alswart -

Info-security is an issue for all

Survey shows serious lack of information security among majority of firms

Next week, Patricia Hewitt, the e-minister, will outline the results of the Information Security Breaches Survey 2000. The results make depressing reading.

More than 60% of organisations claim to have suffered an information security breach in the past two years. An estimated 320,000 organisations suffered a “serious” breach, but only 14% of firms have a coherent security policy, and just 6% of the security managers contacted could name British Standard 7799 - the Department of Trade and Industry’s benchmark for best practice.

The survey reveals that many UK firms have yet to face up to the security challenges of the internet. While there is widespread use of passwords and anti-virus protection, only 46% of firms with external email used email scanning software.

Many firms are fatalistic about information security. Out of the firms that had experienced a serious security incident, the majority thought there was nothing they could have done to stop it, and had no contingency plan.

But security policies are effective, the report reveals. According to the survey:

  • 78% of those with a policy had also carried out risk assessment, compared with a UK average of 37%.
  • 76% of those with a policy had undertaken third-party testing of their systems, compared with a UK average of 14%.
  • 80% of the organisations that had contingency plans said these were effective in coping with serious security breaches.

Michele Mooney, head of BT’s TrustWise digital certificate service, said: “One of the frightening things revealed in the report is how security is viewed as a technology rather than a business issue. There is a lack of understanding of how valuable information is to business. That is staggering.”

Large organisations are likely to have strong security in place, backed by policy, while small to medium-sized enterprises (SMEs) often trust very basic technology, poorly integrated across the business.

Only 11% of firms have procedures in place to log information security incidents. However, among firms with more than 500 employees, 72% have such procedures.

Steve Gailey, managing director of security consultants Buchanan Brown, said: “The truth is most SMEs have got no idea that information security exists as a concept. The ones that do understand usually have no skills in-house to deal with the issue.

“The gap between the haves and the have-nots is opening,” he added. “In the rush to get onto the internet, only the large organisations have the resources to keep up with what the business wants to deploy.”

A view from the front line

Mike Thornton, IT security controller at Rolls Royce, said the key to effective information security was buy-in at board level. “If you haven’t got support at the top you will find life very difficult,” he said. 

Just 14% of firms carry out third party testing, but Thornton confirmed it was useful both in reviewing security and enforcing it. “Third-party testing certainly caught people’s attention – it was far better than me doing it. People take more notice when the words of wisdom come from outside,” he added.

Thornton said the big thing on the agenda now is encryption. “The challenge is to deploy something acceptable to business management, and acceptable globally. If you want encryption, and you’ve got 30,000 email users, where do you draw the line? It’s one thing to give senior managers encryption, but today’s organisations have a flat hierarchy and everyone is important,” he said.

Who drives infosecurity policy?

Tim Mather, director of information security at Symantec Corp, said: “Security is now a board-level decision, the security policy is a board-level procedure. However, the board must also take responsibility for enforcing that security policy through every line manager in the company. Without that, they are putting their business on the line in a game of Russian roulette with the hackers.”

Gerry O’Neill, senior manager at PricewaterhouseCoopers’ global risk management service, confirmed the need to get senior management buy-in.

“Last month we had a meeting of the BS7799 User Group. What came out loud and clear is that security is not about tools and methodologies. It is related to who you involve: the right people at the right levels – getting their involvement in the prioritisation and selection of controls,” he said.

Info Security Breaches 2000: key findings

  • 60% of organisations suffered a security breach in the past two years.
  • 31% do not recognise information as a business asset.
  • 75% had virus protection, and 83% used passwords.
  • Just 15% of firms use firewalls and only 8% use encryption.
  • Only 37% have undertaken risk assessment.
  • 75% of those suffering a breach had no contingency plan to deal with it.
  • Only 14% of organisations have a security policy in place.
  • Only 6% could name BS7799 and only 1% had heard of the c:cure certification scheme for BS7799.

The survey will be presented by e-minister Patrica Hewitt on 11 April at Infosecurity Europe 2000, Olympia, London.

Read more on Hackers and cybercrime prevention