US lawmakers are currently proposing the idea of mandatory IT security audits to force companies to take security seriously, but what's the support like for similar legislation in the UK?

Legislation currently under scrutiny by the US House of Representatives could force publicly traded US corporations to certify that they have conducted an annual computer security audit. This assessment would have to be conducted by a third party, and those supporting the proposal say it would protect America's information networks.

Many technology companies are said to be lobbying heavily against the introduction of such a law, while others point out that to be truly effective such a proposal would have to also apply to private firms and government agencies.

But would the UK benefit from such a law, and is there any noise being made about enforced security on this side of the Atlantic?

The official line from the government is that effective corporate IT security is fundamentally the responsibility of the companies concerned. "We've got no plans to enforce mandatory IT audits. This isn't on the agenda at all at present," explains a Home Office spokesman.

He added that the government is making an effort to ensure the security of companies that play a vital role in the running of the country, through the National Infrastructure Security Coordination Centre (NISCC).

The NISCC was set up around four years ago. Its role is to protect the companies and organisations that operate the UK's critical national infrastructure – such as energy, water, and telecommunications networks or government departments – from attacks on their computer networks.

The Home Office insists the risk of an electronic attack aimed at a company that is part of the critical infrastructure of the country is very small. The consequences of such an attack could be catastrophic, which is why the government chose to play a closer role in protecting these companies.

Risks and responsibilities

These minnows, if insecure, can be a major irritation to bigger fish in the business sea. "These small firms will be part of a supply chain with larger companies, and the security and robustness of a supply chain is only as strong as its weakest link," Beale warns.

Voluntary standards







