IT WEEK • 27 SEPTEMBER 2004

COMMENT Has the government gone too far in regulating e-business and data control in the UK?
ANALYSIS Corporate IT faces new types of attack

MANAGEMENTWEEK
WHERE TECHNOLOGY BECOMES BUSINESS REALITY
Editor: Madeline Bennett

Firms fall short of data laws
James Sherwood and Madeline Bennett

Firms should archive critical data and invest in fast retrieval technologies to comply with data access and reporting rules, experts warned recently. But poor awareness of data management regulations means that many firms may fail to meet their obligations.

Speaking in London at a recent event on compliance, Edmund Sautter of law firm Mayer, Brown, Rowe & Maw, said systems to comply with data management rules should follow the lead of those used to record data on financial transactions. “Firms would be wise to invest in systems allowing them to archive and produce the relevant documents quickly,” Sautter said. Comprehensive storing of critical data and fast retrieval methods could slash legal costs in the event of disputes, he added.

The storage practices of financial services firms could offer a good model, said Val Bercovici, chief technical architect of storage firm Network Appliance. “Financial institutions have become world leaders at data storage, thanks to the repercussions of non-compliance with storage rules relating to financial documents,” he said.

However, Tony Lock of analyst firm Bloor Research said firms should not rush to buy the latest data storage systems. “Businesses don’t need to buy lots of expensive storage as it’ll just be rendered obsolete after a few years,” he said. Instead, he advised firms to outsource their storage or invest in scalable storage infrastructures.

There are a range of tools available to help firms comply with data laws, but many firms are still uncertain of their precise responsibilities. In a recent survey by business process specialist Macro 4 only about two thirds of IT directors said that they were fully aware of their firms’ obligations for data management, archiving and disposal, though more than three-quarters claimed their firms were fully compliant.

In the survey of 100 IT directors, just over a quarter said they were roughly aware of compliance issues regarding document management methods, and 11 percent admitted their firms were not meeting their obligations in this area.

The chasm between poor awareness and claimed compliance was widest in the financial sector, where firms face the most stringent rules. Twenty percent of IT directors in this sector claimed to comply though they said they were not fully aware of the requirements.

David Chalmers, Macro 4’s product strategy director, said, “To be ‘more or less’ aware of what is needed for compliance is the language of complacency. That is not acceptable for any business.”

Photo caption: Chalmers: firms are complacent

STEPS TO COMPLIANCE
• In a survey, only about two-thirds of IT directors said they were fully aware of legal obligations for data control, archiving and disposal.
• Experts say companies must ensure they archive critical data, and should consider buying scalable storage and fast retrieval technologies to fulfil their legal duties.

www.itweek.co.uk/specials/1142131
Comment, p40
www.macro4.com

DTI supports IT females
Madeline Bennett and James Mortleman

The government has opened a facility to encourage more women to take up technology careers. However, computing is still proving an unpopular option for many younger females, according to the latest A-level figures.

The Bradford-based UK Resource Centre for Women in Science, Engineering and Technology (SET) will work closely with industry and academia and aims to encourage more women to take up employment in technology. It will receive government funding of more than £4m over the next three years.

The new centre, launched by the DTI, will share advice on good practices with firms, and plans to develop a recognition scheme for good SET employers.

One of the principal objectives of the resource centre will be to address the skills gaps in areas such as technology. “It is vital for the UK’s competitiveness that we close the skills gap in science, engineering and technology,” commented Jacqui Smith, minister of state for industry.

Smith added that another objective is to get more women with SET skills employed in good jobs and senior positions. “And we need to work with business to make sure that women who take career breaks return to quality SET positions,” Smith added.

According to recent research the pay and prospects for women with IT skills are now the best they have ever been. A salary survey by the Chartered Management Institute (CMI) found female IT managers earn an average of £47,315 a year. This is second only to women managers in the chemical industry, who command almost £50,000.

