Despite all the resources and money poured into IT security, financial crime and identity theft remain prolific. This is according to Duncan Waugh, CEO of Document Security Solution Specialists (DSSS), who says people tend to forget how easy it is to source and utilise handwritten and printed matter for the purposes of both general intelligence-gathering and crime.
Waugh says the idea for the security business was born after he was approached by an IT security specialist employed by one of SA's banks to test the integrity of hard copy information. The results of Waugh's document audit penetration was a success, but proved to be devastating for the bank.
"The documentation I recovered and the information that I harvested proved that, while the front door was securely closed and locked behind a massive firewall, the back door was standing wide open. This is how Trash Trackers, now known as DSSS, was born."
DSSS provides a service that completes the security life cycle of data through penetration testing of printed and handwritten documents; a system it refers to as a Document Data Audit.
"We, therefore, assist organisations in the identification of information leaks through 'old school' conventional means, not through technology. With the inevitable promulgation of the Protection of Personal Information (POPI) Act, we will further assist organisations to adequately respond to the new laws and regulations," notes Waugh.
Increasing risk
Waugh says there is an increasing danger of material security risks, as people see no threat to personal or corporate data that can be found in printed matter. He adds that most individuals throw their personal bank statements, credit card statements and utility account statements in the bin, occasionally tearing them up before doing so.
"These same individuals are employed in both clerical and management positions in organisations that process private information in printed form. If they cannot look after their own information, how convinced are you that they will look after information in the control and possession of the organisation they are employed by?"
Waugh says if this is not addressed, the POPI Act will have little or no effect in combating crime. "It is not enough to simply tell management and employees to be careful with printed matter. The effect of their carelessness has to be demonstrated in order for them to fully understand the ramifications of their actions."
There's a trend of careless disposal of printed and handwritten documents in general waste bins, Waugh adds. "The documents we have located include information that is to be protected by the POPI Act, including passwords, intranet codes, intellectual property, stock sheets, salary rolls and stock registers, to name but a few. To my surprise, this includes personal bank statements and credit card statements belonging to senior management."
He says there is also a corresponding belief that locked waste paper boxes in open plan offices prevent the careless disposal of printed matter, and that no-one in any organisation knows for sure what happens to the documents that are actually placed in locked waste paper bins that are collected by independent waste paper companies.
Waugh says that with the influx of illegal immigrants from around Africa, Asia and Eastern Europe, the demand for false South African ID books has increased tenfold. He adds that the supply of false ID books has become a lucrative and competitive industry, with the cost of a false ID book increasing from R500 to R800 during the past 18 years.
"It is little wonder that identity theft and subsequent crimes are becoming more and more prolific. For example, a short-term insurance policy document provides all and every piece of personal information an identity thief needs. With the cover page of a household policy, an identity thief can assume a new identity with relative ease."
Waugh will present at the ITWeb Security Summit, to be held from 7 to 9 May, at the Sandton Convention Centre. He says his main focus will be to educate delegates on the real threat that exists with regard to the protection of personal information handled by organisations, with an emphasis on printed matter.
"We will provide examples of our findings to date and demonstrate just how long the life cycle of printed data can be, much of it unseen."
Share