The mood among information security people has improved but remains downbeat, according to the 2008 Information Security Breaches Survey.
Computer technology can itself cause a security problem, or it can merely be the means by which a breach occurs. The survey found that businesses are becoming increasingly concerned about what is being said about them on social networking websites, such as Facebook and Bebo, and some have experienced loss of confidential information. IT staff at an insurance company used an Internet chat room to help them solve technical issues. However, this resulted in them inadvertently disclosing the company’s security set-up and configuration in a public forum.
The two biggest drivers for spending on infosecurity are protecting customer information and company reputation. For instance, a large bank was replacing its data storage hardware. It sold off an old tape silo that it no longer needed. Unfortunately, this was still full of old tapes containing unencrypted customer data. A government agency suffered much adverse media coverage after it lost a large quantity of customer data. In addition, the investigation involved more than 100 man-days of effort. In another case, a conscientious member of staff at one large business started a system for recycling paper. Sadly, the risk of confidential documents being exposed on their way to recycling was not considered.
The number of companies scanning outgoing email has gone up. Over half of large businesses and a quarter of small ones now scan for inappropriate content such as swear words in their outgoing email, an increase of about half over the last two years. However, only one in six businesses checks for confidential data leaving by email. Companies that do scan outgoing email had fewer confidentiality breaches on average. The survey gives the case of a call centre worker using their work email to ask an external party whether they wanted to acquire customer data. The email stated that if the person was interested in acquiring the data they could contact the employee on their work phone number.
There remains a correlation between the priority senior management give to security and expenditure on it. For example, companies for whom security is not a priority at all spend less than 1pc of their IT budget on security on average. However, even companies where security is a low priority are now devoting 6pc of their IT budget to it. Companies where security is a medium priority have increased their expenditure most; they now spend as much as those where it is a very high priority. There is a balance for companies to strike between the risk of being vulnerable to attack (if patches are not installed immediately) and the risk of systems instability (if a patch causes problems with the systems in use). For instance, a company bought IDS (Intrusion Detection Software) and installed it on the network; however, they have not had the resource or budget to tune and monitor it. So they are not getting any real value from it.
A pharmacy chain used to rely on paper-based security procedures, since the pharmacists gained the patient’s consent to holding data through physical signature. The increasing use of electronic records is causing the organisation to put more emphasis on information security.
The security officer at a retail bank commented that information security has senior management’s ear but middle management, who are responsible for implementation, are much less convinced. Information security is one person’s enabler and another’s cost of doing business.
A technology company nearly lost some confidential data when tapes were being transferred by a courier firm. By mistake, the delivery driver took the tapes to the next-door address, which was a building site. Rather than realising the error, the driver simply allowed a builder to sign for the tapes. Fortunately, they were recovered.
An insurance company has offshored some of its processing. To mitigate the security risks, the company applies the same control requirements on the outsourced operations as it would if they were in-house. Critically, there are people on-site in the overseas location whose job it is to monitor and supervise the offshored activities.
A medium-sized retailer in the Midlands commented that their senior management have a poor understanding of information security issues and so give it a low priority. The board wants protection without being prepared to spend what is required. To overcome this, the company uses its external systems auditors to assess the security risks and consults widely with personal contacts in the business and security community.
The culture at one distribution company has changed over the last five years. The company invested in ISO 27001 certification several years ago. However, the business viewed security as an inhibitor to business, a particular bugbear being the removal of shared IDs. Increasingly, customers are now focusing on information security in their tender processes. The ISO 27001 certification is helping to win business; this has changed management’s perception considerably.
An IT department piloted software to monitor web usage. The head of IT explained to the team how their activity would be monitored and the disciplinary consequences of inappropriate usage. Unfortunately, this was not enough to change all the behaviour. The software identified a number of individuals in IT abusing access; one was ultimately fired and others formally disciplined. Filtering incoming email to strip out unsolicited junk emails ("spam") has now become virtually universal in UK business. A medium-sized business installed software to scan incoming email for profanity. Unfortunately, the scanner blocked a number of legitimate messages from their business partners in Sweden. It turned out that a common Swedish word is spelt the same way as an English profanity.
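The two email-scanning points above, that few businesses check outgoing mail for confidential data while word-list profanity filters produce false positives on innocent foreign-language words, can be made concrete with a small outbound-mail scanner. This is an added example and not code from the survey or from any of the companies it describes; the blocked words, the partner domain `partner.se`, the allow-list and the `CUST-123456` customer-reference format are all constructed placeholders, since the report names none of the real values.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed placeholders: the survey names no actual words, so "badword"
# stands in for an English profanity that is also an innocent word in a
# business partner's language.
BLOCKED_WORDS: Set[str] = {"badword", "rudeword"}

# Constructed allow-list keyed by recipient domain (hypothetical domain):
# tokens that are legitimate words for that partner and must not be flagged.
PARTNER_ALLOWLIST: Dict[str, Set[str]] = {
    "partner.se": {"badword"},
}

# Constructed format for an internal customer reference, e.g. CUST-123456.
# Checking for this is the "confidential data leaving by email" rule that
# only one in six businesses applied.
CUSTOMER_REF = re.compile(r"\bCUST-\d{6}\b")

# Whole-word tokeniser: matching complete tokens rather than substrings avoids
# flagging innocent words that merely contain a blocked string.
WORD = re.compile(r"[a-z']+")

Finding = Tuple[str, str]  # (rule name, detail)


def recipient_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def scan_outgoing(recipient: str, body: str) -> List[Finding]:
    """Run both outbound rules over one message and return the findings."""
    findings: List[Finding] = []
    allowed = PARTNER_ALLOWLIST.get(recipient_domain(recipient), set())

    # Rule 1: profanity filter, with a per-recipient allow-list so that a
    # partner's innocent word does not block legitimate correspondence.
    # dict.fromkeys de-duplicates tokens while keeping their order.
    for token in dict.fromkeys(WORD.findall(body.lower())):
        if token in BLOCKED_WORDS and token not in allowed:
            findings.append(("profanity", token))

    # Rule 2: confidential customer data leaving the company.
    refs = CUSTOMER_REF.findall(body)
    if refs:
        findings.append(("confidential_data", f"{len(refs)} customer reference(s)"))

    return findings


def decide(findings: List[Finding]) -> str:
    """Map findings to an action: block data leakage, quarantine profanity."""
    rules = {rule for rule, _ in findings}
    if "confidential_data" in rules:
        return "block"
    if "profanity" in rules:
        return "quarantine"
    return "deliver"


if __name__ == "__main__":
    # Constructed sample messages illustrating each outcome.
    samples = [
        ("anna@partner.se", "Hello, badword means something else in our language."),
        ("bob@other.example", "Hello, badword means something else in our language."),
        ("carol@other.example", "Interested in buying CUST-123456 and CUST-654321? Call me."),
    ]
    for to, text in samples:
        result = scan_outgoing(to, text)
        print(to, decide(result), result)
```

The allow-list is deliberately scoped to the recipient domain rather than applied globally, so the Swedish partner's word is accepted only on mail to that partner. The confidential-data rule ranks above the profanity rule in `decide`, reflecting the survey's point that data leaving the company is the more consequential breach.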
Increasingly, companies realise that what they need to do is to change their staff’s behaviour rather than just increase awareness and skills. A “click mentality” has grown up – users do what expedites their activity rather than what they know they ought to. Only when behaviour changes, do businesses realise the benefits of a security-aware culture. One bank found that bringing humour into awareness training has generated more interest and better results. People are much more positive about the training and the messages have stuck better. Examples of positive behaviours showing a high priority include IT literacy at the board level, insistence on effective backup and access control processes, willingness to spend money and regular engagement on security issues. Behaviours that convey a low priority include wanting protection without being prepared to pay for it, lack of action after a security breach, poor understanding of technical issues and too little attention to raising staff awareness.
Simply telling staff not to use removable media devices, a practice relied on by a fifth of firms, does not seem to make a major difference to the chances of having a confidentiality breach. Encryption of data alone does not seem to prevent all breaches, since some organisations that encrypt confidential data still report confidentiality breaches. One medium-sized firm found it hard to persuade the board to deploy security over USB sticks, since the business was making widespread legitimate use of them. Recent high profile security breaches at other companies have helped the directors understand the potential for brand damage and compliance breaches. As a result, secure USB sticks with enforced encryption and complex passwords have been issued to the staff who need them and other devices have been blocked.
Statistics about infosecurity breaches under-estimate the problem, it is suggested. There is some evidence that management is becoming desensitised to minor incidents in well-understood areas, such as systems failure and virus infection. Companies no longer regard these as security breaches, but as routine events swept up by business-as-usual controls without needing to be logged. In some areas, such as network penetration and staff misuse, many companies still lack the controls that would enable them to detect all incidents. According to the hacking community, only a tiny proportion of actual penetrations are detected by network owners. Many firms do not fully appreciate the risks posed by newer technologies (such as USB sticks, Voice over IP, instant messaging and social networking) and so are not aware of breaches involving them. Moreover, many companies do not log security incidents, and so are likely to under-report the number of incidents.
You can download the report or a digest at the Department for Business website:
Or at the website of auditors PwC: