Washington, July 1 : Experts say that it's time for business houses, especially small to medium sized enterprises (SMEs), to tighten up on information security.
"SMEs are particularly prone to poor or even non-existent information security. As awareness of the importance of information security increases, the SMEs stand to lose competitiveness, potentially losing contracts with existing clients and suffering the financial consequences that are increasingly arising from information security incidents," says Bruce Hallas, a specialist in information security.
He says that an increasing reliance on Information Technology (IT) over recent years indicates that people are confusing it with Information Security (IS).
Given that many SMEs lack money to invest in expensive information security expertise, they are investing heavily in IT in the mistaken belief that it will ensure IS.
"Yet the largest business drivers for security investment are contractual, regulatory, market pressures from consumers, corporate clients and the public sector. Not the typical domain of IT. The biggest security vulnerability lies with people. Security is about managing the risk from people, both known and unknown, interacting with your information and information systems. It is more about people management than technology," Hallas says.
Tyler Moore of the Computer Laboratories, University of Cambridge, adds: "Information security is now a mainstream political issue, and no longer the province of technologists alone."
He continues: "People used to think that the internet was not secure because there was not enough of the right technology, not enough sophisticated cryptographic mechanisms, authentication or filtering etc. so advanced encryption, public key infrastructure and firewalls were added. The internet did not get any safer. In 1999 it became clear that even the latest and greatest technology will not solve all our problems if those who protect and maintain them are not sufficiently motivated. The issue is one of incentives."
The experts warn that not giving sufficient incentives to workforce can have devastating consequences in business-such as denial of service attacks allowing viruses to infect the IT system, hospitals putting access to data above patient privacy, bank customers suffering phishing attacks by poorly designed banking systems.
"Economics can explain many of the failures and challenges in a new way. As companies are beginning to realise the value of good information security practice so security measures are being used not only to manage the evils of the attackers but also to support the business models of companies," Tyler Moore says.
Companies, especially banks, often fight shy of divulging information about attacks, whether they have been successfully repelled or not because the information concerned may be sensitive.
Now, a new report 'Security Economics and the Internal Market', which outlines police options regarding the economic problems in providing IS, recommends the EU to issue a comprehensive breach notification law to notify consumers when their details have been compromised so they can protect themselves.