I have just received an e-mail from “The Excellent Network” on “10 Things you didn’t know last week” inviting me to click for actions in the coming week. It arrived just after a reference to another data breach at a US supermarket chain; I decided not to trust it. I also concluded that my wife was not irrational when she declined to trust the security of our local supermarket.
A couple of days ago the Boston Globe carried an article on a US supermarket chain (300 stores) that had discovered “software that intercepted card data from customers as they paid with plastic at store checkout counters, and sent the data overseas.”
The security expert who forwarded the supermarket reference to me said that the attack did not use anything new – the “story” was that the current focus on perimeter security, as opposed to “defence in depth”, means that many internal corporate networks are surprisingly vulnerable.
This morning I also received a request for a quote for the Information Security Awareness campaign that is due next month. Mine was: “Awareness has to include practical understanding on the part of politicians, directors, managers, professionals, teachers and parents as to what they can and should be doing to better protect their voters, shareholders, staff, employees, customers, pupils and children – as well as themselves and their systems. That requires us to work together very much better than in the past.”
UK ICT users are said to be spending well over £3 billion a year on information security.
They are not getting value for money.
Until then, whose electronic identity or credentials can you trust?
And why would you wish to – unless someone else is underwriting the risk?
Hence the ruthlessly practical forward focus of the EURIM work programmes on secure data sharing, identity management and e-crime reduction that are currently being agreed.
The lead participants are no longer interested in making or repeating recommendations. There were nearly sixty in the six papers produced during the EURIM Partnership Policing study from 2003 – 2005. There are more in the papers since then on Secure Data Sharing, and we can now see them being repeated by others – albeit often alongside proposals that we dismissed as impractical or irrelevant.
The lead participants are much more interested in identifying those who are willing to come together in partnerships to do what is necessary to protect themselves and their customers – regardless of what others may or may not do.
That raises “interesting” issues of accountability, governance and competition which have to be faced – especially if we are entering a world of privatised policing.
I am not at all sure we should copy the railway age – ISPs having their own police forces akin to those of the Victorian railway companies.
Hence my very strong personal support for the concepts behind both the Metropolitan Police and ACPO plans for a national co-ordinating unit which brings together both public and private sector law enforcement resources, and for the UK Internet Governance Forum – to bring together the broader “e-crime reduction” constituency, including groupings like the new Information Security Awareness Forum.
However, I too am accountable, including to the membership of EURIM, and look forward to working with those who are serious about taking up arms against a sea of troubles – as opposed to standing on the shore and watching the storm.