'

E-commerce special report: Security

Part IV: There are some simple steps every company can take towards ensuring it is protected not only against hackers and fraudsters, but also against charges of negligence when the worst does happen

Security is as much about physical processes within the four walls of your company as it is about electronic protection from hackers out on the Internet. Stories about e-commerce sites getting hacked propagate around the Web like spam down a fat pipe, but you rarely hear about the companies whose servers get stolen because they forgot to lock the server room door -- which exits onto a back alley. Yet it does happen.

Any breach of security is serious, not only because of the immediate damage it can do to your finances and reputation, but also because of the liabilities that it can lay you open to.

The best defence is to use well-documented processes, so that if something does go wrong you can claim that you did follow due diligence, which can be a saviour in a court of law.

According to research issued by the government in 2002, more than a third of the worst computer system security breaches at UK companies are from employees.

The Information Security Breaches Survey 2002, sponsored by the Department of Trade and Industry and prepared by consultancy firm PricewaterhouseCoopers, found that in small companies, 32 percent of the worst incidents were caused by insiders, but in large companies this figure climbed to 48 percent. This was a big jump from research carried out a year earlier, said the authors.

A third of the "worst" security incidents were virus infections, but there were also high incidences of other, more deliberately targeted attacks. Forty-one percent of companies reported virus infections in the past 12 months -- nearly triple the 16 percent reported in the same survey two years ago.

While hacking attacks accounted for only 14 percent of the worst incidents in the past 12 months, this figure shot up from just 4 percent two years prior. Eleven percent of companies reported that their worst incident was due to inappropriate use of systems (using email or Web browsing to access or distribute inappropriate material), and 6 percent said the cause was theft of information.

Most security incidents resulted in only minor costs, according to the survey, with two-thirds of the most serious incidents costing less than £10,000 to resolve. However, about 4 percent of the UK businesses surveyed said they had suffered costs of more than £500,000 following a single security incident. Two years ago, the companies reported that their worst incidents cost in the range of £20,000 to £100,000. One manufacturer, said the authors, estimated the direct costs associated with a recent virus infection to be £80,000.

Many more companies have inadequate systems in place to deal with security incidents than they did two years ago, but small companies still lag badly. Three-quarters of large companies have procedures for logging and responding to security breaches, and 75 percent have contingency plans, compared to 41 percent and 47 percent respectively for small companies.

OECD guidelines
In September 2002, the UK's e-commerce minister Stephen Timms launched tough new security guidelines that the government said could make businesses much more secure against computer viruses and malicious hackers. The OECD guidelines on information and network security, which update an earlier set released in 1992, try to raise awareness of the importance of security in IT within the business community. They attempt to put security at the heart of information systems management, and enforce the point that networks can only be secure if every user takes security seriously. Drawn up by 30 governments, the guidelines could help create a culture of security in Britain and boost the growth of e-commerce if they were adopted by businesses here, say proponents. The OECD guidelines are available here. BS799 security standard
There is another simple tool that has been around some time (and was revamped last year) that companies can use to help build procedures and contingency plans. British Standard 7799 is arguably the most widely recognised security standard in the world, and the international standard ISO 17799 grew out of it. All UK government departments have to be compliant with BS 7799 in their key business systems by the end of 2003. Part 1 of BS 7799 is a code of practice for information security management systems, and has been a standard since December 2000. This can be used for compliance, but because there are no auditable standards, companies cannot be certified against it. Compliance is straightforward, according to Jeremy Ward of antivirus firm Symantec: "Part 1 of BS 7799 is only 11 pages long -- you don't need professional advice to implement it." But Part 2, which is an auditable standard against which companies can be certified, is a lot more involved. "It is not easy," said Ward, "but there are simple steps -- don't try to swallow the whole elephant in one gulp." One place to start, said Ward, is to find people prepared to take responsibility for assets, such as a customer database. "Then you have to think about what effect there would be on the business if this disappeared for a day -- or even longer. This means risk assessment. Without that you don't get to first base." After risk analysis has been completed, companies can ask themselves what safeguards need to be put in place. But it is not good enough to simply install a firewall, said Ward. "You have to ask yourself why you need it, and where it should go." BS 7799 is built from a pyramid of 127 controls, starting at the top with policy. "Policy needs to be backed by the board, otherwise nobody else in the company will take notice of it," said Ward. "And it has to be short -- no more than about two pages." This policy document should contain measures such as how Internet and email use is controlled. Then comes the procedures: what a company must do to underpin the policies. "Then comes technology, and finally the auditing system -- the whole thing needs to be documented and recorded." According to ICL's principal security consultant Richard Boothroyd, only about 50 companies in the UK are certified to BS 7799. Many more are compliant, though certification is actually easier for smaller companies. "Lots of organisations go for compliance, which is covered by Part 1 of the standard," said Boothroyd but, he added, it is still underused. "Companies do need to be much more aware of BS 7799 than they have been." Unlike the OECD guidelines, BS7799 is not available for free. BS7799 is available here and ISO sells ISO1799, which is based on BS7799, here. Follow these links for more of ZDNet UK's special feature about e-commerce: E-commerce special report Part I: What works Part II: Getting started Part III: Know your laws Part IV: Security An e-commerce toolkit