Organisations are failing to take basic IT security precautions
despite a dramatic growth in attacks from hackers and computer
viruses, new government research will reveal this month.
The DTI's Information Security Breaches Survey is expected to show
that the number of IT security breaches suffered by businesses has
increased significantly over the past two years.
Although the security incidents are costing UK firms billions of
pounds a year, many are failing to take even basic security
precautions, the survey of 1,000 organisations by
PricewaterhouseCoopers for the DTI reveals.
Only 27% of the businesses questioned have formulated a security
policy - the first step in developing good security practice.
Although this represents an increase from 14% two years ago, it
shows that many businesses fail to grasp the precautions needed to
protect their systems.
Even when companies have policies in place, the survey found that
many businesses leave them on a shelf to gather dust.
"Sometimes people are developing the security policy for the sake
of having a security policy. They may be developing it because
someone on the board has told them to have it or because the regulators
say they need it," said Chris Potter, partner at
PricewaterhouseCoopers.
About 33% of businesses still do not have a firewall between their
Web sites and their internal computer systems, leaving them
vulnerable to hackers. And 66% do not have intrusion detection
systems, which could detect hackers if they penetrated other
defences.
Although these figures will alarm security experts, they represent
a sharp improvement from two years ago, when about 80% of companies
did not have a firewall.
The worst offenders are smaller firms, which often lack the
expertise to protect their systems.
The problem has been exacerbated by a shortage of skilled security
specialists, with one retailer taking six months to fill the post
of chief security officer.
"There is quite a big knowledge gap that is probably causing UK
business quite a lot of damage," said Potter.
The DTI's findings show that UK firms are lagging significantly
behind US firms in their approach to security. In the US 95% of
firms have firewalls in place.
Although only 15% of the UK firms questioned are aware of the
contents of the BS7799 security standard, this is a significant
improvement from two years ago, when only 6% of companies had heard
of it.
On the positive side, 38% of the organisations that are aware of
BS7799 have implemented its recommendations.