13 Sep 2000
Network managers need to integrate their security policies at every level for them to be effective, according to a report from business analysts Deloitte & Touche.
The report, called Ecommerce Security - Best Business Practices, provides users with tips on how to take "the first step in establishing one universal framework that can be implemented by businesses around the world".
But the increasing diversity of companies' new and legacy systems makes it difficult to define a single approach to securing data. And in any case, the UK government has already defined its own set of guidelines, which it hopes will be adopted globally.
It has, in fact, expended a great deal of energy during the past year in extolling the virtues of online trading to all sections of the UK's business community. But despite this, a week seldom passes without news of some website exposing reams of sensitive business data.
In 1995, the Department of Trade and Industry (DTI) launched British Standard 7799 (BS7799), which was developed by a committee of industry and government figures.
The standard was proposed as a common framework to enable companies to develop, implement and gauge effective security management measures and to boost confidence in business-to-business ecommerce and consumer-facing trading.
The most recent revision of BS7799, published in 1999, has been submitted to the International Standards Organisation (ISO) to form the basis of an international standard.
Growing pains
Deri Jones, director of security analyst firm NTA Monitor, agreed that a global security standard is needed, but believes that its birth could be painful for the industry.
He claimed that the only way standards are likely to come into force is if industry groups adopt their own proprietary ones or if governments make them law. "Same-interest groups such as banks will put together their own standards, in which case you have fragmented frameworks," he said.
Although BS7799 could be seen as the UK government putting its foot down, Jones argues that it is only a first step. "Many of our customers are using this standard. It's not a universal solution to security problems, but it does help companies to make sure they haven't missed any bases."
Not that the DTI would argue with this analysis. Its website (www.dti.gov.uk) acknowledges that the standard does not make companies immune to unwanted intrusions - only that it reduces the likelihood of such breaches occurring, along with their attendant disruption and cost.
UK companies can apply for certification under the standard through c:cure, a DTI-sponsored body, which is run by a division of the British Standards Institute. This certifies third-party companies to act as auditors.
Accredited auditors conduct an independent check of applicants' ebusiness practices. A steering committee sets criteria and monitors performance, and is made up of representatives from companies seeking certification and from ebusinesses that require tight security.
The cost of such audits depends on the size of the organisation and the complexity of its systems, but c:cure claims that firms are prepared to pay an average of up to £900 a day for each qualified auditor to assess their business.
Let's get specific
But Yag Kanani, Deloitte & Touche's secure ebusiness partner for Europe, the Middle East and Africa, claims that while BS7799 provides a "good broad-brush basis" for sound security practices, it is, at heart, a generic information security framework.
"We're looking for specific ebusiness guidelines. Any standard has to live and breathe as technologies develop," he said.
One company that was recently awarded BS7799 certification is Logica's systems integration division, Clef, which evaluates hardware and software for security weaknesses.
Principal consultant Stephen Hill said the firm wanted to prove to potential customers that it is a safe security bet. "BS7799 takes an holistic approach to security. The auditors interviewed a sample of staff plus key employees like our network manager. They checked policies and procedures - we were already fairly secure, but the audit highlighted a few small weaknesses. Now we have a well-oiled machine," he said.
So why is BS7799 not more widely recognised as a stepping stone towards good security practice?
Steering committee secretary Peter Restell said: "At present, the takeup of actual certification in the UK is slow, and the number that could be classified as ebusinesses is difficult to ascertain. It would appear that organisations are finding it takes time to get to a stage where they can be audited by a third party. It's one thing saying you have implemented BS7799, but it's a different story when you have to prove it."
But the government should lead by example, he added. "Government departments have been asked to become compliant with BS7799 and this should encourage businesses to take similar action."
Despite this, NTA Monitor's Jones maintains that the security of organisations trading online can never be guaranteed and that the best strategy for fledgling ebusinesses is to have their systems independently tested. "When we test sites, we find that many of them are built like sieves. Testing closes all the little holes," he said.
So it appears that maintaining the integrity of electronic transactions is destined to become an increasingly key responsibility for network managers into the future, and whichever approach they take, they will have to invest in security to a sensible degree.
Given the amount of damage caused by breaches, in terms of downtime and public relations, however, the cost of tightening ebusiness security should more than pay for itself.