Petra Cook, head of policy at the CMI, said that the latest figures were encouraging. “Today’s talented females have the same opportunities for professional development as their male counterparts, and with the right skill sets women can achieve pay parity with men,” she said.

But the prospect of higher wages in technology roles does not appear to be enticing more women to pursue IT careers. Women accounted for just 12 percent of computing A-level students in 2004, and 35 percent of information and communication technology (ICT) students. These low figures are especially worrying given the 16 percent drop in the overall number of computing A-levels taken compared with last year.

Chart: GIRLS SHY AWAY FROM IT. A-level computing students by gender: Female 12%, Male 88%. Source: Joint Council for Qualifications
www.setwomenresource.org.uk

CONTENTS
COMMENT A swathe of obstructive and over-protective regulations has stifled the development and growth of e-trade and other business in the UK, says Mark Street
ANALYSIS Recent research shows an alarming rise in attacks on IT systems and portable devices, as well as a number of new and more sophisticated threats

US considers reward for spam tip-offs
Madeline Bennett

In an attempt to combat junk email, the US government is considering a scheme to reward whistleblowers in spam cases. If the reward scheme worked well, it could have a knock-on effect, reducing spam in the UK and elsewhere, given that most spam originates in the US.

In a report released this month, the US Federal Trade Commission (FTC) said the offer of rewards of between $100,000 and $250,000 for turning in spammers could make US anti-spam legislation more effective.

The idea behind the reward proposal is to encourage employees of spammers to provide tip-offs, and offset the fear that they might lose their jobs. Rewards would be limited to cases of high-value information provided by close contacts of spammers. The agency has passed its recommendations to Congress, suggesting that a bounty for spammers should be written into law.

Firms are under growing pressure to combat spam, and a recent survey found that most staff want their firms to have a duty to block offensive emails. Antivirus firm Sophos polled over 1,000 people and found that more than half wanted their employers to take action to stop offensive spam.

Failure to take preventative measures could land firms in hot water, if staff decide to take legal action against their employers for not protecting them. Although the UK has yet to see a test case in this area, legal experts warned it is only a matter of time.

“It is irresponsible for employers not to protect staff from unsolicited emails containing offensive, pornographic and racist content,” said Carole Theriault, consultant at Sophos.
www.itweek.co.uk/specials/1151002
www.tinyurl.com/4ycm5

E-business suffers Labour pains

Instead of creating an environment in which online commerce could develop and grow, New Labour has pushed e-businesses into a regulatory straitjacket, argues Mark Street

When Tony Blair came to power, he vowed to make the UK one of the most e-enabled countries in the world. But as Mike O’Brien takes over from Stephen Timms as e-commerce minister, companies could be forgiven for thinking that, far from being one of the best places in the world to carry out e-business, the UK could possibly be one of the worst.

In a very short space of time, firms intent on doing good e-business have found themselves subject to a wave of obstructive legislation such as the Data Protection Act, which limits how much information they can gather about their consumers. And yet credit card companies can know everything about our transactions without penalty. Now there is a danger that these over-protective laws will prevent some companies from taking advantage of offshore outsourcing if foreign countries do not come up to our own restrictive standards.

Under the Data Protection Act, firms are limited in how they can monitor their employees to ensure that staff do not abuse their positions and corporate internet or email systems. But at the same time the Regulation of Investigatory Powers Act ensures that the government has access to all confidential emails, potentially compromising highly confidential corporate information, and running completely counter to the Data Protection Act.

Elsewhere, UK companies have found themselves subjected to a mountain of corporate governance laws, which are forcing IT directors to devote more and more time to tools for auditing and logging rather than getting on with the business of creating excellent IT systems and making profits from them.

The Distance Selling Act gives consumers far too many rights when they buy goods over the internet, compared with the high street. When was the last time your high street store offered you a seven-day cooling off period? There is also an abundance of employment legislation for companies to adhere to; and employees can demand company-wide searches on documents containing their name, taking up more of the IT department’s precious time.

