Security is everyone's responsibility

This is a good time to be e-commerce minister. The government's aim, to help make the UK the best place to do e-business and give internet access to all those who want it, is gaining momentum.

There are now more than 11 million UK households with internet access. The UK has passed the million mark for broadband subscriptions, with 20,000 more being sold every week.

But in promoting the benefits of life in the information age, we have to be aware of the real and perceived limitations of progress. The issue that comes up time and time again is trust. People see new technologies not only as an opportunity, but as a threat.

The nature of that threat is often unclear, but comes from a natural fear of the unknown reinforced by bad news stories.

We must address this problem. The best way forward is to look to the Guidelines on Information and Network Security published by the Organisation for Economic Co-operation and Development, and at three principles in particular.

First, the guidelines stress the importance of raising awareness. We need to make sure everyone knows that securing information, whether it is stored on a computer or transmitted over a network, is a key issue.

We must ensure that our future citizens understand the need for vigilance. This will complement actions we take to protect them from harmful content and discourage them from stealing content or regarding hackers as the Robin Hoods of the information age. They are not.

We need to make sure that businesses understand the value of their information assets and the tools that will help them.

My department is developing improved guidance to smaller businesses on these issues, and will draw on the standards on information security management (ISO 17799 and BS 7799 part 2) which we helped to develop.

The second element is the principle of responsibility. This makes clear that, in our interconnected world, we are responsible for the way our behaviour affects the systems and networks we use.

This sounds simple, but it marks the start of a new concept in security. It is the concept that has attracted most attention since the publication of the guidelines in the summer. We need to move to a 'culture of security'.

Third, we need to change the way we think and act so that security is not an add-on, but an integral part of the design, implementation and use of all information systems and networks.

We need to embed security into our thinking at work and at home. It needs to be part of the management systems of companies and treated as an aspect of corporate governance.

In short, we need to make secure systems rather than make systems secure.