New survey shows serious lack of information security among
majority of firms. Paul Mason reports
Next week Patricia Hewitt, the e-minister, will outline the
results of the Information Security Breaches Survey 2000. The
results make depressing reading.
More than 60% of organisations claim to have suffered an
information security breach in the last two years. An estimated
320,000 organisations suffered a "serious" breach. But only 14% of
firms have a coherent security policy. And just 6% of the security
managers contacted could name British Standard 7799 (BS 7799), the
Department of Trade and Industry's benchmark for information
security best practice.
The survey reveals that many UK firms have yet to face up to the
security challenges of the Internet. While passwords and anti-virus
protection are widely used, only 46% of firms with external e-mail
use e-mail scanning software.
Many firms are fatalistic about information security. Of the
firms that had experienced a serious security incident, the
majority thought there was nothing they could have done to stop it,
and had no contingency plan.
But security policies are effective, the report reveals.
According to the survey:
- 78% of those with a policy had also carried out a risk
assessment, compared with a UK average of 37%
- 76% of those with a policy had undertaken third-party testing
of their systems, compared with a UK average of 14%
- 80% of the organisations that had contingency plans said these
were effective in coping with serious security breaches.
Michele Mooney, head of BT's TrustWise digital certificate
service, said, "One of the frightening things revealed in the
report is how security is viewed as a technology rather than a
business issue. There is a lack of understanding of how valuable
information is to business. That is staggering."
Large organisations are likely to have strong security in place,
backed by policy, while SMEs often rely on very basic technology,
poorly integrated across the business.
Only 11% of firms have procedures in place to log information
security incidents. However, among firms with more than 500
employees, 72% have such procedures.
Steve Gailey, managing director of security consultants Buchanan
Brown, said, "The truth is most SMEs have got no idea that
information security exists as a concept. The ones that do
understand usually have no skills in-house to deal with the
issue.
"The gap between the haves and the have-nots is opening," he
added. "In the rush to get onto the Internet only the large
organisations have the resources to keep up with what the business
wants to deploy."
Info Security Breaches 2000: key findings
- 60% of organisations suffered a security breach in the last two years
- 31% do not recognise information as a business asset
- 75% had virus protection, and 83% used passwords
- Just 15% of firms use firewalls and only 8% use encryption
- Only 37% have undertaken a risk assessment
- 75% of those suffering a breach had no contingency plan to deal with it
- Only 14% of organisations have a security policy in place
- Only 6% could name BS 7799 and only 1% had heard of the c:cure
certification scheme for BS 7799.
The survey will be presented by e-minister Patricia Hewitt on 11
April at Infosecurity Europe 2000, Olympia, London.
A view from the front line
Mike Thornton, IT security controller at Rolls-Royce, said the
key to effective information security was buy-in at board level.
"If you haven't got support at the top you will find life very
difficult." Just 14% of firms carry out third-party testing, but
Thornton confirmed it was useful both in reviewing security and
enforcing it. "Third party testing certainly caught people's
attention - it was far better than me doing it. People take more
notice when the words of wisdom come from outside."
Thornton said the big thing on the agenda now is encryption.
"The challenge is to deploy something acceptable to business
management, and acceptable globally. If you want encryption, and
you've got 30,000 e-mail users, where do you draw the line? It's
one thing to give senior managers encryption, but today's
organisations have a flat hierarchy and everyone is important."
Who drives infosecurity policy?
Tim Mather, director of information security at Symantec Corp,
said, "Security is now a board-level decision, the security policy
is a board level procedure. However, the board must also take
responsibility for enforcing that security policy through every
line manager in the company. Without that, they are putting their
business on the line in a game of Russian roulette with the
hackers."
Gerry O'Neill, senior manager at PricewaterhouseCoopers' global
risk management service, confirmed the need to get senior
management buy-in. "Last month we had a meeting of the BS7799 User
Group. What came out loud and clear is that security is not about
tools and methodologies. It is related to who you involve: the
right people at the right levels - getting their involvement in the
prioritisation and selection of controls."