Information Security News mailing list archives

Lax e-security hinders dotcom funding


From: William Knowles <wk () C4I ORG>
Date: Fri, 1 Dec 2000 04:54:11 -0600

http://www.vnunet.com/News/1114718

By Ian Lynch
[30 Nov 2000]

Inadequate security systems and management may lead to companies being
blacklisted by City investors, according to a survey published this
week.

The report, called A Risk Too Far and commissioned by internet service
provider Vistorm, shows that while 26 per cent of managers demonstrate
high levels of IT literacy, the majority don't understand how IT
security can affect business performance.

As a result, some companies may be missing out on investment because
they are being incorrectly identified as an above average risk.

Pension funds may also be missing out for the same reason. Fund
managers wrongly regard dotcoms and financial services as being at
greater risk from computer security breaches, the report said.

Ian McKenzie, managing director of managed internet services at
Vistorm, said: "No particular business sector is more at risk than any
other. But if e-security isn't given attention at director level,
there will be enough high-profile security breaches to damage the
development of ebusiness in this country."

Three key reasons were given for fund managers' views: a lack of
verifiable information; a generally poor understanding of who is at
risk and why; and a focus on assessment criteria that do not measure
the impact of future market changes.

The report's recommendations include:

* Adopting recognised frameworks such as BS7799 (soon to be ISO
  17799) as a basis for a comprehensive security procedure.

* Ensuring that IT security is tackled as a business, and not simply
  as an IT challenge.

* Using external audits to validate the robustness of IT security
  solutions on a regular basis.

Chris Ferrant, e-product manager responsible for the BS7799 security
standard at the British Standards Institute, said: "Security needs to
be considered in relation to the value of its importance as an asset
to the company. The technological solutions offered by the IT industry
will only be successful if used within a managed environment."

The report follows on from research carried out by Network Associates
- which ironically had two of its websites hacked this week - which
called for chief executives to take responsibility for e-security.

Vistorm's research has now received the backing of both Certus, the
association of IT directors, and the Computer Services and Software
Association (CSSA).

John Higgins, director general at the CSSA, said: "The 26 per cent of
fund managers who see IT security as a pervasive issue have got it
right. Now, the IT industry must work together to get the other 74 per
cent to see it the same way - otherwise the only Christmas cards we
will receive this year will come with their own virus."

Blue chip companies that have suffered attacks which have made
headlines this year include:

Microsoft, HSBC, Barclays, Powergen, Woolworth's, Credit Suisse,
Safeway, Visa and Bloomberg.



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com