Posts Tagged ‘IM’

Blended threats on the march

Monday, February 5th, 2007

As expected, blended threats continue to grow significantly. ComputerWeekly reports that in 2006 a company called ScanSafe encountered spyware growth of over 250 percent. What is more: “Not only did we see relentless growth in spyware throughout the year, but we saw that it is increasingly harbouring more sinister payloads.”

Other interesting trends highlighted include the increasing range of vulnerabilities linked to Instant Messaging: ‘Unauthorised internet chat and messaging sessions accounted for 15% of web filtering blocks, said ScanSafe. Internet Messaging systems, while increasingly popular at companies, are now a major target for malware spreaders.’

This amply demonstrates the need for companies to take a ‘whole business’ approach to their infosec issues – technological barriers will help in part, but educating the workforce is another critical component.

81% of IT managers report a security incident

Friday, November 17th, 2006

More meat on the bones of worries about Instant Messaging. A recent survey found that 81% of IT managers reported a security incident due to Instant Messaging or other ‘greynets’, such as Skype. These incidents cost companies real money – nearly $130,000 annually to be precise. The survey also shows that more users are adopting greynet applications, yet little progress has been made toward combating greynet-related attacks.

This being the case, it is all the more vital to tackle the human dimension. Companies that implement ISO 27001 will have clearly communicated policies in place to cover such applications, audit processes to check that rules are being followed, and unambiguous penalties for individuals who go against their responsibilities to the company and their colleagues.

On Human Fallibility

Wednesday, February 9th, 2005

I know it’s not news, but it winds me up that there’s a whole industry out here that depends on software faults and basic failings. The information security industry (including my books and company) wouldn’t exist if software manufacturers and others did their job properly – calling their failings ‘vulnerabilities’ is nice, but it doesn’t change the reality.

And new products are launched that just aren’t good enough – take Instant Messenger – or wireless – and now VoIP – and it even appears that VPNs aren’t up to scratch – “right first time” is a pretty hard concept, isn’t it? For instance, I thought I’d done an excellent job on the updated version of my book, but the copy editor came back with nearly 30 queries – and she hasn’t told me how many she just corrected without mentioning them.

Of course, I like it that there’s a business opportunity for us all, but I can’t help wondering how much better at fighting the bad guys we would be if we didn’t have to spend so much time filling the holes left by our own side.