Posts Tagged ‘fraud’

House of Lords E-Crime Report

Thursday, August 23rd, 2007

The recent report from the House of Lords Science and Technology select committee into ‘Personal internet security’ highlights the fact that businesses are not doing enough to protect their customers from the dangers of e-crime and on-line fraud. Clearly this is not exactly a ground-breaking conclusion; however, it is certainly an important one.

The report emphasises my long-held view that organisations need to take action to protect valuable data. ISO 27001, the information security standard, is the benchmark for first-rate information security, and certification is the best method of protection an organisation can have. Organisations should get certified to ISO 27001 as soon as possible in order to protect their customers as well as themselves.

Surely it is time that the National High Tech Crime Unit (NHTCU) was re-banded in order to tackle e-crime effectively and, hopefully, deter those responsible. Since it was disbanded and absorbed into the new Serious Organised Crime Agency (SOCA) there has generally been nowhere that e-crime can be reported to, and local police forces are often ill-equipped to deal with e-crime, especially where the perpetrator is based in some other jurisdiction. For example, e-crime can be committed by people based in Russia who have stolen the credit card of people in the US and are now using it to purchase from a site owned by a UK company but hosted on a Canadian server. This simple example illustrates just how vitally important a co-ordinated national police approach is to dealing with e-crime. PCI DSS will not be enough on its own. The complexities of e-crime need a dedicated unit, so bring back the NHTCU!

Meanwhile, whilst organisations are making the necessary changes to protect sensitive information, individuals should also take action to protect themselves, and the ‘Internet Highway Code’ is the benchmark here. It sets out ten straightforward, no-nonsense, plain English rules for staying safe online and arms anyone using a computer with the knowledge of how to avoid the problems that make the newspaper headlines.

Crash and burn – you don’t have to

Monday, December 20th, 2004

2005 will be the year that more organizations crash and burn through inadequate information security and IT governance practices: more IT projects will go wrong, there will be more malicious incidents, more organised crime frauds and some serious terror attacks, along with even more viruses and increasingly clever spammers. Remembering that 80% of organizations never recover from a serious business interruption (fire, fraud, terrorism, etc), the turn of the year is a good time to re-think security postures.

The revised and updated ISO 17799, due out in Spring 2005, will not, on its own, save many organizations. What will save organizations is directors and boards making a conscious effort to put information security on their board agendas and to keep it there throughout the year, while they make sure that their organizations are tackling IT projects and information security strategically and systematically.

Cyber criminals get organised…

Monday, November 22nd, 2004

The last few days have seen a deluge of newspaper headlines and stories about “phishing” frauds. “Phishing” is easy for the consumer to deal with: DON’T respond to invitations to “re-confirm” your personal banking details, however convincing the apparent invitation from your bank to do so.

More insidious, and a much longer-term threat that is not getting much publicity at the moment, is the increasing organisation and professionalism of the online criminal community. Hackers, virus writers and spammers used to be separate communities, each containing their own sub-groups and individual cults. Increasingly, they are learning to co-operate, sharing skills and information, to get a part of the lucrative online fraud and spam market.

Hackers and virus writers have the skills that help spam to get into our e-mail boxes, and spam sells all sorts of products as well as being the first step in a number of fraudulent schemes, from phishing through to 419 (“Nigerian”) frauds (see http://www.nhtcu.org/).

The growing sophistication of cyber criminals requires a rapid improvement in basic information security skills by all organisations and, even more importantly, by home owners and small businesses, whose usually poorly protected computers are often used as zombies or relays in more substantial computer crime. There are basic steps that all organisations should take, starting with a risk assessment (see http://www.itgovernance.co.uk/consulting.aspx for more information).