Security by numbers
A couple of months ago, I asked in this column whether bad IT security should become a crime in and of itself, my argument being that a legal duty of disclosure, now enforced in some US states, could induce bean counters to err on the side of caution rather than cheapness when paying for security measures – better spend a few thousand now to avoid a fine with several more zeros if a security hole you knew about gets exploited. In a nutshell, criminalise the breach of data protection rules.
I wasn’t altogether surprised when this argument brought more than the usual crop of nuts from their shells and into my mailbox (you know who you are), although the specific gravity of the vitriol thrown was somewhat higher than expected, even from a community best described as “mad as a box of frogs”. Balancing these rants was this rather thought-provoking mail from Glenn Glidden, IT manager at a college of further education: “I agree that reputation damage could be a good lever for trying to get organisations to change IT security policies, but wouldn’t one way be for the government to require public bodies to implement BS7799?”
He continues: “As far as I am aware there is no specific requirement. Of course, that doesn’t mean it will be applied, hence my support for criminalising such security breaches, doubly so if you know what you should have done.” Glenn himself is addressing the problem with what he sees as an intermediate solution: using the UCISA Information Security Handbook (www.ucisa.ac.uk/publications/ist.aspx) as the basis for local policy. This document is based on BS7799 and covers around 90% of its requirements, but it can’t magically supply the time Glenn needs to implement it, nor can it ensure his staff comply with it: “That’s where legal and government compulsion would help. I’m the only one driving this forward at the moment, hence the slow plodding progress.” Glenn adds: “Implementation time with the handbook would be quicker if it was actually presented as a full policy with audit checklists, so it was closer to an end result. In addition, a staff guide to why security was important would be useful, but appears missing.”
Which prompts me to ask you, the reader: are you implementing BS7799 (now ISO/IEC 27001) and, if so, how are you getting on and what resources have you found most useful? What pitfalls have you encountered? Depending on your responses I might devote an entire column to this.
Into the brown stuff
The annual InfoSecurity Europe show is now well and truly behind us, but its legacy of press releases, surveys and research reports lingers on like a bad smell. If anything is calculated to raise my blood pressure to danger level, it’s the annual survey the organisers of this show conduct during the run-up, no doubt to publicise the event as well as security awareness in general, and which always seems to involve chocolate. It isn’t the survey itself that winds me up, but the way it makes apparent the inability of the great British public to get their heads around the concept that their data is valuable and that they need to play a part in protecting it.
That’s why I was pleasantly surprised by the results of the latest poll, which took place outside a busy London railway station and involved a group of pretty ladies asking inappropriate questions about personal IT security issues in exchange for a chocolate bar. The good news is that things have actually become better, or so it would seem, since only 21% of those asked were prepared to reveal their passwords for chocolate this year, compared to a massive 64% last year. Interestingly enough (although hardly surprising given that my wife and all her friends seem addicted to the stuff), women were four times more likely to succumb to this particular form of bribery than men.