RETURN ON TECHNOLOGY: Have businesses given in to security anxiety?

According to the mainstream media, no sooner is your precious data placed on a hard drive than it’s promptly vacuumed off through a hacker’s hole and inserted into some miscreant’s illicit schemes for world domination.

I admit I’ve advocated for computer security for years, but that was because most companies’ idea of security is to hide the backup CDs in the coffee creamer box. I never meant to contribute to the panic that seems to have gripped the American population about data theft. Believe me, it’s not as bad as it’s been portrayed.

An example of what I’m talking about is from the Dec. 28 edition of USA Today (www.usatoday.com), where writer Jon Swartz says that 2005 was the worst year ever for computer security. Data found its way out of Ford Motor Co., Amro Mortgage Group, Marriott International and Sam’s Club in just one month. I suppose the implication is that if those big boys can be penetrated, the rest of us are just meat on a stick.

But if you read down the article, avoiding the worst of the security expert quotes, the picture gets a little clearer. Marriott lost its data on a vanished backup tape, which may or may not have been stolen. Amro lost its data the same way, with a tape making an apparent getaway. That tape was found, but you’d never know it from the article’s lead paragraph. And the reference to Sam’s Club boils down to the speculation that only 600 credit-card users might have been defrauded.

Another example is from The New York Times (www.nytimes.com) of May 30, in which we supposedly learn that identity thieves are far outstripping the cops in ability, that one in 30 Americans has had his identity stolen, and that security breaches cost the United States some $48 billion in 2005. But these stratospheric numbers are based on a government report from 2003 that itself has numbers concocted out of vapor.

The Federal Trade Commission did a survey asking if anybody had used the respondent’s personal information to transact unauthorized business in his name. That would include things like children misusing credit cards or thieves tanking up on gas before a lost card is canceled. The final estimate was 4.6 percent of Americans having experienced some such “identity theft.” In fact, it would appear from the survey that about half of identity theft is actually perpetrated by somebody the victim knows. And the $48 billion? The report calculated that figure based on respondents’ estimates, which may have been staggeringly high. See the Sept. 1, 2005, issue for an article on this subject by Pat Regnier (money.cnn.com).

The fact is that nobody really knows how much computer security breaching there actually is. Backup tapes get lost. Computers are stolen. Are these “security breaches”? It depends on who’s writing the definitions. If you toss in any kind of data loss, then the USB thumb drive I once lost counts as a security breach. When data unaccountably vanishes, it’s often put down to “hacking.” And security experts often gloomily add a “fudge factor” to the figures to make up for all those supposedly undiscovered violations out there.

Both computer-security firms and credit-card companies love the hype, because both thrive on selling different forms of identity-theft insurance. Just about every credit card issuer, including American Express, MBNA, Discover and Chase, has some kind of theft insurance. Yet with only one chance in 30 of having any kind of identity theft, and then most likely from somebody you wouldn’t want to get into trouble, the issuers know they won’t be paying off in large amounts.

I actually hesitated to write this column, for fear that the general response would be still more slackening of security. But hyping the business community into a lather is unethical, and it’s time to restore some balance. Just as we have made every bodily ache, pain and bit of fatigue into some kind of windfall for the pharmaceutical industry, too many of us have succumbed to security anxiety and the purveyors of products to keep the prowling thieves from our cyberspaces.

The fact is that if you take some elementary precautions and don’t leave data lying around where it can be stolen, you’re 99-percent covered. Make sure you change default passwords. Encrypt really sensitive information. Don’t give out passwords or other security keys over the phone. Lock down your wireless. Keep track of backups. They’re simple, but they’re the things that people forget, and that lead to data loss.