COMPUTER BUSINESS REVIEW

CBR is proudly produced and published by Technews (www.technews.co.za)
Issue Date: September 2000 (es)

Executive buy-in is essential for information security

Recognise information as an asset and award it the appropriate measures of protection - or suffer the costly consequences, warns Allen Lewis, CCH Enterprise Solutions' Product Management Executive. The issue of poor information security as e-commerce takes off in South Africa is heightened by a lack of proactive attention, with the executive level in organisations passing responsibility off to IT departments.

"It is time management at board level took responsibility for information being protected as an asset," says Lewis. "If the board tasked with the running of the company is not taking adequate care of the assets, then it should be held responsible for the loss of data and for security violations. Ignorance is not an excuse."



Business and technology - interwoven and symbiotic

In today's commercial world, business and technology can no longer be viewed as separate entities - they are interwoven and symbiotic, says Lewis. "IT plays an integral role in the fabric of business today. Senior executives need to be shown that data is an asset, and as such, it falls within their realm of responsibility. In this light, the full responsibility of protecting data needs to be shifted from the IT manager to board level."

Educating company executives should achieve more than a shift in mindset. Budget allocation must be refocused to enable appropriate expenditure on such protection, and the requirement should be officially recognised in the company's annual report.

"British companies are already identifying IT security as an issue that needs addressing from the highest level of the business as a part of the control mechanisms of the company," says Dr Andrew Hutchison, IT security consultant for CCH Enterprise Solutions. "Annual reports in the UK are stipulating an examination of internal controls for the company, of which IT security is a vital component."



Adopting a proactive approach to IT security

Hutchison points out the need for companies to spend consistently and in a controlled manner on security, highlighting the importance of thorough planning for such expenditure as an integral part of the organisation's annual budget. "It's no use adopting a cavalier approach towards security, or the over-cautious approach of being too afraid to conduct business on the Internet at all. e-commerce is here to stay, and companies need to equip themselves in the appropriate manner to cope effectively and efficiently so it complements their business," he says.

A proactive, rather than reactive, approach to IT security is all-important: precautionary measures should be put in place before disaster strikes, rather than money being spent on redressing the situation once valuable information has been lost. Hutchison has a number of primary concerns about how business is changing to accommodate e-commerce, and predicts public key infrastructure (PKI) will play a crucial role from a security perspective.

"The availability of pure e-commerce solutions and trading systems is a problem, together with the constant plague of malicious code that disrupts smooth business operations and causes headaches for network administrators," Hutchison says. "Another area of concern comes with the move towards mobile commerce, which sees transactions conducted not only from fixed point terminals but from handheld devices and personal digital assistants (PDAs). WAP and wireless transport layer security will become essential in this arena."

With attention placed on the need for increased security for protecting information, there needs to be a level of standardisation to which such protection measures conform. The British BS7799 is such a standard - a security policy framework which allows companies to ensure that they have the right internal controls in place. "South African companies can benefit from adopting a formal standard to which levels of IT security would comply," concludes Hutchison.

For details contact Allen Lewis of CCH Enterprise Solutions on tel: (011) 808 3200 or e-mail: allenl@cch.co.za
