Information security is not just an IT issue
When secret agents mislaid two laptop computers last month, it was
only a rigorous security policy and strong encryption technology
that allowed intelligence chiefs to reassure the public that
national security data was safe.
But next week's DTI survey on information security in UK
business will show that most organisations would have been taken to
the cleaners. Only one in seven companies have an info-security
policy, and just 8% use encryption.
The info-security threat is growing. Businesses that trade
online are virtually certain to suffer a security breach, the
report suggests. Yet, outside the financial and defence-related
industries, there is a naive approach to security - especially
among small- and medium-sized enterprises.
From the IT security experts to the e-minister, the message is
the same: information security is about management practice, not
technology. It is an issue for the whole business, not just the IT
department. And it must be backed up with a pro-active corporate
security policy.
But there is scepticism - why not just invest in a good
insurance policy instead of lining the pockets of the IT security
consultants?
The answer is simple, as the MI5 laptop incident shows: you can
put a value on a stolen laptop, but the information on it could
sink your business. You can never insure for that.
All this reflects a wider problem. One-third of organisations do
not see information as a business asset. Firms are rushing into
e-commerce, spending huge amounts on content, but giving little
attention and scant resources to protection.
So what can be done? IT professionals have a key role - not just
in providing the technical solutions but in educating the business,
and enforcing a whole-business approach to security.
As lines of business gain greater autonomy within organisations,
the need for a coherent approach is yet another argument for IT
representation on the board.
While the headline news is that info-security is not just IT
security, at the end of the day, IT will get it in the neck when
things go wrong.