UK businesses are failing to defend their IT systems

Organisations are failing to take basic IT security precautions despite a dramatic growth in attacks from hackers and computer...

Organisations are failing to take basic IT security precautions despite a dramatic growth in attacks from hackers and computer viruses, new government research will reveal this month.

The DTI's Information Security Breaches Survey is expected to show that the number of IT security breaches suffered by businesses has increased significantly over the past two years.

Although the security incidents are costing UK firms billions of pounds a year, many are failing to take even basic security precautions, the survey of 1,000 organisations by PricewaterhouseCoopers for the DTI reveals.

Only 27% of the businesses questioned have formulated a security policy - the first step in developing good security practice. Although this represents an increase from 14% two years ago, it shows that many businesses fail to grasp the precautions needed to protect their systems.

Even when companies have policies in place, the survey found that many businesses leave them on a shelf to gather dust.

"Sometimes people are developing the security policy for the sake of having a security policy. They may be developing it because some one on the board has told them to have it or because the regulators say they need it," said Chris Potter, partner at PricewaterhouseCoopers.

About 33% of businesses still do not have a firewall between their Web sites and their internal computer systems, leaving them vulnerable to hackers. And 66% do not have intrusion detection systems, which could detect hackers if they penetrated other defences.

Although these figures will alarm security experts, they represent a sharp improvement from two years ago, when about 80% of companies did not have a firewall.

The worst offenders are smaller firms, which often lack the expertise to protect their systems.

The problem has been exacerbated by a shortage of skilled security specialists, with one retailer taking six months to fill the post of chief security officer.

"There is quite a big knowledge gap that is probably causing UK business quite a lot of damage," said Potter.

The DTI's findings show that UK firms are lagging significantly behind US firms in their approach to security. In the US 95% of firms have firewalls in place.

Although only 15% of the UK firms questioned are aware of the contents of the BS7799 security standard, this is a significant improvement from two years ago, when only 6% of companies had heard of it.

On the positive side, 38% of the organisations that are aware of BS7999 have implemented its recommendations.

Read more on IT risk management