House of Lords Internet security recommendations difficult to enforce


With a major overhaul of UK Internet security practices likely, following publication of the House of Lords Science and Technology Committee report last Friday, security specialist McAfee warns that legislation may be difficult to enforce.

The report’s recommendations include: the introduction of a central web-based e-crime reporting system; creation of security breach notification laws; IT security vendors to be held liable for security breaches; and a review of the current system where online fraud is reported to banks, with legislation that holds banks liable for losses.

Greg Day, security analyst for McAfee, comments: “We welcome many of the recommendations of the report and believe the introduction of a UK disclosure law would be a very positive step forward. Similar legislation is already in place across many US states and I feel it would improve confidence in the security of business in the long-term.

“Full disclosure is a positive step in the long term as it provides customers with the confidence that they will be informed should their personal information be breached/lost. Equally, it adds pressure to businesses to ensure that they have the appropriate security measures in place to prevent data breaches occurring to them.”

However, he also warns: “Short term, consumers may see an increase in breaches as full disclosure takes effect. It would be important to educate them that this is not a sign of things getting worse, but more visibility of what is, and has already been, happening behind closed doors.”

As for the liability of security vendors, Day says: “It would be very difficult to hold vendors responsible for breaches, as it really comes down to how solutions are implemented. You would have to ask, ‘Did they have it configured correctly, updated and maintained?’

“Every business has different IT security requirements depending on their business and IT footprint. A security vendor supplies businesses with the tools, but it is down to the business to use them correctly.”

Day says McAfee’s own recommendations for increased Internet security for businesses are:

- Develop, enforce and ensure compliance of a security policy
- Safeguard data at every stage
- Implement access control and monitoring tools
- Monitor and prevent installation and usage of unauthorised applications
- Educate and retrain employees