Wake-up call to business: Tighten up on information security

According to the Department of Trade and Industry there are 4.5 million businesses in the UK of which 99.3% are small to medium sized enterprises (SMEs), employing 0-49 employees. These comprise 58.9% of the total workforce of 24.4 million and account for 51.9% of the £2,600 billion UK turnover. Bruce Hallas, a specialist in information security, said "SMEs are particularly prone to poor or even non-existent information security. As awareness of the importance of information security increases, the SMEs stand to lose competitiveness, potentially losing contracts with existing clients and suffering the financial consequences that are increasingly arising from information security incidents."

An over reliance on Information Technology (IT) has developed over recent years. According to Hallas, this is the result of confusing Information Technology with Information Security (IS). With 'insufficient' money to invest in expensive information security expertise, many SME's are investing heavily in IT in the mistaken belief that IT will ensure IS.

"Yet the largest business drivers for security investment are contractual, regulatory, market pressures from consumers, corporate clients and the public sector. Not the typical domain of IT. The biggest security vulnerability lies with people," Hallas says. "Security is about managing the risk from people, both known and unknown, interacting with your information and information systems. It is more about people management than technology."

Tyler Moore of the Computer Laboratories, University of Cambridge expanded, "Information security is now a mainstream political issue, and no longer the province of technologists alone," he said. "People used to think that the internet was not secure because there was not enough of the right technology, not enough sophisticated cryptographic mechanisms, authentication or filtering etc. so advanced encryption, public key infrastructure and firewalls were added. The internet did not get any safer," he added. "In 1999 it became clear that even the latest and greatest technology will not solve all our problems if those who protect and maintain them are not sufficiently movitated. The issue is one of incentives."

The impact of an under-incentivised workforce can have devastating consequences in business such as denial of service attacks allowing viruses to infect the IT system, hospitals putting access to data above patient privacy, bank customers suffering phishing attacks by poorly designed banking systems.

"Economics can explain many of the failures and challenges in a new way" Tyler Moore said. "As companies are beginning to realise the value of good information security practice so security measures are being used not only to manage the evils of the attackers but also to support the business models of companies."

Now that the Achilles heel of the information security problem has been identified, companies, especially banks, often fight shy of divulging information about attacks, whether they have been successfully repelled or not because the information concerned may be sensitive.

Help is at hand in the form of a new report "Security Economics and the Internal Market" which outlines police options regarding the economic problems in providing IS.

The report's first recommendation is for the EU to issue a comprehensive breach notification law to notify consumers when their details have been compromised so they can protect themselves.

Source: Economic & Social Research Council

Related stories:

MySpace links users to US hurricane emergency alerts
In what is heralded as the seeds of an Internet-age emergency broadcast system, MySpace has teamed with the US Department of Homeland Security (DHS) to spread news on hurricanes through users of the online social network.
Home IQ: Winning technologies will make people smarter -- not their houses
Someday, we may be getting fashion advice from our mirrors. Instead of digging through our closets to find the perfect complement for a new shirt, we may hold it up to our bedroom mirror for a computer to scan. Using radio-frequency identification technology, our electronic fashion stylist will then offer suggestions based on what's in our closet or how the latest edition of Vogue or Teen Beat pairs up something similar.
Verizon's G'zOne Boulder cell phone is military tough
For all the convenience and security they offer, it doesn't take much to fry a cell phone. Ever bend over to refill Fido's bowl and have your phone tumble out of your pocket and into the water? Or leave it by the edge of a pool only to have some kid come by and cannonball it into oblivion? Even accidentally dropping it onto the pavement or getting sand inside can do serious damage.
Keeping an eye on intruders
Electronic fingerprinting, iris scans, and signature recognition software are all becoming commonplace biometrics for user authentication and security. However, they all suffer from one major drawback - they can be spoofed by a sufficiently sophisticated intruder. Writing in the International Journal of Biometrics, Japanese researchers describe a new approach based on a person's reflexes that could never be copied, forged, or spoofed.
FAA outage reveals odd computing practices
(AP) -- When a computer glitch at a Federal Aviation Administration center caused widespread airline delays this week, it served as a reminder that the U.S. flight system is waiting for a modernizing overhaul. But it also appears the FAA's management of its existing technologies falls short of standards in other vital sectors.
MIT software aims to thwart cyber hackers
(PhysOrg.com) -- In response to the chronic cyber threat of hackers, MIT Lincoln Laboratory researchers are developing a software tool to identify the most vulnerable points in a computer network. The tool aims to make it possible for system administrators to focus on parts of a network that are most prone to attack, instead of securing all parts of the network.
Saving lives through smarter hurricane evacuations
(PhysOrg.com) -- Hundreds of lives and hundreds of millions of dollars could potentially be saved if emergency managers could make better and more timely critical decisions when faced with an approaching hurricane. Now, an MIT graduate student has developed a computer model that could help do just that.
Best Western rebuts claims of massive data breach
(AP) -- Did a computer intrusion at a Best Western hotel in Germany open the door for a hacker to steal the records of 8 million customers and pull off "the greatest cyber-heist in world history," as a Scottish newspaper put it?

News discussion:

Technology news