Central identity management systems are now a chief priority, but biometric technologies continue to disappoint

It has been an unprecedented year for information security. For once, the subject hasn’t just been exercising the minds of CIOs, it has become front page news for national newspapers. A succession of high-profile corporate data losses emerged, the victims of identity theft went public and even government departments admitted to having become the targets of malicious attacks. Information security has been catapulted into the public’s consciousness.
In many instances, the debates that have raged over security breaches have focused mainly on the rise of online crime. This is hardly surprising given the portentous changes that have taken place in the profile of today’s electronic criminals. The ego-driven ‘script kiddies’ happy to gain notoriety by embarrassing high-profile targets have given way to gangs of professional criminals, operating with serious malice aforethought – intent on making off with substantial sums. E-crime is now a multi-billion pound industry.
But contemporary e-crime is not merely defined by its financial motive: it is also characterised by formidable scale. As each new broadband connection is flicked on, a new opportunity for the criminals lights up. With more than 21 million households in the UK alone to be hooked up by 2010, the UK’s vulnerability to e-crime will only grow.
The so-called ‘industrialisation’ of e-crime has been predicated on the proliferation of botnets. A global network of compromised machines now serves as the engine room by which torrents of spam and phishing emails are pumped into global inboxes, distributed denial of service attacks are unleashed on ecommerce providers, and swathes of personal information are stolen or harvested in order to commit fraud, identity theft, and espionage.
In short, criminal activity that was once localised, fragmented and largely irksome has become internationalised, co-ordinated and economically damaging. It represents “the most rapidly expanding form of criminality” globally, according to the Metropolitan Police. A Met report into the subject concludes that the annual global cost of such activity to individuals, businesses, government and other organisations already tops £1 trillion.
In this perilous environment, a catalogue of household names, including insurance giant Norwich Union, retailer TJ Maxx, jobs website Monster.com, and even major state departments such as the Pentagon and Whitehall, have fallen victim to external, computer-based attacks.
Meanwhile, systemic failures of corporate governance and information management internally have done a good job of making matters worse. Common working practices, from mobile working to the proliferation of portable storage devices, have helped fragment corporate perimeters. Security risks stemming from within the organisation have also grown.
Building society Nationwide and Her Majesty’s Revenue and Customs (HMRC) know this all too well. Both organisations misplaced storage devices containing highly sensitive, unencrypted financial data, much to the consternation of customers, citizens, and regulators alike.
Indeed, in a move designed to underline the critical importance of preventing data leakage, the UK Financial Services Authority slapped record fines on Nationwide and Norwich Union, both of whom were found to have failed to provide adequate data protection.
Mixed responses
It is evident that information security threats have never been more menacing or more diverse. But the profile that the subject has garnered has also ensured unparalleled attention from the board of directors and senior management as well as the vendor community.
There is a palpable sense of urgency with which organisations are now looking to their internal systems and processes in order to address many of the threats that emanate from within and without the business – a development borne out in the Effective IT 2008 Survey results.
Identity (ID) management is a case in point. The technology, which is intended to restrict access to vital information, ranked second out of 30 technology strategies IT directors are planning to implement within the next 12 months. Of those 25% of corporations that have already implemented such a system, an encouraging 45% regard the technology as ‘quite effective’ with a further 31% responding that it is ‘very effective’.
With a total of 76% of respondents rating the technology as ‘effective’ or ‘very effective’, ID management does well in the overall rankings, coming in as the 6th most effective IT strategy overall. These results also indicate a slight improvement on last year.
Analyst group Gartner identifies five broad classes of identity and access management tools: directory technologies, identity administration, identity auditing, identity verification and access management.
However, of these broad groups, one – identity verification – remains highly problematic for today’s enterprise. Biometrics – the use of a variety of unique physical characteristics such as fingerprints, voice patterns or facial contours to identify individuals – has long been touted as the ideal enterprise identity-verification tool, being supposedly both easy to use and highly secure; yet it has consistently failed to deliver.
As the survey shows, adoption levels of biometrics remain woefully low – just 9% of respondents use biometrics today. A meagre 11% more plan to implement the technology within the next year.
Clues to the technology’s continuing unpopularity can be found elsewhere in the results. In total, 19% of respondents were unhappy with the efficacy of biometrics, marking the technology as ‘not effective’ or ‘not effective enough’, while a further 25% remained ‘neutral’ as to its benefits. Overall, the numbers reporting that biometric technology was effective fell year-over-year.
Furthermore, those marking its effects as ‘neutral’ – that is, having had ‘no discernible impact’ – nearly doubled year-on-year. As such, the application of biometric security systems remains thin on the ground, and where it is used, a significant proportion of users appear underwhelmed.
As such, the results suggest that while many organisations are keen to improve their access and identity management systems, they do not regard biometrics as the most effective technology with which to achieve this aim – despite the fanfare with which biometric technology initially entered the marketplace. Instead, password protection combined with token and one-time-password based two-factor authentication seems to persist as the method of choice.
As Gartner notes: “Biometric technology is likely to be used more successfully to provide an additional factor for ‘true’ strong authentication, because the other factors complement biometric technology and mitigate some of its weaknesses.”

Further reading
Inside job: The recent spate of high-profile data losses is forcing organisations to tackle the worst culprits of e-crime – those operating inside the firewall.
Cyber assault: The threat to the UK's critical infrastructure from cyber terrorists, activists and others with serious malicious intent is very real and growing.
The state of security: Businesses are looking at new ways to exploit the Internet. But these new practices introduce new security threats.