Practical Approach to Security: UK Agency Issues New IT Security Guide for Small Businesses

A new guide, A Practical Guide to IT Security, has been released for small businesses in the UK to assist in improving their IT security. Which threats should they be most concerned about, and how can they use the guide?

According to Simon Rice of the Information Commissioner's Office - the agency that issued the guide - cyber attacks, the insider threat, and the move of applications and processes to the cloud are top causes for concern for small and midsized businesses.

"Businesses need to recognize the different sources of these attacks and look at who's going to target their business and take the right steps to mitigate against them," he says in an interview with Information Security Media Group's Tom Field [transcript below].

The guide from the ICO focuses on topics such as anti-virus, employee awareness and physical security, and offers some basic steps businesses can take to improve their security posture, avoid incidents and dodge costly penalties.

The ICO is the UK authority empowered to fine organizations up to 500,000 pounds for noncompliance with the Data Protection Act [see: Lost Tapes Result in 150,000 Fine].

Rice sees a general lack of knowledge and understanding among businesses. "There are a lot of simple and easy things that they could do to protect themselves," he says.

In an interview about the ICO's new guide, Rice discusses:

  • The biggest cyber-threats to businesses;
  • Why organizations are ill-prepared to respond to these threats;
  • How to use this new guide to increase awareness and improve security.

Rice became the Principal Policy Adviser (Technology) at the Information Commissioner's Office in February 2011, with responsibility to lead and develop the technical and information security expertise within the office. He achieves this by supporting the technical aspects of complaints received and also the data breach investigations undertaken. Rice also monitors the technology environment to identify emerging technologies that may impact information rights.

The Information Commissioner's Office is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

TOM FIELD: To start, why don't you tell us a little bit about yourself and your role with the ICO, please?

SIMON RICE: I'm a technology advisor here at ICO. It's my role to draft and resource all technology expertise and advice across the whole of the office, feeding it towards different teams ranging from the policy to the investigations, and also on the help line. The idea is if anyone within those teams is not a particular technology expert, they can come to me and get the necessary advice and guidance they might need.

IT Security Guide

FIELD: About this report that your organization has just released, tell us a little bit about the genesis of this?

RICE: A couple of years ago, the ICO commissioned a report looking at some of the advice and guidance available out there, specifically for small and medium-sized businesses. It came back and said there's a lot of guidance and information out there. It's either a bit fragmented, disjointed, or difficult to find, all sort of above and beyond what an SME might be able to implement, and perhaps targeted just to big businesses or government or something like that. Obviously, smaller to medium-sized businesses make up a fair proportion of the UK economy. So it's quite important to target those and help them comply with their obligations under the Data Protection Act.

Biggest Online Threats

FIELD: What do you see as the biggest online threats to businesses in the UK right now?

RICE: There are quite a few and obviously quite a bit of media attention around a lot of them. I'm not sure which is necessarily the biggest, but obviously things like cyber attacks and people targeting websites or online sites and external sources. But I think alongside that, the insider threat is also certainly up there with those biggest threats, and really the businesses need to recognize the different sources of these attacks and look at who's going to target their business and take the right steps to mitigate against them. Obviously, moving things through the cloud as well brings up its own sort of different threats, but each of those is so specific and unique to each business and how they implement that within their organization.

FIELD: So particularly, when you're talking about the small to mid-sized enterprise, in what ways do you find these organizations are ill-prepared to respond to some of these threats you've just discussed?

RICE: I think there's a lack of knowledge and understanding what these threats are. [Businesses] might hear about cyber attacks or foreign governments launching attacks on different businesses and really think, "This isn't applicable to my business." They lack the understanding that a simple password could pose a particular threat to their organization. So I guess it's just this lack of knowledge. There are a lot of simple and easy things that they could do to protect themselves.

FIELD: In what ways then do you see this guide being able to help the organizations? I assume awareness is a big part of it.

RICE: Yes. It can provide hopefully a simple and accessible guide that has got sort of the bigger topics in it and in an understandable and easy way so that people can look through and realize that they might think that a password is an important thing; they might well know that but they don't appreciate the simple things like the word "password" or "123456" isn't a very good password, and try to understand why that might be.

FIELD: It's amazing the number of organizations that do that in the U.S. I've spoken to executives with the Secret Service that say the most common password they find - especially with small to mid-sized enterprises - is the word "password."

RICE: Yes and [it's] almost the case now that securing something with a password like that, you may as well not have bothered. It's not really any sort of protection in certainly a lot of cases.

Consequences for Organizations

FIELD: Well you're in a unique situation because not only do you have a guide for small businesses, but you also have the ability to impose fines and penalties for organizations that don't protect themselves. Speak to me a bit about potential consequences an organization faces if they ignore the advice you have presented to them?

RICE: That's right. For a couple of years now we've had the capability to issue fines up to half a million pounds, but meeting that criterion is actually quite strict. Within that, one of the criteria is the organization knew or ought to have known about the sort of threat and the risk. This guidance is one step toward the fact that they ought to have known. If a small or medium-sized business had a copy of our guidance and read it and decided not to go enable their passwords on their firewall or in their database or Wi-Fi, we could demonstrate and say, "Well actually you did know or you ought to have known that was a straightforward and simple thing that you should have done to protect the personal data," so therefore I'm guessing they could get issued fines.

FIELD: I know that recently in healthcare particularly the ICO has levied some fines that really have got people's attention, not just in the UK but internationally. Has that been the case in other business sectors as well?

RICE: I think the number has to be taken into context and NHS is a massive employer. There are some reports that suggest it's one of the biggest employers in Europe, and obviously the data that they're holding is particularly sensitive. Also, they have a very laudable policy of compulsory breaches, reporting breaches in a compulsory manner. So, obviously they're going to be at the top of the list, purely because of their size and the fact that they do report everything. But also a lot of the fines that have been issued have been a lot of these very, very simple things but also these actions have been repeated.

For example, there was one organization that sent a fax containing very highly sensitive information to the wrong recipient, but they got the fine because they did it a second time and a third time, after they had said that they had put measures in place. So as I said, they are kind of strict to receive this penalty, but in much [more] serious cases, organizations should be putting in these sort of simple measures in the first instance.

FIELD: What has been the initial reaction to the data protection guide?

RICE: Very positive feedback so far; some even asked if they could have their own specific version. I would say it's positive feedback. It [has] those important things and simple things that organizations should be doing in order to protect themselves. It's just the starting point for an organization. Simply reading the guidance and implementing some of the measures is a step towards compliance, not necessarily a guarantee, so it's raising that awareness of simple starting points to start to improve security.

Addressing Vulnerabilities

FIELD: Let's talk about some of those starting points. My final question for you is for organizations that might be unsure of their current vulnerabilities, and I would assume there are many of them. What are the immediate steps you recommend so they do understand where they're vulnerable and what the threats are?

RICE: I think the first stage is just to step back and do a bit of an audit. That can obviously be done internally, so people within the organization can look at what systems they have, what computers they have, what hardware and network infrastructure they have and where that data's stored and how it's processed. I would also look at the data that they're protecting. Do they need all of this data? Do they need to process it in the way that they do?

And then, start to look at the vulnerabilities that might be in place. How old is the software on your machine? Have you changed the password? Do you need to change the password? Very, very simple things like that - and doing that an organization finds out that they can't answer those questions if they don't have the skills. Then they can go to someone and get professional security advice that might be more appropriate for their business.
