Sixty per cent of companies have suffered an information security breach in the past two years, but only one in seven has a coherent information security policy. And, despite the growth of the information economy, one in three organisations still does not see information as a business asset.
These are the stark findings of a major DTI survey revealed by e-minister Patricia Hewitt.
The Information Security Breaches Survey 2000 will reveal that:
The low number of firms with security policies is significant because the survey shows that a formal approach is effective in preventing and minimising breaches. Four out of five firms that had contingency plans to deal with information breaches said the plan was effective, even in the face of a "serious breach".
The survey confirms that the rush to the internet is opening UK firms to increased risk. Seventy per cent of firms with internet access suffered breaches, rising to 90% for firms engaged in EDI or similar online transactions.
The DTI, which commissioned the research, is pushing British Standard 7799 as a starting point for best practice on info-security. However, only 6% of those surveyed could name BS7799, and less than 1% of firms had achieved certification under the c:cure scheme.
Mike Thornton, IT security controller at Rolls Royce, said: "In the past we have said 'we meet BS7799 in all its major areas - so why pay extra to have someone tell us that?'. However, as we move into e-commerce, the big thing is trust. If business partners are accredited with BS7799 or an ISO, you have something to go on."
Thornton said the move to internet technology was changing the security landscape. "In e-business you move away from the citadel approach - protecting the fortress through firewalling and closed systems - e-business brings the opposition, potentially, into your camp."
The report shows that just 2% of serious information breaches are due to unauthorised external access. Robert Temple, head of the IT security unit at British Telecom, said: "Organisations must remember not to expend all their energies on repelling the 'wily hacker' at the expense of ignoring all those people who every day log on to your systems and networks within the firewall. All the evidence suggests that the insider remains the real threat."