The government may force companies to conform to security policy standard BS7799 to improve data protection, as worries over IT security failures grow in the wake of the SQL Slammer worm and other attacks.
David Hendon, director of communication and information industries at the Department of Trade and Industry (DTI), warned last week that unless business leaders made IT security a high priority, security standards BS7799 or ISO 17799 might become mandatory.
"There comes a point at which society cannot allow the corporate equivalent of train crashes to keep happening. Corporate responsibility will have to be considered," said Hendon, speaking at the Protecting Critical Information Infrastructures conference in London.
So far, only 80 UK companies have achieved certification for the BS7799 standard. Hendon said this low figure was "appalling", but admitted his own department was unlikely to devote money to seek accreditation until it was forced to do so.
Lawyers said the government may try to push firms to seek accreditation by using existing data protection laws, which require organisations to take measures to secure data. The Information Commission recently included a question on BS7799 certification in its annual data protection forms.
Jonathan Armstrong, technology lawyer at law firm Eversheds, said the commission could presume that if a firm has not signed up to BS7799, it is not taking effective measures to secure its data.
But businesses are likely to oppose the mandatory imposition of standards, especially since BS7799 compliance is a costly process that can take several years to achieve.
Jeremy Beale, head of e-business at the CBI, said security should be "achieved through encouragement" rather than legislation, by measures such as favouring accredited firms in government tenders.
Eversheds' Armstrong said it was possible the government would favour suppliers that are BS7799 certified. "But that would leave room for allegations of restraint of trade." Armstrong added that it was legitimate for the government to ask for improved security. "[However] some firms may consider that they have introduced adequate protections without seeking accreditation."
Firms had been put off because of the perceived costs, said David Lacey, head of information security and governance at the Royal Mail Group. But after going through the accreditation process twice, he said this was a misconception: "It is a very efficient way of improving security procedures."