Summit: Experts divided over information security

Security experts at the V3.co.uk Summit have clashed over how well equipped they think UK organisations are to deal with current information security threats. Deloitte's head of security and privacy Mike Maddison and his colleague Steve Cummings seemed pretty optimistic when we met of the work being done in UK organisations to tighten up on data security.

They pointed to an increasing awareness at board level, an understanding of the value of information and a growing importance placed on user education as signs that we're well on the way to minimising the risk of many of the data breach incidents that have peppered the press in the past few years.

However, Stuart Okin, former Microsoft security advisor and UK managing director of consultancy Comsec, was less optimistic, maintaining that the UK is behind countries like the US and Israel in that many security teams still only consider back-end infrastructural security and are purely reactive when it comes to security threats.

What needs to happen, he told V3.co.uk, is a focus on where the information is travelling, who is accessing it, how they're accessing and so-on. In other words, behavioural monitoring of employees internal to the enterprise in the same way that credit card companies monitor transactions to spot fraud.

This kind of approach could save firms as much as 25 per cent in fraud costs, he maintained. However, whether for cultural reasons, because we're still stuck in recession, or because our regulatory regime is not as severe as some, the UK is still lagging behind.

This is not to say that the gentlemen from Deloitte were wearing rose tinted specs, however, far from it. Maddison acknowledged that education only works when embedded in the day to day running of the organisation, something that sadly doesn't happen across the board. And he acknowledged there is still a challenge firms face in understanding what information they hold - whether it be sensitive personal information or corporate IP - and where it flows out to the extended enterprise.

Read the full interview with Deloitte's Mike Maddison and Steve Cummings here.

12 Nov 2009

Permalink

Do you agree?

Add your comment

I fully agree with Stuart Okin, and this is not based on guess work, but working in the US, and visiting locations like NORAD in the US. I believe there is far too much management rhetoric, and soft focused risk based consultancy, which I agree does have some value – but there seems to be some disjoint when applying it in practical terms. There may also be too many Ivory Towers which drive the policy, but which actually have no sight of what security really looks like from a ground up operational perspective.

Posted by: John Walker 17 Nov 2009

“This is a very interesting article and it addresses two of the main issues the security industry must tackle. Assessing the highest risks and focusing on the ‘human factor’ e.g. the loss of an encrypted USB stick used to back up clinical databases at HMP Preston, is not too much of a problem but the password for the stick was written on a note attached to it, not so bright! I’m not sure we are divided over information security because the points being made are both very relevant and we are seeing businesses tackling both of these issues. We have seen an increased awareness in security at board level as the topic becomes more of a focal point for businesses and the media. The main question is, are we behind the US and Israel because we are lacking in experience and knowledge or because we just don’t seem to have as many attacks targeting UK businesses? Either way the comment is somewhat irrelevant, countries and businesses must focus on the risks and threats relevant to them, whether another country is or not. It is true that many businesses focus more on back-end security and take a purely reactive approach to security threats, however if that is the most business critical part of an enterprise then that is where security needs to be at its highest level. Trends are indicating that hackers are moving away from the obvious and high level business vulnerabilities and are targeting the lower level vulnerabilities so that they go unnoticed for longer. At Pentura we identify the top 10% of high value asset vulnerabilities, which includes what attackers may consider as ‘less important’. The main factor in most data breaches has not been a security solution failure, it has been the human factor, to avoid this problem businesses must ensure they have fool proof security systems and that staff are educated on the risks involved with their day to day work - one without the other is ineffectual.”

Posted by: Simon Morris, Research and development director at Pentura 16 Nov 2009

Add your comment

Your name:
Your email address:	We won't publish your address
Your comment title:
Your comment:	By submitting a comment you agree to abide by our Terms & Conditions. Your comment will be moderated before publication.