Bug watch: No such thing as secure IT

This week, Stuart McMillan, European vice president of digital insurance provider Safeonline, argues that there's a big hole in the debate about data security. Businesses must wake up to the fact that you can never create a totally secure IT environment.

How to protect electronic data is becoming one of the big financial and security issues of the early 21st century. Digital failure is costing industry worldwide untold amounts of money, forcing companies out of business and holding back the development and use of new technology.

According to PricewaterhouseCoopers, the damage caused by cyber crime alone is around $1.4tn globally, and this is just one aspect of digital risk.

Most commentators have concentrated overwhelmingly on how to identify and then mitigate threats to data. These should indeed be the first priorities, but there is a marked reluctance to take the next logical step. That means confronting a simple, obvious fact: you can never make electronic data totally secure.

A risk-free environment has never existed, and never will. No number of measures will make your office totally fire or burglar proof, for example. Yet these are physical, tangible risks, and mankind has had thousands of years of practice in dealing with them.

Digital risk, on the other hand, is new. It is invisible and it can strike from any direction: hacking, computer viruses, inaccurate keying of data, employee sabotage, website misuse, power failure or surges, abuse of email, and hard disk crashes, to name but a few.

As a result data is among companies' most vulnerable assets, as well as frequently their most valuable. Yet research conducted for Safeonline by MORI shows that most firms are leaving digital security largely to chance, especially small to medium sized enterprises.

Most people overlook the fact that insurance can be by far the most cost-effective solution to digital risk. There comes a point when further measures to reduce your exposure are no longer practical or financially viable. That is when one way to create a trusted environment for ecommerce is to transfer risk to an insurer.

Businesses are just beginning to wake up to this fact. Inevitably, large international companies are taking the lead, especially those based in the US, which are the main purchasers of digital insurance.

Frequently, policies emphasise data recovery or, failing that, rekeying data from hard copy. This reflects the fact that your first priority when you have lost vital data is to get your business fully operational again.

It is only a matter of time before digital insurance becomes commonplace in Europe, even among relatively small companies. Apart from the fact that it makes business sense, some auditors and banks are starting to demand it as a matter of good corporate governance.

It is in the interests of all concerned to start a debate on what this means in practice. Just as conventional insurers require that policyholders put in place certain fire precautions before they will issue cover, so digital insurers will insist upon certain security standards. This has wide implications for IT manufacturers, providers and consultants.

This may sound like more hassle, but the prize is a truly trusted environment for ecommerce; and that is well worth the effort.