By Tom Espiner
12 Feb 2008
An organisation has been launched to promote security awareness in the
wake of the plethora of major security breaches in 2007.
The Internet Security Awareness Forum (ISAF), launched on Tuesday at the
British Computer Society (BCS) in London, will be an umbrella body for a
number of organisations, including BCS, IT industry lobbying group
EURIM, and web-safety campaign Get Safe Online.
The forum was created as a result of various security breaches last
year, which ISAF said were the result of a lack of security awareness.
These included the HMRC breach, where 25 million personal details were
lost, and the TJX breach, where up to 96 million credit-card details
ISAF aims to promote information security awareness across government,
corporations and small businesses, as well as among individuals. David
King, chair of ISAF, told ZDNet.co.uk that security awareness was one of
the "big things" for all organisations, and that there was common
security ground between all sizes of public and private organisation.
"There is some common ground," said King. "For example, picking good
passwords, changing passwords frequently, and being conscious of the
impact of sharing information on social-networking sites. Companies have
a responsibility to handle information securely, just as government
King said that ISAF would seek to change people's behaviour so they
would think of the possible security ramifications of their actions
before acting. While organisations needed to have "awareness on the
agenda", multiple approaches needed to be taken to change behaviour,
according to King. "To change behaviour we have to come at the problem
from different angles," he said.
ISAF says it will aim to publish a "Guide for Directors on Information
Security" by the end of April. This will be aimed at senior figures in
public- and private-sector organisations.
Senior civil servants in particular need to have information security
awareness on the agenda, according to Philip Virgo, secretary general of
IT industry lobbying group EURIM. "There's definitely a confusion among
civil servants, just as there's a confusion among [private sector]
managers," said Virgo. "That's down to the amount of conflicting
security advice being given [by groups promoting commercial interests]."
ISAF membership will mainly consist of industry bodies. While the
membership of those bodies consists primarily of commercial
organisations, as well as EURIM, David King said the ISAF would not be a
lobbying group or promotional tool for any particular vendor or set of
"We are not a lobbying organisation," said King. "We don't have
corporate members. Our agenda will be delivered by industry body
representatives. Those industry bodies have different organisations,
which all have their own agendas."
ISAF will also collaborate with web-safety campaign Get Safe Online to
promote security awareness in small businesses and for consumers. The
campaign has been running since 2005, and encountered controversy when
its membership costs were revealed, along with the fact that sponsors'
products would be promoted by the site.
Other organisations involved with ISAF include the BCS, the Institution
of Engineering and Technology, (ISC)², the Institute of Information
Security Professionals (IISP) and Jericho Forum.
As well as publishing the "Guide for Directors", the ISAF will also
promote an Information Security Awareness Week from 21 to 25 April, to
coincide with the Infosecurity Europe conference at Olympia in London.