The Confederation of British Industry (CBI) is pressing businesses
to take IT security more seriously or risk facing government
regulations on information security.
The employers' organisation is concerned that the UK and US
governments are hardening their attitudes towards companies that
place Internet communication at risk because of sloppy security
practices.
The warning reflects concerns raised by governments after the 11
September attacks in the US that terrorists could disrupt critical
communications on the Internet by planting malicious code in
poorly protected company systems.
Jeremy Ward, CBI representative on information security at the
Organisation for Economic Co-operation and Development (OECD), said
the UK and the US governments had signalled that they may introduce
legislation to enforce good security practices.
"Richard Clarke, Bush's cyber security chief, has said that we need
to reconsider the concept that everyone everywhere must be
connected to everyone else," Ward said.
"I sum it up by the phrase 'Get protected or get regulated'. There
is a terrific impetus from governments, particularly the US, to
introduce regulation in this area."
The employers' group is planning a campaign to urge its members to
adopt the recently published information security guidelines from
the OECD, which were rushed through at the insistence of the US
administration following the attacks on 11 September.
The CBI regards adherence to the guidelines, which lay down eight
broad security principles, with particular emphasis on risk
management, as vital if regulation is to be headed off.
"You only have to look at the Regulation of Investigatory Powers
Act to see that this country is very seriously considering the need
for regulation in this area," Ward said.
"It's not just the security of your company that's a problem.
Everything is interconnected on the Internet, so it's only as
strong as its weakest link," he added.
The CBI is also urging companies to look at the possible benefits
of BS7799 certification. Although take-up has been slow, with only
150 companies worldwide having formal certification, a new version
of the standard released last week promises to make the
certification process simpler.
But Ward suggested that some companies may want to apply the BS7799
principles without the cost of formal certification. There needs to
be a clear business case to justify the cost of independent
verification of a company's security, he said.