DTI bemoans security standard take-up

The UK government is considering ways of improving the "appalling" take-up of security standard BS7799, as fears over IT security failures grow.

The havoc created by worms such as SQL Slammer has alarmed the government, alongside concerns that IT security does not have a high enough priority for businesses.

Slammer caused $1bn (£620m) worth of damage globally, despite a patch being released eight months previously.

David Hendon, director of communication and information industries at the Department of Trade and Industry (DTI), warned that, unless business leaders gave IT security a higher profile, security standards such as BS7799 could become mandatory.

Speaking at the Protecting Critical Information Infrastructures conference in London, Hendon said: "There comes a point at which society cannot allow the corporate equivalent of train crashes to keep happening. Corporate responsibility will have to be considered."

BS7799 provides a framework for implementing a security policy. The lack of firms that have achieved accreditation has worried the government. Currently, only 80 certificates have been awarded to UK companies.

This is an "appalling" figure, according to Hendon. But he admitted that his own department, the DTI, is unlikely to devote money to seeking accreditation until it is forced to.

One way to encourage firms to seek accreditation would be through existing data protection laws, according to lawyers.

The Information Commission has started including a question on BS7799 certification in its annual data protection forms.

Under the Data Protection Act, companies holding personal data are required to ensure that it is stored securely.

The Information Commission could assume that, if a firm is not signed-up to BS7799, its data is not secure, making accreditation a de facto requirement, said Jonathan Armstrong, technology lawyer at law firm Eversheds.

But businesses would oppose the imposition of standards.

Jeremy Beale, head of e-business at the Confederation of British Industry, insisted that the need for information security is not disputed, but that it should be "achieved through encouragement" not force.

He suggested that this could be done by favouring accredited firms in government tenders.

Companies are also being put off because of the perceived costs, according to David Lacey, head of information security and governance at Royal Mail Group.

But, after going through the accreditation process twice, he described this as a misconception. "It is a very efficient way of improving security procedures," he said.