Archive for July, 2006

Investors don’t get the message

Monday, July 24th, 2006

This research from Harvard and Carnegie Mellon universities shows that large companies have no clear stock price-related incentive to prevent privacy breaches. Despite clear evidence of vulnerabilities that could seriously harm their interests, investors give major quoted companies no more than a mild slap on the wrist when their IT security proves so lacking that one or more privacy laws are seriously breached. After an initial dip, share prices quickly return to normal.

CIOs shouldn’t take this as a green light to cut investment in protecting consumer privacy. The fact is that few institutional investors yet understand the potentially very high direct and indirect costs of these breaches, so they can’t yet price that risk into their investment decisions.

As investors become more knowledgeable, and as regulators become more determined about privacy, the share price impact of a serious breach will become more dramatic and more prolonged. That, plus the possibility of SEC investigations and class-action suits, should be enough to keep CIOs and boards focused on their responsibilities for protecting personal information.

Schneier’s wake-up call

Monday, July 10th, 2006

The ever-watchful Bruce Schneier has flagged up a story which, while no doubt eye-opening for Congress, will come as no surprise to anyone who’s aware that, in spite of their CAN-SPAM Act, the US is the world’s spam capital. What Congress needs to do is to take some determined action against spammers - otherwise it’s just going to go on being surprised by the obvious.

Offshore disaster

Wednesday, July 5th, 2006

Here’s the tip of a nasty iceberg for all those multinationals that have happily offshored various functions in recent years. You sort of expect a bank to get its security right, don’t you? Maybe not… HSBC is now in pursuit of a former Indian employee who compromised the bank’s security and defrauded 20 customers to the tune of $425k.

Is this a case of a bank failing to adapt its security policies and procedures to the local environment, or is it just a case of lax bank approaches to information security? It seems to me that banks spend an inordinate amount of money on technological security - all of which, one way or another, makes life more difficult and complicated for their long-suffering customers - but are unable to take appropriate actions at the human level. Yet, more than half of all information security incidents are generated by people inside an organisation’s secure perimeter.

I’m sure that the national skills registry the article talks of is a step in the right direction, but HSBC hadn’t even bothered to join it. The fact that this particular criminal wasn’t in the registry database is a separate issue; HSBC clearly doesn’t have a robust employee vetting process in place, something that ISO 27001 insists on as a basic information security management requirement (pre-employment screening is an explicit Annex A control in the 2005 edition of the standard).

While NatWest Bank in the UK seems to be doing nicely by boasting that its call centres are not offshored (although there is a big gap between the quality of their service and their rhetoric), Powergen is not alone in reversing its offshoring policy. But if offshoring made sense in the first place, why not follow through on that initial investment and develop an appropriate information security environment? Wouldn’t it be cheaper for these organisations to focus on the human aspects of information security - on proper employee vetting and on training and supervision, for example - than on investing in offshoring and then, equally expensively, reversing that decision?

Get Safe Online

Tuesday, July 4th, 2006

Get Safe Online is out banging the drum for improved Internet security awareness amongst consumers and small businesses. As expected, their new survey reveals some strikingly relaxed attitudes (e.g. 25% of respondents were either not aware of phishing scams, or were unsure of how to protect themselves from being lured to fraudulent websites). Their government-backed website provides a good primer in some of the basics of Internet security, but for businesses that are growing from the sapling to young tree stage it is also helpful to have some more detail, hence my chapter for small businesses in ‘A Business Guide to Information Security’.