Malware infections down 60% at UK firms

Initial results from the UK Information Security Breaches Survey 2008 show malware infections are down 60% compared with two years ago at UK firms, but DR plans are still poor.

The anti-virus message is finally getting through to British companies with the level of infection by malware down by 60% compared to two years ago. But security could still be undermined by ineffective business continuity plans, and the bad habits of careless employees.

The fall in malware infection is probably the most cheering news to come out of the 2008 Information Security Breaches Survey, which will be officially published next week at the Infosecurity show in London. The survey, carried out every two years by PWC and the DTI (now known as the Department for Business, Enterprise & Regulatory Reform, or BERR), provides the most accurate barometer of the state of information security in British business.

The research found that nearly every company now has anti-virus software, and 95% scan incoming emails for viruses. Around 98% have software to scan for spyware, up from 75% two years ago. Only 14% of UK companies reported a malware infection last year, down from 35% two years before. Even among very large businesses, fewer than half reported an infection last year.

However, those companies that did suffer an infection appeared to feel the effects more acutely. Two-thirds of them said the malware infection had been their worst security incident of any kind during the year, and malware infections were especially damaging in the telecommunications industry.

Chris Potter, a partner at PWC who led the survey, said that although basic anti-virus and anti-spyware defences were much improved, the survey showed that companies were treating system patching less urgently.

British business also seems to have made big strides in the areas of business continuity and disaster recovery, the survey found, with 99% claiming to backup their critical systems and data and 86% doing it on a daily basis.

Business recovery plans were in place at 72% of all companies (up from 58% two years ago), and at 91% of large companies. Off-site backups occurred at 85% of all companies (up from 76% two years ago) and at 91% of large companies.

DR testing a problem

While that was encouraging, half the business recovery plans were never tested, and 10% of those with a plan did not store data off-site.

But as the survey will also demonstrate, most security breaches arise from more mundane causes. The fact was graphically illustrated this week by a BBC investigation which revealed that 13 London councils had lost personal information about members of the public during the last year. The details showed, however, that the examples of poor security had more to do with the drinking habits of council workers than with the exploits of devious hackers.

In one instance, sensitive information about children in care was stolen when a youth worker took files into a bar. In another case, a paper notebook containing the names and addresses of 12 young people in care was stolen from a Kensington & Chelsea Council youth worker while he was in a pub after work.

However, email and USB sticks still provide the potential for large amounts of data to go missing, and the results of another survey by LogLogic show that employees will always find a way to take data home with them, whether they are allowed to or not.

The survey revealed that 42 per cent of adults in the UK had taken data out of the workplace to work on at home, and of these, almost half (45 per cent) said the data was classed as being company confidential.

Fewer than half of the respondents (43 per cent) said their bosses knew when information was being removed and taken home, and 14 per cent of those questioned said they accessed data which was not directly related to their job.

E-mail (29%) and USB memory sticks (27%) were the most popular method of removing data from the workplace. Hard copy printouts accounted for 22%, while 14% was transferred on CD, and 9% was transferred from a work laptop to home PC.

Even after finishing working with the information, 20% admitted they still had the data at home, 6% threw it away without destroying it, and 2 per cent admitted they had no idea what happened to it.

Read more on Hackers and cybercrime prevention