Alan Calder on IT Governance, information security & ISO 27001

This interesting article explains why old-fashioned crime – robbing a bank, say – has now gone online. It’s quicker, easier, and safer for the criminal. That does mean that organisations have to take care to protect themselves against cyber-criminals – and the steps that can be taken range from the simple (see 10 Rules of Information Security for the Smaller Business) to the sophisticated (implementing a best-practice Information Security Management System based on ISO27001, for instance).

At the very least, anyone with corporate responsibilities should have a reasonable understanding of cybercrime – as well as of cyberterrorism and its close cousin, cyberwar. There is a wide range of issues that today fall under the heading of White Collar Crime, and which need attention. Your business is at risk – finding out about the risks is a good first step to taking appropriate action!

Well, that’s a relief – the UK government has caught up with the fact that there are criminals on the Internet. The government has said that it will spend £7 million to establish the Police Central E-crime Unit (PceU) in London, that it will be run by London’s Metropolitan Police and will be more than half-funded by the Met.

I’m not going to waste time talking about the fantastic stupidity of creating and then, after three years, disbanding the High-Tech Crime Unit (creating SOCA, the Serious and Organised Crime Agency, whose priorities were drugs, people smuggling and similar more ‘traditional’ crimes) just as serious criminals migrated to the Internet. I am, though, going to make the obvious point that, even if the PceU does get going fairly early in 2009, it will still be something like two years before it will start being effective – it just takes a long time to get a new organisation (particularly a publicly-funded one) working, to get objectives and modi operandi and personnel and media and all those things properly sorted. And, in that time, cybercrime will become more sophisticated and the challenge of controlling it even more complex.

Let me put it another way: establishment of the PceU will be no panacea, anytime soon, for cyberthreats. Sensible organisations are just going to have keep on doing their own risk management around this issue.

Progress on both sides of the Atlantic in strengthening national laws against cybercrime. In the States, the House Judiciary Committee has approved a bill that proposes some fairly robust measures against transgressors. This seems the sort of toughening up that is needed in response to the increasing professionalism of cybercriminals. However, current debate in the UK’s House of Lords shows that hastily drafted legislation that carries a big stick can create unintended consequences. Let’s hope that the US bill receives thorough consideration before it passes the House and Senate.