In February 2007, financial services giant the Royal Bank of Scotland gave notice that it had been targeted by criminals seeking to exploit a hitherto overlooked chink in the corporate firewall: home working. Hackers had hoped to exploit lower levels of security in home computers to burrow into the corporate network.
Home working is becoming increasingly common at many large companies, but security standards at home are frequently far below those imposed on the premises. While companies can insist users connect to their networks via secure links, a “lack of awareness” over basic IT security increases the risks of those machines being compromised, opening a hole in corporate defences, warns Chris Simpson, chief inspector at Scotland Yard’s e-crime unit.
The level of concern is such that many in the IT security industry are beginning to re-evaluate their defensive game plans. IT security is now, quite simply, “all about the end user”, says Lieutenant General Sir Edmund Burton, a key advisor to the Cabinet Office on information assurance and former chairman of the Police Information Technology Organisation (PITO), whether that end user is operating at home, in government or in business.
With criminals exploiting any point of weakness, businesses, public sector organisations and law enforcement agencies have to work together to improve IT security, says John Walker, head of operational security for credit services company Experian. “Business must share information with trusted people and organisations working within their operational sector, be that the financial or healthcare communities, or law enforcement agencies. Only by taking such an approach will it be possible to attempt to address the wider issue of what I would refer to as socially responsible computing, which is in the interest of everybody.”
This will not happen overnight. Business leaders are reluctant to share details of incidents that may damage their reputation, and are often sceptical of law enforcers’ capabilities. However, examples of good practice are beginning to emerge.
In Sweden, the government is already working with nine local banks to improve IT security levels under its Bank ID programme. “If every government and every service provider tries to manage the threat separately, they will fail because they won’t have the resources. This would be enormously expensive to the overall economy. We have to do it together, and we have to do it in a scalable way so that we can jointly meet the threats,” says Kenneth Tessem, chief operating officer of Bank ID.
Achieving what Burton describes as the “classic joint venture”, in which government, the commercial community and academia co-operate on a large scale in the interest of the whole group, is no small task.
In the UK at least, there is not a strong tradition of the corporate community operating in this way, adds Simon Perry, a security strategist at software vendor CA. It has created something of a “divide” between itself and the state, he says.
The alternative, however, is the inexorable growth of cyber-crime – a situation that leaves everyone highly exposed, says Tessem. “The good guys have to co-operate,” he concludes, “because the bad guys do.”