This snapshot, taken on 03/06/2007, shows web content selected for preservation by The National Archives.


Promoting awareness

Promoting education and awareness

Despite all the recent news coverage of computer viruses such as MyDoom in early 2004 and Sobig in summer 2003, many businesses and home users are still not taking steps to protect their information systems. Government is working with industry to promote awareness and education on a wide range of issues relating to the protection of the nation's information systems.

Information security for business

As a business, information is probably one of your most important assets. If you are denied access to the information you hold on your IT system for one day - maybe that wouldn't cause you too many problems. But what if it was for a week - or you lost that information altogether - or perhaps worse, that information was duplicated and passed on to a direct competitor?

Sadly, many businesses do not even have the most basic protection for their systems. Information security covers measures such as installing and updating anti-virus software, patching procedures and access control of systems. Good information security practice must be adopted as an integral part of your overall business processes and can spare your business costly 'clean-ups' after an event. Perhaps more importantly, information security planning can add value to your business and demonstrate to your customers that you can provide a trustworthy and reliable service.

Controlling access to information

According to the DTI Information Security Breaches Survey 2004, 1 in 5 large businesses were affected by weaknesses in access control measures to their information. This means that individuals had been allowed access to information without authorisation, which could result in crimes such as fraud or extortion. Over half of all companies affected said this was their worst information security incident of the year, ahead of virus infections. This kind of security breach can cause major disruption to the business over a long period and can involve significant staff time spent on investigating and then fixing the problem (10-20 staff days on average). Such breaches also tend to be the most costly of any security incident - 15% caused more than £100,000 of legal fees, investigation costs and fines.

What you need to think about:

Source: DTI Information Security Breaches Survey 2004

It's not all about 'firewalls'

Information security practices should reflect the needs of your business. It is vital to realise that information security is not simply about installing firewalls or anti-virus software. More important than the software product a business might choose to install is addressing the whole range of information security processes that need to be carried out - from PIN or password control and anti-virus updates to information back-up procedures.

These may seem time-consuming tasks but, as many organisations have learned, a bit of work up front can save a lot of trouble and cost after the event. After all, there are added benefits from making your business more secure. Your customers will have more trust and confidence in your business if they know that you have made your information systems as secure and reliable as possible.

Web-savvy customers want reassurance that your systems are safe and they are increasingly likely to demand proof. As international standards for information security become more widespread, you may be asked to demonstrate the dependability of your information security arrangements.

The DTI promotes the benefits of good information security practice and provides objective information and advice for businesses on how best to protect themselves. You can find this information at http://www.dti.gov.uk/industries/information_security

Who's using your Internet connection and why?

A medium-sized company had provided staff with Internet browsing access for some time but the access was shared amongst employees with one username and password per group. This meant that the business had no way of tracking Internet usage to particular users. They became concerned about the lack of monitoring and eventually installed a system whereby users within the company would gain Internet access by simply logging on to their own computer. By law, the company had to notify staff that the system was in place and that their usage would be monitored.

Over a number of days they spotted a significant number of accesses to an Eastern European 'brides for western men' website. The activity was traced to a contractor who was questioned about it. It became clear that he was running the business as a sideline and accessing the site to maintain it.

Apart from the great deal of time and money this cost the company, with his contracted time being spent on this work and not the company's, there was also a question mark over the legality of the site.

What you should do:

For more information go to http://www.dti.gov.uk/bestpractice/technology/security.htm

Warning and alerting systems

It is difficult to establish with any accuracy the actual cost of computer virus and worm attacks. But what is certain is that these attacks are currently increasing in frequency and in sophistication. The recent Sasser worm caused significant problems for major services such as airlines and the coastguard. Early warning is vital to counteract the effects of such attacks and to enable organisations to put appropriate measures in place.

Warning and alerting systems are an important tool in combating electronic attack. CPNI operates the UK Government's Computer Emergency Response Team (CERT) called UNIRAS which issues technical alerts and briefings. To assist in response, CPNI undertakes research into computer network vulnerabilities and alerts stakeholders as necessary.

Information sharing

CPNI promotes a number of information sharing groups. These groups receive information on new problems quickly so that advice on ways to manage them can be implemented in time to prevent damage. Organisations can protect their identity and reputation by telling CPNI about a new attack method or vulnerability. This information can be passed on to others in an anonymised form together with advice on what to do.

CPNI has also developed an initiative called WARPs (Warning, Advice and Reporting Points). These enable communities with similar interests to link together and share information in a secure and trusted online environment. They can give early warning of electronic attack, threats and vulnerabilities which can be tailored for the communities' particular requirements. London Connects (see boxed text) has been running a WARP for London boroughs, and Kent has recently set up a similar system. Other WARPs in business communities and amongst further public sector bodies are being planned.

WARPs (warning, advice and reporting points)

Local government services are increasingly being delivered over the Internet. This provides citizens with a convenient method of interacting with local government, whether for finding out about local childcare services or paying council tax. In order to bolster uptake of online government services, it is essential that the systems supporting them are as resilient as possible. Warning and advice systems provide a valuable service in alerting organisations to possible vulnerabilities and giving information and advice on dealing with threats such as computer viruses and worms.

The London Connects WARP (LCWARP) provides London boroughs with a secure and trusted warning and alerting system for all forms of electronic attack. The service gives information bulletins about cyber-threats, good practice advice and incident reporting. The information is co-ordinated and managed from a central point and can be tailored to the needs of the local government community.

The LCWARP was introduced as a pilot scheme with funding from the CSIA in the Cabinet Office. The Office of the Deputy Prime Minister is now providing further funding to explore the establishment of local authority WARP services on a national basis.

CPNI has developed a freely available WARP Toolbox to make it easy to establish further WARPs. For more information on WARPs go to http://www.niscc.gov.uk

Promoting safe use of IT for children

The Department for Education and Skills (DfES) and British Educational Communications and Technology Agency (BECTA) promote acceptable and safe use of information and communications technology (ICT) for schools. This combines knowledge of the needs of education with an understanding of the power of technology. Information and advice on the safe use of the Internet and ICT are available on the Superhighway Safety Website and the ICT Advice website. BECTA has also recently launched the Internet Proficiency Scheme to help teachers educate children on staying safe online.

The Parents Online campaign run by the DfES aims to raise awareness amongst parents of how to help children to go online safely. The campaign provides online learning kits in age-related categories and encourages parents to organise Internet safety events and workshops offering advice and support to local communities.