Whose fault is it anyway?

Dave Wilson puts his own colourful spin on the new DTI Information Security Breaches Survey – a survey that examined the state of play regarding computer security at numerous UK businesses.

"There is no security on this earth, there is only opportunity." – General Douglas MacArthur.

Just yesterday, Stephen Timms, the UK Minister of State presented the results of the 2004 DTI Information Security Breaches Survey – a survey that examined the state of play regarding computer security at numerous UK businesses.

One of the findings of the report was that the average seriousness of security breaches and the associated cost had fallen slightly since 2002, when the estimate was £30,000 per business.

That was the good news. But here’s the bad news. The rise in the number of ‘incidents’ means that the total cost to UK businesses was of the same order of magnitude as in the past.

What’s even more troubling is that the respondents to the survey were significantly more pessimistic about the future for security breaches than they were two years ago, believing that incidents will happen more often in the future and that they will be harder to detect!

But while they might be rather morose about the future, businesses don’t appear to be doing much about it. The majority, the report says, are still spending less than 1% of their IT budget on security.

One cause of the problem is that spend on information security is still low. It is seen by many as an ‘overhead’, rather than an ‘investment’.

And why shouldn’t it be? At a lot of SMEs, demands for increased IT spend on security are likely to be the last thing that the Managing Director wants to hear.

And not because he’s one of those that believes that Fourier transforms can be worked out better on an abacus, either. No, it’s more likely that he’s already forked out shed loads of brass on computer systems, networking and the like, and simply sees the demands for added spend on IT security as a bloody nuisance. For heaven’s sake, he wants to reduce the number of guys he employs in IT not hire more of them, doesn’t he?

With that in mind, I’m not surprised to hear that less than half of the businesses surveyed evaluate their ‘return on investment (ROI) on security spend’. But should they be doing so? The report thinks they should.

For my part, I think that there’s another course of action that should be taken long before the MD packs his IT staff off on a course to learn the intricacies of BS 7799.

And here’s what it is. Any IT staff that experience security problems should give their suppliers repeated gosh-darned kicks up the derriere and demand that they provide software solutions that are secure and invulnerable to attack. And if they don’t then they should find a supplier that can. It’s no more difficult than that.

After all, who would buy a house with no locks on the door and not complain to the builder? No one, that’s who. So why should SMEs be asked to spend more dosh supporting clearly inadequate software from their vendors? They shouldn’t.

The full DTI report can be downloaded from the Internet here: http://www.pwc.com/Extweb/ncsurvres.nsf/docid/845A49566045759E80256B9D003A4773