Archive for February, 2007

IBM predicts security misery

Friday, February 16th, 2007

More sobering stats. A report by IBM’s Internet Security Systems division says that 2007 will be a bumper year for IT vulnerabilities. It talks of a major growth in vulnerabilities in 2006, with 20 new ones reported every day, and says the trend is set to accelerate in 2007.

We see similar figures on a regular basis, so in itself this story is alarming but hardly earth-shattering. What would make a difference would be if companies like IBM joined the chorus to encourage businesses to get certified to the relevant security standards.

Countering spam

Friday, February 16th, 2007

Some encouraging words about what is becoming a very depressing problem for most people. MessageLabs’ chief security analyst is turning the spotlight on ISPs as the organisations best placed to arrest the rising tide of spam. Particularly as spam acts as a conduit for dangerous malware, it is vital that ISPs start to play a constructive role in this. The smart ones will realise that they can win business by acting quickly; the others may very well deserve to go out of business.

Malware spillover

Wednesday, February 14th, 2007

Following the news a while ago that some Apple iPods had been shipped complete with a malware infection comes the story that your satnav system may also be a risk. TomTom has allegedly shipped devices that contain a Trojan virus that can jump to an owner’s PC when the two are connected. Happily, there’s no suggestion that this creates hazards for drivers on the road, but it clearly generates a most unwelcome intrusion when they get home. With consumer electronics so integral to our lives, paying customers should expect – and will soon demand – that manufacturers have such vulnerabilities locked down. I predict that not long from now ISO 27001 will become a far more mainstream concept.

Blended threats on the march

Monday, February 5th, 2007

As expected, blended threats continue to grow significantly. ComputerWeekly reports that in 2006 a company called ScanSafe encountered spyware growth of over 250 percent. What is more: “Not only did we see relentless growth in spyware throughout the year, but we saw that it is increasingly harbouring more sinister payloads.”

Other interesting trends highlighted include the increasing range of vulnerabilities linked to Instant Messaging: ‘Unauthorised internet chat and messaging sessions accounted for 15% of web filtering blocks, said ScanSafe. Internet Messaging systems, while increasingly popular at companies, are now a major target for malware spreaders.’

This amply demonstrates the need for companies to take a ‘whole business’ approach to their infosec issues – technological barriers will help in part, but educating the workforce is another critical component.