UK businesses are significantly underspending on IT security despite a massive growth in the number of serious security breaches over the past two years.
Only a third of UK businesses spend more than 1% of their IT budgets on security, a Department of Trade & Industry (DTI) survey reveals - far below the international benchmark of 3% to 5%, let alone the 10% recommended for high-risk sectors such as financial services.
The findings, in a survey of 1,000 organisations polled for the DTI by PricewaterhouseCoopers, suggest that many businesses are treating security as an overhead rather than an investment. Only 30% of those questioned had ever tried to evaluate the return on investment of information security.
Companies are also skimping on educating their staff on good security practice. Only 28% of organisations make workers aware of their security obligations when they join, and 13% have no mechanism for telling them at all. Forty percent do not carry out background checks on employees.
As a result, the number of employee-related incidents has risen over the past two years: 4% of large businesses attribute their worst security incident to poor staff vetting and 16% to poor security training. In one case, an investment bank employee exposed the bank's systems to hackers by plugging in a private modem which investigators took more than two weeks to find.
Most businesses are ill-equipped to deal with security breaches when they occur, the survey shows - a fact which might go some way to explaining why only 16% of companies initiate legal action.
Although 70% of people responsible for IT security said they were confident that they caught all significant security breaches, a quarter have no procedures for logging or reporting incidents.
A quarter of large businesses and half of small businesses have no contingency plans for dealing with incidents when they do occur. Only one in 10 has documented forensic guidelines that would allow evidence to be preserved for legal action.
Two computer misuse cases illustrate the cost of that gap. In one, a systems administrator inadvertently broke the law by making copies of pornographic material for investigators. In another pornography investigation, systems administrators made so many changes to the suspect PC that its contents could no longer be accepted as evidence in court.
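The second case fails on evidence integrity: once the original has been altered there is no way to show a court that what is presented is what was seized. The minimal control is to hash the acquired image at acquisition time, record the hash in a custody log with who took it and when, and re-verify before analysis and again before producing it. The script below is an added example, not part of the survey or the article; the file names, the examiner label and the stand-in "image" contents are constructed, and it shows how a single "tidy-up" write to the original breaks verification.

```python
"""Evidence-integrity check: hash an acquired image, record it in a custody
log, and re-verify later. Added example; not from the DTI survey or the article.
File names, examiner label and sample image contents are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream large images in 1 MiB chunks


def sha256_file(path):
    """Return the hex SHA-256 of a file without loading it all into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_acquisition(image_path, log_path, examiner):
    """Append an acquisition entry (who, when, which file, which hash) to the log."""
    entry = {
        "event": "acquired",
        "file": os.path.basename(image_path),
        "sha256": sha256_file(image_path),
        "examiner": examiner,
        "utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry["sha256"]


def verify_against_log(image_path, log_path):
    """True only if the file's current hash matches the hash recorded at acquisition."""
    with open(log_path) as log:
        entries = [json.loads(line) for line in log if line.strip()]
    recorded = [e for e in entries
                if e["event"] == "acquired"
                and e["file"] == os.path.basename(image_path)]
    if not recorded:
        return False  # nothing recorded: there is no chain of custody at all
    return sha256_file(image_path) == recorded[0]["sha256"]


def demo():
    """Constructed scenario: acquire, verify, then alter one byte in place
    (the failure mode from the article) and verify again."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "suspect-pc.dd")   # hypothetical image name
        log = os.path.join(d, "custody.log")       # hypothetical log name
        with open(image, "wb") as f:
            f.write(b"CONSTRUCTED SAMPLE IMAGE " * 1000)  # stand-in for a disk image
        record_acquisition(image, log, "examiner-1")
        untouched = verify_against_log(image, log)
        # An administrator "just cleans up" the original: one byte changed.
        with open(image, "r+b") as f:
            f.seek(10)
            f.write(b"X")
        after_change = verify_against_log(image, log)
        return untouched, after_change


if __name__ == "__main__":
    print(demo())  # (True, False)
```

In practice the analysis runs on a working copy of the image while the original stays write-protected; the log entry and hash are what let an examiner demonstrate, later, that the copy examined is byte-identical to what was seized.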
Only half of the businesses had documented procedures to comply with the UK Data Protection Act 1998. Fewer than a quarter had procedures to ensure compliance with human rights legislation, which governs employees' rights to confidential correspondence.
"If you are investigating someone's activities and you seek to read their private e-mail you could be in breach of human rights legislation. Many businesses assume they have a right to monitor e-mails but that assumption can be dangerous," said Chris Potter, partner at PricewaterhouseCoopers.