Infosecurity 2008: use of new technologies exposing UK firms to risk, report finds

The adoption of new technologies is exposing UK companies to high levels of risk, according to agovernment security survey.

The 2008 Information Security Breaches survey for the Department for Business, Enterprise and Regulatory Reform reveals that although 17% of UK companies have adopted voice over IP (VoIP), only 30% have evaluated the security risk involved.

Companies adopting VoIP were twice as likely to suffer a security breach, said Chris Potter, PricewaterhouseCoopers security practice partner and author of the report, which shows the number of UK companies that have implemented VoIP has doubled since the last survey in 2006.

The same level of exposure was also true for the 42% of companies that have adopted wireless networks and the 54% of companies that have implemented remote access to corporate IT systems, said Potter at the official launch of the report.

"The more avenues there are into an organisation, the more likely they are to be attacked, which emphasises the importance of indentifying all the risks," said Potter.

Instant messaging (IM) was another area of concern, said Potter, because it exposes companies to the same risks as e-mail, but half of companies using IM do not have any security controls in place. The report notes that financial companies take the most steps to mitigate IM risks, but said even in this sector, a third have taken no steps.

Companies in Northern Ireland are half as likely as the national average (30%) to block IM and most do not control staff access to IM. In contrast, more than half of Welsh companies block IM and 90% of those that allow it control its usage.

Potter said there were five simple steps businesses of all sizes could take to protect themselves in the changing technological environment.

He said companies should understand the threats they face, use risk assessment to target security investment at the most appropriate areas, integrate security into normal business behaviour through clear policy and staff education, deploy integrated technical controls, and respond effectively and quickly to breaches by planning ahead for contingencies.