Why is information security needed?

The purpose of information security management is to ensure business continuity and reduce business damage by preventing and minimising the impact of security incidents. The Audit Commission Update report (1998) shows that fraud or cases of IT abuse often occur due to the absence of basic controls, with one half of all detected frauds found by accident. An Information Security Management System (ISMS) enables information to be shared, whilst ensuring the protection of information and computing assets.

The Audit Commission Update report shows that in the UK the percentage of organizations reporting incidents of IT fraud and abuse in 1997 rose to 45% from 36% in 1994. While equipment theft is a real problem, the most damaging aspect is the loss of data and software. Sources of damage such as computer viruses, computer hacking and denial of service attacks have become more common, more ambitious and increasingly sophisticated. The internet exposes organizations to an increased risk that networks will be accessed improperly, data corrupted and viruses introduced. The percentage of organizations reporting hacking incidents has trebled, with telephone systems as a new target. Not all breaches are the result of crime; inadvertent misuse and human error play their part too. Virus infections are still the single most prevalent form of abuse. More commonplace, and just as destructive as crime, are threats like fire, system crashes, and power cuts.

Poor supervision of staff and lack of proper authorization procedures are frequently highlighted as the main causes of security incidents. Companies vary in their approach to preventing security breaches: some prohibit everything, making mundane access tasks difficult; others are too lax and permit access to all by all, exposing themselves to a high degree of risk. Business efficiency relies on the right balance and this is where standards can help.

Dependence on information systems and services means organizations are more vulnerable to security threats. The interconnecting of public and private networks and sharing of information resources increases the difficulty of achieving access control. The trend for distributed computing has weakened the effectiveness of central, specialist control.
