Too many businesses are still taking the approach that information security is the job of a CISO or the IT department, when it really should be part of any key business plan, according to Alan Calder, CEO of IT Governance.
Security and data protection have never been far from the headlines over the last 18 months or so, thanks to the exploits of hacktivist groups like Anonymous and LulzSec as well as state-sponsored cyber attacks, such as those rumoured to have been launched by China and aimed at the United States.
But while these attacks have pushed security up the agenda for many businesses, a worrying number are still not taking the issue as seriously as they should. Speaking at the CRESTcon 2012 event recently held in London, Calder said that improvements have been made, but there is still plenty to do.
Calder said that the financial sector and, to a lesser extent, critical national infrastructure and utility companies have a "working knowledge" of the issues they are facing.
"[However] utilities are still dealing with bigger issues so cyber security is way down the list of things they are dealing with," Calder added. "For most of the rest of the UK, boards are still treating information security as something which is the job of the chief information security officer (CISO) or the IT department."
"It is not on their list. Or if it is on the list it’s allocated to the head of IT, which is probably the least sophisticated approach a board could take to information security risk," Calder added. "Any board that is doing its job properly is going to have somewhere between five and 10 real information security risks as part of its risk environment. It will have very clear ownership of those risks and very clear processes in place to deal with them."
Calder also suggested that some organisations are burying their heads in the sand when it comes to everyday online threats. No one is safe, he said, even if the attacks we are seeing at the moment seem to be aimed at multinational corporations such as Google and energy companies, or government bodies such as the CIA or the Syrian government.
He warned: "Cyber space is not secure; it is a deeply insecure place to do business, to share information and to be active. Cyber attacks can come from anywhere. It is a simple matter of fact that you are not going to be attacked from Britain if that’s where you are trading; it is likely that a DDoS attack will be mounted out of computers in Japan, perhaps operated by a person in China or Russia."
"It’s about stealing information and compromising systems and defences," Calder added, "and most managers will say: ‘We’re not an IBM or a Microsoft, who’d want to go after us?’ But threats, if they take down or damage a significant organisation, are likely to damage a whole bunch of other organisations in the process. If there is an attack on a big company and you are a supplier or customer, what’s the likelihood that you might be seen as a vector for that attack to be directed through?"
Calder concluded by sending a warning to businesses: "Cyber attacks are there; it’s not something that should only be worried about by power or utility companies or big organisations. If you are connected to the internet then you are at risk; it really is as simple as that. If managers don’t understand that, they are almost certainly in trouble."