Time to take online security seriously

If there is such a thing as a security season, it reached its frenzied peak this week. The UK has gone security mad and for the past month or so we have been bombarded with research and theories.

We know, for example, that 25 per cent of organisations do not enforce wireless security policies and that 64 per cent of office workers would be willing to swap their passwords for a bar of chocolate.

With such a furore in the IT industry it would be easy to believe that the security message is universally understood, but facts and figures paint a different picture. Security is still a massive problem and electronic crime is increasing.

According to banking body Apacs, losses from online banking fraud leapt by 44 per cent from £23.2m in 2005 to £33.5m in 2006. And in the same period the number of phishing attacks on banks rose from 1,714 to 14,156.

We are told online security is incredibly important and more needs to be done to secure data and prevent attacks, yet the behaviour of influential bodies is more relaxed.

Take Barclays Bank, for example. Last year it said it was going to issue all of its online banking customers with two-factor authentication devices to reduce phishing and card-not-present fraud. Last week, however, it said only a quarter of those customers – about 500,000 people – will be issued with the devices.

If online crime was so serious six months ago that all customers were to be issued with these devices, why has it become less so?

And then there are the law enforcers. Last year the National Hi-Tech Crime Unit was disbanded, and earlier this month police forces handed over e-crime reporting responsibilities to Apacs.

The message is muddled. Online security must be treated with the same regard as physical security. If the police handed responsibility for burglary reporting to an alarm manufacturers’ body there would be outcry.

If official bodies are not going to lead the way, responsibility falls on the IT and business communities. When two thirds of people are dumb enough to swap passwords for sweets, a lot more work needs to be done.

Businesses need to work harder to enforce the point that security companies need to get back to basics on defining their message if we are to make any headway in combating online crime.