Almost half of UK businesses suffer security breaches each year. A
new club - the Infosecurity User Group - for IT users aims to help,
says David Bicknell.
In the months since the terrorist attacks of 11 September 2001 we
have seen security - both information and physical - become an
issue of increasingly high importance.
Now, according to a survey of security breaches from the Department
of Trade & Industry, 73% of UK businesses - up from 53% in 2000
- believe that information security is a high priority for senior
management.
The survey found that 44% of UK businesses have suffered at least
one security breach in the past year. The average cost of such
incidents was £30,000, but several businesses had incidents that
cost more than £500,000.
These statistics go some way toward explaining the growing interest
among users in Computer Weekly's Infosecurity User Group.
It is estimated that 3%-5% of an organisation's IT budget should be
spent on IT security. In some high-risk areas, such as financial
services, this spend could reach 10%. According to the DTI,
however, few UK businesses spend anything like that figure on
information security.
The user group's chairman is Martin Smith, managing director of The
Security Company, who is also chairman and programme arranger for
the computer security conference Compsec. Smith is responsible for
setting the agenda, selecting the speakers, and "refereeing" the
group's meetings.
The topics are determined by the attendees' needs, and include
subjects as diverse as security in the mobile environment,
e-mail security, and the importance and success of network and
systems intrusion detection systems.
"I am determined that the user group is exactly as described on the
tin - a place for security practitioners to share experiences and
ideas. While we will always draw on the supplier community to
contribute, both as speakers and as members, my emphasis will
always be on serving the information security user community. Too
often these initiatives are hijacked by vested commercial
interests. We will resist this, and already we are seeing the
positive results of such an approach," says Smith.
"In time we intend the group to become the premier meeting ground
for those involved in the practical implementation of information
security in all sectors - financial and non-financial - and from
all sizes of organisations, from small- and medium-sized
enterprises to global corporations," he says.
"The issues we face are common across all boundaries. Too often the
lessons learned by one company are lost to others," Smith says.
Common enemies
"The information security community is dealing with common enemies
- fraud, cybercrime, hacking and other forms of unauthorised
intrusion, natural hazards and accidents.
"We are all trying to choose the best products and roll out the
best practices, and there is every reason for us all to pool our
knowledge. I want us to become the most respected and trusted forum
to facilitate this," Smith adds.
One such benefit from the user group has been the results of a
survey among its members about security awareness. "This can be
considered as the oil that lubricates the security machine. Without
the support of the workforce, all security plans are doomed to
failure. The vast majority of personnel are happy to follow the
rules, provided they understand why. Yet this straightforward and
inexpensive weapon in our armoury is too often ignored or done on
the cheap," says Smith.
This view is borne out by the results of the survey. Less than half
(46%) of the group's member companies have implemented a security
awareness campaign and, of those companies which have, only 32%
considered them to be successful. The main reasons for failure were
quoted as lack of management support, staff apathy and lack of
budget. Despite this, members will continue with nearly all their
campaigns.
"I am passionate about security awareness," says Smith. "It is
critical to success and the group members do too. Yet our survey
shows that our members are failing to attract the attention of
senior management and their workforces. In the 2003 programme, I
will arrange half-day security awareness workshops to allow our
members to improve their activities in this field."
The group, which has met four times so far, encourages debate.
Speakers are invited to describe the issues around the topic before
being grilled by the audience. The presentations, which remain
confidential, are followed by informal networking and discussions
and there is no charge for attendance.
"Our members know what they want to know, and our speakers have
universally risen to the challenge. To say that our meetings are
lively is not to do them justice! The atmosphere at times has
proved electric," says Smith.
The reaction among users has certainly been positive. Dai Morgan,
senior IT security consultant at Standard Chartered Bank, says, "I
certainly did enjoy the user group - it's always a pleasure to
discuss an interesting topic with a room of like-minded people. The
speakers were knowledgeable and interesting and it was useful to be
able to share experiences. Overall it was well worth battling the
Tube system on the day of the firemen's strikes to get there."
Jez Clement, Internet and ICT security engineer, Greater London
Authority, says, "I found the user group very useful, and I was
impressed with the candour of the speakers. We're reviewing our
intrusion detection systems, and having access to such frank
information from organisations that had identified the issues and
pitfalls involved was invaluable. Being able to cut through all the
supplier hype was refreshing. We'd probably have found out these
things ourselves, but going to a meeting like this helps give us a
short cut."
Chris Wheeler, director of Imago Fashionwear, says, "I was
persuaded to attend because the meeting claimed to address issues
such as 'What can I do if someone decides to hack into my data?'
and 'What does an intruder want with my data?'
"The discussions were clear and not overly technical, they were
frank and, more importantly, were able to provide me with a
spectrum of options meriting further research, appropriate for my
business."
Alistair Wardell, technical director at Secoda Risk Management,
says the user group provides a good forum for raising awareness of
current issues and discussing real approaches to protecting
organisations - what works, and where the pitfalls are.
www.thesecurityco.com/securityawareness