IT security kite-mark ignored.
The government is considering ways to improve the 'appalling' take-up of security standard BS7799, as worries over IT security failures grow.
The havoc caused by malware such as the recent SQL Slammer worm – which caused an estimated $1bn (£618m) of damage – along with fears that IT security does not command a high enough priority in businesses, has prompted the government into action.
David Hendon, director of communication and information industries at the DTI, warned that unless business leaders gave IT security a higher profile, security standards such as BS7799 could become mandatory.
Speaking at a conference in London, Hendon said: ‘There comes a point at which society cannot allow the corporate equivalent of train crashes to keep happening.
‘Corporate responsibility will have to be considered.’
BS7799 provides a framework for implementing an information security policy. The small number of firms that have achieved certification has worried the government – currently, only 80 certificates have been awarded to UK companies.
This is an ‘appalling’ figure, said Hendon. But, he admitted that even his own department, the DTI, was unlikely to devote money to seeking accreditation until it was forced to.
One way to encourage firms to seek certification would be through existing data protection law, according to lawyers. The Information Commissioner (IC) now includes a question on BS7799 certification in its annual data protection forms.
Under the Data Protection Act, companies holding personal data are required to ensure that the data is stored securely.
Jonathan Armstrong, technology lawyer at law firm Eversheds, believes the IC could presume that a firm which has not signed up to BS7799 is not taking effective measures to secure its data, and so make certification a de facto requirement.
But businesses would oppose the imposition of standards, especially as BS7799 is an expensive process that can take several years to achieve.
The need for information security was not disputed, but this should be ‘achieved through encouragement’, not force, said Jeremy Beale, head of e-business at the Confederation of British Industry.
Firms had been put off because of the perceived costs, said David Lacey, head of information security and governance at the Royal Mail Group. But after going through the accreditation process twice, he said this was a misconception: ‘It is a very efficient way of improving security procedures,’ he said.