Businesses are leaving themselves at risk from cyber
attack by failing to upgrade their security when they allow staff
remote access to their corporate networks.
The Department of Trade & Industry's Information Security
Breaches Survey 2006, to be published next month, found that nearly
20% of companies allowed staff to access corporate systems using
their normal network log-on procedures. The research raised
concerns that firms were leaving their internal systems exposed to
attacks from hackers.
"You are effectively shifting the perimeter of your network and
you are allowing someone into your inner sanctum from a remote
place that is not secure," said Andrew Beard, director of
PricewaterhouseCoopers, which managed the survey.
The report showed that where companies employed additional
security for remote users, 60% required users to enter additional
passwords, but only 9% used two-factor authentication.
About 40% of the 1,000 firms surveyed used a virtual private
network to encrypt communication links between employees' remote
computers and the corporate system, but this rose to 50% for large
companies.
For 90% of the companies surveyed, regulatory compliance was the
main driving force for network access management.
Despite this, the research found that most businesses were
approaching identity management in a piecemeal way and failing to
reap the full benefits.
More than 90% did not have fully automated provisioning systems
for staff access to IT systems, increasing the risk that user
accounts may be left live after staff have left the
organisation.
"There are very few organisations that are adopting a combined
approach with authentication, user management and user sign-on.
They seem to be looking at them separately. Just 1% show evidence
they are doing all three," said Beard.
Full results of the survey will be launched at Infosecurity
Europe in London on 25-27 April.
High cost of computer-based fraud
Computer-based fraud accounted for only 1% of the security
breaches experienced by firms last year, but the impact was greater
than any other security breach, the DTI's Information Security
Breaches Survey 2006 revealed.
One large bank lost several million pounds, and several small
businesses reported losses from computer-related fraud of between
£10,000 and £50,000, according to the survey of 1,000 firms.
Some small firms had to spend more than £10,000 in legal and
other costs to repair the damage after a fraud, and 20% of firms
had to spend more than £1,000.