While many firms are prepared to shell out for security technology,
few understand that it requires policy and management across the
whole business. Paul Mason analyses the results of this week's DTI
info-security survey and talks to two IT professionals at the front
line of security practice
Shoddy security could lead to disaster as UK firms rush to the
Internet without adequate policies or budgets for information
security. For all the hype about the "information economy", nearly
a third of UK organisations do not recognise information as a
business asset. And while there is widespread use of basic security
technology - virus protection and passwords - only 14% of firms
have a security policy.
These are the key findings of the Information Security Breaches
Survey 2000, announced this week by e-minister Patricia Hewitt at
the Infosecurity Europe exhibition at London's Olympia.
The survey polled 1,000 UK managers with key responsibility for
information security from a cross-section of public and private
organisations. It found that 60% of firms had suffered a security
breach in the past two years. And as the economy moves online, the
report shows the security threat increases. More than 70% of firms
with Internet access suffered breaches, rising to 90% for those
involved in EDI or similar transactions.
The breakdown of security breaches by type shows that while much
of the info-security effort is focused on the external threat, the
main threat comes from inside organisations. Operator error and
power failures were the two largest sources of security breaches.
Viruses accounted for 16% of security incidents, while external
unauthorised access accounted for 2%.
Robert Temple, head of the IT security unit at BT, says,
"Organisations must remember not to expend all their energies on
repelling the 'wily hacker' at the expense of ignoring those people
who every day log on to their systems and networks within the
firewall. All the evidence suggests that the insider remains the
real threat."
The survey showed low prevalence of more complex security tools,
reflecting the low use of formal security policies. Experts see
security policy as the key to defending business data against
misuse: good policies typically start from risk management. They
also see information as a whole business issue rather than an IT
issue and propose a whole-business contingency plan to deal with
and report security incidents.
Gerry O'Neill, senior manager, global risk management solutions
at PricewaterhouseCoopers, says, "Best practice means
enterprise-wide management of info-security. It is bigger than just
IT security. Assessment must be done with business owners. There is
no point in doing isolated reviews disconnected from the business
sense."
The survey shows a close correlation between the presence of a
security policy and the ability to manage advanced security
technology. Third-party testing, encryption and two-factor
identification are present in a small minority of firms - but a
high number with security policies do all three.
This two-tier picture of security practice mirrors company size,
with coherent policy and strong technology concentrated in firms of
more than 500 employees.
The survey shows low awareness of British Standard 7799 - the
DTI-preferred benchmark for best practice in info-security. Just 6%
of those surveyed had heard of it, and only 1% had heard of the
c:cure certification scheme. Paradoxically, BS7799 is one of the
easiest ways for smaller firms to template security policy, and
Part I of the standard is on a fast-track to being approved by the
International Standards Organisation.
The Data Protection Act indicates that compliance with BS7799 is
a good starting point to comply with the act itself. "To maintain
appropriate security of data is now a legally enforceable
requirement," says Dr John Woulds, director of operations for the
Data Protection Commissioner. "If we were dealing with an
allegation of breach of security in the context of personal data,
and we decided to investigate, one of the things we would ask is
'what steps have you taken to evaluate risks and apply
counter-measures?' If a firm has properly applied BS7799 it would
be able to answer."
PricewaterhouseCoopers' O'Neill says, "The BS7799 standard has
been slow to take off but is picking up speed. There are two main
drivers: the government sector is starting to ask for it, and this
will spin out into suppliers of services to government. The other
driver is commercial peer pressure. With e-business there is a
desire to prove trust to other companies."
Clearly, UK PLC has a long way to go to bring info-security
practice into the Internet age. Budgets and skills, it seems, are
still being deployed in the rush into e-commerce, without a similar
level of spend on adequate security.
At the heart of the problem is lack of awareness among business
leaders of the profound consequences of information security
breaches. BT's Robert Temple says, "Yet again we are seeing a
validation of the old truism: if you can only afford one
counter-measure, make it awareness."
Key findings of Information Security Breaches Survey 2000
- 60% of organisations have suffered a security breach in the
last two years
- 31% of organisations do not recognise that any of their
business information is a business asset
- Of those organisations that have critical or sensitive
information, 43% had suffered an "extremely serious" or "very
serious" breach
- One in three businesses are either already buying or selling
over the Internet, or intend to start in the near future
- Only 14% of organisations have a formal information management
security policy in place
- Only 37% of organisations interviewed have undertaken a risk
assessment where a systematic approach is taken to assess the
security risks faced by the organisation.
- Some good practices are being implemented and adhered to by 83%
of the organisations interviewed, such as virus protection and
password controls
- 40% of the security breaches reported by companies were due to
operator or user error
- Nearly three-quarters of organisations that suffered a serious
breach had no contingency plan in place to deal with it
- More than half of the organisations which suffered serious
breaches do not believe there is anything they could have done to
prevent them happening
- Organisations where responsibility for information security
rests at board level are also those most likely to have formal
policies in place. The presence of a formal policy is one of the
most important issues in reporting and resolving security
breaches
- Very few organisations were able (or prepared) to report the
business implications of their security breaches - but those that
were indicated that the cost of a single breach could be over
£100,000
Source: ISBS 2000
From the front line: Rolls-Royce
Mike Thornton, IT security controller at Rolls-Royce, sees the
Internet changing the model of corporate IT security.
"E-business will focus attention on security a lot harder than
in the past. In e-business you move away from the citadel approach
- it brings the potential opposition into your camp."
For Thornton, a security policy backed at board level is crucial
to helping IT police its relationships with outsourcers and
customers. When it comes to security, he says, "if you haven't got
support at the top, you will find life very difficult. Having a
policy is one thing - applying it is another.
"Outsourcing has focused our attention back on the policy, on
the metrics we would expect from our suppliers. You have to look at
data access, even with an outsourcer. For example, your clients may
not want the customer to have their data."
The DTI survey shows that few firms carry out third-party
testing of their security systems. But Thornton praises the idea,
"We have just hardened our password policy after using penetration
testing. We're looking hard at how we apply and police it.
"Third-party testing certainly caught people's attention. It was
better than me doing it: it's better when the words of wisdom come
from outside."
On BS7799 Thornton says the engineering giant has, to date, been
sceptical. "Because we work in a standards-driven environment,
everyone understands the price you pay for trying to meet them. We
would say we meet 7799 in all its major areas. Why should we pay
extra to have someone tell us that?"
However, Thornton says there will be more acceptance of BS7799
as e-commerce takes off. "The big thing in e-commerce is trust. If
you are accredited with 7799 or an ISO then you have something to
go on. Making BS7799 into an ISO is a good idea. The business
itself is international - one of the major difficulties is to
fulfil standards around the globe."
Thornton says one of the most difficult things with a security
policy is education. He believes technology is moving so fast that
traditional course rollout timetables have to be scrapped, and says
Rolls-Royce is now piloting computer-based security training that
can be changed as the technology threat develops.
From the front line: Hansard Financial Trust
Mark Syme's task was daunting: to take the secure, closed
database of an international financial broker and open it up to
business partners on the Web. The solution was to create a secure
extranet. And, needless to say, security was a prime concern.
"We were opening up part of our system to the outside world, so
we had to create a balance between security and usability," says
Syme, IT project manager at Isle of Man-based Hansard Financial
Trust.
"Static passwords were never going to be an option," says Syme.
The company investigated the use of digital certificates but found
these were not flexible enough for the worldwide user base. "We
went for RSA key fobs with a number that changes every 60 seconds -
so access is only possible with a username, password and key fob,"
says Syme.
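As an added illustration (not code from the article or from Hansard, whose RSA fob algorithm is proprietary), here is a server-side check for the three-part login Syme describes: username, password and a fob code that changes every 60 seconds. It assumes an HMAC-over-time-step code with six digits, allows one window of clock skew, and refuses to accept a code from a window that has already been used, the replay case a plain "does the code match?" check would miss.

```python
import hashlib
import hmac
import os
import struct

PERIOD = 60   # the fob code rotates every 60 seconds, as in the article
DIGITS = 6    # assumption: six-digit codes


def token_for(seed: bytes, unix_time: int) -> str:
    """Code for the 60-second window containing unix_time.
    Assumed HMAC-over-time-step construction, not the proprietary fob algorithm."""
    step = unix_time // PERIOD
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ExtranetAuth:
    """Username + password + rotating code; tolerates one window of clock skew
    and refuses a code from any window that has already been consumed."""

    def __init__(self):
        self.users = {}  # username -> [salt, password_hash, fob_seed, last_step_used]

    def enrol(self, username: str, password: str, fob_seed: bytes) -> None:
        salt = os.urandom(16)
        self.users[username] = [salt, hash_password(password, salt), fob_seed, -1]

    def login(self, username: str, password: str, code: str,
              unix_time: int, skew: int = 1) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, pw_hash, seed, last_step = rec
        # constant-time compare so a wrong guess leaks nothing about how close it was
        if not hmac.compare_digest(hash_password(password, salt), pw_hash):
            return False
        step = unix_time // PERIOD
        for candidate in range(step - skew, step + skew + 1):
            if candidate <= last_step:      # replay: this window's code was already accepted
                continue
            if hmac.compare_digest(token_for(seed, candidate * PERIOD), code):
                rec[3] = candidate           # remember the newest window consumed
                return True
        return False
```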
He says Hansard's security policy - backed by a dedicated
security officer - helped the company keep IT issues aligned with
business needs.
"We third-party tested the system twice, with two different
firms. The important thing with third-party testing - because there
are a lot of consultants out there - is to take up references. We
asked each tester for two or three reference sites.
"In the company, everybody has responsibility for looking after
security if they value the business. The security officer is there
to enforce the procedures."
As for BS7799, the DTI's best practice benchmark, Syme says the
standard did not figure when Hansard was designing the system.
Surveyed by...
The Information Security Breaches Survey 2000 was sponsored by
the DTI and managed by Reed Elsevier in association with Axent
Technologies, BT and Nokia. Research was done by Taylor Nelson
Sofres. Computer Weekly journalists helped design the survey.