EURIM – IPPR E-Crime Study

Partnership Policing for the Information Society

Second Discussion Paper

 

Protecting the Vulnerable

Addressing the Needs of Small Firms and others without in-house ICT or Security skills

Summary of Key Points

Over 10% of the world population, including half that of the UK, has now used the Internet. Many do so regularly. So, almost certainly, do a similar proportion of criminals: to automate old crimes and identify potential victims, as well as to commit new crimes. Computer assisted crime is no longer “special”. It is part of the mainstream of criminal activity. Like other forms of crime it can be split into that which is opportunistic (and can be readily deterred or deflected) and that which is planned and organised (and much harder to handle). The EURIM-IPPR E-Crime Study (visit www.eurim.org for the first discussion paper “Separating Snake-oil from Reality”) is a comprehensive exercise to look at the actions needed to reduce the consequent cost to UK-based residents and business.

This second paper is focussed on the needs of small firms and those with “always on” connections. Their systems are a particular point of vulnerability: to their owner's business affairs, to those in the supply chains to which that owner belongs and to other users if the system is hijacked for use as a “zombie” in an organised denial of service attack.

Those vulnerabilities can be greatly reduced by:

·         educating small firms and individuals on the risks and on what they can do to protect themselves;

·         opening up new and more effective channels of advice and communication through those organisations that are respected in specific communities (public, private and voluntary sector);

·         encouraging ICT suppliers, particularly retailers, to promote and sell robust, effective and easy to install/use/update/maintain security products and services.

Effective action in these areas requires, however, that:

·         prevention of computer assisted crime be treated as a mainstream priority, not just as an add-on, in all ICT education, training and awareness programmes;

·         realistic and practical advice is channelled through those with influence over the target audiences (including perhaps their bank, insurer or communications provider as a condition of service);

·         customers are educated to request and pay for products and services which are not only robust and usable but also profitable to sell and maintain.

There are also very real issues with regard to the scale of resources and expertise needed on the part of law enforcement to handle the rising tide of computer assisted crime.

 

The scale and nature of the problem

Only 7,000 companies have more than 250 employees, with another 27,000 employing 50 - 250. There are 2.6 million sole traders and 1.2 million other firms with fewer than 50 employees who account for 99% of UK businesses and employ over 40% of the UK workforce. Much effort has been made, not just by ICT suppliers and retailers but also by banks and government to encourage small firms to adopt e-commerce and to encourage all groups in society to go on-line for financial transactions and dealings with government as well as for personal activities and hobbies. That effort has been reinforced more recently by the promotion of always-on (and therefore always vulnerable) connections.

Small businesses present a particular concern in the emerging electronic economy. The impact of crime on them is well illustrated in a recent Institute of Directors (IoD) report[1]. They commonly have neither ICT nor security expertise, nor the time or funds to devote to securing their systems. They are a particular target for government initiatives and education programmes of all types by DTI, by DfES and by others. However, this has not, to date, had a significant impact on their attitudes and behaviour in the electronic world.

Many other organisations without in-house ICT expertise, such as voluntary organisations or charities, face similar problems, including the lack of knowledge as to whom to call when an incident occurs, or even how to recognise whether it is accidental or malicious. Similar problems affect domestic users, whether as home-based worker, student, parent or consumer.

Those who use computers and the Internet without adequate security are not only a danger to themselves, they can also be a danger to the rest of an increasingly inter-connected on-line world, as shown by recent problems with the latest generation of viruses and worms that spread rapidly through poorly protected systems:

·         they are a point of weakness, with systems which may be remotely accessed and misused – allowing, for example, access to commercially sensitive information or customer and supplier details which may be used for impersonation, fraud or other criminal activity;

·         many are in the supply chains of larger organisations and present a soft underbelly through which those larger organisations can be attacked;

·         they cannot be relied on as customers or suppliers if their own existence is threatened by misuse of their systems.

Meanwhile, economic pressures mean that larger organisations can devote only limited resource to educating those in their supply chain, whether customers, suppliers, sub-contractors or partners. They will naturally concentrate on those critical to their own business.

Most potential victims do not know how to secure their systems effectively or to assess the risks to their business of their use of computers and the Internet. There are many consultancies which claim to be able to provide the necessary advice and guidance, but few are available to do so within the budget likely to be available to a small firm or voluntary organisation. Even if a small business has a budget, how can they identify whom to trust with intimate knowledge of their systems? There is no equivalent of the NACOSS accredited firm that can advise on security and install and routinely check the firewalls, virus checkers and system security settings which should be protecting the information systems, just as locks and alarms protect the office, warehouse or workshop. There is a need for realistic advice and guidance tailored to the needs and concerns of small organisations and individuals.

