BSI warns that UK business ignoring terrorist threat to information security

Press release - 28 April 2003

'Laptop' terrorism and cybercrime pose major threat to UK businesses but international standard to protect companies is little used

BSI warns that business at risk from 25 'Attack Threats'

In the wake of comments that only 85 UK companies have followed DTI and security service advice to meet the BS7799 Information Security (Information Security) Standard, and that the Government may fine businesses that fail to put information security systems in place, BSI (the leading authority on BS7799) is calling for action.

Developed by BSI, BS7799 is the internationally recognised standard for information security management. Both the DTI and MI5 promote the use of BS7799 and were involved in its development from the start.

In Whitehall and Washington there is increasing concern about the new threat from terrorists who target companies' information systems. In particular the threat posed to the 'Critical National Infrastructure' (CNI), which includes Telecoms, Utilities, Financial Services, Health Service and Emergency services.

In the UK the little known NISCC (National Infrastructure Security Co-ordination Centre) has responsibility for CNI protection. On its website the NISCC describes the threat:

"There can be little doubt that the incidence and severity of electronic attacks will increase and the threat will rise for the foreseeable future. Any system connected to the Internet or other public network is a potential target for attackers."

One major focus of concern is The City of London as Europe's main financial services centre. Given that only 85 companies UK-wide are certified to the Standard, the vast majority of companies in the City are potentially ill prepared and exposed.

Commenting on the real nature of the risk, Peter Murray, BSI special consultant, and former information extraction expert who conducted covert operations on behalf of UK governmental organisations, said:

"BS7799 will go a long way to solving the problem. When BSI developed the standard they were looking into the future and predicting an essential business requirement. That future has now arrived but companies are failing to act.

"Whether it is a terrorist threat or commercial cybercrime, there is a genuine risk.

"US Security services in Afghanistan found laptops and documents which showed that attacks of this kind were being planned.

"In one recent example in Australia the Queensland water company fell victim to an electronic attack which, over several months, overrode its computerised sewerage system and released sewerage causing environmental damage, prosecution and major reputational damage to the company.

"One of the main problems is that companies feel their information is safe because they have IT 'firewalls' or because they have not had any reported incidents. The reality is that if information has been breached successfully companies won't even know it has happened.

"Reported incidents are probably only 10% of the number which actually occur."

"The US may have set up a whole department of national security with 170,000 personnel to implement Operation Liberty Shield, but the UK has the best practical solution with BS7799.

Giles Grant MD of BSI Business Information, added "The Government, by its engagement in the Standard from the outset, has laid the ground. It is now for companies to take action and put in place information security systems."

25 Attack Threats to Business Information

In a new book to be published shortly by the BSI, the 25 'Attack Threats' to information security which companies face will be detailed for the first time in one place.

Giles Grant MD of BSI Business Information, said "Information is the lifeblood of all organisations. With the threats to share price and organisational reputation, protecting information has never been more important.

"The risk applies to thousands of companies. It can be high-tech such as 'Freaking' which is the practice of 'piggy-backing' on company phone lines to access computer networks or low-tech 'dumpster-diving' as practiced by the infamous 'Benjie the bin man' who is renowned for sifting through companies rubbish to find corporate secrets.

"The BS7799 Standard is about a comprehensive system for protecting information from 'Business Continuity Management' which ensures that companies can function in the event of a major catastrophe like 9/11, to tried and tested 'threats' such as bugging. It encompasses people, physical environment, communications systems processes and IT systems."