UK firms paying billions for lax IT security

IT security breaches cost UK businesses billions of pounds last year, with 44% of UK companies reporting at least one "malicious" security breach in the past 12 months, according to a study by the UK Department of Trade and Industry (DTI).

The number of IT security breaches has more than doubled since the survey in 2000, according to PricewaterhouseCoopers, which carried out the survey on behalf of DTI.

The government will publish the full survey, Information Security Breaches Survey Technical Report, on 23 April.

A serious security breach at a UK business costs an average of £30,000, but some firms faced bills of more than £500,000, the DTI said.

Some 73% of companies polled said they believe information security is a high priority for senior management - up from 53% in 2000 - but 56% also admitted that they were not covered against such breaches by insurance, or do not know if they even have proper insurance, the DTI said.

The DTI estimates that a company should spend between 3% and 5% of its total IT budget on IT security, with high-risk sectors, such as the banking industry, spending 10% of the IT budget.

Only 27% of respondents spend more than 1% of IT budgets on information security. This is because most UK companies regard security as a cost overhead rather than an important investment, the DTI said.

When it comes to evaluating the return on investment of IT security, 30% of UK companies have performed such an exercise, while only 27% of UK businesses have a firm security policy in place, the study found.

Large businesses are much more likely than smaller enterprises to have security plans, with 75% of large businesses having procedures for logging and responding to security incidents, while 73% of large businesses have contingency plans in place for dealing with possible security breaches. The figures among small businesses are 41% and 47%, respectively, the DTI said.

UK businesses are also largely ignorant of data protection and human rights legislation. Just 49% of study respondents have documented procedures to ensure compliance with the Data Protection Act 1998, and only 24% have procedures to ensure that they are protecting their staff's rights as set out in the Human Rights Act, the DTI said.

The DTI report called on UK businesses to make "sound commercial decisions" about IT security investment. Companies need to develop comprehensive IT security policies and then educate staff on what those policies are, how to carry them out and what is expected of each staff member in protecting the company's information, the DTI said.

UK companies also need to seriously explore insurance options, the study said. At present, only 8% of UK companies have specific IT insurance coverage, though the study found that the adoption of such policies is rapidly increasing, the DTI said.