Businesses ignore new security standard

The havoc created by worms such as the SQL Slammer has alarmed the government, alongside fears that IT security does not have high enough priority for businesses.

Slammer caused $1bn of damage globally, despite a patch for the vulnerability having been released eight months previously.

David Hendon, director of communication and information industries at the Department of Trade and Industry, warned that unless business leaders gave IT security a higher profile, security standards such as BS7799 could become mandatory.

Speaking at the Protecting Critical Information Infrastructures conference in London, Hendon said: ‘There comes a point at which society cannot allow the corporate equivalent of train crashes to keep happening. Corporate responsibility will have to be considered.’

BS7799 provides a framework for implementing a security policy. The lack of firms that have achieved accreditation has worried the government – currently, only 80 certificates have been awarded to UK companies.

This is an ‘appalling’ figure, said Hendon. But he admitted his own department, the DTI, was unlikely to devote money to seeking accreditation until it is forced to.

One way to encourage firms to seek accreditation would be through existing data protection law, according to lawyers.

The Information Commission has started including a question on BS7799 certification in its annual data protection forms.

Under the Data Protection Act, companies holding personal data are required to ensure that the data is stored securely.

Jonathan Armstrong, technology lawyer at law firm Eversheds, believes that the IC could presume that if a firm has not signed up to BS7799, it is not taking effective measures to secure its data, and so make accreditation a de facto requirement.

But businesses would oppose the imposition of standards, especially as BS7799 is an expensive process that can take several years to achieve.

The need for information security was not disputed, but this should be ‘achieved through encouragement’, not force, said Jeremy Beale, head of e-business at industry group the Confederation of British Industry.

This could be done by favouring accredited firms in government tenders, he added.

Firms had been put off by the perceived costs, said David Lacey, head of information security and governance at Royal Mail Group. But after going through the accreditation process twice, he said this was a misconception: ‘It is a very efficient way of improving security procedures,’ he said.