Forum examines lax data security
“Only 2.7 percent of Korean businesses invested 5 percent or more of their IT budget on information security last year. Meanwhile, about half of the businesses in the U.K. and U.S. allocate at least 5 percent,” said Lee Jae-il, director of policy cooperation at the Korea Internet and Security Agency. “As more devices like medical instruments, home appliances and cars are automated throughout our lives, the possibility of cyberattacks and personal information leaks will increase exponentially within the next five years.
“As of now, the Korean security industry can’t provide suitable prevention or responses.”
Lee made his remarks at a roundtable sponsored by the Ministry of Science, ICT and Future Planning.
More than 30 experts from businesses, the cybersecurity industry and academia gathered in central Seoul to discuss what the public and private sectors can do to strengthen security.
“Korea didn’t have a control tower that could give suitable orders in cybersecurity crises, even after having faced a series of cyberattacks over the past few years,” said Lim Jong-in, the recently appointed Blue House special security adviser and dean of Korea University’s Graduate School of Information Security. “The government will construct an overall attack response system, while the private sector needs to expand investment in security maintenance and hire more security experts.”
Analysts and industry insiders pointed out that the Korean business community still doesn’t consider spending on information security a must.
According to data released Tuesday by the ministry, the number of Korean companies that operated information security departments shrank last year compared to 2013. Only 17 percent of local businesses had a cybersecurity executive last year, down from 20 percent in 2013. About 7 percent of companies had information security departments, down 2.9 percentage points year-on-year.
Analysts said businesses should perceive information security as a service their clients deserve and that the government needs to provide incentives first.
“It is problematic that the overall private sector considers information security an IT product,” said Jung Sou-hwan, an electronics engineering professor at Soongsil University. “They need to shift their thoughts to think that secure care of customer information is a type of service that can eventually help their business.”
Kim Hong-sun, former head of AhnLab and chief information security officer (CISO) at Standard Chartered Bank Korea, pointed out that the private sector needs to have more discussions to clearly understand how spending money on information security technologies can reduce business risks and eventually enhance performance.
Large companies need to encourage small suppliers to secure their information by providing incentives in order to boost the overall security level, analysts added.
“When we recall the Korea Hydro and Nuclear Power Corp. information leak, many security experts like us thought it happened because of its security relationship with suppliers,” said Yeom Heun-yeol, a professor at Soonchunhyang University. “Companies have to require suppliers to maintain quality security systems, while encouraging them with incentives.”
Yeom explained that Samsung Electronics can be a good model as a company that requires its suppliers to have their information security system independently certified.
Beyond expanding investments, the security experts also pointed out that the business community has to start setting up internal rules and teaching employees why information security matters, because many of the leaks occur because of reckless information management by employees.
“Many information leaks happen through unprofessional management of USB flash drives and the absence of information security rules for suppliers,” said Lee Joon-ho, CISO of Naver. “Businesses have to have regular education sessions with their employees about how to deal with security measures and possible consequences of leaks.”
BY KIM JI-YOON [email@example.com]