While many firms are prepared to shell out for security technology, few understand that it requires policy and management across the whole business. Paul Mason analyses the results of this week's DTI info-security survey and talks to two IT professionals at the front line of security practice.
Shoddy security could lead to disaster as UK firms rush to the Internet without adequate policies or budgets for information security. For all the hype about the "information economy", nearly a third of UK organisations do not recognise information as a business asset. And while there is widespread use of basic security technology - virus protection and passwords - only 14% of firms have a security policy.
These are the key findings of the Information Security Breaches Survey 2000, announced this week by e-minister Patricia Hewitt at the Infosecurity Europe exhibition at London's Olympia.
The survey polled 1,000 UK managers with key responsibility for information security from a cross-section of public and private organisations. It found that 60% of firms had suffered a security breach in the past two years. And as the economy moves online, the report shows the security threat increases. More than 70% of firms with Internet access suffered breaches, rising to 90% for those involved in EDI or similar transactions.
The breakdown of security breaches by type shows that while much of the info-security effort is focused on the external threat, the main threat comes from inside organisations. Operator error and power failures were the two largest sources of security breaches. Viruses accounted for 16% of security incidents, while external unauthorised access accounted for 2%.
Robert Temple, head of the IT security unit at BT, says, "Organisations must remember not to expend all their energies on repelling the 'wily hacker' at the expense of ignoring those people who every day log on to their systems and networks within the firewall. All the evidence suggests that the insider remains the real threat."
The survey showed low take-up of more sophisticated security tools, which reflects the low use of formal security policies. Experts see a security policy as the key to defending business data against misuse, and good policies typically start from risk management. They also see information security as a business-wide issue rather than an IT issue, and propose a business-wide contingency plan for dealing with and reporting security incidents.
Gerry O'Neill, senior manager, global risk management solutions at PricewaterhouseCoopers, says, "Best practice means enterprise-wide management of info-security. It is bigger than just IT security. Assessment must be done with business owners. There is no point in doing isolated reviews disconnected from the business sense."
The survey shows a close correlation between the presence of a security policy and the ability to manage advanced security technology. Third-party testing, encryption and two-factor authentication are present in only a small minority of firms - but a high proportion of those with security policies do all three.
This two-tier picture of security practice mirrors company size, with coherent policy and strong technology concentrated in firms of more than 500 employees.
The survey shows low awareness of British Standard 7799 - the DTI-preferred benchmark for best practice in info-security. Just 6% of those surveyed had heard of it, and only 1% had heard of the c:cure certification scheme. Paradoxically, BS7799 is one of the easiest ways for smaller firms to template a security policy, and Part 1 of the standard is on a fast track to adoption by the International Organization for Standardization (ISO).
The Data Protection Act 1998 makes appropriate security of personal data a legal requirement, and the Data Protection Commissioner's office points to compliance with BS7799 as a good starting point for complying with the Act itself. "To maintain appropriate security of data is now a legally enforceable requirement," says Dr John Woulds, director of operations for the Data Protection Commissioner. "If we were dealing with an allegation of breach of security in the context of personal data, and we decided to investigate, one of the things we would ask is 'what steps have you taken to evaluate risks and apply counter-measures?' If a firm has properly applied BS7799 it would be able to answer."
PricewaterhouseCoopers' O'Neill says, "The BS7799 standard has been slow to take off but is picking up speed. There are two main drivers: the government sector is starting to ask for it, and this will spin out into suppliers of services to government. The other driver is commercial peer pressure. With e-business there is a desire to prove trust to other companies."
Clearly, UK PLC has a long way to go to bring info-security practice into the Internet age. Budgets and skills, it seems, are still being deployed in the rush into e-commerce, without a similar level of spend on adequate security.
At the heart of the problem is lack of awareness among business leaders of the profound consequences of information security breaches. BT's Robert Temple says, "Yet again we are seeing a validation of the old truism: if you can only afford one counter-measure, make it awareness."
Key findings of Information Security Breaches Survey 2000
- 60% of organisations have suffered a security breach in the last two years
- 31% of organisations do not recognise that any of their business information is a business asset
- Of those organisations that have critical or sensitive information, 43% had suffered an "extremely serious" or "very serious" breach
- One-in-three businesses are either already buying or selling over the Internet, or intend to start in the near future
- Only 14% of organisations have a formal information management security policy in place
- Only 37% of organisations interviewed have undertaken a systematic risk assessment of the security risks they face
- Some good practices are being implemented and adhered to by 83% of the organisations interviewed, such as virus protection and password controls
- 40% of the security breaches reported by companies were due to operator or user error
- Nearly three-quarters of organisations that suffered a serious breach had no contingency plan in place to deal with it
- More than half of the organisations which suffered serious breaches do not believe there is anything they could have done to prevent them happening
- Organisations where responsibility for information security rests at board level are also those most likely to have formal policies in place. The presence of a formal policy is one of the most important issues in reporting and resolving security breaches
- Very few organisations were able (or prepared) to report the business implications of their security breaches - but those that were indicated that the cost of a single breach could be over £100,000
Source: ISBS 2000
From the front line: Rolls-Royce
Mike Thornton, IT security controller at Rolls-Royce, sees the Internet changing the model of corporate IT security.
"E-business will focus attention on security a lot harder than in the past. In e-business you move away from the citadel approach - it brings the potential opposition into your camp."
For Thornton, a security policy backed at board level is crucial to helping IT police its relationships with outsourcers and customers. When it comes to security, he says, "if you haven't got support at the top, you will find life very difficult. Having a policy is one thing - applying it is another.
"Outsourcing has focused our attention back on the policy, on the metrics we would expect from our suppliers. You have to look at data access, even with an outsourcer. For example, your clients may not want the customer to have their data."
The DTI survey shows that few firms carry out third-party testing of their security systems. But Thornton praises the idea: "We have just hardened our password policy after using penetration testing. We're looking hard at how we apply and police it.
"Third-party testing certainly caught people's attention. It was better than me doing it: it's better when the words of wisdom come from outside."
On BS7799 Thornton says the engineering giant has, to date, been sceptical. "Because we work in a standards-driven environment, everyone understands the price you pay for trying to meet them. We would say we meet 7799 in all its major areas. Why should we pay extra to have someone tell us that?"
However, Thornton says there will be more acceptance of BS7799 as e-commerce takes off. "The big thing in e-commerce is trust. If you are accredited with 7799 or an ISO then you have something to go on. Making BS7799 into an ISO is a good idea. The business itself is international - one of the major difficulties is to fulfil standards around the globe."
Thornton says one of the most difficult things with a security policy is education. He believes technology is moving so fast that traditional course rollout timetables have to be scrapped, and says Rolls-Royce is now piloting computer-based security training that can be changed as the technology threat develops.
From the front line: Hansard Financial Trust
Mark Syme's task was daunting: to take the secure, closed database of an international financial broker and open it up to business partners on the Web. The solution was to create a secure extranet. And, needless to say, security was a prime concern.
"We were opening up part of our system to the outside world, so we had to create a balance between security and usability," says Syme, IT project manager at Isle of Man-based Hansard Financial Trust.
"Static passwords were never going to be an option," says Syme. The company investigated the use of digital certificates but found these were not flexible enough for the worldwide user base. "We went for RSA key fobs with a number that changes every 60 seconds - so access is only possible with a username, password and key fob," says Syme.
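The scheme Syme describes - a username, a password and a code from a fob that rolls over every 60 seconds - works because the fob and the server share a secret and a clock, so each can derive the current code without talking to the other. The following is an added example written for this page, not Hansard's or RSA's code: the RSA SecurID algorithm of the period was proprietary, so this uses the open HMAC-based one-time-password construction (RFC 4226 HOTP and its time-based variant, RFC 6238 TOTP), which produces the same kind of rolling code. The token secret, user names, passwords and timestamps are constructed for the demonstration; the 60-second step and the one-interval clock-skew window are assumptions.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 60, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of `step`-second
    intervals since the Unix epoch. A fob and a server with synchronised clocks
    therefore agree on the code for the current interval (60 s here, an assumption)."""
    return hotp(secret, at_time // step, digits)


class TokenVerifier:
    """Server-side state for one user's fob: the shared secret plus a replay guard."""

    def __init__(self, secret: bytes, step: int = 60, digits: int = 6, skew: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew          # accept +/- this many intervals of clock drift (assumed: 1)
        self.last_counter = -1    # highest interval already consumed

    def verify(self, code: str, at_time: int) -> bool:
        counter = at_time // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_counter:
                continue  # already used, or older than a code already accepted: replay
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_counter = c
                return True
        return False


def make_user(password: str, token_secret: bytes, step: int = 60) -> dict:
    """Store a salted password hash (PBKDF2) and the token state; never the password."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
        "token": TokenVerifier(token_secret, step=step),
    }


def authenticate(users: dict, username: str, password: str, code: str, at_time: int) -> bool:
    """Access needs all three: a known username, the password, and the current fob code."""
    rec = users.get(username)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
    if not hmac.compare_digest(candidate, rec["pw_hash"]):
        return False  # do not consume a fob code for a caller who does not know the password
    return rec["token"].verify(code, at_time)


if __name__ == "__main__":
    # Constructed demo data: the RFC 4226 sample secret and a fixed timestamp.
    secret = b"12345678901234567890"
    users = {"alice": make_user("correct horse", secret)}
    now = 1_200
    fob_code = totp(secret, now)          # what the fob would display at `now`
    print("fob shows", fob_code)
    print("login:", authenticate(users, "alice", "correct horse", fob_code, now))
    print("replay:", authenticate(users, "alice", "correct horse", fob_code, now))
```

The replay guard matters more than it looks: within the skew window a captured code is still valid on the wire for up to a minute or two, so the server must refuse any interval at or below the last one it accepted, and it should only burn a code once the password has checked out, otherwise an attacker who knows only the username can lock the real user out of each interval's code.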
He says Hansard's security policy - backed by a dedicated security officer - helped the company keep IT issues aligned with business needs.
"We third-party tested the system twice, with two different firms. The important thing with third-party testing - because there are a lot of consultants out there - is to take up references. We asked each tester for two or three reference sites.
"In the company, everybody has responsibility for looking after security if they value the business. The security officer is there to enforce the procedures."
As for BS7799, the DTI's best practice benchmark, Syme says the standard did not figure when Hansard was designing the system.
The Information Security Breaches Survey 2000 was sponsored by the DTI and managed by Reed Elsevier in association with Axent Technologies, BT and Nokia. Research was done by Taylor Nelson Sofres. Computer Weekly journalists helped design the survey.