IT systems and information security are more important to UK companies than ever before, with 81% of boards giving a high or very high priority to information security. As businesses continue to grasp the opportunities provided by new technology (97% now have a broadband internet connection), there has been a real improvement in controls, particularly in basic disciplines such as anti-virus and backups. The average spend by companies on security defences has tripled over the last six years, resulting in the overall cost to UK plc of reported security breaches dropping by a third. Despite this reduction, the annual cost to companies still runs into several billions of pounds.
These are among the key findings of the 2008 Information Security Breaches Survey (ISBS) carried out by a consortium, led by PricewaterhouseCoopers LLP, on behalf of the Department for Business, Enterprise & Regulatory Reform (BERR). The survey, which is carried out every two years, is being launched today at Infosecurity Europe in London (www.infosec.co.uk).
Despite the improvements in security controls, the survey shows that many companies remain exposed to loss of confidential data. For example, four-fifths of companies that have computers stolen have not encrypted their hard drives, and two-thirds of companies do nothing to prevent confidential data leaving on USB sticks.
Business Minister Shriti Vadera said: "New technology is a key source of productivity gains, but without adequate investment in security defences these gains can be undermined by IT security breaches. The survey shows increasing understanding by business of the opportunities and threats, but challenges remain."
Chris Potter, partner, PricewaterhouseCoopers LLP, who led the survey, added: "There are still some fundamental contradictions. Some 79% of businesses believe they have a clear understanding of the security risks they face, but only 48% formally assess those risks. Also, 88% are confident that they have caught all significant security breaches, but only 56% have procedures to log and respond to incidents. The survey also shows 71% have procedures to comply with the Data Protection Act, but only 8% encrypt laptop hard drives. Businesses all need to ensure that their defences are sound if they want to continue to enjoy the benefits that technology brings."
The broadband revolution has allowed companies to use the internet to reach their customers and enable their staff to be more mobile:
• 54% of UK companies allow staff to access their systems remotely;
• 42% use a wireless network;
• 17% use Voice over IP telephony, and this will rise to 30% by the end of 2008;
• 5% have moved some of their IT operations offshore; and
• 84% are heavily dependent on their IT systems.
Over the last six years, the security landscape has changed dramatically:
• 98% of companies now have software to scan for spyware;
• 94% of wireless networks are now encrypted, versus 47% in 2002;
• 55% of UK companies have a documented security policy, versus 27% in 2002;
• Expenditure on information security has increased from 2% to 7% of IT budget over that period;
• 40% of businesses provide ongoing security awareness training to staff, twice as many as six years ago;
• 14% use strong (i.e. multi-factor) authentication; and
• 11% have implemented the British/International Standard for information security management (BS 7799/ISO 27001), versus only 5% in 2002.
After the peak in 2004, the number of companies reporting a security breach has returned to roughly the level seen in 2002:
• 45% of small businesses reported a breach in the last year, down from 62% in 2006;
• Larger businesses are more likely to have security breaches, with 96% of very large companies (more than 500 employees) affected;
• Most companies affected experienced several breaches in the year; the median number of breaches is 6 and the mean is 100;
• The average cost of the worst incident of the year is highly dependent on the size of the business, varying from roughly £15,000 for small businesses to £1.5 million for very large businesses; and
• The total cost to UK plc has dropped by roughly a third compared with two years ago, returning to the levels seen in 2004.
Companies are, however, generally pessimistic, with only 17% expecting fewer security incidents next year.
Andrew Beard, director, PricewaterhouseCoopers LLP, commented: "It would be easy for companies to look at the drop in incidents and become complacent. This response would be dangerous. Attitudes and controls in some companies mean that incident statistics are probably understated. For example, companies that carry out risk assessment are four times as likely to detect identity theft as those that do not. In addition, the average seriousness of incidents has increased, so roughly a quarter of companies had a serious breach, the same as in 2006.
"Companies need to change from an attitude of combating today's problems to thinking about the future proactively. It's a bit like the difference between battening down the hatches when a hurricane comes and taking steps to combat climate change. Businesses need to respect the opportunities that ecommerce represents but also consider their duty to protect its users in the long term future."
The survey findings also indicate that confidential information is increasingly at risk, especially in large businesses, where:
• 13% have detected unauthorised outsiders within their network;
• 9% had fake (phishing) emails sent asking their customers for data;
• 9% had customers impersonated (e.g. after identity theft); and
• 6% have suffered a confidentiality breach.
While 77% of UK companies say that protecting customer data is a very important driver of their information security expenditure, many companies are simply not doing enough to achieve this goal:
• 10% of websites that accept payment details do not encrypt them;
• 21% of companies spend less than 1% of their IT budget on information security;
• 67% do nothing to prevent confidential data leaving on USB sticks;
• 78% of companies that had computers stolen had not encrypted their hard drives; and
• 79% are not aware of the contents of security standards BS 7799/ISO 27001.
The survey suggests five simple steps businesses of all sizes should take to protect themselves in this changing world:
1. Understand the security threats you face, by drawing on the right knowledge sources.
2. Use risk assessment to target your security investment at the most beneficial areas.
3. Integrate security into normal business behaviour, through clear policy and staff education.
4. Deploy integrated technical controls and keep them up to date.
5. Respond quickly and effectively to breaches, e.g. by planning ahead for contingencies.
Confidential data remains at risk despite increased business awareness, new survey finds