The average UK business is now hit by a security
incident every month, or once a week for larger companies,
according to the UK Department of Trade and Industry's (DTI)
biennial security survey, published this week.
The survey of 1,000 companies, completed in January by a
PricewaterhouseCoopers-led consortium, found that security problems
are now an issue faced by the majority of UK businesses, with
nearly all large companies affected.
The survey found that businesses have not yet adjusted to this
reality and suffer from inadequate security training and
overconfidence in their security systems.
The lack of adequate concern about security is reflected in
spending, which is below the mark considered reasonable by industry
observers.
The majority of UK companies - 74% - have had a security
incident in the past year, rising to 94% for large companies, the
DTI survey found.
That figure includes accidents such as system failures and data
corruption; but malicious incidents are now far more common than
accidents, with 68% of all companies (91% of large businesses)
suffering at least one malicious attack in the past year. In 2002,
only 44% had been attacked, and in 2000 the figure was just
24%.
"If you go back some years, accidental incidents far outweighed
malicious incidents. Now more than twice as many companies had
malicious incidents as accidental ones," said Chris Potter, the PwC
partner who led the survey.
Most malicious attacks were caused by viruses or inappropriate
use of IT systems by staff. The average cost of an organisation's
most serious incident was about £10,000, rising to £120,000 for
large companies, largely because of disruption to the company's
operations. Some companies suffered disruption for more than a
month after an attack, Potter said.
The upshot for businesses is that security is now an issue
requiring increasing investment, Potter said.
"With security, as with everything else, the issue is one of
cost versus benefit. What we have seen here is that the trend of
incidents is unfortunately upwards, so the cost to UK businesses is
continuing to rise."
In response, companies are now more likely to have a security
policy in place. Three-quarters said they were confident that the
measures they had instituted were good enough, although in
reality less than half of the companies surveyed actually had
effective security measures, Potter said.
"We feel there is the problem of overconfidence, because people
do not fully understand the risks they're running," he said.
A skills gap appears to be contributing to the problem, with 11%
of companies having staff with formal security qualifications.
"It's important to realise that qualifications are only one way
of measuring expertise. But if you look at some of the other
figures in the survey, they expose a skills gap in many
businesses," Potter said.
One example, Potter said, was that only 12% of the individuals
responsible for a company's security were aware of the contents of
the BS 7799 standard for information security - a figure that has
not increased in the past two years.
The UK government has praised businesses for making progress in
integrating security.
"It is encouraging to note that information security remains a
high priority at board level," said e-commerce minister Stephen
Timms. "More companies than ever have a security policy in place
and those that have adopted BS7799 have found it has yielded real
benefits."
Participants in the DTI survey were spending an average of 3% of
their IT budget on security, up from 2% in 2002. Industry observers
consider 5% to 10% a reasonable benchmark level. These figures
tally with an IDC study released this week, which also pegged
spending at less than 5% of IT budgets.
IDC expected security expenditure worldwide to hit $48bn this
year, still just 4.8% of overall IT spend, and about on par with
the $43bn annual spending on printers and multifunctional
peripherals. The figure will rise to 7% of the overall IT budget by
2007, IDC said.
Mobile and wireless security spending will grow more quickly,
rising 71% a year to $1.27bn in 2007, IDC said.
Matthew Broersma writes for Techworld.com