Identity protection and patching top IT concerns

The security problems faced by IT organisations in 2003 will intensify in 2004 and many users will be left grappling with increasingly complex issues of security architecture, patch management, authentication and legislation, as well as the perennial problem of hacking and viruses.

Patch management

Businesses will be forced to review their patching strategies as the gap between new vulnerabilities being discovered and hackers or virus writers exploiting them continues to shorten, according to Graham Titterington, IT security analyst at Ovum.

"It will make companies more anxious to apply patches more quickly and to keep their anti-virus systems up-to-date. But doing this will not be easy, particularly for firms with hundreds or thousands of servers," he said.

Identity management

The impact of regulations such as the Data Protection Act, Freedom of Information Act and Sarbanes-Oxley in the US will also influence the thinking of IT directors.

They are likely to spur companies to invest in sophisticated identity management systems that will not only control who has access to which company systems, but are also likely to help companies improve their productivity.

Neil Barrett, technical director of IT security consultancy Information Risk Management, believes that social engineering and "phishing" attacks - using spoof e-mails and websites to trick people into revealing confidential data - will pose an increasing problem for businesses next year.

As companies continue to improve their defences, hackers will increasingly resort to deception to persuade staff to part with vital security information.

"Organisations will need to see security as not just an IT matter, but as a business issue. The obvious thing to do is to get other parts of the business on board so they are not dealing with problems themselves," said Barrett.


Rather than concentrating solely on keeping the criminals out, a growing number of companies are acknowledging that hackers will penetrate their systems and are putting plans in place to deal with breaches when they occur.

More firms will set up incident response teams in 2004, with remits to ensure that when attacks take place the business can continue to function and remedial action is taken, said Barrett.

The need to gather admissible evidence against successful hackers will pose one of the biggest challenges for these teams next year, said Peter Sommer, reader in computer security at the London School of Economics.

"A number of companies have been thinking about setting up their own computer teams. I am not sure this is the right thing to do because it will mean having skilled people they are not using 90% of the time," he said.


For Philip Virgo, general secretary of Eurim, the highlight next year will be the Home Office's long-awaited e-crime strategy.

Due in the spring, it is expected to address the need to train IT security specialists to nationally agreed standards and provide security guidance for small firms.

There will also be closer collaboration between businesses and the government to tackle phishing attacks on banks, which are threatening public confidence in internet banking.

"We will probably see internet domains such as, and set up for regulated organisations. That will provide a framework for which whole sections of the internet are locked down," said Virgo.