British Computer Society website
November 2007
A Call to Security Action
Alan Calder, chief executive of IT Governance Limited, looks at the House of Lords report on security.
The recent, comprehensive report into 'Personal Internet Security' published by the House of Lords Science & Technology Select Committee described the internet as 'a powerful force for good' and added that a world without the internet was now 'hardly conceivable'. At the same time, however, it depicted the internet as a lawless Wild West and stressed the dangers posed to the individual by online fraud, stating that businesses were not doing enough to protect their customers from ecrime.
The report underlined the scale of the challenge by stating that ecrime is now more feared than mugging or burglary and that over 20 per cent of people feel it to be the type of crime that they are most likely to encounter. In response, it suggested two courses of action to remedy the situation: 'One is to promote awareness of the risks online; the second is to instill knowledge of how practically to manage them. Both are necessary - one without the other is of little use.'
While this is good, sensible advice it remains to be seen what flesh will be put on the bones of this proposal. While the essentials of internet security can be clearly and concisely explained - as we ourselves have done in our popular plain-English guide - it still requires the individual to focus their time and attention on the subject. While I am generally optimistic about Man's capacity for self-improvement, I am less confident that a majority of computer users will make the time for such essential reading.
Therefore, there is indeed a major onus on businesses and organisations to act in their customers' interests. The authors of the report believe that a law on data security breaches would be one of the most important measures the UK could adopt to promote personal internet security.
This would include definitions of security breaches, a central reporting system and a clear policy on notification letters, which would contain advice on how to deal with the situation. However, until such a law is enacted organisations must themselves take steps to protect their information.
ISO 27001, the global information security standard, is the benchmark for first-rate information security, and becoming ISO 27001-certificated is the best method of protection an organisation can have. It would therefore behove the Select Committee very well to explicitly call for organisations to embrace ISO 27001 as soon as possible in order to protect their customers and themselves.
While considering the dangers posed by ecrime to individuals and organisations alike, the report also noted that when ecrime did occur the systems available to deal with it were often insufficient. Since the National High Tech Crime Unit (NHTCU) was disbanded and absorbed into the new Serious Organised Crime Agency (SOCA) there has generally been no authority to which ecrime can be reported.
The report urges the reversal of a recent decision not to report ecrime directly to the police, stating, 'It is essential that victims of ecrime should be able to lodge a police report and have some formal acknowledgement of the fact of a crime having been committed in exchange'. However, the fact also remains that local police forces are often ill equipped to deal with ecrime, especially when the perpetrator is based in some other jurisdiction.
For example, an ecrime could be committed by individuals based in Russia, who could steal the credit card details of people in the US and use them to purchase from a website owned by a UK company but hosted on a Canadian server. This clearly illustrates just how vitally important a coordinated international police approach is to dealing with ecrime, and just how correct the authors of the report are in recommending that a dedicated ecrime unit be set up within the police service.
The committee has acquitted itself well in squaring up to the challenges of ecrime. Their report makes many pertinent points in relation to the online security of individuals and organisations and offers some very timely insights into the policing of the internet. However, when it comes to personal internet security it is clear that we are in for the long haul.
Alan Calder is chief executive of IT Governance Limited (www.itgovernance.co.uk), the one-stop shop for information security books, tools, training and consultancy. He is author of 'The Internet Highway Code', a plain-English guide to Internet self-protection for individuals.