UK businesses - under attack!

Almost half of UK businesses suffer security breaches each year. A new club - the Infosecurity User Group - for IT users aims to help, says David Bicknell.

In the months since the terrorist attacks of 11 September 2001 we have seen security - both information and physical - become an issue of increasingly high importance.
Now, according to a survey of security breaches from the Department of Trade & Industry, 73% of UK businesses - up from 53% in 2000 - believe that information security is a high priority for senior management.
The survey found that 44% of UK businesses have suffered at least one security breach in the past year. The average cost of such incidents was £30,000, but several businesses had incidents that cost more than £500,000.
These statistics go some way toward explaining the growing interest among users in Computer Weekly's Infosecurity User Group.
It is estimated that 3%-5% of an organisation's IT budget should be spent on IT security. In some high-risk areas, such as financial services, this spend could reach 10%. According to the DTI, however, few UK businesses spend anything like that figure on information security.
The user group's chairman is Martin Smith, managing director of The Security Company, who is also chairman and programme arranger for the computer security conference Compsec. Smith is responsible for setting the agenda, selecting the speakers, and "refereeing" the group's meetings.
The topics are determined by the attendees' needs, and include subjects as diverse as security in the mobile environment, e-mail security, and the importance and success of network and host intrusion detection systems.
"I am determined that the user group is exactly as described on the tin - a place for security practitioners to share experiences and ideas. While we will always draw on the supplier community to contribute, both as speakers and as members, my emphasis will always be on serving the information security user community. Too often these initiatives are hijacked by vested commercial interests. We will resist this, and already we are seeing the positive results of such an approach," says Smith.
"In time we intend the group to become the premier meeting ground for those involved in the practical implementation of information security in all sectors - financial and non-financial - and from all sizes of organisations, from small- and medium-sized enterprises to global corporations," he says.
"The issues we face are common across all boundaries. Too often the lessons learned by one company are lost to others," Smith says.
Common enemies
"The information security community is dealing with common enemies - fraud, cybercrime, hacking and other forms of unauthorised intrusion, natural hazards and accidents.
"We are all trying to choose the best products and roll out the best practices, and there is every reason for us all to pool our knowledge. I want us to become the most respected and trusted forum to facilitate this," Smith adds.
One concrete output of the user group has been a survey of its members on security awareness. "This can be considered as the oil that lubricates the security machine. Without the support of the workforce, all security plans are doomed to failure. The vast majority of personnel are happy to follow the rules, provided they understand why. Yet this straightforward and inexpensive weapon in our armoury is too often ignored or done on the cheap," says Smith.
This view is borne out by the results of the survey. Less than half (46%) of the group's member companies have implemented a security awareness campaign and, of those companies which have, only 32% considered them to be successful. The main reasons for failure were quoted as lack of management support, staff apathy and lack of budget. Despite this, members will continue with nearly all their campaigns.
"I am passionate about security awareness," says Smith. "It is critical to success, and the group members think so too. Yet our survey shows that our members are failing to attract the attention of senior management and their workforces. In the 2003 programme, I will arrange half-day security awareness workshops to allow our members to improve their activities in this field."
The group, which has met four times so far, encourages debate. Speakers are invited to describe the issues around the topic before being grilled by the audience. The presentations, which remain confidential, are followed by informal networking and discussions and there is no charge for attendance.
"Our members know what they want to know, and our speakers have universally risen to the challenge. To say that our meetings are lively is not to do them justice! The atmosphere at times has proved electric," says Smith.
The reaction among users has certainly been positive. Dai Morgan, senior IT security consultant at Standard Chartered Bank, says, "I certainly did enjoy the user group - it's always a pleasure to discuss an interesting topic with a room of like-minded people. The speakers were knowledgeable and interesting and it was useful to be able to share experiences. Overall it was well worth battling the Tube system on the day of the firemen's strikes to get there."
Jez Clement, Internet and ICT security engineer, Greater London Authority, says, "I found the user group very useful, and I was impressed with the candour of the speakers. We're reviewing our intrusion detection systems, and having access to such frank information from organisations that had identified the issues and pitfalls involved was invaluable. Being able to cut through all the supplier hype was refreshing. We'd probably have found out these things ourselves, but going to a meeting like this helps give us a short cut."
Chris Wheeler, director of Imago Fashionwear, says, "I was persuaded to attend because the meeting claimed to address issues such as 'What can I do if someone decides to hack into my data?' and 'What does an intruder want with my data?'
"The discussions were clear and not overly technical, they were frank and, more importantly, were able to provide me with a spectrum of options meriting further research, appropriate for my business."
Alistair Wardell, technical director at Secoda Risk Management, says the user group provides "a good forum for raising awareness of current issues and discussing real approaches to protecting organisations - what works, and where the pitfalls are."