Approach

It is essential to get the message across to small firms that acquiring, installing and maintaining secure information systems is essential both for their own good and for that of the economy generally. Given the sheer numbers and diversity of the small business community, this will be a difficult task, as is shown by the limited success of campaigns run to date. It is necessary to focus on a very few key messages that build on the existing perceptions, expectations and experiences of small firms, rather than to try and establish new concepts and processes.

The need for maintenance of plant and the like is already well understood by small firms, as is the expectation that providers supply appropriately configured products and services. The recommendations outlined in this briefing build on this to create an environment where responsibility for creating and maintaining a safe information systems environment is shared between key players. As a part of this shared approach, there needs to be clear guidance on where liability lies should failures occur.

Three groups of people/organisations should be involved to address the needs of small firms:

·         Those with the knowledge to produce the necessary information and advice.

·         Those with the credibility to affect the attitudes and behaviour of small firms.

·         Those with the ability to get credible information across to communities of small firms.

These organisations need to work through three main points of leverage:

1. To educate small firms and individuals not just on the risks but also on what they can do to protect themselves.

2. To open up new and more effective channels of advice and communication through key organisations that are respected in specific communities of small businesses.

3. To encourage ICT suppliers, particularly retailers, to promote and sell robust, effective and easy to install/use/update/maintain security products and services.

There is also a need to ensure that small business has effective means of reporting suspicious incidents and receiving intelligence appropriate to their capability to react. The EURIM-IPPR working paper on Reporting Methods and Structures includes discussion on, and recommendations for, action on reporting incidents and the dissemination of intelligence that include the needs of small businesses.

Education and Information

Small firms and individuals need to be educated not just on the risks but on what they can do to protect themselves. This should combine two approaches, balancing short and long term goals.

In the short term there is a need to bring together the latest generation of crime prevention and information security material from a variety of sources[2], including that from the Home Office and the latest generation of UK-Online and Small Firm advice material supported by the DTI. The resultant practical guidance should be based on situations with which the target audiences can relate, rather than the processes used by law enforcement or by security professionals in larger organisations.

Such material needs to exist in many forms, targeted at specific communities of small firms and users. To ensure consistency and to simplify the task of ensuring information is up-to-date and relevant, core sets of information should be created and maintained from which all other material is derived. These should be produced in such a way that they can easily be reproduced in a variety of forms under different labels and logos without having to worry about copyright – but this needs to be done in a way that ensures the content is not compromised and the source is acknowledged.

There appear to be two main presentational requirements:

·         material to promote and inspire confidence in e-commerce, provided the right security precautions are taken;

·         crime prevention material and guidance for those who believe they are faced with suspicious incidents, including potential e-crime.

The presentational requirements are very different but the content needs to cross-refer and to be compatible. This will entail co-operation between those responsible for developing and maintaining material in both areas.

Recommendation 1:

That the National High-Tech Crime Unit (NHTCU) takes the lead in facilitating the development and maintenance of a common source set of information for the guidance of small firms in managing criminal risk in information systems and e-commerce.

 

The material should cross-reference, and be cross-referenced by, the sections on risk management (including non-criminal risk) in the material developed for the promotion of e-commerce under the UK-Online and other programmes. It needs to include reference to the information on reporting and intelligence dissemination, covered by the working paper on Reporting Methods and Structures suitably adapted to meet the needs of small business communities.

The collation process should involve those responsible for supporting large numbers of end-users, PC retailers, insurance companies, high street advisors (e.g. accountants) and relevant victim support groups, as well as government departments, law enforcement and ICT and security suppliers, so as to ensure that the advice is both realistic and related to the perceived needs.

The different sets of information, likely to be accessed and read under different circumstances, should then reinforce each other in helping small firms and home-based workers understand the need to treat information security as a key business driver and to follow the steps most necessary to reduce risk to their business.

Recommendation 2:

That a “Green Cross Code” for safe use of computers and the Internet in small businesses and in homes be developed and distributed widely. This would provide advice, point to publicly available Codes of Practice and Guidance documents for further information, and advise on how to report suspicious incidents.

 

In the long term, practical security to an appropriate level needs to be included as an integral part (not just an add-on) in all publicly funded education and end-user training, as well as that provided by employers for technical and support staff. The aim is to create a workforce that understands the basics of securing business systems and what to expect as a minimum from ICT suppliers. Most existing publicly funded courses and qualifications contain little, if anything, relevant to small firms or end-user security. The paper on Growing the Necessary Skills contains detailed recommendations. Key recommendations of benefit to small business are repeated here to reinforce the need for their active support.

Recommendation 3:

That the Learning and Skills Councils and other DfES funding agencies work with and through relevant Sector Skills Councils and Professional bodies to mandate the inclusion of practical ICT security in all publicly funded end-user and technician training.