The signs are that this government’s love of micro-management through legislation – some admittedly forced on it by Brussels – is set to continue. Already there have been strong hints from senior government figures that they will impose IT security standards on firms as part of the war on terror.

And yet, where the government could genuinely do some good, such as legislating to make BT speed up the unbundling of the local loop and get some real competition in the market, nothing is done. There have also been few tax breaks to encourage firms to invest in their IT infrastructure in the economic downturn to ensure that they are in good shape when better times return.

All the received wisdom states that deregulation is the route to doing better business. The market should be allowed to dictate its own needs. What we have seen over the past few years is the exact opposite of this. The UK does not lead the world in providing an environment to carry out e-business but it must be one of the top runners when it comes to drafting legislation to stop it. I wish Mr O’Brien the best of British luck – he’ll need it.

System attackers up the ante

New research shows that attacks on IT systems are not only rising, they are also becoming faster and more sophisticated

SECURITY ANALYSIS BY MADELINE BENNETT

The recent Internet Security Threat Report from security vendor Symantec painted a bleak picture for IT security – both now and into the future. The firm outlined myriad threats, including phishing attacks, spyware programs and the spread of malicious code via peer-to-peer networks and web browsers. Symantec also warned firms to take additional measures to secure portable devices such as PDAs and mobile phones, which will face increasing attacks.

Another problem identified in the report is that devices put in place to secure systems are actually becoming vulnerable themselves. Symantec discovered over 20 flaws in perimeter devices such as firewalls and broadband routers, which are actually designed to prevent intrusions.

Additionally, the security company warned of a dramatic rise in the number of hijacked machines, referred to as bots. Bots hold hidden programs that enable malicious users to remotely control systems for the purposes of gathering confidential data or launching attacks. Before 2004, there were under 2,000 bots detected per day. Now that figure has increased to an average of 30,000.

Bob Jones, managing director of security company Equiinet, warned that the threats are increasing. “[The danger is worse] both in terms of the number of attacks and the time it’s taking for each flaw to be exploited,” he said.

Jones added that industry is now relying more heavily on artificial intelligence techniques to thwart attacks as early as possible. He cited Bayesian filtering as a useful self-refining technique that firms could add to the more conventional methods of detection and defence.

However, more traditional forms of attack are still widely used. The report indicated a worrying rise in the number of new Windows-based viruses and worms. Almost 5,000 were discovered during the first six months of this year compared with under 1,000 in the same period in 2003.

The head of IT security at a large investment bank said corporate defences are usually capable of stopping viruses and worms, presuming there is a properly-configured firewall in place. “[But] there’s always a chance that a worm might enter through a previously-safe protocol that can’t be blocked, for example DNS, HTTP, mail,” he said. “So the more different types of attacks being made, the more chances that they get lucky. Sometimes configuration mistakes are made.”

At the same time that attacks are increasing, the average period between a flaw being discovered and an exploit being launched has been reduced from seven days to under six days, according to Symantec. Nigel Beighton, Symantec’s director of community defence, said firms now have to patch their systems more quickly.

“Whether it’s seven days or 5.8, it’s still a huge challenge for firms. It became a huge problem once the window fell under a month,” he said. “The drop to under seven days means firms can’t rely on their normal patch schedules and have to move to an ad hoc scheme, which is more difficult.”

One reason for the growing number of attacks is that many firms are relying on older, common systems, said Beighton. “There have not been many technology changes over the past two years, so hackers can reuse exploits,” he said. “The rate of attacks will slow down when we see some big technology changes and move to a far more web services-based environment. But we’re a few years away from that yet.”

Photo caption: Beighton: speed up patching

SUMMARY
• Security specialist Symantec reports that the number of online attacks has grown rapidly and new types of threat are emerging.
• The company says that better defences are needed to tackle spyware, hijacked PCs, malicious code targeting mobile devices, and holes in perimeter devices.
• Experts say that wider adoption of new technologies such as web services may prevent many threats, but this is unlikely to happen soon.

www.tinyurl.com/58rgk