

With the ID cards scheme, all it takes is one weak civil servant to be bought off, and one weak link can [compromise the system].

Sentry Posts Blog

Guarding the network

What you need to know — and what you and your peers have to tell us — about security management in our new community group blog

So how concerned should businesses be about their employees?
Businesses should be very concerned about their employees. Most don't do background checks, because an employee started out as a receptionist. But now, guess what? They're an accounts executive, with access to [sensitive] information.

Companies should do background checks before they employ someone, and continue to do background checks, every 90 days.

But wouldn't that infringe on someone's privacy?
Basically the employee would grant permission to do background checks, as a condition of employment. It's a right of the company to do background checks on employees, to make sure information stays within the company. You can't just keep hiring people, because one weak link breaks the chain.

What's your opinion on a data-breach notification law for the UK?
In the US, every time there's a breach, you get a letter. Absolutely I'm in favour of data-breach laws — if someone gets into a company's systems, or there's a breach, by law companies have to send their customers notification within 24 hours. It lets the person take action themselves.

People have a right to know if their information has been breached.