 

In the short term, advantage can be taken of existing training programmes to promote awareness of both risks and solutions on the part of small organisations, home users and those who sell to and support them.

Recommendation 4:

That the ECDL syllabus and other mass market ICT user skills programmes be extended to include specific security sections that address the basic security precautions that all PC users should take, such as anti-virus software and a maintained firewall.

 
Channels of Communications

New and more effective channels of advice and communication need to be established through key organisations that are respected in specific communities of small firms (e.g. via Chambers of Commerce, accountants and other local business advisors, Citizens Advice Bureaux, Community Policy Partnerships, Business Link), including the identification of local sources of security advice and guidance that can be trusted. These should be supported by national channels such as UKOnlineforBusiness and the Learn Direct and UK-Online Centres, trade associations and professional bodies. Other channels should also be considered. Examples are regular advice columns in the trade press, including vertical sector publications, and in hobby and other magazines aimed at the consumer market.

Good central web sites – building on existing sites such as UKOnlineforBusiness – need to be developed that are attractive to small firms and written in language to which they can relate. They should include practical advice and, to encourage repeat visits, features such as a “Thought for the week” that change frequently and create interest.

What is communicated should build on the core set of information created in (1) above to ensure that consistent information is provided to different communities of small firms in the most appropriate form.

Recommendation 5:

That the Home Office, DTI and DfES and others co-operate in identifying and supporting suitable channels for the provision of practical advice to communities of small firms on the need for security and where to go for guidance when an incident is suspected.

 

This should be supported by publicity campaigns to create greater awareness of the dangers of e-crime through a variety of channels.

Recommendation 6:

That the Home Office mount a publicity campaign, similar to that on the need to secure your car, highlighting the need for PC security and identifying sources of guidance.

 

Past experience with shipping systems with security features enabled without informing customers of the side effects (performance, facilities etc.) or of the implications of turning off such features indicates that it is essential to help customers to make informed choices. Given that small firms are often readier to spend money than time, they also need to know the cost for the time of the retailer or independent contractor/consultant (and therefore likely charge) helping them to decide (for example) the settings for their operating system, security software, applications or firewall. Given their lack of understanding of the issues, it is desirable that the people and companies offering such services are appropriately qualified.

Recommendation 7:

Encourage industry-led accreditation schemes, perhaps based on existing qualifications such as the ISEB Certificate in Information Management or the (ISC)2 CISSP certificate combined with a simple CRB search to cover the skills appropriate for advising SMEs.

 
System Supply, Services and Support

ICT suppliers, particularly retailers, need to be encouraged to promote and sell robust, effective and easy to install/use/update/maintain security products and services as one of their most profitable product lines. A key aspect of this is to promote the concept that information systems need regular maintenance if they are to remain effective. For this to become practical, systems must be supplied already configured to include all appropriate mechanisms – and not rely on the customer adding facilities later.

 

This is the most important of the points of leverage. Until it happens any other activities will be of limited value. Many product suppliers do provide on their web sites information on how to secure their products, but this is often not written so as to be comprehensible to non-technical people. There are many independent contractors and companies offering services, but it is difficult for a small firm to know whether those providing the services are either competent or trustworthy.

Recommendation 8:

That an industry or trade association grouping (such as SAINT or Intellect) should convene a supplier workshop to review product and service offerings to small firms. Among the topics for consideration should be the profitability of collectively offering and promoting security “health check” packages and secure versions of common products and services (e.g. all ports closed unless specifically switched on as part of an applications package installation routine) to small firms via high street retailers. Ways of delivering services via independent contractors and small service companies should also be considered.

 

In parallel, independent contractors and service companies should be encouraged to offer maintenance and security auditing services, backed up by relevant qualifications and good practice guidelines. As part of this, appropriate security knowledge and experience should be included as part of the training of all people involved in the development, supply and support of information systems.

Recommendation 9:

That BCS, C&G, IMIS, OCR, the skills councils and others urgently review their existing end-user and technician qualifications and ensure that they not only include practical and up-to-date content with regard to security but that this forms a mandatory part of the practice and assessment routines.

 

 

© Copyright EURIM 2004. All Rights Reserved. For written permission to reproduce any part of this publication please contact the Administrative Secretary, EURIM (email: admin@eurim.org; fax 01984 618383). This will normally be given provided EURIM is fully credited. Whilst EURIM has tried to ensure the accuracy of this publication, it cannot accept responsibility for any errors, omissions, mis-statements or mistakes.


[1] “Crime, its extent, impact and consequences for business.” – see http://www.iod.com

[2] Including, for example, the documentation on www.cert.org/nav/allpubs.html, although it would need to be adapted to include UK and European, rather than US, law and regulations.