Stuart Gentle, Publisher at Onrec

DTI survey shows skills shortage and under-investment

Condemns three-quarters of UK business to information security breaches.

UK businesses are being exposed to ever-greater threats to their information systems as use of the Internet and wider connectivity among companies increases. Security breaches are growing and the cost to companies each year is significant. Although progress is being made to raise levels of security, there is still considerable room for improvement. These are the key findings from the latest government-sponsored survey of information security breaches in the UK, carried out by a consortium of companies led by PricewaterhouseCoopers.

The DTI Information Security Breaches Survey 2004 (ISBS 2004), like its six predecessors, is considered the most authoritative source on the state of information security in the UK. The consortium that ran the survey included Microsoft, Computer Associates and Entrust. The detailed findings were launched today at the Infosecurity Europe Exhibition in London:

* ISBS 2004 showed that 74% of all businesses (94% of large companies) had a security incident in the last year;
* Malicious incidents (such as viruses, unauthorised access, misuse of systems, fraud and theft) have risen dramatically. 68% of companies (91% of large ones) suffered at least one such incident in the last year, up from 44% in the 2002 survey and just 24% in 2000. Virus infection and inappropriate usage of systems by staff were the cause of most incidents, with the former resulting in the greatest number of serious breaches;
* The average UK business now has roughly one security incident a month and larger ones around one a week;
* The average cost of an organisation's most serious security incident was around £10,000 (or £120,000 for large companies). The impact on availability was by far the biggest contributor to this cost, with some organisations suffering a major disruption to their operations for more than a month;
* Three-quarters of respondents rated security as a high or very high priority for their top management or the board. More companies than ever have a security policy in place;
* However, many businesses do not fully appreciate the risks they are running. Three-quarters of companies are confident that their technical security processes are sufficient to prevent or detect all significant security breaches, yet fewer than half of these businesses have robust security controls in place, so this confidence is likely to be misplaced;
* There is a clear skills gap. Only 12% of respondents were aware of the contents of the internationally recognised standard for information security, BS 7799. Only one in ten companies has staff with formal information security qualifications;
* While spend on information security has increased, it is still relatively low and is seen as a cost rather than an investment. Companies spend an average of 3% of their IT budget on security, compared with 2% in 2002, still well below a reasonable 5-10% benchmark level. Fewer than half of all businesses ever evaluate their return on investment (ROI) on security spend, almost no change from two years ago.

Five key recommendations for companies emerge from the survey:

1. Draw on the right expertise to understand the security threats they face and their legal responsibilities;

2. Integrate security into normal business practice, through a clear security policy and staff education;

3. Invest appropriately in security controls (to mitigate the risks), or in insurance (to transfer them);

4. Check key security defences (such as operating system patches, disaster recovery plans, etc.) are robust and up to date;

5. Respond to security incidents efficiently and effectively, to minimise business disruption.

Minister of State for Energy, e-Commerce and Postal Services, Stephen Timms MP, whose department sponsored the research, said:

The survey results show that the UK is now firmly in the Information Age, with companies of all sizes embracing the use of the Internet. However, a side effect of this increased connectivity is greater exposure to information security issues. However, it is encouraging to note that information security remains a high priority at board level. More companies than ever have a security policy in place and those that have adopted BS7799 have found it has yielded real benefits. The battle to contain the information security menace will be a long one, and it is far from won. But it is not a battle UK businesses can afford to lose.

Chris Potter, the PricewaterhouseCoopers information security assurance partner who led the survey, added:

The survey results continue to highlight the vulnerability of UK plc to information security threats. While awareness of the threats has never been higher, many businesses are still finding their precautions are inadequate. There are simple steps that businesses of all sizes can take to reduce the likelihood and impact of future incidents. What this survey shows is that too many companies have waited until an incident hits them before putting counter-measures in place.

Stuart Okin, chief security officer, Microsoft Europe, said:

The survey highlights that whilst no software is immune from criminal attacks, there is a need for the industry to work together to minimise risks to information security. Microsoft understands that technology alone will not make the Internet safer, and we are wholeheartedly committed to improving our software, helping to develop and communicate best practices and take steps to help protect our customers in a world where vulnerabilities are inevitable. We are currently running a series of educational customer events across the UK to address security needs.

The security skills gap illustrated in the survey is an important issue which Microsoft continues to bridge through initiatives such as the secure software development module on offer at Leeds University since March 2003.

Philip Richardson, vice president Northern Europe, Middle East and Africa, Entrust, said:

Growing security needs, coupled with new legislative pressures, are encouraging organisations to treat information security as the Executive-Level issue it needs to be. Strong identity management is the first step in not only addressing security threats, but also in complying with these new regulations.

Simon Perry, vice president, security strategist, Computer Associates, said:

We are seeing a dangerous link between spam, viruses and hacking activity, but companies are continuing to deal with the problem of spam, viruses and other security attacks as separate issues. Companies must adopt an integrated approach to these problems and improve the efficiency and cost effectiveness of their approach through integrated management across the security estate. Without an integrated approach to these threats, companies will continue to play into the hands of the hacking community.