Call for joint responsibility on net security

LONDON - The internet has become a "playground for criminals", says a recent report, Personal Internet Security. The report, published by the UK House of Lords' science and technology committee, decries the "Wild West" nature of the internet that makes it unrealistic for the UK government to maintain its position that the individual user is responsible for protecting themselves online.

The report quotes a recent survey, "Get Safe Online", which found that people were now more fearful of online fraud than burglary, and the committee warns that public fears of online theft of personal data need to be addressed or risk undermining confidence in the internet.

All organisations with a stake in the internet - such as software manufacturers, internet service providers (ISPs) and online businesses, including banks with e-banking facilities - have a role in promoting personal internet security, says the report. The idea of compelling ISPs to take more responsibility for customers' security is not new; it has been considered before by government and trade bodies, particularly in relation to data privacy issues. Although the idea seems popular with consumers, the concept of ISPs monitoring all their online traffic throws up many problems.

"The recommendations given are pragmatic and realistic but there are a couple of suggestions that would be more difficult to implement, such as making the ISPs responsible for monitoring internet security," says Jon Harvey, a director in Ernst & Young's financial crime team. "This would require ISPs to monitor all messages being sent to and from their customers. This has already been discussed by government and trade industry bodies and discounted as posing too many data privacy and security issues. If ISPs were required to do this, they would probably have to begin charging customers for internet access, which until now has been largely free. Moreover, this is a global threat and any laws introduced will not protect UK internet users who look up international sites."

The report calls on the government to introduce a bank data security law requiring financial services firms and online retailers to notify the public immediately about any data security breaches. The law would provide an incentive to banks and other companies trading online to improve data security, says the report. It also calls for measures that would establish legal liability for damage resulting from security flaws.

The government is advised to review "as a matter of urgency" the requirement that online fraud is reported to banks rather than to police in the first instance. It is also advised that victims of e-crime should have acknowledgment from law enforcement bodies that a serious crime has taken place.

Other recommendations include increasing resources available to the police and criminal justice system to catch and prosecute e-criminals; the establishment of a centralised and automated system, administered by the police, for the reporting of internet crime; and the introduction of a security 'kite mark' for internet services.

"This report is reflective of the growing concern in the whole area of data compromise, with the financial services in particular highlighted as targets due to the richness of their data. The Financial Services Authority is investing a lot of effort to mitigate this growing criminal sector," said Neal Ysart, senior manager, forensic technology solutions at PricewaterhouseCoopers in London. "A debate about the measures outlined in this report is only the first of many steps that need to be taken to make a real impact on the many different aspects of the problem of online data security. It is not just banks that are at risk, there are countless organisations that hold personal data, and the online criminals use increasingly sophisticated measures to tap into the wealth of information held on the internet."

The 2006 Ponemon Institute benchmark study estimated the average cost of a security breach at $4.8 million (results ranged from $226,000 to $22 million) - that equates to $182 per lost customer record - and these estimates do not take into account the incremental costs associated with the breach and the damage to the firm's reputation. With so much at stake, financial firms in particular cannot afford to be complacent about online security - a fact that this report has reiterated to the UK government.
