NetViews: Security + ignorance = calamity
By Davey Winder [28-05-2002]
Remember this equation: (security + privacy) - action = liability
Every two years the Department of Trade and Industry (DTI) commissions a survey to assess the state of the nation's information security and its impact on UK business.
Since the internet emerged as a major factor in the life of most businesses, the survey has come to be widely regarded as a good overview of the health of commercial network security.
This year it makes for stunning reading and is essential for anyone who has any commercial network management responsibility. The salient points to absorb are that 44 per cent of UK businesses have suffered at least one malicious security breach in the past, with each incident costing a staggering £30,000.
Add to this that, although 76 per cent of the businesses polled believe they hold sensitive or critical information and 73 per cent believe security is a high priority for senior management, only 30 per cent evaluate the ROI of their information security expenditure.
The real punchline to this particularly unfunny joke is that just 51 per cent of those running transactional web site businesses use encryption to secure data, and less than one third encrypt credit card information. With SSL so simple to run, one wonders what they are thinking. I just hope you are not one of the 33 per cent not using authentication to verify customer identity.
That is the security - now for the privacy. The same survey reveals that only 49 per cent have procedures to ensure compliance with the DPA, which is hardly surprising given how many leave themselves open to prosecution under the Act should customer details and credit card numbers be exposed because encryption was never implemented.
The truth is worse: the majority of web sites do not display privacy terms and conditions and so fall foul of the DPA anyway. Now that the W3C has released the new specification for the Platform for Privacy Preferences (P3P) at www.w3c.org, there is no excuse for offending.
Finally, throw into the mix the small matter of the EC voting on regulations to bring the Communications Privacy Directive in line with our own Regulation of Investigatory Powers (RIP) Act. If you are running a web server or a peer-to-peer network, you could find yourself classified as a service provider. As such you are required by law to retain traffic data logs and to allow access to them on demand by the police and intelligence services, without an interception warrant.
Remember the equation at the beginning? If that sounded like your corporate attitude, then I sincerely hope you will have absorbed the points made in this column and will change it to: (security + privacy) + action = sanctuary
Source: http://www.vnunet.com/Features/1132176