This snapshot taken on 03/06/2007, shows web content selected for preservation by The National Archives. External links, forms and search boxes may not work in archived websites.


Information for businesses

Businesses must adopt good information security practices in order to protect their own business interests as well as the overall economic and social well-being of the nation.

What you can do to make your information systems more secure

Large organisations

Most large organisations are very aware of how vital it is to protect information systems. Chief Information Security Officers advise their boards and Chief Executive Officers (CEOs) on what measures need to be implemented, and oversee the implementation and maintenance of their information security measures. Company boards and CEOs are increasingly aware, through pressure from legislation and regulation, that their corporate governance responsibilities must include co-ordinated management of the risks to their information systems.

Government, large organisations and SMEs must all work to ensure that the information security market meets changing needs and developments. Each sector plays a vital role in driving market forces to ensure that the providers of information security products are kept on their toes. Businesses must demand more secure products from suppliers, thereby influencing the development of these products so that they meet their needs. Smaller organisations can benefit from this, as well as from the knowledge and R&D resources that government and large organisations can provide.

Government is keen to promote relationships with large organisations and projects that seek to improve private sector information assurance and security. Government works closely with a number of different initiatives, from those involved in promoting best practice and awareness to training and development for professionals and forums for addressing the latest technological developments (some of these organisations are listed in the Useful links section).

Large organisations, which may have state-of-the-art information security products and stringent security policy procedures, should not be complacent. Technological changes will constantly alter the way information security should be handled. For example, the use of PDAs or palm computers and wireless networks is now fairly commonplace, yet these are often not given adequate security controls. Information risk assessment and management must be an ongoing part of the organisation's core business practices.

Regulation and legislation

It is not only common sense to address the information security needs of your business; there are also legal and regulatory requirements to consider. In the UK, there are laws governing the use and retention of information on individuals, as well as the systems which handle that information. These include the Data Protection Act, the Regulation of Investigatory Powers Act (RIPA) and the Computer Misuse Act.

The Turnbull Report provides regulations covering organisations' internal control procedures and risk management. Additionally, there are a number of EU directives governing issues such as privacy and the use of electronic signatures. There are also international regulations which affect many UK organisations. The new Basel II Accord, governing risk for financial service organisations, is currently being developed and is due to be released in mid 2004.

The Sarbanes-Oxley Act in the US has brought significant legislative changes to financial practice and corporate governance regulation. It was introduced in 2002 in the aftermath of a spate of high-profile cases of corporate fraud and aims to enhance corporate accountability; it is pertinent to UK companies, or their subsidiaries, that are quoted on the New York Stock Exchange. Security is a particular theme in the Act, including adherence to the international information security standard ISO 17799.

SMEs (small-medium enterprises)

Good protection online means better business. More and more businesses are going online and customers want to know that their interests are in safe hands. By making your business more secure, you are advertising the fact that your organisation is safe and trustworthy to deal with.

Protecting your information systems does not have to be expensive. The size of your organisation will probably indicate the level of protection you need. Every business should review its information security procedures and satisfy itself that it has the appropriate level of security for its needs.

The same advice applies whether you are a voluntary organisation, charity or community organisation. You will need to ensure that you protect your information systems and the information they carry to preserve your interests and those of your customers or donors.

You can find information on how to protect your business at http://www.dti.gov.uk/industries/information_security [External website]

Small enterprises need to protect themselves

A 2004 survey by Network Associates of small firms in Europe revealed that many are not adopting simple techniques to protect themselves from the threat of viruses and malicious hacking. The research found that virus outbreaks can take a company out of action for days and cost an average of €5,000 (£3,300) to put right. For small businesses this can be a significant amount.

Although 40% of those businesses questioned had suffered a virus attack in the last year, and a quarter of companies admitted infecting partners and customers, 45% still said that information security was a low priority.

Source: Network Associates, research carried out in winter 2003 involving 500 small businesses of fewer than 20 employees in the UK, Italy, Spain, France, Netherlands and Germany.

Basic advice for SMEs