Security special report: The changing threat

Companies are getting much better at keeping their defences up to date. Unfortunately the attackers are changing their tactics too, says Chris Potter


Companies are getting much better at keeping their defences up to date. Unfortunately the attackers are changing their tactics too, says Chris Potter

The Department of Trade and Industry Information Security Breaches Survey is carried out every two years. It involves telephone interviews with 1,000 businesses of all sizes, plus a series of face-to-face and interactive surveys. As a result, it is the most authoritative survey about this issue in the UK.

When the survey was last carried out in 2004, there was a big increase in the number of UK businesses reporting security incidents. Both external and internal threats appeared to be increasing as a side effect of the increased adoption of the internet. One of the key recommendations was that companies should check that their security defences, such as operating system patches and disaster recovery plans, were robust and up to date.

Two years later, the results of the latest DTI survey are becoming available. While the full report will not be issued until Infosecurity Europe on 25 April, four fact sheets summarising some of the key findings have been released. So, what do these tell us about the state of information security in 2006?

Two years ago, viruses were the single largest cause of security incidents. In 2006, this is still the case, with 35% of UK businesses (and 49% of large ones) suffering infections. However, these numbers are down by 33% on two years ago. Companies are getting much better at keeping their defences up to date; 80% update their anti-virus signature files automatically or on a daily basis, and 88% install new operating system patches within a week. This is making a real difference.

So, does that mean we have cracked the malicious software problem? Sadly not – viruses are becoming more numerous and more insidious, targeting specific information rather than indiscriminately attacking networks. Spyware is a growing threat, against which 25% of UK businesses appear unprotected.

A similar pattern emerges when we look at broader network security. The networking explosion continues, with 88% of corporate internet connections now being broadband. Companies have better security controls over their internet connections and websites than they did two years ago.

All the websites in the 2006 survey that accept financial transactions are behind a firewall, and the number of sites with intrusion detection software has more than doubled since 2004. The better controls are paying off. Despite more attempts to break into networks being reported, there have been fewer actual penetrations by outsiders.

However, emerging technology is again shifting the threat profile. Wireless networking is extending network boundaries and voice over IP telephony is blurring the distinction between voice and data traffic. Removable media devices, such as USB tokens and MP3 players, are making it easier for an insider to take large volumes of data out of an organisation.

Unfortunately, UK businesses seem poorly protected against these new threats. Only 60% of corporate wireless networks are encrypted. Roughly half of all those companies that have implemented VoIP telephony did so without evaluating the associated security risks. And 55% of firms have taken no steps to protect themselves against the threat posed by removable media devices.

It is important to harness the opportunities provided by new technologies without suffering the downside. To do this, businesses need to make sure that they have access to the security expertise necessary to assess the risks and put in place appropriate counter-measures.

Thankfully, it should be easier in the future to access this expertise. The Get Safe Online initiative provides simple clear guidance for companies of all sizes. The new Institute of Information Security Professionals should make it easier for companies to hire security qualified staff or check the credentials of external consultants.

We stand at a critical juncture for information security. Let us hope that, when we look back in a few years time, we will see 2006 as the point at which the seemingly inexorable rise in security incidents halted and the tide began to turn. It is up to all of us to make this happen.

Chris Potter is a partner at PricewaterhouseCoopers

Read: Security special report: The internal threat

Read: Security special report: Who sees your data?

Read: Security special report: Compliance quandary

Read: Security special report: Accessing all areas

Read: Security special report: Fingertip security

Read more on IT risk management