Research reveals that companies are still not taking security seriously, reports Bill Goodwin.
Cutting edge research by the Human Firewall Council, a body of specialists devoted to disseminating best practice in IT security, shows that even the best prepared companies have a long way to go before their organisations' systems and information assets are adequately protected.
The council has pioneered a sophisticated online assessment tool, the Security Management Index, which allows IT and security managers to compare the performance of their companies against their peers and the internationally recognised security management standard, ISS17999.
More than 1,000 businesses and public sector organisations around the world, including 116 in the UK, completed the 30-minute assessment, supplying illuminating data that reveals just how well - or rather how badly - different sectors of the economy manage security.
The index shows that eight out of 10 organisations score 70% or less. Three out of four organisations do not fully implement their security policies and only one in five actively reviews them and keeps them up-to-date.
The results provide unequivocal proof that most organisations think of security as a problem that can be solved through technical fixes, such as installing a new firewall or a better intrusion detection system, rather than a management problem for the whole organisation.
"When you look at security management as a discipline it is not just a technology issue, it is about people, security policies and processes. A lot of times people just want one of those things to save them, and it cannot," said the council's chairman, Steve Kahan.
Although the results highlight serious shortfalls for all businesses, some sectors are worse than others. Not surprisingly companies in the defence industry score highest for security management. Financial services were next in line, with the healthcare sector bringing up the rear.
But no sector can afford to relax, said Kahan. The US has introduced new laws requiring healthcare companies to keep information secure. If security management is not up to scratch, they could find themselves legally liable.
Where organisations fall down particularly badly is their failure to ensure that staff are aware, understand and remember their corporate security policies. Almost 40% of organisations simply gave their employees printed manuals containing security policies on the day they started. Few kept policies up to date or had taken steps to ensure that their staff had genuinely read and understood them. Almost 50% of companies had no formal IT security training.
It is not surprising, said Kahan, that employees simply do not know how to recognise a security incident or, if they do, know how to react to it. "If you are a vice-president for information security you should be able to look the chief executive officer in the eye and prove to him that everyone has read and understood the company policy. You should be able to produce a report that proves it."
Another area where companies fall down is in managing access to information systems. Only a quarter of the organisations that completed the Security Management Index have fully implemented access control. Most do not have formal registration of new employees or deregistration of former employees, and password management is woefully inadequate.
Overall it is vital for organisations to ensure that each employee feels a responsibility for security, said Kahan. This might be through sending pop-up awareness notices to their PCs, formal training or holding quizzes about security policies.
The key to security management is the integration of policy and technology. "You must view it in an integrated way, and not try to solve it with a piece-meal approach," Kahan said.
What does the Security Management Index measure?
The index allows organisations to assess their security management performance, and to compare it with companies of similar size in similar business areas. It covers:
- How well security policy is implemented and kept up-to-date
- Security and classifications of assets and resources
- Personnel security
- Physical security
- Communications and operations, including documentation of procedures for incident management, back-up and recovery
- Control of access to systems
- Systems development and maintenance
- Business continuity
- Legal compliance.
More details from www.humanfirewall.org
Lax security is still commonplace
Eight out of 10 organisations score less than 70% for security management
Three out of four do not fully implemented security policies
Four out five could be breaking the law because they do not have adequate compliance programmes
Eight out of 10 have not fully implemented business continuity plans
Only one in four has fully implemented access controls
Only 16% have fully implemented secure policies for systems development and systems integration
Only two out of five have fully implemented personnel security policies
Fewer than 20% have proper incident reporting procedures
More than half do not have a system of asset classification and control
The average score for organisations that completed the index was 52 out of 100.
The Management Security Index is sponsored by the InfoSecurity Europe show (29 April to 1 May) and Computer Weekly
This was first published in March 2003