Loss of confidential data should now be the top security priority for British business, according to figures published today by the Department for Business, Enterprise & Regulatory Reform (BERR).
The figures come in the latest Information Security Breaches Survey (ISBS) which is conducted for BERR every two years by consultants PWC. The report shows that average expenditure on security has tripled during the last six years, and that the biggest effect has been to reduce the number of security breaches by one third. Despite the reduction, the report says that the cost to British business still runs into several billions of pounds.
Anti-virus and anti-spyware software are widely deployed and helping to keep down threats from outside the company. But four-fifths of companies whose computers had been lost or stolen admitted they had not encrypted their hard drives, and two-thirds of companies still do nothing to prevent confidential data leaving on USB sticks.
Chris Potter, a partner at PWC who led the survey, said there were some contradictions in the results. "Some 79% of businesses believe they have a clear understanding of the security risks they face, but only 48% formally assess those risks," he said in a written statement. "Also, 88% are confident that they have caught all significant security breaches, but only 56% have procedures to log and respond to incidents. The survey also shows 71% have procedures to comply with the Data Protection Act, but only 8% encrypt laptop hard drives. Businesses all need to ensure that their defences are sound if they want to continue to enjoy the benefits that technology brings."
Report in summary:
Widespread adoption of the Internet
- 54% of UK companies allow staff to access their systems remotely;
- 42% use a wireless network;
- 17% use Voice over IP telephony, and this will rise to 30% by the end of 2008;
- 5% have moved some of their IT operations offshore; and
- 84% are heavily dependent on their IT systems.
The security landscape changes
- 98% of companies now have software to scan for spyware
- 94% of wireless networks are now encrypted, versus only 47% in 2002
- 55% of UK companies have a documented security policy, versus 27% in 2002
- Expenditure on information security has increased from 2% to 7% of IT budget since 2002
- 40% of businesses provide ongoing security awareness training to staff – twice as many as six years ago
- 14% use strong (i.e. multi-factor) authentication
- 11% have implemented BS 7799/ISO 27001, compared to 5% in 2002.
After the peak in 2004, the number of companies reporting a security breach has returned to 2002 levels:
- 45% of small businesses reported a breach in the last year, down from 62% in 2006
- Larger businesses are more likely to have security breaches, with 96% of very large companies (more than 500 employees) affected
- The average cost of the worst incident of the year is highly dependent on the size of the business, varying from roughly £15,000 for small businesses to £1.5 million for very large businesses
- The total cost to British business has dropped by roughly a third compared with two years ago, returning to the levels seen in 2004
- Only 17% of companies expect to see fewer security incidents next year.
Confidential information is increasingly at risk, especially in large businesses
- 13% have detected unauthorised outsiders within their network
- 9% had fake (phishing) emails sent asking their customers for data
- 9% had customers impersonated (e.g. after identity theft)
- 6% have suffered a confidentiality breach.
Companies still fail to protect customer data
- 10% of websites that accept payment details do not encrypt them;
- 21% of companies spend less than 1% of their IT budget on information security;
- 67% do nothing to prevent confidential data leaving on USB sticks;
- 78% of companies that had computers stolen had not encrypted their hard drive;
- 79% are not aware of the contents of security standards BS 7799/ISO 27001.