Across the world, a substantial majority (by value) of all transactions are carried out via electronic media. Forget the Euro - next year's universal unit of currency is the electron. This raises a particularly pressing question: given the pivotal position of information technology in all aspects of modern business, why does the issue of security of information systems attract so little attention in British boardrooms?
Big-name companies will spend six-figure sums on physical access control systems for buildings, yet enforce almost no control over the use and management of computer passwords. Vehicle fleets are held in floodlit chain-link compounds, while file servers sit in open corridors.
Information is vulnerable to many forms of attack, both from inside and outside. Staff, often in collusion with suppliers, can use computer-based purchasing and payment systems to divert goods or payments. They may also steal information (either for their own use or for sale to competitors or suppliers), and they can deliberately damage or delete sensitive information. Computer systems can also be susceptible to external threats, either via the Internet or, more often, by the use of direct dial-in connections.
In this respect, the rapid expansion of e-mail as the default means of communication within and between organisations has opened up a particular area of vulnerability. Because e-mail is more concentrated in its location and distribution paths than older forms of written communication, a successful breach of e-mail security can provide a particularly rich harvest for the information thief.
Finally, there is the issue of virus contamination. Virtually every major user of PC workstations has now suffered the effects of some form of virus infection. The damage, though real, seems to be largely random, the result of some bizarre hobby activity which is the IT equivalent of dropping rocks off motorway bridges. However, the countermeasures are inseparable from good systems security practice, supported where appropriate by anti-virus software tools and backed up by well-established reaction plans.
Changing attitudes
The record of British businesses in the area of information security has not been encouraging. A survey carried out by accountants KPMG in late 1995 indicated that 98% of information systems would fail to meet the security criteria set by British Standard 7799, the Code of Practice for Information Security Management. This is doubly worrying when the scale of the problem is taken into account. Anecdotal evidence puts the total loss across the economy in the hundreds of millions, most of this involving staff or internally employed contractors, often acting in collusion with dishonest suppliers.
However, the news is not all bad. Businesses in the UK are gradually beginning to recognise the need to protect information as the vital asset that it is. The DTI's 1996 Information Security Breaches Survey revealed that almost half of the respondents were aware of BS 7799, and of these most were either working towards compliance or had plans to do so. Some 90% of these respondents had recently suffered some form of security breach.
This growing level of awareness has been reflected in Control Risks' own experience. As the head of Control Risks' international investigations division observes: "It is now impossible to carry out a realistic fraud vulnerability survey without paying detailed attention to the client's computerised information systems. Virtually every issue which would have been covered in a conventional vulnerability analysis, from the segregation of payment authorities to personnel vetting, now has an IT dimension."
The growing significance of information security as a component of the organisation's overall security planning has prompted Control Risks to establish a programme designed to protect its corporate clients from the risks associated with systems security breaches. The Information Systems Security Survey has been designed to provide a consistent approach to the evaluation of vulnerabilities and the establishment of the measures required to minimise threat and loss. It builds on the approach defined in British Standard 7799, supplementing and strengthening it with Control Risks' wide experience of security and protection and the Group's detailed knowledge of current threats and risks around the world.
CONTROL RISKS IS AN INTERNATIONAL CONSULTANCY. WE ADVISE BUSINESSES, GOVERNMENTS AND INDIVIDUALS HOW TO REDUCE THE IMPACT ON THEIR ACTIVITIES OF POLITICAL INSTABILITY, SOCIAL CHANGE, TERRORISM, FRAUD AND CRIME. SINCE ITS FOUNDATION IN 1975, CONTROL RISKS HAS WORKED WITH OVER 3,000 CLIENTS IN MORE THAN 120 COUNTRIES.
FOR DAILY ANALYSIS OF WORLDWIDE EVENTS, OUR ONLINE SERVICES PROVIDE ASSESSMENTS AND ADVICE FOR BOTH CORPORATE MANAGEMENT AND THE INDIVIDUAL BUSINESS TRAVELLER. WE COVER MORE THAN 80 COUNTRIES AND UPDATE THE SERVICES EVERY WORKING DAY. FOR LONGER TERM ASSESSMENTS AND DETAILED FORECASTS, CLIENTS CAN COMMISSION SPECIFIC REPORTS ON A COUNTRY, REGION OR TOPIC.
FOR FURTHER INFORMATION ON CONTROL RISKS' SERVICES, PLEASE CONTACT THE BUSINESS DEVELOPMENT DEPARTMENTS AT OUR OFFICES IN LONDON (TEL: +44 171 222 1552; FAX: +44 171 222 2296), WASHINGTON (TEL: +1 703 893 0083; FAX: +1 703 893 8611) OR TOKYO (TEL: +81 3 5570 6391; FAX: +81 3 5570 6392).
Control Risks Group Limited ('the Company') endeavours to ensure the accuracy of all information supplied. Advice and opinions given represent the best judgement of the Company but, subject to section 2 (1) Unfair Contract Terms Act 1977, the company shall in no case be liable for any claims, or special, incidental or consequential damages, whether caused by the Company's negligence (or that of any member of its staff) or in any other way.