Information security must be taken more seriously
Monday, January 12, 2009
As it emerges that departments still have lax data security practices, the Cyber Security Knowledge Transfer Network's director, Nigel Jones, calls for collaboration across the sectors and says staff must be convinced of personal data's value before they will protect it better
The issue of information security is growing in importance for government, academia and industry. Sadly, it seems, for the wrong reasons, as the UK has witnessed several high profile incidents of data loss in the last year. We have all seen the headlines in the media, whether the stories of information loss have been down to discarded computers holding sensitive data, or misplaced computer memory sticks.
As is often the case with governmental policy issues hitting wider public awareness, it takes mistakes – often human led – for an issue such as information security to be taken more seriously. Whilst not wanting to profit from scandalous data loss stories, recent activity has further reinforced the need for organisations that help government and industry to tackle information security breaches to work together.
The Cyber Security Knowledge Transfer Network (KTN) is the focal point for UK expertise in cyber security issues and technologies. We are an independent, business-focused network, funded by the government's Technology Strategy Board (TSB), as an advisory body for issues related to e-crime and information security.
The KTN connects cyber security experts in government, industry and academia and encourages them to collaborate on information security problems. The KTN recently worked with the government-funded Economic and Social Research Council (ESRC) and Hewlett-Packard Laboratories to produce guidance on the economics of information security that looked at improving the handling of sensitive data.
The joint research found that one way to improve data security is for government, business and the IT industry to share examples of information breaches, so a lessons-learned approach can be adopted. Opening up channels of communication, using the KTN as facilitator, will be beneficial, especially as there is little data available to measure incidents of cyber security infringement in the UK currently.
Staffing a safer security community
Motivating the government staff responsible for monitoring and maintaining information systems is essential. Leading IT economists have found that computer systems often fail not for technical reasons, but because the people who maintain them lack the incentive to keep security up to date. In this situation, IT managers must play an important role through their liaison with staff.
IT managers need to instil in their staff that the data they protect is as valuable as their own PINs or online banking details. The logic here is that staff should look after other people's data as if it were something of monetary value in their own home.
IT departments play an important role in protecting information systems – but they are not the only part of an organisation that needs to take e-security seriously. It is essential that all organisations, whether they are government departments or small businesses, address security issues at boardroom level. Senior executives need to make sure adequate security is in place before it's too late. A serious loss of data will affect reputation and finances. It is about prevention not cure, so getting management level buy-in to address security weaknesses is essential, especially if your department is not sure what level of security cover currently exists.
The style of language used to engage senior management about the need for security is very important. IT staff need to be aware that directors may not understand phrases such as 'compliance' and 'information assurance' in the context of information security. However, they do understand risk and business impact, and it is advisable to make a clear business case for information security, as well as addressing the impact on the organisation as a whole.
The technical side to security
Enhancing information security is not just about people and their behaviour. A great deal of data safety involves the technical side, often related to software and the internet.
The KTN's research has found that small businesses, with parallels to government departments, believed that having an IT department and a firewall amounted to sufficient information security cover. Businesses need to treat information as an asset with monetary value and protect it accordingly. Government departments need to review their security provision in line with the value of the information they hold, especially where there are doubts that sufficient security systems and processes exist.
Longer term, the KTN would like to see Internet Service Providers (ISPs) take a more active stance in providing better information security procedures. ISPs are in essence the gatekeepers to the internet, and they are in a unique position to initially detect if there are problems with government-run computers and systems. ISPs also have great potential to quarantine IT systems affected by e-security breaches and bugs.
Without getting too technical, programmers need to build security functions in from the start of the software design process. To 'bolt on' security as an afterthought can cost up to a hundred times more than designing it in, something to consider when online payment systems are broken into and security has to be retrofitted.
A simple solution to the dreaded lost memory stick containing sensitive information is simply this: make sure the data on it is encrypted, and keep the key or passphrase separate from the stick. Encryption is a straightforward process that can save government departments their reputation, and vast amounts of money as well.
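To show how straightforward the encryption step is, here is an added example that is not part of the original article: a small POSIX shell script that encrypts a file before it is copied to a removable drive, decrypts it again, and includes a cheap audit check for whether a file on a stick is actually ciphertext. It assumes only that the openssl command-line tool (version 1.1.1 or newer, for -pbkdf2) is installed; the function names, the passphrase and the sample CSV are all constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the article): encrypting a file before it goes onto a
# USB stick, so that a lost stick yields only ciphertext. Assumes the openssl
# command-line tool (1.1.1 or newer, for -pbkdf2); everything else is POSIX sh.
#
# Caveats a practitioner should know:
#  - "openssl enc" gives confidentiality only (no integrity tag); a tampered file
#    decrypts to garbage rather than being rejected. For production use prefer a
#    tool with authenticated encryption (e.g. gpg) or an encrypted container/volume.
#  - The passphrase is handed to openssl through an environment variable rather
#    than on the command line, so it does not appear in "ps" output. It must
#    never be stored on the stick itself.

# Encrypt $1 to $2 under the passphrase in $3.
# AES-256-CBC with a random salt and PBKDF2 (200,000 iterations) key derivation.
encrypt_file() {
    FILE_PASSPHRASE="$3" openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass env:FILE_PASSPHRASE
}

# Decrypt $1 to $2 under the passphrase in $3; returns non-zero on failure.
decrypt_file() {
    FILE_PASSPHRASE="$3" openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass env:FILE_PASSPHRASE
}

# Audit helper: does $1 start with the "Salted__" magic that "openssl enc -salt"
# writes? Cheap to run over a stick's contents before it leaves the building.
# It proves the file is in the encrypted format, not that a strong passphrase
# was used.
looks_encrypted() {
    [ "$(dd if="$1" bs=8 count=1 2>/dev/null)" = "Salted__" ]
}

# Demonstration on constructed sample data in a temporary directory.
# Returns 0 when the round trip succeeds and the ciphertext passes the audit check.
demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample record; not real data.
    printf 'name,reference,address\nSample Person,REF-0001,1 High Street\n' \
        > "$tmp/records.csv"
    encrypt_file "$tmp/records.csv" "$tmp/records.csv.enc" 'correct horse battery staple' &&
    decrypt_file "$tmp/records.csv.enc" "$tmp/records.csv.out" 'correct horse battery staple' &&
    cmp -s "$tmp/records.csv" "$tmp/records.csv.out" &&
    looks_encrypted "$tmp/records.csv.enc"
    status=$?
    rm -rf "$tmp"
    return $status
}

# Run the demonstration when the script is executed directly.
demo && echo "round trip OK, ciphertext passes audit check"
```

Only the .enc file should be copied to the stick; the plaintext and the passphrase stay on the originating system. A department can run looks_encrypted over every file on a drive as a leaving-the-office check, but it should treat a pass as a format check, not as proof that the data is adequately protected.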
Engaging with the KTN
As well as its recent work looking at the economics of information security, the Cyber Security Knowledge Transfer Network is acting as an industry facilitator, bringing together organisations across the security spectrum to improve data security delivery.
One key area of KTN activity is the formation of Special Interest Groups (SIGs). SIGs are created to address cyber security challenges that require collaboration between government, academics, business leaders and IT professionals.
The KTN recently set up its Economics of Information Security Special Interest Group (SIG). The group is open to the public, private, charitable, and governmental sectors. The SIG is chaired by Professor David Pym. It was set up to help IT managers gain a better economic understanding of how to formulate, resource and measure security policies in today's business environment.
The initial aims of the SIG include identifying key economic issues affecting the information security industry, establishing an interactive community, and identifying the true costs of implementing information security in business today.
At the heart of the KTN's activity is collaboration between government, academia and industry. As the Economics of Information Security group develops, we would like people from all of those sectors to get in touch and share ideas on how to improve information security delivery.
We also run other SIGs addressing issues such as secure software, privacy and human vulnerabilities. The KTN also offers grants and competition funding to help with cyber security research. For further information on how to engage with the KTN, please visit the website.
A future devoid of information security mishap?
In the future, we would like to see information security taken more seriously. If government departments, academia and industry do not address data security concerns, money and reputations will continue to be lost. Self-inflicted security breaches will lead to further media stories on how human beings are making hi-tech security systems redundant through basic errors. Ultimately, the KTN wants further industry collaboration to improve information security awareness and delivery in the UK.