CBI: boost security or face tougher laws

The Confederation of British Industry (CBI) is pressing businesses to take IT security more seriously or risk facing government regulations on information security.

The employers' organisation is concerned that the UK and US governments are hardening their attitudes towards companies that put Internet communication at risk through sloppy security practices.

The warning follows concern among governments, after the 11 September attacks in the US, that terrorists could disrupt critical communications on the Internet by planting malicious code in poorly protected company systems.

Jeremy Ward, CBI representative on information security at the Organisation for Economic Co-operation and Development (OECD), said the UK and the US governments had signalled that they may introduce legislation to enforce good security practices.

"Richard Clarke, Bush's cyber security chief, has said that we need to reconsider the concept that everyone everywhere must be connected to everyone else," Ward said.

"I sum it up by the phrase 'Get protected or get regulated'. There is a terrific impetus from governments, particularly the US, to introduce regulation in this area."

The employers' group is planning a campaign to urge its members to adopt the recently published information security guidelines from the OECD, which were rushed through at the insistence of the US administration following the attacks on 11 September.

The CBI regards adherence to the guidelines, which lay down eight broad security principles, with particular emphasis on risk management, as vital if regulation is to be headed off.

"You only have to look at the Regulation of Investigatory Powers Act to see that this country is very seriously considering the need for regulation in this area," Ward said.

"It's just not the security of your company that's a problem. Everything is interconnected on the Internet, so it's only as strong as its weakest link," he added.

The CBI is also urging companies to look at the possible benefits of BS7799 certification. Although take-up has been slow, with only 150 companies worldwide having formal certification, a new version of the standard released last week promises to make the certification process simpler.

But Ward suggested that some companies may want to apply the BS7799 principles without the cost of formal certification. There needs to be a clear business case to justify the cost of independent verification of a company's security, he said.