Who should be responsible for on-line security?

Yesterday the Cabinet Office Minister, Gillian Merron MP, presided over the launch of the annual Get Safe On-line security awareness campaign. The GSOL website now includes material on business as well as consumer protection, and every customer-facing website should have a hot-link to it. And if you think the material needs improving, join up and help improve it.

Those at the launch event heard the usual barrage of statistics, this time from a survey of 2000 adults conducted by ICM in October. Three hit home.

– 88% of end users (and 99% of SMEs) now have some form of Internet security software;

– 73% believe someone else should have prime responsibility for their on-line security, usually those who want them to transact on-line (i.e. only 27% believe they themselves should have prime responsibility);

– 36% will not bank on-line (and 21% will not even shop on-line).

I conducted my usual straw poll at such events: asking the journalists present (mainly from the technical press) if they banked on-line. So far over three quarters have looked sheepish, said they have not yet got round to it and finally admitted to having been frightened off by all the scare stories they have covered.

The ICM survey data has not yet been published, but the material publicised yesterday on the numbers who post confidential personal information on social networking sites (25%), use unprotected wifi networks (most) and have the same password for everything (25%) indicates that those whose business models rely on secure and trusted mass-market electronic identities, as opposed to the acceptance of statistical risk, have a long path ahead.

In 2001, a couple of months before 9/11 and the start of the “war against terror”, I attended the LEO Foundation Conference to celebrate the start of the second 50 years of business computing and submitted my personal forecast for the future of the world of computing in the period to 2051. My first published forecast, for “Video in the Year 2000”, was made in 1978. It was for “the switchable, editable videophone”. It arrived, more or less to time, in Korea, Japan and coastal China. But it required genuine broadband, not “up to 8 megs”, alias a delivered speed of well under a meg for most. It is still, therefore, years away for the UK.

For my LEO forecast I pillaged material from a wide variety of sources, including the unpublished scenario planning exercises of most of the main commercial players and research institutes. Looking back, the main omission was that I missed the effect of post-9/11 Anglo-American security paranoia in expediting image and pattern recognition research and deployment. I did, however, correctly forecast the current collapse in trust that “what you see is what you get” – as the technologies of illusion and impersonation accelerate faster than those for authentication and authorisation.

This is a major challenge for those who really do want to know that you are who you say you are, and it raises awkward questions, not just the obvious “why do they need to know”. The most serious concerns the possible scale of data manipulation, including by those who have “authorised access” as staff or contractors. How far can we now really trust any of the data in any of the world’s fast-multiplying databases – especially those which are permanently on-line and therefore permanently vulnerable?

One of the speakers at the recent Parliament and the Internet conference pointed out that the best way of securing these might be to move towards “discontinuity” – i.e. systems that connect only when they have a need to. In other words, we should reverse the drive towards always-on until we can better manage and reduce the risk – including that of digititis (How safe is your data? – on-line or off?). Others say that you cannot trust any data in any organisation that does not positively vet and audit all those who have the access or authority to update or change it. But how many organisations do that, outside financial services and parts (but by no means all) of the public sector?

The Get Safe On-line material is very good for what it is. But there is a widespread assumption, unfortunately all too often wrong, that large organisations know what they are doing, let alone why. We need similar guidance targeted at those in charge of marketing or service delivery who wish their customers to transact confidently and securely with them on-line.