Chaired – ironically – by head of security and business continuity for HMRC, Jeff Brooker, who began by assuring the audience that “HMRC doesn’t count as getting caught out, because the breach was more than twelve months ago”, the panel also consisted of Dan Blum, senior vice president and principal analyst, Burton Group, and Julia Harris, head of information security at the BBC.
Lord Erroll told delegates that, without doubt, we are experiencing a huge increase in risk due to the tough economic climate. “Are there incentives not to commit e-crime?” he asked, shortly concluding that there are not, and that more regulation is called for. “E-crime punishment is not heavy enough – the information commissioner (ICO) needs greater powers, the role is there to protect us. Perhaps the ICO should even have power to lock e-criminals up”.
Moving on to the subject of ID cards, Lord Erroll highlighted his concern for “the potential misdirection” that a huge centralised database could create. “The ID card creates a single point of potential failure, which in turn creates more pain for the victim”.
“I’m not sure that it’s useful to attach a single number or name [ID card] to a human being”, said Lord Erroll. “I can certainly see the potential dangers outweighing the good”. Speaking honestly, he continued, “It’s dangerous to hand over that much control. In fact, I think the whole thing is ‘dead dodgy’. I’m certainly against an ID card that can be used to check up on what we’re doing”.
Julia Harris, head of information security with the BBC, spoke of the limitations of education. “You need to make it easy to be secure, and not give your users any choice. No matter what you educate them, they’ll click on any link they see – especially those that pander to their ego. Business pressures will result in people breaking policy”, Harris said.
“The information security industry is more likely to survive this recession than the last one – whereas security used to be seen as an overhead, it’s now becoming known as a necessary evil”.
Harris’ advice for avoiding becoming one of the many companies “that get caught out” included “moving controls closer towards the data. Don’t trust your internal network any more than the internet”. Automate controls for programmers to run their code, and watch what’s going out onto your website, Harris continued.
‘What’s the secret for convincing senior management to invest in information security?’ one audience member asked Harris. “The fear that they’ll end up on the front page of the Daily Mail is enough to make security an easier sell” replied Harris. “Reputation is very important”.
Dan Blum, senior vice president and principal analyst, Burton Group, observed that “we’ve all been caught out by this new information society. In this information world, we don’t have absolute secrecy”.