Stuart Gentle Publisher at Onrec

Unauthorised user access to computer systems increasing headache for British Business

Survey shows

One in five of the UK’s larger companies suffered security breaches of their information systems in the last year because of weaknesses in their approach to identity management, a new survey shows. This is one of the key, initial findings from the 2004 Department of Trade and Industry’s biennial Information Security Breaches Survey, conducted by a consortium led by PricewaterhouseCoopers. The full results of the Survey will be launched at InfoSecurity Europe in London, April 27-29.

Other key findings from the telephone survey of some 1,000 companies include:

* Roughly one in ten large companies had a significant fraud or breach in confidentiality. More than half of all companies affected said it was their worst incident of the year, even outweighing virus infections;

* Confidentiality breaches caused significant business disruption (for more than a month in 15% of the cases) and took significant staff time to investigate, on average 10-20 man-days. These breaches also incurred the biggest direct cash cost of any security incident - more than 100,000 in legal fees, investigation costs and fines in 15% of cases;

* Companies’ access controls are failing to prevent these incidents.

* The first root cause is that often the sheer number of users and systems puts user administration processes under strain. To counter this, companies are increasingly automating their processes for granting access to systems. 16% of all companies and 31% of large ones do this. Automating user provisioning appears to work. None of the respondents that had done this had suffered financial frauds or systems penetration from outside in the last year;

* The second root cause is over-reliance on passwords to check users’ identity. Some 87% of all companies rely solely on user ID and password, while worryingly 7% have no controls at all. Businesses that adopt single sign-on without strong authentication had a higher than average incidence of unauthorised access. Tokens, smart cards and biometrics are only used in 6% of companies. This rises to roughly a quarter of the large businesses. The latter seem to be reaping the benefit with just 3% suffering from an unauthorised access breach compared to 20% for those that haven’t adopted these levels of authentication.

These findings are published in a fact sheet - ’Identity Management’ - sponsored by one of the world’s leading identity and access management solutions providers, Entrust.

Chris Potter, the PricewaterhouseCoopers partner leading the survey, said:

Companies have traditionally been poor at setting up new users and deleting leavers from their systems. We are increasingly seeing businesses automate these processes. While most businesses over-rely on passwords, large organisations are also starting to adopt strong authentication methods such as smart cards and tokens to check users’ identity. A comprehensive approach to identity management includes strong authentication, access control and provisioning. The results of this survey clearly demonstrate the benefits early adopters have gained in terms of reduced security incidents.

Philip Richardson, vice president, Northern Europe, Middle East and Africa, Entrust, added:

It is amazing that one in five businesses experienced a security breach in the past year as a result of weaknesses in their approach to identity management when the technology needed to reduce this risk is now so readily available. However, the message seems to be resonating with senior executives and Board-level directors. Decision-makers are not only becoming more aware of the potential disruption and damage that security breaches can cause to business, but also that there are new information security governance concerns presented by the changing regulatory landscape.

The factsheet ’Viruses and malicious code’ can be downloaded from