Network security feature

BRITAIN’S economic progress is at risk because small firms are not doing enough to stop cyber crime and human error from damaging business information.

That’s the grim conclusion following research by the Economic and Social Research Council (ESRC).

According to the research funding agency the root cause of the problem is that smaller companies are making the mistake of confusing information technology (IT) with information security (IS).

Bruce Hallas, a specialist in information security at the funding agency, believes that as awareness over the importance of information security increases SMEs stand to lose competitiveness and potentially contracts with existing clients as a result of the financial consequences that arise from information security incidents.

“With insufficient money to invest in expensive information security expertise, many SMEs are investing heavily in IT in the mistaken belief that IT will ensure IS,” he adds.

“Yet the largest business drivers for security investment are contractual, regulatory, market pressures from consumers, corporate clients and the public sector. Not the typical domain of IT. The biggest security vulnerability lies with people.

“Security is about managing the risk from people, both known and unknown, interacting with your information and information systems. It is more about people management than technology.”

Tyler Moore, IS expert and one of the authors of a European Network and Information Security Agency (ENISA) commissioned report on policy options regarding the economic problems in providing IS, agrees.

“Information security is now a mainstream political issue, and no longer the province of technologists alone,” he states.

“People used to think that the internet was not secure because there was not enough of the right technology, not enough sophisticated cryptographic mechanisms, authentication or filtering so advanced encryption, public key infrastructure and firewalls were added.

“However the internet didn’t get any safer and by 1999 it became clear that even the latest and greatest technology would not solve all our problems if those who protect and maintain them are not sufficiently motivated. The issue is one of incentives.”

Indeed, having an under-incentivised workforce can have devastating consequences, and it’s a phenomenon that the UK is becoming increasingly familiar with. Both the private and public sector have suffered humiliating security breaches in the past few years, in particular the loss and theft of data.

And the problem of poor IS procedures is more widespread than previously thought, according to a recent Bell Micro report. Despite firewalls and mail filters, more than 60% of survey respondents said they still received unwanted emails from apparently reputable sources such as banks (known as phishing).

Examples of potential damage by inappropriate IS systems:

* Distributed denial of service attacks, where viruses infect machines. The users of the machines often do not know about it, but their machines are used remotely to target other people.
* Health records: Patients suffer when hospital system initiators put the simplicity of the IT system and its access to researchers above the value of patient privacy.
* Bank customers suffer when poorly designed systems enable phishing* to happen and make fraud easier.
* Casino websites suffer whenever they are hit by denial of service website attacks and extorted for ransom.

\* Phishing: “The practice of luring unsuspecting Internet users to a fake Web site by using authentic-looking email with the real organization’s logo, in an attempt to steal passwords, financial or personal information, or introduce a virus attack; the creation of a Web site replica for fooling unsuspecting Internet users into submitting personal or financial information or passwords.”

But perhaps more worrying is that half of those surveyed used names of family members or favourite sports teams as their passwords – information which can easily be gleaned from social networking sites (which 41% of respondents’ employers let them visit at work) or by hacker programmes.

Staggeringly 73% of respondents actually revealed their mother’s maiden name to researchers – a prime example of sharing personal information that is traditionally used as a password or prompt.

“The areas of concern that become apparent from this research unfortunately seem to point to staff as the weak link in the security chain,” says Steve Browell, general manager of Bell Micro’s security division.

“There is still too much reliance on non-random password protection, which can easily be hacked by identifying personal information so freely distributed on social networking sites.”

According to Moore it’s economics that can explain many of the failures and challenges surrounding IS.

“As companies are beginning to realise the value of good information security practice so security measures are being used not only to manage the evils of the attackers but also to support the business models of companies,” he says.

Admittedly, some of the recommendations from the ENISA report make good sense such as recommending the EU to issue a comprehensive breach notification law to notify consumers when their details have been compromised so they can protect themselves.

But for small business managers faced with the reality of protecting their businesses and complying with new regulations, such reports are of little value. According to Robin Hill, co-founder of Leeds-based “vulnerability” management systems developer RandomStorm, education and resources are the vital elements currently missing.

The company offers a range of on-demand scanning, monitoring and alert services to meet the security requirements of any size of firm without the need for additional infrastructure development. Its applications are particularly attractive for firms operating under strict regulatory regimes governing data theft/protection and transfer.

“I don’t think that SMEs are negligent,” says Hill.

“But there is a knowledge gap. Government business agencies might offer information on IT but I’m not aware of any that offer advice on network security. I think that’s one of the main reasons that SMEs have poor IS knowledge and understanding.

“They’re aware that they have a duty to protect data and so go out and buy IT, not realising that IT is just systems not security.

“Another issue is that small firms often don’t have the skills needed to ensure good network security.”

To help protect customers, staff and the business, Hill recommends an annual health check – something he says won’t cost the Earth. RandomStorm also offers free security scans, followed by a full security report, to anyone visiting its website.

“A security consultant will be able to point out potential failures and advise on best practice,” he adds.

With new rules governing the protection of credit card data, companies that neglect to check their network security are exposing themselves to even greater risks. According to the experts, compliance and best practice not only secure a firm’s future but could even generate commercial opportunities and potential. Time to start reviewing those passwords, it seems.

The Cyber Security Knowledge Transfer Network (KTN) is the focal point for UK expertise in cyber security issues and technologies. The KTN is an independent, business-focused network, funded by government as an advisory body for issues related to e-crime and information security. The KTN is tasked with connecting cyber security experts in government, industry and academia to encourage collaboration as a way to solve problems, develop innovative ideas and support the growth of UK expertise and leadership in the cyber security market.
