Warning issued by
the British Standards Institute.
In the wake of findings
that show that only 85 UK companies have followed DTI and security
service advice to meet the BS7799 Information Security Standard,
and the news that the government may fine businesses that fail
to put information security systems in place, the British Standards
Institute (BSI) is calling for action.
Developed by BSI,
BS7799 is the internationally recognised standard for information
security management. Both the DTI and MI5 promote the use of
BS7799 and were involved in its development from the start.
In Whitehall and Washington there is increasing concern about
the new threat from terrorists who target companies' information
systems, in particular the threat posed to the critical national
infrastructure, which includes telecoms, utilities, financial
services, health service and emergency services.
In the UK the little-known
NISCC (National Infrastructure Security Co-ordination
Centre) has responsibility for CNI protection. On its website
the NISCC describes the threat: "There can be little doubt that
the incidence and severity of electronic attacks will increase
and the threat will rise for the foreseeable future. Any system
connected to the Internet or other public network is a potential
target for attackers."
One major focus of
concern is the City of London, as one of Europe's main financial
services centres. Given that only 85 companies UK-wide are certified
to BS7799, the vast majority of companies in the City are potentially
ill prepared and exposed.
Commenting on the
real nature of the risk, Peter Murray, BSI special consultant,
and former information extraction expert who conducted covert
operations on behalf of UK governmental organisations, said:
"BS7799 will go a long way to solving the problem. When BSI
developed the standard they were looking into the future and
predicting an essential business requirement. That future has
now arrived but companies are failing to act.
"Whether it is
a terrorist threat or commercial cybercrime, there is a genuine
risk.
"US Security services
in Afghanistan found laptops and documents which showed that
attacks of this kind were being planned.
"In one recent example
in Australia the Queensland water company fell victim to an
electronic attack which, over several months, overrode its computerised
sewerage system and released sewerage causing environmental
damage, prosecution and major reputational damage to the company.
"One of the main problems
is that companies feel their information is safe because they
have IT 'firewalls' or because they have not had any reported
incidents. The reality is that if information has been breached
successfully companies won't even know it has happened.
"Reported incidents
are probably only 10 percent of the number which actually occur."
Giles Grant, MD of
BSI Business Information, added: "The government, by its engagement
in the Standard from the outset, has laid the ground. It is
now for companies to take action and put in place infosec systems."
Acknowledgement - This article was
originally published in Continuity Central (www.continuitycentral.com),
a resource of business continuity information. Copyright ©
Portal Publishing Limited.