

Companies are getting much better at keeping their
defences up to date. Unfortunately the attackers are changing their
tactics too, says Chris Potter.
The Department of Trade and Industry Information Security
Breaches Survey is carried out every two years. It involves
telephone interviews with 1,000 businesses of all sizes, plus a
series of face-to-face and interactive surveys. As a result, it is
the most authoritative survey about this issue in the UK.
When the survey was last carried out in 2004, there was a big
increase in the number of UK businesses reporting security
incidents. Both external and internal threats appeared to be
increasing as a side effect of the increased adoption of the
internet. One of the key recommendations was that companies should
check that their security defences, such as operating system
patches and disaster recovery plans, were robust and up to
date.
Two years later, the results of the latest DTI survey are
becoming available. While the full report will not be issued until
Infosecurity Europe on 25 April, four fact sheets summarising some
of the key findings have been released. So, what do these tell us
about the state of information security in 2006?
Two years ago, viruses were the single largest cause of security
incidents. In 2006, this is still the case, with 35% of UK
businesses (and 49% of large ones) suffering infections. However,
these numbers are down by 33% on two years ago. Companies are
getting much better at keeping their defences up to date; 80%
update their anti-virus signature files automatically or on a daily
basis, and 88% install new operating system patches within a week.
This is making a real difference.
So, does that mean we have cracked the malicious software
problem? Sadly not – viruses are becoming more numerous and more
insidious, targeting specific information rather than
indiscriminately attacking networks. Spyware is a growing threat,
against which 25% of UK businesses appear unprotected.
A similar pattern emerges when we look at broader network
security. The networking explosion continues, with 88% of corporate
internet connections now being broadband. Companies have better
security controls over their internet connections and websites than
they did two years ago.
All the websites in the 2006 survey that accept financial
transactions are behind a firewall, and the number of sites with
intrusion detection software has more than doubled since 2004. The
better controls are paying off. Despite more attempts to break into
networks being reported, there have been fewer actual penetrations
by outsiders.
However, emerging technology is again shifting the threat
profile. Wireless networking is extending network boundaries and
voice over IP telephony is blurring the distinction between voice
and data traffic. Removable media devices, such as USB tokens and
MP3 players, are making it easier for an insider to take large
volumes of data out of an organisation.
Unfortunately, UK businesses seem poorly protected against these
new threats. Only 60% of corporate wireless networks are encrypted.
Roughly half of all those companies that have implemented VoIP
telephony did so without evaluating the associated security risks.
And 55% of firms have taken no steps to protect themselves against
the threat posed by removable media devices.
It is important to harness the opportunities provided by new
technologies without suffering the downside. To do this, businesses
need to make sure that they have access to the security expertise
necessary to assess the risks and put in place appropriate
counter-measures.
Thankfully, it should be easier in the future to access this
expertise. The Get Safe Online initiative provides simple, clear
guidance for companies of all sizes. The new Institute of
Information Security Professionals should make it easier for
companies to hire security-qualified staff or check the credentials
of external consultants.
We stand at a critical juncture for information security. Let us
hope that, when we look back in a few years' time, we will see 2006
as the point at which the seemingly inexorable rise in security
incidents halted and the tide began to turn. It is up to all of us
to make this happen.
Chris Potter is a partner at PricewaterhouseCoopers
www.security-survey.gov.uk
www.getsafeonline.org