
iProof Limited E Security for Britain

E-SECURITY FOR BUSINESS

Rising levels of global tension have engendered a feeling of security consciousness in the business community, particularly with regard to Internet security. Recent months have seen online attacks against businesses skyrocket. These attacks are motivated by many things, from nationalism to mischief-making, and cut across all sectors of industry, both public and private. However, the reaction these events have generated may be a panic reaction rather than a reasoned one: anxiety about bogeymen working in the shadows rather than a move towards a genuine understanding of what vulnerabilities exist and how to address them. The first step is education: making public policy makers and business leaders aware of online security issues and how these issues fit into the framework of more conventional security issues, and recognising the need for a key individual within each organisation to 'own' the preparedness of the organisation to confront the challenges of online security. Those key individuals must then have access to education and training so that they can lead their organisations in adhering to best-practice policies and minimising risks. An important component in this process of informing and educating the UK's business and leadership communities is 'grass roots' initiatives, such as eSecurity4Britain, which reach out to the business backbone of the UK.

The scope of the Internet security problem is greater than ever, and threatens all sectors of industry, both public and private. According to a recent survey by the Department of Trade and Industry (DTI), 44 per cent of UK businesses suffered at least one malicious security breach within the last 12 months. A disturbing one-fifth of these victims took over a week to recover from the incident, the cost of which averaged £30,000. However, four per cent of these incidents cost businesses over £500,000. Small businesses are particularly vulnerable, as even a relatively modest financial cost could be crippling. With fewer safeguards in place, Small and Medium Enterprises (SMEs) often represent the 'low-hanging fruit', easy targets for hackers and other malicious individuals who systematically scan the Internet for targets.

While hackers were cited by 11 per cent of companies as the cause of their worst security incident, they are not the only threat, as the DTI survey revealed. In 2002, 33 per cent of companies reported that the worst security incident they suffered was the result of a virus infection - often despite the fact that anti-virus software was in place. Other major threats reported were unauthorised access to confidential data (19 per cent), systems failure and data corruption (17 per cent), and staff misuse of company systems (seven per cent).

All this demonstrates that information-security issues are increasingly relevant to best-practice corporate governance. The first step to addressing these issues is ownership - someone within an organisation must be responsible for maintaining standards of information security. That individual must then educate himself or herself to the point where, at the very least, he or she can oversee the formulation of a security policy for the company. This policy is key - it spells out how security will be managed and what contingency plans will come into effect in case of a breach; it is the framework on which solutions to specific security problems are hung and provides a blueprint for minimising risks on all fronts.

Yet, while these security issues must be addressed, they can represent a significant challenge for smaller firms with limited resources. Even achieving the level of understanding required to formulate an effective security policy for a business, and dealing with, for example, third-party contractors providing security services and solutions, can consume significant resources - especially for SMEs. However, many resources exist to assist in meeting this first educational step and provide guidance and information. One of these resources, formed as a direct response to increased incidences of online security breaches, is eSecurity4Britain, an independent, not-for-profit educational forum that brings together a wide range of expert advice, best-practice information and security solutions in a practical, educational format. Our website, www.esecurity4britain.org, features best-practice information and self-assessment checklists that will aid companies in formulating effective security policies.

From a practical standpoint, when embarking on the formulation of these policies, managers should be aware of the British Standard for Information Security Management, BS 7799, the code of practice of which has been adopted internationally as ISO/IEC 17799. It serves as a benchmark for best-practice security policies whereby senior management can monitor and control their security, minimise their business risk and ensure that security continues to fulfil corporate, customer and legal requirements. Adherence to this standard should be a deciding factor when considering potential candidates to provide security services.

A top-level understanding of security issues is critical as each business's needs are different. (Again, grass-roots organisations have value as places where business leaders tasked with handling their organisation's security can go to compare notes with peers.) Education is still key, as online security needs must be placed within the larger security framework. It is no good having airtight e-mail security and virus protection if robbers can easily access the premises and steal the IT hardware on which the business depends. With a thorough understanding of the various issues, however, the proper priorities can be determined, a policy formulated, measures undertaken and practices put into place to minimise risk.

While it is beyond the scope of this article to detail the many aspects of online security, there are a few which are worth noting. E-mail is a virtually ubiquitous tool in the modern business world. As an absolute minimum, organisations should have measures in place to protect themselves and their clients or stakeholders from e-mail-related risks. One of the most obvious risks is viruses, which, as the DTI study stated, are a leading cause of security breaches, even in cases where anti-virus measures were in place. This presents a valuable example of how the security policy and a technological solution work together to protect an organisation. Viruses are often transmitted in the form of an attachment to an e-mail. When the attachment is opened, the virus is activated. However, if the organisation has a policy in place where staff are trained not to open unexpected e-mail attachments, then virus infections are much less likely. Note that 'unknown sources' is not a sufficient test on its own: mass-mailing viruses routinely forge the sender address using entries harvested from an infected machine's address book, so an infected attachment frequently appears to come from a known colleague or customer. Risk is further reduced by having virus-scanning technology in place at the mail gateway as a first line of defence, to identify and quarantine infected or executable attachments before they even reach the desktop.
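The gateway-side half of that defence can be illustrated with a small attachment filter. The following is an added example, not code from the original article or from iProof or eSecurity4Britain: it parses a message with Python's standard `email` library and quarantines attachments whose final extension is executable, or whose bytes begin with the `MZ` header of a Windows executable even though the filename claims to be a document. The blocklist, the sample message and its sender and recipient addresses are constructed for the example and are assumptions, not a recommended complete policy.

```python
"""Mail-gateway attachment filter: quarantine risky attachments before delivery."""
import email
from email import policy
from email.message import EmailMessage

# Assumption: a typical gateway blocklist of extensions that should never reach
# an end-user desktop. Tune this to your own security policy.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".vbs", ".js", ".wsf", ".hta",
}

# Leading bytes ("magic numbers") that identify an executable regardless of its name.
EXECUTABLE_MAGIC = {b"MZ": "Windows PE executable"}


def classify_attachment(filename, payload):
    """Return a reason string if the attachment should be quarantined, else None.

    Checks the *final* extension (so 'invoice.pdf.exe' is caught) and then the
    content itself, so a renamed executable ('report.pdf' beginning 'MZ') is
    also caught.
    """
    name = (filename or "").lower()
    parts = name.rsplit(".", 1)
    ext = "." + parts[1] if len(parts) == 2 else ""
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension {ext}"
    for magic, description in EXECUTABLE_MAGIC.items():
        if payload[: len(magic)] == magic:
            return f"content is a {description} despite name {name!r}"
    return None


def filter_message(raw_bytes):
    """Parse a raw RFC 822 message and return [(filename, reason_or_None), ...]."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        verdicts.append((filename, classify_attachment(filename, payload)))
    return verdicts


def should_quarantine(raw_bytes):
    """True if any attachment fails the policy; the gateway then holds the message."""
    return any(reason is not None for _, reason in filter_message(raw_bytes))


def build_sample_message():
    """Constructed sample message (not a real capture) with three attachments:
    a double-extension executable, a renamed executable and a harmless text file.
    Addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"MZ\x90\x00\x03", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"MZ\x90\x00\x03", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment("meeting notes", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    for filename, reason in filter_message(raw):
        print(f"{filename}: {'QUARANTINE - ' + reason if reason else 'pass'}")
    print("hold message:", should_quarantine(raw))
```

The filter inspects only what it can see directly: an executable inside a ZIP or other archive passes this check unless the gateway also unpacks archives, and encrypted archives cannot be inspected at all, which is exactly why the staff-training half of the policy remains necessary alongside the technical control.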

Without these measures in place, however, the company faces the risk of damage from the virus, which could cause loss of data, lost time in labour and disruption in workflow, and also the danger of confidential customer data being compromised, and loss of reputation. Again, by having a policy in place whereby critical data is backed up on a regular basis and procedures for reinstating that data are well rehearsed, these effects can be ameliorated.

The eSecurity4Britain initiative was established with the goal of disseminating knowledge that will help business leaders make informed decisions regarding the online security of their businesses, and of helping them connect easily and efficiently with peers experiencing similar problems and with security-solutions providers. The government should encourage this sort of 'grass-roots' initiative, working with organisations, the business community and solutions providers at both a local and national level by promoting and expanding the range of UKOnlineforBusiness's educational material, and working to stimulate open dialogue and give access to effective, low-cost education and training. Internal government initiatives, such as the installation of a secure e-mail system in the Cabinet and Home Office, and external initiatives like the SPAM Summit during July 2003, show that the government is starting to take e-security issues seriously.

The power of the Internet as a communications enabler should be leveraged to encourage the exchange of ideas and information, with the goal of helping business leaders educate themselves on security issues and gain the knowledge they require to make informed decisions about the issues that face their business. If better security measures can be put into place nationwide, then ultimately the economy as a whole will benefit, as losses are prevented and jobs protected.

Supplied by courtesy of Neil Sherratt, Director, iProof Ltd and Managing Partner, eSecurity4Britain.org

Published by Blakes for more than a quarter of a century