Malware threat to UK companiesí IT systems still evolving, new survey finds

The number of UK companies reporting malware infection is down by 60% compared with two years ago, partly because of improved anti-virus controls. Yet, for two-thirds of the companies affected, malware caused their worst information security breach of the year, with some being penetrated by hackers, others losing confidential data and some acting as spam relays. The nature of the malware threat is changing, with writers becoming increasingly sophisticated at concealing their activities. Spyware accounted for a sixth of the worst infections.

These are among the early findings of the 2008 Information Security Breaches Survey (ISBS) carried out by a consortium, led by PricewaterhouseCoopers LLP, on behalf of the Department for Business, Enterprise & Regulatory Reform (BERR). The full results of the survey will be launched at Infosecurity Europe in London www.infosec.co.uk

After the significant business disruption caused by viruses, worms, Trojans and spyware (collectively known as malware) in the early 2000s, this yearís survey shows that malware is causing much less direct damage than in the past. Only 14% of UK companies reported a malware infection last year, down from 35% two years ago when the last ISBS survey was carried out. Even among very large businesses, less than half had an infection last year.



According to the ISBS report, it appears that there are three main reasons why fewer malware infections are being reported:

Corporate anti-virus defences have significantly improved. Almost every company has anti-virus software, and 95% scan incoming emails for viruses. Roughly 98% have software to scan for spyware, a big improvement on two years ago, when only three quarters did so; Most minor virus infections no longer register in the same way as they did. They are no longer considered security breaches but as events dealt with by routine controls; and The nature of malware itself ñ infection used to be the end goal, but is now just the first stage in enabling more lucrative attacks by hackers. As a result, malware now seeks to remain undetected. Spyware now accounts for one in six of the worst infections.
Despite the lower levels of infection, it would be a mistake, however, to assume that the malware threat is extinguished. For two thirds of companies that had a virus infection, it was their worst security incident of any kind in the year. Malware infections were particularly damaging in the telecommunications sector.

Chris Potter, partner, PricewaterhouseCoopers LLP, who led the survey commented:

If there is one area of security where UK plc has really got the message, itís virus protection. Only a tiny minority of companies donít take this area seriously. The message from this survey is clear ñ if you havenít got anti-virus and anti-spyware software, youíre way outside the benchmark.

ìBut, there remain some serious challenges. Companies now seem to be slower to install operating system patches than they were in 2006. Delaying patches can leave systems vulnerable to attack. On the other hand, rolling out patches instantly, without testing them first, can lead to systems instability. Itís important that companies strike the right balance here ñ risk assessment is essential.î

Dr. Guy Bunker, Chief Scientist at Symantec Corporation, one of the consortium members responsible for the survey, added:

ìWhile the results of the survey are encouraging, itís clear that the battle between malware writers and companies continues unabated. Our recent research shows that there are over a thousand new malicious threats appearing each day. The battle is still on, itís just changed from being obvious and high-profile to silent and obscure but is just as lethal.

ìThe motivation of malware writers has changed. Law enforcement in this area has improved around the world. As a result, the kudos derived from writing a disruptive worm to gain notoriety is outweighed by the personal consequences. Motivated by the money involved, organised crime is employing malware writers to write 'stealthy' code that seeks to obtain confidential information or open security holes which can be exploited for financial gain.î