Security threats Toolkit

Why security is an information problem

Tags:
Security,
IT Prioirities Conference

Andrew Donoghue ZDNet.co.uk

Published: 28 Sep 2004 17:45 BST

Speaking at the ZDNet UK IT Priorities Conference held in the Park Lane Hotel, London, Simon Perry, VP security at Computer Associates, warned that employees currently understand the material value of the hardware they are entrusted with but haven't been taught to value company information in the same way.

"The most important thing for people to understand is that information is an asset. Rather than thinking about the value of their mobile or laptop, employees need to be trained about the value of information to their company," said Perry.

Also speaking in the panel discussion around the issue of hacking was Richard Starnes, Cable & Wireless director of incident response. He argued that companies needed to implement information systems that tag vital data more clearly.

"Companies should have classification systems. If your employees don't know how sensitive a piece of information is then how are they going to know how it is to be treated?" he said.

Esther George, policy advisor for the Criminal Prosecution Service (CPS), said that the authorities are limited in what they can do when it comes to prosecuting criminals by a general reluctance on the part of companies to admit to hack attacks.

"It is hard to have a definitive effect on criminals if companies are not reporting the crimes," she said.

George also argued that more and more hack attacks originate within companies from their own employees. This has been exacerbated by companies hiring freelancers and temporary workers whose behaviour may not be as strictly regulated as permanent employees.

To counter this problem, companies should at the very least make sure that all their employees are under contract, said George.

"It seems to be a rising trend, particularly within software companies, that you may think someone is an employee but no one has actually told them they are an employee," she said.

During the debate, some criticism was made of the lack of new legislation to tackle hacking but George argued that despite the lack of new laws, older ones were wide enough in scope to be applied to modern Internet crimes.

"It might be that the laws are old but they are widely drafted and they have been created so that that they can be applied to the Internet," she said.

Computer Associates' Perry said that another key factor in combating hacking is for home users to take security as seriously as business users, because many new viruses and spyware are propagated on personal machines.

"We can't separate the security of home and business users as we all share the same Internet," he said.

Martin Jordan, a senior manager from KPMG, said that despite the best efforts of the security community, end users would always be playing catch-up to hackers and criminals -- what companies need to decide is how far they are want to lag behind.

"We will always be in catch-up mode -- unless we get to the halcyon days of self-healing networks. But if that doesn't happen then you have got to decide on whether you want to be two steps or 10 miles behind."