Lapses in information security among UK businesses are still poorly recorded and understood, reflecting a lack of understanding of the threat level that organisations face, according to the PricewaterhouseCoopers annual Global State of Information Security Survey 2008.
The survey polled 7,000 IT executives from 119 countries (more than 300 from the UK) across all industries on the challenges of protecting corporate information assets.
Although organisations continue to invest heavily in security tools such as software for intrusion detection, encryption and identity management, they are still struggling with their security processes, the study shows.
Most UK companies in the sample did not know where their data was located, 37% were not sure how many incidents they had suffered, and more than half could not say what types of security incident had occurred or what had caused them.
Some 30% of companies had neither measured nor reviewed the effectiveness of their information security policies over the past year.
Confidence about the effectiveness of their organisation's information security activities was also low among the UK executives polled. Less than one in three said they were very confident that their information security was effective. And less than one in four felt very confident about the effectiveness of their suppliers' or business partners' security.
The latter is perhaps not a surprising finding given the recent problems that some organisations have encountered over security lapses when third parties have handled their data, said PwC.
William Beer, director in the information security group of PwC, said, "There appears to be an overall misalignment with executive management's view of security, causing many organisations to fail to capture the full value from their spending in this area.
"Information has become the new currency of business. Its availability, integrity and confidentiality are crucial components of a collaborative business."