Only 10% of UK businesses, and 25% of large companies, have staff with formal security qualifications such as CISSP or CISM on their security teams, the Department of Trade & Industry's latest Information Security Breaches Survey has revealed.
And only 42% of businesses have staff with formal IT qualifications of any kind on their security teams, the survey of 1,000 UK businesses showed.
The findings suggest that businesses are finding it difficult to recruit skilled security staff, potentially making it more difficult to keep their teams up to speed with rapid changes in threats and technology.
Over the past four years the proportion of businesses experiencing security incidents has risen from 24% to 68%, with the average cost of the worst breaches ranging from £50,000 to £150,000.
"I think there is a discontinuity between board level, the policy level and people doing security. There is a need for greater education and formal security qualifications," said Andrew Beard, security advisory director at professional services firm PricewaterhouseCoopers. "Although this will not solve the problems by itself, it will help in setting the benchmarks."
Lack of formal education may account for an alarming level of ignorance among companies about corporate security standard BS7799. Only 12% of all businesses surveyed by the DTI, and 39% of large businesses, said they had heard of it.
Awareness of the standard was greatest among telecoms companies and government suppliers and lowest among property and construction companies, the survey revealed.
The low take-up of BS7799 in the UK is disappointing, said Beard, given that it is proving increasingly popular overseas. However, it may reflect difficult business conditions over the past two years in the UK, because of the costs to companies of bringing security systems and procedures up to the BS7799 standard, he added.
Among those businesses that were aware of BS7799, about 50% were partially or fully compliant, up from 40% two years ago.
Nearly 90% of those companies that had adopted BS7799 said that formal certification had improved their business continuity; 85% said it had minimised damage from security incidents; and 53% said it had led to a higher return on investment.